Packages changed:
  alsa-plugins
  checkpolicy (3.0 -> 3.1)
  gettext-runtime (0.20.2 -> 0.21)
  glibc (2.31 -> 2.32)
  ibus (1.5.22 -> 1.5.23)
  installation-images-MicroOS (16.19 -> 16.22)
  libselinux (3.0 -> 3.1)
  libsemanage (3.0 -> 3.1)
  libsepol (3.0 -> 3.1)
  mcstrans (3.0 -> 3.1)
  mozilla-nss
  ncurses (6.2.20200711 -> 6.2.20200912)
  policycoreutils (3.0 -> 3.1)
  restorecond (3.0 -> 3.1)
  sysvinit (2.96 -> 2.97)
  tcpd
  xdm
  xinit
  xmodmap
  xorg-x11-server

=== Details ===

==== alsa-plugins ====

- Placeholder for SLE15-SP3 sync: jsc#SLE-11987
  no functional changes at all

==== checkpolicy ====
Version update (3.0 -> 3.1)

- Update to version 3.1
  * checkpolicy treats invalid characters as an error - might break rare use
    cases (intentionally)
  * Drop extern_te_assert_t.patch, is upstream

==== gettext-runtime ====
Version update (0.20.2 -> 0.21)
Subpackages: libtextstyle0

- Add multiple new features (bsc#1165138)
- Add patches:
  * 0001-msgcat-Add-feature-to-use-the-newest-po-file.patch
  * 0002-msgcat-Merge-headers-when-use-first.patch
- Reintroduce utoreconf call
- Update to 0.21:
  * Programming languages support:
  - Shell:
    o xgettext now recognizes and ignores 'env' invocations and environment
    variable assignments in front of commands.
  - Java:
    o xgettext now recognizes format strings in the Formatter syntax.  They
    are marked as 'java-printf-format' in POT and PO files.
    o xgettext now recognizes text blocks as string literals.
  - JavaScript:
    xgettext parses JSX expressions more reliably.
  - Ruby:
    o xgettext now supports Ruby.
    o 'msgfmt -c' now verifies the syntax of translations of Ruby format
    strings.
  * Improvements for translators:
  - When msgfmt writes a MO file, it now does so in such a way that processes
    that are currently using an older copy of the MO file will not crash.
  * Libtextstyle:
  - Added support for emitting hyperlinks.
  - New API for doing formatted output.
  - The example programs support the NO_COLOR environment variable.

==== glibc ====
Version update (2.31 -> 2.32)
Subpackages: glibc-locale glibc-locale-base

- Keep nsswitch.conf in /etc for SLES15
- syslog-locking.patch: Correct locking and cancellation cleanup in syslog
  functions (bsc#1172085, BZ #26100)
- ifunc-fma4.patch: x86-64: Fix FMA4 detection in ifunc (BZ #26534)
- Update to glibc 2.32
  * Unicode 13.0.0 Support
  * New locale added: ckb_IQ
  * The GNU C Library now loads audit modules listed in the DT_AUDIT and
    DT_DEPAUDIT dynamic section entries of the main executable
  * powerpc64le supports IEEE128 long double libm/libc redirects when
    using the -mabi=ieeelongdouble to compile C code on supported GCC
    toolchains
  * To help detect buffer overflows and other out-of-bounds accesses
    several APIs have been annotated with GCC 'access' attribute
  * On Linux, functions the pthread_attr_setsigmask_np and
    pthread_attr_getsigmask_np have been added
  * The GNU C Library now provides the header file <sys/single_threaded.h>
    which declares the variable __libc_single_threaded
  * The functions sigabbrev_np and sigdescr_np have been added
  * The functions strerrorname_np and strerrordesc_np have been added
  * AArch64 now supports standard branch protection security hardening
    in glibc when it is built with a GCC that is configured with
  - -enable-standard-branch-protection (or if -mbranch-protection=standard
    flag is passed when building both GCC target libraries and glibc,
    in either case a custom GCC is needed)
  * The deprecated <sys/sysctl.h> header and the sysctl function have been
    removed
  * The sstk function is no longer available to newly linked binaries
  * The legacy signal handling functions siginterrupt, sigpause, sighold,
    sigrelse, sigignore and sigset, and the sigmask macro have been
    deprecated
  * ldconfig now defaults to the new format for ld.so.cache
  * The deprecated arrays sys_siglist, _sys_siglist, and sys_sigabbrev
    are no longer available to newly linked binaries, and their declarations
    have been removed from <string.h>
  * The deprecated symbols sys_errlist, _sys_errlist, sys_nerr, and _sys_nerr
    are no longer available to newly linked binaries, and their declarations
    have been removed from from <stdio.h>
  * Both strerror and strerror_l now share the same internal buffer in the
    calling thread, meaning that the returned string pointer may be invalided
    or contents might be overwritten on subsequent calls in the same thread or
    if the thread is terminated
  * Using weak references to libpthread functions such as pthread_create
    or pthread_key_create to detect the singled-threaded nature of a
    program is an obsolescent feature
  * The "files" NSS module no longer supports the "key" database (used for
    secure RPC)
  * The __morecore and __after_morecore_hook malloc hooks and the default
    implementation __default_morecore have been deprecated
  * The hesiod NSS module has been deprecated and will be removed in a
    future version of glibc
  * CVE-2016-10228: An infinite loop has been fixed in the iconv program when
    invoked with the -c option and when processing invalid multi-byte input
    sequences
  * CVE-2020-10029: Trigonometric functions on x86 targets suffered from stack
    corruption when they were passed a pseudo-zero argument
  * CVE-2020-1752: A use-after-free vulnerability in the glob function when
    expanding ~user has been fixed.
  * CVE-2020-6096: A signed comparison vulnerability in the ARMv7 memcpy and
    memmove functions has been fixed
- riscv-syscall-clobber.patch, ldbl-96-rem-pio2l.patch,
  long-double-alias.patch: Removed

==== ibus ====
Version update (1.5.22 -> 1.5.23)
Subpackages: libibus-1_0-5 typelib-1_0-IBus-1_0

- Update version to 1.5.23
  * Generate simple.xml with denylist 6042974 508527d 37db75b 6879879 59b902a
    568d58d 6ed34f3 5959d6f 5d67a28 394d9a8 ed7bc8d e938846 3aa670e 0d90da4
    e4dd6d1
  * Accept xdigits only for Unicode typing a440942
  * Update emoji-parser with CLDR emoji annotation release-31-0-1 9a9f828
  * Update ibusunicodegen.h with unicode-ucd 13.0.0 e10fc89
  * Delete deprecated ENABLE_APPINDICATOR_ENGINE_ICON check aa3a9f0
  * Fix SEGV 02105c4 f591381
  * Fix some errors in ibus-desktop-testing-runner 7b0d091 8da0167
  * Refactor source files 0b9d936 0ad5e9a
  * Fix string formats in translatable strings 7caead1 f8c468a ce865f6
  * Use WAYLAND_DISPLAY on Wayland sessions to make up IBus socket name (Carlos
    Garnacho) 8ce2520
  * Skip parsing of compose sequence with invalid keysyms (Neil Shepperd)
    0da3cec
  * Tell Pango about the engine language in the candidate panel (Aaron Muir
    Hamilton) 3f098dc 79a09f1
  * Fix for several error spotted by static analyzer (ntfs.hard) 00adea6
  * Remove glib_check_version() in gtk immodule (Changwoo Ryu) 5765bfd
  * Build the Emoji dictionaries in parallel (Changwoo Ryu) 59d0de4
  * Update translation
- Drop 0001-Replace-the-Qt-check-for-appindicator-engine-icon-wi.patch,
  ibus-use-wayland-display-for-socket-name.patch,
  ibus-socket-name-compatibility.patch. Merged by upstream
- Update ibus.spec: Drop the is_opensuse macro to eliminate the
  difference between SLE-15 and openSUSE-Leap (jsc#SLE-11653).
- Move xim.d files to /usr/etc when available, which is
  currently Tumbleweed only (boo#1176431)

==== installation-images-MicroOS ====
Version update (16.19 -> 16.22)

- merge gh#openSUSE/installation-images#428
- include all of xorg-x11-server
- 16.22
- merge gh#openSUSE/installation-images#427
- ensure /proc is mounted in chroot environments (bsc#1176972)
- 16.21
- merge gh#openSUSE/installation-images#426
- Extra yast module for common criteria (boo#1176982)
- 16.20

==== libselinux ====
Version update (3.0 -> 3.1)
Subpackages: libselinux1 selinux-tools

- Update to version 3.1:
  * selinux/flask.h, selinux/av_permissions.h and sepol/policydb/flask.h were
    removed. All userspace object managers should have been updated to use the
    dynamic class/perm mapping support.
    Use string_to_security_class(3) and string_to_av_perm(3) to map the class
    and permission names to their policy values, or selinux_set_mapping(3) to
    create a mapping from class and permission index values used by the
    application to the policy values.
  * Removed restrictions in libsepol and checkpolicy that required all declared
    initial SIDs to be assigned a context.
  * Support for new policy capability genfs_seclabel_symlinks
  * selinuxfs is mounted with noexec and nosuid
  * `security_compute_user()` was deprecated

==== libsemanage ====
Version update (3.0 -> 3.1)

- Add /var/lib/selinux
- Remove libsemanage-update-map-file.patch to prevent checkers from declining
  the submission. Keeping the snippet in the spec file in case we try to
  enable LTO again
- Update to version 3.1
  * Improved manpage
  * fsync final files before rename
- Disabled LTO again. This breaks e.g. shadow and also other packages
  in security:SELinux
- Fix build with LTO: [bsc#1133102]
  * Enable LTO (Link Time Optimization) and build with -ffat-lto-objects
  * Update map file to include new symbols and remove wildcards
- Add libsemanage-update-map-file.patch

==== libsepol ====
Version update (3.0 -> 3.1)

- Update to version 3.1
  * Add support for new polcap genfs_seclabel_symlinks
  * Initialize the multiple_decls field of the cil db
  * Return error when identifier declared as both type and attribute
  * Write CIL default MLS rules on separate lines
  * Sort portcon rules consistently
  * Remove leftovers of cil_mem_error_handler
  * Drop remove_cil_mem_error_handler.patch, is included

==== mcstrans ====
Version update (3.0 -> 3.1)

- Update to version 3.1
  * fix memory leak in new_context_str

==== mozilla-nss ====
Subpackages: libfreebl3 libsoftokn3 mozilla-nss-certs

- Add patch to fix build on aarch64 - boo#1176934:
  * nss-freebl-fix-aarch64.patch

==== ncurses ====
Version update (6.2.20200711 -> 6.2.20200912)
Subpackages: libncurses6 ncurses-utils terminfo-base

- Add ncurses patch 20200912
  + add configure-check for systre/tre with mingw configuration, to get
    the library-dependencies as seen in msys2 configuration for mingw64.
  + build-fixes for the win32-driver configuration.
  + use more defensive binary mode setting for Win32 (Juergen Pfeifer).
- Add ncurses patch 20200907
  + fix regression in setupterm validating non-empty $TERM (report by
    Soren Tempel).
- Add ncurses patch 20200906
  + merge/adapt in-progress work by Juergen Pfeifer for new version of
    win32-driver.
  + correct description of vt330/vt340 (Ross Combs).
- Add ncurses patch 20200831
  + build-fix for awk-scripts modified for win32-driver (report by Werner
    Fink).
- Drop workaround patch awk-scripts.patch as now upstream fixed
- Add patch awk-scripts.patch as workaround for patch 20200829
- Add ncurses patch 20200829
  + remove a redundant NCURSES_EXPORT as a build-fix for "Maarten
    Anonymous".
  + merge/adapt in-progress work by Juergen Pfeifer for new version of
    win32-driver.
  + modify configure script, moving gcc -Werror options to EXTRA_CFLAGS
    to avoid breaking configure-checks (adapted from ongoing work on
    mawk and lynx).
  > errate for terminfo.src (report by Florian Weimer):
  + correct icl6404 csr
  + correct ti916 cup
  + improve ndr9500
- Refresh patch ncurses-6.2.dif
- Add ncurses patch 20200822
  + improve version-number extraction in MKlib_gen.sh
  + make the test-package for manpages installable by adjusting the
    man_db.renames file.
  + correct an off-by-one loop-limit in convert_strings function
    (report by Yue Tai).
  + add CF_SHARED_OPTS cases for HPE NonStop systems (Randall S Becker).
  + modify CF_SHARED_OPTS case for NetBSD to use the same "-shared"
    option for the non-rpath case as for the rpath case, to allow gcc to
    provide suitable runtime initialization (report by Rajeev V Pillai).
- Disable wgetch-events as it is deprecated and breaks build of
  other packages
- Add ncurses patch 20200817
  + reduce build-warnings by excluding ncurses-internals from deprecation
    warnings.
  + mark wgetch-events feature as deprecated.
  + add definition for $(LIBS) to ncurses/Makefile.in, to simplify builds
    using the string-hacks option.
  + prevent KEY_EVENT from appearing in curses.h unless the configure
    option --enable-wgetch-events is used (report by Werner Fink).
- Add ncurses patch 20200816
  + amend tic/infocmp check to allow for the respective tool's absence
    (report by Steve Wills, cf: 20200808).
  + improved some of the build-scripts with shellcheck
  + filter out -MT/-MD/-MTd/-MDd options in script for Visual Studio C++
    (discussion with "Maarten Anonymous").
- Add ncurses patch 20200808
  + improve discussion of the system's tic utility when used as part
    of cross-compiling (discussion with Keith Marshall).
  + modify configuration checks for build-time tic/infocmp to use
    AC_CHECK_TOOL. That can still be overridden by --with-tic-path and
  - -with-infocmp-path when fallbacks are used, but even if not using
    fallbacks, the improved check may help with cross-compiling
    (discussion with Keith Marshall).
  + other build-fixes for Ada95 with MinGW.
  + modify Ada95 source-generation utility to write to a file given as
    parameter rather than to the standard output, allowing builds with
    MinGW.
- Add ncurses patch 20200801
  + remove remaining parts of checks for ISC Unix (cf: 20121006).
  + add user32.lib to LDFLAGS for Visual Studio C++ configuration
    (discussion with "Maarten Anonymous").
  + modify MKkey_defs.sh to hide ncurses' definition of KEY_EVENTS to
    reduce Visual Studio C++ redefinition warnings.
  + improve/update checks for external functions in test/configure
- Add ncurses patch 20200725
  + set LINK_TESTS in CF_SHARED_OPTS for msvc (patch by
    "Maarten Anonymous")
  + improved workaround for redefinition-warnings for KEY_EVENT.
  + improve man/term.5 section on legacy storage format (report by
    Florian Weimer).
- Add ncurses patch 20200718
  + reduce redefinition-warnings for KEY_EVENT when building with Visual
    Studio C++.
  + define NCURSES_STATIC when compiling programs to link with static
    libraries, to work with MinGW vs Visual Studio C++.
  > additional changes for building with Visual Studio C++ and msys2
    (reports/patches by "Maarten Anonymous")
  + modify c++/Makefile.in to set the current directory while compiling
    the main program, so the linker can find related objects.
  + several changes to allow the c++/demo program to compile/link.
  + change an ifdef in test-directory, to use VC++ wide-character funcs.

==== policycoreutils ====
Version update (3.0 -> 3.1)

- Add get_os_version.patch
  get_os_version is implemented in a very RH/Fedora specific way.
  Ensure that it returns a valid string for SUSE by changing the
  default. Also remove the RH specific logic when generating HTML
  versions of the SELinux documentation
- Align more with Fedora spec file to get rid of python dependencies
  in the core system
  - create new python-utils sub-package
  - move some tools to devel sub-package
- Cleanup dependencies
- Proper default permissions for newrole (4755)
- Update to version 3.1
  * New `setfiles -E` option - treat conflicting specifications as errors, such
    as where two hardlinks for the same inode have different contexts.
  * `setsebool -V` reports errors from commit phase
  * matchpathcon related interfaces are deprecated
  * New `restorecon -x` option which prevents it from crossing file system
  * boundaries.
  * `sepolgen-ifgen` parses a gen_tunable statement as bool
  * Removed Requires for python3-ipy as the ipaddress module is used. No
    requires for python-ipaddress as it's assumed this is used only on recent
    systems
  * Drop chcat_join.patch, is upstream

==== restorecond ====
Version update (3.0 -> 3.1)

- Use proper macros for SYSTEMDSYSTEMUNITDIR and SYSTEMDUSERUNITDIR
- Update to version 3.1
  * `restorecond_user.service` - new systemd user service which runs
    `restorecond -u`

==== sysvinit ====
Version update (2.96 -> 2.97)

- Drop /bin/pidof and /sbin/pidof, including corresponding man
  page: let's switch to pidof as provided by procps-ng.
- Update to sysvinit 2.97:
  * Check $(ROOT) filesystem for libcrypt instead of a hardcoded
    path to /usr.
  * Code clean-up and making sure we avoid freeing unused memory.
  * Added shell script which converts systemd unit files into
    init.d style scripts.
  * Allow init to load configuration data from files stored in
    /etc/inittab.d/
  * Allow shutdown time to be specified in the format +hh:mm. This
    is in addition to the existing formats such as hh:mm, +m, and
    "now".
  * Fixed typos in manual pages.
- Update startpar to 0.65:
  + Make sure startpar testsuite can find insserv executable in
    /usr/sbin or /sbin.
  + Added PREFIX variable to Makefile and testsuite to make
    location of startpar and insserv more flexible.
- Rebase sysvinit-2.90.dif.
- Drop SCVER defines: not used in any place.
- Drop startpar-sysmacros.patch: fixed upstream.

==== tcpd ====

- tcp_wrappers_7.6-shared-lib.diff: Linux has STRERROR not SYS_ERRLIST
  [bsc#1175272]

==== xdm ====

- removed /etc/X11/xdm/Keyboard.map since it meanwhile has been
  replaced by /usr/share/systemd/kbd-model-map (used by YaST)
- Don't create the compat symlinks in /etc on the fly, track them
  properly as %config
- /etc/X11/xdm/scripts/11-ssh-agent
  * ssh-askpass now moved to /usr/libexec/ssh (boo#1175991)
- moved xdm/xdm-np PAM files to /usr/etc/pam.d, since lightdm has
  been adjusted meanwhile
- Switch to /usr/bin/pidof dependency, provided by procps-ng.
- fixes in xdm-tarball.patch
  * /usr/lib/X11/display-manager: fixes sddm, which didn't use
    xdm_reload_files in xdm_start_proc() of
    /usr/lib/X11/displaymanagers/sddm (boo#1173049)
- fixes in xdm-tarball.patch
  * symlink also $XDMDIR/xinitrc.common in /etc/X11/xinit; it
    is still often sourced in old ~/.xinitrc user files ...
- fixes in xdm-tarball.patch
  * fixed include path for generic Xresources in xdm's Xresources file
  * fixed $XDMDIR in Xsession, so sys.xsession can be found
  * sys.xsession: fixed syntax error in code, which reads
    additional xdm scripts
  * display-manager: also symlink Xstartup and Xreset in
    /etc/X11/xdm (needed by lighdm)
- specfile:
  * for now use again /etc/pam.d for xdm/xdm-np PAM files instead
    of /usr/etc/pam.d (using the latter resulted in
    "authentificataion failure" with lightdm)
- reenabled move to /usr/etc/X11/xdm; updated xdm-tarball.patch
  (includes changes from xinit-UsrEtcMove.patch) [boo#1176212]
- xinit-UsrEtcMove.patch
  * changes needed with xinitrc moving to %{_libexecdir}/xinit and
    xinitrc.common moving to /usr/etc/X11/xinit/
- reverted move to /usr/etc/X11/xdm for now due to boo#1176212
- updated xdm-tarball.patch
  * adjusted for changes in xmodmap and xinit (boo#1173049)
- xdm-tarball.patch
  * /usr/etc changes still needed for xdm.tar.bz2; will need
    more changes once xmodmap and xinit files are also moved to
    /usr/etc (boo#1173049)
- move /etc/X11/xdm --> /usr/etc/X11/xdm and
  /etc/pam.d -> /usr/etc/pam.d; still TODO: adjust scripts in
  xdm.tar.bz2 (boo#1173049)
- more cleanup
  * no longer support sle12; adjusted xdm.tar.bz2 and
    applied xdm-with-update-alternative.patch to this tarball
- cleanup
  * get rid of xdm-fallbacks.tar.bz2, which wasn't used any longer
    since SUSE 12.1
  * no longer support systmed based OSes like SUSE < 12.1 and sle11;
    removed therefore also xdm-consolekit.diff
  * no longer support sle11

==== xinit ====

- Properly track the compatibility symlink
- simplified UsrEtcMove enable/disable logic in specfile
- xinit-tarball.patch/xinit.spec
  * reenabled move to /usr/etc/X11/xinit
  * fixed remaining issues mentioned in boo#1173052, comment#6
    and boo#1176212, comment#7
- reverted move to /usr/etc/X11/xinit for now (boo#1173052, comment#6)
- moved xinit files to /usr/etc/X11/xinit and removed xinitrc
  skeleton (boo#1173052)
- xinit-tarball.patch
  * adjust tarball contenct to /usr/etc move (boo#1173052)

==== xmodmap ====

- reenabled move to /usr/etc/X11 for Tumbleweed (boo#1173053)
- reverted move to /usr/etc/X11 for now (boo#1173053, comment#3)
- moved Xmodmap files to /usr/etc/X11 (boo#1173053)

==== xorg-x11-server ====
Subpackages: xorg-x11-server-Xvfb xorg-x11-server-wayland

- n_xorg-wrapper-anybody.patch
  * replace default config /etc/X11/Xwrapper, which allows
    anybody to use the wrapper, by a patch for the code, i.e.
    [#] rootonly, console, anybody
    allowed_users=anybody
    [#] yes, no, auto
    needs_root_rights=auto
    is now the default without any Xwrapper config
    (needs_root_rights=auto was already the default before)
- u_xorg-wrapper-Xserver-Options-Whitelist-Filter.patch
  * replaced by improved version written by Matthias Gerstner of
    our security team
    + simplified the option parsing code a bit
    + changed the "ignore forbidden argument" logic into an "abort
    on forbidden argument" logic. This is safer and avoids
    surprises on the user's end that could occur if the desired
    command line arguments aren't effective but the Xorg server is
    still started.
    + tried to adjust to the coding style present in the file
    (mostly the function name)
    + added some logic to apply the option filtering only to
    non-root users when Xorg is actually started as root. This
    should allow for full flexibility if root calls the wrapper or
    if the Xorg server only runs with user privileges.
- U_Fix-segfault-on-probing-a-non-PCI-platform-device-on.patch,
  U_Revert-linux-Fix-platform-device-PCI-detection-for-c.patch,
  U_Revert-linux-Fix-platform-device-probe-for-DT-based-.patch,
  U_Revert-linux-Make-platform-device-probe-less-fragile.patch
  * fix Xserver startup on Raspberry Pi 3 (boo#1176203)
- n_xorg-wrapper-rename-Xorg.patch
  * moved Xorg to Xorg.bin and Xorg.sh to Xorg (boo#1175867)
- change default for needs_root_rights to auto in Xwrapper.config
  (boo#1175867)
- reenabled SUID wrapper for TW (boo#1175867)
- u_xorg-wrapper-Xserver-Options-Whitelist-Filter.patch
  * Xserver option whitelist filter (boo#1175867)