Packages changed:
  cpio
  curl (7.66.0 -> 7.67.0)
  kernel-source (5.3.8 -> 5.3.9)
  rpm-config-SUSE (0.g42 -> 0.g44)
  snapper (0.8.5 -> 0.8.6)
  wpa_supplicant (2.6 -> 2.9)
  zstd (1.4.3 -> 1.4.4)

=== Details ===

==== cpio ====

- add cpio-2.12-CVE-2019-14866.patch to fix a security issue where
  cpio does not properly validate the values written in the header
  of a TAR file through the to_oct() function [bsc#1155199]
  [CVE-2019-14866]

==== curl ====
Version update (7.66.0 -> 7.67.0)
Subpackages: libcurl4

- Update spec file with spec-cleaner
- Update to 7.67.0
  * Changes:
  - curl: added --no-progress-meter
  - setopt: CURLMOPT_MAX_CONCURRENT_STREAMS is new
  - urlapi: CURLU_NO_AUTHORITY allows empty authority/host part
  * Bugfixes:
  - BINDINGS: five new bindings addded
  - CURLOPT_TIMEOUT.3: Clarify transfer timeout time includes queue time
  - CURLOPT_TIMEOUT.3: remove the mention of "minutes"
  - ESNI: initial build/setup support
  - FTP: FTPFILE_NOCWD: avoid redundant CWDs
  - FTP: allow "rubbish" prepended to the SIZE response
  - FTP: remove trailing slash from path for LIST/MLSD
  - FTP: skip CWD to entry dir when target is absolute
  - FTP: url-decode path before evaluation
  - HTTP3.md: move -p for mkdir, remove -j for make
  - HTTP3: fix invalid use of sendto for connected UDP socket
  - HTTP3: fix prefix parameter for ngtcp2 build
  - HTTP3: show an --alt-svc using example too
  - INSTALL: add missing space for configure commands
  - INSTALL: add vcpkg installation instructions
  - altsvc: accept quoted ma and persist values
  - altsvc: both backends run h3-23 now
  - appveyor: Add MSVC ARM64 build
  - appveyor: Use two parallel compilation on appveyor with CMake
  - appveyor: add --disable-proxy autotools build
  - appveyor: publish artifacts on appveyor
  - appveyor: upgrade VS2017 to VS2019
  - asyn-thread: make use of Curl_socketpair() where available
  - asyn-thread: s/AF_LOCAL/AF_UNIX for Solaris
  - build: Remove unused HAVE_LIBSSL and HAVE_LIBCRYPTO defines
  - checksrc: fix uninitialized variable warning
  - chunked-encoding: stop hiding the CURLE_BAD_CONTENT_ENCODING error
  - cirrus: Switch the FreeBSD 11.x build to 11.3 and add a 13.0 build
  - cirrus: switch off blackhole status on the freebsd CI machines
  - cleanups: 21 various PVS-Studio warnings
  - configure: only say ipv6 enabled when the variable is set
  - configure: remove all cyassl references
  - conn-reuse: requests wanting NTLM can reuse non-NTLM connections
  - connect: return CURLE_OPERATION_TIMEDOUT for errno == ETIMEDOUT
  - connect: silence sign-compare warning
  - cookie: avoid harmless use after free
  - cookie: pass in the correct cookie amount to qsort()
  - cookies: change argument type for Curl_flush_cookies
  - cookies: using a share with cookies shouldn't enable the cookie engine
  - copyrights: update copyright notices to 2019
  - curl: create easy handles on-demand and not ahead of time
  - curl: ensure HTTP 429 triggers --retry
  - curl: exit the create_transfers loop on errors
  - curl: fix memory leaked by parse_metalink()
  - curl: load large files with -d @ much faster
  - docs/HTTP3: fix `--with-ssl` ngtcp2 configure flag
  - docs: added multi-event.c example
  - docs: disambiguate CURLUPART_HOST is for host name (ie no port)
  - docs: note on failed handles not being counted by curl_multi_perform
  - doh: allow only http and https in debug mode
  - doh: avoid truncating DNS QTYPE to lower octet
  - doh: clean up dangling DOH memory on easy close
  - doh: fix (harmless) buffer overrun
  - doh: fix undefined behaviour and open up for gcc and clang optimization
  - doh: return early if there is no time left
  - examples/sslbackend: fix -Wchar-subscripts warning
  - gnutls: make gnutls_bye() not wait for response on shutdown
  - http2: expire a timeout at end of stream
  - http2: prevent dup'ed handles to send dummy PRIORITY frames
  - http2: relax verification of :authority in push promise requests
  - http2_recv: a closed stream trumps pause state
  - http: lowercase headernames for HTTP/2 and HTTP/3
  - ldap: Stop using wide char version of ldapp_err2string
  - ldap: fix OOM error on missing query string
  - mbedtls: add error message for cert validity starting in the future
  - mime: when disabled, avoid C99 macro
  - ngtcp2: adapt to API change
  - ngtcp2: compile with latest ngtcp2 + nghttp3 draft-23
  - ngtcp2: remove fprintf() calls
  - openssl: close_notify on the FTP data connection doesn't mean closure
  - openssl: use strerror on SSL_ERROR_SYSCALL
  - os400: getpeername() and getsockname() return ebcdic AF_UNIX sockaddr
  - parsedate: fix date parsing disabled builds
  - quiche: don't close connection at end of stream
  - quiche: persist connection details (fixes -I with --http3)
  - quiche: set 'drain' when returning without having drained the queues
  - quiche: update HTTP/3 config creation to new API
  - redirect: handle redirects to absolute URLs containing spaces
  - runtests: get textaware info from curl instead of perl
  - schannel: reverse the order of certinfo insertions
  - schannel_verify: Fix concurrent openings of CA file
  - security: silence conversion warning
  - setopt: handle ALTSVC set to NULL
  - setopt: make it easier to add new enum values
  - setopt: store CURLOPT_RTSP_SERVER_CSEQ correctly
  - smb: check for full size message before reading message details
  - smbserver: fix Python 3 compatibility
  - socks: Fix destination host shown on SOCKS5 error
  - test1162: disable MSYS2's POSIX path conversion
  - test1591: fix spelling of http feature
  - tests: add 'connect to non-listen' keywords
  - tests: fix narrowing conversion warnings
  - tests: fix the test 3001 cert failures
  - tests: makes tests succeed when using --disable-proxy
  - tests: use %FILE_PWD for file:// URLs
  - tests: use port 2 instead of 60000 for a safer non-listening port
  - tool_operate: Fix retry sleep time shown to user when Retry-After
  - url: Curl_free_request_state() should also free doh handles
  - url: don't set appconnect time for non-ssl/non-ssh connections
  - url: fix the NULL hostname compiler warning
  - url: normalize CURLINFO_EFFECTIVE_URL
  - url: only reuse TLS connections with matching pinning
  - urlapi: avoid index underflow for short ipv6 hostnames
  - urlapi: fix URL encoding when setting a full URL
  - urlapi: question mark within fragment is still fragment
  - urldata: use 'bool' for the bit type on MSVC compilers
  - vtls: fix narrowing conversion warnings

==== kernel-source ====
Version update (5.3.8 -> 5.3.9)

- Linux 5.3.9 (bnc#11519).
- io_uring: fix up O_NONBLOCK handling for sockets (bnc#1151927).
- dm snapshot: introduce account_start_copy() and
  account_end_copy() (bnc#1151927).
- dm snapshot: rework COW throttling to fix deadlock
  (bnc#1151927).
- Btrfs: fix inode cache block reserve leak on failure to allocate
  data space (bnc#1151927).
- btrfs: qgroup: Always free PREALLOC META reserve in
  btrfs_delalloc_release_extents() (bnc#1151927).
- iio: adc: meson_saradc: Fix memory allocation order
  (bnc#1151927).
- iio: fix center temperature of bmc150-accel-core (bnc#1151927).
- libsubcmd: Make _FORTIFY_SOURCE defines dependent on the feature
  (bnc#1151927).
- perf tests: Avoid raising SEGV using an obvious NULL dereference
  (bnc#1151927).
- perf map: Fix overlapped map handling (bnc#1151927).
- perf script brstackinsn: Fix recovery from LBR/binary mismatch
  (bnc#1151927).
- perf jevents: Fix period for Intel fixed counters (bnc#1151927).
- perf tools: Propagate get_cpuid() error (bnc#1151927).
- perf annotate: Propagate perf_env__arch() error (bnc#1151927).
- perf annotate: Fix the signedness of failure returns
  (bnc#1151927).
- perf annotate: Propagate the symbol__annotate() error return
  (bnc#1151927).
- perf annotate: Fix arch specific ->init() failure errors
  (bnc#1151927).
- perf annotate: Return appropriate error code for allocation
  failures (bnc#1151927).
- perf annotate: Don't return -1 for error when doing BPF
  disassembly (bnc#1151927).
- staging: rtl8188eu: fix null dereference when kzalloc fails
  (bnc#1151927).
- RDMA/siw: Fix serialization issue in write_space()
  (bnc#1151927).
- RDMA/hfi1: Prevent memory leak in sdma_init (bnc#1151927).
- RDMA/iw_cxgb4: fix SRQ access from dump_qp() (bnc#1151927).
- RDMA/iwcm: Fix a lock inversion issue (bnc#1151927).
- HID: hyperv: Use in-place iterator API in the channel callback
  (bnc#1151927).
- kselftest: exclude failed TARGETS from runlist (bnc#1151927).
- selftests/kselftest/runner.sh: Add 45 second timeout per test
  (bnc#1151927).
- nfs: Fix nfsi->nrequests count error on nfs_inode_remove_request
  (bnc#1151927).
- arm64: cpufeature: Effectively expose FRINT capability to
  userspace (bnc#1151927).
- arm64: Fix incorrect irqflag restore for priority masking for
  compat (bnc#1151927).
- arm64: ftrace: Ensure synchronisation in PLT setup for
  Neoverse-N1 #1542419 (bnc#1151927).
- tty: serial: owl: Fix the link time qualifier of
  'owl_uart_exit()' (bnc#1151927).
- tty: serial: rda: Fix the link time qualifier of
  'rda_uart_exit()' (bnc#1151927).
- serial/sifive: select SERIAL_EARLYCON (bnc#1151927).
- tty: n_hdlc: fix build on SPARC (bnc#1151927).
- misc: fastrpc: prevent memory leak in fastrpc_dma_buf_attach
  (bnc#1151927).
- RDMA/core: Fix an error handling path in 'res_get_common_doit()'
  (bnc#1151927).
- RDMA/cm: Fix memory leak in cm_add/remove_one (bnc#1151927).
- RDMA/nldev: Reshuffle the code to avoid need to rebind QP in
  error path (bnc#1151927).
- RDMA/mlx5: Do not allow rereg of a ODP MR (bnc#1151927).
- RDMA/mlx5: Order num_pending_prefetch properly with
  synchronize_srcu (bnc#1151927).
- RDMA/mlx5: Add missing synchronize_srcu() for MW cases
  (bnc#1151927).
- gpio: max77620: Use correct unit for debounce times
  (bnc#1151927).
- fs: cifs: mute -Wunused-const-variable message (bnc#1151927).
- arm64: vdso32: Fix broken compat vDSO build warnings
  (bnc#1151927).
- arm64: vdso32: Detect binutils support for dmb ishld
  (bnc#1151927).
- serial: mctrl_gpio: Check for NULL pointer (bnc#1151927).
- serial: 8250_omap: Fix gpio check for auto RTS/CTS
  (bnc#1151927).
- arm64: Default to building compat vDSO with clang when
  CONFIG_CC_IS_CLANG (bnc#1151927).
- arm64: vdso32: Don't use KBUILD_CPPFLAGS unconditionally
  (bnc#1151927).
- efi/cper: Fix endianness of PCIe class code (bnc#1151927).
- efi/x86: Do not clean dummy variable in kexec path
  (bnc#1151927).
- MIPS: include: Mark __cmpxchg as __always_inline (bnc#1151927).
- riscv: avoid kernel hangs when trapped in BUG() (bnc#1151927).
- riscv: avoid sending a SIGTRAP to a user thread trapped in
  WARN() (bnc#1151927).
- riscv: Correct the handling of unexpected ebreak in
  do_trap_break() (bnc#1151927).
- x86/xen: Return from panic notifier (bnc#1151927).
- ocfs2: clear zero in unaligned direct IO (bnc#1151927).
- fs: ocfs2: fix possible null-pointer dereferences in
  ocfs2_xa_prepare_entry() (bnc#1151927).
- fs: ocfs2: fix a possible null-pointer dereference in
  ocfs2_write_end_nolock() (bnc#1151927).
- fs: ocfs2: fix a possible null-pointer dereference in
  ocfs2_info_scan_inode_alloc() (bnc#1151927).
- btrfs: silence maybe-uninitialized warning in clone_range
  (bnc#1151927).
- arm64: armv8_deprecated: Checking return value for memory
  allocation (bnc#1151927).
- x86/cpu: Add Comet Lake to the Intel CPU models header
  (bnc#1151927).
- sched/fair: Scale bandwidth quota and period without losing
  quota/period ratio precision (bnc#1151927).
- sched/vtime: Fix guest/system mis-accounting on task switch
  (bnc#1151927).
- perf/core: Rework memory accounting in perf_mmap()
  (bnc#1151927).
- perf/core: Fix corner case in perf_rotate_context()
  (bnc#1151927).
- perf/x86/amd: Change/fix NMI latency mitigation to use a
  timestamp (bnc#1151927).
- drm/amdgpu: fix memory leak (bnc#1151927).
- iio: imu: adis16400: release allocated memory on failure
  (bnc#1151927).
- iio: imu: adis16400: fix memory leak (bnc#1151927).
- iio: imu: st_lsm6dsx: fix waitime for st_lsm6dsx i2c controller
  (bnc#1151927).
- MIPS: include: Mark __xchg as __always_inline (bnc#1151927).
- MIPS: fw: sni: Fix out of bounds init of o32 stack
  (bnc#1151927).
- s390/cio: fix virtio-ccw DMA without PV (bnc#1151927).
- virt: vbox: fix memory leak in hgcm_call_preprocess_linaddr
  (bnc#1151927).
- nbd: fix possible sysfs duplicate warning (bnc#1151927).
- NFSv4: Fix leak of clp->cl_acceptor string (bnc#1151927).
- SUNRPC: fix race to sk_err after xs_error_report (bnc#1151927).
- s390/uaccess: avoid (false positive) compiler warnings
  (bnc#1151927).
- tracing: Initialize iter->seq after zeroing in
  tracing_read_pipe() (bnc#1151927).
- perf annotate: Fix multiple memory and file descriptor leaks
  (bnc#1151927).
- perf/aux: Fix tracking of auxiliary trace buffer allocation
  (bnc#1151927).
- USB: legousbtower: fix a signedness bug in tower_probe()
  (bnc#1151927).
- nbd: verify socket is supported during setup (bnc#1151927).
- arm64: dts: qcom: Add Lenovo Miix 630 (bnc#1151927).
- arm64: dts: qcom: Add HP Envy x2 (bnc#1151927).
- arm64: dts: qcom: Add Asus NovaGo TP370QL (bnc#1151927).
- rtw88: Fix misuse of GENMASK macro (bnc#1151927).
- s390/pci: fix MSI message data (bnc#1151927).
- thunderbolt: Correct path indices for PCIe tunnel (bnc#1151927).
- thunderbolt: Use 32-bit writes when writing ring
  producer/consumer (bnc#1151927).
- fuse: flush dirty data/metadata before non-truncate setattr
  (bnc#1151927).
- fuse: truncate pending writes on O_TRUNC (bnc#1151927).
- ALSA: bebob: Fix prototype of helper function to return negative
  value (bnc#1151927).
- ALSA: timer: Fix mutex deadlock at releasing card (bnc#1151927).
- ALSA: hda/realtek - Fix 2 front mics of codec 0x623
  (bnc#1151927).
- ALSA: hda/realtek - Add support for ALC623 (bnc#1151927).
- ath10k: fix latency issue for QCA988x (bnc#1151927).
- UAS: Revert commit 3ae62a42090f ("UAS: fix alignment of
  scatter/gather segments") (bnc#1151927).
- nl80211: fix validation of mesh path nexthop (bnc#1151927).
- USB: gadget: Reject endpoints with 0 maxpacket value
  (bnc#1151927).
- usb-storage: Revert commit 747668dbc061 ("usb-storage: Set
  virt_boundary_mask to avoid SG overflows") (bnc#1151927).
- USB: ldusb: fix ring-buffer locking (bnc#1151927).
- USB: ldusb: fix control-message timeout (bnc#1151927).
- usb: xhci: fix Immediate Data Transfer endianness (bnc#1151927).
- usb: xhci: fix __le32/__le64 accessors in debugfs code
  (bnc#1151927).
- USB: serial: whiteheat: fix potential slab corruption
  (bnc#1151927).
- USB: serial: whiteheat: fix line-speed endianness (bnc#1151927).
- xhci: Fix use-after-free regression in xhci clear hub TT
  implementation (bnc#1151927).
- scsi: qla2xxx: Fix partial flash write of MBI (bnc#1151927).
- scsi: target: cxgbit: Fix cxgbit_fw4_ack() (bnc#1151927).
- HID: i2c-hid: add Trekstor Primebook C11B to descriptor override
  (bnc#1151927).
- HID: Fix assumption that devices have inputs (bnc#1151927).
- HID: fix error message in hid_open_report() (bnc#1151927).
- HID: logitech-hidpp: split g920_get_config() (bnc#1151927).
- HID: logitech-hidpp: rework device validation (bnc#1151927).
- HID: logitech-hidpp: do all FF cleanup in hidpp_ff_destroy()
  (bnc#1151927).
- um-ubd: Entrust re-queue to the upper layers (bnc#1151927).
- s390/unwind: fix mixing regs and sp (bnc#1151927).
- s390/cmm: fix information leak in cmm_timeout_handler()
  (bnc#1151927).
- s390/idle: fix cpu idle time calculation (bnc#1151927).
- ARC: perf: Accommodate big-endian CPU (bnc#1151927).
- IB/hfi1: Avoid excessive retry for TID RDMA READ request
  (bnc#1151927).
- arm64: Ensure VM_WRITE|VM_SHARED ptes are clean by default
  (bnc#1151927).
- arm64: cpufeature: Enable Qualcomm Falkor/Kryo errata 1003
  (bnc#1151927).
- virtio_ring: fix stalls for packed rings (bnc#1151927).
- rtlwifi: rtl_pci: Fix problem of too small skb->len
  (bnc#1151927).
- KVM: vmx, svm: always run with EFER.NXE=1 when shadow paging
  is active (bnc#1151927).
- dmaengine: qcom: bam_dma: Fix resource leak (bnc#1151927).
- dmaengine: tegra210-adma: fix transfer failure (bnc#1151927).
- dmaengine: imx-sdma: fix size check for sdma script_number
  (bnc#1151927).
- dmaengine: cppi41: Fix cppi41_dma_prep_slave_sg() when idle
  (bnc#1151927).
- drm/amdgpu/gmc10: properly set BANK_SELECT and FRAGMENT_SIZE
  (bnc#1151927).
- drm/i915: Fix PCH reference clock for FDI on HSW/BDW
  (bnc#1151927).
- drm/amdgpu/gfx10: update gfx golden settings (bnc#1151927).
- drm/amdgpu/powerplay/vega10: allow undervolting in p7
  (bnc#1151927).
- drm/amdgpu: Fix SDMA hang when performing VKexample test
  (bnc#1151927).
- NFS: Fix an RCU lock leak in nfs4_refresh_delegation_stateid()
  (bnc#1151927).
- io_uring: ensure we clear io_kiocb->result before each issue
  (bnc#1151927).
- iommu/vt-d: Fix panic after kexec -p for kdump (bnc#1151927).
- batman-adv: Avoid free/alloc race when handling OGM buffer
  (bnc#1151927).
- llc: fix sk_buff leak in llc_sap_state_process() (bnc#1151927).
- llc: fix sk_buff leak in llc_conn_service() (bnc#1151927).
- rxrpc: Fix call ref leak (bnc#1151927).
- rxrpc: rxrpc_peer needs to hold a ref on the rxrpc_local record
  (bnc#1151927).
- rxrpc: Fix trace-after-put looking at the put peer record
  (bnc#1151927).
- NFC: pn533: fix use-after-free and memleaks (bnc#1151927).
- bonding: fix potential NULL deref in bond_update_slave_arr
  (bnc#1151927).
- netfilter: conntrack: avoid possible false sharing
  (bnc#1151927).
- net: usb: sr9800: fix uninitialized local variable
  (bnc#1151927).
- sch_netem: fix rcu splat in netem_enqueue() (bnc#1151927).
- net: sched: sch_sfb: don't call qdisc_put() while holding tree
  lock (bnc#1151927).
- iwlwifi: exclude GEO SAR support for 3168 (bnc#1151927).
- sched/fair: Fix low cpu usage with high throttling by removing
  expiration of cpu-local slices (bnc#1151927).
- ALSA: usb-audio: DSD auto-detection for Playback Designs
  (bnc#1151927).
- ALSA: usb-audio: Update DSD support quirks for Oppo and Rotel
  (bnc#1151927).
- ALSA: usb-audio: Add DSD support for Gustard U16/X26 USB
  Interface (bnc#1151927).
- RDMA/mlx5: Use irq xarray locking for mkey_table (bnc#1151927).
- sched/fair: Fix -Wunused-but-set-variable warnings
  (bnc#1151927).
- powerpc/powernv: Fix CPU idle to be called with IRQs disabled
  (bnc#1151927).
- Revert "nvme: allow 64-bit results in passthru commands"
  (bnc#1151927).
- Revert "ALSA: hda: Flush interrupts on disabling" (bnc#1151927).
- commit b0d4923
- rpm/kernel-binary.spec.in: add COMPRESS_VMLINUX (bnc#1155921)
  Let COMPRESS_VMLINUX determine the compression used for vmlinux. By
  default (historically), it is gz.
- commit c8b2d9f
- ALSA: hda/ca0132 - Fix possible workqueue stall (bsc#1155836).
- commit 98ead79
- stacktrace: Don't skip first entry on noncurrent tasks
  (bnc#1154866).
  Update upstream status.
- commit f4d9b5e
- rpm/kernel-subpackage-spec: Mention debuginfo in the subpackage
  description (bsc#1149119).
- commit 525ec92
- ata: make qc_prep return ata_completion_errors (bnc#1110252).
- ata: define AC_ERR_OK (bnc#1110252).
- ata: sata_mv, avoid trigerrable BUG_ON (bnc#1110252).
- commit 8bf663b

==== rpm-config-SUSE ====
Version update (0.g42 -> 0.g44)

- Update to version 0.g44:
  * Sync specfile changes
  * Add _lto_cflags to suse_macros for now

==== snapper ====
Version update (0.8.5 -> 0.8.6)
Subpackages: libsnapper4

- add --machine-readable option for CSV and JSON outputs.
- add --columns option for selecting columns in the commands list,
  list-configs and get-config.
- bsc#1149322
- version 0.8.6

==== wpa_supplicant ====
Version update (2.6 -> 2.9)

- Update to 2.9 release:
  * SAE changes
  - disable use of groups using Brainpool curves
  - improved protection against side channel attacks
    [https://w1.fi/security/2019-6/]
  * EAP-pwd changes
  - disable use of groups using Brainpool curves
  - allow the set of groups to be configured (eap_pwd_groups)
  - improved protection against side channel attacks
    [https://w1.fi/security/2019-6/]
  * fixed FT-EAP initial mobility domain association using PMKSA caching
    (disabled by default for backwards compatibility; can be enabled
    with ft_eap_pmksa_caching=1)
  * fixed a regression in OpenSSL 1.1+ engine loading
  * added validation of RSNE in (Re)Association Response frames
  * fixed DPP bootstrapping URI parser of channel list
  * extended EAP-SIM/AKA fast re-authentication to allow use with FILS
  * extended ca_cert_blob to support PEM format
  * improved robustness of P2P Action frame scheduling
  * added support for EAP-SIM/AKA using anonymous@realm identity
  * fixed Hotspot 2.0 credential selection based on roaming consortium
    to ignore credentials without a specific EAP method
  * added experimental support for EAP-TEAP peer (RFC 7170)
  * added experimental support for EAP-TLS peer with TLS v1.3
  * fixed a regression in WMM parameter configuration for a TDLS peer
  * fixed a regression in operation with drivers that offload 802.1X
    4-way handshake
  * fixed an ECDH operation corner case with OpenSSL
  * SAE changes
  - added support for SAE Password Identifier
  - changed default configuration to enable only groups 19, 20, 21
    (i.e., disable groups 25 and 26) and disable all unsuitable groups
    completely based on REVmd changes
  - do not regenerate PWE unnecessarily when the AP uses the
    anti-clogging token mechanisms
  - fixed some association cases where both SAE and FT-SAE were enabled
    on both the station and the selected AP
  - started to prefer FT-SAE over SAE AKM if both are enabled
  - started to prefer FT-SAE over FT-PSK if both are enabled
  - fixed FT-SAE when SAE PMKSA caching is used
  - reject use of unsuitable groups based on new implementation guidance
    in REVmd (allow only FFC groups with prime >= 3072 bits and ECC
    groups with prime >= 256)
  - minimize timing and memory use differences in PWE derivation
    [https://w1.fi/security/2019-1/] (CVE-2019-9494)
  * EAP-pwd changes
  - minimize timing and memory use differences in PWE derivation
    [https://w1.fi/security/2019-2/] (CVE-2019-9495)
  - verify server scalar/element
    [https://w1.fi/security/2019-4/] (CVE-2019-9499)
  - fix message reassembly issue with unexpected fragment
    [https://w1.fi/security/2019-5/]
  - enforce rand,mask generation rules more strictly
  - fix a memory leak in PWE derivation
  - disallow ECC groups with a prime under 256 bits (groups 25, 26, and
    27)
  * fixed CONFIG_IEEE80211R=y (FT) build without CONFIG_FILS=y
  * Hotspot 2.0 changes
  - do not indicate release number that is higher than the one
    AP supports
  - added support for release number 3
  - enable PMF automatically for network profiles created from
    credentials
  * fixed OWE network profile saving
  * fixed DPP network profile saving
  * added support for RSN operating channel validation
    (CONFIG_OCV=y and network profile parameter ocv=1)
  * added Multi-AP backhaul STA support
  * fixed build with LibreSSL
  * number of MKA/MACsec fixes and extensions
  * extended domain_match and domain_suffix_match to allow list of values
  * fixed dNSName matching in domain_match and domain_suffix_match when
    using wolfSSL
  * started to prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192 AKM if both
    are enabled
  * extended nl80211 Connect and external authentication to support
    SAE, FT-SAE, FT-EAP-SHA384
  * fixed KEK2 derivation for FILS+FT
  * extended client_cert file to allow loading of a chain of PEM
    encoded certificates
  * extended beacon reporting functionality
  * extended D-Bus interface with number of new properties
  * fixed a regression in FT-over-DS with mac80211-based drivers
  * OpenSSL: allow systemwide policies to be overridden
  * extended driver flags indication for separate 802.1X and PSK
    4-way handshake offload capability
  * added support for random P2P Device/Interface Address use
  * extended PEAP to derive EMSK to enable use with ERP/FILS
  * extended WPS to allow SAE configuration to be added automatically
    for PSK (wps_cred_add_sae=1)
  * removed support for the old D-Bus interface (CONFIG_CTRL_IFACE_DBUS)
  * extended domain_match and domain_suffix_match to allow list of values
  * added a RSN workaround for misbehaving PMF APs that advertise
    IGTK/BIP KeyID using incorrect byte order
  * fixed PTK rekeying with FILS and FT
  * fixed WPA packet number reuse with replayed messages and key
    reinstallation
    [https://w1.fi/security/2017-1/] (CVE-2017-13077, CVE-2017-13078,
    CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082,
    CVE-2017-13086, CVE-2017-13087, CVE-2017-13088)
  * fixed unauthenticated EAPOL-Key decryption in wpa_supplicant
    [https://w1.fi/security/2018-1/] (CVE-2018-14526)
  * added support for FILS (IEEE 802.11ai) shared key authentication
  * added support for OWE (Opportunistic Wireless Encryption, RFC 8110;
    and transition mode defined by WFA)
  * added support for DPP (Wi-Fi Device Provisioning Protocol)
  * added support for RSA 3k key case with Suite B 192-bit level
  * fixed Suite B PMKSA caching not to update PMKID during each 4-way
    handshake
  * fixed EAP-pwd pre-processing with PasswordHashHash
  * added EAP-pwd client support for salted passwords
  * fixed a regression in TDLS prohibited bit validation
  * started to use estimated throughput to avoid undesired signal
    strength based roaming decision
  * MACsec/MKA:
  - new macsec_linux driver interface support for the Linux
    kernel macsec module
  - number of fixes and extensions
  * added support for external persistent storage of PMKSA cache
    (PMKSA_GET/PMKSA_ADD control interface commands; and
    MESH_PMKSA_GET/MESH_PMKSA_SET for the mesh case)
  * fixed mesh channel configuration pri/sec switch case
  * added support for beacon report
  * large number of other fixes, cleanup, and extensions
  * added support for randomizing local address for GAS queries
    (gas_rand_mac_addr parameter)
  * fixed EAP-SIM/AKA/AKA' ext auth cases within TLS tunnel
  * added option for using random WPS UUID (auto_uuid=1)
  * added SHA256-hash support for OCSP certificate matching
  * fixed EAP-AKA' to add AT_KDF into Synchronization-Failure
  * fixed a regression in RSN pre-authentication candidate selection
  * added option to configure allowed group management cipher suites
    (group_mgmt network profile parameter)
  * removed all PeerKey functionality
  * fixed nl80211 AP and mesh mode configuration regression with
    Linux 4.15 and newer
  * added ap_isolate configuration option for AP mode
  * added support for nl80211 to offload 4-way handshake into the driver
  * added support for using wolfSSL cryptographic library
  * SAE
  - added support for configuring SAE password separately of the
    WPA2 PSK/passphrase
  - fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection
    for SAE;
    note: this is not backwards compatible, i.e., both the AP and
    station side implementations will need to be update at the same
    time to maintain interoperability
  - added support for Password Identifier
  - fixed FT-SAE PMKID matching
  * Hotspot 2.0
  - added support for fetching of Operator Icon Metadata ANQP-element
  - added support for Roaming Consortium Selection element
  - added support for Terms and Conditions
  - added support for OSEN connection in a shared RSN BSS
  - added support for fetching Venue URL information
  * added support for using OpenSSL 1.1.1
  * FT
  - disabled PMKSA caching with FT since it is not fully functional
  - added support for SHA384 based AKM
  - added support for BIP ciphers BIP-CMAC-256, BIP-GMAC-128,
    BIP-GMAC-256 in addition to previously supported BIP-CMAC-128
  - fixed additional IE inclusion in Reassociation Request frame when
    using FT protocol
- Drop merged patches:
  * rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch
  * rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch
  * rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch
  * rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch
  * rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch
  * rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch
  * rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch
  * rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
  * rebased-v2.6-0009-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch
  * wpa_supplicant-bnc-1099835-fix-private-key-password.patch
  * wpa_supplicant-bnc-1099835-clear-default_passwd_cb.patch
  * wpa_supplicant-log-file-permission.patch
  * wpa_supplicant-log-file-cloexec.patch
  * wpa_supplicant-git-fa67debf4c6ddbc881a212b175faa6d5d0d90c8c.patch
  * wpa_supplicant-git-f5b74b966c942feb95a8ddbb7d130540b15b796d.patch
- Rebase patches:
  * wpa_supplicant-getrandom.patch

==== zstd ====
Version update (1.4.3 -> 1.4.4)

- Update to version 1.4.4
  * perf: Improved decompression speed, by > 10%
  * perf: Better compression speed when re-using a context
  * perf: Fix compression ratio when compressing large files with
    small dictionary
  * perf: zstd reference encoder can generate RLE blocks
  * perf: minor generic speed optimization
  * api: new ability to extract sequences from the parser for analysis
  * api: fixed decoding of magic-less frames
  * api: fixed ZSTD_initCStream_advanced() performance with fast modes
  * cli: Named pipes support
  * cli: short tar's extension support
  * cli: command --output-dir-flat=DIE , generates target files into
    requested directory
  * cli: commands --stream-size=# and --size-hint=#
  * cli: command --exclude-compressed
  * cli: faster -t test mode
  * cli: improved some error messages
  * cli: fix rare deadlock condition within dictionary builder
  * misc: Improved documentation : ZSTD_CLEVEL, DYNAMIC_BMI2,
    ZSTD_CDict, function deprecation, zstd format
  * misc: fixed educational decoder : accept larger literals section,
    and removed UNALIGNED() macro
- Refresh pzstd.1.patch