diff --git a/dtb-aarch64.changes b/dtb-aarch64.changes
index 22bbeb53..40a021d8 100644
--- a/dtb-aarch64.changes
+++ b/dtb-aarch64.changes
@@ -1,3 +1,40 @@
+-------------------------------------------------------------------
+Tue Oct 3 16:19:55 CEST 2023 - palcantara@suse.de
+
+- cifs: Fix UAF in cifs_demultiplex_thread() (bsc#1208995
+ CVE-2023-1192).
+- commit 34d5680
+
+-------------------------------------------------------------------
+Tue Oct 3 16:18:13 CEST 2023 - palcantara@suse.de
+
+- fs/smb/client: Reset password pointer to NULL (bsc#1215899
+ CVE-2023-5345).
+- commit 180c31b
+
+-------------------------------------------------------------------
+Tue Oct 3 08:47:21 CEST 2023 - mkubecek@suse.cz
+
+- netfilter: ipset: Fix race between IPSET_CMD_CREATE and
+ IPSET_CMD_SWAP (CVE-2023-42756 bsc#1215767).
+- commit 5c8516c
+
+-------------------------------------------------------------------
+Tue Oct 3 08:45:02 CEST 2023 - mkubecek@suse.cz
+
+- Update
+ patches.kernel.org/6.5.3-622-netfilter-ipset-add-the-missing-IP_SET_HASH_WIT.patch
+ references (add CVE-2023-42753 bsc#1215150).
+- commit ddd076d
+
+-------------------------------------------------------------------
+Mon Sep 25 19:40:07 CEST 2023 - msuchanek@suse.de
+
+- kernel-binary: Move build-time definitions together
+ Move source list and build architecture to buildrequires to aid in
+ future reorganization of the spec template.
+- commit 30e2cef
+
 -------------------------------------------------------------------
 Mon Sep 25 10:34:49 CEST 2023 - jslaby@suse.cz
 
diff --git a/dtb-aarch64.spec b/dtb-aarch64.spec
index de2e4cfa..6a42e916 100644
--- a/dtb-aarch64.spec
+++ b/dtb-aarch64.spec
@@ -27,7 +27,7 @@
 Name: dtb-aarch64
 Version: 6.5.5
 %if 0%{?is_kotd}
-Release: .g6cf5261
+Release: .gb8b4c84
 %else
 Release: 0
 %endif
diff --git a/dtb-armv6l.changes b/dtb-armv6l.changes
index 22bbeb53..40a021d8 100644
--- a/dtb-armv6l.changes
+++ b/dtb-armv6l.changes
@@ -1,3 +1,40 @@
+-------------------------------------------------------------------
+Tue Oct 3 16:19:55 CEST 2023 - palcantara@suse.de
+
+- cifs: Fix UAF in cifs_demultiplex_thread() (bsc#1208995
+ CVE-2023-1192).
+- commit 34d5680
+
+-------------------------------------------------------------------
+Tue Oct 3 16:18:13 CEST 2023 - palcantara@suse.de
+
+- fs/smb/client: Reset password pointer to NULL (bsc#1215899
+ CVE-2023-5345).
+- commit 180c31b
+
+-------------------------------------------------------------------
+Tue Oct 3 08:47:21 CEST 2023 - mkubecek@suse.cz
+
+- netfilter: ipset: Fix race between IPSET_CMD_CREATE and
+ IPSET_CMD_SWAP (CVE-2023-42756 bsc#1215767).
+- commit 5c8516c
+
+-------------------------------------------------------------------
+Tue Oct 3 08:45:02 CEST 2023 - mkubecek@suse.cz
+
+- Update
+ patches.kernel.org/6.5.3-622-netfilter-ipset-add-the-missing-IP_SET_HASH_WIT.patch
+ references (add CVE-2023-42753 bsc#1215150).
+- commit ddd076d
+
+-------------------------------------------------------------------
+Mon Sep 25 19:40:07 CEST 2023 - msuchanek@suse.de
+
+- kernel-binary: Move build-time definitions together
+ Move source list and build architecture to buildrequires to aid in
+ future reorganization of the spec template.
+- commit 30e2cef
+
 -------------------------------------------------------------------
 Mon Sep 25 10:34:49 CEST 2023 - jslaby@suse.cz
 
diff --git a/dtb-armv6l.spec b/dtb-armv6l.spec
index ef7c6564..1e62346e 100644
--- a/dtb-armv6l.spec
+++ b/dtb-armv6l.spec
@@ -27,7 +27,7 @@
 Name: dtb-armv6l
 Version: 6.5.5
 %if 0%{?is_kotd}
-Release: .g6cf5261
+Release: .gb8b4c84
 %else
 Release: 0
 %endif
diff --git a/dtb-armv7l.changes b/dtb-armv7l.changes
index 22bbeb53..40a021d8 100644
--- a/dtb-armv7l.changes
+++ b/dtb-armv7l.changes
@@ -1,3 +1,40 @@
+-------------------------------------------------------------------
+Tue Oct 3 16:19:55 CEST 2023 - palcantara@suse.de
+
+- cifs: Fix UAF in cifs_demultiplex_thread() (bsc#1208995
+ CVE-2023-1192).
+- commit 34d5680
+
+-------------------------------------------------------------------
+Tue Oct 3 16:18:13 CEST 2023 - palcantara@suse.de
+
+- fs/smb/client: Reset password pointer to NULL (bsc#1215899
+ CVE-2023-5345).
+- commit 180c31b
+
+-------------------------------------------------------------------
+Tue Oct 3 08:47:21 CEST 2023 - mkubecek@suse.cz
+
+- netfilter: ipset: Fix race between IPSET_CMD_CREATE and
+ IPSET_CMD_SWAP (CVE-2023-42756 bsc#1215767).
+- commit 5c8516c
+
+-------------------------------------------------------------------
+Tue Oct 3 08:45:02 CEST 2023 - mkubecek@suse.cz
+
+- Update
+ patches.kernel.org/6.5.3-622-netfilter-ipset-add-the-missing-IP_SET_HASH_WIT.patch
+ references (add CVE-2023-42753 bsc#1215150).
+- commit ddd076d
+
+-------------------------------------------------------------------
+Mon Sep 25 19:40:07 CEST 2023 - msuchanek@suse.de
+
+- kernel-binary: Move build-time definitions together
+ Move source list and build architecture to buildrequires to aid in
+ future reorganization of the spec template.
+- commit 30e2cef
+
 -------------------------------------------------------------------
 Mon Sep 25 10:34:49 CEST 2023 - jslaby@suse.cz
 
diff --git a/dtb-armv7l.spec b/dtb-armv7l.spec
index 3429e9eb..b313e102 100644
--- a/dtb-armv7l.spec
+++ b/dtb-armv7l.spec
@@ -27,7 +27,7 @@
 Name: dtb-armv7l
 Version: 6.5.5
 %if 0%{?is_kotd}
-Release: .g6cf5261
+Release: .gb8b4c84
 %else
 Release: 0
 %endif
diff --git a/dtb-riscv64.changes b/dtb-riscv64.changes
index 22bbeb53..40a021d8 100644
--- a/dtb-riscv64.changes
+++ b/dtb-riscv64.changes
@@ -1,3 +1,40 @@
+-------------------------------------------------------------------
+Tue Oct 3 16:19:55 CEST 2023 - palcantara@suse.de
+
+- cifs: Fix UAF in cifs_demultiplex_thread() (bsc#1208995
+ CVE-2023-1192).
+- commit 34d5680
+
+-------------------------------------------------------------------
+Tue Oct 3 16:18:13 CEST 2023 - palcantara@suse.de
+
+- fs/smb/client: Reset password pointer to NULL (bsc#1215899
+ CVE-2023-5345).
+- commit 180c31b
+
+-------------------------------------------------------------------
+Tue Oct 3 08:47:21 CEST 2023 - mkubecek@suse.cz
+
+- netfilter: ipset: Fix race between IPSET_CMD_CREATE and
+ IPSET_CMD_SWAP (CVE-2023-42756 bsc#1215767).
+- commit 5c8516c
+
+-------------------------------------------------------------------
+Tue Oct 3 08:45:02 CEST 2023 - mkubecek@suse.cz
+
+- Update
+ patches.kernel.org/6.5.3-622-netfilter-ipset-add-the-missing-IP_SET_HASH_WIT.patch
+ references (add CVE-2023-42753 bsc#1215150).
+- commit ddd076d
+
+-------------------------------------------------------------------
+Mon Sep 25 19:40:07 CEST 2023 - msuchanek@suse.de
+
+- kernel-binary: Move build-time definitions together
+ Move source list and build architecture to buildrequires to aid in
+ future reorganization of the spec template.
+- commit 30e2cef
+
 -------------------------------------------------------------------
 Mon Sep 25 10:34:49 CEST 2023 - jslaby@suse.cz
 
diff --git a/dtb-riscv64.spec b/dtb-riscv64.spec
index 0ccc28a7..1fe4a79f 100644
--- a/dtb-riscv64.spec
+++ b/dtb-riscv64.spec
@@ -27,7 +27,7 @@
 Name: dtb-riscv64
 Version: 6.5.5
 %if 0%{?is_kotd}
-Release: .g6cf5261
+Release: .gb8b4c84
 %else
 Release: 0
 %endif
diff --git a/kernel-64kb.changes b/kernel-64kb.changes
index 22bbeb53..40a021d8 100644
--- a/kernel-64kb.changes
+++ b/kernel-64kb.changes
@@ -1,3 +1,40 @@
+-------------------------------------------------------------------
+Tue Oct 3 16:19:55 CEST 2023 - palcantara@suse.de
+
+- cifs: Fix UAF in cifs_demultiplex_thread() (bsc#1208995
+ CVE-2023-1192).
+- commit 34d5680
+
+-------------------------------------------------------------------
+Tue Oct 3 16:18:13 CEST 2023 - palcantara@suse.de
+
+- fs/smb/client: Reset password pointer to NULL (bsc#1215899
+ CVE-2023-5345).
+- commit 180c31b
+
+-------------------------------------------------------------------
+Tue Oct 3 08:47:21 CEST 2023 - mkubecek@suse.cz
+
+- netfilter: ipset: Fix race between IPSET_CMD_CREATE and
+ IPSET_CMD_SWAP (CVE-2023-42756 bsc#1215767).
+- commit 5c8516c
+
+-------------------------------------------------------------------
+Tue Oct 3 08:45:02 CEST 2023 - mkubecek@suse.cz
+
+- Update
+ patches.kernel.org/6.5.3-622-netfilter-ipset-add-the-missing-IP_SET_HASH_WIT.patch
+ references (add CVE-2023-42753 bsc#1215150).
+- commit ddd076d
+
+-------------------------------------------------------------------
+Mon Sep 25 19:40:07 CEST 2023 - msuchanek@suse.de
+
+- kernel-binary: Move build-time definitions together
+ Move source list and build architecture to buildrequires to aid in
+ future reorganization of the spec template.
+- commit 30e2cef
+
 -------------------------------------------------------------------
 Mon Sep 25 10:34:49 CEST 2023 - jslaby@suse.cz
 
diff --git a/kernel-64kb.spec b/kernel-64kb.spec
index f49ce62e..540ef862 100644
--- a/kernel-64kb.spec
+++ b/kernel-64kb.spec
@@ -114,7 +114,7 @@ License: GPL-2.0-only
 Group: System/Kernel
 Version: 6.5.5
 %if 0%{?is_kotd}
-Release: .g6cf5261
+Release: .gb8b4c84
 %else
 Release: 0
 %endif
@@ -158,91 +158,6 @@ BuildRequires: u-boot-tools # Remove some packages that are installed automatically by the build system, # but are not needed to build the kernel #!BuildIgnore: autoconf automake gettext-runtime libtool cvs gettext-tools udev insserv -# Force bzip2 instead of lzma compression to -# 1) allow install on older dist versions, and -# 2) decrease build times (bsc#962356 boo#1175882) -%define _binary_payload w9.bzdio -# Do not recompute the build-id of vmlinux in find-debuginfo.sh (bsc#964063) -%undefine _unique_build_ids -%define _no_recompute_build_ids 1 -# prevent usr/lib/debug/boot/vmlinux-4.12.14-11.10-default-4.12.14-11.10.ppc64le.debug -%undefine _unique_debug_names - -%if "%{compress_modules}" == "zstd" -BuildRequires: zstd -# Make sure kmod supports zstd compressed modules -Requires(post): kmod-zstd -%endif -Provides: %name = %version-%source_rel -# bnc#901925 -Provides: %name-%version-%source_rel -Provides: %{name}_%_target_cpu = %version-%source_rel -Provides: kernel-base = %version-%source_rel -Provides: multiversion(kernel) -# In SLE11, kernel-$flavor complemented kernel-$flavor-base. With SLE12, -# kernel-$flavor itself contains all the needed files and kernel-$flavor-base -# is a subset that can replace kernel-$flavor in some scenarios. We need to -# obsolete the -base subpackage from SLE11, so that the base files are not -# owned by multiple packages now. The dependency is not correct wrt openSUSE -# 11.2 - 11.4, but we primarily care about the supported upgrade path. 
-Obsoletes: %name-base < 3.1 -%if ("%build_flavor" != "kvmsmall") && ("%build_flavor" != "azure") -Recommends: kernel-firmware -%endif -# The following is copied to the -base subpackage as well -# BEGIN COMMON DEPS -Requires(pre): suse-kernel-rpm-scriptlets -Requires(post): suse-kernel-rpm-scriptlets -Requires: suse-kernel-rpm-scriptlets -Requires(preun): suse-kernel-rpm-scriptlets -Requires(postun): suse-kernel-rpm-scriptlets -Requires(pre): coreutils awk -# For /usr/lib/module-init-tools/weak-modules2 -Requires(post): suse-module-tools -# For depmod (modutils is a dependency provided by both module-init-tools and -# kmod-compat) -Requires(post): modutils -# This Requires is wrong, because the post/postun scripts have a -# test -x update-bootloader, having perl-Bootloader is not a hard requirement. -# But, there is no way to tell rpm or yast to schedule the installation -# of perl-Bootloader before kernel-binary.rpm if both are in the list of -# packages to install/update. Likewise, this is true for dracut. -# Need a perl-Bootloader with /usr/lib/bootloader/bootloader_entry -Requires(post): perl-Bootloader >= 0.4.15 -Requires(post): dracut -# Install the package providing /etc/SuSE-release early enough, so that -# the grub entry has correct title (bnc#757565) -Requires(post): distribution-release - -%if 0%{?usrmerged} -# make sure we have a post-usrmerge system -Conflicts: filesystem < 16 -%endif - -Obsoletes: microcode_ctl < 1.18 - -%{lua: fd, err = io.open(rpm.expand('%_sourcedir') .. '/kernel-binary-conflicts') - if not fd then io.stderr:write(err) end - unpack = table.unpack or unpack - for l in fd:lines() do - if #l > 0 and l:sub(1,1) ~= '#' then - words = {} ; for w in l:gmatch("([^%s]+)%s*") do table.insert(words, w) end - package, version = unpack(words) - print('Conflicts: ' .. package .. ' < '.. version .. 
'\n') - end - end - fd:close() -} - -%ifarch %ix86 -Conflicts: libc.so.6()(64bit) -%endif -Provides: kernel = %version-%source_rel -Provides: kernel-%build_flavor-base-srchash-6cf5261da0ebc2ca4f200ee6fe0fde9d6c3eff3e -Provides: kernel-srchash-6cf5261da0ebc2ca4f200ee6fe0fde9d6c3eff3e -# END COMMON DEPS -Provides: %name-srchash-6cf5261da0ebc2ca4f200ee6fe0fde9d6c3eff3e -%obsolete_rebuilds %name Source0: https://www.kernel.org/pub/linux/kernel/v6.x/linux-%srcversion.tar.xz Source3: kernel-source.rpmlintrc Source14: series.conf 
@@ -382,19 +297,107 @@ NoSource: 113 NoSource: 114 NoSource: 120 NoSource: 121 - ExclusiveArch: aarch64 -%define kmp_target_cpu %_target_cpu %ifarch %ix86 # Only i386/default supports i586, mark other flavors' packages as i686 %if ! %build_default BuildArch: i686 +%endif +%endif + +# Force bzip2 instead of lzma compression to +# 1) allow install on older dist versions, and +# 2) decrease build times (bsc#962356 boo#1175882) +%define _binary_payload w9.bzdio +# Do not recompute the build-id of vmlinux in find-debuginfo.sh (bsc#964063) +%undefine _unique_build_ids +%define _no_recompute_build_ids 1 +# prevent usr/lib/debug/boot/vmlinux-4.12.14-11.10-default-4.12.14-11.10.ppc64le.debug +%undefine _unique_debug_names + +%if "%{compress_modules}" == "zstd" +BuildRequires: zstd +# Make sure kmod supports zstd compressed modules +Requires(post): kmod-zstd +%endif +Provides: %name = %version-%source_rel +# bnc#901925 +Provides: %name-%version-%source_rel +Provides: %{name}_%_target_cpu = %version-%source_rel +Provides: kernel-base = %version-%source_rel +Provides: multiversion(kernel) +# In SLE11, kernel-$flavor complemented kernel-$flavor-base. With SLE12, +# kernel-$flavor itself contains all the needed files and kernel-$flavor-base +# is a subset that can replace kernel-$flavor in some scenarios. We need to +# obsolete the -base subpackage from SLE11, so that the base files are not +# owned by multiple packages now. The dependency is not correct wrt openSUSE +# 11.2 - 11.4, but we primarily care about the supported upgrade path. 
+Obsoletes: %name-base < 3.1 +%if ("%build_flavor" != "kvmsmall") && ("%build_flavor" != "azure") +Recommends: kernel-firmware +%endif +# The following is copied to the -base subpackage as well +# BEGIN COMMON DEPS +Requires(pre): suse-kernel-rpm-scriptlets +Requires(post): suse-kernel-rpm-scriptlets +Requires: suse-kernel-rpm-scriptlets +Requires(preun): suse-kernel-rpm-scriptlets +Requires(postun): suse-kernel-rpm-scriptlets +Requires(pre): coreutils awk +# For /usr/lib/module-init-tools/weak-modules2 +Requires(post): suse-module-tools +# For depmod (modutils is a dependency provided by both module-init-tools and +# kmod-compat) +Requires(post): modutils +# This Requires is wrong, because the post/postun scripts have a +# test -x update-bootloader, having perl-Bootloader is not a hard requirement. +# But, there is no way to tell rpm or yast to schedule the installation +# of perl-Bootloader before kernel-binary.rpm if both are in the list of +# packages to install/update. Likewise, this is true for dracut. +# Need a perl-Bootloader with /usr/lib/bootloader/bootloader_entry +Requires(post): perl-Bootloader >= 0.4.15 +Requires(post): dracut +# Install the package providing /etc/SuSE-release early enough, so that +# the grub entry has correct title (bnc#757565) +Requires(post): distribution-release + +%if 0%{?usrmerged} +# make sure we have a post-usrmerge system +Conflicts: filesystem < 16 +%endif + +Obsoletes: microcode_ctl < 1.18 + +%{lua: fd, err = io.open(rpm.expand('%_sourcedir') .. '/kernel-binary-conflicts') + if not fd then io.stderr:write(err) end + unpack = table.unpack or unpack + for l in fd:lines() do + if #l > 0 and l:sub(1,1) ~= '#' then + words = {} ; for w in l:gmatch("([^%s]+)%s*") do table.insert(words, w) end + package, version = unpack(words) + print('Conflicts: ' .. package .. ' < '.. version .. 
'\n') + end + end + fd:close() +} + +%ifarch %ix86 +Conflicts: libc.so.6()(64bit) +%endif +Provides: kernel = %version-%source_rel +Provides: kernel-%build_flavor-base-srchash-b8b4c841314499b66975eeddde9850cfd8083fe3 +Provides: kernel-srchash-b8b4c841314499b66975eeddde9850cfd8083fe3 +# END COMMON DEPS +Provides: %name-srchash-b8b4c841314499b66975eeddde9850cfd8083fe3 +%obsolete_rebuilds %name + +%define kmp_target_cpu %_target_cpu +%ifarch %ix86 # KMPs are always built as i586, because rpm does not allow to build # subpackages for different architectures. Therefore, we change the # /usr/src/linux-obj/ symlink to i586. %define kmp_target_cpu i586 %endif -%endif %if %build_default %if "%CONFIG_PREEMPT_DYNAMIC" == "y" @@ -1302,8 +1305,8 @@ Obsoletes: microcode_ctl < 1.18 Conflicts: libc.so.6()(64bit) %endif Provides: kernel = %version-%source_rel -Provides: kernel-%build_flavor-base-srchash-6cf5261da0ebc2ca4f200ee6fe0fde9d6c3eff3e -Provides: kernel-srchash-6cf5261da0ebc2ca4f200ee6fe0fde9d6c3eff3e +Provides: kernel-%build_flavor-base-srchash-b8b4c841314499b66975eeddde9850cfd8083fe3 +Provides: kernel-srchash-b8b4c841314499b66975eeddde9850cfd8083fe3 %obsolete_rebuilds %name-base %ifarch %ix86 diff --git a/kernel-binary.spec.in b/kernel-binary.spec.in index ed158157..383e8f69 100644 --- a/kernel-binary.spec.in +++ b/kernel-binary.spec.in @@ -158,6 +158,15 @@ BuildRequires: u-boot-tools # Remove some packages that are installed automatically by the build system, # but are not needed to build the kernel #!BuildIgnore: autoconf automake gettext-runtime libtool cvs gettext-tools udev insserv +@SOURCES@ +ExclusiveArch: @ARCHS@ +%ifarch %ix86 +# Only i386/default supports i586, mark other flavors' packages as i686 +%if ! %build_default +BuildArch: i686 +%endif +%endif + # Force bzip2 instead of lzma compression to # 1) allow install on older dist versions, and # 2) decrease build times (bsc#962356 boo#1175882) 
@@ -245,20 +254,14 @@ Provides: %name-srchash-@COMMIT_FULL@ @PROVIDES_OBSOLETES@ @PROVIDES_OBSOLETES_BASE@ %obsolete_rebuilds %name -@SOURCES@ -ExclusiveArch: @ARCHS@ %define kmp_target_cpu %_target_cpu %ifarch %ix86 -# Only i386/default supports i586, mark other flavors' packages as i686 -%if ! %build_default -BuildArch: i686 # KMPs are always built as i586, because rpm does not allow to build # subpackages for different architectures. Therefore, we change the # /usr/src/linux-obj/ symlink to i586. %define kmp_target_cpu i586 %endif -%endif %if %build_default %if "%CONFIG_PREEMPT_DYNAMIC" == "y" diff --git a/kernel-debug.changes b/kernel-debug.changes index 22bbeb53..40a021d8 100644 --- a/kernel-debug.changes +++ b/kernel-debug.changes 
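Review bot: The `%define kmp_target_cpu i586` override is no longer inside `%if ! %build_default`, because this hunk removes the opening `%if ! %build_default` and one closing `%endif` around it; on %ix86 the override now applies to every flavor, including default, while the commit message describes only a move. If that widening is intended (it is presumably a no-op when the default flavor's `%_target_cpu` is already i586), state it in the changelog entry; if not, keep the guard as `%if ! %build_default` / `%define kmp_target_cpu i586` / `%endif`. The same nesting appears in the regenerated kernel-64kb.spec and kernel-debug.spec hunks. The `%if %build_default` block at the end of the hunk continues outside it.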
@@ -1,3 +1,40 @@
+-------------------------------------------------------------------
+Tue Oct 3 16:19:55 CEST 2023 - palcantara@suse.de
+
+- cifs: Fix UAF in cifs_demultiplex_thread() (bsc#1208995
+ CVE-2023-1192).
+- commit 34d5680
+
+-------------------------------------------------------------------
+Tue Oct 3 16:18:13 CEST 2023 - palcantara@suse.de
+
+- fs/smb/client: Reset password pointer to NULL (bsc#1215899
+ CVE-2023-5345).
+- commit 180c31b
+
+-------------------------------------------------------------------
+Tue Oct 3 08:47:21 CEST 2023 - mkubecek@suse.cz
+
+- netfilter: ipset: Fix race between IPSET_CMD_CREATE and
+ IPSET_CMD_SWAP (CVE-2023-42756 bsc#1215767).
+- commit 5c8516c
+
+-------------------------------------------------------------------
+Tue Oct 3 08:45:02 CEST 2023 - mkubecek@suse.cz
+
+- Update
+ patches.kernel.org/6.5.3-622-netfilter-ipset-add-the-missing-IP_SET_HASH_WIT.patch
+ references (add CVE-2023-42753 bsc#1215150).
+- commit ddd076d
+
+-------------------------------------------------------------------
+Mon Sep 25 19:40:07 CEST 2023 - msuchanek@suse.de
+
+- kernel-binary: Move build-time definitions together
+ Move source list and build architecture to buildrequires to aid in
+ future reorganization of the spec template.
+- commit 30e2cef
+
 -------------------------------------------------------------------
 Mon Sep 25 10:34:49 CEST 2023 - jslaby@suse.cz
 
diff --git a/kernel-debug.spec b/kernel-debug.spec
index 61b4c960..85e54f63 100644
--- a/kernel-debug.spec
+++ b/kernel-debug.spec
@@ -114,7 +114,7 @@ License: GPL-2.0-only
 Group: System/Kernel
 Version: 6.5.5
 %if 0%{?is_kotd}
-Release: .g6cf5261
+Release: .gb8b4c84
 %else
 Release: 0
 %endif
@@ -158,91 +158,6 @@ BuildRequires: u-boot-tools # Remove some packages that are installed automatically by the build system, # but are not needed to build the kernel #!BuildIgnore: autoconf automake gettext-runtime libtool cvs gettext-tools udev insserv -# Force bzip2 instead of lzma compression to -# 1) allow install on older dist versions, and -# 2) decrease build times (bsc#962356 boo#1175882) -%define _binary_payload w9.bzdio -# Do not recompute the build-id of vmlinux in find-debuginfo.sh (bsc#964063) -%undefine _unique_build_ids -%define _no_recompute_build_ids 1 -# prevent usr/lib/debug/boot/vmlinux-4.12.14-11.10-default-4.12.14-11.10.ppc64le.debug -%undefine _unique_debug_names - -%if "%{compress_modules}" == "zstd" -BuildRequires: zstd -# Make sure kmod supports zstd compressed modules -Requires(post): kmod-zstd -%endif -Provides: %name = %version-%source_rel -# bnc#901925 -Provides: %name-%version-%source_rel -Provides: %{name}_%_target_cpu = %version-%source_rel -Provides: kernel-base = %version-%source_rel -Provides: multiversion(kernel) -# In SLE11, kernel-$flavor complemented kernel-$flavor-base. With SLE12, -# kernel-$flavor itself contains all the needed files and kernel-$flavor-base -# is a subset that can replace kernel-$flavor in some scenarios. We need to -# obsolete the -base subpackage from SLE11, so that the base files are not -# owned by multiple packages now. The dependency is not correct wrt openSUSE -# 11.2 - 11.4, but we primarily care about the supported upgrade path. 
-Obsoletes: %name-base < 3.1 -%if ("%build_flavor" != "kvmsmall") && ("%build_flavor" != "azure") -Recommends: kernel-firmware -%endif -# The following is copied to the -base subpackage as well -# BEGIN COMMON DEPS -Requires(pre): suse-kernel-rpm-scriptlets -Requires(post): suse-kernel-rpm-scriptlets -Requires: suse-kernel-rpm-scriptlets -Requires(preun): suse-kernel-rpm-scriptlets -Requires(postun): suse-kernel-rpm-scriptlets -Requires(pre): coreutils awk -# For /usr/lib/module-init-tools/weak-modules2 -Requires(post): suse-module-tools -# For depmod (modutils is a dependency provided by both module-init-tools and -# kmod-compat) -Requires(post): modutils -# This Requires is wrong, because the post/postun scripts have a -# test -x update-bootloader, having perl-Bootloader is not a hard requirement. -# But, there is no way to tell rpm or yast to schedule the installation -# of perl-Bootloader before kernel-binary.rpm if both are in the list of -# packages to install/update. Likewise, this is true for dracut. -# Need a perl-Bootloader with /usr/lib/bootloader/bootloader_entry -Requires(post): perl-Bootloader >= 0.4.15 -Requires(post): dracut -# Install the package providing /etc/SuSE-release early enough, so that -# the grub entry has correct title (bnc#757565) -Requires(post): distribution-release - -%if 0%{?usrmerged} -# make sure we have a post-usrmerge system -Conflicts: filesystem < 16 -%endif - -Obsoletes: microcode_ctl < 1.18 - -%{lua: fd, err = io.open(rpm.expand('%_sourcedir') .. '/kernel-binary-conflicts') - if not fd then io.stderr:write(err) end - unpack = table.unpack or unpack - for l in fd:lines() do - if #l > 0 and l:sub(1,1) ~= '#' then - words = {} ; for w in l:gmatch("([^%s]+)%s*") do table.insert(words, w) end - package, version = unpack(words) - print('Conflicts: ' .. package .. ' < '.. version .. 
'\n') - end - end - fd:close() -} - -%ifarch %ix86 -Conflicts: libc.so.6()(64bit) -%endif -Provides: kernel = %version-%source_rel -Provides: kernel-%build_flavor-base-srchash-6cf5261da0ebc2ca4f200ee6fe0fde9d6c3eff3e -Provides: kernel-srchash-6cf5261da0ebc2ca4f200ee6fe0fde9d6c3eff3e -# END COMMON DEPS -Provides: %name-srchash-6cf5261da0ebc2ca4f200ee6fe0fde9d6c3eff3e -%obsolete_rebuilds %name Source0: https://www.kernel.org/pub/linux/kernel/v6.x/linux-%srcversion.tar.xz Source3: kernel-source.rpmlintrc Source14: series.conf 
@@ -382,19 +297,107 @@ NoSource: 113 NoSource: 114 NoSource: 120 NoSource: 121 - ExclusiveArch: aarch64 %ix86 ppc64le x86_64 -%define kmp_target_cpu %_target_cpu %ifarch %ix86 # Only i386/default supports i586, mark other flavors' packages as i686 %if ! %build_default BuildArch: i686 +%endif +%endif + +# Force bzip2 instead of lzma compression to +# 1) allow install on older dist versions, and +# 2) decrease build times (bsc#962356 boo#1175882) +%define _binary_payload w9.bzdio +# Do not recompute the build-id of vmlinux in find-debuginfo.sh (bsc#964063) +%undefine _unique_build_ids +%define _no_recompute_build_ids 1 +# prevent usr/lib/debug/boot/vmlinux-4.12.14-11.10-default-4.12.14-11.10.ppc64le.debug +%undefine _unique_debug_names + +%if "%{compress_modules}" == "zstd" +BuildRequires: zstd +# Make sure kmod supports zstd compressed modules +Requires(post): kmod-zstd +%endif +Provides: %name = %version-%source_rel +# bnc#901925 +Provides: %name-%version-%source_rel +Provides: %{name}_%_target_cpu = %version-%source_rel +Provides: kernel-base = %version-%source_rel +Provides: multiversion(kernel) +# In SLE11, kernel-$flavor complemented kernel-$flavor-base. With SLE12, +# kernel-$flavor itself contains all the needed files and kernel-$flavor-base +# is a subset that can replace kernel-$flavor in some scenarios. We need to +# obsolete the -base subpackage from SLE11, so that the base files are not +# owned by multiple packages now. The dependency is not correct wrt openSUSE +# 11.2 - 11.4, but we primarily care about the supported upgrade path. 
+Obsoletes: %name-base < 3.1 +%if ("%build_flavor" != "kvmsmall") && ("%build_flavor" != "azure") +Recommends: kernel-firmware +%endif +# The following is copied to the -base subpackage as well +# BEGIN COMMON DEPS +Requires(pre): suse-kernel-rpm-scriptlets +Requires(post): suse-kernel-rpm-scriptlets +Requires: suse-kernel-rpm-scriptlets +Requires(preun): suse-kernel-rpm-scriptlets +Requires(postun): suse-kernel-rpm-scriptlets +Requires(pre): coreutils awk +# For /usr/lib/module-init-tools/weak-modules2 +Requires(post): suse-module-tools +# For depmod (modutils is a dependency provided by both module-init-tools and +# kmod-compat) +Requires(post): modutils +# This Requires is wrong, because the post/postun scripts have a +# test -x update-bootloader, having perl-Bootloader is not a hard requirement. +# But, there is no way to tell rpm or yast to schedule the installation +# of perl-Bootloader before kernel-binary.rpm if both are in the list of +# packages to install/update. Likewise, this is true for dracut. +# Need a perl-Bootloader with /usr/lib/bootloader/bootloader_entry +Requires(post): perl-Bootloader >= 0.4.15 +Requires(post): dracut +# Install the package providing /etc/SuSE-release early enough, so that +# the grub entry has correct title (bnc#757565) +Requires(post): distribution-release + +%if 0%{?usrmerged} +# make sure we have a post-usrmerge system +Conflicts: filesystem < 16 +%endif + +Obsoletes: microcode_ctl < 1.18 + +%{lua: fd, err = io.open(rpm.expand('%_sourcedir') .. '/kernel-binary-conflicts') + if not fd then io.stderr:write(err) end + unpack = table.unpack or unpack + for l in fd:lines() do + if #l > 0 and l:sub(1,1) ~= '#' then + words = {} ; for w in l:gmatch("([^%s]+)%s*") do table.insert(words, w) end + package, version = unpack(words) + print('Conflicts: ' .. package .. ' < '.. version .. 
'\n') + end + end + fd:close() +} + +%ifarch %ix86 +Conflicts: libc.so.6()(64bit) +%endif +Provides: kernel = %version-%source_rel +Provides: kernel-%build_flavor-base-srchash-b8b4c841314499b66975eeddde9850cfd8083fe3 +Provides: kernel-srchash-b8b4c841314499b66975eeddde9850cfd8083fe3 +# END COMMON DEPS +Provides: %name-srchash-b8b4c841314499b66975eeddde9850cfd8083fe3 +%obsolete_rebuilds %name + +%define kmp_target_cpu %_target_cpu +%ifarch %ix86 # KMPs are always built as i586, because rpm does not allow to build # subpackages for different architectures. Therefore, we change the # /usr/src/linux-obj/ symlink to i586. %define kmp_target_cpu i586 %endif -%endif %if %build_default %if "%CONFIG_PREEMPT_DYNAMIC" == "y" @@ -1300,8 +1303,8 @@ Obsoletes: microcode_ctl < 1.18 Conflicts: libc.so.6()(64bit) %endif Provides: kernel = %version-%source_rel -Provides: kernel-%build_flavor-base-srchash-6cf5261da0ebc2ca4f200ee6fe0fde9d6c3eff3e -Provides: kernel-srchash-6cf5261da0ebc2ca4f200ee6fe0fde9d6c3eff3e +Provides: kernel-%build_flavor-base-srchash-b8b4c841314499b66975eeddde9850cfd8083fe3 +Provides: kernel-srchash-b8b4c841314499b66975eeddde9850cfd8083fe3 %obsolete_rebuilds %name-base %ifarch %ix86 diff --git a/kernel-default.changes b/kernel-default.changes index 22bbeb53..40a021d8 100644 --- a/kernel-default.changes +++ b/kernel-default.changes 
@@ -1,3 +1,40 @@
+-------------------------------------------------------------------
+Tue Oct 3 16:19:55 CEST 2023 - palcantara@suse.de
+
+- cifs: Fix UAF in cifs_demultiplex_thread() (bsc#1208995
+ CVE-2023-1192).
+- commit 34d5680
+
+-------------------------------------------------------------------
+Tue Oct 3 16:18:13 CEST 2023 - palcantara@suse.de
+
+- fs/smb/client: Reset password pointer to NULL (bsc#1215899
+ CVE-2023-5345).
+- commit 180c31b
+
+-------------------------------------------------------------------
+Tue Oct 3 08:47:21 CEST 2023 - mkubecek@suse.cz
+
+- netfilter: ipset: Fix race between IPSET_CMD_CREATE and
+ IPSET_CMD_SWAP (CVE-2023-42756 bsc#1215767).
+- commit 5c8516c
+
+-------------------------------------------------------------------
+Tue Oct 3 08:45:02 CEST 2023 - mkubecek@suse.cz
+
+- Update
+ patches.kernel.org/6.5.3-622-netfilter-ipset-add-the-missing-IP_SET_HASH_WIT.patch
+ references (add CVE-2023-42753 bsc#1215150).
+- commit ddd076d
+
+-------------------------------------------------------------------
+Mon Sep 25 19:40:07 CEST 2023 - msuchanek@suse.de
+
+- kernel-binary: Move build-time definitions together
+ Move source list and build architecture to buildrequires to aid in
+ future reorganization of the spec template.
+- commit 30e2cef
+
 -------------------------------------------------------------------
 Mon Sep 25 10:34:49 CEST 2023 - jslaby@suse.cz
 
diff --git a/kernel-default.spec b/kernel-default.spec
index cbfd538b..8191dc33 100644
--- a/kernel-default.spec
+++ b/kernel-default.spec
@@ -114,7 +114,7 @@ License: GPL-2.0-only
 Group: System/Kernel
 Version: 6.5.5
 %if 0%{?is_kotd}
-Release: .g6cf5261
+Release: .gb8b4c84
 %else
 Release: 0
 %endif
@@ -158,131 +158,6 @@ BuildRequires: u-boot-tools # Remove some packages that are installed automatically by the build system, # but are not needed to build the kernel #!BuildIgnore: autoconf automake gettext-runtime libtool cvs gettext-tools udev insserv -# Force bzip2 instead of lzma compression to -# 1) allow install on older dist versions, and -# 2) decrease build times (bsc#962356 boo#1175882) -%define _binary_payload w9.bzdio -# Do not recompute the build-id of vmlinux in find-debuginfo.sh (bsc#964063) -%undefine _unique_build_ids -%define _no_recompute_build_ids 1 -# prevent usr/lib/debug/boot/vmlinux-4.12.14-11.10-default-4.12.14-11.10.ppc64le.debug -%undefine _unique_debug_names - -%if "%{compress_modules}" == "zstd" -BuildRequires: zstd -# Make sure kmod supports zstd compressed modules -Requires(post): kmod-zstd -%endif -Provides: %name = %version-%source_rel -# bnc#901925 -Provides: %name-%version-%source_rel -Provides: %{name}_%_target_cpu = %version-%source_rel -Provides: kernel-base = %version-%source_rel -Provides: multiversion(kernel) -# In SLE11, kernel-$flavor complemented kernel-$flavor-base. With SLE12, -# kernel-$flavor itself contains all the needed files and kernel-$flavor-base -# is a subset that can replace kernel-$flavor in some scenarios. We need to -# obsolete the -base subpackage from SLE11, so that the base files are not -# owned by multiple packages now. The dependency is not correct wrt openSUSE -# 11.2 - 11.4, but we primarily care about the supported upgrade path. 
-Obsoletes: %name-base < 3.1 -%if ("%build_flavor" != "kvmsmall") && ("%build_flavor" != "azure") -Recommends: kernel-firmware -%endif -# The following is copied to the -base subpackage as well -# BEGIN COMMON DEPS -Requires(pre): suse-kernel-rpm-scriptlets -Requires(post): suse-kernel-rpm-scriptlets -Requires: suse-kernel-rpm-scriptlets -Requires(preun): suse-kernel-rpm-scriptlets -Requires(postun): suse-kernel-rpm-scriptlets -Requires(pre): coreutils awk -# For /usr/lib/module-init-tools/weak-modules2 -Requires(post): suse-module-tools -# For depmod (modutils is a dependency provided by both module-init-tools and -# kmod-compat) -Requires(post): modutils -# This Requires is wrong, because the post/postun scripts have a -# test -x update-bootloader, having perl-Bootloader is not a hard requirement. -# But, there is no way to tell rpm or yast to schedule the installation -# of perl-Bootloader before kernel-binary.rpm if both are in the list of -# packages to install/update. Likewise, this is true for dracut. -# Need a perl-Bootloader with /usr/lib/bootloader/bootloader_entry -Requires(post): perl-Bootloader >= 0.4.15 -Requires(post): dracut -# Install the package providing /etc/SuSE-release early enough, so that -# the grub entry has correct title (bnc#757565) -Requires(post): distribution-release - -%if 0%{?usrmerged} -# make sure we have a post-usrmerge system -Conflicts: filesystem < 16 -%endif - -Obsoletes: microcode_ctl < 1.18 - -%{lua: fd, err = io.open(rpm.expand('%_sourcedir') .. '/kernel-binary-conflicts') - if not fd then io.stderr:write(err) end - unpack = table.unpack or unpack - for l in fd:lines() do - if #l > 0 and l:sub(1,1) ~= '#' then - words = {} ; for w in l:gmatch("([^%s]+)%s*") do table.insert(words, w) end - package, version = unpack(words) - print('Conflicts: ' .. package .. ' < '.. version .. 
'\n') - end - end - fd:close() -} - -%ifarch %ix86 -Conflicts: libc.so.6()(64bit) -%endif -Provides: kernel = %version-%source_rel -Provides: kernel-%build_flavor-base-srchash-6cf5261da0ebc2ca4f200ee6fe0fde9d6c3eff3e -Provides: kernel-srchash-6cf5261da0ebc2ca4f200ee6fe0fde9d6c3eff3e -# END COMMON DEPS -Provides: %name-srchash-6cf5261da0ebc2ca4f200ee6fe0fde9d6c3eff3e -%ifarch %ix86 -Provides: kernel-trace = 3.13 -Obsoletes: kernel-trace <= 3.13 -%endif -%ifarch s390x -Provides: kernel-trace = 3.13 -Obsoletes: kernel-trace <= 3.13 -%endif -%ifarch x86_64 -Provides: kernel-trace = 3.13 -Obsoletes: kernel-trace <= 3.13 -Provides: kernel-bigsmp = 3.1 -Obsoletes: kernel-bigsmp <= 3.1 -Provides: kernel-desktop = 4.3 -Obsoletes: kernel-desktop <= 4.3 -Provides: kernel-xen = 4.4 -Obsoletes: kernel-xen <= 4.4 -Provides: kernel-ec2 = 4.4 -Obsoletes: kernel-ec2 <= 4.4 -%endif -%ifarch %ix86 -Provides: kernel-trace-base = 3.13 -Obsoletes: kernel-trace-base <= 3.13 -%endif -%ifarch s390x -Provides: kernel-trace-base = 3.13 -Obsoletes: kernel-trace-base <= 3.13 -%endif -%ifarch x86_64 -Provides: kernel-trace-base = 3.13 -Obsoletes: kernel-trace-base <= 3.13 -Provides: kernel-bigsmp-base = 3.1 -Obsoletes: kernel-bigsmp-base <= 3.1 -Provides: kernel-desktop-base = 4.3 -Obsoletes: kernel-desktop-base <= 4.3 -Provides: kernel-xen-base = 4.4 -Obsoletes: kernel-xen-base <= 4.4 -Provides: kernel-ec2-base = 4.4 -Obsoletes: kernel-ec2-base <= 4.4 -%endif -%obsolete_rebuilds %name Source0: https://www.kernel.org/pub/linux/kernel/v6.x/linux-%srcversion.tar.xz Source3: kernel-source.rpmlintrc Source14: series.conf 
@@ -422,19 +297,147 @@ NoSource: 113 NoSource: 114 NoSource: 120 NoSource: 121 - ExclusiveArch: aarch64 armv6hl armv7hl %ix86 ppc64le riscv64 s390x x86_64 -%define kmp_target_cpu %_target_cpu %ifarch %ix86 # Only i386/default supports i586, mark other flavors' packages as i686 %if ! %build_default BuildArch: i686 +%endif +%endif + +# Force bzip2 instead of lzma compression to +# 1) allow install on older dist versions, and +# 2) decrease build times (bsc#962356 boo#1175882) +%define _binary_payload w9.bzdio +# Do not recompute the build-id of vmlinux in find-debuginfo.sh (bsc#964063) +%undefine _unique_build_ids +%define _no_recompute_build_ids 1 +# prevent usr/lib/debug/boot/vmlinux-4.12.14-11.10-default-4.12.14-11.10.ppc64le.debug +%undefine _unique_debug_names + +%if "%{compress_modules}" == "zstd" +BuildRequires: zstd +# Make sure kmod supports zstd compressed modules +Requires(post): kmod-zstd +%endif +Provides: %name = %version-%source_rel +# bnc#901925 +Provides: %name-%version-%source_rel +Provides: %{name}_%_target_cpu = %version-%source_rel +Provides: kernel-base = %version-%source_rel +Provides: multiversion(kernel) +# In SLE11, kernel-$flavor complemented kernel-$flavor-base. With SLE12, +# kernel-$flavor itself contains all the needed files and kernel-$flavor-base +# is a subset that can replace kernel-$flavor in some scenarios. We need to +# obsolete the -base subpackage from SLE11, so that the base files are not +# owned by multiple packages now. The dependency is not correct wrt openSUSE +# 11.2 - 11.4, but we primarily care about the supported upgrade path. 
+Obsoletes: %name-base < 3.1 +%if ("%build_flavor" != "kvmsmall") && ("%build_flavor" != "azure") +Recommends: kernel-firmware +%endif +# The following is copied to the -base subpackage as well +# BEGIN COMMON DEPS +Requires(pre): suse-kernel-rpm-scriptlets +Requires(post): suse-kernel-rpm-scriptlets +Requires: suse-kernel-rpm-scriptlets +Requires(preun): suse-kernel-rpm-scriptlets +Requires(postun): suse-kernel-rpm-scriptlets +Requires(pre): coreutils awk +# For /usr/lib/module-init-tools/weak-modules2 +Requires(post): suse-module-tools +# For depmod (modutils is a dependency provided by both module-init-tools and +# kmod-compat) +Requires(post): modutils +# This Requires is wrong, because the post/postun scripts have a +# test -x update-bootloader, having perl-Bootloader is not a hard requirement. +# But, there is no way to tell rpm or yast to schedule the installation +# of perl-Bootloader before kernel-binary.rpm if both are in the list of +# packages to install/update. Likewise, this is true for dracut. +# Need a perl-Bootloader with /usr/lib/bootloader/bootloader_entry +Requires(post): perl-Bootloader >= 0.4.15 +Requires(post): dracut +# Install the package providing /etc/SuSE-release early enough, so that +# the grub entry has correct title (bnc#757565) +Requires(post): distribution-release + +%if 0%{?usrmerged} +# make sure we have a post-usrmerge system +Conflicts: filesystem < 16 +%endif + +Obsoletes: microcode_ctl < 1.18 + +%{lua: fd, err = io.open(rpm.expand('%_sourcedir') .. '/kernel-binary-conflicts') + if not fd then io.stderr:write(err) end + unpack = table.unpack or unpack + for l in fd:lines() do + if #l > 0 and l:sub(1,1) ~= '#' then + words = {} ; for w in l:gmatch("([^%s]+)%s*") do table.insert(words, w) end + package, version = unpack(words) + print('Conflicts: ' .. package .. ' < '.. version .. 
'\n') + end + end + fd:close() +} + +%ifarch %ix86 +Conflicts: libc.so.6()(64bit) +%endif +Provides: kernel = %version-%source_rel +Provides: kernel-%build_flavor-base-srchash-b8b4c841314499b66975eeddde9850cfd8083fe3 +Provides: kernel-srchash-b8b4c841314499b66975eeddde9850cfd8083fe3 +# END COMMON DEPS +Provides: %name-srchash-b8b4c841314499b66975eeddde9850cfd8083fe3 +%ifarch %ix86 +Provides: kernel-trace = 3.13 +Obsoletes: kernel-trace <= 3.13 +%endif +%ifarch s390x +Provides: kernel-trace = 3.13 +Obsoletes: kernel-trace <= 3.13 +%endif +%ifarch x86_64 +Provides: kernel-trace = 3.13 +Obsoletes: kernel-trace <= 3.13 +Provides: kernel-bigsmp = 3.1 +Obsoletes: kernel-bigsmp <= 3.1 +Provides: kernel-desktop = 4.3 +Obsoletes: kernel-desktop <= 4.3 +Provides: kernel-xen = 4.4 +Obsoletes: kernel-xen <= 4.4 +Provides: kernel-ec2 = 4.4 +Obsoletes: kernel-ec2 <= 4.4 +%endif +%ifarch %ix86 +Provides: kernel-trace-base = 3.13 +Obsoletes: kernel-trace-base <= 3.13 +%endif +%ifarch s390x +Provides: kernel-trace-base = 3.13 +Obsoletes: kernel-trace-base <= 3.13 +%endif +%ifarch x86_64 +Provides: kernel-trace-base = 3.13 +Obsoletes: kernel-trace-base <= 3.13 +Provides: kernel-bigsmp-base = 3.1 +Obsoletes: kernel-bigsmp-base <= 3.1 +Provides: kernel-desktop-base = 4.3 +Obsoletes: kernel-desktop-base <= 4.3 +Provides: kernel-xen-base = 4.4 +Obsoletes: kernel-xen-base <= 4.4 +Provides: kernel-ec2-base = 4.4 +Obsoletes: kernel-ec2-base <= 4.4 +%endif +%obsolete_rebuilds %name + +%define kmp_target_cpu %_target_cpu +%ifarch %ix86 # KMPs are always built as i586, because rpm does not allow to build # subpackages for different architectures. Therefore, we change the # /usr/src/linux-obj/ symlink to i586. %define kmp_target_cpu i586 %endif -%endif %if %build_default %if "%CONFIG_PREEMPT_DYNAMIC" == "y" 
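Review bot: In the `%{lua: ...}` block this hunk re-adds, a failed `io.open` is only logged by `if not fd then io.stderr:write(err) end`, and the next statement still calls `fd:lines()` on nil. A missing or unreadable `kernel-binary-conflicts` file therefore ends in a nil-index error rather than the real cause; `if not fd then error(err) end` would stop with the actual message. The loop also assigns the globals `words`, `package` and `version`, and `package` is the name of Lua's standard module table, so later Lua macros sharing the interpreter state may find it overwritten. `local pkg, ver = unpack(words)` avoids that, with a check that both fields are present before the `Conflicts:` line is printed. The same block is in the matching hunks of kernel-kvmsmall.spec and kernel-lpae.spec; if these spec files are generated from the spec template the changelog mentions, the change belongs in the template.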
@@ -1339,8 +1342,8 @@ Obsoletes: microcode_ctl < 1.18 Conflicts: libc.so.6()(64bit) %endif Provides: kernel = %version-%source_rel -Provides: kernel-%build_flavor-base-srchash-6cf5261da0ebc2ca4f200ee6fe0fde9d6c3eff3e -Provides: kernel-srchash-6cf5261da0ebc2ca4f200ee6fe0fde9d6c3eff3e +Provides: kernel-%build_flavor-base-srchash-b8b4c841314499b66975eeddde9850cfd8083fe3 +Provides: kernel-srchash-b8b4c841314499b66975eeddde9850cfd8083fe3 %ifarch %ix86 Provides: kernel-trace-base = 3.13 diff --git a/kernel-docs.changes b/kernel-docs.changes index 22bbeb53..40a021d8 100644 --- a/kernel-docs.changes +++ b/kernel-docs.changes 
@@ -1,3 +1,40 @@ +------------------------------------------------------------------- +Tue Oct 3 16:19:55 CEST 2023 - palcantara@suse.de + +- cifs: Fix UAF in cifs_demultiplex_thread() (bsc#1208995 + CVE-2023-1192). +- commit 34d5680 + +------------------------------------------------------------------- +Tue Oct 3 16:18:13 CEST 2023 - palcantara@suse.de + +- fs/smb/client: Reset password pointer to NULL (bsc#1215899 + CVE-2023-5345). +- commit 180c31b + +------------------------------------------------------------------- +Tue Oct 3 08:47:21 CEST 2023 - mkubecek@suse.cz + +- netfilter: ipset: Fix race between IPSET_CMD_CREATE and + IPSET_CMD_SWAP (CVE-2023-42756 bsc#1215767). +- commit 5c8516c + +------------------------------------------------------------------- +Tue Oct 3 08:45:02 CEST 2023 - mkubecek@suse.cz + +- Update + patches.kernel.org/6.5.3-622-netfilter-ipset-add-the-missing-IP_SET_HASH_WIT.patch + references (add CVE-2023-42753 bsc#1215150). +- commit ddd076d + +------------------------------------------------------------------- +Mon Sep 25 19:40:07 CEST 2023 - msuchanek@suse.de + +- kernel-binary: Move build-time definitions together + Move source list and build architecture to buildrequires to aid in + future reorganization of the spec template. +- commit 30e2cef + ------------------------------------------------------------------- Mon Sep 25 10:34:49 CEST 2023 - jslaby@suse.cz diff --git a/kernel-docs.spec b/kernel-docs.spec index 3800338e..889b1a39 100644 --- a/kernel-docs.spec +++ b/kernel-docs.spec @@ -32,7 +32,7 @@ License: GPL-2.0-only Group: Documentation/Man Version: 6.5.5 %if 0%{?is_kotd} -Release: .g6cf5261 +Release: .gb8b4c84 %else Release: 0 %endif 
@@ -83,7 +83,7 @@ BuildRequires: texlive-zapfding %endif URL: https://www.kernel.org/ Provides: %name = %version-%source_rel -Provides: %name-srchash-6cf5261da0ebc2ca4f200ee6fe0fde9d6c3eff3e +Provides: %name-srchash-b8b4c841314499b66975eeddde9850cfd8083fe3 BuildArch: noarch Source0: https://www.kernel.org/pub/linux/kernel/v6.x/linux-%srcversion.tar.xz Source3: kernel-source.rpmlintrc diff --git a/kernel-kvmsmall.changes b/kernel-kvmsmall.changes index 22bbeb53..40a021d8 100644 --- a/kernel-kvmsmall.changes +++ b/kernel-kvmsmall.changes @@ -1,3 +1,40 @@ +------------------------------------------------------------------- +Tue Oct 3 16:19:55 CEST 2023 - palcantara@suse.de + +- cifs: Fix UAF in cifs_demultiplex_thread() (bsc#1208995 + CVE-2023-1192). +- commit 34d5680 + +------------------------------------------------------------------- +Tue Oct 3 16:18:13 CEST 2023 - palcantara@suse.de + +- fs/smb/client: Reset password pointer to NULL (bsc#1215899 + CVE-2023-5345). +- commit 180c31b + +------------------------------------------------------------------- +Tue Oct 3 08:47:21 CEST 2023 - mkubecek@suse.cz + +- netfilter: ipset: Fix race between IPSET_CMD_CREATE and + IPSET_CMD_SWAP (CVE-2023-42756 bsc#1215767). +- commit 5c8516c + +------------------------------------------------------------------- +Tue Oct 3 08:45:02 CEST 2023 - mkubecek@suse.cz + +- Update + patches.kernel.org/6.5.3-622-netfilter-ipset-add-the-missing-IP_SET_HASH_WIT.patch + references (add CVE-2023-42753 bsc#1215150). +- commit ddd076d + +------------------------------------------------------------------- +Mon Sep 25 19:40:07 CEST 2023 - msuchanek@suse.de + +- kernel-binary: Move build-time definitions together + Move source list and build architecture to buildrequires to aid in + future reorganization of the spec template. +- commit 30e2cef + ------------------------------------------------------------------- Mon Sep 25 10:34:49 CEST 2023 - jslaby@suse.cz 
diff --git a/kernel-kvmsmall.spec b/kernel-kvmsmall.spec index 12842e0b..0ea3dc9c 100644 --- a/kernel-kvmsmall.spec +++ b/kernel-kvmsmall.spec @@ -114,7 +114,7 @@ License: GPL-2.0-only Group: System/Kernel Version: 6.5.5 %if 0%{?is_kotd} -Release: .g6cf5261 +Release: .gb8b4c84 %else Release: 0 %endif 
@@ -158,91 +158,6 @@ BuildRequires: u-boot-tools # Remove some packages that are installed automatically by the build system, # but are not needed to build the kernel #!BuildIgnore: autoconf automake gettext-runtime libtool cvs gettext-tools udev insserv -# Force bzip2 instead of lzma compression to -# 1) allow install on older dist versions, and -# 2) decrease build times (bsc#962356 boo#1175882) -%define _binary_payload w9.bzdio -# Do not recompute the build-id of vmlinux in find-debuginfo.sh (bsc#964063) -%undefine _unique_build_ids -%define _no_recompute_build_ids 1 -# prevent usr/lib/debug/boot/vmlinux-4.12.14-11.10-default-4.12.14-11.10.ppc64le.debug -%undefine _unique_debug_names - -%if "%{compress_modules}" == "zstd" -BuildRequires: zstd -# Make sure kmod supports zstd compressed modules -Requires(post): kmod-zstd -%endif -Provides: %name = %version-%source_rel -# bnc#901925 -Provides: %name-%version-%source_rel -Provides: %{name}_%_target_cpu = %version-%source_rel -Provides: kernel-base = %version-%source_rel -Provides: multiversion(kernel) -# In SLE11, kernel-$flavor complemented kernel-$flavor-base. With SLE12, -# kernel-$flavor itself contains all the needed files and kernel-$flavor-base -# is a subset that can replace kernel-$flavor in some scenarios. We need to -# obsolete the -base subpackage from SLE11, so that the base files are not -# owned by multiple packages now. The dependency is not correct wrt openSUSE -# 11.2 - 11.4, but we primarily care about the supported upgrade path. 
-Obsoletes: %name-base < 3.1 -%if ("%build_flavor" != "kvmsmall") && ("%build_flavor" != "azure") -Recommends: kernel-firmware -%endif -# The following is copied to the -base subpackage as well -# BEGIN COMMON DEPS -Requires(pre): suse-kernel-rpm-scriptlets -Requires(post): suse-kernel-rpm-scriptlets -Requires: suse-kernel-rpm-scriptlets -Requires(preun): suse-kernel-rpm-scriptlets -Requires(postun): suse-kernel-rpm-scriptlets -Requires(pre): coreutils awk -# For /usr/lib/module-init-tools/weak-modules2 -Requires(post): suse-module-tools -# For depmod (modutils is a dependency provided by both module-init-tools and -# kmod-compat) -Requires(post): modutils -# This Requires is wrong, because the post/postun scripts have a -# test -x update-bootloader, having perl-Bootloader is not a hard requirement. -# But, there is no way to tell rpm or yast to schedule the installation -# of perl-Bootloader before kernel-binary.rpm if both are in the list of -# packages to install/update. Likewise, this is true for dracut. -# Need a perl-Bootloader with /usr/lib/bootloader/bootloader_entry -Requires(post): perl-Bootloader >= 0.4.15 -Requires(post): dracut -# Install the package providing /etc/SuSE-release early enough, so that -# the grub entry has correct title (bnc#757565) -Requires(post): distribution-release - -%if 0%{?usrmerged} -# make sure we have a post-usrmerge system -Conflicts: filesystem < 16 -%endif - -Obsoletes: microcode_ctl < 1.18 - -%{lua: fd, err = io.open(rpm.expand('%_sourcedir') .. '/kernel-binary-conflicts') - if not fd then io.stderr:write(err) end - unpack = table.unpack or unpack - for l in fd:lines() do - if #l > 0 and l:sub(1,1) ~= '#' then - words = {} ; for w in l:gmatch("([^%s]+)%s*") do table.insert(words, w) end - package, version = unpack(words) - print('Conflicts: ' .. package .. ' < '.. version .. 
'\n') - end - end - fd:close() -} - -%ifarch %ix86 -Conflicts: libc.so.6()(64bit) -%endif -Provides: kernel = %version-%source_rel -Provides: kernel-%build_flavor-base-srchash-6cf5261da0ebc2ca4f200ee6fe0fde9d6c3eff3e -Provides: kernel-srchash-6cf5261da0ebc2ca4f200ee6fe0fde9d6c3eff3e -# END COMMON DEPS -Provides: %name-srchash-6cf5261da0ebc2ca4f200ee6fe0fde9d6c3eff3e -%obsolete_rebuilds %name Source0: https://www.kernel.org/pub/linux/kernel/v6.x/linux-%srcversion.tar.xz Source3: kernel-source.rpmlintrc Source14: series.conf 
@@ -382,19 +297,107 @@ NoSource: 113 NoSource: 114 NoSource: 120 NoSource: 121 - ExclusiveArch: aarch64 ppc64le x86_64 -%define kmp_target_cpu %_target_cpu %ifarch %ix86 # Only i386/default supports i586, mark other flavors' packages as i686 %if ! %build_default BuildArch: i686 +%endif +%endif + +# Force bzip2 instead of lzma compression to +# 1) allow install on older dist versions, and +# 2) decrease build times (bsc#962356 boo#1175882) +%define _binary_payload w9.bzdio +# Do not recompute the build-id of vmlinux in find-debuginfo.sh (bsc#964063) +%undefine _unique_build_ids +%define _no_recompute_build_ids 1 +# prevent usr/lib/debug/boot/vmlinux-4.12.14-11.10-default-4.12.14-11.10.ppc64le.debug +%undefine _unique_debug_names + +%if "%{compress_modules}" == "zstd" +BuildRequires: zstd +# Make sure kmod supports zstd compressed modules +Requires(post): kmod-zstd +%endif +Provides: %name = %version-%source_rel +# bnc#901925 +Provides: %name-%version-%source_rel +Provides: %{name}_%_target_cpu = %version-%source_rel +Provides: kernel-base = %version-%source_rel +Provides: multiversion(kernel) +# In SLE11, kernel-$flavor complemented kernel-$flavor-base. With SLE12, +# kernel-$flavor itself contains all the needed files and kernel-$flavor-base +# is a subset that can replace kernel-$flavor in some scenarios. We need to +# obsolete the -base subpackage from SLE11, so that the base files are not +# owned by multiple packages now. The dependency is not correct wrt openSUSE +# 11.2 - 11.4, but we primarily care about the supported upgrade path. 
+Obsoletes: %name-base < 3.1 +%if ("%build_flavor" != "kvmsmall") && ("%build_flavor" != "azure") +Recommends: kernel-firmware +%endif +# The following is copied to the -base subpackage as well +# BEGIN COMMON DEPS +Requires(pre): suse-kernel-rpm-scriptlets +Requires(post): suse-kernel-rpm-scriptlets +Requires: suse-kernel-rpm-scriptlets +Requires(preun): suse-kernel-rpm-scriptlets +Requires(postun): suse-kernel-rpm-scriptlets +Requires(pre): coreutils awk +# For /usr/lib/module-init-tools/weak-modules2 +Requires(post): suse-module-tools +# For depmod (modutils is a dependency provided by both module-init-tools and +# kmod-compat) +Requires(post): modutils +# This Requires is wrong, because the post/postun scripts have a +# test -x update-bootloader, having perl-Bootloader is not a hard requirement. +# But, there is no way to tell rpm or yast to schedule the installation +# of perl-Bootloader before kernel-binary.rpm if both are in the list of +# packages to install/update. Likewise, this is true for dracut. +# Need a perl-Bootloader with /usr/lib/bootloader/bootloader_entry +Requires(post): perl-Bootloader >= 0.4.15 +Requires(post): dracut +# Install the package providing /etc/SuSE-release early enough, so that +# the grub entry has correct title (bnc#757565) +Requires(post): distribution-release + +%if 0%{?usrmerged} +# make sure we have a post-usrmerge system +Conflicts: filesystem < 16 +%endif + +Obsoletes: microcode_ctl < 1.18 + +%{lua: fd, err = io.open(rpm.expand('%_sourcedir') .. '/kernel-binary-conflicts') + if not fd then io.stderr:write(err) end + unpack = table.unpack or unpack + for l in fd:lines() do + if #l > 0 and l:sub(1,1) ~= '#' then + words = {} ; for w in l:gmatch("([^%s]+)%s*") do table.insert(words, w) end + package, version = unpack(words) + print('Conflicts: ' .. package .. ' < '.. version .. 
'\n') + end + end + fd:close() +} + +%ifarch %ix86 +Conflicts: libc.so.6()(64bit) +%endif +Provides: kernel = %version-%source_rel +Provides: kernel-%build_flavor-base-srchash-b8b4c841314499b66975eeddde9850cfd8083fe3 +Provides: kernel-srchash-b8b4c841314499b66975eeddde9850cfd8083fe3 +# END COMMON DEPS +Provides: %name-srchash-b8b4c841314499b66975eeddde9850cfd8083fe3 +%obsolete_rebuilds %name + +%define kmp_target_cpu %_target_cpu +%ifarch %ix86 # KMPs are always built as i586, because rpm does not allow to build # subpackages for different architectures. Therefore, we change the # /usr/src/linux-obj/ symlink to i586. %define kmp_target_cpu i586 %endif -%endif %if %build_default %if "%CONFIG_PREEMPT_DYNAMIC" == "y" @@ -1306,8 +1309,8 @@ Obsoletes: microcode_ctl < 1.18 Conflicts: libc.so.6()(64bit) %endif Provides: kernel = %version-%source_rel -Provides: kernel-%build_flavor-base-srchash-6cf5261da0ebc2ca4f200ee6fe0fde9d6c3eff3e -Provides: kernel-srchash-6cf5261da0ebc2ca4f200ee6fe0fde9d6c3eff3e +Provides: kernel-%build_flavor-base-srchash-b8b4c841314499b66975eeddde9850cfd8083fe3 +Provides: kernel-srchash-b8b4c841314499b66975eeddde9850cfd8083fe3 %obsolete_rebuilds %name-base %ifarch %ix86 diff --git a/kernel-lpae.changes b/kernel-lpae.changes index 22bbeb53..40a021d8 100644 --- a/kernel-lpae.changes +++ b/kernel-lpae.changes 
@@ -1,3 +1,40 @@ +------------------------------------------------------------------- +Tue Oct 3 16:19:55 CEST 2023 - palcantara@suse.de + +- cifs: Fix UAF in cifs_demultiplex_thread() (bsc#1208995 + CVE-2023-1192). +- commit 34d5680 + +------------------------------------------------------------------- +Tue Oct 3 16:18:13 CEST 2023 - palcantara@suse.de + +- fs/smb/client: Reset password pointer to NULL (bsc#1215899 + CVE-2023-5345). +- commit 180c31b + +------------------------------------------------------------------- +Tue Oct 3 08:47:21 CEST 2023 - mkubecek@suse.cz + +- netfilter: ipset: Fix race between IPSET_CMD_CREATE and + IPSET_CMD_SWAP (CVE-2023-42756 bsc#1215767). +- commit 5c8516c + +------------------------------------------------------------------- +Tue Oct 3 08:45:02 CEST 2023 - mkubecek@suse.cz + +- Update + patches.kernel.org/6.5.3-622-netfilter-ipset-add-the-missing-IP_SET_HASH_WIT.patch + references (add CVE-2023-42753 bsc#1215150). +- commit ddd076d + +------------------------------------------------------------------- +Mon Sep 25 19:40:07 CEST 2023 - msuchanek@suse.de + +- kernel-binary: Move build-time definitions together + Move source list and build architecture to buildrequires to aid in + future reorganization of the spec template. +- commit 30e2cef + ------------------------------------------------------------------- Mon Sep 25 10:34:49 CEST 2023 - jslaby@suse.cz diff --git a/kernel-lpae.spec b/kernel-lpae.spec index f4c4268b..d07e4f26 100644 --- a/kernel-lpae.spec +++ b/kernel-lpae.spec @@ -114,7 +114,7 @@ License: GPL-2.0-only Group: System/Kernel Version: 6.5.5 %if 0%{?is_kotd} -Release: .g6cf5261 +Release: .gb8b4c84 %else Release: 0 %endif 
@@ -158,91 +158,6 @@ BuildRequires: u-boot-tools # Remove some packages that are installed automatically by the build system, # but are not needed to build the kernel #!BuildIgnore: autoconf automake gettext-runtime libtool cvs gettext-tools udev insserv -# Force bzip2 instead of lzma compression to -# 1) allow install on older dist versions, and -# 2) decrease build times (bsc#962356 boo#1175882) -%define _binary_payload w9.bzdio -# Do not recompute the build-id of vmlinux in find-debuginfo.sh (bsc#964063) -%undefine _unique_build_ids -%define _no_recompute_build_ids 1 -# prevent usr/lib/debug/boot/vmlinux-4.12.14-11.10-default-4.12.14-11.10.ppc64le.debug -%undefine _unique_debug_names - -%if "%{compress_modules}" == "zstd" -BuildRequires: zstd -# Make sure kmod supports zstd compressed modules -Requires(post): kmod-zstd -%endif -Provides: %name = %version-%source_rel -# bnc#901925 -Provides: %name-%version-%source_rel -Provides: %{name}_%_target_cpu = %version-%source_rel -Provides: kernel-base = %version-%source_rel -Provides: multiversion(kernel) -# In SLE11, kernel-$flavor complemented kernel-$flavor-base. With SLE12, -# kernel-$flavor itself contains all the needed files and kernel-$flavor-base -# is a subset that can replace kernel-$flavor in some scenarios. We need to -# obsolete the -base subpackage from SLE11, so that the base files are not -# owned by multiple packages now. The dependency is not correct wrt openSUSE -# 11.2 - 11.4, but we primarily care about the supported upgrade path. 
-Obsoletes: %name-base < 3.1 -%if ("%build_flavor" != "kvmsmall") && ("%build_flavor" != "azure") -Recommends: kernel-firmware -%endif -# The following is copied to the -base subpackage as well -# BEGIN COMMON DEPS -Requires(pre): suse-kernel-rpm-scriptlets -Requires(post): suse-kernel-rpm-scriptlets -Requires: suse-kernel-rpm-scriptlets -Requires(preun): suse-kernel-rpm-scriptlets -Requires(postun): suse-kernel-rpm-scriptlets -Requires(pre): coreutils awk -# For /usr/lib/module-init-tools/weak-modules2 -Requires(post): suse-module-tools -# For depmod (modutils is a dependency provided by both module-init-tools and -# kmod-compat) -Requires(post): modutils -# This Requires is wrong, because the post/postun scripts have a -# test -x update-bootloader, having perl-Bootloader is not a hard requirement. -# But, there is no way to tell rpm or yast to schedule the installation -# of perl-Bootloader before kernel-binary.rpm if both are in the list of -# packages to install/update. Likewise, this is true for dracut. -# Need a perl-Bootloader with /usr/lib/bootloader/bootloader_entry -Requires(post): perl-Bootloader >= 0.4.15 -Requires(post): dracut -# Install the package providing /etc/SuSE-release early enough, so that -# the grub entry has correct title (bnc#757565) -Requires(post): distribution-release - -%if 0%{?usrmerged} -# make sure we have a post-usrmerge system -Conflicts: filesystem < 16 -%endif - -Obsoletes: microcode_ctl < 1.18 - -%{lua: fd, err = io.open(rpm.expand('%_sourcedir') .. '/kernel-binary-conflicts') - if not fd then io.stderr:write(err) end - unpack = table.unpack or unpack - for l in fd:lines() do - if #l > 0 and l:sub(1,1) ~= '#' then - words = {} ; for w in l:gmatch("([^%s]+)%s*") do table.insert(words, w) end - package, version = unpack(words) - print('Conflicts: ' .. package .. ' < '.. version .. 
'\n') - end - end - fd:close() -} - -%ifarch %ix86 -Conflicts: libc.so.6()(64bit) -%endif -Provides: kernel = %version-%source_rel -Provides: kernel-%build_flavor-base-srchash-6cf5261da0ebc2ca4f200ee6fe0fde9d6c3eff3e -Provides: kernel-srchash-6cf5261da0ebc2ca4f200ee6fe0fde9d6c3eff3e -# END COMMON DEPS -Provides: %name-srchash-6cf5261da0ebc2ca4f200ee6fe0fde9d6c3eff3e -%obsolete_rebuilds %name Source0: https://www.kernel.org/pub/linux/kernel/v6.x/linux-%srcversion.tar.xz Source3: kernel-source.rpmlintrc Source14: series.conf 
@@ -382,19 +297,107 @@ NoSource: 113 NoSource: 114 NoSource: 120 NoSource: 121 - ExclusiveArch: armv7hl -%define kmp_target_cpu %_target_cpu %ifarch %ix86 # Only i386/default supports i586, mark other flavors' packages as i686 %if ! %build_default BuildArch: i686 +%endif +%endif + +# Force bzip2 instead of lzma compression to +# 1) allow install on older dist versions, and +# 2) decrease build times (bsc#962356 boo#1175882) +%define _binary_payload w9.bzdio +# Do not recompute the build-id of vmlinux in find-debuginfo.sh (bsc#964063) +%undefine _unique_build_ids +%define _no_recompute_build_ids 1 +# prevent usr/lib/debug/boot/vmlinux-4.12.14-11.10-default-4.12.14-11.10.ppc64le.debug +%undefine _unique_debug_names + +%if "%{compress_modules}" == "zstd" +BuildRequires: zstd +# Make sure kmod supports zstd compressed modules +Requires(post): kmod-zstd +%endif +Provides: %name = %version-%source_rel +# bnc#901925 +Provides: %name-%version-%source_rel +Provides: %{name}_%_target_cpu = %version-%source_rel +Provides: kernel-base = %version-%source_rel +Provides: multiversion(kernel) +# In SLE11, kernel-$flavor complemented kernel-$flavor-base. With SLE12, +# kernel-$flavor itself contains all the needed files and kernel-$flavor-base +# is a subset that can replace kernel-$flavor in some scenarios. We need to +# obsolete the -base subpackage from SLE11, so that the base files are not +# owned by multiple packages now. The dependency is not correct wrt openSUSE +# 11.2 - 11.4, but we primarily care about the supported upgrade path. 
+Obsoletes: %name-base < 3.1 +%if ("%build_flavor" != "kvmsmall") && ("%build_flavor" != "azure") +Recommends: kernel-firmware +%endif +# The following is copied to the -base subpackage as well +# BEGIN COMMON DEPS +Requires(pre): suse-kernel-rpm-scriptlets +Requires(post): suse-kernel-rpm-scriptlets +Requires: suse-kernel-rpm-scriptlets +Requires(preun): suse-kernel-rpm-scriptlets +Requires(postun): suse-kernel-rpm-scriptlets +Requires(pre): coreutils awk +# For /usr/lib/module-init-tools/weak-modules2 +Requires(post): suse-module-tools +# For depmod (modutils is a dependency provided by both module-init-tools and +# kmod-compat) +Requires(post): modutils +# This Requires is wrong, because the post/postun scripts have a +# test -x update-bootloader, having perl-Bootloader is not a hard requirement. +# But, there is no way to tell rpm or yast to schedule the installation +# of perl-Bootloader before kernel-binary.rpm if both are in the list of +# packages to install/update. Likewise, this is true for dracut. +# Need a perl-Bootloader with /usr/lib/bootloader/bootloader_entry +Requires(post): perl-Bootloader >= 0.4.15 +Requires(post): dracut +# Install the package providing /etc/SuSE-release early enough, so that +# the grub entry has correct title (bnc#757565) +Requires(post): distribution-release + +%if 0%{?usrmerged} +# make sure we have a post-usrmerge system +Conflicts: filesystem < 16 +%endif + +Obsoletes: microcode_ctl < 1.18 + +%{lua: fd, err = io.open(rpm.expand('%_sourcedir') .. '/kernel-binary-conflicts') + if not fd then io.stderr:write(err) end + unpack = table.unpack or unpack + for l in fd:lines() do + if #l > 0 and l:sub(1,1) ~= '#' then + words = {} ; for w in l:gmatch("([^%s]+)%s*") do table.insert(words, w) end + package, version = unpack(words) + print('Conflicts: ' .. package .. ' < '.. version .. 
'\n') + end + end + fd:close() +} + +%ifarch %ix86 +Conflicts: libc.so.6()(64bit) +%endif +Provides: kernel = %version-%source_rel +Provides: kernel-%build_flavor-base-srchash-b8b4c841314499b66975eeddde9850cfd8083fe3 +Provides: kernel-srchash-b8b4c841314499b66975eeddde9850cfd8083fe3 +# END COMMON DEPS +Provides: %name-srchash-b8b4c841314499b66975eeddde9850cfd8083fe3 +%obsolete_rebuilds %name + +%define kmp_target_cpu %_target_cpu +%ifarch %ix86 # KMPs are always built as i586, because rpm does not allow to build # subpackages for different architectures. Therefore, we change the # /usr/src/linux-obj/ symlink to i586. %define kmp_target_cpu i586 %endif -%endif %if %build_default %if "%CONFIG_PREEMPT_DYNAMIC" == "y" @@ -1300,8 +1303,8 @@ Obsoletes: microcode_ctl < 1.18 Conflicts: libc.so.6()(64bit) %endif Provides: kernel = %version-%source_rel -Provides: kernel-%build_flavor-base-srchash-6cf5261da0ebc2ca4f200ee6fe0fde9d6c3eff3e -Provides: kernel-srchash-6cf5261da0ebc2ca4f200ee6fe0fde9d6c3eff3e +Provides: kernel-%build_flavor-base-srchash-b8b4c841314499b66975eeddde9850cfd8083fe3 +Provides: kernel-srchash-b8b4c841314499b66975eeddde9850cfd8083fe3 %obsolete_rebuilds %name-base %ifarch %ix86 diff --git a/kernel-obs-build.changes b/kernel-obs-build.changes index 22bbeb53..40a021d8 100644 --- a/kernel-obs-build.changes +++ b/kernel-obs-build.changes 
@@ -1,3 +1,40 @@ +------------------------------------------------------------------- +Tue Oct 3 16:19:55 CEST 2023 - palcantara@suse.de + +- cifs: Fix UAF in cifs_demultiplex_thread() (bsc#1208995 + CVE-2023-1192). +- commit 34d5680 + +------------------------------------------------------------------- +Tue Oct 3 16:18:13 CEST 2023 - palcantara@suse.de + +- fs/smb/client: Reset password pointer to NULL (bsc#1215899 + CVE-2023-5345). +- commit 180c31b + +------------------------------------------------------------------- +Tue Oct 3 08:47:21 CEST 2023 - mkubecek@suse.cz + +- netfilter: ipset: Fix race between IPSET_CMD_CREATE and + IPSET_CMD_SWAP (CVE-2023-42756 bsc#1215767). +- commit 5c8516c + +------------------------------------------------------------------- +Tue Oct 3 08:45:02 CEST 2023 - mkubecek@suse.cz + +- Update + patches.kernel.org/6.5.3-622-netfilter-ipset-add-the-missing-IP_SET_HASH_WIT.patch + references (add CVE-2023-42753 bsc#1215150). +- commit ddd076d + +------------------------------------------------------------------- +Mon Sep 25 19:40:07 CEST 2023 - msuchanek@suse.de + +- kernel-binary: Move build-time definitions together + Move source list and build architecture to buildrequires to aid in + future reorganization of the spec template. +- commit 30e2cef + ------------------------------------------------------------------- Mon Sep 25 10:34:49 CEST 2023 - jslaby@suse.cz diff --git a/kernel-obs-build.spec b/kernel-obs-build.spec index 8a852277..5acd9174 100644 --- a/kernel-obs-build.spec +++ b/kernel-obs-build.spec @@ -44,7 +44,7 @@ BuildRequires: util-linux %endif %endif %endif -BuildRequires: kernel%kernel_flavor-srchash-6cf5261da0ebc2ca4f200ee6fe0fde9d6c3eff3e +BuildRequires: kernel%kernel_flavor-srchash-b8b4c841314499b66975eeddde9850cfd8083fe3 %if 0%{?rhel_version} BuildRequires: kernel @@ -58,7 +58,7 @@ License: GPL-2.0-only Group: SLES Version: 6.5.5 %if 0%{?is_kotd} -Release: .g6cf5261 +Release: .gb8b4c84 %else Release: 0 %endif 
diff --git a/kernel-obs-qa.changes b/kernel-obs-qa.changes index 22bbeb53..40a021d8 100644 --- a/kernel-obs-qa.changes +++ b/kernel-obs-qa.changes @@ -1,3 +1,40 @@ +------------------------------------------------------------------- +Tue Oct 3 16:19:55 CEST 2023 - palcantara@suse.de + +- cifs: Fix UAF in cifs_demultiplex_thread() (bsc#1208995 + CVE-2023-1192). +- commit 34d5680 + +------------------------------------------------------------------- +Tue Oct 3 16:18:13 CEST 2023 - palcantara@suse.de + +- fs/smb/client: Reset password pointer to NULL (bsc#1215899 + CVE-2023-5345). +- commit 180c31b + +------------------------------------------------------------------- +Tue Oct 3 08:47:21 CEST 2023 - mkubecek@suse.cz + +- netfilter: ipset: Fix race between IPSET_CMD_CREATE and + IPSET_CMD_SWAP (CVE-2023-42756 bsc#1215767). +- commit 5c8516c + +------------------------------------------------------------------- +Tue Oct 3 08:45:02 CEST 2023 - mkubecek@suse.cz + +- Update + patches.kernel.org/6.5.3-622-netfilter-ipset-add-the-missing-IP_SET_HASH_WIT.patch + references (add CVE-2023-42753 bsc#1215150). +- commit ddd076d + +------------------------------------------------------------------- +Mon Sep 25 19:40:07 CEST 2023 - msuchanek@suse.de + +- kernel-binary: Move build-time definitions together + Move source list and build architecture to buildrequires to aid in + future reorganization of the spec template. +- commit 30e2cef + ------------------------------------------------------------------- Mon Sep 25 10:34:49 CEST 2023 - jslaby@suse.cz diff --git a/kernel-obs-qa.spec b/kernel-obs-qa.spec index a354eb9e..17fb039b 100644 --- a/kernel-obs-qa.spec +++ b/kernel-obs-qa.spec @@ -34,7 +34,7 @@ License: GPL-2.0-only Group: SLES Version: 6.5.5 %if 0%{?is_kotd} -Release: .g6cf5261 +Release: .gb8b4c84 %else Release: 0 %endif diff --git a/kernel-pae.changes b/kernel-pae.changes index 22bbeb53..40a021d8 100644 --- a/kernel-pae.changes +++ b/kernel-pae.changes 
@@ -1,3 +1,40 @@ +------------------------------------------------------------------- +Tue Oct 3 16:19:55 CEST 2023 - palcantara@suse.de + +- cifs: Fix UAF in cifs_demultiplex_thread() (bsc#1208995 + CVE-2023-1192). +- commit 34d5680 + +------------------------------------------------------------------- +Tue Oct 3 16:18:13 CEST 2023 - palcantara@suse.de + +- fs/smb/client: Reset password pointer to NULL (bsc#1215899 + CVE-2023-5345). +- commit 180c31b + +------------------------------------------------------------------- +Tue Oct 3 08:47:21 CEST 2023 - mkubecek@suse.cz + +- netfilter: ipset: Fix race between IPSET_CMD_CREATE and + IPSET_CMD_SWAP (CVE-2023-42756 bsc#1215767). +- commit 5c8516c + +------------------------------------------------------------------- +Tue Oct 3 08:45:02 CEST 2023 - mkubecek@suse.cz + +- Update + patches.kernel.org/6.5.3-622-netfilter-ipset-add-the-missing-IP_SET_HASH_WIT.patch + references (add CVE-2023-42753 bsc#1215150). +- commit ddd076d + +------------------------------------------------------------------- +Mon Sep 25 19:40:07 CEST 2023 - msuchanek@suse.de + +- kernel-binary: Move build-time definitions together + Move source list and build architecture to buildrequires to aid in + future reorganization of the spec template. +- commit 30e2cef + ------------------------------------------------------------------- Mon Sep 25 10:34:49 CEST 2023 - jslaby@suse.cz diff --git a/kernel-pae.spec b/kernel-pae.spec index 13d3fb54..0f605ec2 100644 --- a/kernel-pae.spec +++ b/kernel-pae.spec @@ -114,7 +114,7 @@ License: GPL-2.0-only Group: System/Kernel Version: 6.5.5 %if 0%{?is_kotd} -Release: .g6cf5261 +Release: .gb8b4c84 %else Release: 0 %endif 
@@ -158,107 +158,6 @@ BuildRequires: u-boot-tools # Remove some packages that are installed automatically by the build system, # but are not needed to build the kernel #!BuildIgnore: autoconf automake gettext-runtime libtool cvs gettext-tools udev insserv -# Force bzip2 instead of lzma compression to -# 1) allow install on older dist versions, and -# 2) decrease build times (bsc#962356 boo#1175882) -%define _binary_payload w9.bzdio -# Do not recompute the build-id of vmlinux in find-debuginfo.sh (bsc#964063) -%undefine _unique_build_ids -%define _no_recompute_build_ids 1 -# prevent usr/lib/debug/boot/vmlinux-4.12.14-11.10-default-4.12.14-11.10.ppc64le.debug -%undefine _unique_debug_names - -%if "%{compress_modules}" == "zstd" -BuildRequires: zstd -# Make sure kmod supports zstd compressed modules -Requires(post): kmod-zstd -%endif -Provides: %name = %version-%source_rel -# bnc#901925 -Provides: %name-%version-%source_rel -Provides: %{name}_%_target_cpu = %version-%source_rel -Provides: kernel-base = %version-%source_rel -Provides: multiversion(kernel) -# In SLE11, kernel-$flavor complemented kernel-$flavor-base. With SLE12, -# kernel-$flavor itself contains all the needed files and kernel-$flavor-base -# is a subset that can replace kernel-$flavor in some scenarios. We need to -# obsolete the -base subpackage from SLE11, so that the base files are not -# owned by multiple packages now. The dependency is not correct wrt openSUSE -# 11.2 - 11.4, but we primarily care about the supported upgrade path. 
-Obsoletes: %name-base < 3.1 -%if ("%build_flavor" != "kvmsmall") && ("%build_flavor" != "azure") -Recommends: kernel-firmware -%endif -# The following is copied to the -base subpackage as well -# BEGIN COMMON DEPS -Requires(pre): suse-kernel-rpm-scriptlets -Requires(post): suse-kernel-rpm-scriptlets -Requires: suse-kernel-rpm-scriptlets -Requires(preun): suse-kernel-rpm-scriptlets -Requires(postun): suse-kernel-rpm-scriptlets -Requires(pre): coreutils awk -# For /usr/lib/module-init-tools/weak-modules2 -Requires(post): suse-module-tools -# For depmod (modutils is a dependency provided by both module-init-tools and -# kmod-compat) -Requires(post): modutils -# This Requires is wrong, because the post/postun scripts have a -# test -x update-bootloader, having perl-Bootloader is not a hard requirement. -# But, there is no way to tell rpm or yast to schedule the installation -# of perl-Bootloader before kernel-binary.rpm if both are in the list of -# packages to install/update. Likewise, this is true for dracut. -# Need a perl-Bootloader with /usr/lib/bootloader/bootloader_entry -Requires(post): perl-Bootloader >= 0.4.15 -Requires(post): dracut -# Install the package providing /etc/SuSE-release early enough, so that -# the grub entry has correct title (bnc#757565) -Requires(post): distribution-release - -%if 0%{?usrmerged} -# make sure we have a post-usrmerge system -Conflicts: filesystem < 16 -%endif - -Obsoletes: microcode_ctl < 1.18 - -%{lua: fd, err = io.open(rpm.expand('%_sourcedir') .. '/kernel-binary-conflicts') - if not fd then io.stderr:write(err) end - unpack = table.unpack or unpack - for l in fd:lines() do - if #l > 0 and l:sub(1,1) ~= '#' then - words = {} ; for w in l:gmatch("([^%s]+)%s*") do table.insert(words, w) end - package, version = unpack(words) - print('Conflicts: ' .. package .. ' < '.. version .. 
'\n') - end - end - fd:close() -} - -%ifarch %ix86 -Conflicts: libc.so.6()(64bit) -%endif -Provides: kernel = %version-%source_rel -Provides: kernel-%build_flavor-base-srchash-6cf5261da0ebc2ca4f200ee6fe0fde9d6c3eff3e -Provides: kernel-srchash-6cf5261da0ebc2ca4f200ee6fe0fde9d6c3eff3e -# END COMMON DEPS -Provides: %name-srchash-6cf5261da0ebc2ca4f200ee6fe0fde9d6c3eff3e -%ifarch %ix86 -Provides: kernel-desktop = 4.3 -Obsoletes: kernel-desktop <= 4.3 -Provides: kernel-xen = 4.4 -Obsoletes: kernel-xen <= 4.4 -Provides: kernel-ec2 = 4.4 -Obsoletes: kernel-ec2 <= 4.4 -%endif -%ifarch %ix86 -Provides: kernel-desktop-base = 4.3 -Obsoletes: kernel-desktop-base <= 4.3 -Provides: kernel-xen-base = 4.4 -Obsoletes: kernel-xen-base <= 4.4 -Provides: kernel-ec2-base = 4.4 -Obsoletes: kernel-ec2-base <= 4.4 -%endif -%obsolete_rebuilds %name Source0: https://www.kernel.org/pub/linux/kernel/v6.x/linux-%srcversion.tar.xz Source3: kernel-source.rpmlintrc Source14: series.conf 
@@ -398,19 +297,123 @@ NoSource: 113 NoSource: 114 NoSource: 120 NoSource: 121 - ExclusiveArch: %ix86 -%define kmp_target_cpu %_target_cpu %ifarch %ix86 # Only i386/default supports i586, mark other flavors' packages as i686 %if ! %build_default BuildArch: i686 +%endif +%endif + +# Force bzip2 instead of lzma compression to +# 1) allow install on older dist versions, and +# 2) decrease build times (bsc#962356 boo#1175882) +%define _binary_payload w9.bzdio +# Do not recompute the build-id of vmlinux in find-debuginfo.sh (bsc#964063) +%undefine _unique_build_ids +%define _no_recompute_build_ids 1 +# prevent usr/lib/debug/boot/vmlinux-4.12.14-11.10-default-4.12.14-11.10.ppc64le.debug +%undefine _unique_debug_names + +%if "%{compress_modules}" == "zstd" +BuildRequires: zstd +# Make sure kmod supports zstd compressed modules +Requires(post): kmod-zstd +%endif +Provides: %name = %version-%source_rel +# bnc#901925 +Provides: %name-%version-%source_rel +Provides: %{name}_%_target_cpu = %version-%source_rel +Provides: kernel-base = %version-%source_rel +Provides: multiversion(kernel) +# In SLE11, kernel-$flavor complemented kernel-$flavor-base. With SLE12, +# kernel-$flavor itself contains all the needed files and kernel-$flavor-base +# is a subset that can replace kernel-$flavor in some scenarios. We need to +# obsolete the -base subpackage from SLE11, so that the base files are not +# owned by multiple packages now. The dependency is not correct wrt openSUSE +# 11.2 - 11.4, but we primarily care about the supported upgrade path. 
+Obsoletes: %name-base < 3.1 +%if ("%build_flavor" != "kvmsmall") && ("%build_flavor" != "azure") +Recommends: kernel-firmware +%endif +# The following is copied to the -base subpackage as well +# BEGIN COMMON DEPS +Requires(pre): suse-kernel-rpm-scriptlets +Requires(post): suse-kernel-rpm-scriptlets +Requires: suse-kernel-rpm-scriptlets +Requires(preun): suse-kernel-rpm-scriptlets +Requires(postun): suse-kernel-rpm-scriptlets +Requires(pre): coreutils awk +# For /usr/lib/module-init-tools/weak-modules2 +Requires(post): suse-module-tools +# For depmod (modutils is a dependency provided by both module-init-tools and +# kmod-compat) +Requires(post): modutils +# This Requires is wrong, because the post/postun scripts have a +# test -x update-bootloader, having perl-Bootloader is not a hard requirement. +# But, there is no way to tell rpm or yast to schedule the installation +# of perl-Bootloader before kernel-binary.rpm if both are in the list of +# packages to install/update. Likewise, this is true for dracut. +# Need a perl-Bootloader with /usr/lib/bootloader/bootloader_entry +Requires(post): perl-Bootloader >= 0.4.15 +Requires(post): dracut +# Install the package providing /etc/SuSE-release early enough, so that +# the grub entry has correct title (bnc#757565) +Requires(post): distribution-release + +%if 0%{?usrmerged} +# make sure we have a post-usrmerge system +Conflicts: filesystem < 16 +%endif + +Obsoletes: microcode_ctl < 1.18 + +%{lua: fd, err = io.open(rpm.expand('%_sourcedir') .. '/kernel-binary-conflicts') + if not fd then io.stderr:write(err) end + unpack = table.unpack or unpack + for l in fd:lines() do + if #l > 0 and l:sub(1,1) ~= '#' then + words = {} ; for w in l:gmatch("([^%s]+)%s*") do table.insert(words, w) end + package, version = unpack(words) + print('Conflicts: ' .. package .. ' < '.. version .. 
'\n') + end + end + fd:close() +} + +%ifarch %ix86 +Conflicts: libc.so.6()(64bit) +%endif +Provides: kernel = %version-%source_rel +Provides: kernel-%build_flavor-base-srchash-b8b4c841314499b66975eeddde9850cfd8083fe3 +Provides: kernel-srchash-b8b4c841314499b66975eeddde9850cfd8083fe3 +# END COMMON DEPS +Provides: %name-srchash-b8b4c841314499b66975eeddde9850cfd8083fe3 +%ifarch %ix86 +Provides: kernel-desktop = 4.3 +Obsoletes: kernel-desktop <= 4.3 +Provides: kernel-xen = 4.4 +Obsoletes: kernel-xen <= 4.4 +Provides: kernel-ec2 = 4.4 +Obsoletes: kernel-ec2 <= 4.4 +%endif +%ifarch %ix86 +Provides: kernel-desktop-base = 4.3 +Obsoletes: kernel-desktop-base <= 4.3 +Provides: kernel-xen-base = 4.4 +Obsoletes: kernel-xen-base <= 4.4 +Provides: kernel-ec2-base = 4.4 +Obsoletes: kernel-ec2-base <= 4.4 +%endif +%obsolete_rebuilds %name + +%define kmp_target_cpu %_target_cpu +%ifarch %ix86 # KMPs are always built as i586, because rpm does not allow to build # subpackages for different architectures. Therefore, we change the # /usr/src/linux-obj/ symlink to i586. %define kmp_target_cpu i586 %endif -%endif %if %build_default %if "%CONFIG_PREEMPT_DYNAMIC" == "y" @@ -1322,8 +1325,8 @@ Obsoletes: microcode_ctl < 1.18 Conflicts: libc.so.6()(64bit) %endif Provides: kernel = %version-%source_rel -Provides: kernel-%build_flavor-base-srchash-6cf5261da0ebc2ca4f200ee6fe0fde9d6c3eff3e -Provides: kernel-srchash-6cf5261da0ebc2ca4f200ee6fe0fde9d6c3eff3e +Provides: kernel-%build_flavor-base-srchash-b8b4c841314499b66975eeddde9850cfd8083fe3 +Provides: kernel-srchash-b8b4c841314499b66975eeddde9850cfd8083fe3 %ifarch %ix86 Provides: kernel-desktop-base = 4.3 diff --git a/kernel-source.changes b/kernel-source.changes index 22bbeb53..40a021d8 100644 --- a/kernel-source.changes +++ b/kernel-source.changes 
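Review bot: In the `%{lua:` block that this kernel-pae.spec hunk re-adds, a failed `io.open` is only written to stderr and execution continues into `fd:lines()` on a nil handle, so a missing `kernel-binary-conflicts` surfaces as a Lua index error rather than the open error. Whether the build then stops or the package is produced without its generated `Conflicts:` lines depends on how the rpm in use treats a failing Lua macro. I would fail explicitly with `if not fd then error(err) end`. The block also assigns only to globals, and `package, version = unpack(words)` overwrites Lua's standard `package` table, presumably for every later Lua macro in the same parse; `local pkg, ver = unpack(words)` avoids that and lets a one-word line be skipped before the string concatenation. The same block is re-added by the kernel-vanilla.spec hunk (`-382,19 +297,107`), and since the changelog mentions a spec template, the fix presumably belongs there.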
@@ -1,3 +1,40 @@ +------------------------------------------------------------------- +Tue Oct 3 16:19:55 CEST 2023 - palcantara@suse.de + +- cifs: Fix UAF in cifs_demultiplex_thread() (bsc#1208995 + CVE-2023-1192). +- commit 34d5680 + +------------------------------------------------------------------- +Tue Oct 3 16:18:13 CEST 2023 - palcantara@suse.de + +- fs/smb/client: Reset password pointer to NULL (bsc#1215899 + CVE-2023-5345). +- commit 180c31b + +------------------------------------------------------------------- +Tue Oct 3 08:47:21 CEST 2023 - mkubecek@suse.cz + +- netfilter: ipset: Fix race between IPSET_CMD_CREATE and + IPSET_CMD_SWAP (CVE-2023-42756 bsc#1215767). +- commit 5c8516c + +------------------------------------------------------------------- +Tue Oct 3 08:45:02 CEST 2023 - mkubecek@suse.cz + +- Update + patches.kernel.org/6.5.3-622-netfilter-ipset-add-the-missing-IP_SET_HASH_WIT.patch + references (add CVE-2023-42753 bsc#1215150). +- commit ddd076d + +------------------------------------------------------------------- +Mon Sep 25 19:40:07 CEST 2023 - msuchanek@suse.de + +- kernel-binary: Move build-time definitions together + Move source list and build architecture to buildrequires to aid in + future reorganization of the spec template. +- commit 30e2cef + ------------------------------------------------------------------- Mon Sep 25 10:34:49 CEST 2023 - jslaby@suse.cz diff --git a/kernel-source.spec b/kernel-source.spec index e7de40ef..17d9502f 100644 --- a/kernel-source.spec +++ b/kernel-source.spec @@ -32,7 +32,7 @@ Name: kernel-source Version: 6.5.5 %if 0%{?is_kotd} -Release: .g6cf5261 +Release: .gb8b4c84 %else Release: 0 %endif 
@@ -49,7 +49,7 @@ BuildRequires: fdupes BuildRequires: sed Requires(post): coreutils sed Provides: %name = %version-%source_rel -Provides: %name-srchash-6cf5261da0ebc2ca4f200ee6fe0fde9d6c3eff3e +Provides: %name-srchash-b8b4c841314499b66975eeddde9850cfd8083fe3 Provides: linux Provides: multiversion(kernel) Source0: https://www.kernel.org/pub/linux/kernel/v6.x/linux-%srcversion.tar.xz diff --git a/kernel-syms.changes b/kernel-syms.changes index 22bbeb53..40a021d8 100644 --- a/kernel-syms.changes +++ b/kernel-syms.changes @@ -1,3 +1,40 @@ +------------------------------------------------------------------- +Tue Oct 3 16:19:55 CEST 2023 - palcantara@suse.de + +- cifs: Fix UAF in cifs_demultiplex_thread() (bsc#1208995 + CVE-2023-1192). +- commit 34d5680 + +------------------------------------------------------------------- +Tue Oct 3 16:18:13 CEST 2023 - palcantara@suse.de + +- fs/smb/client: Reset password pointer to NULL (bsc#1215899 + CVE-2023-5345). +- commit 180c31b + +------------------------------------------------------------------- +Tue Oct 3 08:47:21 CEST 2023 - mkubecek@suse.cz + +- netfilter: ipset: Fix race between IPSET_CMD_CREATE and + IPSET_CMD_SWAP (CVE-2023-42756 bsc#1215767). +- commit 5c8516c + +------------------------------------------------------------------- +Tue Oct 3 08:45:02 CEST 2023 - mkubecek@suse.cz + +- Update + patches.kernel.org/6.5.3-622-netfilter-ipset-add-the-missing-IP_SET_HASH_WIT.patch + references (add CVE-2023-42753 bsc#1215150). +- commit ddd076d + +------------------------------------------------------------------- +Mon Sep 25 19:40:07 CEST 2023 - msuchanek@suse.de + +- kernel-binary: Move build-time definitions together + Move source list and build architecture to buildrequires to aid in + future reorganization of the spec template. +- commit 30e2cef + ------------------------------------------------------------------- Mon Sep 25 10:34:49 CEST 2023 - jslaby@suse.cz 
diff --git a/kernel-syms.spec b/kernel-syms.spec index bc99c2d2..cf625a38 100644 --- a/kernel-syms.spec +++ b/kernel-syms.spec @@ -27,7 +27,7 @@ Group: Development/Sources Version: 6.5.5 %if %using_buildservice %if 0%{?is_kotd} -Release: .g6cf5261 +Release: .gb8b4c84 %else Release: 0 %endif @@ -52,7 +52,7 @@ Requires: kernel-pae-devel = %version-%source_rel %endif Requires: pesign-obs-integration Provides: %name = %version-%source_rel -Provides: %name-srchash-6cf5261da0ebc2ca4f200ee6fe0fde9d6c3eff3e +Provides: %name-srchash-b8b4c841314499b66975eeddde9850cfd8083fe3 Provides: multiversion(kernel) Source: README.KSYMS Requires: kernel-devel%variant = %version-%source_rel diff --git a/kernel-vanilla.changes b/kernel-vanilla.changes index 22bbeb53..40a021d8 100644 --- a/kernel-vanilla.changes +++ b/kernel-vanilla.changes 
@@ -1,3 +1,40 @@ +------------------------------------------------------------------- +Tue Oct 3 16:19:55 CEST 2023 - palcantara@suse.de + +- cifs: Fix UAF in cifs_demultiplex_thread() (bsc#1208995 + CVE-2023-1192). +- commit 34d5680 + +------------------------------------------------------------------- +Tue Oct 3 16:18:13 CEST 2023 - palcantara@suse.de + +- fs/smb/client: Reset password pointer to NULL (bsc#1215899 + CVE-2023-5345). +- commit 180c31b + +------------------------------------------------------------------- +Tue Oct 3 08:47:21 CEST 2023 - mkubecek@suse.cz + +- netfilter: ipset: Fix race between IPSET_CMD_CREATE and + IPSET_CMD_SWAP (CVE-2023-42756 bsc#1215767). +- commit 5c8516c + +------------------------------------------------------------------- +Tue Oct 3 08:45:02 CEST 2023 - mkubecek@suse.cz + +- Update + patches.kernel.org/6.5.3-622-netfilter-ipset-add-the-missing-IP_SET_HASH_WIT.patch + references (add CVE-2023-42753 bsc#1215150). +- commit ddd076d + +------------------------------------------------------------------- +Mon Sep 25 19:40:07 CEST 2023 - msuchanek@suse.de + +- kernel-binary: Move build-time definitions together + Move source list and build architecture to buildrequires to aid in + future reorganization of the spec template. +- commit 30e2cef + ------------------------------------------------------------------- Mon Sep 25 10:34:49 CEST 2023 - jslaby@suse.cz diff --git a/kernel-vanilla.spec b/kernel-vanilla.spec index 41b2959f..a18d0670 100644 --- a/kernel-vanilla.spec +++ b/kernel-vanilla.spec @@ -114,7 +114,7 @@ License: GPL-2.0-only Group: System/Kernel Version: 6.5.5 %if 0%{?is_kotd} -Release: .g6cf5261 +Release: .gb8b4c84 %else Release: 0 %endif 
@@ -158,91 +158,6 @@ BuildRequires: u-boot-tools # Remove some packages that are installed automatically by the build system, # but are not needed to build the kernel #!BuildIgnore: autoconf automake gettext-runtime libtool cvs gettext-tools udev insserv -# Force bzip2 instead of lzma compression to -# 1) allow install on older dist versions, and -# 2) decrease build times (bsc#962356 boo#1175882) -%define _binary_payload w9.bzdio -# Do not recompute the build-id of vmlinux in find-debuginfo.sh (bsc#964063) -%undefine _unique_build_ids -%define _no_recompute_build_ids 1 -# prevent usr/lib/debug/boot/vmlinux-4.12.14-11.10-default-4.12.14-11.10.ppc64le.debug -%undefine _unique_debug_names - -%if "%{compress_modules}" == "zstd" -BuildRequires: zstd -# Make sure kmod supports zstd compressed modules -Requires(post): kmod-zstd -%endif -Provides: %name = %version-%source_rel -# bnc#901925 -Provides: %name-%version-%source_rel -Provides: %{name}_%_target_cpu = %version-%source_rel -Provides: kernel-base = %version-%source_rel -Provides: multiversion(kernel) -# In SLE11, kernel-$flavor complemented kernel-$flavor-base. With SLE12, -# kernel-$flavor itself contains all the needed files and kernel-$flavor-base -# is a subset that can replace kernel-$flavor in some scenarios. We need to -# obsolete the -base subpackage from SLE11, so that the base files are not -# owned by multiple packages now. The dependency is not correct wrt openSUSE -# 11.2 - 11.4, but we primarily care about the supported upgrade path. 
-Obsoletes: %name-base < 3.1 -%if ("%build_flavor" != "kvmsmall") && ("%build_flavor" != "azure") -Recommends: kernel-firmware -%endif -# The following is copied to the -base subpackage as well -# BEGIN COMMON DEPS -Requires(pre): suse-kernel-rpm-scriptlets -Requires(post): suse-kernel-rpm-scriptlets -Requires: suse-kernel-rpm-scriptlets -Requires(preun): suse-kernel-rpm-scriptlets -Requires(postun): suse-kernel-rpm-scriptlets -Requires(pre): coreutils awk -# For /usr/lib/module-init-tools/weak-modules2 -Requires(post): suse-module-tools -# For depmod (modutils is a dependency provided by both module-init-tools and -# kmod-compat) -Requires(post): modutils -# This Requires is wrong, because the post/postun scripts have a -# test -x update-bootloader, having perl-Bootloader is not a hard requirement. -# But, there is no way to tell rpm or yast to schedule the installation -# of perl-Bootloader before kernel-binary.rpm if both are in the list of -# packages to install/update. Likewise, this is true for dracut. -# Need a perl-Bootloader with /usr/lib/bootloader/bootloader_entry -Requires(post): perl-Bootloader >= 0.4.15 -Requires(post): dracut -# Install the package providing /etc/SuSE-release early enough, so that -# the grub entry has correct title (bnc#757565) -Requires(post): distribution-release - -%if 0%{?usrmerged} -# make sure we have a post-usrmerge system -Conflicts: filesystem < 16 -%endif - -Obsoletes: microcode_ctl < 1.18 - -%{lua: fd, err = io.open(rpm.expand('%_sourcedir') .. '/kernel-binary-conflicts') - if not fd then io.stderr:write(err) end - unpack = table.unpack or unpack - for l in fd:lines() do - if #l > 0 and l:sub(1,1) ~= '#' then - words = {} ; for w in l:gmatch("([^%s]+)%s*") do table.insert(words, w) end - package, version = unpack(words) - print('Conflicts: ' .. package .. ' < '.. version .. 
'\n') - end - end - fd:close() -} - -%ifarch %ix86 -Conflicts: libc.so.6()(64bit) -%endif -Provides: kernel = %version-%source_rel -Provides: kernel-%build_flavor-base-srchash-6cf5261da0ebc2ca4f200ee6fe0fde9d6c3eff3e -Provides: kernel-srchash-6cf5261da0ebc2ca4f200ee6fe0fde9d6c3eff3e -# END COMMON DEPS -Provides: %name-srchash-6cf5261da0ebc2ca4f200ee6fe0fde9d6c3eff3e -%obsolete_rebuilds %name Source0: https://www.kernel.org/pub/linux/kernel/v6.x/linux-%srcversion.tar.xz Source3: kernel-source.rpmlintrc Source14: series.conf 
@@ -382,19 +297,107 @@ NoSource: 113 NoSource: 114 NoSource: 120 NoSource: 121 - ExclusiveArch: aarch64 armv6hl armv7hl %ix86 ppc64le riscv64 s390x x86_64 -%define kmp_target_cpu %_target_cpu %ifarch %ix86 # Only i386/default supports i586, mark other flavors' packages as i686 %if ! %build_default BuildArch: i686 +%endif +%endif + +# Force bzip2 instead of lzma compression to +# 1) allow install on older dist versions, and +# 2) decrease build times (bsc#962356 boo#1175882) +%define _binary_payload w9.bzdio +# Do not recompute the build-id of vmlinux in find-debuginfo.sh (bsc#964063) +%undefine _unique_build_ids +%define _no_recompute_build_ids 1 +# prevent usr/lib/debug/boot/vmlinux-4.12.14-11.10-default-4.12.14-11.10.ppc64le.debug +%undefine _unique_debug_names + +%if "%{compress_modules}" == "zstd" +BuildRequires: zstd +# Make sure kmod supports zstd compressed modules +Requires(post): kmod-zstd +%endif +Provides: %name = %version-%source_rel +# bnc#901925 +Provides: %name-%version-%source_rel +Provides: %{name}_%_target_cpu = %version-%source_rel +Provides: kernel-base = %version-%source_rel +Provides: multiversion(kernel) +# In SLE11, kernel-$flavor complemented kernel-$flavor-base. With SLE12, +# kernel-$flavor itself contains all the needed files and kernel-$flavor-base +# is a subset that can replace kernel-$flavor in some scenarios. We need to +# obsolete the -base subpackage from SLE11, so that the base files are not +# owned by multiple packages now. The dependency is not correct wrt openSUSE +# 11.2 - 11.4, but we primarily care about the supported upgrade path. 
+Obsoletes: %name-base < 3.1 +%if ("%build_flavor" != "kvmsmall") && ("%build_flavor" != "azure") +Recommends: kernel-firmware +%endif +# The following is copied to the -base subpackage as well +# BEGIN COMMON DEPS +Requires(pre): suse-kernel-rpm-scriptlets +Requires(post): suse-kernel-rpm-scriptlets +Requires: suse-kernel-rpm-scriptlets +Requires(preun): suse-kernel-rpm-scriptlets +Requires(postun): suse-kernel-rpm-scriptlets +Requires(pre): coreutils awk +# For /usr/lib/module-init-tools/weak-modules2 +Requires(post): suse-module-tools +# For depmod (modutils is a dependency provided by both module-init-tools and +# kmod-compat) +Requires(post): modutils +# This Requires is wrong, because the post/postun scripts have a +# test -x update-bootloader, having perl-Bootloader is not a hard requirement. +# But, there is no way to tell rpm or yast to schedule the installation +# of perl-Bootloader before kernel-binary.rpm if both are in the list of +# packages to install/update. Likewise, this is true for dracut. +# Need a perl-Bootloader with /usr/lib/bootloader/bootloader_entry +Requires(post): perl-Bootloader >= 0.4.15 +Requires(post): dracut +# Install the package providing /etc/SuSE-release early enough, so that +# the grub entry has correct title (bnc#757565) +Requires(post): distribution-release + +%if 0%{?usrmerged} +# make sure we have a post-usrmerge system +Conflicts: filesystem < 16 +%endif + +Obsoletes: microcode_ctl < 1.18 + +%{lua: fd, err = io.open(rpm.expand('%_sourcedir') .. '/kernel-binary-conflicts') + if not fd then io.stderr:write(err) end + unpack = table.unpack or unpack + for l in fd:lines() do + if #l > 0 and l:sub(1,1) ~= '#' then + words = {} ; for w in l:gmatch("([^%s]+)%s*") do table.insert(words, w) end + package, version = unpack(words) + print('Conflicts: ' .. package .. ' < '.. version .. 
'\n') + end + end + fd:close() +} + +%ifarch %ix86 +Conflicts: libc.so.6()(64bit) +%endif +Provides: kernel = %version-%source_rel +Provides: kernel-%build_flavor-base-srchash-b8b4c841314499b66975eeddde9850cfd8083fe3 +Provides: kernel-srchash-b8b4c841314499b66975eeddde9850cfd8083fe3 +# END COMMON DEPS +Provides: %name-srchash-b8b4c841314499b66975eeddde9850cfd8083fe3 +%obsolete_rebuilds %name + +%define kmp_target_cpu %_target_cpu +%ifarch %ix86 # KMPs are always built as i586, because rpm does not allow to build # subpackages for different architectures. Therefore, we change the # /usr/src/linux-obj/ symlink to i586. %define kmp_target_cpu i586 %endif -%endif %if %build_default %if "%CONFIG_PREEMPT_DYNAMIC" == "y" @@ -1299,8 +1302,8 @@ Obsoletes: microcode_ctl < 1.18 Conflicts: libc.so.6()(64bit) %endif Provides: kernel = %version-%source_rel -Provides: kernel-%build_flavor-base-srchash-6cf5261da0ebc2ca4f200ee6fe0fde9d6c3eff3e -Provides: kernel-srchash-6cf5261da0ebc2ca4f200ee6fe0fde9d6c3eff3e +Provides: kernel-%build_flavor-base-srchash-b8b4c841314499b66975eeddde9850cfd8083fe3 +Provides: kernel-srchash-b8b4c841314499b66975eeddde9850cfd8083fe3 %obsolete_rebuilds %name-base %ifarch %ix86 diff --git a/kernel-zfcpdump.changes b/kernel-zfcpdump.changes index 22bbeb53..40a021d8 100644 --- a/kernel-zfcpdump.changes +++ b/kernel-zfcpdump.changes 
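Review bot: At the end of this kernel-vanilla.spec hunk, `%define kmp_target_cpu i586` is now guarded only by `%ifarch %ix86`. Before the move it sat inside `%if ! %build_default`, whose `%endif` now closes directly after `BuildArch: i686`. The changelog describes the commit as moving definitions together, so this wider condition deserves a comment next to the define, for example `# set for every ix86 flavor; the default flavor is already built as i586`, if that is the reasoning. The kernel-pae.spec hunk (`-398,19 +297,123`) has the same shape, and the `%if %build_default` section that follows continues outside the hunk.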
@@ -1,3 +1,40 @@ +------------------------------------------------------------------- +Tue Oct 3 16:19:55 CEST 2023 - palcantara@suse.de + +- cifs: Fix UAF in cifs_demultiplex_thread() (bsc#1208995 + CVE-2023-1192). +- commit 34d5680 + +------------------------------------------------------------------- +Tue Oct 3 16:18:13 CEST 2023 - palcantara@suse.de + +- fs/smb/client: Reset password pointer to NULL (bsc#1215899 + CVE-2023-5345). +- commit 180c31b + +------------------------------------------------------------------- +Tue Oct 3 08:47:21 CEST 2023 - mkubecek@suse.cz + +- netfilter: ipset: Fix race between IPSET_CMD_CREATE and + IPSET_CMD_SWAP (CVE-2023-42756 bsc#1215767). +- commit 5c8516c + +------------------------------------------------------------------- +Tue Oct 3 08:45:02 CEST 2023 - mkubecek@suse.cz + +- Update + patches.kernel.org/6.5.3-622-netfilter-ipset-add-the-missing-IP_SET_HASH_WIT.patch + references (add CVE-2023-42753 bsc#1215150). +- commit ddd076d + +------------------------------------------------------------------- +Mon Sep 25 19:40:07 CEST 2023 - msuchanek@suse.de + +- kernel-binary: Move build-time definitions together + Move source list and build architecture to buildrequires to aid in + future reorganization of the spec template. +- commit 30e2cef + ------------------------------------------------------------------- Mon Sep 25 10:34:49 CEST 2023 - jslaby@suse.cz diff --git a/kernel-zfcpdump.spec b/kernel-zfcpdump.spec index 653da4ca..038131b7 100644 --- a/kernel-zfcpdump.spec +++ b/kernel-zfcpdump.spec @@ -114,7 +114,7 @@ License: GPL-2.0-only Group: System/Kernel Version: 6.5.5 %if 0%{?is_kotd} -Release: .g6cf5261 +Release: .gb8b4c84 %else Release: 0 %endif 
@@ -158,91 +158,6 @@ BuildRequires: u-boot-tools # Remove some packages that are installed automatically by the build system, # but are not needed to build the kernel #!BuildIgnore: autoconf automake gettext-runtime libtool cvs gettext-tools udev insserv -# Force bzip2 instead of lzma compression to -# 1) allow install on older dist versions, and -# 2) decrease build times (bsc#962356 boo#1175882) -%define _binary_payload w9.bzdio -# Do not recompute the build-id of vmlinux in find-debuginfo.sh (bsc#964063) -%undefine _unique_build_ids -%define _no_recompute_build_ids 1 -# prevent usr/lib/debug/boot/vmlinux-4.12.14-11.10-default-4.12.14-11.10.ppc64le.debug -%undefine _unique_debug_names - -%if "%{compress_modules}" == "zstd" -BuildRequires: zstd -# Make sure kmod supports zstd compressed modules -Requires(post): kmod-zstd -%endif -Provides: %name = %version-%source_rel -# bnc#901925 -Provides: %name-%version-%source_rel -Provides: %{name}_%_target_cpu = %version-%source_rel -Provides: kernel-base = %version-%source_rel -Provides: multiversion(kernel) -# In SLE11, kernel-$flavor complemented kernel-$flavor-base. With SLE12, -# kernel-$flavor itself contains all the needed files and kernel-$flavor-base -# is a subset that can replace kernel-$flavor in some scenarios. We need to -# obsolete the -base subpackage from SLE11, so that the base files are not -# owned by multiple packages now. The dependency is not correct wrt openSUSE -# 11.2 - 11.4, but we primarily care about the supported upgrade path. 
-Obsoletes: %name-base < 3.1 -%if ("%build_flavor" != "kvmsmall") && ("%build_flavor" != "azure") -Recommends: kernel-firmware -%endif -# The following is copied to the -base subpackage as well -# BEGIN COMMON DEPS -Requires(pre): suse-kernel-rpm-scriptlets -Requires(post): suse-kernel-rpm-scriptlets -Requires: suse-kernel-rpm-scriptlets -Requires(preun): suse-kernel-rpm-scriptlets -Requires(postun): suse-kernel-rpm-scriptlets -Requires(pre): coreutils awk -# For /usr/lib/module-init-tools/weak-modules2 -Requires(post): suse-module-tools -# For depmod (modutils is a dependency provided by both module-init-tools and -# kmod-compat) -Requires(post): modutils -# This Requires is wrong, because the post/postun scripts have a -# test -x update-bootloader, having perl-Bootloader is not a hard requirement. -# But, there is no way to tell rpm or yast to schedule the installation -# of perl-Bootloader before kernel-binary.rpm if both are in the list of -# packages to install/update. Likewise, this is true for dracut. -# Need a perl-Bootloader with /usr/lib/bootloader/bootloader_entry -Requires(post): perl-Bootloader >= 0.4.15 -Requires(post): dracut -# Install the package providing /etc/SuSE-release early enough, so that -# the grub entry has correct title (bnc#757565) -Requires(post): distribution-release - -%if 0%{?usrmerged} -# make sure we have a post-usrmerge system -Conflicts: filesystem < 16 -%endif - -Obsoletes: microcode_ctl < 1.18 - -%{lua: fd, err = io.open(rpm.expand('%_sourcedir') .. '/kernel-binary-conflicts') - if not fd then io.stderr:write(err) end - unpack = table.unpack or unpack - for l in fd:lines() do - if #l > 0 and l:sub(1,1) ~= '#' then - words = {} ; for w in l:gmatch("([^%s]+)%s*") do table.insert(words, w) end - package, version = unpack(words) - print('Conflicts: ' .. package .. ' < '.. version .. 
'\n') - end - end - fd:close() -} - -%ifarch %ix86 -Conflicts: libc.so.6()(64bit) -%endif -Provides: kernel = %version-%source_rel -Provides: kernel-%build_flavor-base-srchash-6cf5261da0ebc2ca4f200ee6fe0fde9d6c3eff3e -Provides: kernel-srchash-6cf5261da0ebc2ca4f200ee6fe0fde9d6c3eff3e -# END COMMON DEPS -Provides: %name-srchash-6cf5261da0ebc2ca4f200ee6fe0fde9d6c3eff3e -%obsolete_rebuilds %name Source0: https://www.kernel.org/pub/linux/kernel/v6.x/linux-%srcversion.tar.xz Source3: kernel-source.rpmlintrc Source14: series.conf 
@@ -382,19 +297,107 @@ NoSource: 113 NoSource: 114 NoSource: 120 NoSource: 121 - ExclusiveArch: s390x -%define kmp_target_cpu %_target_cpu %ifarch %ix86 # Only i386/default supports i586, mark other flavors' packages as i686 %if ! %build_default BuildArch: i686 +%endif +%endif + +# Force bzip2 instead of lzma compression to +# 1) allow install on older dist versions, and +# 2) decrease build times (bsc#962356 boo#1175882) +%define _binary_payload w9.bzdio +# Do not recompute the build-id of vmlinux in find-debuginfo.sh (bsc#964063) +%undefine _unique_build_ids +%define _no_recompute_build_ids 1 +# prevent usr/lib/debug/boot/vmlinux-4.12.14-11.10-default-4.12.14-11.10.ppc64le.debug +%undefine _unique_debug_names + +%if "%{compress_modules}" == "zstd" +BuildRequires: zstd +# Make sure kmod supports zstd compressed modules +Requires(post): kmod-zstd +%endif +Provides: %name = %version-%source_rel +# bnc#901925 +Provides: %name-%version-%source_rel +Provides: %{name}_%_target_cpu = %version-%source_rel +Provides: kernel-base = %version-%source_rel +Provides: multiversion(kernel) +# In SLE11, kernel-$flavor complemented kernel-$flavor-base. With SLE12, +# kernel-$flavor itself contains all the needed files and kernel-$flavor-base +# is a subset that can replace kernel-$flavor in some scenarios. We need to +# obsolete the -base subpackage from SLE11, so that the base files are not +# owned by multiple packages now. The dependency is not correct wrt openSUSE +# 11.2 - 11.4, but we primarily care about the supported upgrade path. 
+Obsoletes: %name-base < 3.1 +%if ("%build_flavor" != "kvmsmall") && ("%build_flavor" != "azure") +Recommends: kernel-firmware +%endif +# The following is copied to the -base subpackage as well +# BEGIN COMMON DEPS +Requires(pre): suse-kernel-rpm-scriptlets +Requires(post): suse-kernel-rpm-scriptlets +Requires: suse-kernel-rpm-scriptlets +Requires(preun): suse-kernel-rpm-scriptlets +Requires(postun): suse-kernel-rpm-scriptlets +Requires(pre): coreutils awk +# For /usr/lib/module-init-tools/weak-modules2 +Requires(post): suse-module-tools +# For depmod (modutils is a dependency provided by both module-init-tools and +# kmod-compat) +Requires(post): modutils +# This Requires is wrong, because the post/postun scripts have a +# test -x update-bootloader, having perl-Bootloader is not a hard requirement. +# But, there is no way to tell rpm or yast to schedule the installation +# of perl-Bootloader before kernel-binary.rpm if both are in the list of +# packages to install/update. Likewise, this is true for dracut. +# Need a perl-Bootloader with /usr/lib/bootloader/bootloader_entry +Requires(post): perl-Bootloader >= 0.4.15 +Requires(post): dracut +# Install the package providing /etc/SuSE-release early enough, so that +# the grub entry has correct title (bnc#757565) +Requires(post): distribution-release + +%if 0%{?usrmerged} +# make sure we have a post-usrmerge system +Conflicts: filesystem < 16 +%endif + +Obsoletes: microcode_ctl < 1.18 + +%{lua: fd, err = io.open(rpm.expand('%_sourcedir') .. '/kernel-binary-conflicts') + if not fd then io.stderr:write(err) end + unpack = table.unpack or unpack + for l in fd:lines() do + if #l > 0 and l:sub(1,1) ~= '#' then + words = {} ; for w in l:gmatch("([^%s]+)%s*") do table.insert(words, w) end + package, version = unpack(words) + print('Conflicts: ' .. package .. ' < '.. version .. 
'\n') + end + end + fd:close() +} + +%ifarch %ix86 +Conflicts: libc.so.6()(64bit) +%endif +Provides: kernel = %version-%source_rel +Provides: kernel-%build_flavor-base-srchash-b8b4c841314499b66975eeddde9850cfd8083fe3 +Provides: kernel-srchash-b8b4c841314499b66975eeddde9850cfd8083fe3 +# END COMMON DEPS +Provides: %name-srchash-b8b4c841314499b66975eeddde9850cfd8083fe3 +%obsolete_rebuilds %name + +%define kmp_target_cpu %_target_cpu +%ifarch %ix86 # KMPs are always built as i586, because rpm does not allow to build # subpackages for different architectures. Therefore, we change the # /usr/src/linux-obj/ symlink to i586. %define kmp_target_cpu i586 %endif -%endif %if %build_default %if "%CONFIG_PREEMPT_DYNAMIC" == "y" @@ -1302,8 +1305,8 @@ Obsoletes: microcode_ctl < 1.18 Conflicts: libc.so.6()(64bit) %endif Provides: kernel = %version-%source_rel -Provides: kernel-%build_flavor-base-srchash-6cf5261da0ebc2ca4f200ee6fe0fde9d6c3eff3e -Provides: kernel-srchash-6cf5261da0ebc2ca4f200ee6fe0fde9d6c3eff3e +Provides: kernel-%build_flavor-base-srchash-b8b4c841314499b66975eeddde9850cfd8083fe3 +Provides: kernel-srchash-b8b4c841314499b66975eeddde9850cfd8083fe3 %obsolete_rebuilds %name-base %ifarch %ix86 diff --git a/patches.kernel.org.tar.bz2 b/patches.kernel.org.tar.bz2 index 3e93aed1..b425dc06 100644 --- a/patches.kernel.org.tar.bz2 +++ b/patches.kernel.org.tar.bz2 @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:3af9edca08b07b1ce5d3c05bd312b07aff14907bcc0c7c7fb962c57f7bd5de3f -size 974830 +oid sha256:a888735173039df96de61c5907271c37d77bc44f1a5b49d00cb3686a6a60b9b4 +size 974191 diff --git a/patches.suse.tar.bz2 b/patches.suse.tar.bz2 index 39586e44..22a33ce0 100644 --- a/patches.suse.tar.bz2 +++ b/patches.suse.tar.bz2 @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:6733a750b9bda77ac4a1d7781ce89e98f68ce44ead9e34dde2f0de5d5653da88 -size 58966 +oid sha256:c0582774afcdd25ded6d13d61783898a59f7d8c59ba0a5d5dfecf58df53aaf3b +size 62620 
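Review bot: The relocated `%define kmp_target_cpu i586` at the end of this hunk is now guarded only by `%ifarch %ix86`, whereas before the move it sat inside the `%if ! %build_default` block that also sets `BuildArch: i686`. That widens the override to the default flavor, which is more than the "Move build-time definitions together" changelog entry describes; it is probably harmless if the default flavor already builds as i586, but nothing visible here confirms that. Either keep the old scope by wrapping the define in `%if ! %build_default` … `%endif`, or add a comment above it such as `# applies to every %ix86 flavor, including default`. In this spec `ExclusiveArch: s390x` makes the branch dead, so the question matters for the spec template and for the other flavor specs that carry the same hunk.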
diff --git a/series.conf b/series.conf
index f7aafe15..297bda70 100644
--- a/series.conf
+++ b/series.conf
@@ -1331,6 +1331,9 @@
 patches.suse/drm-amdgpu-set-completion-status-as-preempted-for-th.patch
 patches.suse/drm-msm-adreno-Add-missing-MODULE_FIRMWARE-macros.patch
 patches.suse/smb3-move-server-check-earlier-when-setting-channel-.patch
+ patches.suse/netfilter-ipset-Fix-race-between-IPSET_CMD_CREATE-an.patch
+ patches.suse/cifs-Fix-UAF-in-cifs_demultiplex_thread-.patch
+ patches.suse/fs-smb-client-Reset-password-pointer-to-NULL.patch
 ########################################################
 # end of sorted patches
 ########################################################
diff --git a/source-timestamp b/source-timestamp
index 00cd8de5..dbbea083 100644
--- a/source-timestamp
+++ b/source-timestamp
@@ -1,3 +1,3 @@
-2023-09-25 10:19:02 +0000
-GIT Revision: 6cf5261da0ebc2ca4f200ee6fe0fde9d6c3eff3e
+2023-10-04 05:02:56 +0000
+GIT Revision: b8b4c841314499b66975eeddde9850cfd8083fe3
 GIT Branch: stable