------------------------------------------------------------------
--- Changelog.all ----------- Wed Apr 14 13:31:39 UTC 2021 ------
------------------------------------------------------------------
------------------------------------------------------------------
------------------ 2021-4-14 - Apr 14 2021 -------------------
------------------------------------------------------------------
++++ diffutils:

- Remove mandatory info requires.
------------------------------------------------------------------
------------------ 2021-4-9 - Apr 9 2021 -------------------
------------------------------------------------------------------
++++ blog:

- Fix package split done for shared library packaging guideline (bsc#1184479).
------------------------------------------------------------------
------------------ 2021-4-8 - Apr 8 2021 -------------------
------------------------------------------------------------------
++++ git:

- add suse-use-builtin-add-interactive.patch
- split git-core perl module into git-core, move instaweb to git-web, and the single remaining perl builtin to git, so that git-core is perl free

++++ systemd:

- Fix 1001-udev-use-lock-when-selecting-the-highest-priority-de.patch (bsc#1184254)
  When a symlink is removed because there's no more references to it make sure to remove the parent dir of the symlink as well. Also add some logging when something goes wrong during the removal.
------------------------------------------------------------------
------------------ 2021-4-7 - Apr 7 2021 -------------------
------------------------------------------------------------------
++++ systemd:

- systemd.spec: clean some of the build deps up:
  - libpcre is redundant with libpcre2 (only required by the full build) and the mini variant needs none of them. Hence drop the ref to libpcre.
  - normally libidn2 is needed by some optional features in systemd-network (only). But it's implicitly pulled in by libgnutls (required by the main package).
    Let's make sure the related features won't be disabled inadvertently in the future by making the dep explicit.
------------------------------------------------------------------
------------------ 2021-4-6 - Apr 6 2021 -------------------
------------------------------------------------------------------
++++ systemd:

- Fix fd leak in 1001-udev-use-lock-when-selecting-the-highest-priority-de.patch (bsc#1184238)
------------------------------------------------------------------
------------------ 2021-3-31 - Mar 31 2021 -------------------
------------------------------------------------------------------
++++ sed:

- Build fix for the new glibc-2.31 (bsc#1183797, sed-tests-build-fix.patch).

++++ sysvinit:

- (re)add also support for SLE-15-SP3
------------------------------------------------------------------
------------------ 2021-3-30 - Mar 30 2021 -------------------
------------------------------------------------------------------
++++ systemd:

- Import commit 480a6d14725509307a0f3edefef3876c107ee7f1 (merge of v246.13)
  423b1e759c Revert "resolved: gracefully handle with packets with too large RR count" (bsc#1183745)
  4723778738 meson.build: make xinitrcdir configurable (bsc#1183408)
  [...]
  For a complete list of changes, visit:
  https://github.com/openSUSE/systemd/compare/8baed1c6f82798c2374bdbfdd440dd065d09fb99...480a6d14725509307a0f3edefef3876c107ee7f1
------------------------------------------------------------------
------------------ 2021-3-29 - Mar 29 2021 -------------------
------------------------------------------------------------------
++++ glibc:

- s390-memmove-ifunc-selector-arch13.patch: S390: Also check vector support in memmove ifunc-selector (bsc#1184035, BZ #27511)

++++ libunistring:

- version update to 0.9.10 [bsc#1183794]
  * The functions u8_casing_prefix_context, u8_casing_prefixes_context, u8_casing_suffix_context, u8_casing_suffixes_context, u16_casing_prefix_context, u16_casing_prefixes_context, u16_casing_suffix_context, u16_casing_suffixes_context, u32_casing_prefix_context, u32_casing_prefixes_context, u32_casing_suffix_context, u32_casing_suffixes_context, that are documented since version 0.9.1, are now actually implemented.
  * bump gnulib version
------------------------------------------------------------------
------------------ 2021-3-27 - Mar 27 2021 -------------------
------------------------------------------------------------------
++++ git:

- git 2.31.1:
  * fsmonitor bug fixes
  * fix git bisect to take an annotated tag as a good/bad endpoint
  * Fix a corner case in "git mv" on case insensitive systems
------------------------------------------------------------------
------------------ 2021-3-26 - Mar 26 2021 -------------------
------------------------------------------------------------------
++++ curl:

- Security fix: [bsc#1183934, CVE-2021-22890]
  * When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly "short-cut" the host handshake.
- Add curl-CVE-2021-22890.patch
------------------------------------------------------------------
------------------ 2021-3-24 - Mar 24 2021 -------------------
------------------------------------------------------------------
++++ curl:

- Security fix: [bsc#1183933, CVE-2021-22876]
  * The automatic referer leaks credentials
- Add curl-CVE-2021-22876.patch
------------------------------------------------------------------
------------------ 2021-3-23 - Mar 23 2021 -------------------
------------------------------------------------------------------
++++ openssl-1_1:

- Fix NULL pointer deref in signature_algorithms
  * CVE-2021-3449
  * bsc#1183852
  * Add openssl-1_1-CVE-2021-3449-NULL_pointer_deref_in_signature_algorithms.patch
------------------------------------------------------------------
------------------ 2021-3-19 - Mar 19 2021 -------------------
------------------------------------------------------------------
++++ util-linux:

- ipcs: Avoid overflows (bsc#1178236, util-linux-ipcs-shmall-overflow-1.patch, util-linux-ipcs-shmall-overflow-2.patch).
------------------------------------------------------------------
------------------ 2021-3-18 - Mar 18 2021 -------------------
------------------------------------------------------------------
++++ ca-certificates:

- openssl is no longer required but coreutils and findutils are (boo#1183680). Keep openssl(cli) at runtime for now nevertheless as this package might be the only one pulling it in.
------------------------------------------------------------------
------------------ 2021-3-16 - Mar 16 2021 -------------------
------------------------------------------------------------------
++++ git:

- Require only openssh-clients where possible (TW, SLE >= 15 SP3) (boo#1183580)
- Drop rsync requirement, not necessary anymore
------------------------------------------------------------------
------------------ 2021-3-15 - Mar 15 2021 -------------------
------------------------------------------------------------------
++++ git:

- git 2.31.0:
  * Use of "pack-redundant" command is discouraged and will trigger a warning. The replacement is "repack -d".
  * The "--format=%(trailers)" mechanism gets enhanced to make it easier to design output for machine consumption.
  * No longer give message to choose between rebase or merge upon pull if the history fast-forwards
  * The configuration variable 'core.abbrev' can be set to 'no' to force no abbreviation regardless of the hash algorithm.
  * "git rev-parse" can be explicitly told to give output as absolute or relative path with the `--path-format=(absolute|relative)` option.
  * Bash completion (in contrib/) update to make it easier for end-users to add completion for their custom "git" subcommands.
  * "git maintenance" learned to drive scheduled maintenance on platforms whose native scheduling methods are not 'cron'.
  * After expiring a reflog and making a single commit, the reflog for the branch would record a single entry that knows both @{0} and @{1}, but we failed to answer "what commit were we on?", i.e. @{1}
  * "git bundle" learns "--stdin" option to read its refs from the standard input. Also, it now does not lose refs when they point at the same object.
  * "git log" learned a new "--diff-merges=" option.
  * "git ls-files" can and does show multiple entries when the index is unmerged, which is a source for confusion unless -s/-u option is in use. A new option --deduplicate has been introduced.
  * `git worktree list` now annotates worktrees as prunable, shows locked and prunable attributes in --porcelain mode, and gained a --verbose option.
  * "git clone" tries to locally check out the branch pointed at by HEAD of the remote repository after it is done, but the protocol did not convey the information necessary to do so when copying an empty repository. The protocol v2 learned how to do so.
  * There are other ways than ".." for a single token to denote a "commit range", namely "^!" and "^-", but "git range-diff" did not understand them.
  * The "git range-diff" command learned "--(left|right)-only" option to show only one side of the compared range.
  * "git mergetool" feeds three versions (base, local and remote) of a conflicted path unmodified. The command learned to optionally prepare these files with unconflicted parts already resolved.
  * The .mailmap is documented to be read only from the root level of a working tree, but a stray file in a bare repository also was read by accident, which has been corrected.
  * "git maintenance" tool learned a new "pack-refs" maintenance task.
  * The error message given when a configuration variable that is expected to have a boolean value has been improved.
  * Signed commits and tags now allow verification of objects, whose two object names (one in SHA-1, the other in SHA-256) are both signed.
  * "git rev-list" command learned "--disk-usage" option.
  * "git {diff,log} --{skip,rotate}-to=" allows the user to discard diff output for early paths or move them to the end of the output.
  * "git difftool" learned "--skip-to=" option to restart an interrupted session from an arbitrary path.
  * "git grep" has been tweaked to be limited to the sparse checkout paths.
  * "git rebase --[no-]fork-point" gained a configuration variable rebase.forkPoint so that users do not have to keep specifying a non-default setting.
  * many bug fixes

++++ systemd:

- Import commit 8baed1c6f82798c2374bdbfdd440dd065d09fb99 (merge of v246.11)
  For a complete list of changes, visit:
  https://github.com/openSUSE/systemd/compare/bb5a31f416d17c5d3521900bebad885ca8f0ba8b...8baed1c6f82798c2374bdbfdd440dd065d09fb99
- Rebase 0001-conf-parser-introduce-early-drop-ins.patch
- Import commit bb5a31f416d17c5d3521900bebad885ca8f0ba8b
  846d61e0a1 boot: Move console declarations to missing_efi.h
  171a37228b boot: Add startswith() and endswith() functions with no_case variants
  0fad9f309a boot: Drop unnecessary braces
  c38bbb0874 boot: Fix void pointer arithmetic warning
  438210924b boot: Replace raw efivar gets with typed variants
  e46cb3e4a0 boot: Add efivar_get/set_uint64_le() functions
  e16bee35c8 boot: Rename efivar_get/set_int() to efivar_get/set_uint_string()
  2808d0e9a3 boot: Tighten scope of variables used in loops
  d3f3d57743 boot: Add efivar_get_boolean_u8()
  0551ecce71 boot: Make all efivar util functions take the guid as an argument
  8376ba3b9f boot: Turn all guid constants into C99 compound initializers
  166fc2dad2 boot: Enable C99
  c87d66e261 boot: Move Secure Boot logic to new file
  da7bba9438 udev: fix memleak
- Rebase 1001-udev-use-lock-when-selecting-the-highest-priority-de.patch
------------------------------------------------------------------
------------------ 2021-3-12 - Mar 12 2021 -------------------
------------------------------------------------------------------
++++ nghttp2:

- security update
- added patches
  fix CVE-2020-11080 [bsc#1181358], HTTP/2 Large Settings Frame DoS
  + nghttp2-CVE-2020-11080.patch
------------------------------------------------------------------
------------------ 2021-3-11 - Mar 11 2021 -------------------
------------------------------------------------------------------
++++ systemd:

- Make sure the udev socket units are reloaded during udev package updates
  This used to be done on older SLE distros but got lost when we branched systemd for SLE15-SP3 from Base:System.
------------------------------------------------------------------
------------------ 2021-3-10 - Mar 10 2021 -------------------
------------------------------------------------------------------
++++ glibc:

- Update glibc-2.31-HTM-vzeroupper.diff with a AVX-SSE transition fix.
- Add glibc-2.31-HTM-vzeroupper.diff to avoid VZEROUPPER in the AVX2 accelerated string routines which cause HTM transaction aborts. Instead use EVEX or SSE. (bsc#1181403)

++++ systemd:

- Update 1004-udev-don-t-create-by-partlabel-primary-and-.-logical.patch (bsc#1183702)
  StandardOutput=syslog+console is deprecated, use 'journal+console' instead which should achieve the same purpose.
- fix-machines-btrfs-subvol.sh is only shipped when machined is built
- Add 1001-udev-use-lock-when-selecting-the-highest-priority-de.patch (bsc#1181192)

++++ systemd-presets-common-SUSE:

- Enable user service pipewire-media-session.service (used with pipewire >= 0.3.23).
------------------------------------------------------------------
------------------ 2021-3-9 - Mar 9 2021 -------------------
------------------------------------------------------------------
++++ ca-certificates:

- backport bash rewrite from Factory to make sure to trigger in transactional mode (boo#1179884)

++++ git:

- git 2.30.2:
  * CVE-2021-21300: On case-insensitive file systems with support for symbolic links, if Git is configured globally to apply delay-capable clean/smudge filters (such as Git LFS), Git could be fooled into running remote code during a clone (boo#1183026)

++++ libcap:

- Update to libcap 2.26 for supporting the ambient capabilities (jsc#SLE-17092, jsc#ECO-3460)
- Use "or" in the license tag to avoid confusion (bsc#1180073)
------------------------------------------------------------------
------------------ 2021-3-4 - Mar 4 2021 -------------------
------------------------------------------------------------------
++++ zlib:

- Fix hw compression on z15 bsc#1176201
- Add zlib-s390x-z15-fix-hw-compression.patch

++++ systemd-presets-common-SUSE:

- Enable user services pipewire.socket and pipewire-pulse.socket (boo#1183012).
------------------------------------------------------------------
------------------ 2021-3-3 - Mar 3 2021 -------------------
------------------------------------------------------------------
++++ glibc:

- nscd-netgroupcache.patch: nscd: Fix double free in netgroupcache (CVE-2021-27645, bsc#1182733, BZ #27462)

++++ openssl-1_1:

- Security fixes:
  * Integer overflow in CipherUpdate: Incorrect SSLv2 rollback protection [bsc#1182333, CVE-2021-23840]
  * Null pointer deref in X509_issuer_and_serial_hash() [bsc#1182331, CVE-2021-23841]
- Add openssl-CVE-2021-23840.patch openssl-CVE-2021-23841.patch
------------------------------------------------------------------
------------------ 2021-3-2 - Mar 2 2021 -------------------
------------------------------------------------------------------
++++ openssl-1_1:

- Fix unresolved error codes [bsc#1182959]
- Update openssl-1.1.1-fips.patch
------------------------------------------------------------------
------------------ 2021-2-23 - Feb 23 2021 -------------------
------------------------------------------------------------------
++++ systemd:

- Import commit 628333aae3e893e225a42fbbd3734d10058edeef
  e06139117c nspawn: make rootfs relative to oci bundle path (bsc#1182598)
  8ba587d46c PATCH] Always free deserialized_subscribed on reload (bsc#1180020)

++++ nodejs14:

- New upstream LTS version 14.16.0:
  * CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion (bsc#1182619)
  * CVE-2021-22884: DNS rebinding in --inspect (bsc#1182620)
------------------------------------------------------------------
------------------ 2021-2-22 - Feb 22 2021 -------------------
------------------------------------------------------------------
++++ systemd:

- Drop 1000-logind-disable-RemoveIPC-by-default.patch
  Disabling RemoveIPC is now done through systemd-default-settings package.
- systemd requires aaa_base >= 13.2
  This dependency is required because 'systemctl {is-enabled,enable,disable} " ends up calling systemd-sysv-install which in its turn calls "chkconfig --no-systemctl". aaa_base package has a weird versioning but the '--no-systemctl' option has been introduced starting from SLE12-SP2-GA, which shipped version "13.2+git20140911.61c1681". Spotted in bsc#1180083.

++++ sysvinit:

- Update to sysvinit 2.99:
  * Mostly typo and just better documentation and easier to read code comments
------------------------------------------------------------------
------------------ 2021-2-19 - Feb 19 2021 -------------------
------------------------------------------------------------------
++++ openldap2:

- bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service.
  * 0220-ITS-9423-ldap_X509dn2bv-check-for-invalid-BER-after-.patch
- bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing in ad_keystring, resulting in denial of service.
  * 0222-ITS-9425-add-more-checks-to-ldap_X509dn2bv.patch
- bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the Certificate List Exact Assertion processing, resulting in denial of service.
  * 0223-ITS-9427-fix-issuerAndThisUpdateCheck.patch
- bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service.
  * 0224-ITS-9428-fix-cancel-exop.patch
- bsc#1182416 CVE-2020-36225 - double free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
  * 0218-ITS-9412-fix-AVA_Sort-on-invalid-RDN.patch
- bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
  * 0217-ITS-9409-saslauthz-use-slap_sl_free-in-prev-commit.patch
  * 0216-ITS-9409-saslauthz-use-ch_free-on-normalized-DN.patch
- bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service.
  * 0219-ITS-9413-fix-slap_parse_user.patch
- bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service.
  * 0213-ITS-9406-9407-remove-saslauthz-asserts.patch
  * 0214-ITS-9406-fix-debug-msg.patch
- bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck).
  * 0212-ITS-9404-fix-serialNumberAndIssuerCheck.patch
  * 0221-ITS-9424-fix-serialNumberAndIssuerSerialCheck.patch
- bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read).
  * 0215-ITS-9408-fix-vrfilter-double-free.patch

++++ python3-core:

Update to 3.6.13, final release of 3.6 branch:
* Security
  - bpo#42967 (bsc#1182379, CVE-2021-23336): Fix web cache poisoning vulnerability by defaulting the query args separator to &, and allowing the user to choose a custom separator.
  - bpo#42938 (bsc#1181126, CVE-2021-3177): Avoid static buffers when computing the repr of ctypes.c_double and ctypes.c_longdouble values.
  - bpo#42103: Prevented potential DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format.
  - bpo#42051: The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities. This should not affect users as entity declarations are not used in regular plist files.
  - bpo#40791: Add volatile to the accumulator variable in hmac.compare_digest, making constant-time-defeating optimizations less likely.
* Core and Builtins
  - bpo#35560: Fix an assertion error in format() in debug build for floating point formatting with “n” format, zero padding and small width. Release build is not impacted. Patch by Karthikeyan Singaravelan.
* Library
  - bpo#42103: InvalidFileException and RecursionError are now the only errors caused by loading malformed binary Plist file (previously ValueError and TypeError could be raised in some specific cases).
* Tests
  - bpo#42794: Update test_nntplib to use official group name of news.aioe.org for testing. Patch by Dong-hee Na.
  - bpo#41944: Tests for CJK codecs no longer call eval() on content received via HTTP.
- Patches removed, because they were included in the upstream tarball:
  - CVE-2020-27619-no-eval-http-content.patch
  - CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch

++++ systemd:

- Add 0001-conf-parser-introduce-early-drop-ins.patch
  Introduce early configuration drop-in file. This type of drop-ins are reserved for vendor own purposes only and should never be used by users. It might be removed in the future without any notice.

++++ python3:

Update to 3.6.13, final release of 3.6 branch:
* Security
  - bpo#42967 (bsc#1182379, CVE-2021-23336): Fix web cache poisoning vulnerability by defaulting the query args separator to &, and allowing the user to choose a custom separator.
  - bpo#42938 (bsc#1181126, CVE-2021-3177): Avoid static buffers when computing the repr of ctypes.c_double and ctypes.c_longdouble values.
  - bpo#42103: Prevented potential DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format.
  - bpo#42051: The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities. This should not affect users as entity declarations are not used in regular plist files.
  - bpo#40791: Add volatile to the accumulator variable in hmac.compare_digest, making constant-time-defeating optimizations less likely.
* Core and Builtins
  - bpo#35560: Fix an assertion error in format() in debug build for floating point formatting with “n” format, zero padding and small width. Release build is not impacted. Patch by Karthikeyan Singaravelan.
* Library
  - bpo#42103: InvalidFileException and RecursionError are now the only errors caused by loading malformed binary Plist file (previously ValueError and TypeError could be raised in some specific cases).
* Tests
  - bpo#42794: Update test_nntplib to use official group name of news.aioe.org for testing. Patch by Dong-hee Na.
  - bpo#41944: Tests for CJK codecs no longer call eval() on content received via HTTP.
- Patches removed, because they were included in the upstream tarball:
  - CVE-2020-27619-no-eval-http-content.patch
  - CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch
------------------------------------------------------------------
------------------ 2021-2-18 - Feb 18 2021 -------------------
------------------------------------------------------------------
++++ kmod:

- Fix grub's requoted kernel parameters (bsc#1181111)
  * 0001-libkmod-config-revamp-kcmdline-parsing-into-a-state-.patch
  * 0002-libkmod-config-re-quote-option-from-kernel-cmdline.patch
------------------------------------------------------------------
------------------ 2021-2-17 - Feb 17 2021 -------------------
------------------------------------------------------------------
++++ systemd:

- Drop most of the tmpfiles that deal with generic paths (bsc#1078466 bsc#1181831)
  They are problematic because some of them conflict with SUSE defaults. Therefore it seems better to let the relevant packages owning these paths to provide their own definitions instead.
- Drop use of %systemd_postun in %postun
  This macro is supposed to operate on units but it was used without passing any parameters. This call was probably used for issuing a daemon-reload but the following calls to %systemd_postun_with_restart imply that already. So let's simply drop it.
++++ nodejs14:

- New upstream LTS version 14.15.5:
  * deps:
    + upgrade npm to 6.14.11
    + V8: backport dfcf1e86fac0 #37245
      Note: Node.js is not believed to be vulnerable to CVE-2021-21148
  * stream,zlib: do not use _stream_* anymore
- relax OpenSSL cipher suite policies for unit tests
------------------------------------------------------------------
------------------ 2021-2-16 - Feb 16 2021 -------------------
------------------------------------------------------------------
++++ util-linux:

- Update to version 2.36.2:
  * agetty: tty eol defaults to REPRINT
  * fsck.cramfs: fix fsck.cramfs crashes on blocksizes > 4K
  * lib/caputils: add fall back for last cap using prctl.
  * lib/signames: change license to public domain
  * libfdisk:
    * (dos) fix last possible sector calculation
    * (script) ignore empty values for start and size
    * ignore 33553920 byte optimal I/O size
  * libmount:
    * add vboxsf, virtiofs to pseudo filesystems
    * do not canonicalize ZFS source dataset
    * don't use "symfollow" for helpers on user mounts (boo#1181750, obsoletes util-linux-libmount-dont-use-symfollow.patch)
    * fix /{etc,proc}/filesystems use
  * login: use full tty path for PAM_TTY
  * lsblk: read SCSI_IDENT_SERIAL also from udev
  * rfkill: stop execution when rfkill device cannot be opened
  * setpriv: allow using [-+]all for capabilities.
  * su: use full tty path for PAM_TTY
  * switch_root: check if mount point to move even exists
  * umount:
    * ignore --no-canonicalize,-c for non-root users
    * Show the 'r' option in the help menu
  * Code cleanups and documentation improvements.
  * Translation updates.

++++ openldap2:

- bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime.
  * patch: 0211-ITS-9454-fix-issuerAndThisUpdateCheck.patch
------------------------------------------------------------------
------------------ 2021-2-10 - Feb 10 2021 -------------------
------------------------------------------------------------------
++++ git:

- git 2.30.1
  * Bugfix release
  * "git stash" did not work well in a sparsely checked out working tree.
  * Newline characters in the host and path part of git:// URL are now forbidden.

++++ util-linux:

- libmount: don't use "symfollow" for helpers on user mounts (boo#1181750, util-linux-libmount-dont-use-symfollow.patch)
------------------------------------------------------------------
------------------ 2021-2-9 - Feb 9 2021 -------------------
------------------------------------------------------------------
++++ filesystem:

- Remove duplicate line due to merge error

++++ util-linux:

- Override GTKDOCIZE with /bin/true so we can run autoreconf without needing gtk-doc as a dependency.

++++ nodejs-common:

- Fix typo in Requires
------------------------------------------------------------------
------------------ 2021-2-8 - Feb 8 2021 -------------------
------------------------------------------------------------------
++++ python3-core:

- Resync with python36 Factory package.
- Make this %primary_interpreter

++++ systemd:

- Add 0001-rules-don-t-ignore-Xen-interfaces-anymore.patch (bsc#1178561)

++++ python3:

- Resync with python36 Factory package.
- Make this %primary_interpreter
------------------------------------------------------------------
------------------ 2021-2-5 - Feb 5 2021 -------------------
------------------------------------------------------------------
++++ systemd:

- Import commit f366438ca2d66c287ea836174e73dd03a98914bf (merge of v246.10)
  25f220eafb sysusers: flush nscd's caches whenever /etc/{passwd,group} are modified (bsc#1181121)
  For a complete list of changes, visit:
  https://github.com/openSUSE/systemd/compare/64dfb99ca3c9cbc75f6abe7aa6aa60f66ae4210d...f366438ca2d66c287ea836174e73dd03a98914bf
- systemd-sysv-convert: handle the case when services are migrated from SysV scripts to systemd units and are renamed at the same time (bsc#1181788)
  The list of such services is hard coded and contains only the 'ntp->ntpd' translation.
------------------------------------------------------------------
------------------ 2021-2-4 - Feb 4 2021 -------------------
------------------------------------------------------------------
++++ kmod:

- Fix tests to not test disabled features. Disable zstd again.
  * kmod-populate-modules-Use-more-bash-more-quotes.patch
  * kmod-testsuite-compress-modules-if-feature-is-enabled.patch
  * kmod-also-test-xz-compression.patch

++++ util-linux:

- Merge package with SLE15 SP3 and openSUSE Leap 15.3:
  Obsoletes upstreamed patches:
- libblkid: Do not trigger CDROM autoclose (v2.35, bsc#1084671, util-linux-libblkid-cdrom-autoclose-1.patch, util-linux-libblkid-cdrom-autoclose-2.patch, util-linux-libblkid-cdrom-autoclose-3.patch).
- lscpu: avoid segfault on PowerPC systems with valid hardware configurations (v2.36.1, bsc#1175623, bsc#1178554, bsc#1178825, lscpu-avoid-segfault-on-PowerPC-systems-with-valid-h.patch)
- Fix for SG#57988, bsc#1174942 (v2.36): libmount-fix-mount-a-EBUSY-for-cifs.patch: Fix warning on mounts to CIFS with mount -a.
- blockdev: Do not fail --report on kpartx-style partitions on multipath (v2.36, bsc#1168235, util-linux-blockdev-report-dm.patch).
- nologin: Add support for -c to prevent error from su -c (v2.35, bsc#1151708, util-linux-nologin-su-c.patch).
- Add libmount-Avoid-triggering-autofs-in-lookup_umount_fs.patch: Avoid triggering autofs in lookup_umount_fs_by_statfs (v2.36 boo#1168389)
- mount: fall back to device node name if /dev/mapper link not found (v2.34, bsc#1149911)
  * Add patch: util-linux-canonicalize-coverity-scan.patch
- De-duplicate fstrim -A properly (v2.34, bsc#1127701, util-linux-fstrim-A-1.patch, util-linux-fstrim-A-3.patch, util-linux-fstrim-A-4.patch).
- Do not trim read-only volumes (v2.34, boo#1106214, util-linux-fstrim-A-2.patch, util-linux-fstrim-A-4.patch).
- libmount: To prevent incorrect behavior, recognize more pseudofs and netfs (v2.34, bsc#1122417, util-linux-libmount-pseudofs.patch).
- agetty: Return previous response of agetty for special characters (v2.34, bsc#1085196, bsc#1125886, util-linux-agetty-smart-reload-13.patch, util-linux-agetty-smart-reload-14.patch).
- Fix problems in reading of login.defs values (v2.34, bsc#1121197, util-linux-login_defs-priority1.patch, util-linux-login_defs-priority2.patch, util-linux-login_defs-SYS_UID.patch).
- Build with libudev support to support non-root users (boo#1169006).
- Move findmnt and lsblk to util-linux-systemd, as they use libudev (bsc#1169006#c10).
------------------------------------------------------------------
------------------ 2021-2-3 - Feb 3 2021 -------------------
------------------------------------------------------------------
++++ gcc7:

- Remove include-fixed/pthread.h
- Change GCC exception licenses to SPDX format
------------------------------------------------------------------
------------------ 2021-2-1 - Feb 1 2021 -------------------
------------------------------------------------------------------
++++ filesystem:

- add /etc/skel/.cache with perm 0700 (bsc#1181011)

++++ lvm2-device-mapper:

- revert commit which caused a regression: lvm2 should use 'external_device_info_source="udev"' by default (bsc#1179691)
- change lvm.conf item external_device_info_source from none to udev
------------------------------------------------------------------
------------------ 2021-1-31 - Jan 31 2021 -------------------
------------------------------------------------------------------
++++ gcc7:

- add gcc7-pr81942.patch [bsc#1181618]
------------------------------------------------------------------
------------------ 2021-1-29 - Jan 29 2021 -------------------
------------------------------------------------------------------
++++ filesystem:

- Set correct permissions when creating /proc and /sys
- Ignore postfix user (pulled in from buildsystem)

++++ kmod:

- Supplement bash-completion subpackage against the main package and bash-completion.
- Also require the main package plus bash-completion: the completion package is useless without either of the two.

++++ util-linux:

- Do not require libeconf-devel on products without /usr/etc.

++++ gmp:

- adjusted to be the same license as in factory (bsc#1180603)

++++ python3-core:

- Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution.
++++ python3: - Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution. ------------------------------------------------------------------ ------------------ 2021-1-28 - Jan 28 2021 ------------------- ------------------------------------------------------------------ ++++ glibc: - gconv-assertion-iso-2022-jp.patch: gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256) ++++ kmod: - Update to v28 * Add Zstandard to the supported compression formats using libzstd (tests only - cannot be disabled in tests) * Ignore ill-formed kernel command line, e.g. with "ivrs_acpihid[00:14.5]=AMD0020:0" option in it * Fix some memory leaks * Fix 0-length builtin.alias.bin: it needs at least the index header - Backport upstream fix 0001-Fix-modinfo-F-always-shows-name-for-built-ins.patch ++++ shadow: - Do not require libeconf-devel on products without /usr/etc. ------------------------------------------------------------------ ------------------ 2021-1-27 - Jan 27 2021 ------------------- ------------------------------------------------------------------ ++++ python3-core: - Provide the newest setuptools wheel (bsc#1176262, CVE-2019-20916) in their correct form (bsc#1180686). ++++ python3: - Provide the newest setuptools wheel (bsc#1176262, CVE-2019-20916) in their correct form (bsc#1180686). ------------------------------------------------------------------ ------------------ 2021-1-25 - Jan 25 2021 ------------------- ------------------------------------------------------------------ ++++ util-linux: - s/--enable-vendordir/--with-vendordir/ - remove pam_securetty line again. As long as there is no agreement from pam side having it would fail openQA (boo#1033626) ++++ timezone: - timezone update 2021a (bsc#1177460) * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00. 
------------------------------------------------------------------ ------------------ 2021-1-23 - Jan 23 2021 ------------------- ------------------------------------------------------------------ ++++ lvm2-device-mapper: - back port lvmlockd adopt orphan locks feature into sles15sp2 (bsc#1181319) + bug-1181319_01-Revert-lvmlockd-use-commonly-used-define-NOTIFYDBUS_.patch + bug-1181319_02-lvmlockctl-ensure-result-value-is-always-defined.patch + bug-1181319_03-lvmlockctl-use-inline-initilizers.patch + bug-1181319_04-lvmlockd-replace-lock-adopt-info-source.patch + bug-1181319_05-cov-check-sscanf-result.patch ++++ openssh: - Add openssh-fix-ssh-copy-id.patch, which fixes breakage introduced in 8.4p1 (bsc#1181311). ------------------------------------------------------------------ ------------------ 2021-1-22 - Jan 22 2021 ------------------- ------------------------------------------------------------------ ++++ openssh: - Improve robustness of sshd init detection when upgrading from a pre-systemd distribution. - Add openssh-reenable-dh-group14-sha1-default.patch, which adds diffie-hellman-group14-sha1 key exchange back to the default list (bsc#1180958). This is needed for backwards compatibility with older platforms. - Make sure sshd is enabled correctly when upgrading from a pre-systemd distribution (bsc#1180083). ------------------------------------------------------------------ ------------------ 2021-1-21 - Jan 21 2021 ------------------- ------------------------------------------------------------------ ++++ permissions: - Update to version 20181224: * pcp: remove no longer needed / conflicting entries (bsc#1171883, CVE-2020-8025) ++++ shadow: - Split login.defs configuration file into own sub-package, which allows to install util-linux or pam on small embedded/edge systems or container without the need to pull in the full shadow suite. 
------------------------------------------------------------------ ------------------ 2021-1-19 - Jan 19 2021 ------------------- ------------------------------------------------------------------ ++++ nodejs-common: - set nodejs14 as default for sle15-sp3+ - set nodejs15 as default for TW ------------------------------------------------------------------ ------------------ 2021-1-18 - Jan 18 2021 ------------------- ------------------------------------------------------------------ ++++ openssh: - sysusers-sshd.conf: use sysusers.d configuration file to create sshd user (avoid hard dependency on shadow). - update to 8.4p1: Security ======== * ssh-agent(1): restrict ssh-agent from signing web challenges for FIDO/U2F keys. * ssh-keygen(1): Enable FIDO 2.1 credProtect extension when generating a FIDO resident key. * ssh(1), ssh-keygen(1): support for FIDO keys that require a PIN for each use. These keys may be generated using ssh-keygen using a new "verify-required" option. When a PIN-required key is used, the user will be prompted for a PIN to complete the signature operation. New Features ------------ * sshd(8): authorized_keys now supports a new "verify-required" option to require FIDO signatures assert that the token verified that the user was present before making the signature. The FIDO protocol supports multiple methods for user-verification, but currently OpenSSH only supports PIN verification. * sshd(8), ssh-keygen(1): add support for verifying FIDO webauthn signatures. Webauthn is a standard for using FIDO keys in web browsers. These signatures are a slightly different format to plain FIDO signatures and thus require explicit support. * ssh(1): allow some keywords to expand shell-style ${ENV} environment variables. The supported keywords are CertificateFile, ControlPath, IdentityAgent and IdentityFile, plus LocalForward and RemoteForward when used for Unix domain socket paths.
bz#3140 * ssh(1), ssh-agent(1): allow some additional control over the use of ssh-askpass via a new $SSH_ASKPASS_REQUIRE environment variable, including forcibly enabling and disabling its use. bz#69 * ssh(1): allow ssh_config(5)'s AddKeysToAgent keyword accept a time limit for keys in addition to its current flag options. Time-limited keys will automatically be removed from ssh-agent after their expiry time has passed. * scp(1), sftp(1): allow the -A flag to explicitly enable agent forwarding in scp and sftp. The default remains to not forward an agent, even when ssh_config enables it. * ssh(1): add a '%k' TOKEN that expands to the effective HostKey of the destination. This allows, e.g., keeping host keys in individual files using "UserKnownHostsFile ~/.ssh/known_hosts.d/%k". bz#1654 * ssh(1): add %-TOKEN, environment variable and tilde expansion to the UserKnownHostsFile directive, allowing the path to be completed by the configuration (e.g. bz#1654) * ssh-keygen(1): allow "ssh-add -d -" to read keys to be deleted from stdin. bz#3180 * sshd(8): improve logging for MaxStartups connection throttling. sshd will now log when it starts and stops throttling and periodically while in this state. bz#3055 Bugfixes -------- * ssh(1), ssh-keygen(1): better support for multiple attached FIDO tokens. In cases where OpenSSH cannot unambiguously determine which token to direct a request to, the user is now required to select a token by touching it. In cases of operations that require a PIN to be verified, this avoids sending the wrong PIN to the wrong token and incrementing the token's PIN failure counter (tokens effectively erase their keys after too many PIN failures).
* sshd(8): fix Include before Match in sshd_config; bz#3122 * ssh(1): close stdin/out/error when forking after authentication completes ("ssh -f ...") bz#3137 * ssh(1), sshd(8): limit the amount of channel input data buffered, avoiding peers that advertise large windows but are slow to read from causing high memory consumption. * ssh-agent(1): handle multiple requests sent in a single write() to the agent. * sshd(8): allow sshd_config longer than 256k * sshd(8): avoid spurious "Unable to load host key" message when sshd loads a private key but no public counterpart * ssh(1): prefer the default hostkey algorithm list whenever we have a hostkey that matches its best-preference algorithm. * sshd(1): when ordering the hostkey algorithms to request from a server, prefer certificate types if the known_hosts files contain a key marked as a @cert-authority; bz#3157 * ssh(1): perform host key fingerprint comparisons for the "Are you sure you want to continue connecting (yes/no/[fingerprint])?" prompt with case sensitivity. * sshd(8): ensure that address/masklen mismatches in sshd_config yield fatal errors at daemon start time rather than later when they are evaluated. * ssh-keygen(1): ensure that certificate extensions are lexically sorted. Previously if the user specified a custom extension then everything would be in order except the custom ones. bz#3198 * ssh(1): also compare username when checking for JumpHost loops. bz#3057 * ssh-keygen(1): preserve group/world read permission on known_hosts files across runs of "ssh-keygen -Rf /path". The old behaviour was to remove all rights for group/other. bz#3146 * ssh-keygen(1): Mention the [-a rounds] flag in the ssh-keygen manual page and usage(). * sshd(8): explicitly construct path to ~/.ssh/rc rather than relying on it being relative to the current directory, so that it can still be found if the shell startup changes its directory.
bz#3185 * sshd(8): when redirecting sshd's log output to a file, undo this redirection after the session child process is forked(). Fixes missing log messages when using this feature under some circumstances. * sshd(8): start ClientAliveInterval bookkeeping before first pass through select() loop; fixed theoretical case where busy sshd may ignore timeouts from client. * ssh(1): only reset the ServerAliveInterval check when we receive traffic from the server and ignore traffic from a port forwarding client, preventing a client from keeping a connection alive when it should be terminated. bz#2265 * ssh-keygen(1): avoid spurious error message when ssh-keygen creates files outside ~/.ssh * sftp-client(1): fix off-by-one error that caused sftp downloads to make one more concurrent request than desired. This prevented using sftp(1) in unpipelined request/response mode, which is useful when debugging. bz#3054 * ssh(1), sshd(8): handle EINTR in waitfd() and timeout_connect() helpers. bz#3071 * ssh(1), ssh-keygen(1): defer creation of ~/.ssh until we attempt to write to it so we don't leave an empty .ssh directory when it's not needed. bz#3156 * ssh(1), sshd(8): fix multiplier when parsing time specifications when handling seconds after other units.
bz#3171 ------------------------------------------------------------------ ------------------ 2021-1-16 - Jan 16 2021 ------------------- ------------------------------------------------------------------ ++++ util-linux: - Update to version 2.36.1: * chrt: use SCHED_FLAG_RESET_ON_FORK for sched_setattr() * fallocate: fix --dig-holes at end of files * fdisk: always report fdisk_create_disklabel() errors * flock: keep -E exit status more restrictive * fstrim: remove fstab condition from fstrim.timer * hexdump: automatically use -C when called as hd * hwclock: add fallback if SYS_settimeofday does not exist, fix SYS_settimeofday fallback * libblkid: allow a lot of mac partitions, fix Atari prober logic, limit amount of parsed partitions * more libfdisk improvements * losetup: avoid infinite busy loop, increase limit of setup attempts * lsblk: fix -T optional argument, fix SCSI_IDENT_SERIAL, print zero rather than empty SIZE, read ID_SCSI_IDENT_SERIAL if available * lscpu: Add FUJITSU aarch64 A64FX cpupart, Even more Arm part numbers, avoid segfault on PowerPC systems with valid hardware configurations (bsc#1175623) * mount: Add support for "nosymfollow" mount option. * pg: fix wcstombs() * sfdisk: correct --json --dump false exclusive, fix backward --move-data * vipw: fix short write handling in copyfile * whereis: fix out of boundary read, support zst compressed man pages * minor code improvements and fixes * minor licensing changes * improve docs - Require both group(uuidd) and user(uuidd).
------------------------------------------------------------------ ------------------ 2021-1-15 - Jan 15 2021 ------------------- ------------------------------------------------------------------ ++++ pam: - Create macros.pam with definition of %_pamdir so packages which are commonly shared between Factory and SLE can use this macro [pam.spec] ------------------------------------------------------------------ ------------------ 2021-1-14 - Jan 14 2021 ------------------- ------------------------------------------------------------------ ++++ systemd: - Remove a fix specific to Factory/TW distros. - Leave nss files in /usr/lib*, glibc loads them from there just fine (Changes from Ludwig Nussel, backported from Factory) - Define %_pamdir until it's defined by pam-devel in SLE - Use %_pamdir to install pam modules - Import commit 64dfb99ca3c9cbc75f6abe7aa6aa60f66ae4210d 65f4fa852e write_net_rules: set execute bits (bsc#1178561) 4a543f0257 journal: send journald logs to kmsg again ------------------------------------------------------------------ ------------------ 2021-1-12 - Jan 12 2021 ------------------- ------------------------------------------------------------------ ++++ kmod: - Update usr-lib-modprobe.patch to upstream submission (boo#1180821). - Require libxslt-tools for xsltproc and use local stylesheet. * no-stylesheet-download.patch ++++ openldap2: - bsc#1178909 CVE-2020-25709 CVE-2020-25710 - Resolves two issues where openldap would crash due to malformed inputs. 
* patch: 0209-ITS-9383-remove-assert-in-certificateListValidate.patch * patch: 0210-ITS-9384-remove-assert-in-obsolete-csnNormalize23.patch ++++ systemd: - Import commit 68b1d8a9472091ccfbbc2ca234d2583716d57a2a (include merge of v246.9) 26df96473f busctl: add a timestamp to the output of the busctl monitor command (bsc#1180225) For a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/2acc5eb602eb8029f4547e37eb433c804a7db3a1...68b1d8a9472091ccfbbc2ca234d2583716d57a2a ------------------------------------------------------------------ ------------------ 2021-1-8 - Jan 8 2021 ------------------- ------------------------------------------------------------------ ++++ cyrus-sasl: - CVE-2020-8032: cyrus-sasl: Local privilege escalation to root due to insecure tmp file usage. (bsc#1180669) Use /var/adm/update-scripts/ instead of /tmp. Clean up temporary files. ++++ openssh: - Update openssh-8.1p1-audit.patch (bsc#1180501). This fixes occasional crashes on connection termination caused by accessing freed memory. 
------------------------------------------------------------------ ------------------ 2021-1-7 - Jan 7 2021 ------------------- ------------------------------------------------------------------ ++++ keyutils: - adjust the library license to be LGPL-2.1+ only (the tools are GPL2+, the library is just LGPL-2.1+) (bsc#1180603) ------------------------------------------------------------------ ------------------ 2021-1-5 - Jan 5 2021 ------------------- ------------------------------------------------------------------ ++++ glibc: - sysvipc-sem-stat-any.patch: sysvipc: Fix SEM_STAT_ANY kernel argument pass (bsc#1180557, BZ #26637) ++++ lvm2-device-mapper: - lvm2 should use 'external_device_info_source="udev"' by default (bsc#1179691) - change lvm.conf item external_device_info_source from none to udev - comment out lvm.conf item preferred_names by default (bsc#1179738) - comment out preferred_names ------------------------------------------------------------------ ------------------ 2021-1-4 - Jan 4 2021 ------------------- ------------------------------------------------------------------ ++++ gcc7: - Amend gcc7-aarch64-moutline-atomics.patch for glibc namespace violation with getauxval. [bsc#1167939] ++++ openldap2: - bsc#1179503 - fix proxy retry binds to a remote server * patch: 0208-ITS-9400-back-ldap-fix-retry-binds.patch ++++ nodejs14: - New upstream LTS version 14.15.4: * CVE-2020-8265: use-after-free in TLSWrap (High) bug in TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits (bsc#1180553) * CVE-2020-8287: HTTP Request Smuggling allow two copies of a header field in a http request.
For example, two Transfer-Encoding header fields. In this case Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling (https://cwe.mitre.org/data/definitions/444.html). (bsc#1180554) ------------------------------------------------------------------ ------------------ 2020-12-29 - Dec 29 2020 ------------------- ------------------------------------------------------------------ ++++ git: - git 2.30.0: * Userdiff updates for PHP, Rust, CSS * New features and options to multiple subcommands and workflows * Avoid administrator error leading to data loss with "git push --force-with-lease[=]" by introducing "--force-if-includes" * Updates to shell autocompletion * Bug fixes and internal improvements ++++ timezone: - timezone update 2020f (bsc#1177460) * 'make rearguard_tarballs' no longer generates a bad rearguard.zi, fixing a 2020e bug. ------------------------------------------------------------------ ------------------ 2020-12-28 - Dec 28 2020 ------------------- ------------------------------------------------------------------ ++++ python3-core: - readd --with-fpectl (bsc#1180377) ++++ python3: - readd --with-fpectl (bsc#1180377) ------------------------------------------------------------------ ------------------ 2020-12-23 - Dec 23 2020 ------------------- ------------------------------------------------------------------ ++++ timezone: - timezone update 2020e (bsc#1177460) * Volgograd switches to Moscow time on 2020-12-27 at 02:00. 
------------------------------------------------------------------ ------------------ 2020-12-21 - Dec 21 2020 ------------------- ------------------------------------------------------------------ ++++ libidn2: - The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later, match factory licenses (bsc#1180138) ++++ nodejs14: - New upstream LTS version 14.15.3: * deps: + upgrade npm to 6.14.9 + update acorn to v8.0.4 * http2: check write not scheduled in scope destructor * stream: fix regression on duplex end - versioned.patch, sle12_python3_compat.patch: refreshed ------------------------------------------------------------------ ------------------ 2020-12-17 - Dec 17 2020 ------------------- ------------------------------------------------------------------ ++++ systemd: - Enable support for zstd compression systemd-journald will now use zstd for compressing large fields in journal files. systemd-coredump will also use this algorithm to compress coredump files. Please note that systemd older than v246 won't be able to read new journal files as zstd algorithm is not supported by these versions. This incompatible change was actually not the only one introduced by v246 since the hash tables in journal files have been hardened against hash collisions too in an incompatible way with older versions. 
------------------------------------------------------------------ ------------------ 2020-12-16 - Dec 16 2020 ------------------- ------------------------------------------------------------------ ++++ glibc: - aarch64-getauxval.patch: aarch64: Accept PLT calls to __getauxval within libc.so (bsc#1167939) - iconv-redundant-shift.patch: iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224) - iconv-ucs4-loop-bounds.patch: iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, bsc#1179694, BZ #26923) - printf-long-double-non-normal.patch: x86: Harden printf against non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649) - get-nprocs-cpu-online-parsing.patch: Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859) ------------------------------------------------------------------ ------------------ 2020-12-15 - Dec 15 2020 ------------------- ------------------------------------------------------------------ ++++ systemd: - Drop 1001-journald-turn-ForwardToSyslog-on-by-default.patch ForwardToSyslog is turned on by rsyslog. - Explicitly require group(kvm) by udev: the group used to be created by system-users-hardware, but has been split/moved to qemu/kvm, where it is more logical. The file /usr/lib/udev/rules.d/50-udev-default.rules references this group, thus we should make sure the group exists. 
Otherwise there are errors in the journal in the form of: /usr/lib/udev/rules.d/50-udev-default.rules:86 Unknown group 'kvm', ignoring - Import commit 2acc5eb602eb8029f4547e37eb433c804a7db3a1 (include merge of v246.7) 6131548b0f udev: link_update() should fail if the entry in symlink dir couldn't have been created f6cb8c7d79 udev: make algorithm that selects highest priority devlink less susceptible to race conditions (bsc#1084748) fc64e47291 basic/stat-util: make mtime check stricter and use entire timestamp ae91d45d3d test/sys-script.py: add missing DEVNAME entries to uevents 09e3473a7a test/udev_test.pl: add "expected good" count fc89379b5b test/udev-test.pl: suppress umount error message at startup d9e114f10d test/sd-script.py: new helper script for udev testing f2672eae66 test/udev-test.pl: generator for large list of block devices 42b68e43e2 test/udev-test.pl: add repeat count eec8ec375a tests/udev-test.pl: add multiple device test 73b8f3cf93 test/udev-test.pl: count "good" results ee04d70bb6 test/udev-test.pl: merge import parent tests into one 03942c8fbc test/udev-test.pl: merge "space and var with space" tests ec95546189 test/udev-test.pl: remove bogus rules from magic subsys test f704429217 test/udev-test.pl: Make some tests a little harder ce1a877dc0 test/udev-test.pl: last_rule is unsupported 913c72ff2d test/udev-test.pl: fix wrong test descriptions eeb25a1be6 test/udev-test.pl: allow checking multiple symlinks 00ab4292da test/udev-test.pl: test correctness of symlink targets 5b71ee2911 test/udev-test.pl: use computed devnode name 2e04bb9ae8 test/udev-test.pl: allow concurrent additions and removals 8816dd593c test/udev-test.pl: create rules only once 214418632d test/udev-test.pl: allow multiple devices per test 1eb6b23f27 udev-test: do not rely on "mail" group being defined 4a0a4dcf10 udev: Fix sound.target dependency (bsc#1179363) For a complete list of changes, visit: 
https://github.com/openSUSE/systemd/compare/9dd0c9a724a9361207ab4a9ad29d144987fb373f...2acc5eb602eb8029f4547e37eb433c804a7db3a1 - Rebase 1008-Restore-support-for-halt.local.patch ------------------------------------------------------------------ ------------------ 2020-12-9 - Dec 9 2020 ------------------- ------------------------------------------------------------------ ++++ libapparmor: - update to AppArmor 2.13.6 - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_2.13.6 for the detailed upstream changelog - drop upstreamed patch libapparmor-so-number.diff ------------------------------------------------------------------ ------------------ 2020-12-8 - Dec 8 2020 ------------------- ------------------------------------------------------------------ ++++ cryptsetup: - SLE marker: implements jsc#SLE-5911, bsc#1165580, jsc#SLE-145149 ++++ openssl-1_1: - Fix EDIPARTYNAME NULL pointer dereference (CVE-2020-1971, bsc#1179491) * add openssl-CVE-2020-1971.patch ++++ cyrus-sasl: - Remove Berkeley DB dependency (JIRA#SLE-12190) The packages cyrus-sasl and cyrus-sasl-saslauthd are built without Berkeley DB support. gdbm will be used instead of BDB. The packages cyrus-sasl-bdb and cyrus-sasl-saslauthd-bdb are built with Berkeley DB support.
- Update to 2.1.27 * Added support for OpenSSL 1.1 * Added support for lmdb * Lots of build fixes * Treat SCRAM and DIGEST-MD5 as more secure than PLAIN when selecting client mech * DIGEST-MD5 plugin: Fixed memory leaks Fixed a segfault when looking for non-existent reauth cache Prevent client from going from step 3 back to step 2 Allow cmusaslsecretDIGEST-MD5 property to be disabled * GSSAPI plugin: Added support for retrieving negotiated SSF Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF Properly compute maxbufsize AFTER security layers have been set * SCRAM plugin: Added support for SCRAM-SHA-256 * LOGIN plugin: Don’t prompt client for password until requested by server * NTLM plugin: Fixed crash due to uninitialized HMAC context - Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468) - bsc#983938 `After=syslog.target` left-overs in several unit files - added patches: fix_libpq-fe_include.diff for fixing including libpq-fe.h - removed patches obsoleted by upstream changes: * shared_link_on_ppc.patch * cyrus-sasl-2.1.27-openssl-1.1.0.patch * 0002-Drop-unused-parameter-from-gssapi_spnego_ssf.patch * 0003-Check-return-error-from-gss_wrap_size_limit.patch * 0004-Add-support-for-retrieving-the-mech_ssf.patch * 0001-Fix-GSS-SPNEGO-mechanism-s-incompatible-behavior.patch * cyrus-sasl-fix-logging-in-gssapi.patch ------------------------------------------------------------------ ------------------ 2020-12-7 - Dec 7 2020 ------------------- ------------------------------------------------------------------ ++++ curl: - Security fix: [bsc#1179593, CVE-2020-8286] * Inferior OCSP verification: libcurl offers "OCSP stapling" via the 'CURLOPT_SSL_VERIFYSTATUS' option that, when set, verifies the OCSP response that a server responds with as part of the TLS handshake. It then aborts the TLS negotiation if something is wrong with the response. The same feature can be enabled with '--cert-status' using the curl tool. 
* As part of the OCSP response verification, a client should verify that the response is indeed set out for the correct certificate. This step was not performed by libcurl when built or told to use OpenSSL as TLS backend. - Add curl-CVE-2020-8286.patch - Security fix: [bsc#1179399, CVE-2020-8285] * FTP wildcard stack overflow: The wc_statemach() internal function has been rewritten to use an ordinary loop instead of the recursive approach. - Add curl-CVE-2020-8285.patch - Security fix: [bsc#1179398, CVE-2020-8284] * Trusting FTP PASV responses: When curl performs a passive FTP transfer, it first tries the 'EPSV' command and if that is not supported, it falls back to using 'PASV'. A malicious server can use the 'PASV' response to trick curl into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed. * The IP address part of the response is now ignored by default, by making 'CURLOPT_FTP_SKIP_PASV_IP' default to '1L'. The same goes for the command line tool, which then might need '--no-ftp-skip-pasv-ip' set to prevent curl from ignoring the address in the server response. - Add curl-CVE-2020-8284.patch ++++ python3-core: - Adjust sphinx-update-removed-function.patch ++++ python3: - Adjust sphinx-update-removed-function.patch ------------------------------------------------------------------ ------------------ 2020-12-5 - Dec 5 2020 ------------------- ------------------------------------------------------------------ ++++ python3-core: - (bsc#1179630) Update sphinx-update-removed-function.patch to work with all versions of Sphinx (not binding the Python documentation build to the latest version of Sphinx). Updated version mentioned on gh#python/cpython#13236. ++++ python3: - (bsc#1179630) Update sphinx-update-removed-function.patch to work with all versions of Sphinx (not binding the Python documentation build to the latest version of Sphinx).
Updated version mentioned on gh#python/cpython#13236. ------------------------------------------------------------------ ------------------ 2020-12-4 - Dec 4 2020 ------------------- ------------------------------------------------------------------ ++++ binutils: - Add binutils-fix-relax.diff to fix linking relaxation problems with old object files hitting some enterprise software. [bsc#1179341] ++++ system-users: - Remove kvm group from hardware subpackage, since kvm is in its own subpackage (jsc#SLE-11629). ------------------------------------------------------------------ ------------------ 2020-12-3 - Dec 3 2020 ------------------- ------------------------------------------------------------------ ++++ systemd: - Import commit 9dd0c9a724a9361207ab4a9ad29d144987fb373f 450792497e sd-event: fix delays assert brain-o (#17790) 1040a19d08 udevadm: rename option '--log-priority' into '--log-level' a7b41e19bd udev: rename kernel option 'log_priority' into 'log_level' 617aed9236 scope: on unified, make sure to unwatch all PIDs once they've been moved to the cgroup scope ------------------------------------------------------------------ ------------------ 2020-12-2 - Dec 2 2020 ------------------- ------------------------------------------------------------------ ++++ audit: - Enable Aarch64 processor support. (bsc#1179515 bsc#1179806) ------------------------------------------------------------------ ------------------ 2020-12-1 - Dec 1 2020 ------------------- ------------------------------------------------------------------ ++++ aaa_base: - Add patch git-33-d12420cc66e6d26a9dff6c0e86e00de232151c82.patch * Avoid semicolon within (t)csh login script on S/390. (bsc#1179431) ++++ python3-core: - Add CVE-2020-27619-no-eval-http-content.patch fixing CVE-2020-27619 (bsc#1178009), where Lib/test/multibytecodec_support calls eval() on content retrieved via HTTP. 
- Add patch sphinx-update-removed-function.patch to no longer call a now removed function (gh#python/cpython#13236). As a consequence, no longer pin Sphinx version. ++++ python3: - Add CVE-2020-27619-no-eval-http-content.patch fixing CVE-2020-27619 (bsc#1178009), where Lib/test/multibytecodec_support calls eval() on content retrieved via HTTP. - Add patch sphinx-update-removed-function.patch to no longer call a now removed function (gh#python/cpython#13236). As a consequence, no longer pin Sphinx version. ------------------------------------------------------------------ ------------------ 2020-11-30 - Nov 30 2020 ------------------- ------------------------------------------------------------------ ++++ nodejs14: - openssl_binary_detection.patch: fixes unit tests on SLE12 ------------------------------------------------------------------ ------------------ 2020-11-28 - Nov 28 2020 ------------------- ------------------------------------------------------------------ ++++ grep: - remove deprecated texinfo macros - silence egrep,fgrep packaging warnings ------------------------------------------------------------------ ------------------ 2020-11-27 - Nov 27 2020 ------------------- ------------------------------------------------------------------ ++++ python3-core: - Pin Sphinx version to fix doc subpackage ++++ openssh: - Support /usr/etc/pam.d ++++ python3: - Pin Sphinx version to fix doc subpackage ------------------------------------------------------------------ ------------------ 2020-11-26 - Nov 26 2020 ------------------- ------------------------------------------------------------------ ++++ gcc7: - Add gcc7-aarch64-sls-miti-1.patch, gcc7-aarch64-sls-miti-2.patch, gcc7-aarch64-sls-miti-3.patch to backport aarch64 Straight Line Speculation mitigation [bsc#1172798, CVE-2020-13844] - Add gcc7-fix-retrieval-of-testnames.patch to support usage in testcases added by the above. - Enable fortran for the nvptx offload compiler. 
- Do not specify alternate offload compiler location at configure time. - Update README.First-for.SuSE.packagers - Add gcc7-pr88522.patch to avoid assembler errors with AVX512 gather and scatter instructions when using -masm=intel. - Amend gcc7-remove-Wexpansion-to-defined-from-Wextra.patch to reflect changes in option handling in the testsuite. - Add gcc7-testsuite-fixes.patch to fix PR98001 and PR98002 which are broken testcases showing with malloc debugging enabled. ++++ util-linux: - Do search /usr/sbin for mount helpers. (This drops /sbin/fs, /sbin/fs.d, which we do not use in openSUSE.) ------------------------------------------------------------------ ------------------ 2020-11-25 - Nov 25 2020 ------------------- ------------------------------------------------------------------ ++++ lvm2-device-mapper: - Update lvm2.spec file (bsc#1177533) - in %postun, disable restart blk-availability.service & lvm2-monitor.service ++++ python3-core: - Change setuptools and pip version numbers according to new wheels (bsc#1179756). - Add ignore_pip_deprec_warn.patch to switch off persistently failing test. ++++ python3: - Change setuptools and pip version numbers according to new wheels (bsc#1179756). - Add ignore_pip_deprec_warn.patch to switch off persistently failing test. ++++ sysvinit: - prepare usrmerge (boo#1029961) ------------------------------------------------------------------ ------------------ 2020-11-24 - Nov 24 2020 ------------------- ------------------------------------------------------------------ ++++ python3-core: - Replace bundled wheels for pip and setuptools with the updated ones (bsc#1176262 CVE-2019-20916). ++++ systemd: - Don't post-require systemd-default-settings-branding anymore This is actually not needed now that the branding package issues a PID1 reloading every time it's being updated. ++++ python3: - Replace bundled wheels for pip and setuptools with the updated ones (bsc#1176262 CVE-2019-20916).
------------------------------------------------------------------ ------------------ 2020-11-23 - Nov 23 2020 ------------------- ------------------------------------------------------------------ ++++ binutils: - Update binutils-2.35-branch.diff.gz to commit 1c5243df: * Fixes PR26520, aka [bsc#1179036], a problem in addr2line with certain DWARF variable descriptions. * Also fixes PR26711, PR26656, PR26655, PR26929, PR26808, PR25878, PR26740, PR26778, PR26763, PR26685, PR26699, PR26902, PR26869, PR26711 * The above includes fixes for dwo files produced by modern dwp, fixing several problems in the DWARF reader. ++++ systemd: - Import commit e139d4c9dbf6d735a624574dbd7db8f04eb93598 f8f7286527 units: restore sysfs conditions in sys-fs-fuse-connections.mount and sys-kernel-config.mount e9c7158dc7 units: wait until some fs modules are entirely loaded before mounting their corresponding filesystem (bsc#1178631) ac7ddc4201 Revert "units: skip modprobe@.service if the unit appears to be already loaded" 17310a1d19 core: serialize u->pids until the processes have been moved to the scope cgroup (bsc#1174436) 1416965614 meson: add option to skip installing to $sysconfdir ++++ nodejs14: - Update Requires: so -devel requires npm - Rely on rpmbuild to define necessary python dependencies ------------------------------------------------------------------ ------------------ 2020-11-21 - Nov 21 2020 ------------------- ------------------------------------------------------------------ ++++ c-ares: - add BR for pkg-config to get the provides in the devel package ++++ lvm2-device-mapper: - lvcreate not wiping the lvm signature without prompting with --yes parameter (bsc#1177734) + bug-1177734_raid-no-wiping-when-zeroing-raid-metadata-device.patch ------------------------------------------------------------------ ------------------ 2020-11-20 - Nov 20 2020 ------------------- ------------------------------------------------------------------ ++++ git: - only pull asciidoctor for the 
default ruby version ++++ util-linux: - prepare usrmerge (boo#1029961) ++++ systemd: - systemd-default-settings is needed by %post scriptlet - Revert the change that dropped %{release} from the package version constraints used in Requires: The release number is actually relevant since it can be increased when patches, which might touch multiple sub-packages of systemd, are added/modified. However the %{release} is still no more used in conflicts. ------------------------------------------------------------------ ------------------ 2020-11-19 - Nov 19 2020 ------------------- ------------------------------------------------------------------ ++++ gcc7: - Add gcc7-aarch64-moutline-atomics.patch to backport the aarch64 -moutline-atomics feature and accumulated fixes but not its default enabling. [jsc#SLE-12209, bsc#1167939] - Order gcc7-pr92692.patch after gcc7-aarch64-moutline-atomics.patch and refresh. ++++ c-ares: - ares_dns.h, missing_header.patch: re-add missing header in last release ++++ nodejs14: - New upstream LTS version 14.15.1: * deps: Denial of Service through DNS request (High). A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service by getting the application to resolve a DNS record with a larger number of responses (bsc#1178882, CVE-2020-8277) ++++ pam: - pam_cracklib: added code to check whether the password contains a substring of the user's name of at least characters length in some form. 
This is enabled by the new parameter "usersubstr=" See https://github.com/libpwquality/libpwquality/commit/bfef79dbe6aa525e9557bf4b0a61e6dde12749c4 [jsc#SLE-16719, jsc#SLE-16720, pam-pam_cracklib-add-usersubstr.patch] ------------------------------------------------------------------ ------------------ 2020-11-18 - Nov 18 2020 ------------------- ------------------------------------------------------------------ ++++ pam: - pam_xauth.c: do not free() a string which has been (successfully) passed to putenv(). [bsc#1177858, pam-bsc1177858-dont-free-environment-string.patch] ++++ python-pip: - Update in SLE-15 (bsc#1175297, jsc#ECO-3035, jsc#PM-2318) ------------------------------------------------------------------ ------------------ 2020-11-17 - Nov 17 2020 ------------------- ------------------------------------------------------------------ ++++ c-ares: - Version update to 1.17.0 Security: * avoid read-heap-buffer-overflow in ares_parse_soa_reply found during fuzzing * Avoid theoretical buffer overflow in RC4 loop comparison * Empty hquery->name could lead to invalid memory access * ares_parse_{a,aaaa}_reply() could return a larger *naddrttls than was passed in (bsc#1178882, CVE-2020-8277) Changes: * Update help information for adig, acountry, and ahost * Test Suite now uses dynamic system-assigned ports rather than hardcoded ports to prevent failures in containers * Detect remote DNS server does not support EDNS using rules from RFC 6891 * Source tree has been reorganized to use a more modern layout * Allow parsing of CAA Resource Record Bug fixes: * readaddrinfo bad sizeof() * Test cases should honor HAVE_WRITEV flag, not depend on WIN32 * FQDN with trailing period should be queried first * ares_getaddrinfo() was returning members of the struct as garbage values if unset, and was not honoring ai_socktype and ai_protocol hints. 
* ares_gethostbyname() with AF_UNSPEC and an ip address would fail * Properly document ares_set_local_ip4() uses host byte order For details, see https://c-ares.haxx.se/changelog.html - add missing upstream sources, to be removed for next release - remove unnecessary BuildRequires - fix building on SLE12 systems ++++ sysvinit: - Update to sysvinit 2.98: * Fixed time parsing in shutdown when there is a + in front of a 0 time offset. Commands with a positive time offset (+1) would work but +0 fails. This has been corrected by Arkadiusz Miskiewicz. ------------------------------------------------------------------ ------------------ 2020-11-16 - Nov 16 2020 ------------------- ------------------------------------------------------------------ ++++ gcc7: - Revert gcc7-pr97774.patch as it causes gdb to crash. ++++ filesystem: - /proc and /sys should be %ghost to allow filesystem package updates in rootless container environments (rh#1548403) (bsc#1146705) ------------------------------------------------------------------ ------------------ 2020-11-14 - Nov 14 2020 ------------------- ------------------------------------------------------------------ ++++ python-setuptools: - Add wheel subpackage with the generated wheel for this package (bsc#1176262, CVE-2019-20916). ------------------------------------------------------------------ ------------------ 2020-11-13 - Nov 13 2020 ------------------- ------------------------------------------------------------------ ++++ pam: - Initialize pam_unix pam_sm_acct_mgmt() local variable "daysleft" to avoid spurious (and misleading) Warning: your password will expire in ... days. 
fixed upstream with commit db6b293046a [bsc#1178727, pam-bsc1178727-initialize-daysleft.patch] ++++ system-users: - Add qemu user to kvm group ------------------------------------------------------------------ ------------------ 2020-11-12 - Nov 12 2020 ------------------- ------------------------------------------------------------------ ++++ gcc7: - Fix 32bit libgnat.so link. [bsc#1178675] - Quote %{cross_arch} consistently when comparing expansion against string in RPM %if condition. ++++ system-users: - Add system account and groups for kvm, qemu, and libvirt (jsc#SLE-11629) New files: system-group-kvm.conf, system-group-libvirt.conf, system-user-qemu.conf ------------------------------------------------------------------ ------------------ 2020-11-11 - Nov 11 2020 ------------------- ------------------------------------------------------------------ ++++ openssh: - Fix build breakage caused by missing security key objects: + Modify openssh-7.7p1-cavstest-ctr.patch. + Modify openssh-7.7p1-cavstest-kdf.patch. + Add openssh-link-with-sk.patch. - Add openssh-fips-ensure-approved-moduli.patch (bsc#1177939). This ensures only approved DH parameters are used in FIPS mode. - Add openssh-8.1p1-ed25519-use-openssl-rng.patch (bsc#1173799). This uses OpenSSL's RAND_bytes() directly instead of the internal ChaCha20-based implementation to obtain random bytes for Ed25519 curve computations. This is required for FIPS compliance. 
++++ shadow: - Amend patches/useradd-userkeleton.patch to also write into existing directories and prefer files from /etc - Add patch useradd-userkeleton.patch to extend original C code of useradd to handle /usr/etc/skel (boo#1173321) - Remove /usr/etc/skel support in useradd.local script ------------------------------------------------------------------ ------------------ 2020-11-10 - Nov 10 2020 ------------------- ------------------------------------------------------------------ ++++ gcc7: - Add gcc7-pr97535.patch to fix memcpy miscompilation on aarch64. [bsc#1178624, bsc#1178577] - Add gcc7-pr97774.patch to fix debug line info for try/catch. [bsc#1178614] ++++ systemd: - Simplify systemd-sysv-convert - the previous code incorrectly assumed that the sysv init scripts were uninstalled before %post gets executed. It therefore saved the enablement state in %pre and restored it in %post. Now all is done in %post (making --save option useless) and there's no more need to remember the enablement state. - "--save" option is a NOP but is still kept for backward compatibility. - the previous simplification made /var/lib/systemd/migrated no more used. - we do not search for units in /lib/systemd anymore, this shouldn't be needed anymore these days especially since this path was only used when systemd was introduced in openSUSE and it was never used in SLE (checked SLE12-GA). - the option --show has been dropped. It's never been used even internally. - the DB is populated only once even if the script was enabled at multiple runlevels. The runlevel info was never used. A dummy value is still added to keep the same format just in case. 
------------------------------------------------------------------ ------------------ 2020-11-9 - Nov 9 2020 ------------------- ------------------------------------------------------------------ ++++ glibc: - power10-support.patch: Add support for POWER10 (jsc#SLE-13520) - iconv-option-parsing.patch: Rewrite iconv option parsing (CVE-2016-10228, bsc#1027496, BZ #19519) ++++ krb5: - Add recursion limit for ASN.1 indefinite lengths; (CVE-2020-28196); (bsc#1178512); - Added patches: * 0010-Add-recursion-limit-for-ASN.1-indefinite-lengths.patch ++++ openldap2: - bsc#1178387 (CVE-2020-25692) - unauthenticated remote denial of service due to incorrect validation of modrdn equality rules. * patch: 0207-ITS-9370-check-for-equality-rule-on-old_rdn.patch ++++ systemd: - Import commit 7435299e24327ed202d686bf46a626b99f105870 f71a1ef5d0 systemctl: give a nice hint about org.freedesktop.LogControl1 when applicable 20a3f9fd95 systemctl: immediately reject invalid log levels 9f67d2e57b systemctl: merge log_target(), log_level(), service_log_setting() ddf7cf4872 systemctl: add service-log-{level,target} verbs 026d7d156d systemctl: list unit introspection verbs first, modification second 05fff5bd02 generator: use kmsg in system-level generators, journal otherwise ecc07954de log: normalize log target condition check d32ceea42b log: update comment 2ebad02b60 basic/virt: Detect PowerVM hypervisor (bsc#1176800) - Drop workaround in 1006-logind-keep-backward-compatibility-with-UserTasksMax.patch which consisted in forcing the generator to use kmsg. It is no more needed since commit dee29aeb5909f4f5604012ced250488286b8d468 has been backported. 
------------------------------------------------------------------ ------------------ 2020-11-8 - Nov 8 2020 ------------------- ------------------------------------------------------------------ ++++ systemd-presets-branding-openSUSE: - Fix package description mention of 'systemd-presets-common-SUSE' ------------------------------------------------------------------ ------------------ 2020-11-6 - Nov 6 2020 ------------------- ------------------------------------------------------------------ ++++ kmod: - Add usr-lib-modprobe.patch [boo#1092648] ------------------------------------------------------------------ ------------------ 2020-11-4 - Nov 4 2020 ------------------- ------------------------------------------------------------------ ++++ util-linux: - Modernize patch util-linux-sulogin4bsc1175514.patch * Try to autoconfigure broken serial lines ++++ cryptsetup: - prepare usrmerge (boo#1029961) ------------------------------------------------------------------ ------------------ 2020-11-2 - Nov 2 2020 ------------------- ------------------------------------------------------------------ ++++ shadow: - Change again useradd.local script to let it work even for system accounts and work together with SELinux (bsc#1178296) - Change patch useradd-script.patch to support the four arguments used by the useradd.local script (bsc#1178296) ++++ timezone: - Add fat.patch to generate "fat" timezone files (was default before 2020b) bsc#1178346 ------------------------------------------------------------------ ------------------ 2020-10-30 - Oct 30 2020 ------------------- ------------------------------------------------------------------ ++++ util-linux: - Add patch util-linux-sulogin4bsc1175514.patch Avoid sulogin failing on not existing or not functional console devices (bsc#1175514) ++++ perl: - Split DB_File module into a separate perl-core-DB_File package [jsc#SLE-12212] * add Recommends: perl-core-DB_File to the perl package - Fix build with newer glibc versions new 
patch: perl-saltbits.diff ------------------------------------------------------------------ ------------------ 2020-10-29 - Oct 29 2020 ------------------- ------------------------------------------------------------------ ++++ git: - git 2.29.2: "--committer-date-is-author-date" option of "rebase" and "am" subcommands lost the e-mail address by mistake in 2.29 ++++ systemd: - Move systemd-sysv-convert back from /usr/lib/systemd to /usr/sbin (bsc#1178156) SLE distros still expect the tool to be located in the old place. ++++ nodejs14: - Update to LTS version 14.15.0: (jsc#SLE-15774) * no major changes * test: reverts marking test-webcrypto-encrypt-decrypt-aes flaky ------------------------------------------------------------------ ------------------ 2020-10-23 - Oct 23 2020 ------------------- ------------------------------------------------------------------ ++++ git: - git 2.29.1: * build system fixes for non-default installations (not affecting this package) ++++ systemd: - Fix paths of udev rule files in 1004-udev-don-t-create-by-partlabel-primary-and-.-logical.patch and 1005-udev-optionally-disable-the-generation-of-the-partla.patch (bsc#1178023) - No more need to clean the journal-upload stuff with --without=journal_remote Since -Dremote build option has been introduced with meson, this workaround is no more needed. - Move journal-{remote,upload}.conf.5.gz man pages into systemd-journal_remote sub package - Explicitly list files in /usr/lib/sysusers.d shipped by the main package Currently only one config file is shipped in this directory and we want to check any new files that may be added in the future. - Use %{_modulesloaddir}, %{_environmentdir} and %{_modprobedir} wherever appropriate - Do not include %{release} in a few places where we explicitly mention package versions It's usually not a good idea especially when used with conflicts. 
------------------------------------------------------------------ ------------------ 2020-10-22 - Oct 22 2020 ------------------- ------------------------------------------------------------------ ++++ systemd: - Rely on systemd-default-settings for overriding system default settings (bsc#1172517) The new branding packages now ship the drop-ins to customize systemd either for an openSUSE or a SLE distro. - Remove mq-deadline selection from 60-io-scheduler.rules (bsc#1177490) ++++ timezone: - timezone update 2020d (bsc#1177460) * Palestine ends DST earlier than predicted, on 2020-10-24. ------------------------------------------------------------------ ------------------ 2020-10-20 - Oct 20 2020 ------------------- ------------------------------------------------------------------ ++++ findutils: - The following patch was provided by Jie GONG - fts-dont-unconditionally-use-leaf-optimization-for-nfs.patch (bsc#1174232) fts: don't unconditionally use leaf optimization for NFS NFS st_nlink are not accurate on all implementations, leading to aborts() if that assumption is made. See * lib/fts.c (leaf_optimization_applies): Remove NFS from the white list, and document the issue. 
++++ nodejs14: - Use SLE OpenSSL version with 12-SP4+, and not just 12-SP5+ - Bump minimum ICU version to 65 ------------------------------------------------------------------ ------------------ 2020-10-19 - Oct 19 2020 ------------------- ------------------------------------------------------------------ ++++ git: - git 2.29.0: * The transport protocol v2 has become the default again * "git worktree" gained a "repair" subcommand, "git init --separate-git-dir" no longer corrupts administrative data related to linked worktrees * "git maintenance" introduced for repository maintenance tasks * enhancements to multiple workflows, addition of configuration options and supported parameters, and bug fixes ++++ timezone: - timezone update 2020c (bsc#1177460) * Fiji starts DST later than usual, on 2020-12-20. ------------------------------------------------------------------ ------------------ 2020-10-17 - Oct 17 2020 ------------------- ------------------------------------------------------------------ ++++ libapparmor: - update to AppArmor 2.13.5 - fix two potential build failures - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_2.13.5 for the detailed upstream changelog - add libapparmor-so-number.diff to fix libapparmor so version (!658) ------------------------------------------------------------------ ------------------ 2020-10-16 - Oct 16 2020 ------------------- ------------------------------------------------------------------ ++++ coreutils: - prepare usrmerge (boo#1029961) ++++ kmod: - prepare usrmerge (boo#1029961) ++++ nodejs14: - Update to version 14.14.0: * fs: add rm method * http: allow passing array of key/val into writeHead * src: expose v8::Isolate setup callbacks - sle12_python3_compat.patch: refreshed ------------------------------------------------------------------ ------------------ 2020-10-15 - Oct 15 2020 ------------------- ------------------------------------------------------------------ ++++ pam: - /usr/bin/xauth chokes on the 
old user's $HOME being on an NFS file system. Run /usr/bin/xauth using the old user's uid/gid Patch courtesy of Dr. Werner Fink. [bsc#1174593, pam-xauth_ownership.patch] ------------------------------------------------------------------ ------------------ 2020-10-13 - Oct 13 2020 ------------------- ------------------------------------------------------------------ ++++ python3-core: - Handful of changes to make python36 compatible with SLE15 and SLE12 (jsc#ECO-2799, jsc#SLE-13738) - Rebase bpo23395-PyErr_SetInterrupt-signal.patch ++++ python3: - Handful of changes to make python36 compatible with SLE15 and SLE12 (jsc#ECO-2799, jsc#SLE-13738) - Rebase bpo23395-PyErr_SetInterrupt-signal.patch ------------------------------------------------------------------ ------------------ 2020-10-12 - Oct 12 2020 ------------------- ------------------------------------------------------------------ ++++ binutils: - Reapply spec file cleanup from format_spec_file - Remove a SLE10 version check ++++ lvm2-device-mapper: - Update lvm2.spec file (bsc#1174336) - enable lvmlockd remote refresh using libdlmcontrol - update libdlm dependency relationship ++++ systemd: - Make systemd-mini-container conflict with systemd-mini-container-mini systemd-mini-container-mini was the old name used by older versions. ------------------------------------------------------------------ ------------------ 2020-10-9 - Oct 9 2020 ------------------- ------------------------------------------------------------------ ++++ python3-core: - Fix build with RPM 4.16: error: bare words are no longer supported, please use "...": x86 == ppc. - Fix installing .desktop file ++++ python3: - Fix build with RPM 4.16: error: bare words are no longer supported, please use "...": x86 == ppc. 
- Fix installing .desktop file ++++ shadow: - Add support for /usr/etc/skel to useradd.local script (boo#1173321) ------------------------------------------------------------------ ------------------ 2020-10-8 - Oct 8 2020 ------------------- ------------------------------------------------------------------ ++++ openssl-1_1: - Restore private key check in EC_KEY_check_key [bsc#1177479] * Update openssl-DH.patch ++++ nodejs14: - Update to version 14.13.1: * fs: rmdir recursive is no longer considered experimental - fix_ci_tests.patch: add support to SUSE's ECDH backport errors in SLE's openssl ++++ openssh: - Work around %service_add_post disabling sshd on upgrade with package name change (bsc#1177039). ++++ shadow: - shadow-login_defs-check.sh: Fix the regexp to get a real variable list (boo#1164274). ++++ timezone: - timezone update 2020b (bsc#1177460) * Revised predictions for Morocco's changes starting in 2023. * Canada's Yukon changes to -07 on 2020-11-01, not 2020-03-08. * Macquarie Island has stayed in sync with Tasmania since 2011. * Casey, Antarctica is at +08 in winter and +11 in summer. * zic no longer supports -y, nor the TYPE field of Rules. 
- Rebased timezone-2018f-bsc1112310.patch ------------------------------------------------------------------ ------------------ 2020-10-6 - Oct 6 2020 ------------------- ------------------------------------------------------------------ ++++ nodejs14: - Update to version 14.13.0: * deps: upgrade to libuv 1.40.0 #35333 * module: named exports for CJS via static analysis #35249 * module: exports pattern support #34718 * src: allow N-API addon in AddLinkedBinding() ------------------------------------------------------------------ ------------------ 2020-10-2 - Oct 2 2020 ------------------- ------------------------------------------------------------------ ++++ systemd: - tmpfiles: drop entries importing files from /usr/share/factory (bsc#1170146) ------------------------------------------------------------------ ------------------ 2020-9-25 - Sep 25 2020 ------------------- ------------------------------------------------------------------ ++++ python3-core: - Buildrequire timezone only for general flavor. It's used in this flavor for the test suite. ++++ openssh: - Fix fillup-template usage: + %post server needs to reference ssh (not sshd), which matches the sysconfig.ssh file name the package ships. + %post client does not need any fillup_ calls, as there is no client-relevant sysconfig file present. The naming of the sysconfig file (ssh instead of sshd) is unfortunate. - Use of DISABLE_RESTART_ON_UPDATE is deprecated. Replace it with %service_del_postun_without_restart ++++ python3: - Buildrequire timezone only for general flavor. It's used in this flavor for the test suite. 
------------------------------------------------------------------ ------------------ 2020-9-24 - Sep 24 2020 ------------------- ------------------------------------------------------------------ ++++ nodejs14: - Update to version 14.12.0: * n-api: + create N-API version 7 + add more property defaults - Changes since version 14.9.0 * deps: + update llhttp to 2.1.2 (bsc#1176605, CVE-2020-8201) + http: add requestTimeout. Fixes Denial of Service by resource exhaustion due to unfinished HTTP/1.1 requests (bsc#1176604, CVE-2020-8251) + buffer: also alias BigUInt methods + crypto: add randomInt function + perf_hooks: add idleTime and event loop util + stream: simpler and faster Readable async iterator + stream: save error in state ------------------------------------------------------------------ ------------------ 2020-9-21 - Sep 21 2020 ------------------- ------------------------------------------------------------------ ++++ binutils: - Update to 2.35.1 and rebased branch diff: * This is a point release over the previous 2.35 version, containing bug fixes, and as an exception to the usual rule, one new feature. The new feature is the support for a new directive in the assembler: ".nop". This directive creates a single no-op instruction in whatever encoding is correct for the target architecture. Unlike the .space or .fill this is a real instruction, and it does affect the generation of DWARF line number tables, should they be enabled. ++++ systemd: - SLEtify commit 2ac606cb508dc30a27aa539bcc18b4bb07f87a71 (jsc#SLE-16318) This forward port most of the SLE stuff from SLE15-SP2 to this Factory snapshot making this version good enough for starting testing the version that will be shipped in SLE15-SP3. 
Add 1000-logind-disable-RemoveIPC-by-default.patch Add 1001-journald-turn-ForwardToSyslog-on-by-default.patch (bsc#1065301) Add 1002-udev-add-option-to-generate-old-buggy-SCSI-serials.patch Add 1003-logind-store-a-timestamp-when-the-ACPI-power-button-.patch (bsc#981830 bsc#888612 bsc#1072933) Add 1004-udev-don-t-create-by-partlabel-primary-and-.-logical.patch Add 1005-udev-optionally-disable-the-generation-of-the-partla.patch (bsc#1089761) Add 1006-logind-keep-backward-compatibility-with-UserTasksMax.patch Add 1007-tmpfiles-follow-SUSE-policies.patch Add 1008-Restore-support-for-halt.local.patch Add 60-io-scheduler.rules (bsc#1165579 bsc#1164717) Add 80-acpi-container-hotplug.rules (bsc#1082485 bsc#1040800 bsc#1078358 bsc#1081170 bsc#1075743) Add 80-hotplug-cpu-mem.rules (bsc#1076696 bsc#1127557) Add 99-wakeup-from-idle.rules merge compats/persistent-nic-names (bsc#1061883 bsc#1083158) merge compats/udev-compat-symlinks networkd is kept enabled as it's shipped in Leap distros (bsc#1071311) Remove TasksMax limit for both user and system slices (jsc#SLE-10123). 
This is implemented by means of 2 drop-ins shipped in system.conf.d/ and user-.slice.d/ ------------------------------------------------------------------ ------------------ 2020-9-18 - Sep 18 2020 ------------------- ------------------------------------------------------------------ ++++ gcc7: - Remove -mbranch-protection=standard (aarch64 flag) when gcc7 is used to build gcc7 (ie when ada is enabled) ++++ file: - Add patchfix_of_backport_PR-62.patch as previous backport caused a shortened output of the elf interpreter (bsc#1176123) ------------------------------------------------------------------ ------------------ 2020-9-17 - Sep 17 2020 ------------------- ------------------------------------------------------------------ ++++ systemd: - Import a pristine copy of Factory which will serve as a new base for SLE15-SP3 (osc copypac from project:Base:System package:systemd revision:1120, using expand, using client side copy) - Remove dangling symlink /usr/lib/systemd/system/sockets.target.wants/systemd-journald-audit.socket Otherwise the build system complains. - Import commit 1cab0d44584687ace92d1df30eadf264231e3b65 (include v246.5) 304ec2c7ab fstab-generator: add 'nofail' when NFS 'bg' option is used (bsc#1176513) 6ae277fb37 test: adapt TEST-21-SYSUSERS for SUSE acd8bfd2cc test: adapt TEST-13-NSPAWN-SMOKE for SUSE [...] For a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/a4e393eecb9dbe140a6c7d57419c291d786155cf...1cab0d44584687ace92d1df30eadf264231e3b65 ++++ openssh: - Move some Requires to the right subpackage. - Avoid ">&" bashism in %post. - Upgrade some old specfile constructs/macros and drop unnecessary %{?systemd_*}. - Trim descriptions and straighten out the grammar. 
------------------------------------------------------------------ ------------------ 2020-9-16 - Sep 16 2020 ------------------- ------------------------------------------------------------------ ++++ bash: - Move /bin/bash to /usr/bin/bash and provide old location as symbolic link of new location (jsc#SLE-15652) - Remove minimal sh build option as not used ++++ util-linux: - Fix default permissions of wall and write. - Update to version 2.36: * blkdiscard(8) refuses to proceed if filesystem or RAID signatures are found in interactive mode (executed on a terminal). The option --force is required to discard the data. * new commands irqtop(1) and lsirq(1) to monitor kernel interrupts. * cal(1) provides a new --vertical command line option. * blkzone(8) implements open/close/finish commands now. * unshare(1) and nsenter(1) commands support the time namespace now. * agetty(8) now supports multiple paths in the option --issue-file. * fdisk(8), sfdisk(8), cfdisk(8), mkswap(8) and wipefs(8) now support block devices locking by flock(2), new command line option --lock and $LOCK_BLOCK_DEVICE environmental variable. * dmesg(1) new command line option --follow-new to wait and print only new kernel messages. * fdisk(8) new command line option --list-details and --noauto-pt. * fdisk(8) and sfdisk(8) support user-friendly aliases for partition types. * fstrim(8) supports new command line option --listed-in. * libfdisk provides API to relocate GPT backup header. New command line option "sfdisk --relocate". * mount(8) now supports mount by ID= tag. * login(1) supports list of "message of the day". * All tools which read /etc/login.defs can now be compiled with libeconf. * more(1) has been refactored. * man pages cleanup * other fixes and improvements, see: https://mirrors.edge.kernel.org/pub/linux/utils/util-linux/v2.36/v2.36-ReleaseNotes - Refresh Add-documentation-on-blacklisted-modules-to-mount-8-.patch. 
- Drop upstreamed libeconf.patch, libmount-Avoid-triggering-autofs-in-lookup_umount_fs.patch. - util-linux-login_defs-check.sh: Perform all steps to integrate MOTD_FIRSTONLY. - Update baselibs.conf. ++++ systemd: - Drop 0001-udev-temporarly-restore-the-creation-a-few-symlinks-.patch linuxrc has already been fixed. - Add 0001-udev-temporarly-restore-the-creation-a-few-symlinks-.patch A temporary patch until the installer environment is updated to create some of the symlinks that udevd used to create during its startup but now udevd relies on the init system to do so. ------------------------------------------------------------------ ------------------ 2020-9-15 - Sep 15 2020 ------------------- ------------------------------------------------------------------ ++++ binutils: - Update binutils-2.35-branch.diff.gz to commit 23f268a0: * Add xBPF target * Fix various problems with DWARF 5 support in gas - Toolchain module update for SLE15 [jsc#ECO-2373] - Includes changes that were SLE-only in binutils-add-z15-name.diff for [bsc#1160590, jsc#SLE-7903 aka jsc#SLE-7464] - Amend binutils-revert-plt32-in-branches.diff to adjust also new testcases. ------------------------------------------------------------------ ------------------ 2020-9-11 - Sep 11 2020 ------------------- ------------------------------------------------------------------ ++++ c-ares: - simplify conditions bit to make it a tad more readable ------------------------------------------------------------------ ------------------ 2020-9-10 - Sep 10 2020 ------------------- ------------------------------------------------------------------ ++++ c-ares: - Implement multibuild specfile to split out tests into its own flavor; this way we can build and run tests, which require static lib, as well as avoid packaging the latter without issues with the installed cmake file. 
++++ systemd: - Rework how we prevent journald from both enabling auditd and recording audit messages journald.conf gained a new setting Audit= to control whether journald enables audit during the boot process. So let's use it and make sure it's disabled by default by shipping a drop-in that overrides upstream default. Also we used to patch systemd to prevent journald from reading the audit messages. There's still no way for downstream to configure that properly (we would need to mask systemd-journald-audit.socket meaning shipping a symlink in /etc) but I think dropping systemd-journald-audit.socket from the package is a nicer way to do that as some users might choose to reenable this setting (by reintroducing the socket unit in /etc). - Enable audit support (bsc#1175883) Enabling audit support in systemd will only make PID1 (and some of its services) to generate some audit records for certain events. But it doesn't affect journald, which has been prevented from recording audit messages in the journal (SUSE specific behavior). ++++ openssh: - Split openssh package into openssh, openssh-common, openssh-server and openssh-clients. This allows for the ssh clients to be installed without the server component (bsc#1176434). ------------------------------------------------------------------ ------------------ 2020-9-9 - Sep 9 2020 ------------------- ------------------------------------------------------------------ ++++ aaa_base: - Add patch git-21-0064ecd132c30a939125acbc5b9a1c7bcd180fa0.patch * add screen.xterm-256color to DIR_COLORS - Add patch git-22-f5e90d70d119b6aa12d019947029f9337aec378d.patch * check for Packages.db and use this instead of Packages (boo#1171762) - Add patch git-23-8f1fe28287466235ade9c62fa5995eba9e642660.patch * Rename path() to _path() to avoid using a general name. 
- Add patch git-24-2de52ae391e2963eb1913183a6b0530c7e781b55.patch * DIR_COLORS add TERM rxvt-unicode-256color (bug#1006973) - Add patch git-25-287cf7cb851c0636fa46a610015d2d22ad36acea.patch * sort TERM entries in etc/DIR_COLORS - Add patch git-26-0c2f2340cc6ebb51f20b36e550adc517a6b2ae42.patch * DIR_COLORS: merge TERM entries with list from (bug#1006973) - Add patch git-27-abf7927eebbd4d7f47a362d49ae7856520682c49.patch * refresh_initrd call modprobe as /sbin/modprobe (bug#1011548) - Add patch git-28-3351bcc9613ba022503103e7e4ffd01e7bd8e0fd.patch * etc/profile add some missing ;; in case esac statements - Add patch git-29-5220a5f6ba250503ccda326e65ca069d245a5ebe.patch * profile and csh.login: on s390x set TERM to dumb on serial console for sclp_line0 and ttyS0 console (bug#1153946) - Add patch git-30-b9dd70f33a124556f16dbbafc89585a82218ad61.patch * backup-rpmdb: exit if zypp.pid is there and running (bug#1161239) - Add patch git-31-52dc403d54f2c926ee5cc892d1a8a830a45d7412.patch * also add color alias for ip command, jira#sle-9880, bsc#1153943 - Add patch git-32-0ee79834ea9ebf6573a7b903f374c21e53a56c14.patch * alias.bash check if ip command knows color=auto (jsc#SLE-7679) ++++ python-pip: - add pypa-pip-issue-6413-fix.patch * addresses CVE-2019-20916 (bsc#1176262, SOC-11388) * backport of download.py changes from https://github.com/pypa/pip/issues/6413 fix ------------------------------------------------------------------ ------------------ 2020-9-8 - Sep 8 2020 ------------------- ------------------------------------------------------------------ ++++ openssl-1_1: - Add shared secret KAT to FIPS DH selftest [bsc#1175844] * add openssl-fips-DH_selftest_shared_secret_KAT.patch ++++ shadow: - login.defs: Add support for new util-linux-2.36 login variable MOTD_FIRSTONLY (shadow-util-linux.patch). - shadow-login_defs-comments.patch: Remove duplicated LASTLOG_UID_MAX. - shadow-login_defs-check.sh: Update for new build system. 
- shadow-util-linux.patch: Restore lost chunk: SYSLOG_SU_ENAB is not used in SUSE Linux. - Refresh shadow-login_defs-suse.patch and shadow-login_defs-comments.patch. ------------------------------------------------------------------ ------------------ 2020-9-4 - Sep 4 2020 ------------------- ------------------------------------------------------------------ ++++ filesystem: - Split /var/tmp out of fs-var.conf, new file is fs-var-tmp.conf. Allows overriding the config to add cleanup options of /var/tmp [bsc#1078466] - Create fs-tmp.conf to clean up /tmp regularly (required with tmpfs) [bsc#1175519] - Fix bug about missing group in tmpfiles.d files - Generic cleanup: - Remove /usr/local/games ++++ cryptsetup: - Update to 2.3.4: * Fix a possible out-of-bounds memory write while validating LUKS2 data segments metadata (CVE-2020-14382, boo#1176128). * Ignore reported optimal IO size if not aligned to minimal page size. * Added support for new no_read/write_workqueue dm-crypt options (kernel 5.9). * Added support for panic_on_corruption option for dm-verity devices (kernel 5.9). * Support --master-key-file option for online LUKS2 reencryption * Always return EEXIST error code if a device already exists. * Fix a problem in integritysetup if a hash algorithm has dash in the name. * Fix crypto backend to properly handle ECB mode. * TrueCrypt/VeraCrypt compatible mode now supports the activation of devices with a larger sector. * LUKS2: Do not create excessively large headers. * Fix unspecified sector size for BitLocker compatible mode. * Fix reading key data size in metadata for BitLocker compatible mode.
------------------------------------------------------------------ ------------------ 2020-9-2 - Sep 2 2020 ------------------- ------------------------------------------------------------------ ++++ glibc: - Update to glibc 2.31 - glibc-2.14-crypt.diff, crypt_blowfish-const.patch, crypt_blowfish-1.2-sha.diff, crypt_blowfish-gensalt.patch, crypt_blowfish-1.2-hack_around_arm.diff, glibc-nodate.patch, powerpc-elision-enable-envvar.patch, s390-elision-enable-envvar.patch, crt-nocompress-debug-sections.patch, resolv-context-leak.patch, dl-runtime-resolve-opt-avx512f.patch, libpthread-compat-wrappers.patch, math-c++-compat.patch, remove-nss-nis-compat.patch, eh-frame-zero-terminator.patch, ld-so-hwcap-x86-64.patch, assert-pedantic.patch, getaddrinfo-errno.patch, resolv-conf-oom.patch, dynarray-allocation.patch, nearbyint-inexact.patch, nss-compat.patch, nscd-libnsl.patch, malloc-tcache-leak.patch, falkor-memcpy-memmove.patch, aarch64-cpu-features.patch, nss-files-large-buffers.patch, sysconf-uio-maxiov.patch, glob-tilde-overflow.patch, dl-runtime-resolve-xsave.patch, spawni-assert.patch, x86-64-dl-platform.patch, glob64-s390.patch, tst-tlsopt-powerpc.patch, powerpc-hwcap-bits.patch, malloc-tcache-check-overflow.patch, dl-init-paths-overflow.patch, fillin-rpath-empty-tokens.patch, getcwd-absolute.patch, memalign-overflow.patch, stack-guard-size-accounting.patch, libgcc-rtld-now.patch, res-send-enomem.patch, glibc-fix-avx512-mempcpy.patch, i386-memmove-sse2-unaligned.patch, realpath-ssize-max-overflow.patch, localtime-2039.patch, math-remove-slow-path.patch, aarch64-hwcap-atomics.patch, glibc-fix-aarch64-build.diff, absolute-symbols.patch, x86-haswell-string-flags.patch, pthread-cond-broadcast-waiters-after-spinning.patch, mman-map-sync.patch, mman-linux-map-shared-validate.patch, nptl-setxid-error.patch, pthread-mutex-trylock-barrier.patch, getaddrinfo-parse-ipv4-address.patch, japanese-era-name-may-2019.patch, force-elision-race.patch, regex-read-overrun.patch, 
regex-parse-reg-exp.patch, 0001-S390-Add-configure-check-to-detect-z10-as-mininum-ar.patch, 0002-S390-Use-hwcap-instead-of-dl_hwcap-in-ifunc-resolver.patch, 0003-S390-Unify-31-64bit-memcpy.patch, 0004-S390-Refactor-memcpy-mempcpy-ifunc-handling.patch, 0005-S390-Remove-s390-specific-implementation-of-bcopy.patch, 0006-S390-Use-memcpy-for-forward-cases-in-memmove.patch, 0007-S390-Add-configure-check-to-detect-z13-as-mininum-ar.patch, 0008-S390-Add-z13-memmove-ifunc-variant.patch, 0009-S390-Add-z13-strstr-ifunc-variant.patch, 0010-S390-Add-z13-memmem-ifunc-variant.patch, 0011-S390-Cleanup-ifunc-resolve.h.patch, 0012-S390-Mark-vx-and-vxe-as-important-hwcap.patch, 0013-S390-Add-new-hwcap-values-for-new-cpu-architecture-a.patch, 0014-S390-Add-configure-check-to-detect-support-for-arch1.patch, 0015-S390-Add-arch13-memmove-ifunc-variant.patch, 0016-S390-Add-arch13-strstr-ifunc-variant.patch, 0017-S390-Add-arch13-memmem-ifunc-variant.patch, prefer-map-32bit-exec.patch, s390-strstr-page-boundary.patch, ppc-tle-htm-nosc.patch, posix-Add-internal-symbols-for-posix_spawn-interface.patch, glibc-2.29-posix-Use-posix_spawn-on-popen.patch, backtrace-powerpc.patch, pthread-rwlock-pwn.patch, manual-memory-protection.patch, ldbl-96-rem-pio2l.patch, dl-sort-maps.patch, dlopen-filter-object.patch, glob-use-after-free.patch, nptl-setxid-race.patch, nscd-senfile.patch, ldd-system-interp.patch, abort-no-flush.patch, fnmatch-collating-elements.patch, nss-files-long-lines-2.patch, iconv-reset-input-buffer.patch, nscd-prune.patch, syslog-locking.patch: Removed. - long-double-alias.patch, glibc-nsswitch-usr.diff, euc-kr-overrun.patch, riscv-syscall-clobber.patch, nscd-gc-cycle.patch: Added. ++++ python3-core: - Add faulthandler_stack_overflow_on_GCC10.patch to make build working even with GCC10 (bpo#38965). ++++ systemd: - Upgrade to v246.4 (commit f1344d5b7f31e98aedb01e606f41d74d3caaf446) See https://github.com/openSUSE/systemd/blob/SUSE/v246/NEWS for details. 
Now that the number of SUSE specific patches has been shrunk and is pretty low (12 at the time of this writing), they are no longer tracked by the git repo and are now handled at the package level. Hence it is easier to maintain and identify them. This effectively means that SUSE/v246 will contain upstream commits only. Added 0001-restore-var-run-and-var-lock-bind-mount-if-they-aren.patch Added 0002-rc-local-fix-ordering-startup-for-etc-init.d-boot.lo.patch Added 0003-strip-the-domain-part-from-etc-hostname-when-setting.patch Added 0004-tmpfiles-support-exclude-statements-based-on-file-ow.patch Added 0005-udev-create-default-symlinks-for-primary-cd_dvd-driv.patch Added 0006-sysv-generator-add-back-support-for-SysV-scripts-for.patch Added 0007-networkd-make-network.service-an-alias-of-systemd-ne.patch Added 0008-sysv-generator-translate-Required-Start-into-a-Wants.patch Added 0009-pid1-handle-console-specificities-weirdness-for-s390.patch Added 0010-journald-disable-audit-support-completely-from-the-j.patch Added 0011-core-disable-session-keyring-per-system-sevice-entir.patch Added 0012-resolved-create-etc-resolv.conf-symlink-at-runtime.patch ++++ nodejs14: - old_icu.patch: re-add support for ICU 65 from SLE15 SP2 - fix_ci_tests.patch: move debug symbol strip for testing to the Makefile ++++ python3: - Add faulthandler_stack_overflow_on_GCC10.patch to make build working even with GCC10 (bpo#38965).
------------------------------------------------------------------ ------------------ 2020-9-1 - Sep 1 2020 ------------------- ------------------------------------------------------------------ ++++ python3-core: - Just cleanup and reordering items to synchronize with python38 ++++ python3: - Just cleanup and reordering items to synchronize with python38 ------------------------------------------------------------------ ------------------ 2020-8-31 - Aug 31 2020 ------------------- ------------------------------------------------------------------ ++++ coreutils: - gnulib-test-avoid-FP-perror-strerror.patch: Add patch to avoid false-positive error in gnulib tests 'test-perror2' and 'test-strerror_r', visible on armv7l. - coreutils.spec: Reference the patch. ++++ python3-core: - Format with spec-cleaner ++++ python3: - Format with spec-cleaner ------------------------------------------------------------------ ------------------ 2020-8-28 - Aug 28 2020 ------------------- ------------------------------------------------------------------ ++++ zlib: - Add patch to fix compression level switching bsc#1175811 bsc#1175830 bsc#1175831 * zlib-compression-switching.patch ++++ nodejs14: - Update to version 14.9.0: * build: set --v8-enable-object-print by default (Mary Marchini) #34705 * deps: + upgrade to libuv 1.39.0 (cjihrig) #34915 + upgrade npm to 6.14.8 (Ruy Adorno) #34834 + V8: cherry-pick e06ace6b5cdb (Anna Henningsen) #34673 * n-api: handle weak no-finalizer refs correctly (Gabriel Schulhof) #34839 * tools: add debug entitlements for macOS 10.15+ (Gabriele Greco) #34378 - Changes in version 14.8.0: * async_hooks: add AsyncResource.bind utility (James M Snell) #34574 * deps: update to uvwasi 0.0.10 (Colin Ihrig) #34623 * module: unflag Top-Level Await (Myles Borins) #34558 * n-api: support type-tagging objects (Gabriel Schulhof) #28237 * n-api,src: provide asynchronous cleanup hooks (Anna Henningsen) #34572 - versioned.patch: refreshed - linker_lto_jobs.patch: 
refreshed ------------------------------------------------------------------ ------------------ 2020-8-27 - Aug 27 2020 ------------------- ------------------------------------------------------------------ ++++ openssl-1_1: - Include ECDH/DH Requirements from SP800-56Arev3 [bsc#1175844, bsc#1173470] - Add patches: * openssl-DH.patch * openssl-kdf-selftest.patch * openssl-kdf-tls-selftest.patch * openssl-kdf-ssh-selftest.patch ++++ systemd: - Adjust %pre and %post for the restoration of upstream tmp.mount (boo#1175779) ++++ zlib: - Set -DDFLTCC_LEVEL_MASK=0x7e on s390/s390x jsc#13776 ------------------------------------------------------------------ ------------------ 2020-8-26 - Aug 26 2020 ------------------- ------------------------------------------------------------------ ++++ openldap2: - bsc#1175568 CVE-2020-8027 openldap_update_modules_path.sh has a number of issues in its design that lead to security issues. This file has been removed from the package, and the %post execution of the install. The function is replaced by /usr/sbin/slapd-ldif-update-crc and /usr/lib/openldap/fixup-modulepath, through the addition of the source files: * fixup-modulepath.sh * slapd-ldif-update-crc.sh * update-crc.sh ++++ systemd: - Import commit a4e393eecb9dbe140a6c7d57419c291d786155cf d8e3bd4e22 Revert "core: don't send SIGKILL to user@.service immediatly during shutdown" ++++ systemd-presets-common-SUSE: - Enable btrfsmaintenance-refresh.path and disable btrfsmaintenance-refresh.service to avoid needless refresh on boot (boo#1165780) ++++ sysvinit: - Drop /bin/pidof and /sbin/pidof, including corresponding man page: let's switch to pidof as provided by procps-ng. ------------------------------------------------------------------ ------------------ 2020-8-25 - Aug 25 2020 ------------------- ------------------------------------------------------------------ ++++ gcc10: - Update to gcc-10 branch head (c0746a1beb1ba073c7981eb09f), git583.
* Fixes ABI breakage for as-base CDTORs of final classes. [gcc#95428] ++++ systemd: - Drop requirement on 'sysvinit-tools' It was used to work around bug #886599 by explicitly calling vhangup(8) from getty@.service so when this service was stopped a virtually hangup on the specified terminal when were stopped to give the shell a few seconds to save its history. But this workaround was dropped since it had no effect (SLE12-GM was released with it but was still suffering from the bug) and was replaced by commit e9db43d5910717a108, which was released from v226 and backported to SLE12/SLE12-SP1. ++++ sysvinit: - Update to sysvinit 2.97: * Check $(ROOT) filesystem for libcrypt instead of a hardcoded path to /usr. * Code clean-up and making sure we avoid freeing unused memory. * Added shell script which converts systemd unit files into init.d style scripts. * Allow init to load configuration data from files stored in /etc/inittab.d/ * Allow shutdown time to be specified in the format +hh:mm. This is in addition to the existing formats such as hh:mm, +m, and "now". * Fixed typos in manual pages. - Update startpar to 0.65: + Make sure startpar testsuite can find insserv executable in /usr/sbin or /sbin. + Added PREFIX variable to Makefile and testsuite to make location of startpar and insserv more flexible. - Rebase sysvinit-2.90.dif. - Drop SCVER defines: not used in any place. - Drop startpar-sysmacros.patch: fixed upstream. ------------------------------------------------------------------ ------------------ 2020-8-24 - Aug 24 2020 ------------------- ------------------------------------------------------------------ ++++ gcc10: - Update to gcc-10 branch head (d523b5201cce1796717a8ca669), git580. * Includes gcc10-streamer-backports1.patch and gcc10-streamer-backports2.patch. * Includes fixes for LTO ICE [bsc#1175168] and aarch64 128bit CAS miscompilation [bsc#1174753].
------------------------------------------------------------------ ------------------ 2020-8-21 - Aug 21 2020 ------------------- ------------------------------------------------------------------ ++++ lvm2-device-mapper: - LVM failing to activate hot spare on surprise removal (bsc#1175110) + bug-1175110_dmeventd-avoid-bail-out-preventing-repair-in-raid-pl.patch - change lvm2.spec source URL - lvm2.spec ++++ openldap2: - bsc#1174154 - CVE-2020-15719 - This resolves an issue with x509 SAN's falling back to CN validation in violation of rfc6125. * 0206-openldap-tlso-use-openssl-api-to-verify-host.patch ++++ python3-core: - riscv64-support.patch: bpo-33377: add triplets for mips-r6 and riscv (#6655) - riscv64-ctypes.patch: bpo-35847: RISC-V needs CTYPES_PASS_BY_REF_HACK (GH-11694) - Update list of tests to exclude under qemu linux-user ++++ python3: - riscv64-support.patch: bpo-33377: add triplets for mips-r6 and riscv (#6655) - riscv64-ctypes.patch: bpo-35847: RISC-V needs CTYPES_PASS_BY_REF_HACK (GH-11694) - Update list of tests to exclude under qemu linux-user ++++ system-users: - Don't add group nogroup to user nobody, as many daemons misuse 'nogroup' as own group ------------------------------------------------------------------ ------------------ 2020-8-20 - Aug 20 2020 ------------------- ------------------------------------------------------------------ ++++ python3-core: - Update the python keyring - Correct libpython name - Drop patches which are not mentioned in spec: * CVE-2019-5010-null-defer-x509-cert-DOS.patch * F00102-lib64.patch * F00251-change-user-install-location.patch * OBS_dev-shm.patch * SUSE-FEDORA-multilib.patch * bpo-31046_ensurepip_honours_prefix.patch * bpo34022-stop_hash-based_invalidation_w_SOURCE_DATE_EPOCH.patch * bpo36302-sort-module-sources.patch * bpo40784-Fix-sqlite3-deterministic-test.patch * bsc1167501-invalid-alignment.patch * python3-imp-returntype.patch - Working around missing python-packaging dependency in python-Sphinx 
(bsc#1174571) is not necessary anymore. ++++ systemd: - Import commit 6d6d92930acad63f9b9029c305a672c32c550d2d (include merge of v245.7) 797ad47d3e vconsole-setup: downgrade log message when setting font fails on dummy console (bsc#1172195 bsc#1173539) [...] For a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/b12cd8b89b4bccfcf972b47153a2b01cd7775932...6d6d92930acad63f9b9029c305a672c32c550d2d - Drop 0001-Revert-job-Don-t-mark-as-redundant-if-deps-are-relev.patch Upstream finally reverted it and it's part of both v245.7 and master. ++++ python3: - Update the python keyring - Correct libpython name - Drop patches which are not mentioned in spec: * CVE-2019-5010-null-defer-x509-cert-DOS.patch * F00102-lib64.patch * F00251-change-user-install-location.patch * OBS_dev-shm.patch * SUSE-FEDORA-multilib.patch * bpo-31046_ensurepip_honours_prefix.patch * bpo34022-stop_hash-based_invalidation_w_SOURCE_DATE_EPOCH.patch * bpo36302-sort-module-sources.patch * bpo40784-Fix-sqlite3-deterministic-test.patch * bsc1167501-invalid-alignment.patch * python3-imp-returntype.patch - Working around missing python-packaging dependency in python-Sphinx (bsc#1174571) is not necessary anymore. ------------------------------------------------------------------ ------------------ 2020-8-19 - Aug 19 2020 ------------------- ------------------------------------------------------------------ ++++ python3-core: - Update to 3.6.12 (bsc#1179193) * Ensure python3.dll is loaded from correct locations when Python is embedded * The __hash__() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface incorrectly generated constant hash values of 32 and 128 respectively. This resulted in always causing hash collisions. The fix uses hash() to generate hash values for the tuple of (address, mask length, network address). * Prevent http header injection by rejecting control characters in http.client.putrequest(…). 
* Unpickling invalid NEWOBJ_EX opcode with the C implementation raises now UnpicklingError instead of crashing. * Avoid infinite loop when reading specially crafted TAR files using the tarfile module - Drop merged fixtures: * CVE-2020-14422-ipaddress-hash-collision.patch * CVE-2019-20907_tarfile-inf-loop.patch * recursion.tar - This release also fixes CVE-2020-26116 (bsc#1177211) and CVE-2019-20907 (bsc#1174091). ++++ python3: - Update to 3.6.12 (bsc#1179193) * Ensure python3.dll is loaded from correct locations when Python is embedded * The __hash__() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface incorrectly generated constant hash values of 32 and 128 respectively. This resulted in always causing hash collisions. The fix uses hash() to generate hash values for the tuple of (address, mask length, network address). * Prevent http header injection by rejecting control characters in http.client.putrequest(…). * Unpickling invalid NEWOBJ_EX opcode with the C implementation raises now UnpicklingError instead of crashing. * Avoid infinite loop when reading specially crafted TAR files using the tarfile module - Drop merged fixtures: * CVE-2020-14422-ipaddress-hash-collision.patch * CVE-2019-20907_tarfile-inf-loop.patch * recursion.tar - This release also fixes CVE-2020-26116 (bsc#1177211) and CVE-2019-20907 (bsc#1174091). ------------------------------------------------------------------ ------------------ 2020-8-15 - Aug 15 2020 ------------------- ------------------------------------------------------------------ ++++ binutils: - Add binutils-2.35-branch.diff.gz: it includes fix for nm -B for objects compiled with -flto and -fcommon. 
------------------------------------------------------------------ ------------------ 2020-8-13 - Aug 13 2020 ------------------- ------------------------------------------------------------------ ++++ curl: - Security fix: [bsc#1175109, CVE-2020-8231] * An application that performs multiple requests with libcurl's multi API and sets the 'CURLOPT_CONNECT_ONLY' option, might in rare circumstances experience that when subsequently using the setup connect-only transfer, libcurl will pick and use the wrong connection and instead pick another one the application has created since then. - Add curl-CVE-2020-8231.patch ------------------------------------------------------------------ ------------------ 2020-8-11 - Aug 11 2020 ------------------- ------------------------------------------------------------------ ++++ systemd-presets-common-SUSE: - Enable dnf-makecache.timer ------------------------------------------------------------------ ------------------ 2020-8-10 - Aug 10 2020 ------------------- ------------------------------------------------------------------ ++++ nodejs14: - Explicitly add -fno-strict-aliasing to CFLAGS to fix compilation on Aarch64 with gcc10 (bsc#1172686) ------------------------------------------------------------------ ------------------ 2020-8-7 - Aug 7 2020 ------------------- ------------------------------------------------------------------ ++++ binutils: - Add binutils-revert-nm-symversion.diff to be compatible with old output of nm relied on in scripts. - Add binutils-fix-abierrormsg.diff to work around an eager (new) error message occurring without inputs and as-needed (affects nvme-cli build).
------------------------------------------------------------------ ------------------ 2020-8-6 - Aug 6 2020 ------------------- ------------------------------------------------------------------ ++++ zlib: - Permit a deflateParams() parameter change as soon as possible(bsc#1174736) * bsc1174736-DFLTCC_LEVEL_MASK-set-to-0x1ff.patch Fix DFLTCC not flushing EOBS when creating raw streams(bsc#1174551) * bsc1174551-fxi-imcomplete-raw-streams.patch ------------------------------------------------------------------ ------------------ 2020-8-5 - Aug 5 2020 ------------------- ------------------------------------------------------------------ ++++ gcc10: - Update to gcc-10 branch head (dda1e9d08434def88ed86557d0), git501. * Includes fix for AARCH64 kernel build failure. [bsc#1174817] * Includes aarch64 SLS mitigation changes. [bsc#1172798, CVE-2020-13844] - Add gcc10-streamer-backports1.patch and gcc10-streamer-backports2.patch. - Enable x86 CET runtime for SLES15 and Leap15 also. - Do not enable the now deprecated HSA offloading capability. ------------------------------------------------------------------ ------------------ 2020-8-3 - Aug 3 2020 ------------------- ------------------------------------------------------------------ ++++ nodejs14: - Update to version 14.7.0: * deps: upgrade npm to 6.14.7 * dgram: add IPv6 scope id suffix to received udp6 dgrams * src: + allow preventing SetPromiseRejectCallback #34387 + allow setting a dir for all diagnostic output #33584 * worker: make MessagePort inherit from EventTarget #34057 * zlib: switch to lazy init for zlib streams (Andrey Pechkurov) #34048 ------------------------------------------------------------------ ------------------ 2020-7-28 - Jul 28 2020 ------------------- ------------------------------------------------------------------ ++++ git: - git 2.28.0 * "fetch.writeCommitGraph" is deemed to be still a bit too risky and is no longer part of the "feature.experimental" set. 
* The commands in the "diff" family learned to honor "diff.relative" configuration variable. * "git diff-files" has been taught to say paths that are marked as intent-to-add are new files, not modified from an empty blob. * "git gui" now allows opening work trees from the start-up dialog. * "git bugreport" learns to report what shell is in use. * SHA-256 migration work continues, including CVS/SVN interface. * Some repositories in the wild have commits that record nonsense committer timezone (e.g. rails.git); "git fast-import" learned an option to pass these nonsense timestamps intact to allow recreating existing repositories as-is. * Other code cleanup, docfix, build fix, etc. ++++ gcc10: - Update to gcc-10 branch head (c0438ced53bcf57e4ebb1c38c), git465. * Includes GCC 10.2 release. [bsc#1173972] [jsc#ECO-2373] * Picks up fixes for C++20 coroutines support. [jsc#SLE-12297] * Picks up fix for a recent chromium build fail. - Build x86 CET enabled runtime for Factory. - Disable GCN offloading for SLE12 and SLE15 GA. ++++ systemd: - Restore default upstream tmp.mount (/tmp as tmpfs) behaviour (boo#1173461) ++++ nodejs14: - avoid rpmbuild warnings on if/else/endif constructs ------------------------------------------------------------------ ------------------ 2020-7-27 - Jul 27 2020 ------------------- ------------------------------------------------------------------ ++++ krb5: - Fix prefix reported by krb5-config, libraries and headers are not installed under /usr/lib/mit prefix. (bsc#1174079) ------------------------------------------------------------------ ------------------ 2020-7-24 - Jul 24 2020 ------------------- ------------------------------------------------------------------ ++++ binutils: - Update to binutils 2.35: * The assembler can now produce DWARF-5 format line number tables. * Readelf now has a "lint" mode to enable extra checks of the files it is processing. * Readelf will now display "[...]" when it has to truncate a symbol name.
The old behaviour - of displaying as many characters as possible, up to the 80 column limit - can be restored by the use of the --silent-truncation option. * The linker can now produce a dependency file listing the inputs that it has processed, much like the -M -MP option supported by the compiler. - Regenerate add-ulp-section.diff with -p1 due to a fuzzing issue. - Remove binutils-2.34-branch.diff.gz. - Regenerate binutils-build-as-needed.diff due to a fuzzing issue. - Regenerate binutils-fix-invalid-op-errata.diff as one hunk was upstreamed. - Remove upstreamed patch binutils-pr25593.diff. - Regenerate unit-at-a-time.patch due to a fuzzing issue. - Regenerate binutils-revert-plt32-in-branches.diff. ------------------------------------------------------------------ ------------------ 2020-7-22 - Jul 22 2020 ------------------- ------------------------------------------------------------------ ++++ nodejs14: - Update to version 14.6.0: * deps: + upgrade to libuv 1.38.1 + upgrade npm to 6.14.6 fixing information leak through log files (bsc#1173937, CVE-2020-15095) + update V8 to 8.4.371.19 * module: + doc only deprecation of module.parent + package "imports" field * src: allow embedders to disable esm loader * tls: make 'createSecureContext' honor more options * vm: add run-after-evaluate microtask mode * worker: add option to track unmanaged file descriptors - versioned.patch - refreshed ------------------------------------------------------------------ ------------------ 2020-7-20 - Jul 20 2020 ------------------- ------------------------------------------------------------------ ++++ python3-core: - Add CVE-2019-20907_tarfile-inf-loop.patch fixing bsc#1174091 (CVE-2019-20907, bpo#39017) avoiding possible infinite loop in specifically crafted tarball. Add recursion.tar as a testing tarball for the patch. 
++++ python3: - Add CVE-2019-20907_tarfile-inf-loop.patch fixing bsc#1174091 (CVE-2019-20907, bpo#39017) avoiding possible infinite loop in specifically crafted tarball. Add recursion.tar as a testing tarball for the patch. ------------------------------------------------------------------ ------------------ 2020-7-17 - Jul 17 2020 ------------------- ------------------------------------------------------------------ ++++ python3-core: - Make library names internally consistent - Disable profile optimizations as they deadlock in test_faulthandler - Disable lto as it causes mess and works with 3.7 onwards only - Sync the test disablements from the python3 in sle15 - Update to 3.6.11: - bpo-39073: Disallow CR or LF in email.headerregistry. Address arguments to guard against header injection attacks. - bpo-38576 (bsc#1155094): Disallow control characters in hostnames in http.client, addressing CVE-2019-18348. Such potentially malicious header injection URLs now cause an InvalidURL to be raised. - bpo-39503: CVE-2020-8492: The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient regular expression which can be exploited by an attacker to cause a denial of service. Fix the regex to prevent the catastrophic backtracking. Vulnerability reported by Ben Caller and Matt Schwager. - bpo-39401: Avoid unsafe load of api-ms-win-core-path-l1-1-0.dll at startup on Windows 7. - Remove merged patch CVE-2020-8492-urllib-ReDoS.patch ++++ python3: - Make library names internally consistent - Disable profile optimizations as they deadlock in test_faulthandler - Disable lto as it causes mess and works with 3.7 onwards only - Sync the test disablements from the python3 in sle15 - Update to 3.6.11: - bpo-39073: Disallow CR or LF in email.headerregistry. Address arguments to guard against header injection attacks. - bpo-38576 (bsc#1155094): Disallow control characters in hostnames in http.client, addressing CVE-2019-18348.
Such potentially malicious header injection URLs now cause an InvalidURL to be raised. - bpo-39503: CVE-2020-8492: The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient regular expression which can be exploited by an attacker to cause a denial of service. Fix the regex to prevent the catastrophic backtracking. Vulnerability reported by Ben Caller and Matt Schwager. - bpo-39401: Avoid unsafe load of api-ms-win-core-path-l1-1-0.dll at startup on Windows 7. - Remove merged patch CVE-2020-8492-urllib-ReDoS.patch ------------------------------------------------------------------ ------------------ 2020-7-16 - Jul 16 2020 ------------------- ------------------------------------------------------------------ ++++ coreutils: - Drop suse-module-tools BuildRequires: this was used for the macro regenerate_initrd_post/posttrans, which have been moved to rpm-config-SUSE in Jan 2019. ------------------------------------------------------------------ ------------------ 2020-7-15 - Jul 15 2020 ------------------- ------------------------------------------------------------------ ++++ python3-core: - Fix minor issues found in the staging. - Do not set ourselves as a primary interpreter ++++ python3: - Fix minor issues found in the staging. - Do not set ourselves as a primary interpreter ------------------------------------------------------------------ ------------------ 2020-7-8 - Jul 8 2020 ------------------- ------------------------------------------------------------------ ++++ c-ares: - Version update to 1.16.1 Security: * Prevent possible use-after-free and double-free in ares_getaddrinfo() if ares_destroy() is called prior to ares_getaddrinfo() completing. Reported by Jann Horn at Google Project Zero. Changes: * Allow TXT records on CHAOS qclass. Used for retrieving things like version.bind, version.server, authoris.bind, hostname.bind, and id.server.
[3] Bug fixes: * Fix Windows Unicode incompatibilities with ares_getaddrinfo() [1] * Silence false cast-align compiler warnings due to valid casts of struct sockaddr to struct sockaddr_in and struct sockaddr_in6. * MacOS should use libresolv for retrieving DNS servers, like iOS * CMake build system should populate the INCLUDE_DIRECTORIES property of installed targets [2] * Correct macros in use for the ares_getaddrinfo.3 man page - Changes in version 1.16.0 Changes: * Introduction of ares_getaddrinfo() API which provides similar output (including proper sorting as per RFC 6724) to the system native API, but utilizes different data structures in order to provide additional information such as TTLs and all aliases. Please reference the respective man pages for usage details. * Parse SOA records from ns_t_any response * CMake: Provide c-ares version in package export file * CMake: Add CPACK functionality for DEB and RPM * CMake: Generate PDB files during build * CMake: Support manpage installation Bug fixes: * Fix bad expectation in IPv6 localhost test. * AutoTools: use XC_CHECK_BUILD_FLAGS instead of XC_CHECK_USER_FLAGS to prevent complaints about CPPFLAGS in CFLAGS. * Fix .onion handling * Command line usage was out of date for adig and ahost. * Typos in manpages * If ares_getenv is defined, it must return a value on all platforms * If /etc/resolv.conf has invalid lookup values, use the defaults. * Tests: Separate live tests from SetServers* tests as only live tests should require internet access. * ares_gethostbyname() should return ENODATA if no valid A or AAAA record is found, but a CNAME was found. * CMake: Rework library function checking to prevent unintended linking with system libraries that aren't needed. * Due to use of inet_addr() it was not possible to return 255.255.255.255 from ares_gethostbyname(). 
* CMake: Fix building of tests on Windows - Drop regression.patch which has been fixed upstream - Refresh disable-live-tests.patch - Remove static lib since it's required when doing tests and we don't want it included in package - Run spec-cleaner ------------------------------------------------------------------ ------------------ 2020-7-7 - Jul 7 2020 ------------------- ------------------------------------------------------------------ ++++ kmod: - Drop old RPM constructs from the build recipe. ++++ gcc10: - Update to gcc-10 branch head (12e1a54b06777db74ce375496), git355. * Includes fix for non-reproducible builds with LTO [bsc#1172846]. ------------------------------------------------------------------ ------------------ 2020-7-3 - Jul 3 2020 ------------------- ------------------------------------------------------------------ ++++ kmod: - Drop kmod-compat (boo#1173353): The symlinks in kmod-compat are not obsolete. They are desirable for kernel module autoload. The "kernel.modprobe" sysctl references /sbin/modprobe, and changing it to "/usr/bin/kmod load" is not possible, because this sysctl specifies a single executable, not a command (so spaces will be treated as part of the filename). ++++ gcc10: - Enable nvptx support for aarch64 ------------------------------------------------------------------ ------------------ 2020-7-2 - Jul 2 2020 ------------------- ------------------------------------------------------------------ ++++ nodejs14: - Update to version 14.5.0: * deps: V8 engine is updated to version 8.3.
For details, see https://v8.dev/blog/v8-release-83 * events: experimental implementation of EventTarget For details, see https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V14.md#14.5.0 - sle12_python3_compat.patch: refreshed - fix_ci_tests.patch: refreshed ------------------------------------------------------------------ ------------------ 2020-7-1 - Jul 1 2020 ------------------- ------------------------------------------------------------------ ++++ diffutils: - Add ppc64_disable_failing_test to disable a sporadically failing test for ppc64 and ppc64le builds (boo#1156913) ------------------------------------------------------------------ ------------------ 2020-6-30 - Jun 30 2020 ------------------- ------------------------------------------------------------------ ++++ glibc: - nscd-senfile.patch: Fix concurrent changes on nscd aware files (bsc#1171878, BZ #23178) - nscd-prune.patch: nscd: bump GC cycle during cache pruning (bsc#1171878, BZ #26130) - syslog-locking.patch: Correct locking and cancellation cleanup in syslog functions (bsc#1172085, BZ #26100) ------------------------------------------------------------------ ------------------ 2020-6-25 - Jun 25 2020 ------------------- ------------------------------------------------------------------ ++++ gcc10: - Update to gcc-10 branch head (c91e43e9363bd119a695d6450), git290. * Includes fix for PR95719, fixing LibreOffice. ++++ python3-core: - Add CVE-2020-14422-ipaddress-hash-collision.patch fixing CVE-2020-14422 (bsc#1173274, bpo#41004), where hash collisions in IPv4Interface and IPv6Interface could lead to DOS. ++++ python3: - Add CVE-2020-14422-ipaddress-hash-collision.patch fixing CVE-2020-14422 (bsc#1173274, bpo#41004), where hash collisions in IPv4Interface and IPv6Interface could lead to DOS. 
------------------------------------------------------------------ ------------------ 2020-6-24 - Jun 24 2020 ------------------- ------------------------------------------------------------------ ++++ systemd: - migrate-sysconfig-i18n.sh: fix marker handling (bsc#1173229) The marker is used to make sure the script is run only once. Instead of storing it in /usr, use /var which is more appropriate for such file. Also make it owned by systemd package. ------------------------------------------------------------------ ------------------ 2020-6-23 - Jun 23 2020 ------------------- ------------------------------------------------------------------ ++++ systemd: - Fix inconsistent file modes for some ghost files (bsc#1173227) Ghost files are assumed by rpm to have mode 000 by default which is not consistent with file permissions set at runtime. Also /var/lib/systemd/random-seed was tracked wrongly as a directory. Also don't track (ghost) /etc/systemd/system/runlevel*.target aliases since we're not supposed to track units or aliases user might define/override. ------------------------------------------------------------------ ------------------ 2020-6-19 - Jun 19 2020 ------------------- ------------------------------------------------------------------ ++++ systemd: - Include in the package version the stable minor (if any). Also update the version shown by various commands such as 'systemctl --version' to show the stable number.
------------------------------------------------------------------ ------------------ 2020-6-17 - Jun 17 2020 ------------------- ------------------------------------------------------------------ ++++ e2fsprogs: - po-remove-unnecessary-buggy-positional-parameter-spe.patch: po: remove unnecessary/buggy positional parameter specifiers (bsc#1170964) ++++ curl: - Security fix: [bsc#1173027, CVE-2020-8177] * curl can be tricked by a malicious server to overwrite a local file when using '-J' ('--remote-header-name') and '-i' ('--head') in the same command line. - Add curl-CVE-2020-8177.patch - Security fix: [bsc#1173026, CVE-2020-8169] * Partial password leak over DNS on HTTP redirect - Add curl-CVE-2020-8169.patch ++++ systemd: - Don't restart udevd sockets during package update Otherwise we might miss kernel events as the daemon needs to be stopped as well. - Import commit b12cd8b89b4bccfcf972b47153a2b01cd7775932 (include merge of v245.6) For a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/a6d31d1a02c2718a064bbbc40d003668acf72769...b12cd8b89b4bccfcf972b47153a2b01cd7775932 ------------------------------------------------------------------ ------------------ 2020-6-13 - Jun 13 2020 ------------------- ------------------------------------------------------------------ ++++ coreutils: - coreutils-gnulib-disable-test-float.patch: Add patch to temporarily disable the gnulib test 'test-float' failing on ppc and ppc64le. - coreutils.spec: Reference the patch. While at it, avoid conditional Patch and Source entries as that breaks cross-platform builds from source RPMs.
------------------------------------------------------------------ ------------------ 2020-6-12 - Jun 12 2020 ------------------- ------------------------------------------------------------------ ++++ lvm2-device-mapper: - problem with LVM cache (data loss) (bsc#1172566) + bug-1172566_cachevol-use-cachepool-code-for-metadata-size.patch ------------------------------------------------------------------ ------------------ 2020-6-11 - Jun 11 2020 ------------------- ------------------------------------------------------------------ ++++ gcc10: - Enable c++ for arm-none-eabi ++++ openldap2: - bsc#1172704 - Change DB_CONFIG to root:ldap permissions. - bsc#1172698 (CVE-2020-8023) - local priv esc via start script chown -R on olcdbdirectory path. Remove chown -R on start to resolve. ------------------------------------------------------------------ ------------------ 2020-6-9 - Jun 9 2020 ------------------- ------------------------------------------------------------------ ++++ nodejs-common: - Add nodejs-default, npm-default and nodejs-devel-default subpackages to provide latest, best supported nodejs for current architecture and codestream. nodejs-default - nodejs runtime only npm-default - if you need npm + nodejs nodejs-devel-default - if you need npm + nodejs + compile modules ++++ nodejs14: - Add Require for nodejs14 when installing npm14. (bsc#1172728) ++++ perl: - Fix various security issues in the study_chunk function [bnc#1171863] [CVE-2020-10543] [bnc#1171864] [CVE-2020-10878] [bnc#1171866] [CVE-2020-12723] new patch: perl-study.diff - Comment out bad warning in features.ph file [bnc#1172348] ------------------------------------------------------------------ ------------------ 2020-6-8 - Jun 8 2020 ------------------- ------------------------------------------------------------------ ++++ krb5: - Update logrotate script, call systemd to reload the services instead of init-scripts.
(boo#1169357) ------------------------------------------------------------------ ------------------ 2020-6-5 - Jun 5 2020 ------------------- ------------------------------------------------------------------ ++++ openssh: - Version update to 8.3p1: = Potentially-incompatible changes * sftp(1): reject an argument of "-1" in the same way as ssh(1) and scp(1) do instead of accepting and silently ignoring it. = New features * sshd(8): make IgnoreRhosts a tri-state option: "yes" to ignore rhosts/shosts, "no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts files but not .rhosts. * sshd(8): allow the IgnoreRhosts directive to appear anywhere in a sshd_config, not just before any Match blocks. * ssh(1): add %TOKEN percent expansion for the LocalForward and RemoteForward keywords when used for Unix domain socket forwarding. * all: allow loading public keys from the unencrypted envelope of a private key file if no corresponding public key file is present. * ssh(1), sshd(8): prefer to use chacha20 from libcrypto where possible instead of the (slower) portable C implementation included in OpenSSH. * ssh-keygen(1): add ability to dump the contents of a binary key revocation list via "ssh-keygen -lQf /path". - Additional changes from 8.2p1 release: = Potentially-incompatible changes * ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures (i.e. the client and server CASignatureAlgorithms option) and will use the rsa-sha2-512 signature algorithm by default when the ssh-keygen(1) CA signs new certificates. * ssh(1), sshd(8): this release removes diffie-hellman-group14-sha1 from the default key exchange proposal for both the client and server. * ssh-keygen(1): the command-line options related to the generation and screening of safe prime numbers used by the diffie-hellman-group-exchange-* key exchange algorithms have changed. Most options have been folded under the -O flag.
* sshd(8): the sshd listener process title visible to ps(1) has changed to include information about the number of connections that are currently attempting authentication and the limits configured by MaxStartups. * ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). It needs to be installed in the expected path, typically under /usr/libexec or similar. = New features * This release adds support for FIDO/U2F hardware authenticators to OpenSSH. U2F/FIDO are open standards for inexpensive two-factor authentication hardware that are widely used for website authentication. In OpenSSH FIDO devices are supported by new public key types "ecdsa-sk" and "ed25519-sk", along with corresponding certificate types. * sshd(8): add an Include sshd_config keyword that allows including additional configuration files via glob(3) patterns. * ssh(1)/sshd(8): make the LE (low effort) DSCP code point available via the IPQoS directive. * ssh(1): when AddKeysToAgent=yes is set and the key contains no comment, add the key to the agent with the key's path as the comment. * ssh-keygen(1), ssh-agent(1): expose PKCS#11 key labels and X.509 subjects as key comments, rather than simply listing the PKCS#11 provider library path. * ssh-keygen(1): allow PEM export of DSA and ECDSA keys. * ssh(1), sshd(8): make zlib compile-time optional, available via the Makefile.inc ZLIB flag on OpenBSD or via the --with-zlib configure option for OpenSSH portable. * sshd(8): when clients get denied by MaxStartups, send a notification prior to the SSH2 protocol banner according to RFC4253 section 4.2. * ssh(1), ssh-agent(1): when invoking the $SSH_ASKPASS prompt program, pass a hint to the program to describe the type of desired prompt. 
The possible values are "confirm" (indicating that a yes/no confirmation dialog with no text entry should be shown), "none" (to indicate an informational message only), or blank for the original ssh-askpass behaviour of requesting a password/phrase. * ssh(1): allow forwarding a different agent socket to the path specified by $SSH_AUTH_SOCK, by extending the existing ForwardAgent option to accept an explicit path or the name of an environment variable in addition to yes/no. * ssh-keygen(1): add a new signature operation "find-principals" to look up the principal associated with a signature from an allowed-signers file. * sshd(8): expose the number of currently-authenticating connections along with the MaxStartups limit in the process title visible to "ps". - Rebased patches: * openssh-7.7p1-cavstest-ctr.patch * openssh-7.7p1-cavstest-kdf.patch * openssh-7.7p1-fips.patch * openssh-7.7p1-fips_checks.patch * openssh-7.7p1-ldap.patch * openssh-7.7p1-no_fork-no_pid_file.patch * openssh-7.7p1-sftp_print_diagnostic_messages.patch * openssh-8.0p1-gssapi-keyex.patch * openssh-8.1p1-audit.patch * openssh-8.1p1-seccomp-clock_nanosleep.patch - Removed openssh-7.7p1-seed-prng.patch (bsc#1165158). ------------------------------------------------------------------ ------------------ 2020-6-4 - Jun 4 2020 ------------------- ------------------------------------------------------------------ ++++ systemd: - no longer explicitly package setgid directory /var/log/journal (bsc#1172550). The bit will be set during %post by way of the systemd-tmpfiles invocation. This avoids a conflict with the permissions package and an rpmlint error popping up.
++++ nodejs14: - Update to version 14.4.0: * napi: fix various types of memory corruption in napi_get_value_string_*() (CVE-2020-8174, bsc#1172443) * http2: fix HTTP/2 Large Settings Frame DoS (CVE-2020-11080, bsc#1172442) * TLS session reuse can lead to host certificate verification bypass (CVE-2020-8172, bsc#1172441) ------------------------------------------------------------------ ------------------ 2020-6-3 - Jun 3 2020 ------------------- ------------------------------------------------------------------ ++++ python-pyparsing: - unittest2 -> pytest ------------------------------------------------------------------ ------------------ 2020-6-2 - Jun 2 2020 ------------------- ------------------------------------------------------------------ ++++ cracklib: - Update to version 2.9.7: + fix a buffer overflow processing long words. - Drop 0003-overflow-processing-gecos.patch and 0004-overflow-processing-long-words.patch: fixed upstream. - Update source URI. - Remove use of translation-update-upstream. It cannot be added to ring 0 on leap, and 2.9.7 has some translation fixes (bsc#1172396). 
++++ permissions: - Update to version 20181224: * profiles: add entries for enlightenment (bsc#1171686) ------------------------------------------------------------------ ------------------ 2020-6-1 - Jun 1 2020 ------------------- ------------------------------------------------------------------ ++++ git: - git 2.27.0: * "git describe" will always use the "long" version when giving its output based misplaced tags * "git pull" issues a warning message until the pull.rebase configuration variable is explicitly given * The transport protocol version 2, which was promoted to the default in Git 2.26 release, turned out to have some remaining rough edges, so it has been demoted from the default * A handful of options to configure SSL when talking to proxies have been added * Smudge/clean conversion filters are now given more information * many bug fixes, improvements, and additional workflow options - drop upstreamed patches: * 0001-fetch-pack-return-enum-from-process_acks.patch * 0002-fetch-pack-in-protocol-v2-in_vain-only-after-ACK.patch * 0003-fetch-pack-in-protocol-v2-reset-in_vain-upon-ACK.patch - drop unneeded patches: * 0001-DOC-Move-to-DocBook-5-when-using-asciidoctor.patch * 0002-Also-use-DocBook-5-stylesheet-when-generating-HTML-o.patch ++++ audit: - Fix specfile to require libauparse0 and libaudit1 after splitting audit-libs (bsc#1172295) ------------------------------------------------------------------ ------------------ 2020-5-31 - May 31 2020 ------------------- ------------------------------------------------------------------ ++++ icu: - Add the provides for libicu to make .Net core install successfully.
(bsc#1167603, bsc#1161007) ++++ openssh: - add upstream signing key to actually verify source signature ------------------------------------------------------------------ ------------------ 2020-5-29 - May 29 2020 ------------------- ------------------------------------------------------------------ ++++ systemd: - Fix build when resolved is disabled While at it sort the build conditionals. ++++ nodejs14: - Update to version 14.3.0: * repl: previews improvements with autocompletion * it's now possible to use the await keyword outside of async functions, with the --experimental-top-level-await flag - Changes in version 14.2.0: * console: Support for console constructor groupIndentation options - skip_no_console.patch: refreshed - versioned.patch, fix_ci_tests.patch: refreshed ------------------------------------------------------------------ ------------------ 2020-5-28 - May 28 2020 ------------------- ------------------------------------------------------------------ ++++ cryptsetup: - Update to 2.3.3: * Fix BitLocker compatible device access that uses native 4kB sectors * Support large IV count (--iv-large-sectors) cryptsetup option for plain device mapping * Fix a memory leak in BitLocker compatible handling * Allow EBOIV (Initialization Vector algorithm) use * LUKS2: Require both keyslot cipher and key size option, do not fail silently - includes changes from 2.3.2: * Add option to dump content of LUKS2 unbound keyslot * Add support for discards (TRIM) for standalone dm-integrity devices (Kernel 5.7) via --allow-discards, not for LUKS2 * Fix cryptsetup-reencrypt to work on devices that do not allow direct-io device access. 
* Fix a crash in the BitLocker-compatible code error path * Fix Veracrypt compatible support for longer (>64 bytes) passphrases ++++ systemd: - Import commit a6d31d1a02c2718a064bbbc40d003668acf72769 bb6e2f7906 pid1: update manager settings on reload too (bsc#1163109) e9e8907b06 watchdog: reduce watchdog pings in timeout interval 385a8f9846 udev: rename the persistent link for ATA devices (bsc#1164538) 66018a12ae tmpfiles: remove unnecessary assert (bsc#1171145) ++++ permissions: - whitelist texlive public binary (bsc#1171686) ------------------------------------------------------------------ ------------------ 2020-5-27 - May 27 2020 ------------------- ------------------------------------------------------------------ ++++ kmod: - Update to release 27 * Link to libcrypto rather than requiring openssl. * Use PKCS#7 instead of CMS for parsing module signature to be compatible with LibreSSL and OpenSSL < 1.1.0. * Teach modinfo to parse modules.builtin.modinfo. When using Linux kernel >= v5.2~rc1, it is possible to get module information from this new file. ++++ lvm2-device-mapper: - removing LVM cache with cache volume does not remove the cache volume (bsc#1171907) + bug-1171907-lvremove-remove-attached-cachevol-with-removed-LV.patch ------------------------------------------------------------------ ------------------ 2020-5-26 - May 26 2020 ------------------- ------------------------------------------------------------------ ++++ gmp: - correct license statement (library itself is not GPL-3.0) ------------------------------------------------------------------ ------------------ 2020-5-25 - May 25 2020 ------------------- ------------------------------------------------------------------ ++++ systemd: - Disable bump of /proc/sys/fs/nr-open Hopefully a _temporary_ workaround until bsc#1165351 is fixed otherwise user instances crash if the system is using NIS (and the nscd cache is empty).
++++ timezone: - zdump --version reported "unknown" (boo#1172055) ------------------------------------------------------------------ ------------------ 2020-5-22 - May 22 2020 ------------------- ------------------------------------------------------------------ ++++ cracklib: - Enable translation-update-upstream on leap, to remove the use of is_opensuse (jsc#SLE-12096). ++++ util-linux: - Use plain #!/bin/sh for flushb ++++ shadow: - Use pure #!/bin/sh in: * useradd.local * userdel-post.local * userdel-pre.local ------------------------------------------------------------------ ------------------ 2020-5-21 - May 21 2020 ------------------- ------------------------------------------------------------------ ++++ util-linux: - Include pam_securetty in login.pamd again (bsc#1033626) - Update to 2.35.2 * make glibc 2.31 compatible - Dropped unneeded patch libfdisk-script-accept-sector-size.patch ------------------------------------------------------------------ ------------------ 2020-5-19 - May 19 2020 ------------------- ------------------------------------------------------------------ ++++ libgcrypt: - FIPS: RSA/DSA/ECC test_keys() print out debug messages [bsc#1171872] * Print the debug messages in test_keys() only in debug mode. - Update patches: libgcrypt-PCT-RSA.patch libgcrypt-PCT-DSA.patch libgcrypt-PCT-ECC.patch ------------------------------------------------------------------ ------------------ 2020-5-15 - May 15 2020 ------------------- ------------------------------------------------------------------ ++++ gcc10: - Update to gcc-10 branch head (b0461f44076c26ced5526e4fd6), git68. - Add gcc10-foffload-default.patch to make offloading ignore offload targets that have not been installed both at compile and runtime (for the libgomp plugin part). 
------------------------------------------------------------------ ------------------ 2020-5-13 - May 13 2020 ------------------- ------------------------------------------------------------------ ++++ glibc: - nptl-setxid-race.patch: nptl: wait for pending setxid request also in detached thread (bsc#1162930, BZ #25942) ++++ util-linux: - Add patch to fix sfdisk not reading its own scripts: * libfdisk-script-accept-sector-size.patch - Use %autopatch ++++ lvm2-device-mapper: - Add missing patch, which was mistakenly removed in lvm2 update + bug-998893_make_pvscan_service_after_multipathd.patch - Change lvm2.spec for fixing build error + lvm2.spec ------------------------------------------------------------------ ------------------ 2020-5-11 - May 11 2020 ------------------- ------------------------------------------------------------------ ++++ permissions: - Remove setuid bit for newgidmap and newuidmap in paranoid profile (bsc#1171173) ------------------------------------------------------------------ ------------------ 2020-5-8 - May 8 2020 ------------------- ------------------------------------------------------------------ ++++ util-linux: - Fix verification of mount, su and umount (bsc#1166948) ------------------------------------------------------------------ ------------------ 2020-5-7 - May 7 2020 ------------------- ------------------------------------------------------------------ ++++ aaa_base: - Add patch git-19-1149066a54a372b30b7cbd79cd222e11d96dc984.patch * Not all XTerm based emulators do have a terminfo entry (boo#1087982) - Add patch git-20-6452441f2054b4b290c089ce6269889993b95fc1.patch * Better support of Midnight Commander (bsc#1170527) ++++ gcc10: - Update to gcc-10 branch head (dd38686d9c810cecbaa80bb82e), git40. * Includes GCC 10.1 release.
------------------------------------------------------------------ ------------------ 2020-5-6 - May 6 2020 ------------------- ------------------------------------------------------------------ ++++ cracklib: - use /usr/lib instead of %{_libexecdir}, %{_libexecdir} should contain internal binaries, not data ------------------------------------------------------------------ ------------------ 2020-5-5 - May 5 2020 ------------------- ------------------------------------------------------------------ ++++ python-packaging: - Ignore clamav scan as it bogusly calls one file to be infected while it is just a testcase of malformed binary: [#]!BuildIgnore: post-build-checks-malwarescan ++++ python-pyparsing: - update to 2.4.7: . Each bug with Regex expressions . And expressions not properly constructing with generator . Traceback abbreviation . Bug in delta_time example . Fix regexen in pyparsing_common.real and .sci_real . Avoid FutureWarning on Python 3.7 or later . Cleanup output in runTests if comments are embedded in test string ------------------------------------------------------------------ ------------------ 2020-5-4 - May 4 2020 ------------------- ------------------------------------------------------------------ ++++ coreutils: - add coreutils-use-python3.patch to minimally port away from python 2.x use of pyinotify in the testsuite ------------------------------------------------------------------ ------------------ 2020-5-2 - May 2 2020 ------------------- ------------------------------------------------------------------ ++++ gcc10: - Update to gcc-10 branch head (2aaa1dc3c87372fd55c1c33aa7a), git5. * Includes first release candidate for GCC 10.1. 
* Includes gcc10-pr94734.patch ------------------------------------------------------------------ ------------------ 2020-4-30 - Apr 30 2020 ------------------- ------------------------------------------------------------------ ++++ openldap2: - bsc#1170771 (CVE-2020-12243) - recursive filters may crash server * patch: 0205-bsc-1170771-limit-depth-of-nested-filters.patch ++++ nodejs14: - Update to version 14.1.0: * deps: upgrade openssl sources to 1.1.1g (SLE-12 only) * http: doc deprecate abort and improve docs * module: do not warn when accessing __esModule of unfinished exports * n-api: detect deadlocks in thread-safe function * src: deprecate embedder APIs with replacements * stream: + don't emit end after close + don't wait for close on legacy streams + pipeline should only destroy un-finished streams * vm: add importModuleDynamically option to compileFunction skip_no_console.patch: add more unit tests that fail on dumb terminals ------------------------------------------------------------------ ------------------ 2020-4-28 - Apr 28 2020 ------------------- ------------------------------------------------------------------ ++++ git: - Protocol v2 in_vain fixes (bsc#1170741, bsc#1170939). Dropped: Revert-fetch-default-to-protocol-version-2.patch Added: 0001-fetch-pack-return-enum-from-process_acks.patch 0002-fetch-pack-in-protocol-v2-in_vain-only-after-ACK.patch 0003-fetch-pack-in-protocol-v2-reset-in_vain-upon-ACK.patch ------------------------------------------------------------------ ------------------ 2020-4-27 - Apr 27 2020 ------------------- ------------------------------------------------------------------ ++++ git: - Add back SuSEfirewall2 support needed for SLE12 (bsc#1170302). 
++++ libgcrypt: - FIPS: libgcrypt: Double free in test_keys() on failed signature verification [bsc#1169944] * Use safer gcry_mpi_release() instead of mpi_free() - Update patches: * libgcrypt-PCT-DSA.patch * libgcrypt-PCT-RSA.patch * libgcrypt-PCT-ECC.patch ++++ systemd: - Drop legacy /sbin/{udevd,udevadm} symlinks hopefully for good Since boo#1160890 has been fixed since a couple of months now. - Drop content of /usr/share/factory/ (bsc#1170146) systemd ships several files in /usr/share/factory/etc that are copied to /etc in case those files are missing there. Unfortunately the content does not match the openSUSE defaults. - Drop most of the tmpfiles that deal with generic paths (bsc#1078466) They are problematic because some of them conflict with SUSE defaults. Therefore it seems better to let the relevant packages owning these paths to provide their own definitions instead. Meanwhile we still keep the homeless definitions in suse.conf until a better place is found for them. Drop 0001-Fix-run-lock-group-to-follow-openSUSE-policy.patch Drop 0001-SUSE-policy-do-not-clean-tmp-by-default.patch ++++ nodejs14: - Initial version 14.0.0 Deprecations * crypto: move pbkdf2 without digest to EOL * fs: deprecate closing FileHandle on garbage collection * http: move OutboundMessage.prototype.flush to EOL * lib: move GLOBAL and root aliases to EOL * os: move tmpDir() to EOL * src: remove deprecated wasm type check * stream: move _writableState.buffer to EOL * doc: deprecate process.mainModule * doc: deprecate process.umask() with no arguments For a detailed list of changes, see https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V14.md#14.0.0 ------------------------------------------------------------------ ------------------ 2020-4-24 - Apr 24 2020 ------------------- ------------------------------------------------------------------ ++++ gcc10: - Update to master head (3685c5adf5c0b30268cb8f95c89e4), git176017.
- Add gcc10-pr94734.patch ++++ systemd: - Drop %tmpfiles_create portables.conf from %post of networkd sub-package It was probably mistakenly added because systemd-portable served as template for systemd-network. ++++ timezone: - timezone update 2020a (bsc#1169582) * Morocco springs forward on 2020-05-31, not 2020-05-24. * Canada's Yukon advanced to -07 year-round on 2020-03-08. * America/Nuuk renamed from America/Godthab. * zic now supports expiration dates for leap second lists. ------------------------------------------------------------------ ------------------ 2020-4-23 - Apr 23 2020 ------------------- ------------------------------------------------------------------ ++++ systemd: - Import commit 08cd65ac385c884ed6e4bd71128a0796f56ecd17 (include merge of v245.5) 1ceedf8535 meson: fix build of udev 'path_id_compat' builtin with meson 0.54 e61569d4a9 pid1: by default make user units inherit their umask from the user manager (bsc#1162698) 64fdacd5f1 user-util: rework how we validate user names (bsc#1170272) [...] For a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/c5aa158173ced05201182d1cc18632a25cf43b94...08cd65ac385c884ed6e4bd71128a0796f56ecd17 - Drop 0001-meson-fix-build-of-udev-path_id_compat-builtin-with-.patch It's been merged in 'openSUSE-Factory' branch otherwise this branch won't build anymore since meson has been upgraded to version 0.54 in Factory. ++++ zlib: - Update 410.patch to contain latest fixes from IBM bsc#1166260 * The build behaviour changed ------------------------------------------------------------------ ------------------ 2020-4-21 - Apr 21 2020 ------------------- ------------------------------------------------------------------ ++++ git: - With recent switch to protocol v2 people are reporting fetches transferring unreasonable amount of data. Upstream proposes switching the protocol back until the issue is properly diagnosed. 
The regression is problematic for people with lower network connection speed (bsc#1170741). Added: Revert-fetch-default-to-protocol-version-2.patch ++++ python-rpm-macros: - Update to version 20200207.5feb6c1 bsc#1171561: * Do not write .pyc files for tests ------------------------------------------------------------------ ------------------ 2020-4-20 - Apr 20 2020 ------------------- ------------------------------------------------------------------ ++++ git: - git 2.26.2: * CVE-2020-11008: Specially crafted URLs may have tricked the credentials helper into providing credential information that is not appropriate for the protocol in use and host being contacted (boo#1169936) - Submit to SLE15 / resubmit to Factory (bsc#1169786, jsc#SLE-12396, bsc#1149792) ++++ openssl-1_1: - Security fix: [bsc#1169407, CVE-2020-1967] * Segmentation fault in SSL_check_chain: Server applications that call the SSL_check_chain() function during or after a TLS handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the signature_algorithms_cert TLS extension. - Add patches: * openssl-CVE-2020-1967.patch * openssl-CVE-2020-1967-test1.patch * openssl-CVE-2020-1967-test2.patch * openssl-CVE-2020-1967-test3.patch ------------------------------------------------------------------ ------------------ 2020-4-17 - Apr 17 2020 ------------------- ------------------------------------------------------------------ ++++ git: - Fix git-daemon not starting after conversion from sysvinit to systemd service (bsc#1169605). ++++ gcc10: - Update to master head (b835645c7a51b7e99092abe61d677), git175845. - Drop to 4 jobs as constraint for s390x. ------------------------------------------------------------------ ------------------ 2020-4-16 - Apr 16 2020 ------------------- ------------------------------------------------------------------ ++++ gcc10: - Update to master head (effcb4181e143bc390286a489ff84), git175831. - Package arm_cde.h and arm_mve_types.h for arm.
- Alter _constraints to also constrain jobs.
- Add libzstd-devel BuildRequires to cross compiler specs.
- Switch to release checking builds.

++++ libgcrypt:

- Ship the FIPS checksum file in the shared library package and create
  a separate trigger file for the FIPS selftests (bsc#1169569)
  * add libgcrypt-fips_selftest_trigger_file.patch
  * refresh libgcrypt-global_init-constructor.patch
- Remove libgcrypt-binary_integrity_in_non-FIPS.patch obsoleted by
  libgcrypt-global_init-constructor.patch

------------------------------------------------------------------
------------------ 2020-4-15 - Apr 15 2020 -------------------
------------------------------------------------------------------
++++ gcc10:

- Update to master head (2dc9294c3c7c81a6d5e1d4dedf58f), git175805.

++++ libgcrypt:

- FIPS: Verify that the generated signature and the original input
  differ in test_keys function for RSA, DSA and ECC: [bsc#1165539]
- Add zero-padding when qx and qy have different lengths when
  assembling the Q point from affine coordinates.
- Refreshed patches:
  * libgcrypt-PCT-DSA.patch
  * libgcrypt-PCT-RSA.patch
  * libgcrypt-PCT-ECC.patch

++++ systemd:

- Switch back to the hybrid hierarchy
  Unfortunately Kubernetes and runc are not yet ready for cgroupsv2.
  Let's reconsider the unified hierarchy in a couple of months.
++++ libtirpc:

- Update to libtirpc 1.2.6
- Drop all patches backported from this release
  (0001-Add-authdes_seccreate-stub.patch,
  0001-Avoid-multiple-definiton-with-gcc-fno-common.patch)

------------------------------------------------------------------
------------------ 2020-4-14 - Apr 14 2020 -------------------
------------------------------------------------------------------
++++ file:

- file-5.24-nitpick.dif: remove obsolete patch (bsc#1169512)
- file-secure_getenv.patch: refresh

++++ git:

- git 2.26.1: (boo#1168930)
  * CVE-2020-5260: Specially crafted URLs with newline characters could
    have been used to make the Git client send credential information
    for a wrong host to the attacker's site boo#1168930

------------------------------------------------------------------
------------------ 2020-4-8 - Apr 8 2020 -------------------
------------------------------------------------------------------
++++ gcc10:

- Update to master head (13e41d8b9d3d7598c72c38acc86a3), git175688.

------------------------------------------------------------------
------------------ 2020-4-6 - Apr 6 2020 -------------------
------------------------------------------------------------------
++++ gcc10:

- Update to master head (c72a1b6f8b26de37d1a922a8af143), git175641.

++++ util-linux:

- Update to version 2.35.1:
  * agetty: add --show-issue, support for /run/issue and
  * fdisk: Correct handling of hybrid MBR, cleanup wipe warning, use
    'r' to return from MBR to GPT.
  * lsblk: FSVER column, drop
    e3bb9bfb76c17b1d05814436ced62c05c4011f48.patch.
  * lscpu: Add HiSilicon aarch64 tsv110 cpupart, add new columns to
    --cache.
  * mount: add --target-prefix.
  * mountpoint: add --nofollow option.
  * script: add --echo, --log-in, --logging-format, --log-out and
    --log-timing.
  * scriptlive: new command.
  * scriptreplay: add --log-* options, --cr-mode, --stream, --summary,
    -T --log-timing.
  * sfdisk: add progress bars.
  * unshare: add --keep-caps and --map-current-user options.
  * Many other fixes and improvements, see:
    https://mirrors.edge.kernel.org/pub/linux/utils/util-linux/v2.35/v2.35-ReleaseNotes
    https://mirrors.edge.kernel.org/pub/linux/utils/util-linux/v2.35/v2.35.1-ReleaseNotes
- Refresh libeconf.patch.
- Add libmount-Avoid-triggering-autofs-in-lookup_umount_fs.patch:
  Avoid triggering autofs in lookup_umount_fs_by_statfs (boo#1168389)

++++ libssh:

- Fix possible Denial of Service attack when using AES-CTR ciphers;
  (bsc#1168699)
  * Add 0001-CVE-2020-1730-Fix-a-possible-segfault-when-zeroing-A.patch

++++ systemd:

- Import commit c5aa158173ced05201182d1cc18632a25cf43b94 (merge v245.4)
- Add 0001-meson-fix-build-of-udev-path_id_compat-builtin-with-.patch

------------------------------------------------------------------
------------------ 2020-4-2 - Apr 2 2020 -------------------
------------------------------------------------------------------
++++ cryptsetup:

- Split translations to -lang package
- New version to 2.3.1
  * Support VeraCrypt 128 bytes passwords.
    VeraCrypt now allows passwords of maximal length 128 bytes
    (compared to legacy TrueCrypt where it was limited by 64 bytes).
  * Strip extra newline from BitLocker recovery keys
    There might be a trailing newline added by the text editor when
    the recovery passphrase was passed using the --key-file option.
  * Detect separate libiconv library.
    It should fix compilation issues on distributions with iconv
    implemented in a separate library.
  * Various fixes and workarounds to build on old Linux distributions.
  * Split lines with hexadecimal digest printing for large key-sizes.
  * Do not wipe the device with no integrity profile.
    With --integrity none we performed useless full device wipe.
  * Workaround for dm-integrity kernel table bug.
    Some kernels show an invalid dm-integrity mapping table if
    superblock contains the "recalculate" bit. This causes
    integritysetup to not recognize the dm-integrity device.
    Integritysetup now specifies kernel options in such a way that even
    on unpatched kernels mapping table is correct.
  * Print error message if LUKS1 keyslot cannot be processed.
    If the crypto backend is missing support for hash algorithms used
    in PBKDF2, the error message was not visible.
  * Properly align LUKS2 keyslots area on conversion.
    If the LUKS1 payload offset (data offset) is not aligned to 4 KiB
    boundary, new LUKS2 keyslots area is now aligned properly.
  * Validate LUKS2 earlier on conversion to not corrupt the device if
    binary keyslots areas metadata are not correct.

++++ permissions:

- correct spelling of icinga group (icingagmd -> icingacmd, bsc#1168364)

------------------------------------------------------------------
------------------ 2020-3-30 - Mar 30 2020 -------------------
------------------------------------------------------------------
++++ libgcrypt:

- FIPS: Switch the PCT to use the new signature operation [bsc#1165539]
  * Patches for DSA, RSA and ECDSA test_keys functions:
    - libgcrypt-PCT-DSA.patch
    - libgcrypt-PCT-RSA.patch
    - libgcrypt-PCT-ECC.patch
- Update patch: libgcrypt-FIPS-RSA-DSA-ECDSA-hashing-operation.patch

------------------------------------------------------------------
------------------ 2020-3-27 - Mar 27 2020 -------------------
------------------------------------------------------------------
++++ gcc10:

- Update to master head (038769535a8cbdd3dd3e100bde314), git175499.
++++ e2fsprogs:

- e2fsck-clarify-overflow-link-count-error-message.patch:
  e2fsck: clarify overflow link count error message (bsc#1160979)
- ext2fs-update-allocation-info-earlier-in-ext2fs_mkdi.patch:
  ext2fs: update allocation info earlier in ext2fs_mkdir() (bsc#1160979)
- ext2fs-implement-dir-entry-creation-in-htree-directo.patch:
  ext2fs: implement dir entry creation in htree directories (bsc#1160979)
- tests-add-test-to-excercise-indexed-directories-with.patch:
  tests: add test to exercise indexed directories with metadata_csum
  (bsc#1160979)
- tune2fs-update-dir-checksums-when-clearing-dir_index.patch:
  tune2fs: update dir checksums when clearing dir_index feature
  (bsc#1160979)

------------------------------------------------------------------
------------------ 2020-3-26 - Mar 26 2020 -------------------
------------------------------------------------------------------
++++ libgcrypt:

- FIPS: Fix drbg to be threadsafe [bsc#1167674]
  * Detect fork and re-open devices in _gcry_rndlinux_gather_random
  * libgcrypt-check-re-open-dev_random-after-fork.patch
- FIPS: Run self-tests from constructor during power-on [bsc#1166748]
  * Set up global_init as the constructor function:
    - libgcrypt-global_init-constructor.patch
  * Relax the entropy requirements on selftest. This is especially
    important for virtual machines to boot properly before the RNG is
    available:
    - libgcrypt-random_selftests-testentropy.patch
    - libgcrypt-rsa-no-blinding.patch
    - libgcrypt-ecc-ecdsa-no-blinding.patch
  * Fix benchmark regression test in FIPS mode:
    - libgcrypt-FIPS-GMAC_AES-benckmark.patch

------------------------------------------------------------------
------------------ 2020-3-25 - Mar 25 2020 -------------------
------------------------------------------------------------------
++++ binutils:

- Update binutils-2.34-branch.diff.gz.
++++ glibc:

- glob-use-after-free.patch: Fix use-after-free in glob when expanding
  ~user (CVE-2020-1752, bsc#1167631, BZ #25414)

++++ system-users:

- Use test -x instead of -f

------------------------------------------------------------------
------------------ 2020-3-24 - Mar 24 2020 -------------------
------------------------------------------------------------------
++++ gcc10:

- Update to master head (75c24a08d697d6442fe6c26142f05), git175422.

++++ openslp:

- Add missing group(daemon) prerequires to the openslp-server package
  [bnc#1165050]
- Add missing openslp requires to the openslp-server package
  [bnc#1165121]

++++ permissions:

- whitelist s390-tools setgid bit on log directory (bsc#1167163)

------------------------------------------------------------------
------------------ 2020-3-23 - Mar 23 2020 -------------------
------------------------------------------------------------------
++++ git:

- git 2.26.0 (bsc#1167890, jsc#SLE-11608):
  * "git rebase" now uses a different backend that is based on the
    'merge' machinery by default. The 'rebase.backend' configuration
    variable reverts to old behaviour when set to 'apply'
  * Improved handling of sparse checkouts
  * Improvements to many commands and internal features

------------------------------------------------------------------
------------------ 2020-3-20 - Mar 20 2020 -------------------
------------------------------------------------------------------
++++ gcc10:

- Update to master head (7d4549b2cd209eb621453ce13be7f), git175366.

++++ openssl-1_1:

- openssl dgst: default to SHA256 only when called without a digest,
  not when it couldn't be found (bsc#1166189)
  * add openssl-unknown_dgst.patch

++++ pam:

- Moved pam_userdb to a separate package pam-extra.
  [bsc#1166510, pam.spec]

++++ system-users:

- Call usermod only if installed

------------------------------------------------------------------
------------------ 2020-3-19 - Mar 19 2020 -------------------
------------------------------------------------------------------
++++ git:

- git 2.25.2:
  * bug fixes to various subcommands in specific operations

++++ gcc10:

- Update to master head (c7e9019681857b329bbe4c1e7ec8d), git175348.
- Package arm_mve.h for arm.

++++ systemd:

- Import commit 31f82b39c811b4f731c80c2c2e7c56a0ca924a5b (merge v245.2)
  d1d3f2aa15 docs: Add syntax for templated units to systemd.preset man page
  3c69813c69 man: add a tiny bit of markup
  bf595e788c home: fix segfault when parsing arguments in PAM module
  e110f4dacb test: wait a bit after starting the test service
  e8df08cfdb fix journalctl regression (#15099)
  eb3a38cc23 NEWS: add late note about job trimming issue
  405f0fcfdd systemctl: hide the 'glyph' column when --no-legend is requested
  1c7de81f89 format-table: allow hiding a specific column
  b7f2308bda core: transition to FINAL_SIGTERM state after ExecStopPost=
  2867dfbf70 journalctl: show duplicate entries if they are from the same file (#14898)
  [...]

++++ python-pip:

- Skip virtualenv tests that are pinned to old virtualenv 16

------------------------------------------------------------------
------------------ 2020-3-18 - Mar 18 2020 -------------------
------------------------------------------------------------------
++++ gcc10:

- Update to master head (4e3d3e40726e1b68bf52fa205c68495124ea60b8).
- libgphobos and libgdruntime SONAME versions were reset to 1.

++++ systemd:

- Upgrade to v245 (commit 74e2e834b4282c9bbdc12014f6ccf8d86e542b8d)
  See https://github.com/openSUSE/systemd/blob/SUSE/v245/NEWS for
  details.
  This includes the following bug fixes:
  - upstream commit 7f56982289275ce84e20f0554475864953e6aaab (CVE-2020-1712)
  - upstream commit 66a19d85a533b15ed32f4066ec880b5a8c06babd (bsc#1157315)
  - upstream commit 7f56982289275ce84e20f0554475864953e6aaab (bsc#1162108)
  The new tools provided by systemd repart, userdb, homed, fdisk,
  pwquality, p11kit feature have been disabled for now as they require
  reviews first.
  Default to the "unified" cgroup hierarchy. Indeed most prominent users
  of cgroup (such as libvirt, kubic) should be ready for such change.
  It's still possible to switch back to the old "hybrid" hierarchy by
  passing "systemd.unified_cgroup_hierarchy=0" option to the kernel
  command line though.
  Added 0001-Revert-job-Don-t-mark-as-redundant-if-deps-are-relev.patch:
  upstream commit 097537f07a2fab3cb73aef7bc59f2a66aa93f533 has been
  reverted for now on as it introduced a behavior change which has
  impacted plymouth at least.

------------------------------------------------------------------
------------------ 2020-3-16 - Mar 16 2020 -------------------
------------------------------------------------------------------
++++ gcc7:

- Add gcc7-pr94148.patch to fix corruption of pass private ->aux via DF.
  [gcc#94148]

------------------------------------------------------------------
------------------ 2020-3-13 - Mar 13 2020 -------------------
------------------------------------------------------------------
++++ gcc10:

- Update to master head (3604480a6fe493c51d6ebd53d9b1abeebbbb828f).

++++ systemd:

- add systemd-network-generator.service file together with
  systemd-network-generator binary

++++ pam:

- disable libdb usage and pam_userdb again, as this causes some license
  conflicts.
  (bsc#1166510)

------------------------------------------------------------------
------------------ 2020-3-12 - Mar 12 2020 -------------------
------------------------------------------------------------------
++++ libapparmor:

- update to AppArmor 2.13.4
  - fix log parsing for logs with an embedded newline
  - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_2.13.4
    for the detailed upstream changelog

++++ lvm2-device-mapper:

- fix patch name typo
  - bug-1158628-04-pvmove-correcting-read_ahead-setting.patch
  + bug-1158628_04-pvmove-correcting-read_ahead-setting.patch

++++ libgcrypt:

- Remove check not needed in _gcry_global_constructor [bsc#1164950]
  * Update libgcrypt-Restore-self-tests-from-constructor.patch

------------------------------------------------------------------
------------------ 2020-3-11 - Mar 11 2020 -------------------
------------------------------------------------------------------
++++ python-packaging:

- Update to 20.3
  * Fix a bug that caused a 32-bit OS that runs on a 64-bit ARM CPU
    (e.g. ARM-v8, aarch64), to report the wrong bitness.
- Drop already upstreamed patch issue_254.patch

------------------------------------------------------------------
------------------ 2020-3-10 - Mar 10 2020 -------------------
------------------------------------------------------------------
++++ glibc:

- dl-sort-maps.patch, dlopen-filter-object.patch: Allow dlopen of
  filter object to work (bsc#1166106, BZ #16272)

++++ python3-core:

- Change name of idle3 icons to idle3.png to avoid collision with
  Python 2 version (bsc#1165894).

++++ python3:

- Change name of idle3 icons to idle3.png to avoid collision with
  Python 2 version (bsc#1165894).
++++ python-six:

- Do not cause buildcycle with previous change but rather install the
  egg-info prepared metadata from the tarball

------------------------------------------------------------------
------------------ 2020-3-9 - Mar 9 2020 -------------------
------------------------------------------------------------------
++++ coreutils:

- Update to 8.32:
  * Noteworthy changes in release 8.32 (2020-03-05) [stable]
  ** Bug fixes
     cp now copies /dev/fd/N correctly on platforms like Solaris where
     it is a character-special file whose minor device number is N.
     [bug introduced in fileutils-4.1.6]

     dd conv=fdatasync no longer reports a "Bad file descriptor" error
     when fdatasync is interrupted, and dd now retries interrupted calls
     to close, fdatasync, fstat and fsync instead of incorrectly
     reporting an "Interrupted system call" error.
     [bugs introduced in coreutils-6.0]

     df now correctly parses the /proc/self/mountinfo file for unusual
     entries like ones with '\r' in a field value
     ("mount -t tmpfs tmpfs /foo$'\r'bar"), when the source field is
     empty ('mount -t tmpfs "" /mnt'), and when the filesystem type
     contains characters like a blank which need escaping.
     [bugs introduced in coreutils-8.24 with the introduction of reading
     the /proc/self/mountinfo file]

     factor again outputs immediately when stdout is a tty but stdin is
     not.
     [bug introduced in coreutils-8.24]

     ln works again on old systems without O_DIRECTORY support (like
     Solaris 10), and on systems where symlink ("x", ".") fails with
     errno == EINVAL (like Solaris 10 and Solaris 11).
     [bug introduced in coreutils-8.31]

     rmdir --ignore-fail-on-non-empty now works correctly for
     directories that fail to be removed due to permission issues.
     Previously the exit status was reversed, failing for non empty and
     succeeding for empty directories.
     [bug introduced in coreutils-6.11]

     'shuf -r -n 0 file' no longer mistakenly reads from standard input.
     [bug introduced with the --repeat feature in coreutils-8.22]

     split no longer reports a "output file suffixes exhausted" error
     when the specified number of files is evenly divisible by 10, 16,
     26, for --numeric, --hex, or default alphabetic suffixes
     respectively.
     [bug introduced in coreutils-8.24]

     seq no longer prints an extra line under certain circumstances
     (such as 'seq -f "%g " 1000000 1000000').
     [bug introduced in coreutils-6.10]
  ** Changes in behavior
     Several programs now check that numbers end properly. For example,
     'du -d 1x' now reports an error instead of silently ignoring the
     'x'. Affected programs and options include du -d, expr's numeric
     operands on non-GMP builds, install -g and -o, ls's TABSIZE
     environment variable, mknod b and c, ptx -g and -w, shuf -n, and
     sort --batch-size and --parallel.

     date now parses military time zones in accordance with common
     usage:
       "A" to "M" are equivalent to UTC+1 to UTC+12
       "N" to "Y" are equivalent to UTC-1 to UTC-12
       "Z" is "zulu" time (UTC).
     For example, 'date -d "09:00B"' is now equivalent to 9am in UTC+2
     time zone.
     Previously, military time zones were parsed according to the
     obsolete rfc822, with their value negated (e.g., "B" was equivalent
     to UTC-2).
     [The old behavior was introduced in sh-utils 2.0.15 ca. 1999,
     predating coreutils package.]

     ls issues an error message on a removed directory, on GNU/Linux
     systems. Previously no error and no entries were output, and so
     indistinguishable from an empty directory, with default ls options.

     uniq no longer uses strcoll() to determine string equivalence, and
     so will operate more efficiently and consistently.
  ** New Features
     ls now supports the --time=birth option to display and sort by file
     creation time, where available.

     od --skip-bytes now can use lseek even if the input is not a
     regular file, greatly improving performance in some cases.
     stat(1) supports a new --cached= option, used on systems with
     statx(2) to control cache coherency of file system attributes,
     useful on network file systems.
  ** Improvements
     stat and ls now use the statx() system call where available, which
     can operate more efficiently by only retrieving requested
     attributes.

     stat and tail now know about the "binderfs", "dma-buf-fs", "erofs",
     "ppc-cmm-fs", and "z3fold" file systems.
     stat -f -c%T now reports the file system type, and tail -f uses
     inotify.
  ** Build-related
     gzip-compressed tarballs are distributed once again
- Refresh patches:
  * coreutils-disable_tests.patch
  * coreutils-getaddrinfo.patch
  * coreutils-i18n.patch
  * coreutils-invalid-ids.patch
  * coreutils-remove_hostname_documentation.patch
  * coreutils-remove_kill_documentation.patch
  * coreutils-skip-gnulib-test-tls.patch
  * coreutils-tests-shorten-extreme-factor-tests.patch
- coreutils-i18n.patch:
  * uniq: remove collation handling as required by newer POSIX; see
    - https://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=8e81d44b5
    - https://www.austingroupbugs.net/view.php?id=963
- coreutils-ls-restore-8.31-behavior-on-removed-dirs.patch:
  * Add patch for 'ls' to restore 8.31 behavior on removed directories.
- coreutils.spec:
  * Version: bump version.
  * %check: re-enable regular 'make check' for non-multibuild package.
  * reference the above new patch.
- coreutils.keyring:
  * Update from upstream (Savannah).

++++ gcc10:

- Update embedded newlib to newlib-3.3.0.tar.xz, drop old
  newlib-3.1.0.tar.xz
- Enable support for amdgcn-amdhsa OpenMP/OpenACC offloading.

++++ python-six:

- use setuptools for building to support pip 10.x (bsc#1166139)

------------------------------------------------------------------
------------------ 2020-3-6 - Mar 6 2020 -------------------
------------------------------------------------------------------
++++ gcc10:

- Update to master head (655e5c29ae4080666154b3e10ac81116a1b7a638).
- Re-add gcc9-reproducible-builds.patch and
  gcc9-reproducible-builds-buildid-for-checksum.patch.

------------------------------------------------------------------
------------------ 2020-3-5 - Mar 5 2020 -------------------
------------------------------------------------------------------
++++ glibc:

- ldbl-96-rem-pio2l.patch: Avoid ldbl-96 stack corruption from range
  reduction of pseudo-zero (CVE-2020-10029, bsc#1165784, BZ #25487)

------------------------------------------------------------------
------------------ 2020-3-4 - Mar 4 2020 -------------------
------------------------------------------------------------------
++++ gcc7:

- Add gcc7-pr93888.patch to fix debug information issue with inlined
  functions and passed by reference arguments. [gcc#93888]

++++ openssl-1_1:

- Limit the DRBG selftests to not deplete entropy (bsc#1165274)
  * update openssl-fips_selftest_upstream_drbg.patch

------------------------------------------------------------------
------------------ 2020-3-3 - Mar 3 2020 -------------------
------------------------------------------------------------------
++++ aaa_base:

- Add patch git-16-ed897a1090cafb678f75dbed8802bd671d3c1921.patch
  get_kernel_version: fix for current kernel on s390x (from azouhr)
  (bsc#1151023) (bsc#1139939)
- Add patch git-17-fe967bddbd74af9aba435900878397c0c7ea0b0b.patch
  added "-h"/"--help" to "old" command (from Bernhard Lang)
- Add patch git-18-bb11f02d5dd940803c08d25b0cfd3650d9de7d41.patch
  change feedback url from http://www.suse.de/feedback to
  https://github.com/openSUSE/aaa_base/issues

++++ libselinux:

- Update to version 3.0
  * Ignore the stem when looking up all matches in file context
  * Save digest of all partial matches for directory
  * Use Python distutils to install SELinux python bindings
  * ensure that digest_len is not zero
  * fix string conversion of unknown perms
  * mark all exported function "extern"
  Dropped Use-Python-distutils-to-install-SELinux.patch, included
  upstream

++++ libsemanage:

- Update to version 3.0
  * Add support for DCCP and SCTP protocols
  * include internal header to use the hidden function prototypes
  * mark all exported function "extern"
  * optionally optimize policy on rebuild
  Refreshed suse_path.patch

++++ libsepol:

- Update to version 3.0
  * cil: Allow validatetrans rules to be resolved
  * cil: Report disabling an optional block only at high verbose levels
  * cil: do not dereference perm_value_to_cil when it has not been
    allocated
  * cil: fix mlsconstrain segfault
  * Further improve binary policy optimization
  * Make an unknown permission an error in CIL
  * Remove cil_mem_error_handler() function pointer
  * Use LIBSEPOL_3.0 and fix sepol_policydb_optimize symbol mapping
  * Add a function to optimize kernel policy
  * Add ebitmap_for_each_set_bit macro
  Dropped fnocommon.patch as it's included upstream

------------------------------------------------------------------
------------------ 2020-3-2 - Mar 2 2020 -------------------
------------------------------------------------------------------
++++ gcc10:

- Update to master head (778a77357cad11e8dd4c810544330af0fbe843b1).
  * Includes fix for binutils version parsing [gcc#93965]

++++ permissions:

- run testsuite during package build
- Update to version 20181224:
  * testsuite: adapt expected behavior to legacy branches
  * adjust testsuite to post CVE-2020-8013 link handling
  * testsuite: add option to not mount /proc
  * do not follow symlinks that are the final path element:
    CVE-2020-8013, bsc#1163922
  * add a test for symlinked directories
  * fix relative symlink handling
  * regtest: fix the static PATH list which was missing /usr/bin
  * regtest: also unshare the PID namespace to support /proc mounting
  * Makefile: force remove upon clean target to prevent bogus errors
  * regtest: by default automatically (re)build chkstat before testing
  * regtest: add test for symlink targets
  * regtest: make capability setting tests optional
  * regtest: fix capability assertion helper logic
  * regtests: add another test case that catches set*id or caps in
    world-writable sub-trees
  * regtest: add another test that catches when privilege bits are set
    for special files
  * regtest: add test case for user owned symlinks
  * regtest: employ subuid and subgid feature in user namespace
  * regtest: add another test case that covers unknown user/group config
  * regtest: add another test that checks rejection of insecure
    mixed-owner paths
  * regtest: add test that checks for rejection of world-writable paths
  * regtest: add test for detection of unexpected parent directory
    ownership
  * regtest: add further helper functions, allow access to main instance
  * regtest: introduce some basic coloring support to improve
    readability
  * regtest: sort imports, another piece of rationale
  * regtest: add capability test case
  * regtest: improve error flagging of test cases and introduce warnings
  * regtest: support caps
  * regtest: add a couple of command line parameter test cases
  * regtest: add another test that checks whether the default profile
    works
  * regtests: add tests for correct application of local profiles
  * regtest: add further test cases that test correct profile
    application
  * regtest: simplify test implementation and readability
  * regtest: add helpers for permissions.d per package profiles
  * regtest: support read-only bind mounts, also bind-mount permissions
    repo
  * tests: introduce a regression test suite for chkstat

------------------------------------------------------------------
------------------ 2020-2-28 - Feb 28 2020 -------------------
------------------------------------------------------------------
++++ binutils:

- Remove fix-try_load_plugin.patch as it is part of the updated
  binutils-2.34-branch.diff.gz patch.

++++ gcc7:

- Add gcc7-pr93965.patch in order to fix binutils release date
  detection issue.

++++ openssh:

- Don't recommend xauth to avoid pulling in X.

++++ permissions:

- Update to version 20181224:
  * whitelist WMP (bsc#1161335)
  * Makefile: allow to build test version programmatically
  * chkstat: handle symlinks in final path elements correctly
  * add .gitignore for chkstat binary
  * faxq-helper: correct "secure" permission for trusted group
    (bsc#1157498)
  * fix syntax of paranoid profile

------------------------------------------------------------------
------------------ 2020-2-27 - Feb 27 2020 -------------------
------------------------------------------------------------------
++++ lvm2-device-mapper:

- vgreduce --removemissing with cache devices will remove lvs
  (bsc#1157736)
  + bug-1157736-add-suggestion-message-for-mirror-LVs.patch

------------------------------------------------------------------
------------------ 2020-2-26 - Feb 26 2020 -------------------
------------------------------------------------------------------
++++ binutils:

- Add binutils-pr25593.diff to fix DT_NEEDED order with -flto
  [bsc#1163744]

++++ openssl-1_1:

- Run FIPS DRBG selftests against the crypto/rand DRBG implementation
  (bsc#1164557)
  * add openssl-fips_selftest_upstream_drbg.patch

------------------------------------------------------------------
------------------ 2020-2-25 - Feb 25 2020 -------------------
------------------------------------------------------------------
++++ glibc:

- pthread-rwlock-pwn.patch: Fix rwlock stall with
  PREFER_WRITER_NONRECURSIVE_NP (bsc#1164505, BZ #23861)
- manual-memory-protection.patch: manual: Document mprotect and
  introduce section on memory protection (bsc#1163184)

++++ gcc10:

- Add libstdc++6-pp provides and conflicts to avoid file conflicts with
  same minor version of libstdc++6-pp from gcc9.

++++ libgcrypt:

- FIPS: Run the self-tests from the constructor [bsc#1164950]
  * Add libgcrypt-invoke-global_init-from-constructor.patch

------------------------------------------------------------------
------------------ 2020-2-21 - Feb 21 2020 -------------------
------------------------------------------------------------------
++++ gcc10:

- Disable zstd use for SLES15 and older.

++++ openssl-1_1:

- Use the newly built libcrypto shared library when computing the hmac
  checksums in order to avoid a bootstrapping issue by BuildRequiring
  libopenssl1_1 (bsc#1164102)

++++ pam:

- Add libdb as build-time dependency to enable pam_userdb module.
  Enable pam_userdb.so [jsc#sle-7258, bsc#1164562, pam.spec]

------------------------------------------------------------------
------------------ 2020-2-19 - Feb 19 2020 -------------------
------------------------------------------------------------------
++++ systemd:

- move html documentation to separate package to save space
- move networkd and resolved binaries into correct subpackage

------------------------------------------------------------------
------------------ 2020-2-18 - Feb 18 2020 -------------------
------------------------------------------------------------------
++++ binutils:

- Update fix-try_load_plugin.patch to latest version.
- Add fix-try_load_plugin.patch in order to fix fallback caused by
  backport for PR25355.

++++ gcc10:

- Bump to rfa1160f6e50500aa38162fefb43bfb10c25e0363.
- Bump to r33351ff9faa21c4c1af377d661a52ac0ce366db3.
++++ openssh:

- Add patches to fix the sandbox blocking glibc on 32bit platforms
  (boo#1164061):
  * openssh-8.1p1-seccomp-clock_nanosleep_time64.patch
  * openssh-8.1p1-seccomp-clock_gettime64.patch

++++ system-users:

- Align /var/lib/tss permissions with trousers (boo#1162360).

------------------------------------------------------------------
------------------ 2020-2-17 - Feb 17 2020 -------------------
------------------------------------------------------------------
++++ git:

- git 2.25.1:
  * "git commit" now honors advise.statusHints
  * various updates, bug fixes and documentation updates

------------------------------------------------------------------
------------------ 2020-2-13 - Feb 13 2020 -------------------
------------------------------------------------------------------
++++ openssl-1_1:

- Fix wrong return values of FIPS DSA and ECDH selftests (bsc#1163569)
  * add openssl-fips_fix_selftests_return_value.patch

------------------------------------------------------------------
------------------ 2020-2-12 - Feb 12 2020 -------------------
------------------------------------------------------------------
++++ gcc10:

- Adjust installed headers for arm and aarch64, enable link-mutex for
  riscv64.

++++ openssl-1_1:

- Added SHA3 FIPS self-tests bsc#1155345
  * openssl-fips-add-SHA3-selftest.patch

------------------------------------------------------------------
------------------ 2020-2-11 - Feb 11 2020 -------------------
------------------------------------------------------------------
++++ openssh:

- Add openssh-8.1p1-use-openssl-kdf.patch (jsc#SLE-9443). This performs
  key derivation using OpenSSL's SSHKDF facility, which allows OpenSSH
  to benefit from the former's FIPS certification status.

++++ python-pyparsing:

- update to 2.4.6
  * Fixed typos in White mapping of whitespace characters, to use
    correct "\u" prefix instead of "u".
  * fix bug in left-associative ternary operators defined using
    infixNotation. First reported on StackOverflow by user Jeronimo.
* Backport of pyparsing_test namespace from 3.0.0, including TestParseResultsAsserts mixin class defining unittest-helper methods: . def assertParseResultsEquals( self, result, expected_list=None, expected_dict=None, msg=None) . def assertParseAndCheckList( self, expr, test_string, expected_list, msg=None, verbose=True) . def assertParseAndCheckDict( self, expr, test_string, expected_dict, msg=None, verbose=True) . def assertRunTestResults( self, run_tests_report, expected_parse_results=None, msg=None) . def assertRaisesParseException(self, exc_type=ParseException, msg=None) ------------------------------------------------------------------ ------------------ 2020-2-10 - Feb 10 2020 ------------------- ------------------------------------------------------------------ ++++ gcc10: - Don't remove go tool buildid, needed for bootstrapping go - Increase disk constraint ++++ python-packaging: - add issue_254.patch to fix tests under non-x86_64 platforms ------------------------------------------------------------------ ------------------ 2020-2-8 - Feb 8 2020 ------------------- ------------------------------------------------------------------ ++++ python3-core: - Add CVE-2019-9674-zip-bomb.patch to improve documentation warning about dangers of zip-bombs and other security problems with zipfile library. (bsc#1162825 CVE-2019-9674) - Add CVE-2020-8492-urllib-ReDoS.patch fixing the security bug "Python urrlib allowed an HTTP server to conduct Regular Expression Denial of Service (ReDoS)" (bsc#1162367) - Add Requires: libpython%{so_version} == %{version}-%{release} to python3-base to keep both packages always synchronized (bsc#1162224). ++++ python3: - Add CVE-2019-9674-zip-bomb.patch to improve documentation warning about dangers of zip-bombs and other security problems with zipfile library. 
(bsc#1162825 CVE-2019-9674) - Add CVE-2020-8492-urllib-ReDoS.patch fixing the security bug "Python urrlib allowed an HTTP server to conduct Regular Expression Denial of Service (ReDoS)" (bsc#1162367) - Add Requires: libpython%{so_version} == %{version}-%{release} to python3-base to keep both packages always synchronized (bsc#1162224). ------------------------------------------------------------------ ------------------ 2020-2-7 - Feb 7 2020 ------------------- ------------------------------------------------------------------ ++++ aaa_base: - Add patch git-15-27e2c6180a45cca63d71ffa5de7b32dec749d2cd.patch change rp_filter to 2 to follow the current default (bsc#1160735) ------------------------------------------------------------------ ------------------ 2020-2-6 - Feb 6 2020 ------------------- ------------------------------------------------------------------ ++++ gcc10: - Bump to rc940105cc17111be98d8d42ba48a413b0e63aebe. - Bump libtool version of libgo. ++++ cyrus-sasl: - Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518) * Add 0002-Drop-unused-parameter-from-gssapi_spnego_ssf.patch * Add 0003-Check-return-error-from-gss_wrap_size_limit.patch * Add 0004-Add-support-for-retrieving-the-mech_ssf.patch - Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518) * Add 0001-Fix-GSS-SPNEGO-mechanism-s-incompatible-behavior.patch ++++ systemd: - Import commit f8adabc2b1f3e3ad150e7a3bfa88341eda5a8a57 (merge v244.2) 77c04ce5c2 hwdb: update to v245-rc1 b4eb884824 Fix typo in function name e2d4cb9843 polkit: when authorizing via PK let's re-resolve callback/userdata instead of caching it 83bfc0d8dd sd-bus: introduce API for re-enqueuing incoming messages 5926f9f172 polkit: use structured initialization 0697d0d972 polkit: on async pk requests, re-validate action/details 2589995acd polkit: reuse some common bus message appending code 5b2442d5c3 bus-polkit: rename return error parameter to ret_error 0a19ff7004 shared: split out polkit 
stuff from bus-util.c → bus-polkit.c 1325dfb577 test: adapt to the new capsh format 3538fafb47 meson: update efi path detection to gnu-efi-3.0.11 3034855a5b presets: "disable" all passive targets by default c2e3046819 shared/sysctl-util: normalize repeated slashes or dots to a single value 6f4364046f dhcp6: do not use T1 and T2 longer than one provided by the lease 0ed6cda28d network: fix implicit type conversion warning by GCC-10 f6a5c02d26 bootspec: parse random-seed-mode line in loader.conf ddc5dca8a7 sd-boot: fix typo 2bbbe9ae41 test: Synchronize journal before reading from it 072485d661 sd-bus: fix introspection bug in signal parameter names 80af3cf5e3 efi: fix build. [...] ++++ permissions: - Update to version 20181224: * mariadb: settings for new auth_pam_tool (bsc#1160285) * chkstat: capability handling fixes (bsc#1161779) * chkstat: fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594) * dumpcap: remove 'other' executable bit because of capabilities (boo#1148788, CVE-2019-3687) ------------------------------------------------------------------ ------------------ 2020-2-5 - Feb 5 2020 ------------------- ------------------------------------------------------------------ ++++ gcc10: - Bump to r269e8130b77065452698ab97e5da77d132d00276. ++++ libtirpc: - Backport upstream fix daed7ee ("Avoid multiple-definiton with gcc -fno-common") to fix build error with gcc flag -fno-common (bsc#1160875). Tested on gcc-9 and gcc-10. 0001-Avoid-multiple-definiton-with-gcc-fno-common.patch ++++ perl: - Backport perl-fix2020.patch to make timelocal calls work in the year 2020 [bnc#1102840] [bnc#1160039] new patch: perl-fix2020.patch ++++ permissions: Sync upstream SLE-15-SP1 branch with our SLE-15-SP1:Update package. 
Therefore remove all of the following patches which are now included in the tarball: - 0001-whitelisting-update-virtualbox.patch - 0002-consistency-between-profiles.patch - 0003-var-run-postgresql.patch - 0004-var-cache-man.patch - 0005-singularity-starter-suid.patch - 0006-bsc1110797_amanda.patch - 0007-chkstat-fix-privesc-CVE-2019-3690.patch - 0008-squid-pinger-owner-fix-CVE-2019-3688.patch - 0009-chkstat-handle-missing-proc.patch - 0010-chkstat-capabilities-implicit-changes.patch Because of inconsistencies between the upstream branch and the package state the following previously missing changes are introduced by this update: - Update to version 20181117: * removed old entry for rmtab * Fixed typo in icinga2 whitelist entry ++++ python-packaging: - Update to 20.1 * Fix a bug caused by reuse of an exhausted iterator. * Add type hints * Add proper trove classifiers for PyPy support * Scale back depending on ctypes for manylinux support detection * Use sys.implementation.name where appropriate for packaging.tags * Expand upon the API provided by packaging.tags * Officially support Python 3.8 * Add major, minor, and micro aliases to packaging.version.Version * Properly mark packaging as being fully typed by adding a py.typed file ++++ python-pip: - update to 20.0.2 - add setuptools-45.1.0-py3-none-any.whl for testsuite - drop pytest5.patch * Fix a regression in generation of compatibility tags * Rename an internal module, to avoid ImportErrors due to improper uninstallation * Switch to a dedicated CLI tool for vendoring dependencies. * Remove wheel tag calculation from pip and use packaging.tags. This should provide more tags ordered better than in prior releases. * Deprecate setup.py-based builds that do not generate an .egg-info directory. * The pip>=20 wheel cache is not retro-compatible with previous versions. Until pip 21.0, pip will continue to take advantage of existing legacy cache entries. * Deprecate undocumented --skip-requirements-regex option. 
* Deprecate passing install-location-related options via --install-option. * Use literal "abi3" for wheel tag on CPython 3.x, to align with PEP 384 which only defines it for this platform. * Remove interpreter-specific major version tag e.g. cp3-none-any from consideration. This behavior was not documented strictly, and this tag in particular is not useful. Anyone with a use case can create an issue with pypa/packaging. * Wheel processing no longer permits wheels containing more than one top-level .dist-info directory. * Support for the git+git@ form of VCS requirement is being deprecated and will be removed in pip 21.0. Switch to git+https:// or git+ssh://. git+git:// also works but its use is discouraged as it is insecure. * Default to doing a user install (as if --user was passed) when the main site-packages directory is not writeable and user site-packages are enabled. * Warn if a path in PATH starts with tilde during pip install. * Cache wheels built from Git requirements that are considered immutable, because they point to a commit hash. * Add option --no-python-version-warning to silence warnings related to deprecation of Python versions. * Cache wheels that pip wheel built locally, matching what pip install does. This particularly helps performance in workflows where pip wheel is used for building before installing. Users desiring the original behavior can use pip wheel --no-cache-dir * Display CA information in pip debug. * Show only the filename (instead of full URL), when downloading from PyPI. * Suggest a more robust command to upgrade pip itself to avoid confusion when the current pip command is not available as pip. * Define all old pip console script entrypoints to prevent import issues in stale wrapper scripts. * The build step of pip wheel now builds all wheels to a cache first, then copies them to the wheel directory all at once. Before, it built them to a temporary directory and moved them to the wheel directory one by one. 
* Expand ~ prefix to user directory in path options, configs, and environment variables. Values that may be either URL or path are not currently supported, to avoid ambiguity: - -find-links - -constraint, -c - -requirement, -r - -editable, -e * Correctly handle system site-packages, in virtual environments created with venv (PEP 405). * Fix case sensitive comparison of pip freeze when used with -r option. * Enforce PEP 508 requirement format in pyproject.toml build-system.requires. * Make ensure_dir() also ignore ENOTEMPTY as seen on Windows. * Fix building packages which specify backend-path in pyproject.toml. * Do not attempt to run setup.py clean after a pep517 build error, since a setup.py may not exist in that case. * Fix passwords being visible in the index-url in "Downloading " message. * Change method from shutil.remove to shutil.rmtree in noxfile.py. * Skip running tests which require subversion, when svn isn't installed * Fix not sending client certificates when using --trusted-host. * Make sure pip wheel never outputs pure python wheels with a python implementation tag. Better fix/workaround for #3025 by using a per-implementation wheel cache instead of caching pure python wheels with an implementation tag in their name. * Include subdirectory URL fragments in cache keys. * Fix typo in warning message when any of --build-option, --global-option and --install-option is used in requirements.txt * Fix the logging of cached HTTP response shown as downloading. * Effectively disable the wheel cache when it is not writable, as is the case with the http cache. * Correctly handle relative cache directory provided via --cache-dir. 
------------------------------------------------------------------ ------------------ 2020-2-4 - Feb 4 2020 ------------------- ------------------------------------------------------------------ ++++ cryptsetup: - Update to 2.3.0 (include release notes for 2.2.0) * BITLK (Windows BitLocker compatible) device access * Veritysetup now supports activation with additional PKCS7 signature of root hash through --root-hash-signature option. * Integritysetup now calculates hash integrity size according to algorithm instead of requiring an explicit tag size. * Integritysetup now supports fixed padding for dm-integrity devices. * A lot of fixes to online LUKS2 reencryption. * Add crypt_resume_by_volume_key() function to libcryptsetup. If a user has a volume key available, the LUKS device can be resumed directly using the provided volume key. No keyslot derivation is needed, only the key digest is checked. * Implement active device suspend info. Add CRYPT_ACTIVATE_SUSPENDED bit to crypt_get_active_device() flags that informs the caller that device is suspended (luksSuspend). * Allow --test-passphrase for a detached header. Before this fix, we required a data device specified on the command line even though it was not necessary for the passphrase check. * Allow --key-file option in legacy offline encryption. The option was ignored for LUKS1 encryption initialization. * Export memory safe functions. To make developing of some extensions simpler, we now export functions to handle memory with proper wipe on deallocation. * Fail crypt_keyslot_get_pbkdf for inactive LUKS1 keyslot. * Add optional global serialization lock for memory hard PBKDF. * Abort conversion to LUKS1 with incompatible sector size that is not supported in LUKS1. * Report error (-ENOENT) if no LUKS keyslots are available. User can now distinguish between a wrong passphrase and no keyslot available. * Fix a possible segfault in detached header handling (double free). 
* Add integritysetup support for bitmap mode introduced in Linux kernel 5.2. * The libcryptsetup now keeps all file descriptors to underlying device open during the whole lifetime of crypt device context to avoid excessive scanning in udev (udev run scan on every descriptor close). * The luksDump command now prints more info for reencryption keyslot (when a device is in-reencryption). * New --device-size parameter is supported for LUKS2 reencryption. * New --resume-only parameter is supported for LUKS2 reencryption. * The repair command now tries LUKS2 reencryption recovery if needed. * If reencryption device is a file image, an interactive dialog now asks if reencryption should be run safely in offline mode (if autodetection of active devices failed). * Fix activation through a token where dm-crypt volume key was not set through keyring (but using old device-mapper table parameter mode). * Online reencryption can now retain all keyslots (if all passphrases are provided). Note that keyslot numbers will change in this case. * Allow volume key file to be used if no LUKS2 keyslots are present. * Print a warning if online reencrypt is called over LUKS1 (not supported). * Fix TCRYPT KDF failure in FIPS mode. * Remove FIPS mode restriction for crypt_volume_key_get. * Reduce keyslots area size in luksFormat when the header device is too small. * Make resize action accept --device-size parameter (supports units suffix). ------------------------------------------------------------------ ------------------ 2020-2-3 - Feb 3 2020 ------------------- ------------------------------------------------------------------ ++++ c-ares: - Upgrade to latest snapshot from 2020-01-17 - disable-live-tests.patch: refreshed - regression.patch: fix a regression in DNS results that contain both A and AAAA answers. 
++++ python3-core: - Rename idle icons to idle3 in order to not conflict with python2 variant of the package bsc#1165894 * renamed the icons * renamed icon load in desktop file ++++ systemd: - Use suse.pool.ntp.org server pool on SLE (jsc#SLE-7683) ++++ python3: - Rename idle icons to idle3 in order to not conflict with python2 variant of the package bsc#1165894 * renamed the icons * renamed icon load in desktop file ------------------------------------------------------------------ ------------------ 2020-2-1 - Feb 1 2020 ------------------- ------------------------------------------------------------------ ++++ binutils: - Update to binutils 2.34: * The disassembler (objdump --disassemble) now has an option to generate ascii art that shows the arcs between the start and end points of control flow instructions. * The binutils tools now have support for debuginfod. Debuginfod is a HTTP service for distributing ELF/DWARF debugging information as well as source code. The tools can now connect to debuginfod servers in order to download debug information about the files that they are processing. * The assembler and linker now support the generation of ELF format files for the Z80 architecture. - Rename and get binutils-2.34-branch.diff.gz (boo#1160254). - Rebase add-ulp-section.diff, binutils-revert-plt32-in-branches.diff, cross-avr-size.patch and binutils-skip-rpaths.patch. - Add new subpackages for libctf and libctf-nobfd. - Disable LTO due to boo#1163333. 
- Includes fixes for these CVEs: bnc#1153768 aka CVE-2019-17451 aka PR25070 bnc#1153770 aka CVE-2019-17450 aka PR25078 ------------------------------------------------------------------ ------------------ 2020-1-31 - Jan 31 2020 ------------------- ------------------------------------------------------------------ ++++ libtirpc: - Skip unneeded autogen.sh run (configure is up-to-date), drop dependencies: libtool, autoconf - Replace krb5-mini-devel/krb5-devel with pkgconfig(krb5) ++++ permissions: - fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594, 0009-chkstat-handle-missing-proc.patch) - fix capability handling when doing multiple permission changes at once (bsc#1161779, 0010-chkstat-capabilities-implicit-changes.patch) ++++ system-users: - Add tss user for TPM tools (boo#1162360). ------------------------------------------------------------------ ------------------ 2020-1-30 - Jan 30 2020 ------------------- ------------------------------------------------------------------ ++++ libsepol: - Add fnocommon.patch to prevent build failures on gcc10 and remove_cil_mem_error_handler.patch to prevent build failures due to leftovers from the removal of cil_mem_error_handler (bsc#1160874) ------------------------------------------------------------------ ------------------ 2020-1-29 - Jan 29 2020 ------------------- ------------------------------------------------------------------ ++++ gcc7: - Add gcc48-bsc1161913.patch to fix register allocation issue with exception handling code on s390x. [bsc#1161913] ------------------------------------------------------------------ ------------------ 2020-1-28 - Jan 28 2020 ------------------- ------------------------------------------------------------------ ++++ coreutils: - disable single and testsuite builds in rings/staging - remove duplicate "coreutils" in flavor to make it look nicer in OBS ++++ c-ares: - Add netcfg as the build requirement and runtime requirement. 
ares_getaddrinfo function uses the getservbyport_r function which requires the /etc/services file to function properly. That config file is provided by the netcfg package. Unit tests rely on it too, hence it has to be a build dependency as well. ++++ openssl-1_1: - Support for CPACF enhancements - part 2 (crypto) [jsc#SLE-7403] - Add patches: * openssl-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-and-Ed448.patch * openssl-s390x-fix-x448-and-x448-test-vector-ctime-for-x25519-and-x448.patch ++++ python3-core: - Add pep538_coerce_legacy_c_locale.patch to coerce locale to C.UTF-8 always (bsc#1162423). ++++ python3: - Add pep538_coerce_legacy_c_locale.patch to coerce locale to C.UTF-8 always (bsc#1162423). ------------------------------------------------------------------ ------------------ 2020-1-24 - Jan 24 2020 ------------------- ------------------------------------------------------------------ ++++ openldap2: - bsc#1158921 libldap-data should be requires, not recommends to help prevent user confusion around configuration ownership. 
++++ shadow: - Update to 4.8.1: * selinux: include stdio * man: don't suggest making groupmems user-writeable * Makefile: bail out on error in for loops * Adding logging of SSH_ORIGINAL_COMMAND to nologin * add new HOME_MODE login.defs option * Add tty logging to useradd * Useradd: make non-executable shell check only a warning * Update Dutch translation * user_busy: Do not mistake a regular user process for a namespaced one * Revert "Honor --sbindir and --bindir for binary installation" - Remove shadow-4.8-shell-check.patch: included - Remove shadow-4.8-selinux-include.patch: upstreamed ------------------------------------------------------------------ ------------------ 2020-1-23 - Jan 23 2020 ------------------- ------------------------------------------------------------------ ++++ openssl-1_1: - Temporarily ignore broken OPENSSL_INIT_NO_ATEXIT due to our layered FIPS initialization (bsc#1161789) * openssl-fips-ignore_broken_atexit_test.patch ------------------------------------------------------------------ ------------------ 2020-1-22 - Jan 22 2020 ------------------- ------------------------------------------------------------------ ++++ gcc7: - Add gcc7-pr92692.patch: Backport PR target/92692 to fix miscompilation of some atomic code on aarch64. 
[bsc#1150164] ++++ openssl-1_1: - Import FIPS patches from SLE-15 * openssl-fips-dont_run_FIPS_module_installed.patch * openssl-fips_mode.patch * openssl-ship_fips_standalone_hmac.patch * openssl-fips-clearerror.patch * openssl-fips-selftests_in_nonfips_mode.patch ------------------------------------------------------------------ ------------------ 2020-1-21 - Jan 21 2020 ------------------- ------------------------------------------------------------------ ++++ glibc: - backtrace-powerpc.patch: Fix array overflow in backtrace on PowerPC (CVE-2020-1751, bsc#1158996, BZ #25423) ++++ openssl-1_1: - Don't run FIPS power-up self-tests when the checksum files aren't installed (bsc#1042392) * add openssl-fips-run_selftests_only_when_module_is_complete.patch - Import FIPS patches from Fedora (bsc#1157702, jsc#SLE-9553) * openssl-1.1.1-fips-crng-test.patch * openssl-1.1.1-fips-post-rand.patch * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch * openssl-1.1.1-ssh-kdf.patch replaces openssl-jsc-SLE-8789-backport_KDF.patch - keep EVP_KDF functions at version 1.1.1d for backward compatibility * add openssl-keep_EVP_KDF_functions_version.patch ++++ systemd: - Drop scripts-udev-convert-lib-udev-path.sh Nobody should need it these days. ++++ python-six: - update to 1.14.0 * Add `six.assertNotRegex` * `six.moves._dummy_thread` now points to the `_thread` module on Python 3.9+. Python 3.7 and later requires threading and deprecated the `_dummy_thread` module * Remove support for Python 2.6 and Python 3.2 * `six.wraps` now ignores missing attributes ------------------------------------------------------------------ ------------------ 2020-1-20 - Jan 20 2020 ------------------- ------------------------------------------------------------------ ++++ coreutils: - minor: remove obsolete comment in spec file. 
++++ gcc7: - Add gcc7-pr93246.patch: Backport PR middle-end/93246 ++++ libgcrypt: - ECDSA: Check range of coordinates (bsc#1161216) * add libgcrypt-ECDSA_check_coordinates_range.patch ++++ python-rpm-macros: - Add python-rpm-generators to express setuptools dependency for generator ++++ shadow: - Set 0755 for chpasswd, groupadd, groupdel, groupmod, newusers, useradd, userdel, usermod explicitly. ------------------------------------------------------------------ ------------------ 2020-1-17 - Jan 17 2020 ------------------- ------------------------------------------------------------------ ++++ gcc10: - Bump to r507de5ee23efdc8a16d6b0b6488e118055c711cd. ++++ libgcrypt: - FIPS: libgcrypt DSA PQG parameter generation: Missing value [bsc#1161219] - FIPS: libgcrypt DSA PQG verification incorrect results [bsc#1161215] - FIPS: libgcrypt RSA siggen/keygen: 4k not supported [bsc#1161220] * Add patch from Fedora libgcrypt-1.8.4-fips-keygen.patch - FIPS: keywrap gives incorrect results [bsc#1161218] * Add libgcrypt-AES-KW-fix-in-place-encryption.patch ++++ python-rpm-macros: - Update to version 20200117.8e39013 bsc#1161770: * Add macros related to the Python dist metadata dependency generator ------------------------------------------------------------------ ------------------ 2020-1-16 - Jan 16 2020 ------------------- ------------------------------------------------------------------ ++++ aaa_base: - Add patch git-14-12023f2e8aae5b2ac3a895301945566b9f5eb9c3.patch drop dev.cdrom.autoclose = 0 from sysctl config (bsc#1160970) ++++ shadow: - bsc#1160729: Make valid shell check only a warning * Add shadow-4.8-shell-check.patch ------------------------------------------------------------------ ------------------ 2020-1-14 - Jan 14 2020 ------------------- ------------------------------------------------------------------ ++++ git: - git 2.25.0 * The branch description ("git branch --edit-description") has been used to fill the body of the cover letters by the format-patch 
command; this has been enhanced so that the subject can also be filled. * A few commands learned to take the pathspec from the standard input or a named file, instead of taking it as the command line arguments, with the "--pathspec-from-file" option. * Test updates to prepare for SHA-2 transition continues. * Redo "git name-rev" to avoid recursive calls. * When all files from some subdirectory were renamed to the root directory, the directory rename heuristics would fail to detect that as a rename/merge of the subdirectory to the root directory, which has been corrected. * HTTP transport had possible allocator/deallocator mismatch, which has been corrected. - dropped patch git-skip-test-s390x-aarch64-fail.patch (bsc#1156651) * upstream maintainers have skipped the test themselves ++++ nghttp2: - Update to version 1.40.0 to fix CVE-2019-18802 in envoy-proxy and cilium-proxy (bsc#1166481) * lib: Add nghttp2_check_authority as public API * lib: Fix the bug that stream is closed with wrong error code * lib: Faster huffman encoding and decoding * build: Avoid filename collision of static and dynamic lib * build: Add new flag ENABLE_STATIC_CRT for Windows * build: cmake: Support building nghttpx with systemd * third-party: Update neverbleed to fix memory leak * nghttpx: Fix bug that mruby is incorrectly shared between backends * nghttpx: Reconnect h1 backend if it lost connection before sending headers * nghttpx: Returns 408 if backend timed out before sending headers * nghttpx: Fix request stal ++++ systemd: - Temporarily restore /sbin/{udevd,udevadm} obsolete symlinks They're restored until YaST stop using them (see boo#1160890) - Import commit 8254b8d9646f3e0f5f8057d1ffb5d6c20f079aaa (merge v244.1) 639dc9f4bf network: set ipv6 mtu after link-up or device mtu change cbced49daa man: fix typo in net-naming-scheme man page 7dd04c99b0 network: tc: drop unused element bf4b7d07ba man: fix typos (#14304) 1ba2e7a730 ipv4ll: do not reset conflict counter on restart 49806bb310 
macro: avoid subtraction overflow in ALIGN_POWER2() c4c1600689 test-network: add a test case for SendOption= 6f15b45949 network: fix segfault in parsing SendOption= 2e531b830d seccomp: real syscall numbers are >= 0 f7616ed52b network: fix copy and paste mistake e8b53300c4 network: do not drop foreign config if interface is in initialized state 00f05813bf seccomp: mmap test results depend on kernel/libseccomp/glibc 4de1909e61 seccomp: use per arch shmat_syscall d83010521d seccomp: ensure rules are loaded in seccomp_memory_deny_write_execute 2c6568221a seccomp: fix multiplexed system calls bcf0aa02bf Fix typo (duplicate "or") 96d7083c54 network: if /sys is rw, then udev should be around e874419902 nspawn: do not fail if udev is not running 29c9144655 Create parent directories when creating systemd-private subdirs 9cbb8b5254 network: do not return error but return UINT64_MAX if speed meter is disabled c08429ae33 core: swap priority can be negative f25c0be335 networkctl: fix to show BSSID 65fd2fce59 systemctl: enhance message about kexec missing kernel bdd0af5f81 Fixup typo in NEWS ------------------------------------------------------------------ ------------------ 2020-1-13 - Jan 13 2020 ------------------- ------------------------------------------------------------------ ++++ audit: - Update to version 2.6.5: * Fix segfault on shutdown * Fix hang on startup (#1587995) * Add sleep to script to dump state so file is ready when needed * Add auparse_normalizer support for SOFTWARE_UPDATE event * Mark netlabel events as simple events so that get processed quicker * When audispd is reconfiguring, only SIGHUP plugins with valid pid (#1614833) * Add 30-ospp-v42.rules to meet new Common Criteria requirements * Update lookup tables for the 4.18 kernel * In aureport, fix segfault in file report * Add auparse_normalizer support for labeled networking events * Fix memory leak in audisp-remote plugin when using krb5 transport. 
(#1622194) * Event aging is off by a second * In ausearch/auparse, correct event ordering to process oldest first * auparse_reset was not clearing everything it should * Add support for AUDIT_MAC_CALIPSO_ADD, AUDIT_MAC_CALIPSO_DEL events * In ausearch/report, lightly parse selinux portion of USER_AVC events * In ausearch/report, limit record size when malformed * In auditd, fix extract_type function for network originating events * In auditd, calculate right size and location for network originating events * Treat all network originating events as VER2 so dispatcher doesn't format it * In audisp-remote do an initial connection attempt (#1625156) * In auditd, allow expression of space left as a percentage (#1650670) * On PPC64LE systems, only allow 64 bit rules (#1462178) * Make some parts of auditd state report optional based on config * Fix ausearch when checkpointing a single file (Burn Alting) * Fix scripting in 31-privileged.rules wrt filecap (#1662516) * In ausearch, do not checkpt if stdin is input source * In libev, remove __cold__ attribute for functions to allow proper hardening * Add tests to configure.ac for openldap support * Make systemd support files use /run rather than /var/run (Christian Hesse) * Fix minor memory leak in auditd kerberos credentials code * Fix auditd regression where keep_logs is limited by rotate_logs 2 file test * In ausearch/report fix --end to use midnight time instead of now (#1671338) - Remote zos building is now a configurable option. It should be disabled in audit (and left enabled in audit-secondary). 
++++ libssh: - Update to latest version of patch for CVE-2019-14889; (bsc#1158095) * Update CVE-2019-14889.patch ------------------------------------------------------------------ ------------------ 2020-1-9 - Jan 9 2020 ------------------- ------------------------------------------------------------------ ++++ blog: - Update to version 2.20 * Silence some gcc warnings, also avoid common variable (boo#1160385) * Include for makedev * sort input files (boo#1041090) * libconsole: never return empty list from getconsoles() * libconsole: Really allow to use /dev/console as a fallback in showconsole * libconsole: Add console into the list only when successfully allocated * libconsole: Correctly ignore early consoles - Remove obsolete patch blog-Remove-unused-header.patch ++++ coreutils: - switch to multibuild - add coreutils-single subpackage that contains a single binary coreutils tool similar to busybox - package LC_CTIME directories also in lang package - split off doc package - remove info macros, handled by file trigger nowadays ++++ gcc7: - gcc7-pr92154.patch: Backport PR sanitizer/92154 ++++ glibc: - posix-Add-internal-symbols-for-posix_spawn-interface.patch, glibc-2.29-posix-Use-posix_spawn-on-popen.patch: Use posix_spawn on popen (bsc#1149332, BZ #22834) ++++ e2fsprogs: - e2fsck-abort-if-there-is-a-corrupted-directory-block.patch: e2fsck: abort if there is a corrupted directory block when rehashing (bsc#1160571 CVE-2019-5188) - e2fsck-don-t-try-to-rehash-a-deleted-directory.patch: e2fsck: don't try to rehash a deleted directory (bsc#1160571 CVE-2019-5188) ++++ lvm2-device-mapper: - Update lvm.conf file (bsc#1159238) - enable issue_discards by default ------------------------------------------------------------------ ------------------ 2020-1-7 - Jan 7 2020 ------------------- ------------------------------------------------------------------ ++++ binutils: - Disable LTO during testsuite run ++++ gcc7: - Add gcc7-bsc1160086.patch to fix miscompilation in 
vectorized code for s390x. [bsc#1160086] [gcc#92950] ------------------------------------------------------------------ ------------------ 2020-1-6 - Jan 6 2020 ------------------- ------------------------------------------------------------------ ++++ c-ares: - Switch to cmake-based build. Some packages need the cmake build files. ------------------------------------------------------------------ ------------------ 2020-1-3 - Jan 3 2020 ------------------- ------------------------------------------------------------------ ++++ libtirpc: - Update to libtirpc 1.2.5 - A number resource leaks and other issues were fix which were identified by a Coverity Scan. - The AUTH_DES authentication has been deprecated. If any of those routines are called, they will fail immediately. - numerous bug fixes - Package changes: - Build without AUTH_DES authentication - Add patch from next release 0001-Add-authdes_seccreate-stub.patch (a86b4ff Add authdes_seccreate() stub) - Drop rc patches (libtirpc-1-1-5-rc1.patch, libtirpc-1-1-5-rc2.patch) - Drop patches all patches backported from this release (0001-Makefile.am-Use-LIBADD-instead-of-LDFLAGS-to-link-ag.patch, 0002-man-rpc_secure.3t-Fix-typo-in-manpage.patch, 0003-xdr-add-a-defensive-mask-in-xdr_int64_t-and-xdr_u_in.patch) ------------------------------------------------------------------ ------------------ 2020-1-2 - Jan 2 2020 ------------------- ------------------------------------------------------------------ ++++ python-six: - Pull in dbm/gdbm module from python for testing ------------------------------------------------------------------ ------------------ 2019-12-30 - Dec 30 2019 ------------------- ------------------------------------------------------------------ ++++ nodejs-common: - Bump max supported version to 42 to account for automatically built master branch called nodejs42 ------------------------------------------------------------------ ------------------ 2019-12-23 - Dec 23 2019 ------------------- 
------------------------------------------------------------------ ++++ lvm2-device-mapper: - LVM Metadata Error: Error writing device at 4096 length 512 (bsc#1150021) + bug-1150021_01-scanning-open-devs-rw-when-rescanning-for-write.patch + bug-1150021_02-bcache-add-bcache_abort.patch + bug-1150021_03-label-Use-bcache_abort_fd-to-ensure-blocks-are-no-lo.patch + bug-1150021_04-bcache-add-unit-test.patch + bug-1150021_05-bcache-bcache_invalidate_fd-only-remove-prefixes-on.patch + bug-1150021_06-fix-dev_unset_last_byte-after-write-error.patch - Update patch, according to bug-1150021_01-scanning-xxx.patch + bug-1158861_06-fix-segfault-for-invalid-characters-in-vg-name.patch ++++ p11-kit: - Also build documentation (boo#1013125) ------------------------------------------------------------------ ------------------ 2019-12-20 - Dec 20 2019 ------------------- ------------------------------------------------------------------ ++++ openssl-1_1: - Support for CPACF enhancements - part 1 (crypto) [bsc#1152695, jsc#SLE-7861] - Add patches: * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch * openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch * openssl-s390x-assembly-pack-update-OPENSSL_s390xcap-3.patch * openssl-s390xcpuid.pl-fix-comment.patch * openssl-assembly-pack-accelerate-scalar-multiplication.patch * openssl-Enable-curve-spefific-ECDSA-implementations-via-EC_M.patch * openssl-s390x-assembly-pack-accelerate-ECDSA.patch * openssl-OPENSSL_s390xcap.pod-list-msa9-facility-bit-155.patch * openssl-s390x-assembly-pack-cleanse-only-sensitive-fields.patch * openssl-s390x-assembly-pack-fix-OPENSSL_s390xcap-z15-cpu-mas.patch * openssl-s390x-assembly-pack-fix-msa3-stfle-bit-detection.patch * openssl-Fix-9bf682f-which-broke-nistp224_method.patch ++++ python-six: - update to 0.13.0: - Issue #298, pull request #299: Add `six.moves.dbm_ndbm`. 
- Issue #155: Add `six.moves.collections_abc`, which aliases the `collections` module on Python 2-3.2 and the `collections.abc` on Python 3.3 and greater. - Pull request #304: Re-add distutils fallback in `setup.py`. - Pull request #305: On Python 3.7, `with_metaclass` supports classes using PEP ------------------------------------------------------------------ ------------------ 2019-12-19 - Dec 19 2019 ------------------- ------------------------------------------------------------------ ++++ grep: - Update testsuite expectations, no functional changes (bsc#1155271) ++++ python3-core: - Update to 3.6.10 (still in line with jsc#SLE-9426, jsc#SLE-9427, bsc#1159035): - Security: - bpo-38945: Newline characters have been escaped when performing uu encoding to prevent them from overflowing into the content section of the encoded file. This prevents malicious or accidental modification of data during the decoding process. - bpo-37228: Due to significant security concerns, the reuse_address parameter of asyncio.loop.create_datagram_endpoint() is no longer supported. This is because of the behavior of SO_REUSEADDR in UDP. For more details, see the documentation for loop.create_datagram_endpoint(). (Contributed by Kyle Stanley, Antoine Pitrou, and Yury Selivanov in bpo-37228.) - bpo-38804: Fixes a ReDoS vulnerability in http.cookiejar. Patch by Ben Caller. - bpo-38243: Escape the server title of xmlrpc.server.DocXMLRPCServer when rendering the document page as HTML. (Contributed by Dong-hee Na in bpo-38243.) - bpo-38174: Update vendorized expat library version to 2.2.8, which resolves CVE-2019-15903. - bpo-37461: Fix an infinite loop when parsing specially crafted email headers. Patch by Abhilash Raj. - bpo-34155: Fix parsing of invalid email addresses with more than one @ (e.g. a@b@c.com.) to not return the part before 2nd @ as valid email address. Patch by maxking & jpic. 
- Library: - bpo-38216: Allow the rare code that wants to send invalid http requests from the http.client library a way to do so. The fixes for bpo-30458 led to breakage for some projects that were relying on this ability to test their own behavior in the face of bad requests. - bpo-36564: Fix infinite loop in email header folding logic that would be triggered when an email policy’s max_line_length is not long enough to include the required markup and any values in the message. Patch by Paul Ganssle - Remove patches included in the upstream tarball: - CVE-2019-16935-xmlrpc-doc-server_title.patch (and also bpo37614-race_test_docxmlrpc_srv_setup.patch, which was resolving bsc#1174701). - CVE-2019-16056-email-parse-addr.patch - Move idle subpackage build from python3-base to python3 (bsc#1159622). appstream-glib required for packaging introduces considerable extra dependencies and a build loop via rust/librsvg. - Correct installation of idle IDE icons: + idle.png is not the target directory + non-GNOME-specific icons belong into icons/hicolor - Add required Name key to idle3 desktop file ++++ python3: - Update to 3.6.10 (still in line with jsc#SLE-9426, jsc#SLE-9427, bsc#1159035): - Security: - bpo-38945: Newline characters have been escaped when performing uu encoding to prevent them from overflowing into the content section of the encoded file. This prevents malicious or accidental modification of data during the decoding process. - bpo-37228: Due to significant security concerns, the reuse_address parameter of asyncio.loop.create_datagram_endpoint() is no longer supported. This is because of the behavior of SO_REUSEADDR in UDP. For more details, see the documentation for loop.create_datagram_endpoint(). (Contributed by Kyle Stanley, Antoine Pitrou, and Yury Selivanov in bpo-37228.) - bpo-38804: Fixes a ReDoS vulnerability in http.cookiejar. Patch by Ben Caller. 
- bpo-38243: Escape the server title of xmlrpc.server.DocXMLRPCServer when rendering the document page as HTML. (Contributed by Dong-hee Na in bpo-38243.) - bpo-38174: Update vendorized expat library version to 2.2.8, which resolves CVE-2019-15903. - bpo-37461: Fix an infinite loop when parsing specially crafted email headers. Patch by Abhilash Raj. - bpo-34155: Fix parsing of invalid email addresses with more than one @ (e.g. a@b@c.com.) to not return the part before 2nd @ as valid email address. Patch by maxking & jpic. - Library: - bpo-38216: Allow the rare code that wants to send invalid http requests from the http.client library a way to do so. The fixes for bpo-30458 led to breakage for some projects that were relying on this ability to test their own behavior in the face of bad requests. - bpo-36564: Fix infinite loop in email header folding logic that would be triggered when an email policy’s max_line_length is not long enough to include the required markup and any values in the message. Patch by Paul Ganssle - Remove patches included in the upstream tarball: - CVE-2019-16935-xmlrpc-doc-server_title.patch (and also bpo37614-race_test_docxmlrpc_srv_setup.patch, which was resolving bsc#1174701). - CVE-2019-16056-email-parse-addr.patch - Move idle subpackage build from python3-base to python3 (bsc#1159622). appstream-glib required for packaging introduces considerable extra dependencies and a build loop via rust/librsvg. 
- Correct installation of idle IDE icons: + idle.png is not the target directory + non-GNOME-specific icons belong into icons/hicolor - Add required Name key to idle3 desktop file ------------------------------------------------------------------ ------------------ 2019-12-18 - Dec 18 2019 ------------------- ------------------------------------------------------------------ ++++ openssl-1_1: - Obsolete libopenssl-1_0_0-devel and libopenssl-1_0_0-hmac in order to avoid conflict upon upgrade from SLE-12 (bsc#1158499) ------------------------------------------------------------------ ------------------ 2019-12-17 - Dec 17 2019 ------------------- ------------------------------------------------------------------ ++++ shadow: - Update to 4.8: * Initial optional bcrypt support. * Make build/install of 'su' optional. * Fix for vipw not resuming correctly when suspended * Sync password field descriptions in manpages * Check for valid shell argument in useradd * Allow translation of new strings through POTFILES.in * Migrate to itstool for translations * Migrate to new SELinux api * Support --enable-vendordir * pwck: Only check homedir if set and not a system user * Support nonstandard usernames * sget{pw,gr}ent: check for data at EOL * Add YYY-MM-DD support in chage * Fix failing chmod calls for suidubins * Fix --sbindir and --bindir for binary installations * Fix LASTLOG_UID_MAX in login.defs * Fix configure error with dash - Remove because upstreamed: * libeconf.patch * shadow-usermod-variable.patch - Rebase: * shadow-login_defs-unused-by-pam.patch * chkname-regex.patch * shadow-util-linux.patch * shadow-login_defs-comments.patch - Add shadow-4.8-selinux-include.patch See https://github.com/shadow-maint/shadow/pull/200 ------------------------------------------------------------------ ------------------ 2019-12-12 - Dec 12 2019 ------------------- ------------------------------------------------------------------ ++++ python3-core: - Unify all Python 3.6* SLE packages 
into one (jsc#SLE-9426, jsc#SLE-9427, bsc#1159035) - Patches which were already included upstream: - CVE-2018-1061-DOS-via-regexp-difflib.patch - CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch ++++ python3: - Unify all Python 3.6* SLE packages into one (jsc#SLE-9426, jsc#SLE-9427, bsc#1159035) - Patches which were already included upstream: - CVE-2018-1061-DOS-via-regexp-difflib.patch - CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch ------------------------------------------------------------------ ------------------ 2019-12-11 - Dec 11 2019 ------------------- ------------------------------------------------------------------ ++++ git: - git 2.24.1: * CVE-2019-1348: The --export-marks option of fast-import is exposed also via the in-stream command feature export-marks=... and it allows overwriting arbitrary paths (boo#1158785) * CVE-2019-1349: on Windows, when submodules are cloned recursively, under certain circumstances Git could be fooled into using the same Git directory twice (boo#1158787) * CVE-2019-1350: Incorrect quoting of command-line arguments allowed remote code execution during a recursive clone in conjunction with SSH URLs (boo#1158788) * CVE-2019-1351: on Windows mistakes drive letters outside of the US-English alphabet as relative paths (boo#1158789) * CVE-2019-1352: on Windows was unaware of NTFS Alternate Data Streams (boo#1158790) * CVE-2019-1353: when run in the Windows Subsystem for Linux while accessing a working directory on a regular Windows drive, none of the NTFS protections were active (boo#1158791) * CVE-2019-1354: on Windows refuses to write tracked files with filenames that contain backslashes (boo#1158792) * CVE-2019-1387: Recursive clones vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones (boo#1158793) * CVE-2019-19604: a recursive clone followed by a submodule update could execute code contained within the repository without 
the user explicitly having asked for that (boo#1158795) ++++ glibc: - ppc-tle-htm-nosc.patch: powerpc: Fix syscalls during early process initialization (SLE-8348, BZ #22685) ++++ libgcrypt: - FIPS: RSA/DSA/ECDSA are missing hashing operation [bsc#1155337] * Add libgcrypt-FIPS-RSA-DSA-ECDSA-hashing-operation.patch ++++ systemd: - Manually set system-uid-max and system-gid-max to 499 It used to be detected automatically by meson but it's been broken by the migration of login.defs from /etc to /usr/etc. - Import commit d8f6a204858bff68b8e0e7be86b418c36087ab2e 6c5e492a65 cryptsetup: umount encrypted devices before detaching it during shutdown ------------------------------------------------------------------ ------------------ 2019-12-10 - Dec 10 2019 ------------------- ------------------------------------------------------------------ ++++ lvm2-device-mapper: - backport patches for lvm2 to avoid software abnormal work (bsc#1158861) + bug-1158861_01-config-remove-filter-typo.patch + bug-1158861_02-config-Fix-default-option-which-makes-no-sense.patch + bug-1158861_03-vgchange-don-t-fail-monitor-command-if-vg-is-exporte.patch + bug-1158861_04-fix-duplicate-pv-size-check.patch + bug-1158861_05-hints-fix-copy-of-filter.patch + bug-1158861_06-fix-segfault-for-invalid-characters-in-vg-name.patch + bug-1158861_07-vgck-let-updatemetadata-repair-mismatched-metadata.patch + bug-1158861_08-hints-fix-mem-leaking-buffers.patch + bug-1158861_09-pvcreate-pvremove-fix-reacquiring-global-lock-after.patch - backport upstream patches for passing lvm2 testsuite (bsc#1158628) + bug-1158628_01-tests-replaces-grep-q-usage.patch + bug-1158628_02-tests-fix-ra-checking.patch + bug-1158628_03-tests-simplify-some-var-settings.patch + bug-1158628-04-pvmove-correcting-read_ahead-setting.patch + bug-1158628_05-activation-add-synchronization-point.patch + bug-1158628_06-pvmove-add-missing-synchronization.patch + bug-1158628_07-activation-extend-handling-of-pending_delete.patch + 
bug-1158628_08-lv_manip-add-synchronizations.patch + bug-1158628_09-lvconvert-improve-validation-thin-and-cache-pool-con.patch + bug-1158628_10-thin-activate-layer-pool-aas-read-only-LV.patch + bug-1158628_11-tests-mdadm-stop-in-test-cleanup.patch + bug-1158628_12-test-increase-size-of-raid10-LV-allowing-tests-to-su.patch + bug-1158628_13-lvconvert-fix-return-value-when-zeroing-fails.patch + bug-1158628_14-tests-add-extra-settle.patch + bug-1158628_15-test-Fix-handling-leftovers-from-previous-tests.patch - bug-1043040_test-fix-read-ahead-issues-in-test-scripts.patch ++++ openssl-1_1: - Security fix: [bsc#1158809, CVE-2019-1551] * Overflow bug in the x86_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli - Add openssl-1_1-CVE-2019-1551.patch ------------------------------------------------------------------ ------------------ 2019-12-9 - Dec 9 2019 ------------------- ------------------------------------------------------------------ ++++ glibc: - s390-strstr-page-boundary.patch: S390: Fix handling of needles crossing a page in strstr z15 ifunc-variant (bsc#1157893, BZ #25226) ------------------------------------------------------------------ ------------------ 2019-12-5 - Dec 5 2019 ------------------- ------------------------------------------------------------------ ++++ systemd: - Upgrade to v244 (commit 090da85161ceb1ba0b4c208963c7156a8fdf10c6) See https://github.com/openSUSE/systemd/blob/SUSE/v244/NEWS for details. 
This includes the following bug fixes: - upstream commit b49e14d5f3081dfcd363d8199a14c0924ae9152f (bsc#1139459) - upstream commit 22683674716fd0e5b016ce5a7d8fd90df5f9f9e7 (bsc#1151377) - upstream commit faf205de3ba9a11b0ba17682123d7f3fedc7da24 (bsc#1151377) - upstream commit 27c3112dcbd1b5f171c36c32550d9c6331375b0b (bsc#1155574) - upstream commit 21b40f16622f171a9969dc334d74fb5eb2f575c2 (bsc#1159814) - upstream commit 9b88bb5023dfa3cea406c14fdaa3d8e3e320907a (jsc#SLE-7689) Legacy and obsolete symlinks have been finally dropped. Dropped 0001-logind-keep-backward-compatibility-with-UserTasksMax.patch. Users were notified about the deprecation of UserTasksMax option and how to move to the new mechanism. The dropin replacement for UserTasksMax is therefore no more generated but its use still produces a warning. Added 0001-SUSE-policy-do-not-clean-tmp-by-default.patch and 0001-Fix-run-lock-group-to-follow-openSUSE-policy.patch. These patches were extracted from the git repo because it's not clear where the SUSE tmpfiles specificities should be located. 
------------------------------------------------------------------ ------------------ 2019-12-3 - Dec 3 2019 ------------------- ------------------------------------------------------------------ ++++ libssh: - Fix CVE-2019-14889: arbitrary command execution; (bsc#1158095) * Add CVE-2019-14889.patch ++++ systemd: - Import commit dbb1d4734daffa62e0eddecfa4f784c84a9d8e76 1439d72a72 udevd: don't use monitor after manager_exit() 99288dd778 Revert "udevd: fix crash when workers time out after exit is signal caught" 152577d6d0 udevd: fix crash when workers time out after exit is signal caught f854991504 udevd: wait for workers to finish when exiting (bsc#1106383) Changes from the v243-stable (84 commits): e51d9bf9e5 man: add entry about SpeedMeter= aa1fc791c7 udev: silence warning about PROGRAM+= or IMPORT+= rules b9a619bb67 udevadm: ignore EROFS and return earlier 1ec5b9f80c basic: add vmware hypervisor detection from device-tree 7fa7080248 umount: be happy if /proc/swaps doesn't exist [...] 47d0e23d26 udev: fix memleak caused by wrong cleanup function a6fb0542c5 parse_hwdb: fix compatibility with pyparsing 2.4.* cb1d892f17 parse_hwdb: process files in order ------------------------------------------------------------------ ------------------ 2019-11-29 - Nov 29 2019 ------------------- ------------------------------------------------------------------ ++++ git: - Guard xmlto/sgml-skel BuildRequires by docs bcond. - Fix building with asciidoctor and without DocBook4 stylesheets: * Add 0002-Also-use-DocBook-5-stylesheet-when-generating-HTML-o.patch * Refresh 0001-DOC-Move-to-DocBook-5-when-using-asciidoctor.patch - Spec file cleanup, remove conditionals for obsolete/EOLed distros. - Drop curl (executable) BuildRequires, only required by some skipped tests (skipped as these have an apache2 prerequisite). 
- added patch git-skip-test-s390x-aarch64-fail.patch * workaround for bsc#1156651 ------------------------------------------------------------------ ------------------ 2019-11-28 - Nov 28 2019 ------------------- ------------------------------------------------------------------ ++++ cyrus-sasl: - added backport-patch cyrus-sasl-bug587.patch which fixes off-by-one error in _sasl_add_string function (see CVE-2019-19906 bsc#1159635) ------------------------------------------------------------------ ------------------ 2019-11-27 - Nov 27 2019 ------------------- ------------------------------------------------------------------ ++++ libgcrypt: - Fix tests in FIPS mode: * Fix tests: basic benchmark bench-slope pubkey t-cv25519 t-secmem * Add patch libgcrypt-fix-tests-fipsmode.patch ------------------------------------------------------------------ ------------------ 2019-11-26 - Nov 26 2019 ------------------- ------------------------------------------------------------------ ++++ libgcrypt: - Fix test dsa-rfc6979 in FIPS mode: * Disable tests in elliptic curves with 192 bits which are not recommended in FIPS mode * Add patch libgcrypt-dsa-rfc6979-test-fix.patch ------------------------------------------------------------------ ------------------ 2019-11-21 - Nov 21 2019 ------------------- ------------------------------------------------------------------ ++++ glibc: - prefer-map-32bit-exec.patch: rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126, bsc#1157292, BZ [#25204]) ++++ openssh: - Make sure ssh-keygen runs if SSHD_AUTO_KEYGEN variable is unset or contains an unrecognized value (bsc#1157176). 
------------------------------------------------------------------ ------------------ 2019-11-20 - Nov 20 2019 ------------------- ------------------------------------------------------------------ ++++ aaa_base: - Clear broken ghost entry in patch git-13-14003c19eaa863ae9d80a0ebb9b5cab6273a5a9e.patch which breaks (lib)readline (bsc#1157278) ++++ binutils: - Add binutils-fix-invalid-op-errata.diff to fix various build fails on aarch64 (PR25210, bsc#1157755). ------------------------------------------------------------------ ------------------ 2019-11-19 - Nov 19 2019 ------------------- ------------------------------------------------------------------ ++++ permissions: - fix invalid free() when permfiles points to argv (bsc#1157198, changed 0007-chkstat-fix-privesc-CVE-2019-3690.patch) ------------------------------------------------------------------ ------------------ 2019-11-18 - Nov 18 2019 ------------------- ------------------------------------------------------------------ ++++ binutils: - Add add-ulp-section.diff for user space live patching. ------------------------------------------------------------------ ------------------ 2019-11-16 - Nov 16 2019 ------------------- ------------------------------------------------------------------ ++++ python-pyparsing: - update to version 2.4.5: * Fixed encoding when setup.py reads README.rst to include the project long description when uploading to PyPI. A stray unicode space in README.rst prevented the source install on systems whose default encoding is not 'utf-8'. - changes from version 2.4.4: * Unresolved symbol reference in 2.4.3 release was masked by stdout buffering in unit tests, thanks for the prompt heads-up, Ned Batchelder! - changes from version 2.4.3: * Fixed a bug in ParserElement.__eq__ that would for some parsers create a recursion error at parser definition time. Thanks to Michael Clerx for the assist. 
(Addresses issue #123) * Fixed bug in indentedBlock where a block that ended at the end of the input string could cause pyparsing to loop forever. Raised as part of discussion on StackOverflow with geckos. * Backports from pyparsing 3.0.0: + __diag__.enable_all_warnings() + Fixed bug in PrecededBy which caused infinite recursion, issue [#127] + support for using regex-compiled RE to construct Regex expressions ------------------------------------------------------------------ ------------------ 2019-11-15 - Nov 15 2019 ------------------- ------------------------------------------------------------------ ++++ c-ares: - Fix version number of the snapshot to not be a downgrade: bsc#1156601 ++++ p11-kit: - support loading NSS attribute CKA_NSS_MOZILLA_CA_POLICY so Firefox detects built in certificates (boo#1154871, 0001-Fix-a-typo-in-x-cetrificate-value-see-also-https-bug.patch, 0001-Support-loading-new-NSS-attribute-CKA_NSS_MOZILLA_CA.patch) ------------------------------------------------------------------ ------------------ 2019-11-14 - Nov 14 2019 ------------------- ------------------------------------------------------------------ ++++ gcc7: - Update to GCC 7.5.0 release. - Add gcc7-pr85887.patch to fix miscompilation with thread-safe local static initialization. 
[gcc#85887] ++++ curl: - Fix segfault in zypper ref: [bsc#1156481] * remove_handle: clear expire timers after multi_done() * Add patch curl-expire-clear.patch ------------------------------------------------------------------ ------------------ 2019-11-13 - Nov 13 2019 ------------------- ------------------------------------------------------------------ ++++ glibc: - GNU1815 - Hardware support in toolchain (bsc#1151582) 0001-S390-Add-configure-check-to-detect-z10-as-mininum-ar.patch 0002-S390-Use-hwcap-instead-of-dl_hwcap-in-ifunc-resolver.patch 0003-S390-Unify-31-64bit-memcpy.patch 0004-S390-Refactor-memcpy-mempcpy-ifunc-handling.patch 0005-S390-Remove-s390-specific-implementation-of-bcopy.patch 0006-S390-Use-memcpy-for-forward-cases-in-memmove.patch 0007-S390-Add-configure-check-to-detect-z13-as-mininum-ar.patch 0008-S390-Add-z13-memmove-ifunc-variant.patch 0009-S390-Add-z13-strstr-ifunc-variant.patch 0010-S390-Add-z13-memmem-ifunc-variant.patch 0011-S390-Cleanup-ifunc-resolve.h.patch 0012-S390-Mark-vx-and-vxe-as-important-hwcap.patch 0013-S390-Add-new-hwcap-values-for-new-cpu-architecture-a.patch 0014-S390-Add-configure-check-to-detect-support-for-arch1.patch 0015-S390-Add-arch13-memmove-ifunc-variant.patch 0016-S390-Add-arch13-strstr-ifunc-variant.patch 0017-S390-Add-arch13-memmem-ifunc-variant.patch ++++ libselinux: - Added Use-Python-distutils-to-install-SELinux.patch to use Python's distutils instead of building and installing python bindings manually ------------------------------------------------------------------ ------------------ 2019-11-12 - Nov 12 2019 ------------------- ------------------------------------------------------------------ ++++ libgcrypt: - CMAC AES and TDES FIPS self-tests: * CMAC AES self test missing [bsc#1155339] * CMAC TDES self test missing [bsc#1155338] - Add libgcrypt-CMAC-AES-TDES-selftest.patch ++++ systemd: - Import commit 0b715187a87907e18edf98eab9d0a50fced4a424 9dbdbc2f10 logind: fix (again) the race that might happen 
when logind restores VT (bsc#1101591 bsc#1140081) c848bec110 libblkid: open device in nonblock mode. (bsc#1084671) b70ad6c927 resolved: check for IP in certificate when using DoT with GnuTLS (bsc#1155539 CVE-2018-21029) bbedf3d557 resolved: require at least version 3.6.0 of GnuTLS for DNS-over-TLS eb732c2e29 resolved: fix connection failures with TLS 1.3 and GnuTLS 4e45084ac5 shared/install: failing with -ELOOP can be due to the use of an alias in install_error() 2e297f0d87 shared/install: fix error codes returned by install_context_apply() dd29d70d32 man: alias names can't be used with enable command ++++ libtirpc: - Fix previous version: - actually delete 0001-xdrstdio_create-buffers-do-not-output-encoded-values.patch - use 0001-Makefile.am-Use-LIBADD-instead-of-LDFLAGS-to-link-ag.patch - use 0002-man-rpc_secure.3t-Fix-typo-in-manpage.patch (renamed from 0003-man-rpc_secure.3t-Fix-typo-in-manpage.patch) - use 0003-xdr-add-a-defensive-mask-in-xdr_int64_t-and-xdr_u_in.patch (renamed from 0004-xdr-add-a-defensive-mask-in-xdr_int64_t-and-xdr_u_in.patch) ------------------------------------------------------------------ ------------------ 2019-11-11 - Nov 11 2019 ------------------- ------------------------------------------------------------------ ++++ e2fsprogs: - resize2fs-Make-minimum-size-estimates-more-reliable.patch: resize2fs: Make minimum size estimates more reliable for mounted fs (bsc#1154295) ------------------------------------------------------------------ ------------------ 2019-11-8 - Nov 8 2019 ------------------- ------------------------------------------------------------------ ++++ c-ares: - Update to upstream snapshot 20191108 * getaddrinfo - avoid infinite loop in case of NXDOMAIN * ares_getenv - return NULL in all cases * implement ares_getaddrinfo - onion-crash.patch: removed, upstreamed. 
- removed upstream patches that are part of the snapshot: 0001-Add-initial-implementation-for-ares_getaddrinfo-112.patch 0002-Remaining-queries-counter-fix-additional-unit-tests-.patch 0003-Bugfix-for-ares_getaddrinfo-and-additional-unit-test.patch 0004-Add-ares__sortaddrinfo-to-support-getaddrinfo-sorted.patch 0005-getaddrinfo-avoid-infinite-loop-in-case-of-NXDOMAIN-.patch 0006-getaddrinfo-callback-must-be-called-on-bad-domain-24.patch 0007-getaddrinfo-enhancements-257.patch 0008-Add-missing-limits.h-include-from-ares_getaddrinfo.c.patch 0009-Increase-portability-of-ares-test-mock-ai.cc-235.patch 0010-Disable-failing-test.patch - disable-live-tests.patch - updated ++++ openssh: - Add openssh-8.1p1-seccomp-clock_nanosleep.patch, allow clock_nanosleep glibc master implements multiple functions using that syscall making the privsep sandbox kill the preauth process. ------------------------------------------------------------------ ------------------ 2019-11-5 - Nov 5 2019 ------------------- ------------------------------------------------------------------ ++++ systemd: - Fix %{_libexecdir} misuses of /usr/lib ------------------------------------------------------------------ ------------------ 2019-11-4 - Nov 4 2019 ------------------- ------------------------------------------------------------------ ++++ cpio: - add cpio-2.12-CVE-2019-14866.patch to fix a security issue where cpio does not properly validate the values written in the header of a TAR file through the to_oct() function [bsc#1155199] [CVE-2019-14866] ++++ git: - 0001-DOC-Move-to-DocBook-5-when-using-asciidoctor.patch: Don't remove "-x manpage.xsl" option - BuildRequire docbook5-xsl-stylesheets - git 2.24.0 * The command line parser learned "--end-of-options" notation. * A mechanism to affect the default setting for a (related) group of configuration variables is introduced. 
* "git fetch" learned "--set-upstream" option to help those who first clone from their private fork they intend to push to, add the true upstream via "git remote add" and then "git fetch" from it. * fixes and improvements to UI, workflow and features, bash completion fixes - modified patch 0001-DOC-Move-to-DocBook-5-when-using-asciidoctor.patch * part of it merged upstream * the Makefile attempted to download some documentation, banned ++++ python-rpm-macros: - Update to version 20191104.08e6493: * %pyproject_install macro should include --no-compile. * Recognise the _ for the macro arguments too ------------------------------------------------------------------ ------------------ 2019-10-31 - Oct 31 2019 ------------------- ------------------------------------------------------------------ ++++ systemd: - Drop 0001-compat-rules-escape-when-used-for-shell-expansion.patch It's part of the previous import. - Import commit b7467b7b553d6d0d6f92758d966b69f1a88b6b42 441f44f371 fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495) 8a1bb5c66b swap: do not make swap units wanted by its device unit anymore ------------------------------------------------------------------ ------------------ 2019-10-29 - Oct 29 2019 ------------------- ------------------------------------------------------------------ ++++ systemd: - Import commit 5df9000899ef7d45ddbcacd0fdf73afa07a40f6b f0ed7237e4 udev/cdrom_id: Do not open CD-rom in exclusive mode. 
(bsc#1154256) b37054aa5a compat-rules: escape '$' when used for shell expansion Changes from the v243-stable: ef677436aa test: Pass personality test even when i686 userland runs on x86_64 kernel 3f6398c450 docs: fix inadvertent change in uid range 25bb377a73 cgroup: fix typo in BPF firewall support warning message 6d97aca0d5 fix build with compilers with default stack-protector enabled fbad077cec nspawn: surrender controlling terminal to PID2 when using the PID1 stub 0553c3c668 pid1: fix DefaultTasksMax initialization f406a691a7 src/core/automount: use DirectoryMode when calling mkdir -p 20438f96c3 udevadm trigger: do not propagate EACCES and ENODEV 6480630bc3 hwdb: Correct WWWW Pattern In Documentation Comment 9d8e889810 nspawn: consistenly fail if parsing the environment fails 40e169b304 nspawn: default to unified hierarchy if --as-pid2 is used b5df1037a0 cgroup: Mark memory protections as explicitly set in transient units f14e3e02cc cgroup: Respect DefaultMemoryMin when setting memory.min ea248e53bf cgroup: Check ancestor memory min for unified memory config de1d25a506 cgroup: docs: memory.high doc fixups 2ab45f38d8 cgroup: docs: Mention unbounded protection for memory.{low,min} 19a43dc38a Consider smb3 as remote filesystem 5c0224c7bf Handle d_type == DT_UNKNOWN correctly 8282bc61df util-lib: Don't propagate EACCES from find_binary PATH lookup to caller 9d0ae987a6 network: drop noisy log message f67f0e4ec4 Updated log message when the timesync happens for the first time (#13624) e151bf4674 units: make systemd-binfmt.service easier to work with no autofs 2b8e574d82 Corect man page reference in systemd-nologin.conf comments a0577353f1 man: Add a missing space in machinectl(1) 693e983988 log: Add missing "%" in "%m" log format strings ea7151b8c4 pid1: do not warn if /run/systemd/relabel-extra.d/ doesn't exist b90549290e man: fix typo ++++ zlib: - Update the zlib-no-version-check.patch to be even more forgiving with the versions on the zlib to allow updates without 
rebuilds ------------------------------------------------------------------ ------------------ 2019-10-28 - Oct 28 2019 ------------------- ------------------------------------------------------------------ ++++ nodejs-common: - Remove extra -g from compiler command-line ++++ permissions: - fix /usr/sbin/pinger ownership to root:squid (bsc#1093414, CVE-2019-3688, 0008-squid-pinger-owner-fix-CVE-2019-3688.patch) - fix privilege escalation through untrusted symlinks (bsc#1150734, CVE-2019-3690, 0007-chkstat-fix-privesc-CVE-2019-3690.patch) ------------------------------------------------------------------ ------------------ 2019-10-23 - Oct 23 2019 ------------------- ------------------------------------------------------------------ ++++ c-ares: - Add upstream patches with the ares_getaddrinfo function: * 0001-Add-initial-implementation-for-ares_getaddrinfo-112.patch * 0002-Remaining-queries-counter-fix-additional-unit-tests-.patch * 0003-Bugfix-for-ares_getaddrinfo-and-additional-unit-test.patch * 0004-Add-ares__sortaddrinfo-to-support-getaddrinfo-sorted.patch * 0005-getaddrinfo-avoid-infinite-loop-in-case-of-NXDOMAIN-.patch * 0006-getaddrinfo-callback-must-be-called-on-bad-domain-24.patch * 0007-getaddrinfo-enhancements-257.patch * 0008-Add-missing-limits.h-include-from-ares_getaddrinfo.c.patch * 0009-Increase-portability-of-ares-test-mock-ai.cc-235.patch - Add a patch which disables test failing on OBS (but passing in local environment): * 0010-Disable-failing-test.patch ++++ lvm2-device-mapper: - Fix udev rules issue (bsc#1154655) + bug-1154655_udev-remove-unsupported-OPTIONS-event_timeout-rule.patch ------------------------------------------------------------------ ------------------ 2019-10-22 - Oct 22 2019 ------------------- ------------------------------------------------------------------ ++++ binutils: - Update to binutils 2.33.1: * Adds support for the Arm Scalable Vector Extension version 2 (SVE2) instructions, the Arm Transactional Memory Extension 
(TME) instructions and the Armv8.1-M Mainline and M-profile Vector Extension (MVE) instructions. * Adds support for the Arm Cortex-A76AE, Cortex-A77 and Cortex-M35P processors and the AArch64 Cortex-A34, Cortex-A65, Cortex-A65AE, Cortex-A76AE, and Cortex-A77 processors. * Adds a .float16 directive for both Arm and AArch64 to allow encoding of 16-bit floating point literals. * For MIPS, Add -m[no-]fix-loongson3-llsc option to fix (or not) Loongson3 LLSC Errata. Add a --enable-mips-fix-loongson3-llsc=[yes|no] configure time option to set the default behavior. Set the default if the configure option is not used to "no". * The Cortex-A53 Erratum 843419 workaround now supports a choice of which workaround to use. The option --fix-cortex-a53-843419 now takes an optional argument --fix-cortex-a53-843419[=full|adr|adrp] which can be used to force a particular workaround to be used. See --help for AArch64 for more details. * Add support for GNU_PROPERTY_AARCH64_FEATURE_1_BTI and GNU_PROPERTY_AARCH64_FEATURE_1_PAC in ELF GNU program properties in the AArch64 ELF linker. * Add -z force-bti for AArch64 to enable GNU_PROPERTY_AARCH64_FEATURE_1_BTI on output while warning about missing GNU_PROPERTY_AARCH64_FEATURE_1_BTI on inputs and use PLTs protected with BTI. * Add -z pac-plt for AArch64 to pick PAC enabled PLTs. * Add --source-comment[=] option to objdump which if present, provides a prefix to source code lines displayed in a disassembly. * Add --set-section-alignment = option to objcopy to allow the changing of section alignments. * Add --verilog-data-width option to objcopy for verilog targets to control width of data elements in verilog hex format. * The separate debug info file options of readelf (--debug-dump=links and --debug-dump=follow) and objdump (--dwarf=links and --dwarf=follow-links) will now display and/or follow multiple links if more than one are present in a file. (This usually happens when gcc's -gsplit-dwarf option is used).
In addition objdump's --dwarf=follow-links now also affects its other display options, so that for example, when combined with --syms it will cause the symbol tables in any linked debug info files to also be displayed. In addition when combined with --disassemble the --dwarf=follow-links option will ensure that any symbol tables in the linked files are read and used when disassembling code in the main file. * Add support for dumping types encoded in the Compact Type Format to objdump and readelf. - Includes fixes for these CVEs: bnc#1126826 aka CVE-2019-9077 aka PR1126826 bnc#1126829 aka CVE-2019-9075 aka PR1126829 bnc#1126831 aka CVE-2019-9074 aka PR24235 bnc#1140126 aka CVE-2019-12972 aka PR23405 bnc#1143609 aka CVE-2019-14444 aka PR24829 bnc#1142649 aka CVE-2019-14250 aka PR90924 - Remove patches that are now included in the release: binutils-2.32-branch.diff.gz, binutils-fix-ld-segv.diff, binutils-pr24486.patch, riscv-abi-check.patch, rx-gas-padding-pr24464.patch. - Add binutils-2.33-branch.diff.gz patch. - Rebase binutils-revert-plt32-in-branches.diff and cross-avr-size.patch patch.
++++ file: - Add temporary patch CVE-2019-18218-46a8443f.patch from upstream to fix bsc#1154661 -- heap-based buffer overflow in cdf_read_property_info in cdf.c ++++ python3-core: - Add CVE-2019-16935-xmlrpc-doc-server_title.patch fixing bsc#1153238 (aka CVE-2019-16935) fixing a reflected XSS in python/Lib/DocXMLRPCServer.py ++++ systemd: - Remove intltool BuildRequires, not needed since v237 - Use python3-base BuildRequires instead of full python3 ++++ python3: - Add CVE-2019-16935-xmlrpc-doc-server_title.patch fixing bsc#1153238 (aka CVE-2019-16935) fixing a reflected XSS in python/Lib/DocXMLRPCServer.py ------------------------------------------------------------------ ------------------ 2019-10-21 - Oct 21 2019 ------------------- ------------------------------------------------------------------ ++++ lvm2-device-mapper: - lvm2-pvscan needs process speed improvement on a large scale PVs (jcs#SLE-5498) + jcs-SLE5498_pvscan-allow-use-of-noudevsync-option.patch ++++ systemd: - Add 0001-compat-rules-escape-when-used-for-shell-expansion.patch (bsc#1153648) Added to the quarantine area to avoid uploading a new tar ball just for that single change. It will be dropped during the next import. - don't package locales in -mini package ++++ zlib: - Add SUSE specific patch to fix bsc#1138793, we simply don't want to test if the app was linked with exactly same version of zlib like the one that is present on the runtime: * zlib-no-version-check.patch ------------------------------------------------------------------ ------------------ 2019-10-18 - Oct 18 2019 ------------------- ------------------------------------------------------------------ ++++ python-pip: - Update to version 19.3.1 * Document Python 3.8 support. * Fix bug that prevented installation of PEP 517 packages without setup.py. * Remove undocumented support for un-prefixed URL requirements pointing to SVN repositories. * Remove the deprecated --venv option from pip config.
* Make pip show warn about packages not found. * Abort installation if any archive contains a file which would be placed outside the extraction location. * pip's CLI completion code no longer prints a Traceback if it is interrupted. * Ignore errors copying socket files for local source installs (in Python 3). * Skip copying .tox and .nox directories to temporary build directories * Ignore "require_virtualenv" in pip config ------------------------------------------------------------------ ------------------ 2019-10-17 - Oct 17 2019 ------------------- ------------------------------------------------------------------ ++++ aaa_base: - Add patch git-13-14003c19eaa863ae9d80a0ebb9b5cab6273a5a9e.patch Use official key binding functions in inputrc that is replace up-history with previous-history, down-history with next-history and backward-delete-word with backward-kill-word (bsc#1084934). Add some missed key escape sequences for urxvt-unicode terminal as well (boo#1007715). ++++ cryptsetup: - Create a weak dependency cycle between libcryptsetup and libcryptsetup-hmac to make sure they are installed together (bsc#1090768) ++++ openssh: - Update openssh-7.7p1-audit.patch to fix crash (bsc#1152730). Fix by Enzo Matsumiya (ematsumiya@suse.com). This was integrated in a separate code stream merged with the Oct. 10 update; the patch was also rebased and renamed to openssh-8.1p1-audit.patch. 
------------------------------------------------------------------ ------------------ 2019-10-16 - Oct 16 2019 ------------------- ------------------------------------------------------------------ ++++ aaa_base: - Add patch git-12-80d14205f913cc67a98c562f988ea700a56c369b.patch * service: check if there is a second argument before using it (bsc#1051143) ++++ lz4: - enable testsuite - verbose build ++++ libtirpc: - Updated to libtirpc 1.1.5 rc2 (this includes changes in 1.1.4 release) - add libtirpc-1-1-5-rc1.patch and libtirpc-1-1-5-rc2.patch to reflect upstream changes after 1.1.4 release - remove /etc/bindresvport.blacklist as it's still supported by glibc although it's not compiled with --enable-obsolete-rpc - Drop patches accepted in previous releases or not needed - 000-bindresvport_blacklist.patch (accepted in 5b037cc9, libtirpc 1.1.4) - 001-new-rpcbindsock-path.patch (not needed, rpcbind now uses /var/run directory) - 002-revert-binddynport.patch (fixed in 2802259, libtirpc-1-0-4-rc1) - 0001-Fix-regression-introduced-by-change-rpc-version-orde.patch (backport of 25d38d7, libtirpc-1-0-4-rc1) - 0001-xdrstdio_create-buffers-do-not-output-encoded-values.patch (backport of 145272c, libtirpc-1-0-4-rc2) - Add fixes from upcoming release - 0001-Makefile.am-Use-LIBADD-instead-of-LDFLAGS-to-link-ag.patch - 0003-man-rpc_secure.3t-Fix-typo-in-manpage.patch - 0004-xdr-add-a-defensive-mask-in-xdr_int64_t-and-xdr_u_in.patch ++++ python-pyparsing: - Do not pull in setuptools dependency at all to avoid cycles ------------------------------------------------------------------ ------------------ 2019-10-15 - Oct 15 2019 ------------------- ------------------------------------------------------------------ ++++ binutils: - Add binutils-fix-ld-segv.diff to fix a segfault in ld when building some versions of pacemaker.
[bsc#1154025, bsc#1154016] ++++ lz4: - version update to 1.9.2 * decompression functions were reading a few bytes beyond input size * api: lz4frame initializers compatibility with c++, reported by @degski * cli : added command --list, based on a patch by @gabrielstedman * fixes CVE-2019-17543 [bsc#1153936] ++++ ncurses: - Add patches CVE-2019-17594.patch for bsc#1154036 -- CVE-2019-17594: heap-based buffer over-read in _nc_find_entry function in tinfo/comp_hash.c CVE-2019-17595.patch for bsc#1154037 -- CVE-2019-17595: heap-based buffer over-read in fmt_entry function in tinfo/comp_hash.c ------------------------------------------------------------------ ------------------ 2019-10-14 - Oct 14 2019 ------------------- ------------------------------------------------------------------ ++++ openssh: - Add openssh-7.9p1-keygen-preserve-perms.patch (bsc#1150574). This attempts to preserve the permissions of any existing known_hosts file when modified by ssh-keygen (for instance, with -R). - Added openssh-7.9p1-revert-new-qos-defaults.patch, which reverts an upstream commit that caused compatibility issues with other software (bsc#1136402). - Run 'ssh-keygen -A' on startup only if SSHD_AUTO_KEYGEN="yes" in /etc/sysconfig/ssh. This is set to "yes" by default, but can be changed by the system administrator (bsc#1139089). - Add openssh-7.9p1-keygen-preserve-perms.patch (bsc#1150574). This attempts to preserve the permissions of any existing known_hosts file when modified by ssh-keygen (for instance, with -R). ------------------------------------------------------------------ ------------------ 2019-10-11 - Oct 11 2019 ------------------- ------------------------------------------------------------------ ++++ openssl-1_1: - Fixed EVP_PBE_scrypt() to allow NULL salt values. * Revealed by nodejs12 during bsc#1149572. 
* Modified openssl-jsc-SLE-8789-backport_KDF.patch ------------------------------------------------------------------ ------------------ 2019-10-10 - Oct 10 2019 ------------------- ------------------------------------------------------------------ ++++ aaa_base: - Add patch git-11-b20083a930f766939f47dddc66d089c9fee5d38a.patch * check if variables can be set before modifying them to avoid warnings on login with a restricted shell (bsc#1138869) ++++ openssh: - Version update to 8.1p1: * ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. Certificates signed by RSA keys will therefore be incompatible with OpenSSH versions prior to 7.2 unless the default is overridden (using "ssh-keygen -t ssh-rsa -s ..."). * ssh(1): Allow %n to be expanded in ProxyCommand strings * ssh(1), sshd(8): Allow prepending a list of algorithms to the default set by starting the list with the '^' character, E.g. "HostKeyAlgorithms ^ssh-ed25519" * ssh-keygen(1): add an experimental lightweight signature and verification ability. Signatures may be made using regular ssh keys held on disk or stored in a ssh-agent and verified against an authorized_keys-like list of allowed keys. Signatures embed a namespace that prevents confusion and attacks between different usage domains (e.g. files vs email). * ssh-keygen(1): print key comment when extracting public key from a private key. * ssh-keygen(1): accept the verbose flag when searching for host keys in known hosts (i.e. "ssh-keygen -vF host") to print the matching host's random-art signature too. * All: support PKCS8 as an optional format for storage of private keys to disk. The OpenSSH native key format remains the default, but PKCS8 is a superior format to PEM if interoperability with non-OpenSSH software is required, as it may use a less insecure key derivation function than PEM's. 
- Additional changes from 8.0p1 release: * scp(1): Add "-T" flag to disable client-side filtering of server file list. * sshd(8): Remove support for obsolete "host/port" syntax. * ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in PKCS#11 tokens. * ssh(1), sshd(8): Add experimental quantum-computing resistant key exchange method, based on a combination of Streamlined NTRU Prime 4591^761 and X25519. * ssh-keygen(1): Increase the default RSA key size to 3072 bits, following NIST Special Publication 800-57's guidance for a 128-bit equivalent symmetric security level. * ssh(1): Allow "PKCS11Provider=none" to override later instances of the PKCS11Provider directive in ssh_config, * sshd(8): Add a log message for situations where a connection is dropped for attempting to run a command but a sshd_config ForceCommand=internal-sftp restriction is in effect. * ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". This allows the user to paste a fingerprint obtained out of band at the prompt and have the client do the comparison for you. * ssh-keygen(1): When signing multiple certificates on a single command-line invocation, allow automatically incrementing the certificate serial number. * scp(1), sftp(1): Accept -J option as an alias to ProxyJump on the scp and sftp command-lines. * ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v" command-line flags to increase the verbosity of output; pass verbose flags though to subprocesses, such as ssh-pkcs11-helper started from ssh-agent. * ssh-add(1): Add a "-T" option to allowing testing whether keys in an agent are usable by performing a signature and a verification. * sftp-server(8): Add a "lsetstat@openssh.com" protocol extension that replicates the functionality of the existing SSH2_FXP_SETSTAT operation but does not follow symlinks. * sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request they do not follow symlinks. 
* sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes the connection 4-tuple available to PAM modules that wish to use it in decision-making. * sshd(8): Add a ssh_config "Match final" predicate Matches in same pass as "Match canonical" but doesn't require hostname canonicalisation be enabled. * sftp(1): Support a prefix of '@' to suppress echo of sftp batch commands. * ssh-keygen(1): When printing certificate contents using "ssh-keygen -Lf /path/certificate", include the algorithm that the CA used to sign the cert. - Rebased patches: * openssh-7.7p1-IPv6_X_forwarding.patch * openssh-7.7p1-X_forward_with_disabled_ipv6.patch * openssh-7.7p1-cavstest-ctr.patch * openssh-7.7p1-cavstest-kdf.patch * openssh-7.7p1-disable_openssl_abi_check.patch * openssh-7.7p1-fips.patch * openssh-7.7p1-fips_checks.patch * openssh-7.7p1-hostname_changes_when_forwarding_X.patch * openssh-7.7p1-ldap.patch * openssh-7.7p1-seed-prng.patch * openssh-7.7p1-sftp_force_permissions.patch * openssh-7.7p1-sftp_print_diagnostic_messages.patch * openssh-8.0p1-gssapi-keyex.patch (formerly openssh-7.7p1-gssapi_key_exchange.patch) * openssh-8.1p1-audit.patch (formerly openssh-7.7p1-audit.patch) - Removed patches (integrated upstream): * 0001-upstream-Fix-two-race-conditions-in-sshd-relating-to.patch * openssh-7.7p1-seccomp_ioctl_s390_EP11.patch * openssh-7.9p1-CVE-2018-20685.patch * openssh-7.9p1-brace-expansion.patch * openssh-CVE-2019-6109-force-progressmeter-update.patch * openssh-CVE-2019-6109-sanitize-scp-filenames.patch * openssh-CVE-2019-6111-scp-client-wildcard.patch - Removed patches (obsolete): * openssh-openssl-1_0_0-compatibility.patch ------------------------------------------------------------------ ------------------ 2019-10-9 - Oct 9 2019 ------------------- ------------------------------------------------------------------ ++++ aaa_base: - Add patch git-08-9875dffab3ddda0c3e8399f935f059246c961f2a.patch * Add s390x compressed kernel support (bsc#1151023) - Add 
git-09-c6cd010dd8b6efddd71c30f00a923d8f2537584c.patch * Fix LC_NAME and LC_ADDRESS in sh.ssh - Add patch git-10-43091e644ff54997468a215b891dcaa75173f133.patch * fix string test to arithmetic test in /etc/profile.d/wsl.sh ------------------------------------------------------------------ ------------------ 2019-10-8 - Oct 8 2019 ------------------- ------------------------------------------------------------------ ++++ util-linux: - libeconf.patch: fix a long int error on 32bit ++++ python-packaging: - Update to 19.2: * Many buildsystem tweaks to accommodate for distribution shipping - Remove all the merged patches: * 0001-Fix-test-failures-test_linux_platforms_manylinux-for.patch * 0002-Fix-check-for-64-bit-OS.patch * 0003-Add-additional-test-to-get-100-branch-coverage.patch * 0004-Fix-test_macos_version_detection-failure-on-32-bit-L.patch * 0005-Drop-dependency-on-attrs.patch ------------------------------------------------------------------ ------------------ 2019-10-7 - Oct 7 2019 ------------------- ------------------------------------------------------------------ ++++ git: - Complete (but maybe a bit too generous) fix of bsc#1112230 ++++ shadow: - libeconf.patch: Add support for libeconf and /usr/etc for login.defs. - Move first configuration files and pam config files to /usr/etc ------------------------------------------------------------------ ------------------ 2019-10-5 - Oct 5 2019 ------------------- ------------------------------------------------------------------ ++++ icu: - Update to release 65.1 (jsc#SLE-11118). * Updated to CLDR 36 locale data with many additions and corrections, and some new measurement units. * The Java LocaleMatcher API is improved, and ported to C++.
- Drop 075cefb2e21f57f4cac1bc2868e93dd1b8c077cc.patch (merged) ------------------------------------------------------------------ ------------------ 2019-10-4 - Oct 4 2019 ------------------- ------------------------------------------------------------------ ++++ systemd: - Import commit 428b937f917ae177f2315e8469800941885e441a 0026b58744 pid1: fix DefaultTasksMax initialization ------------------------------------------------------------------ ------------------ 2019-10-3 - Oct 3 2019 ------------------- ------------------------------------------------------------------ ++++ git: - These patches have been merged upstream a long time ago, no longer needed: * 0001-submodule-helper-use-to-signal-end-of-clone-options.patch * 0002-submodule-config-ban-submodule-urls-that-start-with-.patch * 0003-submodule-config-ban-submodule-paths-that-start-with.patch * git-mark-path-lookup-errors.patch ------------------------------------------------------------------ ------------------ 2019-10-2 - Oct 2 2019 ------------------- ------------------------------------------------------------------ ++++ binutils: - Add avr, epiphany and rx to target_list so that the common binutils can handle all objects we can create with crosses. [bsc#1152590] ++++ gcc7: - Add gcc7-bsc1146475.patch to fix debug info created for array definitions that complete an earlier declaration. 
[bsc#1146475] ++++ lvm2-device-mapper: - Fix LV activation issues (boo#1152378, rh#1727270) + bug-1152378-md-component-detection-for-differing-PV-and-device-s.patch + bug-1152378-pvscan-fix-PV-online-when-device-has-a-different-siz.patch ------------------------------------------------------------------ ------------------ 2019-10-1 - Oct 1 2019 ------------------- ------------------------------------------------------------------ ++++ util-linux: - libeconf.patch: Add support for libeconf - Move /etc/pam.d/* to /usr/etc/pam.d - Remove migration code for su from coreutils to util-linux, not needed anymore ++++ gmp: - Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518) - Run spec-cleaner on the spec ------------------------------------------------------------------ ------------------ 2019-9-30 - Sep 30 2019 ------------------- ------------------------------------------------------------------ ++++ e2fsprogs: - libsupport-add-checks-to-prevent-buffer-overrun-bugs.patch: add checks to prevent buffer overrun bugs in quota code (bsc#1152101, CVE-2019-5094) ++++ systemd: - Import commit ed81f69153488279957268e247a5c81b678da491 (changes from v243-stable) fab6f010ac dhcp6: use unaligned_read_be32() f2d9af4322 dhcp6: add missing option length check ccf797511e ndisc: make first solicit delayed randomly f2275b6e12 dhcp6: read OPTION_INFORMATION_REFRESH_TIME option 6dfbe58ee7 l10n: update Czech Translation d4cd0e9d32 sd-radv: if lifetime < SD_RADV_DEFAULT_MAX_TIMEOUT_USEC, adjust timeout (#13491) dbefe59259 polkit: fix typo a321507476 sd-netlink: fix invalid assertion 45dca7fe86 network: do not enter failed state if device's sysfs entry does not exist yet dd83d58796 network: add missing link->network checks b294305888 path: stop watching path specs once we triggered the target unit 2cd636c437 hwdb: add Medion Akoya E2292 (#13498) d133bdd1fa po: update Brazilian Portuguese translation 530e09b594 po: update 
Polish translation 0c5c3e34c1 polkit: change "revert settings" to "reset settings" 73e0f372d8 man: fix description of ARPIntervalSec= units 5412cc54a1 hwdb: axis override for Dell 9360 touchpad 9d4e658529 test: drop the missed || exit 1 expression 7ed7ea82f6 udevadm: use usec_add() 477bf86c91 udevadm: missing initialization of descriptor 19ac31c989 networkd: unbreak routing_policy_rule_compare_func() a20a2157a8 core: coldplug possible nop_job eb55241742 tty-ask-pwd-agent: fix message forwarded to wall(1) 1a3c53c06c core: Fix setting StatusUnitFormat from config files 91db81e4dd network DHCP4: Dont mislead the logs. 6af590838b Update m4 for selective utmp support. modified: tmpfiles.d/systemd.conf.m4 6823c907cf core: restore initialization of u->source_mtime 29308bcc13 mount-setup: relabel items mentioned directly in relabel-extra.d 8ca1e56165 Call getgroups() to know size of supplementary groups array to allocate 5d84a7ad1c test: add test cases for empty string match 1536348cc8 udev: fix multi match 3ccafef0ad man: move TimeoutCleanSec= entry from .service to .exec 8c0c30a820 zsh: udpate bootctl completions 0556c247a2 resolved: fix abort when recv() returns 0 9a25d75520 man: remove repeated words be3be29347 hwdb: Also mark lis3lv02d sensors in "HP" laptops as being in the base 4b92ffccaa udev: also logs file permission 75a2845e5a udev: add missing flag for OPTIONS=static_node 19e9fc4262 network: do not abort execution when a config file cannot be loaded 3e1267cf50 fileio: update warning message 1b3156edd2 pstore: fix use after free f500d2fa81 journal: Make the output of --update-catalog deterministic 64d0f7042d travis: protect the systemd organization on Fuzzit from forks 4247938ee1 hwdb: Mark lis3lv02d sensors in HP laptops as being in the base 379158684a po: update Japanese translation 31e1bbd1ca docs: fix push recipe in RELEASE.md f06530d86b man/systemctl.xml: fix missing "not" 22aba2b969 docs: fix typo in boot loader doc 000e08ca70 pstore: fix typo in error 
message - directoy -> directory f7f9c69ac5 Fix typo in comment: overide -> override ca8ba8f8c0 po: update Polish translation ------------------------------------------------------------------ ------------------ 2019-9-26 - Sep 26 2019 ------------------- ------------------------------------------------------------------ ++++ permissions: - Updated permissions for amanda, added 0006-bsc1110797_amanda.patch (bsc#1110797) ------------------------------------------------------------------ ------------------ 2019-9-23 - Sep 23 2019 ------------------- ------------------------------------------------------------------ ++++ systemd: - Some files related to the portable stuff were missing some %exclude ------------------------------------------------------------------ ------------------ 2019-9-19 - Sep 19 2019 ------------------- ------------------------------------------------------------------ ++++ coreutils: - Do not recommend lang package. The lang package already has a supplements. ++++ kbd: - Allow YaST to select Iranian (Persian, Farsi) keyboard layout (bsc#1092920) ++++ util-linux: - Do not recommend lang package. The lang package already has a supplements. ++++ python3-core: - Add bpo-36576-skip_tests_for_OpenSSL-111.patch (originally from bpo#36576) skipping tests failing with OpenSSL 1.1.1. Fixes bsc#1149792 - Add bpo36263-Fix_hashlib_scrypt.patch which works around bsc#1151490 ++++ systemd: - Allow YaST to select Iranian (Persian, Farsi) keyboard layout (bsc#1092920) ++++ python3: - Add bpo-36576-skip_tests_for_OpenSSL-111.patch (originally from bpo#36576) skipping tests failing with OpenSSL 1.1.1.
Fixes bsc#1149792 - Add bpo36263-Fix_hashlib_scrypt.patch which works around bsc#1151490 ------------------------------------------------------------------ ------------------ 2019-9-18 - Sep 18 2019 ------------------- ------------------------------------------------------------------ ++++ systemd: - split off networkd and resolved into separate network subpackage - use separate lang package for translations - Import commit 9e41d7ec3572d8d5ea1e00f683e9fbf8108e85b4 fb1b9d54f9 tty-ask-pwd-agent: fix message forwarded to wall(1) dd14da3bb6 core: restore initialization of u->source_mtime d62f30f647 resolved: create /etc/resolv.conf symlink at runtime - Slightly rework (mostly reorganization) the portable stuff ++++ linux-glibc-devel: - Update to kernel headers 5.3 - Make it arch dependent due to difference in installed headers ++++ sysvinit: - Update to sysvinit 2.96 * Added -z command line parameter to pidof which tells pidof to try to find processes in uninterruptible (D) or zombie (Z) states. This can cause pidof to hang, but produces a more complete process list. * Reformatted init code to make if/while logic more clear. * Make sure src/Makefile cleans up all executable files when parent Makefile calls "make clean".
------------------------------------------------------------------ ------------------ 2019-9-16 - Sep 16 2019 ------------------- ------------------------------------------------------------------ ++++ python3-core: - Add CVE-2019-16056-email-parse-addr.patch fixing the email module wrongly parsing email addresses [bsc#1149955, bnc#1149955, CVE-2019-16056] ++++ python3: - Add CVE-2019-16056-email-parse-addr.patch fixing the email module wrongly parsing email addresses [bsc#1149955, bnc#1149955, CVE-2019-16056] ------------------------------------------------------------------ ------------------ 2019-9-12 - Sep 12 2019 ------------------- ------------------------------------------------------------------ ++++ openslp: - Add missing zlib build dependency, which used to be pulled in by libopenssl-devel. The package fails to build since the openssl upgrade to 1.1.1 (bsc#1149792) ++++ openssl: - Update to 1.1.1d release ++++ timezone: - timezone update 2019c (bsc#1150451) * Fiji observes DST from 2019-11-10 to 2020-01-12. * Norfolk Island starts observing Australian-style DST.
------------------------------------------------------------------ ------------------ 2019-9-11 - Sep 11 2019 ------------------- ------------------------------------------------------------------ ++++ curl: - Update to 7.66.0 [bsc#1149496, CVE-2019-5482][bsc#1149495, CVE-2019-5481] [bsc#1149604, bsc#1149572, jsc#SLE-9295] * Changes: - CURLINFO_RETRY_AFTER: parse the Retry-After header value - HTTP3: initial (experimental still not working) support - curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool - curl: support parallel transfers with -Z - curl_multi_poll: a sister to curl_multi_wait() that waits more - sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID * Bugfixes: - CVE-2019-5481: FTP-KRB double-free - CVE-2019-5482: TFTP small blocksize heap buffer overflow - CMake: remove needless newlines at end of gss variables - CMake: use platform dependent name for dlopen() library - CURLINFO docs: mention that in redirects times are added - CURLOPT_ALTSVC.3: use a "" file name to not load from a file - CURLOPT_ALTSVC_CTRL.3: remove CURLALTSVC_ALTUSED - CURLOPT_HEADERFUNCTION.3: clarify - CURLOPT_HTTP_VERSION: seting this to 3 forces HTTP/3 use directly - CURLOPT_READFUNCTION.3: provide inline example - CURLOPT_SSL_VERIFYHOST: treat the value 1 as 2 - Curl_addr2string: take an addrlen argument too - Curl_fillreadbuffer: avoid double-free trailer buf on error - HTTP: use chunked Transfer-Encoding for HTTP_POST if size unknown - alt-svc: add protocol version selection masking - alt-svc: fix removal of expired cache entry - alt-svc: make it use h3-22 with ngtcp2 as well - alt-svc: more liberal ALPN name parsing - alt-svc: send Alt-Used: in redirected requests - alt-svc: with quiche, use the quiche h3 alpn string - asyn-thread: create a socketpair to wait on - cleanup: move functions out of url.c and make them static - cleanup: remove the 'numsocks' argument used in many places - configure: avoid undefined check_for_ca_bundle - 
curl.h: add CURL_HTTP_VERSION_3 to the version enum - curl: cap the maximum allowed values for retry time arguments - curl: handle a libcurl build without netrc support - curl: make use of CURLINFO_RETRY_AFTER when retrying - curl: use CURLINFO_PROTOCOL to check for HTTP(s) - curl_global_init_mem.3: mention it was added in 7.12.0 - curl_version: bump string buffer size to 250 - curl_version_info.3: mentioned ALTSVC and HTTP3 - curl_version_info: offer quic (and h3) library info - curl_version_info: provide nghttp2 details - defines: avoid underscore-prefixed defines - docs/ALTSVC: remove what works and the experimental explanation - docs/EXPERIMENTAL: explain what it means and what's experimental now - docs/MANUAL.md: converted to markdown from plain text - docs/examples/curlx: fix errors - docs: s/curl_debug/curl_dbg_debug in comments and docs - easy: resize receive buffer on easy handle reset - examples: Avoid reserved names in hiperfifo examples - examples: add http3.c, altsvc.c and http3-present.c - http09: disable HTTP/0.9 by default in both tool and library - http2: when marked for closure and wanted to close == OK - http2_recv: trigger another read when the last data is returned - http: fix use of credentials from URL when using HTTP proxy - http_negotiate: improve handling of gss_init_sec_context() failures - md4: Use our own MD4 when no crypto libraries are available - multi: call detach_connection before Curl_disconnect - nss: use TLSv1.3 as default if supported - openssl: build warning free with boringssl - openssl: use SSL_CTX_set__proto_version() when available - plan9: add support for running on Plan 9 - progress: reset download/uploaded counter between transfers - readwrite_data: repair setting the TIMER_STARTTRANSFER stamp - scp: fix directory name length used in memcpy - smb: init *msg to NULL in smb_send_and_recv() - smtp: check for and bail out on too short EHLO response - source: remove names from source comments - spnego_sspi: add typecast to 
fix build warning - src/makefile: fix uncompressed hugehelp.c generation - ssh-libssh: do not specify O_APPEND when not in append mode - ssh: move code into vssh for SSH backends - sspi: fix memory leaks - tests: Replace outdated test case numbering documentation - tftp: return error when packet is too small for options - timediff: make it 64 bit (if possible) even with 32 bit time_t - travis: reduce number of torture tests in 'coverage' - url: make use of new HTTP version if alt-svc has one - urlapi: verify the IPv6 numerical address - urldata: avoid 'generic', use dedicated pointers - vauth: Use CURLE_AUTH_ERROR for auth function errors * Removed patches: - curl-CVE-2018-0500.patch - curl-CVE-2018-14618.patch - curl-CVE-2018-16839.patch - curl-CVE-2018-16840.patch - curl-CVE-2018-16842.patch - curl-CVE-2018-16890.patch - curl-CVE-2019-3822.patch - curl-CVE-2019-3823.patch - curl-CVE-2019-5436.patch - curl-CVE-2019-5481.patch - curl-CVE-2019-5482.patch ++++ openssl-1_1: - Update to 1.1.1d (bsc#1133925, jsc#SLE-6430) * Fixed a fork protection issue. OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. (bsc#1150247, CVE-2019-1549) * Compute ECC cofactors if not provided during EC_GROUP construction. Before this change, EC_GROUP_set_generator would accept order and/or cofactor as NULL. After this change, only the cofactor parameter can be NULL. (bsc#1150003, CVE-2019-1547) * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey. (bsc#1150250, CVE-2019-1563) * For built-in EC curves, ensure an EC_GROUP built from the curve name is used even when parsing explicit parameters, when loading a serialized key or calling EC_GROUP_new_from_ecpkparameters()/EC_GROUP_new_from_ecparameters(). 
* Early start up entropy quality from the DEVRANDOM seed source has been improved for older Linux systems. * Changed DH_check to accept parameters with order q and 2q subgroups. With order 2q subgroups the bit 0 of the private key is not secret but DH_generate_key works around that by clearing bit 0 of the private key for those. This avoids leaking bit 0 of the private key. * Significantly reduce secure memory usage by the randomness pools. * Revert the DEVRANDOM_WAIT feature for Linux systems - drop 0001-build_SYS_str_reasons-Fix-a-crash-caused-by-overlong.patch (upstream) - refresh patches * openssl-1.1.0-no-html.patch * openssl-jsc-SLE-8789-backport_KDF.patch ------------------------------------------------------------------ ------------------ 2019-9-10 - Sep 10 2019 ------------------- ------------------------------------------------------------------ ++++ sqlite3: - bsc#1150137, CVE-2019-16168, sqlite3-CVE-2019-16168.patch: Improper validation of sqlite_stat1 sz field leads to division by zero. ------------------------------------------------------------------ ------------------ 2019-9-9 - Sep 9 2019 ------------------- ------------------------------------------------------------------ ++++ binutils: - Update to current 2.32 branch @7b468db3 adding binutils-2.32-branch.diff.gz [jsc#ECO-368]. 
- Includes fixes for these CVEs: bsc#1109412 aka CVE-2018-17358 aka PR23686 bsc#1109413 aka CVE-2018-17359 aka PR23686 bsc#1109414 aka CVE-2018-17360 aka PR23685 bsc#1111996 aka CVE-2018-18309 aka PR23770 bsc#1112534 aka CVE-2018-18484 aka GCC PR87636 bsc#1112535 aka CVE-2018-18483 aka PR23767 bsc#1113247 aka CVE-2018-18607 aka PR23805 bsc#1113252 aka CVE-2018-18606 aka PR23806 bsc#1113255 aka CVE-2018-18605 aka PR23804 bsc#1116827 aka CVE-2018-17985 aka GCC PR87335 bsc#1118830 aka CVE-2018-19932 aka PR23932 bsc#1118831 aka CVE-2018-19931 aka PR23942 bsc#1120640 aka CVE-2018-1000876 aka PR23994 bsc#1121034 aka CVE-2018-20651 aka PR24041 bsc#1121035 aka CVE-2018-20623 aka PR24049 bsc#1121056 aka CVE-2018-20671 aka PR24005 bsc#1142772 aka CVE-2019-1010180 aka PR23657 - Refresh s390-biarch.diff and binutils-revert-plt32-in-branches.diff . - For the SLE12 package this also removes patches binutils-z13-1.diff, binutils-z13-2.diff, binutils-z13-3.diff, binutils-z13-4.diff and binutils-z13-5.diff . ++++ gcc7: - Rework shared spec file parts to allow custom Summary and Description for cross compilers. Clarify their Summary and Description. [bsc#1148517] - Reorder things in cross.spec.in so the Version define comes before the first use of %version. ++++ lvm2-device-mapper: - Update lvm2.spec: make baselibs.conf to a common source. - Avoid creation of mixed-blocksize PV on LVM volume groups (bsc#1149408) + bug-1149408_Fix-rounding-writes-up-to-sector-size.patch + bug-1149408_vgcreate-vgextend-restrict-PVs-with-mixed-block-size.patch - Update lvm.conf files - add devices/allow_mixed_block_sizes item ++++ openssl-1_1: - To avoid separate certification of openssh server / client move the SSH KDF (Key Derivation Function) into openssl. 
* jsc#SLE-8789 * Sourced from commit 8d76481b189b7195ef932e0fb8f0e23ab0120771#diff-a9562bc75317360a2e6b8b0748956e34 in openssl master (introduce the SSH KDF) and commit 5a285addbf39f91d567f95f04b2b41764127950d in openssl master (backport EVP/KDF API framework) * added openssl-jsc-SLE-8789-backport_KDF.patch ++++ python3-core: - jsc#PM-1350 bsc#1149121 Update python3 to the last version of the 3.6 line. This is just a bugfix release with no changes in functionality. - The following patches were included in the upstream release, so they can be removed in the package: - CVE-2018-20852-cookie-domain-check.patch - CVE-2019-5010-null-defer-x509-cert-DOS.patch - CVE-2019-10160-netloc-port-regression.patch - CVE-2019-9636-urlsplit-NFKC-norm.patch - CVE-2019-9947-no-ctrl-char-http.patch - Patch bpo23395-PyErr_SetInterrupt-signal.patch has been reapplied on the upstream base without changing any functionality. - Add patch aarch64-prolong-timeout.patch to fix failing test_utime_current_old test. ++++ python3: - jsc#PM-1350 bsc#1149121 Update python3 to the last version of the 3.6 line. This is just a bugfix release with no changes in functionality. - The following patches were included in the upstream release, so they can be removed in the package: - CVE-2018-20852-cookie-domain-check.patch - CVE-2019-5010-null-defer-x509-cert-DOS.patch - CVE-2019-10160-netloc-port-regression.patch - CVE-2019-9636-urlsplit-NFKC-norm.patch - CVE-2019-9947-no-ctrl-char-http.patch - Patch bpo23395-PyErr_SetInterrupt-signal.patch has been reapplied on the upstream base without changing any functionality. - Add patch aarch64-prolong-timeout.patch to fix failing test_utime_current_old test. 
------------------------------------------------------------------ ------------------ 2019-9-6 - Sep 6 2019 ------------------- ------------------------------------------------------------------ ++++ systemd: - Track 0001-resolved-create-etc-resolv.conf-symlink-at-runtime.patch in the git repo This patch has been in the quarantine area long enough, so let's move it in the git repo. ------------------------------------------------------------------ ------------------ 2019-9-5 - Sep 5 2019 ------------------- ------------------------------------------------------------------ ++++ gcc7: - Update to gcc-7-branch head (r275405). * Pulls fix for POWER9 DARN miscompilation. (bsc#1149145, CVE-2019-15847) * Includes gcc8-pr89752.patch ++++ curl: - Security fix: [bsc#1149496,CVE-2019-5482] * TFTP small blocksize heap buffer overflow * Added curl-CVE-2019-5482.patch - Security fix: [bsc#1149495,CVE-2019-5481] * FTP-KRB: double-free during kerberos FTP data transfer * Added curl-CVE-2019-5481.patch ------------------------------------------------------------------ ------------------ 2019-9-4 - Sep 4 2019 ------------------- ------------------------------------------------------------------ ++++ expat: - Security fix (CVE-2019-15903, bsc#1149429) * Crafted XML input results in heap-based buffer over-read by fooling the parser into changing from DTD parsing to document parsing * Added patches: - expat-CVE-2019-15903.patch - expat-CVE-2019-15903-tests.patch ------------------------------------------------------------------ ------------------ 2019-9-3 - Sep 3 2019 ------------------- ------------------------------------------------------------------ ++++ systemd: - Upgrade to v243 (commit e0b24c4356aa0c1c56ff274ff72228f33482a5be) See https://github.com/openSUSE/systemd/blob/SUSE/v243/NEWS for details. 
This includes the following bug fixes: - upstream commit b2774a3ae692113e1f47a336a6c09bac9cfb49ad (CVE-2019-20386 bsc#1161436) - upstream commit 5406c36844b35504a64e9f05fc74b8e5e5a09143 (bsc#1132400) - upstream commit 83a32ea7b03d6707b8e5bb90a0b3a6eb868ef633 (bsc#1132721) - upstream commit 7cc5ef5f1811c539ae7f20255c2a093f413cc64f (bsc#1172824 bsc#1142733) - upstream commit 83cb24ac20baf19f7834931dcf6e03486b4c9c30 (bsc#1156213) - upstream commit a2dcb1d78737d3daa301ee63fbdd02837acb71a8 (bsc#1158485) - upstream commit 08185cff19efcb1d7d9fb7b546e7f516ab6dae91 (bsc#1165011) - upstream commit 59c55e73eaee345e1ee67c23eace8895ed499693 (bsc#1177510) Drop 0001-Revert-insserv.conf-generator.patch as it's been dropped from branch SUSE/v243 while we were rebasing. Drop 0001-rc-local-generator-deprecate-halt.local-support.patch as this functionality had been deprecated during the previous release and now have been dropped by upstream. ------------------------------------------------------------------ ------------------ 2019-9-2 - Sep 2 2019 ------------------- ------------------------------------------------------------------ ++++ lvm2-device-mapper: - Update to LVM2.2.03.05 - To drop lvm2-clvm and lvm2-cmirrord rpms (jsc#PM-1324) - Fix Out of date package (bsc#1111734) - Fix occasional slow shutdowns with kernel 5.0.0 and up (bsc#1137648) - Remove clvmd - Remove lvmlib (api) - Remove lvmetad - Drop patches that have been merged into upstream - bug-1114113_metadata-prevent-writing-beyond-metadata-area.patch - bug-1137296_pvremove-vgextend-fix-using-device-aliases-with-lvmetad.patch - bug-1135984_cache-support-no_discard_passdown.patch - Drop patches that have been nonexist/unsupport in upstream - bsc1080299-detect-clvm-properly.patch - bug-998893_make_pvscan_service_after_multipathd.patch - bug-978055_clvmd-try-to-refresh-device-cache-on-the-first-failu.patch - bug-950089_test-fix-lvm2-testsuite-build-error.patch - 
bug-1072624_test-lvmetad_dump-always-timed-out-when-using-nc.patch - tests-specify-python3-as-the-script-interpreter.patch - Update spec files - merge device-mapper, lvm2-lockd, lvm2 into one spec file - clvmd/lvmlib (api)/lvmetad had been removed, so delete related context in spec file - Update lvm.conf files - remove all lvmetad lines/keywords - add event_activation - remove fallback_to_lvm1 & related items - remove locking_type/fallback_to_clustered_locking/fallback_to_local_locking items - remove locking_library item - remove all special filter rules ++++ libgcrypt: - Security fix: [bsc#1148987,CVE-2019-13627] * Mitigation against an ECDSA timing attack * Added libgcrypt-CVE-2019-13627.patch ++++ shadow: - bsc#1144060: Add pam_keyinit.so to /etc/pam.d configuration files to support kernel keyring feature - Update pamd.tar.bz2 with pam configuration files accordingly ------------------------------------------------------------------ ------------------ 2019-8-31 - Aug 31 2019 ------------------- ------------------------------------------------------------------ ++++ binutils: - enable xtensa architecture (Tensilica lc6 and related) - Fix SUSE typo in README package name ------------------------------------------------------------------ ------------------ 2019-8-30 - Aug 30 2019 ------------------- ------------------------------------------------------------------ ++++ blog: - Add blog-Remove-unused-header.patch: Fix build with new glibc (gh#bitstreamout/showconsole#3). 
++++ util-linux: - lsblk: force to print PKNAME for partition with e3bb9bfb76c17b1d05814436ced62c05c4011f48.patch ++++ nghttp2: - Conditionally remove dependency on jemalloc for SLE-12 ------------------------------------------------------------------ ------------------ 2019-8-29 - Aug 29 2019 ------------------- ------------------------------------------------------------------ ++++ openssl-1_1: - Upgrade to 1.1.1c (jsc#SLE-9135, bsc#1148799) * Support for TLSv1.3 added * Allow GNU style "make variables" to be used with Configure. * Add a STORE module (OSSL_STORE) * Claim the namespaces OSSL and OPENSSL, represented as symbol prefixes * Add multi-prime RSA (RFC 8017) support * Add SM3 implemented according to GB/T 32905-2016 * Add SM4 implemented according to GB/T 32907-2016. * Add 'Maximum Fragment Length' TLS extension negotiation and support * Add ARIA support * Add SHA3 * Rewrite of devcrypto engine * Add support for SipHash * Grand redesign of the OpenSSL random generator - drop FIPS support * don't build with FIPS mode (not supported in 1.1.1) - drop FIPS patches * openssl-fips-clearerror.patch * openssl-fips_disallow_ENGINE_loading.patch * openssl-fips-dont-fall-back-to-default-digest.patch * openssl-fips-dont_run_FIPS_module_installed.patch * openssl-fips-fix-odd-rsakeybits.patch * openssl-fips-rsagen-d-bits.patch * openssl-fips-selftests_in_nonfips_mode.patch * openssl-rsakeygen-minimum-distance.patch * openssl-1.1.0-fips.patch - add TLS 1.3 ciphers to DEFAULT_SUSE - merge openssl-1.0.1e-add-suse-default-cipher.patch and openssl-1.0.1e-add-test-suse-default-cipher-suite.patch to openssl-DEFAULT_SUSE_cipher.patch - Use upstream patch for the locale crash (bsc#1135550) * https://github.com/openssl/openssl/pull/8966 * add 0001-build_SYS_str_reasons-Fix-a-crash-caused-by-overlong.patch - drop patches (upstream): * openssl-Bleichenbachers_CAT.patch * openssl-CVE-2018-0734.patch * openssl-CVE-2018-0735.patch * openssl-CVE-2019-1543.patch * 
openssl-disable_rsa_keygen_tests_with_small_modulus.patch * openssl-dsa_paramgen2_check.patch * openssl-One_and_Done.patch * openssl-speed_skip_binary_curves_NO_EC2M.patch * openssl-static-deps.patch * openssl-urandom-reseeding.patch * 0001-Add-a-constant-time-flag-to-one-of-the-bignums-to-av.patch * 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch * 0001-DSA-mod-inverse-fix.patch * 0001-Resume-reading-from-randfile-when-interrupted-by-a-s.patch * 0001-apps-speed-fix-segfault-while-looking-up-algorithm-n.patch - drop s390x patches (rebased): * 0002-s390x-assembly-pack-add-KMA-code-path-for-aes-ctr.patch * 0003-crypto-aes-asm-aes-s390x.pl-replace-decrypt-flag-by-.patch * 0004-s390x-assembly-pack-add-KMA-code-path-for-aes-gcm.patch * 0005-s390x-assembly-pack-add-KMAC-code-path-for-aes-ccm.patch * 0006-s390x-assembly-pack-add-KM-code-path-for-aes-ecb.patch * 0007-s390x-assembly-pack-add-KMO-code-path-for-aes-ofb.patch * 0008-s390x-assembly-pack-add-KMF-code-path-for-aes-cfb-cf.patch * 0009-Fix-undefined-behavior-in-s390x-aes-gcm-ccm.patch * 0001-crypto-poly1305-asm-poly1305-s390x.pl-add-vx-code-pa.patch * 0001-s390x-assembly-pack-extend-s390x-capability-vector.patch - add s390x patches: * 0001-s390x-assembly-pack-perlasm-support.patch * 0002-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch * 0003-crypto-poly1305-asm-poly1305-s390x.pl-add-vx-code-pa.patch * 0004-s390x-assembly-pack-fix-formal-interface-bug-in-chac.patch * 0005-s390x-assembly-pack-import-chacha-from-cryptogams-re.patch * 0006-s390x-assembly-pack-import-poly-from-cryptogams-repo.patch ++++ openssl: - Upgrade to 1.1.1c release to get TLS 1.3 support (jsc#SLE-9135, bsc#1148799) ++++ sysvinit: - Update to killproc 2.23 * killproc has its upstream at https://github.com/bitstreamout/killproc * Use new system call statx(2) to replace old stat(2)/lstat(2) - Remove patches now upstream: * killproc-2.18-open_flags.dif * killproc-2.21.dif * killproc-sysmacros.patch * 
killproc-mntinf-optional.patch ------------------------------------------------------------------ ------------------ 2019-8-28 - Aug 28 2019 ------------------- ------------------------------------------------------------------ ++++ e2fsprogs: - libext2fs-call-fsync-2-to-clear-stale-errors-for-a-n.patch: libext2fs: call fsync(2) to clear stale errors for a new a unix I/O channel (bsc#1145716) ------------------------------------------------------------------ ------------------ 2019-8-27 - Aug 27 2019 ------------------- ------------------------------------------------------------------ ++++ libdb-4_8: - Add opd deadlock patch as found and documented by Red Hat. (bsc#1148244) * 0001-OPD-deadlock-RH-BZ-1349779.patch ------------------------------------------------------------------ ------------------ 2019-8-22 - Aug 22 2019 ------------------- ------------------------------------------------------------------ ++++ aaa_base: - Add patch git-07-82a17f1689e8957635c8ccaae7c9b3bff7f94d49.patch * add sysctl.d/51-network.conf to tighten network security a bit see also (boo#1146866) (jira#SLE-9132) ------------------------------------------------------------------ ------------------ 2019-8-21 - Aug 21 2019 ------------------- ------------------------------------------------------------------ ++++ icu: - Remove old obsoletes/provides for migration from very old products, as they break our shared library policy (bsc#1146907). 
------------------------------------------------------------------ ------------------ 2019-8-19 - Aug 19 2019 ------------------- ------------------------------------------------------------------ ++++ util-linux: - Remove outdated buildignore for pwdutils, had no effect with shadow anyways ++++ libdb-4_8: - Remove the getpatches as it does not work at all, oracle removed the pages - Use spec-cleaner - Fix stripped debuginfo to make sure we can debug with libdb ++++ nghttp2: - Require correct library from devel package - boo#1125689 - Update to version 1.39.2 (bsc#1146184, bsc#1146182): * This release fixes CVE-2019-9511 “Data Dribble” and CVE-2019-9513 “Resource Loop” vulnerability in nghttpx and nghttpd. Specially crafted HTTP/2 frames cause Denial of Service by consuming CPU time. Check out https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for details. For nghttpx, additionally limiting inbound traffic by --read-rate and --read-burst options is quite effective against this kind of attack. * Add nghttp2_option_set_max_outbound_ack API function * nghttpx: Fix request stall ++++ openssh: - don't install SuSEfirewall2 service on Factory, since SuSEfirewall2 has been replaced by firewalld, see [1]. 
[1]: https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html ++++ python-packaging: - Remove dependency on attrs Add: 0005-Drop-dependency-on-attrs.patch this fixes bsc#1144506 ++++ shadow: - encryption_method_nis.patch: drop, DES should really not be used anymore anywhere, even with NIS - shadow-login_defs-suse.patch: remove encryption NIS entry ------------------------------------------------------------------ ------------------ 2019-8-18 - Aug 18 2019 ------------------- ------------------------------------------------------------------ ++++ git: - git 2.23.0: * The "--base" option of "format-patch" computed the patch-ids for prerequisite patches in an unstable way, which has been updated to compute in a way that is compatible with "git patch-id --stable". * The "git log" command by default behaves as if the --mailmap option was given. * fixes and improvements to UI, workflow and features ------------------------------------------------------------------ ------------------ 2019-8-16 - Aug 16 2019 ------------------- ------------------------------------------------------------------ ++++ bash: - Rework patch readline-7.0-screen.patch again for bug boo#1143055 * Map all "screen(-xxx)?.yyy(-zzz)?" to "screen" as well as map "konsole(-xxx)?" and "gnome(-xxx)?" to "xterm" ++++ gcc7: - Remove bogus fixed include bits/statx.h from glibc 2.30. 
[gcc#91085] ------------------------------------------------------------------ ------------------ 2019-8-15 - Aug 15 2019 ------------------- ------------------------------------------------------------------ ++++ python-packaging: - Fix a bit the multibuild conversion - Remove the attrs from the deps as they are no longer needed ------------------------------------------------------------------ ------------------ 2019-8-14 - Aug 14 2019 ------------------- ------------------------------------------------------------------ ++++ git: - git 2.22.1 * A relative pathname given to "git init --template= " ought to be relative to the directory "git init" gets invoked in, but it instead was made relative to the repository, which has been corrected. * "git worktree add" used to fail when another worktree connected to the same repository was corrupt, which has been corrected. * "git am -i --resolved" segfaulted after trying to see a commit as if it were a tree, which has been corrected. * "git merge --squash" is designed to update the working tree and the index without creating the commit, and this cannot be countermanded by adding the "--commit" option; the command now refuses to work when both options are given. * Update to Unicode 12.1 width table. * "git request-pull" learned to warn when the ref we ask them to pull from in the local repository and in the published repository are different. * "git fetch" into a lazy clone forgot to fetch base objects that are necessary to complete delta in a thin packfile, which has been corrected. * The URL decoding code has been updated to avoid going past the end of the string while parsing %-- sequence. * "git clean" silently skipped a path when it cannot lstat() it; now it gives a warning. * "git rm" to resolve a conflicted path leaked an internal message "needs merge" before actually removing the path, which was confusing. This has been corrected. * Many more bugfixes and code cleanups. 
++++ systemd: - enable systemd-portabled ------------------------------------------------------------------ ------------------ 2019-8-13 - Aug 13 2019 ------------------- ------------------------------------------------------------------ ++++ nghttp2: - Update to version 1.39.1: * This release fixes the bug that log-level is not set with cmd-line or configuration file. It also fixes FPE with default backend. - Changes for version 1.39.0: * libnghttp2 now ignores content-length in 200 response to CONNECT request as per RFC 7230. * mruby has been upgraded to 2.0.1. * libnghttp2-asio now supports boost-1.70. * http-parser has been replaced with llhttp. * nghttpx now ignores Content-Length and Transfer-Encoding in 1xx or 200 to CONNECT. - Drop no longer needed boost170.patch ++++ python-pip: - Update to version 19.2.2: * Merge pull request #6827 from cjerdonek/issue-6804-find-links-expansion * Fix handling of tokens (single part credentials) in URLs (#6818) * Simplify the handling of "typing.cast" ++++ system-users: - Remove s390 groups again. The s390-tools maintainer wants to add groups in s390-tools manually. ------------------------------------------------------------------ ------------------ 2019-8-12 - Aug 12 2019 ------------------- ------------------------------------------------------------------ ++++ gcc10: - Add lto-dump to cross packages. 
- New package, inherits from gcc9 * gcc-add-defaultsspec.diff, add the ability to provide a specs file that is read by default * tls-no-direct.diff, avoid direct %fs references on x86 to not slow down Xen * gcc43-no-unwind-tables.diff, do not produce unwind tables for CRT files * gcc41-ppc32-retaddr.patch, fix expansion of __builtin_return_addr for ppc, just a testcase * gcc44-textdomain.patch, make translation files version specific and adjust textdomain to find them * gcc44-rename-info-files.patch, fix cross-references in info files when renaming them to be version specific * gcc48-libstdc++-api-reference.patch, fix link in the installed libstdc++ html documentation * gcc48-remove-mpfr-2.4.0-requirement.patch, make GCC work with earlier mpfr versions on old products * gcc5-no-return-gcc43-workaround.patch, make build work with host gcc 4.3 * gcc7-remove-Wexpansion-to-defined-from-Wextra.patch, removes new warning from -Wextra * gcc7-avoid-fixinc-error.diff ------------------------------------------------------------------ ------------------ 2019-8-8 - Aug 8 2019 ------------------- ------------------------------------------------------------------ ++++ python-packaging: - Enable tests via _multibuild Add patches from https://github.com/pypa/packaging/pull/176: * 0001-Fix-test-failures-test_linux_platforms_manylinux-for.patch * 0002-Fix-check-for-64-bit-OS.patch * 0003-Add-additional-test-to-get-100-branch-coverage.patch * 0004-Fix-test_macos_version_detection-failure-on-32-bit-L.patch (these fix the tests on non-x86 platforms and can be dropped on the next release) - Add Requires:python-attrs as this is a new dependency this fixes bsc#1144506 ++++ python-pip: - Update to version 19.2.1: * Fix a ``NoneType`` ``AttributeError`` when evaluating hashes and no hashes provided * Drop support for EOL Python 3.4. 
* Credentials will now be loaded using keyring when installed * Fully support using --trusted-host inside requirements files * Update timestamps in pip's --log file to include milliseconds * Respect whether a file has been marked as "yanked" from a simple repository (see PEP 592 for details) * When choosing candidates to install, prefer candidates with a hash matching one of the user-provided hashes * Improve the error message when METADATA or PKG-INFO is None when accessing metadata * Add a new command pip debug that can display e.g. the list of compatible tags for the current Python * Display hint on installing with --pre when search results include pre-release versions * Report to Warehouse that pip is running under CI if the PIP_IS_CI environment variable is set * Allow --python-version to be passed as a dotted version string (e.g. 3.7 or 3.7.3) * Log the final filename and SHA256 of a .whl file when done building a wheel * Include the wheel's tags in the log message explanation when a candidate wheel link is found incompatible * Add a --path argument to pip freeze to support --target installations * Add a --path argument to pip list to support --target installations - from version 19.2.0 * Drop support for EOL Python 3.4. (#6685) * Improve deprecation messages to include the version in which the functionality will be removed. (#6549) * Credentials will now be loaded using keyring when installed. (#5948) * Fully support using --trusted-host inside requirements files. (#3799) * Update timestamps in pip’s --log file to include milliseconds. (#6587) * Respect whether a file has been marked as “yanked” from a simple repository (see PEP 592 for details). (#6633) * When choosing candidates to install, prefer candidates with a hash matching one of the user-provided hashes. (#5874) * Improve the error message when METADATA or PKG-INFO is None when accessing metadata. (#5082) * Add a new command pip debug that can display e.g. 
the list of compatible tags for the current Python. (#6638) * Display hint on installing with --pre when search results include pre-release versions. (#5169) * Report to Warehouse that pip is running under CI if the PIP_IS_CI environment variable is set. (#5499) * Allow --python-version to be passed as a dotted version string (e.g. 3.7 or 3.7.3). (#6585) * Log the final filename and SHA256 of a .whl file when done building a wheel. (#5908) * Include the wheel’s tags in the log message explanation when a candidate wheel link is found incompatible. (#6121) * Add a --path argument to pip freeze to support --target installations. (#6404) * Add a --path argument to pip list to support --target installations. (#6551) * Set sys.argv[0] to the underlying setup.py when invoking setup.py via the setuptools shim so setuptools doesn’t think the path is -c. (#1890) * Update pip download to respect the given --python-version when checking "Requires-Python". (#5369) * Respect --global-option and --install-option when installing from a version control url (e.g. git). (#5518) * Make the “ascii” progress bar really be “ascii” and not Unicode. (#5671) * Fail elegantly when trying to set an incorrectly formatted key in config. (#5963) * Prevent DistutilsOptionError when prefix is indicated in the global environment and --target is used. (#6008) * Fix pip install to respect --ignore-requires-python when evaluating links. (#6371) * Fix a debug log message when freezing an editable, non-version controlled requirement. (#6383) * Extend to Subversion 1.8+ the behavior of calling Subversion in interactive mode when pip is run interactively. (#6386) * Prevent pip install from permitting directory traversal if e.g. a malicious server sends a Content-Disposition header with a filename containing ../ or ..\\. (#6413) (bsc#1176262, CVE-2019-20916) * Hide passwords in output when using --find-links. 
(#6489) * Include more details in the log message if pip freeze can’t generate a requirement string for a particular distribution. (#6513) * Add the line number and file location to the error message when reading an invalid requirements file in certain situations. (#6527) * Prefer os.confstr to ctypes when extracting glibc version info. (#6543, #6675) * Improve error message printed when an invalid editable requirement is provided. (#6648) * Improve error message formatting when a command errors out in a subprocess. (#6651) ------------------------------------------------------------------ ------------------ 2019-8-6 - Aug 6 2019 ------------------- ------------------------------------------------------------------ ++++ util-linux: - Issue a warning for outdated pam files (bsc#1082293, boo#1081947#c68). - Fix comments and unify look of PAM files (login.pamd, remote.pamd, runuser-l.pamd, runuser.pamd, su-l.pamd, su.pamd). ++++ python-packaging: - update to 19.1: * Add the ``packaging.tags`` module. * Correctly handle two-digit versions in ``python_version`` ++++ python-pyparsing: - update to 2.4.2: - Updated the shorthand notation that has been added for repetition expressions: expr[min, max], with '...' valid as a min or max value - The defaults on all the `__diag__` switches have been set to False, to avoid getting alarming warnings. To use these diagnostics, set them to True after importing pyparsing. - Fixed bug introduced by the use of __getitem__ for repetition, overlooking Python's legacy implementation of iteration by sequentially calling __getitem__ with increasing numbers until getting an IndexError. Found during investigation of problem reported by murlock, merci! - Changed [...] to emit ZeroOrMore instead of OneOrMore. - Removed code that treats ParserElements like iterables. - Change all __diag__ switches to False. - update to 2.4.1.1: - API change adding support for `expr[...]` - the original code in 2.4.1 incorrectly implemented this as OneOrMore. 
Code using this feature under this release should explicitly use `expr[0, ...]` for ZeroOrMore and `expr[1, ...]` for OneOrMore. In 2.4.2 you will be able to write `expr[...]` equivalent to `ZeroOrMore(expr)`. - Bug if composing And, Or, MatchFirst, or Each expressions using an expression. This only affects code which uses explicit expression construction using the And, Or, etc. classes instead of using overloaded operators '+', '^', and so on. If constructing an And using a single expression, you may get an error that "cannot multiply ParserElement by 0 or (0, 0)" or a Python `IndexError`. - Some newly-added `__diag__` switches are enabled by default, which may give rise to noisy user warnings for existing parsers. - update to 2.4.1: - A new shorthand notation has been added for repetition expressions: expr[min, max], with '...' valid as a min - '...' can also be used as short hand for SkipTo when used in adding parse expressions to compose an And expression. - '...' can also be used as a "skip forward in case of error" expression - Improved exception messages to show what was actually found, not just what was expected. - Added diagnostic switches to help detect and warn about common parser construction mistakes, or enable additional parse debugging. Switches are attached to the pyparsing.__diag__ namespace object - Added ParseResults.from_dict classmethod, to simplify creation of a ParseResults with results names using a dict, which may be nested. This makes it easy to add a sub-level of named items to the parsed tokens in a parse action. - Added asKeyword argument (default=False) to oneOf, to force keyword-style matching on the generated expressions. - ParserElement.runTests now accepts an optional 'file' argument to redirect test output to a file-like object (such as a StringIO, or opened file). Default is to write to sys.stdout. 
- conditionAsParseAction is a helper method for constructing a parse action method from a predicate function that simply returns a boolean result. Useful for those places where a predicate cannot be added using addCondition, but must be converted to a parse action (such as in infixNotation). May be used as a decorator if default message and exception types can be used. See ParserElement.addCondition for more details about the expected signature and behavior for predicate condition methods. - While investigating issue #93, I found that Or and addCondition could interact to select an alternative that is not the longest match. This is because Or first checks all alternatives for matches without running attached parse actions or conditions, orders by longest match, and then rechecks for matches with conditions and parse actions. Some expressions, when checking with conditions, may end up matching on a shorter token list than originally matched, but would be selected because of its original priority. This matching code has been expanded to do more extensive searching for matches when a second-pass check matches a smaller list than in the first pass. - Fixed issue #87, a regression in indented block. Reported by Renz Bagaporo, who submitted a very nice repro example, which makes the bug-fixing process a lot easier, thanks! - Fixed MemoryError issue #85 and #91 with str generation for Forwards. Thanks decalage2 and Harmon758 for your patience. - Modified setParseAction to accept None as an argument, indicating that all previously-defined parse actions for the expression should be cleared. - Modified pyparsing_common.real and sci_real to parse reals without leading integer digits before the decimal point, consistent with Python real number formats. Original PR #98 submitted by ansobolev. 
- Modified runTests to call postParse function before dumping out the parsed results - allows for postParse to add further results, such as indications of additional validation success/failure. - Updated statemachine example: refactored state transitions to use overridden classmethods; added Mixin class to simplify definition of application classes that "own" the state object and delegate to it to model state-specific properties and behavior. - Added example nested_markup.py, showing a simple wiki markup with nested markup directives, and illustrating the use of '...' for skipping over input to match the next expression. (This example uses syntax that is not valid under Python 2.) - Rewrote delta_time.py example (renamed from deltaTime.py) to fix some omitted formats and upgrade to latest pyparsing idioms, beginning with writing an actual BNF. - With the help and encouragement from several contributors, including Matěj Cepl and Cengiz Kaygusuz, I've started cleaning up the internal coding styles in core pyparsing, bringing it up to modern coding practices from pyparsing's early development days dating back to 2003. Whitespace has been largely standardized along PEP8 guidelines, removing extra spaces around parentheses, and adding them around arithmetic operators and after colons and commas. I was going to hold off on doing this work until after 2.4.1, but after cleaning up a few trial classes, the difference was so significant that I continued on to the rest of the core code base. This should facilitate future work and submitted PRs, allowing them to focus on substantive code changes, and not get sidetracked by whitespace issues. 
------------------------------------------------------------------ ------------------ 2019-8-5 - Aug 5 2019 ------------------- ------------------------------------------------------------------ ++++ krb5: - Integrate pam_keyinit pam module, ksu-pam.d; (bsc#1081947); (bsc#1144047); ------------------------------------------------------------------ ------------------ 2019-8-1 - Aug 1 2019 ------------------- ------------------------------------------------------------------ ++++ openldap2: - bsc#1143194 (CVE-2019-13565) - ssf memory reuse leads to incorrect authorisation of another connection, granting excess connection rights (ssf). * patch: 0201-ITS-9052-zero-out-sasl_ssf-in-connection_init.patch - bsc#1143273 (CVE-2019-13057) - rootDN of a backend may proxyauth incorrectly to another backend, violating multi-tenant isolation. * patch: 0202-ITS-9038-restrict-rootDN-proxyauthz-to-its-own-DBs.patch * patch: 0203-ITS-9038-Update-test028-to-test-this-is-enforced.patch * patch: 0204-ITS-9038-Another-test028-typo.patch ------------------------------------------------------------------ ------------------ 2019-7-31 - Jul 31 2019 ------------------- ------------------------------------------------------------------ ++++ util-linux: - Update to version 2.34: * new command hardlink * rewrite of lsblk, now supports --dedup * support for FUSE in umount * support for "--all -o remount" in mount * su: prefer /etc/default/su over /etc/login.defs and ENV_SUPATH over ENV_ROOTPATH (bsc#1121197), improved --pty * unshare: add -S/--setuid, -G/--setgid, -R/--root and -w/--wd * fstrim: do not suppress warnings unless --quiet is used * lscpu: print 'Frequency boost' and 'Vulnerability' fields, add --caches * logger: merge multiple MESSAGE= lines * libblkid: do not depend on libuuid, supports DRBD9 detection * libsmartcols: support N:M relationships in tree-like output * fstrim and uuidd systemd services: hardening settings to improve security and service isolation * fstrim: trim root
filesystem on --fstab, check for read-only filesystems on --all and --fstab (boo#1106214). * fstrim -A: properly de-duplicate sub-volumes (boo#1127701). * Obsoletes util-linux-login_defs-priority1.patch, util-linux-login_defs-priority2.patch and util-linux-login_defs-SYS_UID.patch. * Many Other fixes, see https://www.kernel.org/pub/linux/utils/util-linux/v2.34/v2.34-ReleaseNotes - Provide and obsolete hardlink package. - util-linux-login_defs-check.sh: Update checksum, login now supports LASTLOG_UID_MAX. ++++ libgcrypt: - Fixed an issue created by incomplete implementation of previous change - [bsc#1097073] * Removed section of libgcrypt-binary_integrity_in_non-FIPS.patch that caused some tests to be executed more than once. ++++ systemd: - systemd-container creates and owns /etc/systemd/nspawn now ++++ system-users: - Add system-user-tftp subpackage with tftp user and group and /srv/tftpboot as home directory [bsc#1143454]. ------------------------------------------------------------------ ------------------ 2019-7-26 - Jul 26 2019 ------------------- ------------------------------------------------------------------ ++++ shadow: - Fix incorrect variable name in usermod (shadow-usermod-variable.patch). - shadow-login_defs-comments.patch: * Drop SHA_CRYPT_*_ROUNDS that are in the upstream login.defs. * Add missing LASTLOG_UID_MAX. * Refresh shadow-login_defs-suse.patch. - Port shadow-login_defs-check.sh to match the current spec file and login.defs. ------------------------------------------------------------------ ------------------ 2019-7-25 - Jul 25 2019 ------------------- ------------------------------------------------------------------ ++++ gcc7: - Update to gcc-7-branch head (r273795). * Includes fix for LTO linker plugin heap overflow. 
(bsc#1142649, CVE-2019-14250) ++++ shadow: - Provide "useradd_or_adduser_dep" for sysuser-shadow ------------------------------------------------------------------ ------------------ 2019-7-24 - Jul 24 2019 ------------------- ------------------------------------------------------------------ ++++ git: - removal of SuSEfirewall2 service, since SuSEfirewall2 has been replaced by firewalld, see [1]. [1]: https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html ++++ bzip2: - update bzip2-1.0.6-CVE-2019-12900.patch to accept as many selectors as the file format allows. This relaxes the previous fix for CVE-2019-12900 so that bzip2 allows decompression of bz2 files that use (too) many selectors again. It fixes a bzip2 and lbzip2 incompatibility caused by previous patch [bsc#1139083] [CVE-2019-12900] ++++ python3-core: - FAKE RECORD FROM SLE-12 CHANNEL Apply "CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch" which converts shutil._call_external_zip to use subprocess rather than distutils.spawn. [bsc#1109663, CVE-2018-1000802] - FAKE RECORD FROM SLE-12 CHANNEL bsc#1109847: add CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch fixing bpo#34623. ++++ libseccomp: - ignore make check error for ppc64/ppc64le, bypass boo#1142614 ++++ python3: - FAKE RECORD FROM SLE-12 CHANNEL Apply "CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch" which converts shutil._call_external_zip to use subprocess rather than distutils.spawn. [bsc#1109663, CVE-2018-1000802] - FAKE RECORD FROM SLE-12 CHANNEL bsc#1109847: add CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch fixing bpo#34623. ------------------------------------------------------------------ ------------------ 2019-7-22 - Jul 22 2019 ------------------- ------------------------------------------------------------------ ++++ binutils: - Use -ffat-lto-objects in order to provide assembly for static libs (boo#1141913). ++++ gcc7: - Update to gcc-7-branch head (r273666). * Fixes build with -Werror=return-type. 
++++ util-linux: - Fix /etc/default/su comments and create /etc/default/runuser (bsc#1121197#31). - Remove /etc/default/su migration from coreutils. ++++ systemd: - Import commit 0f9271c1336c5c9055e75389732a44745d796851 (changes from v242-stable) 07f0549ffe network: do not send ipv6 token to kernel 9d34e79ae8 systemd-mount: don't check for non-normalized WHAT for network FS 5af677680c core: set fs.file-max sysctl to LONG_MAX rather than ULONG_MAX (bsc#1142099) 29dda7597a random-util: eat up bad RDRAND values seen on AMD CPUs eb6c17c178 util-lib: fix a typo in rdrand 829c20dc8e random-util: rename "err" to "success" 5442366fbf man: rework the description of Aliases and .wants/.requires directories ae71c6f634 docs: typo in arg name replace-irreversible -> replace-irreversibly 09774a5fcb meson: make nologin path build time configurable 69ffeeb0b1 man: add note about systemctl stop return value 4cf14b5513 shared/conf-parser: say "key name" not "lvalue", add dot 4481ca7f86 shared/conf-parser: emit a nicer warning for something like "======" 46f3db894b shared/conf-parser: be nice and ignore lines without "=" 7d928995f7 nspawn: fix memleak in argument parsing 7727e6c0ae resolve: fix memleak 7f32a81976 journal: properly read unaligned le64 integers fa419099e5 activate: move array allocation to heap 815a9fef2a systemctl: print non-elapsing timers as "n/a" not "(null)" a4fc3c88f1 factory: include pam_keyinit.so in PAM factory configuration a453d63315 factory: add comment to PAM file, explaining that the defaults are not useful d9a5a70a59 factory: tighten PAM configuration 5e2d3bf80b test: make sure colors don't confuse our test 5fe3be1334 wait-online: change log level c49b6959d5 systemctl: emit warning when we get an invalid process entry from pid1 and continue 3c9f43eb03 systemctl: do not suggest passing --all if the user passed --state= 5964d1474e man: offline-updates: make dependence on system-update.target explicit a04dd26e03 alloc-util: drop _alloc_ decorator from 
memdup_suffix0() 7c46a694ca man: add example for setting multiple properties at once 1d72789271 man: CPUShares= is so 2015 45da304673 man: document that WakeSystem= requires privs bed58a06e4 man: document that "systemd-analyze blame/critical-chain" is not useful to track down job latency c5461f31b3 man: be more explicit that Type=oneshot services are not "active" after starting 455ee07abe man: document that the supplementary groups list is initialized from User='s database entry 5f0cb2616a alloc-util: drop _alloc_(2, 3) decorator from memdup_suffix0_multiply() 7bc336794d generator: downgrade Requires= → Wants= of fsck from /usr mount unit 66465c4381 systemctl: allow "cat" on units with bad settings ca937b49da pid1: fix serialization/deserialization of commmands with spaces 4bb3113023 growfs: call crypt_set_debug_level() correctly, skip if not needed 0db716771e cryptsetup: enable libcryptsetup debug logging if we want it c8b9b3956f cryptsetup: set libcryptsetup global log callback too 679b3f6b7f basic/log: fix SYSTEMD_LOG_* parsing error messages 8d6b5158aa units: add SystemCallErrorNumber=EPERM to systemd-portabled.service 6681fcd445 network: fix the initial value of the counter for brvlan 853ec5f458 man: Add some notes about variable $prefix for StateDirectory= e6d23358e9 sd-netlink: fix inverted log message 6feb862407 blockdev: filter out invalid block devices early 9f7c0dbc75 blockdev-util: propagate actual error 3f5355bcb9 man: document tmpfiles.d/ user/group resolvability needs c15b92cd98 man: fix wrong udev property name 9768a900d6 meson: drop duplicated source 15194f22ed cryptsetup-generator: fix luks-* entry parsing from crypttab c2475390b4 core: skip whitespace after "|" and "!" 
in the condition parser fdc754aeb7 shared/condition: fix printing of ConditionNull= 572385e135 test: add testcase for issue #12883 9aa1edddb0 conf-parser: fix continuation handling 8fbc72f45f networkd: fix link_up() (#12505) ++++ openssh: - ssh-askpass: Try a fallback if the other option is not available ++++ python-pip: - Add patch to build with pytest5, also sent upstream: * pytest5.patch ------------------------------------------------------------------ ------------------ 2019-7-20 - Jul 20 2019 ------------------- ------------------------------------------------------------------ ++++ shadow: - shadow-login_defs-suse.patch: Set ALWAYS_SET_PATH default to "yes" (bsc#353876#c7). ------------------------------------------------------------------ ------------------ 2019-7-19 - Jul 19 2019 ------------------- ------------------------------------------------------------------ ++++ curl: - Update to 7.65.3 * progress: make the progress meter appear again ++++ python3-core: - boo#1141853 (CVE-2018-20852) add CVE-2018-20852-cookie-domain-check.patch fixing http.cookiejar.DefaultPolicy.domain_return_ok which did not correctly validate the domain: it could be tricked into sending cookies to the wrong server. ++++ python3: - boo#1141853 (CVE-2018-20852) add CVE-2018-20852-cookie-domain-check.patch fixing http.cookiejar.DefaultPolicy.domain_return_ok which did not correctly validate the domain: it could be tricked into sending cookies to the wrong server. ++++ shadow: - Fix comment about patch in spec file ------------------------------------------------------------------ ------------------ 2019-7-18 - Jul 18 2019 ------------------- ------------------------------------------------------------------ ++++ aaa_base: - Add patch git-06-8640f848c6677f1149b9765a8c86135956604007.patch * Make systemd detection cgroup oblivious (bsc#1140647) systemd can work in three exclusive cgroup modes: legacy, hybrid and unified. The mode affects where and what cgroup hierarchies are mounted. 
detect running systemd as systemd itself does it (src/libsystemd/sd-daemon/sd-daemon.c, function sd_booted) ++++ gcc7: - Update to gcc-7-branch head (r273559). * Includes fix for vector shift miscompilation on s390. [bsc#1141897] ++++ libgcrypt: - Fixed a race condition in initialization. * Added libgcrypt-1.8.4-allow_FSM_same_state.patch - Security fix: [bsc#1138939, CVE-2019-12904] * The C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes. (The C implementation is used on platforms where an assembly-language implementation is unavailable.) * Added patches: - libgcrypt-CVE-2019-12904-GCM-Prefetch.patch - libgcrypt-CVE-2019-12904-GCM.patch - libgcrypt-CVE-2019-12904-AES.patch - Fixed env-script-interpreter in cavs_driver.pl ++++ python-six: - Simplify the pytest call ------------------------------------------------------------------ ------------------ 2019-7-17 - Jul 17 2019 ------------------- ------------------------------------------------------------------ ++++ curl: - Update to 7.65.2 * Bugfixes: - CIPHERS.md: Explain Schannel error SEC_E_ALGORITHM_MISMATCH - CMake: Fix finding Brotli on case-sensitive file systems - CURLOPT_RANGE.3: Caution against using it for HTTP PUT - CURLOPT_SEEKDATA.3: fix variable name - bindlocal: detect and avoid IP version mismatches in bind() - build: fix Codacy warnings - c-ares: honor port numbers in CURLOPT_DNS_SERVERS - config-os400: add getpeername and getsockname defines - configure: --disable-progress-meter - configure: fix --disable-code-coverage - configure: more --disable switches to toggle off individual features - configure: remove CURL_DISABLE_TLS_SRP - conn_maxage: move the check to prune_dead_connections() - curl: skip CURLOPT_PROXY_CAPATH for disabled-proxy builds - docs: Explain behavior change in --tlsv1. 
options since 7.54 - docs: Fix links to OpenSSL docs - docs: fix string suggesting HTTP/2 is not the default - headers: Remove no longer exported functions - http2: call done_sending on end of upload - http2: don't call stream-close on already closed streams - http2: remove CURL_DISABLE_TYPECHECK define - http: allow overriding timecond with custom header - http: clarify header buffer size calculation - krb5: fix compiler warning - lib: Use UTF-8 encoding in comments - libcurl: Restrict redirect schemes to HTTP, HTTPS, FTP and FTPS - multi: enable multiplexing by default (again) - multi: fix the transfer hashes in the socket hash entries - multi: make sure 'data' can present in several sockhash entries - netrc: Return the correct error code when out of memory - nss: don't set unused parameter - nss: inspect returnvalue of token check - nss: only cache valid CRL entries - openssl: define HAVE_SSL_GET_SHUTDOWN based on version number - openssl: disable engine if OPENSSL_NO_UI_CONSOLE is defined - openssl: fix pubkey/signature algorithm detection in certinfo - os400: make vsetopt() non-static as Curl_vsetopt() for os400 support - quote.d: asterisk prefix works for SFTP as well - runtests: keep logfiles around by default - runtests: report single test time + total duration - test1165: verify that CURL_DISABLE_ symbols are in sync - test1521: adapt to SLISTPOINT - test1523: test CURLOPT_LOW_SPEED_LIMIT - test153: fix content-length to avoid occasional hang - test188/189: fix Content-Length - tests: have runtests figure out disabled features - tests: support non-localhost HOSTIP for dict/smb servers - tests: update fixed IP for hostip/clientip split - tool_cb_prg: Fix integer overflow in progress bar - typecheck: CURLOPT_CONNECT_TO takes an slist too - typecheck: add 3 missing strings and a callback data pointer - unit1654: cleanup on memory failure - unpause: trigger a timeout for event-based transfers - url: Fix CURLOPT_MAXAGE_CONN time comparison - Rebased patch 
curl-use_OPENSSL_config.patch - Disable newly added failing test1165 ++++ zlib: - Update the s390 patchset bsc#1137624: * 410.patch ------------------------------------------------------------------ ------------------ 2019-7-16 - Jul 16 2019 ------------------- ------------------------------------------------------------------ ++++ pam-config: - Update to version 1.1: - enhance comments in common-*-pc files ------------------------------------------------------------------ ------------------ 2019-7-15 - Jul 15 2019 ------------------- ------------------------------------------------------------------ ++++ git: - partial fix for bsc#1112230 (git instaweb gives 500 error) ------------------------------------------------------------------ ------------------ 2019-7-11 - Jul 11 2019 ------------------- ------------------------------------------------------------------ ++++ zlib: - Tweak zlib-power8-fate325307.patch to have type of crc32_vpmsum conform to usage bsc#1141059 ------------------------------------------------------------------ ------------------ 2019-7-9 - Jul 9 2019 ------------------- ------------------------------------------------------------------ ++++ lvm2-device-mapper: - Fix unknown feature in status message (bsc#1135984) + bug-1135984_cache-support-no_discard_passdown.patch ------------------------------------------------------------------ ------------------ 2019-7-8 - Jul 8 2019 ------------------- ------------------------------------------------------------------ ++++ bzip2: - add bzip2-1.0.6-CVE-2019-12900.patch to fix an out-of-bounds write in decompress.c when there are many nSelectors used in a loop to access selectorMtf [bsc#1139083] [CVE-2019-12900] ++++ linux-glibc-devel: - Update to kernel headers 5.2 ------------------------------------------------------------------ ------------------ 2019-7-3 - Jul 3 2019 ------------------- ------------------------------------------------------------------ ++++ python3-core: - bsc#1138459: add
CVE-2019-10160-netloc-port-regression.patch which fixes regression introduced by the previous patch. (CVE-2019-10160) Upstream gh#python/cpython#13812 ++++ python3: - bsc#1138459: add CVE-2019-10160-netloc-port-regression.patch which fixes regression introduced by the previous patch. (CVE-2019-10160) Upstream gh#python/cpython#13812 ------------------------------------------------------------------ ------------------ 2019-7-2 - Jul 2 2019 ------------------- ------------------------------------------------------------------ ++++ expat: - Security fix (CVE-2018-20843, bsc#1139937) * Large number of colons in input makes parser consume high amount of resources * Added expat-CVE-2018-20843.patch ++++ libgcrypt: - Fixed redundant fips tests in some situations causing sudo to stop working when pam-kwallet is installed. bsc#1133808 * Added libgcrypt-1.8.4-fips_ctor_skip_integrity_check.patch * Removed libgcrypt-fips_ignore_FIPS_MODULE_PATH.patch because it was obsoleted by libgcrypt-1.8.4-fips_ctor_skip_integrity_check.patch ++++ zlib: - Use FAT LTO objects in order to provide proper static library. ++++ timezone: - timezone update 2019b (bsc#1140016): * Brazil no longer observes DST. * 'zic -b slim' outputs smaller TZif files. * Palestine's 2019 spring-forward transition was on 03-29, not 03-30. * Add info about the Crimea situation. ------------------------------------------------------------------ ------------------ 2019-7-1 - Jul 1 2019 ------------------- ------------------------------------------------------------------ ++++ util-linux: - Fix license of libraries: LGPL-2.1-or-later and BSD-3-Clause for libuuid (bsc#1135708). 
++++ systemd: - State directory of systemd-timesync might become inaccessible after upgrading to v240+ (bsc#1137341) This happens for users who had previously used systemd-timesync with DynamicUser=true, ie the ones who upgraded from a systemd version between v235 and v239 to systemd v240 and later (v240 was the version where DynamicUser was switched back to OFF). ------------------------------------------------------------------ ------------------ 2019-6-27 - Jun 27 2019 ------------------- ------------------------------------------------------------------ ++++ lvm2-device-mapper: - Fix using device aliases with lvmetad (bsc#1137296) + bug-1137296_pvremove-vgextend-fix-using-device-aliases-with-lvmetad.patch ------------------------------------------------------------------ ------------------ 2019-6-21 - Jun 21 2019 ------------------- ------------------------------------------------------------------ ++++ sysvinit: - Remove logsave as well as the manual page as those are part of package e2fsprogs already ------------------------------------------------------------------ ------------------ 2019-6-20 - Jun 20 2019 ------------------- ------------------------------------------------------------------ ++++ util-linux: - Use FAT LTO objects in order to provide proper static library (boo#1138795). ++++ libsemanage: - Disable LTO due to symbol versioning (boo#1138812). ++++ libsepol: - Disable LTO due to symbol versioning (boo#1138813). ------------------------------------------------------------------ ------------------ 2019-6-18 - Jun 18 2019 ------------------- ------------------------------------------------------------------ ++++ libapparmor: - update to AppArmor 2.13.1 - some fixes in cache handling - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.13.3 for the detailed upstream changelog ++++ util-linux: - raw.service: Add RemainAfterExit=yes (bsc#1135534).
------------------------------------------------------------------ ------------------ 2019-6-17 - Jun 17 2019 ------------------- ------------------------------------------------------------------ ++++ sysvinit: - Update to sysvinit 2.95 * new logsave helper - Update to startpar-0.63 * move startpar from /sbin to /bin - Port our patches * startpar-0.58.dif * sysvinit-2.88dsf-suse.patch * sysvinit-2.90-no-kill.patch * sysvinit-2.90.dif ------------------------------------------------------------------ ------------------ 2019-6-14 - Jun 14 2019 ------------------- ------------------------------------------------------------------ ++++ shadow: - Update to 4.7: * Spawn: don't loop forever on ECHILD * Do not fail locking if there is a stale lockfile (Tomas Mraz) * Use lckpwdf if prefix not set (Tomas Mraz) * Build: check correct DocBook version (Jan Tojnar) * Usermod: Print 'no changes' to stdout, not stderr (Serge Hallyn) * Add support for btrfs subvolumes for home (Adam Majer) * Fix chpasswd long line handling (Nathan Ruiz) * Use secure_getenv for gettime (Chris Lamb) * Make sp_lstchg reproducible (Chris Lamb) * Do not crash commonio_close if db file is not open (Tomas Mraz) * Don't flush nscd and sssd cache in read-only mode (Charlie Vuillemez) * French manpage update (Alban VIDAL) * Fix manpage defaults for SUB_UID/GID_COUNT (Tomas Mraz) * Sync po files from shadow.pot (Alban VIDAL) * Usermod: guard against unsafe chown of homedir contents (Tomas Mraz) * Add LASTLOG_UID_MAX to login.defs (Tomas Mraz) * new[ug]idmap file capabilities support (Giuseppe Scrivano and Christian Brauner) * Fix segfault in useradd (bsc#1141113, Tomas Mraz) * Coverity issues (Tomas Mraz) * Flush sssd caches (Jakub Hrozek) * Log UID in nologin (Vladimir Ivanov) * run pam_getenvlist after setup_env in su.c (Michael Vogt) * Support systems with only utmpx (A. 
Wilcox) * Fix unguarded ENABLE_SUBIDS code (Jan Chren (rindeal)) * Update po/zh_CN translation (Lion Yang) * Create parent dirs for useradd -m (Michael Vetter) * Prevent usermod segv * Fix usermod crash (fariouche) - Remove btrfs-subvolumes.patch (fate#316134): upstreamed: https://github.com/shadow-maint/shadow/pull/149 - Remove useradd-mkdirs.patch (bsc#865563): upstreamed https://github.com/shadow-maint/shadow/pull/112 - Remove shadow-4.6.0-fix-usermod-prefix-crash.patch upstreamed https://github.com/shadow-maint/shadow/issues/110 - Remove shadow-4.6-bsc1141113-useradd-segfault.patch (SLE15 SP3 and openSUSE Leap 15.3 only) upstreamed https://github.com/shadow-maint/shadow/issues/125 - Rebase userdel-script.patch - Rebase useradd-script.patch - Rebase shadow-util-linux.patch ------------------------------------------------------------------ ------------------ 2019-6-13 - Jun 13 2019 ------------------- ------------------------------------------------------------------ ++++ dbus-1: - Fix CVE-2019-12749 Authentication bypass (CVE-2019-12749 bsc#1137832) * added fix-CVE-2019-12749.patch ++++ glibc: - regex-parse-reg-exp.patch: ERE '0|()0|\1|0' causes regexec undefined behavior (CVE-2009-5155, bsc#1127223, BZ #18986) - regex-read-overrun.patch: regex: fix read overrun (CVE-2019-9169, bsc#1127308, BZ #24114) ++++ permissions: - Added ./0005-singularity-starter-suid.patch (bsc#1128598) New whitelisting for /usr/lib/singularity/bin/starter-suid ------------------------------------------------------------------ ------------------ 2019-6-12 - Jun 12 2019 ------------------- ------------------------------------------------------------------ ++++ gcc7: - Add gcc7-flive-patching.patch patch. 
[bsc#1071995, fate#323487] ++++ python3-core: - FAKE RECORD FROM SLE-12 CHANNEL bsc#1137942: Avoid duplicate files with python3* packages (https://fate.suse.com/327309) ++++ python3: - FAKE RECORD FROM SLE-12 CHANNEL bsc#1137942: Avoid duplicate files with python3* packages (https://fate.suse.com/327309) ++++ systemd-presets-common-SUSE: - BuildRequire pkgconfig(systemd) instead of systemd: allow OBS to shortcut the build queues by allowing usage of systemd-mini ------------------------------------------------------------------ ------------------ 2019-6-11 - Jun 11 2019 ------------------- ------------------------------------------------------------------ ++++ python3-core: - bsc#1094814: Add bpo23395-PyErr_SetInterrupt-signal.patch to handle situation when the SIGINT signal is ignored or not handled ++++ python3: - bsc#1094814: Add bpo23395-PyErr_SetInterrupt-signal.patch to handle situation when the SIGINT signal is ignored or not handled ++++ python-six: - Fix pytest call - Fix documentation package generating ++++ systemd-presets-branding-openSUSE: - BuildRequire pkgconfig(systemd) instead of systemd: allow OBS to shortcut the build queues by allowing usage of systemd-mini ------------------------------------------------------------------ ------------------ 2019-6-10 - Jun 10 2019 ------------------- ------------------------------------------------------------------ ++++ git: - git 2.22.0 * The filter specification "--filter=sparse:path=" used to create a lazy/partial clone has been removed. Using a blob that is part of the project as sparse specification is still supported with the "--filter=sparse:oid=" option * "git checkout --no-overlay" can be used to trigger a new mode of checking out paths out of the tree-ish, that allows paths that match the pathspec that are in the current index and working tree and are not in the tree-ish.
* Four new configuration variables {author,committer}.{name,email} have been introduced to override user.{name,email} in more specific cases. * "git branch" learned a new subcommand "--show-current". * The command line completion (in contrib/) has been taught to complete more subcommand parameters. * The completion helper code now pays attention to repository-local configuration (when available), which allows --list-cmds to honour a repository specific setting of completion.commands, for example. * The list of conflicted paths shown in the editor while concluding a conflicted merge was shown above the scissors line when the clean-up mode is set to "scissors", even though it was commented out just like the list of updated paths and other information to help the user explain the merge better. * "git rebase" that was reimplemented in C did not set ORIG_HEAD correctly, which has been corrected. * "git worktree add" used to do a "find an available name with stat and then mkdir", which is race-prone. This has been fixed by using mkdir and reacting to EEXIST in a loop. - Removed upstreamed patch worktree-fix-worktree-add-race.patch * previous item ++++ python-rpm-macros: - Update to version 20190610.2ee3233: * Fix typo, missing opening brace. * Add the first draft of pyproject_wheel and pyproject_install macros. * Yet another attempt to preserve $PYTHONPATH set in the environment. * Document also %pytest_arch * Document %pytest in README.md * Multiline macros don't work correctly on older RPMs. * Add missing $ expansion on the pytest call * Rewrite pytest and pytest_arch into Lua macros with multiple arguments. * We should preserve existing PYTHONPATH. * Add --ignore to pytest calls to ignore build directories. - Update to version 20190610.2ee3233: * Fix typo, missing opening brace. 
------------------------------------------------------------------
------------------ 2019-6-7 - Jun 7 2019 -------------------
------------------------------------------------------------------
++++ zlib:

- Do not enable the previous patchset on s390 but just s390x bsc#1137624

++++ openslp:

- Use tcp connects to talk with other DAs [bnc#1117969]
  new patch: openslp.tcpknownda.diff
- Fix segfault in predicate match if a registered service has a malformed attribute list [bnc#1136136]
  new patch: openslp.nullattr.diff

------------------------------------------------------------------
------------------ 2019-6-6 - Jun 6 2019 -------------------
------------------------------------------------------------------
++++ glibc:

- crt-nocompress-debug-sections.patch: Don't compress debug sections in crt*.o files (bsc#1123710)

++++ lz4:

- Update to new upstream release 1.9.1
  * Decompression speed was improved by about 12% (x86/x64).
  * New option `lz4 --list` to inspect the block type, checksum information, compressed and decompressed sizes (if present). The command is limited to single-frame files for the time being.

++++ zlib:

- Add patchset for s390 improvements jsc#SLE-5807 bsc#1136717:
  * 410.patch

++++ systemd-presets-common-SUSE:

- Enable ignition-firstboot-complete.service

------------------------------------------------------------------
------------------ 2019-6-5 - Jun 5 2019 -------------------
------------------------------------------------------------------
++++ glibc:

- ldconfig-concurrency.patch: Avoid concurrency problem in ldconfig (bsc#1117993, BZ #23973)

++++ curl:

- Update to 7.65.1
  * Bugfixes:
    - CURLOPT_LOW_SPEED_* repaired
    - NTLM: reset proxy "multipass" state when CONNECT request is done
    - PolarSSL: deprecate support step 1. Removed from configure
    - cmake: check for if_nametoindex()
    - cmake: support CMAKE_OSX_ARCHITECTURES when detecting SIZEOF variables
    - conncache: Remove the DEBUGASSERT on length check
    - conncache: make "bundles" per host name when doing proxy tunnels
    - curl_share_setopt.3: improve wording
    - dump-header.d: spell out that no headers == empty file
    - example/http2-download: fix format specifier
    - examples: cleanups and compiler warning fixes
    - http2: Stop drain from being permanently set
    - http: don't parse body-related headers in bodyless responses
    - md4: build correctly with openssl without MD4
    - md4: include the mbedtls config.h to get the MD4 info
    - multi: track users of a socket better
    - nss: allow to specify TLS 1.3 ciphers if supported by NSS
    - parse_proxy: make sure portptr is initialized
    - parse_proxy: use the IPv6 zone id if given
    - sectransp: handle errSSLPeerAuthCompleted from SSLRead()
    - singlesocket: use separate variable for inner loop
    - ssl: Update outdated "openssl-only" comments for supported backends
    - tests: add HAProxy keywords
    - tests: make test 1420 and 1406 work with rtsp-disabled libcurl
    - tls13-docs: mention it is only for OpenSSL >= 1.1.1
    - tool_setopt: for builds with disabled-proxy, skip all proxy setopts()
    - url: fix bad feature-disable #ifdef
    - url: use correct port in ConnectionExists()

------------------------------------------------------------------
------------------ 2019-6-4 - Jun 4 2019 -------------------
------------------------------------------------------------------
++++ glibc:

- force-elision-race.patch: Fix race in pthread_mutex_lock while promoting to PTHREAD_MUTEX_ELISION_NP (bsc#1131330, BZ #23275)

------------------------------------------------------------------
------------------ 2019-6-3 - Jun 3 2019 -------------------
------------------------------------------------------------------
++++ binutils:

Fake entry for SLE12 package variant only:
- Add support for new z13 instructions. [fate#327074, jsc#SLE-6206, bsc#1137271]
  Adds patches binutils-z13-1.diff, binutils-z13-2.diff, binutils-z13-3.diff, binutils-z13-4.diff and binutils-z13-5.diff.

++++ libselinux:

- In selinux-ready
  * Removed check for selinux-policy package as we don't ship one (bsc#1136845)
  * Add check that restorecond is installed and enabled

------------------------------------------------------------------
------------------ 2019-6-2 - Jun 2 2019 -------------------
------------------------------------------------------------------
++++ libseccomp:

- Update to new upstream release 2.4.1
  * Fix a BPF generation bug where the optimizer mistakenly identified duplicate BPF code blocks.

------------------------------------------------------------------
------------------ 2019-5-31 - May 31 2019 -------------------
------------------------------------------------------------------
++++ openssh:

- Fix a crash with GSSAPI key exchange (bsc#1136104)
  * modify openssh-7.7p1-gssapi_key_exchange.patch

------------------------------------------------------------------
------------------ 2019-5-30 - May 30 2019 -------------------
------------------------------------------------------------------
++++ shadow:

- Make building more verbose
- Use spec-cleaner

------------------------------------------------------------------
------------------ 2019-5-29 - May 29 2019 -------------------
------------------------------------------------------------------
++++ bash:

- Add patch bash-4.4-bgpoverflow.patch which is a backport from bash 5.0 to perform better with large numbers of sub processes (bsc#1133773)

++++ libssh:

- Fix the typo in Obsoletes for -devel-doc subpackage
- Actually remove the description for -devel-doc subpackage

------------------------------------------------------------------
------------------ 2019-5-28 - May 28 2019 -------------------
------------------------------------------------------------------
++++ libidn2:

- Update to version 2.2.0 CVE-2019-12290 bsc#1154884:
  * Perform A-Label roundtrip for lookup functions by default
  * Stricter check of input to punycode decoder
  * Fix punycode decoding with no ASCII chars but given delimiter
  * Fix 'idn2 --no-tr64' (was a no-op)
  * Allow _ as a basic code point in domain labels
  * Fail building documentation if 'ronn' isn't installed
  * git tag changed to reflect https://semver.org/

++++ systemd:

- Import commit eaa7b8b148927d471609de75e542dffcc1b36df4
  7e58b89136 udevd: change the default value of udev.children-max (again) (bsc#1107617)
- Add 0001-rc-local-generator-deprecate-halt.local-support.patch
  /etc/init.d/halt.local support will be removed from the next systemd version (v243) so from now on warn (hopefully the few) users who rely on this script so they have a chance to switch to systemd-shutdown interface.

------------------------------------------------------------------
------------------ 2019-5-27 - May 27 2019 -------------------
------------------------------------------------------------------
++++ systemd:

- Add 0001-Revert-insserv.conf-generator.patch (bsc#1052837)
  All remaining packages have been fixed so they don't rely on the insserv-generator to generate proper deps. So let's drop it as all services should carry the proper dependencies themselves.
- Drop debug-only-remove-new-policies.patch
  The new DBUS methods have been reviewed by the security team.
------------------------------------------------------------------
------------------ 2019-5-24 - May 24 2019 -------------------
------------------------------------------------------------------
++++ libselinux:

- Set License: to correct value (bsc#1135710)

------------------------------------------------------------------
------------------ 2019-5-23 - May 23 2019 -------------------
------------------------------------------------------------------
++++ libssh:

- Add support for new AES-GCM encryption types; (bsc#1134193)
  * Add 0001-libcrypto-Implement-OpenSSH-compatible-AES-GCM-ciphe.patch
  * Add 0001-libgcrypt-Implement-OpenSSH-compatible-AES-GCM-ciphe.patch
  * Add 0001-tests-Add-aes-gcm-ciphers-tests.patch

------------------------------------------------------------------
------------------ 2019-5-22 - May 22 2019 -------------------
------------------------------------------------------------------
++++ gcc7:

- Strip -flto from $optflags.

++++ curl:

- Update to 7.65.0 [bsc#1135176, CVE-2019-5435][bsc#1135170, CVE-2019-5436]
  * Changes:
    - CURLOPT_DNS_USE_GLOBAL_CACHE: removed
    - CURLOPT_MAXAGE_CONN: set the maximum allowed age for conn reuse
    - pipelining: removed
  * Bugfixes:
    - CVE-2019-5435: Integer overflows in curl_url_set
    - CVE-2019-5436: tftp: use the current blksize for recvfrom()
    - --config: clarify that initial : and = might need quoting
    - CURLMOPT_TIMERFUNCTION.3: warn about the recursive risk
    - CURLOPT_ADDRESS_SCOPE: fix range check and more
    - CURLOPT_CHUNK_BGN_FUNCTION.3: document the struct and time value
    - CURLOPT_READFUNCTION.3: see also CURLOPT_UPLOAD_BUFFERSIZE
    - CURL_MAX_INPUT_LENGTH: largest acceptable string input size
    - Curl_disconnect: treat all CONNECT_ONLY connections as "dead"
    - OS400/ccsidcurl: replace use of Curl_vsetopt
    - OpenSSL: Report -fips in version if OpenSSL is built with FIPS
    - WRITEFUNCTION: add missing set_in_callback around callback
    - altsvc: Fix building with cookies disabled
    - auth: Rename the various authentication clean up functions
    - base64: build conditionally if there are users
    - cmake: avoid linking executable for some tests with cmake 3.6+
    - cmake: clear CMAKE_REQUIRED_LIBRARIES after each use
    - cmake: set SSL_BACKENDS
    - configure: avoid unportable '==' test(1) operator
    - configure: error out if OpenSSL wasn't detected when asked for
    - configure: fix default location for fish completions
    - cookie: Guard against possible NULL ptr deref
    - curl: make code work with protocol-disabled libcurl
    - curl: report error for "--no-" on non-boolean options
    - curlver.h: use parenthesis in CURL_VERSION_BITS macro
    - docs/INSTALL: fix broken link
    - doh: acknowledge CURL_DISABLE_DOH
    - doh: disable DOH for the cases it doesn't work
    - examples: remove unused variables
    - ftplistparser: fix LGTM alert "Empty block without comment"
    - hostip: acknowledge CURL_DISABLE_SHUFFLE_DNS
    - http: Ignore HTTP/2 prior knowledge setting for HTTP proxies
    - http: acknowledge CURL_DISABLE_HTTP_AUTH
    - http: mark bundle as not for multiuse on < HTTP/2 response
    - http_digest: Don't expose functions when HTTP and Crypto Auth are disabled
    - http_negotiate: do not treat failure of gss_init_sec_context() as fatal
    - http_ntlm: Corrected the name of the include guard
    - http_ntlm_wb: Handle auth for only a single request
    - http_ntlm_wb: Return the correct error on receiving an empty auth message
    - lib509: add missing include for strdup
    - lib557: initialize variables
    - mbedtls: enable use of EC keys
    - mime: acknowledge CURL_DISABLE_MIME
    - multi: improved HTTP_1_1_REQUIRED handling
    - netrc: acknowledge CURL_DISABLE_NETRC
    - nss: allow fifos and character devices for certificates
    - nss: provide more specific error messages on failed init
    - ntlm: Fix misaligned function comments for Curl_auth_ntlm_cleanup
    - ntlm: Support the NT response in the type-3 when OpenSSL doesn't include MD4
    - openssl: mark connection for close on TLS close_notify
    - openvms: Remove pre-processor for SecureTransport
    - parse_proxy: use the URL parser API
    - parsedate: disabled on CURL_DISABLE_PARSEDATE
    - pingpong: disable more when no pingpong protocols are enabled
    - polarssl_threadlock: remove conditionally unused code
    - progress: acknowledge CURL_DISABLE_PROGRESS_METER
    - proxy: acknowledge DISABLE_PROXY more
    - resolve: apply Happy Eyeballs philosophy to parallel c-ares queries
    - revert "multi: support verbose conncache closure handle"
    - sasl: Don't send authcid as authzid for the PLAIN mechanism as per RFC 4616
    - sasl: only enable if there's a protocol enabled using it
    - singleipconnect: show port in the verbose "Trying ..." message
    - socks5: user name and passwords must be shorter than 256
    - socks: fix error message
    - socksd: new SOCKS 4+5 server for tests
    - spnego_gssapi: fix return code on gss_init_sec_context() failure
    - ssh-libssh: remove unused variable
    - ssh: define USE_SSH if SSH is enabled (any backend)
    - ssh: move variable declaration to where it's used
    - test1002: correct the name
    - test2100: Fix typos in test description
    - tests: Run global cleanup at end of tests
    - tests: make Impacket (SMB server) Python 3 compatible
    - tool_cb_wrt: fix bad-function-cast warning
    - tool_formparse: remove redundant assignment
    - tool_help: Warn if curl and libcurl versions do not match
    - tool_help: include for strcasecmp
    - url: always clone the CUROPT_CURLU handle
    - url: convert the zone id from a IPv6 URL to correct scope id
    - urlapi: add CURLUPART_ZONEID to set and get
    - urlapi: increase supported scheme length to 40 bytes
    - urlapi: require a non-zero host name length when parsing URL
    - urlapi: stricter CURLUPART_PORT parsing
    - urlapi: strip off zone id from numerical IPv6 addresses
    - urlapi: urlencode characters above 0x7f correctly
    - vauth/cleartext: update the PLAIN login to match RFC 4616
    - vauth/oauth2: Fix OAUTHBEARER token generation
    - vauth: Fix incorrect function description for Curl_auth_user_contains_domain
    - vtls: fix potential ssl_buffer stack overflow
    - wildcard: disable from build when FTP isn't present
    - xattr: skip unittest on unsupported platforms

------------------------------------------------------------------
------------------ 2019-5-21 - May 21 2019 -------------------
------------------------------------------------------------------
++++ xz:

- add SUSE-Public-Domain licence as some parts of xz utils (liblzma, xz, xzdec, lzmadec, documentation, translated messages, tests, debug, extra directory) are in public domain licence [bsc#1135709]

------------------------------------------------------------------
------------------ 2019-5-20 - May 20 2019 -------------------
------------------------------------------------------------------
++++ python-rpm-macros:

- Update to version 20190511.2ed22b6:
  * Add the first draft of pyproject_wheel and pyproject_install macros.

------------------------------------------------------------------
------------------ 2019-5-16 - May 16 2019 -------------------
------------------------------------------------------------------
++++ e2fsprogs:

- e2fsck-check-and-fix-tails-of-all-bitmaps.patch: e2fsck: check and fix tails of all bitmap blocks (bsc#1128383)

++++ curl:

- Security fix [bsc#1135170, CVE-2019-5436]
  * A heap buffer overflow exists in tftp_receive_packet that receives data from a TFTP server
  * Added curl-CVE-2019-5436.patch

------------------------------------------------------------------
------------------ 2019-5-15 - May 15 2019 -------------------
------------------------------------------------------------------
++++ python-pip:

- Update to version 19.1.1+git.1557777841.63878672:
  * Update news file to match usual style
  * fix-5963: assert error message
  * Simplify CandidateEvaluator.evaluate_link().
  * Fix 6486 mac gitignore (#6487)
  * Store instances in the VcsSupport registry instead of classes.
  * Remove unused cls argument from VcsSupport.unregister().
  * fix-5963: Add news file
  * fix-5963: fail elegantly on missing name or section in config set / unset
  * Remove unnecessary slices.
  * Fix typo.
- Switch to multibuild, so testing is separate from the building of the package itself.

------------------------------------------------------------------
------------------ 2019-5-14 - May 14 2019 -------------------
------------------------------------------------------------------
++++ icu:

- Add 075cefb2e21f57f4cac1bc2868e93dd1b8c077cc.patch to fix a regression with the C.UTF-8 locale https://unicode-org.atlassian.net/browse/ICU-20575

++++ openldap2:

- bsc#1111388 - incorrect post script call causes tmpfiles create not to be run.

++++ systemd:

- Import commit 9984a86d0d2259d54c7060f9c09f214202b4efa7
  f2459bf373 random-util: eat up bad RDRAND values seen on AMD CPUs
  c90a2e9793 util-lib: fix a typo in rdrand
  4db1cc9d46 random-util: rename "err" to "success"
  981a62a102 random-util: hash AT_RANDOM getauxval() value before using it
  64a9c3d918 random-util: use gcc's bit_RDRND definition if it exists
  c5d6ecfdca random-util: rename RANDOM_DONT_DRAIN → RANDOM_MAY_FAIL
  298d13df7e network: remove redunant link name in message
  77cbde31f2 hwdb: Align airplane mode toggle key mapping for all Acer series
  460f03794e Revert "hwdb: Apply Acer mappings to all Gateway and Packard Bell models"
  fe9271ad84 test: return a non-zero return code when 'nobody' user doesn't exist
  29d355e755 fstab-generator: Prevent double free of reused FILE*
  f30f1adc11 meson: make source files including nspawn-settings.h depend on libseccomp
  84bab914b8 alloc-util: don't use malloc_usable_size() to determine allocated size
  5240972d8d units: drop reference to sushell man page
  0a26de5e33 codespell: fix spelling errors
  582de105c8 nspawn-expose-ports: fix a typo in error message

------------------------------------------------------------------
------------------ 2019-5-13 - May 13 2019 -------------------
------------------------------------------------------------------
++++ systemd:

- Buildrequire polkit so /usr/share/polkit-1/rules.d has an owner (bsc#1145023)
  Otherwise the "post build checks" would complain and would force systemd to own this directory. The owner should still be "polkit" and the perms should be in sync with the perm set by polkit itself.

++++ system-user-root:

- Bump to version 20190513:
  * Invalidate root password by default (bsc#1134524)

------------------------------------------------------------------
------------------ 2019-5-11 - May 11 2019 -------------------
------------------------------------------------------------------
++++ python-pip:

- Update to version 19.1.1+git.1557521541.a731e7e3:
  * Docs: capitalize "URL"
  * Upgrade Sphinx version for Read the Docs (#6477)
  * Upwrap import
  * Remove utils/packaging.py's dependence on the current environment.
  * Improve import error handling Fix --no-index usage Fix missing type annotation type
  * Rename _link_package_versions() to evaluate_link().
  * Move _link_package_versions() to CandidateEvaluator.
  * Refine return type of _package_versions() and find_all_candidates().
  * Fix mismerged import
  * Issue #5948: Enable keyring support
  * Move run_with_log_command() after run_stderr_with_prefix().
  * Change to never allow logging errors during tests.
  * Add failing test.
  * Respect --global-option and --install-option for VCS installs.
- Start using upstream git checkout instead of the released tarballs so we can get tests/ directory (gh#pypa/pip#6258).
- Enable tests.

------------------------------------------------------------------
------------------ 2019-5-10 - May 10 2019 -------------------
------------------------------------------------------------------
++++ nghttp2:

- Update to 1.38.0:
  * This release fixes the bug that authority and path altered by per-pattern mruby script can affect backend selection on retry.
  * It also fixes the bug that HTTP/1.1 chunked request stalls.
  * Now nghttpx does not log authorization request header field value with -LINFO.
  * This release fixes possible backend stall when header and request body are sent in their own packets.
  * The backend option gets weight parameter to influence backend selection.
  * This release fixes compile error with BoringSSL.
- Add patch from upstream to build with new boost bsc#1134616:
  * boost170.patch

++++ python-pip:

- Update to 19.1.1:
  - Restore pyproject.toml handling to how it was with pip 19.0.3 to prevent the need to add --no-use-pep517 when installing in editable mode. (#6434)
  - Fix a regression that caused @ to be quoted in pypiserver links. This interfered with parsing the revision string from VCS urls. (#6440)
  - Configuration files may now also be stored under sys.prefix (#5060)
  - Avoid creating an unnecessary local clone of a Bazaar branch when exporting. (#5443)
  - Include in pip's User-Agent string whether it looks like pip is running under CI. (#5499)
  - A custom (JSON-encoded) string can now be added to pip's User-Agent using the PIP_USER_AGENT_USER_DATA environment variable. (#5549)
  - For consistency, passing --no-cache-dir no longer affects whether wheels will be built. In this case, a temporary directory is used. (#5749)
  - Command arguments in subprocess log messages are now quoted using shlex.quote(). (#6290)
  - Prefix warning and error messages in log output with WARNING and ERROR. (#6298)
  - Using --build-options in a PEP 517 build now fails with an error, rather than silently ignoring the option. (#6305)
  - Error out with an informative message if one tries to install a pyproject.toml-style (PEP 517) source tree using --editable mode. (#6314)
  - When downloading a package, the ETA and average speed now only update once per second for better legibility. (#6319)
  - The stdout and stderr from VCS commands run by pip as subprocesses (e.g. git, hg, etc.) no longer pollute pip's stdout. (#1219)
  - Fix handling of requests exceptions when dependencies are debundled. (#4195)
  - Make pip's self version check avoid recommending upgrades to prereleases if the currently-installed version is stable. (#5175)
  - Fixed crash when installing a requirement from a URL that comes from a dependency without a URL. (#5889)
  - Improve handling of file URIs: correctly handle file://localhost/... and don't try to use UNC paths on Unix. (#5892)
  - Fix utils.encoding.auto_decode() LookupError with invalid encodings. utils.encoding.auto_decode() was broken when decoding Big Endian BOM byte-strings on Little Endian or vice versa. (#6054)
  - Fix incorrect URL quoting of IPv6 addresses. (#6285)
  - Redact the password from the extra index URL when using pip -v. (#6295)
  - The spinner no longer displays a completion message after subprocess calls not needing a spinner. It also no longer incorrectly reports an error after certain subprocess calls to Git that succeeded. (#6312)
  - Fix the handling of editable mode during installs when pyproject.toml is present but PEP 517 doesn't require the source tree to be treated as pyproject.toml-style. (#6370)
  - Fix NameError when handling an invalid requirement. (#6419)
  - Make dashes render correctly when displaying long options like --find-links in the text. (#6422)

------------------------------------------------------------------
------------------ 2019-5-9 - May 9 2019 -------------------
------------------------------------------------------------------
++++ util-linux:

- Update to version 2.33.2 (bsc#1134337):
  * agetty: Fix 8-bit processing in get_logname() (bsc#1125886).
  * mount: Fix "mount" output for net file systems (bsc#1122417).
  * Many Other fixes, see https://www.kernel.org/pub/linux/utils/util-linux/v2.33/v2.33.2-ReleaseNotes

++++ systemd:

- Add debug-only-remove-new-policies.patch
  A temporary patch to suppress the new DBUS methods introduced by v242 until they are reviewed and whitelisted by the secteam.
- Add a comment explaining why static enablement symlinks in /etc are suppressed
  Also remove any /etc/systemd/system/*.requires/ symlinks for the same reason.
------------------------------------------------------------------
------------------ 2019-5-8 - May 8 2019 -------------------
------------------------------------------------------------------
++++ git:

- Add 0001-DOC-Move-to-DocBook-5-when-using-asciidoctor.patch: Move to DocBook 5.x. Asciidoctor 2.x no longer supports the legacy DocBook 4.5 format.

------------------------------------------------------------------
------------------ 2019-5-7 - May 7 2019 -------------------
------------------------------------------------------------------
++++ krb5:

- Move LDAP schema files from /usr/share/doc/packages/krb5 to /usr/share/kerberos/ldap; (bsc#1134217);

++++ linux-glibc-devel:

- Update to kernel headers 5.1

------------------------------------------------------------------
------------------ 2019-5-2 - May 2 2019 -------------------
------------------------------------------------------------------
++++ util-linux:

- Fix problems in reading of login.defs values (bsc#1121197, util-linux-login_defs-priority1.patch, util-linux-login_defs-priority2.patch, util-linux-login_defs-SYS_UID.patch).
- Perform one-time reset of /etc/default/su (bsc#1121197).
- Add virtual symbols for login.defs compatibility (bsc#1121197).
- Add login.defs safety check util-linux-login_defs-check.sh (bsc#1121197).

++++ systemd:

- preset remote-cryptsetup.target during package installation
  This target is supposed to be part of the targets that should be enabled (or not depending on the presets) at package installation.
- Upgrade to v242 (commit 071c380dcc434dca2a0c8b6de0519cc9e816c6d6)
  See https://github.com/openSUSE/systemd/blob/SUSE/v242/NEWS for details.
  This includes the following bug fixes:
  - upstream commit bf65b7e0c9fc215897b676ab9a7c9d1c688143ba (CVE-2019-3843)
  - upstream commit bf65b7e0c9fc215897b676ab9a7c9d1c688143ba (CVE-2019-3844)
  - upstream commit 37ed15d7edaf59a1fc7c9e3552cd93a83f3814ef (bsc#1124122)
  - upstream commit bf65b7e0c9fc215897b676ab9a7c9d1c688143ba (bsc#1133506)
  - upstream commit bf65b7e0c9fc215897b676ab9a7c9d1c688143ba (bsc#1133509)
  - upstream commit 1f82f5bb4237ed5f015daf93f818e9db95e764b8 (bsc#1150595)
  - upstream commit e55bdf9b6c5f72475b258a7a4585a0480551cb60 (bsc#1173422)

++++ python-rpm-macros:

- Update to version 20190430.5260267:
  * Yet another attempt to preserve $PYTHONPATH set in the environment.
  * Document also %pytest_arch
  * Document %pytest in README.md

++++ shadow:

- don't specify MOTD_FILE in login.defs but fall back to built in defaults of login (boo#1133929)

------------------------------------------------------------------
------------------ 2019-4-30 - Apr 30 2019 -------------------
------------------------------------------------------------------
++++ lvm2-device-mapper:

- Fix devices drop open error message (bsc#1122666)
  + bug-1122666_devices-drop-open-error-message.patch

++++ python3-core:

- Update to 3.6.8:
  - bugfixes only
  - removed patches (subsumed in the upstream tarball):
    - CVE-2018-20406-pickle_LONG_BINPUT.patch
  - refreshed patches:
    - CVE-2019-5010-null-defer-x509-cert-DOS.patch
    - CVE-2019-9636-urlsplit-NFKC-norm.patch
    - Python-3.0b1-record-rpm.patch
    - python-3.3.0b1-fix_date_time_compiler.patch
    - python-3.3.0b1-test-posix_fadvise.patch
    - python-3.3.3-skip-distutils-test_sysconfig_module.patch
    - python-3.6.0-multilib-new.patch
    - python3-sorted_tar.patch
    - subprocess-raise-timeout.patch
- switch off LTO and PGO optimization (bsc#1133452)
- bsc#1130840 (CVE-2019-9947): add CVE-2019-9947-no-ctrl-char-http.patch
  Address the issue by disallowing URL paths with embedded whitespace or control characters through into the underlying http client request. Such potentially malicious header injection URLs now cause a ValueError to be raised.

++++ permissions:

- Added 0004-var-cache-man.patch. Removed entry for /var/cache/man. Conflicts with packaging and man:man is the better setting anyway (bsc#1133678)

++++ python3:

- Update to 3.6.8:
  - bugfixes only
  - removed patches (subsumed in the upstream tarball):
    - CVE-2018-20406-pickle_LONG_BINPUT.patch
  - refreshed patches:
    - CVE-2019-5010-null-defer-x509-cert-DOS.patch
    - CVE-2019-9636-urlsplit-NFKC-norm.patch
    - Python-3.0b1-record-rpm.patch
    - python-3.3.0b1-fix_date_time_compiler.patch
    - python-3.3.0b1-test-posix_fadvise.patch
    - python-3.3.3-skip-distutils-test_sysconfig_module.patch
    - python-3.6.0-multilib-new.patch
    - python3-sorted_tar.patch
    - subprocess-raise-timeout.patch
- switch off LTO and PGO optimization (bsc#1133452)
- bsc#1130840 (CVE-2019-9947): add CVE-2019-9947-no-ctrl-char-http.patch
  Address the issue by disallowing URL paths with embedded whitespace or control characters through into the underlying http client request. Such potentially malicious header injection URLs now cause a ValueError to be raised.

++++ shadow:

- Split shadow-login_defs.patch hunks to its logical components (bsc#1121197):
  * shadow-login_defs-unused-by-pam.patch
  * shadow-login_defs-comments.patch
  * shadow-util-linux.patch
  * shadow-login_defs-suse.patch
  * Move appropriate hunks to chkname-regex.patch and encryption_method_nis.patch
  * Remove GROUPADD_CMD that is not supported (bsc#1121197#c14).
- Split getdef-new-defs.patch hunks to its logical components (bsc#1121197):
  * encryption_method_nis.patch
  * chkname-regex.patch
  * shadow-util-linux.patch
    Add support for login: ALWAYS_SET_PATH and LOGIN_PLAIN_PROMPT.
  * useradd-script.patch, userdel-script.patch
  * Remove duplicated definitions of MOTD_FILE and ENV_PATH.
- Add shadow-login_defs-unused-check.sh to allow verification of login.defs variable usage (bsc#1121197).
- Add virtual symbols for login.defs compatibility (bsc#1121197).
------------------------------------------------------------------
------------------ 2019-4-29 - Apr 29 2019 -------------------
------------------------------------------------------------------
++++ binutils:

- Add binutils-pr24486.patch: fix for PR24486 (boo#1133131 boo#1133232).

++++ libtasn1:

- Add libtasn1-object-id-recursion.patch: limit recursion in _asn1_expand_object_id (boo#1105435 CVE-2018-1000654, https://gitlab.com/gnutls/libtasn1/merge_requests/8)

------------------------------------------------------------------
------------------ 2019-4-25 - Apr 25 2019 -------------------
------------------------------------------------------------------
++++ libselinux:

- Disable LTO (boo#1133244).

------------------------------------------------------------------
------------------ 2019-4-24 - Apr 24 2019 -------------------
------------------------------------------------------------------
++++ gcc7:

- Update to gcc-7-branch head (r270528).
  * Disables switch jump-tables when retpolines are used. [bsc#1131264, jsc#SLE-6738]

++++ systemd:

- Drop "BuildRequires: -post-build-checks" from the specfile (bsc#1130230)
  The syntax of this directive is obsolete and should be replaced by "#!BuildIgnore: post-build-checks". However there are no good reasons to disable these SUSE extra checks, so let's re-enable them and fix the few errors they detected.

------------------------------------------------------------------
------------------ 2019-4-23 - Apr 23 2019 -------------------
------------------------------------------------------------------
++++ binutils:

- Add rx-gas-padding-pr24464.patch: fix for PR24464.

++++ libapparmor:

- Disable LTO (boo#1133091).

------------------------------------------------------------------
------------------ 2019-4-20 - Apr 20 2019 -------------------
------------------------------------------------------------------
++++ blog:

- Implement shared library packaging guideline.
------------------------------------------------------------------
------------------ 2019-4-18 - Apr 18 2019 -------------------
------------------------------------------------------------------
++++ bzip2:

- add bzip2-1.0.6-CVE-2016-3189.patch to fix a heap use after free vulnerability that was reported in bzip2recover [bsc#985657] [CVE-2016-3189]

++++ icu:

- Update to new upstream release 64.2
  * This maintenance update for ICU 64 includes draft Unicode 12.1 update, CLDR 35.1 locale data and support for the new Japanese era Reiwa (令和). (boo#1112183, bnc#1103893, FATE#325570)

++++ python-pyparsing:

- update to 2.4.0
- drop nose_to_unittest.patch
- drop _service
  * Adds a pyparsing.__compat__ object for specifying compatibility with future breaking changes.
  * Conditionalizes the API-breaking behavior, based on the value pyparsing.__compat__.collect_all_And_tokens. By default, this value will be set to True, reflecting the new bugfixed behavior.
  * User code that is dependent on the pre-bugfix behavior can restore it by setting this value to False.
  * Updated unitTests.py and simple_unit_tests.py to be compatible with "python setup.py test".
  * Fixed bug in runTests handling '\n' literals in quoted strings.
  * Added tag_body attribute to the start tag expressions generated by makeHTMLTags, so that you can avoid using SkipTo to roll your own tag body expression:
  * indentedBlock failure handling was improved
  * Address Py2 incompatibility in simpleUnitTests, plus explain() and Forward str() cleanup
  * Fixed docstring with embedded '\w', which creates SyntaxWarnings in Py3.8.
  * Added example parser for rosettacode.org tutorial compiler.
  * Added example to show how an HTML table can be parsed into a collection of Python lists or dicts, one per row.
  * Updated SimpleSQL.py example to handle nested selects, reworked 'where' expression to use infixNotation.
  * Added include_preprocessor.py, similar to macroExpander.py.
  * Examples using makeHTMLTags use new tag_body expression when retrieving a tag's body text.
  * Updated examples that are runnable as unit tests

------------------------------------------------------------------
------------------ 2019-4-17 - Apr 17 2019 -------------------
------------------------------------------------------------------
++++ sqlite3:

- Upgrade to 3.28.0:
  * CVE-2019-9936, bsc#1130326: running fts5 prefix queries inside a transaction could trigger a heap-based buffer over-read.
  * CVE-2019-9937, bsc#1130325: interleaving reads and writes in a single transaction with an fts5 virtual table will lead to a NULL Pointer Dereference.
  * Enhanced window functions
  * Enhanced VACUUM INTO so that it works for read-only databases.
  * New query optimizations.
  * Added the sqlite3_value_frombind() API for determining if the argument to an SQL function is from a bound parameter.
  * Security and compatibilities enhancements to fts3_tokenizer().
  * Improved robustness against corrupt database files.