Packages changed: AppStream (0.14.4 -> 0.14.6) MozillaThunderbird (91.1.2 -> 91.2.1) apache2-mod_php7 (7.4.24 -> 7.4.25) bluez-tools (0.1.38+git20190428 -> 0.1.38+git.20201024T225355.f653217) freerdp (2.4.0 -> 2.4.1) grub2 gstreamer-devtools kernel-64kb (5.14.11 -> 5.14.14) kernel-source (5.14.11 -> 5.14.14) libguestfs libyui (4.2.19 -> 4.2.20) libyui-ncurses (4.2.19 -> 4.2.20) libyui-ncurses-pkg (4.2.19 -> 4.2.20) libyui-qt (4.2.19 -> 4.2.20) libyui-qt-graph (4.2.19 -> 4.2.20) libyui-qt-pkg (4.2.19 -> 4.2.20) logrotate mpg123 (1.29.1 -> 1.29.2) ncurses (6.2.20211002 -> 6.3.20211021) ocfs2-tools parted pcre2 (10.37 -> 10.38) perl-Mojolicious (9.21 -> 9.22) php7 (7.4.24 -> 7.4.25) plasma5-openSUSE polkit postfix privoxy python python-Babel python-Mako (1.1.4 -> 1.1.5) python-base python-cryptography (3.3.2 -> 3.4.8) python-numpy python-pandas (1.3.3 -> 1.3.4) python-rpm (4.16.1.3 -> 4.17.0) python38 python38-core python38-documentation qca-qt5 rpm (4.16.1.3 -> 4.17.0) rpm-config-SUSE (0.g83 -> 0.g89) rsyslog (8.2108.0 -> 8.2110.0) suse-module-tools (16.0.11 -> 16.0.13) systemd-rpm-macros tigervnc transactional-update (3.5.6 -> 3.6.0) u-boot-rpiarm64 virt-manager yast2-country (4.4.6 -> 4.4.7) === Details === ==== AppStream ==== Version update (0.14.4 -> 0.14.6) Subpackages: libAppStreamQt2 libappstream4 - Update to 0.14.6. Check the NEWS file for the list of changes. - Only install the license files once. ==== MozillaThunderbird ==== Version update (91.1.2 -> 91.2.1) - Mozilla Thunderbird 91.2.1 * Preference added to disable automatic pausing RSS feed updates after a fetch failure * several bugfixes as outlined in release notes https://www.thunderbird.net/en-US/thunderbird/91.2.1/releasenotes/ - Increase memory required per threads for aarch64 to avoid OOM - Enable LTO on Tumbleweed. - add mozilla-bmo1724679.patch (bmo#1724679, boo#1182863) fix some env variables which are enabled for any value - Mozilla Thunderbird 91.2.0 * Saving a single message as .eml now uses a unique filename * New mail notifications did not properly take subfolders into account * Decrypting binary attachments when using an external GnuPG configuration failed * Account name fields in the account manager were not big enough for long names * LDAP searches using an extensibleMatch filter returned no results * Read-only CalDAV calendars and CardDAV address books were not detected * Multipart messages containing a calendar invite did not display any of the human-readable alternatives * Some calendar days were displayed incorrectly or duplicated (eg. two "29th" days of a particular month) * Phantom event was shown at the end of each day in Calendar week view MFSA 2021-46 (bsc#1191332) * CVE-2021-38496 (bmo#1725335) Use-after-free in MessageTask * CVE-2021-38497 (bmo#1726621) Validation message could have been overlaid on another origin * CVE-2021-38498 (bmo#1729642) Use-after-free of nsLanguageAtomService object * CVE-2021-32810 (bmo#1729813, https://github.com/crossbeam- rs/crossbeam/security/advisories/GHSA-pqqp-xmhj-wgcw) Data race in crossbeam-deque * CVE-2021-38500 (bmo#1725854, bmo#1728321) Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, and Firefox ESR 91.2 * CVE-2021-38501 (bmo#1685354, bmo#1715755, bmo#1723176) Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2 ==== apache2-mod_php7 ==== Version update (7.4.24 -> 7.4.25) - updated to 7.4.25: This is a security release (CVE-2021-21703) which also contains several bug fixes. See https://www.php.net/ChangeLog-7.php#7.4.25 ==== bluez-tools ==== Version update (0.1.38+git20190428 -> 0.1.38+git.20201024T225355.f653217) - Update to version 0.1.38+git.20201024T225355.f653217 (changes since 0.1.38+git20190428): * Fix bt-agent file reloading signal handler setup. * Remove incorrectly handled error argument from device_* calls. * Fix gcc-10 compile. * Correct the signal handler registration bt-agent. ==== freerdp ==== Version update (2.4.0 -> 2.4.1) - Upgraded to freerdp 2.4.1 Important security issues, boo#1191895: * CVE-2021-41159: Improper client input validation for gateway connections allows to overwrite memory * CVE-2021-41160: Improper region checks in all clients allow out of bound write to memory Noteworthy changes: * Refactored RPC gateway parsing code * OpenSSL 3.0 compatibility fixes * USB redirection: fixed transfer lengths Fixed issues: * #gh:FreeRDP/FreeRDP#7363: Length checks in ConvertUTF8toUTF16 * #gh:FreeRDP/FreeRDP#7349: Added checks for bitmap width and heigth values - Force library update to the latest, renamed versions (followup to boo#1191755) - Renamed libraries to follow packaging standards as requested in boo#1191755 ==== grub2 ==== Subpackages: grub2-arm64-efi grub2-snapper-plugin grub2-systemd-sleep-plugin - Fix installation on usrmerged s390x ==== gstreamer-devtools ==== Subpackages: libgstvalidate-1_0-0 typelib-1_0-GstValidate-1_0 - Pass debug_viewer=enabled to meson, build the optional gst-debug-viewer app. ==== kernel-64kb ==== Version update (5.14.11 -> 5.14.14) - Update patches.kernel.org/5.14.14-060-x86-fpu-Mask-out-the-invalid-MXCSR-bits-prope.patch (bsc#1012628 bsc#1191855). - commit 2b5383f - Linux 5.14.14 (bsc#1012628). - ALSA: usb-audio: Add quirk for VF0770 (bsc#1012628). - ALSA: pcm: Workaround for a wrong offset in SYNC_PTR compat ioctl (bsc#1012628). - ALSA: usb-audio: Fix a missing error check in scarlett gen2 mixer (bsc#1012628). - ALSA: seq: Fix a potential UAF by wrong private_free call order (bsc#1012628). - ALSA: hda/realtek: Enable 4-speaker output for Dell Precision 5560 laptop (bsc#1012628). - ALSA: hda - Enable headphone mic on Dell Latitude laptops with ALC3254 (bsc#1012628). - ALSA: hda/realtek: Complete partial device name to avoid ambiguity (bsc#1012628). - ALSA: hda/realtek: Add quirk for Clevo X170KM-G (bsc#1012628). - ALSA: hda/realtek - ALC236 headset MIC recording issue (bsc#1012628). - ALSA: hda/realtek: Add quirk for TongFang PHxTxX1 (bsc#1012628). - ALSA: hda/realtek: Fix for quirk to enable speaker output on the Lenovo 13s Gen2 (bsc#1012628). - ALSA: hda/realtek: Fix the mic type detection issue for ASUS G551JW (bsc#1012628). - platform/x86: gigabyte-wmi: add support for B550 AORUS ELITE AX V2 (bsc#1012628). - platform/x86: amd-pmc: Add alternative acpi id for PMC controller (bsc#1012628). - spi: atmel: Fix PDC transfer setup bug (bsc#1012628). - mtd: rawnand: qcom: Update code word value for raw read (bsc#1012628). - nds32/ftrace: Fix Error: invalid operands (*UND* and *UND* sections) for `^' (bsc#1012628). - dm: fix mempool NULL pointer race when completing IO (bsc#1012628). - ACPI: PM: Include alternate AMDI0005 id in special behaviour (bsc#1012628). - dm rq: don't queue request to blk-mq during DM suspend (bsc#1012628). - s390: fix strrchr() implementation (bsc#1012628). - clk: socfpga: agilex: fix duplicate s2f_user0_clk (bsc#1012628). - csky: don't let sigreturn play with priveleged bits of status register (bsc#1012628). - csky: Fixup regs.sr broken in ptrace (bsc#1012628). - drm/fbdev: Clamp fbdev surface size if too large (bsc#1012628). - arm64/hugetlb: fix CMA gigantic page order for non-4K PAGE_SIZE (bsc#1012628). - drm/nouveau/fifo: Reinstate the correct engine bit programming (bsc#1012628). - drm/msm: Do not run snapshot on non-DPU devices (bsc#1012628). - drm/msm: Avoid potential overflow in timeout_to_jiffies() (bsc#1012628). - btrfs: unlock newly allocated extent buffer after error (bsc#1012628). - btrfs: deal with errors when replaying dir entry during log replay (bsc#1012628). - btrfs: deal with errors when adding inode reference during log replay (bsc#1012628). - btrfs: check for error when looking up inode during dir entry replay (bsc#1012628). - btrfs: update refs for any root except tree log roots (bsc#1012628). - btrfs: fix abort logic in btrfs_replace_file_extents (bsc#1012628). - module: fix clang CFI with MODULE_UNLOAD=n (bsc#1012628). - x86/resctrl: Free the ctrlval arrays when domain_setup_mon_state() fails (bsc#1012628). - mei: me: add Ice Lake-N device id (bsc#1012628). - mei: hbm: drop hbm responses on early shutdown (bsc#1012628). - USB: xhci: dbc: fix tty registration race (bsc#1012628). - xhci: guard accesses to ep_state in xhci_endpoint_reset() (bsc#1012628). - xhci: add quirk for host controllers that don't update endpoint DCS (bsc#1012628). - xhci: Fix command ring pointer corruption while aborting a command (bsc#1012628). - xhci: Enable trust tx length quirk for Fresco FL11 USB controller (bsc#1012628). - cb710: avoid NULL pointer subtraction (bsc#1012628). - efi/cper: use stack buffer for error record decoding (bsc#1012628). - efi: Change down_interruptible() in virt_efi_reset_system() to down_trylock() (bsc#1012628). - usb: musb: dsps: Fix the probe error path (bsc#1012628). - Input: xpad - add support for another USB ID of Nacon GC-100 (bsc#1012628). - USB: serial: qcserial: add EM9191 QDL support (bsc#1012628). - USB: serial: option: add Quectel EC200S-CN module support (bsc#1012628). - USB: serial: option: add Telit LE910Cx composition 0x1204 (bsc#1012628). - USB: serial: option: add prod. id for Quectel EG91 (bsc#1012628). - misc: fastrpc: Add missing lock before accessing find_vma() (bsc#1012628). - virtio: write back F_VERSION_1 before validate (bsc#1012628). - EDAC/armada-xp: Fix output of uncorrectable error counter (bsc#1012628). - nvmem: Fix shift-out-of-bound (UBSAN) with byte size cells (bsc#1012628). - virtio-blk: remove unneeded "likely" statements (bsc#1012628). - Revert "virtio-blk: Add validation for block size in config space" (bsc#1012628). - x86/Kconfig: Do not enable AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT automatically (bsc#1012628). - powerpc/xive: Discard disabled interrupts in get_irqchip_state() (bsc#1012628). - iio: adc: aspeed: set driver data when adc probe (bsc#1012628). - drivers: bus: simple-pm-bus: Add support for probing simple bus only devices (bsc#1012628). - driver core: Reject pointless SYNC_STATE_ONLY device links (bsc#1012628). - iio: adc: ad7192: Add IRQ flag (bsc#1012628). - iio: adc: ad7780: Fix IRQ flag (bsc#1012628). - iio: adc: ad7793: Fix IRQ flag (bsc#1012628). - iio: adis16480: fix devices that do not support sleep mode (bsc#1012628). - iio: adc128s052: Fix the error handling path of 'adc128_probe()' (bsc#1012628). - iio: adc: max1027: Fix wrong shift with 12-bit devices (bsc#1012628). - iio: adis16475: fix deadlock on frequency set (bsc#1012628). - iio: mtk-auxadc: fix case IIO_CHAN_INFO_PROCESSED (bsc#1012628). - iio: light: opt3001: Fixed timeout error when 0 lux (bsc#1012628). - iio: accel: fxls8962af: return IRQ_HANDLED when fifo is flushed (bsc#1012628). - iio: adc: max1027: Fix the number of max1X31 channels (bsc#1012628). - iio: ssp_sensors: add more range checking in ssp_parse_dataframe() (bsc#1012628). - iio: ssp_sensors: fix error code in ssp_print_mcu_debug() (bsc#1012628). - Input: resistive-adc-touch - fix division by zero error on z1 == 0 (bsc#1012628). - eeprom: 93xx46: Add SPI device ID table (bsc#1012628). - eeprom: 93xx46: fix MODULE_DEVICE_TABLE (bsc#1012628). - eeprom: at25: Add SPI ID table (bsc#1012628). - fpga: ice40-spi: Add SPI device ID table (bsc#1012628). - iio: dac: ti-dac5571: fix an error code in probe() (bsc#1012628). - tracing: Fix missing osnoise tracer on max_latency (bsc#1012628). - tee: optee: Fix missing devices unregister during optee_remove (bsc#1012628). - ARM: dts: bcm2711-rpi-4-b: Fix usb's unit address (bsc#1012628). - ARM: dts: bcm283x: Fix VEC address for BCM2711 (bsc#1012628). - ARM: dts: bcm2711: fix MDIO #address- and #size-cells (bsc#1012628). - firmware: arm_ffa: Fix __ffa_devices_unregister (bsc#1012628). - firmware: arm_ffa: Add missing remove callback to ffa_bus_type (bsc#1012628). - ARM: dts: bcm2711-rpi-4-b: fix sd_io_1v8_reg regulator states (bsc#1012628). - ARM: dts: bcm2711-rpi-4-b: Fix pcie0's unit address formatting (bsc#1012628). - clk: renesas: rzg2l: Fix clk status function (bsc#1012628). - nvme-pci: Fix abort command id (bsc#1012628). - sctp: account stream padding length for reconf chunk (bsc#1012628). - gpio: 74x164: Add SPI device ID table (bsc#1012628). - gpio: pca953x: Improve bias setting (bsc#1012628). - net: arc: select CRC32 (bsc#1012628). - net: korina: select CRC32 (bsc#1012628). - net/smc: improved fix wait on already cleared link (bsc#1012628). - net/mlx5e: Fix memory leak in mlx5_core_destroy_cq() error path (bsc#1012628). - net/mlx5e: Mutually exclude RX-FCS and RX-port-timestamp (bsc#1012628). - net/mlx5e: Switchdev representors are not vlan challenged (bsc#1012628). - net: stmmac: fix get_hw_feature() on old hardware (bsc#1012628). - net: phy: Do not shutdown PHYs in READY state (bsc#1012628). - net: dsa: mv88e6xxx: don't use PHY_DETECT on internal PHY's (bsc#1012628). - net: dsa: microchip: Added the condition for scheduling ksz_mib_read_work (bsc#1012628). - net: dsa: fix spurious error message when unoffloaded port leaves bridge (bsc#1012628). - net: encx24j600: check error in devm_regmap_init_encx24j600 (bsc#1012628). - ethernet: s2io: fix setting mac address during resume (bsc#1012628). - vhost-vdpa: Fix the wrong input in config_cb (bsc#1012628). - nfc: fix error handling of nfc_proto_register() (bsc#1012628). - NFC: digital: fix possible memory leak in digital_tg_listen_mdaa() (bsc#1012628). - NFC: digital: fix possible memory leak in digital_in_send_sdd_req() (bsc#1012628). - pata_legacy: fix a couple uninitialized variable bugs (bsc#1012628). - ata: ahci_platform: fix null-ptr-deref in ahci_platform_enable_regulators() (bsc#1012628). - mlxsw: thermal: Fix out-of-bounds memory accesses (bsc#1012628). - platform/mellanox: mlxreg-io: Fix argument base in kstrtou32() call (bsc#1012628). - platform/mellanox: mlxreg-io: Fix read access of n-bytes size attributes (bsc#1012628). - spi: spidev: Add SPI ID table (bsc#1012628). - spi: bcm-qspi: clear MSPI spifie interrupt during probe (bsc#1012628). - drm/panel: olimex-lcd-olinuxino: select CRC32 (bsc#1012628). - drm/edid: In connector_bad_edid() cap num_of_ext by num_blocks read (bsc#1012628). - drm/msm: Fix null pointer dereference on pointer edp (bsc#1012628). - drm/msm/mdp5: fix cursor-related warnings (bsc#1012628). - drm/msm/submit: fix overflow check on 64-bit architectures (bsc#1012628). - drm/msm/a6xx: Track current ctx by seqno (bsc#1012628). - drm/msm/a4xx: fix error handling in a4xx_gpu_init() (bsc#1012628). - drm/msm/a3xx: fix error handling in a3xx_gpu_init() (bsc#1012628). - drm/msm/dsi: dsi_phy_14nm: Take ready-bit into account in poll_for_ready (bsc#1012628). - drm/msm/dsi: Fix an error code in msm_dsi_modeset_init() (bsc#1012628). - drm/msm/dsi: fix off by one in dsi_bus_clk_enable error handling (bsc#1012628). - acpi/arm64: fix next_platform_timer() section mismatch error (bsc#1012628). - platform/x86: intel_scu_ipc: Fix busy loop expiry time (bsc#1012628). - mqprio: Correct stats in mqprio_dump_class_stats() (bsc#1012628). - mptcp: fix possible stall on recvmsg() (bsc#1012628). - qed: Fix missing error code in qed_slowpath_start() (bsc#1012628). - r8152: select CRC32 and CRYPTO/CRYPTO_HASH/CRYPTO_SHA256 (bsc#1012628). - ice: fix locking for Tx timestamp tracking flush (bsc#1012628). - block/rnbd-clt-sysfs: fix a couple uninitialized variable bugs (bsc#1012628). - nfp: flow_offload: move flow_indr_dev_register from app init to app start (bsc#1012628). - net: mscc: ocelot: make use of all 63 PTP timestamp identifiers (bsc#1012628). - net: mscc: ocelot: avoid overflowing the PTP timestamp FIFO (bsc#1012628). - net: mscc: ocelot: warn when a PTP IRQ is raised for an unknown skb (bsc#1012628). - net: mscc: ocelot: deny TX timestamping of non-PTP packets (bsc#1012628). - net: mscc: ocelot: cross-check the sequence id from the timestamp FIFO with the skb PTP header (bsc#1012628). - net: dsa: felix: break at first CPU port during init and teardown (bsc#1012628). - ionic: don't remove netdev->dev_addr when syncing uc list (bsc#1012628). - commit 6859230 - media: firewire: firedtv-avc: fix a buffer overflow in avc_ca_pmt() (CVE-2021-3542 bsc#1184673). - commit 08ab8da - x86/fpu: Mask out the invalid MXCSR bits properly (x86_32 breakage). - commit 565cd48 - rpm/kernel-obs-build.spec.in: reduce initrd functionality For building in OBS, we always build inside a virtual machine that gets a new, freshly created scratch filesystem image. So we do not need to handle fscks because that ain't gonna happen, as well as not we do not need to handle microcode update in the initrd as these only can be run on the host system anyway. We can also strip and hardlink as an additional optimisation that should not significantly hurt. - commit c72c6fc - Update upstream commit id for rtw89 patch (bsc#1191321) - commit 8dccb66 - Linux 5.14.13 (bsc#1012628). - hwmon: (pmbus/ibm-cffps) max_power_out swap changes (bsc#1012628). - io_uring: kill fasync (bsc#1012628). - sched: Always inline is_percpu_thread() (bsc#1012628). - perf/core: fix userpage->time_enabled of inactive events (bsc#1012628). - scsi: qla2xxx: Fix excessive messages during device logout (bsc#1012628). - scsi: virtio_scsi: Fix spelling mistake "Unsupport" -> "Unsupported" (bsc#1012628). - scsi: ses: Fix unsigned comparison with less than zero (bsc#1012628). - drm/amdgpu: fix gart.bo pin_count leak (bsc#1012628). - net: sun: SUNVNET_COMMON should depend on INET (bsc#1012628). - vboxfs: fix broken legacy mount signature checking (bsc#1012628). - net: bgmac-platform: handle mac-address deferral (bsc#1012628). - mac80211: check return value of rhashtable_init (bsc#1012628). - net: prevent user from passing illegal stab size (bsc#1012628). - hwmon: (ltc2947) Properly handle errors when looking for the external clock (bsc#1012628). - m68k: Handle arrivals of multiple signals correctly (bsc#1012628). - pinctrl: qcom: sc7280: Add PM suspend callbacks (bsc#1012628). - mac80211: Drop frames from invalid MAC address in ad-hoc mode (bsc#1012628). - netfilter: nf_nat_masquerade: defer conntrack walk to work queue (bsc#1012628). - netfilter: nf_nat_masquerade: make async masq_inet6_event handling generic (bsc#1012628). - KVM: arm64: nvhe: Fix missing FORCE for hyp-reloc.S build rule (bsc#1012628). - ASoC: SOF: loader: release_firmware() on load failure to avoid batching (bsc#1012628). - HID: wacom: Add new Intuos BT (CTL-4100WL/CTL-6100WL) device IDs (bsc#1012628). - netfilter: ip6_tables: zero-initialize fragment offset (bsc#1012628). - HID: apple: Fix logical maximum and usage maximum of Magic Keyboard JIS (bsc#1012628). - ALSA: usb-audio: Unify mixer resume and reset_resume procedure (bsc#1012628). - ALSA: oxfw: fix transmission method for Loud models based on OXFW971 (bsc#1012628). - ASoC: Intel: sof_sdw: tag SoundWire BEs as non-atomic (bsc#1012628). - ext4: correct the error path of ext4_write_inline_data_end() (bsc#1012628). - ext4: check and update i_disksize properly (bsc#1012628). - commit ab3ca44 - kernel-spec-macros: Since rpm 4.17 %verbose is unusable (bsc#1191229). The semantic changed in an incompatible way so invoking the macro now causes a build failure. - commit 3e55f55 - Linux 5.14.12 (bsc#1012628). - dsa: tag_dsa: Fix mask for trunked packets (bsc#1012628). - x86/hpet: Use another crystalball to evaluate HPET usability (bsc#1012628). - x86/entry: Clear X86_FEATURE_SMAP when CONFIG_X86_SMAP=n (bsc#1012628). - x86/entry: Correct reference to intended CONFIG_64_BIT (bsc#1012628). - x86/fpu: Restore the masking out of reserved MXCSR bits (bsc#1012628). - x86/sev: Return an error on a returned non-zero SW_EXITINFO1[31:0] (bsc#1012628). - x86/Kconfig: Correct reference to MWINCHIP3D (bsc#1012628). - x86/platform/olpc: Correct ifdef symbol to intended CONFIG_OLPC_XO15_SCI (bsc#1012628). - pseries/eeh: Fix the kdump kernel crash during eeh_pseries_init (bsc#1012628). - powerpc/32s: Fix kuap_kernel_restore() (bsc#1012628). - powerpc/64s: Fix unrecoverable MCE calling async handler from NMI (bsc#1012628). - powerpc/traps: do not enable irqs in _exception (bsc#1012628). - powerpc/64s: fix program check interrupt emergency stack path (bsc#1012628). - powerpc/bpf ppc32: Fix BPF_SUB when imm == 0x80000000 (bsc#1012628). - powerpc/bpf ppc32: Do not emit zero extend instruction for 64-bit BPF_END (bsc#1012628). - powerpc/bpf ppc32: Fix JMP32_JSET_K (bsc#1012628). - powerpc/bpf ppc32: Fix ALU32 BPF_ARSH operation (bsc#1012628). - powerpc/bpf: Fix BPF_SUB when imm == 0x80000000 (bsc#1012628). - powerpc/bpf: Fix BPF_MOD when imm == 1 (bsc#1012628). - objtool: Make .altinstructions section entry size consistent (bsc#1012628). - objtool: Remove reloc symbol type checks in get_alt_entry() (bsc#1012628). - scsi: iscsi: Fix iscsi_task use after free (bsc#1012628). - RISC-V: Include clone3() on rv32 (bsc#1012628). - i2c: mlxcpld: Modify register setting for 400KHz frequency (bsc#1012628). - i2c: mlxcpld: Fix criteria for frequency setting (bsc#1012628). - bpf, s390: Fix potential memory leak about jit_data (bsc#1012628). - riscv/vdso: make arch_setup_additional_pages wait for mmap_sem for write killable (bsc#1012628). - riscv/vdso: Move vdso data page up front (bsc#1012628). - riscv/vdso: Refactor asm/vdso.h (bsc#1012628). - RISC-V: Fix VDSO build for !MMU (bsc#1012628). - riscv: explicitly use symbol offsets for VDSO (bsc#1012628). - i2c: mediatek: Add OFFSET_EXT_CONF setting back (bsc#1012628). - i2c: acpi: fix resource leak in reconfiguration device addition (bsc#1012628). - powerpc/iommu: Report the correct most efficient DMA mask for PCI devices (bsc#1012628). - net: prefer socket bound to interface when not in VRF (bsc#1012628). - iavf: fix double unlock of crit_lock (bsc#1012628). - i40e: Fix freeing of uninitialized misc IRQ vector (bsc#1012628). - i40e: fix endless loop under rtnl (bsc#1012628). - gve: report 64bit tx_bytes counter from gve_handle_report_stats() (bsc#1012628). - gve: fix gve_get_stats() (bsc#1012628). - rtnetlink: fix if_nlmsg_stats_size() under estimation (bsc#1012628). - gve: Properly handle errors in gve_assign_qpl (bsc#1012628). - gve: Avoid freeing NULL pointer (bsc#1012628). - gve: Correct available tx qpl check (bsc#1012628). - net: stmmac: trigger PCS EEE to turn off on link down (bsc#1012628). - net: pcs: xpcs: fix incorrect steps on disable EEE (bsc#1012628). - drm/nouveau/debugfs: fix file release memory leak (bsc#1012628). - drm/nouveau/kms/nv50-: fix file release memory leak (bsc#1012628). - drm/nouveau: avoid a use-after-free when BO init fails (bsc#1012628). - video: fbdev: gbefb: Only instantiate device when built for IP32 (bsc#1012628). - drm/panel: abt-y030xx067a: yellow tint fix (bsc#1012628). - drm/nouveau/fifo/ga102: initialise chid on return from channel creation (bsc#1012628). - drm/sun4i: dw-hdmi: Fix HDMI PHY clock setup (bsc#1012628). - bus: ti-sysc: Use CLKDM_NOAUTO for dra7 dcan1 for errata i893 (bsc#1012628). - perf jevents: Free the sys_event_tables list after processing entries (bsc#1012628). - drm/amdgpu: handle the case of pci_channel_io_frozen only in amdgpu_pci_resume (bsc#1012628). - drm/amdkfd: fix a potential ttm->sg memory leak (bsc#1012628). - ARM: defconfig: gemini: Restore framebuffer (bsc#1012628). - netlink: annotate data races around nlk->bound (bsc#1012628). - net: pcs: xpcs: fix incorrect CL37 AN sequence (bsc#1012628). - net: sfp: Fix typo in state machine debug string (bsc#1012628). - net/sched: sch_taprio: properly cancel timer from taprio_destroy() (bsc#1012628). - net: bridge: fix under estimation in br_get_linkxstats_size() (bsc#1012628). - net: bridge: use nla_total_size_64bit() in br_get_linkxstats_size() (bsc#1012628). - afs: Fix afs_launder_page() to set correct start file position (bsc#1012628). - netfs: Fix READ/WRITE confusion when calling iov_iter_xarray() (bsc#1012628). - drm/i915/bdb: Fix version check (bsc#1012628). - drm/i915/tc: Fix TypeC port init/resume time sanitization (bsc#1012628). - drm/i915/jsl: Add W/A 1409054076 for JSL (bsc#1012628). - drm/i915/audio: Use BIOS provided value for RKL HDA link (bsc#1012628). - ARM: imx6: disable the GIC CPU interface before calling stby-poweroff sequence (bsc#1012628). - dt-bindings: drm/bridge: ti-sn65dsi86: Fix reg value (bsc#1012628). - arm64: dts: ls1028a: fix eSDHC2 node (bsc#1012628). - arm64: dts: imx8mm-kontron-n801x-som: do not allow to switch off buck2 (bsc#1012628). - arm64: dts: imx8: change the spi-nor tx (bsc#1012628). - ARM: dts: imx: change the spi-nor tx (bsc#1012628). - ptp_pch: Load module automatically if ID matches (bsc#1012628). - powerpc/fsl/dts: Fix phy-connection-type for fm1mac3 (bsc#1012628). - netfilter: nf_tables: honor NLM_F_CREATE and NLM_F_EXCL in event notification (bsc#1012628). - MIPS: Revert "add support for buggy MT7621S core detection" (bsc#1012628). - net: stmmac: dwmac-rk: Fix ethernet on rk3399 based devices (bsc#1012628). - net: mscc: ocelot: fix VCAP filters remaining active after being deleted (bsc#1012628). - net_sched: fix NULL deref in fifo_set_limit() (bsc#1012628). - libbpf: Fix memory leak in strset (bsc#1012628). - phy: mdio: fix memory leak (bsc#1012628). - libbpf: Fix segfault in light skeleton for objects without BTF (bsc#1012628). - net/mlx5e: Fix the presented RQ index in PTP stats (bsc#1012628). - net/mlx5: Fix setting number of EQs of SFs (bsc#1012628). - net/mlx5: Fix length of irq_index in chars (bsc#1012628). - net/mlx5: Avoid generating event after PPS out in Real time mode (bsc#1012628). - net/mlx5: Force round second at 1PPS out start time (bsc#1012628). - net/mlx5: E-Switch, Fix double allocation of acl flow counter (bsc#1012628). - net/mlx5e: Keep the value for maximum number of channels in-sync (bsc#1012628). - net/mlx5e: IPSEC RX, enable checksum complete (bsc#1012628). - bpf: Fix integer overflow in prealloc_elems_and_freelist() (bsc#1012628). - soc: ti: omap-prm: Fix external abort for am335x pruss (bsc#1012628). - bpf, arm: Fix register clobbering in div/mod implementation (bsc#1012628). - netfilter: nf_tables: reverse order in rule replacement expansion (bsc#1012628). - netfilter: nf_tables: add position handle in event notification (bsc#1012628). - netfilter: conntrack: fix boot failure with nf_conntrack.enable_hooks=1 (bsc#1012628). - iwlwifi: pcie: add configuration of a Wi-Fi adapter on Dell XPS 15 (bsc#1012628). - xtensa: call irqchip_init only when CONFIG_USE_OF is selected (bsc#1012628). - xtensa: use CONFIG_USE_OF instead of CONFIG_OF (bsc#1012628). - arm64: dts: qcom: pm8150: use qcom,pm8998-pon binding (bsc#1012628). - ath5k: fix building with LEDS=m (bsc#1012628). - PCI: hv: Fix sleep while in non-sleep context when removing child devices from the bus (bsc#1012628). - ARM: dts: imx6qdl-pico: Fix Ethernet support (bsc#1012628). - ARM: dts: imx: Fix USB host power regulator polarity on M53Menlo (bsc#1012628). - ARM: dts: imx: Add missing pinctrl-names for panel on M53Menlo (bsc#1012628). - soc: qcom: mdt_loader: Drop PT_LOAD check on hash segment (bsc#1012628). - iwlwifi: mvm: Fix possible NULL dereference (bsc#1012628). - ARM: at91: pm: do not panic if ram controllers are not enabled (bsc#1012628). - Revert "arm64: dts: qcom: sc7280: Fixup the cpufreq node" (bsc#1012628). - ARM: dts: qcom: apq8064: Use 27MHz PXO clock as DSI PLL reference (bsc#1012628). - soc: qcom: socinfo: Fixed argument passed to platform_set_data() (bsc#1012628). - bus: ti-sysc: Add break in switch statement in sysc_init_soc() (bsc#1012628). - riscv: Flush current cpu icache before other cpus (bsc#1012628). - scsi: ufs: core: Fix task management completion (bsc#1012628). - ARM: dts: qcom: apq8064: use compatible which contains chipid (bsc#1012628). - ARM: dts: imx6dl-yapp4: Fix lp5562 LED driver probe (bsc#1012628). - ARM: dts: omap3430-sdp: Fix NAND device node (bsc#1012628). - xen/balloon: fix cancelled balloon action (bsc#1012628). - SUNRPC: fix sign error causing rpcsec_gss drops (bsc#1012628). - nfsd4: Handle the NFSv4 READDIR 'dircount' hint being zero (bsc#1012628). - nfsd: fix error handling of register_pernet_subsys() in init_nfsd() (bsc#1012628). - ovl: fix IOCB_DIRECT if underlying fs doesn't support direct IO (bsc#1012628). - ovl: fix missing negative dentry check in ovl_rename() (bsc#1012628). - fbdev: simplefb: fix Kconfig dependencies (bsc#1012628). - Update config files. - mmc: sdhci-of-at91: replace while loop with read_poll_timeout (bsc#1012628). - mmc: sdhci-of-at91: wait for calibration done before proceed (bsc#1012628). - mmc: meson-gx: do not use memcpy_to/fromio for dram-access-quirk (bsc#1012628). - xen/privcmd: fix error handling in mmap-resource processing (bsc#1012628). - drm/i915: Extend the async flip VT-d w/a to skl/bxt (bsc#1012628). - drm/i915: Fix runtime pm handling in i915_gem_shrink (bsc#1012628). - drm/amd/display: Fix DCN3 B0 DP Alt Mapping (bsc#1012628). - drm/amd/display: Fix detection of 4 lane for DPALT (bsc#1012628). - drm/amd/display: Limit display scaling to up to 4k for DCN 3.1 (bsc#1012628). - drm/nouveau/ga102-: support ttm buffer moves via copy engine (bsc#1012628). - drm/nouveau/kms/tu102-: delay enabling cursor until after assign_windows (bsc#1012628). - drm/amdgpu: During s0ix don't wait to signal GFXOFF (bsc#1012628). - drm/amd/display: USB4 bring up set correct address (bsc#1012628). - drm/amd/display: Fix B0 USB-C DP Alt mode (bsc#1012628). - usb: typec: tipd: Remove dependency on "connector" child fwnode (bsc#1012628). - usb: typec: tcpm: handle SRC_STARTUP state if cc changes (bsc#1012628). - usb: typec: tcpci: don't handle vSafe0V event if it's not enabled (bsc#1012628). - USB: cdc-acm: fix break reporting (bsc#1012628). - USB: cdc-acm: fix racy tty buffer accesses (bsc#1012628). - usb: gadget: f_uac2: fixed EP-IN wMaxPacketSize (bsc#1012628). - usb: chipidea: ci_hdrc_imx: Also search for 'phys' phandle (bsc#1012628). - usb: cdc-wdm: Fix check for WWAN (bsc#1012628). - Partially revert "usb: Kconfig: using select for USB_COMMON dependency" (bsc#1012628). - Update config files. - commit 7246625 - rtw89: add Realtek 802.11ax driver (bsc#1191321). - commit 4c399ab - Enable CONFIG_RTW88_DEBUG and CONFIG_RTW89_DEBUG on debug flavors (bsc#1191321) - commit a76143b ==== kernel-source ==== Version update (5.14.11 -> 5.14.14) Subpackages: kernel-default kernel-docs - Update patches.kernel.org/5.14.14-060-x86-fpu-Mask-out-the-invalid-MXCSR-bits-prope.patch (bsc#1012628 bsc#1191855). - commit 2b5383f - Linux 5.14.14 (bsc#1012628). - ALSA: usb-audio: Add quirk for VF0770 (bsc#1012628). - ALSA: pcm: Workaround for a wrong offset in SYNC_PTR compat ioctl (bsc#1012628). - ALSA: usb-audio: Fix a missing error check in scarlett gen2 mixer (bsc#1012628). - ALSA: seq: Fix a potential UAF by wrong private_free call order (bsc#1012628). - ALSA: hda/realtek: Enable 4-speaker output for Dell Precision 5560 laptop (bsc#1012628). - ALSA: hda - Enable headphone mic on Dell Latitude laptops with ALC3254 (bsc#1012628). - ALSA: hda/realtek: Complete partial device name to avoid ambiguity (bsc#1012628). - ALSA: hda/realtek: Add quirk for Clevo X170KM-G (bsc#1012628). - ALSA: hda/realtek - ALC236 headset MIC recording issue (bsc#1012628). - ALSA: hda/realtek: Add quirk for TongFang PHxTxX1 (bsc#1012628). - ALSA: hda/realtek: Fix for quirk to enable speaker output on the Lenovo 13s Gen2 (bsc#1012628). - ALSA: hda/realtek: Fix the mic type detection issue for ASUS G551JW (bsc#1012628). - platform/x86: gigabyte-wmi: add support for B550 AORUS ELITE AX V2 (bsc#1012628). - platform/x86: amd-pmc: Add alternative acpi id for PMC controller (bsc#1012628). - spi: atmel: Fix PDC transfer setup bug (bsc#1012628). - mtd: rawnand: qcom: Update code word value for raw read (bsc#1012628). - nds32/ftrace: Fix Error: invalid operands (*UND* and *UND* sections) for `^' (bsc#1012628). - dm: fix mempool NULL pointer race when completing IO (bsc#1012628). - ACPI: PM: Include alternate AMDI0005 id in special behaviour (bsc#1012628). - dm rq: don't queue request to blk-mq during DM suspend (bsc#1012628). - s390: fix strrchr() implementation (bsc#1012628). - clk: socfpga: agilex: fix duplicate s2f_user0_clk (bsc#1012628). - csky: don't let sigreturn play with priveleged bits of status register (bsc#1012628). - csky: Fixup regs.sr broken in ptrace (bsc#1012628). - drm/fbdev: Clamp fbdev surface size if too large (bsc#1012628). - arm64/hugetlb: fix CMA gigantic page order for non-4K PAGE_SIZE (bsc#1012628). - drm/nouveau/fifo: Reinstate the correct engine bit programming (bsc#1012628). - drm/msm: Do not run snapshot on non-DPU devices (bsc#1012628). - drm/msm: Avoid potential overflow in timeout_to_jiffies() (bsc#1012628). - btrfs: unlock newly allocated extent buffer after error (bsc#1012628). - btrfs: deal with errors when replaying dir entry during log replay (bsc#1012628). - btrfs: deal with errors when adding inode reference during log replay (bsc#1012628). - btrfs: check for error when looking up inode during dir entry replay (bsc#1012628). - btrfs: update refs for any root except tree log roots (bsc#1012628). - btrfs: fix abort logic in btrfs_replace_file_extents (bsc#1012628). - module: fix clang CFI with MODULE_UNLOAD=n (bsc#1012628). - x86/resctrl: Free the ctrlval arrays when domain_setup_mon_state() fails (bsc#1012628). - mei: me: add Ice Lake-N device id (bsc#1012628). - mei: hbm: drop hbm responses on early shutdown (bsc#1012628). - USB: xhci: dbc: fix tty registration race (bsc#1012628). - xhci: guard accesses to ep_state in xhci_endpoint_reset() (bsc#1012628). - xhci: add quirk for host controllers that don't update endpoint DCS (bsc#1012628). - xhci: Fix command ring pointer corruption while aborting a command (bsc#1012628). - xhci: Enable trust tx length quirk for Fresco FL11 USB controller (bsc#1012628). - cb710: avoid NULL pointer subtraction (bsc#1012628). - efi/cper: use stack buffer for error record decoding (bsc#1012628). - efi: Change down_interruptible() in virt_efi_reset_system() to down_trylock() (bsc#1012628). - usb: musb: dsps: Fix the probe error path (bsc#1012628). - Input: xpad - add support for another USB ID of Nacon GC-100 (bsc#1012628). - USB: serial: qcserial: add EM9191 QDL support (bsc#1012628). - USB: serial: option: add Quectel EC200S-CN module support (bsc#1012628). - USB: serial: option: add Telit LE910Cx composition 0x1204 (bsc#1012628). - USB: serial: option: add prod. id for Quectel EG91 (bsc#1012628). - misc: fastrpc: Add missing lock before accessing find_vma() (bsc#1012628). - virtio: write back F_VERSION_1 before validate (bsc#1012628). - EDAC/armada-xp: Fix output of uncorrectable error counter (bsc#1012628). - nvmem: Fix shift-out-of-bound (UBSAN) with byte size cells (bsc#1012628). - virtio-blk: remove unneeded "likely" statements (bsc#1012628). - Revert "virtio-blk: Add validation for block size in config space" (bsc#1012628). - x86/Kconfig: Do not enable AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT automatically (bsc#1012628). - powerpc/xive: Discard disabled interrupts in get_irqchip_state() (bsc#1012628). - iio: adc: aspeed: set driver data when adc probe (bsc#1012628). - drivers: bus: simple-pm-bus: Add support for probing simple bus only devices (bsc#1012628). - driver core: Reject pointless SYNC_STATE_ONLY device links (bsc#1012628). - iio: adc: ad7192: Add IRQ flag (bsc#1012628). - iio: adc: ad7780: Fix IRQ flag (bsc#1012628). - iio: adc: ad7793: Fix IRQ flag (bsc#1012628). - iio: adis16480: fix devices that do not support sleep mode (bsc#1012628). - iio: adc128s052: Fix the error handling path of 'adc128_probe()' (bsc#1012628). - iio: adc: max1027: Fix wrong shift with 12-bit devices (bsc#1012628). - iio: adis16475: fix deadlock on frequency set (bsc#1012628). - iio: mtk-auxadc: fix case IIO_CHAN_INFO_PROCESSED (bsc#1012628). - iio: light: opt3001: Fixed timeout error when 0 lux (bsc#1012628). - iio: accel: fxls8962af: return IRQ_HANDLED when fifo is flushed (bsc#1012628). - iio: adc: max1027: Fix the number of max1X31 channels (bsc#1012628). - iio: ssp_sensors: add more range checking in ssp_parse_dataframe() (bsc#1012628). - iio: ssp_sensors: fix error code in ssp_print_mcu_debug() (bsc#1012628). - Input: resistive-adc-touch - fix division by zero error on z1 == 0 (bsc#1012628). - eeprom: 93xx46: Add SPI device ID table (bsc#1012628). - eeprom: 93xx46: fix MODULE_DEVICE_TABLE (bsc#1012628). - eeprom: at25: Add SPI ID table (bsc#1012628). - fpga: ice40-spi: Add SPI device ID table (bsc#1012628). - iio: dac: ti-dac5571: fix an error code in probe() (bsc#1012628). - tracing: Fix missing osnoise tracer on max_latency (bsc#1012628). - tee: optee: Fix missing devices unregister during optee_remove (bsc#1012628). - ARM: dts: bcm2711-rpi-4-b: Fix usb's unit address (bsc#1012628). - ARM: dts: bcm283x: Fix VEC address for BCM2711 (bsc#1012628). - ARM: dts: bcm2711: fix MDIO #address- and #size-cells (bsc#1012628). - firmware: arm_ffa: Fix __ffa_devices_unregister (bsc#1012628). - firmware: arm_ffa: Add missing remove callback to ffa_bus_type (bsc#1012628). - ARM: dts: bcm2711-rpi-4-b: fix sd_io_1v8_reg regulator states (bsc#1012628). - ARM: dts: bcm2711-rpi-4-b: Fix pcie0's unit address formatting (bsc#1012628). - clk: renesas: rzg2l: Fix clk status function (bsc#1012628). - nvme-pci: Fix abort command id (bsc#1012628). - sctp: account stream padding length for reconf chunk (bsc#1012628). - gpio: 74x164: Add SPI device ID table (bsc#1012628). - gpio: pca953x: Improve bias setting (bsc#1012628). - net: arc: select CRC32 (bsc#1012628). - net: korina: select CRC32 (bsc#1012628). - net/smc: improved fix wait on already cleared link (bsc#1012628). - net/mlx5e: Fix memory leak in mlx5_core_destroy_cq() error path (bsc#1012628). - net/mlx5e: Mutually exclude RX-FCS and RX-port-timestamp (bsc#1012628). - net/mlx5e: Switchdev representors are not vlan challenged (bsc#1012628). - net: stmmac: fix get_hw_feature() on old hardware (bsc#1012628). - net: phy: Do not shutdown PHYs in READY state (bsc#1012628). - net: dsa: mv88e6xxx: don't use PHY_DETECT on internal PHY's (bsc#1012628). - net: dsa: microchip: Added the condition for scheduling ksz_mib_read_work (bsc#1012628). - net: dsa: fix spurious error message when unoffloaded port leaves bridge (bsc#1012628). - net: encx24j600: check error in devm_regmap_init_encx24j600 (bsc#1012628). - ethernet: s2io: fix setting mac address during resume (bsc#1012628). - vhost-vdpa: Fix the wrong input in config_cb (bsc#1012628). - nfc: fix error handling of nfc_proto_register() (bsc#1012628). - NFC: digital: fix possible memory leak in digital_tg_listen_mdaa() (bsc#1012628). - NFC: digital: fix possible memory leak in digital_in_send_sdd_req() (bsc#1012628). - pata_legacy: fix a couple uninitialized variable bugs (bsc#1012628). - ata: ahci_platform: fix null-ptr-deref in ahci_platform_enable_regulators() (bsc#1012628). - mlxsw: thermal: Fix out-of-bounds memory accesses (bsc#1012628). - platform/mellanox: mlxreg-io: Fix argument base in kstrtou32() call (bsc#1012628). - platform/mellanox: mlxreg-io: Fix read access of n-bytes size attributes (bsc#1012628). - spi: spidev: Add SPI ID table (bsc#1012628). - spi: bcm-qspi: clear MSPI spifie interrupt during probe (bsc#1012628). - drm/panel: olimex-lcd-olinuxino: select CRC32 (bsc#1012628). - drm/edid: In connector_bad_edid() cap num_of_ext by num_blocks read (bsc#1012628). - drm/msm: Fix null pointer dereference on pointer edp (bsc#1012628). - drm/msm/mdp5: fix cursor-related warnings (bsc#1012628). - drm/msm/submit: fix overflow check on 64-bit architectures (bsc#1012628). - drm/msm/a6xx: Track current ctx by seqno (bsc#1012628). - drm/msm/a4xx: fix error handling in a4xx_gpu_init() (bsc#1012628). - drm/msm/a3xx: fix error handling in a3xx_gpu_init() (bsc#1012628). - drm/msm/dsi: dsi_phy_14nm: Take ready-bit into account in poll_for_ready (bsc#1012628). - drm/msm/dsi: Fix an error code in msm_dsi_modeset_init() (bsc#1012628). - drm/msm/dsi: fix off by one in dsi_bus_clk_enable error handling (bsc#1012628). - acpi/arm64: fix next_platform_timer() section mismatch error (bsc#1012628). - platform/x86: intel_scu_ipc: Fix busy loop expiry time (bsc#1012628). - mqprio: Correct stats in mqprio_dump_class_stats() (bsc#1012628). - mptcp: fix possible stall on recvmsg() (bsc#1012628). - qed: Fix missing error code in qed_slowpath_start() (bsc#1012628). - r8152: select CRC32 and CRYPTO/CRYPTO_HASH/CRYPTO_SHA256 (bsc#1012628). - ice: fix locking for Tx timestamp tracking flush (bsc#1012628). - block/rnbd-clt-sysfs: fix a couple uninitialized variable bugs (bsc#1012628). - nfp: flow_offload: move flow_indr_dev_register from app init to app start (bsc#1012628). - net: mscc: ocelot: make use of all 63 PTP timestamp identifiers (bsc#1012628). - net: mscc: ocelot: avoid overflowing the PTP timestamp FIFO (bsc#1012628). - net: mscc: ocelot: warn when a PTP IRQ is raised for an unknown skb (bsc#1012628). - net: mscc: ocelot: deny TX timestamping of non-PTP packets (bsc#1012628). - net: mscc: ocelot: cross-check the sequence id from the timestamp FIFO with the skb PTP header (bsc#1012628). - net: dsa: felix: break at first CPU port during init and teardown (bsc#1012628). - ionic: don't remove netdev->dev_addr when syncing uc list (bsc#1012628). - commit 6859230 - media: firewire: firedtv-avc: fix a buffer overflow in avc_ca_pmt() (CVE-2021-3542 bsc#1184673). - commit 08ab8da - x86/fpu: Mask out the invalid MXCSR bits properly (x86_32 breakage). - commit 565cd48 - rpm/kernel-obs-build.spec.in: reduce initrd functionality For building in OBS, we always build inside a virtual machine that gets a new, freshly created scratch filesystem image. So we do not need to handle fscks because that ain't gonna happen, as well as not we do not need to handle microcode update in the initrd as these only can be run on the host system anyway. We can also strip and hardlink as an additional optimisation that should not significantly hurt. - commit c72c6fc - Update upstream commit id for rtw89 patch (bsc#1191321) - commit 8dccb66 - Linux 5.14.13 (bsc#1012628). - hwmon: (pmbus/ibm-cffps) max_power_out swap changes (bsc#1012628). - io_uring: kill fasync (bsc#1012628). - sched: Always inline is_percpu_thread() (bsc#1012628). - perf/core: fix userpage->time_enabled of inactive events (bsc#1012628). - scsi: qla2xxx: Fix excessive messages during device logout (bsc#1012628). - scsi: virtio_scsi: Fix spelling mistake "Unsupport" -> "Unsupported" (bsc#1012628). - scsi: ses: Fix unsigned comparison with less than zero (bsc#1012628). - drm/amdgpu: fix gart.bo pin_count leak (bsc#1012628). - net: sun: SUNVNET_COMMON should depend on INET (bsc#1012628). - vboxfs: fix broken legacy mount signature checking (bsc#1012628). - net: bgmac-platform: handle mac-address deferral (bsc#1012628). - mac80211: check return value of rhashtable_init (bsc#1012628). - net: prevent user from passing illegal stab size (bsc#1012628). - hwmon: (ltc2947) Properly handle errors when looking for the external clock (bsc#1012628). - m68k: Handle arrivals of multiple signals correctly (bsc#1012628). - pinctrl: qcom: sc7280: Add PM suspend callbacks (bsc#1012628). - mac80211: Drop frames from invalid MAC address in ad-hoc mode (bsc#1012628). - netfilter: nf_nat_masquerade: defer conntrack walk to work queue (bsc#1012628). - netfilter: nf_nat_masquerade: make async masq_inet6_event handling generic (bsc#1012628). - KVM: arm64: nvhe: Fix missing FORCE for hyp-reloc.S build rule (bsc#1012628). - ASoC: SOF: loader: release_firmware() on load failure to avoid batching (bsc#1012628). - HID: wacom: Add new Intuos BT (CTL-4100WL/CTL-6100WL) device IDs (bsc#1012628). - netfilter: ip6_tables: zero-initialize fragment offset (bsc#1012628). - HID: apple: Fix logical maximum and usage maximum of Magic Keyboard JIS (bsc#1012628). - ALSA: usb-audio: Unify mixer resume and reset_resume procedure (bsc#1012628). - ALSA: oxfw: fix transmission method for Loud models based on OXFW971 (bsc#1012628). - ASoC: Intel: sof_sdw: tag SoundWire BEs as non-atomic (bsc#1012628). - ext4: correct the error path of ext4_write_inline_data_end() (bsc#1012628). - ext4: check and update i_disksize properly (bsc#1012628). - commit ab3ca44 - kernel-spec-macros: Since rpm 4.17 %verbose is unusable (bsc#1191229). The semantic changed in an incompatible way so invoking the macro now causes a build failure. - commit 3e55f55 - Linux 5.14.12 (bsc#1012628). - dsa: tag_dsa: Fix mask for trunked packets (bsc#1012628). - x86/hpet: Use another crystalball to evaluate HPET usability (bsc#1012628). - x86/entry: Clear X86_FEATURE_SMAP when CONFIG_X86_SMAP=n (bsc#1012628). - x86/entry: Correct reference to intended CONFIG_64_BIT (bsc#1012628). - x86/fpu: Restore the masking out of reserved MXCSR bits (bsc#1012628). - x86/sev: Return an error on a returned non-zero SW_EXITINFO1[31:0] (bsc#1012628). - x86/Kconfig: Correct reference to MWINCHIP3D (bsc#1012628). - x86/platform/olpc: Correct ifdef symbol to intended CONFIG_OLPC_XO15_SCI (bsc#1012628). - pseries/eeh: Fix the kdump kernel crash during eeh_pseries_init (bsc#1012628). - powerpc/32s: Fix kuap_kernel_restore() (bsc#1012628). - powerpc/64s: Fix unrecoverable MCE calling async handler from NMI (bsc#1012628). - powerpc/traps: do not enable irqs in _exception (bsc#1012628). - powerpc/64s: fix program check interrupt emergency stack path (bsc#1012628). - powerpc/bpf ppc32: Fix BPF_SUB when imm == 0x80000000 (bsc#1012628). - powerpc/bpf ppc32: Do not emit zero extend instruction for 64-bit BPF_END (bsc#1012628). - powerpc/bpf ppc32: Fix JMP32_JSET_K (bsc#1012628). - powerpc/bpf ppc32: Fix ALU32 BPF_ARSH operation (bsc#1012628). - powerpc/bpf: Fix BPF_SUB when imm == 0x80000000 (bsc#1012628). - powerpc/bpf: Fix BPF_MOD when imm == 1 (bsc#1012628). - objtool: Make .altinstructions section entry size consistent (bsc#1012628). - objtool: Remove reloc symbol type checks in get_alt_entry() (bsc#1012628). - scsi: iscsi: Fix iscsi_task use after free (bsc#1012628). - RISC-V: Include clone3() on rv32 (bsc#1012628). - i2c: mlxcpld: Modify register setting for 400KHz frequency (bsc#1012628). - i2c: mlxcpld: Fix criteria for frequency setting (bsc#1012628). - bpf, s390: Fix potential memory leak about jit_data (bsc#1012628). - riscv/vdso: make arch_setup_additional_pages wait for mmap_sem for write killable (bsc#1012628). - riscv/vdso: Move vdso data page up front (bsc#1012628). - riscv/vdso: Refactor asm/vdso.h (bsc#1012628). - RISC-V: Fix VDSO build for !MMU (bsc#1012628). - riscv: explicitly use symbol offsets for VDSO (bsc#1012628). - i2c: mediatek: Add OFFSET_EXT_CONF setting back (bsc#1012628). - i2c: acpi: fix resource leak in reconfiguration device addition (bsc#1012628). - powerpc/iommu: Report the correct most efficient DMA mask for PCI devices (bsc#1012628). - net: prefer socket bound to interface when not in VRF (bsc#1012628). - iavf: fix double unlock of crit_lock (bsc#1012628). - i40e: Fix freeing of uninitialized misc IRQ vector (bsc#1012628). - i40e: fix endless loop under rtnl (bsc#1012628). - gve: report 64bit tx_bytes counter from gve_handle_report_stats() (bsc#1012628). - gve: fix gve_get_stats() (bsc#1012628). - rtnetlink: fix if_nlmsg_stats_size() under estimation (bsc#1012628). - gve: Properly handle errors in gve_assign_qpl (bsc#1012628). - gve: Avoid freeing NULL pointer (bsc#1012628). - gve: Correct available tx qpl check (bsc#1012628). - net: stmmac: trigger PCS EEE to turn off on link down (bsc#1012628). - net: pcs: xpcs: fix incorrect steps on disable EEE (bsc#1012628). - drm/nouveau/debugfs: fix file release memory leak (bsc#1012628). - drm/nouveau/kms/nv50-: fix file release memory leak (bsc#1012628). - drm/nouveau: avoid a use-after-free when BO init fails (bsc#1012628). - video: fbdev: gbefb: Only instantiate device when built for IP32 (bsc#1012628). - drm/panel: abt-y030xx067a: yellow tint fix (bsc#1012628). - drm/nouveau/fifo/ga102: initialise chid on return from channel creation (bsc#1012628). - drm/sun4i: dw-hdmi: Fix HDMI PHY clock setup (bsc#1012628). - bus: ti-sysc: Use CLKDM_NOAUTO for dra7 dcan1 for errata i893 (bsc#1012628). - perf jevents: Free the sys_event_tables list after processing entries (bsc#1012628). - drm/amdgpu: handle the case of pci_channel_io_frozen only in amdgpu_pci_resume (bsc#1012628). - drm/amdkfd: fix a potential ttm->sg memory leak (bsc#1012628). - ARM: defconfig: gemini: Restore framebuffer (bsc#1012628). - netlink: annotate data races around nlk->bound (bsc#1012628). - net: pcs: xpcs: fix incorrect CL37 AN sequence (bsc#1012628). - net: sfp: Fix typo in state machine debug string (bsc#1012628). - net/sched: sch_taprio: properly cancel timer from taprio_destroy() (bsc#1012628). - net: bridge: fix under estimation in br_get_linkxstats_size() (bsc#1012628). - net: bridge: use nla_total_size_64bit() in br_get_linkxstats_size() (bsc#1012628). - afs: Fix afs_launder_page() to set correct start file position (bsc#1012628). - netfs: Fix READ/WRITE confusion when calling iov_iter_xarray() (bsc#1012628). - drm/i915/bdb: Fix version check (bsc#1012628). - drm/i915/tc: Fix TypeC port init/resume time sanitization (bsc#1012628). - drm/i915/jsl: Add W/A 1409054076 for JSL (bsc#1012628). - drm/i915/audio: Use BIOS provided value for RKL HDA link (bsc#1012628). - ARM: imx6: disable the GIC CPU interface before calling stby-poweroff sequence (bsc#1012628). - dt-bindings: drm/bridge: ti-sn65dsi86: Fix reg value (bsc#1012628). - arm64: dts: ls1028a: fix eSDHC2 node (bsc#1012628). - arm64: dts: imx8mm-kontron-n801x-som: do not allow to switch off buck2 (bsc#1012628). - arm64: dts: imx8: change the spi-nor tx (bsc#1012628). - ARM: dts: imx: change the spi-nor tx (bsc#1012628). - ptp_pch: Load module automatically if ID matches (bsc#1012628). - powerpc/fsl/dts: Fix phy-connection-type for fm1mac3 (bsc#1012628). - netfilter: nf_tables: honor NLM_F_CREATE and NLM_F_EXCL in event notification (bsc#1012628). - MIPS: Revert "add support for buggy MT7621S core detection" (bsc#1012628). - net: stmmac: dwmac-rk: Fix ethernet on rk3399 based devices (bsc#1012628). - net: mscc: ocelot: fix VCAP filters remaining active after being deleted (bsc#1012628). - net_sched: fix NULL deref in fifo_set_limit() (bsc#1012628). - libbpf: Fix memory leak in strset (bsc#1012628). - phy: mdio: fix memory leak (bsc#1012628). - libbpf: Fix segfault in light skeleton for objects without BTF (bsc#1012628). - net/mlx5e: Fix the presented RQ index in PTP stats (bsc#1012628). - net/mlx5: Fix setting number of EQs of SFs (bsc#1012628). - net/mlx5: Fix length of irq_index in chars (bsc#1012628). - net/mlx5: Avoid generating event after PPS out in Real time mode (bsc#1012628). - net/mlx5: Force round second at 1PPS out start time (bsc#1012628). - net/mlx5: E-Switch, Fix double allocation of acl flow counter (bsc#1012628). - net/mlx5e: Keep the value for maximum number of channels in-sync (bsc#1012628). - net/mlx5e: IPSEC RX, enable checksum complete (bsc#1012628). - bpf: Fix integer overflow in prealloc_elems_and_freelist() (bsc#1012628). - soc: ti: omap-prm: Fix external abort for am335x pruss (bsc#1012628). - bpf, arm: Fix register clobbering in div/mod implementation (bsc#1012628). - netfilter: nf_tables: reverse order in rule replacement expansion (bsc#1012628). - netfilter: nf_tables: add position handle in event notification (bsc#1012628). - netfilter: conntrack: fix boot failure with nf_conntrack.enable_hooks=1 (bsc#1012628). - iwlwifi: pcie: add configuration of a Wi-Fi adapter on Dell XPS 15 (bsc#1012628). - xtensa: call irqchip_init only when CONFIG_USE_OF is selected (bsc#1012628). - xtensa: use CONFIG_USE_OF instead of CONFIG_OF (bsc#1012628). - arm64: dts: qcom: pm8150: use qcom,pm8998-pon binding (bsc#1012628). - ath5k: fix building with LEDS=m (bsc#1012628). - PCI: hv: Fix sleep while in non-sleep context when removing child devices from the bus (bsc#1012628). - ARM: dts: imx6qdl-pico: Fix Ethernet support (bsc#1012628). - ARM: dts: imx: Fix USB host power regulator polarity on M53Menlo (bsc#1012628). - ARM: dts: imx: Add missing pinctrl-names for panel on M53Menlo (bsc#1012628). - soc: qcom: mdt_loader: Drop PT_LOAD check on hash segment (bsc#1012628). - iwlwifi: mvm: Fix possible NULL dereference (bsc#1012628). - ARM: at91: pm: do not panic if ram controllers are not enabled (bsc#1012628). - Revert "arm64: dts: qcom: sc7280: Fixup the cpufreq node" (bsc#1012628). - ARM: dts: qcom: apq8064: Use 27MHz PXO clock as DSI PLL reference (bsc#1012628). - soc: qcom: socinfo: Fixed argument passed to platform_set_data() (bsc#1012628). - bus: ti-sysc: Add break in switch statement in sysc_init_soc() (bsc#1012628). - riscv: Flush current cpu icache before other cpus (bsc#1012628). - scsi: ufs: core: Fix task management completion (bsc#1012628). - ARM: dts: qcom: apq8064: use compatible which contains chipid (bsc#1012628). - ARM: dts: imx6dl-yapp4: Fix lp5562 LED driver probe (bsc#1012628). - ARM: dts: omap3430-sdp: Fix NAND device node (bsc#1012628). - xen/balloon: fix cancelled balloon action (bsc#1012628). - SUNRPC: fix sign error causing rpcsec_gss drops (bsc#1012628). - nfsd4: Handle the NFSv4 READDIR 'dircount' hint being zero (bsc#1012628). - nfsd: fix error handling of register_pernet_subsys() in init_nfsd() (bsc#1012628). - ovl: fix IOCB_DIRECT if underlying fs doesn't support direct IO (bsc#1012628). - ovl: fix missing negative dentry check in ovl_rename() (bsc#1012628). - fbdev: simplefb: fix Kconfig dependencies (bsc#1012628). - Update config files. - mmc: sdhci-of-at91: replace while loop with read_poll_timeout (bsc#1012628). - mmc: sdhci-of-at91: wait for calibration done before proceed (bsc#1012628). - mmc: meson-gx: do not use memcpy_to/fromio for dram-access-quirk (bsc#1012628). - xen/privcmd: fix error handling in mmap-resource processing (bsc#1012628). - drm/i915: Extend the async flip VT-d w/a to skl/bxt (bsc#1012628). - drm/i915: Fix runtime pm handling in i915_gem_shrink (bsc#1012628). - drm/amd/display: Fix DCN3 B0 DP Alt Mapping (bsc#1012628). - drm/amd/display: Fix detection of 4 lane for DPALT (bsc#1012628). - drm/amd/display: Limit display scaling to up to 4k for DCN 3.1 (bsc#1012628). - drm/nouveau/ga102-: support ttm buffer moves via copy engine (bsc#1012628). - drm/nouveau/kms/tu102-: delay enabling cursor until after assign_windows (bsc#1012628). - drm/amdgpu: During s0ix don't wait to signal GFXOFF (bsc#1012628). - drm/amd/display: USB4 bring up set correct address (bsc#1012628). - drm/amd/display: Fix B0 USB-C DP Alt mode (bsc#1012628). - usb: typec: tipd: Remove dependency on "connector" child fwnode (bsc#1012628). - usb: typec: tcpm: handle SRC_STARTUP state if cc changes (bsc#1012628). - usb: typec: tcpci: don't handle vSafe0V event if it's not enabled (bsc#1012628). - USB: cdc-acm: fix break reporting (bsc#1012628). - USB: cdc-acm: fix racy tty buffer accesses (bsc#1012628). - usb: gadget: f_uac2: fixed EP-IN wMaxPacketSize (bsc#1012628). - usb: chipidea: ci_hdrc_imx: Also search for 'phys' phandle (bsc#1012628). - usb: cdc-wdm: Fix check for WWAN (bsc#1012628). - Partially revert "usb: Kconfig: using select for USB_COMMON dependency" (bsc#1012628). - Update config files. - commit 7246625 - rtw89: add Realtek 802.11ax driver (bsc#1191321). - commit 4c399ab - Enable CONFIG_RTW88_DEBUG and CONFIG_RTW89_DEBUG on debug flavors (bsc#1191321) - commit a76143b ==== libguestfs ==== Subpackages: guestfs-data guestfs-tools guestfs-winsupport libguestfs0 perl-Sys-Guestfs python3-libguestfs - Fix build errors in Factory * Alert ocaml_deprecated_cli: Setting a warning with a sequence of lowercase or uppercase letters, like 'CDEFLMPSUVYZX', is deprecated. 63c9cd93-m4-guestfs-ocaml.m4-Fix-deprecated-warning-format.patch * Error (warning 6 [labels-omitted]): label verbose was omitted in the application of this function. a4930f5f-customize-Suppress-OCaml-warning.patch - Update spec file licenses to GPL-2.0-or-later ==== libyui ==== Version update (4.2.19 -> 4.2.20) - Use the C++17 standard in the *-pkg plugins (libzypp uses that standard by default) (related to bsc#1191829) - 4.2.20 ==== libyui-ncurses ==== Version update (4.2.19 -> 4.2.20) - Use the C++17 standard in the *-pkg plugins (libzypp uses that standard by default) (related to bsc#1191829) - 4.2.20 ==== libyui-ncurses-pkg ==== Version update (4.2.19 -> 4.2.20) - Use the C++17 standard in the *-pkg plugins (libzypp uses that standard by default) (related to bsc#1191829) - 4.2.20 ==== libyui-qt ==== Version update (4.2.19 -> 4.2.20) - Use the C++17 standard in the *-pkg plugins (libzypp uses that standard by default) (related to bsc#1191829) - 4.2.20 ==== libyui-qt-graph ==== Version update (4.2.19 -> 4.2.20) - Use the C++17 standard in the *-pkg plugins (libzypp uses that standard by default) (related to bsc#1191829) - 4.2.20 ==== libyui-qt-pkg ==== Version update (4.2.19 -> 4.2.20) - Use the C++17 standard in the *-pkg plugins (libzypp uses that standard by default) (related to bsc#1191829) - 4.2.20 ==== logrotate ==== - Add patch: * logrotate-dont_warn_on_size=_syntax.patch (boo#1191816) ==== mpg123 ==== Version update (1.29.1 -> 1.29.2) Subpackages: libmpg123-0 mpg123-openal - Update to version 1.29.2 * libmpg123: Fix non-live-decoder safeguard for mpg123_framebyframe_decode() (was a no-op in practice). ==== ncurses ==== Version update (6.2.20211002 -> 6.3.20211021) Subpackages: libncurses6 ncurses-utils terminfo terminfo-base terminfo-iterm terminfo-screen - Update to ncurses 6.3 (patch 20211021) + update release notes + add "ncu2openbsd" script, to illustrate how to update an OpenBSD system to use a current ncurses release. - Add upstream keyring to verify source signatures of both ncurses and tack tar ball with their ASC (armored ASCii signature) counterpart - Add ncurses patch 20211018 + check for screen size-change in scr_init() and scr_restore(), in case a screen dump does not match the current screen dimensions (report by Frank Tkalcevic). - Add ncurses patch 20211017 + amend change for pkg-config to account for "none" being returned in the libdir-path result rather than "no" (report by Gabriele Balducci). - Add ncurses patch 20211016 + build-fix for pmake with libtool. + improve make-tar.sh scripts, adding COPYING to tar file, and clean up shellcheck warnings. + add link for "reset6" manpage in test-package ncurses6-doc + revise configure option --with-pkg-config-libdir, using the actual search path from pkg-config or pkgconf using the output from --debug (report by Pascal Pignard). + freeze ABI in ".map" files. - Correct offsets of patch ncurses-6.2.dif - Add ncurses patch 20211009 + implement "+m" option in tabs program. + fill in some details for infoton -TD + fix spelling/consistency in several descriptions -TD + use vt420+lrmm in vt420 -TD + modify save_tty_settings() to avoid opening /dev/tty for cases other than reset/init, e.g., for clear. + modify output of "toe -as" to show first description found rather than the last. + improve tic checks for number of parameters of smglp, smgrp, smgtp, and smgbp (cf: 20020525). + correct off-by-one comparison in last_char(), which did not allow special case of ":" in a terminfo description field (cf: 20120407). + remove check in tic that assumes that none or both parameterized and non-parameterized margin-setting capabilities are present (cf: 20101002). ==== ocfs2-tools ==== - Fix mounted.ocfs2 output when some devices are not ready (bsc#1191810) + fixed-mounted.ocfs2-output-when-some-devices-are-Not.patch + update-mounted.ocfs2-mounted.c.patch ==== parted ==== Subpackages: libparted0 - BuildRequire python3-base: Fix execution of test suite. Otherwise we fail with ./t0282-gpt-move-backup.sh: /usr/bin/python3: bad interpreter: No such file or directory. - run checks during build - added patches: tests-disable.patch ==== pcre2 ==== Version update (10.37 -> 10.38) Subpackages: libpcre2-16-0 libpcre2-32-0 libpcre2-8-0 - pcre2 10.38: * Following Perl's lead, \K is now locked out in lookaround assertions by default, but an option is provided to re-enable the previous behaviour ==== perl-Mojolicious ==== Version update (9.21 -> 9.22) - updated to 9.22 see /usr/share/doc/packages/perl-Mojolicious/Changes 9.22 2021-10-16 - Added a referer method to Mojo::Headers, as an alias for the referrer method. - Fixed response status log message to use the "trace" log level instead of "debug". ==== php7 ==== Version update (7.4.24 -> 7.4.25) Subpackages: php7-cli php7-ctype php7-dom php7-gd php7-gettext php7-iconv php7-json php7-mbstring php7-mysql php7-openssl php7-pdo php7-sqlite php7-tokenizer php7-xmlreader php7-xmlwriter - updated to 7.4.25: This is a security release (CVE-2021-21703) which also contains several bug fixes. See https://www.php.net/ChangeLog-7.php#7.4.25 ==== plasma5-openSUSE ==== Subpackages: plasma5-defaults-openSUSE plasma5-theme-openSUSE plasma5-workspace-branding-openSUSE sddm-theme-openSUSE - Update to 5.23.2 ==== polkit ==== Subpackages: typelib-1_0-Polkit-1_0 - fork libpolkit0 package into libpolkit-agent-1-0 and libpolkit-gobject-1-0 as mandated. bsc#1191781 ==== postfix ==== Subpackages: postfix-doc - config.postfix not updatet after lmdb switch (bsc#1190945) Adapt config.postfix - postfix master.cf: to include "submissions" service (bsc#1189684) Adapt master.cf patch - postfix fails with glibc 2.34 Define HAS_CLOSEFROM (bsc#1189101) add patch - postfix-3.6.2-glibc-234-build-fix.patch - fix config.postfix (follow up of bsc#1188477) - Syntax error in config.postfix (bsc#1188477) - Update to 3.6.2 * In Postfix 3.6, fixed a false "Result too large" (ERANGE) fatal error in the compatibility_level parser, because there was no 'errno = 0' statement before an strtol() call. * (problem introduced in Postfix 3.3) "Null pointer read" error in the cleanup daemon when "header_from_format = standard" (the default as of Postfix 3.3), and email was submitted with /usr/sbin/sendmail without From: header, and an all-space full name was specified in 1) the password file, 2) with "sendmail - F", or 3) with the NAME environment variable. Found by Renaud Metrich. * (problem introduced in Postfix 2.4) False "too many reverse jump" warnings in the showq daemon, because loop detection code was comparing memory addresses instead of queue file names. Reported by Mehmet Avcioglu. * (problem introduced in 1999) The Postfix SMTP server was sending all session transcripts to the error_notice_recipient (default: postmaster), instead of sending transcripts of bounced mail to the bounce_notice_recipient (default: postmaster). Reported by Hans van Zijst. * The texthash: map implementation broke tls_server_sni_maps, because it did not support multi-file inputs. Reported by Christopher Gurnee, who also found an instance of the missing code in the "postmap -F" source code. File: util/dict_thash.c. - spamd wants to start before mail-transfer-agent.target, but that target doesn't exist (bsc#1066854) - postfix-SUSE * rework sysconfig.postfix, add - POSTFIX_WITH_DKIM - POSTFIX_DKIM_CONN * rework config.postfix for main.cf - with_dkim - update postfix-main.cf.patch * add OpenDKIM settings - postfix-mysql * add mysql_relay_recipient_maps.cf - postfix-SUSE * rework sysconfig.postfix, add - POSTFIX_RELAY_RECIPIENTS - POSTFIX_BACKUPMX * add relay_recipients * rework config.postfix for main.cf - is_backupmx - relay_recipient_maps - Add now working CONFIG parameter to sysusers generator - Remove unnecessary group line from postfix-vmail-user.conf - Update to 3.6.1 * Bugfix (introduced: Postfix 2.11): the command "postmap lmdb:/file/name" (create LMDB database from textfile) handled duplicate input keys ungracefully, discarding entries stored up to and including the duplicate key, and causing a double free() call with lmdb versions 0.9.17 and later. Reported by Adi Prasaja; double free() root cause analysis by Howard Chu. * Typo (introduced: Postfix 3.4): silent_discard should be silent-discard in BDAT_README. - fix postfix-master.cf.patch * set correct indentation (again) for options of - submission (needs 3 spaces) - smtps (needs 4 spaces) to make config.postfix work nicely again - Update to 3.6.0 - Major changes - internal protocol identification Internal protocols have changed. You need to "postfix stop" before updating, or before backing out to an earlier release, otherwise long-running daemons (pickup, qmgr, verify, tlsproxy, postscreen) may fail to communicate with the rest of Postfix, causing mail delivery delays until Postfix is restarted. For more see /usr/share/doc/packages/postfix/RELEASE_NOTES - refreshed patches to apply cleanly again: fix-postfix-script.patch ipv6_disabled.patch pointer_to_literals.patch postfix-linux45.patch postfix-main.cf.patch postfix-master.cf.patch postfix-no-md5.patch postfix-ssl-release-buffers.patch postfix-vda-v14-3.0.3.patch set-default-db-type.patch - (bsc#1186669) - postfix.service has "Requires=var-run.mount" Remove bad requirements - Update to 3.5.10 with security fixes: * Missing null pointer checks (introduced in Postfix 3.4) after an internal I/O error during the smtp(8) to tlsproxy(8) handshake. Found by Coverity, reported by Jaroslav Skarvada. Based on a fix by Viktor Dukhovni. * Null pointer bug (introduced in Postfix 3.0) and memory leak (introduced in Postfix 3.4) after an inline: table syntax error in main.cf or master.cf. Found by Coverity, reported by Jaroslav Skarvada. Based on a fix by Viktor Dukhovni. * Incomplete null pointer check (introduced: Postfix 2.10) after truncated HaProxy version 1 handshake message. Found by Coverity, reported by Jaroslav Skarvada. Fix by Viktor Dukhovni. * Missing null pointer check (introduced: Postfix alpha) after null argv[0] value. - (bsc#1183305) - config.postfix uses db as suffix for postmaps Depending on DEF_DB_TYPE uses lmdb or db - (bsc#1182833) - /usr/share/fillup-templates/sysconfig.postfix still refers to /etc/services Use getent to detect if smtps is already defined. - (bsc#1180473) [Build 20201230] postfix has invalid default config (bsc#1181381) [Build 130.3] openQA test fails in mta, mutt - postfix broken: "queue file write error" and "error: unsupported dictionary type: hash" Export DEF_DB_TYPE before starting the perl script. - bsc#1180473 - [Build 20201230] postfix has invalid default config Fixing config.postfix and sysconfig.postfix - Update to 3.5.9 * improves the reporting of DNSSEC problems that may affect DANE security - Only do the conversion from the hash/btree databases to lmdb when the default database type changes from hash to lmdb and do not stop and start the service (the old compiled databases can live together with the new ones) - convert-bdb-to-lmdb.sh - Clean up the specfile * Remove < 1330 conditional builds * Use generated postfix-files instead of the obsolete one from postfix-SUSE.tar.gz * Use dynamicmaps.cf.d instead of modifying dynamicmaps.cf upon (de)installation of optional mysql, pgsql and ldap subpackages * Use default location for post-install, postfix-tls-script, postfix-wrapper and postmulti-script - Set lmdb to be the default db. - Convert btree tables to lmdb too. Stop postfix before converting from bdb to lmdb - This package is without bdb support. That's why convert must be done without any suse release condition. o remove patch postfix-no-btree.patch o add set-default-db-type.patch - Set database type for address_verify_map and postscreen_cache_map to lmdb (btree requires Berkeley DB) o add postfix-no-btree.patch - Set default database type to lmdb and fix update_postmaps script - Use variable substition instead of sed to remove .db suffix and substitute hash: for lmdb: in /etc/postfix/master.cf as well. Check before substitution if there is something to do (to keep rpmcheck happy). - bsc#1176650 L3: What is regularly triggering the "fillup" command and changing modify-time of /etc/sysconfig/postfix? o Remove miss placed fillup_only call from %verifyscript - Remove Berkeley DB dependency (JIRA#SLE-12191) The pacakges postfix is build without Berkely DB support. lmdb will be used instead of BDB. The pacakges postfix-bdb is build with Berkely DB support. o add patch for main.cf for postfix-bdb package postfix-bdb-main.cf.patch - Update to 3.5.8 * The Postfix SMTP client inserted into message headers longer than $line_length_limit (default: 2048), causing all subsequent header content to become message body content. * The postscreen daemon did not save a copy of the postscreen_dnsbl_reply_map lookup result. This has no effect when the recommended texthash: look table is used, but it could result in stale data with other lookup tables. * After deleting a recipient with a Milter, the Postfix recipient duplicate filter was not updated; the filter suppressed requests to add the recipient back. * Memory leak: the static: maps did not free their casefolding buffer. * With "smtpd_tls_wrappermode = yes", the smtps service was waiting for a TLS handshake, after processing an XCLIENT command. * The smtp_sasl_mechanism_filter implementation ignored table lookup errors, treating them as 'not found'. * The code that looks for Delivered-To: headers ignored headers longer than $line_length_limit (default: 2048). - Update to 3.5.7 * Fixed random certificate verification failures with "smtp_tls_connection_reuse = yes", because tlsproxy(8) was using the wrong global TLS context for connections that use DANE or non-DANE trust anchors. - Move ldap into an own sub-package like all other databases - Move manual pages to correct sub-package - Use sysusers.d to create system accounts - Remove wrong %config for systemd directory content - Use the correct signature file for source verification - Rename postfix-3.5.6.tar.gz.sig to postfix-3.5.6.tar.gz.asc (to prevent confusion, as the signature file from upstream with .sig extension is incompatible with the build service) - Update to 3.5.6 with following fixes: * Workaround for unexpected TLS interoperability problems when Postfix runs on OS distributions with system-wide OpenSSL configurations. * Memory leaks in the Postfix TLS library, the largest one involving multiple kBytes per peer certificate. - Add source verification (add postfix.keyring) - Use systemd_ordering instead of systemd_require. - Move /etc/postfix/system to /usr/lib/postfix/systemd [bsc#1173688] - Drop /var/adm/SuSEconfig from %post, it does nothing. - Rename postfix-SuSE to postfix-SUSE - Delete postfix-SUSE/README.SuSE, company name spelled wrong, completly outdated and not used. - Delete postfix-SUSE/SPAMASSASSIN+POSTFIX.SuSE, company name spelled wrong, outdated and not used. - sysconfig.mail-postfix: Fix description of MAIL_CREATE_CONFIG, SuSEconfig is gone since ages. - update_chroot.systemd: Remove advice to run SuSEconfig. - Remove rc.postfix, not used, outdated. - mkpostfixcert: Remove advice to run SuSEconfig. - Update to 3.5.4: * The connection_reuse attribute in smtp_tls_policy_maps always resulted in an "invalid attribute name" error. * SMTP over TLS connection reuse always failed for Postfix SMTP client configurations that specify explicit trust anchors (remote SMTP server certificates or public keys). * The Postfix SMTP client's DANE implementation would always send an SNI option with the name in a destination's MX record, even if the MX record pointed to a CNAME record. MX records that point to CNAME records are not conformant with RFC5321, and so are rare. Based on the DANE survey of ~2 million hosts it was found that with the corrected SMTP client behavior, sending SNI with the CNAME-expanded name, the SMTP server would not send a different certificate. This fix should therefore be safe. - Update to 3.5.3: * TLS handshake failure in the Postfix SMTP server during SNI processing, after the server-side TLS engine sent a TLSv1.3 HelloRetryRequest (HRR) to a remote SMTP client. * The command "postfix tls deploy-server-cert" did not handle a missing optional argument. This bug was introduced in Postfix 3.1. - Update to 3.5.2: * A TLS error for a database client caused a false 'lost connection' error for an SMTP over TLS session in the same Postfix process. This bug was introduced with Postfix 2.2. * The same bug existed in the tlsproxy(8) daemon, where a TLS error for one TLS session could cause a false 'lost connection' error for a concurrent TLS session in the same process. This bug was introduced with Postfix 2.8. * The Postfix build now disables DANE support on Linux systems with libc-musl such as Alpine, because libc-musl provides no indication whether DNS responses are authentic. This broke DANE support without a clear explanation. * Due to implementation changes in the ICU library, some Postfix daemons reported file access errrors (U_FILE_ACCESS_ERROR) after chroot(). This was fixed by initializing the ICU library before making the chroot() call. * Minor code changes to silence a compiler that special-cases string literals. * Segfault (null pointer) in the tlsproxy(8) client role when the server role was disabled. This typically happened on systems that do not receive mail, after configuring connection reuse for outbound SMTP over TLS. * The date portion of the maillog_file_rotate_suffix default value used the minute (%M) instead of the month (%m). - boo#1106004 fix incorrect locations for files in postfix-files - Dropped deprecated-RES_INSECURE1.patch to make DNSSEC-secured lookups and DANE mail transport work again - Update to 3.5.1: * Support for the haproxy v2 protocol. The Postfix implementation supports TCP over IPv4 and IPv6, as well as non-proxied connections; the latter are typically used for heartbeat tests. * Support to force-expire email messages. This introduces new postsuper(1) command-line options to request expiration, and additional information in mailq(1) or postqueue(1) output. * The Postfix SMTP and LMTP client support a list of nexthop destinations separated by comma or whitespace. These destinations will be tried in the specified order. * Incompatible changes: * Logging: Postfix daemon processes now log the from= and to= addresses in external (quoted) form in non-debug logging (info, warning, etc.). This means that when an address localpart contains spaces or other special characters, the localpart will be quoted, for example: from=<"name with spaces"@example.com> Specify "info_log_address_format = internal" for backwards compatibility. * Postfix now normalizes IP addresses received with XCLIENT, XFORWARD, or with the HaProxy protocol, for consistency with direct connections to Postfix. This may change the appearance of logging, and the way that check_client_access will match subnets of an IPv6 address. - Update to 3.4.10: * Bug (introduced: Postfix 2.3): Postfix Milter client state was not properly reset after one Milter in a multi-Milter configuration failed during MAIL FROM, resulting in a Postfix Milter client panic during the next MAIL FROM command in the same SMTP session. - bsc#1162891 server:mail/postfix: cond_slp bug on TW after moving /etc/services to /usr/etc/services - bsc#1160413 postfix fails with -fno-common - Update to 3.4.9: * Bug (introduced: Postfix 3.1): smtp_dns_resolver_options were broken while adding support for negative DNS response caching in postscreen. Postfix was inadvertently changed to call res_query() instead of res_search(). * Bug (introduced: Postfix 2.5): Postfix ignored the CONNECT macro overrides from a Milter application. Postfix now evaluates the Milter macros for an SMTP CONNECT event after the Postfix-to-Milter connection is negotiated. * Bug (introduced: Postfix 3.0): sanitize (remote) server responses before storing them in the verify database, to avoid Postfix warnings about malformed UTF8. Found during code maintenance. - Update to 3.4.8: * Fix for an Exim interoperability problem when postscreen after-220 checks are enabled. Bug introduced in Postfix 3.4: the code that detected "PIPELINING after BDAT" looked at the wrong variable. The warning now says "BDAT without valid RCPT", and the error is no longer treated as a command PIPELINING error, thus allowing mail to be delivered. Meanwhile, Exim has been fixed to stop sending BDAT commands when postscreen rejects all RCPT commands. * Usability bug, introduced in Postfix 3.4: the parser for key/certificate chain files rejected inputs that contain an EC PARAMETERS object. While this is technically correct (the documentation says what types are allowed) this is surprising behavior because the legacy cert/key parameters will accept such inputs. For now, the parser skips object types that it does not know about for usability, and logs a warning because ignoring inputs is not kosher. * Bug introduced in Postfix 2.8: don't gratuitously enable all after-220 tests when only one such test is enabled. This made selective tests impossible with 'good' clients. This will be fixed in older Postfix versions at some later time. - Backport deprecated-RES_INSECURE1.patch in order to fix boo#1149705. - Update to 3.4.7: * Robustness: the tlsproxy(8) daemon could go into a loop, logging a flood of error messages. Problem reported by Andreas Schulze after enabling SMTP/TLS connection reuse. * Workaround: OpenSSL changed an SSL_Shutdown() non-error result value into an error result value, causing logfile noise. * Configuration: the new 'TLS fast shutdown' parameter name was implemented incorrectly. The documentation said "tls_fast_shutdown_enable", but the code said "tls_fast_shutdown". This was fixed by changing the code, because no-one is expected to override the default. * Performance: workaround for poor TCP loopback performance on LINUX, where getsockopt(..., TCP_MAXSEG, ...) reports a bogus TCP maximal segment size that is 1/2 to 1/3 of the real MSS. To avoid client-side Nagle delays or server-side delayed ACKs caused by multiple smaller-than-MSS writes, Postfix chooses a VSTREAM buffer size that is a small multiple of the reported bogus MSS. This workaround increases the multiplier from 2x to 4x. * Robustness: the Postfix Dovecot client could segfault (null pointer read) or cause an SMTP server assertion to fail when talking to a fake Dovecot server. The Postfix Dovecot client now logs a proper error instead. - bsc#1120757 L3: File Permissions->Paranoid can cause a system hang Break loop if postfix has no permission in spool directory. - add postfix-avoid-infinit-loop-if-no-permission.patch - fix for boo#1144946 mydestination - missing default localhost * update config.postfix - bsc#1142881 - mkpostfixcert from Postfix still uses md - removal of SuSEfirewall2 service, since SuSEfirewall2 has been replaced by firewalld, see [1]. [1]: https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html - update example POSTFIX_BASIC_SPAM_PREVENTION: permit_mynetworks for * POSTFIX_SMTPD_HELO_RESTRICTIONS * POSTFIX_SMTPD_RECIPIENT_RESTRICTIONS - fix for: Can't connect to local MySQL server through socket '/run/mysql/mysql.sock' * update config.postfix * update update_chroot.systemd - Update to 3.4.6: * Workaround for implementations that hang Postfix while shutting down a TLS session, until Postfix times out. With "tls_fast_shutdown_enable = yes" (the default), Postfix no longer waits for the TLS peer to respond to a TLS 'close' request. This is recommended with TLSv1.0 and later. * Fixed a too-strict censoring filter that broke multiline Milter responses for header/body events. Problem report by Andreas Thienemann. * The code to reset Postfix SMTP server command counts was not called after a HaProxy handshake failure, causing stale numbers to be reported. Problem report by Joseph Ward. * postconf(5) documentation: tlsext_padding is not a tls_ssl_options feature. * smtp(8) documentation: updated the BUGS section text about Postfix support to reuse open TLS connections. * Portability: added "#undef sun" to util/unix_dgram_connect.c. - Ensure that postfix is member of all groups as before. - BuildRequire pkgconfig(systemd) instead of systemd: allow OBS to shortcut the build queues by allowing usage of systemd-mini - Drop the omc config fate#301838: * it is obsolete since SLE11 - bsc#1104543 config.postfix does not start tlsmgr in master.cf when using POSTFIX_SMTP_TLS_CLIENT="must". Applyed the proposed patch. - Update to 3.4.5: Bugfix (introduced: Postfix 3.0): LMTP connections over UNIX-domain sockets were cached but not reused, due to a cache lookup key mismatch. Therefore, idle cached connections could exhaust LMTP server resources, resulting in two-second pauses between email deliveries. This problem was investigated by Juliana Rodrigueiro. File: smtp/smtp_connect.c. - Update to 3.4.4 o Incompatible changes - The Postfix SMTP server announces CHUNKING (BDAT command) by default. In the unlikely case that this breaks some important remote SMTP client, disable the feature as follows: /etc/postfix/main.cf: [#] The logging alternative: smtpd_discard_ehlo_keywords = chunking [#] The non-logging alternative: smtpd_discard_ehlo_keywords = chunking, silent_discard - This introduces a new master.cf service 'postlog' with type 'unix-dgram' that is used by the new postlogd(8) daemon. Before backing out to an older Postfix version, edit the master.cf file and remove the postlog entry. - Postfix 3.4 drops support for OpenSSL 1.0.1 - To avoid performance loss under load, the tlsproxy(8) daemon now requires a zero process limit in master.cf (this setting is provided with the default master.cf file). By default, a tlsproxy(8) process will retire after several hours. - To set the tlsproxy process limit to zero: postconf -F tlsproxy/unix/process_limit=0 postfix reload o Major changes - Postfix SMTP server support for RFC 3030 CHUNKING (the BDAT command) without BINARYMIME, in both smtpd(8) and postscreen(8). This has no effect on Milters, smtpd_mumble_restrictions, and smtpd_proxy_filter. See BDAT_README for more. - Support for logging to file or stdout, instead of using syslog. - Logging to file solves a usability problem for MacOS, and eliminates multiple problems with systemd-based systems. - Logging to stdout is useful when Postfix runs in a container, as it eliminates a syslogd dependency. - Better handling of undocumented(!) Linux behavior whether or not signals are delivered to a PID=1 process. - Support for (key, list of filenames) in map source text. Currently, this feature is used only by tls_server_sni_maps. - Automatic retirement: dnsblog(8) and tlsproxy(8) process will now voluntarily retire after after max_idle*max_use, or some sane limit if either limit is disabled. Without this, a process could stay busy for days or more. - Postfix SMTP client support for multiple deliveries per TLS-encrypted connection. This is primarily to improve mail delivery performance for destinations that throttle clients when they don't combine deliveries. This feature is enabled with "smtp_tls_connection_reuse=yes" in main.cf, or with "tls_connection_reuse=yes" in smtp_tls_policy_maps. It supports all Postfix TLS security levels including dane and dane-only. - SNI support in the Postfix SMTP server, the Postfix SMTP client, and in the tlsproxy(8) daemon (both server and client roles). See the postconf(5) documentation for the new tls_server_sni_maps and smtp_tls_servername parameters. - Support for files that contain multiple (key, certificate, trust chain) instances. This was required to implement server-side SNI table lookups, but it also eliminates the need for separate cert/key files for RSA, DSA, Elliptic Curve, and so on. - Support for smtpd_reject_footer_maps (as well as the postscreen variant postscreen_reject_footer_maps) for more informative reject messages. This is indexed with the Postfix SMTP server response text, and overrides the footer specified with smtpd_reject_footer. One will want to use a pcre: or regexp: map with this. o Bugfixes - Andreas Schulze discovered that reject_multi_recipient_bounce was producing false rejects with BDAT commands. This problem already existed with Postfix 2.2 smtpd_end_of_data_restrictons. Postfix 3.4.4 fixes both. - postfix-linux45.patch: support also newer kernels -- pretend we are still at kernel 3. Note that there are no conditionals for LINUX3 or LINUX4. And LINUX5 was generated, but not tested in the code which caused build failures. - skip set -x and fix version update changes entry - Update to 3.3.3 * When the master daemon runs with PID=1 (init mode), it will now reap child processes from non-Postfix code running in the same container, instead of terminating with a panic. * Bugfix (introduced: postfix-2.11): with posttls-finger, connections to unix-domain servers always resulted in "Failed to establish session" even after a connection was established. Jaroslav Skarva. File: posttls-finger/posttls-finger.c. * Bugfix (introduced: Postfix 3.0): with smtputf8_enable=yes, table lookups could casefold the search string when searching a lookup table that does not use fixed-string keys (regexp, pcre, tcp, etc.). Historically, Postfix would not case-fold the search string with such tables. File: util/dict_utf8.c. - PostrgeSQL's pg_config is meant for linking server extensions, use libpq's pkg-config instead, if available. This is needed to fix build with PostgreSQL 11. - rework config.postfix * disable commenting of smtpd_sasl_path/smtpd_sasl_type no need to comment, cause it is set to default anyway and 'uncommenting' would place it at end of file then which is not wanted - rework postfix-main.cf.patch * disable virtual_alias_domains cause (default: $virtual_alias_maps) - rework config.postfix * disable PCONF of virtual_alias_domains virtual_alias_maps will be set anyway to the correct value * extend virtual_alias_maps with - mysql_virtual_alias_domain_maps.cf - mysql_virtual_alias_domain_catchall_maps.cf - rework postfix-mysql, added * mysql_virtual_alias_domain_maps.cf * mysql_virtual_alias_domain_catchall_maps.cf needed for reject_unverified_recipient - binary hardening: link with full RELRO - Update to 3.3.2 * Support for OpenSSL 1.1.1 and TLSv1.3. * Bugfixes: - smtpd_discard_ehlo_keywords could not disable "SMTPUTF8", because some lookup table was using "EHLO_MASK_SMTPUTF8" instead. - minor memory leak in DANE support when minting issuer certs. - The Postfix build did not abort if the m4 command was not installed, resulting in a broken postconf command. - add POSTFIX_RELAY_DOMAINS * more flexibility to add to relay_domains without breaking config.postfix * rework restriction examples in sysconf.postfix based on postfix-buch.com (2. edtion by Hildebrandt, Koetter) - disable weak cipher: RC4 after check with https://ssl-tools.net/mailservers - update config.postfix * don't reject mail from authenticated users even if reject_unknown_client_hostname would match, add permit_sasl_authenticated to all restrictions requires smtpd_delay_reject = yes - update postfix-main.cf.patch * recover removed setting smtpd_sasl_path and smtpd_sasl_type, set to default value config.postfix will not 'enable' (remove #) var, but place modified (enabled) var at end of file, far away from place where it should be - rebase patches * fix-postfix-script.patch * postfix-vda-v14-3.0.3.patch * postfix-linux45.patch * postfix-master.cf.patch * pointer_to_literals.patch * postfix-no-md5.patch - bsc#1092939 - Postfixes postconf gives a lot of LDAP related warnings o add m4 as buildrequires, as proposed. - Add zlib-devel as buildrequires, previously included from openssl-devel - bsc#1087471 Unreleased Postfix update breaks SUSE Manager o Removing setting smtpd_sasl_path and smtpd_sasl_type to empty - Update to 3.3.1 * Postfix did not support running as a PID=1 process, which complicated Postfix deployment in containers. The "postfix start-fg" command will now run the Postfix master daemon as a PID=1 process if possible. Thanks for inputs from Andreas Schulze, Eray Aslan, and Viktor Dukhovni. * Segfault in the postconf(1) command after it could not open a Postfix database configuration file due to a file permission error (dereferencing a null pointer). Reported by Andreas Hasenack, fixed by Viktor Dukhovni. * The luser_relay feature became a black hole, when the luser_relay parameter was set to a non-existent local address (i.e. mail disappeared silently). Reported by J?rgen Thomsen. * Missing error propagation in the tlsproxy(8) daemon could result in a segfault after TLS handshake error (dereferencing a 0xffff...ffff pointer). This daemon handles the TLS protocol when a non-whitelisted client sends a STARTTLS command to postscreen(8). - remove pre-requirements on sysvinit(network) and sysvinit(syslog). There seems to be no good reason for that other than blowing up the dependencies (bsc#1092408). - bsc#1071807 postfix-SuSE/config.postfix: only reload postfix if the actual service is running. This prevents spurious and irrelevant error messages in system logs. - bsc#1082514 autoyast: postfix gets not set myhostname properly - set to localhost - Refresh spec-file via spec-cleaner and manual optinizations. * Add %license macro. * Set license to IPL-1.0 OR EPL-2.0. - Update to 3.3.0 * http://cdn.postfix.johnriley.me/mirrors/postfix-release/official/postfix-3.3.0.RELEASE_NOTES * Dual license: in addition to the historical IBM Public License 1.0, Postfix is now also distributed with the more recent Eclipse Public License 2.0. Recipients can choose to take the software under the license of their choice. Those who are more comfortable with the IPL can continue with that license. * The postconf command now warns about unknown parameter names in a Postfix database configuration file. As with other unknown parameter names, these warnings can help to find typos early. * Container support: Postfix 3.3 will run in the foreground with "postfix start-fg". This requires that Postfix multi-instance support is disabled (the default). To collect Postfix syslog information on the container's host, mount the host's /dev/log socket into the container, for example with "docker run -v /dev/log:/dev/log ...other options...", and specify a distinct Postfix syslog_name setting in the container (for example with "postconf syslog_name=the-name-here"). * Milter support: applications can now send RET and ENVID parameters in SMFIR_CHGFROM (change envelope sender) requests. * Postfix-generated From: headers with 'full name' information are now formatted as "From: name
" by default. Specify "header_from_format = obsolete" to get the earlier form "From: address (name)". * Interoperability: when Postfix IPv6 and IPv4 support are both enabled, the Postfix SMTP client will now relax MX preferences and attempt to schedule similar numbers of IPv4 and IPv6 addresses. This works around mail delivery problems when a destination announces lots of primary MX addresses on IPv6, but is reachable only over IPv4 (or vice versa). The new behavior is controlled with the smtp_balance_mx_inet_protocols parameter. * Compatibility safety net: with compatibility_level < 1, the Postfix SMTP server now warns for mail that would be blocked by the Postfix 2.10 smtpd_relay_restrictions feature, without blocking that mail. There still is a steady trickle of sites that upgrade from an earlier Postfix version. - bsc#1065411 Package postfix should require package system-user-nobody - bsc#1080772 postfix smtpd throttle getting "hello" if no sasl auth was configured - Fix usage of fillup_only:-y is not a valid option to this macro. - Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468) - Don't mark postfix.service as config file, this is no config file. - Some of the Requires(pre) are needed for post-install and at runtime, fix the requires. - update to 3.2.4 * DANE interoperability. Postfix builds with OpenSSL 1.0.0 or 1.0.1 failed to send email to some sites with "TLSA 2 X X" DNS records associated with an intermediate CA certificate. Problem report and initial fix by Erwan Legrand. * Missing dynamicmaps support in the Postfix sendmail command. This broke authorized_submit_users settings that use a dynamically-loaded map type. Problem reported by Ulrich Zehl. - bnc#1059512 L3: Postfix Problem The applied changes breaks existing postfix configurations because daemon_directory was not adapted to the new value. - fix build for SLE * nothing provides libnsl-devel * add bcond_with libnsl - bnc#1059512 L3: Postfix Problem To manage multiple Postfix instances on a single host requires that daemon_directory and shlib_directory is different to avoid use of the shared directories also as per-instance directories. For this reason daemon_directory was set to /usr/lib/postfix/bin/. shlib_directory stands /usr/lib/postfix/. - bnc#1016491 postfix raported to log "warning: group or other writable:" on each symlink in config. * Add fix-postfix-script.patch - update to 3.2.3 * Extension propagation was broken with "recipient_delimiter = .". This change reverts a change that was trying to be too clever. * The postqueue command would abort with a panic message after it experienced an output write error while listing the mail queue. This change restores a write error check that was lost with the Postfix 3.2 rewrite of the vbuf_print formatter. * Restored sanity checks for dynamically-specified width and precision in format strings (%*, %.*, and %*.*). These checks were lost with the Postfix 3.2 rewrite of the vbuf_print formatter. - Add libnsl-devel build requires for glibc obsoleting libnsl - bnc#1045264 L3: postmap problem * Applying proposed patch of leen.meyer@ziggo.nl in bnc#771811 - update to 3.2.2 * Security: Berkeley DB versions 2 and later try to read settings from a file DB_CONFIG in the current directory. This undocumented feature may introduce undisclosed vulnerabilities resulting in privilege escalation with Postfix set-gid programs (postdrop, postqueue) before they chdir to the Postfix queue directory, and with the postmap and postalias commands depending on whether the user's current directory is writable by other users. This fix does not change Postfix behavior for Berkeley DB versions < 3, but it does reduce postmap and postalias 'create' performance with Berkeley DB versions 3.0 .. 4.6. * The SMTP server receive_override_options were not restored at the end of an SMTP session, after the options were modified by an smtpd_milter_maps setting of "DISABLE". Milter support remained disabled for the life time of the smtpd process. * After the Postfix 3.2 address/domain table lookup overhaul, the check_sender_access and check_recipient_access features ignored a non-default parent_domain_matches_subdomains setting. - revert changes of postfix-main.cf.patch from rev=261 * config.postfix will not 'enable' (remove #) var, but place modified (enabled) var at end of file, far away from place where it should be * keep vars enabled but empty - Some cleanups * Fix SUSE postfix-files to avoid chown errors (anyway this file seems to be obsolete) * Avoid installing shared libraries twice * Refresh patch postfix-linux45.patch - update postfix-master.cf.patch * recover lost (with 3.2.0 update) submission, smtps sections * merge with upstream update - update config.postfix * update master.cf generation for submission - rebase patches against 3.2.0 * pointer_to_literals.patch * postfix-no-md5.patch * postfix-ssl-release-buffers.patch * postfix-vda-v14-3.0.3.patch - Require system group mail - Use mail group name instead of GID - update to 3.2.0 - [Feature 20170128] Postfix 3.2 fixes the handling of address extensions with email addresses that contain spaces. For example, the virtual_alias_maps, canonical_maps, and smtp_generic_maps features now correctly propagate an address extension from "aa bb+ext"@example.com to "cc dd+ext"@other.example, instead of producing broken output. - [Feature 20161008] "PASS" and "STRIP" actions in header/body_checks. "STRIP" is similar to "IGNORE" but also logs the action, and "PASS" disables header, body, and Milter inspection for the remainder of the message content. Contributed by Hobbit. - [Feature 20160330] The collate.pl script by Viktor Dukhovni for grouping Postfix logfile records into "sessions" based on queue ID and process ID information. It's in the auxiliary/collate directory of the Postfix source tree. - [Feature 20160527] Postfix 3.2 cidr tables support if/endif and negation (by prepending ! to a pattern), just like regexp and pcre tables. The primarily purpose is to improve readability of complex tables. See the cidr_table(5) manpage for syntax details. - [Incompat 20160925] In the Postfix MySQL database client, the default option_group value has changed to "client", to enable reading of "client" option group settings in the MySQL options file. This fixes a "not found" problem with Postfix queries that contain UTF8-encoded non-ASCII text. Specify an empty option_group value (option_group =) to get backwards-compatible behavior. - [Feature 20161217] Stored-procedure support for MySQL databases. Contributed by John Fawcett. See mysql_table(5) for instructions. - [Feature 20170128] The postmap command, and the inline: and texthash: maps now support spaces in left-hand field of the lookup table "source text". Use double quotes (") around a left-hand field that contains spaces, and use backslash (\) to protect embedded quotes in a left-hand field. There is no change in the processing of the right-hand field. - [Feature 20160611] The Postfix SMTP server local IP address and port are available in the policy delegation protocol (attribute names: server_address, server_port), in the Milter protocol (macro names: {daemon_addr}, {daemon_port}), and in the XCLIENT protocol (attribute names: DESTADDR, DESTPORT). - [Feature 20161024] smtpd_milter_maps support for per-client Milter configuration that overrides smtpd_milters, and that has the same syntax. A lookup result of "DISABLE" turns off Milter support. See MILTER_README.html for details. - [Feature 20160611] The Postfix SMTP server local IP address and port are available in the policy delegation protocol (attribute names: server_address, server_port), in the Milter protocol (macro names: {daemon_addr}, {daemon_port}), and in the XCLIENT protocol (attribute names: DESTADDR, DESTPORT). - [Incompat 20170129] The postqueue command no longer forces all message arrival times to be reported in UTC. To get the old behavior, set TZ=UTC in main.cf:import_environment (this override is not recommended, as it affects all Postfix utities and daemons). - [Incompat 20161227] For safety reasons, the sendmail -C option must specify an authorized directory: the default configuration directory, a directory that is listed in the default main.cf file with alternate_config_directories or multi_instance_directories, or the command must be invoked with root privileges (UID 0 and EUID 0). This mitigates a recurring problem with the PHP mail() function. - [Feature 20160625] The Postfix SMTP server now passes remote client and local server network address and port information to the Cyrus SASL library. Build with ``make makefiles "CCARGS=$CCARGS -DNO_IP_CYRUS_SASL_AUTH"'' for backwards compatibility. - [Feature 20161103] Postfix 3.2 disables the 'transitional' compatibility between the IDNA2003 and IDNA2008 standards for internationalized domain names (domain names beyond the limits of US-ASCII). This change makes Postfix behavior consistent with contemporary web browsers. It affects the handling of some corner cases such as German sz and Greek zeta. See http://unicode.org/cldr/utility/idna.jsp for more examples. Specify "enable_idna2003_compatibility = yes" to restore historical behavior (but keep in mind that the rest of the world may not make that same choice). - [Feature 20160828] Fixes for deprecated OpenSSL 1.1.0 API features, so that Postfix will build without depending on backwards-compatibility support. [Incompat 20161204] Postfix 3.2 removes tentative features that were implemented before the DANE spec was finalized: - Support for certificate usage PKIX-EE(1), - The ability to disable digest agility (Postfix now behaves as if "tls_dane_digest_agility = on"), and - The ability to disable support for "TLSA 2 [01] [12]" records that specify the digest of a trust anchor (Postfix now behaves as if "tls_dane_trust_anchor_digest_enable = yes). - [Feature 20161217] Postfix 3.2 enables elliptic curve negotiation with OpenSSL >= 1.0.2. This changes the default smtpd_tls_eecdh_grade setting to "auto", and introduces a new parameter tls_eecdh_auto_curves with the names of curves that may be negotiated. The default tls_eecdh_auto_curves setting is determined at compile time, and depends on the Postfix and OpenSSL versions. At runtime, Postfix will skip curve names that aren't supported by the OpenSSL library. - [Feature 20160611] The Postfix SMTP server local IP address and port are available in the policy delegation protocol (attribute names: server_address, server_port), in the Milter protocol (macro names: {daemon_addr}, {daemon_port}), and in the XCLIENT protocol (attribute names: DESTADDR, DESTPORT). - refresh postfix-master.cf.patch - make sure that system users can be created in %pre - Fix requires: - shadow is needed for postfix-mysql pre-install section - insserv is not needed if systemd is used - update postfix-mysql * update mysql_*.cf files * update postfix-mysql.sql (INNODB, utf8) - update postfix-main.cf.patch * uncomment smtpd_sasl_path, smtpd_sasl_type can be changed via POSTFIX_SMTP_AUTH_SERVICE=(cyrus,dovecot) * add option for smtp_tls_policy_maps (commented) - update postfix-master.cf.patch * fix indentation of submission, smtps options for correct enabling via config.postfix - update config.postfix * fix sync of CA certificates * fix master.cf generation for submission, smtps - rebase postfix-vda-v14-3.0.3.patch - FATE#322322 Update postfix to version 3.X Merging changes with SLES12-SP2 Removeved patches: add_missed_library.patch bnc#947707.diff dynamic_maps.patch postfix-db6.diff postfix-opensslconfig.patch bnc#947519.diff dynamic_maps_pie.patch postfix-post-install.patch These are included in the new version of postfix - Remove references to SuSEconfig.postfix from sysconfig docs. (bsc#871575) - bnc#947519 SuSEconfig.postfix should enforce umask 022 - bnc#947707 mail generated by Amavis being prevented from being re-adressed by /etc/postfix/virtual - bnc#972346 /usr/sbin/SuSEconfig.postfix is wrong - postfix-linux45.patch: handle Linux 4.x and Linux 5.x (used by aarch64) (bsc#940289) - update to 3.1.4 * The postscreen daemon did not merge the client test status information for concurrent sessions from the same IP address. * The Postfix SMTP server falsely rejected a sender address when validating a sender address with "smtpd_reject_unlisted_recipient = yes" or with "reject_unlisted_sender". Cause: the address validation code did not query sender_canonical_maps. * The virtual delivery agent did not detect failure to skip to the end of a mailbox file, so that mail would be delivered to the beginning of the file. This could happen when a mailbox file was already larger than the virtual mailbox size limit. * The postsuper logged an incorrect rename operation count after creating a missing directory. * The Postfix SMTP server falsely rejected mail when a sender-dependent "error" transport was configured. Cause: the SMTP server address validation code was not updated when the sender_dependent_default_transport_maps feature was introduced. * The Postfix SMTP server falsely rejected an SMTPUTF8 sender address, when "smtpd_delay_reject = no". * The "postfix tls deploy-server-cert" command used the wrong certificate and key file. This was caused by a cut-and-paste error in the postfix-tls-script file. - improve config.postfix * improve SASL stuff * add POSTFIX_SMTP_AUTH_SERVICE=(cyrus|dovecot) - improve config.postfix * improve with MySQL stuff - update vda patch to latest available * remove postfix-vda-v13-3.10.0.patch * add postfix-vda-v14-3.0.3.patch - rebase patches (and to be p0) * pointer_to_literals.patch * postfix-main.cf.patch * postfix-master.cf.patch * postfix-no-md5.patch * postfix-ssl-release-buffers.patch - add /etc/postfix/ssl as default DIR for SSL stuff * cacerts -> ../../ssl/certs/ * certs/ - revert POSTFIX_SSL_PATH from '/etc/ssl' to '/etc/postfix/ssl' - improve config.postfix * revert smtpd_tls_CApath to POSTFIX_SSL_PATH/cacerts which is a symlink to /etc/ssl/certs Without reverting, 'gen_CA' would create files which would then be on the previous defined 'sslpath(/etc/ssl)/certs' (smtpd_tls_CApath) Cert reqs would be placed in 'sslpath(/etc/ssl)/certs/postfixreq.pem' which is not a good idea. * mkchroot: sync '/etc/postfix/ssl' to chroot * improve PCONF for smtp{,d}_tls_{cert,key}_file, adding/removing from main.cf, show warning if enabled and file is missing - update to 3.1.3: * The Postfix SMTP server did not reset a previous session's failed/total command counts before rejecting a client that exceeds request or concurrency rates. This resulted in incorrect failed/total command counts being logged at the end of the rejected session. * The unionmap multi-table interface did not propagate table lookup errors, resulting in false "user unknown" responses. * The documentation was updated with a workaround for false "not found" errors with MySQL map queries that contain UTF8-encoded text. The workaround is to specify "option_group = client" in Postfix MySQL configuration files. This will be the default setting with Postfix 3.2 and later. - update to 3.1.2: * Changes to make Postfix build with OpenSSL 1.1.0. * The makedefs script ignored readme_directory=pathname overrides. Fix by Todd C. Olson. * The tls_session_ticket_cipher documentation says that the default cipher for TLS session tickets is aes-256-cbc, but the implemented default was aes-128-cbc. Note that TLS session ticket keys are rotated after 1/2 hour, to limit the impact of attacks on session ticket keys. - postfix-post-install.patch: remove empty patch - fix Changelog cause of Factory decline - Fix typo in config.postfix - bnc#981097 config.postfix creates broken main.cf for tls client configuration - bnc#981099 /etc/sysconfig/postfix: POSTFIX_SMTP_TLS_CLIENT incomplete - update to 3.1.1: - The new address_verify_pending_request_limit parameter introduces a safety limit for the number of address verification probes in the active queue. The default limit is 1/4 of the active queue maximum size. The queue manager enforces the limit by tempfailing probe messages that exceed the limit. This design avoids dependencies on global counters that get out of sync after a process or system crash. - Machine-readable, JSON-formatted queue listing with "postqueue -j" (no "mailq" equivalent). - The milter_macro_defaults feature provides an optional list of macro name=value pairs. These specify default values for Milter macros when no value is available from the SMTP session context. - Support to enforce a destination-independent delay between email deliveries. The following example inserts 20 seconds of delay between all deliveries with the SMTP transport, limiting the delivery rate to at most three messages per minute. smtp_transport_rate_delay = 20s - Historically, the default setting "postscreen_dnsbl_ttl = 1h" assumes that a "not found" result from a DNSBL server will be valid for one hour. This may have been adequate five years ago when postscreen was first implemented, but nowadays, that one hour can result in missed opportunities to block new spambots. To address this, postscreen now respects the TTL of DNSBL "not found" replies, as well as the TTL of DNSWL replies (both "found" and "not found"). The TTL for a "not found" reply is determined according to RFC 2308 (the TTL of an SOA record in the reply). Support for DNSBL or DNSWL reply TTL values is controlled by two configuration parameters: postscreen_dnsbl_min_ttl (default: 60 seconds). postscreen_dnsbl_max_ttl (default: $postscreen_dnsbl_ttl or 1 hour) The postscreen_dnsbl_ttl parameter is now obsolete, and has become the default value for the new postscreen_dnsbl_max_ttl parameter. - New "smtpd_client_auth_rate_limit" feature, to enforce an optional rate limit on AUTH commands per SMTP client IP address. Similar to other smtpd_client_*_rate_limit features, this enforces a limit on the number of requests per $anvil_rate_time_unit. - New SMTPD policy service attribute "policy_context", with a corresponding "smtpd_policy_service_policy_context" configuration parameter. Originally, this was implemented to share the same SMTPD policy service endpoint among multiple check_policy_service clients. - A new "postfix tls" command to quickly enable opportunistic TLS in the Postfix SMTP client or server, and to manage SMTP server keys and certificates, including certificate signing requests and TLSA DNS records for DANE. - build with working support for SMTPUTF8 - fix build on sle11 by pointing _libexecdir to /usr/lib all the time. - some distros did not pull pkgconfig indirectly. pull it directly. - fix building the dynamic maps: the old build had postgresql e.g. with missing symbols. - convert to AUXLIBS_* instead of plain AUXLIBS which is needed for proper dynamic maps. - reordered the CCARGS and AUXLIBS* lines to group by feature - use pkgconfig or *_config tools where possible - picked up signed char from fedora spec file - enable lmdb support: new BR lmdb-devel, new subpackage postfix-lmdb. - don't delete vmail user/groups - update to 3.1.0 - Since version 3.0 postfix supports dynamic loading of cdb:, ldap:, lmdb:, mysql:, pcre:, pgsql:, sdbm:, and sqlite: database clients. Thats why the patches dynamic_maps.patch and dynamic_maps_pie.patch could be removed. - Adapting all the patches to postfix 3.1.0 - remove obsolete patches * add_missed_library.patch * postfix-opensslconfig.patch - update vda patch * remove postfix-vda-v13-2.10.0.patch * add postfix-vda-v13-3.10.0.patch - The patch postfix-db6.diff is not more neccessary - Backwards-compatibility safety net. With NEW Postfix installs, you MUST install a main.cf file with the setting "compatibility_level = 2". See conf/main.cf for an example. With UPGRADES of existing Postfix systems, you MUST NOT change the main.cf compatibility_level setting, nor add this setting if it does not exist. Several Postfix default settings have changed with Postfix 3.0. To avoid massive frustration with existing Postfix installations, Postfix 3.0 comes with a safety net that forces Postfix to keep running with backwards-compatible main.cf and master.cf default settings. This safety net depends on the main.cf compatibility_level setting (default: 0). Details are in COMPATIBILITY_README. - Major changes - tls * [Feature 20160207] A new "postfix tls" command to quickly enable opportunistic TLS in the Postfix SMTP client or server, and to manage SMTP server keys and certificates, including certificate signing requests and TLSA DNS records for DANE. * As of the middle of 2015, all supported Postfix releases no longer nable "export" grade ciphers for opportunistic TLS, and no longer use the deprecated SSLv2 and SSLv3 protocols for mandatory or opportunistic TLS. * [Incompat 20150719] The default Diffie-Hellman non-export prime was updated from 1024 to 2048 bits, because SMTP clients are starting to reject TLS handshakes with primes smaller than 2048 bits. * [Feature 20160103] The Postfix SMTP client by default enables DANE policies when an MX host has a (DNSSEC) secure TLSA DNS record, even if the MX DNS record was obtained with insecure lookups. The existence of a secure TLSA record implies that the host wants to talk TLS and not plaintext. For details see the smtp_tls_dane_insecure_mx_policy configuration parameter. - Major changes - default settings [Incompat 20141009] The default settings have changed for relay_domains (new: empty, old: $mydestination) and mynetworks_style (new: host, old: subnet). However the backwards-compatibility safety net will prevent these changes from taking effect, giving the system administrator the option to make an old default setting permanent in main.cf or to adopt the new default setting, before turning off backwards compatibility. See COMPATIBILITY_README for details. [Incompat 20141001] A new backwards-compatibility safety net forces Postfix to run with backwards-compatible main.cf and master.cf default settings after an upgrade to a newer but incompatible Postfix version. See COMPATIBILITY_README for details. While the backwards-compatible default settings are in effect, Postfix logs what services or what email would be affected by the incompatible change. Based on this the administrator can make some backwards-compatibility settings permanent in main.cf or master.cf, before turning off backwards compatibility. - Major changes - address verification safety [Feature 20151227] The new address_verify_pending_request_limit parameter introduces a safety limit for the number of address verification probes in the active queue. The default limit is 1/4 of the active queue maximum size. The queue manager enforces the limit by tempfailing probe messages that exceed the limit. This design avoids dependencies on global counters that get out of sync after a process or system crash. Tempfailing verify requests is not as bad as one might think. The Postfix verify cache proactively updates active addresses weeks before they expire. The address_verify_pending_request_limit affects only unknown addresses, and inactive addresses that have expired from the address verify cache (by default, after 31 days). - Major changes - json support [Feature 20151129] Machine-readable, JSON-formatted queue listing with "postqueue -j" (no "mailq" equivalent). The output is a stream of JSON objects, one per queue file. To simplify parsing, each JSON object is formatted as one text line followed by one newline character. See the postqueue(1) manpage for a detailed description of the output format. - Major changes - milter support [Feature 20150523] The milter_macro_defaults feature provides an optional list of macro name=value pairs. These specify default values for Milter macros when no value is available from the SMTP session context. For example, with "milter_macro_defaults = auth_type=TLS", the Postfix SMTP server will send an auth_type of "TLS" to a Milter, unless the remote client authenticates with SASL. This feature was originally implemented for a submission service that may authenticate clients with a TLS certificate, without having to make changes to the code that implements TLS support. - Major changes - output rate control [Feature 20150710] Destination-independent delivery rate delay Support to enforce a destination-independent delay between email deliveries. The following example inserts 20 seconds of delay between all deliveries with the SMTP transport, limiting the delivery rate to at most three messages per minute. /etc/postfix/main.cf: smtp_transport_rate_delay = 20s For details, see the description of default_transport_rate_delay and transport_transport_rate_delay in the postconf(5) manpage. - Major changes - postscreen dnsbl [Feature 20150710] postscreen support for the TTL of DNSBL and DNSWL lookup results Historically, the default setting "postscreen_dnsbl_ttl = 1h" assumes that a "not found" result from a DNSBL server will be valid for one hour. This may have been adequate five years ago when postscreen was first implemented, but nowadays, that one hour can result in missed opportunities to block new spambots. To address this, postscreen now respects the TTL of DNSBL "not found" replies, as well as the TTL of DNSWL replies (both "found" and "not found"). The TTL for a "not found" reply is determined according to RFC 2308 (the TTL of an SOA record in the reply). Support for DNSBL or DNSWL reply TTL values is controlled by two configuration parameters: postscreen_dnsbl_min_ttl (default: 60 seconds). This parameter specifies a minimum for the amount of time that a DNSBL or DNSWL result will be cached in the postscreen_cache_map. This prevents an excessive number of postscreen cache updates when a DNSBL or DNSWL server specifies a very small reply TTL. postscreen_dnsbl_max_ttl (default: $postscreen_dnsbl_ttl or 1 hour) This parameter specifies a maximum for the amount of time that a DNSBL or DNSWL result will be cached in the postscreen_cache_map. This prevents cache pollution when a DNSBL or DNSWL server specifies a very large reply TTL. The postscreen_dnsbl_ttl parameter is now obsolete, and has become the default value for the new postscreen_dnsbl_max_ttl parameter. - Major changes - sasl auth safety [Feature 20151031] New "smtpd_client_auth_rate_limit" feature, to enforce an optional rate limit on AUTH commands per SMTP client IP address. Similar to other smtpd_client_*_rate_limit features, this enforces a limit on the number of requests per $anvil_rate_time_unit. - Major changes - smtpd policy [Feature 20150913] New SMTPD policy service attribute "policy_context", with a corresponding "smtpd_policy_service_policy_context" configuration parameter. Originally, this was implemented to share the same SMTPD policy service endpoint among multiple check_policy_service clients. - bnc#958329 postfix fails to start when openslp is not installed - upstream update postfix 2.11.7: * The Postfix Milter client aborted with a panic while adding a message header, after adding a short message header with the header_checks PREPEND action. Fixed by invoking the header output function while PREPENDing a message header. * False alarms while scanning the Postfix queue. Fixed by resetting errno before calling readdir(). This defect was introduced 19970309. * The postmulti command produced an incorrect error message. * The postmulti command now refuses to create a new MTA instance when the template main.cf or master.cf file are missing. This is a common problem on Debian-like systems. * Turning on Postfix SMTP server HAProxy support broke TLS wrappermode. Fixed by temporarily using a 1-byte VSTREAM buffer to read the HAProxy connection hand-off information. * The xtext_unquote() function did not propagate error reports from xtext_unquote_append(), causing the decoder to return partial output, instead of rejecting malformed input. The Postfix SMTP server uses this function to parse input for the ENVID and ORCPT parameters, and for XFORWARD and XCLIENT command parameters. - boo#934060: Remove quirky hostname logic from config.postfix * /etc/hostname doesn't contain anything useful * linux.local is no good either * postfix will use `hostname`.localdomain as fallback - postfix-no-md5.patch: replace fingerprint defaults by sha1. bsc#928885 - %verifyscript is a new section, move it out of the %ifdef so the fillups are run afterwards. - upstream update postfix 2.11.6: Default settings have been updated so that they no longer enable export-grade ciphers, and no longer enable the SSLv2 and SSLv3 protocols. - removed postfix-2.11.5_linux4.patch because it's obsolete - Bugfix (introduced: Postfix 2.11): with connection caching enabled (the default), recipients could be given to the wrong mail server. (bsc#944722) - postfix-SuSE.tar.gz/postfix.service: None of nss-lookup.target network.target local-fs.target time-sync.target should be Wanted or Required except by the services the implement the relevant functionality i.e network.target is wanted/required by networkmanager, wicked, systemd-network. other software must be ordered After them, see systemd.special(7) - Fix library symlink generation (boo#928662) - added postfix-2.11.5_linux4.patch: Allow building on kernel 4. Patch taken from: https://groups.google.com/forum/#!topic/mailing.postfix.users/fufS22sMGWY - update to postfix 2.11.5 - Bugfix (introduced: Postfix 2.6): sender_dependent_relayhost_maps ignored the relayhost setting in the case of a DUNNO lookup result. It would use the recipient domain instead. Viktor Dukhovni. Wietse took the pieces of code that enforce the precedence of a sender-dependent relayhost, the global relayhost, and the recipient domain, and put that code together in once place so that it is easier to maintain. File: trivial-rewrite/resolve.c. - Bitrot: prepare for future changes in OpenSSL API. Viktor Dukhovni. File: tls_dane.c. - Incompatibility: specifying "make makefiles" with "CC=command" will no longer override the default WARN setting. - upstream update postfix 2.11.4: Postfix 2.11.4 only: * Fix a core dump when smtp_policy_maps specifies an invalid TLS level. * Fix a missing " in \%s\", in postconf(1) fatal error messages, which violated the C language spec. Reported by Iain Hibbert. All supported releases: * Stop excessive recursion in the cleanup server while recovering from a virtual alias expansion loop. Problem found at Two Sigma. * Stop exponential memory allocation with virtual alias expansion loops. This came to light after fixing the previous problem. - correct pf_daemon_directory in spec. This must be /usr/lib/ - bnc#914086 syntax error in config.postfix - Adapt config.postfix to be able to run on SLE11 too. - Don't install sysvinit script when systemd is used - Make explicit PreReq dependencies conditional only for older systems - Don't try to set explicit attributes to symlinks - Cleanup spec file vith spec-cleaner - bnc#912594 config.postfix creates config based on old options - bnc#911806 config.postfix does not set up correct saslauthd socket directory for chroot - bnc#910265 config.postfix does not upgrade the chroot - bnc#908003 wrong access rights on /usr/sbin/postdrop causes permission denied when trying to send a mail as non root user - bnc#729154 wrong permissions for some postfix components - Remove keyring and things as it is md5 based one no longer accepted by gpg 2.1 - No longer perform gpg validation; osc source_validator does it implicit: + Drop gpg-offline BuildRequires. + No longer execute gpg_verify. - restore previously lost fix: Fri Oct 11 13:32:32 UTC 2013 - matz@suse.de - Ignore errors in %pre/%post. - postfix 2.11.3: * Fix for configurations that prepend message headers with Postfix access maps, policy servers or Milter applications. Postfix now hides its own Received: header from Milters and exposes prepended headers to Milters, regardless of the mechanism used to prepend a header. This fix reverts a partial solution that was released on October 13, 2014, and replaces it with a complete solution. * Portability fix for MacOS X 10.7.x (Darwin 11.x) build procedure. - postfix 2.11.2: * Fix for DMARC implementations based on SPF policy plus DKIM Milter. The PREPEND access/policy action added headers ABOVE Postfix's own Received: header, exposing Postfix's own Received: header to Milters (protocol violation) and hiding the PREPENDed header from Milters. PREPENDed headers are now added BELOW Postfix's own Received: header and remain visible to Milters. * The Postfix SMTP server logged an incorrect client name in reject messages for check_reverse_client_hostname_access and check_reverse_client_hostname_{mx,ns}_access. They replied with the verified client name, instead of the name that was rejected. * The qmqpd daemon crashed with null pointer bug when logging a lost connection while not in a mail transaction. - switch from md5 based signature to one using the SHA-512 digest algorithm supplied by maintainer on ML to pass source_validator - postfix 2.11.1: * With connection caching enabled (the default), recipients could be given to the wrong mail server. * Enforce TLS when TLSA records exist, but all are unusable. * Don't leak memory when TLSA records exist, but all are unusable. * Prepend "-I. -I../../include" to the compiler command-line options, to avoid name clashes with non-Postfix header files. * documentation fixes * logging fixes - fix dynamic_maps patch to enable memcache support, which does not need any libraries - Rename rpmlintrc to %{name}-rpmlintrc. Follow the packaging guidelines. - fix typo in postfix-SuSE/update_chroot.systemd - fix config.postfix * 'insserv amavis' -> 'chkconfig amavis on' - rework main.cf patch * fix virtual stuff * add some dovecot stuff - rework master.cf patch * add some dovecot stuff - The included postfix-mysql.tar.bz2 was using a MySQL 4.1 style of table engine specification. Modified so that the sql uses 'ENGINE=' instead of 'TYPE=' for creating tables. - bnc#816769 - config.postfix issues warnings about missing master.cf - bnc#882033 - Package postfix has changed files according to rpm - bnc#855688 - possible systemd bug: postfix & cifs dependency confict - bnc#863350 - SuSEconfig.postfix complains about modified /etc/postfix/main.cf after updating postfix - replace vda patch: * add postfix-vda-v13-2.10.0.patch * remove postfix-vda-v11-2.9.6.patch - rebase patches - config.postfix * add master.cf support for submission (587) * rework master.cf support for smtps - bnc#862662 - Unable to configure postfix SMTP with forced TLS using YaST2 - Update to 2.11.0 * TLS o Support for PKI-less TLS server certificate verification, where the CA public key or the server certificate is identified via DNSSEC lookup * LMDB database support * master o The master_service_disable parameter value syntax has changed: use "service/type" instead of "service.type". * postconf: o Support for advanced master.cf query and update operations. This was implemented primarily to support automated system management tools. o The postconf command produces more warnings * relay safety New smtpd_relay_restrictions parameter built-in default settings: smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination * postscreen whitelisting Allow a remote SMTP client to skip postscreen(8) tests based on its postscreen_dnsbl_sites score. - Ignore errors in %pre/%post. - two improvements for 13.1 and factory * postfix-opensslconfig.patch call openSSL_config so postfix respects the system's openssl configuration * postfix-SuSE/postfix.service since a few months there is no mail-transfer-agent.target, units must be ordered after a list of smtpd implementations instead. - Proc is not needed in chroot anymore - postfix-main.cf.patch: remove duplicate entry for inet_protocols - fix for warning * unused parameter: virtual_create_maildirsize=yes * unused parameter: virtual_mailbox_extended=yes * rework main.cf.patch - fix rcpostfix for sysvinit systems * /etc/postfix/system/update_postmaps: No such file or directory - rebase patches * vda-v11-2.9.5 -> vda-v11-2.9.6 - fix file postfix-SuSE.tar.gz * made a tar.gz - postfix.spec forces the use of SSL and SASL libraries, so make sure the BuildRequires are there - Add postfix-db6.diff to fix compile abort with libdb-6.0 - Add Source URL, see https://en.opensuse.org/SourceUrls - Add GPG verification - postfix-SuSE/postfix.service do not Require or order after syslog.target as it no longer exists postfix will fail to start in the next systemd version. - Install postfix.service accordingly (/usr/lib/systemd for 12.3 and up or /lib/systemd for older versions). - update to 2,9.6 Bugfix: the local(8) delivery agent dereferenced a null pointer while delivering to null command (for example, "|" in a .forward file). Bugfix: memory leak in program initialization. tls/tls_misc.c. Bugfix: he undocumented OpenSSL X509_pubkey_digest() function is unsuitable for computing certificate PUBLIC KEY fingerprints. Postfix now provides a correct procedure that accounts for the algorithm and parameters in addition to the key data. Specify "tls_legacy_public_key_fingerprints = yes" if you need backwards compatibility. - bnc#796162 - script to assign path elements not working in postfix install Build-0284(iso) - rebase patches * vda-v10-2.8.12 -> vda-v11-2.9.5 (and to be a p0) * main, master, post-instal, ssl-release-buffers (remove version) * dynamic_maps, dynamic_maps_pie, pointer_to_literals - update to 2,9.5 * tls support: Support to turn off the TLSv1.1 and TLSv1.2 protocols: To temporarily turn off problematic protocols globally: /etc/postfix/main.cf: smtp_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2 smtp_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2 However, it may be better to temporarily turn off problematic protocols for broken sites only: /etc/postfix/main.cf: smtp_tls_policy_maps = hash:/etc/postfix/tls_policy /etc/postfix/tls_policy: example.com may protocols=!SSLv2:!TLSv1.1:!TLSv1.2 * 20111012 To simplify integration with third-party applications, the Postfix sendmail command now always transforms all input lines ending in into UNIX format (lines ending in ). Specify "sendmail_fix_line_endings = strict" to restore historical Postfix behavior (i.e. convert all input lines ending in only if the first line ends in ). * 20120114 Logfile-based alerting systems may need to be updated to look for "error" messages in addition to "fatal" messages. Specify "daemon_table_open_error_is_fatal = yes" to get the historical behavior (immediate termination with "fatal" message). * enable_long_queue_ids Postfix 2.9 introduces support for non-repeating queue IDs (also used as queue file names). These names are encoded in a mix of upper case, lower case and decimal digit characters. Long queue IDs are disabled by default to avoid breaking tools that parse logfiles and that expect queue IDs with the smaller [A-F0-9] character set. * 20111209 memcache lookup and update support. This provides a way to share postscreen(8) or verify(8) caches between Postfix instances. See MEMCACHE_README and memcache_table(5) for details and limitations. * 20111218 To support external SASL authentication, e.g., in an NGINX proxy daemon, the Postfix SMTP server now always checks the smtpd_sender_login_maps table, even without having "smtpd_sasl_auth_enable = yes" in main.cf. * ipv6 o The default inet_protocols value is now "all" instead of "ipv4", meaning use both IPv4 and IPv6. o The default smtp_address_preference value is now "any" instead of "ipv6", meaning choose randomly between IPv6 and IPv4. With this the Postfix SMTP client will have more success delivering mail to sites that have problematic IPv6 configurations. - update to 2.8.13 * 20121029 Workaround: strip datalink suffix from IPv6 addresses returned by the system getaddrinfo() routine. Such suffixes mess up the default mynetworks value, host name/address verification and possibly more. This change obsoletes the 20101108 change that removes datalink suffixes in the SMTP and QMQP servers, but we leave that code alone. File: util/myaddrinfo.c. * 20121013 Cleanup: to compute the LDAP connection cache lookup key, join the numeric fields with null, just like string fields. Viktor Dukhovni. File: global/dict_ldap.c. * 20121010 Bugfix (introduced: Postfix 2.5): memory leak in program initialization. Reported by Coverity. File: tls/tls_misc.c. Bugfix (introduced: Postfix 2.3): memory leak in the unused oqmgr program. Reported by Coverity. File: oqmgr/qmgr_message.c. * 20121003 Bugfix: the postscreen_access_list feature was case-sensitive in the first character of permit, reject, etc. Reported by Feancis Picabia. File: global/server_acl.c. - rebase dynamic_maps_pie patch - rpmlint * invalid-suse-version-check 1140 * obsolete-suse-version-check 920 (changes file) - bnc#790141 - Command SuSEconfig.postfix reports ERROR - "can not find /lib/YaST/SuSEconfig.functions!!" - bnc#782048 - postfix uses /sbin/conf.d - bnc#784659 - remove SuSEconfig calls from yast2-mail - update to 2.8.12 * 20120730 Bugfix (introduced: 20000314): AUTH is not allowed after MAIL. Timo Sirainen. File: smtpd/smtpd_sasl_proto.c. * 20120702 Bugfix (introduced: 19990127): the BIFF client leaked an unprivileged UDP socket. Fix by Jaroslav Skarvada. File: local/biff_notify.c. * 20120621 Bugfix (introduced: Postfix 2.8): the unused "pass" trigger client could close the wrong file descriptors. File: util/unix_pass_trigger.c. - fix for bnc#771303 * add 'version = 3' to ldap_aliases.cf - rebase patches * main, master, post-install: 2.8.3 -> 2.8.12 * ssl-release-buffers: 2.8.5 -> 2.8.12 * vda-v10: 2.8.9 -> 2.8.12 * dynamic_maps, dynamic_maps_pie, ipv6_disabled, pointer_to_literals - fix changes file - bnc#771811 - postfix update does not regenerate the maps - update to 2.8.11 * 20120520 - Bugfix (introduced Postfix 2.4): the event_drain() function was comparing bitmasks incorrectly causing the program to always wait for the full time limit. This error affected the unused postkick command, but only after s/fifo/unix/ in master.cf. File: util/events.c. - Cleanup: laptop users have always been able to avoid unnecessary disk spin-up by doing s/fifo/unix/ in master.cf (this is currently not supported on Solaris systems). However, to make this work reliably, the "postqueue -f" command must wait until its requests have reached the pickup and qmgr servers before closing the UNIX-domain request sockets. Files: postqueue/postqueue.c, postqueue/Makefile.in. - bnc#753910 - {name} instead of %{name} in postfix .spec - bnc#756452 - VUL-1: postfix: VRFY allows enumerating users - update to 2.8.10 * 20120401 Bitrot: shut up useless warnings about Cyrus SASL call-back function pointer type mis-matches. Files: xsasl/xsasl_cyrus.h, xsasl/xsasl_cyrus_server.c, xsasl/xsasl_client.c. * 20120422 Bit-rot: OpenSSL 1.0.1 introduces new protocols. Update the known TLS protocol list so that protocols can be turned off selectively to work around implementation bugs. Based on a patch by Victor Duchovni. Files: proto/TLS_README.html, proto/postconf.proto, tls/tls.h, tls/tls_misc.c, tls/tls_client.c, tls/tls_server.c. - update to 2.8.9 * 20120217 Cleanup: missing #include statement for bugfix code added 20111226. File: local/unknown.c. * 20120214 Bugfix (introduced: Postfix 2.4): extraneous null assignment caused core dump when postlog emitted the "usage" message. Reported by Kant (fnord.hammer). File: postlog/postlog.c. * 20120202 Bugfix (introduced: Postfix 2.3): the "change header" milter request could replace the wrong header. A long header name could match a shorter one, because a length check was done on the wrong string. Reported by Vladimir Vassiliev. File: cleanup/cleanup_milter.c. - use latest VDA patch (2.8.9) - bnc#756450 - postfix: remove version from banner - add port 587 smtp-auth submission to postfix-fw bnc#756289 - set exit code explicitely in cond_slp, systemd checks for it - Documentation for bnc#751994 - SuSEconfig module postfix does not exist - rcpostfix now updates the aliases too - update to 2.8.8 Bugfixes: tlsproxy(8) stored TLS sessions with a serverID of "tlsproxy" instead of "smtpd", wasting an opportunity for session reuse. File: tlsproxy/tlsproxy.c. missing lookup table entry and terminator, causing proxymap server segfault when postscreen(8) or verify(8) attempted to access their cache via the proxymap server. This could never have worked anyway, because the Postfix 2.8 proxymap protocol does not support cache cleanup. File util/dict.c. the Postfix client sqlite quoting routine returned the unquoted result instead of the quoted text. The opportunities for misuse are limited, because Postfix sqlite files are usually owned by root, and Postfix daemons usually run with non-root privileges so they can't corrupt the database. Problem reported by Rob McGee (rob0). File: global/dict_sqlite.c. the trace service did not distinguish between notifications for a non-bounce or a bounce message. This code pre-dates DSN support and should have been updated when it was re-purposed to handle DSN SUCCESS notifications. Problem reported by Sabahattin Gucukoglu. File: bounce/bounce_trace_service.c. - use latest VDA patch (2.8.5) - bnc#743369 - yast2 mail module does not open the firewall - Set MD5DIR in SuSEconfig.postfix to avoid warnings - bnc738693 - upgrade from 11.4 enables mysql service for systemd - Add postmap rebuild script to systemv init script too - bnc#738900 - cyrus-imapd not receiving mail from postfix - Move the post map rebuild script into the start script - Fix the last change in %post - bnc#728308 - warning output after update the postfix package - update to 2.8.7 Bugfixes: smtpd(8) did not sanitize newline characters in cleanup(8) REJECT messages, causing them to be sent out via SMTP as bare newline characters. smtpd(8) sent multi-line responses from a before-queue content filter as text with bare instead of . Workaround: postscreen sent non-compliant SMTP responses (220- followed by 421) when it could not give a connection to a real smtpd process, causing some remote SMTP clients to bounce mail. - Use the systemd macros in the spec file - only fix files that exists in %post - Use SSL_MODE_RELEASE_BUFFERS if available, see SSL_CTX_set_mode man page and http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html for the full details. - update to 2.8.5 * Bugfix: allow for Milters that send an SMTP server reply without RFC 3463 enhanced status code. Reported by Vladimir Vassiliev. File: milter/milter8.c. - bnc#684304 - server:mail/postfix: Bugs in SuSEconfig chroot setup script - Aplly SASL_SOCKET_DIR patch - Move SuSEconfig.postfix into /usr/sbin/ (FATE#311272: Do not rewrite postfix.cf via SuSEconfig) SuSEconfig.postfix will be executed only once after installation automaticaly. Afterwards only you can start it manually or via yast2 mail module. - Just the first strep forward to systemd, please test out /etc/postfix/system/update_chroot /etc/postfix/system/wait_qmgr /etc/postfix/system/cond_slp and /lib/systemd/system/postfix.service and also fill out the missing description. - rework SuSE patch * add missing SASL stuff in rc.postfix - when chrooted and using SASL o mount -o bind SASL_SOCKET_DIR into postfix CHROOT - update to 2.8.4 o Linux kernel version 3 support. for more info see ChangeLog - bnc#686436 - postfix bounces messages with improper use of 8-bit data in message body - Apply patch - rework master.cf patch o fix receive_override_options line - rework SuSE patch o sysconfig: remove POSTFIX_WITH_POP_BEFORE_SMTP o SuSEconfig: fix receive_override_options line - replace vda patch o 2.8.1 -> 2.8.3 - fix files doc o remove 'doc auxiliary' instead cp to pf_docdir - fix spec for building on all repos - bnc#679187 - suseconfig/postfix: missing dependency - fix master.cf o fix missing - amavis unix - - n - 4 smtp - localhost:10025 inet n - n - - smtpd o add master.cf patch - rework patches o main.cf (add two missing sasl vars) o postfix-SuSE (SuSEconfig, cleanup those vars,...) - rework TLS stuff o reworked main.cf patch o added postfix-SuSE patch o added post-install patch Editing /etc/postfix/master.cf, adding missing entry for tlsmgr service add only if it really does not exist - removed Author from description - updated vda patch o vda-2.7.1 > vda-v10-2.8.1 - fix build for SLE_10 o no fdupes ;) - remove document paths from postfix-files to avoid error messages when postfix-doc is not installed - update to 2.8.3 - VUL-0: postfix memory corruption - bnc#641271 - postfix-2.7.1: init script cannot properly stop multi-instance configurations - update to 2.8.2 * DNSBL/DNSWL: o Support for address patterns in DNS blacklist and whitelist lookup results. o The Postfix SMTP server now supports DNS-based whitelisting with several safety features * Support for read-only sqlite database access. * Alias expansion: o Postfix now reports a temporary delivery error when the result of virtual alias expansion would exceed the virtual_alias_recursion_limit or virtual_alias_expansion_limit. o To avoid repeated delivery to mailing lists with pathological nested alias configurations, the local(8) delivery agent now keeps the owner-alias attribute of a parent alias, when delivering mail to a child alias that does not have its own owner alias. * The Postfix SMTP client no longer appends the local domain when looking up a DNS name without ".". * The SMTP server now supports contact information that is appended to "reject" responses: smtpd_reject_footer * Postfix by default no longer adds a "To: undisclosed-recipients:;" header when no recipient specified in the message header. * tls support: o The Postfix SMTP server now always re-computes the SASL mechanism list after successful completion of the STARTTLS command. o The smtpd_starttls_timeout default value is now stress-dependent. o Postfix no longer appends the system-supplied default CA certificates to the lists specified with *_tls_CAfile or with *_tls_CApath. * New feature: Prototype postscreen(8) server that runs a number of time-consuming checks in parallel for all incoming SMTP connections, before clients are allowed to talk to a real Postfix SMTP server. It detects clients that start talking too soon, or clients that appear on DNS blocklists, or clients that hang up without sending any command. - bnc#667299 - Postfix LICENSE not marked as documentation - add some min LDAP support for virtual LDAP-users o sysconfig "WITH_LDAP" o add ldap_aliases.cf o SuSEconfig.postfix virtual_alias_maps = ... ldap:/etc/postfix/ldap_aliases.cf - update to 2.7.2 * Bugfix (introduced Postfix 2.2): Postfix no longer appends the system default CA certificates to the lists specified with *_tls_CAfile or with *_tls_CApath. This prevents third-party certificates from getting mail relay permission with the permit_tls_all_clientcerts feature. Unfortunately this may cause compatibility problems with configurations that rely on certificate verification for other purposes. To get the old behavior, specify "tls_append_default_CA = yes". Files: tls/tls_certkey.c, tls/tls_misc.c, global/mail_params.h. proto/postconf.proto, mantools/postlink. * Compatibility with Postfix < 2.3: fix 20061207 was incomplete (undoing the change to bounce instead of defer after pipe-to-command delivery fails with a signal). Fix by Thomas Arnett. File: global/pipe_command.c. * Bugfix: the milter_header_checks parser provided only the actions that change the message flow (reject, filter, discard, redirect) but disabled the non-flow actions (warn, replace, prepend, ignore, dunno, ok). File: cleanup/cleanup_milter.c. * Performance: fix for poor smtpd_proxy_filter TCP performance over loopback (127.0.0.1) connections. Problem reported by Mark Martinec. Files: smtpd/smtpd_proxy.c. * Cleanup: don't apply reject_rhsbl_helo to non-domain forms such as network addresses. This would cause false positives with dbl.spamhaus.org. File: smtpd/smtpd_check.c. * Bugfix: the "421" reply after Milter error was overruled by Postfix 1.1 code that replied with "503" for RFC 2821 compliance. We now make an exception for "final" replies, as permitted by RFC. Solution by Victor Duchovni. File: smtpd/smtpd.c. - update vda patch o remove 2.6.1-vda-ng.patch o remove 2.6.1-vda-ng-64bit.patch o add vda-2.7.1.patch - rework main.cf.patch o remove 2.2.9-main.cf.patch o add 2.7.1-main.cf.patch - prereq init scripts network and syslog - Remove obsolate postscripts - bnc#625657 - SuSEconfig.postfix and smtp_use_tls - bnc#622873 - postfix doesn't start if ipv6 is disabled - reworked bnc#606251 stuff (not checked in to Factory) o used my_print_defaults command for parsing of /etc/my.cnf o using quotation marks: "$PF_CHROOT" o added sysconfig option POSTFIX_MYSQL_CONN=(socket,tcp) - bnc#606251 - postfix chrooted mysql.sock lost on mysql restart o Now MYSQL_SOCK_DIR is mounted with '-o bind' to postfix CHROOT - update to 2.7.1 * Bugfix (introduced Postfix 2.6) in the XFORWARD implementation, which sends remote SMTP client attributes through SMTP-based content filters. The Postfix SMTP client did not skip "unknown" SMTP client attributes, causing a syntax error when sending an "unknown" client PORT attribute. * Robustness: skip LDAP queries with non-ASCII search strings, instead of failing with a database lookup error. * Safety: Postfix processes now log a warning when a matchlist has a #comment at the end of a line (for example mynetworks or relay_domains). * Portability: OpenSSL 1.0.0 changes the priority of anonymous cyphers. * Portability: Berkeley DB 5.x is now supported. - fix obviously lost POSTFIX_MYHOSTNAME in SuSEconfig.postfix - New file check_mail_queue. This script checks if there are some mails in the queue and starts postfix if necessary. After delivering the mails postfix will be stoped. - bnc#559145 - Changed Domain name not reflected when sending mail First /var/run/dhcp-hostname will be evaluated - Now POSTFIX_SMTP_TLS_CLIENT is ternary : no yes must - update to 2.7.0 * performance - Periodic cache cleanup for the verify(8) cache database. - Improved before-queue filter performance. * sender reputation - The FILTER action in access maps or header/body_checks now supports sender reputation schemes that dynamically choose the SMTP source IP address. * address verification - The verify(8) service now uses a persistent cache by default. * content filter - The meaning of an empty filter next-hop destination has changed. - The FILTER action in access maps or header/body_checks now supports sender reputation schemes that dynamically choose the SMTP source IP address. * milter - Support for header checks on Milter-generated message headers. Please read /usr/share/doc/packages/postfix/RELEASE_NOTES for details. - revert the change to PreReq openldap-devel, this increases the default installation several MBs - bnc#567569 - Postfix: move ldap support to a separate package - bnc#557239 - postfix delivers mail to user's home instead of /var/spool/mail - rpmlint fixes o init-script-undefined-dependency $network-remotefs - fix for SuSEconfig.postfix o if use_amavis eq "yes" then content_filter "amavis:[127.0.0.1]:10024]" is defined, so removed "-o content_filter=smtp:[127.0.0.1]:10024" for smtp - s#ldconfig#/sbin/ldconfig# - Add support for dovecot as MDA to SuSEconfig. - Package documentation as noarch - Remove postfixs update script. This does not work now. - Fix the %post section add missed %{fillup_only -an mail} - bnc#555814 ? VUL-0: SMTPD_LISTEN_REMOTE="yes" by default - bnc#555732 - Invalid $(hostname -i) usage SuSEconfig.postfix - bnc#547928 ? Postfix does not start during boot process - Avoid append relay multiple times in POSTFIX_MAP_LIST - bnc#549612 ? SuSEconfig.postfix - bnc#540538 ? postfix-2.6.1-10.1 installs new files in /etc/postfix and does not generate .db - bnc#519438 - Postfix: Running chrooted lets qmgr loosing his syslog-socket - remove obsolate version tests from SuSEconfig.postfix - bnc#525825 - when using cyrus in a chroot environment Suseconfig does not create socket /var/lib/imap/socket/lmtp - spec o fdupes if >= 1100 - update to 2.6.1 o merge home:varkoly:Factory and o:F - spec mods o use of getent - rpmlint o remove unneeded dists from examples/chroot-setup/ o postin-without-ldconfig o files-duplicate /usr/share/doc/packages/postfix-doc/html/ o files-duplicate /usr/share/man/man? - added VDA patch o Mailbox / Maildir size limit, known also as "soft quota", to avoid user take all you disk space o Customizable "limit" message when the soft quota limit is reached. NOTE: message is sent to senders, but NOT to the owner of the mailbox. o Limit only 'INBOX', because some people use IMAP and don't want the same limit in IMAP folder that are differents from INBOX. o Support for 'Courier' style Maildir, usefull for people that use courier as pop3/imap server and to get fast soft quota summary. Note that it is also compatible with qmail maildir per default. o Supports for Courier 'maildirsize' file in Maildir folder that is used to read quotas quickly. Note that this option is not actived per default and can be dangerous on some NFS client implementation (like for example Solaris that cache some filesystem operations). o Customisable suffix for Maildir support, when share same external dict between postfix and pop3/imap server sometime "Maildir/" suffix is needed to avoid extra database handling (eg LDAP, MySQL...). - some improvements of SuSEconfig.postfix o POSTFIX_LISTEN: Comma separated list of IP's o POSTFIX_INET_PROTO: ipv4, ipv6, all o POSTFIX_MYHOSTNAME: define SMTPs FQHOSTNAME o POSTFIX_WITH_MYSQL: when using MySQL as backend o POSTFIX_BASIC_SPAM_PREVENTION: "custom" you can now define your own rules - POSTFIX_SMTPD_CLIENT_RESTRICTIONS - POSTFIX_SMTPD_HELO_RESTRICTIONS - POSTFIX_SMTPD_SENDER_RESTRICTIONS - POSTFIX_SMTPD_RECIPIENT_RESTRICTIONS - added helo_access for helo checks - added relay for relaying domain - added MySQL stuff when using MySQL as backend (virtuser) o you should consider postfixAdmin as mgmnt interface o when runninng postfix chrooted: you have to run SUSEconfig each time when you have restarted MySQL because of linking mysql.sock - bnc#439287 - not all POSTFIX_ADD_* values are properly handled by SuSEconfig.postfix - bnc#483208 - Postfix configuration trashed after update - bnc#488268 - SuSEconfig.postfix chroot setup misses /etc/ssl/certs - bnc#465165 - postfix src package - bnc#464869 - SuSEconfig.postfix causes DNS lookup - bnc#460442 - amavisd-new and Postfix need fqdn-hostname in "uname -n" - update to 2.5.6 - The SMTP server did not ask for a client certificate with "smtpd_tls_req_ccert = yes". Reported by Rob Foehl. - Avoid reduced TCP performance when reusing an SMTP connection with a larger than 4096-byte TCP MSS value. In practice, this could happen only with loopback (localhost) connections. - (bnc#442456) - chrooted postfix and saslauthd - fix build - upgrade must not be executed during installation - (bnc#403976) - permissions on /var/lib/postfix changed - (bnc#433916) - postfix should be splitted into postfix and postfix-doc - (bnc#415216) - Postfix RPM Install Displays Multiple Warnings - clean up spec file - Update to Version 2.5 patchlevel 5 * Bugfix (introduced Postfix 2.4): epoll file descriptor leak. With Postfix >= 2.4 on Linux >= 2.6, Postfix has an epoll file descriptor leak when it executes non-Postfix commands in, for example, user-controlled $HOME/.forward files. * Security: some systems have changed their link() semantics, and will hardlink a symlink, contrary to POSIX and XPG4. Sebastian Krahmer, SuSE. File: util/safe_open.c. The solution introduces the following incompatible change: when the target of mail delivery is a symlink, the parent directory of that symlink must now be writable by root only (in addition to the already existing requirement that the symlink itself is owned by root). This change will break legitimate configurations that deliver mail to a symbolic link in a directory with less restrictive permissions. * Bugfix: dangling pointer in vstring_sprintf_prepend(). File: util/vstring.c. - init script: copy LSB *-Start tags to *-Stop - spec file: removed obsolete rc.config update hooks - (bnc#414959) postfix doesn't have any "Name: " tag in firewall definition - (bnc#405900) SuSEconfig.postfix changes owner and permissions of /tmp if smtpd_tls_CApath is not set - Update to Version 2.5 patchlevel 3 * Cleanup of code * defer delivery when a mailbox file is not owned by the recipient. Requested by Sebastian Krahmer, SuSE. Specify "strict_mailbox_ownership=no" to ignore ownership discrepancies. * Bugfix: null-terminate CN comment string after sanitization. * Bugfix (introduced Postfix 2.0): after "warn_if_reject reject_unlisted_recipient/sender", the SMTP server mistakenly remembered that recipient/sender validation was already done. - (fate#305005) Enable SMTPS in postfix ootb - (bnc#396985) sending of NUL character disallowed by RFC2822 - (bnc#397127) without relay is silent about undeliverable mails - (bnc#389670) - postfix generates invalid config - remove dir /usr/share/omc/svcinfo.d as it is provided now by filesystem - Update to Version 2.5 patchlevel 1 Changes: The Postfix 2.5 "postfix upgrade-configuration" command now works even with Postfix 2.4 or earlier versions of the postfix command. When installing Postfix 2.5.0 without upgrading from an existing master.cf file, the new master.cf file had an incorrect process limit for the proxywrite service. This service is used only by the obscure "smtp_sasl_auth_cache_name" and "lmtp_sasl_auth_cache_name" configuration parameters. Someone needed multi-line support for header/body Milter replies. The LDAP client's TLS support was broken in several ways. - #360572 - postfix %post script leaves lots of backup files in /etc/postfix/ - Update to Version 2.5 patchlevel 0 Major changes - critical - ----------------------- [Incompat 20071224] The protocol to send Milter information from smtpd(8) to cleanup(8) processes was cleaned up. If you use the Milter feature, and upgrade a live Postfix system, you may see an "unexpected record type" warning from a cleanup(8) server process. To prevent this, execute the command "postfix reload". The incompatibility affects only systems that use the Milter feature. It does not cause loss of mail, just a minor delay until the remote SMTP client retries. [Incompat 20071212] The allow_min_user feature now applies to both sender and recipient addresses in SMTP commands. With earlier Postfix versions, only recipients were subject to the allow_min_user feature, and the restriction took effect at mail delivery time, causing mail to be bounced later instead of being rejected immediately. [Incompat 20071206] The "make install" and "make upgrade" procedures now create a Postfix-owned directory for Postfix-writable data files such as caches and random numbers. The location is specified with the "data_directory" parameter (default: "/var/lib/postfix"), and the ownership is specified with the "mail_owner" parameter. [Incompat 20071206] The tlsmgr(8) and verify(8) servers no longer use root privileges when opening the address_verify_map, * _tls_session_cache_database, and tls_random_exchange_name cache files. This avoids a potential security loophole where the ownership of a file (or directory) does not match the trust level of the content of that file (or directory). [Incompat 20071206] The tlsmgr(8) and verify(8) cache files should now be stored as Postfix-owned files under the Postfix-owned data_directory. As a migration aid, attempts to open these files under a non-Postfix directory are redirected to the Postfix-owned data_directory, and a warning is logged. This is an example of the warning messages: Dec 6 12:56:22 bristle postfix/tlsmgr[7899]: warning: request to update file /etc/postfix/prng_exch in non-postfix directory /etc/postfix Dec 6 12:56:22 bristle postfix/tlsmgr[7899]: warning: redirecting the request to postfix-owned data_directory /var/lib/postfix If you wish to continue using a pre-existing tls_random_exchange_name or address_verify_map file, move it to the Postfix-owned data_directory and change ownership from root to Postfix (that is, change ownership to the account specified with the mail_owner configuration parameter). [Feature 20071205] The "make install" and "make upgrade" procedures now create a Postfix-owned directory for Postfix-writable data files such as caches and random numbers. The location is specified with the "data_directory" parameter (default: "/var/lib/postfix"), and the ownership is specified with the "mail_owner" parameter. [Incompat 20071203] The "make upgrade" procedure adds a new service "proxywrite" to the master.cf file, for read/write lookup table access. If you copy your old configuration file over the updated one, you may see warnings in the maillog file like this: connect #xx to subsystem private/proxywrite: No such file or directory To recover, run "postfix upgrade-configuration" again. [Incompat 20070613] The pipe(8) delivery agent no longer allows delivery with the same group ID as the main.cf postdrop group. Major changes - malware defense - ------------------------------ [Feature 20080107] New "pass" service type in master.cf. Written years ago, this allows future front-end daemons to accept all connections from the network, and to hand over connections from well-behaved clients to Postfix. Since this feature uses file descriptor passing, it imposes no overhead once a connection is handed over to Postfix. See master(5) for a few details. [Feature 20070911] Stress-adaptive behavior. When a "public" network service runs into an "all processes are busy" condition, the master(8) daemon logs a warning, restarts the service, and runs it with "-o stress=yes" on the command line (under normal conditions it runs the service with "-o stress=" on the command line). This can be used to make main.cf parameter settings stress dependent, for example: /etc/postfix/main.cf: smtpd_timeout = ${stress?10}${stress:300} smtpd_hard_error_limit = ${stress?1}${stress:20} Translation: under conditions of stress, use an smtpd_timeout value of 10 seconds instead of 300, and use smtpd_hard_error_limit of 1 instead of 20. The syntax is explained in the postconf(5) manpage. The STRESS_README file gives examples of how to mitigate flooding problems. Major changes - tls support - -------------------------- [Incompat 20080109] TLS logging output has changed to make it more useful. Existing logfile parser regular expressions may need adjustment. - More log entries include the "hostnamename[ipaddress]" of the remote SMTP peer. - Certificate trust chain error reports show only the first error certificate (closest to the trust chain root), and the reporting is more human-readable for the most likely errors. - After the completion of the TLS handshake, the session is logged with TLS loglevel >= 1 as either "Untrusted", "Trusted" or "Verified" (SMTP client only). - "Untrusted" means that the certificate trust chain is invalid, or that the root CA is not trusted. - "Trusted" means that the certificate trust chain is valid, and that the root CA is trusted. - "Verified" means that the certificate meets the SMTP client's matching criteria for the destination: - In the case of a destination name match, "Verified" also implies "Trusted". - In the case of a fingerprint match, CA trust is not applicable. - The logging of protocol states with TLS loglevel >= 2 no longer reports bogus error conditions when OpenSSL asks Postfix to refill (or flush) network I/O buffers. This loglevel is for debugging only; use 0 or 1 in production configurations. [Feature 20080109] The Postfix SMTP client has a new "fingerprint" security level. This avoids dependencies on CAs, and relies entirely on bi-lateral exchange of public keys (really self-signed or private CA signed X.509 public key certificates). Scalability is clearly limited. For details, see the fingerprint discussion in TLS_README. [Feature 20080109] The Postfix SMTP server can now use SHA1 instead of MD5 to compute remote SMTP client certificate fingerprints. For backwards compatibility, the default algorithm is MD5. For details, see the "smtpd_tls_fingerprint_digest" parameter in the postconf(5) manual. [Feature 20080109] The maximum certificate trust chain depth (verifydepth) is finally implemented in the Postfix TLS library. Previously, the parameter had no effect. The default depth was changed to 9 (the OpenSSL default) for backwards compatibility. If you have explicity limited the verification depth in main.cf, check that the configured limit meets your needs. See the "lmtp_tls_scert_verifydepth", "smtp_tls_scert_verifydepth" and "smtpd_tls_ccert_verifydepth" parameters in the postconf(5) manual. [Feature 20080109] The selection of SSL/TLS protocols for mandatory TLS can now use exclusion rather than inclusion. Either form is acceptable; see the "lmtp_tls_mandatory_protocols", "smtp_tls_mandatory_protocols" and "smtpd_tls_mandatory_protocols" parameters in the postconf(5) manual. Major changes - scheduler - ------------------------ [Feature 20071130] Revised queue manager with separate mechanisms for per-destination concurrency control and for dead destination detection. The concurrency control supports less-than-1 feedback to allow for more gradual concurrency adjustments, and uses hysteresis to avoid rapid oscillations. A destination is declared "dead" after a configurable number of pseudo-cohorts(*) reports connection or handshake failure. (*) A pseudo-cohort is a number of delivery requests equal to a destination's delivery concurrency. The drawbacks of the old +/-1 feedback scheduler are a) overshoot due to exponential delivery concurrency growth with each pseudo-cohort(*) (5-10-20...); b) throttling down to zero concurrency after a single pseudo-cohort(*) failure. The latter was especially an issue with low-concurrency channels where a single failure could be sufficient to mark a destination as "dead", and suspend further deliveries. New configuration parameters: destination_concurrency_feedback_debug, default_destination_concurrency_positive_feedback, default_destination_concurrency_negative_feedback, default_destination_concurrency_failed_cohort_limit, as well as transport-specific versions of the same. The default parameter settings are backwards compatible with older Postfix versions. This may change after better defaults are field tested. The updated SCHEDULER_README document describes the theory behind the new concurrency scheduler, as well as Patrik Rak's preemptive job scheduler. See postconf(5) for more extensive descriptions of the configuration parameters. Major changes - small/home office - -------------------------------- [Feature 20080115] Preliminary SOHO_README document that combines bits and pieces from other document in one place, so that it is easier to find. This document describes the "mail sending" side only. [Feature 20071202] Output rate control in the queue manager. For example, specify "smtp_destination_rate_delay = 5m", to pause five minutes between message deliveries. More information in the postconf(5) manual under "default_destination_rate_delay". Major changes - smtp client - -------------------------- [Incompat 20080114] The Postfix SMTP client now by default defers mail after a remote SMTP server rejects a SASL authentication attempt. Specify "smtp_sasl_auth_soft_bounce = no" for the old behavior. [Feature 20080114] The Postfix SMTP client can now avoid making repeated SASL login failures with the same server, username and password. To enable this safety feature, specify for example "smtp_sasl_auth_cache_name = proxy:btree:/var/lib/postfix/sasl_auth_cache" (access through the proxy service is required). Instead of trying to SASL authenticate, the Postfix SMTP client defers or bounces mail as controlled with the new smtp_sasl_auth_soft_bounce configuration parameter. [Feature 20071111] Header/body checks are now available in the SMTP client, after the implementation was moved from the cleanup server to a library module. The SMTP client provides only actions that don't change the message delivery time or destination: warn, replace, prepend, ignore, dunno, ok. [Incompat 20070614] By default, the Postfix Cyrus SASL client no longer sends a SASL authoriZation ID (authzid); it sends only the SASL authentiCation ID (authcid) plus the authcid's password. Specify "send_cyrus_sasl_authzid = yes" to get the old behavior. Major changes - smtp server - -------------------------- [Feature 20070724] Not really major. New support for RFC 3848 (Received: headers with ESMTPS, ESMTPA, or ESMTPSA); updated SASL support according to RFC 4954, resulting in small changes to SMTP reply codes and (DSN) enhanced status codes. Major changes - milter - --------------------- [Incompat 20071224] The protocol to send Milter information from smtpd(8) to cleanup(8) processes was cleaned up. If you use the Milter feature, and upgrade a live Postfix system, you may see an "unexpected record type" warning from a cleanup(8) server process. To prevent this, execute the command "postfix reload". The incompatibility affects only systems that use the Milter feature. It does not cause loss of mail, just a minor delay until the remote SMTP client retries. [Feature 20071221] Support for most of the Sendmail 8.14 Milter protocol features. To enable the new features specify "milter_protocol = 6" and link the filter application with a libmilter library from Sendmail 8.14 or later. Sendmail 8.14 Milter features supported at this time: - NR_CONN, NR_HELO, NR_MAIL, NR_RCPT, NR_DATA, NR_UNKN, NR_HDR, NR_EOH, NR_BODY: The filter can tell Postfix that it won't reply to some of the SMTP events that Postfix sends. This makes the protocol less chatty and improves performance. - SKIP: The filter can tell Postfix to skip sending the rest of the message body, which also improves performance. - HDR_LEADSPC: The filter can request that Postfix does not delete the first space character between header name and header value when sending a header to the filter, and that Postfix does not insert a space character between header name and header value when receiving a header from the filter. This fixes a limitation in the old Milter protocol that can break DKIM and DK signatures. - SETSYMLIST: The filter can override one or more of the main.cf milter_xxx_macros parameter settings. Sendmail 8.14 Milter features not supported at this time: - RCPT_REJ: report rejected recipients to the mail filter. - CHGFROM: replace sender, with optional ESMTP command parameters. - ADDRCPT_PAR: add recipient, with optional ESMTP command parameters. It is unclear when (if ever) the missing features will be implemented. SMFIP_RCPT_REJ requires invasive changes in the SMTP server recipient processing and error handling. SMFIR_CHGFROM and SMFIR_ADDRCPT_PAR require ESMTP command-line parsing in the cleanup server. Unfortunately, Sendmail's documentation does not specify what ESMTP options are supported, but only discusses examples of things that don't work. Major changes - address verification - ----------------------------------- [Incompat 20070514] The default sender address for address verification probes was changed from "postmaster" to "double-bounce", so that the Postfix SMTP server no longer causes surprising behavior by excluding "postmaster" from SMTP server access controls. Major changes - ldap - ------------------- [Incompat 20071216] Due to an incompatible API change between OpenLDAP 2.0.11 and 2.0.12, an LDAP client compiled for OpenLDAP version <= 2.0.11 will refuse to work with an OpenLDAP library version >= 2.0.12 and vice versa. Major changes - logging - ---------------------- [Incompat 20080109] TLS logging output has changed to make it more useful. Existing logfile parser regular expressions may need adjustment. - More log entries include the "hostnamename[ipaddress]" of the remote SMTP peer. - Certificate trust chain error reports show only the first error certificate (closest to the trust chain root), and the reporting is more human-readable for the most likely errors. - After the completion of the TLS handshake, the session is logged with TLS loglevel >= 1 as either "Untrusted", "Trusted" or "Verified" (SMTP client only). - "Untrusted" means that the certificate trust chain is invalid, or that the root CA is not trusted. - "Trusted" means that the certificate trust chain is valid, and that the root CA is trusted. - "Verified" means that the certificate meets the SMTP client's matching criteria for the destination: - In the case of a destination name match, "Verified" also implies "Trusted". - In the case of a fingerprint match, CA trust is not applicable. - The logging of protocol states with TLS loglevel >= 2 no longer reports bogus error conditions when OpenSSL asks Postfix to refill (or flush) network I/O buffers. This loglevel is for debugging only; use 0 or 1 in production configurations. [Incompat 20071216] The SMTP "transcript of session" email now includes the remote SMTP server TCP port number. Major changes - loop detection - ----------------------------- [Incompat 20070422] [Incompat 20070422] When the pipe(8) delivery agent is configured to create the optional Delivered-To: header, it now first checks if that same header is already present in the message. If so, the message is returned as undeliverable. This test should have been included with Postfix 2.0 when Delivered-To: support was added to the pipe(8) delivery agent. - Remove previous fix - #301335 - [SuSEconfig]: Postfix module uses stderr - Update to Version 2.4 patchlevel 6 Bugfix (introduced Postfix 2.2.11): TLS client certificate with unparsable canonical name caused the SMTP server's policy client to allocate zero-length memory, triggering an assertion that it shouldn't do such things. File: smtpd/smtpd_check.c. Bugfix (introduced Postfix 2.4) missing initialization of event mask in the event_mask_drain() routine (used by the obsolete postkick(1) command). Found by Coverity. File: util/events.c. Workaround: the flush daemon forces an access time update for the per-destination logfile, to prevent an excessive rate of delivery attempts when the queue file system is mounted with "noatime". File: flush/flush.c. - #330276 ? /sbin/conf.d/SuSEconfig.postfix could copy certs into smtpd_tls_CApath - Use correct SuSEfirewall2 rule directory. - #333629 - saslauthd typo in SuSEconfig.postfix - #331044 - Postfix uses receive_override_options in main.cf - fix the last fix - fix the last fix - Fixing bug: #297622 - SMTPD_LISTEN_REMOTE has no effect - Update to Version 2.4 patchlevel 5 Bugfix: the loopback TCP performance workaround was ineffective due to a wetware bit-flip during code cleanup. File: util/vstream_tweak.c. (patch level 4) Bugfix: the Milter client assumed that a Milter application does not modify the message header or envelope, after that same Milter application has modified the message body of that same email message. This is not a problem with updates by different Milter applications. Problem was triggered by Jose-Marcio Martins da Cruz. Also simplified the handling of queue file update errors. File: milter/milter8.c. Workaround: some non-Cyrus SASL SMTP servers require SASL login without authzid (authoriZation ID), i.e. the client must send only the authcid (authentiCation ID) + the authcid's password. In this case the server is supposed to derive the authzid from the authcid. This works as expected when authenticating to a Cyrus SASL SMTP server. To get the old behavior specify "send_cyrus_sasl_authzid = yes", in which case Postfix sends the (authzid, authcid, password), with the authzid equal to the authcid. File: xsasl/xsasl_cyrus_client.c. Portability: /dev/poll support for Solaris chroot jail setup scripts. Files: examples/chroot-setup/Solaris8, examples/chroot-setup/Solaris10. Cleanup: Milter client error handling, so that the (Postfix SMTP server's Milter client) does not get out of sync with Milter applications after the (cleanup server's Milter client) encounters some non-recoverable problem. Files: milter/milter8.c, smtpd/smtpd.c. Performance: workaround for poor TCP performance on loopback (127.0.0.1) connections. Problem reported by Mark Martinec. Files: util/vstream_tweak.c, milter/milter8.c, smtp/smtp_connect.c, smtpstone/*source.c. Bugfix: when a milter replied with ACCEPT at or before the first RCPT command, the cleanup server would apply the non_smtpd_milters setting as if the message was a local submission. Problem reported by Jukka Salmi. Also, the cleanup server would get out of sync with the milter when a milter replied with ACCEPT at the DATA command. Files: cleanup/cleanup_envelope.c, smtpd/smtpd.c, milter/milters.c. - rediffed patches - Update to Version 2.4 patchlevel 3 (patch level 1) Bugfix (introduced Postfix 2.3): segfault with HOLD action in access/header_checks/body_checks on 64-bit platforms. File: cleanup/cleanup_api.c. Portability (introduced 20070325): the fix for hardlinks and symlinks in postfix-install forgot to work around shells where "IFS=/ command" makes the IFS setting permanent. This is allowed by some broken standard, and affects Solaris. File: postfix-install. Portability (introduced 20070212): the workaround for non-existent library bugs with descriptors >= FD_SETSIZE broke with "fcntl F_DUPFD: Invalid argument" on 64-bit Solaris. Files: master/multi_server.c, *qmgr/qmgr_transport.c. Cleanup: on (Linux) platforms that cripple signal handlers with deadlock, "postfix stop" now forcefully stops all the processes in the master's process group, not just the master process alone. File: conf/postfix-script. (patch level 2) Bugfix: don't falsely report "lost connection from localhost[127.0.0.1]" when Postfix is being portscanned. Files: smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c. Robustness: recommend a "0" process limit for policy servers to avoid "connection refused" problems when the smtpd process limit exceeds the default process limit. File: proto/SMTPD_POLICY_README.html. Safety: when IPv6 (or IPv4) is turned off, don't treat an IPv6 (or IPv4) connection from e.g. inetd as if it comes from localhost[127.0.0.1]. Files: smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c. Bugfix: Content-Transfer-Encoding: attribute values are case insensitive. File: src/cleanup/cleanup_message.c. Bugfix: mailbox_transport(_maps) and fallback_transport(_maps) were broken when used with the error(8) or discard(8) transports. Cause: insufficient documentation. Files: error/error.c, discard/discard.c. Bugfix (problem introduced Postfix 2.3): when DSN support was introduced it broke "agressive" recipient duplicate elimination with "enable_original_recipient = no". File: cleanup/cleanup_out_recipient.c. Bugfix (introduced Postfix 2.3): the sendmail/postdrop commands would hang when trying to submit a message larger than the per-message size limit. File: postdrop/postdrop.c. Sabotage the saboteur who insists on breaking Postfix by adding gethostbyname() calls that cause maildir delivery to fail when the machine name is not found in /etc/hosts, or that cause Postfix processes to hang when the network is down. (patch level 3) Portability: Victor helpfully pointed out that change 20070425 broke on non-IPv6 systems. Files: smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c. - Bug 285553 amavisd inconsistency - provide smtp meta-service as well - don't PreRequire /sbin/ip: removed call in SuSEconfig.postfix - dynamic_maps.patch: readded the chunk for dict_tcp and dict_pcre - replaced prereq for postfix with a prereq on %{name} = %{version} - updated to postfix 2.4, patchlevel 0 Major changes - safety * As a safety measure, Postfix now by default creates mailbox dotlock files on all systems. This prevents problems with GNU POP3D which subverts kernel locking by creating a new mailbox file and deleting the old one Major changes - Milter support * The support for Milter header modification requests was revised. With minimal change in the on-disk representation, the code was greatly simplified, and regression tests were updated to ensure that old errors were not re-introduced. The queue file format is entirely backwards compatible with Postfix 2.3. * Support for Milter requests to replace the message body. Postfix now implements all the header/body modification requests that are available with Sendmail 8.13. * A new field is added to the queue file "size" record that specifies the message content length. Postfix 2.3 and older Postfix 2.4 snapshots will ignore this field, and will report the message size as it was before the body was replaced. Major changes - TLS support * The check_smtpd_policy client sends TLS certificate attributes (client ccert_subject, ccert_issuer) only after successful client certificate verification. The reason is that the certification verification status itself is not available in the policy request. * The check_smtpd_policy client sends TLS certificate fingerprint information even when the certificate itself was not verified. * The remote SMTP client TLS certificate fingerprint can be used for access control even when the certificate itself was not verified. * The format of SMTP server TLS session cache lookup keys has changed. The lookup key now includes the master.cf service name. Major changes - performance * Better support for systems that run thousands of Postfix processes. Postfix now supports FreeBSD kqueue(2), Solaris poll(7d) and Linux epoll(4) as more scalable alternatives to the traditional select(2) system call, and uses poll(2) when examining a single file descriptor for readability or writability. These features are supported on sufficiently recent versions of FreeBSD, NetBSD, OpenBSD, Solaris and Linux; support for other systems will be added as evidence becomes available that usable implementations exist. Major changes - delivery status notifications * Small changes were made to the default bounce message templates, to prevent HTML-aware software from hiding or removing the text "", and producing misleading text. * Postfix no longer announces its name in delivery status notifications. Users believe that Wietse provides a free help desk service that solves all their email problems. Major changes - ETRN support * More precise queue flushing with the ETRN, "postqueue -s site", and "sendmail -qRsite" commands, after minimization of race conditions. New per-queue-file flushing with "postqueue -i queueid" and "sendmail -qIqueueid". Major changes - small office/home office support * Postfix no longer requires a domain name. It uses "localdomain" as the default Internet domain name when no domain is specified via main.cf or via the machine's hostname. Major changes - SMTP access control * The check_smtpd_policy client sends TLS certificate attributes (client ccert_subject, ccert_issuer) only after successful client certificate verification. The reason is that the certification verification status itself is not available in the policy request. * The check_smtpd_policy client sends TLS certificate fingerprint information even when the certificate itself was not verified. * The remote SMTP client TLS certificate fingerprint can be used for access control even when the certificate itself was not verified. * The Postfix installation procedure no longer updates main.cf with "unknown_local_recipient_reject_code = 450". Four years after the introduction of mandatory recipient validation, this transitional tool is no longer neeed. - Add pwdutils BuildRequires to allow postinst script to succeed. - Add /usr/share/omc directory. - #247351 - postfix - Ports for SuSEfirewall added via packages - Move postfix.xml into the postfix-SuSE tarball - #228479 - Postfix is configured for inet_protocols=all if selecting ipv4 only support during installation. Now we set both inet_protocols and inet_interfaces to all. This means the available interfaces and protocols will be used. To avoid bogus warnings inet_proto.c was patched. - #251598 - postfix use pointers for literals - #144104 - postfix does not start - Implementing Fate #301840: Postfix XML Service Description Document - Enhancing /etc/sysconfig/postfix descripton to avoid problems like Bug 228678 - Problems with setting up chroot environment if /var/spool is not on same filesystem as /var - moved the dict handling into a preun script instead of postun and do not remove the dict entry on upgrade (#223176) - removed duplicates in the filelists. - #218229 - Postfix SuSEconfig script increases the max_proc line each run in master.cf - #206414 - /usr/lib/sasl2/smtpd.conf misplaced - #202119 ? SuSEconfig script for Postfix incomplete - #202162 ? Postfix 2.3.2 slightly incorrect, Cyrus SASL unavailable - #203174 ? /sbin/conf.d/SuSEconfig.postfix should configure a TLS session cache for postfix 2.2 - #203575 ? postfix-2.2.9-10 chokes without scache - #213589 - No development package/headers for postfix - also add libpostfix-milter.so* - updated to postfix 2.3, patchlevel 2 - Major changes - Name server replies that contain a malformed hostname are now flagged as permanent errors instead of transient errors. - DSN support as described in RFC 3461 .. RFC 3464. - The SMTP client now implements the LMTP protocol. - Milter (mail filter) application support, compatible with Sendmail version 8.13.6 and earlier. - Major changes - SASL authentication - Plug-in support for SASL authentication in the SMTP server and in the SMTP/LMTP client. - The Postfix-with-Cyrus-SASL build procedure has changed. - Support for sender-dependent ISP accounts. - Major changes - SMTP client - The SMTP client now implements the LMTP protocol. - This version addresses a performance stability problem with remote SMTP servers. - Major changes - SMTP server - The Postfix SMTP server now refuses to receive mail from the network if it isn't running with postfix mail_owner privileges. - Optional suppression of remote SMTP client hostname lookup and hostname verification. - SMTPD Access control based on the existence of an address->name mapping - Major changes - TLS - New concept: TLS security levels ("none", "may", "encrypt", "verify" or "secure") in the Postfix SMTP client. - Both the Postfix SMTP client and server can be configured without a client or server certificate. - See /usr/share/doc/packages/postfix/RELEASE_NOTES /usr/share/doc/packages/postfix/TLS_CHANGES /usr/share/doc/packages/postfix/README_FILES/SASL_README for detailed informations. - Only %{conf_backup_dir} is contained by the package not /var/adm/backup - Bugfix: #190639 Default number of processes for postfix - Bugfix: #190270 postfix-postgresql - Bugfix: #98188 - SuSE.tar.gz filename collision in cyrus/postfix SRPMs - Bugfix: #165786 - yast2-mail modul uses obsolate postfix attributes - updated to postfix 2.2, patchlevel 9. - Reasons: Bugfix: the LMTP client would reuse a session after negative reply to the RSET command (which may happen when client and server somehow get out of sync). Bugfix: race condition in the connection caching protocol, causing the SMTP delivery agent to hang after delivering mail, while trying to save a connection. Bugfix: the best_mx_transport, mailbox_transport and fallback_transport features did not write a per-recipient defer logfile record when the target delivery agent was broken. Bugfix: an EHLO I/O error after STARTTLS would be reported as a STARTTLS I/O error. Bugfix: the *SQL, proxy and LDAP maps were not defined in user-land commands such as postqueue. Bugfix: the anvil server would terminate after "max_idle" seconds, even when this was less than the anvil_rate_time_unit interval. Portability: 64-bit support for LINUX chroot script by Keith Owens. Safety: new "smtp_cname_overrides_servername" parameter. Bugfix: mailbox_command_maps was not subject to $name expansion. Bugfix: don't ignore the per-site policy when SSL library initialization fails. Bugfix: a TLS per-site MUST_NOPEERMATCH policy could not override a stronger main.cf policy, while a per-site NONE policy could. Bugfix: a combined TLS per-site (host, recipient) policy of (NONE, MAY) changed a global MUST policy into NONE, and a global MUST_NOPEERMATCH into MAY. The result is now NONE. Problem found by exhaustive simulation. Bugfix: an empty remote_header_rewrite_domain value caused trivial-rewrite to dereference a null pointer, but only in regression tests, not in production. Postfix rewrites addresses in the remote rewriting context only when the remote_header_rewrite_domain parameter value is non-empty. Workaround: a malformed domain name lookup result (such as null MX record) is now treated as a hard error, so that Postfix will no longer repeatedly try to deliver mail until the message expires in the queue. However, this will not reject mail with reject_unknown_sender/recipient_domain. That would require too much change for a stable release. - converted neededforbuild to BuildRequires - Fixing the spec-file - Bugfix: ID#143682 - Spurious (obsoleted?) configuration variable in postfix's main.cf - Bugfix: ID#140173 postfix allows relaying on the whole subnet - Bugfix: ID#144091 postfix doesn't start with the latest kernel - Bugfix: ID#144091 - Postfix makes an entry in slp servre for smtp & smtps - removing openldap from "neededforbuild" - updated to postfix 2.2, patchlevel 6 - added patch ldap_api_changes.patch: openldap2.3 enforces to use "The C LDAP Application Program Interface" - Bugfix Bugzilla ID#104663 - consistent use of variables in postfix init-script - Bugfix Bugzilla ID#104568 - SuSEconfig.postfix doesnt set $PATH properly to find all binaries. - Package the /usr/lib/sendmail -> /usr/sbin/sendmail link [#102947] - Bugfix Bugzilla ID#93884 - package postfix uses -fsigned-char Remove -fsigned-char option for ppc and s390 archs - updated to postfix 2.2, patchlevel 5: - Portability: the connection caching code broke on LP64 systems (inherited from Stevens Network Programming). Files: util/unix_send_fd.c, util/unix_recv_fd.c. This code is back-ported from the Postfix 2.3 snapshot release. - Robustness: the SMTP client now disables connection caching when it is unable to communicate with the scache(8) server, instead of looping forever and not delivering mail. File: global/scache_clnt.c. This code is back-ported from the Postfix 2.3 snapshot release. - Portability: after sending a socket, the scache(8) server now waits for an ACK from the connection cache client before closing the socket that it just sent. Files: scache/scache.c, global/scache_clnt.c. This code is back-ported from the Postfix 2.3 snapshot release. - Portability: on LP64 systems, integer expressions are int, but sizeof() and pointer difference expressions are larger. Point fixes for a few discrepancies with variadic functions that expect int (the permanent fix is to change the receiving modules, but that results in too much change, and is not allowed in the stable release). Files: tls/tls_scache.c, util/clean_env.c, util/vstring.h, smtpstone/qmqp-source.c. - force to set strict_8bitmime to "no" when POSTFIX_MDA != cyrus, because once it is set to "yes", nobody sets it back. - only install /etc/pam.d/smtp if suse_version > 920 - use Prereq instead of Requires for mysql and postgresql subpackages - added /etc/pam.d/smtp configuration file - Fixed build on x86_64: use -fPIC for libraries and -fPIE for the rest - applied dynamic maps patch of LaMont Jones at debian - Fix to SuSEconfig.postfix: only touch tlsmgr line in master.cf, if it is the new one using unix socket instead of fifo - build with -fPIE (not -fpie) to avoid GOT overflow on s390x - updated to postfix 2.2, patchlevel 4 - fixed build using -pie/-fpie (hopefully) - Build using -pie - set strict_8bitmime parameter to yes when using cyrus mailbox delivery - Bugfix ID#66325 - postfix: permissions also ship a postfix.paranoid file with the package with all suid and sgid bits disabled - updated to postfix 2.2, patchlevel 3 - Bugfix ID#75717 - postfix init scripts reports success allthough postfix is not running: use checkproc again instead of "master -t", as "master -t" seems to be broken - updated to postfix 2.2, patchlevel 2 - Bugfix ID#74712, problems with read-only mounting of $chroot/proc: don't mount /var/spool/postfix/proc ro as that results in /proc also mounted ro. - Bugfix ID#74709, postfix configuration and USE_IPV6 in sysconfig/network/config - updated to postfix 2.2, patchlevel 1 Postfix 2.2.1 solves four portability problems that surfaced in the week since the 2.2.0 release, one harmless bug in the TLS session cache cleaning code, and cleans up minor documentation problems. - 2.2.0 is out - update to RC2 - make it compile with gcc4 - RC1 of 2.2 is out - use "usr/sbin/postfix upgrade-configuration" now instead of "etc/postfix/post-install upgrade-package" - removed some @ chars (don't know how they slipped in) - update to current pre 2.2 snapshot (2.2-20050216) 2.2 release could happen next week - added patch needed for the Kolab project (this patch is part of the upcoming postfix 2-2 release), see http://wiki.kolab.org/index.php/Kolab-major-app-patches - s/X-UnitedLinux-Should-Start/Should-Start/ - added long_header.patch long lines piped into postfix sendmail can lead to errors. - Bugfix ID#49307: faster postfix startup: don't use hashed directories if possible: - added patch empty_hash_queue_names.patch to be able to modify hash_queue_names parameter. - added check to %post to change hash_queue_names in case of /var/spool/postfix residing on a reiserfs partition when doing a fresh installation - Bugfix ID#50386 - postfix must prereq /sbin/ip (iproute2) - updated tls+ipv6 patchkit to v1.26 - Bugfix: Incomplete error checking in getaddrinfo() could cause lmtpd to crash with debug_peer_list defined. Carsten Hoeger, SuSE. File: util/match_ops.c - Linux workaround: When mynetworks isn't set, a chrooted process could not read the IPv6 address information from /proc. We now invoke own_inet_addr() before chrooting, while processing main.cf. [backported from 2.2-nonprod snapshot] File: global/mail_params.c - Safety: when IPv6 netmask can't be determined, mynetworks is not set and mynetworks_style = subnet, assume /128 (host only). Until now, Tru64Unix assumed /64 (good for real subnets, but not safe for tunnel ranges etc.). File: util/inet_addr_local.c - Use : in permissions file. - Two fixes to ipv6-patch related bugs: - Bugfix Bugzilla ID#49435 - VUL-0: Postfix, permit_mx_backup, IPv6, chroot - -> Open Relay! - Bugfix Bugzilla ID#49695 - SEGV while lmtp delivery - mount /proc into chroot jail to be able to access /proc/net/if_inet6 - Put options first in find command line. - setting LC_ALL=POSIX in SuSEconfig.postfix - Bugfix Bugzilla ID#46462, postfix should switch biff off - updated to postfix 2.1, patchlevel 5 (several small bugfixes) - updated tls+ipv6 patchkit (there have been some small bugs) - use v4 address 127.0.0.1 as amavisd-new local contact address as amavisd is not listening on any v6 address - also chmod the .db file resulting of a postmap (related to bugfix ID#39045 - Bugfix Bugzilla ID#39045 - tls_per_site table updates in SuSEconfig.postfix introduced POSTFIX_MAP_LIST in /etc/sysconfig/postfix where additional maps maintained by SuSEconfig.postfix can be added - Bugfix Bugzilla ID#45252 - rpm calls SuSEconfig.permissions which calls rpm - > 3 minute timeout Also don't call rpm from SuSEconfig.postfix - Speedup: set timestamp of $TMPDIR/main.cf into the past to workaround postconf safety which is not neccessary, because we do not touch the main.cf, the postfix daemons are using. - added $time to Required-Start in init-script - do not filter locally delivered mail when USE_AMAVIS=yes (don't set content_filter=vscan in main.cf) - removed obsolete vscan service definition from master.cf - use "$MASTER_BIN -t" to check whether postfix is already running in start section of init-script. That's more reliable then checkproc. - Bugfix Bugzilla ID#42995 - SuSEconfig.postfix should ignore .swp and other files in /etc/aliases.d - Bugfix Bugzilla ID#42281, openssl ca segfaults: added missing [ policy_anything ] configuration options to openssl.cnf - updated to postfix 2.1, patchlevel 4 - updated tls+ipv6 patchkit to v1.25 - new feature POSTFIX_REGISTER_SLP in /etc/sysconfig/postfix to be able to totally disable slptool from being started - updated tls+ipv6 patchkit to v1.24: - Bugfix: Prefixlen non-null host portion validation (in CIDR maps for example) yielded incorrect results sometimes because signed arithmetic was used instad of unsigned. - Patch correction: The TLS+IPv6 patch for Postfix 2.1.0 missed the master.cf update (used for new installattions). Added it back. - as tls and ipv6 patches have not been completely ported to postfix 2.1 new documentation system, especially the new postconf(5) manpage is missing the complete ipv6 and tls related configuration parameters, readded the sample-* files from ipv6+tls to %doc/samples - update to postfix 2.1, patchlevel 1: - Patch 01 fixes a signal 11 problem in the check_policy_service feature when SASL support is compiled in but turned off in the SMTP server (smtpd_sasl_auth_enable = no). - added now officially released tls patchkit 0.8.18-2.1.0-0.9.7d to the source package for the user to be able to build a non-ipv6 postfix package - official tls+ipv6 v1.23 patchkit released: - Patch fixes: Several code fixes to make the patch compile and work correctly when compiled without IPv6 support. - Bugfix (Solaris only?): address family length was not updated which could cause client hostname validation errors. File: smtpd/smtpd_peer.c - Portability: added support for Darwin 7.3+. This may need some further testing. - Cleanup: Restructure and redocument interface address retrieval functions. (This reduced the number of preprocessor statements from 99 to 93 ;) File: util/inet_addr_local.c - Cleanup: make several explicit casts to have compilers shut their pie holes about uninteresting things. - update to final postfix v2.1 - Bugfix: changed {main,master}.cf backup path in specfile, but not in SuSEconfig script - update to postfix 2.1 RC5 - update to current postfix 2.1 release candidate (RC4) - Bugfix Bugzilla ID#38569, exit SuSEconfig.postfix if mktemp fails - Bugfix Bugzilla ID#37409 the saslauthd socket is not copied to chroot jail due to a wrong test in SuSEconfig.postfix (used -L instead of -S) - only add ::1 to inet_interfaces when SMTPD_LISTEN_REMOTE=no AND ipv6 is enabled - Bugfix Bug ID#37293, SuSEConfig complains POSTFIX_ADD_* parameters are unknown (in turkish locale settings) added LC_CTYPE=POSIX to SuSEconfig.postfix - updated to tls+ipv6 version 1.22 (related to Bugzilla ID#35884) - Feature: Support "inet_interfaces = IPv4:all" and "inet_interfaces = IPv6:all", to restrict postfix to use either IPv4-only or IPv6-only. A more complete implementation will be part of a future patch. (Slightly modified) patch by Michal Ludvig, SuSE. Files: util/interfaces_to_af.[ch], util/inet_addr_local.c, global/own_inet_addr.c, global/wildcard_inet_addr.[ch], master/master_ent.ch - Bugfix: In Postfix snapshots, a #define was misplaced with the effect that IPv6 subnets were not included in auto- generated $mynetworks (i.e., mynetworks not defined in main.cf, when also mynetworks_style=subnet) on Linux 2.x systems. File: utils/sys_defs.h - now adding ::1 to inet_interfaces when SMTPD_LISTEN_REMOTE=no (related to Bugzilla ID#35884) - enabled ipv6 again - updated to most recent snapshot version 2.0.19-20040312: Patch 19 fixes two low-priority problems: - When mail is submitted at a high rate with the Postfix sendmail command, the pickup daemon is keps busy long enough that it it terminated by the watchdog timer (a feature that prevents Postfix from locking up permanently). - Malformed addresses in SMTP commands could result in table looks with zero-length search strings, causing trouble with NIS lookups. - disable IPv6 patch as it introduces problems for people who do not use IPv6, see Bugzilla ID#35884, "ipv6 mynetworks don't work" - be a nice packager and strictly follow http://www.porcupine.org/postfix-mirror/newdoc/PACKAGE_README.html (added setgid_group=... to post-install upgrade-package) - update to most recent version 2.0.18-20040209 - Bugfix Bugzilla ID#34817, SuSEconfig.postfix doesn't specify direct path to "postconf" and generates errors if run via sudo by a non-root user. - update to postfix 2.0.18-20040205 - enabled tls+ipv6 patch as it is now available for latest pre 2.1 snapshot - finally, the official TLS patchkit of Lutz hit the ground - additional fix for the TLS extensions patch should also fix Bugzilla ID#34218 - fixed the smtp segfault - updated to postfix 2.0.18-20040122 - added new feature for specfile usetls to en/dis-able TLS support - temporary removed TLS support (self adapted patch to most recent postfix snapshot version) as it currently results in smtp segfaulting - update to recent postfix snapshot version 2.0.17-20040120 which will become the next official release 2.1 around next week according to Wietse Venema. - added possibility to compile using the combined IPV6/TLS patch which can be downloaded from http://www.ipnet6.org/postfix/ just set useipv6 to 1 at the top of the specfile. - remove call to ldap_enable_cache (function has been removed from openldap and was already obsolete before (warning was issued back then)) - added openslp register/derigister calls to postfix init-script - add postfix user to group mail in case of POSTFIX_MDA==cyrus to let postfix lmtp access /var/lib/imap/socket/lmtp - Bugfix Bugzilla ID#33421, SMTP-Auth and relaying added permit_sasl_authenticated also to smtpd_recipient_restrictions in SuSEconfig.postfix - always create temp files and always remove them later on - some .spec improvements - Run SuSEconfig after install - Don't build as root - Be nice and clean up after ourselves - update to postfix v2.0.16 - update to tls extensions v0.8.16 - Fix for Bugzilla ID#32114, fixed some if condition syntaxes - fixed example for POSTFIX_RELAYHOST, Bug ID#30756 - updated some sysconfig descriptions - removed relays.osirosoft.com from the examples, Bug ID#30215 - Fix next useradd call - conf/postfix-files as input for /etc/permissions.d/postfix (Bug ID#29915) - generate better amavisd-new master.cf line: limit maxproc to 2 and use brackets around localhost (Bug ID#29917) - use conf/postfix-files as input for directories and permissions for files/directories in/below $queue_directory and $command_directory - use /var/lib/imap/socket/lmtp as lmtp socket in SuSEconfig.postfix and change access modes of /var/lib/imap and /var/lib/imap/socket to let postfix lmtp access the unix socket - Create postfix user as system account [Bug #29611] - Adjust sendmail permissions - Create /var/spool/postfix/public with permissions postfix is using - Add sendmail to /etc/sysconfig/mail - update to Postfix 2.0 Patch 14 - Bugfix Bugzilla ID#28921: missing activation metadata in sysconfig template - new macros for stop/restart of services on rpm update/removal - chown user:group instead of user.group - update to tls extensions 0.8.15-2.0.13-0.9.7b - updated SuSEconfig to use amavisd-new instead of amavis[d]-postfix - update to Postfix 2.0 Patch 13 - After "postfix reload", the master daemon now warns when the inet_interfaces parameter setting has changed, and ignores the change, instead of passing incorrect information to the smtp server. - After the postdrop command change with Postfix 2.0.11, the postcat command no longer recognized "maildrop" queue files as valid. - Mail could bounce when two messages were delivered simultaneously to a non-existent mailbox file. The safe_open() code that prevents race condition exploits will now try a little harder when it actually encounters a race condition. - update to tls extensions 0.8.14-2.0.12-0.9.7b - also change path to smtpd.conf in sysconfig template parameter description dependent on what %{_lib} is set to. - update to postfix 2.0, patchlevel 12 - mkdir -p $RPM_BUILD_ROOT/%{_libdir}/sasl2 instead of $RPM_BUILD_ROOT/usr/lib/sasl2 and we also can build on 64bit archs - package /usr/lib/sasl2/smtpd.conf using %{_libdir}/sasl2/smtpd.conf - added /etc/postfix to filelist - update to postfix 2.0, patchlevel 11 - update to tls extensions 0.8.13-2.0.10-0.9.7b - updated SuSE/master.cf toplevel comments - update to postfix 2.0, patchlevel 10 - remove installed (but unpackaged) file /etc/postfix/aliases - path to ca, certificate and key is relative to $POSTFIX_SSL_PATH, added $POSTFIX_SSL_PATH/ to the relevant parts of SuSEconfig.postfix - correctly handle new POSTFIX_SMTP_TLS_CLIENT parameter in SuSEconfig.postfix (activate/deactivate master.cf entries) - added libxcrypt to chroot jail, Bugzilla ID#25766 - added TLS_CLIENT support, Bugzilla ID#26647 - update to postfix 2.0, patchlevel 9 - fixed neededforbuild - update to postfix 2.0, patchlevel 7 - update to tls extensions 0.8.13-2.0.6-0.9.7a - Bugfix Bugzilla ID#25905, do not restrict mailbox size per default - use checkproc to check if there really is a postfix master process running when there's a pid file lying around. (Bugzilla ID#24910) - update to Postfix 2.0 Patch 06 - Postfix now truncates non-address information in message address headers (comments, etc.) to 250 characters per address. This should rarely present a problem. Reportedly, junk mail from poorly written software can trigger the protection, but that is no great loss. - Some little fixes to documentation. - update to Postfix 2.0 Patch 05 - The SMTP server's hard and soft error limits were off by one. With "smtpd_hard_error_limit = 1", Postfix will now disconnect after the first error, instead of the second one. - The proxymap server could deadlock when the mydestination parameter setting included a proxymapped lookup table. - Some little fixes to documentation. - when updating postfix, check whether post-install changed main/master.cf and update md5sums to not confuse SuSEconfig - when installing postfix on a fresh system, create md5sums in %post to be able to let check_md5_and_move() detect changes that a user might have done without running SuSEconfig before. - no longer remove md5sums of main.cf and master.cf during postinstall, as SuSEconfig then no longer knows, whether main.cf/master.cf had been modified by the user. Disadvantage: as postfix permanently needs basic changes to both main and master.cf, SuSEconfig.postfix will frequently generate .SuSEconfig files although the user did not change anything Bugzilla ID#24432 - update to Postfix 2.0 Patch 04 - The format of maildir filenames is synchronized with the present version of the maildir definition document. This format was already adopted by the 20030126 snapshot release. - The time limit on delivery to external commands was not enforced. This was broken probably some time before the first public Postfix release. - Duplicate elimination after virtual alias expansion works again. This was broken with the introduction of the original recipient attribute. - The local pickup daemon dropped incomplete records from local submissions. This was broken somewhere in the middle of 2002. - Bugfix Bugzilla ID#23675: new service proxymap will not be appended during update - also check whether amavisd-postfix is installed and set up filter section in master.cf - update to Postfix 2.0 Patch 03 - Postfix 2.0 broke relocated table lookup results with mail not rejected at the SMTP port, causing "User has moved to" text to be deleted. - A widely used maildir filename generating algorithm was broken. This affects all Postfix versions with maildir support. Instead of TIME.PID_COUNT.HOST Postfix now uses TIME.DEVICE_INODE.HOST. - Postfix 2.0 gave incorrect FILTER_README instructions for sites that wish to disable virtual alias mapping before the content filter. - postfix-lib64.patch code now integrated in postfix - changed SuSEconfig.postfix and smtpd.conf to use sasl2 - forgot to add tlsmgr to master.cf - Hmmm, just noticed, that suddenly 2.0.0.x became 2.0.x must have missed something... - updated SuSE/master.cf (new proxymap service) - added POSTFIX_ADD_MESSAGE_SIZE_LIMIT as example to sysconfig.postfix (Bugzilla ID#22907) - build using sasl2 - update to postfix v2 (version 2.0.0.2) - added sysconfig metadata to sysconfig templates - updated to new tls extensions - Bugfix Bugzilla ID#21865: don't copy directories into directories when updating chroot jail in cpifnewer() - Update to version 1.11, pl12 - new SuSEconfig.postfix features: . SMTP-AUTH server . SMTP-AUTH client . TLS Server - quote args of tr command - new feature: POSTFIX_ADD_* command in sysconfig/postfix to be able to add any regular postfix command via SuSEconfig - Bugfix Bugzilla ID#21120 added POSTFIX_ADD_MAILBOX_SIZE_LIMIT as example with value 0 (unlimited) - added a header to main.cf explaining that many postfix parameters have been added to the end of main.cf - Bugfix for Bugzilla ID#20754 missed some parameters when restoring main.cf or master.cf from scratch - NULLCLIENT did not work because SuSEconfig searches for the wrong keyword - Bugfix related to Bugzilla IDs 20506, 18298, 19294: masquerade_classes should not be extended by envelope_recipient - added ypbind to X-UnitedLinux-Should-Start in init-script - added restoration mechanism to restore master.cf and/or main.cf if they got deleted by (intention or) accident to SuSEconfig.postfix - added ldap to X-UnitedLinux-Should-Start - Bugfix Bugzilla ID#18298: when setting FROM_HEADER, also unqualified envelope recipients should be qualified to FROM_HEADER, not to myorigin, added envelope_recipient to masquerade_classes - Bugfix Bugzilla ID#18297: %post touches main.cf and master.cf so it may happen, that an update leaves .SuSEconfig files. Remove /var/adm/SuSEconfig/md5/etc/postfix/main.cf and master.cf in %post - Bugfix Bugzilla ID#18301: sendmail and postfix have different opinions on the usage of NULLCLIENT. Moved NULLCLIENT to sysconfig.postfix.POSTFIX_NULLCLIENT - added exim to Conflicts - wait for qmgr in the background for a maximum of 60 seconds - Bugfix for init-script: wait for qmgr to be ready before calling postfix flush - added accidently removed line in master.cf for amavis, Bugzilla ID#17732 - exclude .rpmsave and .rpmorig from /etc/aliases.d expansion - added netcfg to Prereq (/etc/aliases) - added pcre openldap2-client to prereq (Bugzilla ID#17447) - completed Prereq - Bugfix for the handling of POSTFIX_MASQUERADE_DOMAIN and FROM_HEADER - removed main.cf from SuSE.tar.gz - added X-UnitedLinux-Should-Start: cyrus to init-script - set local as default MDA again reason: postfix does not execute any external programs like procmail with uid 0, so root mails will go to /var/mail/nobody, which will confuse people - remove setting of SUSE_RELEASE version in the (E)SMTP banner - removed /etc/aliases from filelist, it's now in netcfg - removed 'q' flag from vscan transport definition, because current amavis versions have a rfc2821_mailbox_addr function - remove old aliases.db files in %post - do not use unset in %post - make procmail the default MDA - use %{_lib} macro to detect platforms with lib64 directories - make chroot jail function lib64 aware - fixed libnsl detection on lib64 systems - ldap_url_search_st is no longer available in OpenLDAP v2.1 added a patch, that uses ldap_url_parse - added new feature POSTFIX_MDA, Bugzilla ID#16720 - changed POSTFIX_BASIC_SPAM_PREVENTION. It can now be set to either off(default), medium or hard - cleaned up SuSEconfig.postfix - prepared for /etc/aliases.d - new FEATURES: POSTFIX_RBL_HOSTS, POSTFIX_BASIC_SPAM_PREVENTION, Bugzilla ID#16383 - moved sample-*.cf files to %{_docdir}/postfix/samples - update to patchlevel 11, version 1.1.11 - new FEATURE: POSTFIX_UPDATE_MAPS - update to patchlevel 10, version 1.1.10 - create required users and groups in %pre install - removed provides of my own packagename... - Bugfix for README.SuSE: POSTFIX_CREATECF is now MAIL_CREATE_CONFIG - update to patchlevel 7, version 1.1.7 - introduced new feature POSTFIX_LAPTOP - update to patchlevel 5, version 1.1.5 - Bugfix: don't check whether POSTFIX_MASQUERADE_DOMAIN is empty or not, because else we won't be able to clear it. - added flags=q to amavis transport definition (link@suse.de): [...] If your postfix is older than snapshot 20010610, leave out the "flags=q" part. However, amavis will not function properly with envelope adresses that contain whitespace in the local-part. This is quite rare, but has been observed a few times. [...] - update to version 1.1.4 (1.1, patchlevel 4) Bugfix (excerpt from HISTORY): .................................................................. off-by-one error, causing a null byte to be written outside dynamically allocated memory in the queue manager with addresses of exactly 100 bytes long, resulting in SIGSEGV on systems with an "exact fit" malloc routine. .................................................................. - added new option SMTPD_LISTEN_REMOTE to /etc/sysconfig/mail which has been introduced by the SuSE dist-team (excerpt): .................................................................. sendmail does have an option to listen only on the local port, this should be the default. A flag "SMTPD_LISTEN_REMOTE" in /etc/sysconfig/mail will be used to decide if port 25 should be opened externally. The sendmail package will send a mail to root explaining this fact. sendmail updates will copy the value of START_SMTPD to this new flag. .................................................................. As this is a totally different behaviour compared to old releases, SMTPD_LISTEN_REMOTE will be set to "yes", if POSTFIX_CREATECF (now MAIL_CREATE_CONFIG) had been set to "yes" before the update. - fillup workaround - hostname handling is still annoying added some piece of code to SuSEconfig.postfix to get a valid hostname - %postinst cleanup: . use rename_sysconfig_variable macro . use remove_and_set macro instead of directly calling fillup - FQHOSTNAME has been removed from /etc/sysconfig/network/config and is now set in /etc/HOSTNAME, which wasn't FQ in the past. * Please, don't change it again* - if POSTFIX_LOCALDOMAINS is set, do not append "$myhostname, localhost.$mydomain" anymore - Also take care of the localhost:10025 mailer definition when setting up chroot options - Do not set myorigin to FROM_HEADER - Bugfix(SuSEconfig.postfix): typo in path to /etc/sysconfig/amavis - SuSEconfig.postfix enhancement: get hostname from hostname -f Bugfix: get FQHOSTNAME from /etc/sysconfig/network/config - added -y to fillup_and_insserv to create startlinks after installation - changed company name to SuSE Linux AG in copyright headers - update to postfix 1.1.3 and tls extensions 0.8.3 minor bugfixes http://groups.yahoo.com/group/postfix-users/message/52953 - Bugfix: Forgot to assign a name to TMPDIR in SuSEconfig.postfix - added resolve_local_panic.patch http://groups.yahoo.com/group/postfix-users/message/52746 - update of tls extensions to 0.8.2 - update to version 1.1.2 - sysconfig.mail changes - renamed cleanup.fillup to sysconfig.postfix.cleanup - added postqueue patch, see http://groups.yahoo.com/group/postfix-users/message/51611 for more details - update to official release version 1.1.0 - moved some stuff to /etc/sysconfig/mail - cleaned up /etc/rc.config access - added some safety checks to SuSEconfig.postfix - update to version 20020115 (release candidate for Postfix official release version 1.1) - some improvements to SuSEconfig.postfix - updated to version 20020107 - added postinstall section to update from previous versions of postfix - Changed /sbin/init.d to /etc/init.d in init script comment - added sender_canonical_maps to SuSEconfig.postfix to let the new YaST2 module setup this map similar to sendmails genericstable - SuSEconfig.postfix shell script is no config file [Bug #12712] - Made initscript more LSB compliant (status codes) - Bugfix for Bugzilla ID#12672 (improve explanation of POSTFIX_LOCALDOMAINS) - robustness enhancement for SuSEconfig.postfix - typo in specfile (master.cf installed as main.cf) - update to version 20011210 - some changes to SuSEconfig.postfix: . added POSTFIX_UPDATE_CHROOT_JAIL variable, see README.SuSE . some cleanups for chroot jail . little bugfixes - moved rc.config.d -> sysconfig - update to version 20011127 - some changes to SuSEconfig.postfix: . added more robustness (Jehova) . do not chown -R postfix to /var/spool/postfix . query for package cyrus-sasl instead of sasl - update to version 20011115 Bugfix for a memory exhaustion bug in smtpd see http://groups.yahoo.com/group/postfix-users/message/46597 - remove START_ variable - some changes to specfile (thanks to Simon J Mudd from whom I copied some code) - fix some SuSEconfig.postfix bugs: . master.cf chroot column can also contain '-' . don't do anything if POSTFIX_CREATECF != yes - update to most recent snapshot version 20011008 - update to pl05 - Bugfix, Bugzilla ID#11914 - ALWAYS create master.cf, even is POSTFIX_CREATECF is set to no, because else chroot mode may not work, Bugzilla ID#11359 - removed an obsolete echo in start section of init-script - Bugfix in init-script: redirect output of postfix start to dev/null and do not use startproc to start postfix - update to tls-extensions v0.7.9 see http://groups.yahoo.com/group/postfix-users/message/41094 for details - update of tls-extensions to 0.7.8 - update of postfix to pl04 - Bugfix: - check if postfix spool is set up before starting postfix - start postfix with postfix start, because postfix-script wouldn't be executed, else. - update of tls-extensions to 0.7.3 - bugfix: remove libs from chroot jail, that are no longer valid, Bugzilla ID#9133 - bugfix: init script was not LSB compliant, Bugzilla ID#9063 - added cyrus to require start in init-script - "bugfix": bootstrap problem cyrus-imapd <-> postfix: cyrus-imapd must run before postfix, but fails to create lmtp socket, because /var/spool/postfix/public directory isn't present. FIX: add it to filelist - install postrop with special SGID modes - improved SuSEconfig.postfix - better main.cf handling - new feature: chroot or not chroot - major bugfix: memory leak in the LDAP client module - minor bugfixes - bzip2 sources - updated to pl02, bugfixrelease - Bugfix for SuSEconfig.postfix: Handling of TIMEZONE variable if set to unappropriate or no value - Improvement: Warnings are printed out in bold - Don't use a RPM macro for version number - update to pl01, bugfixrelease - added libcrack to chroot jail, because it is needed by pam_pwcheck - fixed neededforbuild for openldap - first non-beta of the next postfix generation - v20010228 - added cyrus-sasl-devel to neededforbuild - new version, 20010225 - removed notification message - bugfix: wrong permissions for maildrop directory - update to version 20010128 - now linked against ldaplib2 - bugfix: maildrop must be owned by postfix.root - update to version 20001212 - bugfix: insserv - bugfix: missed openssl in neededforbuilt - renamed to postfix, because a non-crypto version is no longer needed - Bugfix: postfix-script was not executable - Bugfixes: Provides in initscript Use /bin/bash in SuSEconfig.postfix - Update to version 20001210 - startscript sbin -> etc - new version - fix for neededforbuild - fix for master.cf - adopted to new init scheme - fixed neededforbuild - update to version 20001030 - long packagename - added rpm buildroot - fixed neededforbuild - src/util/dict_ldap.c:dict_ldap_lookup(): fix missing **-termination. - s390,ppc: added -fsigned-char compiler option, to fix obscure segfaults. (code is not signed/unsigned-char-clean) - yet another SuSEconfig.postfix bug (incorrect link) - bugfix for SuSEconfig.postfix - bugfix: missed to install new flush service - inititial revision of pfixtls ==== privoxy ==== - Added hardening to systemd service(s) (bsc#1181400). Modified: * privoxy.service ==== python ==== - BuildRequire rpm-build-python: The provider to inject python(abi) has been moved there. rpm-build pulls rpm-build-python automatically in when building anything against python3-base, but this implies that the initial build of python3-base does not trigger the automatic installation. ==== python-Babel ==== - Added BuildRequires: alts - Use libalternatives instead of update-alternatives. ==== python-Mako ==== Version update (1.1.4 -> 1.1.5) - update to 1.1.5: * Fixed some issues with running the test suite which would be revealed by running tests in random order. - Remove obsolete %suse_version %if - Added BuildRequires: alts - Use libalternatives instead of update-alternatives. ==== python-base ==== Subpackages: libpython2_7-1_0 python-xml - BuildRequire rpm-build-python: The provider to inject python(abi) has been moved there. rpm-build pulls rpm-build-python automatically in when building anything against python3-base, but this implies that the initial build of python3-base does not trigger the automatic installation. ==== python-cryptography ==== Version update (3.3.2 -> 3.4.8) - Add disable-RustExtension.patch in order to avoid a build requirement setuptools_rust - Next version (35.0) needs a full Rust toolchain. - Clean runtime, build and test requirements - Disable python2 build: Not supported anymore - update to 3.4.8 - keep new rust support disabled for now to avoid new dependencies ==== python-numpy ==== - The update- and libalternatives logic is required in the standard build, not the hpc flavor - Use libalternatives instead of update-alternatives. ==== python-pandas ==== Version update (1.3.3 -> 1.3.4) - Update to version 1.3.4 * Fixed regression in DataFrame.convert_dtypes() incorrectly converts byte strings to strings (GH43183) * Fixed regression in GroupBy.agg() where it was failing silently with mixed data types along axis=1 and MultiIndex (GH43209) * Fixed regression in merge() with integer and NaN keys failing with outer merge (GH43550) * Fixed regression in DataFrame.corr() raising ValueError with method="spearman" on 32-bit platforms (GH43588) * Fixed performance regression in MultiIndex.equals() (GH43549) * Fixed performance regression in GroupBy.first() and GroupBy.last() with StringDtype (GH41596) * Fixed regression in Series.cat.reorder_categories() failing to update the categories on the Series (GH43232) * Fixed regression in Series.cat.categories() setter failing to update the categories on the Series (GH43334) * Fixed regression in read_csv() raising UnicodeDecodeError exception when memory_map=True (GH43540) * Fixed regression in DataFrame.explode() raising AssertionError when column is any scalar which is not a string (GH43314) * Fixed regression in Series.aggregate() attempting to pass args and kwargs multiple times to the user supplied func in certain cases (GH43357) * Fixed regression when iterating over a DataFrame.groupby.rolling object causing the resulting DataFrames to have an incorrect index if the input groupings were not sorted (GH43386) * Fixed regression in DataFrame.groupby.rolling.cov() and DataFrame.groupby.rolling.corr() computing incorrect results if the input groupings were not sorted (GH43386) * Fixed bug in pandas.DataFrame.groupby.rolling() and pandas.api.indexers.FixedForwardWindowIndexer leading to segfaults and window endpoints being mixed across groups (GH43267) * Fixed bug in GroupBy.mean() with datetimelike values including NaT values returning incorrect results (GH43132) * Fixed bug in Series.aggregate() not passing the first args to the user supplied func in certain cases (GH43357) * Fixed memory leaks in Series.rolling.quantile() and Series.rolling.median() (GH43339) ==== python-rpm ==== Version update (4.16.1.3 -> 4.17.0) - update to rpm-4.17.0 ==== python38 ==== Subpackages: python38-curses python38-dbm python38-tk - BuildRequire rpm-build-python: The provider to inject python(abi) has been moved there. rpm-build pulls rpm-build-python automatically in when building anything against python3-base, but this implies that the initial build of python3-base does not trigger the automatic installation. ==== python38-core ==== Subpackages: libpython3_8-1_0 python38-base - BuildRequire rpm-build-python: The provider to inject python(abi) has been moved there. rpm-build pulls rpm-build-python automatically in when building anything against python3-base, but this implies that the initial build of python3-base does not trigger the automatic installation. ==== python38-documentation ==== - BuildRequire rpm-build-python: The provider to inject python(abi) has been moved there. rpm-build pulls rpm-build-python automatically in when building anything against python3-base, but this implies that the initial build of python3-base does not trigger the automatic installation. ==== qca-qt5 ==== Subpackages: libqca-qt5-2 qca-qt5-plugins - Set LD_LIBRARY_PATH before running tests. ==== rpm ==== Version update (4.16.1.3 -> 4.17.0) Subpackages: librpmbuild9 - update to rpm-4.17.0 - dropped support for berkeley db - archive unpacking failures no longer leave garbage - unified built-in and user-define macro syntax and calling conventions - python generators and debuginfo extraction has been split into a separate upstream project - support for ed25519 signatures - easier rpm macro access in lua - new patches: * python-rpm-packaging.diff * singlefilemode.diff * verbosearg.diff - modified patches: * usr-lib-sysimage-rpm.patch * localetag.diff * brp.diff * findlang.diff * macrosin.diff * rpmqpack.diff * build.diff * whatrequires-doc.diff * remove-brp-strips.diff * fileattrs.diff * langnoc.diff * find-lang-qt-qm.patch * findsupplements.diff * finddebuginfo.diff * finddebuginfo-absolute-links.diff * debugsubpkg.diff * debuglink.diff * debuginfo-mono.patch - dropped patches: * db.diff * dbfsync.diff * dbprivate.diff * dwarf5.diff * ndbglue.diff * pythondistdeps.diff * suspendlock.diff * taggedfileindex.diff * waitlock.diff * add-dwz-single-file-mode-option.patch ==== rpm-config-SUSE ==== Version update (0.g83 -> 0.g89) - Update to version 0.g89: * find-provides.ksyms: Do not set IFS - it is not needed for anything. * find-provides.ksyms: Fix compressed modules. * Allow locale directory to be named "locales" too ==== rsyslog ==== Version update (8.2108.0 -> 8.2110.0) - Upgrade to rsyslog 8.2110.0: * 2021-10-13: config bugfix: global(security.abortonidresolutionfail=) did not work when used with rscript based configuration, it was not checked. * 2021-10-13: config bugfix: global param $privDropToUser did not work correctly The parameter was not implemented for rscript based configuration and did not properly apply to legacy configuration. In essence, it almost always did not work as expected. see also: https://github.com/rsyslog/rsyslog/issues/4642 see also: https://github.com/rsyslog/rsyslog/commit/cbcaf2c7e5b67e5465e47bc7cc67af2eae47bd31 * 2021-10-12: rscript bugfix: ruleset called async when ruleset had queue.type="direct" The call rscript statement is able to call a rule set either synchronously or asynchronously. We did this, because practice showed that both modes are needed. For various reasons we decided to make async calls if the ruleset has a queue assigned and sync if not. To know if a "queue is assigned" we just checked if queue parameters were given. It was overlookeded the case of someone explicitly specifying a "direct queue", aka "no queue". As such, queue="direct" triggered async calls. That in turn meant that when a write operation to a variable was made inside that rule set, other rulesets could or could not see the write. While if was often not seen, this was a data race where the change could also be seen by the outside. This is now fixed. No matter if queue.type="direct" is specified or left out, the call will always by synchronous. Any values written to variables will also be seen by the "outside world" in later processing stages. Note that this has some potential to BREAK EXISTING CONFIGURATIONS. We deem this acceptable because: 1. this was racy at all, so unexpected behaviour could alwas occur 2. it is actually unlikely that someone used the triggering conditions in practice. But we can not outrule this, especially when the configuration was auto-generated. Potential compatibility issues can be solved by defining a small array-memory queue on the ruleset in question instead of specifying direct type. Again, we expect that almost all users will never experience any problems. If you do, however, please let us know: we may add an option to re-enable the bug. * 2021-10-12: ksi bugfix: locking bug fixed in rsksiCtxOpenFile Thanks to Taavi Valjaots for the patch. * 2021-10-11: core bugfix: fix typo in error message Thanks to github user jkschulz for the patch. * 2021-10-11: tcpsrv bugfix: compilation without exceptions tcpsrv.c:992:1: error: label at end of compound statement finalize_it: ^~~~~~~~~~~ Quoting from pthread.h: pthread_cleanup_push and pthread_cleanup_pop are macros and must always be used in matching pairs at the same nesting level of braces. Amends commit bcdd220142ec9eb106550195ba331fd114adb0bd. Thanks to Orgad Shaneh for the patch. * 2021-10-11: mkubernetes bugfix: no connection retry to kubernetes APP When connection to the kubernates API was not possible, mmkubernetes did not retry. This does now happen via regular rsyslog retry mechanism. Thanks to github user jayme-github for the analysis and patch. closes https://github.com/rsyslog/rsyslog/issues/4669 * 2021-10-11: openssl bugfix: Correct gnutlsPriorityString (custom ciphers) behaviour * Only apply default anon ciphers if gnutlsPriorityString is NULL and Authentication Mode is set to anon. Otherwise we do not set them as they overwrite custom Ciphers. * Added two tests for custom cipher configuration (anon/certvalid mode). * Add call for applyGnutlsPriorityString if gnutlsPriorityString changes. * Merged openssl init code from Connect into osslInitSession closes: https://github.com/rsyslog/rsyslog/issues/4686 * 2021-10-11: build issue: handle undefined MAXPATHLEN, PATH_MAX While we handled missing PATH_MAX, we did not handle missing MAXPATHLEN. This happens under GNU/Hurd, because there is no official limit. However, extremely long pathes are extremely uncommon, so we do not want to use slow dynamic alloc each time we need to build pathes. So we impose a limit of 4KiB, which should be fairly enough. Note that this obviously increases stack requirements in GNU/Hurd. As suggested by Michael Biebl, we have now implemented a generic approach to handle this via autoconf. * 2021-09-12: openssl: extended output information on connection failure Now includes the remote client/server IP address in the log output. * 2021-09-12: imhttp enhancements - query parameter ingestion & basic auth support * Basic Authentication support & tests * configured via imhttp option "basicAuthFile". This option should be configured to point to your htpasswd file generated via a standard htpasswd tool. tests: * imhttp-post-payload-basic-auth.sh * imhttp-post-payload-basic-auth-vg.sh * Query parameter ingestion capability & tests use t `addmetadata` option to inject query parameters into metadata for imhttp input. DISTRO PACKAGERS BEWARE: NEW DEPENDENCY FOR IMHTTP: libaprutil (libaprutil1-dev on debian'ish, apr-util-devel on Red Hat) Thanks to Nelson Yen for the patch. * 2021-09-07: testbench bugfix: privdrop tests under root user did not work When running under root, the privdrop tests did not properly work. This patch fixes the issue and skips test where necessary. This also includes some modernization of the related tests. closes https://github.com/rsyslog/rsyslog/issues/4619 * 2021-09-07: core/ratelimiting: fix rate limiting for already parsed messages Rate limiting may not have worked if the considered message had already been parsed (not having NEEDS_PARSING in msgFlags). This affects also imuxsock in its default configuration (useSpecialParser="true" and ratelimit.severity="1") * 2021-09-07: core bugfix: use of property $wday terminates string When $wday is used inside a template, all template parts after it are ignored. For exmaple: template(name="json_filename" type="string" string="/var/log/%$wday%.log") would generate something like "/var/log/0" - the ".log" part would be missing. For the same reason, $wday can not reliably checked in script filters. Thanks to Alain Thivillon for reporting the bug and providing an excellent analysis, which essentiellay was exactly this fix here. closes https://github.com/rsyslog/rsyslog/issues/4670 * 2021-09-07: core/queue bugfix: potential misadressing when queue discarded messages When a discard mark was set, the queue was very busy and discarded messages, a NULL pointer access could happen. Depending on circumstances, several problems could occur, including a SEGFAULT. This is now fixed. closes: https://github.com/rsyslog/rsyslog/issues/4437 * 2021-09-07: imdiga bugfix: iOverallQueueSize calculation could be incorrect This issue only affects testbench and rsyslog development debugging. The active messages counter, used for synchronizing test steps, went wrong when the queue discarded messages on it's consumer thread. Now fixed. * 2021-09-06: gnutls driver: SAN priority did not work correctly on server side PrioritizeSAN was not propagated when accepting a new connection, this is now fixed. Thanks to Attila Lakatos for the patch. * 2021-08-24: config: implement script-equavalent for $PrivDrop* statements closes https://github.com/rsyslog/rsyslog/issues/891 ==== suse-module-tools ==== Version update (16.0.11 -> 16.0.13) - Update to version 16.0.13: * fixup "rpm-script: fix bad exit status in OpenQA (bsc#1191922)" - Update to version 16.0.12: * rpm-script: fix bad exit status in OpenQA (bsc#1191922) * cert-script: Deal with existing $cert.delete file (bsc#1191804). * cert-script: Ignore kernel keyring for kernel certificates (bsc#1191480). * cert-script: Only print mokutil output in verbose mode. ==== systemd-rpm-macros ==== - Use %{load:} instead of %{?load:}: fix build with RPM 4.17. ==== tigervnc ==== Subpackages: libXvnc1 xorg-x11-Xvnc xorg-x11-Xvnc-module - Not using System crypto policies for <= sle15-sp3 (boo#1191394) ==== transactional-update ==== Version update (3.5.6 -> 3.6.0) Subpackages: dracut-transactional-update libtukit0 transactional-update-zypp-config tukit - Version 3.6.0 - Simplify mount hierarchy by just using a single slave bind mount as the root of the update environment; this may avoid the error messages of failed unmounts May fix [boo#1191945] - Version 3.5.7 Various fixes affecting Salt support: - t-u: Don't squash stderr messages into stdout - t-u: Correctly handle case when the snapshot has been deleted due to using --drop-if-no-change: Don't show reboot messages and avoid an awk error message [bsc#1191475] - tukit: Make inotify handler less sensitive / ignore more directories [bsc#1191475] ==== u-boot-rpiarm64 ==== Subpackages: u-boot-rpiarm64-doc Patch queue updated from https://github.com/openSUSE/u-boot.git tumbleweed-2021.10 * Patches added: 0015-Enable-EFI-and-ISO-partitions-suppo.patch - boo#1191966 0016-Revert-video-backlight-fix-pwm-s-du.patch - boo#1187573 ==== virt-manager ==== Subpackages: virt-install virt-manager-common - Add dependency in spec file for python3-gobject-Gdk (bsc#1191705) virt-manager.spec - bsc#1191358 - The Virtual Machine Manager shows disconnected after rebooting virtual machine in Xen mode in SLES15 SP3. virtman-init-viewer-on-reboot.patch ==== yast2-country ==== Version update (4.4.6 -> 4.4.7) Subpackages: yast2-country-data - Use official China timezone Asia/Shanghai (bsc#1187857) - 4.4.7