Packages changed: apparmor audit-secondary avahi boost-base busybox ca-certificates (2+git20210723.27a0476 -> 2+git20211004.3efbea9) chrony compat-usrmerge dracut (055+suse.119.g6c4187af -> 055+suse.129.g7d8c3ce3) e2fsprogs fcoe-utils file (5.40 -> 5.41) glibc haproxy (2.4.4+git0.acb1d0bea -> 2.4.7+git0.b5e51a5e2) helm hwinfo (21.76 -> 21.77) iputils kbd kernel-source (5.14.9 -> 5.14.11) kubernetes1.21 libapparmor libcap (2.51 -> 2.59) libglvnd librsvg (2.52.0 -> 2.52.2) libwebp (1.2.0 -> 1.2.1) libzypp (17.28.4 -> 17.28.6) ncurses (6.2.20210911 -> 6.2.20211002) ndctl nvme-cli open-iscsi open-vm-tools (11.3.0 -> 11.3.5) openssh (8.4p1 -> 8.8p1) pam-config (1.4 -> 1.5) patterns-microos pmdk (1.11.0 -> 1.11.1) python-Jinja2 (3.0.1 -> 3.0.2) python-PrettyTable python-alembic (1.6.5 -> 1.7.4) python-apipkg (1.5 -> 2.1.0) python-distro python-greenlet (1.1.0 -> 1.1.2) python-idna (3.2 -> 3.3) python-more-itertools (8.8.0 -> 8.10.0) python-networkx (2.6.1 -> 2.6.3) python-pyrsistent (0.17.3 -> 0.18.0) python-pytz (2021.1 -> 2021.3) python-zipp (3.5.0 -> 3.6.0) qemu raspberrypi-firmware (2021.03.10 -> 2021.09.30) raspberrypi-firmware-config (2021.03.10 -> 2021.09.30) raspberrypi-firmware-dt (2021.03.15 -> 2021.09.17) rbac-lookup (0.6.4 -> 0.7.1) rdma-core (36.0 -> 37.1) salt systemd (249.4 -> 249.5) systemd-presets-common-SUSE timezone (2021c -> 2021d) tpm2.0-tools (5.1.1 -> 5.2) wireless-regdb (20210421 -> 20210828) xfsprogs xkeyboard-config (2.33 -> 2.34) yomi-formula zypper (1.14.49 -> 1.14.50) === Details === ==== apparmor ==== Subpackages: apparmor-abstractions apparmor-parser apparmor-profiles apparmor-utils python3-apparmor - add add-samba-bgqd.diff: add profile for samba-bgqd (boo#1191532) ==== audit-secondary ==== Subpackages: audit python3-audit system-group-audit - Add CONFIG parameter to %sysusers_generate_pre - Create separate service for augenrules (bsc#1191614, bsc#1181400) * add create-augenrules-service.patch Remove ReadWritePaths=/etc/audit from auditd.service, also removes augenrules call from ExecStartPost. Create augenrules.service with the ReadWritePaths directive above. This makes /etc/audit only accessible by augenrules.service and let auditd.service (and daemon) to be sandboxed again. - Update audit-secondary.spec to accomodate the new service file. ==== avahi ==== Subpackages: libavahi-client3 libavahi-common3 - Add rpmlintrc: Filter shlib-policy-name-error for libdns_sd (boo#1191750). - Remove obsolete translation-update-upstream support (jsc#SLE-21105). ==== boost-base ==== Subpackages: boost-license1_77_0 libboost_thread1_77_0 - make boost-json-devel require boost-container-devel (bsc#1191822) ==== busybox ==== - Create separate 'Warewulf3' (https://github.com/warewulf/warewulf3) flavor of busybox with the additional setting: CONFIG_REBOOT=y CONFIG_SWITCH_ROOT=y CONFIG_CTTYHACK=y (bsc#1191514). ==== ca-certificates ==== Version update (2+git20210723.27a0476 -> 2+git20211004.3efbea9) - Update to version 2+git20211004.3efbea9: * Ensure --root option propagates prefix properly to other scripts ==== chrony ==== Subpackages: chrony-pool-openSUSE - boo#1190926: PrivateDevices is too strict, we might need to access the rtc and ptp devices. - Add back support to build chrony on SLE12. - Drop dependency on asciidoctor. It is only needed for building the HTML documentation which we don't package anyway. ==== compat-usrmerge ==== - Fix logic for detecting conflicts with directories (boo#1191111) ==== dracut ==== Version update (055+suse.119.g6c4187af -> 055+suse.129.g7d8c3ce3) Subpackages: dracut-ima dracut-mkinitrd-deprecated - Update to version 055+suse.129.g7d8c3ce3: * fix(kernel-modules): add blk_mq_alloc_disk and blk_cleanup_disk to blockfuncs (bsc#1190326) * docs: update SUSE maintainers doc * fix(suse): add 60-io-scheduler.rules (bsc#1188713) * revert: remove /sbin/installkernel script from dracut package * spec: modernize specfile constructs ==== e2fsprogs ==== Subpackages: libcom_err2 libext2fs2 - Drop ProtectClock hardening, can cause issues if other device acceess is needed ==== fcoe-utils ==== - Drop ProtectClock hardening, can cause issues if other device acceess is needed ==== file ==== Version update (5.40 -> 5.41) Subpackages: file-magic libmagic1 - Remove file-5.38-allow-readlinkat.dif as already doen in latest file 5.41 - Update to 5.41: * Avinash Sonawane: Fix tzname detection * Fix relationship tests with "search" magic, don't short circuit logic * Fix memory leak in compile mode * PR/272: kiefermat: Only set returnval = 1 when we printed something (in all cases print or !print). This simplifies the logic and fixes the issue in the PR with -k and --mime-type there was no continuation printed before the default case. * PR/270: Don't translate unprintable characters in %s magic formats when -r * PR/269: Avoid undefined behavior with clang (adding offset to NULL) * Add a new flag (f) that requires that the match is a full word, not a partial word match. * Add varint types (unused) * PR/256: mutableVoid: If the file is less than 3 bytes, use the file length to determine type * PR/259: aleksandr.v.novichkov: mime printing through indirect magic is not taken into account, use match directly so that it does. - Remove patches now upstream * file-5.40-1c677c04.patch * file-5.40-3096f87f.patch * file-5.40-4c5fe1ad.patch * file-5.40-6b34436a.patch * file-5.40-749e1ecf.patch * file-5.40-9b0459af.patch * file-5.40-9e2becec.patch * file-5.40-ascii.patch * file-5.40-f0601504.patch * file-5.40-f7705dca.patch - Port patches * file-5.19-biorad.dif * file-5.19-printf.dif * file-5.19-zip2.0.dif * file-5.23-endian.patch * file-5.28-btrfs-image.dif * file-5.38-allow-readlinkat.dif * file-secure_getenv.patch - Port and rename patch file-5.39.dif which is now file-5.41.dif ==== glibc ==== Subpackages: glibc-locale-base - ld-show-auxv-colon.patch: elf: Fix missing colon in LD_SHOW_AUXV output (BZ #282539 - x86-string-control-test.patch: x86-64: Use testl to check __x86_string_control - pthread-kill-fail-after-exit.patch: nptl: pthread_kill, pthread_cancel should not fail after exit (BZ #19193) - pthread-kill-race-thread-exit.patch: nptl: Fix race between pthread_kill and thread exit (BZ #12889) - getcwd-attribute-access.patch: posix: Fix attribute access mode on getcwd (BZ #27476) - pthread-kill-return-esrch.patch: nptl: pthread_kill needs to return ESRCH for old programs (BZ #19193) - pthread-mutexattr-getrobust-np-type.patch: nptl: Fix type of pthread_mutexattr_getrobust_np, pthread_mutexattr_setrobust_np (BZ [#28036]) - setxid-deadlock-blocked-signals.patch: nptl: Avoid setxid deadlock with blocked signals in thread exit (BZ #28361) - pthread-kill-send-specific-thread.patch: nptl: pthread_kill must send signals to a specific thread (BZ #28407) - sysconf-nprocessors-affinity.patch: linux: Revert the use of sched_getaffinity on get_nproc (BZ #28310) - iconv-charmap-close-output.patch: renamed from icon-charmap-close-output.patch ==== haproxy ==== Version update (2.4.4+git0.acb1d0bea -> 2.4.7+git0.b5e51a5e2) - Update to version 2.4.7+git0.b5e51a5e2: * [RELEASE] Released version 2.4.7 * BUG/MEDIUM: http-ana: Clear request analyzers when applying redirect rule - Update to version 2.4.6+git0.d83fd76a1: * [RELEASE] Released version 2.4.6 * BUG/MEDIUM: filters: Fix a typo when a filter is attached blocking the release - Update to version 2.4.5+git0.e74a1b34b: * [RELEASE] Released version 2.4.5 * MINOR: tasks: catch TICK_ETERNITY with BUG_ON() in __task_queue() * BUG/MINOR: tcp-rules: Stop content rules eval on read error and end-of-input * BUG/MINOR: tcpcheck: Don't use arg list for default proxies during parsing * MINOR: arg: Be able to forbid unresolved args when building an argument list * BUG/MAJOR: lua: use task_wakeup() to properly run a task once * BUG/MEDIUM: lua: fix wakeup condition from sleep() * MINOR: Makefile: add MEMORY_POOLS to the list of DEBUG_xxx options * DOC: peers: fix doc "enable" statement on "peers" sections * BUG/MINOR: mux-h1/mux-fcgi: Sanitize TE header to only send "trailers" * MINOR: stream-int: Notify mux when the buffer is not stuck when calling rcv_buf * BUG/MEDIUM: stream-int: Defrag HTX message in si_cs_recv() if necessary * MINOR: htx: Add a function to know if the free space wraps * MINOR: htx: Add an HTX flag to know when a message is fragmented * MINOR: stream-int: Set CO_RFL transient/persistent flags apart in si_cs_rcv() * BUG/MEDIUM: stream: Stop waiting for more data if SI is blocked on RXBLK_ROOM * BUG/MEDIUM: stream-int: Notify stream that the mux wants more room to xfer data * BUG/MEDIUM: mux-h1: Adjust conditions to ask more space in the channel buffer * BUG/MINOR: stats: use refcount to protect dynamic server on dump * MINOR: server: return the next srv instance on free_server * BUG/MINOR: server: do not use refcount in free_server in stopping mode * MINOR: global: define MODE_STOPPING * MINOR: server: implement a refcount for dynamic servers * BUG/MINOR: http-ana: increment internal_errors counter on response error * BUG/MINOR: h1-htx: Fix a typo when request parser is reset * BUG/MEDIUM: leastconn: fix rare possibility of divide by zero * BUG/MINOR: server: allow 'enable health' only if check configured * BUILD: threads: fix -Wundef for _POSIX_PRIORITY_SCHEDULING on libmusl * BUILD: halog: fix a -Wundef warning on non-glibc systems * BUILD: compiler: fixed a missing test on defined(__GNUC__) * BUILD: fix dragonfly build again on __read_mostly * BUG/MINOR: vars: do not talk about global section in CLI errors for set-var * BUG/MINOR: vars: truncate the variable name in error reports about scope. * BUG/MINOR: vars: properly set the argument parsing context in the expression * MINOR: sample: add missing ARGC_ entries * BUG/MINOR: vars: improve accuracy of the rules used to check expression validity * BUILD: tools: properly guard __GLIBC__ with defined() * BUILD: ssl: fix two remaining occurrences of #if USE_OPENSSL * BUILD: ssl: next round of build warnings on LIBRESSL_VERSION_NUMBER * BUILD/MINOR: regex: avoid a build warning on USE_PCRE2 with -Wundef * IMPORT: slz: silence a build warning with -Wundef * BUILD/MINOR: ssl: avoid a build warning on LIBRESSL_VERSION with -Wundef * BUILD/MINOR: defaults: eliminate warning on MAXHOSTNAMELEN with -Wundef * BUILD: activity: use #ifdef not #if on USE_MEMORY_PROFILING * MINOR: proc: setting the process to produce a core dump on FreeBSD. * MINOR: tools: add FreeBSD support to get_exec_path() * BUILD: tools: get the absolute path of the current binary on NetBSD. * BUG/MINOR: flt-trace: fix an infinite loop when random-parsing is set * BUG/MINOR: cli/payload: do not search for args inside payload * BUILD: ist: prevent gcc11 maybe-uninitialized warning on istalloc * BUG/MINOR: connection: prevent null deref on mux cleanup task allocation * DOC: management: certificate files must be sanitized before injection * BUG/MINOR: tcpcheck: Improve LDAP response parsing to fix LDAP check * BUG/MAJOR: mux-h1: Don't eval input data if an error was reported * MINOR: pools: use mallinfo2() when available instead of mallinfo() * MINOR: pools: automatically disable malloc_trim() with external allocators * CLEANUP: pools: factor all malloc_trim() calls into trim_all_pools() * BUG/MINOR: compat: make sure __WORDSIZE is always defined * BUG/MEDIUM: stream-int: Don't block SI on a channel policy if EOI is reached * CLEANUP: mux-h1: Remove condition rejecting upgrade requests with payload * MINOR: htx: Skip headers with no value when adding a header list to a message * BUG/MEDIUM: mux-h1: Remove "Upgrade:" header for requests with payload * BUG/MINOR: systemd: ExecStartPre must use -Ws * BUG/MINOR: filters: Set right FLT_END analyser depending on channel * BUG/MINOR: filters: Always set FLT_END analyser when CF_FLT_ANALYZE flag is set * BUG/MEDIUM: http-ana: Reset channels analysers when returning an error * BUG/MINOR: stream: Don't release a stream if FLT_END is still registered * BUG/MINOR: lua: Don't yield in channel.append() and channel.set() * BUG/MINOR: lua: Yield in channel functions only if lua context can yield * MINOR: lua: Add a flag on lua context to know the yield capability at run time ==== helm ==== - use 'v' prefix for the version to match upstream builds - package fish completions ==== hwinfo ==== Version update (21.76 -> 21.77) - merge gh#openSUSE/hwinfo#105 - Use license file from gnu.org - Fix spelling - Add missing final newline - Trim excess whitespace - Simple maintenance improvements - 21.77 ==== iputils ==== - Drop ProtectClock hardening, can cause issues if other device acceess is needed ==== kbd ==== Subpackages: kbd-legacy - regenerated cz-map.patch needed for xkeyboard-config 2.34 update ==== kernel-source ==== Version update (5.14.9 -> 5.14.11) - Linux 5.14.11 (bsc#1012628). - Revert "ARM: imx6q: drop of_platform_default_populate() from init_machine" (bsc#1012628). - Revert "brcmfmac: use ISO3166 country code and 0 rev as fallback" (bsc#1012628). - libata: Add ATA_HORKAGE_NO_NCQ_ON_ATI for Samsung 860 and 870 SSD (bsc#1012628). - perf/x86: Reset destroy callback on event init failure (bsc#1012628). - KVM: x86: nSVM: restore int_vector in svm_clear_vintr (bsc#1012628). - kvm: x86: Add AMD PMU MSRs to msrs_to_save_all[] (bsc#1012628). - KVM: x86: reset pdptrs_from_userspace when exiting smm (bsc#1012628). - KVM: do not shrink halt_poll_ns below grow_start (bsc#1012628). - selftests: KVM: Align SMCCC call with the spec in steal_time (bsc#1012628). - kasan: always respect CONFIG_KASAN_STACK (bsc#1012628). - tools/vm/page-types: remove dependency on opt_file for idle page tracking (bsc#1012628). - block: don't call rq_qos_ops->done_bio if the bio isn't tracked (bsc#1012628). - io_uring: allow conditional reschedule for intensive iterators (bsc#1012628). - x86/insn, tools/x86: Fix undefined behavior due to potential unaligned accesses (bsc#1012628). - smb3: correct smb3 ACL security descriptor (bsc#1012628). - irqchip/gic: Work around broken Renesas integration (bsc#1012628). - scsi: ses: Retry failed Send/Receive Diagnostic commands (bsc#1012628). - thermal/drivers/tsens: Fix wrong check for tzd in irq handlers (bsc#1012628). - nvme-fc: avoid race between time out and tear down (bsc#1012628). - nvme-fc: update hardware queues before using them (bsc#1012628). - swiotlb-xen: ensure to issue well-formed XENMEM_exchange requests (bsc#1012628). - Xen/gntdev: don't ignore kernel unmapping error (bsc#1012628). - selftests: kvm: fix get_run_delay() ignoring fscanf() return warn (bsc#1012628). - selftests: kvm: move get_run_delay() into lib/test_util (bsc#1012628). - selftests:kvm: fix get_trans_hugepagesz() ignoring fscanf() return warn (bsc#1012628). - selftests:kvm: fix get_warnings_count() ignoring fscanf() return warn (bsc#1012628). - selftests: be sure to make khdr before other targets (bsc#1012628). - habanalabs/gaudi: fix LBW RR configuration (bsc#1012628). - habanalabs: fail collective wait when not supported (bsc#1012628). - habanalabs/gaudi: use direct MSI in single mode (bsc#1012628). - usb: dwc2: check return value after calling platform_get_resource() (bsc#1012628). - usb: testusb: Fix for showing the connection speed (bsc#1012628). - scsi: elx: efct: Do not hold lock while calling fc_vport_terminate() (bsc#1012628). - scsi: sd: Free scsi_disk device via put_device() (bsc#1012628). - drm/amdkfd: fix svm_migrate_fini warning (bsc#1012628). - drm/amdkfd: handle svm migrate init error (bsc#1012628). - ext2: fix sleeping in atomic bugs on error (bsc#1012628). - platform/x86: gigabyte-wmi: add support for B550I Aorus Pro AX (bsc#1012628). - sparc64: fix pci_iounmap() when CONFIG_PCI is not set (bsc#1012628). - xen-netback: correct success/error reporting for the SKB-with-fraglist case (bsc#1012628). - net: mdio: introduce a shutdown method to mdio device drivers (bsc#1012628). - btrfs: fix mount failure due to past and transient device flush error (bsc#1012628). - btrfs: replace BUG_ON() in btrfs_csum_one_bio() with proper error handling (bsc#1012628). - nfsd: back channel stuck in SEQ4_STATUS_CB_PATH_DOWN (bsc#1012628). - platform/x86: touchscreen_dmi: Update info for the Chuwi Hi10 Plus (CWI527) tablet (bsc#1012628). - platform/x86: touchscreen_dmi: Add info for the Chuwi HiBook (CWI514) tablet (bsc#1012628). - afs: Add missing vnode validation checks (bsc#1012628). - spi: rockchip: handle zero length transfers without timing out (bsc#1012628). - commit 834dddd - iwlwifi: Fix MODULE_FIRMWARE() for non-existing ucode version (boo#1191417). - commit 6597512 - Linux 5.14.10 (bsc#1012628). - media: hantro: Fix check for single irq (bsc#1012628). - media: cedrus: Fix SUNXI tile size calculation (bsc#1012628). - media: s5p-jpeg: rename JPEG marker constants to prevent build warnings (bsc#1012628). - ASoC: fsl_sai: register platform component before registering cpu dai (bsc#1012628). - ASoC: fsl_esai: register platform component before registering cpu dai (bsc#1012628). - ASoC: fsl_micfil: register platform component before registering cpu dai (bsc#1012628). - ASoC: fsl_spdif: register platform component before registering cpu dai (bsc#1012628). - ASoC: fsl_xcvr: register platform component before registering cpu dai (bsc#1012628). - ASoC: mediatek: common: handle NULL case in suspend/resume function (bsc#1012628). - scsi: elx: efct: Fix void-pointer-to-enum-cast warning for efc_nport_topology (bsc#1012628). - ASoC: SOF: Fix DSP oops stack dump output contents (bsc#1012628). - ASoC: SOF: imx: imx8: Bar index is only valid for IRAM and SRAM types (bsc#1012628). - ASoC: SOF: imx: imx8m: Bar index is only valid for IRAM and SRAM types (bsc#1012628). - pinctrl: qcom: spmi-gpio: correct parent irqspec translation (bsc#1012628). - net/mlx4_en: Resolve bad operstate value (bsc#1012628). - s390/qeth: Fix deadlock in remove_discipline (bsc#1012628). - s390/qeth: fix deadlock during failing recovery (bsc#1012628). - m68k: Update ->thread.esp0 before calling syscall_trace() in ret_from_signal (bsc#1012628). - NIOS2: fix kconfig unmet dependency warning for SERIAL_CORE_CONSOLE (bsc#1012628). - kasan: fix Kconfig check of CC_HAS_WORKING_NOSANITIZE_ADDRESS (bsc#1012628). - HID: amd_sfh: Fix potential NULL pointer dereference (bsc#1012628). - perf test: Fix DWARF unwind for optimized builds (bsc#1012628). - perf iostat: Use system-wide mode if the target cpu_list is unspecified (bsc#1012628). - perf iostat: Fix Segmentation fault from NULL 'struct perf_counts_values *' (bsc#1012628). - watchdog/sb_watchdog: fix compilation problem due to COMPILE_TEST (bsc#1012628). - tty: Fix out-of-bound vmalloc access in imageblit (bsc#1012628). - cpufreq: schedutil: Use kobject release() method to free sugov_tunables (bsc#1012628). - scsi: qla2xxx: Changes to support kdump kernel for NVMe BFS (bsc#1012628). - drm/amdgpu: adjust fence driver enable sequence (bsc#1012628). - drm/amdgpu: avoid over-handle of fence driver fini in s3 test (v2) (bsc#1012628). - drm/amdgpu: stop scheduler when calling hw_fini (v2) (bsc#1012628). - cpufreq: schedutil: Destroy mutex before kobject_put() frees the memory (bsc#1012628). - scsi: ufs: ufs-pci: Fix Intel LKF link stability (bsc#1012628). - ALSA: rawmidi: introduce SNDRV_RAWMIDI_IOCTL_USER_PVERSION (bsc#1012628). - ALSA: firewire-motu: fix truncated bytes in message tracepoints (bsc#1012628). - ALSA: hda/realtek: Quirks to enable speaker output for Lenovo Legion 7i 15IMHG05, Yoga 7i 14ITL5/15ITL5, and 13s Gen2 laptops (bsc#1012628). - ACPI: NFIT: Use fallback node id when numa info in NFIT table is incorrect (bsc#1012628). - fs-verity: fix signed integer overflow with i_size near S64_MAX (bsc#1012628). - hwmon: (tmp421) handle I2C errors (bsc#1012628). - hwmon: (w83793) Fix NULL pointer dereference by removing unnecessary structure field (bsc#1012628). - hwmon: (w83792d) Fix NULL pointer dereference by removing unnecessary structure field (bsc#1012628). - hwmon: (w83791d) Fix NULL pointer dereference by removing unnecessary structure field (bsc#1012628). - gpio: pca953x: do not ignore i2c errors (bsc#1012628). - scsi: ufs: Fix illegal offset in UPIU event trace (bsc#1012628). - mac80211: fix use-after-free in CCMP/GCMP RX (bsc#1012628). - platform/x86/intel: hid: Add DMI switches allow list (bsc#1012628). - x86/kvmclock: Move this_cpu_pvti into kvmclock.h (bsc#1012628). - ptp: Fix ptp_kvm_getcrosststamp issue for x86 ptp_kvm (bsc#1012628). - KVM: x86: Fix stack-out-of-bounds memory access from ioapic_write_indirect() (bsc#1012628). - KVM: x86: nSVM: don't copy virt_ext from vmcb12 (bsc#1012628). - KVM: x86: Clear KVM's cached guest CR3 at RESET/INIT (bsc#1012628). - KVM: x86: Swap order of CPUID entry "index" vs. "significant flag" checks (bsc#1012628). - KVM: nVMX: Filter out all unsupported controls when eVMCS was activated (bsc#1012628). - KVM: SEV: Update svm_vm_copy_asid_from for SEV-ES (bsc#1012628). - KVM: SEV: Pin guest memory for write for RECEIVE_UPDATE_DATA (bsc#1012628). - KVM: SEV: Acquire vcpu mutex when updating VMSA (bsc#1012628). - KVM: SEV: Allow some commands for mirror VM (bsc#1012628). - KVM: SVM: fix missing sev_decommission in sev_receive_start (bsc#1012628). - KVM: nVMX: Fix nested bus lock VM exit (bsc#1012628). - KVM: VMX: Fix a TSX_CTRL_CPUID_CLEAR field mask issue (bsc#1012628). - mmc: renesas_sdhi: fix regression with hard reset on old SDHIs (bsc#1012628). - media: ir_toy: prevent device from hanging during transmit (bsc#1012628). - RDMA/cma: Do not change route.addr.src_addr.ss_family (bsc#1012628). - RDMA/cma: Ensure rdma_addr_cancel() happens before issuing more requests (bsc#1012628). - nbd: use shifts rather than multiplies (bsc#1012628). - drm/amd/display: initialize backlight_ramping_override to false (bsc#1012628). - drm/amd/display: Pass PCI deviceid into DC (bsc#1012628). - drm/amd/display: Fix Display Flicker on embedded panels (bsc#1012628). - drm/amdgpu: force exit gfxoff on sdma resume for rmb s0ix (bsc#1012628). - drm/amdgpu: check tiling flags when creating FB on GFX8- (bsc#1012628). - drm/amdgpu: correct initial cp_hqd_quantum for gfx9 (bsc#1012628). - interconnect: qcom: sdm660: Fix id of slv_cnoc_mnoc_cfg (bsc#1012628). - interconnect: qcom: sdm660: Correct NOC_QOS_PRIORITY shift and mask (bsc#1012628). - drm/i915/gvt: fix the usage of ww lock in gvt scheduler (bsc#1012628). - ipvs: check that ip_vs_conn_tab_bits is between 8 and 20 (bsc#1012628). - bpf: Handle return value of BPF_PROG_TYPE_STRUCT_OPS prog (bsc#1012628). - IB/cma: Do not send IGMP leaves for sendonly Multicast groups (bsc#1012628). - RDMA/cma: Fix listener leak in rdma_cma_listen_on_all() failure (bsc#1012628). - bpf, mips: Validate conditional branch offsets (bsc#1012628). - hwmon: (mlxreg-fan) Return non-zero value when fan current state is enforced from sysfs (bsc#1012628). - RDMA/irdma: Skip CQP ring during a reset (bsc#1012628). - RDMA/irdma: Validate number of CQ entries on create CQ (bsc#1012628). - RDMA/irdma: Report correct WC error when transport retry counter is exceeded (bsc#1012628). - RDMA/irdma: Report correct WC error when there are MW bind errors (bsc#1012628). - netfilter: nf_tables: unlink table before deleting it (bsc#1012628). - netfilter: log: work around missing softdep backend module (bsc#1012628). - Revert "mac80211: do not use low data rates for data frames with no ack flag" (bsc#1012628). - mac80211: Fix ieee80211_amsdu_aggregate frag_tail bug (bsc#1012628). - mac80211: limit injected vht mcs/nss in ieee80211_parse_tx_radiotap (bsc#1012628). - mac80211: mesh: fix potentially unaligned access (bsc#1012628). - mac80211-hwsim: fix late beacon hrtimer handling (bsc#1012628). - driver core: fw_devlink: Add support for FWNODE_FLAG_NEEDS_CHILD_BOUND_ON_ADD (bsc#1012628). - net: mdiobus: Set FWNODE_FLAG_NEEDS_CHILD_BOUND_ON_ADD for mdiobus parents (bsc#1012628). - sctp: break out if skb_header_pointer returns NULL in sctp_rcv_ootb (bsc#1012628). - mptcp: don't return sockets in foreign netns (bsc#1012628). - mptcp: allow changing the 'backup' bit when no sockets are open (bsc#1012628). - RDMA/hns: Work around broken constant propagation in gcc 8 (bsc#1012628). - hwmon: (tmp421) report /PVLD condition as fault (bsc#1012628). - hwmon: (tmp421) fix rounding for negative values (bsc#1012628). - net: enetc: fix the incorrect clearing of IF_MODE bits (bsc#1012628). - net: ipv4: Fix rtnexthop len when RTA_FLOW is present (bsc#1012628). - smsc95xx: fix stalled rx after link change (bsc#1012628). - drm/i915/request: fix early tracepoints (bsc#1012628). - drm/i915: Remove warning from the rps worker (bsc#1012628). - dsa: mv88e6xxx: 6161: Use chip wide MAX MTU (bsc#1012628). - dsa: mv88e6xxx: Fix MTU definition (bsc#1012628). - dsa: mv88e6xxx: Include tagger overhead when setting MTU for DSA and CPU ports (bsc#1012628). - e100: fix length calculation in e100_get_regs_len (bsc#1012628). - e100: fix buffer overrun in e100_get_regs (bsc#1012628). - RDMA/hfi1: Fix kernel pointer leak (bsc#1012628). - RDMA/hns: Fix the size setting error when copying CQE in clean_cq() (bsc#1012628). - RDMA/hns: Add the check of the CQE size of the user space (bsc#1012628). - bpf: Exempt CAP_BPF from checks against bpf_jit_limit (bsc#1012628). - libbpf: Fix segfault in static linker for objects without BTF (bsc#1012628). - selftests, bpf: Fix makefile dependencies on libbpf (bsc#1012628). - selftests, bpf: test_lwt_ip_encap: Really disable rp_filter (bsc#1012628). - bpf, x86: Fix bpf mapping of atomic fetch implementation (bsc#1012628). - net: ks8851: fix link error (bsc#1012628). - ionic: fix gathering of debug stats (bsc#1012628). - Revert "block, bfq: honor already-setup queue merges" (bsc#1012628). - scsi: csiostor: Add module softdep on cxgb4 (bsc#1012628). - ixgbe: Fix NULL pointer dereference in ixgbe_xdp_setup (bsc#1012628). - net: hns3: do not allow call hns3_nic_net_open repeatedly (bsc#1012628). - net: hns3: remove tc enable checking (bsc#1012628). - net: hns3: don't rollback when destroy mqprio fail (bsc#1012628). - net: hns3: fix mixed flag HCLGE_FLAG_MQPRIO_ENABLE and HCLGE_FLAG_DCB_ENABLE (bsc#1012628). - net: hns3: fix show wrong state when add existing uc mac address (bsc#1012628). - net: hns3: reconstruct function hns3_self_test (bsc#1012628). - net: hns3: fix always enable rx vlan filter problem after selftest (bsc#1012628). - net: hns3: disable firmware compatible features when uninstall PF (bsc#1012628). - net: phy: bcm7xxx: Fixed indirect MMD operations (bsc#1012628). - net: sched: flower: protect fl_walk() with rcu (bsc#1012628). - net: stmmac: fix EEE init issue when paired with EEE capable PHYs (bsc#1012628). - af_unix: fix races in sk_peer_pid and sk_peer_cred accesses (bsc#1012628). - objtool: Teach get_alt_entry() about more relocation types (bsc#1012628). - perf/x86/intel: Update event constraints for ICX (bsc#1012628). - sched/fair: Add ancestors of unthrottled undecayed cfs_rq (bsc#1012628). - sched/fair: Null terminate buffer when updating tunable_scaling (bsc#1012628). - hwmon: (occ) Fix P10 VRM temp sensors (bsc#1012628). - hwmon: (pmbus/mp2975) Add missed POUT attribute for page 1 mp2975 controller (bsc#1012628). - kvm: fix objtool relocation warning (bsc#1012628). - nvme: add command id quirk for apple controllers (bsc#1012628). - elf: don't use MAP_FIXED_NOREPLACE for elf interpreter mappings (bsc#1012628). - driver core: fw_devlink: Improve handling of cyclic dependencies (bsc#1012628). - debugfs: debugfs_create_file_size(): use IS_ERR to check for error (bsc#1012628). - ipack: ipoctal: fix stack information leak (bsc#1012628). - ipack: ipoctal: fix tty registration race (bsc#1012628). - ipack: ipoctal: fix tty-registration error handling (bsc#1012628). - ipack: ipoctal: fix missing allocation-failure check (bsc#1012628). - ipack: ipoctal: fix module reference leak (bsc#1012628). - ext4: fix loff_t overflow in ext4_max_bitmap_size() (bsc#1012628). - ext4: limit the number of blocks in one ADD_RANGE TLV (bsc#1012628). - ext4: fix reserved space counter leakage (bsc#1012628). - ext4: add error checking to ext4_ext_replay_set_iblocks() (bsc#1012628). - ext4: fix potential infinite loop in ext4_dx_readdir() (bsc#1012628). - ext4: flush s_error_work before journal destroy in ext4_fill_super (bsc#1012628). - HID: u2fzero: ignore incomplete packets without data (bsc#1012628). - net: udp: annotate data race around udp_sk(sk)->corkflag (bsc#1012628). - NIOS2: setup.c: drop unused variable 'dram_start' (bsc#1012628). - usb: hso: remove the bailout parameter (bsc#1012628). - HID: betop: fix slab-out-of-bounds Write in betop_probe (bsc#1012628). - netfilter: ipset: Fix oversized kvmalloc() calls (bsc#1012628). - mm: don't allow oversized kvmalloc() calls (bsc#1012628). - HID: usbhid: free raw_report buffers in usbhid_stop (bsc#1012628). - crypto: aesni - xts_crypt() return if walk.nbytes is 0 (bsc#1012628). - KVM: x86: Handle SRCU initialization failure during page track init (bsc#1012628). - netfilter: conntrack: serialize hash resizes and cleanups (bsc#1012628). - netfilter: nf_tables: Fix oversized kvmalloc() calls (bsc#1012628). - drivers: net: mhi: fix error path in mhi_net_newlink (bsc#1012628). - objtool: print out the symbol type when complaining about it (bsc#1012628). - HID: amd_sfh: Fix potential NULL pointer dereference - take 2 (bsc#1012628). - commit 7c980ba - ALSA: hda: intel: Allow repeatedly probing on codec configuration errors (bsc#1190801). - commit 924f4be - rpm: use _rpmmacrodir (boo#1191384) - commit e350c14 ==== kubernetes1.21 ==== - Bump disk requirements in _constraints to 12GB. Data based on the last successful build consumed storage. ==== libapparmor ==== - add add-samba-bgqd.diff: add profile for samba-bgqd (boo#1191532) ==== libcap ==== Version update (2.51 -> 2.59) - update to 2.59: * Fixed a potential libcap memory leak by adding a destructor * Major improvement is that there is a path for Linux-PAM compliant applications to support setting Ambient vector Capabilities via pam_cap.so now * Added libcap cap_proc_root() API function * Added color support to captree * Fixed contrib/sucap/su to correctly handle the Inheritable flag * capsh enhancements * getcap -r / now generates readable output * The shared library objects: pam_cap.so, libcap.so and libpsx.so, are all now runnable as standalone binaries * The module pam_cap.so now contains support for a default= module argument * Enhanced capsh --suggest to also compare against the capability value names and not just their descriptions * Added capsh --current support * Added a contrib/sucap/su.c pure-capabilities PAM implementation of su * Fix for a corner case infinite loop handling long strings * Added libcap cap_iab_compare() and cap_iab_get_pid() APIs * Added a Go utility, captree, to display the process (and thread) graph along with the POSIX.1e and IAB capabilities of each PID{TID} tree. ==== libglvnd ==== - libglvnd.rpmlintrc * workaround for future buildcheck (boo#1191763) ==== librsvg ==== Version update (2.52.0 -> 2.52.2) Subpackages: gdk-pixbuf-loader-rsvg librsvg-2-2 - Update to version 2.52.2: + New features: - rsvg-convert now supports generating multi-page PDFs in a sensible way. - With one SVG document per page, each page with the SVG's natural size: - rsvg-convert --format=pdf -o out.pdf a.svg b.svg c.svg - With all pages sized as portrait US Letter, and each SVG scaled to fit so that there is a 1in margin around each page: rsvg-convert --format=pdf -o out.pdf \ - -page-width=8.5in --page-height=11in \ - -width=6.5in --height=8.5in --keep-aspect-ratio \ - -top=1in --left=1in a.svg b.svg c.svg Please see the man page for details. - Support elements inside . Also, support the CSS :link pseudo-class for matching against links. - Support the CSS :lang() pseudo-class for matching against an element's xml:lang attribute. - Support the mask-type property from SVG2. + Bugs fixed: - Don't panic when a shorthand property is set to inherit. - Fix regression with the viewport size of interior elements. - Allow length units to be case-insensitive, per SVG2. + Documentation: - There is now a FEATURES.md in the repository, where you can see all the elements, attributes, and properties that librsvg supports. We will be adding detail to this gradually. - For developers, there is now devel-docs/adding-a-property.md with a tutorial on how to add support for new CSS properties. - Update to version 2.52.1: + Fix ordering of tspan inside text elements for right-to-left languages. + Fix text-anchor positioning for right-to-left languages. + Fix regression in computing sizes when an SVG has only one of width/height and a viewBox. + Spec compliance - the writing-mode property applies only to text elements, no to individual tspan elements. + Fix build on big-endian platforms. + Clarify documentation for the rsvg_handle_write() / rsvg_handle_close() deprecated APIs. ==== libwebp ==== Version update (1.2.0 -> 1.2.1) Subpackages: libwebp7 libwebpdemux2 libwebpmux3 - update to 1.2.1: * minor lossless encoder improvements and x86 color conversion speed up * further security related hardening in libwebp & examples * toolchain updates and bug fixes * use more inclusive language within the source ==== libzypp ==== Version update (17.28.4 -> 17.28.6) - Zypper should keep cached files if transaction is aborted (bsc#1190356) Singletrans mode currently does not keep files around if the transaction is aborted. This patch fixes the problem. - Require a minimum number of mirrors for multicurl (bsc#1191609) - Use procfs to detect nr of open fd's if rlimit is too high (bsc#1191324) Especially in a VM iterating over all possible fd's to close open ones right before a exec() slows down zypper unnecessarily. This patch uses /proc/self/fd to iterate over open fd's in case rlimit is above 1024. - po: Fix some lost '%' signs in positional args (bsc#1191370) - RepoManager: Don't probe for plaindir repo if URL schema is plugin: (bsc#1191286) - version 17.28.6 (22) - Downloader does not respect checkExistsOnly flag (bsc#1190712) A missing check causes zyppng::Downloader to always download full files even if the checkExistsOnly flag is set. This patch adds the missing logic. - Fix kernel-*-livepatch removal in purge-kernels (bsc#1190815) The kernel-*-livepatch packages are supposed to serve as a stable handle for the ephemeral kernel livepatch packages. See FATE#320268 for details. As part of the kernel live patching ecosystem, kernel-*-livepatch packages should not block the purge-kernels step. - version 17.28.5 (22) ==== ncurses ==== Version update (6.2.20210911 -> 6.2.20211002) Subpackages: libncurses6 ncurses-utils terminfo-base - Add ncurses patch 20211002 + use return-value from vsnprintf to reallocate as needed to allow for buffers larger than the screen size (report by "_RuRo_"). + modify tset "-q" option to refrain from modifying terminal modes, to match the documentation. + add section on margins to terminfo.5, adapted from X/Open Curses. + make tput/tset warning messages consistently using alias names when those are used, rather than the underlying program's name. + improve tput usage message for aliases such as clear, by eliminating tput-specific portions. + add a check in toe to ensure that a "termcap file" is text rather than binary. + further build-fixes for OpenBSD 6.9, whose header files differ from - Add ncurses patch 20210925 + add kbeg to xterm+keypad to accommodate termcap applications -TD + add smglp and smgrp to vt420+lrmm, to provide useful data for the "tabs" +m option -TD + build-fix for gcc 3.4.3 with Solaris10, which does not allow forward reference of anonymous struct typedef. + modify tput to allow multiple commands per line. + minor fixes for tset manpage. - Correct offsets of patch ncurses-6.2.dif ==== ndctl ==== - Added hardening to systemd service(s) (bsc#1181400). Added patch(es): * harden_ndctl-monitor.service.patch ==== nvme-cli ==== - Drop ProtectClock hardening, can cause issues if other device acceess is needed - Added hardening to systemd service(s) (bsc#1181400). Added patch(es): * harden_nvmf-connect@.service.patch ==== open-iscsi ==== Subpackages: iscsiuio libopeniscsiusr0_2_0 - Fix possible systemd cycle by adding an "obsoletes" for the old libopeniscsiusr for older versions. ==== open-vm-tools ==== Version update (11.3.0 -> 11.3.5) Subpackages: libvmtools0 - Update to 11.3.5 (build 18557794) (boo#1190987) + New/Updated features: - Added a configurable logging capability to the network script. The network script has been updated to: use vmware-toolbox-cmd to query any network logging configuration from the tools.conf file. Use vmtoolsd --cmd "log ..." to log a message to the vmx logfile when the logging handler is configured to "vmx" or when the logfile is full or is not writeable. - The hgfsmounter (mount.vmhgfs) command has been removed from open-vm-tools. The hgfsmounter (mount.vmhgfs) command is no longer used in Linux open-vm-tools. It has been replaced by hgfs-fuse. Therefore, removing all references to the hgfsmounter in Linux builds. + Resolved issues: - Customization: Retry the Linux reboot if telinit is a soft link to systemctl. - Open-vm-tools commands would hang if configured with "--enable-valgrind". + Spec file updates for: - rpmlint errors - arg_xmlsec1 --enable-xmlsec1 for better xmlsec1/libxml2 handling. ==== openssh ==== Version update (8.4p1 -> 8.8p1) Subpackages: openssh-clients openssh-common openssh-server - Version update to 8.8p1: = Security * sshd(8) from OpenSSH 6.2 through 8.7 failed to correctly initialise supplemental groups when executing an AuthorizedKeysCommand or AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser directive has been set to run the command as a different user. Instead these commands would inherit the groups that sshd(8) was started with. Depending on system configuration, inherited groups may allow AuthorizedKeysCommand/AuthorizedPrincipalsCommand helper programs to gain unintended privilege. Neither AuthorizedKeysCommand nor AuthorizedPrincipalsCommand are enabled by default in sshd_config(5). = Potentially-incompatible changes * This release disables RSA signatures using the SHA-1 hash algorithm by default. This change has been made as the SHA-1 hash algorithm is cryptographically broken, and it is possible to create chosen-prefix hash collisions for argv conversion. Multiple backslashes were not being dequoted correctly and quoted space in the middle of a string was being incorrectly split. GHPR223 * ssh(1): return non-zero exit status when killed by signal; bz#3281 * sftp-server(8): increase maximum SSH2_FXP_READ to match the maximum packet size. Also handle zero-length reads that are not explicitly banned by the spec. - Additional changes from 8.5p1 release: = Security * ssh-agent(1): fixed a double-free memory corruption that was introduced in OpenSSH 8.2 . We treat all such memory faults as potentially exploitable. This bug could be reached by an attacker with access to the agent socket. = Potentially-incompatible changes * ssh(1), sshd(8): this release changes the first-preference signature algorithm from ECDSA to ED25519. * ssh(1), sshd(8): set the TOS/DSCP specified in the configuration for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive and often explicitly interactive. The ultimate interactive/bulk TOS/DSCP will be set after authentication completes. * ssh(1), sshd(8): remove the pre-standardization cipher rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc before it was standardized in RFC4253 (2006), has been deprecated and disabled by default since OpenSSH 7.2 (2016) and was only briefly documented in ssh.1 in 2001. * ssh(1), sshd(8): update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime coupled with X25519. The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. * ssh(1): disable CheckHostIP by default. It provides insignificant benefits while making key rotation significantly more difficult, especially for hosts behind IP-based load-balancers. = New features * ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions: - The key was matched in the UserKnownHostsFile (and not in the GlobalKnownHostsFile). - The same key does not exist under another name. - A certificate host key is not in use. - known_hosts contains no matching wildcard hostname pattern. - VerifyHostKeyDNS is not enabled. - The default UserKnownHostsFile is in use. * ssh(1), sshd(8): add a new LogVerbose configuration directive for that allows forcing maximum debug logging by file/function/line pattern-lists. * ssh(1): when prompting the user to accept a new hostkey, display any other host names/addresses already associated with the key. * ssh(1): allow UserKnownHostsFile=none to indicate that no known_hosts file should be used to identify host keys. * ssh(1): add a ssh_config KnownHostsCommand option that allows the client to obtain known_hosts data from a command in addition to the usual files. * ssh(1): add a ssh_config PermitRemoteOpen option that allows the client to restrict the destination when RemoteForward is used with SOCKS. * ssh(1): for FIDO keys, if a signature operation fails with a "incorrect PIN" reason and no PIN was initially requested from the user, then request a PIN and retry the operation. This supports some biometric devices that fall back to requiring PIN when reading of the biometric failed, and devices that require PINs for all hosted credentials. * sshd(8): implement client address-based rate-limiting via new sshd_config(5) PerSourceMaxStartups and PerSourceNetBlockSize directives that provide more fine-grained control on a per-origin address basis than the global MaxStartups limit. = Bugfixes * ssh(1): Prefix keyboard interactive prompts with "(user@host)" to make it easier to determine which connection they are associated with in cases like scp -3, ProxyJump, etc. bz#3224 * sshd(8): fix sshd_config SetEnv directives located inside Match blocks. GHPR201 * ssh(1): when requesting a FIDO token touch on stderr, inform the user once the touch has been recorded. * ssh(1): prevent integer overflow when ridiculously large ConnectTimeout values are specified, capping the effective value (for most platforms) at 24 days. bz#3229 * ssh(1): consider the ECDSA key subtype when ordering host key algorithms in the client. * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. The previous name incorrectly suggested that it control allowed key algorithms, when this option actually specifies the signature algorithms that are accepted. The previous name remains available as an alias. bz#3253 * ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms. * sftp-server(8): add missing lsetstat@openssh.com documentation and advertisement in the server's SSH2_FXP_VERSION hello packet. * ssh(1), sshd(8): more strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078). * sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit platforms instead of being limited by LONG_MAX. bz#3206 * Minor man page fixes (capitalization, commas, etc.) bz#3223 * sftp(1): when doing an sftp recursive upload or download of a read-only directory, ensure that the directory is created with write and execute permissions in the interim so that the transfer can actually complete, then set the directory permission as the final step. bz#3222 * ssh-keygen(1): document the -Z, check the validity of its argument earlier and provide a better error message if it's not correct. bz#2879 * ssh(1): ignore comments at the end of config lines in ssh_config, similar to what we already do for sshd_config. bz#2320 * sshd_config(5): mention that DisableForwarding is valid in a sshd_config Match block. bz3239 * sftp(1): fix incorrect sorting of "ls -ltr" under some circumstances. bz3248. * ssh(1), sshd(8): fix potential integer truncation of (unlikely) timeout values. bz#3250 * ssh(1): make hostbased authentication send the signature algorithm in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type. This make HostbasedAcceptedAlgorithms do what it is supposed to - filter on signature algorithm and not key type. - Rebased patches: * openssh-7.7p1-IPv6_X_forwarding.patch * openssh-7.7p1-X11_trusted_forwarding.patch * openssh-7.7p1-X_forward_with_disabled_ipv6.patch * openssh-7.7p1-cavstest-ctr.patch * openssh-7.7p1-cavstest-kdf.patch * openssh-7.7p1-disable_openssl_abi_check.patch * openssh-7.7p1-eal3.patch * openssh-7.7p1-enable_PAM_by_default.patch * openssh-7.7p1-fips.patch * openssh-7.7p1-fips_checks.patch * openssh-7.7p1-host_ident.patch * openssh-7.7p1-hostname_changes_when_forwarding_X.patch * openssh-7.7p1-ldap.patch * openssh-7.7p1-no_fork-no_pid_file.patch * openssh-7.7p1-pam_check_locks.patch * openssh-7.7p1-pts_names_formatting.patch * openssh-7.7p1-remove_xauth_cookies_on_exit.patch * openssh-7.7p1-seccomp_ipc_flock.patch * openssh-7.7p1-seccomp_stat.patch * openssh-7.7p1-send_locale.patch * openssh-7.7p1-sftp_force_permissions.patch * openssh-7.7p1-sftp_print_diagnostic_messages.patch * openssh-7.7p1-systemd-notify.patch * openssh-7.9p1-keygen-preserve-perms.patch * openssh-7.9p1-revert-new-qos-defaults.patch * openssh-8.0p1-gssapi-keyex.patch * openssh-8.1p1-audit.patch * openssh-8.1p1-seccomp-clock_gettime64.patch * openssh-8.1p1-seccomp-clock_nanosleep.patch * openssh-8.1p1-seccomp-clock_nanosleep_time64.patch * openssh-8.1p1-use-openssl-kdf.patch * openssh-8.4p1-vendordir.patch * openssh-fips-ensure-approved-moduli.patch * openssh-link-with-sk.patch * openssh-reenable-dh-group14-sha1-default.patch * openssh-whitelist-syscalls.patch - Removed openssh-fix-ssh-copy-id.patch (fixed upstream). - openssh.keyring: rotated to new key from https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc - sshd-gen-keys-start: - only source sysconfig file if it exists. - create /etc/ssh if it does not exists. Required for image based installation/updates. ==== pam-config ==== Version update (1.4 -> 1.5) - Update to Version 1.5 - Don't print an error message if one of the systemd PAM modules does not exist if creating the *-pc files [bsc#1191528] - Drop pam_systemd_home again [bsc#1191528] ==== patterns-microos ==== Subpackages: patterns-microos-alt_onlyDVD patterns-microos-apparmor patterns-microos-base patterns-microos-base-microdnf patterns-microos-base-packagekit patterns-microos-base-zypper patterns-microos-basesystem patterns-microos-cloud patterns-microos-cockpit patterns-microos-defaults patterns-microos-hardware patterns-microos-ima_evm patterns-microos-onlyDVD patterns-microos-ra_agent patterns-microos-ra_verifier patterns-microos-selinux patterns-microos-sssd_ldap - Add xdg-desktop-portal-gnome to gnome pattern - Drop gnome-power-manager Requires: Package is dormant upstream and on it's way to be replaced by new features inside of gnome-control-center. ==== pmdk ==== Version update (1.11.0 -> 1.11.1) Subpackages: libpmem1 libpmemobj1 - Update to PMDK 1.11.1 * Bugfixes: * doc: remove exprimental moniker from libpmem2(7) * common: fix missing sfence in non-temporal memcpy * common: fix a mismatch between prototype and body * common: fix mismatched function args * obj: rename vars clashing with those of a containing block * pmem2: don't force smaller alignment for fsdax mappings * pool: don't trample upon users of localtime() * rpmem: Fix RPMEM_RAW_BUFF_SIZE and LANE_ALIGN_SIZE for powerpc64le ==== python-Jinja2 ==== Version update (3.0.1 -> 3.0.2) - dropped obsolete no-warnings-as-errors.patch - update to 3.0.2 * Fix a loop scoping bug that caused assignments in nested loops to still be referenced outside of it. #1427 * Make compile_templates deterministic for filter and import names. #1452, #1453 * Revert an unintended change that caused Undefined to act like StrictUndefined for the in operator. #1448 * Imported macros have access to the current template globals in async environments. #1494 * PackageLoader will not include a current directory (.) path segment. This allows loading templates from the root of a zip import. #1467 ==== python-PrettyTable ==== - %check: use %pyunittest rpm macro ==== python-alembic ==== Version update (1.6.5 -> 1.7.4) - update to 1.7.4: * Fixed a regression that prevented the use of post write hooks on python version lower than 3.9 * Added missing attributes from context stubs. * Fixed issue where registration of custom ops was prone to failure due to the registration process running exec() on generated code that as of the 1.7 series includes pep-484 annotations, which in the case of end user code would result in name resolution errors when the exec occurs - specfile: * skip python 2 builds * require importlib-resources - update to version 1.7.1: * Corrected "universal wheel" directive in setup.cfg so that building a wheel does not target Python 2. The PyPi files index for 1.7.0 was corrected manually. Pull request courtesy layday. * Fixed issue in generated .pyi files where default values for "Optional" arguments were missing, thereby causing mypy to consider them as required. * Fixed regression in batch mode due to :ticket:`883` where the "auto" mode of batch would fail to accommodate any additional migration directives beyond encountering an "add_column()" directive, due to a mis-application of the conditional logic that was added as part of this change, leading to "recreate" mode not being used in cases where it is required for SQLite such as for unique constraints. - changes from version 1.7.0: * Fixed regression due to :ticket:`803` where the ".info" and ".comment" attributes of "Table" would be lost inside of the :class:`.DropTableOp` class, which when "reversed" into a :class:`.CreateTableOp` would then have lost these elements. Pull request courtesy Nicolas CANIART. * Enhance "version_locations" parsing to handle paths containing spaces. The new configuration option "version_path_separator" specifies the character to use when splitting the "version_locations" string. The default for new configurations is "version_path_separator = os", which will use "os.pathsep" (e.g., ";" on Windows). * Alembic 1.7 now supports Python 3.6 and above; support for prior versions including Python 2.7 has been dropped. * Batch "auto" mode will now select for "recreate" if the "add_column()" operation is used on SQLite, and the column itself meets the criteria for SQLite where ADD COLUMN is not allowed, in this case a functional or parenthesized SQL expression or a "Computed" (i.e. generated) column. * Make the "python-dateutil" library an optional dependency. This library is only required if the "timezone" option is used in the Alembic configuration. An extra require named "tz" is available with "pip install alembic[tz]" to install it. * Re-implemented the "python-editor" dependency as a small internal function to avoid the need for external dependencies. * Named CHECK constraints are now supported by batch mode, and will automatically be part of the recreated table assuming they are named. They also can be explicitly dropped using "op.drop_constraint()". For "unnamed" CHECK constraints, these are still skipped as they cannot be distinguished from the CHECK constraints that are generated by the "Boolean" and "Enum" datatypes. Note that this change may require adjustments to migrations that drop or rename columns which feature an associated named check constraint, such that an additional "op.drop_constraint()" directive should be added for that named constraint as there will no longer be an associated column for it; for the "Boolean" and "Enum" datatypes, an "existing_type" keyword may be passed to "BatchOperations.drop_constraint" as well. * The dependency on "pkg_resources" which is part of "setuptools" has been removed, so there is no longer any runtime dependency on "setuptools". The functionality has been replaced with "importlib.metadata" and "importlib.resources" which are both part of Python std.lib, or via pypy dependency "importlib-metadata" for Python version < 3.8 and "importlib-resources" for Python version < 3.9 (while importlib.resources was added to Python in 3.7, it did not include the "files" API until 3.9). * Created a "test suite" similar to the one for SQLAlchemy, allowing developers of third-party dialects to test their code against a set of Alembic tests that have been specially selected to exercise back-end database operations. At the time of release, third-party dialects that have adopted the Alembic test suite to verify compatibility include `CockroachDB `_ and `SAP ASE (Sybase) `_. * Fixed issue where usage of the PostgreSQL "postgresql_include" option within a :meth:`.Operations.create_index` would raise a KeyError, as the additional column(s) need to be added to the table object used by the construct internally. The issue is equivalent to the SQL Server issue fixed in :ticket:`513`. Pull request courtesy Steven Bronson. * pep-484 type annotations have been added throughout the library. Additionally, stub .pyi files have been added for the "dynamically" generated Alembic modules "alembic.op" and "alembic.config", which include complete function signatures and docstrings, so that the functions in these namespaces will have both IDE support (vscode, pycharm, etc) as well as support for typing tools like Mypy. The files themselves are statically generated from their source functions within the source tree. ==== python-apipkg ==== Version update (1.5 -> 2.1.0) - Update to v2.1.0 * fix race condition for import of modules using apipkg.initpkg in Python 3.3+ by updating existing modules in-place rather than replacing in sys.modules with an apipkg.ApiModule instances. This race condition exists for import statements (and __import__) in Python 3.3+ where sys.modules is checked before obtaining an import lock, and for importlib.import_module in Python 3.11+ for the same reason. - Release 2.0.1 * fix race conditions for attribute creation - Release 2.0.0 * also transfer __spec__ attribute * make py.test hack more specific to avoid hiding real errors * switch from Travis CI to GitHub Actions * modernize package build * reformat code with black - Drop pytest4.patch ==== python-distro ==== - Expliciting setting of locale is not necessary anymore (gh#python-distro/distro#223). ==== python-greenlet ==== Version update (1.1.0 -> 1.1.2) - update to 1.1.2: - Fix a potential crash due to a reference counting error when Python subclasses of ``greenlet.greenlet`` were deallocated. The crash became more common on Python 3.10; on earlier versions, silent memory corruption could result. - Fix a leak of a list object when the last reference to a greenlet was deleted from some other thread than the one to which it belonged. For this to work correctly, you must call a greenlet API like ``getcurrent()`` before the thread owning the greenlet exits: this is a long-standing limitation that can also lead to the leak of a thread's main greenlet if not called; we hope to lift this limitation. Note that in some cases this may also fix leaks of greenlet objects themselves. See `issue 251 - Python 3.10: Tracing or profiling into a spawned greenlet didn't work as expected. See `issue 256 ==== python-idna ==== Version update (3.2 -> 3.3) - update to 3.3: - Update to Unicode 14.0.0 - Update to in-line type annotations - Throw IDNAError exception correctly for some malformed input - Advertise support for Python 3.10 - Improve testing regime on Github - Fix Russian typo in documentation ==== python-more-itertools ==== Version update (8.8.0 -> 8.10.0) - update to 8.10.0: * The type stub for :func:`iter_except` was improved (thanks to MarcinKonowalczyk) * Type stubs now ship with the source release (thanks to saaketp) * The Sphinx docs were improved (thanks to MarcinKonowalczyk) * New functions * :func:`interleave_evenly` (thanks to mbugert) * :func:`repeat_each` (thanks to FinalSh4re) * :func:`chunked_even` (thanks to valtron) * :func:`map_if` (thanks to sassbalint) * :func:`zip_broadcast` (thanks to kalekundert) * Changes to existing functions * The type stub for :func:`chunked` was improved (thanks to PhilMacKay) * The type stubs for :func:`zip_equal` and `zip_offset` were improved (thanks to maffoo) * Building Sphinx docs locally was improved (thanks to MarcinKonowalczyk) ==== python-networkx ==== Version update (2.6.1 -> 2.6.3) - update to 2.6.3: * Fix modularity functions (gh#networkx/networkx#5072) * CI/MAINT: drop gdal tests (gh#networkx/networkx#5068) * modularity_max: provide labels to get_edge_data (gh#networkx/networkx#4965) * Improvements to greedy_modularity_community (gh#networkx/networkx#4996) * use weight arg instead of 'weight' key at greedy_modularity_communities() * modularity_max: breaking the loop when given community size is reached (gh#networkx/networkx#4950) * modularity_max: allow input of desired number of communities * greedy_modularity_communities with digraphs and multi(di)graphs (gh#networkx/networkx#5007) (gh#networkx/networkx#5007) * Allow greedy_modularity_communities to use floating point weights or resolution (gh#networkx/networkx#5065) * change i,j,k notation to u,v,w (no indexes since gh#networkx/networkx#5007) ==== python-pyrsistent ==== Version update (0.17.3 -> 0.18.0) - update to 0.18.0: * Fix #209 Update freeze recurse into pyrsistent data structures and thaw to recurse into lists and dicts * Fix #226, stop using deprecated exception.message. * Fix #211, add union operator to persistent maps. * Fix #194, declare build dependencies through pyproject.toml. * Officially drop Python 3.5 support. * Fix #223, release wheels for all major platforms. * Fix #221, KeyError obscured by TypeError if key is a tuple. * Fix LICENSE file name spelling. * Fix #216, add abstractmethod decorator for CheckedType and ABCMeta for _CheckedTypeMeta. * Fix #228, rename example classes in tests to avoid name clashes with pytest. ==== python-pytz ==== Version update (2021.1 -> 2021.3) - update to 2021.3 * matches tzdata 2021c ==== python-zipp ==== Version update (3.5.0 -> 3.6.0) - update to 3.6.0: * Only ``Path`` is exposed in the public API. * Remove news file intended only for CPython. ==== qemu ==== - Stable fixes from upstream * Patches added: block-introduce-max_hw_iov-for-use-in-sc.patch hmp-Unbreak-change-vnc.patch qemu-nbd-Change-default-cache-mode-to-wr.patch target-arm-Don-t-skip-M-profile-reset-en.patch vhost-vsock-fix-migration-issue-when-seq.patch virtio-mem-pci-Fix-memory-leak-when-crea.patch virtio-net-fix-use-after-unmap-free-for-.patch ==== raspberrypi-firmware ==== Version update (2021.03.10 -> 2021.09.30) - Update to b5257da58c (2021-09-30): * firmware: arm_loader: Allow non-optional reads of current clock See: #1619 * firmware: dispmanx: Demote null eptr from vcos_verify to no warning See: raspberrypi/linux#4592 * firmware: filesystem: sdcard: Probe FAT type in GPT ESD partitions * firmware: tvservice: Add check to warn when running with kms * firmware: filesystem: sdcard: Fix Hybrid GPT partitions See: #1465 * firmware: video_decode: Ensure all buffers are flushed before port disable completes * firmware: arm_loader: Allow hvs interrupt during SET_NOTIFY_DISPLAY_DONE * firmware: arm_display: Allow null buffer in successful call See: raspberrypi/linux#4540 - Update to b80f36b3fb (2021-09-13): * firmware: hdmi_2711: Use HDMI block REPEAT_PIXEL instead of PV See: https://forum.libreelec.tv/thread/24415-le-10-beta-for-i4-force-hdmi-resolution * firmware: DSI display autodetection for kms * firmware: arm_dt: Load overlays for detected cameras * firmware: Make more use of the user-warnings DT property * firmware: arm_loader: Consider required flags from GET_CLOCK_RATE See: #1598 * firmware: arm_loader: Make most arm clock requests required See: #1598 * firmware: firmware: Disable VLL loading from file system See: #1605 * firmware: video_decode: Use the ISP instead of vc_image_convert * firmware: video_decode: Correct support for YVU formats using ISP * firmware: arm_dt: Limit CMA to 256MB if total_mem < 2GB or gpu_mem > 256MB See: #1603 * firmware: hdmi_cec: Remove TX/RX SW_INIT on power_on See: Hexxeh/rpi-firmware#267 See: https://www.raspberrypi.org/forums/viewtopic.php?p=1895082#p1895082 * firmware: cec: Avoid sending messages with kms See: raspberrypi/linux#4460 * firmware: Revert: video_decode: Use the ISP instead of vc_image_convert * firmware: isp: Set the YUV420/YVU420 format stride to 64 byte * arm_loader: Add message to release firmware framebuffer * firmware: video_decode: Use the ISP instead of vc_image_convert * firmware: hdmi-2711: Wait for HDMI hardware scheduler to activate in HDMI mode * firmware: bcm_host: Recognise all Pi 4 variants, add BCM2711 See: raspberrypi/userland#695 * firmware: PoE+ HAT support See: raspberrypi/linux#4367 * firmware: arm_loader: Use Pi4 bootloader MAC_ADDRESS if set * firmware: platform: Apply ARM thermal throttling rules on BCM2711 * firmware: dt-blob.dts: Correct HDMI HPD and EMMC_ENABLE for CM4 See: https://www.raspberrypi.org/forums/viewtopic.php?f=29&p=1858516 * firmware: vcfw/hdmi: CUSTOM modes used for FKMS didn't set RGB quant range correctly See: #1580 * firmware: platform: Remove build-time constant for MICROVOLTS_PER_PIP * firmware: Pi400: Reduce MII clock freq when probing ethernet PHY * firmware: isp: Ensure the VRF is locked when setting up video colour denoise See: raspberrypi/libcamera-apps#19 * firmware: isp: Remove custom EV mappings from camera tunings * firmware: Add support for board-type=0xXX conditional filters in bootloader, bootcode and firmware * firmware: Two UART1 patches See: #1566 * firmware: arm_loader: kernel_old=1 should force kernel_address=0 See: #1561 * firmware: scalerlib: Fix offset applied to x coordinate of YUV10COL image See: https://forum.kodi.tv/showthread.php?tid=361164&pid=3024654#pid3024654 * firmware: vcfw/power: Add a new latch for power_pad_control See: #1552 * firmware: board-info: Fix memsize on 3B+ * firmware: Move core to PLLA and support accurate clk108 See: xbmc/xbmc#19263 * firmware: board_info: Separate memory size from OTP field encoding * firmware: power: Swap DA9090 ADC assignments to match XR77004 * firmware: vl805: Remove redundant log statement and fix warning * firmware: power: Fix DA9090 ADC1 register definition * firmware: arm_loader: Only report clocks arm has set, not siblings * firmware: arm_loader: Don't report clocks set as turbo side effect of arm clock * firmware: arm_loader: 2711: gpu clocks are not dependant * firmware: platform: Need to clear cached versions of get_max_clock_internal vars * firmware: video_decode: For VC1/WMV with no signalled header bytes, use start of 1st buffer See: raspberrypi/linux#4113 - Use smbios overlay to get minimal SMBIOS information through dmidecode (bsc#1183079) ==== raspberrypi-firmware-config ==== Version update (2021.03.10 -> 2021.09.30) - Update to b5257da58c (2021-09-30): * firmware: arm_loader: Allow non-optional reads of current clock See: #1619 * firmware: dispmanx: Demote null eptr from vcos_verify to no warning See: raspberrypi/linux#4592 * firmware: filesystem: sdcard: Probe FAT type in GPT ESD partitions * firmware: tvservice: Add check to warn when running with kms * firmware: filesystem: sdcard: Fix Hybrid GPT partitions See: #1465 * firmware: video_decode: Ensure all buffers are flushed before port disable completes * firmware: arm_loader: Allow hvs interrupt during SET_NOTIFY_DISPLAY_DONE * firmware: arm_display: Allow null buffer in successful call See: raspberrypi/linux#4540 - Update to b80f36b3fb (2021-09-13): * firmware: hdmi_2711: Use HDMI block REPEAT_PIXEL instead of PV See: https://forum.libreelec.tv/thread/24415-le-10-beta-for-i4-force-hdmi-resolution * firmware: DSI display autodetection for kms * firmware: arm_dt: Load overlays for detected cameras * firmware: Make more use of the user-warnings DT property * firmware: arm_loader: Consider required flags from GET_CLOCK_RATE See: #1598 * firmware: arm_loader: Make most arm clock requests required See: #1598 * firmware: firmware: Disable VLL loading from file system See: #1605 * firmware: video_decode: Use the ISP instead of vc_image_convert * firmware: video_decode: Correct support for YVU formats using ISP * firmware: arm_dt: Limit CMA to 256MB if total_mem < 2GB or gpu_mem > 256MB See: #1603 * firmware: hdmi_cec: Remove TX/RX SW_INIT on power_on See: Hexxeh/rpi-firmware#267 See: https://www.raspberrypi.org/forums/viewtopic.php?p=1895082#p1895082 * firmware: cec: Avoid sending messages with kms See: raspberrypi/linux#4460 * firmware: Revert: video_decode: Use the ISP instead of vc_image_convert * firmware: isp: Set the YUV420/YVU420 format stride to 64 byte * arm_loader: Add message to release firmware framebuffer * firmware: video_decode: Use the ISP instead of vc_image_convert * firmware: hdmi-2711: Wait for HDMI hardware scheduler to activate in HDMI mode * firmware: bcm_host: Recognise all Pi 4 variants, add BCM2711 See: raspberrypi/userland#695 * firmware: PoE+ HAT support See: raspberrypi/linux#4367 * firmware: arm_loader: Use Pi4 bootloader MAC_ADDRESS if set * firmware: platform: Apply ARM thermal throttling rules on BCM2711 * firmware: dt-blob.dts: Correct HDMI HPD and EMMC_ENABLE for CM4 See: https://www.raspberrypi.org/forums/viewtopic.php?f=29&p=1858516 * firmware: vcfw/hdmi: CUSTOM modes used for FKMS didn't set RGB quant range correctly See: #1580 * firmware: platform: Remove build-time constant for MICROVOLTS_PER_PIP * firmware: Pi400: Reduce MII clock freq when probing ethernet PHY * firmware: isp: Ensure the VRF is locked when setting up video colour denoise See: raspberrypi/libcamera-apps#19 * firmware: isp: Remove custom EV mappings from camera tunings * firmware: Add support for board-type=0xXX conditional filters in bootloader, bootcode and firmware * firmware: Two UART1 patches See: #1566 * firmware: arm_loader: kernel_old=1 should force kernel_address=0 See: #1561 * firmware: scalerlib: Fix offset applied to x coordinate of YUV10COL image See: https://forum.kodi.tv/showthread.php?tid=361164&pid=3024654#pid3024654 * firmware: vcfw/power: Add a new latch for power_pad_control See: #1552 * firmware: board-info: Fix memsize on 3B+ * firmware: Move core to PLLA and support accurate clk108 See: xbmc/xbmc#19263 * firmware: board_info: Separate memory size from OTP field encoding * firmware: power: Swap DA9090 ADC assignments to match XR77004 * firmware: vl805: Remove redundant log statement and fix warning * firmware: power: Fix DA9090 ADC1 register definition * firmware: arm_loader: Only report clocks arm has set, not siblings * firmware: arm_loader: Don't report clocks set as turbo side effect of arm clock * firmware: arm_loader: 2711: gpu clocks are not dependant * firmware: platform: Need to clear cached versions of get_max_clock_internal vars * firmware: video_decode: For VC1/WMV with no signalled header bytes, use start of 1st buffer See: raspberrypi/linux#4113 ==== raspberrypi-firmware-dt ==== Version update (2021.03.15 -> 2021.09.17) - Update to 2425833c7ff5 (2021-09-17) * Switch to 5.14 branch * Drop upstream-overlay-rpi-poe.patch ==== rbac-lookup ==== Version update (0.6.4 -> 0.7.1) - Update to version 0.7.1: * Mac M1 Support * Update documentation from template * Update README.md ==== rdma-core ==== Version update (36.0 -> 37.1) Subpackages: libefa1 libibverbs libibverbs1 libmlx4-1 libmlx5-1 librdmacm1 - Update to rdma-core v37.1 (jsc#SLE-18381, jsc#SLE-19249) - Bugfixes on all providers - Fix cmake flags to correct paths for .pc files ==== salt ==== Subpackages: python3-salt salt-master salt-minion salt-standalone-formulas-configuration salt-transactional-update - Fix issues with salt-ssh's extra-filerefs - Added: * fix-issues-with-salt-ssh-s-extra-filerefs.patch - Fix crash when calling manage.not_alive runners - Added: * fix-crash-when-calling-manage.not_alive-runners.patch - Do not consider skipped targets as failed for ansible.playbooks state (bsc#1190446) - Added: * 3003.3-do-not-consider-skipped-targets-as-failed-for.patch ==== systemd ==== Version update (249.4 -> 249.5) Subpackages: libsystemd0 libudev1 systemd-sysvinit udev - Import commit 8521f8d22fd44400289fcea03493ebd7f8b1487d (merge of v249.5) For a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/355e113ce193e5e2d195278c57d47f9a1b00ae46...8521f8d22fd44400289fcea03493ebd7f8b1487d - Import commit 355e113ce193e5e2d195278c57d47f9a1b00ae46 3b4a005095 meson: add missing include directory when using xkbcommon 4c4e642712 meson: allow extra net naming schemes to be defined during configuration (jsc#SLE-18514) 78466e4464 meson: drop the list of valid net naming schemes b9a2098f9d netif-naming: inline one iterator variable d7fbbc5e74 Add remaining supported schemes as options for default-net-naming-scheme - Rename %{gnu-efi} into %{sd_boot} Build conditionals (%bcond_with and %bcond_without) are used to define a specific feature of systemd. "gnu-efi" is rather an implemenation detail. Also not really sure what "efi" option alone is useful for since systemd-boot & co depends on "gnu-efi". - Enable sd_boot support for aarch64 - Ghost own directories /var/log/journal and /var/log/journal/remote again rpmlint no more complain about the setgid bit, see sr#923496. - Overwriting rootprefix= is only required when split-usr is enabled - Rename %usrmerged into %split_usr - Suppress PAM warning when the credentials for user@.service service are established (bsc#1190515) systemd-user PAM service needs to define a default implementation of pam_setcred() otherwise the fallback (defined by /etc/pam.d/other) is used, which consists of pam_warn.so + pam_deny.so, and will throw a warning each time a user logs in. - No need to install upstream pam configuration file "systemd-user" It's overwritten by the SUSE version anyway. ==== systemd-presets-common-SUSE ==== - Haveged as a daemon is no longer required since kernel 5.6 do not enable by default. ==== timezone ==== Version update (2021c -> 2021d) - timezone update 2021d: * Fiji suspends DST for the 2021/2022 season * 'zic -r' marks unspecified timestamps with "-00" ==== tpm2.0-tools ==== Version update (5.1.1 -> 5.2) - Update to version 5.2: + tpm2_nvextend: * Added option -n, --name to specify the name of the nvindex in hex bytes. This is used when cpHash ought to be calculated without dispatching the TPM2_NV_Extend command to the TPM. + tpm2_nvread: * Added option --rphash=FILE to specify ile path to record the hash of the response parameters. This is commonly termed as rpHash. * Added option -n, --name to specify the name of the nvindex in hex bytes. This is used when cpHash ought to be calculated without dispatching the TPM2_NVRead command to the TPM. * Added option -S, --session to specify to specify an auxiliary session for auditing and or encryption/decryption of the parameters. + tpm2_nvsetbits: * Added option --rphash=FILE to specify file path to record the hash of the response parameters. This is commonly termed as rpHash. * Added option -S, --session to specify to specify an auxiliary session for auditing and or encryption/decryption of the parameters. * Added option -n, --name to specify the name of the nvindex in hex bytes. This is used when cpHash ought to be calculated without dispatching the TPM2_NV_SetBits command to the TPM. + tpm2_createprimary: * Support public-key output at creation time in various public-key formats. + tpm2_create: * Support public-key output at creation time in various public-key formats. + tpm2_print: * Support outputing public key in various public key formats over the default YAML output. Supports taking -u output from tpm2_create and converting it to a PEM or DER file format. + tpm2_import: * Add support for importing keys with sealed-data-blobs. + tpm2_rsaencrypt, tpm2_rsadecrypt: * Add support for specifying the hash algorithm with oaep. + tpm2_pcrread, tpm2_quote: * Add option -F, --pcrs_format to specify PCR format selection for the binary blob in the PCR output file. 'values' will output a binary blob of the PCR values. 'serialized' will output a binary blob of the PCR values in the form of serialized data structure in little endian format. + tpm2_eventlog: * Add support for decoding StartupLocality. * Add support for printing the partition information. * Add support for reading eventlogs longer than 64kb including from /sys/kernel/security/tpm0/binary_bios-measurements. + tpm2_duplicate: * Add option -L, --policy to specify an authorization policy to be associated with the duplicated object. * Added support for external key duplication without needing the TCTI. + tools: * Enhance error message on invalid passwords when sessions cannot be used. + lib/tpm2_options: * Add option to specify fake tcti which is required in cases where sapi ctx is required to be initialized for retrieving command parameters without invoking the tcti to talk to the TPM. + openssl: * Dropped support for OpenSSL < 1.1.0 * Add support for OpenSSL 3.0.0 + Support added to make the repository documentation and man pages available live on readthedocs. + Bug-fixes: * tpm2_import: Don't allow setting passwords for imported object with -p option as the tool doesn't modify the TPM2B_SENSITIVE structure. Added appropriate logging to indicate using tpm2_changeauth after import. * lib/tpm2_util.c: The function to calculate pHash algorithm returned error when input session is a password session and the only session in the command. * lib/tpm2_alg_util.c: Fix an error where oaep was parsed under ECC. * tpm2_sign: Fix segfaults when tool does not find TPM resources (TPM or RM). * tpm2_makecredential: Fix an issue where reading input from stdin could result in unsupported data size larger than the largest digest size. * tpm2_loadexternal: Fix an issue where restricted attribute could not be set. * lib/tpm2_nv_util.h: The NV index size is dependent on different data sets read from the GetCapability structures because there is a dependency on the NV operation type: Define vs Read vs Write vs Extend. Fix a sane default in the case where GetCapability fails or fails to report the specific property/ data set. This is especially true because some properties are TPM implementation dependent. * tpm2_createpolicy: Fix an issue where tool exited silently without reporting an error if wrong pcr string is specified. * lib/tpm2_alg_util: add error message on public init to prevent tools from dying silently, add an error message. * tpm2_import: fix an issue where an imported hmac object scheme was NULL. While allowed, it was inconsistent with other tools like tpm2_create which set the scheme as hmac->sha256 when generating a keyedhash object. - Drop patches already in upstream: + 0001-tpm2_checkquote-fix-uninitialized-variable.patch + 0001-tpm2_eventlog-fix-buffer-offset-when-reading-the-eve.patch + 0001-tpm2_eventlog-read-eventlog-file-in-chunks.patch ==== wireless-regdb ==== Version update (20210421 -> 20210828) - Update to version 20210828: * wireless-regdb: update regulatory database based on preceding changes * Update regulatory rules for Ecuador (EC) * wireless-regdb: Update regulatory rules for Norway (NO) on 6 and 60 GHz * wireless-regdb: Update regulatory rules for Germany (DE) on 6GHz * wireless-regdb: update regulatory database based on preceding changes * wireless-regdb: reduce bandwidth for 5730-5850 and 5850-5895 MHz in US * wireless-regdb: remove PTMP-ONLY from 5850-5895 MHz for US * wireless-regdb: recent FCC report and order allows 5850-5895 immediately * wireless-regdb: update 5725-5850 MHz rule for GB ==== xfsprogs ==== - move fsck.xfs, mkfs.xfs and xfs_repair from /sbin to /usr/sbin (bsc#1191105) The default rpmbuild %configure macro passes --sbindir=/usr/sbin to every configure script, but the xfsprogs configure script ignores it when --exec-prefix is also set. Unset --exec-prefix since it is not really required (all other paths are explicitly passed via the rpm configure macro), so that the --sbindir is respected. ==== xkeyboard-config ==== Version update (2.33 -> 2.34) - update to version 2.34 * xml2lst: use dynamic Perl path * Resolved 101key Old Hungarian II * Old turkish f layout (with pc104 support) added. * Fix wrong key symbol name * Added International Phonetic Alphabet (QWERTY) * gitlab CI: update to latest ci-templates * Hellenic keyboard perfected. * lt: Place sterling symbol on AD03, layer 4 (with E and euro) * Use single guillemots on L4 (not less/greater) where L3 has guillemots * Added English (Dvorak, Macintosh) based on the MacOS dvorak layout * Accommodate uppercase/lowercase ß, long s, §; deduplicate ? * Move left/right quotes one key to the right, place lower quotes on AB04 * Update symbols/it adding credits and reference for fur lang * lt/us: Inherit AE09/AE10 from latin * Add Russian GOST layouts * Add Polish(lefty) layout * Add Arabic(Ergoarabic) keyboard layout * translation sync * Hebrew translation added ==== yomi-formula ==== - Ignore libudev1 dependency for Enterprise Linux. ==== zypper ==== Version update (1.14.49 -> 1.14.50) Subpackages: zypper-needs-restarting - Fix compiler warning. - zypper.conf: New option whether to collect subcommands found in $PATH (fixes #379) +[subcommand] i + +## Whether to look for subcommands in $PATH +## +## If a subcommand is not found in the zypper_execdir, the wrapper +## will look in the rest of your $PATH for it. Thus, it's possible +## to write local zypper extensions that don't live in system space. +## See section SUBCOMMANDS in the zypper manpage. +## +## Valid values: boolean +## Default value: yes +## +# seachSubcommandInPath = yes. - help subcommand: show path of command found in $PATH. - version 1.14.50