Packages changed: CoreFreq (1.87.1_k5.14.9_1 -> 1.87.4_k5.14.9_1) ImageMagick (7.1.0.8 -> 7.1.0.9) Mesa-drivers apache2-mod_php7 bash-completion checkmedia (5.4 -> 6.1) codec2 firewalld (1.0.0 -> 1.0.1) freerdp gcr (3.40.0 -> 3.41.0) git glibc hwdata (0.351 -> 0.352) hwinfo (21.76 -> 21.77) libHX (3.26 -> 4.0.1) libqb (2.0.2+20201203.def947e -> 2.0.3+20210303.404adbc) libreoffice (7.1.5.2 -> 7.2.2.1) libvirt (7.7.0 -> 7.8.0) libx86emu (3.2 -> 3.3) libzypp (17.28.4 -> 17.28.5) lirc luajit man mariadb mdadm open-iscsi openssh (8.4p1 -> 8.8p1) openssh-askpass-gnome (8.4p1 -> 8.8p1) patterns-gnome pcsc-lite (1.9.3 -> 1.9.4) php7 polkit-default-privs (1550+20210818.b0c41fd -> 1550+20211008.9751669) publicsuffix (20210928 -> 20211006) pulseaudio python-libvirt-python (7.7.0 -> 7.8.0) rubygem-bootsnap (1.7.7 -> 1.9.1) rubygem-marcel (1.0.1 -> 1.0.2) rubygem-puma (5.4.0 -> 5.5.0) rubygem-rubocop (1.19.1 -> 1.22.1) rubygem-rubocop-ast (1.11.0 -> 1.12.0) rubygem-spring (2.1.1 -> 3.0.0) rubygem-unicode-display_width (2.0.0 -> 2.1.0) virt-manager virtualbox virtualbox-kmp xwayland yarn (1.22.11 -> 1.22.13) yast2-trans (84.87.20210914.a5d6b81b64 -> 84.87.20210929.6d3a97ea50) === Details === ==== CoreFreq ==== Version update (1.87.1_k5.14.9_1 -> 1.87.4_k5.14.9_1) - Update to version 1.87.4 - fixed service hardening preventing daemon to start (boo#1191509) - added modprobe_corefreqd.service.patch to load/unload kernel module on service start/stop. Do not load module on boot anymore - fixed leap15_3.patch including unnessary junk ==== ImageMagick ==== Version update (7.1.0.8 -> 7.1.0.9) Subpackages: ImageMagick-config-7-SUSE ImageMagick-extra libMagickCore-7_Q16HDRI10 libMagickWand-7_Q16HDRI10 - previous version updates fixed also: CVE-2018-10805,CVE-2018-11624,CVE-2018-11625,CVE-2018-12599,CVE-2018-12600, CVE-2018-14434,CVE-2018-14435,CVE-2018-14436,CVE-2018-14437,CVE-2018-16323, CVE-2018-16328,CVE-2018-16329,CVE-2018-16412,CVE-2018-16413,CVE-2018-16640, CVE-2018-16641,CVE-2018-16642,CVE-2018-16643,CVE-2018-16644,CVE-2018-16645, CVE-2018-17966,CVE-2018-18024,CVE-2018-18544,CVE-2018-20467,CVE-2019-10650, CVE-2019-11007,CVE-2019-11008,CVE-2019-11470,CVE-2019-11472,CVE-2019-11505, CVE-2019-11506,CVE-2019-11597,CVE-2019-11598,CVE-2019-12974,CVE-2019-12975, CVE-2019-12976,CVE-2019-12977,CVE-2019-12978,CVE-2019-12979,CVE-2019-13133, CVE-2019-13134,CVE-2019-13135,CVE-2019-13136,CVE-2019-13137,CVE-2019-13295, CVE-2019-13296,CVE-2019-13297,CVE-2019-13298,CVE-2019-13299,CVE-2019-13300, CVE-2019-13301,CVE-2019-13302,CVE-2019-13303,CVE-2019-13304,CVE-2019-13305, CVE-2019-13306,CVE-2019-13307,CVE-2019-13308,CVE-2019-13309,CVE-2019-13310, CVE-2019-13311,CVE-2019-13391,CVE-2019-13454,CVE-2019-14980,CVE-2019-14981, CVE-2019-15139,CVE-2019-15140,CVE-2019-15141,CVE-2019-16708,CVE-2019-16709, CVE-2019-16710,CVE-2019-16711,CVE-2019-16712,CVE-2019-16713,CVE-2019-19948, CVE-2019-19949,CVE-2019-7175,CVE-2019-7395,CVE-2019-7396,CVE-2019-7397, CVE-2019-7398,CVE-2019-9956,CVE-2020-19667,CVE-2020-25664,CVE-2020-25665, CVE-2020-25666,CVE-2020-25674,CVE-2020-25675,CVE-2020-25676,CVE-2020-27560, CVE-2020-27750,CVE-2020-27751,CVE-2020-27752,CVE-2020-27753,CVE-2020-27754, CVE-2020-27755,CVE-2020-27756,CVE-2020-27757,CVE-2020-27758,CVE-2020-27759, CVE-2020-27760,CVE-2020-27761,CVE-2020-27762,CVE-2020-27763,CVE-2020-27764, CVE-2020-27765,CVE-2020-27766,CVE-2020-27767,CVE-2020-27768,CVE-2020-27769, CVE-2020-27770,CVE-2020-27771,CVE-2020-27772,CVE-2020-27773,CVE-2020-27774, CVE-2020-27775,CVE-2020-27776,CVE-2020-29599,CVE-2021-20241,CVE-2021-20311, CVE-2021-20312,CVE-2021-20313,CVE-2021-20241,CVE-2021-20243,CVE-2021-20244, CVE-2021-20246 (bsc#1094741,bsc#1094742,bsc#1094745,bsc#1095812,bsc#1096200,bsc#1096203, bsc#1098545,bsc#1098546,bsc#1102003,bsc#1102004,bsc#1102005,bsc#1102007, bsc#1106254,bsc#1106855,bsc#1106857,bsc#1106858,bsc#1106989,bsc#1106996, bsc#1107604,bsc#1107609,bsc#1107612,bsc#1107616,bsc#1107618,bsc#1107619, bsc#1110746,bsc#1111069,bsc#1111072,bsc#1113064,bsc#1120381,bsc#1124365, bsc#1124366,bsc#1124367,bsc#1124368,bsc#1128649,bsc#1130330,bsc#1131317, bsc#1132054,bsc#1132060,bsc#1133204,bsc#1133205,bsc#1133498,bsc#1133501, bsc#1136732,bsc#1138464,bsc#1139884,bsc#1139885,bsc#1139886,bsc#1140100, bsc#1140102,bsc#1140103,bsc#1140104,bsc#1140105,bsc#1140106,bsc#1140110, bsc#1140111,bsc#1140501,bsc#1140513,bsc#1140520,bsc#1140534,bsc#1140538, bsc#1140543,bsc#1140545,bsc#1140547,bsc#1140549,bsc#1140552,bsc#1140554, bsc#1140664,bsc#1140665,bsc#1140666,bsc#1140667,bsc#1140668,bsc#1140669, bsc#1140673,bsc#1141171,bsc#1146065,bsc#1146068,bsc#1146211,bsc#1146212, bsc#1146213,bsc#1151781,bsc#1151782,bsc#1151783,bsc#1151784,bsc#1151785, bsc#1151786,bsc#1159861,bsc#1160369,bsc#1161194,bsc#1178067,bsc#1179103, bsc#1179202,bsc#1179208,bsc#1179212,bsc#1179221,bsc#1179223,bsc#1179240, bsc#1179244,bsc#1179260,bsc#1179268,bsc#1179269,bsc#1179276,bsc#1179278, bsc#1179281,bsc#1179285,bsc#1179311,bsc#1179312,bsc#1179313,bsc#1179315, bsc#1179317,bsc#1179321,bsc#1179322,bsc#1179327,bsc#1179333,bsc#1179336, bsc#1179338,bsc#1179339,bsc#1179343,bsc#1179345,bsc#1179346,bsc#1179347, bsc#1179361,bsc#1179362,bsc#1179397,bsc#1179753,bsc#1182335,bsc#1184624, bsc#1184626,bsc#1184627,bsc#1184628,bsc#1182335,bsc#1182336,bsc#1182325, bsc#1182337) - version update to 7.1.0.9: * Squash a dump truck load of VisualStudio compiler warnings. * improved algorithm for automatic calculation of word breaks and pointsize for caption and labels. * improve wrapping between words and within words (reference https://github.com/ImageMagick/ImageMagick/discussions/4227). - added patches disable Contrast test for i586 on SLE 15 + ImageMagick-filter.t-disable-Contrast.patch ==== Mesa-drivers ==== Subpackages: Mesa-dri Mesa-gallium Mesa-libva libvdpau_r300 libvdpau_r600 libvdpau_radeonsi libvulkan_intel libvulkan_radeon libxatracker2 - Fix build with LLVM 13: * U_gallivm-add-new-wrapper-around-Module.patch * U_gallivm-fix-FTBFS-on-i386-with-LLVM-13.patch ==== apache2-mod_php7 ==== - previous version updates fixes also: CVE-2020-7068,CVE-2020-7069,CVE-2020-7070,CVE-2020-7071, CVE-2021-21702,CVE-2021-21704,CVE-2021-21705 bsc#1175223,bsc#1177351,bsc#1177352,bsc#1180706, bsc#1182049,bsc#1188035,bsc#1188037 ==== bash-completion ==== - Add patch boo1190929-9af4afd0.patch for boo#1190929 add support for compeletion modinfo completion recognize .ko.zst as well as .ko.bz2 ==== checkmedia ==== Version update (5.4 -> 6.1) - merge gh#openSUSE/checkmedia#16 - fix auto-detecting a suitable signature location for rh media - 6.1 - merge gh#openSUSE/checkmedia#15 - add --version option to tagmedia - use volume id if app id is missing for nice output - add support for rh style meta data and digest calculation - extend fragment calculation to suse style - show signee if signature is ok - add --create-signature option - fix large file support - updated unit tests - enhance documentation - add new and shiny README.adoc - 6.0 ==== codec2 ==== - Added a patch moved-freedv_callback_rx_sym-into-internal-header.patch to fix building gnuradio (patch taken from upstream) - Drop handcrafted generation of the pkgconfig file - Remove "-Wno-dev" ==== firewalld ==== Version update (1.0.0 -> 1.0.1) Subpackages: firewalld-bash-completion firewalld-lang firewalld-zsh-completion python3-firewall - Update to 1.0.1: * keep linux capability CAP_SYS_MODULE * UPnP Client: actually allow SSDP traffic * Fix RPM macros to test if firewall-cmd is executable ==== freerdp ==== Subpackages: libfreerdp2 libwinpr2 - Finally nailed it: CMAKE_INSTALL_LIBDIR is absolute on Leaps and relative on TW, but freerdp requires the relative variant. Fixes boo#1190919 - Remove freerdp-fix-plugin-path.patch again, the problem was introduced/fixed by cmake changes ==== gcr ==== Version update (3.40.0 -> 3.41.0) Subpackages: gcr-data gcr-lang gcr-prompter gcr-ssh-askpass gcr-viewer libgck-1-0 libgcr-3-1 typelib-1_0-Gck-1 typelib-1_0-Gcr-3 - Update to version 3.41.0: + Port ssh-agent from gnome-keyring. + build: Fix parallel build failure due to missing marshal dependency. + Fix warnings by dropping `volatile` for g_once_init_inter locations. + tests: More robust against GTask unref race condition. + Updated translations. - Add pkgconfig(libsecret-1), pkgconfig(libsystemd), pkgconfig(systemd) and openssh-clients BuildRequires: Build new standalone ssh-agent, and split it out in own sub-package. ==== git ==== Subpackages: git-core git-cvs git-daemon git-email git-gui git-svn git-web gitk perl-Git - Added hardening to systemd service(s) (bsc#1181400). Modified: * git-daemon.service ==== glibc ==== Subpackages: glibc-32bit glibc-devel glibc-extra glibc-lang glibc-locale glibc-locale-base nscd - ld-show-auxv-colon.patch: elf: Fix missing colon in LD_SHOW_AUXV output (BZ #282539 - x86-string-control-test.patch: x86-64: Use testl to check __x86_string_control - pthread-kill-fail-after-exit.patch: nptl: pthread_kill, pthread_cancel should not fail after exit (BZ #19193) - pthread-kill-race-thread-exit.patch: nptl: Fix race between pthread_kill and thread exit (BZ #12889) - getcwd-attribute-access.patch: posix: Fix attribute access mode on getcwd (BZ #27476) - pthread-kill-return-esrch.patch: nptl: pthread_kill needs to return ESRCH for old programs (BZ #19193) - pthread-mutexattr-getrobust-np-type.patch: nptl: Fix type of pthread_mutexattr_getrobust_np, pthread_mutexattr_setrobust_np (BZ [#28036]) - setxid-deadlock-blocked-signals.patch: nptl: Avoid setxid deadlock with blocked signals in thread exit (BZ #28361) - pthread-kill-send-specific-thread.patch: nptl: pthread_kill must send signals to a specific thread (BZ #28407) - sysconf-nprocessors-affinity.patch: linux: Revert the use of sched_getaffinity on get_nproc (BZ #28310) - iconv-charmap-close-output.patch: renamed from icon-charmap-close-output.patch ==== hwdata ==== Version update (0.351 -> 0.352) - Update to version 0.352 (bsc#1191375: + Updated pci, usb and vendor ids. ==== hwinfo ==== Version update (21.76 -> 21.77) - merge gh#openSUSE/hwinfo#105 - Use license file from gnu.org - Fix spelling - Add missing final newline - Trim excess whitespace - Simple maintenance improvements - 21.77 ==== libHX ==== Version update (3.26 -> 4.0.1) Subpackages: libHX32 libHX32-32bit - Update to release 4.0.1 * lib: add ``HX_slurp_fd``, ``HX_slurp_file`` * proc: add ``HXproc_switch_user`` * proc: add ``HXproc_top_fd`` * socket: add ``HX_socket_from_env`` * opt: add ``HXOPT_KEEP_ARGV`` flag ==== libqb ==== Version update (2.0.2+20201203.def947e -> 2.0.3+20210303.404adbc) - Update to version 2.0.3+20210303.404adbc (v2.0.3): - syslog: Add a message-id parameter for messages (gh#ClusterLabs/libqb#433) - timers: Add some locking (gh#ClusterLabs/libqb#436) - ipcc: Have a few goes at tidying up after a dead server (gh#ClusterLabs/libqb#434) - strlcpy: Check for maxlen underflow (gh#ClusterLabs/libqb#432) - doxygen2man: fix printing of lines starting with '.' (gh#ClusterLabs/libqb#431) - doxygen2man: ignore all-whitespace brief descriptions (gh#ClusterLabs/libqb#430) ==== libreoffice ==== Version update (7.1.5.2 -> 7.2.2.1) Subpackages: libreoffice-base libreoffice-calc libreoffice-draw libreoffice-filters-optional libreoffice-gnome libreoffice-gtk3 libreoffice-icon-themes libreoffice-impress libreoffice-l10n-cs libreoffice-l10n-da libreoffice-l10n-de libreoffice-l10n-el libreoffice-l10n-en libreoffice-l10n-en_GB libreoffice-l10n-es libreoffice-l10n-fr libreoffice-l10n-hu libreoffice-l10n-it libreoffice-l10n-ja libreoffice-l10n-pl libreoffice-l10n-pt_BR libreoffice-l10n-ru libreoffice-l10n-zh_CN libreoffice-l10n-zh_TW libreoffice-mailmerge libreoffice-math libreoffice-pyuno libreoffice-qt5 libreoffice-writer libreofficekit - Update to 7.2.2.1 - Refresh pld-skia-patches.patch - Fix bsc#1189813: LO-L3: Shadow effect for tables in PPTX partly incorrect * bsc1189813.patch - Add vendored poppler to use for all codestreams except Tumbleweed. - Use vendored boost for all codestreams except Tumbleweed. Update boost vendored version. - Update to 7.2.1.2: * LO minor release - Added patch: * pld-skia-patches.patch * skia-freetype2.11.patch ==== libvirt ==== Version update (7.7.0 -> 7.8.0) Subpackages: libvirt-client libvirt-daemon libvirt-daemon-driver-interface libvirt-daemon-driver-libxl libvirt-daemon-driver-lxc libvirt-daemon-driver-network libvirt-daemon-driver-nodedev libvirt-daemon-driver-nwfilter libvirt-daemon-driver-qemu libvirt-daemon-driver-secret libvirt-daemon-driver-storage libvirt-daemon-driver-storage-core libvirt-daemon-driver-storage-disk libvirt-daemon-driver-storage-iscsi libvirt-daemon-driver-storage-iscsi-direct libvirt-daemon-driver-storage-logical libvirt-daemon-driver-storage-mpath libvirt-daemon-driver-storage-rbd libvirt-daemon-driver-storage-scsi libvirt-daemon-lxc libvirt-daemon-qemu libvirt-daemon-xen libvirt-libs - lxc: controller: Fix container launch on cgroup v1 1b9ce05c-lxc-fix-cgroupV1.patch boo#1183247 - tools: Fix virt-host-validate SEV detection 3f9c1a4b-fix-host-validate-sev.patch boo#1188715 - Update to libvirt 7.8.0 - jsc#SLE-18260 - Many incremental improvements and bug fixes, see https://libvirt.org/news.html - Dropped patches: b75a16ae-libxl-improve-die-id.patch, 65fab900-libxl-fix-driver-reload.patch, 51eb680b-libxl-dont-autostart-on-reload.patch - spec: Fix hangs during package update bsc#1177902, bsc#1190693 - spec: Don't add --timeout arg to /etc/sysconfig/libvirtd when running in traditional mode without socket activation bsc#1190695 ==== libx86emu ==== Version update (3.2 -> 3.3) - merge gh#wfeldt/libx86emu#34 - Migrate CI to GitHub Actions - 3.3 ==== libzypp ==== Version update (17.28.4 -> 17.28.5) - Downloader does not respect checkExistsOnly flag (bsc#1190712) A missing check causes zyppng::Downloader to always download full files even if the checkExistsOnly flag is set. This patch adds the missing logic. - Fix kernel-*-livepatch removal in purge-kernels (bsc#1190815) The kernel-*-livepatch packages are supposed to serve as a stable handle for the ephemeral kernel livepatch packages. See FATE#320268 for details. As part of the kernel live patching ecosystem, kernel-*-livepatch packages should not block the purge-kernels step. - version 17.28.5 (22) ==== lirc ==== - Revert "Require typelib packages": better to have rpm auto-detect them. - Add gobject-introspection BuildRequires to have the typelib dep scanner on board. - Added hardening to systemd service(s) (bsc#1181400). Added patch(es): * harden_irexec.service.patch * harden_lircd-uinput.service.patch * harden_lircd.service.patch * harden_lircmd.service.patch - Require typelib packages, otherwise lirc-setup fails to start. ==== luajit ==== - Exclude s390x for now. There is a not-yet-upstreamed port available, but we would need to rebase it for our release. ==== man ==== - Added hardening to systemd service(s) (bsc#1181400). Added patch(es): * harden_man-db.service.patch Modified: * man-db-create.service ==== mariadb ==== Subpackages: libmariadbd19 mariadb-client mariadb-errormessages - Fix socket address in mariadb@.socket file ==== mdadm ==== - Install mdadm in _sbindir rather than /sbin. This is more appropriate now that we have a merged-/usr. (bsc#1191076) ==== open-iscsi ==== Subpackages: iscsiuio libopeniscsiusr0_2_0 - Fix possible systemd cycle by adding an "obsoletes" for the old libopeniscsiusr for older versions. ==== openssh ==== Version update (8.4p1 -> 8.8p1) Subpackages: openssh-clients openssh-common openssh-server - Version update to 8.8p1: = Security * sshd(8) from OpenSSH 6.2 through 8.7 failed to correctly initialise supplemental groups when executing an AuthorizedKeysCommand or AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser directive has been set to run the command as a different user. Instead these commands would inherit the groups that sshd(8) was started with. Depending on system configuration, inherited groups may allow AuthorizedKeysCommand/AuthorizedPrincipalsCommand helper programs to gain unintended privilege. Neither AuthorizedKeysCommand nor AuthorizedPrincipalsCommand are enabled by default in sshd_config(5). = Potentially-incompatible changes * This release disables RSA signatures using the SHA-1 hash algorithm by default. This change has been made as the SHA-1 hash algorithm is cryptographically broken, and it is possible to create chosen-prefix hash collisions for argv conversion. Multiple backslashes were not being dequoted correctly and quoted space in the middle of a string was being incorrectly split. GHPR223 * ssh(1): return non-zero exit status when killed by signal; bz#3281 * sftp-server(8): increase maximum SSH2_FXP_READ to match the maximum packet size. Also handle zero-length reads that are not explicitly banned by the spec. - Additional changes from 8.5p1 release: = Security * ssh-agent(1): fixed a double-free memory corruption that was introduced in OpenSSH 8.2 . We treat all such memory faults as potentially exploitable. This bug could be reached by an attacker with access to the agent socket. = Potentially-incompatible changes * ssh(1), sshd(8): this release changes the first-preference signature algorithm from ECDSA to ED25519. * ssh(1), sshd(8): set the TOS/DSCP specified in the configuration for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive and often explicitly interactive. The ultimate interactive/bulk TOS/DSCP will be set after authentication completes. * ssh(1), sshd(8): remove the pre-standardization cipher rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc before it was standardized in RFC4253 (2006), has been deprecated and disabled by default since OpenSSH 7.2 (2016) and was only briefly documented in ssh.1 in 2001. * ssh(1), sshd(8): update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime coupled with X25519. The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. * ssh(1): disable CheckHostIP by default. It provides insignificant benefits while making key rotation significantly more difficult, especially for hosts behind IP-based load-balancers. = New features * ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions: - The key was matched in the UserKnownHostsFile (and not in the GlobalKnownHostsFile). - The same key does not exist under another name. - A certificate host key is not in use. - known_hosts contains no matching wildcard hostname pattern. - VerifyHostKeyDNS is not enabled. - The default UserKnownHostsFile is in use. * ssh(1), sshd(8): add a new LogVerbose configuration directive for that allows forcing maximum debug logging by file/function/line pattern-lists. * ssh(1): when prompting the user to accept a new hostkey, display any other host names/addresses already associated with the key. * ssh(1): allow UserKnownHostsFile=none to indicate that no known_hosts file should be used to identify host keys. * ssh(1): add a ssh_config KnownHostsCommand option that allows the client to obtain known_hosts data from a command in addition to the usual files. * ssh(1): add a ssh_config PermitRemoteOpen option that allows the client to restrict the destination when RemoteForward is used with SOCKS. * ssh(1): for FIDO keys, if a signature operation fails with a "incorrect PIN" reason and no PIN was initially requested from the user, then request a PIN and retry the operation. This supports some biometric devices that fall back to requiring PIN when reading of the biometric failed, and devices that require PINs for all hosted credentials. * sshd(8): implement client address-based rate-limiting via new sshd_config(5) PerSourceMaxStartups and PerSourceNetBlockSize directives that provide more fine-grained control on a per-origin address basis than the global MaxStartups limit. = Bugfixes * ssh(1): Prefix keyboard interactive prompts with "(user@host)" to make it easier to determine which connection they are associated with in cases like scp -3, ProxyJump, etc. bz#3224 * sshd(8): fix sshd_config SetEnv directives located inside Match blocks. GHPR201 * ssh(1): when requesting a FIDO token touch on stderr, inform the user once the touch has been recorded. * ssh(1): prevent integer overflow when ridiculously large ConnectTimeout values are specified, capping the effective value (for most platforms) at 24 days. bz#3229 * ssh(1): consider the ECDSA key subtype when ordering host key algorithms in the client. * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. The previous name incorrectly suggested that it control allowed key algorithms, when this option actually specifies the signature algorithms that are accepted. The previous name remains available as an alias. bz#3253 * ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms. * sftp-server(8): add missing lsetstat@openssh.com documentation and advertisement in the server's SSH2_FXP_VERSION hello packet. * ssh(1), sshd(8): more strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078). * sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit platforms instead of being limited by LONG_MAX. bz#3206 * Minor man page fixes (capitalization, commas, etc.) bz#3223 * sftp(1): when doing an sftp recursive upload or download of a read-only directory, ensure that the directory is created with write and execute permissions in the interim so that the transfer can actually complete, then set the directory permission as the final step. bz#3222 * ssh-keygen(1): document the -Z, check the validity of its argument earlier and provide a better error message if it's not correct. bz#2879 * ssh(1): ignore comments at the end of config lines in ssh_config, similar to what we already do for sshd_config. bz#2320 * sshd_config(5): mention that DisableForwarding is valid in a sshd_config Match block. bz3239 * sftp(1): fix incorrect sorting of "ls -ltr" under some circumstances. bz3248. * ssh(1), sshd(8): fix potential integer truncation of (unlikely) timeout values. bz#3250 * ssh(1): make hostbased authentication send the signature algorithm in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type. This make HostbasedAcceptedAlgorithms do what it is supposed to - filter on signature algorithm and not key type. - Rebased patches: * openssh-7.7p1-IPv6_X_forwarding.patch * openssh-7.7p1-X11_trusted_forwarding.patch * openssh-7.7p1-X_forward_with_disabled_ipv6.patch * openssh-7.7p1-cavstest-ctr.patch * openssh-7.7p1-cavstest-kdf.patch * openssh-7.7p1-disable_openssl_abi_check.patch * openssh-7.7p1-eal3.patch * openssh-7.7p1-enable_PAM_by_default.patch * openssh-7.7p1-fips.patch * openssh-7.7p1-fips_checks.patch * openssh-7.7p1-host_ident.patch * openssh-7.7p1-hostname_changes_when_forwarding_X.patch * openssh-7.7p1-ldap.patch * openssh-7.7p1-no_fork-no_pid_file.patch * openssh-7.7p1-pam_check_locks.patch * openssh-7.7p1-pts_names_formatting.patch * openssh-7.7p1-remove_xauth_cookies_on_exit.patch * openssh-7.7p1-seccomp_ipc_flock.patch * openssh-7.7p1-seccomp_stat.patch * openssh-7.7p1-send_locale.patch * openssh-7.7p1-sftp_force_permissions.patch * openssh-7.7p1-sftp_print_diagnostic_messages.patch * openssh-7.7p1-systemd-notify.patch * openssh-7.9p1-keygen-preserve-perms.patch * openssh-7.9p1-revert-new-qos-defaults.patch * openssh-8.0p1-gssapi-keyex.patch * openssh-8.1p1-audit.patch * openssh-8.1p1-seccomp-clock_gettime64.patch * openssh-8.1p1-seccomp-clock_nanosleep.patch * openssh-8.1p1-seccomp-clock_nanosleep_time64.patch * openssh-8.1p1-use-openssl-kdf.patch * openssh-8.4p1-vendordir.patch * openssh-fips-ensure-approved-moduli.patch * openssh-link-with-sk.patch * openssh-reenable-dh-group14-sha1-default.patch * openssh-whitelist-syscalls.patch - Removed openssh-fix-ssh-copy-id.patch (fixed upstream). - openssh.keyring: rotated to new key from https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc - sshd-gen-keys-start: - only source sysconfig file if it exists. - create /etc/ssh if it does not exists. Required for image based installation/updates. ==== openssh-askpass-gnome ==== Version update (8.4p1 -> 8.8p1) - Version upgrade to 8.8p1 * No changes for askpass, see main package changelog for details ==== patterns-gnome ==== Subpackages: patterns-gnome-gnome patterns-gnome-gnome_basic patterns-gnome-gnome_basis patterns-gnome-gnome_basis_opt patterns-gnome-gnome_games patterns-gnome-gnome_imaging patterns-gnome-gnome_internet patterns-gnome-gnome_multimedia patterns-gnome-gnome_office patterns-gnome-gnome_utilities patterns-gnome-gnome_x11 patterns-gnome-gnome_yast patterns-gnome-sw_management_gnome - Drop gnome-power-manager Recommends: Package is dormant upstream and on its way to be replaced by new features inside of gnome-control-center. ==== pcsc-lite ==== Version update (1.9.3 -> 1.9.4) Subpackages: libpcsclite1 - version 1.9.4 * fix a memory leak when libusb is used for hotplug (i.e. non-Linux systems) ==== php7 ==== Subpackages: php7-cli php7-ctype php7-dom php7-gd php7-gettext php7-iconv php7-json php7-mbstring php7-mysql php7-openssl php7-pdo php7-sqlite php7-tokenizer php7-xmlreader php7-xmlwriter - previous version updates fixes also: CVE-2020-7068,CVE-2020-7069,CVE-2020-7070,CVE-2020-7071, CVE-2021-21702,CVE-2021-21704,CVE-2021-21705 bsc#1175223,bsc#1177351,bsc#1177352,bsc#1180706, bsc#1182049,bsc#1188035,bsc#1188037 ==== polkit-default-privs ==== Version update (1550+20210818.b0c41fd -> 1550+20211008.9751669) - drop backward compatibility symlink in /etc/polkit-default-privs.standard. rpmlint 2.0 is now in Factory and the check there directly uses the profile in /usr/etc/polkit-default-privs/profiles/standard. - drop polkit-whitelisting sub-package. This is now handled in rpmlint 2.0 internally. - Update to version 1550+20211008.9751669: * whitelist power-profiles-daemon actions (bsc#1189900) * cleanup: remove polkit-rules-whitelist.json ==== publicsuffix ==== Version update (20210928 -> 20211006) - Update to version 20211006: * Update Pull Request Template to add clarity * util: gTLD data autopull updates for 2021-10-01T15:13:10 UTC (#1445) ==== pulseaudio ==== Subpackages: libpulse-mainloop-glib0 libpulse0 pulseaudio-bash-completion pulseaudio-gdm-hooks pulseaudio-lang pulseaudio-module-bluetooth pulseaudio-module-gsettings pulseaudio-module-x11 pulseaudio-module-zeroconf pulseaudio-utils pulseaudio-zsh-completion - Make system-user-pulse noarch - Split sysusers.d file to separate package as needed by brltty (bsc#1191465) ==== python-libvirt-python ==== Version update (7.7.0 -> 7.8.0) - Update to 7.8.0 - Add all new APIs and constants in libvirt 7.8.0 - jsc#SLE-18260 ==== rubygem-bootsnap ==== Version update (1.7.7 -> 1.9.1) Subpackages: ruby2.7-rubygem-bootsnap ruby3.0-rubygem-bootsnap - updated to version 1.9.1 * Removed a forgotten debug statement in JSON precompilation ==== rubygem-marcel ==== Version update (1.0.1 -> 1.0.2) - updated to version 1.0.2 * Include Apache license in gem release. (a525d5b) * Prefer audio/x-wav for WAV audio files. (#45) * Prefer application/x-x509-ca-cert for Privacy-Enhanced Mail certificates. (#46) * Prefer audio/flac for FLAC audio files. (#47) * Prefer audio/aac for Advanced Audio Coding audio files. (#49) * Prefer application/vnd.ms-access for Microsodt Access DB files. (#50) * Support text/x-scss and text/x-sass stylesheets. (#52) * Support encrypted Microsoft Access DB files. (#53) * Prefer application/x-ole-storage for Microsoft Office files. (#54) * Prefer text/markdown for Markdown files. (#55) * Prefer audio/mpc for Musepack audio files. (#56) * Support audio/webm audio files. (#58) * Support image/avif images files. (#63) ==== rubygem-puma ==== Version update (5.4.0 -> 5.5.0) - updated to version 5.5.0 * Features * Automatic SSL certificate provisioning for localhost, via localhost gem ([#2610], [#2257]) * add support for the PROXY protocol (v1 only) ([#2654], [#2651]) * Add a semantic CLI option for no config file ([#2689]) * Bugfixes * More elaborate exception handling - lets some dead pumas die. ([#2700], [#2699]) * allow multiple after_worker_fork hooks ([#2690]) * Preserve BUNDLE_APP_CONFIG on worker fork ([#2688], [#2687]) * Performance * Fix performance of server-side SSL connection close. ([#2675]) ==== rubygem-rubocop ==== Version update (1.19.1 -> 1.22.1) - updated to version 1.22.1 [#]# 1.22.1 (2021-10-04) [#]## Bug fixes * [#10143](https://github.com/rubocop/rubocop/issues/10143): Fix an error for `Lint/RequireRelativeSelfPath` when using a variable as an argument of `require_relative`. ([@koic][]) * [#10140](https://github.com/rubocop/rubocop/issues/10140): Fix false positive for `Layout/DotPosition` when a heredoc receives a method on the same line as the start sigil in `trailing` style. ([@dvandersluis][]) * [#10148](https://github.com/rubocop/rubocop/issues/10148): Fix `Style/QuotedSymbols` handling escaped characters incorrectly. ([@dvandersluis][]) * [#10145](https://github.com/rubocop/rubocop/issues/10145): Update `Style/SelectByRegexp` to ignore cases where the receiver appears to be a hash. ([@dvandersluis][]) [#]# 1.22.0 (2021-09-29) [#]## New features * [#8431](https://github.com/rubocop/rubocop/issues/8431): Add `Safety` section to documentation for all cops that are `Safe: false` or `SafeAutoCorrect: false`. ([@dvandersluis][]) * [#10132](https://github.com/rubocop/rubocop/issues/10132): Reorganize output of `rubocop --help` for better clarity. ([@dvandersluis][]) * [#10111](https://github.com/rubocop/rubocop/pull/10111): Add new `Style/NumberedParametersLimit` cop. ([@dvandersluis][]) * [#10025](https://github.com/rubocop/rubocop/pull/10025): Changed cop `SpaceInsideParens` to include a `compact` style. ([@itay-grudev][]) * [#10084](https://github.com/rubocop/rubocop/issues/10084): Add new `Lint/RequireRelativeSelfPath` cop. ([@koic][]) * [#8327](https://github.com/rubocop/rubocop/issues/8327): Add new cop `Style/SelectByRegexp`. ([@dvandersluis][]) * [#10100](https://github.com/rubocop/rubocop/pull/10100): Add new `Style/NumberedParameters` cop. ([@Hugo-Hache][]) * [#10103](https://github.com/rubocop/rubocop/issues/10103): Add `AllowHttpProtocol` option to `Bundler/InsecureProtocolSource`. ([@koic][]) * [#10102](https://github.com/rubocop/rubocop/pull/10102): Add new `Security/IoMethods` cop. ([@koic][]) [#]## Bug fixes * [#10110](https://github.com/rubocop/rubocop/issues/10110): Update `Layout/DotPosition` to be able to handle heredocs. ([@dvandersluis][]) * [#10134](https://github.com/rubocop/rubocop/issues/10134): Update `Style/MutableConstant` to not consider multiline uninterpolated strings as unfrozen in ruby 3.0. ([@dvandersluis][]) * [#10124](https://github.com/rubocop/rubocop/pull/10124): Fix `Layout/RedundantLineBreak` adding extra space within method chains. ([@dvandersluis][]) * [#10118](https://github.com/rubocop/rubocop/issues/10118): Fix crash with `Style/RedundantSort` when the block doesn't only contain a single `send` node. ([@dvandersluis][]) * [#10135](https://github.com/rubocop/rubocop/issues/10135): Fix `Style/WordArray` to exclude files in `--auto-gen-config` when `percent` style is given but brackets are required. ([@dvandersluis][]) * [#10090](https://github.com/rubocop/rubocop/issues/10090): Fix a false negative for `Style/ArgumentsForwarding` when using only kwrest arg. ([@koic][]) * [#10099](https://github.com/rubocop/rubocop/pull/10099): Update`Style/RedundantFreeze` to stop considering `ENV` values as immutable. ([@byroot][]) * [#10078](https://github.com/rubocop/rubocop/pull/10078): Fix `Layout/LineLength` reported length when ignoring directive comments. ([@dvandersluis][]) * [#9934](https://github.com/rubocop/rubocop/issues/9934): Fix configuration loading to not raise an error for an obsolete ruby version that is subsequently overridden. ([@dvandersluis][]) * [#10136](https://github.com/rubocop/rubocop/issues/10136): Update `Lint/AssignmentInCondition` to not consider assignments within blocks in conditions. ([@dvandersluis][]) * [#9588](https://github.com/rubocop/rubocop/issues/9588): Fix causing a variable to be shadowed from outside the rescue block in the logic of Naming/RescuedExceptionsVariableName. ([@lilisako][]) * [#10096](https://github.com/rubocop/rubocop/issues/10096): Fix `Lint/AmbiguousOperatorPrecedence` with `and`/`or` operators. ([@dvandersluis][]) * [#10106](https://github.com/rubocop/rubocop/issues/10106): Fix `Style/RedundantSelf` for pattern matching. ([@dvandersluis][]) * [#10066](https://github.com/rubocop/rubocop/issues/10066): Fix how `MinDigits` is calculated for `Style/NumericLiterals` when generating a configuration file. ([@dvandersluis][]) [#]## Changes * [#10088](https://github.com/rubocop/rubocop/pull/10088): Update `Lint/BooleanSymbol` to be `SafeAutoCorrect: false` rather than `Safe: false`. ([@dvandersluis][]) * [#10122](https://github.com/rubocop/rubocop/pull/10122): Update `Style/RedundantSort` to be unsafe, and revert the special case for `size` from [#10061](https://github.com/rubocop/rubocop/pull/10061). ([@dvandersluis][]) * [#10130](https://github.com/rubocop/rubocop/issues/10130): Update `Lint/ElseLayout` to be able to handle an `else` with only a single line. ([@dvandersluis][]) [#]# 1.21.0 (2021-09-13) [#]## New features * [#7849](https://github.com/rubocop/rubocop/issues/7849): Add new `Lint/AmbiguousOperatorPrecedence` cop. ([@dvandersluis][]) * [#9061](https://github.com/rubocop/rubocop/issues/9061): Add new `Lint/IncompatibleIoSelectWithFiberScheduler` cop. ([@koic][]) [#]## Bug fixes * [#10067](https://github.com/rubocop/rubocop/pull/10067): Fix an error for `Lint/NumberConversion` when using nested number conversion methods. ([@koic][]) * [#10054](https://github.com/rubocop/rubocop/pull/10054): Fix a false positive for `Layout/SpaceAroundOperators` when match operators between `<<` and `+=`. ([@koic][]) * [#10061](https://github.com/rubocop/rubocop/issues/10061): Fix a false positive for `Style/RedundantSort` when using `size` method in the block. ([@koic][]) * [#10063](https://github.com/rubocop/rubocop/pull/10063): Fix a false positive for `Layout/SingleLineBlockChain` when method call chained on a new line after a single line block with trailing dot. ([@koic][]) * [#10064](https://github.com/rubocop/rubocop/pull/10064): Fix `Style/ExplicitBlockArgument` corrector assuming any existing block argument was named `block`. ([@byroot][]) * [#10070](https://github.com/rubocop/rubocop/issues/10070): Fix a false positive for `Style/MutableConstant` when using non-interpolated heredoc in Ruby 3.0. ([@koic][]) [#]## Changes * [#9674](https://github.com/rubocop/rubocop/issues/9674): Disable `Style/AsciiComments` by default. ([@dvandersluis][]) * [#10051](https://github.com/rubocop/rubocop/pull/10051): Improve the messaging for `Style/Documentation` to be more clear about what class/module needs documentation. ([@dvandersluis][]) * [#10074](https://github.com/rubocop/rubocop/pull/10074): Update `Naming/InclusiveLanguage` to be disabled by default. ([@dvandersluis][]) * [#10068](https://github.com/rubocop/rubocop/pull/10068): Mark `Style/AndOr` as unsafe auto-correction. ([@koic][]) [#]# 1.20.0 (2021-08-26) [#]## New features * [#10040](https://github.com/rubocop/rubocop/pull/10040): Make `Lint/Debugger` aware of debug.rb. ([@koic][]) * [#9580](https://github.com/rubocop/rubocop/issues/9580): Add a new cop that enforces which bundler gem file to use. ([@gregfletch][]) [#]## Bug fixes * [#10033](https://github.com/rubocop/rubocop/issues/10033): Fix an incorrect auto-correct for `Style/BlockDelimiters` when there is a comment after the closing brace and using method chanin. ([@koic][]) * [#6630](https://github.com/rubocop/rubocop/issues/6630): Updated `Style/CommentAnnotation` to be able to handle multiword keyword phrases. ([@dvandersluis][]) * [#7836](https://github.com/rubocop/rubocop/issues/7836): Update `Style/BlockDelimeters` to add `begin`...`end` when converting a block containing `rescue` or `ensure` to braces. ([@dvandersluis][]) * [#10031](https://github.com/rubocop/rubocop/issues/10031): Fix a false positive for `Style/HashExcept` when comparing with hash value. ([@koic][]) [#]## Changes * [#10034](https://github.com/rubocop/rubocop/pull/10034): Add `RubyJard` debugger calls to Lint/Debugger/DebuggerMethods. ([@DanielVartanov][]) * [#10006](https://github.com/rubocop/rubocop/pull/10006): Interpolated string literals are no longer frozen since Ruby 3.0. ([@splattael][]) * [#9328](https://github.com/rubocop/rubocop/issues/9328): Recognize shareable_constant_value magic comment. ([@thearjunmdas][], [@caalberts][]) * [#10036](https://github.com/rubocop/rubocop/issues/10036): Mark `Style/StructInheritance` as unsafe auto-correction. ([@koic][]) ==== rubygem-rubocop-ast ==== Version update (1.11.0 -> 1.12.0) - updated to version 1.12.0 [#]## Bug fixes * [#208](https://github.com/rubocop/rubocop-ast/issues/208): Update `MethodDispatchNode#block_literal?` to return true for `numblock`s. ([@dvandersluis][]) ==== rubygem-spring ==== Version update (2.1.1 -> 3.0.0) Subpackages: ruby2.7-rubygem-spring ruby3.0-rubygem-spring - updated to version 3.0.0 * Require applications to have reloading enabled in the managed environments. * Require Ruby 2.5. * Require Rails 5.2. ==== rubygem-unicode-display_width ==== Version update (2.0.0 -> 2.1.0) - updated to version 2.1.0 * Unicode 14.0 ==== virt-manager ==== Subpackages: virt-install virt-manager-common - bsc#1191356 - virt-manager should not depend on gtk4 Modified files: virt-manager.spec virtman-dont-specify-gtksource-version.patch virtman-dont-specify-vte-version.patch - jsc#SLE-20856 Dev: KVM: Enable vfio-ccw and vfio-ap in virt-* tools 965480e8-virt-install-add-mediated-device.patch ==== virtualbox ==== Subpackages: virtualbox-guest-tools virtualbox-guest-x11 - Fix ldconfig invocation in scriptlets - Remove vbox-fix-usb-rules.sh from qt package to avoid file conflict - Fix build failures in Leap 15.1 and Leap 15.2 due to kmk_sed issues. - Finish UsrMerge for VirtualBox components (boo#1191104). ==== virtualbox-kmp ==== - Fix ldconfig invocation in scriptlets - Remove vbox-fix-usb-rules.sh from qt package to avoid file conflict - Fix build failures in Leap 15.1 and Leap 15.2 due to kmk_sed issues. - Finish UsrMerge for VirtualBox components (boo#1191104). ==== xwayland ==== - Specfile cleanup ==== yarn ==== Version update (1.22.11 -> 1.22.13) - update to 1.22.13: https://github.com/yarnpkg/yarn/releases/tag/v1.22.13 ==== yast2-trans ==== Version update (84.87.20210914.a5d6b81b64 -> 84.87.20210929.6d3a97ea50) Subpackages: yast2-trans-af yast2-trans-ar yast2-trans-bg yast2-trans-bn yast2-trans-bs yast2-trans-ca yast2-trans-cs yast2-trans-cy yast2-trans-da yast2-trans-de yast2-trans-el yast2-trans-en_GB yast2-trans-es yast2-trans-et yast2-trans-fa yast2-trans-fi yast2-trans-fr yast2-trans-gl yast2-trans-gu yast2-trans-hi yast2-trans-hr yast2-trans-hu yast2-trans-id yast2-trans-it yast2-trans-ja yast2-trans-jv yast2-trans-ka yast2-trans-km yast2-trans-ko yast2-trans-lo yast2-trans-lt yast2-trans-mk yast2-trans-mr yast2-trans-nb yast2-trans-nl yast2-trans-pa yast2-trans-pl yast2-trans-pt yast2-trans-pt_BR yast2-trans-ro yast2-trans-ru yast2-trans-si yast2-trans-sk yast2-trans-sl yast2-trans-sr yast2-trans-sv yast2-trans-ta yast2-trans-th yast2-trans-tr yast2-trans-uk yast2-trans-vi yast2-trans-wa yast2-trans-xh yast2-trans-zh_CN yast2-trans-zh_TW yast2-trans-zu - Update to version 84.87.20210929.6d3a97ea50: * New POT for text domain 'nfs'. * New POT for text domain 'network'. * Translated using Weblate (Italian) * Translated using Weblate (Italian) * Translated using Weblate (Italian) * New POT for text domain 'cluster'. * Translated using Weblate (Turkish) * Translated using Weblate (Turkish) * Translated using Weblate (Turkish) * Translated using Weblate (Turkish) * New POT for text domain 'network'. * Translated using Weblate (Greek) * Translated using Weblate (Greek) * New POT for text domain 'add-on'. * Translated using Weblate (Czech) * New POT for text domain 'base'. * Translated using Weblate (Portuguese (Brazil)) * Translated using Weblate (Portuguese (Brazil)) * Translated using Weblate (Slovak) * Translated using Weblate (Dutch) * Translated using Weblate (Catalan) * Translated using Weblate (Japanese) * New POT for text domain 'packager'. * New POT for text domain 'online-update'. * New POT for text domain 'bootloader'. * New POT for text domain 'base'. * Translated using Weblate (Turkish) * Translated using Weblate (Turkish) * Translated using Weblate (Turkish) * Translated using Weblate (Turkish) * Translated using Weblate (Turkish) * Translated using Weblate (Turkish) * Translated using Weblate (Turkish) * Translated using Weblate (Turkish) * Translated using Weblate (Turkish) * Translated using Weblate (Turkish) * Translated using Weblate (Turkish)