Packages changed:
  bubblewrap (0.9.0 -> 0.10.0)
  ffmpeg-6
  libnftnl (1.2.6 -> 1.2.7)
  lvm2
  lvm2-device-mapper
  lz4
  openSUSE-release (20240815 -> 20240816)
  python-kiwi (10.0.27 -> 10.1.2)
  texlive
  unbound (1.20.0 -> 1.21.0)

=== Details ===

==== bubblewrap ====
Version update (0.9.0 -> 0.10.0)
Subpackages: bubblewrap-zsh-completion

- Update to version v0.10.0:
  * New features:
    Add the --[ro-]bind-fd option, which can be used to mount a
    filesystem represented by a file descriptor without
    time-of-check/time-of-use attacks. This is needed when resolving
    CVE-2024-42472 in Flatpak.
  * Other changes:
    Fix some confusing syntax in SetupOpFlag (no functional change).

==== ffmpeg-6 ====
Subpackages: libavcodec60 libavfilter9 libavformat60 libavutil58 libpostproc57 libswresample4 libswscale7

- Remove ffmpeg-6-CVE-2024-32228-shim-5d7f234e.patch and
  ffmpeg-6-CVE-2024-32228.patch to make the bot happy.
- Renumber patches.
- Disable ffmpeg-6-CVE-2024-32228-shim-5d7f234e.patch and
  ffmpeg-6-CVE-2024-32228.patch as they break compilation with
  BUILD_ORIG enabled, i.e. Packman.

==== libnftnl ====
Version update (1.2.6 -> 1.2.7)

- Update to release 1.2.7
  * Avoid potential use-after-free when clearing set's expression list
  * Avoid misc buffer overflows in attribute setters
  * Implement nftnl_obj_unset symbol already exported in libnftnl.map
  * Remove unimplemented symbols from libnftnl.map
  * Validate per-expression and per-object attribute value and data length
  * Fix synproxy object setter with unaligned data

==== lvm2 ====
Subpackages: liblvm2cmd2_03

- lvm2-monitor.service fails to start (boo#1228854)
  + bug-1228854_lvm2-monitor-service-start-after-system-fully-booted.patch

==== lvm2-device-mapper ====
Subpackages: device-mapper libdevmapper-event1_03 libdevmapper1_03

- lvm2-monitor.service fails to start (boo#1228854)
  + bug-1228854_lvm2-monitor-service-start-after-system-fully-booted.patch

==== lz4 ====
Subpackages: liblz4-1 liblz4-1-x86-64-v3

- Switch to cmake build system: Creates extra cmake modules
  for consuming projects

==== openSUSE-release ====
Version update (20240815 -> 20240816)
Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd

- automatically generated by openSUSE-release-tools/pkglistgen

==== python-kiwi ====
Version update (10.0.27 -> 10.1.2)

- Bump version: 10.1.1 → 10.1.2
- Improve error reporting for remote deployment
  Add new method called show_log_and_quit which displays the
  written error log file as a file box to the user
- Update test-image-orthos integration test
  Update the test such that you can also build it locally.
  Change the remote installation target to be a ramdisk for
  easy testing of remote deployments
- Setup default minimum volume size per filesystem
  The former method provided a static value but there are
  huge differences for the minimum size requirement of a
  filesystem. For example extX is fine with 30MB whereas
  XFS requires 300MB. This commit adds a more dynamic
  default value based on the used filesystem.
- Increase default volume size
  So far 30MB was set as default volume size which is by far
  too small for a number of filesystems, e.g. btrfs and also XFS.
  This commit increases the default volume size such that all
  modern filesystems build if the default volume size is used.
- Update test-image-raid
  Apart from testing raid this integration test also tests
  a certain LVM volume setup. The test has been updated to
  use the btrfs filesystem because it has the most strict
  size requirements.
- Bump version: 10.1.0 → 10.1.1
- Mandatory package scripts for Debian bootstrap
  Make sure to run some mandatory package pre/post scripts
  such that settings like /etc/passwd, a root user, etc. exist.
  This action can also be done in post_bootstrap.sh but I
  think it's better to do this in the core code
- Bump version: 10.0.28 → 10.1.0
- kiwi no longer uses debootstrap
  For building Debian based images we used debootstrap to
  bootstrap an empty root until apt-get could be used to
  complete the job. This has now changed such that apt-get
  is also used for bootstrapping a new system. The concept and
  also potential alternatives to the way kiwi bootstraps
  Debian based systems can be found here:
  * https://osinside.github.io/kiwi/working_with_images/build_without_debianbootstrap.html
  Due to the drop of debootstrap it might happen that package
  lists of existing image descriptions need to be extended with
  packages that were formerly pulled in by debootstrap but did
  not get properly pulled in with the new apt based bootstrap.
  As reference please check out the integration tests from here:
  * https://github.com/OSInside/kiwi/tree/main/build-tests/x86/ubuntu
  * https://github.com/OSInside/kiwi/tree/main/build-tests/x86/debian
  Thanks
- Bump version: 10.0.27 → 10.0.28
- Update documentation
  kiwi no longer uses debootstrap
- Fix test_process_result_bundle_as_rpm
- Fix Debian/Ubuntu integration tests
  Remove package hacks for debootstrap, explicitly add
  required packages and/or configurations.
- Drop types-pkg_resources
  Got removed from PyPI
- Fix test_process_result_bundle_as_rpm
  os.path.basename was called on a MagicMock object which
  sometimes confused pytest
- Fix kiwi-repart restrictions
  The kiwi repart dracut module reads a profile file and if
  it does not exist it dies in the initrd. However, that
  profile file is not mandatory for the main resize
  functionality. Thus this commit turns this into a warning
  message. In addition the module-setup for 90kiwi-repart
  makes sure to include the required and optional profile
  files. This Fixes bsc#1228118

==== texlive ====

- Added -Wno-error=incompatible-pointer-types to optflags to work
  around boo#1228342 and enable build with GCC 14 on 32bit
  architectures.

==== unbound ====
Version update (1.20.0 -> 1.21.0)
Subpackages: libunbound8 unbound-anchor

- Update to 1.21.0:
  Security Fixes:
  * Merge #1073: fix null pointer dereference issue in function
    ub_ctx_set_fwd. [CVE-2024-43167, bsc#1229068]
  Features:
  * Fix #1071: [FR] Clear both in-memory and cachedb module cache
    with `unbound-control flush*` commands.
  * Fix #144: Port ipset to BSD pf tables.
  * Add dnstap-sample-rate that logs only 1/N messages, for high
    volume server environments. Thanks Dan Luther.
  * Add root key 38696 from 2024 for DNSSEC validation. It is added
    to the default root keys in unbound-anchor. The content can be
    inspected with `unbound-anchor -l`.
  * Merge #1090: Cookie secret file. Adds
    `cookie-secret-file: "unbound_cookiesecrets.txt"` option to
    store cookie secrets for EDNS COOKIE secret rollover. The remote
    control add_cookie_secret, activate_cookie_secret and
    drop_cookie_secret commands can be used for rollover, the
    command print_cookie_secrets shows the values in use.
  Bug Fixes:
  * Fix CAMP issues with global quota. Thanks to Huayi Duan, Marco
    Bearzi, Jodok Vieli, and Cagin Tanir from NetSec group, ETH
    Zurich.
  * Fix CacheFlush issues with limit on NS RRs.
    Thanks to Yehuda Afek, Anat Bremler-Barr, Shoham Danino and
    Yuval Shavitt (Tel-Aviv University and Reichman University).
  * Merge #1062: Fix potential overflow bug while parsing port in
    function cfg_mark_ports.
  * Fix for #1062: declaration before statement, avoid print of
    null, and redundant check for array size.
  * Fix to squelch udp connect errors in the log at low verbosity
    about invalid argument for IPv6 link local addresses.
  * Fix when the mesh jostle is exceeded that nameserver targets are
    marked as resolved, so that the lookup is not stuck on the
    requestlist.
  * Add missing common functions to tdir tests.
  * Merge #1070: Fix rtt assignment for low values of
    infra-cache-max-rtt.
  * Merge #1069: Fix unbound-control stdin commands for
    multi-process Unbounds.
  * Fix unbound-control commands that read stdin in multi-process
    operation (local_zones_remove, local_zones, local_datas_remove,
    local_datas, view_local_datas_remove, view_local_datas). They
    will be properly distributed to all processes. dump_cache and
    load_cache are no longer supported in multi-process operation.
  * Remove testdata/remote-threaded.tdir.
    testdata/09-unbound-control.tdir now checks both single and
    multi process/thread operation.
  * Fix to print a parse error when config is read with no name for
    a forward-zone, stub-zone or view.
  * Fix for parse end of forward-zone, stub-zone and view.
  * Fix for #1064: Fix that cachedb expired messages are considered
    insecure, and thus can be served to clients when dnssec is
    enabled.
  * Fix #1059: Intermittent DNS blocking failure with local-zone and
    always_nxdomain. Addition of local_zones dynamically via
    unbound-control was not finding the zone's parent correctly.
  * Fix #1064: Unbound 1.20 Cachedb broken?
  * Fix unused variable warning on compilation with no thread
    support.
  * unbound-control-setup: check openssl availability before doing
    anything, patch from Michael Tokarev.
  * Update patch to remove 'command' shell builtin and update error
    text.
  * Fix to enable that SERVFAIL is cached, for a short period, for
    more cases. In the cases where limits are exceeded.
  * Fix spelling of tcp-idle-timeout docs, from Michael Tokarev.
  * Merge #1078: Only check old pid if no username.
  * Fix #1079: tags from tagged rpz zones are no longer honored
    after upgrade from 1.19.3 to 1.20.0.
  * Fix for #1079: fix RPZ taglist in iterator callback that no
    client info is like no taglist intersection.
  * Fix to squelch connection reset by peer errors from log. And fix
    that the tcp read errors are labeled as initial for the first
    calls.
  * Merge #1080: AddressSanitizer detection in tdir tests and memory
    leak fixes.
  * Fix memory leak when reload_keep_cache is used and num-threads
    changes.
  * Fix memory leak on exit for unbound-dnstap-socket; creates false
    negatives during testing.
  * Fix memory leak in setup of dsa sig.
  * Fix typos for 'the the' in text.
  * Fix validation for repeated use of a DNAME record.
  * Add unit test for validation of repeated use of a DNAME record.
  * Fix #1091: Build fails with OpenSSL >= 3.0 built with
    OPENSSL_NO_DEPRECATED.
  * Fix #1092: Ubuntu 22.04 Jammy fails to compile unbound 1.20.0;
    by adding helpful text for the Python interpreter version and
    allowing the default pkg-config unavailability error message to
    be shown.
  * Fix pkg-config availability check in dnstap/dnstap.m4 and
    systemd.m4.
  * Explicitly set the RD bit for the mesh query flags when
    prefetching. These queries have no waiting client but they need
    to be treated as recursive.
  * Fix ip-ratelimit-cookie setting, it was not applied.
  * Fix to remove unused include from the readzone test program.
... changelog too long, skipping 91 lines ...
    example.conf.