Removed rpms
============

 - alsa-oss-32bit
 - alsa-plugins-32bit
 - gettext-runtime-32bit
 - glibc-32bit
 - cyrus-sasl-plain-32bit
 - glibc-locale-base-32bit
 - krb5-32bit
 - libFLAC8-32bit
 - libacl1-32bit
 - libavahi-client3-32bit
 - libblkid1-32bit
 - libbz2-1-32bit
 - libdbus-1-3-32bit
 - libfontconfig1-32bit
 - libgcrypt20-32bit
 - libglib-2_0-0-32bit
 - libkeyutils1-32bit
 - liblua5_3-5-32bit
 - libmount1-32bit
 - libnss_usrfiles2-32bit
 - libogg0-32bit
 - libssh4-32bit
 - libtevent0-32bit
 - libunistring2-32bit
 - libvorbis0-32bit
 - libxcb1-32bit
 - samba-ad-dc-libs-32bit
 - qemu-ipxe
 - libBasicUsageEnvironment1
 - libXau6-32bit
 - libattr1-32bit
 - libbrotlicommon1-32bit
 - libcap2-32bit
 - libcom_err2-32bit
 - libcurl4-32bit
 - libffi7-32bit
 - libgnutls30-32bit
 - libjansson4-32bit
 - libldap-2_4-2-32bit
 - libnghttp2-14-32bit
 - libnsl2-32bit
 - libpng16-16-32bit
 - libpsl5-32bit
 - libpwquality1-32bit
 - libsasl2-3-32bit
 - libsndfile1-32bit
 - libtalloc2-32bit
 - libtextstyle0-32bit
 - nss-mdns-32bit
 - pam_pwquality-32bit
 - qemu-seabios
 - qemu-sgabios
 - rpm-32bit

Added rpms
==========

 - cyrus-sasl-plain-32bit
 - glibc-locale-base-32bit
 - alsa-oss-32bit
 - alsa-plugins-32bit
 - gettext-runtime-32bit
 - glibc-32bit
 - libXau6-32bit
 - libattr1-32bit
 - libbrotlicommon1-32bit
 - libcap2-32bit
 - libcom_err2-32bit
 - libcurl4-32bit
 - libffi7-32bit
 - libgnutls30-32bit
 - libjansson4-32bit
 - libldap-2_4-2-32bit
 - libnghttp2-14-32bit
 - libnsl2-32bit
 - libpng16-16-32bit
 - libpsl5-32bit
 - libpwquality1-32bit
 - libsasl2-3-32bit
 - libsndfile1-32bit
 - libtalloc2-32bit
 - libtextstyle0-32bit
 - nss-mdns-32bit
 - pam_pwquality-32bit
 - rpm-32bit
 - qemu-seabios
 - qemu-sgabios
 - krb5-32bit
 - libBasicUsageEnvironment2
 - libFLAC8-32bit
 - libacl1-32bit
 - libavahi-client3-32bit
 - libblkid1-32bit
 - libbz2-1-32bit
 - libdbus-1-3-32bit
 - libfontconfig1-32bit
 - libgcrypt20-32bit
 - libglib-2_0-0-32bit
 - libkeyutils1-32bit
 - liblua5_3-5-32bit
 - libmount1-32bit
 - libnss_usrfiles2-32bit
 - libogg0-32bit
 - libssh4-32bit
 - libtevent0-32bit
 - libunistring2-32bit
 - libvorbis0-32bit
 - libxcb1-32bit
 - qemu-ipxe
 - samba-ad-dc-libs-32bit
 - wicked-nbft

Package Source Changes
======================

ImageMagick
+  fix CVE-2022-44267 [bsc#1207982], denial of service when parsing a PNG image
+  fix CVE-2022-44268 [bsc#1207983], arbitrary file disclosure when parsing a PNG image
+  + ImageMagick-CVE-2022-44267,44268.patch
+
+- security update
+- added patches
NetworkManager-applet
+- Add meson-0.61-build-fix.patch to fix the build on meson >= 0.61
+  (jsc#PED-2644, glgo#GNOME/network-manager-applet!107)
+
acl
+- test: Add helper library to fake passwd/group files
+- quote: escape literal backslashes (bsc#953659).
+- Added patch:
+  * 0001-test-Add-helper-library-to-fake-passwd-group-files.patch
+  * 0002-quote-escape-literal-backslashes.patch
+
+- refresh acl-2.2.52-tests.patch to work with perl 5.26
+
+- BuildRequires gettext-tools-mini instead of gettext-tools: as
+  acl is part of the bootstrap, we want to try to keep the dep
+  chain as small as possible.
+
+- Remove --with-pic that's just for static libraries.
+- Replace %__-type macro indirections.
+  Replace old $RPM_ by their macro equivalents for consistency.
+  Make the macro style consistent across the file again.
+
+- reenable full Large File Support for i586
+
+- Make it possible to disable tests (for Ring0)
+- Add BuildRequires: system-user-daemon for the testsuite
+
+- Add BuildRequires for system user bin needed by test suite
+
+- Update to git snapshot dated 21 Sep 2015.
+  - Added:
+  * 0001-Install-the-libraries-to-the-appropriate-directory.patch
+  * 0002-setfacl.1-fix-typo-inclu-de-include.patch
+  * 0003-test-fix-insufficient-quoting-of.patch
+  * 0004-Makefile-rename-configure.in-to-configure.ac.patch
+  * 0005-Bad-markup-in-acl.5-page.patch
+  * 0006-.gitignore-ignore-and-config.h.in.patch
+  * 0007-Use-autoreconf-rather-than-autoconf-to-regenerate-th.patch
+  * 0008-libacl-Make-sure-that-acl_from_text-always-sets-errn.patch
+  * 0009-libacl-fix-SIGSEGV-of-getfacl-e-on-overly-long-group.patch
+  * 0010-punt-debian-rpm-packaging-logic.patch
+  * 0011-move-gettext-logic-into-misc.h.patch
+  * 0012-test-make-running-parallel-out-of-tree-safe.patch
+  * 0013-modernize-build-system.patch
+  * 0014-po-regenerate-files-after-move.patch
+  * 0015-build-drop-aclincludedir-use-pkgincludedir.patch
+  * 0016-build-make-use-of-an-aux-dir-to-stow-away-helper-scr.patch
+  * 0017-build-ship-a-pkgconfig-file-for-libacl.patch
+  * 0018-read_acl_-comments-seq-rename-line-to-lineno.patch
+  * 0019-read_acl_-comments-seq-switch-to-next_line.patch
+  * 0020-telldir-return-value-and-seekdir-second-parameters-a.patch
+  * 0021-mark-libmisc-funcs-as-hidden-so-they-are-not-exporte.patch
+  * 0022-add-__acl_-prefixes-to-internal-symbols.patch
+  * 0023-cp.test-Check-permissions-of-the-right-file.patch
+  * 0024-libacl-acl_set_file-Remove-unnecesary-racy-check.patch
+  * 0025-fix-compilation-with-latest-xattr-git.patch
+  * 0026-getfacl-Fix-memory-leak.patch
+  * 0027-Fix-the-display-block-nesting-in-acl.5.patch
+  * 0028-setfacl-man-page-Minor-wording-improvements.patch
+  * 0029-getfacl-Fix-minor-resource-leak.patch
+  * 0030-Do-not-export-symbols-that-are-not-supposed-to-be-ex.patch
+  * 0031-walk_tree-mark-internal-variables-as-static.patch
+  * 0032-ignore-configure.lineno.patch
+- Significant spec file restructuring due to 0013-modernize-build-system.patch
+- removed builddefs.in.diff
+
+- Reduce size of filelist by using wildcards;
+  remove %doc (some locations are always %doc),
+  remove %attr (files already have proper permissions)
+
+- add acl-2.2.52-tests.patch and enable tests, check section taken
+  from Fedora package
+
+- remove gpg-offline calls from bootstrap package
+
+- Update to new upstream release 2.2.52
+  * This release fixes a few build system issues that were found and
+  merges in a tree walking bug fix.
+- Remove acl-fiximplicit.patch (merged upstream),
+  config-guess-sub-update.diff (no longer applies)
+- Sync baselibs.conf with in-.spec obsoletes/provides.
+
+- add gpg checking
+
+- use source url
+
+- Add config-guess-sub-update.diff:
+  update config.guess/sub to latest state for AArch64
+
+- Use OS byteswapping routines, application already Includes
+  "endian.h" but then goes ahead defining ad-hoc equivalent
+  functionality (0001-Use-OS-byteswapping-macros.patch)
+
+- remove useless automake deps
+
+- patch license to follow spdx.org standard
+
+- license update: GPL-2.0+;LGPL-2.1+
+  SPDX format
+
+- add automake as buildrequire to avoid implicit dependency
+
+- Fix provides/Obsoletes
+
+- Implement shlib package (libacl1)
+- Enable libacl-devel on all baselib arches
+
+- upgrade to 2.2.51
+  - Test fixes
+
+- upgrade to 2.2.50
+  - OPTIONS in man pages should be a section heading, not a subsection heading
+  - Fix a typo in the setfacl man page
+  - setfacl: Clarify that removing a non-existent acl entry is not an error
+  - Prevent setfacl --restore from SIGSEGV on malformed restore file
+  - setfacl: make sure that -R only calls stat(2) on symlinks when it needs to
+  - libacl: fix potential null pointer dereference
+  - setfacl: fix restore crash on malformed input
+  - setfacl: print useful error from read_acl_comments
+  - setfacl: changing owner and when S_ISUID should be set --restore fix
+
+- use %_smp_mflags
+
+- add baselibs.conf as a source
+- adjust baselibs.conf for SPARC
+
+- readded incorrectly removed libattr-devel requires in -devel
+
+- fixed implicit strchr() usage.
+
+- do not package static libraries
+- fix -devel package dependencies
+
+- Version bump to 2.2.48
+  - Document the new flags comments
+  - Include the S_ISUID, S_ISGID, S_ISVTX flags in the getfacl output, and restore them with "setfacl --restore=file".
+  - Make sure that getfacl -R only calls stat(2) on symlinks when it needs to
+  - Stop quoting nonprintable characters in the getfacl output
+  - Avoid unnecessary but destructive chown calls
+  - Clarify license notice
+
alsa-oss
-- use https for urls
-
-- Drop the superfluous buildreq alsa-topology-devel again;
-  it's no longer mandatory
-
-- Fix build breakage by the new alsa update; now it requires
-  alsa-topology-devel
-
-- Avoid repetition of name in summary. Update description.
-
-- Update to alsa-oss 1.1.8 (bsc#1181571):
-  Fix the build with the recent glibc
-- Remove obsoleted patch:
-  remove-libio.patch:
-
-- remove-libio.patch: don't use obsolete <libio.h>
-
-- Remove old kludges
-- Run spec-cleaner
-
-- Update to alsa-oss 1.1.6:
-  * Change FSF address (Franklin Street)
-- Use %license file tag
-
-- Updated to alsa-oss 1.0.28:
-  All previous fix patches are obsoleted:
-  0002-Add-AM_MAINTAINER_MODE-enable-to-configure.in.patch
-  0003-Fix-the-argument-passed-to-snd_pcm_dump_setup.patch
-  0004-Workaround-for-aoss-dmix-with-unaligned-rates.patch
-
-- Fix for dmix with unaligned sample rate:
-  0003-Fix-the-argument-passed-to-snd_pcm_dump_setup.patch
-  0004-Workaround-for-aoss-dmix-with-unaligned-rates.patch
-
apr-util
+- security fix CVE-2022-25147, bsc#1207866: buffer overflow
+  possible with specially crafted input
+  + added patch apr-util-CVE-2022-25147.patch
+
bind
+- Update to release 9.16.37
+  Security Fixes:
+  * An UPDATE message flood could cause named to exhaust all
+    available memory. This flaw was addressed by adding a new
+    update-quota option that controls the maximum number of
+    outstanding DNS UPDATE messages that named can hold in a queue
+    at any given time (default: 100). (CVE-2022-3094)
+  * named could crash with an assertion failure when an RRSIG query
+    was received and stale-answer-client-timeout was set to a
+    non-zero value. This has been fixed. (CVE-2022-3736)
+  * named running as a resolver with the
+    stale-answer-client-timeout option set to any value greater
+    than 0 could crash with an assertion failure, when the
+    recursive-clients soft quota was reached. This has been fixed.
+    (CVE-2022-3924)
+  New Features:
+  * The new update-quota option can be used to control the number
+    of simultaneous DNS UPDATE messages that can be processed to
+    update an authoritative zone on a primary server, or forwarded
+    to the primary server by a secondary server. The default is
+    100. A new statistics counter has also been added to record
+    events when this quota is exceeded, and the version numbers for
+    the XML and JSON statistics schemas have been updated.
+  Feature Changes:
+  * The Differentiated Services Code Point (DSCP) feature in BIND
+    has been deprecated. Configuring DSCP values in named.conf now
+    causes a warning to be logged. Note that this feature has only
+    been partly operational since the new Network Manager was
+    introduced in BIND 9.16.0.
+  * The catalog zone implementation has been optimized to work with
+    hundreds of thousands of member zones.
+  Bug Fixes:
+  * In certain query resolution scenarios (e.g. when following
+    CNAME records), named configured to answer from stale cache
+    could return a SERVFAIL response despite a usable, non-stale
+    answer being present in the cache. This has been fixed.
+  [bsc#1207471, bsc#1207473, bsc#1207475, jsc#SLE-24600]
+
+- Update to release 9.16.36
+  Feature Changes:
+  * The auto-dnssec option has been deprecated and will be removed
+    in a future BIND 9.19.x release. Please migrate to
+    dnssec-policy.
+  Bug Fixes:
+  * When a catalog zone was removed from the configuration, in some
+    cases a dangling pointer could cause the named process to
+    crash.
+  * When a zone was deleted from a server, a key management object
+    related to that zone was inadvertently kept in memory and only
+    released upon shutdown. This could lead to constantly
+    increasing memory use on servers with a high rate of changes
+    affecting the set of zones being served.
+  * In certain cases, named waited for the resolution of
+    outstanding recursive queries to finish before shutting down.
+  * The zone <name>/<class>: final reference detached log message
+    was moved from the INFO log level to the DEBUG(1) log level to
+    prevent the named-checkzone tool from superfluously logging
+    this message in non-debug mode.
+  [jsc#SLE-24600]
+
chromium
+- Chromium 110.0.5481.77 (boo#1208029):
+  * CVE-2023-0696: Type Confusion in V8
+  * CVE-2023-0697: Inappropriate implementation in Full screen mode
+  * CVE-2023-0698: Out of bounds read in WebRTC
+  * CVE-2023-0699: Use after free in GPU
+  * CVE-2023-0700: Inappropriate implementation in Download
+  * CVE-2023-0701: Heap buffer overflow in WebUI
+  * CVE-2023-0702: Type Confusion in Data Transfer
+  * CVE-2023-0703: Type Confusion in DevTools
+  * CVE-2023-0704: Insufficient policy enforcement in DevTools
+  * CVE-2023-0705: Integer overflow in Core
+  * Various fixes from internal audits, fuzzing and other initiatives
+- build with bundled libavif
+- dropped patches:
+  * chromium-109-compiler.patch
+  * chromium-icu72-3.patch
+- added patches:
+  * chromium-110-compiler.patch
+  * chromium-110-system-libffi.patch
+  * chromium-110-NativeThemeBase-fabs.patch
+  * chromium-110-CredentialUIEntry-const.patch
+  * chromium-110-DarkModeLABColorSpace-pow.patch
+  * v8-move-the-Stack-object-from-ThreadLocalTop.patch
+
curl
+- Security Fix: [bsc#1207992, CVE-2023-23916]
+  * HTTP multi-header compression denial of service
+  * Add curl-CVE-2023-23916.patch
+
+- Security Fixes:
+  * HSTS ignored on multiple requests [bsc#1207990, CVE-2023-23914]
+  * HSTS amnesia with --parallel [bsc#1207991, CVE-2023-23915]
+  * Add curl-CVE-2023-23914-23915.patch
+
cyrus-sasl
-- CVE-2022-24407: cyrus-sasl: SQL injection in sql_auxprop_store
-  in plugins/sql.c (bsc#1196036)
-  o add upstream patch:
-    0001-CVE-2022-24407-Escape-password-for-SQL-insert-update.patch
-
-- postfix: sasl authentication with password fails (bsc#1194265)
-  Add config parameter --with-dblib=gdbm
-- Avoid converting of /etc/sasldb2 by every update. Convert
-  /etc/sasldb2 only if it is a Berkeley DB
-
-- CVE-2020-8032: cyrus-sasl: Local privilege escalation to root
-  due to insecure tmp file usage. (bsc#1180669)
-  Use /var/adm/update-scripts/ instead of /tmp. Clean up temporary
-  files.
-
-- Remove Berkeley DB dependency (JIRA#SLE-12190)
-  The packages cyrus-sasl and cyrus-sasl-saslauthd are built
-  without Berkeley DB support. gdbm will be used instead of BDB.
-  The packages cyrus-sasl-bdb and cyrus-sasl-saslauthd-bdb are built
-  with Berkeley DB support.
-- Update to 2.1.27
-  * Added support for OpenSSL 1.1
-  * Added support for lmdb
-  * Lots of build fixes
-  * Treat SCRAM and DIGEST-MD5 as more secure than PLAIN when selecting client mech
-  * DIGEST-MD5 plugin:
-    Fixed memory leaks
-    Fixed a segfault when looking for non-existent reauth cache
-    Prevent client from going from step 3 back to step 2
-    Allow cmusaslsecretDIGEST-MD5 property to be disabled
-  * GSSAPI plugin:
-    Added support for retrieving negotiated SSF
-    Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF
-    Properly compute maxbufsize AFTER security layers have been set
-  * SCRAM plugin:
-    Added support for SCRAM-SHA-256
-  * LOGIN plugin:
-    Don’t prompt client for password until requested by server
-  * NTLM plugin:
-    Fixed crash due to uninitialized HMAC context
-- Replace references to /var/adm/fillup-templates with new
-  %_fillupdir macro (boo#1069468)
-- bsc#983938 `After=syslog.target` left-overs in several unit files
-- added patches:
-  fix_libpq-fe_include.diff  for fixing including libpq-fe.h
-- removed patches obsoleted by upstream changes:
-  * shared_link_on_ppc.patch
-  * cyrus-sasl-2.1.27-openssl-1.1.0.patch
-  * 0002-Drop-unused-parameter-from-gssapi_spnego_ssf.patch
-  * 0003-Check-return-error-from-gss_wrap_size_limit.patch
-  * 0004-Add-support-for-retrieving-the-mech_ssf.patch
-  * 0001-Fix-GSS-SPNEGO-mechanism-s-incompatible-behavior.patch
-  * cyrus-sasl-fix-logging-in-gssapi.patch
-
-- Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518)
-  * Add 0002-Drop-unused-parameter-from-gssapi_spnego_ssf.patch
-  * Add 0003-Check-return-error-from-gss_wrap_size_limit.patch
-  * Add 0004-Add-support-for-retrieving-the-mech_ssf.patch
-- Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518)
-  * Add 0001-Fix-GSS-SPNEGO-mechanism-s-incompatible-behavior.patch
-
-- added backport-patch cyrus-sasl-bug587.patch which fixes
-  off-by-one error in _sasl_add_string function
-  (see CVE-2019-19906 bsc#1159635)
-
-- bnc#1044840 syslog is polluted with messages "GSSAPI client step 1"
-  By server context the connection will be sent to the log function.
-  Client content does not have log level information. I.e. there is no
-  way to stop DEBUG level logs, hence I've removed it.
-  * add cyrus-sasl-fix-logging-in-gssapi.patch
-
-- OpenSSL 1.1 support (bsc#1055463)
-  * add cyrus-sasl-2.1.27-openssl-1.1.0.patch from Fedora
-
-- added cyrus-sasl-issue-402.patch to fix
-  SASL GSSAPI mechanism acceptor wrongly returns zero maxbufsize #402
-  (see https://github.com/cyrusimap/cyrus-sasl/issues/402)
-
-- bnc#1026825 saslauthd: :set_auth_mech : unknown authentication mechanism: kerberos5
-
-- really use SASLAUTHD_PARAMS variable (bnc#938657)
-
-- bnc#908883 cyrus-sasl-scram refers to wrong RFC
-
-- Make sure /usr/sbin/rcsaslauthd exists
-
dbus-1
+- Fix a potential crash that could be triggered by an invalid signature.
+  (CVE-2022-42010, bsc#1204111)
+  * fix-upstream-CVE-2022-42010.patch
+- Fix an out of bounds read caused by a fixed length array (CVE-2022-42011,
+  bsc#1204112)
+  * fix-upstream-CVE-2022-42011.patch
+- A message in non-native endianness with out-of-band Unix file descriptors
+  would cause a use-after-free and possible memory corruption (CVE-2022-42012,
+  bsc#1204113)
+  * fix-upstream-CVE-2022-42012.patch
+- Disable asserts (bsc#1087072)
+- Refreshed patches
+  * fix-upstream-CVE-2020-35512.patch
+
+- Remove pointless %%post scriptlet leveraging non-existent systemd env
+  variables
+  FIRST_ARG has been used in our systemd macros, but this has now been gone for
+  years. Thus the true branch of the if has never been executed for years and is
+  only causing warnings when installing dbus.
+
+- Add missing patch for CVE-2020-12049
+  * fix-upstream-CVE-2020-12049_2.patch
+
+- Fix CVE-2020-12049 truncated messages lead to resource exhaustion
+  (CVE-2020-12049, bsc#1172505)
+  * fix-upstream-CVE-2020-12049.patch
+- Rebased fix-CVE-2019-12749.patch
+
+- Fix CVE-2020-35512 - shared UID's caused issues (CVE-2020-35512 bsc#1187105)
+  * fix-upstream-userdb-constpointer.patch
+  * fix-upstream-CVE-2020-35512.patch
+
+- Fix CVE-2019-12749 Authentication bypass (CVE-2019-12749 bsc#1137832)
+  * added fix-CVE-2019-12749.patch
+
+- Make libdbus-1-3 own the %{_datadir}/dbus-1/system.d directory
+
+- Use %license instead of %doc [bsc#1082318]
+
+- Avoid bashisms in scriptlets.
+
+- Avoid ugly error message from %pre(install) script when installing
+  for the first time.
+
+- Don't spit out a warning if /usr/bin/dbus-daemon does not exist
+  when we run the pre-script.
+
+- Swap a missed libdir to libexecdir
+
+- Do not hide errors during useradd.
+
+- Fix dbus-daemon-launch-helper to use proper ref to libexecdir
+
+- use %{_libexecdir}/dbus-1 as libexecdir
+
+- Update to 1.12.2
+  Deprecations:
+  • Eavesdropping is officially deprecated in favour of BecomeMonitor.
+  See the release notes for spec version 0.31 (in dbus 1.11.14).
+  • [Unix] Flag files in /var/run/console/${username} are deprecated.
+  See the release notes for 1.11.18.
+  New APIs:
+  • <allow> and <deny> rules in dbus-daemon configuration can now
+  include send_broadcast="true", send_broadcast="false",
+  max_unix_fds="N", min_unix_fds="N" (for some integer N).
+  See the release notes for 1.11.18.
+  • dbus_try_get_local_machine_id() is like
+  dbus_get_local_machine_id(), but returns a DBusError.
+  • New APIs around DBusMessageIter to simplify cleanup.
+  See the release notes for 1.11.16.
+  • The message bus daemon now implements the standard Introspectable,
+  Peer and Properties interfaces. See the release notes for
+  dbus 1.11.14 and spec version 0.31.
+  • DTDs for introspection XML and bus configuration are installed.
+  • [Unix] A new unix:dir=… address family resembles unix:tmpdir=… but
+  never uses Linux abstract sockets, which is advantageous for
+  containers. On non-Linux it is equivalent to unix:tmpdir=….
+  See the release notes for dbus 1.11.14 and spec version 0.31.
+  • [Unix] New option "dbus-launch --exit-with-x11".
+  • [Unix] Session managers can create transient .service files in
+  $XDG_RUNTIME_DIR/dbus-1/services. See the release notes for 1.11.12.
+  • [Unix] A sysusers.d snippet can create the messagebus user on-demand.
+  Miscellaneous behaviour changes:
+  • [Unix] The session bus now logs to syslog if it was started by
+  dbus-launch.
+  • [Unix] Internal warnings are logged to syslog if configured.
+  • [Unix] Exceeding an anti-DoS limit is logged to syslog if configured,
+  or to stderr.
+- Enabled "make check test suite"
+- Patches removed, fixed upstream
+  * fix-upstream-drop-install-sections-from-user-services.patch
+  * fix-upstream-increase-backlog.patch
+  * fix-upstream-timeout-reset-1.patch
+  * fix-upstream-timeout-reset-2.patch
+
+- boo#1027201 dbus-daemon not found
+- boo#978477 systemd resetting under heavy load
+  * fix-upstream-timeout-reset-1.patch
+  * fix-upstream-timeout-reset-2.patch
+
+- boo#1027200 don't generate machine-id in %post systemd will do it
+  on first boot.
+- swap usage of /bin/false to /usr/bin/false
+- Use libexecdir=%{_libdir}/dbus-1 rather than /lib/dbus-1
+
+- No need to set --libdir anymore now that prefix is /usr/bin,
+  * fixes boo#1047532
+- No need to set --bindir, bindir in dbus-1-x11 was incorrect
+- Other fixes required to properly change prefix
+- Don't pass --with-initscripts we don't use them anymore.
+
+- Update to 1.10.20
+  * Fixes:
+    + Fix a reference leak when blocking on a pending call on a
+    connection that has been disconnected (fdo#101481, Shin-ichi
+    MORITA)
+    + Don't put timestamps in the Doxygen-generated documentation,
+    for closer-to-reproducible builds (fdo#100692, Simon
+    McVittie)
+    + Avoid an assertion failure when connecting to a
+    semicolon-separated series of addresses, one of which fails
+    (fdo#101257, Simon McVittie)
+  * Documentation:
+    + Update git URIs in HACKING document to sync up with
+    cgit.freedesktop.org (fdo#100715, Simon McVittie)
+
+- swap to /usr/bin bsc#1029968
+- Add the following fixes from SLE12
+  * bsc#980928 increase listen() backlog of AF_UNIX sockets to
+    SOMAXCONN fix-upstream-increase-backlog.patch
+- The following bugs were already fixed but are missing changelog
+  entries
+  * bsc#867256 (No longer applicable)
+  * bsc#916785 (No longer applicable)
+  * bsc#1012564 (Not applicable)
+  * fdo#90004 (Fixed Upstream)
+- Rename the following patches as a tidy up
+  * dbus-log-deny.patch to feature-suse-log-deny.patch
+  * dbus-do-autolaunch.patch feature-suse-do-autolaunch.patch
+  * 0001-Add-RefuseManualStartStop.patch to
+    feature-suse-refuse-manual-start-stop.patch
+  * 0001-Drop-Install-sections-from-user-services.patch to
+    fix-upstream-drop-install-sections-from-user-services.patch
+
+- Update to 1.10.18
+  * Fixes
+    + Re-order dbus-daemon startup so that on SELinux systems, the
+    thread that reads AVC notifications retains the ability to
+    write to the audit log (fdo#92832, Debian #857660; Laurent
+    Bigonville)
+    + Fix a harmless read overflow and some memory leaks in a unit
+    test (fdo#100568, Philip Withnall)
+
+- Update to 1.10.16
+  Fixes:
+  * Prevent symlink attacks in the nonce-tcp transport on Unix that could
+  allow an attacker to overwrite a file named "nonce", in a directory
+  that the user running dbus-daemon can write, with a random value
+  known only to the user running dbus-daemon. This is unlikely to be
+  exploitable in practice, particularly since the nonce-tcp transport
+  is really only useful on Windows.
+  (fd.o #99828, Simon McVittie) (bsc#1025950)
+  * Avoid symlink attacks in the "embedded tests", which are not enabled
+  by default and should never be enabled in production builds of dbus.
+  (fd.o #99828, Simon McVittie) (bsc#1025951)
+  * Work around an undesired effect of the fix for CVE-2014-3637
+  (fd.o #80559), in which processes that frequently send fds, such as
+  logind during a flood of new PAM sessions, can get disconnected for
+  continuously having at least one fd "in flight" for too long;
+  dbus-daemon interprets that as a potential denial of service attack.
+  The workaround is to disable that check for uid 0 process such as
+  logind, with a message in the system log. The bug remains open while
+  we look for a more general solution.
+  (fd.o #95263, LP#1591411; Simon McVittie)
+  * Don't run the test test-dbus-launch-x11.sh if X11 autolaunching
+  was disabled at compile time. That test is not expected to work
+  in that configuration. (fd.o #98665, Simon McVittie)
+  Enhancements:
+  * Do the Travis-CI build in Docker containers for Ubuntu LTS, Debian
+  stable and Debian testing in addition to the older Ubuntu that is
+  the default (fd.o #98889, Simon McVittie)
+
+- A note for scripts bsc#974092 (remove sysvinit script) is already
+  fixed here.
+
+- Don't restart dbus on upgrade - Includes temporary work around
+  for last version boo#1020301
+- Add 0001-Add-RefuseManualStartStop.patch don't allow users to Manually
+  start or stop dbus.
+
+- Add systemd unit files to start session bus via systemd
+- Added patch:
+  * 0001-Drop-Install-sections-from-user-services.patch
+    + remove install section from socket unit because it does not
+    need to be enabled explicitly (see fdo#92402)
+
+- Requires systemd >= 209 and drop the compatibility pkg-config
+  names that don't exist in newer systemd
+
+- Drop useless --with-pic which is only for static libs
+- Abort installation when user/group creation fails
+- Avoid calling %service_* more than once
+
+- Build the dbus-1 package without X in the dbus-1.spec
+- Move the dbus-launch.nox11 to the dbus-1 package and install
+  it by default
+- Build devel-doc package in dbus-1.spec and don't build any
+  documentation in dbus-1-x11
+- Make dbus-1-x11 package contains only the X11-enabled dbus-launch
+- Fix some rpmlint warnings
+- Delete the dbus-1-x11.spec.in file, since maintaining it is
+  more complicated than keeping in sync a dbus-1-x11.spec file of
+  less than 120 lines
+
+- Create new subpackage: dbus-1-nox11
+  - contains dbus-launch without x11 support
+- Rename dbus-launch to dbus-launch.x11
+- use update-alternatives to switch between dbus-launch with and
+  without X11
+- Solves [bnc#934214]
+
+- Update to 1.10.12
+  * Security fixes:
+    + Do not treat ActivationFailure message received from
+    root-owned systemd name as a format string. In principle this
+    is a security vulnerability, but we do not believe it is
+    exploitable in practice, because only privileged processes can
+    own the org.freedesktop.systemd1 bus name, and systemd does
+    not appear to send activation failures that contain "%".
+    Please note that this probably *was* exploitable in dbus
+    versions older than 1.6.30, 1.8.16 and 1.9.10 due to a missing
+    check which at the time was only thought to be a denial of
+    service vulnerability (CVE-2015-0245). If you are still
+    running one of those versions, patch or upgrade immediately.
+    (fdo#98157, bsc#1003898, Simon McVittie)
+  * Other fixes:
+    + Harden dbus-daemon against malicious or incorrect
+    ActivationFailure messages by rejecting them if they do not
+    come from a privileged process, or if systemd activation is
+    not enabled (fdo#98157, Simon McVittie)
+    + Avoid undefined behaviour when setting reply serial number
+    without going via union DBusBasicValue (fdo#98035, Marc Mutz)
+    + autogen.sh: fail cleanly if autoconf fails (Simon McVittie)
+
+- Moved dbus-run-session from dbus-1-x11 to dbus-1 (bdo#836296)
+
+- Update to 1.10.10
+  * Fixes:
+    + On Linux, when dbus-daemon is run with reduced susceptibility
+    to the OOM killer (typically via systemd), do not let child
+    processes inherit that setting (fdo#32851;
+    Kimmo Hämäläinen, WaLyong Cho)
+    + Output valid shell syntax in ~/.dbus/session-bus/ if the bus
+    address contains a semicolon (fdo#94746, Thiago Macieira)
+    + Fix memory leaks and thread safety in subprocess starting on
+    Windows (fdo#95191, Ralf Habacker)
+    + Do not require systemd to have a service file if using it for
+    activation (fdo#93194; Simon McVittie; backport from 1.11.0)
+    + Stop test-dbus-daemon incorrectly failing on platforms that
+    cannot discover the process ID of clients (fdo#96653,
+    Руслан Ижбулатов)
+    + In tests that exercise correct handling of crashing D-Bus
+    services, suppress Windows crash handler (fdo#95155;
+    Yiyang Fei, Ralf Habacker)
+    + Explicitly check for stdint.h (Ioan-Adrian Ratiu)
+    + update-activation-environment: produce better diagnostics on
+    error (fdo#96653, Simon McVittie)
+    + Don't fail the build with an unused const variable warning
+    under gcc 6 (fdo#97282; Thomas Zimmermann, Simon McVittie)
+    + Merge dbus-1.10-ci branch, containing backports from 1.11.0
+    in build/test code to support continuous integration
+    (fdo#93194, Simon McVittie)
+  - Avoid -Wunused-label when compiling with libselinux but no
+    libaudit
+  - In development builds, allow OOM tests to be disabled as
+    documented
+  - Accept and ignore the --tap argument in all "embedded
+    tests", and run all automated tests with that argument for
+    better diagnostics
+  - Fix the systemd activation test under CMake by installing
+    the required files
+  - In Automake, fix shell syntax for installcheck-local with
+    no DESTDIR
+  - In Automake, don't try to run manual tests in installcheck
+  - In CMake, don't run manual-tcp test as an automated test
+  - Add travis-ci.org build machinery
+
+- Update to 1.10.8
+  * Fixes:
+    + Enable "large file support" on systems where it exists:
+    dbus-daemon is not expected to open large files, but it might
+    need to stat files that happen to have large inode numbers
+    (fdo#93545, Hongxu Jia)
+    + Eliminate padding inside DBusMessageIter on 64-bit platforms,
+    which might result in a pedantic C compiler not copying the
+    entire contents of a DBusMessageIter; statically assert that
+    this is not an ABI change in practice (fdo#94136, Simon
+    McVittie)
+    + Document dbus-test-tool echo --sleep-ms=N instead of
+    incorrect --sleep=N (fdo#94244, Dmitri Iouchtchenko)
+    + Correctly report test failures in C tests from run-test.sh
+    (fdo#93379; amit tewari, Simon McVittie)
+    + When tests are enabled, run all the marshal-validate tests,
+    not just the even-numbered ones (fdo#93908, Nick Lewycky)
+    + Correct the expected error from one marshal-validate test,
+    which was previously not run due to the above bug (fdo#93908,
+    Simon McVittie)
+
+- Update to 1.10.6
+  * Fixes:
+  - On Unix when running tests as root, don't assert that root
+    and the dbus-daemon user can still call
+    UpdateActivationEnvironment; assert that those privileged
+    users can call BecomeMonitor instead (fdo#93036, Simon
+    McVittie)
+  - On Windows, fix a memory leak in the autolaunch transport
+    (fdo#92899, Simon McVittie)
+  - On Windows Autotools builds, don't run tests that rely on
+    dbus-run-session and other Unix-specifics (fdo#92899, Simon
+    McVittie)
+
+- Update to 1.10.4
+  * Changes between 1.10.2 and 1.10.4
+  - Enhancements:
+    + GetConnectionCredentials, GetConnectionUnixUser and
+    GetConnectionUnixProcessID with argument
+    "org.freedesktop.DBus" will now return details of the
+    dbus-daemon itself. This is required to be able to call
+    SetEnvironment on systemd. (fdo#92857, Jan Alexander
+    Steffens)
+  - Fixes:
+    + Make UpdateActivationEnvironment always fail with
+    AccessDenied on the system bus. Previously, it was
+    possible to configure it so root could call it, but the
+    environment variables were not actually used, because the
+    launch helper would discard them. (fdo#92857, Jan Alexander
+    Steffens)
+    + On Unix with --systemd-activation on a user bus, make
+    UpdateActivationEnvironment pass on its arguments to
+    systemd's SetEnvironment method, solving inconsistency
+    between the environments used for traditional activation
+    and systemd user-service activation. (fdo#92857, Jan
+    Alexander Steffens)
+    + On Windows, don't crash if <syslog/> or --syslog is used
+    (fdo#92538, Ralf Habacker)
+    + On Windows, fix a memory leak when setting a DBusError from
+    a Windows error (fdo#92721, Ralf Habacker)
+    + On Windows, don't go into infinite recursion if we abort the
+    process with backtraces enabled (fdo#92721, Ralf Habacker)
+    + Fix various failing tests, variously on Windows and
+    cross-platform:
+    . don't test system.conf features (users, groups) that only
+    make sense on the system bus, which is not supported on
+    Windows
+    . don't call _dbus_warn() when we skip a test, since it is
+    fatal
+    . fix computation of expected <standard_session_servicedirs/>
+    . when running TAP tests, translate newlines to Unix format,
+    fixing cross-compiled tests under Wine on Linux
+    . don't stress-test refcounting under Wine, where it's
+    really slow
+    . stop assuming that a message looped-back to the test will
+    be received immediately
+    . skip some system bus tests on Windows since they make no
+    sense there (fdo#92538, fdo#92721; Ralf Habacker, Simon
+    McVittie)
+  * Changes between 1.10.0 and 1.10.2
+  - Fixes:
+    + Correct error handling for activation: if there are multiple
+    attempts to activate the same service and it fails
+    immediately, the first attempt would get the correct reply,
+    but the rest would time out. We now send the same error
+    reply to each attempt. (fdo#92200, Simon McVittie)
+    + If BecomeMonitor is called with a syntactically invalid
+    match rule, don't crash with an assertion failure, fixing a
+    regression in 1.9.10. This was not exploitable as a denial
+    of service, because the check for a privileged user is done
+    first. (fdo#92298, Simon McVittie)
+    + On Linux with --enable-user-session, add the bus address to
+    the environment of systemd services for better backwards
+    compatibility (fdo#92612, Jan Alexander Steffens)
+    + On Windows, fix the logic for replacing the installation
+    prefix in service files' Exec lines (fdo#83539; Milan Crha,
+    Simon McVittie)
+    + On Windows, if installed in the conventional layout with
+    ${prefix}/etc and ${prefix}/share, use relative paths
+    between bus configuration files to allow the tree to be
+    relocated (fdo#92028, Simon McVittie)
+    + Make more of the regression tests pass in Windows builds
+    (fdo#92538, Simon McVittie)
+  * Summary of major changes since 1.8.0:
+  - The basic setup for the well-known system and session buses is
+    now done in read-only files in ${datadir} (normally /usr/share).
+  - AppArmor integration has been merged, with features similar to
+    the pre-existing SELinux integration. It is mostly compatible
+    with the patches previously shipped by Ubuntu, with one
+    significant change: Ubuntu's GetConnectionAppArmorSecurityContext
+    method has been superseded by GetConnectionCredentials and was
+    not included.
+  - The --enable-user-session configure option can be enabled
+    by OS integrators intending to use systemd to provide a
+    session bus per user (in effect, treating all concurrent
+    graphical and non-graphical login sessions as one large session).
+  - The new listenable address mode "unix:runtime=yes" listens on
+    $XDG_RUNTIME_DIR/bus, the same AF_UNIX socket used by the
+    systemd user session. libdbus and "dbus-launch --autolaunch"
+    will connect to this address by default. GLib >= 2.45.3 and
+    sd-bus >= 209 have a matching default.
+  - All executables are now dynamically linked to libdbus-1.
+    Previously, some executables, most notably dbus-daemon, were
+    statically linked to a specially-compiled variant of libdbus.
+    This results in various private functions in the _dbus
+    namespace being exposed by the shared library. These are not
+    API, and must not be used outside the dbus source tree.
+  - On platforms with ELF symbol versioning, all public symbols
+    are versioned LIBDBUS_1_3.
+  * New bus APIs:
+  - org.freedesktop.DBus.GetConnectionCredentials returns
+    LinuxSecurityLabel where supported
+  - org.freedesktop.DBus.Monitoring interface (privileged)
+    . BecomeMonitor method supersedes match rules with eavesdrop=true,
+    which are now deprecated
+  - org.freedesktop.DBus.Stats interface (semi-privileged)
+    . now enabled by default
+    . new GetAllMatchRules method
+  - org.freedesktop.DBus.Verbose interface (not normally compiled)
+    . toggles the effect of DBUS_VERBOSE
+  * New executables:
+  - dbus-test-tool
+  - dbus-update-activation-environment
+  * New optional dependencies:
+  - The systemd: pseudo-transport requires libsystemd or libsd-daemon
+  - Complete documentation requires Ducktype and yelp-tools
+  - Full test coverage requires GLib 2.36 and PyGI
+  - AppArmor integration requires libapparmor and optionally libaudit
+  * Dependencies removed:
+  - dbus-glib
+
+- Update to 1.8.20:
+  * Fixes:
+  - Fix a memory leak when GetConnectionCredentials() succeeds
+    (fdo#91008, Jacek Bukarewicz)
+  - Ensure that dbus-monitor does not reply to messages intended
+    for others (fdo#90952, Simon McVittie)
+
+- Account for openSUSE:Leap in the conditional for choosing the right
+  local state directories (boo#941352)
+
+- Move common-begin sections around to make pre_checkin work again
+- Unconditionally build with systemd features, there are no cycles
+  now, systemd no longer buildrequires dbus-1-devel
+
+- Update to 1.8.18:
+  * Security hardening:
+  - On Unix platforms, change the default configuration for the
+    session bus to only allow EXTERNAL authentication (secure
+    kernel-mediated credentials-passing), as was already done for
+    the system bus.
+    This avoids falling back to DBUS_COOKIE_SHA1, which relies on
+    strongly unpredictable pseudo-random numbers; under certain
+    circumstances (/dev/urandom unreadable or malloc() returns
+    NULL), dbus could fall back to using rand(), which does not
+    have the desired unpredictability. The fallback to rand() has
+    not been changed in this stable-branch since the necessary
+    code changes for correct error-handling are rather intrusive.
+    If you are using D-Bus over the (unencrypted!) tcp: or
+    nonce-tcp: transport, in conjunction with DBUS_COOKIE_SHA1
+    and a shared home directory using NFS or similar, you will
+    need to reconfigure the session bus to accept DBUS_COOKIE_SHA1
+    by commenting out the <auth> element. This configuration is
+    not recommended. (bsc#931066, fdo#90414, Simon McVittie)
+  * Other fixes:
+  - Add locking to DBusCounter's reference count and notify
+    function (fdo#89297, Adrian Szyndela)
+  - Ensure that DBusTransport's reference count is protected by
+    the corresponding DBusConnection's lock (fdo#90312,
+    Adrian Szyndela)
+  - On Windows, listen on the same port for IPv4 and IPv6
+    (previously broken by an endianness mistake), and fix a
+    failure to bind TCP sockets on approximately 1 attempt in 256
+    (fdo#87999, Ralf Habacker)
+  - Correctly release DBusServer mutex before early-return if we
+    run out of memory while copying authentication mechanisms
+    (fdo#90021, Ralf Habacker)
+  - Correctly initialize all fields of DBusTypeReader (fdo#90021,
+    Ralf Habacker, Simon McVittie)
+  - Fix some missing \n in verbose (debug log) messages
+    (fdo#90021, Ralf Habacker)
+  - Clean up some memory leaks in test code (fdo#90021,
+    Ralf Habacker)
+
+- Sync changes from SLE12 conditionalized for suse_version <= 1315
+
+- Update to 1.8.16:
+  * Security fixes:
+  - Do not allow non-uid-0 processes to send forged
+    ActivationFailure messages. On Linux systems with systemd
+    activation, this would allow a local denial of service:
+    unprivileged processes could flood the bus with these forged
+    messages, winning the race with the actual service activation
+    and causing an error reply to be sent back when service
+    auto-activation was requested. This does not prevent the real
+    service from being started, so it only works while the real
+    service is not running. (CVE-2015-0245, fdo#88811, bnc#916343;
+    Simon McVittie)
+  * Other fixes:
+  - fix a Windows build failure (fdo#88009, Ralf Habacker)
+  - on Windows, allow up to 8K connections to the dbus-daemon
+    instead of the previous 64, completing a previous fix which
+    only worked under Autotools (fdo#71297, Ralf Habacker)
+
+- Update to 1.8.14
+  * Security hardening:
+  - Do not allow calls to UpdateActivationEnvironment from uids
+    other than the uid of the dbus-daemon. If a system service
+    installs unsafe security policy rules that allow arbitrary
+    method calls (such as CVE-2014-8148) then this prevents
+    memory consumption and possible privilege escalation via
+    UpdateActivationEnvironment.
+    We believe that in practice, privilege escalation here is
+    avoided by dbus-daemon-launch-helper sanitizing its
+    environment; but it seems better to be safe.
+  - Do not allow calls to UpdateActivationEnvironment or the
+    Stats interface on object paths other than
+    /org/freedesktop/DBus. Some system services install unsafe
+    security policy rules that allow arbitrary method calls to
+    any destination, method and interface with a specified object
+    path; while less bad than allowing arbitrary method calls,
+    these security policies are still harmful, since dbus-daemon
+    normally offers the same API on all object paths and other
+    system services might behave similarly.
+  * Other fixes:
+  - Add missing initialization so GetExtendedTcpTable doesn't
+    crash on Windows Vista SP0 (fdo#77008, Ilya A. Tkachenko)
+
+- Update to 1.8.12:
+  * Fixes:
+  - Partially revert the CVE-2014-3639 patch by increasing the
+    default authentication timeout on the system bus from 5
+    seconds back to 30 seconds, since this has been reported to
+    cause boot regressions for some users, mostly with parallel
+    boot (systemd) on slower hardware.
+    On fast systems where local users are considered particularly
+    hostile, administrators can return to the 5 second timeout
+    (or any other value in milliseconds) by saving this as
+    /etc/dbus-1/system-local.conf:
+    <busconfig>
+    <limit name="auth_timeout">5000</limit>
+    </busconfig>
+    (fdo#86431, Simon McVittie)
+  - Add a message in syslog/the Journal when the auth_timeout is
+    exceeded (fdo#86431, Simon McVittie)
+  - Send back an AccessDenied error if the addressed recipient is
+    not allowed to receive a message (and in builds with
+    assertions enabled, don't assert under the same conditions).
+    (fdo#86194, Jacek Bukarewicz)
+
+- Update to 1.8.10:
+  * Security fixes:
+  - Increase dbus-daemon's RLIMIT_NOFILE rlimit to 65536
+    so that CVE-2014-3636 part A cannot exhaust the system bus'
+    file descriptors, completing the incomplete fix in 1.8.8.
+    (CVE-2014-7824, fdo#85105; Simon McVittie, Alban Crequy)
+
f2fs-tools
+- Replace transitional %usrmerged macro with regular version check (boo#1206798)
+
flac
+- Fix out of bound write in append_to_verify_fifo_interleaved_
+  (CVE-2021-0561 bsc#1196660):
+  libFlac-Exit-at-EOS-in-verify-mode.patch
+
+- Fix memory leak (CVE-2020-0487 bsc#1180112):
+  stream_decoder.c-Fix-a-memory-leak.patch
+
+- Fix out-of-bounds access (CVE-2020-0499 bsc#1180099):
+  libFLAC-bitreader.c-Fix-out-of-bounds-read.patch
+
+- Fix memory leak in read_metadata_vorbiscomment_() function
+  (CVE-2017-6888, bsc#1091045):
+  flac-CVE-2017-6888.patch
+
+- Update to version 1.3.2
+  * Fix undefined behaviour using GCC/Clang UBSAN (erikd).
+  * General hardening via fuzz testing with AFL (erikd and
+    others).
+  * General code improvements (lvqcl, erikd and others).
+  * Add FLAC in MP4 specification docs (Ralph Giles).
+  * Fix some cppcheck warnings (erikd).
+  * Assume all currently used OSes support SSE2.
+  flac:
+  * Fix potential infinite loop on flac-to-flac conversion
+    (erikd).
+  * Add WAVEFORMATEXTENSIBLE to WAV (as needed) when
+    decoding (lvqcl).
+  * Only write vorbis-comments if they are non-empty.
+  * Error out if decoding RAW with bits != (8|16|24).
+  metaflac:
+  * Add --scan-replay-gain option.
+  libraries:
+  * CPU detection cleanup and fixes (Julian Calaby, erikd
+    and lvqcl).
+  * Fix two stream decoder bugs (Max Kellermann).
+  * Fix a NULL dereference bug (on a malformed file).
+  * Changed the LPC order guess for a slight compression
+    improvement, particularly for classical music
+    (Martijn van Beurden).
+  * Improved encoding speed on older Intel CPUs.
+  * Fixed a seeking bug when decoding certain files
+    (Miroslav Lichvar).
+  * Put an upper bound (32768) on the number of seek
+    points.
+  * Fix potential memory leaks.
+  * Support 64bit brword/bwword allowing
+    FLAC__BYTES_PER_WORD to be set to 8 (disabled by
+    default).
+  * Fix an out-of-bounds heap read.
+- Refreshed flac-cflags.patch
+
+- Drop patch that should be upstreamed first, otherwise we will
+  have to keep it forever:
+  * flac-ocloexec.patch
+- Drop wrong patch:
+  * flac-fix-pkgconfig.patch
+    + If using this change you get assert.h include overridden in your
+    project by the one from FLAC/ which is not what upstream desired
+    If packages fail to build they should fix their include
+
+- Build documentation as noarch
+
+- Cleanup spec file with spec-cleaner
+- Update url
+- Remove no longer needed patches
+  * flac-fix-CVE-2014-8962.patch
+  * flac-fix-CVE-2014-9028.patch
+  * 0001-getopt_long-not-broken-here.patch
+- Remove following as benefit of using openssl is small
+  * 0001-Allow-use-of-openSSL.patch
+- Add flac-cflags.patch
+- Use doxygen to build documentation
+- Split documentation to separate package
+- Update to 1.3.1
+  * Improved decoding efficiency of all bit depths but especially
+    so for 24 bits for IA32 architecture (lvqcl and Miroslav Lichvar).
+  * Faster encoding using SSE and AVX (lvqcl).
+  * Fixed bartlett, bartlett_hann and triangle functions.
+  * New apodization functions partial_tukey and punchout_tukey for
+    improved compression (Martijn van Beurden).
+  * Retuned compression presets to incorporate new apodization
+    functions (Martijn van Beurden).
+  * Fix -Wcast-align warnings on armhf architecture (Erik de
+    Castro Lopo).
+  * Help output documentation improvements.
+  * I/O buffering improvements on Windows to reduce disk
+    fragmentation when writing files.
+  * Only write vorbis-comments if they are non-empty.
+  * Fix symbol visibility in XMMS plugin.
+  * Many fixes and improvements across all the build systems.
+  * Fix CVE-2014-9028 (heap write overflow) and CVE-2014-8962
+    (heap read overflow)
+
+- A couple of security fixes:
+  * flac-fix-CVE-2014-8962.patch:
+    arbitrary code execution by a stack overflow (CVE-2014-8962,
+    bnc#906831)
+  * flac-fix-CVE-2014-9028.patch:
+    Heap overflow via specially crafted .flac files (CVE-2014-9028,
+    bnc#907016)
+
+- Update to final upstream release 1.3.0
+  * No user-visible changes
+- More robust make install call
+
freerdp
+- Multiple CVE fixes (bsc#1205512)
+  + Add freerdp-Added-missing-length-checks-in-zgfx_decompress_segme.patch
+  * Fixes CVE-2022-39316 & CVE-2022-39317
+  + Add freerdp-CVE-2022-39320.patch
+  * Added missing length check in urb_control_transfer
+  + Add freerdp-CVE-2022-39347.patch
+  * Fix path validation in drive channel
+  + Add freerdp-CVE-2022-41877.patch
+  * Fixed missing stream length check in drive_file_query_directory
+
gnome-chess
+- Update to version 43.1:
+  + Fix build with latest valac.
+  + Fix keyboard shortcuts dialog.
+  + Updated translations.
+
gnome-sudoku
+- Update to version 43.1:
+  + Revert "Fix redundant undo stack entries for earmarks".
+  + Warnings when solution to puzzle is violated no longer consider
+    earmarks.
+  + Updated translations.
+
gnutls
-- FIPS: Change all the 140-2 references to FIPS 140-3 in order to
-  account for the new FIPS certification [bsc#1207346]
-  * Add gnutls-FIPS-140-3-references.patch
-
-- FIPS: GnuTLS DH/ECDH PCT public key regeneration [bsc#1207183]
-  * Add gnutls-FIPS-PCT-DH.patch gnutls-FIPS-PCT-ECDH.patch
-
-- Fix AVX CPU feature detection for OSXSAVE [bsc#1203299]
-  * Fixes a SIGILL termination at the vzeroupper instruction when
-    trying to run GnuTLS on a Linux kernel with the noxsave command
-    line parameter set. Relevant mostly for virtual systems.
-  * Upstream bug: https://gitlab.com/gnutls/gnutls/issues/1282
-  * Add gnutls-clear-AVX-bits-if-it-cannot-be-queried-XSAVE.patch
-
-- FIPS: Set error state when jent init failed in FIPS mode [bsc#1202146]
-  * Add patch gnutls-FIPS-Set-error-state-when-jent-init-failed.patch
-
-- FIPS: Make XTS key check failure not fatal [bsc#1203779]
-  * Add gnutls-Make-XTS-key-check-failure-not-fatal.patch
-
-- FIPS: Zeroize the calculated hmac and new_hmac in the
-  check_binary_integrity() function. [bsc#1191021]
-  * Add gnutls-FIPS-Zeroize-check_binary_integrity.patch
-
-- FIPS: Additional modifications to the SLI. [bsc#1190698]
-  * Mark CMAC and GMAC as non-approved in gnutls_pbkfd2().
-  * Mark HMAC keylength less than 112 bits as non-approved in
-    gnutls_pbkfd2().
-  * Adapt the pbkdf2 selftest and the regression tests accordingly.
-  * Add gnutls-FIPS-SLI-pbkdf2-verify-keylengths-only-SHA.patch
-
-- FIPS: Port GnuTLS to use jitterentropy [bsc#1202146, jsc#SLE-24941]
-  * Add new dependency on jitterentropy
-  * Add gnutls-FIPS-jitterentropy.patch
-
-- Security fix: [bsc#1202020, CVE-2022-2509]
-  * Fixed double free during verification of pkcs7 signatures
-  * Add gnutls-CVE-2022-2509.patch
-
-- FIPS:
-  * Modify gnutls-FIPS-force-self-test.patch [bsc#1198979]
-  - gnutls_fips140_run_self_tests now properly releases fips_context
-
-- FIPS:
-  * Add gnutls_ECDSA_signing.patch [bsc#1190698]
-  - Check minimum keylength for symmetric key generation
-  - Only allows ECDSA signature with valid set of hashes
-    (SHA2 and SHA3)
-  * Add gnutls-FIPS-force-self-test.patch [bsc#1198979]
-  - Provides interface for running library self tests on-demand
-  - Upstream: https://gitlab.com/gnutls/gnutls/-/merge_requests/1598
-
-- FIPS: Make sure zeroization is performed in all API functions
-  * Add gnutls-zeroization-API-functions.patch [bsc#1191021]
-  * Upstream: https://gitlab.com/gnutls/gnutls/-/merge_requests/1573
-
-- FIPS: Add missing requirements for the SLI [bsc#1190698]
-  * Remove 3DES from FIPS approved algorithms:
-  - gnutls-Remove-3DES-from-FIPS-approved-algos.patch
-  - Upstream: https://gitlab.com/gnutls/gnutls/-/merge_requests/1570
-  * DRBG service (gnutls_rnd) should be considered approved:
-  - gnutls-Add-missing-FIPS-service-indicator-transitions.patch
-  - gnutls-Add-missing-FIPS-service-indicator-transitions-tests.patch
-  - gnutls-pkcs12-tighten-algorithm-checks-under-FIPS.patch
-  - Upstream: https://gitlab.com/gnutls/gnutls/-/merge_requests/1569
-
-- FIPS: Mark AES-GCM as approved in the TLS context [bsc#1194907]
-  * Add gnutls-FIPS-Mark-HKDF-and-AES-GCM-as-approved-when-used-in-TLS.patch
-  * Upstream issue: https://gitlab.com/gnutls/gnutls/issues/1311
-
-- FIPS: Additional PBKDF2 requirements for KAT [bsc#1184669]
-  * The IG 10.3.A and SP800-132 require some minimum parameters for
-    the salt length, password length and iteration count. These
-    parameters should be also used in the KAT.
-  * Add gnutls-FIPS-PBKDF2-KAT-requirements.patch
-  * Upstream: https://gitlab.com/gnutls/gnutls/merge_requests/1561
-- Enable to run the regression tests also in FIPS mode.
-
-- Update to 3.7.3: [bsc#1190698, bsc#1190796]
-  * libgnutls: The allowlisting configuration mode has been added
-    to the system-wide settings. In this mode, all the algorithms
-    are initially marked as insecure or disabled, while the
-    applications can re-enable them either through the [overrides]
-    section of the configuration file or the new API (#1172).
-  * The build infrastructure no longer depends on GNU AutoGen for
-    generating command-line option handling, template file parsing
-    in certtool, and documentation generation (#773, #774). This
-    change also removes run-time or bundled dependency on the
-    libopts library, and requires Python 3.6 or later to regenerate
-    the distribution tarball. Note that this brings in known backward
-    incompatibility in command-line tools, such as long options are
-    now case sensitive, while previously they were treated in a case
-    insensitive manner: for example --RSA is no longer a valid option
-    of certtool. The existing scripts using GnuTLS tools may need
-    adjustment for this change.
-  * libgnutls: The tpm2-tss-engine compatible private blobs can be loaded
-    and used as a gnutls_privkey_t (#594). The code was originally written
-    for the OpenConnect VPN project by David Woodhouse. To generate such
-    blobs, use the tpm2tss-genkey tool from tpm2-tss-engine:
-    https://github.com/tpm2-software/tpm2-tss-engine/#rsa-operations
-    or the tpm2_encodeobject tool from unreleased tpm2-tools.
-  * libgnutls: The library now transparently enables Linux KTLS (kernel
-    TLS) when the feature is compiled in with --enable-ktls configuration
-    option (#1113). If the KTLS initialization fails it automatically falls
-    back to the user space implementation.
-  * certtool: The certtool command can now read the Certificate Transparency
-    (RFC 6962) SCT extension (#232).  New API functions are also provided to
-    access and manipulate the extension values.
-  * certtool: The certtool command can now generate, manipulate, and evaluate
-    x25519 and x448 public keys, private keys, and certificates.
-  * libgnutls: Disabling a hashing algorithm through "insecure-hash"
-    configuration directive now also disables TLS ciphersuites that use it
-    as a PRF algorithm.
-  * libgnutls: PKCS#12 files are now created with modern algorithms by default
-    (!1499). Previously certtool used PKCS12-3DES-SHA1 for key derivation and
-    HMAC-SHA1 as an integrity measure in PKCS#12.  Now it uses AES-128-CBC with
-    PBKDF2 and SHA-256 for both key derivation and MAC algorithms, and the
-    default PBKDF2 iteration count has been increased to 600000.
-  * libgnutls: PKCS#12 keys derived using GOST algorithm now uses
-    HMAC_GOSTR3411_2012_512 instead of HMAC_GOSTR3411_2012_256 for integrity,
-    to conform with the latest TC-26 requirements (#1225).
-  * libgnutls: The library now provides a means to report the status
-    of approved cryptographic operations (!1465). To adhere to the
-    FIPS140-3 IG 2.4.C., this complements the existing mechanism to
-    prohibit the use of unapproved algorithms by making the library
-    unusable state.
-  * gnutls-cli: The gnutls-cli command now provides a --list-config
-    option to print the library configuration (!1508).
-  * libgnutls: Fixed possible race condition in
-    gnutls_x509_trust_list_verify_crt2 when a single trust list object
-    is shared among multiple threads (#1277). [GNUTLS-SA-2022-01-17,
-    CVSS: low]
-  * API and ABI modifications:
-    GNUTLS_PRIVKEY_FLAG_RSA_PSS_FIXED_SALT_LENGTH: new flag in
-    gnutls_privkey_flags_t
-    GNUTLS_VERIFY_RSA_PSS_FIXED_SALT_LENGTH: new flag in
-    gnutls_certificate_verify_flags
-    gnutls_ecc_curve_set_enabled: Added.
-    gnutls_sign_set_secure: Added.
-    gnutls_sign_set_secure_for_certs: Added.
-    gnutls_digest_set_secure: Added.
-    gnutls_protocol_set_enabled: Added.
-    gnutls_fips140_context_init: New function
-    gnutls_fips140_context_deinit: New function
-    gnutls_fips140_push_context: New function
-    gnutls_fips140_pop_context: New function
-    gnutls_fips140_get_operation_state: New function
-    gnutls_fips140_operation_state_t: New enum
-    gnutls_transport_is_ktls_enabled: New function
-    gnutls_get_library_configuration: New function
-  * Remove patches fixed in the update:
-  - gnutls-FIPS-module-version.patch
-  - gnutls-FIPS-service-indicator.patch
-  - gnutls-FIPS-service-indicator-public-key.patch
-  - gnutls-FIPS-service-indicator-symmetric-key.patch
-  - gnutls-FIPS-RSA-PSS-flags.patch
-  - gnutls-FIPS-RSA-mod-sizes.patch
-
-- FIPS: Fix regression tests in fips and non-fips mode [bsc#1194468]
-  * Add gnutls-FIPS-disable-failing-tests.patch
-  * Remove patches:
-  - gnutls-temporarily_disable_broken_guile_reauth_test.patch
-  - gnutls-3.6.0-disable-flaky-dtls_resume-test.patch
-  - disable-psk-file-test.patch
-
-- FIPS: Provide module identifier and version [bsc#1190796]
-  * Add configurable options to output the module name/identifier
-    (--with-fips140-module-name) and the module version
-    (--with-fips140-module-version).
-  * Add the CLI option list-config that reports the configuration
-    of the library.
-  * Add gnutls-FIPS-module-version.patch
-
-- FIPS: Provide a service-level indicator [bsc#1190698]
-  * Add support for a "service indicator" as required in
-    the FIPS140-3 Implementation Guidance in section 2.4.C
-  * Add patches:
-  - gnutls-FIPS-service-indicator.patch
-  - gnutls-FIPS-service-indicator-public-key.patch
-  - gnutls-FIPS-service-indicator-symmetric-key.patch
-  - gnutls-FIPS-RSA-PSS-flags.patch
-
-- FIPS: RSA KeyGen/SigGen fail with 4096 bit key sizes [bsc#1192008]
-  * fips: allow more RSA modulus sizes
-  * Add gnutls-FIPS-RSA-mod-sizes.patch
-  * Delete gnutls-3.6.7-fips-rsa-4096.patch
-
-- Drop bogus condition "> 1550": that would mean 'more recent than
-  Tumbleweed' which is technically impossible, as Tumbleweed is the
-  leading project (and the condition causes issues as Tumbleweed
-  needs to move away from 1550 due to CODE 15 SP5 plans).
-
-- Add crypto-policies support in SLE-15-SP4 [jsc#SLE-20287]
-
-- Account for the libnettle soname bump [jsc#SLE-19765]
-
-- Update to 3.7.2 in SLE-15-SP4: [jsc#SLE-19765, jsc#SLE-18139]
-  - Add gnutls-temporarily_disable_broken_guile_reauth_test.patch
-  - Rebased patches:
-  * disable-psk-file-test.patch
-  * gnutls-3.6.0-disable-flaky-dtls_resume-test.patch
-  * gnutls-fips_mode_enabled.patch
-  - Remove patches merged upstream:
-  * gnutls-CVE-2020-11501.patch
-  * gnutls-CVE-2020-13777.patch
-  * gnutls-CVE-2020-24659.patch
-  * gnutls-CVE-2021-20231.patch
-  * gnutls-CVE-2021-20232.patch
-  * gnutls-3.6.7-fips-backport_dont_truncate_output_IV.patch
-  * gnutls-fips_XTS_key_check.patch
-  * 0001-_gnutls_verify_crt_status-apply-algorithm-checks-to-.patch
-  * 0002-_gnutls_pkcs11_verify_crt_status-check-validity-agai.patch
-  * 0003-x509-trigger-fallback-verification-path-when-cert-is.patch
-  * 0004-tests-add-test-case-for-certificate-chain-supersedin.patch
-  * 0001-Add-Full-Public-Key-Check-for-DH.patch
-  * 0001-Add-test-to-ensure-DH-exchange-behaves-correctly.patch
-  * 0002-Add-test-to-ensure-ECDH-exchange-behaves-correctly.patch
-  * 0003-Add-plumbing-to-handle-Q-parameter-in-DH-exchanges.patch
-  * 0004-Always-pass-in-and-check-Q-in-TLS-1.3.patch
-  * 0005-Check-Q-for-FFDHE-primes-in-prime-check.patch
-  * 0006-Pass-down-Q-for-FFDHE-in-al-pre-TLS1.3-as-well.patch
-  * 0001-dh-primes-add-MODP-primes-from-RFC-3526.patch
-  * 0002-dhe-check-if-DH-params-in-SKE-match-the-FIPS-approve.patch
-  * 0001-dh-check-validity-of-Z-before-export.patch
-  * 0002-ecdh-check-validity-of-P-before-export.patch
-  * 0003-dh-primes-make-the-FIPS-approved-check-return-Q-valu.patch
-  * 0004-dh-perform-SP800-56A-rev3-full-pubkey-validation-on-.patch
-  * 0005-ecdh-perform-SP800-56A-rev3-full-pubkey-validation-o.patch
-  * 0001-Vendor-in-XTS-functionality-from-Nettle.patch
-  * 0001-pubkey-avoid-spurious-audit-messages-from-_gnutls_pu.patch
-  * gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch
-  * gnutls-3.6.7-fix-FTBFS-2024.patch
-  * gnutls-3.6.7-reproducible-date.patch
-
-- Update to version 3.7.2
-  * Added Linux kernel AF_ALG based acceleration
-  * Fixed timing of early data exchange
-  * The priority string option DISABLE_TLS13_COMPAT_MODE was added
-    to disable TLS 1.3 middlebox compatibility mode
-  * The GNUTLS_NO_EXPLICIT_INIT envvar has been renamed to
-    GNUTLS_NO_IMPLICIT_INIT to reflect the purpose
-  * certtool:
-  * When signing a CSR, CRL distribution point (CDP) is no
-    longer copied from the signing CA by default
-  * When producing certificates and certificate requests, subject
-    DN components that are provided individually will now be
-    ordered by assumed scale
-
-- Add gnutls-3.6.7-fix-FTBFS-2024.patch to let tests pass after 2024 (boo#1186579)
-- Add gnutls-3.6.7-reproducible-date.patch to override build date (boo#1047218)
-
-- Security fix: [bsc#1183456, CVE-2021-20232]
-  * A use after free issue in client_send_params
-    in lib/ext/pre_shared_key.c may lead to memory
-    corruption and other potential consequences.
-- Add gnutls-CVE-2021-20232.patch
-
-- Security fix: [bsc#1183457, CVE-2021-20231]
-  * A use after free issue in client sending key_share extension
-    may lead to memory corruption and other consequences.
-- Add gnutls-CVE-2021-20231.patch
-
-- Update to 3.7.1:
-    [bsc#1183456, CVE-2021-20232] [bsc#1183457, CVE-2021-20231]
-  * Fixed potential use-after-free in sending "key_share" and
-    "pre_shared_key" extensions.
-  * Fixed a regression in handling duplicated certs in a chain.
-  * Fixed sending of session ID in TLS 1.3 middlebox compatibility
-    mode. In that mode the client shall always send a non-zero
-    session ID to make the handshake resemble the TLS 1.2
-    resumption; this was not true in the previous versions.
-  * Removed dependency on the external 'fipscheck' package,
-    when compiled with --enable-fips140-mode.
-  * Added padlock acceleration for AES-192-CBC.
-- Remove patches upstream:
-  * gnutls-gnutls-cli-debug.patch
-  * gnutls-ignore-duplicate-certificates.patch
-  * gnutls-test-fixes.patch
-
-- Fix the test suite for tests/gnutls-cli-debug.sh [bsc#1171565]
-  * Don't unset system priority settings in gnutls-cli-debug.sh
-  * Upstream: gitlab.com/gnutls/gnutls/merge_requests/1387
-- Add gnutls-gnutls-cli-debug.patch
-
-- Fix: Test certificates in tests/testpkcs11-certs have expired
-  * Upstream bug: gitlab.com/gnutls/gnutls/issues/1135
-- Add gnutls-test-fixes.patch
-
-- gnutls_x509_trust_list_verify_crt2: ignore duplicate certificates
-  * Upstream bug: https://gitlab.com/gnutls/gnutls/issues/1131
-- Add gnutls-ignore-duplicate-certificates.patch
-
-- Update to 3.7.0
-  * Depend on nettle 3.6
-  * Added a new API that provides a callback function to retrieve
-    missing certificates from incomplete certificate chains
-  * Added a new API that provides a callback function to output the
-    complete path to the trusted root during certificate chain
-    verification
-  * OIDs exposed as gnutls_datum_t no longer account for the
-    terminating null bytes, while the data field is null terminated.
-    The affected API functions are: gnutls_ocsp_req_get_extension,
-    gnutls_ocsp_resp_get_response, and gnutls_ocsp_resp_get_extension
-  * Added a new set of API to enable QUIC implementation
-  * The crypto implementation override APIs deprecated in 3.6.9 are
-    now no-op
-  * Added MAGMA/KUZNYECHIK CTR-ACPKM and CMAC support
-  * Support for padlock has been fixed to make it work with Zhaoxin CPU
-  * The maximum PIN length for PKCS #11 has been increased from 31
-    bytes to 255 bytes
-- Remove patch fixed upstream:
-  * gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch
-- Fix threading bug in libgnutls [bsc#1173434]
-  * Upstream bug: gitlab.com/gnutls/gnutls/issues/1044
-
-- Avoid spurious audit messages about incompatible signature algorithms
-  (bsc#1172695)
-  * add 0001-pubkey-avoid-spurious-audit-messages-from-_gnutls_pu.patch
-
-- FIPS: Use 2048 bit prime in DH selftest (bsc#1176086)
-  * add gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch
-- FIPS: Add TLS KDF selftest (bsc#1176671)
-  * add gnutls-FIPS-TLS_KDF_selftest.patch
-
-- Escape rpm command %%expand when used in comment.
-
-- FIPS: Use 2048 bit prime in DH selftest (bsc#1176086)
-  * add gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch
-
-- FIPS: Add TLS KDF selftest (bsc#1176671)
-  * add gnutls-FIPS-TLS_KDF_selftest.patch
-
-- Fix heap buffer overflow in handshake with no_renegotiation alert sent
-  * CVE-2020-24659 (bsc#1176181)
-- add gnutls-CVE-2020-24659.patch
-
-- FIPS: Implement (EC)DH requirements from SP800-56Arev3 (bsc#1176086)
-- add patches
-  * 0001-Add-Full-Public-Key-Check-for-DH.patch
-  * 0001-Add-test-to-ensure-DH-exchange-behaves-correctly.patch
-  * 0002-Add-test-to-ensure-ECDH-exchange-behaves-correctly.patch
-  * 0003-Add-plumbing-to-handle-Q-parameter-in-DH-exchanges.patch
-  * 0004-Always-pass-in-and-check-Q-in-TLS-1.3.patch
-  * 0005-Check-Q-for-FFDHE-primes-in-prime-check.patch
-  * 0006-Pass-down-Q-for-FFDHE-in-al-pre-TLS1.3-as-well.patch
-  * 0001-dh-primes-add-MODP-primes-from-RFC-3526.patch
-  * 0002-dhe-check-if-DH-params-in-SKE-match-the-FIPS-approve.patch
-  * 0001-dh-check-validity-of-Z-before-export.patch
-  * 0002-ecdh-check-validity-of-P-before-export.patch
-  * 0003-dh-primes-make-the-FIPS-approved-check-return-Q-valu.patch
-  * 0004-dh-perform-SP800-56A-rev3-full-pubkey-validation-on-.patch
-  * 0005-ecdh-perform-SP800-56A-rev3-full-pubkey-validation-o.patch
-- drop obsolete gnutls-3.6.7-fips_DH_ECDH_key_tests.patch
-
-- Update to 3.6.15
-  * libgnutls: Fixed "no_renegotiation" alert handling at incorrect timing.
-  [GNUTLS-SA-2020-09-04, CVSS: medium]
-  * libgnutls: If FIPS self-tests are failed, gnutls_fips140_mode_enabled() now
-  indicates that with a false return value (!1306).
-  * libgnutls: Under FIPS mode, the generated ECDH/DH public keys are checked
-  accordingly to SP800-56A rev 3 (!1295, !1299).
-  * libgnutls: gnutls_x509_crt_export2() now returns 0 upon success, rather than
-  the size of the internal base64 blob (#1025).
-  * libgnutls: Certificate verification failue due to OCSP must-stapling is not
-  honered is now correctly marked with the GNUTLS_CERT_INVALID flag
-  * libgnutls: The audit log message for weak hashes is no longer printed twice
-  * libgnutls: Fixed version negotiation when TLS 1.3 is enabled and TLS 1.2 is
-  disabled in the priority string. Previously, even when TLS 1.2 is explicitly
-  disabled with "-VERS-TLS1.2", the server still offered TLS 1.2 if TLS 1.3 is
-  enabled (#1054).
-- drop upstreamed patches:
-  * gnutls-detect_nettle_so.patch
-  * 0001-crypto-api-always-allocate-memory-when-serializing-i.patch
-
-- Correctly detect gmp, nettle, and hogweed libraries (bsc#1172666)
-  * add gnutls-detect_nettle_so.patch
-
-- Fix a memory leak that could lead to a DoS attack against Samba
-  servers (bsc#1172663)
-  * add 0001-crypto-api-always-allocate-memory-when-serializing-i.patch
-- Temporarily disable broken guile reauth test (bsc#1171565)
-  * add gnutls-temporarily_disable_broken_guile_reauth_test.patch
-
-- GNUTLS-SA-2020-06-03 (Fixed insecure session ticket key construction)
-  The TLS server would not bind the session ticket encryption key with a
-  value supplied by the application until the initial key rotation, allowing
-  attacker to bypass authentication in TLS 1.3 and recover previous
-  conversations in TLS 1.2 (#1011). (bsc#1172506, CVE-2020-13777)
-  * add patches:
-    + gnutls-CVE-2020-13777.patch
-- Fixed handling of certificate chain with cross-signed intermediate
-  CA certificates (#1008). (bsc#1172461)
-  * add patches:
-    +  0001-_gnutls_verify_crt_status-apply-algorithm-checks-to-.patch
-    +  0002-_gnutls_pkcs11_verify_crt_status-check-validity-agai.patch
-    +  0003-x509-trigger-fallback-verification-path-when-cert-is.patch
-    +  0004-tests-add-test-case-for-certificate-chain-supersedin.patch
-
-- Update to 3.6.14
-  * libgnutls: Fixed insecure session ticket key construction, since 3.6.4.
-    The TLS server would not bind the session ticket encryption key with a
-    value supplied by the application until the initial key rotation, allowing
-    attacker to bypass authentication in TLS 1.3 and recover previous
-    conversations in TLS 1.2 (#1011). (bsc#1172506, CVE-2020-13777)
-    [GNUTLS-SA-2020-06-03, CVSS: high]
-  * libgnutls: Fixed handling of certificate chain with cross-signed
-    intermediate CA certificates (#1008). (bsc#1172461)
-  * libgnutls: Fixed reception of empty session ticket under TLS 1.2 (#997).
-  * libgnutls: gnutls_x509_crt_print() is enhanced to recognizes commonName
-    (2.5.4.3), decodes certificate policy OIDs (!1245), and prints Authority
-    Key Identifier (AKI) properly (#989, #991).
-  * certtool: PKCS #7 attributes are now printed with symbolic names (!1246).
-  * libgnutls: Use accelerated AES-XTS implementation if possible (!1244).
-    Also both accelerated and non-accelerated implementations check key block
-    according to FIPS-140-2 IG A.9 (!1233).
-  * libgnutls: Added support for AES-SIV ciphers (#463).
-  * libgnutls: Added support for 192-bit AES-GCM cipher (!1267).
-  * libgnutls: No longer use internal symbols exported from Nettle (!1235)
-  * API and ABI modifications:
-    GNUTLS_CIPHER_AES_128_SIV: Added
-    GNUTLS_CIPHER_AES_256_SIV: Added
-    GNUTLS_CIPHER_AES_192_GCM: Added
-    gnutls_pkcs7_print_signature_info: Added
-- Add key D605848ED7E69871: public key "Daiki Ueno <ueno@unixuser.org>" to
-  the keyring
-- Drop gnutls-fips_correct_nettle_soversion.patch (upstream)
-
-- Add RSA 4096 key generation support in FIPS mode (bsc#1171422)
-  * add gnutls-3.6.7-fips-rsa-4096.patch
-
-- Don't check for /etc/system-fips which we don't have (bsc#1169992)
-  * add gnutls-fips_mode_enabled.patch
-
-- Backport AES XTS support (bsc#1168835)
-  * add 0001-Vendor-in-XTS-functionality-from-Nettle.patch
-  * add gnutls-fips_XTS_key_check.patch
-
-- Use correct nettle .so version when looking for a FIPS checksum
-  (bsc#1166635)
-  * add gnutls-fips_correct_nettle_soversion.patch
-
-- Update to 3.6.13
-  * libgnutls: Fix a DTLS-protocol regression (caused by TLS1.3 support)
-    The DTLS client would not contribute any randomness to the DTLS negotiation,
-    breaking the security guarantees of the DTLS protocol (#960)
-    [GNUTLS-SA-2020-03-31, CVSS: high] (bsc#1168345)
-  * libgnutls: Added new APIs to access KDF algorithms (#813).
-  * libgnutls: Added new callback gnutls_keylog_func that enables a custom
-    logging functionality.
-  * libgnutls: Added support for non-null terminated usernames in PSK
-    negotiation (#586).
-  * gnutls-cli-debug: Improved support for old servers that only support
-    SSL 3.0.
-
-- Fix zero random value in DTLS client hello
-  (CVE-2020-11501, bsc#1168345)
-  * add gnutls-CVE-2020-11501.patch
-
-- Split off FIPS checksums into a separate libgnutls30-hmac
-  subpackage (bsc#1152692)
-  * update baselibs.conf
-
-- bsc#1166881 - FIPS: gnutls: cfb8 decryption issue
-  * No longer truncate output IV if input is shorter than block size.
-  * Added gnutls-3.6.7-fips-backport_dont_truncate_output_IV.patch
-
-- bsc#1155327 jira#SLE-9518 - FIPS: add DH key test
-  * Added Diffie Hellman public key verification test.
-  * gnutls-3.6.7-fips_DH_ECDH_key_tests.patch
-
-- gnutls 3.6.12
-  * libgnutls: Introduced TLS session flag (gnutls_session_get_flags())
-  to identify sessions that client request OCSP status request (#829).
-  * libgnutls: Added support for X448 key exchange (RFC 7748) and Ed448
-  signature algorithm (RFC 8032) under TLS (#86).
-  * libgnutls: Added the default-priority-string option to system configuration;
-  it allows overriding the compiled-in default-priority-string.
-  * libgnutls: Added support for GOST CNT_IMIT ciphersuite (as defined by
-  draft-smyshlyaev-tls12-gost-suites-07).
-  By default this ciphersuite is disabled. It can be enabled by adding
-  +GOST to priority string. In the future this priority string may enable
-  other GOST ciphersuites as well.  Note, that server will fail to negotiate
-  GOST ciphersuites if TLS 1.3 is enabled both on a server and a client. It
-  is recommended for now to disable TLS 1.3 in setups where GOST ciphersuites
-  are enabled on GnuTLS-based servers.
-  * libgnutls: added priority shortcuts for different GOST categories like
-  CIPHER-GOST-ALL, MAC-GOST-ALL, KX-GOST-ALL, SIGN-GOST-ALL, GROUP-GOST-ALL.
-  * libgnutls: Reject certificates with invalid time fields. That is we reject
-  certificates with invalid characters in Time fields, or invalid time formatting
-  To continue accepting the invalid form compile with --disable-strict-der-time
-  * libgnutls: Reject certificates which contain duplicate extensions. We were
-  previously printing warnings when printing such a certificate, but that is
-  not always sufficient to flag such certificates as invalid. Instead we now
-  refuse to import them (#887).
-  * libgnutls: If a CA is found in the trusted list, check in addition to
-  time validity, whether the algorithms comply to the expected level prior
-  to accepting it. This addresses the problem of accepting CAs which would
-  have been marked as insecure otherwise (#877).
-  * libgnutls: The min-verification-profile from system configuration applies
-  for all certificate verifications, not only under TLS. The configuration can
-  be overriden using the GNUTLS_SYSTEM_PRIORITY_FILE environment variable.
-  * libgnutls: The stapled OCSP certificate verification adheres to the convention
-  used throughout the library of setting the 'GNUTLS_CERT_INVALID' flag.
-  * libgnutls: On client side only send OCSP staples if they have been requested
-  by the server, and on server side always advertise that we support OCSP stapling
-  * libgnutls: Introduced the gnutls_ocsp_req_const_t which is compatible
-  with gnutls_ocsp_req_t but const.
-  * certtool: Added the --verify-profile option to set a certificate
-  verification profile. Use '--verify-profile low' for certificate verification
-  to apply the 'NORMAL' verification profile.
-  * certtool: The add_extension template option is considered even when generating
-  a certificate from a certificate request.
-
-- gnutls 3.6.11.1:
-  * libgnutls: Corrected issue with TLS 1.2 session ticket
-    handling as client during resumption
-  * libgnutls: gnutls_base64_decode2() succeeds decoding the empty
-    string to the empty string. This is a behavioral change of the
-    API but it conforms to the RFC4648 expectations
-  * libgnutls: Fixed AES-CFB8 implementation, when input is shorter
-    than the block size. Fix backported from nettle.
-  * certtool: CRL distribution points will be set in CA
-    certificates even when non self-signed
-  * gnutls-cli/serv: added raw public-key handling capabilities
-    (RFC7250). Key material can be set via the --rawpkkeyfile and
-  - -rawpkfile flags.
-
-- gnutls 3.6.10:
-  * Add support for deterministic ECDSA/DSA (RFC6979)
-  * Add functions for in-place encryption/decryption of data buffers
-  * server now selects the highest TLS protocol version, if TLS 1.3
-    is enabled and the client advertises an older protocol version
-    first
-  * Add support for GOST 28147-89 cipher in CNT (GOST counter) mode
-    and MAC generation based on GOST 28147-89 (IMIT)
-  * certtool: when outputting an encrypted private key do not
-    insert the textual description of it
-
-- Install checksums for binary integrity verification which are
-  required when running in FIPS mode (bsc#1152692, jsc#SLE-9518)
-
-- gnutls 3.6.9:
-  * add support for copying digest or MAC contexts
-  * Mark the crypto implementation override APIs as deprecated
-  * Add support for AES-GMAC, as a separate to GCM, MAC algorithm
-  * Add support for Generalname registeredID
-  * The priority configuration was enhanced to allow more elaborate
-    system-wide configuration of the library
-- includes changes from 3.6.8:
-  * Add support for AES-XTS cipher
-  * Fix calculation of Streebog digests
-  * During Diffie-Hellman operations in TLS, verify that the peer's
-    public key is on the right subgroup (y^q=1 mod p), when q is
-    available (under TLS 1.3 and under earlier versions when RFC7919
-    parameters are used).
-  * Apply STD3 ASCII rules in gnutls_idna_map() to prevent
-    hostname/domain crafting via IDNA conversion
-  * certtool: allow the digital signature key usage flag in CA
-    certificates
-  * gnutls-cli/serv: add the --keymatexport and --keymatexportsize
-    options. These allow testing the RFC5705 using these tools
-- drop patches to re-enable tests:
-  * disable-psk-file-test.patch
-  * gnutls-3.6.0-disable-flaky-dtls_resume-test.patch
-
-- Explicitly require libnettle 3.4.1 (bsc#1134856)
-  * The RSA decryption code was rewritten in GnuTLS 3.6.5 in order
-    to fix CVE-2018-16868, the new implementation makes use of a new
-    rsa_sec_decrypt() function introduced in libnettle 3.4.1
-  * libnettle was recently updated to the 3.4.1 version but we need
-    to add explicit dependency on it to prevent missing symbol errors
-    with the older versions
-
-- Restored autoreconf in build.
-- Removed gnutls-3.6.6-SUSE_SLE15_congruent_version_requirements.patch
-  since the version requirements of required libraries are once again
-  automatically determined.
-- Added gnutls-3.6.7-SUSE_SLE15_guile_site_directory.patch because it is a
-  better patch name for handling the '--with-guile-site-dir=' problem in
-  3.6.7.
-
-- Trim useless %if..%endif guards that do not affect the build.
-- Fix language errors in description again.
-
-- Update gnutls to 3.6.7
-  * * libgnutls, gnutls tools: Every gnutls_free() will automatically set
-    the free'd pointer to NULL. This prevents possible use-after-free and
-    double free issues. Use-after-free will be turned into NULL dereference.
-    The counter-measure does not extend to applications using gnutls_free().
-  * * libgnutls: Fixed a memory corruption (double free) vulnerability in the
-    certificate verification API. Reported by Tavis Ormandy; addressed with
-    the change above. [GNUTLS-SA-2019-03-27, #694] [bsc#1130681] (CVE-2019-3829)
-  * * libgnutls: Fixed an invalid pointer access via malformed TLS1.3 async messages;
-    Found using tlsfuzzer. [GNUTLS-SA-2019-03-27, #704] [bsc#1130682] (CVE-2019-3836)
-  * * libgnutls: enforce key usage limitations on certificates more actively.
-    Previously we would enforce it for TLS1.2 protocol, now we enforce it
-    even when TLS1.3 is negotiated, or on client certificates as well. When
-    an inappropriate for TLS1.3 certificate is seen on the credentials structure
-    GnuTLS will disable TLS1.3 support for that session (#690).
-  * * libgnutls: the default number of tickets sent under TLS 1.3 was increased to
-    two. This makes it easier for clients which perform multiple connections
-    to the server to use the tickets sent by a default server.
-  * * libgnutls: enforce the equality of the two signature parameters fields in
-    a certificate. We were already enforcing the signature algorithm, but there
-    was a bug in parameter checking code.
-  * * libgnutls: fixed issue preventing sending and receiving from different
-    threads when false start was enabled (#713).
-  * * libgnutls: the flag GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO now implies a writable
-    session, as non-writeable security officer sessions are undefined in PKCS#11
-    (#721).
-  * * libgnutls: no longer send downgrade sentinel in TLS 1.3.
-    Previously the sentinel value was embedded to early in version
-    negotiation and was sent even on TLS 1.3. It is now sent only when
-    TLS 1.2 or earlier is negotiated (#689).
-  * * gnutls-cli: Added option --logfile to redirect informational messages output.
-- Disabled dane support since dane is not shipped with SLE-15
-- Changed configure script to hardware guile site directory since command-line
-  option '--with-guile-site-dir=' was removed from the configure script in 3.6.7.
-  * * Modified gnutls-3.6.6-SUSE_SLE15_congruent_version_requirements.patch
-- Modified gnutls-3.6.0-disable-flaky-dtls_resume-test.patch to fix
-  compilation issues on PPC
-- Fixed Bleichenbacher-like side channel leakage in PKCS#1 v1.5 verification
-  and padding oracle verification (in 3.6.5) [bsc#1118087] (CVE-2018-16868)
-
-- FATE#327114 - Update gnutls to 3.6.6 to support TLS 1.3
-  * * libgnutls: gnutls_pubkey_import_ecc_raw() was fixed to set the number bits
-    on the public key (#640).
-  * * libgnutls: Added support for raw public-key authentication as defined in RFC7250.
-    Raw public-keys can be negotiated by enabling the corresponding certificate
-    types via the priority strings. The raw public-key mechanism must be explicitly
-    enabled via the GNUTLS_ENABLE_RAWPK init flag (#26, #280).
-  * * libgnutls: When on server or client side we are sending no extensions we do
-    not set an empty extensions field but we rather remove that field competely.
-    This solves a regression since 3.5.x and improves compatibility of the server
-    side with certain clients.
-  * * libgnutls: We no longer mark RSA keys in PKCS#11 tokens as RSA-PSS capable if
-    the CKA_SIGN is not set (#667).
-  * * libgnutls: The priority string option %NO_EXTENSIONS was improved to completely
-    disable extensions at all cases, while providing a functional session. This
-    also implies that when specified, TLS1.3 is disabled.
-  * * libgnutls: GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION was marked as deprecated.
-    The previous definition was non-functional (#609).
-  * Removed patches:
-    0001-dummy_wait-correctly-account-the-length-field-in-SHA.patch
-    0002-dummy_wait-always-hash-the-same-amount-of-blocks-tha.patch
-    0003-cbc_mac_verify-require-minimum-padding-under-SSL3.0.patch
-    0004-hmac-sha384-and-sha256-ciphersuites-were-removed-fro.patch
-  * Added Patches:
-  * * disable failing psk-file test (race condition):
-    disable-psk-file-test.patch
-  * * Patch configure script to accept specific versions of autotools and guile
-    that are present in SUSE-SLE15. (A bug prevents configure from accepting
-    a range of compatible versions. Upstream's solution is to hardwire for
-    the most current versions.)
-    gnutls-3.6.6-SUSE_SLE15_congruent_version_requirements.patch
-  * Modified:
-  * * gnutls-3.6.0-disable-flaky-dtls_resume-test.patch
-- drop no longer needed gnutls-enbale-guile-2.2.patch
-- refresh disable-psk-file-test.patch
-
-- Update to 3.6.5
-  * * libgnutls: Provide the option of transparent re-handshake/reauthentication
-    when the GNUTLS_AUTO_REAUTH flag is specified in gnutls_init() (#571).
-  * * libgnutls: Added support for TLS 1.3 zero round-trip (0-RTT) mode (#127)
-  * * libgnutls: The priority functions will ignore and not enable TLS1.3 if
-    requested with legacy TLS versions enabled but not TLS1.2. That is because
-    if such a priority string is used in the client side (e.g., TLS1.3+TLS1.0 enabled)
-    servers which do not support TLS1.3 will negotiate TLS1.2 which will be
-    rejected by the client as disabled (#621).
-  * * libgnutls: Change RSA decryption to use a new side-channel silent function.
-    This addresses a security issue where memory access patterns as well as timing
-    on the underlying Nettle rsa-decrypt function could lead to new Bleichenbacher
-    attacks. Side-channel resistant code is slower due to the need to mask
-    access and timings. When used in TLS the new functions cause RSA based
-    handshakes to be between 13% and 28% slower on average (Numbers are indicative,
-    the tests where performed on a relatively modern Intel CPU, results vary
-    depending on the CPU and architecture used). This change makes nettle 3.4.1
-    the minimum requirement of gnutls (#630). [CVSS: medium]
-  * * libgnutls: gnutls_priority_init() and friends, allow the CTYPE-OPENPGP keyword
-    in the priority string. It is only accepted as legacy option and is ignored.
-  * * libgnutls: Added support for EdDSA under PKCS#11 (#417)
-  * * libgnutls: Added support for AES-CFB8 cipher (#357)
-  * * libgnutls: Added support for AES-CMAC MAC (#351)
-  * * libgnutls: In two previous versions GNUTLS_CIPHER_GOST28147_CPB/CPC/CPD_CFB ciphers
-    have incorrectly used CryptoPro-A S-BOX instead of proper (CryptoPro-B/-C/-D
-    S-BOXes). They are fixed now.
-  * * libgnutls: Added support for GOST key unmasking and unwrapped GOST private
-    keys parsing, as specified in R 50.1.112-2016.
-  * * gnutls-serv: It applies the default settings when no --priority option is given,
-    using gnutls_set_default_priority().
-  * * p11tool: Fix initialization of security officer's PIN with the --initialize-so-pin
-    option (#561)
-  * * certtool: Add parameter --no-text that prevents certtool from outputting
-    text before PEM-encoded private key, public key, certificate, CRL or CSR.
-- minimum required libnettle is now 3.4.1
-- refresh
-  * disable-psk-file-test.patch
-  * gnutls-3.6.0-disable-flaky-dtls_resume-test.patch
-
-- search for guile-2.2 during configure, part of boo#1117121
-  add patches:
-  * gnutls-enbale-guile-2.2.patch: search for guile-2.2
-  refresh patches:
-  * disable-psk-file-test.patch: disable psk-file in Makefile.am
-
-- Temporarily disable failing psk-file test (race condition)
-  * add disable-psk-file-test.patch
-
-- Version update to 3.6.4 (bsc#1111757):
-  * * libgnutls: Added the final (RFC8446) version numbering of the TLS1.3 protocol.
-  * * libgnutls: Corrected regression since 3.6.3 in the callbacks set with
-    gnutls_certificate_set_retrieve_function() which could not handle the case where
-    no certificates were returned, or the callbacks were set to NULL (see #528).
-  * * libgnutls: gnutls_handshake() on server returns early on handshake when no
-    certificate is presented by client and the gnutls_init() flag GNUTLS_ENABLE_EARLY_START
-    is specified.
-  * * libgnutls: Added session ticket key rotation on server side with TOTP.
-    The key set with gnutls_session_ticket_enable_server() is used as a
-    master key to generate time-based keys for tickets. The rotation
-    relates to the gnutls_db_set_cache_expiration() period.
-  * * libgnutls: The 'record size limit' extension is added and preferred to the
-    'max record size' extension when possible.
-  * * libgnutls: Provide a more flexible PKCS#11 search of trust store certificates.
-    This addresses the problem where the CA certificate doesn't have a subject key
-    identifier whereas the end certificates have an authority key identifier (#569)
-  * * libgnutls: gnutls_privkey_export_gost_raw2(), gnutls_privkey_import_gost_raw(),
-    gnutls_pubkey_export_gost_raw2(), gnutls_pubkey_import_gost_raw() import
-    and export GOST parameters in the "native" little endian format used for these
-    curves. This is an intentional incompatible change with 3.6.3.
-  * * libgnutls: Added support for seperately negotiating client and server certificate types
-    as defined in RFC7250. This mechanism must be explicitly enabled via the
-    GNUTLS_ENABLE_CERT_TYPE_NEG flag in gnutls_init().
-- Drop upstreamed patch:
-  * gnutls-3.6.3-backport-upstream-fixes.patch
-
-- gnutls-3.6.0-disable-flaky-dtls_resume-test.patch: refresh to also patch
-  test/Makefile.in as autoreconf does not work
-
-- Backport of upstream fixes (boo#1108450)
-  * gnutls-3.6.3-backport-upstream-fixes.patch
-  Fixes taken from upstream commits:
-  * * 3df5b7bc8a64 ("cert-cred: fix possible segfault when resetting cert retrieval function")
-  * * 42945a7aab6d ("allow no certificates to be reported by the gnutls_certificate_retrieve_function callbacks")
-  * * 10f83e36ed92 ("hello_ext_parse: apply the test for pre-shared key ext being last on client hello")
-  The patch was taken from https://github.com/weechat/weechat/issues/1231
-
-- Security update
-  Improve mitigations against Lucky 13 class of attacks
-  * "Just in Time" PRIME + PROBE cache-based side channel attack
-    can lead to plaintext recovery (CVE-2018-10846, bsc#1105460)
-  * HMAC-SHA-384 vulnerable to Lucky thirteen attack due to use of
-    wrong constant (CVE-2018-10845, bsc#1105459)
-  * HMAC-SHA-256 vulnerable to Lucky thirteen attack due to not
-    enough dummy function calls (CVE-2018-10844, bsc#1105437)
-  * add patches:
-    0001-dummy_wait-correctly-account-the-length-field-in-SHA.patch
-    0002-dummy_wait-always-hash-the-same-amount-of-blocks-tha.patch
-    0003-cbc_mac_verify-require-minimum-padding-under-SSL3.0.patch
-    0004-hmac-sha384-and-sha256-ciphersuites-were-removed-fro.patch
-
-- Update to 3.6.3
-  Fixes security issues:
-  CVE-2018-10846, CVE-2018-10845, CVE-2018-10844, CVE-2017-10790
-  (bsc#1105437, bsc#1105460, bsc#1105459, bsc#1047002)
-  Other Changes:
-  * * libgnutls: Introduced support for draft-ietf-tls-tls13-28
-  * * libgnutls: Apply compatibility settings for existing applications running with TLS1.2 or
-    earlier and TLS 1.3.
-  * * Added support for Russian Public Key Infrastructure according to RFCs 4491/4357/7836.
-  * * Provide a uniform cipher list across supported TLS protocols
-  * * The SSL 3.0 protocol is disabled on compile-time by default.
-  * * libgnutls: Introduced function to switch the current FIPS140-2 operational
-    mode
-  * * libgnutls: Introduced low-level function to assist applications attempting client
-    hello extension parsing, prior to GnuTLS' parsing of the message.
-  * * libgnutls: When exporting an X.509 certificate avoid re-encoding if there are no
-    modifications to the certificate.
-  * * libgnutls: on group exchange honor the %SERVER_PRECEDENCE and select the groups
-    which are preferred by the server.
-  * * Improved counter-measures for TLS CBC record padding.
-  * * Introduced the %FORCE_ETM priority string option. This option prevents the negotiation
-    of legacy CBC ciphersuites unless encrypt-then-mac is negotiated.
-  * * libgnutls: gnutls_privkey_import_ext4() was enhanced with the
-    GNUTLS_PRIVKEY_INFO_PK_ALGO_BITS flag.
-  * * libgnutls: gnutls_pkcs11_copy_secret_key, gnutls_pkcs11_copy_x509_privkey2,
-    gnutls_pkcs11_privkey_generate3 will mark objects as sensitive by default
-    unless GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE is specified. This is an API
-    change for these functions which make them err towards safety.
-  * * libgnutls: improved aarch64 cpu features detection by using getauxval().
-  * * certtool: It is now possible to specify certificate and serial CRL numbers greater
-    than 2**63-2 as a hex-encoded string both when prompted and in a template file.
-    Default certificate serial numbers are now fully random.
-- don't run autoreconf to avoid pulling in gtk-doc
-
-- Require pkgconfig(autoopts) for building
-
-- Simplify the DANE support %ifdef condition
-  * build with DANE on openSUSE only
-
-- Adjust RPM groups. Drop %if..%endif guards that are idempotent.
-
-- build without DANE support on SLE-15, as it doesn't have unbound
-  (bsc#1086428)
-
-- add back refreshed gnutls-3.6.0-disable-flaky-dtls_resume-test.patch
-  the dtls-resume test still keeps randomly failing on PPC
-
-- remove gnutls-3.6.0-disable-flaky-dtls_resume-test.patch
-  patch does not apply any more and apparently the build
-  suceeds even if the formerly flaky testcase is run (bsc#1086579)
-
-- gnutls.keyring: Nikos key refreshed to be unexpired
-
-- GnuTLS 3.6.2:
-  * libgnutls: When verifying against a self signed certificate ignore issuer.
-    That is, ignore issuer when checking the issuer's parameters strength,
-    resolving issue #347 which caused self signed certificates to be
-    additionally marked as of insufficient security level.
-  * libgnutls: Corrected MTU calculation for the CBC ciphersuites. The data
-    MTU calculation now, it correctly accounts for the fixed overhead due to
-    padding (as 1 byte), while at the same time considers the rest of the
-    padding as part of data MTU.
-  * libgnutls: Address issue of loading of all PKCS#11 modules on startup
-    on systems with a PKCS#11 trust store (as opposed to a file trust store).
-    Introduced a multi-stage initialization which loads the trust modules, and
-    other modules are deferred for the first pure PKCS#11 request.
-  * libgnutls: The SRP authentication will reject any parameters outside
-    RFC5054. This protects any client from potential MitM due to insecure
-    parameters. That also brings SRP in par with the RFC7919 changes to
-    Diffie-Hellman.
-  * libgnutls: Added the 8192-bit parameters of SRP to the accepted parameters
-    for SRP authentication.
-  * libgnutls: Addressed issue in the accelerated code affecting
-    interoperability with versions of nettle >= 3.4.
-  * libgnutls: Addressed issue in the AES-GCM acceleration under aarch64.
-  * libgnutls: Addressed issue in the AES-CBC acceleration under ssse3 (patch by
-    Vitezslav Cizek).
-  * srptool: the --create-conf option no longer includes 1024-bit parameters.
-  * p11tool: Fixed the deletion of objects in batch mode.
-- Dropped gnutls-check_aes_keysize.patch as it is included upstream now.
-
-- Use %license (boo#1082318)
-
-- Sanity check key size in SSSE3 AES cipher implementation (bsc#1074303)
-  * add gnutls-check_aes_keysize.patch
-
-- GnuTLS 3.6.1:
-  * Fix interoperability issue with openssl when safe renegotiation
-    was used
-  * gnutls_x509_crl_sign, gnutls_x509_crt_sign,
-    gnutls_x509_crq_sign, were modified to sign with a better
-    algorithm than SHA1. They will now sign with an algorithm that
-    corresponds to the security level of the signer's key.
-  * gnutls_x509_*_sign2() functions and gnutls_x509_*_privkey_sign()
-    accept GNUTLS_DIG_UNKNOWN (0) as a hash function option. That
-    will signal the function to auto-detect an appropriate hash
-    algorithm to use.
-  * Remove support for signature algorithms using SHA2-224 in TLS.
-    TLS 1.3 no longer uses SHA2-224 and it was never a widespread
-    algorithm in TLS 1.2
-  * Refuse to use client certificates containing disallowed
-    algorithms for a session, reverting a change on 3.5.5
-  * Refuse to resume a session which had a different SNI advertised
-    That improves RFC6066 support in server side.
-  * p11tool: Mark all generated objects as sensitive by default.
-  * p11tool: added options --sign-params and --hash. This allows
-    testing signature with multiple algorithms, including RSA-PSS.
-
-- Disable flaky dtls_resume test on Power
-  * add gnutls-3.6.0-disable-flaky-dtls_resume-test.patch
-
-- GnuTLS 3.6.0:
-  * Introduce a lock-free random generator which operates per-
-    thread and eliminates random-generator related bottlenecks in
-    multi-threaded operation.
-  * Replace the Salsa20 random generator with one based on CHACHA.
-    The goal is to reduce code needed in cache (CHACHA is also
-    used for TLS), and the number of primitives used by the
-    library. That does not affect the AES-DRBG random generator
-    used in FIPS140-2 mode.
-  * Add support for RSA-PSS key type as well as signatures in
-    certificates, and TLS key exchange
-  * Add support for Ed25519 signing in certificates and TLS key
-    exchange following draft-ietf-tls-rfc4492bis-17
-  * Enable X25519 key exchange by default, following
-    draft-ietf-tls-rfc4492bis-17.
-  * Add support for Diffie-Hellman group negotiation following
-    RFC7919.
-  * Introduce various sanity checks on certificate import
-  * Introduce gnutls_x509_crt_set_flags(). This function can set
-    flags in the crt structure. The only flag supported at the
-    moment is GNUTLS_X509_CRT_FLAG_IGNORE_SANITY which skips the
-    certificate sanity checks on import.
-  * PKIX certificates with unknown critical extensions are rejected
-    on verification with status GNUTLS_CERT_UNKNOWN_CRIT_EXTENSIONS
-  * Refuse to generate a certificate with an illegal version, or an
-    illegal serial number. That is, gnutls_x509_crt_set_version()
-    and gnutls_x509_crt_set_serial(), will fail on input considered
-    to be invalid in RFC5280.
-  * Call to gnutls_record_send() and gnutls_record_recv() prior to
-    handshake being complete are now refused
-  * Add support for PKCS#12 files with no salt (zero length) in
-    their password encoding, and PKCS#12 files using SHA384 and
-    SHA512 as MAC.
-  * libgnutls: Exported functions to encode and decode DSA and ECDSA
-    r,s values.
-  * Add new callback setting function to gnutls_privkey_t for
-    external keys. The new function (gnutls_privkey_import_ext4),
-    allows signing in addition to previous algorithms (RSA PKCS#1
-    1.5, DSA, ECDSA), with RSA-PSS and Ed25519 keys.
-  * Introduce the %VERIFY_ALLOW_BROKEN and
-    %VERIFY_ALLOW_SIGN_WITH_SHA1 priority string options. These
-    allows enabling all broken and SHA1-based signature algorithms
-    in certificate verification, respectively.
-  * 3DES-CBC is no longer included in the default priorities list.
-    It has to be explicitly enabled, e.g., with a string like
-    "NORMAL:+3DES-CBC".
-  * SHA1 was marked as insecure for signing certificates.
-    Verification of certificates signed with SHA1 is now considered
-    insecure and will fail, unless flags intended to enable broken
-    algorithms are set. Other uses of SHA1 are still allowed.
-  * RIPEMD160 was marked as insecure for certificate signatures.
-    Verification of certificates signed with RIPEMD160 hash
-    algorithm is now considered insecure and will fail, unless
-    flags intended to enable broken algorithms are set.
-  * No longer enable SECP192R1 and SECP224R1 by default on TLS
-    handshakes. These curves were rarely used for that purpose,
-    provide no advantage over x25519 and were deprecated by TLS 1.3.
-  * Remove support for DEFLATE, or any other compression method.
-  * OpenPGP authentication was removed; the resulting library is ABI
-    compatible, with the openpgp related functions being stubs that
-    fail on invocation.
-    Drop gnutls-broken-openpgp-tests.patch, no longer required.
-  * Remove support for libidn (i.e., IDNA2003); gnutls can now be
-    compiled only with libidn2 which provides IDNA2008.
-  * certtool: The option '--load-ca-certificate' can now accept
-    PKCS#11 URLs in addition to files.
-  * certtool: The option '--load-crl' can now be used when
-    generating PKCS#12 files (i.e., in conjunction with '--to-p12' option).
-  * certtool: Keys with provable RSA and DSA parameters are now
-    only read and exported from PKCS#8 form, following
-    draft-mavrogiannopoulos-pkcs8-validated-parameters-00.txt.
-    This removes support for the previous a non-standard key format.
-  * certtool: Added support for generating, printing and handling
-    RSA-PSS and Ed25519 keys and certificates.
-  * certtool: the parameters --rsa, --dsa and --ecdsa to
-  - -generate-privkey are now deprecated, replaced by the
-  - -key-type option.
-  * p11tool: The --generate-rsa, --generate-ecc and --generate-dsa
-    options were replaced by the --generate-privkey option.
-  * psktool: Generate 256-bit keys by default.
-  * gnutls-server: Increase request buffer size to 16kb, and added
-    the --alpn and --alpn-fatal options, allowing testing of ALPN
-    negotiation.
-  * Enables FIPS 140-2 mode during build
-
-- Buildrequire iproute2: the test suite calls /usr/bin/ss and as
-  such we have to ensure to pull it in.
-
-- GnuTLS 3.5.15:
-  * libgnutls: Disable hardware acceleration on aarch64/ilp32 mode
-  * certtool: Keys with provable RSA and DSA parameters are now
-    only exported in PKCS#8 form
-
-- RPM group fix. Diversification of summaries.
-- Avoid aims and future plans in description. Say what it does now.
-
-- Drop the deprecated openssl compat ; discussed and suggested by
-  vcizek
-- Cleanup a bit with spec-cleaner
-
-- GnuTLS 3.5.14:
-  * Handle specially HSMs which request explicit authentication
-  * he GNUTLS_PKCS11_OBJ_FLAG_LOGIN will force a login on HSMs
-  * do not set leading zeros when copying integers on HSMs
-  * Fix issue discovering certain OCSP signers, and improved the
-    discovery of OCSP signer in the case where the Subject Public
-    Key identifier field matches
-  * ensure OCSP responses are saved with --save-ocsp even if
-    certificate verification fails.
-
-- GnuTLS 3.5.13:
-  * libgnutls: fixed issue with AES-GCM in-place encryption and
-    decryption in aarch64
-  * libgnutls: no longer parse the ResponseID field of the status
-    response TLS extension. The field is not used by GnuTLS nor is
-    made available to calling applications. That addresses a null
-    pointer dereference on server side caused by packets containing
-    the ResponseID field. GNUTLS-SA-2017-4, bsc#1043398
-  * libgnutls: tolerate certificates which do not have strict DER
-    time encoding. It is possible using 3rd party tools to generate
-    certificates with time fields that do not conform to DER
-    requirements. Since 3.4.x these certificates were rejected and
-    cannot be used with GnuTLS, however that caused problems with
-    existing private certificate infrastructures, which were
-    relying on such certificates. Tolerate reading and using these
-    certificates.
-  * minitasn1: updated to libtasn1 4.11.
-  * certtool: allow multiple certificates to be used in --p7-sign
-    with the --load-certificate option
-
-- GnuTLS 3.5.12:
-  * libgnutls: gnutls_x509_crt_check_hostname2() no longer matches
-    IP addresses against DNS fields of certificate (CN or DNSname).
-    The previous behavior was to tolerate some misconfigured
-    servers, but that was non-standard and skipped any IP
-    constraints present in higher level certificates.
-  * libgnutls: when converting to IDNA2008, fallback to IDNA2003
-    (i.e., transitional encoding) if the domain cannot be converted.
-    That provides maximum compatibility with browsers like firefox
-    that perform the same conversion.
-  * libgnutls: fix issue in RSA-PSK client callback which resulted
-    in no username being sent to the peer
-  * libgnutls: fix regression causing stapled extensions in trust
-    modules not to be considered.
-  * certtool: introduced the email_protection_key option.  This
-    option was introduced in documentation for certtool without an
-    implementation of it. It is a shortcut for option
-  'key_purpose_oid = 1.3.6.1.5.5.7.3.4'.
-  * certtool: made printing of key ID and key PIN consistent
-    between certificates, public keys, and private keys. That is
-    the private key printing now uses the same format as the rest.
-  * gnutls-cli: introduced the --sni-hostname option. This allows
-    overriding the hostname advertised to the peer.
-
-- skip trust-store tests to avoid build cycle with
-  ca-certificates-mozilla, add gnutls-3.5.11-skip-trust-store-tests.patch
-
-- GnuTLS 3.5.11:
-  * gnutls.pc: do not include libtool options into Libs.private.
-  * libgnutls: Fixed issue when rehandshaking without a client certificate in
-    a session which initially used one
-  * libgnutls: Addressed read of 4 bytes past the end of buffer in OpenPGP
-    certificate parsing (bsc#1038337)
-  * libgnutls: Introduced locks in gnutls_pkcs11_privkey_t structure access.
-    That allows PKCS#11 operations such as signing to be performed with the
-    same object from multiple threads.
-  * libgnutls: when disabling OpenPGP authentication, the resulting library
-    is ABI compatible (will openpgp related functions being stubs that fail
-    on invocation).
-
-- call gzip -n to make build fully reproducible
-
-- update to 3.5.10
-  * addresses GNUTLS-SA-2017-3 CVE-2017-7869 bsc#1034173
-  * gnutls.pc: do not include libidn2 in Requires.private
-  * libgnutls: optimized access to subject alternative names (SANs) in parsed
-    certificates
-  * libgnutls: Print the key PIN value used by the HPKP protocol as per RFC7469
-    when printing certificate information.
-  * libgnutls: gnutls_ocsp_resp_verify_direct() and gnutls_ocsp_resp_verify()
-    flags can be set from the gnutls_certificate_verify_flags enumeration.
-    This allows the functions to pass the same flags available for certificates
-    to the verification function (e.g., GNUTLS_VERIFY_DISABLE_TIME_CHECKS or
-    GNUTLS_VERIFY_ALLOW_BROKEN).
-  * libgnutls: gnutls_store_commitment() can accept flag
-    GNUTLS_SCOMMIT_FLAG_ALLOW_BROKEN. This is to allow the function to operate
-    in applications which use SHA1 for example, after SHA1 is deprecated.
-  * certtool: No longer ignore the 'add_critical_extension' template option if
-    the 'add_extension' option is not present.
-  * gnutls-cli: Added LMTP, POP3, NNTP, Sieve and PostgreSQL support to the
-    starttls-proto command- drop gnutls-3.5.9-pkgconfig.patch (upstream)
-- drop gnutls-3.5.9-pkgconfig.patch (upstream)
-- remove unknown --disable-srp flag (bsc#901857)
-
-- disable the deprecated OpenPGP authentication support
-  * see https://gitlab.com/gnutls/gnutls/issues/102
-- add gnutls-broken-openpgp-tests.patch
-
-- GnuTLS 3.5.9:
-  * libgnutls: OpenPGP references removed, functionality deprecated
-  * libgnutls: Improve detection of AVX support
-  * libgnutls: Add support for IDNA2008 with libidn2 FATE#321897
-  * p11tool: re-use ID from corresponding objects when writing
-    certificates.
-  * API and ABI modifications:
-    gnutls_idna_map: Added
-    gnutls_idna_reverse_map: Added
-- prevent pkgconfig issues due to libidn2 when building with GnuTLS
-  add gnutls-3.5.9-pkgconfig.patch
-
-- Version 3.5.8 (released 2016-01-09)
-  * libgnutls: Ensure that multiple calls to the gnutls_set_priority_*
-    functions will not leave the verification profiles field to an
-    undefined state. The last call will take precedence.
-  * libgnutls: Ensure that GNUTLS_E_DECRYPTION_FAIL will be returned
-    by PKCS#8 decryption functions when an invalid key is provided. This
-    addresses regression on decrypting certain PKCS#8 keys.
-  * libgnutls: Introduced option to override the default priority string
-    used by the library. The intention is to allow support of system-wide
-    priority strings (as set with --with-system-priority-file). The
-    configure option is --with-default-priority-string.
-  * libgnutls: Require a valid IV size on all ciphers for PKCS#8 decryption.
-    This prevents crashes when decrypting malformed PKCS#8 keys.
-  * libgnutls: Fix crash on the loading of malformed private keys with certain
-    parameters set to zero.
-  * libgnutls: Fix double free in certificate information printing. If the PKIX
-    extension proxy was set with a policy language set but no policy specified,
-    that could lead to a double free.
-  * libgnutls: Addressed memory leaks in client and server side error paths
-    (issues found using oss-fuzz project)
-  * libgnutls: Addressed memory leaks in X.509 certificate printing error paths
-    (issues found using oss-fuzz project)
-  * libgnutls: Addressed memory leaks and an infinite loop in OpenPGP certificate
-    parsing. Fixes by Alex Gaynor. (issues found using oss-fuzz project)
-  * libgnutls: Addressed invalid memory accesses in OpenPGP certificate parsing.
-    (issues found using oss-fuzz project)
-- security issues fixed: GNUTLS-SA-2017-1 GNUTLS-SA-2017-2
-
-- GnuTLS 3.5.7, the next stable branch, with the following
-  highlights:
-  * SHA3 as a certificate signature algorithm
-  * X25519 (formerly curve25519) for ephemeral EC diffie-hellman
-    key exchange
-  * TLS false start
-  * New APIs to access the Shawe-Taylor-based provable RSA and DSA
-    parameter generation
-  * Prevent the change of identity on rehandshakes by default
-
-- GnuTLS 3.4.17:
-  * libgnutls: Introduced time and constraints checks in the end
-    certificate in the gnutls_x509_crt_verify_data2() and
-    gnutls_pkcs7_verify_direct() functions.
-  * libgnutls: Set limits on the maximum number of alerts handled.
-    That is, applications using gnutls could be tricked into an
-    busy loop if the peer sends continuously alert messages.
-    Applications  which set a maximum handshake time (via
-    gnutls_handshake_set_timeout) will eventually recover but
-    others may remain in a busy loops indefinitely. This is related
-    but not identical to CVE-2016-8610, due to the difference in
-    alert handling of the libraries (gnutls delegates that handling
-    to applications). boo#1005879
-  * libgnutls: Enhanced the PKCS#7 parser to allow decoding old
-    (pre-rfc5652) structures with arbitrary encapsulated content.
-  * libgnutls: Backported cipher priorities order from 3.5.x branch
-    That adds CHACHA20-POLY1305 ciphersuite to SECURE priority
-    strings.
-  * certtool: When exporting a CRQ in DER format ensure no text data
-    are intermixed.
-  * API and ABI modifications:
-    gnutls_pkcs7_get_embedded_data_oid: Added
-- includes changes from 3.4.16:
-  * libgnutls: Ensure proper cleanups on
-    gnutls_certificate_set_*key() failures due to key mismatch.
-    This prevents leaks or double freeing on such failures.
-  * libgnutls: Increased the maximum size of the handshake message
-    hash. This will allow the library to cope better with larger
-    packets, as the ones offered by current TLS 1.3 drafts.
-  * libgnutls: Allow to use client certificates despite them
-    containing disallowed algorithms for a session. That allows for
-    example a client to use DSA-SHA1 due to his old DSA
-    certificate, without requiring him to enable DSA-SHA1 (and thus
-    make it acceptable for the server's certificate).
-  * guile: Backported all improvements from 3.5.x branch.
-  * guile: Update code to the I/O port API of Guile >= 2.1.4
-    This makes sure the GnuTLS bindings will work with the
-    forthcoming 2.2 stable series of Guile, of which 2.1 is a
-    preview.
-
-- GnuTLS 3.4.15:
-  * libgnutls: Corrected the comparison of the serial size in OCSP
-    response. Previously the OCSP certificate check wouldn't verify
-    the serial length and could succeed in cases it shouldn't
-    (GNUTLS-SA-2016-3).
-  * libgnutls: Fixes in gnutls_x509_crt_list_import2, which was
-    ignoring flags if all certificates in the list fit within the
-    initially allocated memory.
-  * libgnutls: Corrected issue which made
-    gnutls_certificate_get_x509_crt() to return invalid pointers
-    when returned more than a single certificate.
-  * libgnutls: Fix gnutls_pkcs12_simple_parse to always extract the
-    complete chain.
-  * libgnutls: Added support for decrypting PKCS#8 files which use
-    the HMAC-SHA256 as PRF.
-  * libgnutls: Addressed issue with PKCS#11 signature generation on
-    ECDSA keys. The signature is now written as unsigned integers
-    into the DSASignatureValue structure. Previously signed
-    integers could be written depending on what the underlying
-    module would produce. Addresses #122.
-- fix build error for 13.2, 42.1 and 42.2
-
-- GnuTLS 3.4.14:
-  * libgnutls: Address issue when utilizing the p11-kit trust store
-    for certificate verification (GNUTLS-SA-2016-2, boo#988276)
-  * libgnutls: Fixed DTLS handshake packet reconstruction.
-  * libgnutls: Fixed issues with PKCS#11 reading of sensitive
-    objects from SafeNet Network HSM
-  * libgnutls: Corrected the writing of PKCS#11 CKA_SERIAL_NUMBER
-- drop upstreamed
-  0001-tests-use-datefudge-in-name-constraints-test.patch
-
-- Fix a problem with expired test certificate by using datefudge
-  (boo#987139)
-  * add 0001-tests-use-datefudge-in-name-constraints-test.patch
-
-- Version 3.4.13 (released 2016-06-06)
-  * libgnutls: Consider the SSLKEYLOGFILE environment to be compatible with
-    NSS instead of using a separate variable; in addition append any keys to
-    the file instead of overwriting it.
-  * libgnutls: use secure_getenv() where available to obtain environment
-    variables. Addresses GNUTLS-SA-2016-1.
-- Version 3.4.12 (released 2016-05-20)
-  * libgnutls: The CHACHA20-POLY1305 ciphersuite is enabled by default. This
-    cipher is prioritized after AES-GCM.
-  * libgnutls: Fixes in gnutls_privkey_import_ecc_raw().
-  * libgnutls: Fixed gnutls_pkcs11_get_raw_issuer() usage with the
-    GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT flag. Previously that
-    operation could fail on certain PKCS#11 modules.
-  * libgnutls: gnutls_pkcs11_obj_import_url() and gnutls_x509_crt_import_url()
-    can accept the GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT flag.
-  * libgnutls: gnutls_certificate_set_key() was enhanced to import the DNS
-    name of the certificates if the provided names are NULL.
-  * libgnutls: when receiving SNI names, only save and expose to application
-    the supported DNS names.
-  * libgnutls: when importing the certificate names at the
-    gnutls_certificate_set* functions, only consider the CN as a fallback
-    if DNS names are provided via the alternative name extension.
-  * gnutls-cli: on OCSP verification do not fail if we have a single valid
-    reply. Report and reproducer by Thomas Klute.
-  * libgnutls: The GNUTLS_KEYLOGFILE environment variable can be used to
-    log session keys in client side. These session keys are compatible with
-    the NSS Key Log Format and can be used to decrypt the session for
-    debugging using wireshark.
-
-- enabled guile support
-- removed duplicates
-
-- Updated to 3.4.11
-  * Version 3.4.11 (released 2016-04-11)
-  * * libgnutls: Fixes in gnutls_record_get/set_state() with DTLS.
-    Reported by Fridolin Pokorny.
-  * * libgnutls: Fixes in DSA key generation under PKCS #11. Report and
-    patches by Jan Vcelak.
-  * * libgnutls: Corrected behavior of ALPN extension parsing during
-    session resumption. Report and patches by Yuriy M. Kaminskiy.
-  * * libgnutls: Corrected regression (since 3.4.0) in
-    gnutls_server_name_set() which caused it not to accept non-null-
-    terminated hostnames. Reported by Tim Ruehsen.
-  * * libgnutls: Corrected printing of the IP Adress name constraints.
-  * * ocsptool: use HTTP/1.0 for requests. This avoids issue with servers
-    serving chunk encoding which ocsptool doesn't support. Reported by
-    Thomas Klute.
-  * * certtool: do not require a CA for OCSP signing tag. This follows the
-    recommendations in RFC6960 in 4.2.2.2 which allow a CA to delegate
-    OCSP signing to another certificate without requiring it to be a CA.
-    Reported by Thomas Klute.
-  * Version 3.4.10 (released 2016-03-03)
-  * * libgnutls: Eliminated issues preventing buffers more than 2^32 bytes
-    to be used with hashing functions.
-  * * libgnutls: Corrected leaks and other issues in
-    gnutls_x509_crt_list_import().
-  * * libgnutls: Fixes in DSA key handling for PKCS #11. Report and
-    patches by Jan Vcelak.
-  * * libgnutls: Several fixes to prevent relying on undefined behavior
-    of C (found with libubsan).
-  * Version 3.4.9 (released 2016-02-03)
-  * * libgnutls: Corrected ALPN protocol negotiation. Before GnuTLS would
-    negotiate the last commonly supported protocol, rather than the
-    first. Reported by Remi Denis-Courmont (#63).
-  * * libgnutls: Tolerate empty DN fields in informational output
-    functions.
-  * * libgnutls: Corrected regression causes by incorrect fix in
-    gnutls_x509_ext_export_key_usage() at 3.4.8 release.
-
-- follow the work in the unbound package and use the
-  libunbound-devel symbol for the buildrequires. we override it for
-  the distro build with libunbound-devel-mini to avoid build loops.
-
-- reenable dane support, require unbound-devel bsc#964346
-- split out libgnutls-dane-devel to try to avoid build cycle.
-
-- Update to 3.4.8
-  All changes since 3.4.4:
-  * libgnutls: Corrected memory leak in gnutls_pubkey_import_privkey()
-    when used with PKCS #11 keys.
-  * libgnutls: For DSA and ECDSA keys in PKCS #11 objects, import
-    their public keys from either a public key object or a certificate.
-    That is, because private keys do not contain all the required
-    parameters for a direct import.
-  * libgnutls: Fixed issue when writing ECDSA private keys in PKCS #11
-    tokens.
-  * libgnutls: Fixed out-of-bounds read in
-    gnutls_x509_ext_export_key_usage()
-  * libgnutls: The CHACHA20-POLY1305 ciphersuites were updated to
-    conform to draft-ietf-tls-chacha20-poly1305-02.
-  * libgnutls: Several fixes in PKCS #7 signing which improve
-    compatibility with the MacOSX tools.
-  * libgnutls: The max-record extension not negotiated on DTLS. This
-    resolves issue with the max-record being negotiated but ignored.
-  * certtool: Added the --p7-include-cert and --p7-show-data options.
-  * libgnutls: Properly require TLS 1.2 in all CBC-SHA256 and CBC-SHA384
-    ciphersuites. This solves an interoperability issue with openssl.
-  * libgnutls: Corrected the setting of salt size in
-    gnutls_pkcs12_mac_info().
-  * libgnutls: On a rehandshake allow switching from anonymous to ECDHE
-    and DHE ciphersuites.
-  * libgnutls: Corrected regression from 3.3.x which prevented
-    ARCFOUR128 from using arbitrary key sizes.
-  * libgnutls: Added GNUTLS_SKIP_GLOBAL_INIT macro to allow programs
-    skipping the implicit global initialization.
-  * gnutls.pc: Don't include libtool specific options to link flags.
-  * tools: Better support for FTP AUTH TLS negotiation
-  * libgnutls: Added new simple verification functions. That avoids the
-    need to install a callback to perform certificate verification. See
-    doc/examples/ex-client-x509.c for usage.
-  * libgnutls: Introduced the security parameter 'future' which is at
-    the 256-bit level of security, and 'ultra' was aligned to its
-    documented size at 192-bits.
-  * libgnutls: When writing a certificate into a PKCS #11 token, ensure
-    that CKA_SERIAL_NUMBER and CKA_ISSUER are written.
-  * libgnutls: Allow the presence of legacy ciphers and key exchanges in
-    priority strings and consider them a no-op.
-  * libgnutls: Handle the extended master secret as a mandatory
-    extension. That fixes incompatibility issues with Chromium (#45).
-  * libgnutls: Added the ability to copy a public key into a PKCS #11
-    token.
-  * tools: Added support for LDAP and XMPP negotiation for STARTTLS.
-  * p11tool: Allow writing a public key into a PKCS #11 token.
-  * certtool: Key generation security level was switched to HIGH. That
-    is, by default the tool generates 3072 bit keys for RSA and DSA.
-  * libgnutls: When re-importing CRLs to a trust list ensure that there
-    no duplicate entries.
-  * certtool: Removed any arbitrary limits imposed on input file sizes
-    and maximum number of certificates imported.
-  * certtool: Allow specifying fixed dates on CRL generation.
-  * gnutls-cli-debug: Added check for inappropriate fallback support
-    (RFC7507).
-
-- Update to 3.4.4
-  This update contains a fix for a denial of service vulnerability:
-  * Allow the parsing of very long DNs. Also fixes double free
-    in DN decoding [GNUTLS-SA-2015-3]. boo#941794 CVE-2015-6251
-  Other changes:
-  * Add high level API (gnutls_prf_rfc5705) to access the PRF as
-    specified by RFC5705.
-  * Link to trousers (TPM library) dynamically when this
-    functionality is requested. (disabled in SUSE package)
-  * Fix issue with server side sending the status request extension
-    even when not requested.
-  * Add support for RFC7507 by introducing the %FALLBACK_SCSV
-    priority string option.
-  * gnutls_pkcs11_privkey_generate2() will store the generated
-    public key, unless the GNUTLS_PKCS11_OBJ_FLAG_NO_STORE_PUBKEY
-    flag is specified.
-  * Correct regression from 3.4.3 in loading PKCS #8 keys as fallback.
-  * API and ABI modifications:
-    gnutls_prf_rfc5705: Added
-    gnutls_hex_encode2: Added
-    gnutls_hex_decode2: Added
-- build with autogen for libopts compatibility
-- fix failures in test suite, add upstream commits
-  0001-certtool-lifted-limits-on-file-size-to-load.patch
-  0002-certtool-eliminated-memory-leaks-due-to-new-cert-loa.patch
-
-- update to 3.4.3
-  * * libgnutls: Follow closely RFC5280 recommendations and use UTCTime for
-    dates prior to 2050.
-  * * libgnutls: Force 16-byte alignment to all input to ciphers (previously it
-    was done only when cryptodev was enabled).
-  * * libgnutls: Removed support for pthread_atfork() as it has undefined
-    semantics when used with dlopen(), and may lead to a crash.
-  * * libgnutls: corrected failure when importing plain files
-    with gnutls_x509_privkey_import2(), and a password was provided.
-  * * libgnutls: Don't reject certificates if a CA has the URI or IP address
-    name constraints, and the end certificate doesn't have an IP address
-    name or a URI set.
-  * * libgnutls: set and read the hint in DHE-PSK and ECDHE-PSK ciphersuites.
-  * * p11tool: Added --list-token-urls option, and print the token module name
-    in list-tokens.
-  * * libgnutls: DTLS blocking API is more robust against infinite blocking,
-    and will notify of more possible timeouts.
-  * * libgnutls: corrected regression with Camellia-256-GCM cipher. Reported
-    by Manuel Pegourie-Gonnard.
-  * * libgnutls: Introduced the GNUTLS_NO_SIGNAL flag to gnutls_init(). That
-    allows to disable SIGPIPE for writes done within gnutls.
-  * * libgnutls: Enhanced the PKCS #7 API to allow signing and verification
-    of structures. API moved to gnutls/pkcs7.h header.
-  * * certtool: Added options to generate PKCS #7 bundles and signed
-    structures.
-- includes changes from 3.4.2:
-  * DTLS blocking API is more robust against infinite blocking,
-    and will notify of more possible timeouts.
-  * Correct regression with Camellia-256-GCM cipher.
-  * Introduce the GNUTLS_NO_SIGNAL flag to gnutls_init(). That
-    allows to disable SIGPIPE for writes done within gnutls.
-  * Enhance the PKCS #7 API to allow signing and verification
-    of structures. Move API to gnutls/pkcs7.h header.
-  * certtool: Added options to generate PKCS #7 bundles and signed
-    structures.
-
-- disable testsuite run against valgrind on aarch64
-
-- Updated to 3.4.1 (released 2015-05-03)
-  * * libgnutls: gnutls_certificate_get_ours: will return the certificate even
-  if a callback was used to send it.
-  * * libgnutls: Check for invalid length in the X.509 version field. Without
-  the check certificates with invalid length would be detected as having an
-  arbitrary version. Reported by Hanno Böck.
-  * * libgnutls: Handle DNS name constraints with a leading dot. Patch by
-  Fotis Loukos.
-  * * libgnutls: Updated system-keys support for windows to compile in more
-  versions of mingw. Patch by Tim Kosse.
-  * * libgnutls: Fix for MD5 downgrade in TLS 1.2 signatures. Reported by
-  Karthikeyan Bhargavan [GNUTLS-SA-2015-2]. bsc#929690
-  * * libgnutls: Reverted: The gnutls_handshake() process will enforce a timeout
-  by default. That caused issues with non-blocking programs.
-  * * certtool: It can generate SHA256 key IDs.
-  * * gnutls-cli: fixed crash in --benchmark-ciphers. Reported by James Cloos.
-  * * API and ABI modifications: gnutls_x509_crt_get_pk_ecc_raw: Added
-- gnutls-fix-double-mans.patch: fixed upstream
-
-- Disable buggy valgrind on armv7l
-
-- updated to 3.4.0 (released 2015-04-08)
-  * * libgnutls: Added support for AES-CCM and AES-CCM-8 (RFC6655 and RFC7251)
-  ciphersuites. The former are enabled by default, the latter need to be
-  explicitly enabled, since they reduce the overall security level.
-  * * libgnutls: Added support for Chacha20-Poly1305 ciphersuites following
-  draft-mavrogiannopoulos-chacha-tls-05 and draft-irtf-cfrg-chacha20-poly1305-10.
-  That is currently provided as technology preview and is not enabled by
-  default, since there are no assigned ciphersuite points by IETF and there
-  is no guarrantee of compatibility between draft versions. The ciphersuite
-  priority string to enable it is "+CHACHA20-POLY1305".
-  * * libgnutls: Added support for encrypt-then-authenticate in CBC
-  ciphersuites (RFC7366 -taking into account its errata text). This is
-  enabled by default and can be disabled using the %NO_ETM priority
-  string.
-  * * libgnutls: Added support for the extended master secret
-  (triple-handshake fix) following draft-ietf-tls-session-hash-02.
-  * * libgnutls: Added a new simple and hard to misuse AEAD API (crypto.h).
-  * * libgnutls: SSL 3.0 is no longer included in the default priorities
-  list. It has to be explicitly enabled, e.g., with a string like
-  "NORMAL:+VERS-SSL3.0".
-  * * libgnutls: ARCFOUR (RC4) is no longer included in the default priorities
-  list. It has to be explicitly enabled, e.g., with a string like
-  "NORMAL:+ARCFOUR-128".
-  * * libgnutls: DSA signatures and DHE-DSS are no longer included in the
-  default priorities list. They have to be explicitly enabled, e.g., with
-  a string like "NORMAL:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1". The
-  DSA ciphersuites were dropped because they had no deployment at all
-  on the internet, to justify their inclusion.
-  * * libgnutls: The priority string EXPORT was completely removed. The string
-  was already defunc as support for the EXPORT ciphersuites was removed in
-  GnuTLS 3.2.0.
-  * * libgnutls: Added API to utilize system specific private keys in
-  "gnutls/system-keys.h". It is currently provided as technology preview
-  and is restricted to windows CNG keys.
-  * * libgnutls: gnutls_x509_crt_check_hostname() and friends will use
-  RFC6125 comparison of hostnames. That introduces a dependency on libidn.
-  * * libgnutls: Depend on p11-kit 0.23.1 to comply with the final
-  PKCS #11 URLs draft (draft-pechanec-pkcs11uri-21).
-  * * libgnutls: Depend on nettle 3.1.
-  * * libgnutls: Use getrandom() or getentropy() when available. That
-  avoids the complexity of file descriptor handling and issues with
-  applications closing all open file descriptors on startup.
-  * * libgnutls: Use pthread_atfork() to detect fork when available.
-  * * libgnutls: The gnutls_handshake() process will enforce a timeout by
-  default.
-  * * libgnutls: If a key purpose (extended key usage) is specified for verification,
-  it is applied into intermediate certificates. The verification result
-  GNUTLS_CERT_PURPOSE_MISMATCH is also introduced.
-  * * libgnutls: When gnutls_certificate_set_x509_key_file2() is used in
-  combination with PKCS #11, or TPM URLs, it will utilize the provided
-  password as PIN if required. That removes the requirement for the
-  application to set a callback for PINs in that case.
-  * * libgnutls: priority strings VERS-TLS-ALL and VERS-DTLS-ALL are
-  restricted to the corresponding protocols only, and the VERS-ALL
-  string is introduced to catch all possible protocols.
-  * * libgnutls: Added helper functions to obtain information on PKCS #8
-  structures.
-  * * libgnutls: Certificate chains which are provided to gnutls_certificate_credentials_t
-  will automatically be sorted instead of failing with GNUTLS_E_CERTIFICATE_LIST_UNSORTED.
-  * * libgnutls: Added functions to export and set the record state. That
-  allows for gnutls_record_send() and recv() to be offloaded (to kernel,
-  hardware or any other subsystem).
-  * * libgnutls: Added the ability to register application specific URL
-  types, which express certificates and keys using gnutls_register_custom_url().
-  * * libgnutls: Added API to override existing ciphers, digests and MACs, e.g.,
-  to override AES-GCM using a system-specific accelerator. That is, (crypto.h)
-  gnutls_crypto_register_cipher(), gnutls_crypto_register_aead_cipher(),
-  gnutls_crypto_register_mac(), and gnutls_crypto_register_digest().
-  * * libgnutls: Added gnutls_ext_register() to register custom extensions.
-  Contributed by Thierry Quemerais.
-  * * libgnutls: Added gnutls_supplemental_register() to register custom
-  supplemental data handshake messages. Contributed by Thierry Quemerais.
-  * * libgnutls-openssl: it is no longer built by default.
-  * * certtool: Added --p8-info option, which will print PKCS #8 information
-  even if the password is not available.
-  * * certtool: --key-info option will print PKCS #8 encryption information
-  when available.
-  * * certtool: Added the --key-id and --fingerprint options.
-  * * certtool: Added the --verify-hostname, --verify-email and --verify-purpose
-  options to be used in certificate chain verification, to simulate verification
-  for specific hostname and key purpose (extended key usage).
-  * * certtool: --p12-info option will print PKCS #12 MAC and cipher information
-  when available.
-  * * certtool: it will print the A-label (ACE) names in addition to UTF-8.
-  * * p11tool: added options --set-id and --set-label.
-  * * gnutls-cli: added options --priority-list and --save-cert.
-  * * guile: Deprecated priority API has been removed. The old priority API,
-  which had been deprecated for some time, is now gone; use 'set-session-priorities!'
-  instead.
-  * * guile: Remove RSA parameters and related procedures. This API had been
-  deprecated.
-  * * guile: Fix compilation on MinGW. Previously only the static version of the
-  'guile-gnutls-v-2' library would be built, preventing dynamic loading from Guile.
-
-- updated to 3.3.13 (released 2015-03-30)
-  * * libgnutls: When retrieving OCTET STRINGS from PKCS #12 ContentInfo
-  structures use BER to decode them (requires libtasn1 4.3). That allows
-  to decode some more complex structures.
-  * * libgnutls: When an end-certificate with no name is present and there
-  are CA name constraints, don't reject the certificate. This follows RFC5280
-  advice closely. Reported by Fotis Loukos.
-  * * libgnutls: Fixed handling of supplemental data with types > 255.
-  Patch by Thierry Quemerais.
-  * * libgnutls: Fixed double free in the parsing of CRL distribution points certificate
-  extension. Reported by Robert Święcki.
-  * * libgnutls: Fixed a two-byte stack overflow in DTLS 0.9 protocol. That
-  protocol is not enabled by default (used by openconnect VPN).
-  * * libgnutls: The maximum user data send size is set to be the same for
-  block and non-block ciphersuites. This addresses a regression with wine:
-  https://bugs.winehq.org/show_bug.cgi?id=37500
-  * * libgnutls: When generating PKCS #11 keys, set CKA_ID, CKA_SIGN,
-  and CKA_DECRYPT when needed.
-  * * libgnutls: Allow names with zero size to be set using
-  gnutls_server_name_set(). That will disable the Server Name Indication.
-  Resolves issue with wine: https://gitlab.com/gnutls/gnutls/issues/2
-- new main library major version .so.30
-- requires new libnettle >= 3.1, p11-kit-devel >= 0.23.1
-- Now need to configure --enable-openssl-compatibility (might go away)
-- added gnutls-fix-double-mans.patch: avoid double installing manpages
-- dropped gnutls-3.0.26-skip-test-fwrite.patch: does not seem to be needed
-  anymore
-- install_info_delete moved from %postun to %preun
-
-- for DANE support, use bcond_with
-- for tpm support, same
-- note p11-kit >= 0.20.7 requirement
-- note libtasn1 3.9 requirement (built-in lib used otherwise)
-
-- disable trousers and unbound again for now, as it causes too long
-  build cycles.
-
-- added unbound-devel (for DANE) and trousers-devel (for TPM support)
-- removed now upstreamed gnutls-implement-trust-store-dir-3.2.8.diff
-- libgnutls-dane0 new library added
-- updated to 3.3.13 (released 2015-02-25)
-  * * libgnutls: Enable AESNI in GCM on x86
-  * * libgnutls: Fixes in DTLS message handling
-  * * libgnutls: Check certificate algorithm consistency, i.e.,
-    check whether the signatureAlgorithm field matches the signature
-    field inside TBSCertificate.
-  * * gnutls-cli: Fixes in OCSP verification.
-- Version 3.3.12 (released 2015-01-17)
-  * * libgnutls: When negotiating TLS use the lowest enabled version in
-  the client hello, rather than the lowest supported. In addition, do
-  not use SSL 3.0 as a version in the TLS record layer, unless SSL 3.0
-  is the only protocol supported. That addresses issues with servers that
-  immediately drop the connection when the encounter SSL 3.0 as the record
-  version number. See:
-  http://lists.gnutls.org/pipermail/gnutls-help/2014-November/003673.html
-  * * libgnutls: Corrected encoding and decoding of ANSI X9.62 parameters.
-  * * libgnutls: Handle zero length plaintext for VIA PadLock functions.
-  This solves a potential crash on AES encryption for small size plaintext.
-  Patch by Matthias-Christian Ott.
-  * * libgnutls: In DTLS don't combine multiple packets which exceed MTU.
-  Reported by Andreas Schultz. https://savannah.gnu.org/support/?108715
-  * * libgnutls: In DTLS decode all handshake packets present in a record
-  packet, in a single pass. Reported by Andreas Schultz.
-  https://savannah.gnu.org/support/?108712
-  * * libgnutls: When importing a CA file with a PKCS #11 URL, simply
-  import the certificates, if the URL specifies objects, rather than
-  treating it as trust module.
-  * * libgnutls: When importing a PKCS #11 URL and we know the type of
-  object we are importing, don't require the object type in the URL.
-  * * libgnutls: fixed openpgp authentication when gnutls_certificate_set_retrieve_function2
-  was used by the server.
-  * * certtool: --pubkey-info will also attempt to load a public key from stdin.
-  * * gnutls-cli: Added --starttls-proto option. That allows to specify a
-  protocol for starttls negotiation.
-- Version 3.3.11 (released 2014-12-11)
-  * * libgnutls: Corrected regression introduced in 3.3.9 related to
-  session renegotiation. Reported by Dan Winship.
-  * * libgnutls: Corrected parsing issue with OCSP responses.
-- Version 3.3.10 (released 2014-11-10)
-  * * libgnutls: Refuse to import v1 or v2 certificates that contain
-  extensions.
-  * * libgnutls: Fixes in usage of PKCS #11 token callback
-  * * libgnutls: Fixed bug in gnutls_x509_trust_list_get_issuer() when used
-  with a PKCS #11 trust module and without the GNUTLS_TL_GET_COPY flag.
-  Reported by David Woodhouse.
-  * * libgnutls: Removed superfluous random generator refresh on every call
-  of gnutls_deinit(). That reduces load and usage of /dev/urandom.
-  * * libgnutls: Corrected issue in export of ECC parameters to X9.63 format.
-  Reported by Sean Burford [GNUTLS-SA-2014-5].
-  * * libgnutls: When gnutls_global_init() is called for a second time, it
-  will check whether the /dev/urandom fd kept is still open and matches
-  the original one. That behavior works around issues with servers that
-  close all file descriptors.
-  * * libgnutls: Corrected behavior with PKCS #11 objects that are marked
-  as CKA_ALWAYS_AUTHENTICATE.
-  * * certtool: The default cipher for PKCS #12 structures is 3des-pkcs12.
-  That option is more compatible than AES or RC4.
-- Version 3.3.9 (released 2014-10-13)
-  * * libgnutls: Fixes in the transparent import of PKCS #11 certificates.
-  Reported by Joseph Peruski.
-  * * libgnutls: Fixed issue with unexpected non-fatal errors resetting the
-  handshake's hash buffer, in applications using the heartbeat extension
-  or DTLS. Reported by Joeri de Ruiter.
-  * * libgnutls: When both a trust module and additional CAs are present
-  account the latter as well; reported by David Woodhouse.
-  * * libgnutls: added GNUTLS_TL_GET_COPY flag for
-  gnutls_x509_trust_list_get_issuer(). That allows the function to be used
-  in a thread safe way when PKCS #11 trust modules are in use.
-  * * libgnutls: fix issue in DTLS retransmission when session tickets
-  were in use; reported by Manuel Pégourié-Gonnard.
-  * * libgnutls-dane: Do not require the CA on a ca match to be direct CA.
-  * * libgnutls: Prevent abort() in library if getrusage() fails. Try to
-  detect instead which of RUSAGE_THREAD and RUSAGE_SELF would work.
-  * * guile: new 'set-session-server-name!' procedure; see the manual for
-  details.
-  * * certtool: The authority key identifier will be set in a certificate only
-  if the CA's subject key identifier is set.
-- Version 3.3.8 (released 2014-09-18)
-  * * libgnutls: Updates in the name constraints checks. No name constraints
-  will be checked for intermediate certificates. As our support for name
-  constraints is limited to e-mail addresses in DNS names, it is pointless
-  to check them on intermediate certificates.
-  * * libgnutls: Fixed issues in PKCS #11 object listing. Previously multiple
-  object listing would fail completely if a single object could not be exported.
-  * * libgnutls: Improved the performance of PKCS #11 object listing/retrieving,
-  by retrieving them in large batches. Report and suggestion by David
-  Woodhouse.
-  * * libgnutls: Fixed issue with certificates being sanitized by gnutls prior
-  to signature verification. That resulted to certain non-DER compliant modifications
-  of valid certificates, being corrected by libtasn1's parser and restructured as
-  the original. Issue found and reported by Antti Karjalainen and Matti Kamunen from
-  Codenomicon.
-  * * libgnutls: Fixes in gnutls_x509_crt_set_dn() and friends to properly handle
-  strings with embedded spaces and escaped commas.
-  * * libgnutls: when comparing a CA certificate with the trusted list compare
-  the name and key only instead of the whole certificate. That is to handle
-  cases where a CA certificate was superceded by a different one with the same
-  name and the same key.
-  * * libgnutls: when verifying a certificate against a p11-kit trusted
-  module, use the attached extensions in the module to override the CA's
-  extensions (that requires p11-kit 0.20.7).
-  * * libgnutls: In DTLS prevent sending zero-size fragments in certain cases
-  of MTU split. Reported by Manuel Pégourié-Gonnard.
-  * * libgnutls: Added gnutls_x509_trust_list_verify_crt2() which allows
-  verifying using a hostname and a purpose (extended key usage). That
-  enhances PKCS #11 trust module verification, as it can now check the purpose
-  when this function is used.
-  * * libgnutls: Corrected gnutls_x509_crl_verify() which would always report
-  a CRL signature as invalid. Reported by Armin Burgmeier.
-  * * libgnutls: added option --disable-padlock to allow disabling the padlock
-  CPU acceleration.
-  * * p11tool: when listing tokens, list their type as well.
-  * * p11tool: when listing objects from a trust module print any attached
-  extensions on certificates.
-- Version 3.3.7 (released 2014-08-24)
-  * * libgnutls: Added function to export the public key of a PKCS #11
-  private key. Contributed by Wolfgang Meyer zu Bergsten.
-  * * libgnutls: Explicitly set the exponent in PKCS #11 key generation.
-  That improves compatibility with certain PKCS #11 modules. Contributed by
-  Wolfgang Meyer zu Bergsten.
-  * * libgnutls: When generating a PKCS #11 private key allow setting
-  the WRAP/UNWRAP flags. Contributed by Wolfgang Meyer zu Bergsten.
-  * * libgnutls: gnutls_pkcs11_privkey_t will always hold an open session
-  to the key.
-  * * libgnutls: bundle replacements of inet_pton and inet_aton if not
-  available.
-  * * libgnutls: initialize parameters variable on PKCS #8 decryption.
-  * * libgnutls: gnutls_pkcs12_verify_mac() will not fail in other than SHA1
-  algorithms.
-  * * libgnutls: gnutls_x509_crt_check_hostname() will follow the RFC6125
-  requirement of checking the Common Name (CN) part of DN only if there is
-  a single CN present in the certificate.
-  * * libgnutls: The environment variable GNUTLS_FORCE_FIPS_MODE can be used
-  to force the FIPS mode, when set to 1.
-  * * libgnutls: In DTLS ignore only errors that relate to unexpected packets
-  and decryption failures.
-  * * p11tool: Added --info parameter.
-  * * certtool: Added --mark-wrap parameter.
-  * * danetool: --check will attempt to retrieve the server's certificate
-  chain and verify against it.
-  * * danetool/gnutls-cli-debug: Added --app-proto parameters which can
-  be used to enforce starttls (currently only SMTP and IMAP) on the connection.
-  * * danetool: Added openssl linking exception, to allow linking
-  with libunbound.
-- Version 3.3.6 (released 2014-07-23)
-  * * libgnutls: Use inet_ntop to print IP addresses when available
-  * * libgnutls: gnutls_x509_crt_check_hostname and friends will also check
-  IP addresses, and match documented behavior. Reported by David Woodhouse.
-  * * libgnutls: DSA key generation in FIPS140-2 mode doesn't allow 1024
-  bit parameters.
-  * * libgnutls: fixed issue in gnutls_pkcs11_reinit() which prevented tokens
-  being usable after a reinitialization.
-  * * libgnutls: fixed PKCS #11 private key operations after a fork.
-  * * libgnutls: fixed PKCS #11 ECDSA key generation.
-  * * libgnutls: The GNUTLS_CPUID_OVERRIDE environment variable can be used to
-  explicitly enable/disable the use of certain CPU capabilities. Note that CPU
-  detection cannot be overriden, i.e., VIA options cannot be enabled on an Intel
-  CPU. The currently available options are:
-    0x1: Disable all run-time detected optimizations
-    0x2: Enable AES-NI
-    0x4: Enable SSSE3
-    0x8: Enable PCLMUL
-    0x100000: Enable VIA padlock
-    0x200000: Enable VIA PHE
-    0x400000: Enable VIA PHE SHA512
-  * * libdane: added dane_query_to_raw_tlsa(); patch by Simon Arlott.
-  * * p11tool: use GNUTLS_SO_PIN to read the security officer's PIN if set.
-  * * p11tool: ask for label when one isn't provided.
-  * * p11tool: added --batch parameter to disable any interactivity.
-  * * p11tool: will not implicitly enable so-login for certain types of
-  objects. That avoids issues with tokens that require different login
-  types.
-  * * certtool/p11tool: Added the --curve parameter which allows to explicitly
-  specify the curve to use.
-- Version 3.3.5 (released 2014-06-26)
-  * * libgnutls: Added gnutls_record_recv_packet() and gnutls_packet_deinit().
-  These functions provide a variant of gnutls_record_recv() that avoids
-  the final memcpy of data.
-  * * libgnutls: gnutls_x509_crl_iter_crt_serial() was added as a
-  faster variant of gnutls_x509_crl_get_crt_serial() when coping with
-  very large structures.
-  * * libgnutls: When the decoding of a printable DN element fails, then treat
-  it as unknown and print its hex value rather than failing. That works around
-  an issue in a TURKTRST root certificate which improperly encodes the
-  X520countryName element.
-  * * libgnutls: gnutls_x509_trust_list_add_trust_file() will return the number
-  of certificates present in a PKCS #11 token when loading it.
-  * * libgnutls: Allow the post client hello callback to put the handshake on
-  hold, by returning GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED.
-  * * certtool: option --to-p12 will now consider --load-ca-certificate
-  * * certtol: Added option to specify the PKCS #12 friendly name on command line.
-  * * p11tool: Allow marking a certificate copied to a token as a CA.
-- Version 3.3.4 (released 2014-05-31)
-  * * libgnutls: Updated Andy Polyakov's assembly code. That prevents a
-  crash on certain CPUs.
-- Version 3.3.3 (released 2014-05-30)
-  * * libgnutls: Eliminated memory corruption issue in Server Hello parsing.
-  Issue reported by Joonas Kuorilehto of Codenomicon.
-  * * libgnutls: gnutls_global_set_mutex() was modified to operate with the
-  new initialization process.
-  * * libgnutls: Increased the maximum certificate size buffer
-  in the PKCS #11 subsystem.
-  * * libgnutls: Check the return code of getpwuid_r() instead of relying
-  on the result value. That avoids issue in certain systems, when using
-  tofu authentication and the home path cannot be determined. Issue reported
-  by Viktor Dukhovni.
-  * * libgnutls-dane: Improved dane_verify_session_crt(), which now attempts to
-  create a full chain. This addresses points from https://savannah.gnu.org/support/index.php?108552
-  * * gnutls-cli: --dane will only check the end certificate if PKIX validation
-  has been disabled.
-  * * gnutls-cli: --benchmark-soft-ciphers has been removed. That option cannot
-  be emulated with the implicit initialization of gnutls.
-  * * certtool: Allow multiple organizations and organizational unit names to
-  be specified in a template.
-  * * certtool: Warn when invalid configuration options are set to a template.
-  * * ocsptool: Include path in ocsp request. This resolves #108582
-  (https://savannah.gnu.org/support/?108582), reported by Matt McCutchen.
-- Version 3.3.2 (released 2014-05-06)
-  * * libgnutls: Added the 'very weak' certificate verification profile
-  that corresponds to 64-bit security level.
-  * * libgnutls: Corrected file descriptor leak on random generator
-  initialization.
-  * * libgnutls: Corrected file descriptor leak on PSK password file
-  reading. Issue identified using the Codenomicon TLS test suite.
-  * * libgnutls: Avoid deinitialization if initialization has failed.
-  * * libgnutls: null-terminate othername alternative names.
-  * * libgnutls: gnutls_x509_trust_list_get_issuer() will operate correctly
-  on a PKCS #11 trust list.
-  * * libgnutls: Several small bug fixes identified using valgrind and
-  the Codenomicon TLS test suite.
-  * * libgnutls-dane: Accept a certificate using DANE if there is at least one
-  entry that matches the certificate. Patch by simon [at] arlott.org.
-  * * libgnutls-guile: Fixed compilation issue.
-  * * certtool: Allow exporting a CRL on DER format.
-  * * certtool: The ECDSA keys generated by default use the SECP256R1 curve
-  which is supported more widely than the previously used SECP224R1.
-- Version 3.3.1 (released 2014-04-19)
-  * * libgnutls: Enforce more strict checks to heartbeat messages
-  concerning padding and payload. Suggested by Peter Dettman.
-  * * libgnutls: Allow decoding PKCS #8 files with ECC parameters
-  from openssl.
-  * * libgnutls: Several small bug fixes found by coverity.
-  * * libgnutls: The conditionally available self-test functions
-  were moved to self-test.h.
-  * * libgnutls: Fixed issue with the check of incoming data when two
-  different recv and send pointers have been specified. Reported and
-  investigated by JMRecio.
-  * * libgnutls: Fixed issue in the RSA-PSK key exchange, which would
-  result to illegal memory access if a server hint was provided. Reported
-  by André Klitzing.
-  * * libgnutls: Fixed client memory leak in the PSK key exchange, if a
-  server hint was provided.
-  * * libgnutls: Corrected the *get_*_othername_oid() functions.
-- Version 3.3.0 (released 2014-04-10)
-  * * libgnutls: The initialization of the library was moved to a
-  constructor. That is, gnutls_global_init() is no longer required
-  unless linking with a static library or a system that does not
-  support library constructors.
-  * * libgnutls: static libraries are not built by default.
-  * * libgnutls: PKCS #11 initialization is delayed to first usage.
-  That avoids long delays in gnutls initialization due to broken PKCS #11
-  modules.
-  * * libgnutls: The PKCS #11 subsystem is re-initialized "automatically"
-  on the first PKCS #11 API call after a fork.
-  * * libgnutls: certificate verification profiles were introduced
-  that can be specified as flags to verification functions. They
-  are enumerations in gnutls_certificate_verification_profiles_t
-  and can be converted to flags for use in a verification function
-  using GNUTLS_PROFILE_TO_VFLAGS().
-  * * libgnutls: Added the ability to read system-specific initial
-  keywords, if they are prefixed with '@'. That allows a compile-time
-  specified configuration file to be used to read pre-configured priority
-  strings from. That can be used to impose system specific policies.
-  * * libgnutls: Increased the default security level of priority
-  strings (NORMAL and PFS strings require at minimum a 1008 DH prime),
-  and set a verification profile by default.  The LEGACY keyword is
-  introduced to set the old defaults.
-  * * libgnutls: Added support for the name constraints PKIX extension.
-  Currently only DNS names and e-mails are supported (no URIs, IPs
-  or DNs).
-  * * libgnutls: Security parameter SEC_PARAM_NORMAL was renamed to
-  SEC_PARAM_MEDIUM to avoid confusion with the priority string NORMAL.
-  * * libgnutls: Added new API in x509-ext.h to handle X.509 extensions.
-  This API handles the X.509 extensions in isolation, allowing to parse
-  similarly formatted extensions stored in other structures.
-  * * libgnutls: When generating DSA keys the macro GNUTLS_SUBGROUP_TO_BITS
-  can be used to specify a particular subgroup as the number of bits in
-  gnutls_privkey_generate; e.g., GNUTLS_SUBGROUP_TO_BITS(2048, 256).
-  * * libgnutls: DH parameter generation is now delegated to nettle.
-  That unfortunately has the side-effect that DH parameters longer than
-  3072 bits, cannot be generated (not without a nettle update).
-  * * libgnutls: Separated nonce RNG from the main RNG. The nonce
-  random number generator is based on salsa20/12.
-  * * libgnutls: The buffer alignment provided to crypto backend is
-  enforced to be 16-byte aligned, when compiled with cryptodev
-  support. That allows certain cryptodev drivers to operate more
-  efficiently.
-  * * libgnutls: Return error when a public/private key pair that doesn't
-  match is set into a credentials structure.
-  * * libgnutls: Depend on p11-kit 0.20.0 or later.
-  * * libgnutls: The new padding (%NEW_PADDING) experimental TLS extension has
-  been removed. It was not approved by IETF.
-  * * libgnutls: The experimental xssl library is removed from the gnutls
-  distribution.
-  * * libgnutls: Reduced the number of gnulib modules used in the main library.
-  * * libgnutls: Added priority string %DISABLE_WILDCARDS.
-  * * libgnutls: Added the more extensible verification function
-  gnutls_certificate_verify_peers(), that allows checking, in addition
-  to a peer's DNS hostname, for the key purpose of the end certificate
-  (via PKIX extended key usage).
-  * * certtool: Timestamps for serial numbers were increased to 8 bytes,
-  and in batch mode to 12 (appended with 4 random bytes).
-  * * certtool: When no CRL number is provided (or value set to -1), then
-  a time-based number will be used, similarly to the serial generation
-  number in certificates.
-  * * certtool: Print the SHA256 fingerprint of a certificate in addition
-  to SHA1.
-  * * libgnutls: Added --enable-fips140-mode configuration option (unsupported).
-  That option enables (when running on FIPS140-enabled system):
-  o RSA, DSA and DH key generation as in FIPS-186-4 (using provable primes)
-  o The DRBG-CTR-AES256 deterministic random generator from SP800-90A.
-  o Self-tests on initialization on ciphers/MACs, public key algorithms
-    and the random generator.
-  o HMAC-SHA256 verification of the library on load.
-  o MD5 is included for TLS purposes but cannot be used by the high level
-    hashing functions.
-  o All ciphers except AES are disabled.
-  o All MACs and hashes except GCM and SHA are disabled (e.g., HMAC-MD5).
-  o All keys (temporal and long term) are zeroized after use.
-  o Security levels are adjusted to the FIPS140-2 recommendations (rather
-    than ECRYPT).
-
-- build with PIE for commandline tools
-
-- Updated to 3.2.21 (released 2014-12-11)
-  - libgnutls: Corrected regression introduced in 3.2.19 related to
-    session renegotiation. Reported by Dan Winship.
-  - libgnutls: Corrected parsing issue with OCSP responses.
-
-- Updated to 3.2.20 (released 2014-11-10)
-  * * libgnutls: Removed superfluous random generator refresh on every
-    call of gnutls_deinit(). That reduces load and usage of /dev/urandom.
-  * * libgnutls: Corrected issue in export of ECC parameters to X9.63
-    format.  Reported by Sean Burford [GNUTLS-SA-2014-5].
-  (CVE-2014-8564 bnc#904603)
-- Updated to 3.2.19 (released 2014-10-13)
-  * * libgnutls: Fixes in the transparent import of PKCS #11 certificates.
-    Reported by Joseph Peruski.
-  * * libgnutls: Fixed issue with unexpected non-fatal errors resetting the
-    handshake's hash buffer, in applications using the heartbeat extension
-    or DTLS. Reported by Joeri de Ruiter.
-  * * libgnutls: fix issue in DTLS retransmission when session tickets were
-    in use; reported by Manuel Pégourié-Gonnard.
-  * * libgnutls: Prevent abort() in library if getrusage() fails. Try to
-    detect instead which of RUSAGE_THREAD and RUSAGE_SELF would work.
-  * * guile: new 'set-session-server-name!' procedure; see the manual
-    for details.
-
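Review bot: The removed 3.2.20 entry carries the only CVE reference in these dropped lines (CVE-2014-8564, bnc#904603, GNUTLS-SA-2014-5 for the X9.63 ECC export fix), so after this change a changelog search for that CVE on the installed package will find nothing. If the history trim is intentional, confirm that patch-level audits for this package are driven by advisory metadata and not by the rpm changelog. The same applies to the memory-safety fixes listed here without identifiers (the CRL distribution points double free, the DTLS 0.9 stack overflow, the Server Hello memory corruption).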
graphite2
+- fixed license string [bsc#1207676]:
+  LGPL-2.1-or-later OR MPL-2.0 OR GPL-2.0-or-later
+
-- Remove harfbuzz dep. Breaks another buildcycle.
-  This effectively means we are not running tests. No functional
-  changes otherwise.
-
-- Remove texlive dep to remove dep circle.
-
-- Use rpath so the tests work.
-
-- Enable the tests. They work on 13.1 but fail on Factory...
-
-- Version bump to 1.2.4:
-  * Various bugfixes
-  * Expanded testsuite
-- Remove graphite2-arm.patch - applied upstream
-- Add patches from debian:
-  * soname.diff
-  * no-specific-nunit-version.diff
-- Run^Wdocument tests and generate documentation
-
-- Use cmake macros for nice and tidy setup.
-
-- Add baselibs.conf and provide libgraphite2-3-32bit, which is at
-  this moment required by harfbuzz.
-
-- graphite2-arm.patch :Fix build in arm and possible other platforms, we should
-  notuse -nodefaultlibs as a linker flag and let the system
-  do its job automatically.
-- freetype-devel should be freetype2-devel
-
-- license update: LGPL-2.1+ or GPL-2.0+ or MPL-1.1
-  See License file (most source code notices concur)
-
-- Whitespace trying to figure out why spec file is interpreted as
-  binary.
-
-- Fix desc not to mention libexttextcat.
-
-- Initial commit version 1.2.0.
-
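Review bot: The new license string lists MPL-2.0, while the older entry removed in this same block records "LGPL-2.1+ or GPL-2.0+ or MPL-1.1". Please confirm the MPL version against the License file the old entry points to, since the new entry gives only bsc#1207676 and no reason for the version change.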
hugin
+- Update to 2022.0.0:
+  https://hugin.sourceforge.io/releases/2022.0.0/en.shtml
+- Remove xdg-data.patch (accepted upstream)
+
kernel-default
+- aquantia: Do not purge addresses when setting the number of
+  rings (jsc#PED-1530).
+- commit 39a03b2
+
+- net: atlantic: macsec: clear encryption keys from the stack
+  (jsc#PED-1530).
+- commit 643f719
+
+- atlantic: fix deadlock at aq_nic_stop (jsc#PED-1530).
+- commit 4a9a64f
+
+- net: atlantic: fix potential memory leak in aq_ndev_close()
+  (jsc#PED-1530).
+- commit 719db2f
+
+- net: atlantic: remove aq_nic_deinit() when resume
+  (jsc#PED-1530).
+- commit ff2f581
+
+- net: atlantic: remove deep parameter on suspend/resume functions
+  (jsc#PED-1530).
+- commit 9e96b4d
+
+- net: atlantic:fix repeated words in comments (jsc#PED-1530).
+- commit d6d4ffb
+
+- net: atlantic: verify hw_head_ lies within TX buffer ring
+  (jsc#PED-1530).
+- commit 7059ede
+
+- net: atlantic: add check for MAX_SKB_FRAGS (jsc#PED-1530).
+- commit e719b81
+
+- net: atlantic: reduce scope of is_rsc_complete (jsc#PED-1530).
+- commit b04c254
+
+- net: atlantic: fix "frag[0] not initialized" (jsc#PED-1530).
+- commit 0263576
+
+- Update
+  patches.suse/net-sched-cbq-dont-intepret-cls-results-when-asked-t.patch
+  (bsc#1207361 bsc#1207036 CVE-2023-23454).
+- commit 521fdca
+
+- Update
+  patches.suse/net-sched-atm-dont-intepret-cls-results-when-asked-t.patch
+  (bsc#1207361 bc#1207125 CVE-2023-23455).
+- commit c8b6243
+
+- io_uring/poll: fix poll_refs race with cancelation (bsc#1207511
+  CVE-2023-0468).
+- io_uring: make poll refs more robust (bsc#1207511
+  CVE-2023-0468).
+- io_uring: cmpxchg for poll arm refs release (bsc#1207511
+  CVE-2023-0468).
+- io_uring: fix tw losing poll events (bsc#1207511 CVE-2023-0468).
+- io_uring: update res mask in io_poll_check_events (bsc#1207511
+  CVE-2023-0468).
+- commit 4fe9bfe
+
+- io_uring: pass in EPOLL_URING_WAKE for eventfd signaling and
+  wakeups (bsc#1207100).
+- eventfd: provide a eventfd_signal_mask() helper (bsc#1207100).
+- eventpoll: add EPOLL_URING_WAKE poll wakeup flag (bsc#1207100).
+- commit 9e5a117
+
+- fbdev: Fix invalid page access after closing deferred I/O
+  devices (bsc#1207284).
+- commit 6a8d940
+
+- ipmi:ssif: Add 60ms time internal between write retries
+  (bsc#1206459).
+- ipmi:ssif: Increase the message retry time (bsc#1206459).
+- commit 14626c0
+
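Review bot: In the net-sched-atm patch entry the second reference reads "bc#1207125", while every other Bugzilla reference in this changelog uses the "bsc#" prefix, so tooling that matches on bsc# will not link this entry to that bug. It looks like a typo for bsc#1207125 and should be corrected in the changelog source. The same entry is repeated under kernel-kvmsmall.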
kernel-kvmsmall
+- aquantia: Do not purge addresses when setting the number of
+  rings (jsc#PED-1530).
+- commit 39a03b2
+
+- net: atlantic: macsec: clear encryption keys from the stack
+  (jsc#PED-1530).
+- commit 643f719
+
+- atlantic: fix deadlock at aq_nic_stop (jsc#PED-1530).
+- commit 4a9a64f
+
+- net: atlantic: fix potential memory leak in aq_ndev_close()
+  (jsc#PED-1530).
+- commit 719db2f
+
+- net: atlantic: remove aq_nic_deinit() when resume
+  (jsc#PED-1530).
+- commit ff2f581
+
+- net: atlantic: remove deep parameter on suspend/resume functions
+  (jsc#PED-1530).
+- commit 9e96b4d
+
+- net: atlantic:fix repeated words in comments (jsc#PED-1530).
+- commit d6d4ffb
+
+- net: atlantic: verify hw_head_ lies within TX buffer ring
+  (jsc#PED-1530).
+- commit 7059ede
+
+- net: atlantic: add check for MAX_SKB_FRAGS (jsc#PED-1530).
+- commit e719b81
+
+- net: atlantic: reduce scope of is_rsc_complete (jsc#PED-1530).
+- commit b04c254
+
+- net: atlantic: fix "frag[0] not initialized" (jsc#PED-1530).
+- commit 0263576
+
+- Update
+  patches.suse/net-sched-cbq-dont-intepret-cls-results-when-asked-t.patch
+  (bsc#1207361 bsc#1207036 CVE-2023-23454).
+- commit 521fdca
+
+- Update
+  patches.suse/net-sched-atm-dont-intepret-cls-results-when-asked-t.patch
+  (bsc#1207361 bc#1207125 CVE-2023-23455).
+- commit c8b6243
+
+- io_uring/poll: fix poll_refs race with cancelation (bsc#1207511
+  CVE-2023-0468).
+- io_uring: make poll refs more robust (bsc#1207511
+  CVE-2023-0468).
+- io_uring: cmpxchg for poll arm refs release (bsc#1207511
+  CVE-2023-0468).
+- io_uring: fix tw losing poll events (bsc#1207511 CVE-2023-0468).
+- io_uring: update res mask in io_poll_check_events (bsc#1207511
+  CVE-2023-0468).
+- commit 4fe9bfe
+
+- io_uring: pass in EPOLL_URING_WAKE for eventfd signaling and
+  wakeups (bsc#1207100).
+- eventfd: provide a eventfd_signal_mask() helper (bsc#1207100).
+- eventpoll: add EPOLL_URING_WAKE poll wakeup flag (bsc#1207100).
+- commit 9e5a117
+
+- fbdev: Fix invalid page access after closing deferred I/O
+  devices (bsc#1207284).
+- commit 6a8d940
+
+- ipmi:ssif: Add 60ms time internal between write retries
+  (bsc#1206459).
+- ipmi:ssif: Increase the message retry time (bsc#1206459).
+- commit 14626c0
+
keyutils
+- Add /etc/keys/ and /usr/etc/keys/ directory (bsc#1187654)
+
+- adjust the library license to be LPGL-2.1+ only (the tools are GPL2+,
+  the library is just LGPL-2.1+) (bsc#1180603)
+
+- update to 1.6.3:
+  * Revert the change notifications that were using /dev/watch_queue.
+  * Apply the change notifications that use pipe2(O_NOTIFICATION_PIPE).
+  * Allow "keyctl supports" to retrieve raw capability data.
+  * Allow "keyctl id" to turn a symbolic key ID into a numeric ID.
+  * Allow "keyctl new_session" to name the keyring.
+  * Allow "keyctl add/padd/etc." to take hex-encoded data.
+  * Add "keyctl watch*" to expose kernel change notifications on keys.
+  * Add caps for namespacing and notifications.
+  * Set a default TTL on keys that upcall for name resolution.
+  * Explicitly clear memory after it's held sensitive information.
+  * Various manual page fixes.
+  * Fix C++-related errors.
+  * Add support for keyctl_move().
+  * Add support for keyctl_capabilities().
+  * Make key=val list optional for various public-key ops.
+  * Fix system call signature for KEYCTL_PKEY_QUERY.
+  * Fix 'keyctl pkey_query' argument passing.
+  * Use keyctl_read_alloc() in dump_key_tree_aux().
+  * Various manual page fixes.
+- spec-cleaner run (fixup failing homepage url)
+
+- prepare usrmerge (boo#1029961)
+
+- updated to 1.6
+  - Apply various specfile cleanups from Fedora.
+  - request-key: Provide a command line option to suppress helper execution.
+  - request-key: Find least-wildcard match rather than first match.
+  - Remove the dependency on MIT Kerberos.
+  - Fix some error messages
+  - keyctl_dh_compute.3: Suggest /proc/crypto for list of available hashes.
+  - Fix doc and comment typos.
+  - Add public key ops for encrypt, decrypt, sign and verify (needs linux-4.20).
+  - Add pkg-config support for finding libkeyutils.
+- upstream isn't offering PGP signatures for the source tarballs anymore
+
+- Replace krb5-devel BuildRequires with pkgconfig(krb5): Allow OBS
+  to shortcut the ring0 bootstrap cycle by also using krb5-mini.
+
+- add upstream signing key and verify source signature
+
+- updated to 1.5.11 (bsc#1113013)
+  - Add keyring restriction support.
+  - Add KDF support to the Diffie-Hellman function.
+  - DNS: Add support for AFS config files and SRV records
+
+- Use %license (boo#1082318)
+
+- add keyutils-devel for baselibs, to allow biarch LTP builds.
+  (bsc#1061591)
+
+- updated to 1.5.10
+  - added "dh_compute" callback
+  - manpage improvements
+
+- move binaries from /bin to /usr/bin (bsc#1029969)
+- keyutils-usr-move.patch: also adjust the request-key.conf file
+
+- keyutils-nodate.patch: avoid including the timestamp. bsc#916180
+
krb5
+- Fix integer overflows in PAC parsing; (CVE-2022-42898);
+  (bso#15203), (bsc#1205126).
+- Added patches:
+  * 0010-Fix-integer-overflows-in-PAC-parsing.patch
+
+- Update to 1.19.2
+  * Fix a denial of service attack against the KDC encrypted challenge
+    code; (CVE-2021-36222);
+  * Fix a memory leak when gss_inquire_cred() is called without a
+    credential handle.
+- Changes from 1.19.1
+  * Fix a linking issue with Samba.
+  * Better support multiple pkinit_identities values by checking whether
+    certificates can be loaded for each value.
+- Changes from 1.19
+  Administrator experience
+  * When a client keytab is present, the GSSAPI krb5 mech will refresh
+    credentials even if the current credentials were acquired manually.
+  * It is now harder to accidentally delete the K/M entry from a KDB.
+  Developer experience
+  * gss_acquire_cred_from() now supports the "password" and "verify"
+    options, allowing credentials to be acquired via password and
+    verified using a keytab key.
+  * When an application accepts a GSS security context, the new
+    GSS_C_CHANNEL_BOUND_FLAG will be set if the initiator and acceptor
+    both provided matching channel bindings.
+  * Added the GSS_KRB5_NT_X509_CERT name type, allowing S4U2Self requests
+    to identify the desired client principal by certificate.
+  * PKINIT certauth modules can now cause the hw-authent flag to be set
+    in issued tickets.
+  * The krb5_init_creds_step() API will now issue the same password
+    expiration warnings as krb5_get_init_creds_password().
+  Protocol evolution
+  * Added client and KDC support for Microsoft's Resource-Based Constrained
+    Delegation, which allows cross-realm S4U2Proxy requests. A third-party
+    database module is required for KDC support.
+  * kadmin/admin is now the preferred server principal name for kadmin
+    connections, and the host-based form is no longer created by default.
+    The client will still try the host-based form as a fallback.
+  * Added client and server support for Microsoft's KERB_AP_OPTIONS_CBT
+    extension, which causes channel bindings to be required for the
+    initiator if the acceptor provided them. The client will send this
+    option if the client_aware_gss_bindings profile option is set.
+  User experience
+  * kinit will now issue a warning if the des3-cbc-sha1 encryption type is
+    used in the reply. This encryption type will be deprecated and removed
+    in future releases.
+  * Added kvno flags --out-cache, --no-store, and --cached-only
+    (inspired by Heimdal's kgetcred).
+- Changes from 1.18.3
+  * Fix a denial of service vulnerability when decoding Kerberos
+    protocol messages.
+  * Fix a locking issue with the LMDB KDB module which could cause
+    KDC and kadmind processes to lose access to the database.
+  * Fix an assertion failure when libgssapi_krb5 is repeatedly loaded
+    and unloaded while libkrb5support remains loaded.
+- Changes from 1.18.2
+  * Fix a SPNEGO regression where an acceptor using the default credential
+    would improperly filter mechanisms, causing a negotiation failure.
+  * Fix a bug where the KDC would fail to issue tickets if the local krbtgt
+    principal's first key has a single-DES enctype.
+  * Add stub functions to allow old versions of OpenSSL libcrypto to link
+    against libkrb5.
+  * Fix a NegoEx bug where the client name and delegated credential might
+    not be reported.
+- Changes from 1.18.1
+  * Fix a crash when qualifying short hostnames when the system has
+    no primary DNS domain.
+  * Fix a regression when an application imports "service@" as a GSS
+    host-based name for its acceptor credential handle.
+  * Fix KDC enforcement of auth indicators when they are modified by
+    the KDB module.
+  * Fix removal of require_auth string attributes when the LDAP KDB
+    module is used.
+  * Fix a compile error when building with musl libc on Linux.
+  * Fix a compile error when building with gcc 4.x.
+  * Change the KDC constrained delegation precedence order for consistency
+    with Windows KDCs.
+- Changes from 1.18
+  Administrator experience:
+  * Remove support for single-DES encryption types.
+  * Change the replay cache format to be more efficient and robust.
+    Replay cache filenames using the new format end with ".rcache2"
+    by default.
+  * setuid programs will automatically ignore environment variables
+    that normally affect krb5 API functions, even if the caller does
+    not use krb5_init_secure_context().
+  * Add an "enforce_ok_as_delegate" krb5.conf relation to disable
+    credential forwarding during GSSAPI authentication unless the KDC
+    sets the ok-as-delegate bit in the service ticket.
+  * Use the permitted_enctypes krb5.conf setting as the default value
+    for default_tkt_enctypes and default_tgs_enctypes.
+  Developer experience:
+  * Implement krb5_cc_remove_cred() for all credential cache types.
+  * Add the krb5_pac_get_client_info() API to get the client account
+    name from a PAC.
+  Protocol evolution:
+  * Add KDC support for S4U2Self requests where the user is identified
+    by X.509 certificate. (Requires support for certificate lookup from
+    a third-party KDB module.)
+  * Remove support for an old ("draft 9") variant of PKINIT.
+  * Add support for Microsoft NegoEx. (Requires one or more third-party
+    GSS modules implementing NegoEx mechanisms.)
+  User experience:
+  * Add support for "dns_canonicalize_hostname=fallback", causing
+    host-based principal names to be tried first without DNS
+    canonicalization, and again with DNS canonicalization if the
+    un-canonicalized server is not found.
+  * Expand single-component hostnames in host-based principal names
+    when DNS canonicalization is not used, adding the system's first DNS
+    search path as a suffix. Add a "qualify_shortname" krb5.conf relation
+    to override this suffix or disable expansion.
+  * Honor the transited-policy-checked ticket flag on application servers,
+    eliminating the requirement to configure capaths on servers in some
+    scenarios.
+  Code quality:
+  * The libkrb5 serialization code (used to export and import krb5 GSS
+    security contexts) has been simplified and made type-safe.
+  * The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED
+    messages has been revised to conform to current coding practices.
+  * The test suite has been modified to work with macOS System Integrity
+    Protection enabled.
+  * The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support
+    can always be tested.
+- Changes from 1.17.1
+  * Fix a bug preventing "addprinc -randkey -kvno" from working in kadmin.
+  * Fix a bug preventing time skew correction from working when a KCM
+    credential cache is used.
+- Changes from 1.17:
+  Administrator experience:
+  * A new Kerberos database module using the Lightning Memory-Mapped
+    Database library (LMDB) has been added.  The LMDB KDB module should
+    be more performant and more robust than the DB2 module, and may
+    become the default module for new databases in a future release.
+  * "kdb5_util dump" will no longer dump policy entries when specific
+    principal names are requested.
+  Developer experience:
+  * The new krb5_get_etype_info() API can be used to retrieve enctype,
+    salt, and string-to-key parameters from the KDC for a client
+    principal.
+  * The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
+    principal names to be used with GSS-API functions.
+  * KDC and kadmind modules which call com_err() will now write to the
+    log file in a format more consistent with other log messages.
+  * Programs which use large numbers of memory credential caches should
+    perform better.
+  Protocol evolution:
+  * The SPAKE pre-authentication mechanism is now supported.  This
+    mechanism protects against password dictionary attacks without
+    requiring any additional infrastructure such as certificates.  SPAKE
+    is enabled by default on clients, but must be manually enabled on
+    the KDC for this release.
+  * PKINIT freshness tokens are now supported.  Freshness tokens can
+    protect against scenarios where an attacker uses temporary access to
+    a smart card to generate authentication requests for the future.
+  * Password change operations now prefer TCP over UDP, to avoid
+    spurious error messages about replays when a response packet is
+    dropped.
+  * The KDC now supports cross-realm S4U2Self requests when used with a
+    third-party KDB module such as Samba's.  The client code for
+    cross-realm S4U2Self requests is also now more robust.
+  User experience:
+  * The new ktutil addent -f flag can be used to fetch salt information
+    from the KDC for password-based keys.
+  * The new kdestroy -p option can be used to destroy a credential cache
+    within a collection by client principal name.
+  * The Kerberos man page has been restored, and documents the
+    environment variables that affect programs using the Kerberos
+    library.
+  Code quality:
+  * Python test scripts now use Python 3.
+  * Python test scripts now display markers in verbose output, making it
+    easier to find where a failure occurred within the scripts.
+  * The Windows build system has been simplified and updated to work
+    with more recent versions of Visual Studio.  A large volume of
+    unused Windows-specific code has been removed.  Visual Studio 2013
+    or later is now required.
+- Replace old $RPM_* shell vars
+- Removal of SuSEfirewall2 service since SuSEfirewall2 has been replaced
+  by firewalld
+- Remove cruft to support distributions older than SLE 12
+- Use macros where applicable
+- Switch to pkgconfig style dependencies
+- Use %_tmpfilesdir instead of the wrong %_libexecdir/tmpfiles.d
+  notation: libexecdir is likely changing away from /usr/lib to
+  /usr/libexec
+- Build with full Cyrus SASL support. Negotiating SASL credentials with
+  an EXTERNAL bind mechanism requires interaction. Kerberos provides its
+  own interaction function that skips all interaction, thus preventing the
+  mechanism from working.
+- Removed patches:
+  * 0007-krb5-1.12-ksu-path.patch
+  * 0010-Add-recursion-limit-for-ASN.1-indefinite-lengths.patch
+  * 0011-Fix-KDC-null-deref-on-bad-encrypted-challenge.patch
+- Renamed patches:
+  * 0001-krb5-1.12-pam.patch => 0001-ksu-pam-integration.patch
+  * 0003-krb5-1.12-buildconf.patch => 0003-Adjust-build-configuration.patch
+  * 0008-krb5-1.12-selinux-label.patch => 0007-SELinux-integration.patch
+  * 0009-krb5-1.9-debuginfo.patch => 0008-krb5-1.9-debuginfo.patch
+  * 0012-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch =>
+    0009-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
+
+- Fix KDC null pointer dereference via a FAST inner body that
+  lacks a server field; (CVE-2021-37750); (bsc#1189929);
+- Added patches:
+  * 0012-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
+
+- Fix KDC null deref on bad encrypted challenge; (CVE-2021-36222);
+  (bsc#1188571);
+- Added patches:
+  * 0011-Fix-KDC-null-deref-on-bad-encrypted-challenge.patch
+
+- Use /run instead of /var/run for daemon PID files; (bsc#1185163);
+
+- Add recursion limit for ASN.1 indefinite lengths; (CVE-2020-28196);
+  (bsc#1178512);
+- Added patches:
+  * 0010-Add-recursion-limit-for-ASN.1-indefinite-lengths.patch
+
+- Fix prefix reported by krb5-config, libraries and headers are not
+  installed under /usr/lib/mit prefix. (bsc#1174079)
+
+- Update logrotate script, call systemd to reload the services
+  instead of init-scripts. (boo#1169357)
+
+- Integrate pam_keyinit pam module, ksu-pam.d; (bsc#1081947);
+  (bsc#1144047);
+
+- Move LDAP schema files from /usr/share/doc/packages/krb5 to
+  /usr/share/kerberos/ldap; (bsc#1134217);
+
+- Upgrade to 1.16.3
+  * Fix a regression in the MEMORY credential cache type which could cause
+    client programs to crash.
+  * MEMORY credential caches will not be listed in the global collection,
+    with the exception of the default credential cache if it is of type MEMORY.
+  * Remove an incorrect assertion in the KDC which could be used to cause
+    a crash [CVE-2018-20217].
+  * Fix bugs with concurrent use of MEMORY ccache handles.
+  * Fix a KDC crash when falling back between multiple OTP tokens configured
+    for a principal entry.
+  * Fix memory bugs when gss_add_cred() is used to create a new credential,
+    and fix a bug where it ignores the desired_name.
+  * Fix the behavior of gss_inquire_cred_by_mech() when the credential does
+    not contain an element of the requested mechanism.
+  * Make cross-realm S4U2Self requests work on the client when no
+    default_realm is configured.
+  * Add a kerberos(7) man page containing documentation of the environment
+    variables that affect Kerberos programs.
+- Use systemd-tmpfiles to create files under /var/lib/kerberos, required
+  by transactional updates; (bsc#1100126);
+- Rename patches:
+  * krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch
+  * krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch
+  * krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch
+  * krb5-1.6.3-gssapi_improve_errormessages.dif to
+    0004-krb5-1.6.3-gssapi_improve_errormessages.patch
+  * krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch
+  * krb5-1.12-api.patch => 0006-krb5-1.12-api.patch
+  * krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch
+  * krb5-1.12-selinux-label.patch =>  0008-krb5-1.12-selinux-label.patch
+  * krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch
+
+- Upgrade to 1.16.1
+  * kdc client cert matching on client principal entry
+  * Allow ktutil addent command to ignore key version and use
+    non-default salt string.
+  * add kpropd pidfile support
+  * enable "encrypted_challenge_indicator" realm option on tickets
+    obtained using FAST encrypted challenge pre-authentication.
+  * dates through 2106 accepted
+  * KDC support for trivially renewable tickets
+  * stop caching referral and alternate cross-realm TGTs to prevent
+    duplicate credential cache entries
+
+- BSC#1021402 move %{_libdir}/krb5/plugins/tls/k5tls.so to krb5 package
+  so it is available for krb5-client as well.
+
+- Upgrade to 1.15.3
+  * Fix flaws in LDAP DN checking, including a null dereference KDC
+    crash which could be triggered by kadmin clients with administrative
+    privileges [CVE-2018-5729, CVE-2018-5730].
+  * Fix a KDC PKINIT memory leak.
+  * Fix a small KDC memory leak on transited or authdata errors when
+    processing TGS requests.
+  * Fix a null dereference when the KDC sends a large TGS reply.
+  * Fix "kdestroy -A" with the KCM credential cache type.
+  * Fix the handling of capaths "." values.
+  * Fix handling of repeated subsection specifications in profile files
+    (such as when multiple included files specify relations in the same
+    subsection).
+
+- Added support for /etc/krb5.conf.d/ for configuration snippets
+
+- Replace references to /var/adm/fillup-templates with new
+  %_fillupdir macro (boo#1069468)
+
+- Remove build dependency doxygen, python-Cheetah, python-Sphinx,
+  python-libxml2, python-lxml, most of which are python 2 programs.
+  Consequently remove -doc subpackage. Users are encouraged to use
+  online documentation. (bsc#1066461)
+
+- Update package descriptions.
+
+- Upgrade to 1.15.2
+  * Fix a KDC denial of service vulnerability caused by unset status
+    strings [CVE-2017-11368]
+  * Preserve GSS contexts on init/accept failure [CVE-2017-11462]
+  * Fix kadm5 setkey operation with LDAP KDB module
+  * Use a ten-second timeout after successful connection for HTTPS KDC
+    requests, as we do for TCP requests
+  * Fix client null dereference when KDC offers encrypted challenge
+    without FAST
+  * Ignore dotfiles when processing profile includedir directive
+  * Improve documentation
+
+- Set "rdns" and "dns_canonicalize_hostname" to false in krb5.conf
+  in order to improve client security in handling service principal
+  names. (bsc#1054028)
+
+- Prevent kadmind.service startup failure caused by absence of
+  LDAP service. (bsc#903543)
+
+- There is no change made about the package itself, this is only
+  copying over some changelog texts from SLE package:
+- bug#918595 owned by varkoly@suse.com: VUL-0: CVE-2014-5355
+  krb5: denial of service in krb5_read_message
+- bug#912002 owned by varkoly@suse.com: VUL-0
+  CVE-2014-5352, CVE-2014-9421, CVE-2014-9422, CVE-2014-9423:
+  krb5: Vulnerabilities in kadmind, libgssrpc, gss_process_context_token
+- bug#910458 owned by varkoly@suse.com: VUL-1
+  CVE-2014-5354: krb5: NULL pointer dereference when using keyless entries
+- bug#928978 owned by varkoly@suse.com: VUL-0
+  CVE-2015-2694: krb5: issues in OTP and PKINIT kdcpreauth modules leading
+  to requires_preauth bypass
+- bug#910457 owned by varkoly@suse.com: VUL-1
+  CVE-2014-5353: krb5: NULL pointer dereference when using a ticket policy
+  name as a password policy name
+- bug#991088 owned by hguo@suse.com: VUL-1
+  CVE-2016-3120: krb5: S4U2Self KDC crash when anon is restricted
+- bug#992853 owned by hguo@suse.com: krb5: bogus prerequires
+- [fate#320326](https://fate.suse.com/320326)
+- bug#982313 owned by pgajdos@suse.com: Doxygen unable to resolve reference
+  from \cite
+
+- Remove wrong PreRequires from krb5
+
+- use HTTPS project and source URLs
+
+- use source urls.
+- krb5.keyring: Added Greg Hudson
+
+- removed obsolete krb5-1.15-fix_kdb_free_principal_e_data.patch
+- Upgrade to 1.15.1
+  * Allow KDB modules to determine how the e_data field of principal
+    fields is freed
+  * Fix udp_preference_limit when the KDC location is configured with
+    SRV records
+  * Fix KDC and kadmind startup on some IPv4-only systems
+  * Fix the processing of PKINIT certificate matching rules which have
+    two components and no explicit relation
+  * Improve documentation
+
+- remove useless environment.pickle to make build-compare happy
+
+- Introduce patch
+  krb5-1.15-fix_kdb_free_principal_e_data.patch
+  to fix freeing of e_data in the kdb principal
+
+- Upgrade to 1.15
+- obsoleted Patch7 (krb5-1.7-doublelog.patch) fixed in 1.12.2
+- obsoleted patch to src/util/gss-kernel-lib/Makefile.in since
+  file is not available in upstream source anymore
+- obsoleted Patch15 (krb5-fix_interposer.patch) fixed in 1.15
+- Upgrade from 1.14.4 to 1.15 - major changes:
+  Administrator experience:
+  * Add support to kadmin for remote extraction of current keys without
+    changing them (requires a special kadmin permission that is excluded
+    from the wildcard permission), with the exception of highly
+    protected keys.
+  * Add a lockdown_keys principal attribute to prevent retrieval of the
+    principal's keys (old or new) via the kadmin protocol.  In newly
+    created databases, this attribute is set on the krbtgt and kadmin
+    principals.
+  * Restore recursive dump capability for DB2 back end, so sites can
+    more easily recover from database corruption resulting from power
+    failure events.
+  * Add DNS auto-discovery of KDC and kpasswd servers from URI records,
+  in addition to SRV records.  URI records can convey TCP and UDP
+  servers and master KDC status in a single DNS lookup, and can also
+  point to HTTPS proxy servers.
+  * Add support for password history to the LDAP back end.
+  * Add support for principal renaming to the LDAP back end.
+  * Use the getrandom system call on supported Linux kernels to avoid
+    blocking problems when getting entropy from the operating system.
+  * In the PKINIT client, use the correct DigestInfo encoding for PKCS
+    #1 signatures, so that some especially strict smart cards will work.
+  Code quality:
+  * Clean up numerous compilation warnings.
+  * Remove various infrequently built modules, including some preauth
+    modules that were not built by default.
+  Developer experience:
+  * Add support for building with OpenSSL 1.1.
+  * Use SHA-256 instead of MD5 for (non-cryptographic) hashing of
+    authenticators in the replay cache.  This helps sites that must
+    build with FIPS 140 conformant libraries that lack MD5.
+  Protocol evolution:
+  * Add support for the AES-SHA2 enctypes, which allows sites to conform
+    to Suite B crypto requirements.
+- Upgrade from 1.14.3 to 1.14.4 - major changes:
+  * Fix some rare btree data corruption bugs
+  * Fix numerous minor memory leaks
+  * Improve portability (Linux-ppc64el, FreeBSD)
+  * Improve some error messages
+  * Improve documentation
+
+- add pam configuration file required for ksu
+  just use a copy of "su" one from Tumbleweed
+
+- Upgrade from 1.14.2 to 1.14.3:
+  * Improve some error messages
+  * Improve documentation
+  * Allow a principal with nonexistent policy to bypass the minimum
+    password lifetime check, consistent with other aspects of
+    nonexistent policies
+  * Fix a rare KDC denial of service vulnerability when anonymous client
+    principals are restricted to obtaining TGTs only [CVE-2016-3120]
+
+- Remove comments breaking post scripts.
+
+- Do not use systemd_requires macros in main package, it adds
+  unneeded dependencies which pulls systemd into minimal chroot.
+- Only call %insserv_prereq when building for pre-systemd
+  distributions.
+- Optimise some %post/%postun when only /sbin/ldconfig is called.
+
+- Remove source file ccapi/common/win/OldCC/autolock.hxx
+  that is not needed and does not carry an acceptable license.
+  (bsc#968111)
+
+- removed obsolete patches:
+  * 0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
+  * krb5-mechglue_inqure_attrs.patch
+- Upgrade from 1.14.1 to 1.14.2:
+  * Fix a moderate-severity vulnerability in the LDAP KDC back end that
+    could be exploited by a privileged kadmin user [CVE-2016-3119]
+  * Improve documentation
+  * Fix some interactions with GSSAPI interposer mechanisms
+
+- Upgrade from 1.14 to 1.14.1:
+  * Remove expired patches:
+    0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch
+    0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch
+    0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch
+    krbdev.mit.edu-8301.patch
+  * Replace source archives:
+    krb5-1.14.tar.gz ->
+    krb5-1.14.1.tar.gz
+    krb5-1.14.tar.gz.asc ->
+    krb5-1.14.1.tar.gz.asc
+  * Adjust line numbers in:
+    krb5-fix_interposer.patch
+
+- Introduce patch
+  0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
+  to fix CVE-2016-3119 (bsc#971942)
+
+- Remove krb5-mini pieces from spec file.
+  Hence remove pre_checkin.sh
+- Remove expired macros and other minor clean-ups in spec file.
+
+- Fix CVE-2015-8629: krb5: xdr_nullstring() doesn't check for terminating null character
+  with patch 0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch
+  (bsc#963968)
+- Fix CVE-2015-8631: krb5: Memory leak caused by supplying a null principal name in request
+  with patch 0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch
+  (bsc#963975)
+- Fix CVE-2015-8630: krb5: krb5 doesn't check for null policy when KADM5_POLICY is set in the mask
+  with patch 0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch
+  (bsc#963964)
+
+- Add two patches from Fedora, fixing two crashes:
+  * krb5-fix_interposer.patch
+  * krb5-mechglue_inqure_attrs.patch
+
+- Update to 1.14
+- dropped krb5-kvno-230379.patch
+- added krbdev.mit.edu-8301.patch fixing wrong function call
+  Major changes in 1.14 (2015-11-20)
+  Administrator experience:
+  * Add a new kdb5_util tabdump command to provide reporting-friendly
+  tabular dump formats (tab-separated or CSV) for the KDC database.
+  Unlike the normal dump format, each output table has a fixed number
+  of fields.  Some tables include human-readable forms of data that
+  are opaque in ordinary dump files.  This format is also suitable for
+  importing into relational databases for complex queries.
+  * Add support to kadmin and kadmin.local for specifying a single
+  command line following any global options, where the command
+  arguments are split by the shell--for example, "kadmin getprinc
+  principalname".  Commands issued this way do not prompt for
+  confirmation or display warning messages, and exit with non-zero
+  status if the operation fails.
+  * Accept the same principal flag names in kadmin as we do for the
+  default_principal_flags kdc.conf variable, and vice versa.  Also
+  accept flag specifiers in the form that kadmin prints, as well as
+  hexadecimal numbers.
+  * Remove the triple-DES and RC4 encryption types from the default
+  value of supported_enctypes, which determines the default key and
+  salt types for new password-derived keys.  By default, keys will
+  be created only for AES128 and AES256.  This mitigates some types
+  of password guessing attacks.
+  * Add support for directory names in the KRB5_CONFIG and
+  KRB5_KDC_PROFILE environment variables.
+  * Add support for authentication indicators, which are ticket
+  annotations to indicate the strength of the initial authentication.
+  Add support for the "require_auth" string attribute, which can be
+  set on server principal entries to require an indicator when
+  authenticating to the server.
+  * Add support for key version numbers larger than 255 in keytab files,
+  and for version numbers up to 65535 in KDC databases.
+  * Transmit only one ETYPE-INFO and/or ETYPE-INFO2 entry from the KDC
+  during pre-authentication, corresponding to the client's most
+  preferred encryption type.
+  * Add support for server name identification (SNI) when proxying KDC
+  requests over HTTPS.
+  * Add support for the err_fmt profile parameter, which can be used to
+  generate custom-formatted error messages.
+  Code quality:
+  * Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that
+  could cause server crashes. [CVE-2015-2695] [CVE-2015-2696]
+  [CVE-2015-2698]
+  * Fix build_principal memory bug that could cause a KDC
+  crash. [CVE-2015-2697]
+  Developer experience:
+  * Change gss_acquire_cred_with_password() to acquire credentials into
+  a private memory credential cache.  Applications can use
+  gss_store_cred() to make the resulting credentials visible to other
+  processes.
+  * Change gss_acquire_cred() and SPNEGO not to acquire credentials for
+  IAKERB or for non-standard variants of the krb5 mechanism OID unless
+  explicitly requested.  (SPNEGO will still accept the Microsoft
+  variant of the krb5 mechanism OID during negotiation.)
+  * Change gss_accept_sec_context() not to accept tokens for IAKERB or
+  for non-standard variants of the krb5 mechanism OID unless an
+  acceptor credential is acquired for those mechanisms.
+  * Change gss_acquire_cred() to immediately resolve credentials if the
+  time_rec parameter is not NULL, so that a correct expiration time
+  can be returned.  Normally credential resolution is delayed until
+  the target name is known.
+  * Add krb5_prepend_error_message() and krb5_wrap_error_message() APIs,
+  which can be used by plugin modules or applications to add prefixes
+  to existing detailed error messages.
+  * Add krb5_c_prfplus() and krb5_c_derive_prfplus() APIs, which
+  implement the RFC 6113 PRF+ operation and key derivation using PRF+.
+  * Add support for pre-authentication mechanisms which use multiple
+  round trips, using the KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error
+  code.  Add get_cookie() and set_cookie() callbacks to the kdcpreauth
+  interface; these callbacks can be used to save marshalled state
+  information in an encrypted cookie for the next request.
+  * Add a client_key() callback to the kdcpreauth interface to retrieve
+  the chosen client key, corresponding to the ETYPE-INFO2 entry sent
+  by the KDC.
+  * Add an add_auth_indicator() callback to the kdcpreauth interface,
+  allowing pre-authentication modules to assert authentication
+  indicators.
+  * Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to
+  suppress sending the confidentiality and integrity flags in GSS
+  initiator tokens unless they are requested by the caller.  These
+  flags control the negotiated SASL security layer for the Microsoft
+  GSS-SPNEGO SASL mechanism.
+  * Make the FILE credential cache implementation less prone to
+  corruption issues in multi-threaded programs, especially on
+  platforms with support for open file description locks.
+  Performance:
+  * On slave KDCs, poll the master KDC immediately after processing a
+  full resync, and do not require two full resyncs after the master
+  KDC's log file is reset.
+  User experience:
+  * Make gss_accept_sec_context() accept tickets near their expiration
+  but within clock skew tolerances, rather than rejecting them
+  immediately after the server's view of the ticket expiration time.
+
+- Update to 1.13.3
+- removed patches for security fixes now in upstream source:
+  0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch
+  0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
+  0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch
+  0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch
+  Major changes in 1.13.3 (2015-12-04)
+  This is a bug fix release.  The krb5-1.13 release series is in
+  maintenance, and for new deployments, installers should prefer the
+  krb5-1.14 release series or later.
+  * Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that
+  could cause server crashes. [CVE-2015-2695] [CVE-2015-2696]
+  [CVE-2015-2698]
+  * Fix build_principal memory bug that could cause a KDC
+  crash. [CVE-2015-2697]
+  * Allow an iprop slave to receive full resyncs from KDCs running
+  krb5-1.10 or earlier.
+
+- Apply patch 0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch
+  to fix a memory corruption regression introduced by resolution of
+  CVE-2015-2698. bsc#954204
+
+- Make kadmin.local man page available without having to install krb5-client. bsc#948011
+- Apply patch 0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch
+  to fix build_principal memory bug [CVE-2015-2697] bsc#952190
+- Apply patch 0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
+  to fix IAKERB context aliasing bugs [CVE-2015-2696] bsc#952189
+- Apply patch 0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch
+  to fix SPNEGO context aliasing bugs [CVE-2015-2695] bsc#952188
+
+- Let server depend on libev (module of libverto). This was the
+  preferred implementation before the seperation of libverto from krb.
+
+- Drop libverto and libverto-libev Requires from the -server
+  package: those package names don't exist and the shared libs
+  are pulled in automatically.
+
+- Unconditionally buildrequire libverto-devel: krb5-mini also
+  depends on it.
+
+- pre_checkin.sh aligned changes between krb5/krb5-mini
+- added krb5.keyring
+
+- update to krb5 1.13.2
+- DES transition
+  ==============
+  The Data Encryption Standard (DES) is widely recognized as weak.  The
+  krb5-1.7 release contains measures to encourage sites to migrate away
+- From using single-DES cryptosystems.  Among these is a configuration
+  variable that enables "weak" enctypes, which defaults to "false"
+  beginning with krb5-1.8.
+  Major changes in 1.13.2 (2015-05-08)
+  This is a bug fix release.
+  * Fix a minor vulnerability in krb5_read_message, which is primarily
+  used in the BSD-derived kcmd suite of applications.  [CVE-2014-5355]
+  * Fix a bypass of requires_preauth in KDCs that have PKINIT enabled.
+  [CVE-2015-2694]
+  * Fix some issues with the LDAP KDC database back end.
+  * Fix an iteration-related memory leak in the DB2 KDC database back
+  end.
+  * Fix issues with some less-used kadm5.acl functionality.
+  * Improve documentation.
+
+- Use externally built libverto
+
+- update to krb5 1.13.1
+  Major changes in 1.13.1 (2015-02-11)
+  This is a bug fix release.
+  * Fix multiple vulnerabilities in the LDAP KDC back end.
+  [CVE-2014-5354] [CVE-2014-5353]
+  * Fix multiple kadmind vulnerabilities, some of which are based in the
+  gssrpc library. [CVE-2014-5352 CVE-2014-5352 CVE-2014-9421
+  CVE-2014-9422 CVE-2014-9423]
+
+- Update to krb5 1.13
+  * Add support for accessing KDCs via an HTTPS proxy server using the
+    MS-KKDCP protocol.
+  * Add support for hierarchical incremental propagation, where slaves
+    can act as intermediates between an upstream master and other downstream
+    slaves.
+  * Add support for configuring GSS mechanisms using /etc/gss/mech.d/*.conf
+    files in addition to /etc/gss/mech.
+  * Add support to the LDAP KDB module for binding to the LDAP server using
+    SASL.
+  * The KDC listens for TCP connections by default.
+  * Fix a minor key disclosure vulnerability where using the "keepold" option
+    to the kadmin randkey operation could return the old keys. [CVE-2014-5351]
+  * Add client support for the Kerberos Cache Manager protocol. If the host
+    is running a Heimdal kcm daemon, caches served by the daemon can be
+    accessed with the KCM: cache type.
+  * When built on OS X 10.7 and higher, use "KCM:" as the default cache type,
+    unless overridden by command-line options or krb5-config values.
+  * Add support for doing unlocked database dumps for the DB2 KDC back end,
+    which would allow the KDC and kadmind to continue accessing the database
+    during lengthy database dumps.
+- Removed patches, useless or upstreamed
+  * krb5-1.9-kprop-mktemp.patch
+  * krb5-1.10-ksu-access.patch
+  * krb5-1.12-doxygen.patch
+  * bnc#897874-CVE-2014-5351.diff
+  * krb5-1.13-work-around-replay-cache-creation-race.patch
+  * krb5-1.10-kpasswd_tcp.patch
+- Refreshed patches
+  * krb5-1.12-pam.patch
+  * krb5-1.12-selinux-label.patch
+  * krb5-1.7-doublelog.patch
+
less
+- Apply "cve-2022-46663.patch" to fix a vulnerability in less that
+  could be exploited for denial-of-service attacks or even remote
+  code execution by printing specially crafted escape sequences to
+  the terminal. [CVE-2022-46663, bsc#1207815]
+
libmwaw
+- update to 0.3.21 (jsc#PED-1785):
+  * add debug code to read some private rsrc data
+  + allow to read some MacWrite which does not have printer informations
+  * add a parser for Scoop files
+  * add a parser for ScriptWriter files
+  * add a parser for ReadySetGo 1-4 files
+
libogg
+- Orthographic fixes to descriptions. RPM group fix.
+
+- Update to version 1.3.2
+  * Fix an bug in oggpack_writecopy().
+
+- Xiph libogg 1.3.1
+  * Guard against very large packets.
+  * Respect the configure --docdir override.
+  * Documentation fixes.
+- fix SLE build
+
+- own aclocal directory
+
+- -O20 optimization level does not exist, use -O3
+
+- updated to version 1.3.0
+  * Add ogg_stream_flush_fill() call
+    This produces longer packets on flush, similar to
+    what ogg_stream_pageout_fill() does for single pages.
+- run spec-cleaner on it
+- remove "SLES10 -> SLES11 upgrade path" parts since the upgrade
+  already happened and anyway the entry in bugzilla is not public
+
+- replace _service with real file
+
+- update to version 1.2.2
+  * Build fix (types correction) for Mac OS X
+  * Update win32 project files to Visual Studio 2008
+  * ogg_stream_pageout_fill documentation fix
+
+- update to version 1.2.1
+  * Various build updates (see SVN)
+  * Add ogg_stream_pageout_fill() to API to allow applications
+    greater explicit flexibility in page sizing.
+  * Documentation updates including multiplexing description,
+    terminology and API (incl. ogg_packet_clear(),
+    ogg_stream_pageout_fill())
+  * Correct possible buffer overwrite in stream encoding on 32 bit
+    when a single packet exceed 250MB.
+  * Correct read-buffer overrun [without side effects] under
+    similar circumstances.
+  * Update unit testing to work properly with new page spill
+    heuristic.
+  * Alter default flushing behavior to span less often and use
+    larger page sizes when packet sizes are large.
+  * Build fixes for additional compilers
+  * Documentation updates
+- run spec-cleaner
+- removed configure.dif (reapply if -fsigned-char causes problems)
+- removed libogg-compile-warning-fix.diff (upstreamed)
+
+- add baselibs.conf as a source
+
libpng16
-- security update
-- added patches
-  CVE-2019-7317 [bsc#1124211]
-  + libpng16-CVE-2019-7317.patch
-
-- asan_build: build ASAN included
-- debug_build: build more suitable for debugging, install pngcp
-- usecase example: [bsc#1121624]
-
-- security update:
-  * CVE-2018-13785 [bsc#1100687]
-    + libpng16-CVE-2018-13785.patch
-
-- check with -j1
-
-- Fix SRPM group and grammar issues.
-
-- removed obsoleted Obsoletes
-
-- update to 1.6.34:
-  * Removed contrib/pngsuite/i*.png; some of these were incorrect
-    and caused test failures.
-- includes 1.6.33:
-  * Added PNGMINUS_UNUSED macro to contrib/pngminus/p*.c and added
-    missing parenthesis in contrib/pngminus/pnm2png.c
-  * Fixed off-by-one error in png_do_check_palette_indexes()
-  * Initialize png_handler.row_ptr in libpng_read_fuzzer.cc
-    to fix shortlived oss-fuzz issue 3234.
-  * Compute a larger limit on IDAT because some applications write
-    a deflate buffer for each row
-  * Use current date (DATE) instead of release-date (RDATE) in last
-    changed date of contrib/oss-fuzz files.
-  * Enabled ARM support in CMakeLists.txt
-  * Fixed incorrect typecast of some arguments to png_malloc() and
-    png_calloc() that were png_uint_32 instead of png_alloc_size_t
-  * Use pnglibconf.h.prebuilt when building for ANDROID with cmake
-  * Initialize memory allocated by png_inflate to zero, using
-    memset, to stop an oss-fuzz "use of uninitialized value"
-    detection in png_set_text_2() due to truncated iTXt or zTXt
-    chunk.
-  * Initialize memory allocated by png_read_buffer to zero, using
-    memset, to stop an oss-fuzz "use of uninitialized value"
-    detection in png_icc_check_tag_table() due to truncated iCCP
-    chunk.
-  * Removed redundant tests
-  * Added an interlaced version of each file in contrib/pngsuite.
-  * Relocate new memset() call in pngrutil.c
-  * Add support for loading images with associated alpha in the
-    Simplified API
-  * Revert contrib/oss-fuzz/libpng_read_fuzzer.cc to libpng-1.6.32
-    state
-  * Initialize png_handler.row_ptr in libpng_read_fuzzer.cc
-  * Add end_info structure and png_read_end() to the libpng fuzzer
-- includes 1.6.32:
-  * Avoid possible NULL dereference in png_handle_eXIf when
-    benign_errors are allowed. Avoid leaking the input buffer
-    "eXIf_buf".
-  * Eliminated png_ptr->num_exif member from pngstruct.h and added
-    num_exif to arguments for png_get_eXIf() and png_set_eXIf().
-  * Added calls to png_handle_eXIf(() in pngread.c and
-    png_write_eXIf() in pngwrite.c, and made various other fixes
-    to png_write_eXIf().
-  * Changed name of png_get_eXIF and png_set_eXIf() to
-    png_get_eXIf_1() and png_set_eXIf_1(), respectively, to avoid
-    breaking API compatibility with libpng-1.6.31.
-  * Updated contrib/libtests/pngunknown.c with eXIf chunk.
-  * Initialized btoa[] in pngstest.c
-  * Stop memory leak when returning from png_handle_eXIf() with an
-    error
-  * Replaced local eXIf_buf with info_ptr-eXIf_buf in png_handle_eXIf().
-  * Update libpng.3 and libpng-manual.txt about eXIf functions.
-  * Restored png_get_eXIf() and png_set_eXIf() to maintain API
-    compatability.
-  * Removed png_get_eXIf_1() and png_set_eXIf_1().
-  * Check length of all chunks except IDAT against user limit to
-    fix an OSS-fuzz issue (Fixes CVE-2017-12652)
-  * Check length of IDAT against maximum possible IDAT size,
-    accounting for height, rowbytes, interlacing and zlib/deflate
-    overhead.
-  * Restored png_get_eXIf_1() and png_set_eXIf_1(), because
-    strlen(eXIf_buf) does not work (the eXIf chunk data can
-    contain zeroes).
-  * Revised symlink creation, no longer using deprecated cmake
-    LOCATION feature
-  * Fixed five-byte error in the calculation of IDAT maximum
-    possible size.
-  * Moved chunk-length check into a png_check_chunk_length()
-    private function
-  * Moved bad pngs from tests to contrib/libtests/crashers
-  * Moved testing of bad pngs into a separate
-    tests/pngtest-badpngs script
-  * Added the --xfail (expected FAIL) option to pngtest.c. It
-    writes XFAIL in the output but PASS for the libpng test.
-  * Require cmake-3.0.2 in CMakeLists.txt
-  * Fix "const" declaration info_ptr argument to png_get_eXIf_1()
-    and the num_exif argument to png_get_eXIf_1()
-  * Added "eXIf" to "chunks_to_ignore[]" in png_set_keep_unknown_chunks().
-  * Added huge_IDAT.png and empty_ancillary_chunks.png to
-    testpngs/crashers.
-  * Make pngtest --strict, --relax, --xfail options imply -m
-    (multiple).
-  * Removed unused chunk_name parameter from png_check_chunk_length().
-  * Relocated setting free_me for eXIf data, to stop an OSS-fuzz'
-    leak.
-  * Initialize profile_header[] in png_handle_iCCP() to fix
-    OSS-fuzz issue.
-  * Initialize png_ptr->row_buf[0] to 255 in png_read_row() to fix
-    OSS-fuzz UMR.
-  * Attempt to fix a UMR in png_set_text_2() to fix OSS-fuzz issue.
-  * Increase minimum zlib stream from 9 to 14 in png_handle_iCCP(),
-    to account for the minimum 'deflate' stream, and relocate the
-    test to a point after the keyword has been read.
-  * Check that the eXIf chunk has at least 2 bytes and begins with
-    "II" or "MM".
-  * Added a set of "huge_xxxx_chunk.png" files to
-    contrib/testpngs/crashers, one for each known chunk type, with
-    length = 2GB-1.
-  * Check for 0 return from png_get_rowbytes() and added some
-    (size_t) typecasts in contrib/pngminus/*.c to stop some Coverity
-    issues (162705, 162706, and 162707).
-  * Renamed chunks in contrib/testpngs/crashers to avoid having
-    files whose names differ only in case; this causes problems with
-    some platforms
-  * Added contrib/oss-fuzz directory which contains files used by
-    the oss-fuzz project
-- cleanup with spec-cleaner
-
-- update to 1.6.31:
-  * Guard the definition of _POSIX_SOURCE in pngpriv.h.
-  * Revised pngpriv.h to work around failure to compile
-    arm/filter_neon.S.
-  * Added "Requires: zlib" to libpng.pc.in.
-  * Added special case for FreeBSD in arm/filter_neon.S.
-  * Changed "int" to "png_size_t" in intel/filter_sse2.c to prevent
-    possible integer overflow.
-  * Added eXIf chunk support.
-- remove upstreamed
-  0001-libpng16-Revised-pngpriv.h-to-use-PNG_VERSION_INFO_O.patch
-
-- Drop png-version-info-only.patch, it has no effect after applying
-  0001-libpng16-Revised-pngpriv.h-to-use-PNG_VERSION_INFO_O.patch
-  Both patches achieve the same, prefer the upstream version
-
-- Add 0001-libpng16-Revised-pngpriv.h-to-use-PNG_VERSION_INFO_O.patch
-  Fix build on ARM
-
-- png-version-info-only.patch: fix missing PNG_VERSION_INFO_ONLY check
-
-- update to 1.6.30:
-  Revised documentation of png_get_error_ptr() in the libpng manual.
-  Document need to check for integer overflow when allocating a pixel
-    buffer for multiple rows in contrib/gregbook, contrib/pngminus,
-    example.c, and in the manual (suggested by Jaeseung Choi). This
-    is similar to the bug reported against pngquant in CVE-2016-5735.
-  Check for integer overflow in contrib/visupng and contrib/tools/genpng.
-  Do not double evaluate CMAKE_SYSTEM_PROCESSOR in CMakeLists.txt.
-  Avoid writing an empty IDAT when the last IDAT exactly fills the
-    compression buffer (bug report by Brian Baird).  This bug was
-    introduced in libpng-1.6.0.
-  Add a reference to the libpng.download site in README.
-
-- update to 1.6.29:
-  Moved SSE2 optimization code into the main libpng source directory.
-    Configure libpng with "configure --enable-intel-sse" or compile
-    libpng with "-DPNG_INTEL_SSE" in CPPFLAGS to enable it.
-  Added code for PowerPC VSX optimisation (Vadim Barkov).
-  Avoid potential overflow of shift operations in png_do_expand() (Aaron Boxer).
-
-- update to 1.6.28: fix build issues
-
-- update to 1.6.27: fixes CVE-2016-10087
-
-- update to 1.6.26:
-  Fixed handling zero length IDAT in pngfix (bug report by Agostino Sarubbo,
-    bugfix by John Bowler).
-  Do not issue a png_error() on read in png_set_pCAL() because
-    png_handle_pCAL has allocated memory that libpng needs to free.
-  Issue a png_benign_error instead of a png_error on ADLER32 mismatch
-    while decoding compressed data chunks.
-  Changed PNG_ZLIB_VERNUM to ZLIB_VERNUM in pngpriv.h, pngstruct.h, and
-    pngrutil.c.
-  If CRC handling of critical chunks has been set to PNG_CRC_QUIET_USE,
-    ignore the ADLER32 checksum in the IDAT chunk as well as the chunk CRCs.
-  Issue png_benign_error() on ADLER32 checksum mismatch instead of
-    png_error().
-  Updated the documentation about CRC and ADLER32 handling.
-  Fixed offsets in contrib/intel/intel_sse.patch
-  Changed integer constant 4294967294 to unsigned 4294967294U in pngconf.h
-    to avoid a signed/unsigned compare in the preprocessor.
-  Use zlib-1.2.8.1 inflateValidate() instead of inflateReset2() to
-    optionally avoid ADLER32 evaluation.
-
-- update to 1.6.25:
-  Reject oversized iCCP profile immediately.
-  Conditionally compile png_inflate().
-  Don't install pngcp; it conflicts with pngcp in the pngtools package.
-  Added MIPS support (Mandar Sahastrabuddhe <
-
-- update to 1.6.24:
-  Avoid potential overflow of the PNG_IMAGE_SIZE macro.
-  Correct filter heuristic overflow handling.
-  Use a more efficient absolute value calculation on SSE2.
-  Added pngcp.
-  etc. see ANNOUNCE
-
-- Update to new upstream release 1.6.23
-  * Fixes a potential memleak in png_set_tRNS.
-  * Fixed the progressive reader to handle empty first IDAT
-    chunk properly.
-  * Added tests in pngvalid.c to check zero-length IDAT chunks
-    in various positions.
-  * Fixed the sequential reader to handle these more robustly.
-  * Corrected progressive read input buffer in pngvalid.c.
-  * Moved sse2 prototype from pngpriv.h to
-    contrib/intel/intel_sse.patch.
-  * Fixed undefined behavior in png_push_save_buffer().
-    Do not call memcpy() with a null source, even if count is zero.
-  * Fixed bad link to RFC2083 in png.5.
-
-- update to 1.6.22:
-  Added a png_image_write_to_memory() API and a number of assist macros
-    to allow an application that uses the simplified API write to bypass
-    stdio and write directly to memory.
-  Relaxed limit checks on gamma values in pngrtran.c. As suggested in
-    the comments gamma values outside the range currently permitted
-    by png_set_alpha_mode are useful for HDR data encoding.  These values
-    are already permitted by png_set_gamma so it is reasonable caution to
-    extend the png_set_alpha_mode range as HDR imaging systems are starting
-    to emerge.
-  Restored "& 0xff" in png_save_uint_16() and png_save_uint_32() that
-    were accidentally removed from libpng-1.6.17.
-  Changed PNG_INFO_cHNK and PNG_FREE_cHNK from 0xnnnn to 0xnnnnU in png.h
-    (Robert C. Seacord).
-  Added INTEL-SSE2 support (Mike Klein and Matt Sarett, Google, Inc.).
-  SSE filter speed improvements for bpp=3:
-    memcpy-free implementations of load3() / store3().
-  Added PNG_FAST_FILTERS macro (defined as
-    PNG_FILTER_NONE|PNG_FILTER_SUB|PNG_FILTER_UP).
-
-- Update to new upstream release 1.6.21
-  * Widened the 'limit' check on the internally calculated error limits in
-  the 'DIGITIZE' case (the code used prior to 1.7 for rgb_to_gray error
-  checks) and changed the check to only operate in non-release builds
-  (base build type not RC or RELEASE.)
-  * Fixed undefined behavior in pngvalid.c, undefined because
-  (png_byte) << shift is undefined if it changes the signed bit
-  (because png_byte is promoted to int). The libpng exported functions
-  png_get_uint_32 and png_get_uint_16 handle this.
-
-- update to 1.6.20:
-  Avoid potential pointer overflow/underflow in png_handle_sPLT() and
-    png_handle_pCAL() (Bug report by John Regehr).
-  Fixed incorrect implementation of png_set_PLTE() that uses png_ptr
-    not info_ptr, that left png_set_PLTE() open to the CVE-2015-8126
-    vulnerability.
-  Backported tests from libpng-1.7.0beta69.
-  Fixed an error in handling of bad zlib CMINFO field in pngfix, found by
-    American Fuzzy Lop, reported by Brian Carpenter.  inflate() doesn't
-    immediately fault a bad CMINFO field; instead a 'too far back' error
-    happens later (at least some times).  pngfix failed to limit CMINFO to
-    the allowed values but then assumed that window_bits was in range,
-    triggering an assert. The bug is mostly harmless; the PNG file cannot
-    be fixed.
-  In libpng 1.6 zlib initialization was changed to use the window size
-    in the zlib stream, not a fixed value. This causes some invalid images,
-    where CINFO is too large, to display 'correctly' if the rest of the
-    data is valid.  This provides a workaround for zlib versions where the
-    error arises (ones that support the API change to use the window size
-    in the stream).
-
-- update to 1.6.19:
-  Fixed potential leak of png_pixels in contrib/pngminus/pnm2png.c
-  Fixed uninitialized variable in contrib/gregbook/rpng2-x.c
-  Fixed the recently reported 1's complement security issue.
-  Fixed png_save_int_32 when int is not 2's complement by replacing
-    the value that is illegal in the PNG spec, in both signed and
-    unsigned values, with 0.
-  etc., see ANNOUNCE and CHANGES for details
-- removed: libpng-rgb_to_gray-checks.patch (upstreamed)
-
-- drop unknown configure switch
-
-- Fixed rgb_to_gray checks and added tRNS checks to pngvalid.c.
-  + libpng-rgb_to_gray-checks.patch
-
-- updated to 1.6.17:
-  Corrected the width limit calculation in png_check_IHDR().
-  Removed user limits from pngfix. Also pass NULL pointers to
-    png_read_row to skip the unnecessary row de-interlace stuff.
-  Implement previously untested cases of libpng transforms in pngvalid.c
-  Fixed byte order in 2-byte filler, in png_do_read_filler().
-  Made the check for out-of-range values in png_set_tRNS() detect
-    values that are exactly 2^bit_depth, and work on 16-bit platforms.
-  Merged some parts of libpng-1.6.17beta01 and libpng-1.7.0beta47.
-  Added #ifndef __COVERITY__ where needed in png.c, pngrutil.c and
-    pngset.c to avoid warnings about dead code.
-  Do not build png_product2() when it is unused.
-  Display user limits in the output from pngtest.
-  Eliminated the PNG_SAFE_LIMITS macro and restored the 1-million-column
-    and 1-million-row default limits in pnglibconf.dfa, that can be reset
-    by the user at build time or run time.  This provides a more robust
-    defense against DOS and as-yet undiscovered overflows.
-  Added PNG_WRITE_CUSTOMIZE_COMPRESSION_SUPPORTED macro, on by default.
-  Allow user to call png_get_IHDR() with NULL arguments (Reuben Hawkins).
-  Moved png_set_filter() prototype into a PNG_WRITE_SUPPORTED block
-    of png.h.
-  Free the unknown_chunks structure even when it contains no data.
-  Fixed simplified 8-bit-linear to sRGB alpha. The calculated alpha
-    value was wrong.  It's not clear if this affected the final stored
-    value; in the obvious code path the upper and lower 8-bits of the
-    alpha value were identical and the alpha was truncated to 8-bits
-    rather than dividing by 257 (John Bowler).
-
-- build with PNG_SAFE_LIMITS_SUPPORTED [bnc#912076], [bnc#912929]
-
-- updated to 1.6.16:
-  * Restored a test on width that was removed from png.c at libpng-1.6.9
-    (Bug report by Alex Eubanks).
-  * Fixed an overflow in png_combine_row with very wide interlaced images.
-
-- updated to 1.6.15:
-  * Avoid out-of-bounds memory access in png_user_version_check().
-  * Fixed incorrect handling of the iTXt compression.
-  * Free all allocated memory in pngimage.
-  * Fixed array size calculations to avoid warnings.
-  etc. see ANNOUNCE
-
libpsl
-- fix [bsc#1197771] - FTBFS: libpsl won't compile on SP4
-- added patches
-  https://github.com/rockdaboot/libpsl/commit/f364cea73e351ce62e0b337fd1fbc21e70b52d56
-  + libpsl-fix-test-data.patch
-
-- update to 0.20.1:
-  * Fix issue introduced with PSL_TYPE_NO_STAR_RULE in V0.20.0
-  * Fix SO_VERSION to 8:0:3
-  * Improve unit tests
-
-- Use %license (boo#1082318)
-
-- update to 0.20.0:
-  * Remove hard-coded gcc flag in Makefile.am
-  * Prevent excessive CPU cycles on large inputs
-  * New flag PSL_TYPE_NO_STAR_RULE to skip star rule
-
-- Make sure to use python3 during build instead of calling env
-
-- update to 0.19.1:
-  * New function psl_free_string()
-  * psl_make_dafsa now works with python2 and python3
-  * psl_*count() functions now return -1 if info is not available
-  * Fixed unsigned integer overflow in _mem_is_ascii()
-  * Add -fsanitize-address-use-after-scope to --enable-asan if
-    available
-
-- update to 0.18.0:
-  * Fix order of files in psl_latest()
-  * Add fuzzing architecture
-  * Fix memleak in _psl_is_public_suffix()
-  * Add configure option --enable-asan (Address sanitizer)
-  * Add configure option --enable-usan (Undefined sanitizer)
-  * Add configure option --enable-cfi (Control Flow Integrity)
-  * Fix finding libidn2 for static builds
-  * Fix use of uninitialized stack value
-  * Fix buffer overflow in libicu build
-  * Use libidn2 as default for builds (former libicu)
-  * Add pkg-config support for libidn and libidn2
-
-- Use idn2 runtime instead of libicu - as libicu requires 30MB
-  of unicode data - while idn2 is already part of minimal system
-
-- libpsl 0.17.0:
-  * Use TR46 non-transitional for IDNA (libicu, libidn2 >= 0.14)
-  * Fix coverage upload from TravisCI to Coveralls
-  * New tests to cover psl_latest() and psl_dist_filename()
-
-- libpsl 0.16.1:
-  This version enables consumers of the library to dynamically load
-  the latest public suffix data from a binary data file in the
-  publicsuffix package which can then updated without re-building
-  libpsl.
-  * Add functions psl_latest() and psl_dist_filename()
-  * Do not taint out variable on error in psl_str_to_utf8lower()
-  * Replace psl2c by psl-make-dafsa
-- correct licenses for package and subpackages
-- package HTML docs in -devel package
-
-- libpsl 0.15.0:
-  * Python3 compatibility for psl-make-dafsa
-  * Support for UTF-8 in DAFSA data
-  * Skip punycode conversion if DAFSA has UTF-8
-  * Better code coverage by test suite
-  * Code cleanup and enhancements
-  * Install man pages for psl-make-dafsa and psl
-  * Enhancements to the documentation
-
-- libpsl 0.14.0:
-  * Remove unneeded libraries from tools/psl link step
-  * Use https instead of http where possible
-  * Add man page for tools/psl
-  * Add header magic to DAFSA files
-  * Rename make_dafsa.py to psl-make-dafsa
-  * Add man page for psl-make-dafsa
-
-- libpsl 0.13.0:
-  * Use tests.txt as PSL test file by default
-  * Slightly shorter DAFSA array when sorting input
-  * Check for python 2.7+ in configure.ac
-  * Fix python3 incompatibilities in make_dafsa.py
-
-- Add baselibs.conf
-
-- libpsl 0.12.0 (libpsl.so.5 5:0:0)
-  * Remove psl_builtin_compile_time()
-  * Add function psl_is_public_suffix2()
-  * Avoid libicu dependency with --enable-runtime=no
-- drop upstreamed 0001-Remove-include-of-bits-stat.h.patch
-
-- fix SLE 11 build:
-  * adding 0001-Remove-include-of-bits-stat.h.patch
-  * skip IDN feature
-- update descriptions and categories
-
-- initial package for libpsl based on Fedora Spec
-
libreoffice
+- Update to 7.4.3.2 (jsc#PED-1785):
+  You can check for 7.4 release notes here:
+  https://wiki.documentfoundation.org/ReleaseNotes/7.4
+  You can check for each minor release notes here:
+  https://wiki.documentfoundation.org/Releases/7.4.3/RC2
+  https://wiki.documentfoundation.org/Releases/7.4.3/RC1
+  https://wiki.documentfoundation.org/Releases/7.4.2/RC3
+  https://wiki.documentfoundation.org/Releases/7.4.2/RC2
+  https://wiki.documentfoundation.org/Releases/7.4.2/RC1
+  https://wiki.documentfoundation.org/Releases/7.4.1/RC2
+  https://wiki.documentfoundation.org/Releases/7.4.1/RC1
+  https://wiki.documentfoundation.org/Releases/7.4.0/RC3
+  https://wiki.documentfoundation.org/Releases/7.4.0/RC2
+  https://wiki.documentfoundation.org/Releases/7.4.0/RC1
+- Updated bundled dependencies:
+  * boost_1_77_0.tar.xz -> boost_1_79_0.tar.xz
+  * curl-7.83.1.tar.xz -> curl-7.86.0.tar.xz
+  * icu4c-70_1-data.zip -> icu4c-71_1-data.zip
+  * icu4c-70_1-src.tgz -> icu4c-71_1-src.tgz
+  * pdfium-4699.tar.gz2 -> pdfium-5058.tar.bz2
+  * poppler-21.11.0.tar.xz -> poppler-22.09.0.tar.xz
+  * poppler-data-0.4.10.tar.gz -> poppler-data-0.4.11.tar.gz
+  * skia-m97-a7230803d64ae9d44f4e1282444801119a3ae967.tar.xz
+  - > skia-m103-b301ff025004c9cd82816c86c547588e6c24b466.tar.xz
+- Added patches:
+  * fix_harfbuzz_on_sle12_sp5.patch
+  * fix_webp_on_sle12_sp5.patch
+  * use-fixmath-shared-library.patch
+- Refresh fix_gtk_popover_on_3.20.patch
+- Removed upstreamed patches:
+  * bsc1197498.patch
+  * bsc1200009.patch
+  * bsc1201093.patch
+  * bsc1202032.patch
+  * bsc1202114.patch
+  * CVE-2022-3140-4.patch
+
libsndfile
-- Fix heap buffer overflow in flac_buffer_copy (CVE-2021-4156,
-  bsc#1194006):
-  libsndfile-CVE-2021-4156.patch
-
-- Fix heap buffer overflow vulnerability in msadpcm_decode_block
-  (CVE-2021-3246, bsc#1188540):
-  ms_adpcm-Fix-and-extend-size-checks.patch
-
-- Fix segfault in wav conversion due to the invalid loop count
-  (CVE-2018-19758, bsc#1117954):
-  libsndfile-wav-loop-count-fix.patch
-
-- Fix buffer overflow in sndfile-deinterleave, which isn't really a
-  security issue (bsc#1100167, CVE-2018-13139, bsc#1116993,
-  CVE-2018-19432):
-  sndfile-deinterlace-channels-check.patch
-
-- Use license file tag
-
-- Fix potential overflow in d2alaw_array() (CVE-2017-17456,
-  bsc#1071777):
-  libsndfile-CVE-2017-17456-alaw-range-check.patch
-- Fix potential overflow in d2ulaw_array() (CVE-2017-17457,
-  bsc#1071767):
-  libsndfile-CVE-2017-17457-ulaw-range-check.patch
-
-- Fix VUL-0: divide-by-zero error exists in the function
-  double64_init() in double64.c (CVE-2017-14634, bsc#1059911):
-  0030-double64_init-Check-psf-sf.channels-against-upper-bo.patch
-- Tentative fix for VUL-0: out of bounds read in the function
-  d2alaw_array() in alaw.c (CVE-2017-14245, bsc#1059912) and
-  VUL-0: out of bounds read in the function d2ulaw_array() in
-  ulaw.c (CVE-2017-14246, bsc#1059913):
-  0031-sfe_copy_data_fp-check-value-of-max-variable.patch
-
-- Fix Heap-based Buffer Overflow in the psf_binheader_writef
-  (CVE-2017-12562, bsc#1052476):
-  0020-src-common.c-Fix-heap-buffer-overflows-when-writing-.patch
-
-- Fix out-of-bounds read memory access in the aiff_read_chanmap()
-  (CVE-2017-6892, bsc#1043978):
-  0010-src-aiff.c-Fix-a-buffer-read-overflow.patch
-
-- Fix FLAC buffer overflows (CVE-2017-8361 CVE-2017-8363
-  CVE-2017-8365 CVE-2017-8362 bsc#1036944 bsc#1036945 bsc#1036946
-  bsc#1036943):
-  0001-FLAC-Fix-a-buffer-read-overrun.patch
-  0002-src-flac.c-Fix-a-buffer-read-overflow.patch
-
-- Update to version 1.0.27:
-  * Fix a seek regression in 1.0.26
-  * Add metadata read/write for CAF and RF64
-  * FIx PAF endian-ness issue
-- Update to version 1.0.28
-  * Fix buffer overruns in FLAC and ID3 handling code
-  (CVE-2017-7585, CVE-2017-7586, bsc#1033054, bsc#1033053)
-  * Reduce default header memory requirements
-  * Fix detection of Large File Support for 32 bit systems.
-- Obsoleted patch:
-  libsndfile-psf_strlcpy_crlf-fix-CVE-2015-8075.patch
-
-- Fix spec file to enable builds on non opensuse OS
-
-- Update to version 1.0.26:
-  * Fix for CVE-2014-9496, CVE-2014-9756 and CVE-2015-7805.
-  * Add ALAC/CAF support. Minor bug fixes and improvements.
-- Refreshed patches:
-  sndfile-ocloexec.patch
-  libsndfile-psf_strlcpy_crlf-fix-CVE-2015-8075.patch
-- Removed obsoleted patches:
-  libsndfile-example-fix.diff
-  libsndfile-fix-header-read-CVE-2015-7805.patch
-  libsndfile-paf-zero-division-fix.diff
-  libsndfile-src-common.c-Fix-a-header-parsing-bug.patch
-  libsndfile-src-file_io.c-Prevent-potential-divide-by-zero.patch
-  sndfile-src-sd2.c-Fix-segfault-in-SD2-RSRC-parser.patch
-  sndfile-src-sd2.c-Fix-two-potential-buffer-read-overflows.patch
-
-- VUL-0: libsndfile 1.0.25 heap overflow (CVE-2015-7805, bsc#953516)
-  libsndfile-src-common.c-Fix-a-header-parsing-bug.patch
-  libsndfile-fix-header-read-CVE-2015-7805.patch
-- VUL-0: libsndfile 1.0.25 heap overflow (CVE-2015-8075, bsc#953519)
-  libsndfile-psf_strlcpy_crlf-fix-CVE-2015-8075.patch
-- Fix the build with SLE11-SP3 due to AM_SILENT_RULE macro
-
-- VUL-1: libsndfile DoS/divide-by-zero (CVE-2014-9756, bsc#953521):
-  libsndfile-src-file_io.c-Prevent-potential-divide-by-zero.patch
-
-- Cleanup spec file with spec-cleaner
-- Add gpg signature
-- Remove old ppc provides/obsoletes
-
-- VUL-0: two buffer read overflows in sd2_parse_rsrc_fork()
-  (CVE-2014-9496, bnc#911796): backported upstream fix patches
-  sndfile-src-sd2.c-Fix-segfault-in-SD2-RSRC-parser.patch
-  sndfile-src-sd2.c-Fix-two-potential-buffer-read-overflows.patch
-
libxcb
+- u_don-t-flag-extra-reply-in-xcb_take_socket.patch
+  * Fix IO errors with KWin in combination with NVIDIA driver.
+    (bnc#1101560)
+
+- Update to version 1.13
+  * As with xcb-proto, this release mainly enables multi-planar buffers in
+    DRI3 v1.2 via support for variable-sized lists of FDs, and enables
+    sending GenericEvents to other clients. Present v1.2 and RandR v1.6
+    did not require any specific library changes.
+- supersedes U_add-support-for-eventstruct.patch,
+  u_build_python3.patch
+
+- Really conditionalize the python3 option to allow us building
+  without any python2 present
+  * u_build_python3.patch
+- Convert to pkgconfig style deps
+- Format bit with spec-cleaner
+
+- Enable xinput extension. (bnc#1074249)
+- U_add-support-for-eventstruct.patch
+  * Update xinput to the state when it was enabled by default
+    upstream.
+
+- n_If-auth-with-credentials-for-hostname-fails-retry-with-XAUTHLOCALHOSTNAME.patch
+  * Prevent infinite loop also in case DISPLAY is non-local.
+
+- Use spaces instead of tabs in the patches (as does the original
+  source code) to avoid confusion.
+- n_If-auth-with-credentials-for-hostname-fails-retry-with-XAUTHLOCALHOSTNAME.patch
+  * If authentication (with *stage == 0) failed and the variable
+    XAUTHLOCALHOSTNAME wasn't set, we were never getting to stage 2
+    in the original patch, causing calls to xcb_connect_to_display
+    to be stuck in an infinite loop.
+    Now we also go to stage 2 if the variable isn't set.
+
+- fixes build against python3 (package rename of
+  python-xcb-proto-devel to python3-xcb-proto-devel)
+
+- n_If-auth-with-credentials-for-hostname-fails-retry-with-XAUTHLOCALHOSTNAME.patch
+  * Modify this patch to do what it says - retry not only if the current hostname is
+    not found in the xauthority file, but also when it is rejected by X server.
+    (bnc#1043221)
+
+- Update to version 1.12
+  * here is a new version of libxcb for you to enjoy. The
+    highlights are the same as for the new xcb-proto release:
+    xinput support, RandR 1.5 and an automatic alignment checker.
+- removed libxcb-xevie0/libxcb-xprint0 subpackages
+
+- n_If-auth-with-credentials-for-hostname-fails-retry-with-XAUTHLOCALHOSTNAME.patch:
+  If auth with credentials for hostname fails retry with XAUTHLOCALHOSTNAME
+  (boo#906622).
+
+- Update to version 1.11.1:
+  This fixes some threading-related bugs with
+  xcb_wait_for_special_event() and adds 64-bit versions of
+  functions that work with sequence numbers.
+
live555
+- update to 2023.01.19:
+  - By default, we no longer compile "groupsock/NetAddress.cpp" for Windows to use
+    "gethostbyname()", because of a report that this breaks IPv6 name resolution.
+
+- update to 2023.01.11:
+  * Updated the "BasicTaskScheduler"/"DelayQueue" implementation to make the 'token counter'
+    a field of the task scheduler object, rather than having it be a static variable.
+    This avoids potential problems if an application uses more than one thread (with each thread
+    having its own task scheduler).
+
mozilla-nss
+- update to NSS 3.79.4 (bsc#1208138)
+  * Bug 1804640 - improve handling of unknown PKCS#12 safe bag types.
+    (CVE-2023-0767)
+
nghttp2
-- security update
-- added patches
-  fix CVE-2020-11080 [bsc#1181358], HTTP/2 Large Settings Frame DoS
-  + nghttp2-CVE-2020-11080.patch
-
-- Update to version 1.40.0 to fix CVE-2019-18802 in envoy-proxy and
-  cilium-proxy (bsc#1166481)
-  * lib: Add nghttp2_check_authority as public API
-  * lib: Fix the bug that stream is closed with wrong error code
-  * lib: Faster huffman encoding and decoding
-  * build: Avoid filename collision of static and dynamic lib
-  * build: Add new flag ENABLE_STATIC_CRT for Windows
-  * build: cmake: Support building nghttpx with systemd
-  * third-party: Update neverbleed to fix memory leak
-  * nghttpx: Fix bug that mruby is incorrectly shared between
-    backends
-  * nghttpx: Reconnect h1 backend if it lost connection before
-    sending headers
-  * nghttpx: Returns 408 if backend timed out before sending
-    headers
-  * nghttpx: Fix request stal
-
-- Conditionally remove dependency on jemalloc for SLE-12
-
-- Require correct library from devel package - boo#1125689
-
-- Update to version 1.39.2 (bsc#1146184, bsc#1146182):
-  * This release fixes CVE-2019-9511 “Data Dribble” and CVE-2019-9513
-  “Resource Loop” vulnerability in nghttpx and nghttpd. Specially crafted HTTP/2
-  frames cause Denial of Service by consuming CPU time. Check out
-  https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
-  for details. For nghttpx, additionally limiting inbound traffic by
-  --read-rate and --read-burst options is quite effective against
-  this kind of attack.
-  * Add nghttp2_option_set_max_outbound_ack API function
-  * nghttpx: Fix request stall
-
-- Update to version 1.39.1:
-  * This release fixes the bug that log-level is not set with
-    cmd-line or configuration file. It also fixes FPE with default
-    backend.
-- Changes for version 1.39.0:
-  * libnghttp2 now ignores content-length in 200 response to
-    CONNECT request as per RFC 7230.
-  * mruby has been upgraded to 2.0.1.
-  * libnghttp2-asio now supports boost-1.70.
-  * http-parser has been replaced with llhttp.
-  * nghttpx now ignores Content-Length and Transfer-Encoding in 1xx
-    or 200 to CONNECT.
-- Drop no longer needed boost170.patch
-
-- Update to 1.38.0:
-  * This release fixes the bug that authority and path altered by per-pattern mruby script can affect backend selection on retry.
-  * It also fixes the bug that HTTP/1.1 chunked request stalls.
-  * Now nghttpx does not log authorization request header field value with -LINFO.
-  * This release fixes possible backend stall when header and request body are sent in their own packets.
-  * The backend option gets weight parameter to influence backend selection.
-  * This release fixes compile error with BoringSSL.
-- Add patch from upstream to build with new boost bsc#1134616:
-  * boost170.patch
-
-- Update to 1.36.0
-  * build: disable shared library if ENABLE_SHARED_LIB is off
-  * third-party: use http-parser to v2.9.0 (GH-1294)
-  * third-party: Update mruby to 2.0.0
-  * nghttpx: Pool h1 backend connection per address (GH-1292)
-  * nghttpx: Randomize backend address round robin order per thread
-    (GH-1291)
-  * nghttpx: Fix getting long SNs for openssl < 1.1 (GH-1287)
-  * h2load: add an option to write per-request logs (GH-1256)
-  * asio: added access to # of the current server port (GH-1257)
-
-- Use multibuild to not pull in python3 in first build, nghttp2
-  is low in the system
-
-- Update to version 1.35.1:
-  * nghttpx: Fix broken trailing slash handling (GH-1276)
-- Changes for version 1.35:
-  * build: cmake: Fix libevent version detection (Patch from Jan Kundrát) (GH-1238)
-  * lib: Use __has_declspec_attribute for shared builds (Patch from Don) (GH-1222)
-  * src: Require C++14 language feature
-  * nghttpx: Write mruby send_info early
-  * nghttpx: Fix assertion failure on mruby send_info with HTTP/1 frontend
-  * h2load: Handle HTTP/1 non-final response (GH-1259)
-  * h2load: Clarify that time for connect includes TLS handshake
-
-- Update to version 1.34.0: (bsc#1112438, FATE#326776)
-  * lib: Implement RFC 8441 :protocol support
-  * nghttpx: Add read/write-timeout parameters to backend option
-  * nghttpx: Fix mruby parameter validation in backend option
-  * nghttpx: Implement RFC 8441 Bootstrapping WebSocket with HTTP/2
-  * nghttpx: Update neverbleed to fix OpenSSL 1.1.1 issues
-  * nghttpx: Update mruby 1.4.1
-  * nghttpx: Add mruby env.tls_handshake_finished
-  * nghttpx: Add --tls13-ciphers and --tls-client-ciphers options
-  * nghttpx: Add RFC 8470 Early-Data header field support
-  * nghttpx: Add RFC 8446 TLSv1.3 0-RTT early data support
-
-- Update to version 1.33.0:
-  * lib: Tweak nghttp2_session_set_stream_user_data
-  * lib: Fix handling of SETTINGS_MAX_CONCURRENT_STREAMS.
-  * lib: Implement ORIGIN frame
-  * asio: support definition of local endpoint for cleartext
-    client session
-  * integration: Remove remaining SPDY code from the integration tests
-  * nghttpx: Fix worker process crash with neverbleed write error
-  * nghttpx: Support per-backend mruby script
-  * nghttpx: Fix stream reset if data from client is arrived before
-    dconn is attached
-
-- Update to version 1.32.0:
-  * lib: Ignore all input after calling session_terminate_session
-  * lib: Fix treatment of padding
-  * lib: Don't allow 101 HTTP status code because HTTP/2 removes
-    HTTP Upgrade
-  * build: add ENABLE_STATIC_LIB option to build static lib
-  * third-party: Upgrade neverbleed to the latest master
-  * asio: Support client side SNI
-  * src: Compile with libressl 2.7.2
-  * src: Allow building without NPN
-  * h2load: -r and --duration are mutually exclusive
-
-- Version update to 1.31.1:
-  * Fix bsc#1088639 CVE-2018-1000168
-  * https://nghttp2.org/blog/2018/04/12/nghttp2-v1-31-1/
-
-- Version update to 1.31.0:
-  * lib: Add nghttp2_session_set_user_data() public API function (GH-1137)
-  * src: Define nghttp2_inet_pton wrapper to avoid inet_pton macro (GH-1128)
-  * nghttpx: Close listening socket on graceful shutdown
-  * nghttpx: Add an option to accept expired client certificate (GH-1126)
-  * nghttpx: Add mruby tls_client_not_before, and tls_client_not_after (GH-1123)
-  * nghttpx: Fix potential memory leak
-  * lib: Allow PING frame to be sent after GOAWAY (GH-1103)
-  * nghttpx: Fix bug that h1 backend idle timeout expires sooner
-  * nghttpx: Stop overwrite of first header on mruby call to env.req.set_header(..) (Patch from Dylan Plecki) (GH-1119)
-  * nghttpx: Add upgrade-scheme parameter to backend option (GH-1099)
-  * nghttpx: Fix missing ALPN validation (--npn-list) (GH-1094)
-  * nghttpx: Remember which resource is pushed for RFC 8297 (GH-1101)
-
-- Drop spdylay dependency as it is deprecated since version 1.28.0
-  and removed from configure.ac since 1.29.0
-
-- Use %license (boo#1082318)
-
-- Update to version 1.29.0:
-  * lib: Use NGHTTP2_REFUSED_STREAM for streams which are closed by
-    GOAWAY
-  * build: Remove SPDY
-  * build: Fix CMAKE_MODULE_PATH
-  * nghttpx: Revert "nghttpx: Use an existing h2 backend connection
-    as much as possible"
-  * nghttpx: Write API request body in temporary file
-  * nghttpx: Increase api-max-request-body
-  * nghttpx: Faster configuration loading with lots of backends
-  * nghttpx: Fix crash with --backend-http-proxy-uri option
-
-- Export PYTHON=/usr/bin/python3 before running configure: allow to
-  build without (complete) python2 in the buildroot. In any case
-  we only ship python3-bindings already.
-
-- Update to version 1.28.0:
-  * lib: Add nghttp2_error_callback2
-  * build: Add deprecation warning when spdylay support is enabled
-  * Switch to clang-format-5.0
-  * examples: Make client and server work with libevent-2.1.8
-  * third-party: Update neverbleed
-  * integration: Fix issues reported by the go vet tool.
-  * nghttpx: Fix affinity retry
-  * nghttpx: Fix stalled backend connection on retry
-  * nghttpx: Cookie based session affinity
-  * nghttpx: Expose additional TLS related variables to mruby and
-    accesslog
-
-- Drop forgotten python2 build dependency
-
-- Update to version 1.27.0:
-  * h2load: Print out h2 header fields with --verbose option
-  * nghttpx: Send non-final response to HTTP/1.1 or HTTP/2 client
-    only
-- Changes for version 1.26.0:
-  * docs: Fix some typos in the nghttpx how-to
-  * h2load: Fix bug that timing script stalls with -m1
-  * h2load: Reservoir sampling (GH-984)
-  * h2load: Add timing-based load-testing in h2load
-- Switch to python3 support
-
-- Don't use jemalloc on ppc or %arm, where it is broken.
-
-- Update to version 1.25.0:
-  * lib: add nghttp2_rcbuf_is_static() (Patch from Anna Henningsen) (GH-983)
-  * nghttpx: Fix bug that forwarded for is not affected by proxy protocol (GH-979)
-  * nghttpx: Update mruby to 1.3.0 (GH-957)
-
-- Drop doc building
-- Rename python subpackage to python2
-
-- Update to version 1.24.0:
-  * doc: README.rst: fix typo (Patch from Simone Basso) (GH-947)
-  * doc: fix up grammar in submit_trailer docs (Patch from Benjamin Peterson) (GH-945)
-  * doc: fix cleaning in out-of-tree builds (Patch from Benjamin Peterson) (GH-938)
-  * nghttp: Fix bug that upgrade fails if reason-phrase is missing (GH-949)
-  * nghttpx: Verify OCSP response using trusted CA certificates (GH-943)
-  * nghttpx: Set default minimum TLS version to TLSv1.2 (GH-937)
-- Changes for version 1.23.1:
-  * nghttpx: Fix crash in OCSP response verification
-- Changes for version 1.23.0:
-  * lib: nghttp2_session: Allow for compiling library with -DNDEBUG set (Patch from Angus Gratton) (GH-919)
-  * lib: Treat incoming invalid regular header field as stream error (GH-900)
-  * lib: Call nghttp2_on_invalid_frame_callback if altsvc validation fails (GH-904)
-  * doc: spelling mistake in arguments to build nghttp apps (Patch from Soham Sinha) (GH-925)
-  * doc: Add notes for installation on linux systems (Patch from Tapanito) (GH-917)
-  * doc: Clarify the effect of nghttp2_option_set_no_http_messaging
-  * nghttpx: Verify OCSP response (GH-929)
-  * nghttpx: Fix certificate selection based on pub key algorithm (GH-924)
-  * nghttpx: Fix certificate indexing bug
-  * nghttpx: Run OCSP at startup (GH-922)
-  * nghttpx: Wildcard path matching (GH-914)
-  * nghttpx: Forward multiple via, xff, and xfp header fields (GH-903)
-  * nghttp: Add -y, --no-verify-peer option to suppress peer verify warn (GH-906)
-
-- Update to version 1.22.0:
-  * lib: Add missing free call on error in inflight_settings_new() (Patch from lstefani) (GH-884)
-  * asio: Support specifying stream priority via session::submit() (Patch from Matt Way) (GH-881)
-  * nghttpx: Clarify --conf option behaviour
-  * nghttpx: Add $tls_sni access log variable (GH-896)
-  * nghttpx: Rename ssl_* log variables as tls_* (GH-895)
-  * nghttpx: Fix path matching bug (GH-894)
-  * nghttpx: SNI based backend server selection (GH-892)
-  * nghttpx: Enable signed_certificate_timestamp extension for TLSv1.3 (GH-878)
-  * nghttpx: Add options for X-Forwarded-Proto header field (GH-872)
-  * nghttpx: Add --single-process option (GH-869)
-  * nghttpx: Use 502 as server error code
-  * nghttpx: Use SSL_CTX_set_early_data_enabled with boringssl
-  * nghttp: Verify server certificate and show warning if it fails (GH-870)
-  * integration: Use nip.io instead of xip.io
-
-- Update to version 1.21.1:
-  * asio: Fix crash if connect takes longer time than ping interval (GH-866)
-  * nghttpx: Fix bug that 204 from h1 backend is always treated as error (GH-871)
-- Changes for version 1.21.0:
-  * lib: Fix nghttp2_session_want_write (GH-832)
-  * doc: Document pkg-config path usage
-  * build: Eliminate U macro; Instead use (void)VAR for better compiler compatibility.
-  * src: BoringSSL supports SSL_CTX_set_{min,max}_proto_version. (Patch from Piotr Sikora) (GH-853)
-  * src: Use Mozilla's "Modern compatibility" ciphers by default
-  * src: nghttp2_gzip: fix this statement may fall through [-Werror=implicit-fallthrough=] found by gcc7 (Patch from Alexis La Goutte) (GH-823)
-  * nghttpx: Print version number with -v option
-  * nghttpx: Enable X25519 with boringssl
-  * nghttpx: Retry getaddrinfo without AI_ADDRCONFIG (GH-858)
-  * nghttpx: Failing to listen on server socket is fatal error
-  * nghttpx: Escape certain characters in access log (GH-856)
-  * nghttpx: Ignore further input if connection is going to close
-  * nghttpx: Don't call functions which are not async-signal-safe after fork but before execv in multithreaded process.
-  * nghttpx: Enable backend pattern matching with http2-proxy (GH-733)
-  * asio: client: Send PING after 30 seconds idle (GH-847)
-
-- Update to version 1.20.0:
-  * lib: nghttp2_session: fix The 'then' statement is equivalent to the subsequent code fragment found by PVS Studio (V523) (Patch from Alexis La Goutte) (GH-814)
-  * lib: Add nghttp2_option_set_no_closed_streams (GH-810)
-  * build: Disable spdylay detection by default
-  * build: Add --with-systemd option to configure
-  * fuzz: Add fuzzer for oss-fuzz (GH-799)
-  * src: Enable TLSv1.3 if it is supported by OpenSSL (or BoringSSL) (GH-816)
-  * src: h2 requires >= TLSv1.2
-  * asio: More graceful stop of nghttp2::asio_http2::server::http2 (Patch from Amir Pakdel) (GH-805)
-  * asio: Holding more shared_ptrs instead of raw ptrs to make sure called objects don't get deleted. (Patch from clemahieu)
-  * asio: Fix infinite loop in acceptor handler (Patch from clemahieu) (GH-794)
-  * asio: close_stream erases from streams_ while it's being iterated over. (Patch from clemahieu) (GH-795)
-  * nghttpx: Strip version number from server header field
-  * nghttpx: Add --single-worker option
-  * nghttpx: Fix bug that send_reply does not participate graceful shutdown
-  * nghttpx: Add --frontend-max-requests option
-  * nghttpx: Enable stream-write-timeout by default
-  * nghttpx: Fix stream write timer handling
-  * nghttpx: Add configrevision API endpoint (GH-820)
-  * nghttpx: Redirect to HTTPS URI with redirect-if-not-tls parameter (GH-819)
-  * nghttpx: Update log time stamp in millisecond interval
-  * nghttpx: Better error message when private key and certificate are missing
-  * nghttpx: Fix bug that old config is used during reloading configuration
-  * nghttpx: Specify TLS protocol by version range (GH-809)
-  * nghttpx: Send SIGQUIT to the original master process (GH-807)
-  * nghttpx: Restrict HTTP major and minor in 0 or 1
-  * nghttpx: Drop privilege of neverbleed daemon first
-  * nghttpx: add systemd support (Patch from Tomasz Torcz) (GH-802)
-  * nghttpx: Fix crash on SIGHUP with multi thread configuration (GH-801)
-  * nghttpx: Send 1xx non-final response using mruby script (GH-800)
-  * nghttpx: Select certificate by client's supported signature algorithm (GH-792)
-  * nghttpx: Recommend POST for backendconfig API request
-  * nghttpx: Don't build PSK features with LibreSSL (Patch from Bernard Spil) (GH-789)
-  * nghttp: add support for link rel="preload" for --get-assets (Patch from Benedikt Christoph Wolters) (GH-791)
-  * h2load: Fix wrong req_stat updates
-  * h2load: Explicitly count the number of requests left and inflight
-  * integration: Fix deprecation warnings
-  * integration: Redirect nghttpx stdout/stderr to test driver's stdout/stderr
-- Changes for version 1.19.0:
-  * lib: Fix memory leak of nghttp2_stream object in server side nghttp2_session object
-  * Fix issues found by PVS Studio (Patch from Alexis La Goutte) (GH-769)
-  * doc: Update README file to write about the issue of Alpine Linux's inability to replace malloc (Patch from makovich) (GH-768)
-  * build: Compile with Android NDK r13b using clang
-  * src: Fix assertion error with boringssl
-  * nghttp: Take into account scheme and port when parsing HTML links
-  * nghttp: Fix authority for --get-assets if IP address is used in conjunction with user-defined :authority header (Patch from Benedikt Christoph Wolters) (GH-783)
-  * nghttpx: Add --accesslog-write-early option (GH-777)
-  * nghttpx: Fix access.log timestamp (GH-778)
-  * nghttpx: Show default cipher list in -h
-  * nghttpx: Add client-ciphers option
-  * nghttpx: Add client-no-http2-cipher-black-list option
-  * nghttpx: Fix the bug that no-http2-cipher-black-list does not work on backend HTTP/2 connections.
-  * nghttpx: Add --client-psk-secret option to enable PSK in backend (GH-612)
-  * nghttpx: Add --psk-secret option to enable PSK in frontend connection (GH-612)
-  * nghttpx: Enable SCT with OpenSSL 1.1.0
-  * nghttpx: Add proxyproto to frontend option to accept PROXY protocol (GH-765)
-  * h2load: Show default cipher list in -h
-  * h2load: Show custom server temp key such as X25519
-  * h2load: Fix incorrect return value from spdylay_send_callback
-- Changes for version 1.18.1:
-  * nghttpx: Fix assertion error in libev ev_io_start (GH-759)
-  * nghttpx: Handle c-ares success without result
-  * nghttpx: Fix bug that DNS timeout was erroneously disabled (GH-763)
-  * nghttpx: Fix bug that DNS timeout was ignored (GH-763)
-
-- use individual libboost-*-devel packages instead of boost-devel
-
-- Update to version 1.18.0:
-  * lib: Accept and ignore content-length: 0 in 204 response for now
-  * build: Use pkg-config to detect libxml2
-  * build: Require c-ares to compile applications under src
-  * build: Add Windows CI via AppVeyor (Patch from Alexis La Goutte)
-  * examples: Delete tiny-nghttpd
-  * nghttpx: Retry h1 backend request if first write fails (GH-757)
-  * nghttpx: Keep reading after backend write failed (GH-756)
-  * nghttpx: Add frontend-keep-alive-timeout option (GH-755)
-  * nghttpx: New error log format (GH-749)
-  * nghttpx: Fix bug that fetch-ocsp-response does not work with OpenSSL 1.1.0 (GH-742)
-  * nghttpx: Backend API call allows non-numeric host with dns parameter (GH-731)
-  * nghttpx: Lookup backend host name dynamically (GH-721)
-  * nghttpx: Accept and ignore content-length: 0 in 204 response for now (GH-735)
-  * nghttpx: Wait for child process to exit
-
-- Update to version 1.17.0:
-  * lib: Disallow content-length in 1xx, 204, or 200 to a CONNECT request (GH-722)
-  * lib: Avoid memcpy against NULL src
-  * build: MSVC version resource support (Patch from Remo E) (GH-718)
-  * asio: server: Call on_close callback on connection close (GH-729)
-  * nghttpx: Fix frequent crash with --backend-http-proxy-uri
-  * nghttpx: Robust backend read timeout
-  * nghttpx: Fix bug that mishandles response header from h1 backend
-  * nghttpx: Fix bug that zero-length POST is not forwarded (GH-726)
-  * nghttpx: Remove optional reason-phrase from SPDY :status
-  * nghttpx: Header key and value must be string in mruby script
-  * nghttpx: Strip content-length with 204 or 200 to CONNECT in mruby (GH-722)
-  * nghttpx: Strict handling for Content-Length or Transfer-Encoding in h1 (GH-722)
-  * nghttpx: Fix compilation with BoringSSL (Patch from dalf) (GH-717)
-  * nghttpd, nghttpx, asio: Add missing mandatory SP after status code
-
-- Update to version 1.16.1:
-  * lib: Prevent undefined behavior in decode_length
-  * nghttpx: Fix bug which may crash nghttpx if non-final response
-    is forwarded from origin server to HTTP/1.1 client
-- Changes for version 1.16.0:
-  * lib: Add nghttp2_set_debug_vprintf_callback to take advantage
-    of DEBUGF statements in when building DEBUGBUILD.
-  * Update .clang-format for clang-format-3.9
-  * build: Make it possible to include nghttp2/CMakeLists.txt in
-    another project using add_subdirectory.
-  * third-party: Update http-parser to
-    feae95a3a69f111bc1897b9048d9acbc290992f9
-  * asio: Fix crash when end() is called outside nghttp2 callback
-  * nghttpx: Add --backend-connect-timeout option
-  * nghttpx: Add TLS signed_certificate_timestamp extension support
-  * nghttpx: Add --ecdh-curves option to specify list of named
-    curves
-  * h2load: Add --header-table-size and --encoder-header-table-size
-    options
-
-- Update to version 1.15.0:
-  * lib: Add nghttp2_option_set_max_deflate_dynamic_table_size()
-    API function (GH-684)
-  * lib: Allow NGHTTP2_ERR_PAUSE from
-    nghttp2_data_source_read_callback (GH-671)
-  * lib: Add nghttp2_session_get_hd_deflate_dynamic_table_size()
-    and nghttp2_session_get_hd_inflate_dynamic_table_size() API
-    functions to get current HPACK dynamic table size (GH-664)
-  * lib: Add nghttp2_session_get_local_settings() API function
-  * lib: Add nghttp2_session_get_local_window_size() and
-    nghttp2_session_get_stream_local_window_size() API functions
-  * build: Add -lsocket -lnsl to APPLDFLAGS for solaris build
-  * neverbleed: Update neverbleed to support ECDSA certificate
-  * doc: Mention --enable-lib-only configure option in README
-  * integration: Fix test failure with go1.7.1
-  * src: Fix compile error with openssl 1.1.0
-  * nghttpx: Improve performance with HTTP/1.1 backend when
-    request body is involved
-  * nghttpx: Use std::atomic_* overloads for std::shared_ptr if
-    available
-  * nghttpx: Migrate backend stream to another h2 session on
-    graceful shutdown
-  * nghttpx: Add option to specify HPACK encoder/decoder dynamic
-    table size
-  * nghttpx: Log client address
-  * nghttpx: Add tls_sni to mruby Nghttpx::Env class
-  * nghttpx: Add --frontend-http2-window-size option, and its
-    family functions
-  * nghttpx: Add experimental TCP optimization for h2 frontend
-  * nghttpx: Workaround for std::make_shared bug in Xcode7, 7.1,
-    and 7.2 (GH-670)
-  * nghttpx: Fix bug that bytes are doubly counted to rate limit
-    for TLS connections
-  * nghttpx: Add --no-server-rewrite option not to rewrite server
-    header field (GH-667)
-  * nghttpx: Retry if backend h1 connection cannot be established
-    due to timeout
-  * nghttpx: Reset stream if invalid header field is received in h2
-  * nghttpx: Add --server-name option to change server response
-    header field (GH-667)
-  * nghttpd: Add --encoder-header-table-size option
-  * nghttp: Add --encoder-header-table-size option
-  * python: Support ALPN, require Python 3.5
-
-- Update to version 1.14.0:
-  * lib: Make emit_header() return void since it always succeeds
-  * lib: Add nghttp2_hd_deflate_hd_vec() deflate API to support
-    multiple buffer input
-  * lib: since hd_inflate_commit_indexed() always returns 0,
-    remove the return value check in nghttp2_hd_inflate_hd_nv()
-  * lib: Use memeq() instead of lstreq() in lookup_token()
-  * lib: More strict stream state handling
-  * lib: Modify genlibtokenlookup.py to remove redundant header
-    comparisons and remove inline qualifier of lookup_token()
-    in genlibtokenlookup.py
-  * lib: Fix wrong tree operation to avoid cycle
-  * lib: Make get_max_index() return the max index in frame,
-    so we don't need to do extra calculation
-  * lib: Add nghttp2_on_invalid_header_callback
-  * lib: Log frame's stream ID for header debug logging
-  * doc: Remove old doc about differential encoding in HPACK
-  * doc: Document about ALPN in nghttpx howto
-  * nghttpx: Log error code from getsockopt(SO_ERROR) on first
-    write event
-  * nghttpx: Don't change pushed stream's priority
-  * nghttpx: Log backend connection failure in WARN level
-  * nghttpx: Fix bug that api and healthmon parameters do not work
-    with http2 proxy
-  * nghttpx: Add access log variable for backend host and port
-  * nghttpx: Use copy instead of const reference of backend group
-  * nghttpx: Reload configuration with SIGHUP
-  * nghttp: Adjust weight according to Firefox stable
-  * nghttp: Call error callback when invalid header field is
-    received and ignored
-  * nghttp: Allow multiple -p option
-  * deflatehd: Call nghttp2_hd_deflate_change_table_size only
-    if table size is changed from default
-
-- Update to version 1.13.0:
-  * lib: Cancel non-DATA frame transmission from
-    nghttp2_before_frame_send_callback
-  * doc: Fix warning with Sphinx 1.4
-  * build: Work with Android NDK r12b
-  * nghttpx: Use consistent hashing for client IP based session
-    affinity
-  * nghttpx: Fix FTBFS on armel by explicitly including the header
-  * nghttpx: Cast to double to fix build with gcc 4.8 on Solaris 11
-  * nghttpx: Fix build error with libressl
-  * examples: Fix compile error with OpenSSL v1.1.0-beta2
-
-- Update to version 1.12.0:
-  * Add nghttp2_session_set_local_window_size API function
-  * Add nghttp2_option_set_max_send_header_block_length API
-    function (GH-613)
-  * Fix warning: declaration of 'free' shadows a global declaration
-    (Patch from Alexis La Goutte)
-  * examples: Add ALPN support to tutorial client/server (GH-614)
-  * nghttpx: Reduce TTFB with large number of incoming connections
-  * nghttpx: Rewrite read timer handling
-  * nghttpx: Clean up neverbleed AF_UNIX socket
-  * nghttpx: Add --backend-max-backoff option
-  * nghttpx: Use 16KiB buffer for reading to match TLS record size
-  * nghttpx: Add healthmon parameter to -f option to enable health
-    monitor mode
-  * nghttpx: Receive reference of std::mt19937, not making a copy
-  * nghttpx: Fix bug that backend never return to online (GH-615)
-  * nghttpx: Implement client IP based session affinity
-  * nghttpx: Add --api-max-request-body option to set maximum API
-    request body size
-  * nghttpx: Add api parameter to --frontend option to mark API
-    endpoint
-  * h2load: Add content-length header field for HTTP/2 and SPDY as
-    well
-  * h2load: Implement HTTP/1 upload (GH-611)
-
-- Update to 1.11.1
-  * lib: Add nghttp2_hd_inflate_hd2() and deprecate
-    nghttp2_hd_inflate_hd()
-  * lib: Avoid 0-length DATA if NGHTTP2_DATA_FLAG_NO_END_STREAM is set
-  * lib: Fix bug that PING flags are ignored in nghttp2_submit_ping
-  * integration: Workaround runtime error: cgo argument has Go pointer
-    to Go pointer
-  * nghttp: Eliminate zero length DATA frame at the end if possible
-  * nghttpd: Set content-length in status response
-  * nghttpx: Add sni keyword to --backend option
-  * nghttpx: Allow mixed protocol and TLS settings among backends under
-    same pattern
-  * nghttpx: Don't add 0-length DATA when response HEADERS bears
-    END_STREAM flag
-  * nghttpx: Don't add chunked encoded response body for HEAD request
-  * nghttpx: Don't use CN if we have dNSName or iPAddress field
-  * nghttpx: Just call execv instead of execve to pass environ
-  * nghttpx: Make SETTINGS timeout value configurable
-  * nghttpx: Save PID file after it is ready to accept connections
-  * nghttpx: Treat backend failure if SETTINGS is not received within
-    timeout
-  * nghttpx: Wait for SETTINGS ACK to make sure that backend h2 server
-    is alive
-
-- Update to 1.10.0
-  * Pass unknown SETTINGS values to nghttp2_on_frame_recv_callback
-  * Add ALTSVC frame support
-  * Run error callback when peer does not send initial SETTINGS
-    frame
-  * Update http-parser
-  * Update sphinx_rtd_theme
-  * nghttp: add an --expect-continue option
-  * nghttpx: Fix downstream connect callback called early
-  * nghttpx: Truncate too long -b option signature
-  * nghttpx: Fix bug that server push from mruby script did not
-    work
-  * nghttpx: Try next HTTP/1 backend address when connection
-    cannot be made
-  * nghttpx: Retry next HTTP/2 backend address when connection
-    cannot be made
-  * nghttpx: Enable link header field based push for non-final
-    response
-  * nghttpx: Detect online/offline state of backend servers
-  * nghttpx: Better load balancing between backend HTTP/2 servers
-  * nghttpx: Fix crash with backend failure
-
-- Update to 1.9.2
-  * nghttpx: Fix crash with backend failure
-  * nghttpx: Better distribute load to backend h2 servers
-  * nghttpx: Fix error messages on deprecated mode
-  * nghttpx: Fix bug that logger wrote string which was not
-    NULL-terminated
-  * nghttpx: Fix bug that proxy with HTTP/1.1 CONNECT did not work
-
-- Update to 1.9.1
-  * nghttpx: Fix bug that backend tls keyword did not work with -s
-    option
-  * nghttpx: Fix handing stream after connection check was failed
-- Changes for 1.9.0
-  * lib: Add nghttp2_error_callback to tell application human
-    readable error message
-  * lib: Reference counted HPACK name/value pair, adding
-    nghttp2_on_header_callback2
-  * lib: Add nghttp2_option_set_no_auto_ping_ack() option
-  * lib: Add nghttp2_http2_strerror() to return HTTP/2 error code
-    string
-  * build: Makefile.msvc enhancements (Patch from Jan-E)
-  * build: Lower libev version requirement (Patch from Peter Wu)
-  * build: cmake build support (Patch from Peter Wu)
-  * asio: Fix bug that server event loop breaks with exception
-  * integration: Disable tests that sometimes break randomly on
-    travis
-  * integration: do not use recursive target (Patch from Peter Wu)
-  * h2load: Fix bug that it did not try to connect to server again
-  * h2load: Fix bug that initial max concurrent streams was too
-    large
-  * nghttpx: Memcached connection encryption with tls keyword
-  * nghttpx: Enable/disable TLS per frontend address
-  * nghttpx: Configure TLS per backend routing pattern
-  * nghttpx: Workaround for Ubuntu 15.04 which does not
-    value-initialize on std::make_shared.
-  * nghttpx: Add --error-page option to set custom error pages
-  * nghttpx: Add wildcard host routing
-  * nghttpx: Change read timeout reset timing
-  * nghttpx: Don't push if Link header field includes nopush
-  * nghttpx: Deprecate backend-http1-connections-per-host in favor
-    of backend-connections-per-host
-  * nghttpx: Restructure mode settings, removing --http2-bridge,
-    --client, and --client-proxy options
-  * nghttpx: Deprecate backend-http1-connections-per-frontend in
-    favor of backend-connections-per-frontend
-  * nghttpx: Don't share session which is already in draining
-    state
-  * nghttpx: Effectively disable backend HTTP/2 connection flow
-    control
-  * nghttpx: Add --frontend-http2-max-concurrent-streams and
-    --backend-http2-max-concurrent-streams, and deprecate
-    --http2-max-concurrent-streams option
-  * nghttpx: Deprecate --backend-http2-connections-per-worker
-    option
-  * nghttpx: Share TLS session cache between HTTP/2 and HTTP/1
-    backend
-  * nghttpx: Rewrite backend HTTP/2 connection coalesce strategy
-
-- Update to 1.8.0
-  * Add Architecture documents (work in progress)
-  * List all contributors in AUTHORS
-  * doc: fix out-of-tree doc builds (Patch from Peter Wu)
-  * Wrap AM_PATH_XML2 by m4_ifdef to handle the case when
-    _PATH_XML2 is not found
-  * Fix configure script for non-gcc, clang build
-  * Document compiling apps and include h2load in configure (Patch
-    from David Beitey)
-  * Don't check for dlopen/libdl on *BSD (Patch from Bernard Spil)
-  * Don't taint CXXFLAGS from AX_CXX_COMPILE_STDCXX_11
-  * Fixing Windows Makefile version detection (Patch from Reza
-    Tavakoli)
-  * lib: Tokenize extra HTTP header fields
-  * lib: Fix typo in HAVE_CONFIG_H name (Patch from Peter Wu)
-  * lib: Add HTTP/2 extension framework to send and receive
-    non-critical frames
-  * tests: remove unused macros (Patch from Peter Wu)
-  * src: Update default cipher list
-  * src: Fix compile error with gcc-6 which enables C++14 by default
-  * asio: client: Fix connect timeout does not work, return from cb
-    if session stopped, removing client::session::connect_timeout()
-    function
-  * nghttpd: Start SETTINGS timer after it is written to output
-    buffer
-  * nghttpd: Add trailer header field to status responses
-  * nghttpd: Add -w and -W options to change window size
-  * nghttpx: Worker wide blocker which is used when socket(2) is
-    failed
-  * nghttpx: ConnectBlocker per backend address
-  * nghttpx: Interleave text/html pushed resources with associated
-    resource
-  * nghttpx: Add headers given in add-response-headers for mruby
-    response
-  * nghttpx: Deprecate --backend-ipv4 and --backend-ipv6 in favor
-    of --backend-address-family
-  * nghttpx: Add options to specify address family of memcached
-    connections
-  * nghttpx: Add encryption support for TLS ticket key retrieval
-  * nghttpx: Add TLS support for session cache memcached connection
-  * nghttpx: Refactor blacklisted cipher suite check (Patch from
-    Jay Satiro)
-  * nghttpx: Add TLS support for HTTP/1 backend
-  * nghttpx: Add request-header-field-buffer and
-    max-request-header-fields options, deprecating
-    header-field-buffer and max-header-fields options.
-  * nghttpx: Add --no-http2-cipher-black-list to allow black listed
-    cipher suite
-  * nghttpx: Limit header fields from backend
-  * nghttpx: Fix bug that IPv6 address in Forwarded "for" is not
-    quoted-string
-  * nghttpx: Support multiple frontend addresses
-  * integration-tests: support out-of-tree tests (Patch from Peter
-    Wu)
-  * examples: fix compile warnings (Patch from Peter Wu)
-- Drop upstreamed nghttp2-c++14.patch
-
-- Update to 1.7.1
-  * Fix CVE-2016-1544 (boo#966514)
-
-- Add nghttp2-c++14.patch to properly guard make_unique templates.
-  [bsc#964140]
-
-- Update to 1.7.0
-  * Reset (RST_STREAM) stream if flow control window gets overflow
-  * Validate :authority, host, and :scheme value more strictly
-  * Check request/response submission error based side of session
-  * Strict outgoing idle stream detection
-  * Return error from nghttp2_submit_{headers,request} when self
-    dependency is made
-  * Add -ldl to APPLDFLAGS for static openssl linking
-  * asio: Stop acceptor on server::http2::stop
-  * asio: Rename http2::get_io_services() as http2::io_services()
-  * h2load: Support UNIX domain socket
-  * h2load: Improve readability of traffic numbers
-  * h2load: Remove "auto" for -m option
-  * h2load: Show progress in rate mode
-  * h2load: Perform sampling for request and connection timings to
-    reduce memory consumption
-  * nghttpd: Add --no-content-length option to omit content-length
-    in response
-  * nghttpx: Interleave pushed streams with the associated stream
-    if pushed streams are javascript and CSS resources
-  * nghttpx: The initial value of request/response buffer is
-    increased to 128K
-  * nghttpx: Fix bug that --listener-disable-timeout option is not
-    used
-  * nghttpx: Don't emit :authority if request does not contain
-    authority information
-  * nghttpx: Add clarification of quotes in configuration file
-  * nghttpx: Don't allow certain characters in host and :scheme
-    header field
-  * nghttpx: Add RFC 7239 Forwarded header field support
-  * nghttpx: Fix crash when running on IPv6 only (Patch from Vernon
-    Tang)
-  * nghttpx: Take into account of trailers when applying
-    max_header_fields
-  * nghttpx: Don't apply max_header_fields and header_field_buffer
-    limit to response
-  * nghttpx: Strict validation for header fields given in
-    configuration
-  * nghttpx: header value should not be lower-cased (Patch from
-    ayanamist)
-
-- fixed typo in libnghttp2_asio1 [bsc#962914]
-
-- Update to 1.6.0
-  * Fix heap-use-after-free bug when handling idle streams
-  * Strict error handling for frames which are not allowed after
-    closed (remote)
-  * Set max number of outgoing concurrent streams to 100 by
-    default
-  * Keep incoming streams only at server side
-  * Create stream object for pushed resource during
-    nghttp2_submit_push_promise()
-  * Add nghttp2_session_create_idle_stream() API
-  * Handle response in nghttp2_on_begin_frame_callback
-  * Add --lib-only configure option
-  * Compile with OpenSSL 1.1.0-pre1
-  * Fix build when OpenSSL 1.0.2 is not available (patch from
-    Sunpoet Po-Chuan Hsieh)
-  * asio: Add connect and read timeout to client API
-  * asio: Add TLS handshake and read timeout to server API
-  * asio: Added access to a requests remote endpoint (patch from
-    Andreas Pohl)
-  * asio: libnghttp2_asio: Added io_service accessors (patch from
-    Andreas Pohl)
-  * h2load: Add req/s min, max, mean and sd for clients
-  * h2load: Fix broken connection times
-
-- Update to 1.5.0
-  * Fix bug that nghttp2_session_find_stream(session, 0) returned
-  NULL
-  * Add nghttp2_session_change_stream_priority() to change stream
-  priority without sending PRIORITY frame
-  * Add nghttp2_session_check_server_session() API
-  * Consider to use CANCEL error code when closing streams with
-  GOAWAY
-  * Don't send push response if GOAWAY has been received
-  * Use error code CANCEL to reset pushed reserved stream from
-  remote
-  * Add nghttp2_session_upgrade2(), deprecate
-  nghttp2_session_upgrade()
-  * Workaround HTTP upgrade with HEAD request in
-  nghttp2_session_upgrade()
-  * Introduce NGHTTP2_NV_FLAG_NO_COPY_NAME and
-  NGHTTP2_NV_FLAG_NO_COPY_VALUE
-  * Add nghttp2_session_check_request_allowed() API function
-  * Switch to clang-format-3.6
-  * Update mruby to 1.2.0
-  * tests: fix broken linkage with --disable-static (Patch from
-  Kamil Dudka)
-  * python: Send RST_STREAM if remote side is not closed and
-  response finished
-  * asio: client: call on_error when connection is dropped
-  * asio: ALPN support
-  * h2load: Add --h1 option to force http/1.1 for both http and
-  https URI
-  * h2load: Fix crash when dealing with "connection: close" from
-  HTTP/1.1 server
-  * h2load: h2load goes into infinite loop when timing script file
-  starts with 0.0 in first line (Patch from Kit Chan)
-  * h2load: Override user-agent with -H option
-  * h2load: Print "space savings" to measure header compression
-  efficiency
-  * h2load: Stream error should be counted toward errored
-  * h2load: Show application protocol with OpenSSL < 1.0.2
-  * nghttpx: Don't send RST_STREAM to h2 backend if backend is
-  disconnected state
-  * nghttpx: Support server push from HTTP/2 backend
-  * nghttpx: Fix bug that causes connection failure with backend
-  proxy URI
-  * nghttpx: Use --backend-tls-sni-field to verify certificate
-  hostname
-  * nghttpx: Log :authority as $http_host if available
-  * nghttpd: Fix crash with CONNECT request
-  * nghttpd: Deferred eviction of cached fd using timer
-  * nghttpd: Read /etc/mime.types to set content-type header field
-  * nghttp: Record request method to output it in har correctly
-  * nghttp: Use method given in -H with ":method" in HTTP Upgrade
-- Drop nghttp2-1.4.0-fix-tests.patch (now in upstream)
-
-- Enable spdy and more example applications
-
-- Update to 1.4.0:
-  * lib: Don't always expect dynamic table size update.
-  * lib: Shrink to the minimum table size seen in local SETTINGS.
-  * lib: Add new error code NGHTTP2_ERR_PAUSE to send_data_callback.
-  * lib: Avoid excessive WINDOW_UPDATE queuing.
-  * lib: Return fatal error if flooding is detected to close
-    session immediately.
-  * lib: Return type of nghttp2_submit_trailer is int.
-  * lib: Don't send WINDOW_UPDATE with 0 increment.
-  * lib: Fix bug that headers in CONTINUATION were ignored after
-    HEADERS with padding.
-  * package: Use -fvisibility=hidden for internal functions.
-  * package: Show more information in configure summary.
-  * package: Add PIDFile directive to systemd service.
-  * package: Fix daemon upgrade when running under systemd.
-  * app: Compile with BoringSSL.
-  * nghttp: Allow multiple -c option occurrence, and take min and
-    last value.
-  * nghttpd: Fix leak when server failed to listen to given port.
-  * nghttpx: Add TLS dynamic record size behaviour command line
-    options.
-  * nghttpx: Reduce default timeouts for read sockets to 1m.
-  * nghttpx: Fix bug that PUT is replaced with POST.
-  * nghttpx: Change mruby script handling.
-  * nghttpx: Added support for RFC 7413 (TCP Fast Open) on nghttpx
-    proxy listening connections.
-  * nghttpx: Add neverbleed support.
-  * h2load: Don't DOS our server!
-  * h2load: Use duration syntax for timeouts.
-  * h2load: Support subsecond rate period.
-  * h2load: Simplify rate mode.
-  * h2load: Add option for user-definable rate period.
-  * h2load: Reuse SSL/TLS session.
-  * h2load: Reconnect server on connection: close.
-  * h2load: Don't exit in the case of no ALPN protocol overlap.
-  * integration: Update go's http2 package URI.
-- Add missing baselibs.conf.
-- Add nghttp2-1.4.0-fix-tests.patch from commit 4825009.
-- Small spec cleanup.
-
-- Update to 1.3.4
-  * Make traditional init script fail if new config file is broken
-    (Patch from Janusz Dziemidowicz)
-  * nghttpx-logrotate: Don't use killall since we have multiple
-    processes
-  * nghttpx: Fix improper signal handling
-- Changes for 1.3.3
-  * Fix bug in padding handling of DATA frame
-  * Use hash table for dynamic table lookup
-  * More warning flags for --enable-werror
-  * Update mruby
-  * h2load: HTTP/1.1 support (Patch from Lucas Pardue)
-  * nghttpx: Do not try to set TCP_NODELAY when frontend is an
-    UNIX socket (Patch from Janusz Dziemidowicz)
-  * nghttpx: Chown UNIX domain socket to user specified as --user
-  * nghttpx: Split monolithic one process into control and worker
-    processes
-  * nghttpx: Handle SSL/TLS data following PROXY protocol line
-- Changes for 1.3.2
-  * Check header block limit after new stream is opened
-  * nghttp: Show error if HEADERS frame cannot be sent for
-    whatever reason
-  * nghttpx: Fix assertion failure on TLS handshake
-  * nghttpx: Add x-http2-push header field for pushed resource
-  * nghttpx: Fix compile error with --disable-threads
-
-- Update to 1.3.1
-  * Avoid usage of typeof and replace __builtin_offsetof with
-    offsetof
-  * Honor stream->weight even if stream->last_writelen is 0
-  * Compile third-party libraries if hpack-tools is enabled
-  * nghttpx-init: Start nghttpx with --daemon
-  * Bundle sphinxcontrib.rubydomain https://bitbucket.org/birkenfeld/sphinx-contrib/src/default/rubydomain/
-  * Bundle mruby
-  * h2load: Record TTFB on first byte of response body, rather
-    than first socket read
-  * h2load: Improve checking for timing script input, prevent
-    false positive in certain situations
-  * nghttpx: Implement PROXY protocol version 1
-    (--accept-proxy-protocol option)
-  * nghttpx: Allow link header server push for HTTP/2 backend
-    as well
-  * nghttpx: Don't initiate push if client disabled push
-  * nghttpx: Allow absolute URI in Link header field for push
-  * nghttpx: Fix crash with multi workers and QUIT signal
-  * nghttpx: Add mruby support which is disabled by default
-    (use --with-mruby configure option to enable it)
-  * nghttpx: Drop connection before TLS finish if h2 requirement
-    is not fulfilled
-- Fix typo in previous changelog entry
-
-- Update to 1.3.1
-  * Limit the number of incoming reserved (remote) streams
-  * Add stream public API
-  * Rewrite priority tree handling
-  * Fix parallel make distcheck
-  * Define it and itprep recursive target if
-    AM_EXTRA_RECURSIVE_TARGETS is defined
-  * fetch-ocsp-response: Handle spurious openssl exit status 0
-  * nghttpx: Use nghttp2::ssl::DEFAULT_CIPHER_LIST for backend TLS
-    connection
-  * nghttpx: Don't allow black listed cipher suites for HTTP/2
-    connection
-  * nghttpx: better handle /dev/stderr and /dev/stdout (Patch from
-    Tomasz Buchert)
-  * nghttpd: GOAWAY if SSL/TLS requirements for HTTP/2 are not met
-  * nghttpd: Return date header field for 304
-  * nghttpd: Support HEAD request
-  * h2load: Add Timing-script and base URI support (Patch from
-    Lucas Pardue)
-  * h2load: Add timeout options (Patch from Nora)
-- Fix typo in changelog
-
-- Update to 1.2.1
-  * doc: Reword the HPACK tutorial (Patch from Tom Harwood)
-  * nghttpx: Fix stability issues
-  * h2load: Fix crash if -r > -n
-
-- Update to 1.2.0
-  * Fix crash if response or data is submitted to closing stream
-  * Header table size UINT32_MAX must be accepted
-  * Use PROTOCOL_ERROR against DATA sent to idle stream
-  * Allow multiple in-flight SETTINGS
-  * Strictly check occurrence of dynamic table size update
-  * Fix configure warning that 'missing' is missing or too old
-  * Fix rm: cannot remove ‘*.rst’: No such file or directory when
-    "make clean" (Patch from Alexis La Goutte)
-  * doc: Reword some of the server and client tutorial (Patch
-    from Tom Harwood)
-  * src: Remove monotonic_clock replacement macro for gcc-4.6
-  * nghttpx: Add TLS ticket key sharing among nghttpx instances
-    using memcached
-  * nghttpx: Add shared session cache using memcached
-  * nghttpx: Set SSL/TLS session timeout to 12 hours
-  * nghttpx: Enable session resumption on HTTP/2 backend
-  * nghttpx: Don't rewrite host header field by default
-  * nghttpx: Generate new ticket key every 1hr and its life time
-    is now 12hrs
-  * nghttpx: Don't reuse backend connection if it is not clean
-  * nghttpx: Add AES-256-CBC encryption for TLS session ticket
-  * nghttpd: Fix the bug that 304 response has non-empty body
-  * h2load: Add -r and -C options to h2load (Patch from
-    Nora Shoemaker)
-- Changes for 1.1.2
-  * Fix linker error with libnghttp2_asio
-  * Allow custom installation location for Python bindings
-- Drop no longer needed missing_nghttp2_timegm.patch
-
-- Update to 1.1.1
-  * nghttpx: Fix various stability issues and memory leak bug
-- Changes for 1.1.0
-  * Fix DATA is not consumed if nghttp2_http_on_data_chunk failed
-  * nghttp2_submit_response and nghttp2_submit_headers may return
-    NGHTTP2_ERR_DATA_EXIST
-  * msvc build fixes and enhancements (Patch from Gabi Davar)
-  * Compile with IRIX gcc-4.7 (Patch from Klaus Ziegler)
-  * nghttp: Add --max-concurrent-streams option
-  * nghttp: Add comment on HAR on pushed objects (Patch from
-    acesso)
-  * nghttpx: Add --include option to read additional configuration
-    from given file
-  * nghttpx: Add backend routing based on request host and path by
-    extending -b option
-  * nghttpx: Allow log variable to be enclosed by curly braces for
-    disambiguation
-  * nghttpx: Add log variables related to SSL/TLS connection
-  * h2load: Add --ciphers option
-- Add patches
-  * missing_nghttp2_timegm.patch to fix building of asio library
-  * nghttp2-remove-python-build.patch to fix python bindings
-    installation when autotools are used
-
-- Update to 1.0.5
-  * Add STREAM_DEP_DEBUG macro switch to enable runtime validation
-    of dependency tree
-  * Fix another bug in priority handling; sibling's item is not
-    queued when ancestor's item is detached
-  * nghttpx: Fix crash with --http2-bridge and both frontend and
-    backend TLS
-
-- Update to 1.0.4
-  * Fix assertion failure in stream_update_dep_on_detach_item
-    (GH-264)
-- Changes for 1.0.3
-  * Fix bug that idle self-depending PRIORITY is not handled
-    gracefully
-  * Optimize dependency based priority code to Firefox style tree
-  * enable third-party for asio_lib too (Patch from Mike
-    Frysinger)
-  * fetch-ocsp-response: Support LibreSSL, and include port in
-    ocsp_host
-  * src: Support compile with LibreSSL
-  * nghttpx: Fix bug that x-forwarded-proto header field does not
-    reflect frontend scheme on HTTP/2 backend
-  * nghttpx: Validate :path on SPDY frontend
-
-- Update to 1.0.2
-  * Fix bug that data are not consumed for connection in race
-    condition (GH-253)
-  * Define NGHTTP2_EXTERN to __declspec(dllimport) when using
-    nghttp2 for Windows build
-  * Translate fetch-ocsp-response into Python
-  * libevent-client: Fix bug that path is broken if URI does not
-    contain path part
-  * python: Call on_close callback when connection is lost for
-    server session
-  * python: Expose client certificate, if available (Patch from
-    Fabian Wiesel)
-  * python: Catch and log failure to set TCP_NODELAY (Patch from
-    Fabian Wiesel)
-  * nghttpx: Add --add-request-header option
-  * nghttpx: Make WebSocket upgrade work
-  * nghttpx: Fix bug that END_STREAM is not set in backend for
-    POST with Upgrade
-  * nghttpx: Don't send "Expect" header field twice
-
-- Update to 1.0.1
-  * Include stdint.h instead of inttypes.h when compiled with MSVC
-    < 2013
-  * Fix invalid memory free on out-of-memory handling
-  * integration: Use our own copy of golang spdy package
-  * android: Don't link zlib bundled with android NDK
-  * Dockerfile.android: Update NDK ver, and ubuntu; build and link
-    zlib
-  * src, examples: Fix up OpenSSL initialization
-  * nghttpx: Allow HTTP Upgrade from POST request if response
-    header has not been sent to the client
-  * nghttpx: Fix bug that PUSH_PROMISE is sent after associated
-    response HEADERS
-  * nghttpd: Close connection after settings timeout and GOAWAY
-    was sent
-  * h2load: Fix bug that NPN fails if ALPN is enabled
-
-- Update to 1.0.0
-  * v1.0.0 introduced backward incompatible changes from 0.7
-    series. Read https://nghttp2.org/documentation/package_README.html#migration-from-v0-7-15-or-earlier
-    to migrate from older version to this latest version.
-- Changes for 0.7.15
-  * Hopefully, this is the last release for 0.7.x series.
-    Development continues in 1.x series.
-  * Access violation in buffers (GH-232) (Patch from Etienne Cimon)
-  * Retry finding jemalloc lib by je_malloc_stats_print (GH-233)
-  * inflatehd: Fix crash if 'wire' value is not string (GH-235)
-  * nghttpx: Revert 585af93 to fix crash with TLS (GH-234)
-  * nghttpd: Add --echo-upload option to send back request body
-
-- Update to 0.7.14
-  * Fix global-buffer-overflow in HPACK code
-  * Fix doc for nghttp2_select_next_protocol
-  * Fix bug that promised stream was not reset on decompression
-    error
-  * Add systemd and upstart configuration file for nghttpx
-    (Patch from Zhuoyun Wei)
-  * Improve nghttpx logrotate configuration file (Patch from
-    Zhuoyun Wei)
-  * Update sphinx_rtd_theme
-  * h2load: Update h2load to give connect time and ttfb stats
-    (Patch from ericcarlschwartz)
-  * nghttpd: Add -m, --max-concurrent-streams option
-  * nghttpx: Log absolute URI for HTTP/2 or client proxy request
-  * nghttpx: Add --header-field-buffer and --max-header-fields
-    options
-  * nghttp: Fix assertion error if very large value is given to -t
-
-- Update to 0.7.13
-  * Fix bug that promised stream was not reset by returning
-    NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE from
-    nghttp2_on_header_callback. Instead, associated stream was reset.
-  * Allow NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE from
-    nghttp2_on_begin_headers_callback
-  * h2load: Effectively disable flow control by setting large
-    window size
-  * asio: Graceful shutdown and joinable server (Patch from
-    Xiaoguang Sun)
-
-- Update to 0.7.12
-  * Fix bug that nghttp2_session_set_next_stream_id accepts invalid
-    stream_id
-  * HPACK: Rewrite static header table handling
-  * HPACK: Never index authorization and small cookie header field
-  * Don't install libnghttp2_asio headers if they are disabled
-  * doc: Specify program directive so that hyperlink to option is
-    correctly pointed to the intended location
-  * asio: client: Call error_cb on error occurred in do_read and
-    do_write (Fixes GH-207)
-  * nghttp: Add --no-push option to disable server push
-  * nghttp: Show stream ID in statistics output
-  * nghttp: Remove --dep-idle option
-  * nghttp: Use same priority anchor nodes as Firefox does
-  * nghttpx: Don't push resource if link header has non empty
-    loadpolicy
-  * nghttpx: Add logging for somewhat important events (logs,
-    tickets, and ocsp)
-  * nghttpx: Set Downstream to stream user data on HTTP Upgrade
-    to h2
-
-- Update to 0.7.11
-  * nghttpx: Fix waitpid race condition in ocsp response update
-  * nghttp: Consider user-provided :authority header field for SNI
-    as well as host header field
-- Changes for 0.7.10
-  * Make sure that nghttp2 license is MIT license
-  * Add nghttp2_session_consume_{connection,stream} to consume
-    bytes independent
-  * Add nghttp2_send_data_callback to send DATA payload without
-    copying "static inline" fix for build with VS2013 (Patch from
-    Remo E)
-  * Update lib/Makefile.msvc (Patch from Remo E)
-  * Remove dependency on libws2_32 on Windows build
-  * Define NGHTTP2_EXTERN macro to export function for Windows
-    build
-  * doc: Generate API doc per function
-  * python: Add async body generation support
-  * python: Fix pseudo-header field ordering bug
-  * nghttpx: Redirect stderr to errorlog file
-  * nghttpx: Fix bug that data buffered in SSL object are not
-    read
-  * nghttpx: Remove --tls-ctx-per-worker option
-  * nghttpx: Add OCSP stapling feature
-
-- Enable python bindings
-- Update to 0.7.9
-  * Implements h2-14 protocol (http://tools.ietf.org/html/draft-ietf-httpbis-http2-14)
-  * Implements HPACK 09 (http://tools.ietf.org/html/draft-ietf-httpbis-header-compression-09)
-  * h2load: Fix crash if -t > -c
-  * h2load: Add -d option to upload data to server
-  * nghttpx: Forward only "trailers" keyword in te when forwarding HTTP/2 backend
-  * nghttpx: Fix PUSH_PROMISE header field corruption [GH-194]
-  * nghttpx: Fix te header field is duplicated when forwarding HTTP/2 backend
-  * nghttp, nghttpd: Add --hexdump option to hexdump incoming traffic.
-  * examples: Place AM_CPPFLAGS first to use in-package header files first [GH-192]
-- Changes for 0.7.8
-  * Implements h2-14 protocol (http://tools.ietf.org/html/draft-ietf-httpbis-http2-14)
-  * Implements HPACK 09 (http://tools.ietf.org/html/draft-ietf-httpbis-header-compression-09)
-  * Validate :path header field for http or https URI scheme
-  * NULL-terminate header field name and value presented by callback
-  * README.rst: Cleaned up the grammar a bit (Patch from Ross Smith II)
-  * h2load: fix for segfault by reserving correct worker count (Patch from Stefan Eissing)
-
-- Avoid shipping documentation redundantly. Set RPM groups.
-
-- Fix rpm group
-
-- Update to 0.7.5
-  * Implements h2-14 protocol
-    (http://tools.ietf.org/html/draft-ietf-httpbis-http2-14)
-  * Implements HPACK 09
-    (http://tools.ietf.org/html/draft-ietf-httpbis-header-compression-09)
-  * Validate HTTP semantics by default
-  * Add nghttp2_option_set_no_http_messaging() API function
-  * Update http-parser
-  * nghttp, nghttpd, nghttpx: Use "sensitive" to indicate
-    "never indexed" header field
-  * nghttp, nghttpd, nghttpx, h2load: Select/announce h2 in
-    ALPN/NPN
-  * nghttp: Fix unaligned field output in --stat
-  * nghttp: Fix -H does not work with -u upgrade request
-  * nghttp: Update resource timing terminology according to
-    Resource Timing TR
-  * nghttpd: Add -a option which takes an address parameter that
-    allows nghttpd to bind to a non-default address. Patch
-    from Brian Card
-  * nghttpx: Use omit minor version in case of HTTP/2 in via
-    header and access log
-  * nghttpx: Support UNIX domain socket on both frontend and backend
-  * nghttpx: Fix crash in http/1 backend when backend returns more
-    bytes than CL
-  * nghttpx: Cast configuration value to rlim_t to avoid compile
-    error on 32bit
-  * nghttpx: Fix 1 second delay in HTTP/2 backend connection
-  * nghttpx: Fix request re-submission bug in HTTP/2 backend
-  * asio-sv2: Fix compile error with OS X
-
-- Initial packaging of 0.7.4
-
perl-Image-ExifTool
+- Update to 12.54:
+  - Increased precision of Sony FocusDistance2 conversion
+  - Decode a number of new Apple tags (thanks Frank Rupprecht)
+  - Fixed bug writing QuickTime-format files which have a zero-sized mdat (ie.
+    media data extends to end of file) which would cause an incorrect mdat size
+    to be written
+  - Added support for a number of new XMP tags written by ACR 15.1
+  - Added a new Nikon LensID
+  - Decode timed GPS from Lamax S9 dual dashcam MOV videos
+  - Decode a number of new Nikon tags (thanks Warren Hatch)
+  - Decode a couple of new Canon tags (thanks John Moyer)
+  - Decode FujiFilm BWMagentaGreen tag
+  - Enable block-write of EXIF to JXL files
+  - Accept values of "now" and "Z" when writing EXIF OffsetTime tags
+  - Changed priority of XMP when reading/writing HEIC files so that it is no
+    longer preferred as with other QuickTime-based formats
+  - Changed family 1 group name of Canon DR4 tags from CanonVRD to CanonDR4 to
+    allow newer tags to be differentiated from older ones.  The family 0 group
+    name for both remains CanonVRD
+  - Patched to recognize JXL EXIF box with non-zero header length
+  - Patched to avoid runtime error when writing a PDF with an Info dictionary
+    which was stored incorrectly as a direct object
+  - Fixed problem writing EXIF to JXL images where a new EXIF box was created
+    even if one previously existed
+
+- Update to 12.52:
+  - Added a few new Nikon LensID's (thanks LibRaw and Chris)
+  - Added Slovak translations (thanks Peter Bagin)
+  - Made SphericalVideoXML readable/writable as a block
+  - Improved handling of Matroska metadata tags, including language support
+  - Improved French translations (thanks Philippe Bonnaure of GraphicConverter)
+  - Improved Composite:GPSAltitude conversion to honour -lang setting
+  - Improved -v2 messages to indicate files extracted from zip archives
+  - Added a new Olympus LensType (thanks Herb)
+  - Extract C2PA JUMBF metadata from PNG images and extract C2PA Salt values
+  - Decode NikonSettings for Z9 firmware 3.0 (thanks Warren Hatch)
+  - Decode additional camm metadata from Insta360 Pro2 MP4 videos
+  - Improved Verbose output when writing Composite tags to add a "+" sign to
+    indicate related tags that are being written
+  - Enhanced -geotag option CSV format to support GPSImgDirection column
+  - Fixed problem where -w+ option didn't work in Windows if there were Unicode
+    characters in the path name
+  - Fixed problem where only the last image of the sequence was extracted
+    (multiple times) when using -ee2 to extract embedded images from FLIR SEQ
+    files
+  - Fixed issue where GPS reference directions may be unknowingly written when
+    using ExifTool 12.44 or later to write GPSLatitude or GPSLongitude without
+    specifying a group name.  The fix was to avoid writing the Composite tags
+    unless the Composite group is specified explicitly
+  - Fixed -geotag to write orientation and track tags even if some tags in the
+    category were missing
+  - Fixed inconsistency in selecting which tag to output with the -json option
+    when multiple tags with the same JSON key exist and the -TAG# feature is
+    used to disable print conversion
+  - Fixed problem writing QuickTime:PlayListID
+  - Fixed problem writing QuickTime tags when specifying tag ID (ie. family 7
+    group) as well as a language code
+
tiff
+  * CVE-2022-48281 [bsc#1207413]
+    + tiff-CVE-2022-48281.patch
+
+- security update:
transmission
+- Apply downstream patch from Gentoo to fix a crash with openSSL 3
+  (boo#1207914):
+  * transmission-3.00-openssl-3.patch
+
+- boo#1207555: Transmission can't open Bittorrent v2 torrents
+  Add transmission-hybrid-torrent-length.patch
+
xf86-input-joystick
+- Update to version 1.6.4
+  * Fix quoting in man page synopsis section
+  * Update README for gitlab migration
+  * Update configure.ac bug URL for gitlab migration
+  * Fix spelling/wording issues
+  * gitlab CI: add a basic build test
+  * gitlab CI: stop requiring Signed-off-by in commits
+  * autogen.sh: Implement GNOME Build API
+  * autogen.sh: use quoted string variables
+  * Adapt to USB HID header changes on NetBSD-8.99.9.
+  * autogen: add default patch prefix
+  * configure: Drop AM_MAINTAINER_MODE
+  * autogen.sh: use exec instead of waiting for configure to finish
+
xf86-video-voodoo
+- update to 1.2.6:
+  * Remove miInitializeBackingStore
+    Stop using deprecated xf86PciInfo.h
+    Fix spelling/wording issues
+    Build xz tarballs instead of bzip2
+    Update configure.ac bug URL for gitlab migration
+    autogen: add default patch prefix
+    autogen.sh: use quoted string variables
+    autogen.sh: use exec instead of waiting for configure to finish
+    autogen.sh: Honor NOCONFIGURE=1
+    configure: Drop AM_MAINTAINER_MODE
+    don't use PCITAG in struct anymore
+- drop U_don-t-use-PCITAG-in-struct-anymore.patch (upstream)
+
yast2-bootloader
+- make secure boot for ppc64 consistent with how secure boot works
+  on other architectures (bsc#1206295)
+- 4.5.8
+
yast2-iscsi-client
+- Expose all core functionality from IscsiClientLib, with options
+  to suppress usage of pop-ups (related to gh#yast/d-installer#402).
+
+- Finish client: copy the content of both /etc/iscsi and
+  /var/lib/iscsi (bsc#1207374).
+- Finish client: never enable both the iscsid socket and the
+  service (partial fix for bsc#1207839).
+- 4.5.7
+
yast2-network
+- Fix calling method read on nil crash in bootloader caused by
+  not restoring SCR chroot in save_network client when running
+  in autoyast (bsc#1207968)
+- 4.5.16
+
yast2-packager
+- Prevent crash if nil dependencies instead of [] (bsc#1208068)
+- 4.5.14
+