Packages changed:
apparmor
audit-secondary
avahi
boost-base
busybox
ca-certificates (2+git20210723.27a0476 -> 2+git20211004.3efbea9)
chrony
compat-usrmerge
dracut (055+suse.119.g6c4187af -> 055+suse.129.g7d8c3ce3)
e2fsprogs
fcoe-utils
file (5.40 -> 5.41)
glibc
haproxy (2.4.4+git0.acb1d0bea -> 2.4.7+git0.b5e51a5e2)
helm
hwinfo (21.76 -> 21.77)
iputils
kbd
kernel-source (5.14.9 -> 5.14.11)
kubernetes1.21
libapparmor
libcap (2.51 -> 2.59)
libglvnd
librsvg (2.52.0 -> 2.52.2)
libwebp (1.2.0 -> 1.2.1)
libzypp (17.28.4 -> 17.28.6)
ncurses (6.2.20210911 -> 6.2.20211002)
ndctl
nvme-cli
open-iscsi
open-vm-tools (11.3.0 -> 11.3.5)
openssh (8.4p1 -> 8.8p1)
pam-config (1.4 -> 1.5)
patterns-microos
pmdk (1.11.0 -> 1.11.1)
python-Jinja2 (3.0.1 -> 3.0.2)
python-PrettyTable
python-alembic (1.6.5 -> 1.7.4)
python-apipkg (1.5 -> 2.1.0)
python-distro
python-greenlet (1.1.0 -> 1.1.2)
python-idna (3.2 -> 3.3)
python-more-itertools (8.8.0 -> 8.10.0)
python-networkx (2.6.1 -> 2.6.3)
python-pyrsistent (0.17.3 -> 0.18.0)
python-pytz (2021.1 -> 2021.3)
python-zipp (3.5.0 -> 3.6.0)
qemu
raspberrypi-firmware (2021.03.10 -> 2021.09.30)
raspberrypi-firmware-config (2021.03.10 -> 2021.09.30)
raspberrypi-firmware-dt (2021.03.15 -> 2021.09.17)
rbac-lookup (0.6.4 -> 0.7.1)
rdma-core (36.0 -> 37.1)
salt
systemd (249.4 -> 249.5)
systemd-presets-common-SUSE
timezone (2021c -> 2021d)
tpm2.0-tools (5.1.1 -> 5.2)
wireless-regdb (20210421 -> 20210828)
xfsprogs
xkeyboard-config (2.33 -> 2.34)
yomi-formula
zypper (1.14.49 -> 1.14.50)
=== Details ===
==== apparmor ====
Subpackages: apparmor-abstractions apparmor-parser apparmor-profiles apparmor-utils python3-apparmor
- add add-samba-bgqd.diff: add profile for samba-bgqd (boo#1191532)
==== audit-secondary ====
Subpackages: audit python3-audit system-group-audit
- Add CONFIG parameter to %sysusers_generate_pre
- Create separate service for augenrules (bsc#1191614, bsc#1181400)
* add create-augenrules-service.patch
Remove ReadWritePaths=/etc/audit from auditd.service, also removes
augenrules call from ExecStartPost.
Create augenrules.service with the ReadWritePaths directive above.
This makes /etc/audit only accessible by augenrules.service and
let auditd.service (and daemon) to be sandboxed again.
- Update audit-secondary.spec to accomodate the new service file.
==== avahi ====
Subpackages: libavahi-client3 libavahi-common3
- Add rpmlintrc: Filter shlib-policy-name-error for libdns_sd
(boo#1191750).
- Remove obsolete translation-update-upstream support
(jsc#SLE-21105).
==== boost-base ====
Subpackages: boost-license1_77_0 libboost_thread1_77_0
- make boost-json-devel require boost-container-devel (bsc#1191822)
==== busybox ====
- Create separate 'Warewulf3' (https://github.com/warewulf/warewulf3)
flavor of busybox with the
additional setting:
CONFIG_REBOOT=y
CONFIG_SWITCH_ROOT=y
CONFIG_CTTYHACK=y
(bsc#1191514).
==== ca-certificates ====
Version update (2+git20210723.27a0476 -> 2+git20211004.3efbea9)
- Update to version 2+git20211004.3efbea9:
* Ensure --root option propagates prefix properly to other scripts
==== chrony ====
Subpackages: chrony-pool-openSUSE
- boo#1190926: PrivateDevices is too strict, we might need to
access the rtc and ptp devices.
- Add back support to build chrony on SLE12.
- Drop dependency on asciidoctor. It is only needed for building
the HTML documentation which we don't package anyway.
==== compat-usrmerge ====
- Fix logic for detecting conflicts with directories (boo#1191111)
==== dracut ====
Version update (055+suse.119.g6c4187af -> 055+suse.129.g7d8c3ce3)
Subpackages: dracut-ima dracut-mkinitrd-deprecated
- Update to version 055+suse.129.g7d8c3ce3:
* fix(kernel-modules): add blk_mq_alloc_disk and blk_cleanup_disk to blockfuncs (bsc#1190326)
* docs: update SUSE maintainers doc
* fix(suse): add 60-io-scheduler.rules (bsc#1188713)
* revert: remove /sbin/installkernel script from dracut package
* spec: modernize specfile constructs
==== e2fsprogs ====
Subpackages: libcom_err2 libext2fs2
- Drop ProtectClock hardening, can cause issues if other device acceess is needed
==== fcoe-utils ====
- Drop ProtectClock hardening, can cause issues if other device acceess is needed
==== file ====
Version update (5.40 -> 5.41)
Subpackages: file-magic libmagic1
- Remove file-5.38-allow-readlinkat.dif as already doen in latest
file 5.41
- Update to 5.41:
* Avinash Sonawane: Fix tzname detection
* Fix relationship tests with "search" magic, don't short circuit
logic
* Fix memory leak in compile mode
* PR/272: kiefermat: Only set returnval = 1 when we printed something
(in all cases print or !print). This simplifies the logic and fixes
the issue in the PR with -k and --mime-type there was no continuation
printed before the default case.
* PR/270: Don't translate unprintable characters in %s magic formats
when -r
* PR/269: Avoid undefined behavior with clang (adding offset to NULL)
* Add a new flag (f) that requires that the match is a full word,
not a partial word match.
* Add varint types (unused)
* PR/256: mutableVoid: If the file is less than 3 bytes, use the file
length to determine type
* PR/259: aleksandr.v.novichkov: mime printing through indirect magic
is not taken into account, use match directly so that it does.
- Remove patches now upstream
* file-5.40-1c677c04.patch
* file-5.40-3096f87f.patch
* file-5.40-4c5fe1ad.patch
* file-5.40-6b34436a.patch
* file-5.40-749e1ecf.patch
* file-5.40-9b0459af.patch
* file-5.40-9e2becec.patch
* file-5.40-ascii.patch
* file-5.40-f0601504.patch
* file-5.40-f7705dca.patch
- Port patches
* file-5.19-biorad.dif
* file-5.19-printf.dif
* file-5.19-zip2.0.dif
* file-5.23-endian.patch
* file-5.28-btrfs-image.dif
* file-5.38-allow-readlinkat.dif
* file-secure_getenv.patch
- Port and rename patch file-5.39.dif which is now file-5.41.dif
==== glibc ====
Subpackages: glibc-locale-base
- ld-show-auxv-colon.patch: elf: Fix missing colon in LD_SHOW_AUXV output
(BZ #282539
- x86-string-control-test.patch: x86-64: Use testl to check
__x86_string_control
- pthread-kill-fail-after-exit.patch: nptl: pthread_kill, pthread_cancel
should not fail after exit (BZ #19193)
- pthread-kill-race-thread-exit.patch: nptl: Fix race between pthread_kill
and thread exit (BZ #12889)
- getcwd-attribute-access.patch: posix: Fix attribute access mode on
getcwd (BZ #27476)
- pthread-kill-return-esrch.patch: nptl: pthread_kill needs to return
ESRCH for old programs (BZ #19193)
- pthread-mutexattr-getrobust-np-type.patch: nptl: Fix type of
pthread_mutexattr_getrobust_np, pthread_mutexattr_setrobust_np (BZ
[#28036])
- setxid-deadlock-blocked-signals.patch: nptl: Avoid setxid deadlock with
blocked signals in thread exit (BZ #28361)
- pthread-kill-send-specific-thread.patch: nptl: pthread_kill must send
signals to a specific thread (BZ #28407)
- sysconf-nprocessors-affinity.patch: linux: Revert the use of
sched_getaffinity on get_nproc (BZ #28310)
- iconv-charmap-close-output.patch: renamed from
icon-charmap-close-output.patch
==== haproxy ====
Version update (2.4.4+git0.acb1d0bea -> 2.4.7+git0.b5e51a5e2)
- Update to version 2.4.7+git0.b5e51a5e2:
* [RELEASE] Released version 2.4.7
* BUG/MEDIUM: http-ana: Clear request analyzers when applying redirect rule
- Update to version 2.4.6+git0.d83fd76a1:
* [RELEASE] Released version 2.4.6
* BUG/MEDIUM: filters: Fix a typo when a filter is attached blocking the release
- Update to version 2.4.5+git0.e74a1b34b:
* [RELEASE] Released version 2.4.5
* MINOR: tasks: catch TICK_ETERNITY with BUG_ON() in __task_queue()
* BUG/MINOR: tcp-rules: Stop content rules eval on read error and end-of-input
* BUG/MINOR: tcpcheck: Don't use arg list for default proxies during parsing
* MINOR: arg: Be able to forbid unresolved args when building an argument list
* BUG/MAJOR: lua: use task_wakeup() to properly run a task once
* BUG/MEDIUM: lua: fix wakeup condition from sleep()
* MINOR: Makefile: add MEMORY_POOLS to the list of DEBUG_xxx options
* DOC: peers: fix doc "enable" statement on "peers" sections
* BUG/MINOR: mux-h1/mux-fcgi: Sanitize TE header to only send "trailers"
* MINOR: stream-int: Notify mux when the buffer is not stuck when calling rcv_buf
* BUG/MEDIUM: stream-int: Defrag HTX message in si_cs_recv() if necessary
* MINOR: htx: Add a function to know if the free space wraps
* MINOR: htx: Add an HTX flag to know when a message is fragmented
* MINOR: stream-int: Set CO_RFL transient/persistent flags apart in si_cs_rcv()
* BUG/MEDIUM: stream: Stop waiting for more data if SI is blocked on RXBLK_ROOM
* BUG/MEDIUM: stream-int: Notify stream that the mux wants more room to xfer data
* BUG/MEDIUM: mux-h1: Adjust conditions to ask more space in the channel buffer
* BUG/MINOR: stats: use refcount to protect dynamic server on dump
* MINOR: server: return the next srv instance on free_server
* BUG/MINOR: server: do not use refcount in free_server in stopping mode
* MINOR: global: define MODE_STOPPING
* MINOR: server: implement a refcount for dynamic servers
* BUG/MINOR: http-ana: increment internal_errors counter on response error
* BUG/MINOR: h1-htx: Fix a typo when request parser is reset
* BUG/MEDIUM: leastconn: fix rare possibility of divide by zero
* BUG/MINOR: server: allow 'enable health' only if check configured
* BUILD: threads: fix -Wundef for _POSIX_PRIORITY_SCHEDULING on libmusl
* BUILD: halog: fix a -Wundef warning on non-glibc systems
* BUILD: compiler: fixed a missing test on defined(__GNUC__)
* BUILD: fix dragonfly build again on __read_mostly
* BUG/MINOR: vars: do not talk about global section in CLI errors for set-var
* BUG/MINOR: vars: truncate the variable name in error reports about scope.
* BUG/MINOR: vars: properly set the argument parsing context in the expression
* MINOR: sample: add missing ARGC_ entries
* BUG/MINOR: vars: improve accuracy of the rules used to check expression validity
* BUILD: tools: properly guard __GLIBC__ with defined()
* BUILD: ssl: fix two remaining occurrences of #if USE_OPENSSL
* BUILD: ssl: next round of build warnings on LIBRESSL_VERSION_NUMBER
* BUILD/MINOR: regex: avoid a build warning on USE_PCRE2 with -Wundef
* IMPORT: slz: silence a build warning with -Wundef
* BUILD/MINOR: ssl: avoid a build warning on LIBRESSL_VERSION with -Wundef
* BUILD/MINOR: defaults: eliminate warning on MAXHOSTNAMELEN with -Wundef
* BUILD: activity: use #ifdef not #if on USE_MEMORY_PROFILING
* MINOR: proc: setting the process to produce a core dump on FreeBSD.
* MINOR: tools: add FreeBSD support to get_exec_path()
* BUILD: tools: get the absolute path of the current binary on NetBSD.
* BUG/MINOR: flt-trace: fix an infinite loop when random-parsing is set
* BUG/MINOR: cli/payload: do not search for args inside payload
* BUILD: ist: prevent gcc11 maybe-uninitialized warning on istalloc
* BUG/MINOR: connection: prevent null deref on mux cleanup task allocation
* DOC: management: certificate files must be sanitized before injection
* BUG/MINOR: tcpcheck: Improve LDAP response parsing to fix LDAP check
* BUG/MAJOR: mux-h1: Don't eval input data if an error was reported
* MINOR: pools: use mallinfo2() when available instead of mallinfo()
* MINOR: pools: automatically disable malloc_trim() with external allocators
* CLEANUP: pools: factor all malloc_trim() calls into trim_all_pools()
* BUG/MINOR: compat: make sure __WORDSIZE is always defined
* BUG/MEDIUM: stream-int: Don't block SI on a channel policy if EOI is reached
* CLEANUP: mux-h1: Remove condition rejecting upgrade requests with payload
* MINOR: htx: Skip headers with no value when adding a header list to a message
* BUG/MEDIUM: mux-h1: Remove "Upgrade:" header for requests with payload
* BUG/MINOR: systemd: ExecStartPre must use -Ws
* BUG/MINOR: filters: Set right FLT_END analyser depending on channel
* BUG/MINOR: filters: Always set FLT_END analyser when CF_FLT_ANALYZE flag is set
* BUG/MEDIUM: http-ana: Reset channels analysers when returning an error
* BUG/MINOR: stream: Don't release a stream if FLT_END is still registered
* BUG/MINOR: lua: Don't yield in channel.append() and channel.set()
* BUG/MINOR: lua: Yield in channel functions only if lua context can yield
* MINOR: lua: Add a flag on lua context to know the yield capability at run time
==== helm ====
- use 'v' prefix for the version to match upstream builds
- package fish completions
==== hwinfo ====
Version update (21.76 -> 21.77)
- merge gh#openSUSE/hwinfo#105
- Use license file from gnu.org
- Fix spelling
- Add missing final newline
- Trim excess whitespace
- Simple maintenance improvements
- 21.77
==== iputils ====
- Drop ProtectClock hardening, can cause issues if other device acceess is needed
==== kbd ====
Subpackages: kbd-legacy
- regenerated cz-map.patch needed for xkeyboard-config 2.34 update
==== kernel-source ====
Version update (5.14.9 -> 5.14.11)
- Linux 5.14.11 (bsc#1012628).
- Revert "ARM: imx6q: drop of_platform_default_populate() from
init_machine" (bsc#1012628).
- Revert "brcmfmac: use ISO3166 country code and 0 rev as
fallback" (bsc#1012628).
- libata: Add ATA_HORKAGE_NO_NCQ_ON_ATI for Samsung 860 and 870
SSD (bsc#1012628).
- perf/x86: Reset destroy callback on event init failure
(bsc#1012628).
- KVM: x86: nSVM: restore int_vector in svm_clear_vintr
(bsc#1012628).
- kvm: x86: Add AMD PMU MSRs to msrs_to_save_all[] (bsc#1012628).
- KVM: x86: reset pdptrs_from_userspace when exiting smm
(bsc#1012628).
- KVM: do not shrink halt_poll_ns below grow_start (bsc#1012628).
- selftests: KVM: Align SMCCC call with the spec in steal_time
(bsc#1012628).
- kasan: always respect CONFIG_KASAN_STACK (bsc#1012628).
- tools/vm/page-types: remove dependency on opt_file for idle
page tracking (bsc#1012628).
- block: don't call rq_qos_ops->done_bio if the bio isn't tracked
(bsc#1012628).
- io_uring: allow conditional reschedule for intensive iterators
(bsc#1012628).
- x86/insn, tools/x86: Fix undefined behavior due to potential
unaligned accesses (bsc#1012628).
- smb3: correct smb3 ACL security descriptor (bsc#1012628).
- irqchip/gic: Work around broken Renesas integration
(bsc#1012628).
- scsi: ses: Retry failed Send/Receive Diagnostic commands
(bsc#1012628).
- thermal/drivers/tsens: Fix wrong check for tzd in irq handlers
(bsc#1012628).
- nvme-fc: avoid race between time out and tear down
(bsc#1012628).
- nvme-fc: update hardware queues before using them (bsc#1012628).
- swiotlb-xen: ensure to issue well-formed XENMEM_exchange
requests (bsc#1012628).
- Xen/gntdev: don't ignore kernel unmapping error (bsc#1012628).
- selftests: kvm: fix get_run_delay() ignoring fscanf() return
warn (bsc#1012628).
- selftests: kvm: move get_run_delay() into lib/test_util
(bsc#1012628).
- selftests:kvm: fix get_trans_hugepagesz() ignoring fscanf()
return warn (bsc#1012628).
- selftests:kvm: fix get_warnings_count() ignoring fscanf()
return warn (bsc#1012628).
- selftests: be sure to make khdr before other targets
(bsc#1012628).
- habanalabs/gaudi: fix LBW RR configuration (bsc#1012628).
- habanalabs: fail collective wait when not supported
(bsc#1012628).
- habanalabs/gaudi: use direct MSI in single mode (bsc#1012628).
- usb: dwc2: check return value after calling
platform_get_resource() (bsc#1012628).
- usb: testusb: Fix for showing the connection speed
(bsc#1012628).
- scsi: elx: efct: Do not hold lock while calling
fc_vport_terminate() (bsc#1012628).
- scsi: sd: Free scsi_disk device via put_device() (bsc#1012628).
- drm/amdkfd: fix svm_migrate_fini warning (bsc#1012628).
- drm/amdkfd: handle svm migrate init error (bsc#1012628).
- ext2: fix sleeping in atomic bugs on error (bsc#1012628).
- platform/x86: gigabyte-wmi: add support for B550I Aorus Pro AX
(bsc#1012628).
- sparc64: fix pci_iounmap() when CONFIG_PCI is not set
(bsc#1012628).
- xen-netback: correct success/error reporting for the
SKB-with-fraglist case (bsc#1012628).
- net: mdio: introduce a shutdown method to mdio device drivers
(bsc#1012628).
- btrfs: fix mount failure due to past and transient device
flush error (bsc#1012628).
- btrfs: replace BUG_ON() in btrfs_csum_one_bio() with proper
error handling (bsc#1012628).
- nfsd: back channel stuck in SEQ4_STATUS_CB_PATH_DOWN
(bsc#1012628).
- platform/x86: touchscreen_dmi: Update info for the Chuwi Hi10
Plus (CWI527) tablet (bsc#1012628).
- platform/x86: touchscreen_dmi: Add info for the Chuwi HiBook
(CWI514) tablet (bsc#1012628).
- afs: Add missing vnode validation checks (bsc#1012628).
- spi: rockchip: handle zero length transfers without timing out
(bsc#1012628).
- commit 834dddd
- iwlwifi: Fix MODULE_FIRMWARE() for non-existing ucode version
(boo#1191417).
- commit 6597512
- Linux 5.14.10 (bsc#1012628).
- media: hantro: Fix check for single irq (bsc#1012628).
- media: cedrus: Fix SUNXI tile size calculation (bsc#1012628).
- media: s5p-jpeg: rename JPEG marker constants to prevent build
warnings (bsc#1012628).
- ASoC: fsl_sai: register platform component before registering
cpu dai (bsc#1012628).
- ASoC: fsl_esai: register platform component before registering
cpu dai (bsc#1012628).
- ASoC: fsl_micfil: register platform component before registering
cpu dai (bsc#1012628).
- ASoC: fsl_spdif: register platform component before registering
cpu dai (bsc#1012628).
- ASoC: fsl_xcvr: register platform component before registering
cpu dai (bsc#1012628).
- ASoC: mediatek: common: handle NULL case in suspend/resume
function (bsc#1012628).
- scsi: elx: efct: Fix void-pointer-to-enum-cast warning for
efc_nport_topology (bsc#1012628).
- ASoC: SOF: Fix DSP oops stack dump output contents
(bsc#1012628).
- ASoC: SOF: imx: imx8: Bar index is only valid for IRAM and
SRAM types (bsc#1012628).
- ASoC: SOF: imx: imx8m: Bar index is only valid for IRAM and
SRAM types (bsc#1012628).
- pinctrl: qcom: spmi-gpio: correct parent irqspec translation
(bsc#1012628).
- net/mlx4_en: Resolve bad operstate value (bsc#1012628).
- s390/qeth: Fix deadlock in remove_discipline (bsc#1012628).
- s390/qeth: fix deadlock during failing recovery (bsc#1012628).
- m68k: Update ->thread.esp0 before calling syscall_trace()
in ret_from_signal (bsc#1012628).
- NIOS2: fix kconfig unmet dependency warning for
SERIAL_CORE_CONSOLE (bsc#1012628).
- kasan: fix Kconfig check of CC_HAS_WORKING_NOSANITIZE_ADDRESS
(bsc#1012628).
- HID: amd_sfh: Fix potential NULL pointer dereference
(bsc#1012628).
- perf test: Fix DWARF unwind for optimized builds (bsc#1012628).
- perf iostat: Use system-wide mode if the target cpu_list is
unspecified (bsc#1012628).
- perf iostat: Fix Segmentation fault from NULL 'struct
perf_counts_values *' (bsc#1012628).
- watchdog/sb_watchdog: fix compilation problem due to
COMPILE_TEST (bsc#1012628).
- tty: Fix out-of-bound vmalloc access in imageblit (bsc#1012628).
- cpufreq: schedutil: Use kobject release() method to free
sugov_tunables (bsc#1012628).
- scsi: qla2xxx: Changes to support kdump kernel for NVMe BFS
(bsc#1012628).
- drm/amdgpu: adjust fence driver enable sequence (bsc#1012628).
- drm/amdgpu: avoid over-handle of fence driver fini in s3 test
(v2) (bsc#1012628).
- drm/amdgpu: stop scheduler when calling hw_fini (v2)
(bsc#1012628).
- cpufreq: schedutil: Destroy mutex before kobject_put() frees
the memory (bsc#1012628).
- scsi: ufs: ufs-pci: Fix Intel LKF link stability (bsc#1012628).
- ALSA: rawmidi: introduce SNDRV_RAWMIDI_IOCTL_USER_PVERSION
(bsc#1012628).
- ALSA: firewire-motu: fix truncated bytes in message tracepoints
(bsc#1012628).
- ALSA: hda/realtek: Quirks to enable speaker output for Lenovo
Legion 7i 15IMHG05, Yoga 7i 14ITL5/15ITL5, and 13s Gen2 laptops
(bsc#1012628).
- ACPI: NFIT: Use fallback node id when numa info in NFIT table
is incorrect (bsc#1012628).
- fs-verity: fix signed integer overflow with i_size near S64_MAX
(bsc#1012628).
- hwmon: (tmp421) handle I2C errors (bsc#1012628).
- hwmon: (w83793) Fix NULL pointer dereference by removing
unnecessary structure field (bsc#1012628).
- hwmon: (w83792d) Fix NULL pointer dereference by removing
unnecessary structure field (bsc#1012628).
- hwmon: (w83791d) Fix NULL pointer dereference by removing
unnecessary structure field (bsc#1012628).
- gpio: pca953x: do not ignore i2c errors (bsc#1012628).
- scsi: ufs: Fix illegal offset in UPIU event trace (bsc#1012628).
- mac80211: fix use-after-free in CCMP/GCMP RX (bsc#1012628).
- platform/x86/intel: hid: Add DMI switches allow list
(bsc#1012628).
- x86/kvmclock: Move this_cpu_pvti into kvmclock.h (bsc#1012628).
- ptp: Fix ptp_kvm_getcrosststamp issue for x86 ptp_kvm
(bsc#1012628).
- KVM: x86: Fix stack-out-of-bounds memory access from
ioapic_write_indirect() (bsc#1012628).
- KVM: x86: nSVM: don't copy virt_ext from vmcb12 (bsc#1012628).
- KVM: x86: Clear KVM's cached guest CR3 at RESET/INIT
(bsc#1012628).
- KVM: x86: Swap order of CPUID entry "index" vs. "significant
flag" checks (bsc#1012628).
- KVM: nVMX: Filter out all unsupported controls when eVMCS was
activated (bsc#1012628).
- KVM: SEV: Update svm_vm_copy_asid_from for SEV-ES (bsc#1012628).
- KVM: SEV: Pin guest memory for write for RECEIVE_UPDATE_DATA
(bsc#1012628).
- KVM: SEV: Acquire vcpu mutex when updating VMSA (bsc#1012628).
- KVM: SEV: Allow some commands for mirror VM (bsc#1012628).
- KVM: SVM: fix missing sev_decommission in sev_receive_start
(bsc#1012628).
- KVM: nVMX: Fix nested bus lock VM exit (bsc#1012628).
- KVM: VMX: Fix a TSX_CTRL_CPUID_CLEAR field mask issue
(bsc#1012628).
- mmc: renesas_sdhi: fix regression with hard reset on old SDHIs
(bsc#1012628).
- media: ir_toy: prevent device from hanging during transmit
(bsc#1012628).
- RDMA/cma: Do not change route.addr.src_addr.ss_family
(bsc#1012628).
- RDMA/cma: Ensure rdma_addr_cancel() happens before issuing
more requests (bsc#1012628).
- nbd: use shifts rather than multiplies (bsc#1012628).
- drm/amd/display: initialize backlight_ramping_override to false
(bsc#1012628).
- drm/amd/display: Pass PCI deviceid into DC (bsc#1012628).
- drm/amd/display: Fix Display Flicker on embedded panels
(bsc#1012628).
- drm/amdgpu: force exit gfxoff on sdma resume for rmb s0ix
(bsc#1012628).
- drm/amdgpu: check tiling flags when creating FB on GFX8-
(bsc#1012628).
- drm/amdgpu: correct initial cp_hqd_quantum for gfx9
(bsc#1012628).
- interconnect: qcom: sdm660: Fix id of slv_cnoc_mnoc_cfg
(bsc#1012628).
- interconnect: qcom: sdm660: Correct NOC_QOS_PRIORITY shift
and mask (bsc#1012628).
- drm/i915/gvt: fix the usage of ww lock in gvt scheduler
(bsc#1012628).
- ipvs: check that ip_vs_conn_tab_bits is between 8 and 20
(bsc#1012628).
- bpf: Handle return value of BPF_PROG_TYPE_STRUCT_OPS prog
(bsc#1012628).
- IB/cma: Do not send IGMP leaves for sendonly Multicast groups
(bsc#1012628).
- RDMA/cma: Fix listener leak in rdma_cma_listen_on_all() failure
(bsc#1012628).
- bpf, mips: Validate conditional branch offsets (bsc#1012628).
- hwmon: (mlxreg-fan) Return non-zero value when fan current
state is enforced from sysfs (bsc#1012628).
- RDMA/irdma: Skip CQP ring during a reset (bsc#1012628).
- RDMA/irdma: Validate number of CQ entries on create CQ
(bsc#1012628).
- RDMA/irdma: Report correct WC error when transport retry
counter is exceeded (bsc#1012628).
- RDMA/irdma: Report correct WC error when there are MW bind
errors (bsc#1012628).
- netfilter: nf_tables: unlink table before deleting it
(bsc#1012628).
- netfilter: log: work around missing softdep backend module
(bsc#1012628).
- Revert "mac80211: do not use low data rates for data frames
with no ack flag" (bsc#1012628).
- mac80211: Fix ieee80211_amsdu_aggregate frag_tail bug
(bsc#1012628).
- mac80211: limit injected vht mcs/nss in
ieee80211_parse_tx_radiotap (bsc#1012628).
- mac80211: mesh: fix potentially unaligned access (bsc#1012628).
- mac80211-hwsim: fix late beacon hrtimer handling (bsc#1012628).
- driver core: fw_devlink: Add support for
FWNODE_FLAG_NEEDS_CHILD_BOUND_ON_ADD (bsc#1012628).
- net: mdiobus: Set FWNODE_FLAG_NEEDS_CHILD_BOUND_ON_ADD for
mdiobus parents (bsc#1012628).
- sctp: break out if skb_header_pointer returns NULL in
sctp_rcv_ootb (bsc#1012628).
- mptcp: don't return sockets in foreign netns (bsc#1012628).
- mptcp: allow changing the 'backup' bit when no sockets are open
(bsc#1012628).
- RDMA/hns: Work around broken constant propagation in gcc 8
(bsc#1012628).
- hwmon: (tmp421) report /PVLD condition as fault (bsc#1012628).
- hwmon: (tmp421) fix rounding for negative values (bsc#1012628).
- net: enetc: fix the incorrect clearing of IF_MODE bits
(bsc#1012628).
- net: ipv4: Fix rtnexthop len when RTA_FLOW is present
(bsc#1012628).
- smsc95xx: fix stalled rx after link change (bsc#1012628).
- drm/i915/request: fix early tracepoints (bsc#1012628).
- drm/i915: Remove warning from the rps worker (bsc#1012628).
- dsa: mv88e6xxx: 6161: Use chip wide MAX MTU (bsc#1012628).
- dsa: mv88e6xxx: Fix MTU definition (bsc#1012628).
- dsa: mv88e6xxx: Include tagger overhead when setting MTU for
DSA and CPU ports (bsc#1012628).
- e100: fix length calculation in e100_get_regs_len (bsc#1012628).
- e100: fix buffer overrun in e100_get_regs (bsc#1012628).
- RDMA/hfi1: Fix kernel pointer leak (bsc#1012628).
- RDMA/hns: Fix the size setting error when copying CQE in
clean_cq() (bsc#1012628).
- RDMA/hns: Add the check of the CQE size of the user space
(bsc#1012628).
- bpf: Exempt CAP_BPF from checks against bpf_jit_limit
(bsc#1012628).
- libbpf: Fix segfault in static linker for objects without BTF
(bsc#1012628).
- selftests, bpf: Fix makefile dependencies on libbpf
(bsc#1012628).
- selftests, bpf: test_lwt_ip_encap: Really disable rp_filter
(bsc#1012628).
- bpf, x86: Fix bpf mapping of atomic fetch implementation
(bsc#1012628).
- net: ks8851: fix link error (bsc#1012628).
- ionic: fix gathering of debug stats (bsc#1012628).
- Revert "block, bfq: honor already-setup queue merges"
(bsc#1012628).
- scsi: csiostor: Add module softdep on cxgb4 (bsc#1012628).
- ixgbe: Fix NULL pointer dereference in ixgbe_xdp_setup
(bsc#1012628).
- net: hns3: do not allow call hns3_nic_net_open repeatedly
(bsc#1012628).
- net: hns3: remove tc enable checking (bsc#1012628).
- net: hns3: don't rollback when destroy mqprio fail
(bsc#1012628).
- net: hns3: fix mixed flag HCLGE_FLAG_MQPRIO_ENABLE and
HCLGE_FLAG_DCB_ENABLE (bsc#1012628).
- net: hns3: fix show wrong state when add existing uc mac address
(bsc#1012628).
- net: hns3: reconstruct function hns3_self_test (bsc#1012628).
- net: hns3: fix always enable rx vlan filter problem after
selftest (bsc#1012628).
- net: hns3: disable firmware compatible features when uninstall
PF (bsc#1012628).
- net: phy: bcm7xxx: Fixed indirect MMD operations (bsc#1012628).
- net: sched: flower: protect fl_walk() with rcu (bsc#1012628).
- net: stmmac: fix EEE init issue when paired with EEE capable
PHYs (bsc#1012628).
- af_unix: fix races in sk_peer_pid and sk_peer_cred accesses
(bsc#1012628).
- objtool: Teach get_alt_entry() about more relocation types
(bsc#1012628).
- perf/x86/intel: Update event constraints for ICX (bsc#1012628).
- sched/fair: Add ancestors of unthrottled undecayed cfs_rq
(bsc#1012628).
- sched/fair: Null terminate buffer when updating tunable_scaling
(bsc#1012628).
- hwmon: (occ) Fix P10 VRM temp sensors (bsc#1012628).
- hwmon: (pmbus/mp2975) Add missed POUT attribute for page 1
mp2975 controller (bsc#1012628).
- kvm: fix objtool relocation warning (bsc#1012628).
- nvme: add command id quirk for apple controllers (bsc#1012628).
- elf: don't use MAP_FIXED_NOREPLACE for elf interpreter mappings
(bsc#1012628).
- driver core: fw_devlink: Improve handling of cyclic dependencies
(bsc#1012628).
- debugfs: debugfs_create_file_size(): use IS_ERR to check for
error (bsc#1012628).
- ipack: ipoctal: fix stack information leak (bsc#1012628).
- ipack: ipoctal: fix tty registration race (bsc#1012628).
- ipack: ipoctal: fix tty-registration error handling
(bsc#1012628).
- ipack: ipoctal: fix missing allocation-failure check
(bsc#1012628).
- ipack: ipoctal: fix module reference leak (bsc#1012628).
- ext4: fix loff_t overflow in ext4_max_bitmap_size()
(bsc#1012628).
- ext4: limit the number of blocks in one ADD_RANGE TLV
(bsc#1012628).
- ext4: fix reserved space counter leakage (bsc#1012628).
- ext4: add error checking to ext4_ext_replay_set_iblocks()
(bsc#1012628).
- ext4: fix potential infinite loop in ext4_dx_readdir()
(bsc#1012628).
- ext4: flush s_error_work before journal destroy in
ext4_fill_super (bsc#1012628).
- HID: u2fzero: ignore incomplete packets without data
(bsc#1012628).
- net: udp: annotate data race around udp_sk(sk)->corkflag
(bsc#1012628).
- NIOS2: setup.c: drop unused variable 'dram_start' (bsc#1012628).
- usb: hso: remove the bailout parameter (bsc#1012628).
- HID: betop: fix slab-out-of-bounds Write in betop_probe
(bsc#1012628).
- netfilter: ipset: Fix oversized kvmalloc() calls (bsc#1012628).
- mm: don't allow oversized kvmalloc() calls (bsc#1012628).
- HID: usbhid: free raw_report buffers in usbhid_stop
(bsc#1012628).
- crypto: aesni - xts_crypt() return if walk.nbytes is 0
(bsc#1012628).
- KVM: x86: Handle SRCU initialization failure during page track
init (bsc#1012628).
- netfilter: conntrack: serialize hash resizes and cleanups
(bsc#1012628).
- netfilter: nf_tables: Fix oversized kvmalloc() calls
(bsc#1012628).
- drivers: net: mhi: fix error path in mhi_net_newlink
(bsc#1012628).
- objtool: print out the symbol type when complaining about it
(bsc#1012628).
- HID: amd_sfh: Fix potential NULL pointer dereference - take 2
(bsc#1012628).
- commit 7c980ba
- ALSA: hda: intel: Allow repeatedly probing on codec
configuration errors (bsc#1190801).
- commit 924f4be
- rpm: use _rpmmacrodir (boo#1191384)
- commit e350c14
==== kubernetes1.21 ====
- Bump disk requirements in _constraints to 12GB. Data based on the
last successful build consumed storage.
==== libapparmor ====
- add add-samba-bgqd.diff: add profile for samba-bgqd (boo#1191532)
==== libcap ====
Version update (2.51 -> 2.59)
- update to 2.59:
* Fixed a potential libcap memory leak by adding a destructor
* Major improvement is that there is a path for Linux-PAM compliant
applications to support setting Ambient vector Capabilities via pam_cap.so now
* Added libcap cap_proc_root() API function
* Added color support to captree
* Fixed contrib/sucap/su to correctly handle the Inheritable flag
* capsh enhancements
* getcap -r / now generates readable output
* The shared library objects: pam_cap.so, libcap.so and libpsx.so, are all now
runnable as standalone binaries
* The module pam_cap.so now contains support for a default=<IAB> module argument
* Enhanced capsh --suggest to also compare against the capability value names
and not just their descriptions
* Added capsh --current support
* Added a contrib/sucap/su.c pure-capabilities PAM implementation of su
* Fix for a corner case infinite loop handling long strings
* Added libcap cap_iab_compare() and cap_iab_get_pid() APIs
* Added a Go utility, captree, to display the process (and thread) graph along with
the POSIX.1e and IAB capabilities of each PID{TID} tree.
==== libglvnd ====
- libglvnd.rpmlintrc
* workaround for future buildcheck (boo#1191763)
==== librsvg ====
Version update (2.52.0 -> 2.52.2)
Subpackages: gdk-pixbuf-loader-rsvg librsvg-2-2
- Update to version 2.52.2:
+ New features:
- rsvg-convert now supports generating multi-page PDFs in a
sensible way.
- With one SVG document per page, each page with the SVG's
natural size:
- rsvg-convert --format=pdf -o out.pdf a.svg b.svg c.svg
- With all pages sized as portrait US Letter, and each SVG
scaled to fit so that there is a 1in margin around each page:
rsvg-convert --format=pdf -o out.pdf \
- -page-width=8.5in --page-height=11in \
- -width=6.5in --height=8.5in --keep-aspect-ratio \
- -top=1in --left=1in a.svg b.svg c.svg
Please see the man page for details.
- Support <a> elements inside <text>. Also, support the CSS
:link pseudo-class for matching against links.
- Support the CSS :lang() pseudo-class for matching against an
element's xml:lang attribute.
- Support the mask-type property from SVG2.
+ Bugs fixed:
- Don't panic when a shorthand property is set to inherit.
- Fix regression with the viewport size of interior <svg>
elements.
- Allow length units to be case-insensitive, per SVG2.
+ Documentation:
- There is now a FEATURES.md in the repository, where you can
see all the elements, attributes, and properties that librsvg
supports. We will be adding detail to this gradually.
- For developers, there is now devel-docs/adding-a-property.md
with a tutorial on how to add support for new CSS properties.
- Update to version 2.52.1:
+ Fix ordering of tspan inside text elements for right-to-left
languages.
+ Fix text-anchor positioning for right-to-left languages.
+ Fix regression in computing sizes when an SVG has only one of
width/height and a viewBox.
+ Spec compliance - the writing-mode property applies only to
text elements, no to individual tspan elements.
+ Fix build on big-endian platforms.
+ Clarify documentation for the rsvg_handle_write() /
rsvg_handle_close() deprecated APIs.
==== libwebp ====
Version update (1.2.0 -> 1.2.1)
Subpackages: libwebp7 libwebpdemux2 libwebpmux3
- update to 1.2.1:
* minor lossless encoder improvements and x86 color conversion
speed up
* further security related hardening in libwebp & examples
* toolchain updates and bug fixes
* use more inclusive language within the source
==== libzypp ====
Version update (17.28.4 -> 17.28.6)
- Zypper should keep cached files if transaction is aborted
(bsc#1190356)
Singletrans mode currently does not keep files around if the
transaction is aborted. This patch fixes the problem.
- Require a minimum number of mirrors for multicurl (bsc#1191609)
- Use procfs to detect nr of open fd's if rlimit is too high
(bsc#1191324)
Especially in a VM iterating over all possible fd's to close open
ones right before a exec() slows down zypper unnecessarily. This
patch uses /proc/self/fd to iterate over open fd's in case rlimit
is above 1024.
- po: Fix some lost '%' signs in positional args (bsc#1191370)
- RepoManager: Don't probe for plaindir repo if URL schema is
plugin: (bsc#1191286)
- version 17.28.6 (22)
- Downloader does not respect checkExistsOnly flag (bsc#1190712)
A missing check causes zyppng::Downloader to always download full
files even if the checkExistsOnly flag is set. This patch adds
the missing logic.
- Fix kernel-*-livepatch removal in purge-kernels (bsc#1190815)
The kernel-*-livepatch packages are supposed to serve as a stable
handle for the ephemeral kernel livepatch packages. See
FATE#320268 for details. As part of the kernel live patching
ecosystem, kernel-*-livepatch packages should not block the
purge-kernels step.
- version 17.28.5 (22)
==== ncurses ====
Version update (6.2.20210911 -> 6.2.20211002)
Subpackages: libncurses6 ncurses-utils terminfo-base
- Add ncurses patch 20211002
+ use return-value from vsnprintf to reallocate as needed to allow for
buffers larger than the screen size (report by "_RuRo_").
+ modify tset "-q" option to refrain from modifying terminal modes, to
match the documentation.
+ add section on margins to terminfo.5, adapted from X/Open Curses.
+ make tput/tset warning messages consistently using alias names when
those are used, rather than the underlying program's name.
+ improve tput usage message for aliases such as clear, by eliminating
tput-specific portions.
+ add a check in toe to ensure that a "termcap file" is text rather
than binary.
+ further build-fixes for OpenBSD 6.9, whose header files differ from
- Add ncurses patch 20210925
+ add kbeg to xterm+keypad to accommodate termcap applications -TD
+ add smglp and smgrp to vt420+lrmm, to provide useful data for the
"tabs" +m option -TD
+ build-fix for gcc 3.4.3 with Solaris10, which does not allow forward
reference of anonymous struct typedef.
+ modify tput to allow multiple commands per line.
+ minor fixes for tset manpage.
- Correct offsets of patch ncurses-6.2.dif
==== ndctl ====
- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
* harden_ndctl-monitor.service.patch
==== nvme-cli ====
- Drop ProtectClock hardening, can cause issues if other device acceess is needed
- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
* harden_nvmf-connect@.service.patch
==== open-iscsi ====
Subpackages: iscsiuio libopeniscsiusr0_2_0
- Fix possible systemd cycle by adding an "obsoletes" for
the old libopeniscsiusr for older versions.
==== open-vm-tools ====
Version update (11.3.0 -> 11.3.5)
Subpackages: libvmtools0
- Update to 11.3.5 (build 18557794) (boo#1190987)
+ New/Updated features:
- Added a configurable logging capability to the network script.
The network script has been updated to:
use vmware-toolbox-cmd to query any network logging configuration from
the tools.conf file. Use vmtoolsd --cmd "log ..." to log a message to
the vmx logfile when the logging handler is configured to "vmx" or when
the logfile is full or is not writeable.
- The hgfsmounter (mount.vmhgfs) command has been removed from
open-vm-tools.
The hgfsmounter (mount.vmhgfs) command is no longer used in
Linux open-vm-tools. It has been replaced by hgfs-fuse. Therefore,
removing all references to the hgfsmounter in Linux builds.
+ Resolved issues:
- Customization: Retry the Linux reboot if telinit is a soft link to
systemctl.
- Open-vm-tools commands would hang if configured with "--enable-valgrind".
+ Spec file updates for:
- rpmlint errors
- arg_xmlsec1 --enable-xmlsec1 for better xmlsec1/libxml2 handling.
==== openssh ====
Version update (8.4p1 -> 8.8p1)
Subpackages: openssh-clients openssh-common openssh-server
- Version update to 8.8p1:
= Security
* sshd(8) from OpenSSH 6.2 through 8.7 failed to correctly initialise
supplemental groups when executing an AuthorizedKeysCommand or
AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser or
AuthorizedPrincipalsCommandUser directive has been set to run the
command as a different user. Instead these commands would inherit
the groups that sshd(8) was started with.
Depending on system configuration, inherited groups may allow
AuthorizedKeysCommand/AuthorizedPrincipalsCommand helper programs to
gain unintended privilege.
Neither AuthorizedKeysCommand nor AuthorizedPrincipalsCommand are
enabled by default in sshd_config(5).
= Potentially-incompatible changes
* This release disables RSA signatures using the SHA-1 hash algorithm
by default. This change has been made as the SHA-1 hash algorithm is
cryptographically broken, and it is possible to create chosen-prefix
hash collisions for <USD$50K.
For most users, this change should be invisible and there is
no need to replace ssh-rsa keys. OpenSSH has supported RFC8332
RSA/SHA-256/512 signatures since release 7.2 and existing ssh-rsa keys
will automatically use the stronger algorithm where possible.
Incompatibility is more likely when connecting to older SSH
implementations that have not been upgraded or have not closely tracked
improvements in the SSH protocol. For these cases, it may be necessary
to selectively re-enable RSA/SHA1 to allow connection and/or user
authentication via the HostkeyAlgorithms and PubkeyAcceptedAlgorithms
options.
= New features
* ssh(1): allow the ssh_config(5) CanonicalizePermittedCNAMEs
directive to accept a "none" argument to specify the default
behaviour.
= Bugfixes
* scp(1): when using the SFTP protocol, continue transferring files
after a transfer error occurs, better matching original scp/rcp
behaviour.
* ssh(1): fixed a number of memory leaks in multiplexing,
* ssh-keygen(1): avoid crash when using the -Y find-principals
command.
* A number of documentation and manual improvements, including
bz#3340, PR139, PR215, PR241, PR257
- Additional changes from 8.7p1 release:
= Potentially-incompatible changes
* scp(1): this release changes the behaviour of remote to remote
copies (e.g. "scp host-a:/path host-b:") to transfer through the
local host by default. This was previously available via the -3
flag. This mode avoids the need to expose credentials on the
origin hop, avoids triplicate interpretation of filenames by the
shell (by the local system, the copy origin and the destination)
and, in conjunction with the SFTP support for scp(1) mentioned
below, allows use of all authentication methods to the remote
hosts (previously, only non-interactive methods could be used).
A -R flag has been added to select the old behaviour.
* ssh(1)/sshd(8): both the client and server are now using a
stricter configuration file parser. The new parser uses more
shell-like rules for quotes, space and escape characters. It is
also more strict in rejecting configurations that include options
lacking arguments. Previously some options (e.g. DenyUsers) could
appear on a line with no subsequent arguments. This release will
reject such configurations. The new parser will also reject
configurations with unterminated quotes and multiple '='
characters after the option name.
* ssh(1): when using SSHFP DNS records for host key verification,
ssh(1) will verify all matching records instead of just those
with the specific signature type requested. This may cause host
key verification problems if stale SSHFP records of a different
or legacy signature type exist alongside other records for a
particular host. bz#3322
* ssh-keygen(1): when generating a FIDO key and specifying an
explicit attestation challenge (using -Ochallenge), the challenge
will now be hashed by the builtin security key middleware. This
removes the (undocumented) requirement that challenges be exactly
32 bytes in length and matches the expectations of libfido2.
* sshd(8): environment="..." directives in authorized_keys files are
now first-match-wins and limited to 1024 discrete environment
variable names.
= New features
* scp(1): experimental support for transfers using the SFTP protocol
as a replacement for the venerable SCP/RCP protocol that it has
traditionally used. SFTP offers more predictable filename handling
and does not require expansion of glob(3) patterns via the shell
on the remote side.
* sftp-server(8): add a protocol extension to support expansion of
~/ and ~user/ prefixed paths. This was added to support these
paths when used by scp(1) while in SFTP mode.
* ssh(1): add a ForkAfterAuthentication ssh_config(5) counterpart to
the ssh(1) -f flag. GHPR231
* ssh(1): add a StdinNull directive to ssh_config(5) that allows the
config file to do the same thing as -n does on the ssh(1) command-
line. GHPR231
* ssh(1): add a SessionType directive to ssh_config, allowing the
configuration file to offer equivalent control to the -N (no
session) and -s (subsystem) command-line flags. GHPR231
* ssh-keygen(1): allowed signers files used by ssh-keygen(1)
signatures now support listing key validity intervals alongside
they key, and ssh-keygen(1) can optionally check during signature
verification whether a specified time falls inside this interval.
This feature is intended for use by git to support signing and
verifying objects using ssh keys.
* ssh-keygen(8): support printing of the full public key in a sshsig
signature via a -Oprint-pubkey flag.
= Bugfixes
* ssh(1)/sshd(8): start time-based re-keying exactly on schedule in
the client and server mainloops. Previously the re-key timeout
could expire but re-keying would not start until a packet was sent
or received, causing a spin in select() if the connection was
quiescent.
* ssh-keygen(1): avoid Y2038 problem in printing certificate
validity lifetimes. Dates past 2^31-1 seconds since epoch were
displayed incorrectly on some platforms. bz#3329
* scp(1): allow spaces to appear in usernames for local to remote
and scp -3 remote to remote copies. bz#1164
* ssh(1)/sshd(8): remove references to ChallengeResponseAuthentication
in favour of KbdInteractiveAuthentication. The former is what was in
SSHv1, the latter is what is in SSHv2 (RFC4256) and they were
treated as somewhat but not entirely equivalent. We retain the old
name as a deprecated alias so configuration files continue to work
as well as a reference in the man page for people looking for it.
bz#3303
* ssh(1)/ssh-add(1)/ssh-keygen(1): fix decoding of X.509 subject name
when extracting a key from a PKCS#11 certificate. bz#3327
* ssh(1): restore blocking status on stdio fds before close. ssh(1)
needs file descriptors in non-blocking mode to operate but it was
not restoring the original state on exit. This could cause
problems with fds shared with other programs via the shell,
bz#3280 and GHPR246
* ssh(1)/sshd(8): switch both client and server mainloops from
select(3) to pselect(3). Avoids race conditions where a signal
may arrive immediately before select(3) and not be processed until
an event fires. bz#2158
* ssh(1): sessions started with ControlPersist were incorrectly
executing a shell when the -N (no shell) option was specified.
bz#3290
* ssh(1): check if IPQoS or TunnelDevice are already set before
overriding. Prevents values in config files from overriding values
supplied on the command line. bz#3319
* ssh(1): fix debug message when finding a private key to match a
certificate being attempted for user authentication. Previously it
would print the certificate's path, whereas it was supposed to be
showing the private key's path. GHPR247
* sshd(8): match host certificates against host public keys, not
private keys. Allows use of certificates with private keys held in
a ssh-agent. bz#3524
* ssh(1): add a workaround for a bug in OpenSSH 7.4 sshd(8), which
allows RSA/SHA2 signatures for public key authentication but fails
to advertise this correctly via SSH2_MSG_EXT_INFO. This causes
clients of these server to incorrectly match
PubkeyAcceptedAlgorithmse and potentially refuse to offer valid
keys. bz#3213
* sftp(1)/scp(1): degrade gracefully if a sftp-server offers the
limits@openssh.com extension but fails when the client tries to
invoke it. bz#3318
* ssh(1): allow ssh_config SetEnv to override $TERM, which is
otherwise handled specially by the protocol. Useful in ~/.ssh/config
to set TERM to something generic (e.g. "xterm" instead of
"xterm-256color") for destinations that lack terminfo entries.
* sftp-server(8): the limits@openssh.com extension was incorrectly
marked as an operation that writes to the filesystem, which made it
unavailable in sftp-server read-only mode. bz#3318
* ssh(1): fix SEGV in UpdateHostkeys debug() message, triggered when
the update removed more host keys than remain present.
* Many manual page fixes.
- Additional changes from 8.6p1 release:
= Security
* sshd(8): OpenSSH 8.5 introduced the LogVerbose keyword. When this
option was enabled with a set of patterns that activated logging
in code that runs in the low-privilege sandboxed sshd process, the
log messages were constructed in such a way that printf(3) format
strings could effectively be specified the low-privilege code.
= New features
* sftp-server(8): add a new limits@openssh.com protocol extension
that allows a client to discover various server limits, including
maximum packet size and maximum read/write length.
* sftp(1): use the new limits@openssh.com extension (when available)
to select better transfer lengths in the client.
* sshd(8): Add ModuliFile keyword to sshd_config to specify the
location of the "moduli" file containing the groups for DH-GEX.
* unit tests: Add a TEST_SSH_ELAPSED_TIMES environment variable to
enable printing of the elapsed time in seconds of each test.
= Bugfixes
* ssh_config(5), sshd_config(5): sync CASignatureAlgorithms lists in
manual pages with the current default. GHPR174
* ssh(1): ensure that pkcs11_del_provider() is called before exit.
GHPR234
* ssh(1), sshd(8): fix problems in string->argv conversion. Multiple
backslashes were not being dequoted correctly and quoted space in
the middle of a string was being incorrectly split. GHPR223
* ssh(1): return non-zero exit status when killed by signal; bz#3281
* sftp-server(8): increase maximum SSH2_FXP_READ to match the maximum
packet size. Also handle zero-length reads that are not explicitly
banned by the spec.
- Additional changes from 8.5p1 release:
= Security
* ssh-agent(1): fixed a double-free memory corruption that was
introduced in OpenSSH 8.2 . We treat all such memory faults as
potentially exploitable. This bug could be reached by an attacker
with access to the agent socket.
= Potentially-incompatible changes
* ssh(1), sshd(8): this release changes the first-preference signature
algorithm from ECDSA to ED25519.
* ssh(1), sshd(8): set the TOS/DSCP specified in the configuration
for interactive use prior to TCP connect. The connection phase of
the SSH session is time-sensitive and often explicitly interactive.
The ultimate interactive/bulk TOS/DSCP will be set after
authentication completes.
* ssh(1), sshd(8): remove the pre-standardization cipher
rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc before
it was standardized in RFC4253 (2006), has been deprecated and
disabled by default since OpenSSH 7.2 (2016) and was only briefly
documented in ssh.1 in 2001.
* ssh(1), sshd(8): update/replace the experimental post-quantum
hybrid key exchange method based on Streamlined NTRU Prime coupled
with X25519. The previous sntrup4591761x25519-sha512@tinyssh.org
method is replaced with sntrup761x25519-sha512@openssh.com.
* ssh(1): disable CheckHostIP by default. It provides insignificant
benefits while making key rotation significantly more difficult,
especially for hosts behind IP-based load-balancers.
= New features
* ssh(1): this release enables UpdateHostkeys by default subject to
some conservative preconditions:
- The key was matched in the UserKnownHostsFile (and not in the
GlobalKnownHostsFile).
- The same key does not exist under another name.
- A certificate host key is not in use.
- known_hosts contains no matching wildcard hostname pattern.
- VerifyHostKeyDNS is not enabled.
- The default UserKnownHostsFile is in use.
* ssh(1), sshd(8): add a new LogVerbose configuration directive for
that allows forcing maximum debug logging by file/function/line
pattern-lists.
* ssh(1): when prompting the user to accept a new hostkey, display
any other host names/addresses already associated with the key.
* ssh(1): allow UserKnownHostsFile=none to indicate that no
known_hosts file should be used to identify host keys.
* ssh(1): add a ssh_config KnownHostsCommand option that allows the
client to obtain known_hosts data from a command in addition to
the usual files.
* ssh(1): add a ssh_config PermitRemoteOpen option that allows the
client to restrict the destination when RemoteForward is used
with SOCKS.
* ssh(1): for FIDO keys, if a signature operation fails with a
"incorrect PIN" reason and no PIN was initially requested from the
user, then request a PIN and retry the operation. This supports
some biometric devices that fall back to requiring PIN when reading
of the biometric failed, and devices that require PINs for all
hosted credentials.
* sshd(8): implement client address-based rate-limiting via new
sshd_config(5) PerSourceMaxStartups and PerSourceNetBlockSize
directives that provide more fine-grained control on a per-origin
address basis than the global MaxStartups limit.
= Bugfixes
* ssh(1): Prefix keyboard interactive prompts with "(user@host)" to
make it easier to determine which connection they are associated
with in cases like scp -3, ProxyJump, etc. bz#3224
* sshd(8): fix sshd_config SetEnv directives located inside Match
blocks. GHPR201
* ssh(1): when requesting a FIDO token touch on stderr, inform the
user once the touch has been recorded.
* ssh(1): prevent integer overflow when ridiculously large
ConnectTimeout values are specified, capping the effective value
(for most platforms) at 24 days. bz#3229
* ssh(1): consider the ECDSA key subtype when ordering host key
algorithms in the client.
* ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to
PubkeyAcceptedAlgorithms. The previous name incorrectly suggested
that it control allowed key algorithms, when this option actually
specifies the signature algorithms that are accepted. The previous
name remains available as an alias. bz#3253
* ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and
HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms.
* sftp-server(8): add missing lsetstat@openssh.com documentation
and advertisement in the server's SSH2_FXP_VERSION hello packet.
* ssh(1), sshd(8): more strictly enforce KEX state-machine by
banning packet types once they are received. Fixes memleak caused
by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078).
* sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit
platforms instead of being limited by LONG_MAX. bz#3206
* Minor man page fixes (capitalization, commas, etc.) bz#3223
* sftp(1): when doing an sftp recursive upload or download of a
read-only directory, ensure that the directory is created with
write and execute permissions in the interim so that the transfer
can actually complete, then set the directory permission as the
final step. bz#3222
* ssh-keygen(1): document the -Z, check the validity of its argument
earlier and provide a better error message if it's not correct.
bz#2879
* ssh(1): ignore comments at the end of config lines in ssh_config,
similar to what we already do for sshd_config. bz#2320
* sshd_config(5): mention that DisableForwarding is valid in a
sshd_config Match block. bz3239
* sftp(1): fix incorrect sorting of "ls -ltr" under some
circumstances. bz3248.
* ssh(1), sshd(8): fix potential integer truncation of (unlikely)
timeout values. bz#3250
* ssh(1): make hostbased authentication send the signature algorithm
in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type.
This make HostbasedAcceptedAlgorithms do what it is supposed to -
filter on signature algorithm and not key type.
- Rebased patches:
* openssh-7.7p1-IPv6_X_forwarding.patch
* openssh-7.7p1-X11_trusted_forwarding.patch
* openssh-7.7p1-X_forward_with_disabled_ipv6.patch
* openssh-7.7p1-cavstest-ctr.patch
* openssh-7.7p1-cavstest-kdf.patch
* openssh-7.7p1-disable_openssl_abi_check.patch
* openssh-7.7p1-eal3.patch
* openssh-7.7p1-enable_PAM_by_default.patch
* openssh-7.7p1-fips.patch
* openssh-7.7p1-fips_checks.patch
* openssh-7.7p1-host_ident.patch
* openssh-7.7p1-hostname_changes_when_forwarding_X.patch
* openssh-7.7p1-ldap.patch
* openssh-7.7p1-no_fork-no_pid_file.patch
* openssh-7.7p1-pam_check_locks.patch
* openssh-7.7p1-pts_names_formatting.patch
* openssh-7.7p1-remove_xauth_cookies_on_exit.patch
* openssh-7.7p1-seccomp_ipc_flock.patch
* openssh-7.7p1-seccomp_stat.patch
* openssh-7.7p1-send_locale.patch
* openssh-7.7p1-sftp_force_permissions.patch
* openssh-7.7p1-sftp_print_diagnostic_messages.patch
* openssh-7.7p1-systemd-notify.patch
* openssh-7.9p1-keygen-preserve-perms.patch
* openssh-7.9p1-revert-new-qos-defaults.patch
* openssh-8.0p1-gssapi-keyex.patch
* openssh-8.1p1-audit.patch
* openssh-8.1p1-seccomp-clock_gettime64.patch
* openssh-8.1p1-seccomp-clock_nanosleep.patch
* openssh-8.1p1-seccomp-clock_nanosleep_time64.patch
* openssh-8.1p1-use-openssl-kdf.patch
* openssh-8.4p1-vendordir.patch
* openssh-fips-ensure-approved-moduli.patch
* openssh-link-with-sk.patch
* openssh-reenable-dh-group14-sha1-default.patch
* openssh-whitelist-syscalls.patch
- Removed openssh-fix-ssh-copy-id.patch (fixed upstream).
- openssh.keyring: rotated to new key from https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc
- sshd-gen-keys-start:
- only source sysconfig file if it exists.
- create /etc/ssh if it does not exists.
Required for image based installation/updates.
==== pam-config ====
Version update (1.4 -> 1.5)
- Update to Version 1.5
- Don't print an error message if one of the systemd PAM modules
does not exist if creating the *-pc files [bsc#1191528]
- Drop pam_systemd_home again [bsc#1191528]
==== patterns-microos ====
Subpackages: patterns-microos-alt_onlyDVD patterns-microos-apparmor patterns-microos-base patterns-microos-base-microdnf patterns-microos-base-packagekit patterns-microos-base-zypper patterns-microos-basesystem patterns-microos-cloud patterns-microos-cockpit patterns-microos-defaults patterns-microos-hardware patterns-microos-ima_evm patterns-microos-onlyDVD patterns-microos-ra_agent patterns-microos-ra_verifier patterns-microos-selinux patterns-microos-sssd_ldap
- Add xdg-desktop-portal-gnome to gnome pattern
- Drop gnome-power-manager Requires: Package is dormant upstream
and on it's way to be replaced by new features inside of
gnome-control-center.
==== pmdk ====
Version update (1.11.0 -> 1.11.1)
Subpackages: libpmem1 libpmemobj1
- Update to PMDK 1.11.1
* Bugfixes:
* doc: remove exprimental moniker from libpmem2(7)
* common: fix missing sfence in non-temporal memcpy
* common: fix a mismatch between prototype and body
* common: fix mismatched function args
* obj: rename vars clashing with those of a containing block
* pmem2: don't force smaller alignment for fsdax mappings
* pool: don't trample upon users of localtime()
* rpmem: Fix RPMEM_RAW_BUFF_SIZE and LANE_ALIGN_SIZE for powerpc64le
==== python-Jinja2 ====
Version update (3.0.1 -> 3.0.2)
- dropped obsolete no-warnings-as-errors.patch
- update to 3.0.2
* Fix a loop scoping bug that caused assignments in nested loops to still
be referenced outside of it. #1427
* Make compile_templates deterministic for filter and import names. #1452, #1453
* Revert an unintended change that caused Undefined to act like
StrictUndefined for the in operator. #1448
* Imported macros have access to the current template globals in async
environments. #1494
* PackageLoader will not include a current directory (.) path segment.
This allows loading templates from the root of a zip import. #1467
==== python-PrettyTable ====
- %check: use %pyunittest rpm macro
==== python-alembic ====
Version update (1.6.5 -> 1.7.4)
- update to 1.7.4:
* Fixed a regression that prevented the use of post write hooks on python
version lower than 3.9
* Added missing attributes from context stubs.
* Fixed issue where registration of custom ops was prone to failure due to
the registration process running exec() on generated code that as of the
1.7 series includes pep-484 annotations, which in the case of end user code
would result in name resolution errors when the exec occurs
- specfile:
* skip python 2 builds
* require importlib-resources
- update to version 1.7.1:
* Corrected "universal wheel" directive in setup.cfg so that
building a wheel does not target Python 2. The PyPi files index
for 1.7.0 was corrected manually. Pull request courtesy layday.
* Fixed issue in generated .pyi files where default values for
"Optional" arguments were missing, thereby causing mypy to
consider them as required.
* Fixed regression in batch mode due to :ticket:`883` where the
"auto" mode of batch would fail to accommodate any additional
migration directives beyond encountering an "add_column()"
directive, due to a mis-application of the conditional logic that
was added as part of this change, leading to "recreate" mode not
being used in cases where it is required for SQLite such as for
unique constraints.
- changes from version 1.7.0:
* Fixed regression due to :ticket:`803` where the ".info" and
".comment" attributes of "Table" would be lost inside of the
:class:`.DropTableOp` class, which when "reversed" into a
:class:`.CreateTableOp` would then have lost these elements. Pull
request courtesy Nicolas CANIART.
* Enhance "version_locations" parsing to handle paths containing
spaces. The new configuration option "version_path_separator"
specifies the character to use when splitting the
"version_locations" string. The default for new configurations is
"version_path_separator = os", which will use "os.pathsep" (e.g.,
";" on Windows).
* Alembic 1.7 now supports Python 3.6 and above; support for prior
versions including Python 2.7 has been dropped.
* Batch "auto" mode will now select for "recreate" if the
"add_column()" operation is used on SQLite, and the column itself
meets the criteria for SQLite where ADD COLUMN is not allowed, in
this case a functional or parenthesized SQL expression or a
"Computed" (i.e. generated) column.
* Make the "python-dateutil" library an optional dependency. This
library is only required if the "timezone" option is used in the
Alembic configuration. An extra require named "tz" is available
with "pip install alembic[tz]" to install it.
* Re-implemented the "python-editor" dependency as a small internal
function to avoid the need for external dependencies.
* Named CHECK constraints are now supported by batch mode, and will
automatically be part of the recreated table assuming they are
named. They also can be explicitly dropped using
"op.drop_constraint()". For "unnamed" CHECK constraints, these are
still skipped as they cannot be distinguished from the CHECK
constraints that are generated by the "Boolean" and "Enum"
datatypes. Note that this change may require adjustments to
migrations that drop or rename columns which feature an associated
named check constraint, such that an additional
"op.drop_constraint()" directive should be added for that named
constraint as there will no longer be an associated column for it;
for the "Boolean" and "Enum" datatypes, an "existing_type" keyword
may be passed to "BatchOperations.drop_constraint" as well.
* The dependency on "pkg_resources" which is part of "setuptools"
has been removed, so there is no longer any runtime dependency on
"setuptools". The functionality has been replaced with
"importlib.metadata" and "importlib.resources" which are both part
of Python std.lib, or via pypy dependency "importlib-metadata" for
Python version < 3.8 and "importlib-resources" for Python version
< 3.9 (while importlib.resources was added to Python in 3.7, it
did not include the "files" API until 3.9).
* Created a "test suite" similar to the one for SQLAlchemy, allowing
developers of third-party dialects to test their code against a
set of Alembic tests that have been specially selected to exercise
back-end database operations. At the time of release, third-party
dialects that have adopted the Alembic test suite to verify
compatibility include `CockroachDB
<https://pypi.org/project/sqlalchemy-cockroachdb/>`_ and `SAP ASE
(Sybase) <https://pypi.org/project/sqlalchemy-sybase/>`_.
* Fixed issue where usage of the PostgreSQL "postgresql_include"
option within a :meth:`.Operations.create_index` would raise a
KeyError, as the additional column(s) need to be added to the
table object used by the construct internally. The issue is
equivalent to the SQL Server issue fixed in :ticket:`513`. Pull
request courtesy Steven Bronson.
* pep-484 type annotations have been added throughout the library.
Additionally, stub .pyi files have been added for the
"dynamically" generated Alembic modules "alembic.op" and
"alembic.config", which include complete function signatures and
docstrings, so that the functions in these namespaces will have
both IDE support (vscode, pycharm, etc) as well as support for
typing tools like Mypy. The files themselves are statically
generated from their source functions within the source tree.
==== python-apipkg ====
Version update (1.5 -> 2.1.0)
- Update to v2.1.0
* fix race condition for import of modules using apipkg.initpkg
in Python 3.3+ by updating existing modules in-place rather
than replacing in sys.modules with an apipkg.ApiModule
instances. This race condition exists for import statements
(and __import__) in Python 3.3+ where sys.modules is checked
before obtaining an import lock, and for
importlib.import_module in Python 3.11+ for the same reason.
- Release 2.0.1
* fix race conditions for attribute creation
- Release 2.0.0
* also transfer __spec__ attribute
* make py.test hack more specific to avoid hiding real errors
* switch from Travis CI to GitHub Actions
* modernize package build
* reformat code with black
- Drop pytest4.patch
==== python-distro ====
- Expliciting setting of locale is not necessary anymore
(gh#python-distro/distro#223).
==== python-greenlet ====
Version update (1.1.0 -> 1.1.2)
- update to 1.1.2:
- Fix a potential crash due to a reference counting error when Python
subclasses of ``greenlet.greenlet`` were deallocated. The crash
became more common on Python 3.10; on earlier versions, silent
memory corruption could result.
- Fix a leak of a list object when the last reference to a greenlet
was deleted from some other thread than the one to which it
belonged. For this to work correctly, you must call a greenlet API
like ``getcurrent()`` before the thread owning the greenlet exits:
this is a long-standing limitation that can also lead to the leak of
a thread's main greenlet if not called; we hope to lift this
limitation. Note that in some cases this may also fix leaks of
greenlet objects themselves. See `issue 251
- Python 3.10: Tracing or profiling into a spawned greenlet didn't
work as expected. See `issue 256
==== python-idna ====
Version update (3.2 -> 3.3)
- update to 3.3:
- Update to Unicode 14.0.0
- Update to in-line type annotations
- Throw IDNAError exception correctly for some malformed input
- Advertise support for Python 3.10
- Improve testing regime on Github
- Fix Russian typo in documentation
==== python-more-itertools ====
Version update (8.8.0 -> 8.10.0)
- update to 8.10.0:
* The type stub for :func:`iter_except` was improved (thanks to MarcinKonowalczyk)
* Type stubs now ship with the source release (thanks to saaketp)
* The Sphinx docs were improved (thanks to MarcinKonowalczyk)
* New functions
* :func:`interleave_evenly` (thanks to mbugert)
* :func:`repeat_each` (thanks to FinalSh4re)
* :func:`chunked_even` (thanks to valtron)
* :func:`map_if` (thanks to sassbalint)
* :func:`zip_broadcast` (thanks to kalekundert)
* Changes to existing functions
* The type stub for :func:`chunked` was improved (thanks to PhilMacKay)
* The type stubs for :func:`zip_equal` and `zip_offset` were improved (thanks to maffoo)
* Building Sphinx docs locally was improved (thanks to MarcinKonowalczyk)
==== python-networkx ====
Version update (2.6.1 -> 2.6.3)
- update to 2.6.3:
* Fix modularity functions (gh#networkx/networkx#5072)
* CI/MAINT: drop gdal tests (gh#networkx/networkx#5068)
* modularity_max: provide labels to get_edge_data (gh#networkx/networkx#4965)
* Improvements to greedy_modularity_community (gh#networkx/networkx#4996)
* use weight arg instead of 'weight' key at greedy_modularity_communities()
* modularity_max: breaking the loop when given community size is reached (gh#networkx/networkx#4950)
* modularity_max: allow input of desired number of communities
* greedy_modularity_communities with digraphs and multi(di)graphs (gh#networkx/networkx#5007) (gh#networkx/networkx#5007)
* Allow greedy_modularity_communities to use floating point weights or resolution (gh#networkx/networkx#5065)
* change i,j,k notation to u,v,w (no indexes since gh#networkx/networkx#5007)
==== python-pyrsistent ====
Version update (0.17.3 -> 0.18.0)
- update to 0.18.0:
* Fix #209 Update freeze recurse into pyrsistent data structures and thaw to
recurse into lists and dicts
* Fix #226, stop using deprecated exception.message.
* Fix #211, add union operator to persistent maps.
* Fix #194, declare build dependencies through pyproject.toml.
* Officially drop Python 3.5 support.
* Fix #223, release wheels for all major platforms.
* Fix #221, KeyError obscured by TypeError if key is a tuple.
* Fix LICENSE file name spelling.
* Fix #216, add abstractmethod decorator for CheckedType and ABCMeta for
_CheckedTypeMeta.
* Fix #228, rename example classes in tests to avoid name clashes with pytest.
==== python-pytz ====
Version update (2021.1 -> 2021.3)
- update to 2021.3
* matches tzdata 2021c
==== python-zipp ====
Version update (3.5.0 -> 3.6.0)
- update to 3.6.0:
* Only ``Path`` is exposed in the public API.
* Remove news file intended only for CPython.
==== qemu ====
- Stable fixes from upstream
* Patches added:
block-introduce-max_hw_iov-for-use-in-sc.patch
hmp-Unbreak-change-vnc.patch
qemu-nbd-Change-default-cache-mode-to-wr.patch
target-arm-Don-t-skip-M-profile-reset-en.patch
vhost-vsock-fix-migration-issue-when-seq.patch
virtio-mem-pci-Fix-memory-leak-when-crea.patch
virtio-net-fix-use-after-unmap-free-for-.patch
==== raspberrypi-firmware ====
Version update (2021.03.10 -> 2021.09.30)
- Update to b5257da58c (2021-09-30):
* firmware: arm_loader: Allow non-optional reads of current clock
See: #1619
* firmware: dispmanx: Demote null eptr from vcos_verify to no warning
See: raspberrypi/linux#4592
* firmware: filesystem: sdcard: Probe FAT type in GPT ESD partitions
* firmware: tvservice: Add check to warn when running with kms
* firmware: filesystem: sdcard: Fix Hybrid GPT partitions
See: #1465
* firmware: video_decode: Ensure all buffers are flushed before
port disable completes
* firmware: arm_loader: Allow hvs interrupt during SET_NOTIFY_DISPLAY_DONE
* firmware: arm_display: Allow null buffer in successful call
See: raspberrypi/linux#4540
- Update to b80f36b3fb (2021-09-13):
* firmware: hdmi_2711: Use HDMI block REPEAT_PIXEL instead of PV
See: https://forum.libreelec.tv/thread/24415-le-10-beta-for-i4-force-hdmi-resolution
* firmware: DSI display autodetection for kms
* firmware: arm_dt: Load overlays for detected cameras
* firmware: Make more use of the user-warnings DT property
* firmware: arm_loader: Consider required flags from GET_CLOCK_RATE
See: #1598
* firmware: arm_loader: Make most arm clock requests required
See: #1598
* firmware: firmware: Disable VLL loading from file system
See: #1605
* firmware: video_decode: Use the ISP instead of vc_image_convert
* firmware: video_decode: Correct support for YVU formats using ISP
* firmware: arm_dt: Limit CMA to 256MB if total_mem < 2GB or gpu_mem > 256MB
See: #1603
* firmware: hdmi_cec: Remove TX/RX SW_INIT on power_on
See: Hexxeh/rpi-firmware#267
See: https://www.raspberrypi.org/forums/viewtopic.php?p=1895082#p1895082
* firmware: cec: Avoid sending messages with kms
See: raspberrypi/linux#4460
* firmware: Revert: video_decode: Use the ISP instead of vc_image_convert
* firmware: isp: Set the YUV420/YVU420 format stride to 64 byte
* arm_loader: Add message to release firmware framebuffer
* firmware: video_decode: Use the ISP instead of vc_image_convert
* firmware: hdmi-2711: Wait for HDMI hardware scheduler to activate in HDMI mode
* firmware: bcm_host: Recognise all Pi 4 variants, add BCM2711
See: raspberrypi/userland#695
* firmware: PoE+ HAT support
See: raspberrypi/linux#4367
* firmware: arm_loader: Use Pi4 bootloader MAC_ADDRESS if set
* firmware: platform: Apply ARM thermal throttling rules on BCM2711
* firmware: dt-blob.dts: Correct HDMI HPD and EMMC_ENABLE for CM4
See: https://www.raspberrypi.org/forums/viewtopic.php?f=29&p=1858516
* firmware: vcfw/hdmi: CUSTOM modes used for FKMS didn't set RGB quant range correctly
See: #1580
* firmware: platform: Remove build-time constant for MICROVOLTS_PER_PIP
* firmware: Pi400: Reduce MII clock freq when probing ethernet PHY
* firmware: isp: Ensure the VRF is locked when setting up video colour denoise
See: raspberrypi/libcamera-apps#19
* firmware: isp: Remove custom EV mappings from camera tunings
* firmware: Add support for board-type=0xXX conditional filters in bootloader, bootcode and firmware
* firmware: Two UART1 patches
See: #1566
* firmware: arm_loader: kernel_old=1 should force kernel_address=0
See: #1561
* firmware: scalerlib: Fix offset applied to x coordinate of YUV10COL image
See: https://forum.kodi.tv/showthread.php?tid=361164&pid=3024654#pid3024654
* firmware: vcfw/power: Add a new latch for power_pad_control
See: #1552
* firmware: board-info: Fix memsize on 3B+
* firmware: Move core to PLLA and support accurate clk108
See: xbmc/xbmc#19263
* firmware: board_info: Separate memory size from OTP field encoding
* firmware: power: Swap DA9090 ADC assignments to match XR77004
* firmware: vl805: Remove redundant log statement and fix warning
* firmware: power: Fix DA9090 ADC1 register definition
* firmware: arm_loader: Only report clocks arm has set, not siblings
* firmware: arm_loader: Don't report clocks set as turbo side effect of arm clock
* firmware: arm_loader: 2711: gpu clocks are not dependant
* firmware: platform: Need to clear cached versions of get_max_clock_internal vars
* firmware: video_decode: For VC1/WMV with no signalled header bytes, use start of 1st buffer
See: raspberrypi/linux#4113
- Use smbios overlay to get minimal SMBIOS information through dmidecode (bsc#1183079)
==== raspberrypi-firmware-config ====
Version update (2021.03.10 -> 2021.09.30)
- Update to b5257da58c (2021-09-30):
* firmware: arm_loader: Allow non-optional reads of current clock
See: #1619
* firmware: dispmanx: Demote null eptr from vcos_verify to no warning
See: raspberrypi/linux#4592
* firmware: filesystem: sdcard: Probe FAT type in GPT ESD partitions
* firmware: tvservice: Add check to warn when running with kms
* firmware: filesystem: sdcard: Fix Hybrid GPT partitions
See: #1465
* firmware: video_decode: Ensure all buffers are flushed before
port disable completes
* firmware: arm_loader: Allow hvs interrupt during SET_NOTIFY_DISPLAY_DONE
* firmware: arm_display: Allow null buffer in successful call
See: raspberrypi/linux#4540
- Update to b80f36b3fb (2021-09-13):
* firmware: hdmi_2711: Use HDMI block REPEAT_PIXEL instead of PV
See: https://forum.libreelec.tv/thread/24415-le-10-beta-for-i4-force-hdmi-resolution
* firmware: DSI display autodetection for kms
* firmware: arm_dt: Load overlays for detected cameras
* firmware: Make more use of the user-warnings DT property
* firmware: arm_loader: Consider required flags from GET_CLOCK_RATE
See: #1598
* firmware: arm_loader: Make most arm clock requests required
See: #1598
* firmware: firmware: Disable VLL loading from file system
See: #1605
* firmware: video_decode: Use the ISP instead of vc_image_convert
* firmware: video_decode: Correct support for YVU formats using ISP
* firmware: arm_dt: Limit CMA to 256MB if total_mem < 2GB or gpu_mem > 256MB
See: #1603
* firmware: hdmi_cec: Remove TX/RX SW_INIT on power_on
See: Hexxeh/rpi-firmware#267
See: https://www.raspberrypi.org/forums/viewtopic.php?p=1895082#p1895082
* firmware: cec: Avoid sending messages with kms
See: raspberrypi/linux#4460
* firmware: Revert: video_decode: Use the ISP instead of vc_image_convert
* firmware: isp: Set the YUV420/YVU420 format stride to 64 byte
* arm_loader: Add message to release firmware framebuffer
* firmware: video_decode: Use the ISP instead of vc_image_convert
* firmware: hdmi-2711: Wait for HDMI hardware scheduler to activate in HDMI mode
* firmware: bcm_host: Recognise all Pi 4 variants, add BCM2711
See: raspberrypi/userland#695
* firmware: PoE+ HAT support
See: raspberrypi/linux#4367
* firmware: arm_loader: Use Pi4 bootloader MAC_ADDRESS if set
* firmware: platform: Apply ARM thermal throttling rules on BCM2711
* firmware: dt-blob.dts: Correct HDMI HPD and EMMC_ENABLE for CM4
See: https://www.raspberrypi.org/forums/viewtopic.php?f=29&p=1858516
* firmware: vcfw/hdmi: CUSTOM modes used for FKMS didn't set RGB quant range correctly
See: #1580
* firmware: platform: Remove build-time constant for MICROVOLTS_PER_PIP
* firmware: Pi400: Reduce MII clock freq when probing ethernet PHY
* firmware: isp: Ensure the VRF is locked when setting up video colour denoise
See: raspberrypi/libcamera-apps#19
* firmware: isp: Remove custom EV mappings from camera tunings
* firmware: Add support for board-type=0xXX conditional filters in bootloader, bootcode and firmware
* firmware: Two UART1 patches
See: #1566
* firmware: arm_loader: kernel_old=1 should force kernel_address=0
See: #1561
* firmware: scalerlib: Fix offset applied to x coordinate of YUV10COL image
See: https://forum.kodi.tv/showthread.php?tid=361164&pid=3024654#pid3024654
* firmware: vcfw/power: Add a new latch for power_pad_control
See: #1552
* firmware: board-info: Fix memsize on 3B+
* firmware: Move core to PLLA and support accurate clk108
See: xbmc/xbmc#19263
* firmware: board_info: Separate memory size from OTP field encoding
* firmware: power: Swap DA9090 ADC assignments to match XR77004
* firmware: vl805: Remove redundant log statement and fix warning
* firmware: power: Fix DA9090 ADC1 register definition
* firmware: arm_loader: Only report clocks arm has set, not siblings
* firmware: arm_loader: Don't report clocks set as turbo side effect of arm clock
* firmware: arm_loader: 2711: gpu clocks are not dependant
* firmware: platform: Need to clear cached versions of get_max_clock_internal vars
* firmware: video_decode: For VC1/WMV with no signalled header bytes, use start of 1st buffer
See: raspberrypi/linux#4113
==== raspberrypi-firmware-dt ====
Version update (2021.03.15 -> 2021.09.17)
- Update to 2425833c7ff5 (2021-09-17)
* Switch to 5.14 branch
* Drop upstream-overlay-rpi-poe.patch
==== rbac-lookup ====
Version update (0.6.4 -> 0.7.1)
- Update to version 0.7.1:
* Mac M1 Support
* Update documentation from template
* Update README.md
==== rdma-core ====
Version update (36.0 -> 37.1)
Subpackages: libefa1 libibverbs libibverbs1 libmlx4-1 libmlx5-1 librdmacm1
- Update to rdma-core v37.1 (jsc#SLE-18381, jsc#SLE-19249)
- Bugfixes on all providers
- Fix cmake flags to correct paths for .pc files
==== salt ====
Subpackages: python3-salt salt-master salt-minion salt-standalone-formulas-configuration salt-transactional-update
- Fix issues with salt-ssh's extra-filerefs
- Added:
* fix-issues-with-salt-ssh-s-extra-filerefs.patch
- Fix crash when calling manage.not_alive runners
- Added:
* fix-crash-when-calling-manage.not_alive-runners.patch
- Do not consider skipped targets as failed for ansible.playbooks state (bsc#1190446)
- Added:
* 3003.3-do-not-consider-skipped-targets-as-failed-for.patch
==== systemd ====
Version update (249.4 -> 249.5)
Subpackages: libsystemd0 libudev1 systemd-sysvinit udev
- Import commit 8521f8d22fd44400289fcea03493ebd7f8b1487d (merge of v249.5)
For a complete list of changes, visit:
https://github.com/openSUSE/systemd/compare/355e113ce193e5e2d195278c57d47f9a1b00ae46...8521f8d22fd44400289fcea03493ebd7f8b1487d
- Import commit 355e113ce193e5e2d195278c57d47f9a1b00ae46
3b4a005095 meson: add missing include directory when using xkbcommon
4c4e642712 meson: allow extra net naming schemes to be defined during configuration (jsc#SLE-18514)
78466e4464 meson: drop the list of valid net naming schemes
b9a2098f9d netif-naming: inline one iterator variable
d7fbbc5e74 Add remaining supported schemes as options for default-net-naming-scheme
- Rename %{gnu-efi} into %{sd_boot}
Build conditionals (%bcond_with and %bcond_without) are used to
define a specific feature of systemd. "gnu-efi" is rather an
implemenation detail. Also not really sure what "efi" option alone
is useful for since systemd-boot & co depends on "gnu-efi".
- Enable sd_boot support for aarch64
- Ghost own directories /var/log/journal and /var/log/journal/remote again
rpmlint no more complain about the setgid bit, see sr#923496.
- Overwriting rootprefix= is only required when split-usr is enabled
- Rename %usrmerged into %split_usr
- Suppress PAM warning when the credentials for user@.service service
are established (bsc#1190515)
systemd-user PAM service needs to define a default implementation of
pam_setcred() otherwise the fallback (defined by /etc/pam.d/other)
is used, which consists of pam_warn.so + pam_deny.so, and will throw
a warning each time a user logs in.
- No need to install upstream pam configuration file "systemd-user"
It's overwritten by the SUSE version anyway.
==== systemd-presets-common-SUSE ====
- Haveged as a daemon is no longer required since kernel 5.6
do not enable by default.
==== timezone ====
Version update (2021c -> 2021d)
- timezone update 2021d:
* Fiji suspends DST for the 2021/2022 season
* 'zic -r' marks unspecified timestamps with "-00"
==== tpm2.0-tools ====
Version update (5.1.1 -> 5.2)
- Update to version 5.2:
+ tpm2_nvextend:
* Added option -n, --name to specify the name of the nvindex in
hex bytes. This is used when cpHash ought to be calculated
without dispatching the TPM2_NV_Extend command to the TPM.
+ tpm2_nvread:
* Added option --rphash=FILE to specify ile path to record the
hash of the response parameters. This is commonly termed as
rpHash.
* Added option -n, --name to specify the name of the nvindex in
hex bytes. This is used when cpHash ought to be calculated
without dispatching the TPM2_NVRead command to the TPM.
* Added option -S, --session to specify to specify an auxiliary
session for auditing and or encryption/decryption of the
parameters.
+ tpm2_nvsetbits:
* Added option --rphash=FILE to specify file path to record the
hash of the response parameters. This is commonly termed as
rpHash.
* Added option -S, --session to specify to specify an auxiliary
session for auditing and or encryption/decryption of the
parameters.
* Added option -n, --name to specify the name of the nvindex in
hex bytes. This is used when cpHash ought to be calculated
without dispatching the TPM2_NV_SetBits command to the TPM.
+ tpm2_createprimary:
* Support public-key output at creation time in various public-key
formats.
+ tpm2_create:
* Support public-key output at creation time in various public-key
formats.
+ tpm2_print:
* Support outputing public key in various public key formats over
the default YAML output. Supports taking -u output from
tpm2_create and converting it to a PEM or DER file format.
+ tpm2_import:
* Add support for importing keys with sealed-data-blobs.
+ tpm2_rsaencrypt, tpm2_rsadecrypt:
* Add support for specifying the hash algorithm with oaep.
+ tpm2_pcrread, tpm2_quote:
* Add option -F, --pcrs_format to specify PCR format selection for
the binary blob in the PCR output file. 'values' will output a
binary blob of the PCR values. 'serialized' will output a binary
blob of the PCR values in the form of serialized data structure
in little endian format.
+ tpm2_eventlog:
* Add support for decoding StartupLocality.
* Add support for printing the partition information.
* Add support for reading eventlogs longer than 64kb including
from /sys/kernel/security/tpm0/binary_bios-measurements.
+ tpm2_duplicate:
* Add option -L, --policy to specify an authorization policy to be
associated with the duplicated object.
* Added support for external key duplication without needing the
TCTI.
+ tools:
* Enhance error message on invalid passwords when sessions cannot
be used.
+ lib/tpm2_options:
* Add option to specify fake tcti which is required in cases where
sapi ctx is required to be initialized for retrieving command
parameters without invoking the tcti to talk to the TPM.
+ openssl:
* Dropped support for OpenSSL < 1.1.0
* Add support for OpenSSL 3.0.0
+ Support added to make the repository documentation and man pages
available live on readthedocs.
+ Bug-fixes:
* tpm2_import: Don't allow setting passwords for imported object
with -p option as the tool doesn't modify the TPM2B_SENSITIVE
structure. Added appropriate logging to indicate using
tpm2_changeauth after import.
* lib/tpm2_util.c: The function to calculate pHash algorithm
returned error when input session is a password session and the
only session in the command.
* lib/tpm2_alg_util.c: Fix an error where oaep was parsed under
ECC.
* tpm2_sign: Fix segfaults when tool does not find TPM resources
(TPM or RM).
* tpm2_makecredential: Fix an issue where reading input from stdin
could result in unsupported data size larger than the largest
digest size.
* tpm2_loadexternal: Fix an issue where restricted attribute could
not be set.
* lib/tpm2_nv_util.h: The NV index size is dependent on different
data sets read from the GetCapability structures because there
is a dependency on the NV operation type: Define vs Read vs
Write vs Extend. Fix a sane default in the case where
GetCapability fails or fails to report the specific property/
data set. This is especially true because some properties are
TPM implementation dependent.
* tpm2_createpolicy: Fix an issue where tool exited silently
without reporting an error if wrong pcr string is specified.
* lib/tpm2_alg_util: add error message on public init to prevent
tools from dying silently, add an error message.
* tpm2_import: fix an issue where an imported hmac object scheme
was NULL. While allowed, it was inconsistent with other tools
like tpm2_create which set the scheme as hmac->sha256 when
generating a keyedhash object.
- Drop patches already in upstream:
+ 0001-tpm2_checkquote-fix-uninitialized-variable.patch
+ 0001-tpm2_eventlog-fix-buffer-offset-when-reading-the-eve.patch
+ 0001-tpm2_eventlog-read-eventlog-file-in-chunks.patch
==== wireless-regdb ====
Version update (20210421 -> 20210828)
- Update to version 20210828:
* wireless-regdb: update regulatory database based on preceding changes
* Update regulatory rules for Ecuador (EC)
* wireless-regdb: Update regulatory rules for Norway (NO) on 6 and 60 GHz
* wireless-regdb: Update regulatory rules for Germany (DE) on 6GHz
* wireless-regdb: update regulatory database based on preceding changes
* wireless-regdb: reduce bandwidth for 5730-5850 and 5850-5895 MHz in US
* wireless-regdb: remove PTMP-ONLY from 5850-5895 MHz for US
* wireless-regdb: recent FCC report and order allows 5850-5895 immediately
* wireless-regdb: update 5725-5850 MHz rule for GB
==== xfsprogs ====
- move fsck.xfs, mkfs.xfs and xfs_repair from /sbin to /usr/sbin
(bsc#1191105)
The default rpmbuild %configure macro passes --sbindir=/usr/sbin to
every configure script, but the xfsprogs configure script ignores it
when --exec-prefix is also set. Unset --exec-prefix since it is not
really required (all other paths are explicitly passed via the rpm
configure macro), so that the --sbindir is respected.
==== xkeyboard-config ====
Version update (2.33 -> 2.34)
- update to version 2.34
* xml2lst: use dynamic Perl path
* Resolved 101key Old Hungarian II
* Old turkish f layout (with pc104 support) added.
* Fix wrong key symbol name
* Added International Phonetic Alphabet (QWERTY)
* gitlab CI: update to latest ci-templates
* Hellenic keyboard perfected.
* lt: Place sterling symbol on AD03, layer 4 (with E and euro)
* Use single guillemots on L4 (not less/greater) where L3 has guillemots
* Added English (Dvorak, Macintosh) based on the MacOS dvorak layout
* Accommodate uppercase/lowercase ß, long s, §; deduplicate ?
* Move left/right quotes one key to the right, place lower quotes on AB04
* Update symbols/it adding credits and reference for fur lang
* lt/us: Inherit AE09/AE10 from latin
* Add Russian GOST layouts
* Add Polish(lefty) layout
* Add Arabic(Ergoarabic) keyboard layout
* translation sync
* Hebrew translation added
==== yomi-formula ====
- Ignore libudev1 dependency for Enterprise Linux.
==== zypper ====
Version update (1.14.49 -> 1.14.50)
Subpackages: zypper-needs-restarting
- Fix compiler warning.
- zypper.conf: New option whether to collect subcommands found in
$PATH (fixes #379)
+[subcommand] i
+
+## Whether to look for subcommands in $PATH
+##
+## If a subcommand is not found in the zypper_execdir, the wrapper
+## will look in the rest of your $PATH for it. Thus, it's possible
+## to write local zypper extensions that don't live in system space.
+## See section SUBCOMMANDS in the zypper manpage.
+##
+## Valid values: boolean
+## Default value: yes
+##
+# seachSubcommandInPath = yes.
- help subcommand: show path of command found in $PATH.
- version 1.14.50