openSUSE Factory
December 2019
- 61 participants
- 69 discussions
12 Dec '19
Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.
Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=1&versio…
Please do not reply to this email to report issues, rather file a bug
on bugzilla.opensuse.org. For more information on filing bugs please
see https://en.opensuse.org/openSUSE:Submitting_bug_reports
Packages changed:
ibus-libpinyin
libnma
moonjit
obs-service-source_validator (0.18 -> 0.19)
pam_mount
patterns-base
perl-Text-Unidecode
remmina (1.3.6 -> 1.3.7)
virt-manager
xtables-addons (3.6_k5.3.12_1 -> 3.7_k5.3.12_1)
=== Details ===
==== ibus-libpinyin ====
- Update ibus-libpinyin.spec: Remove dependence to pyxdg, because
it has been removed since 1.6.92 (bnc#1158513).
==== libnma ====
Subpackages: libnma0 typelib-1_0-NMA-1_0
- Require nma-data by libnma0: the library references the
org.gnome.nm-applet schema, which is packaged in nma-data
(boo#1157889).
==== moonjit ====
- Obsolete/provide lua51-luajit as it was the old luajit name
==== obs-service-source_validator ====
Version update (0.18 -> 0.19)
- Update to version 0.19:
* allow _multibuild to handle multiple specs
* The --buildflavor option was missing from the help output
* 70-baselibs: do not run subshells
* allow -MACRO ending for changes file on multibuild setups
* skip source files checks for product definition directories
* Add missing dependency to the debian/control file
==== pam_mount ====
Subpackages: libcryptmount0 libcryptmount0-32bit pam_mount-32bit
- Systemd-user must be prevented from invoking pam_mount.so in the
"session" management group eg by invoking pam_succeed_if.so to
skip the pam_mount entry when systemd-user is calling
pam_{open,close}_session.
[bsc#1153630,
bsc1153630-prevent-systemd-from-calling-pam_mount.patch]
==== patterns-base ====
Subpackages: patterns-base-apparmor patterns-base-base patterns-base-basesystem patterns-base-basic_desktop patterns-base-console patterns-base-documentation patterns-base-enhanced_base patterns-base-minimal_base patterns-base-sw_management patterns-base-transactional_base patterns-base-x11 patterns-base-x11_enhanced
- Drop Obsoletes: pattern() = readonly_root_tools: RPM only honors
obsoletes against package names, so this obsoletes is in fact
useless. With RPM 4.15, there is a syntax check which even
disallows Obsoletes against non-valid names.
==== perl-Text-Unidecode ====
- Convert description into proper UTF-8: RPM 4.15 fails with
non-UTF/non-ASCII texts.
==== remmina ====
Version update (1.3.6 -> 1.3.7)
Subpackages: remmina-lang remmina-plugin-rdp remmina-plugin-secret remmina-plugin-vnc remmina-plugin-xdmcp
- Added remmina-1.3.7-libfreerdp-2.0.0-rc4.patch to be compatible with
libfreerdp-2.0.0-rc4
- Update to new upstream release 1.3.7
* Huge improvements in translations
* Better authentication MessagePanel API
* Adding hidden proxy/socks settings for the RDP plugin
* Debian Lintian, appstream and AppImage detected issues fixes
* Tooltips in the remmina profile editor
* Fix for issue #1949 (and #1968). It also relocates --version and --full-version in local instance.
* Enumerate and share all local printers.
* Manually specify more than one printer&driver when connecting via RDP
* Printer sharing remediation
* Remove useless includes
* VTE is a suggested package
* AppImage path fixes
* Using remmina image for gnome 3.28
* Fix crash when clicking AR-button
* Various Fixes !1931
* Fix RDP failed auth after credentials panel: big rework on plugin connection close flow
==== virt-manager ====
Subpackages: virt-install virt-manager-common
- bsc#1157144 - [s390][virt-manager] There was the black screen
from guest graphical console during guest installation
virtinst-s390x-disable-graphics.patch
- bsc#1158227 - virt-manager: Fix duplicate entries in the
operating system URL drop down menu
virtman-show-suse-install-repos.patch
- Upstream bug fix (bsc#1027942)
29f9f5f2-virt-xml-fix-defined_xml_is_unchanged.patch
- Drop virtman-default-to-xen-pv.patch
- Refreshed
virtinst-add-pvh-support.patch
virtinst-modify-gui-defaults.patch
virt-manager.changes
virt-manager.spec
virtman-allow-creating-i686-vm.patch
virtman-python2-to-python3-conversion.patch
==== xtables-addons ====
Version update (3.6_k5.3.12_1 -> 3.7_k5.3.12_1)
- Update to release 3.7
* xt_geoip: fix in6_addr little-endian byte swapping
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe(a)opensuse.org
To contact the owner, e-mail: opensuse-factory+owner(a)opensuse.org
[opensuse-factory] openSUSE:Factory - Build fail notification
by DimStar / Dominique Leuenberger 11 Dec '19
Dear Package maintainers and hackers.
Below package(s) in openSUSE:Factory have been failing to build for at
least 4 weeks. We tried to send out notifications to the
configured bugowner/maintainers of the package(s), but so far no
fix has been submitted. This probably means that the
maintainer/bugowner did not yet find the time to look into the
matter and he/she would certainly appreciate help to get this
sorted.
- opam
Unless somebody is stepping up and submitting fixes, the listed
package(s) are going to be removed from openSUSE:Factory.
Kind regards,
DimStar / Dominique Leuenberger <dimstar(a)opensuse.org>
[opensuse-factory] zypper: "Downloaded data exceeded the expected filesize"
by Michael Ströder 10 Dec '19
HI!
AFAICT there was an update of zypper package recently in snapshot 20191207.
Are there any known regressions?
Because I now get error messages like this:
Downloaded data exceeded the expected filesize '41.0 KiB' of
'https://download.opensuse.org/repositories/home:/stroeder:/AE-DIR:/py3/open…'.
Ciao, Michael.
10 Dec '19
Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.
Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=1&versio…
Please do not reply to this email to report issues, rather file a bug
on bugzilla.opensuse.org. For more information on filing bugs please
see https://en.opensuse.org/openSUSE:Submitting_bug_reports
Packages changed:
ImageMagick (7.0.9.1 -> 7.0.9.6)
binutils
ceph (14.2.4.373+gc3e67ed133 -> 15.0.0.7456+ge089cead79)
cyrus-sasl
dnsmasq
dwz
fribidi
git
gpg2 (2.2.17 -> 2.2.18)
hwdata (0.329 -> 0.330)
icewm (1.5.4 -> 1.6.3)
libnftnl (1.1.4 -> 1.1.5)
libsndfile
libsolv (0.7.7 -> 0.7.9)
libvirt (5.9.0 -> 5.10.0)
libvirt-glib (2.0.0 -> 3.0.0)
libxml2 (2.9.9 -> 2.9.10)
libxml2-python (2.9.9 -> 2.9.10)
libxslt (1.1.33 -> 1.1.34)
libyui-qt-graph (2.45.3 -> 2.45.5)
libzypp (17.15.0 -> 17.17.0)
linux-glibc-devel (5.3 -> 5.4)
lirc
mariadb-connector-c (3.1.4 -> 3.1.5)
nano (4.5 -> 4.6)
openssl
ovmf (201908 -> 201911)
perl
perl-HTTP-Cookies (6.07 -> 6.08)
perl-Socket6 (0.28 -> 0.29)
perl-X500-DN
perl-XML-LibXML (2.0134 -> 2.0201)
perl-XML-LibXSLT
permissions (1550_20191118 -> 1550_20191205)
postfix (3.4.7 -> 3.4.8)
python
python-PyYAML (5.1.2 -> 5.2)
python-base
python-h2
python-libvirt-python (5.9.0 -> 5.10.0)
python-lxml
python-psutil (5.6.5 -> 5.6.7)
python-pywbem (0.11.0 -> 0.14.6)
python-simplejson (3.16.1 -> 3.17.0)
rdma-core
read-only-root-fs (1.0+git20191112.42add9e -> 1.0+git20191203.3f7cc07)
salt (2019.2.0 -> 2019.2.2)
sensors (3.5.0 -> 3.6.0)
sssd (2.2.0 -> 2.2.2)
tcsh (6.21.00 -> 6.22.02)
transactional-update (2.17 -> 2.20)
v4l2loopback (0.12.2_k5.3.12_1 -> 0.12.3_k5.3.12_1)
vim (8.1.2233 -> 8.1.2383)
xfce4-branding-openSUSE (4.14+20191008 -> 4.14+20191207)
zypper (1.14.32 -> 1.14.33)
=== Details ===
==== ImageMagick ====
Version update (7.0.9.1 -> 7.0.9.6)
Subpackages: ImageMagick-config-7-SUSE ImageMagick-extra libMagick++-7_Q16HDRI4 libMagickCore-7_Q16HDRI7 libMagickWand-7_Q16HDRI7 perl-PerlMagick
- version update to 7.0.9.6
* Increase the maximum number of bezier coordinates (reference
https://github.com/ImageMagick/ImageMagick/issues/1784)
* Sanitize "'" from SHOW and WIN delegates under Linux, '"\' for Windows
(thanks to Enzo Puig).
* Correct for TGA orientation (reference
https://imagemagick.org/discourse-server/viewtopic.php?f=3&t=34757)
* The result for -compose Copy -extent on a MYK image is CMYK (reference
https://imagemagick.org/discourse-server/viewtopic.php?f=3&t=37118)
* Fix potential buffer overflow when reading a fax image (alert from
Justin).
* Support dng:use-camera-wb option.
- added patches
https://github.com/ImageMagick/ImageMagick/issues/1792
+ ImageMagick-targa.patch
- version update to 7.0.9.5
* Ensure Ascii85 compression is thread safe.
* Sanitize ';' from SHOW and WIN delegates.
* Add exception parameter to CMS transform methods.
* Output exception when there is an attempt to perform an operation not allowed by
the security policy
* JPEG and JPG are aliases in coder security policy.
* Fixed numerous issues posted to GitHub
==== binutils ====
Subpackages: binutils-devel
- Add binutils-fix-invalid-op-errata.diff to fix various
build fails on aarch64 (PR25210, bsc#1157755).
- Add add-ulp-section.diff for user space live patching.
==== ceph ====
Version update (14.2.4.373+gc3e67ed133 -> 15.0.0.7456+ge089cead79)
Subpackages: librados2 librbd1
- Update to 15.0.0-7456-ge089cead79:
+ rebase on tip of upstream master, SHA1 e4b3036422df70e3c911240e3bba6a8bd3e9c792
- Update to 15.0.0-7219-g353896020b:
+ rebase on tip of upstream master, SHA1 7ffb5d9e79207da81af933f4e95655e16558c739
- Update to 14.2.4-386-g73475e3ee1:
+ os/bluestore: consolidate extents from the same device only (bsc#1156282)
- Update to 14.2.4-378-gac1bcd6547:
+ qa/suse: move dashboard-e2e to tier3 and add debugging code to
src/script/dashboard_e2e_tests.sh
==== cyrus-sasl ====
Subpackages: cyrus-sasl-crammd5 cyrus-sasl-devel cyrus-sasl-digestmd5 cyrus-sasl-gssapi cyrus-sasl-plain libsasl2-3 libsasl2-3-32bit
- added backport-patch cyrus-sasl-bug587.patch which fixes
off-by-one error in _sasl_add_string function
(see https://github.com/cyrusimap/cyrus-sasl/issues/587)
==== dnsmasq ====
- Remove redundant %else without meaning (if/else/else/endif?)
==== dwz ====
- Fix assertion failure 'refd != NULL' in write_die [swo#24169].
* dwz-fix-refd-NULL-assertion-in-write_die.patch
- Fix assertion failure 'off == cu_size' in recompute_abbrevs
[swo#24764].
* dwz-fix-assertion-off-cu_size-in-recompute_abbrevs.patch
==== fribidi ====
Subpackages: libfribidi0 libfribidi0-32bit
- Use %make_build macros.
==== git ====
Subpackages: git-core git-cvs git-daemon git-email git-gui git-svn git-web gitk
- Guard xmlto/sgml-skel BuildRequires by docs bcond.
- Fix building with asciidoctor and without DocBook4 stylesheets:
* Add 0002-Also-use-DocBook-5-stylesheet-when-generating-HTML-o.patch
* Refresh 0001-DOC-Move-to-DocBook-5-when-using-asciidoctor.patch
- Spec file cleanup, remove conditionals for obsolete/EOLed distros.
- Drop curl (executable) BuildRequires, only required by some skipped
tests (skipped as these have an apache2 prerequisite).
- added patch git-skip-test-s390x-aarch64-fail.patch
* workaround for bsc#1156651
==== gpg2 ====
Version update (2.2.17 -> 2.2.18)
Subpackages: gpg2-lang
- Update to 2.2.18 [bsc#1157900, CVE-2019-14855]
* gpg: Changed the way keys are detected on smartcards; this
allows the use of non-OpenPGP cards. In the case of a not very
likely regression the new option --use-only-openpgp-card is
available. [#4681]
* gpg: The commands --full-gen-key and --quick-gen-key now allow
direct key generation from supported cards. [#4681]
* gpg: Prepare against chosen-prefix SHA-1 collisions in key
signatures. This change removes all SHA-1 based key signatures
newer than 2019-01-19 from the web-of-trust. Note that this
includes all key signatures created with dsa1024 keys. The new
option --allow-weak-key-signatures can be used to override the new
and safer behaviour. [#4755,CVE-2019-14855]
* gpg: Improve performance for import of large keyblocks. [#4592]
* gpg: Implement a keybox compression run. [#4644]
* gpg: Show warnings from dirmngr about redirect and certificate
problems (details require --verbose as usual).
* gpg: Allow to pass the empty string for the passphrase if the
'--passphrase=' syntax is used. [#4633]
* gpg: Fix printing of the KDF object attributes.
* gpg: Avoid surprises with --locate-external-key and certain
--auto-key-locate settings. [#4662]
* gpg: Improve selection of best matching key. [#4713]
* gpg: Delete key binding signature when deleting a subkey.
[#4665,#4457]
* gpg: Fix a potential loss of key signatures during import with
self-sigs-only active. [#4628]
* gpg: Silence "marked as ultimately trusted" diagnostics if
option --quiet is used. [#4634]
* gpg: Silence some diagnostics during key listing even with
option --verbose. [#4627]
* gpg, gpgsm: Change parsing of agent's pkdecrypt results. [#4652]
* gpgsm: Support AES-256 keys.
* gpgsm: Fix a bug in triggering a keybox compression run if
--faked-system-time is used.
* dirmngr: System CA certificates are no longer used for the SKS
pool if GNUTLS instead of NTBTLS is used as TLS library. [#4594]
* dirmngr: On Windows detect usability of IPv4 and IPv6 interfaces
to avoid long timeouts. [#4165]
* scd: Fix BWI value for APDU level transfers to make Gemalto Ezio
Shield and Trustica Cryptoucan work. [#4654,#4566]
* wkd: gpg-wks-client --install-key now installs the required policy
file.
- Rebase patches:
* gnupg-2.2.8-files-are-digests.patch
* gnupg-add_legacy_FIPS_mode_option.patch
==== hwdata ====
Version update (0.329 -> 0.330)
- Update to version 0.330:
* Updated pci, usb and vendor ids.
==== icewm ====
Version update (1.5.4 -> 1.6.3)
Subpackages: icewm-config-upstream icewm-default icewm-lang icewm-lite
- Update to 1.6.3
* Much improved 32-bit icon drawing
* Add --trace=conf,icon option for path logging
* Several portability fixes for FreeBSD
* Update taskbar geometry on screen resize
* Support PNG format for theme image files
* Improved support for deprecated linux.xpm
* Highlight current workspace on startup
* Fix for themable cursors
* Fix for cmake build
* Fix for rpm build
* Updated man pages
* Updated translations
- Changes from 1.5.4
* Configurable X11 terminal to avoid dependency on xterm
* Fix support for themable cursors for gdk-pixbuf
* Fix Xft font corruption in 32-bit alpha mode
* Fix frame depth for 32-bit apps in 24-bit mode
* Enable tilde and $HOME expansion for icon paths
* Restore old behavior of ColorQuickSwitchActive for vertical switching
* IceSh addWorkspace, prop commands plus -Prop, -Role options
* IceSh fix getWorkspace for sticky windows, fix getOpacity, improve sync
* Expand installation prefix in default configuration files and manpages
* Fix typos in documentation and update Spanish translation
* Better icewm-session manpage
* Compile on GCC 9.2 without warning
* Improve CMake compilation
* IceWM splash image
* Silence icehelp
* Allow a taskbarbg.xpm or taskbarbg.png with transparency for a translucent taskbar
* Don't use composite on systray when using 24-bit RGB visuals for issue #374
* Update translations
* Use lzip instead of xz
* Add support for 32-bit RGBA visuals if Alpha is enabled.
* Colors can have a [100] opacity prefix, where 100 is a percentage from 1 to 100.
* Colors can also be specified in "rgba:" form.
* Alpha channels in icons are preserved and drawn if Alpha is enabled.
* Support showing a splash image on startup.
* Icesh has new commands sizeto, pid, systray, xembed, motif, symbols.
* Icesh supports filtering on and modifying gravity properties.
* New winoption "startClose" to immediately close unwanted windows.
* Several improvements to CMake builds.
* _NET_SYSTEM_TRAY_ORIENTATION and _NET_SYSTEM_TRAY_VISUAL are now supported.
* Nearly unlimited number of workspaces.
* New option TaskBarWorkspacesLimit to limit number of workspaces shown on taskbar.
* Workspace names can be edited on taskbar.
* Change default WorkspaceStatusTime to 700 milliseconds.
* Optimizations of resource usage on startup of icewm.
* Restore TaskBarFullscreenAutoShow for issue #361.
* Don't focus frame under mouse for ClickToFocus in issues #355 and #358.
* Only update if WM_NORMAL_HINTS has really changed for Xephyr in #353.
* Only update if WIN_HINTS has really changed.
* Fix icesh -last filter. Fix icesh toggleState for #354.
* Add another xrandr setup where second screen is primary.
* Remove support for EsounD.
* Add many new icesh features.
* Support opacity in icesh, icewmhint, winoptions.
* Set window type on all icewm windows.
* Set WM_CLASS on all icewm windows.
* Updated translations.
* More support for clang C++11.
==== libnftnl ====
Version update (1.1.4 -> 1.1.5)
- Update to release 1.1.5
* flowtable: add support for handle attribute
* obj/ct_timeout: Avoid array overrun in timeout_parse_attr_data()
==== libsndfile ====
- Remove build dependencies for progs subpackage from library:
* alsa-devel, only needed for the examples
* sqlite3-devel, only needed for the regression test
- Only build library, pass --disable-full-suite to configure
==== libsolv ====
Version update (0.7.7 -> 0.7.9)
Subpackages: libsolv-devel libsolv-tools python3-solv ruby-solv
- support conda constrains dependencies
- bump version to 0.7.9
- support arch<->noarch package changes when creating patch
conflicts from the updateinfo data
- support for SOLVER_BLACKLIST jobs that block the installation
of matched packages unless they are directly selected by an
SOLVER_INSTALL job
- libsolv now also parses the patch status in the updateinfo
parser
- new solvable_matchessolvable() function
- bump version to 0.7.8
==== libvirt ====
Version update (5.9.0 -> 5.10.0)
Subpackages: libvirt-bash-completion libvirt-client libvirt-daemon libvirt-daemon-driver-interface libvirt-daemon-driver-libxl libvirt-daemon-driver-lxc libvirt-daemon-driver-network libvirt-daemon-driver-nodedev libvirt-daemon-driver-nwfilter libvirt-daemon-driver-qemu libvirt-daemon-driver-secret libvirt-daemon-driver-storage libvirt-daemon-driver-storage-core libvirt-daemon-driver-storage-disk libvirt-daemon-driver-storage-gluster libvirt-daemon-driver-storage-iscsi libvirt-daemon-driver-storage-iscsi-direct libvirt-daemon-driver-storage-logical libvirt-daemon-driver-storage-mpath libvirt-daemon-driver-storage-rbd libvirt-daemon-driver-storage-scsi libvirt-daemon-lxc libvirt-daemon-qemu libvirt-daemon-xen libvirt-libs
- Update to libvirt 5.10.0
- bsc#1157149
- Many incremental improvements and bug fixes, see
https://libvirt.org/news.html
- Dropped patches:
2552752f-libxl-fix-lock-manager-lock-ordering.patch
- Added patches:
0a65cba4-news-fix.patch
- spec: Enable 'libvirt' firewalld zone for firewalld >= 0.7.0
boo#1157766
==== libvirt-glib ====
Version update (2.0.0 -> 3.0.0)
Subpackages: libvirt-glib-1_0-0 typelib-1_0-LibvirtGLib-1_0
- Update to version 3.0.0
+ Add support for bochs video device
+ Add API to query firmware config
+ Improve testing coverage
+ Validate min/max glib API versions in use
+ Remove deprecated G_PARAM_PRIVATE
+ Fix docs build linking problems
+ Convert python demos to be python 3 compatible & use
modern best practice for pyobject introspection bindings
+ Add API to query domain capabilities
+ Refresh translations
+ Simplify build process for handling translations
+ Fix some memory leaks
+ Add API for setting storage volume features
+ boo#1158282
==== libxml2 ====
Version update (2.9.9 -> 2.9.10)
Subpackages: libxml2-2 libxml2-2-32bit libxml2-devel libxml2-tools
- Since libxml2-2.9.10 perl-XML-LibXSLT fails to build: [bsc#1157450]
* Revert upstream commit to make xmlFreeNodeList non-recursive
https://github.com/GNOME/libxml2/commit/0762c9b69ba01628f72eada1c64ff3d361f…
- Add patch libxml2-xmlFreeNodeList-recursive.patch
- Version update to 2.9.10:
* Portability:
+ Fix exponent digits when running tests under old MSVC
+ Work around buggy ceil() function on AIX
+ Don't call printf with NULL string in runtest.c
+ Switched from unsigned long to ptrdiff_t in parser.c
+ timsort.h: support older GCCs
+ Make configure.ac work with older pkg-config
* Bug Fixes:
+ Fix for conditional sections at end of document
+ Make sure that Python tests exit with error code
+ Audit memory error handling in xpath.c
+ Fix error code in xmlTextWriterStartDocument
+ Fix integer overflow when counting written bytes
+ Fix uninitialized memory access in HTML parser
+ Fix memory leak in xmlSchemaValAtomicType
+ Disallow conditional sections in internal subset
+ Fix use-after-free in xmlTextReaderFreeNodeList
+ Fix Regextests
+ Fix empty branch in regex
+ Fix integer overflow in entity recursion check
+ Don't read external entities or XIncludes from stdin
+ Fix Schema determinism check of ##other namespaces
+ Fix potential null deref in xmlSchemaIDCFillNodeTables
+ Fix potential memory leak in xmlBufBackToBuffer
+ Fix error message when processing XIncludes with fallbacks
+ Fix memory leak in xmlRegEpxFromParse
+ 14:00 is a valid timezone for xs:dateTime
+ Fix memory leak in xmlParseBalancedChunkMemoryRecover
+ Fix potential null deref in xmlRelaxNGParsePatterns
+ Misleading error message with xs:{min|max}Inclusive
+ Fix memory leak in xmlXIncludeLoadTxt
+ Partial fix for comparison of xs:durations
+ Fix null deref in xmlreader buffer
+ Fix unability to RelaxNG-validate grammar with choice-based name class
+ Fix unability to validate ambiguously constructed interleave for RelaxNG
+ Fix possible null dereference in xmlXPathIdFunction
+ fix memory leak in xmlAllocOutputBuffer
+ Fix unsigned int overflow
+ dict.h: gcc 2.95 doesn't allow multiple storage classes
+ Fix another code path in xmlParseQName
+ Make sure that xmlParseQName returns NULL in error case
+ Fix build without reader but with pattern
+ Fix memory leak in xmlAllocOutputBufferInternal error path
+ Fix unsigned integer overflow
+ Fix return value of xmlOutputBufferWrite
+ Fix parser termination from "Double hyphen within comment" error
+ Fix call stack overflow in xmlFreePattern
+ Fix null deref in previous commit
+ Fix memory leaks in xmlXPathParseNameComplex error paths
+ Check for integer overflow in xmlXPtrEvalChildSeq
+ Fix xmllint dump of XPath namespace nodes
+ Fix float casts in xmlXPathSubstringFunction
+ Fix null deref in xmlregexp error path
+ Fix null pointer dereference in xmlTextReaderReadOuterXml
+ Fix memory leaks in xmlParseStartTag2 error paths
+ Fix memory leak in xmlSAX2StartElement
+ Fix commit "Memory leak in xmlFreeID (xmlreader.c)"
+ Fix NULL pointer deref in xmlTextReaderValidateEntity
+ Memory leak in xmlFreeTextReader
+ Memory leak in xmlFreeID (xmlreader.c)
* Improvements:
+ Propagate memory errors in valuePush
+ Propagate memory errors in xmlXPathCompExprAdd
+ Make xmlFreeDocElementContent non-recursive
+ Avoid ignored attribute warnings under GCC
+ Make xmlDumpElementContent non-recursive
+ Make apibuild.py ignore ATTRIBUTE_NO_SANITIZE
+ Mark xmlExp* symbols as removed
+ Make xmlParseConditionalSections non-recursive
+ Adjust expected error in Python tests
+ Make xmlTextReaderFreeNodeList non-recursive
+ Make xmlFreeNodeList non-recursive
+ Make xmlParseContent and xmlParseElement non-recursive
+ Remove executable bit from non-executable files
+ Fix expected output of test/schemas/any4
+ Optimize build instructions in README
+ xml2-config.in: Output CFLAGS and LIBS on the same line
+ xml2-config: Add a --dynamic switch to print only shared libraries
+ Annotate functions with __attribute__((no_sanitize))
+ Fix warnings when compiling without reader or push parser
+ Remove unused member `doc` in xmlSaveCtxt
+ Limit recursion depth in xmlXPathCompOpEvalPredicate
+ Remove -Wno-array-bounds
+ Remove unreachable code in xmlXPathCountFunction
+ Improve XPath predicate and filter evaluation
+ Limit recursion depth in xmlXPathOptimizeExpression
+ Disable hash randomization when fuzzing
+ Optional recursion limit when parsing XPath expressions
+ Optional recursion limit when evaluating XPath expressions
+ Use break statements in xmlXPathCompOpEval
+ Optional XPath operation limit
+ Fix compilation with --with-minimum
+ Check XPath stack after calling functions
+ Remove debug printf in xmlreader.c
+ Always define LIBXML_THREAD_ENABLED when enabled
+ Fix unused function warning in testapi.c
+ Remove unneeded function pointer casts
+ Fix -Wcast-function-type warnings (GCC 8)
+ Fix -Wformat-truncation warnings (GCC 8)
* Cleanups:
+ Rebuild docs
+ Disable xmlExp regex code
+ Remove redundant code in xmlRelaxNGValidateState
+ Remove redundant code in xmlXPathCompRelationalExpr
- Rebase patch fix-perl.diff
==== libxml2-python ====
Version update (2.9.9 -> 2.9.10)
- Since libxml2-2.9.10 perl-XML-LibXSLT fails to build: [bsc#1157450]
* Revert upstream commit to make xmlFreeNodeList non-recursive
https://github.com/GNOME/libxml2/commit/0762c9b69ba01628f72eada1c64ff3d361f…
- Add patch libxml2-xmlFreeNodeList-recursive.patch
- Version update to 2.9.10:
* Portability:
+ Fix exponent digits when running tests under old MSVC
+ Work around buggy ceil() function on AIX
+ Don't call printf with NULL string in runtest.c
+ Switched from unsigned long to ptrdiff_t in parser.c
+ timsort.h: support older GCCs
+ Make configure.ac work with older pkg-config
* Bug Fixes:
+ Fix for conditional sections at end of document
+ Make sure that Python tests exit with error code
+ Audit memory error handling in xpath.c
+ Fix error code in xmlTextWriterStartDocument
+ Fix integer overflow when counting written bytes
+ Fix uninitialized memory access in HTML parser
+ Fix memory leak in xmlSchemaValAtomicType
+ Disallow conditional sections in internal subset
+ Fix use-after-free in xmlTextReaderFreeNodeList
+ Fix Regextests
+ Fix empty branch in regex
+ Fix integer overflow in entity recursion check
+ Don't read external entities or XIncludes from stdin
+ Fix Schema determinism check of ##other namespaces
+ Fix potential null deref in xmlSchemaIDCFillNodeTables
+ Fix potential memory leak in xmlBufBackToBuffer
+ Fix error message when processing XIncludes with fallbacks
+ Fix memory leak in xmlRegEpxFromParse
+ 14:00 is a valid timezone for xs:dateTime
+ Fix memory leak in xmlParseBalancedChunkMemoryRecover
+ Fix potential null deref in xmlRelaxNGParsePatterns
+ Misleading error message with xs:{min|max}Inclusive
+ Fix memory leak in xmlXIncludeLoadTxt
+ Partial fix for comparison of xs:durations
+ Fix null deref in xmlreader buffer
+ Fix unability to RelaxNG-validate grammar with choice-based name class
+ Fix unability to validate ambiguously constructed interleave for RelaxNG
+ Fix possible null dereference in xmlXPathIdFunction
+ fix memory leak in xmlAllocOutputBuffer
+ Fix unsigned int overflow
+ dict.h: gcc 2.95 doesn't allow multiple storage classes
+ Fix another code path in xmlParseQName
+ Make sure that xmlParseQName returns NULL in error case
+ Fix build without reader but with pattern
+ Fix memory leak in xmlAllocOutputBufferInternal error path
+ Fix unsigned integer overflow
+ Fix return value of xmlOutputBufferWrite
+ Fix parser termination from "Double hyphen within comment" error
+ Fix call stack overflow in xmlFreePattern
+ Fix null deref in previous commit
+ Fix memory leaks in xmlXPathParseNameComplex error paths
+ Check for integer overflow in xmlXPtrEvalChildSeq
+ Fix xmllint dump of XPath namespace nodes
+ Fix float casts in xmlXPathSubstringFunction
+ Fix null deref in xmlregexp error path
+ Fix null pointer dereference in xmlTextReaderReadOuterXml
+ Fix memory leaks in xmlParseStartTag2 error paths
+ Fix memory leak in xmlSAX2StartElement
+ Fix commit "Memory leak in xmlFreeID (xmlreader.c)"
+ Fix NULL pointer deref in xmlTextReaderValidateEntity
+ Memory leak in xmlFreeTextReader
+ Memory leak in xmlFreeID (xmlreader.c)
* Improvements:
+ Propagate memory errors in valuePush
+ Propagate memory errors in xmlXPathCompExprAdd
+ Make xmlFreeDocElementContent non-recursive
+ Avoid ignored attribute warnings under GCC
+ Make xmlDumpElementContent non-recursive
+ Make apibuild.py ignore ATTRIBUTE_NO_SANITIZE
+ Mark xmlExp* symbols as removed
+ Make xmlParseConditionalSections non-recursive
+ Adjust expected error in Python tests
+ Make xmlTextReaderFreeNodeList non-recursive
+ Make xmlFreeNodeList non-recursive
+ Make xmlParseContent and xmlParseElement non-recursive
+ Remove executable bit from non-executable files
+ Fix expected output of test/schemas/any4
+ Optimize build instructions in README
+ xml2-config.in: Output CFLAGS and LIBS on the same line
+ xml2-config: Add a --dynamic switch to print only shared libraries
+ Annotate functions with __attribute__((no_sanitize))
+ Fix warnings when compiling without reader or push parser
+ Remove unused member `doc` in xmlSaveCtxt
+ Limit recursion depth in xmlXPathCompOpEvalPredicate
+ Remove -Wno-array-bounds
+ Remove unreachable code in xmlXPathCountFunction
+ Improve XPath predicate and filter evaluation
+ Limit recursion depth in xmlXPathOptimizeExpression
+ Disable hash randomization when fuzzing
+ Optional recursion limit when parsing XPath expressions
+ Optional recursion limit when evaluating XPath expressions
+ Use break statements in xmlXPathCompOpEval
+ Optional XPath operation limit
+ Fix compilation with --with-minimum
+ Check XPath stack after calling functions
+ Remove debug printf in xmlreader.c
+ Always define LIBXML_THREAD_ENABLED when enabled
+ Fix unused function warning in testapi.c
+ Remove unneeded function pointer casts
+ Fix -Wcast-function-type warnings (GCC 8)
+ Fix -Wformat-truncation warnings (GCC 8)
* Cleanups:
+ Rebuild docs
+ Disable xmlExp regex code
+ Remove redundant code in xmlRelaxNGValidateState
+ Remove redundant code in xmlXPathCompRelationalExpr
- Rebase patch fix-perl.diff
==== libxslt ====
Version update (1.1.33 -> 1.1.34)
Subpackages: libxslt-tools libxslt1
- Update to 1.1.34: Oct 30 2019
* Documentation:
- Fix EXSLT web pages, Regenerate web pages
- Fix Git link in news.html
- Minor documentation fixes after recent changes
- Regenerate symbols and API docs
- Regenerate EXSLT website
* Portability:
- Remove stubs when compiling without debugger or profiler
- configure.ac: Invoke PKG_CHECK_MODULES for building shared libraries
- configure.ac: Conditionally determine whether xml2-config should pass
shared libraries or static libraries
- xslt-config.in: Fix broken --prefix=DIR support
- libexslt.pc.in: Do not expose private library dependencies unless invoked
- libxslt.pc.in: Do not expose private library dependencies unless invoked
- Fix -Wformat-overflow warning (GCC 9)
- Stop including ansidecl.h
- Remove WIN32_EXTRA_* variables
- Build without winsock
* Bug Fixes:
- xsl:template without name and match attributes should not be allowed
- Make sure that Python tests exit with error code
- Improve handling of invalid UTF-8 in format-number
- Fix dangling pointer in xsltCopyText
- Fix memory leak in pattern compilation error path
- Fix uninitialized read with UTF-8 grouping chars
- Fix integer overflow in FORMAT_GYEAR
- Fix performance regression with xsl:number
- Backup XPath context node in xsltInitCtxtKey
- Fix unsigned integer overflow in date.c
- Fix insertion of xsl:fallback content
- Avoid quadratic behavior in xsltSaveResultTo
- Fix numbering in non-Latin scripts
- Fix uninitialized read of xsl:number token
- Fix integer overflow in _exsltDateDayInWeek
- Rework xsltAttrVT allocation
- Fix check of xsltTestCompMatch return value
- Fix security framework bypass
- Use xmlNewTextChild in EXSLT dyn:map
- Fix float casts in exsltDateDuration
- Always set context node before calling XPath iterators
- Fix attribute precedence with xsl:use-attribute-sets
- Backup context node in exsltFuncFunctionFunction
- Initialize ctxt->output before evaluating global vars
- Fix memory leak in EXSLT functions error path
* Improvements:
- Fix -Wimplicit-fallthrough warnings
- Adjust number of API index pages
- Make xsltCompileRelativePathPattern non-recursive
- Check that crypto:rc4_decrypt produces valid UTF-8
- Avoid recursion in keys.c:skipPredicate
- xslt-config.in: Simply handling of $all_flags
- xslt-config.in: Add a --dynamic option to --libs
- xslt-config.in: Simplify basic library handling
- xslt-config.in: Remove unused variable
- xslt-config: Simply handling of --cflags
- Improve fuzzers
- Always reuse XPath context
- Compile with -Wextra
- Make profiler support optional
- Hide unused code when compiling without debugger
- Reorganize fuzzing code
- Optional operation limit
- Improve seed corpus and dictionary
- Reuse XPath context when compiling stylesheets
- Reuse XPath context in dyn:map
- Reuse XPath context in saxon:expression
- Add libFuzzer targets
- Adjust error message in expected test output
- Change bug tracker URL
- Change git repo URL
- Regenerate NEWS
- Fix misleading indentation in security.c
* Cleanups:
- Remove empty TODO file
- Remove generated file libxsltclass.txt from version control
- Rebuild docs
- Rebase patch libxslt-config-fixes.patch
- Remove patches fixed upstream:
* libxslt-CVE-2019-11068.patch
* libxslt-CVE-2019-13117.patch
* libxslt-CVE-2019-13118.patch
* libxslt-CVE-2019-18197.patch
==== libyui-qt-graph ====
Version update (2.45.3 -> 2.45.5)
- Do not require graphviz-devel for the doc package (bsc#1157916)
- 2.45.5
- Respect backslashes (graphviz escString) in texts (bsc#1157916)
- 2.45.4
==== libzypp ====
Version update (17.15.0 -> 17.17.0)
- Introduce PurgeKernels class (bsc#1155198)
Adds libzypp API to mark all obsolete kernels according to the
existing purge-kernel script rules.
- Add solver jobs for retracted packages and ptfs.
Support for ptf packages and retracted patches.
- Do not enforce 'en' being in RequestedLocales (bsc#1155678)
If the user decides to have a system without explicit language
support he may do so.
- Pass correct posttrans script argument (fixes #190)
- BuildRequires: libsolv-devel >= 0.7.8.
- version 17.17.0 (12)
- Expose new libsolv API via C++ counterparts
(openSUSE/zypper#214)
- BuildRequires: libsolv-devel >= 0.7.7
- version 17.16.0 (12)
==== linux-glibc-devel ====
Version update (5.3 -> 5.4)
- Update to kernel headers 5.4
==== lirc ====
- Use python3-base BuildRequires instead of full python3
- Drop doxygen BuildRequires, the api-docs are bundled in the
source tarball and not regenerated, and are not even packaged.
- Move the portaudio based IR receiver driver behind a bcond - the
alsa based driver does the same, uses less resources, and does
not need an extra library.
==== mariadb-connector-c ====
Version update (3.1.4 -> 3.1.5)
- New upstream version 3.1.5 [bsc#1156669]
* MDEV-20469: Plugin dialog could not be loaded (wrong path)
* ODBC-440: Fixed typo in sha256_password cmake configuration
* CONC-418: For unknown/not handled schannel error codes
FormatMessage function will be used instead of returning
"Unknown error" message.
==== nano ====
Version update (4.5 -> 4.6)
Subpackages: nano-lang
- update to 4.6:
* re-introduce the formatter command (M-F)
* ^T will try to run 'hunspell' before 'spell', because it checks
spelling for the locale's language and understands UTF-8
* Multiple errors or warnings on startup will no longer slow nano
down but will be indicated on the status bar with trailing dots
==== openssl ====
Subpackages: libopenssl-devel
- Remove Obsoletes: pkgconfig(*): Only package names can be
obsoleted. Until RPM 4.15, those lines were simply ineffective
and being ignored, but with RPM 4.15 they result in an error.
==== ovmf ====
Version update (201908 -> 201911)
Subpackages: qemu-ovmf-x86_64
- Update to edk2-stable201911
+ SecurityPkg: Fix TPM2 ACPI measurement
+ MdeModulePkg: Enable variable runtime cache by default
+ OvmfPkg: Disable variable runtime cache
+ MdeModulePkg/Variable: Add RT GetVariable() cache support
+ CryptoPkg: Upgrade OpenSSL to 1.1.1d
+ MdePkg-UefiSpec.h: Add UEFI 2.8 new memory attributes
+ MdePkg/UefiFileHandleLib: Fix potential NULL dereference
+ NetworkPkg/HttpDxe: Set the HostName for the verification
(CVE-2019-14553)
+ NetworkPkg/TlsDxe: Add the support of host validation to TlsDxe
driver (CVE-2019-14553)
+ CryptoPkg/TlsLib: TlsSetVerifyHost: parse IP address literals
as such (CVE-2019-14553)
+ CryptoPkg/TlsLib: Add the new API "TlsSetVerifyHost"
(CVE-2019-14553)
+ MdePkg/Include/Protocol/Tls.h: Add the data type of
EfiTlsVerifyHost (CVE-2019-14553)
+ MdeModulePkg/BdsDxe: Fix PlatformRecovery issue
+ NetworkPkg/SnpDxe: Add PCD to remove ExitBootServices event
from SNP driver
+ MdeModulePkg: Update to support SmBios 3.3.0
+ UefiCpuPkg/MpInitLib: honor the platform's boot CPU count in AP
detection
+ SecurityPkg/Tcg2: Add Support Laml, Lasa for TPM2 ACPI
+ OvmfPkg/PlatformDxe: fix EFI_HII_HANDLE parameters of internal
functions
+ OvmfPkg/VirtioNetDxe: fix SignalEvent() call
+ OvmfPkg/XenBusDxe: fix UninstallMultipleProtocolInterfaces()
call
+ NetworkPkg/Ip4Dxe: fix NetLibDestroyServiceChild() call
+ MdeModulePkg/ScsiDiskDxe: Support Storage Security Command
Protocol
+ MdePkg: Implement SCSI commands for Security Protocol In/Out
+ MdeModulePkg/TerminalDxe: Enhance the arrow keys support
+ MdeModulePkg/UefiBootManager: Unload image on
EFI_SECURITY_VIOLATION
+ MdeModulePkg/DxeCapsuleLibFmp: Unload image on
EFI_SECURITY_VIOLATION
+ MdeModulePkg: Extend the support keyboard type of Terminal
console
+ UefiCpuPkg/CpuExceptionHandlerLib: Fix split lock
+ UefiCpuPkg: Fix potential spinLock issue in SmmStartupThisAp
+ UefiCpuPkg/PiSmmCpu: Enable 5L paging only when phy addr line
> 48
+ OvmfPkg/EnrollDefaultKeys: clean up Base64Decode() retval
handling
+ ArmVirtPkg/PlatformBootManagerLib: unload image on
EFI_SECURITY_VIOLATION
+ ShellPkg/ShellPkg.dsc AARCH64: enable stack protector
+ ArmVirtPkg/ArmVirtPrePiUniCoreRelocatable: revert to PIE
linking
+ BaseTools/GenFw AARCH64: fix up GOT based relative relocations
+ ShellPkg/Pci.c: Update supported link speed to PCI5.0
+ PcAtChipsetPkg: add PcdRealTimeClockUpdateTimeout
+ UefiCpuPkg: Add PcdCpuSmmRestrictedMemoryAccess
+ ShellPkg/CommandLib: avoid NULL dereference and memory leak
+ MdePkg/DxeHstiLib: Added checks to improve error handling
+ BaseTools: Support more file types in build cache
+ UefiCpuPkg/SecCore: get AllSecPpiList after SecPlatformMain
- Update openssl to 1.1.1d
+ Add openssl-fix-syntax-error.patch to fix a syntax error
- Drop ovmf-bsc1153072-fix-invalid-https-cert.patch
+ Already upstreamed
==== perl ====
Subpackages: perl-base perl-doc
- Add perl-Adapt-Configure-to-GCC-version-10.patch in order
to fix boo#1158254.
==== perl-HTTP-Cookies ====
Version update (6.07 -> 6.08)
- updated to 6.08
see /usr/share/doc/packages/perl-HTTP-Cookies/Changes
6.08 2019-12-02 15:58:32Z
- allow different "ignore_discard" value at save() time (GH#2) (Alex Peters)
==== perl-Socket6 ====
Version update (0.28 -> 0.29)
- Add manual license BSD-3-Clause to cpanspec.yml
Limit description to 2 paragraphs
- updated to 0.29
see /usr/share/doc/packages/perl-Socket6/ChangeLog
2018-09-30 Hajimu UMEMOTO <ume(a)mahoroba.org>
* Socket6.pm: Bump version number to 0.29.
* Socket6.xs: Updates the tests for handling the correct headers
on NetBSD and DragonFly BSD.
Submitted by: Sevan Janiyan <venture37 [...] geeklan.co.uk>
==== perl-X500-DN ====
- No mix between numbered and unnumbered patches: RPM 4.15 finally
no longer supports that.
==== perl-XML-LibXML ====
Version update (2.0134 -> 2.0201)
- Update to 2.0201
2.0201 2019-05-25
- Set MIN_PERL_VERSION to 5.8.1.
- Alien::Libxml2 Makefile.PL cleanups.
- Update the README for grammar and info.
- Link to XML-LibXML "by Example"
- https://github.com/shlomif/perl-XML-LibXML/pull/36
- Thanks to @Grinnz .
2.0200 2019-03-23
- Convert to use Alien::Libxml2 .
- https://github.com/shlomif/perl-XML-LibXML/pull/30
- Thanks to @genio and @plicease .
==== perl-XML-LibXSLT ====
- Fix basic test that fails when build and run time versions are the same
* Add patch perl-XML-LibXSLT-lib-versions.patch
- Update spec file
* Use https and metacpan.org
* Use license tag for the LICENSE file
* Add cpanspec.yml file
==== permissions ====
Version update (1550_20191118 -> 1550_20191205)
Subpackages: chkstat permissions-config permissions-doc
- Update to version 20191205:
* fix privilege escalation through untrusted symlinks (bsc#1150734,
CVE-2019-3690)
- Update to version 20191122:
* faxq-helper: correct "secure" permission for trusted group (bsc#1157498)
==== postfix ====
Version update (3.4.7 -> 3.4.8)
Subpackages: postfix-doc
- Update to 3.4.8:
* Fix for an Exim interoperability problem when postscreen after-220
checks are enabled. Bug introduced in Postfix 3.4: the code
that detected "PIPELINING after BDAT" looked at the wrong
variable. The warning now says "BDAT without valid RCPT", and
the error is no longer treated as a command PIPELINING error,
thus allowing mail to be delivered. Meanwhile, Exim has been
fixed to stop sending BDAT commands when postscreen rejects all
RCPT commands.
* Usability bug, introduced in Postfix 3.4: the parser for
key/certificate chain files rejected inputs that contain an EC
PARAMETERS object. While this is technically correct (the
documentation says what types are allowed) this is surprising
behavior because the legacy cert/key parameters will accept
such inputs. For now, the parser skips object types that it
does not know about for usability, and logs a warning because
ignoring inputs is not kosher.
* Bug introduced in Postfix 2.8: don't gratuitously enable all
after-220 tests when only one such test is enabled. This made
selective tests impossible with 'good' clients. This will be
fixed in older Postfix versions at some later time.
==== python ====
Subpackages: python-curses python-tk
- Move /etc/pythonstart script to shared-python-startup
package.
- Add bpo-36576-skip_tests_for_OpenSSL-111.patch (originally from
bpo#36576) skipping tests failing with OpenSSL 1.1.1. Fixes
bsc#1149792
- Add adapted-from-F00251-change-user-install-location.patch fixing
pip/distutils to install into /usr/local.
- Update to 2.7.17:
- a bug fix release in the Python 2.7.x series. It is expected
to be the penultimate release for Python 2.7.
- Removed patches included upstream:
- CVE-2018-20852-cookie-domain-check.patch
- CVE-2019-16935-xmlrpc-doc-server_title.patch
- CVE-2019-9636-netloc-no-decompose-characters.patch
- CVE-2019-9947-no-ctrl-char-http.patch
- CVE-2019-9948-avoid_local-file.patch
- python-2.7.14-CVE-2018-1000030-1.patch
- python-2.7.14-CVE-2018-1000030-2.patch
- Renamed remove-static-libpython.diff and python-bsddb6.diff to
remove-static-libpython.patch and python-bsddb6.patch to unify
filenames.
- Add CVE-2019-16935-xmlrpc-doc-server_title.patch fixing
bsc#1153238 (aka CVE-2019-16935) fixing a reflected XSS in
python/Lib/DocXMLRPCServer.py
- Add bpo36302-sort-module-sources.patch (boo#1041090)
- Add CVE-2019-16056-email-parse-addr.patch fixing the email
module wrongly parsing email addresses [bsc#1149955,
CVE-2019-16056]
- boo#1141853 (CVE-2018-20852) add
CVE-2018-20852-cookie-domain-check.patch fixing
http.cookiejar.DefaultPolicy.domain_return_ok which did not
correctly validate the domain: it could be tricked into sending
cookies to the wrong server.
- Skip test_urllib2_localnet that randomly fails in OBS
- bsc#1138459: add CVE-2019-10160-netloc-port-regression.patch
which fixes regression introduced by the previous patch.
(CVE-2019-10160)
Upstream gh#python/cpython#13812
- Set _lto_cflags to nil as it will prevent propagating LTO
for Python modules that are built in a separate package.
- bsc#1130840 (CVE-2019-9947): add CVE-2019-9947-no-ctrl-char-http.patch
Address the issue by disallowing URL paths with embedded
whitespace or control characters through into the underlying
http client request. Such potentially malicious header
injection URLs now cause a ValueError to be raised.
- bsc#1130847 (CVE-2019-9948) add CVE-2019-9948-avoid_local-file.patch
removing unnecessary (and potentially harmful) URL scheme
local-file://.
- bsc#1129346: add CVE-2019-9636-netloc-no-decompose-characters.patch
Characters in the netloc attribute that decompose under NFKC
normalization (as used by the IDNA encoding) into any of ``/``,
``?``, ``#``, ``@``, or ``:`` will raise a ValueError. If the
URL is decomposed before parsing, or is not a Unicode string,
no error will be raised (CVE-2019-9636).
Upstream commits e37ef41 and 507bd8c.
- Update to 2.7.16:
* bugfix-only release: complete list of changes on
https://github.com/python/cpython/blob/2.7/Misc/NEWS.d/2.7.16rc1.rst
* Removed openssl-111.patch and CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch
which are fully included in the tarball.
* Updated patches to apply cleanly:
CVE-2019-5010-null-defer-x509-cert-DOS.patch
bpo36160-init-sysconfig_vars.patch
do-not-use-non-ascii-in-test_ssl.patch
openssl-111-middlebox-compat.patch
openssl-111-ssl_options.patch
python-2.5.1-sqlite.patch
python-2.6-gettext-plurals.patch
python-2.7-dirs.patch
python-2.7.2-fix_date_time_compiler.patch
python-2.7.4-canonicalize2.patch
python-2.7.5-multilib.patch
python-2.7.9-ssl_ca_path.patch
python-bsddb6.diff
remove-static-libpython.patch
* Update python-2.7.5-multilib.patch to pass with new platlib
regime.
- bsc#1109847: add CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch
fixing bpo-34623.
- bsc#1073748: add bpo-29347-dereferencing-undefined-pointers.patch
PyWeakref_NewProxy@Objects/weakrefobject.c creates new instance
of PyWeakReference struct and does not initialize wr_prev and
wr_next of new instance. These pointers can have garbage and
point to random memory locations.
Python should not crash while destroying the instance created
in the same interpreter function. As per my understanding, both
wr_prev and wr_next of PyWeakReference instance should be
initialized to NULL to avoid segfault.
- bsc#1122191: add CVE-2019-5010-null-defer-x509-cert-DOS.patch
fixing bpo-35746.
An exploitable denial-of-service vulnerability exists in the
X509 certificate parser of Python.org Python 2.7.11 / 3.7.2.
A specially crafted X509 certificate can cause a NULL pointer
dereference, resulting in a denial of service. An attacker can
initiate or accept TLS connections using crafted certificates
to trigger this vulnerability.
- Use upstream-recommended %{_rpmconfigdir}/macros.d directory
for the rpm macros.
- Add patch openssl-111.patch to work with openssl-1.1.1
(bsc#1113755)
- Apply "CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch" which
converts shutil._call_external_zip to use subprocess rather than
distutils.spawn. [bsc#1109663, CVE-2018-1000802]
- Apply "CVE-2018-1061-DOS-via-regexp-difflib.patch" to prevent
low-grade poplib REDOS (CVE-2018-1060) and to prevent difflib REDOS
(CVE-2018-1061). Prior to this patch mail server's timestamp was
susceptible to catastrophic backtracking on long evil response from
the server. Also, it was susceptible to catastrophic backtracking,
which was a potential DOS vector.
[bsc#1088004 and bsc#1088009, CVE-2018-1061 and CVE-2018-1060]
- Apply "CVE-2017-18207.patch" to add a check to Lib/wave.py that
verifies that at least one channel is provided. Prior to this
check, attackers could cause a denial of service (divide-by-zero
error and application crash) via a crafted wav format audio file.
[bsc#1083507, CVE-2017-18207]
- Apply "python-sorted_tar.patch" (bsc#1086001, boo#1081750)
sort tarfile output directory listing
- update to 2.7.15
* dozens of bugfixes, see NEWS for details
- removed obsolete patches:
* python-ncurses-6.0-accessors.patch
* python-fix-shebang.patch
* gcc8-miscompilation-fix.patch
- add patch from upstream:
* do-not-use-non-ascii-in-test_ssl.patch
- Add gcc8-miscompilation-fix.patch (boo#1084650).
- Apply "python-2.7.14-CVE-2017-1000158.patch" to prevent integer
overflows in PyString_DecodeEscape that could have resulted in
heap-based buffer overflow attacks and possible arbitrary code
execution. [bsc#1068664, CVE-2017-1000158]
- exclude test_socket & test_subprocess for PowerPC boo#1078485
(same ref as previous change)
- Add python-skip_random_failing_tests.patch bypass boo#1078485
and exclude many tests for PowerPC
- Add patch python-fix-shebang.patch to fix bsc#1078326
==== python-PyYAML ====
Version update (5.1.2 -> 5.2)
- update to 5.2
* A more flexible fix for custom tag constructors
* Change default loader for yaml.add_constructor
* Change default loader for add_implicit_resolver, add_path_resolver
* Move constructor for object/apply to UnsafeConstructor
* Fix logic for quoting special characters
==== python-base ====
Subpackages: libpython2_7-1_0 python-xml
- Move /etc/pythonstart script to shared-python-startup
package.
- Add bpo-36576-skip_tests_for_OpenSSL-111.patch (originally from
bpo#36576) skipping tests failing with OpenSSL 1.1.1. Fixes
bsc#1149792
- Add adapted-from-F00251-change-user-install-location.patch fixing
pip/distutils to install into /usr/local.
==== python-h2 ====
- Skip one test that is flaky
==== python-libvirt-python ====
Version update (5.9.0 -> 5.10.0)
- Update to 5.10.0
- Add all new APIs and constants in libvirt 5.10.0
==== python-lxml ====
Subpackages: python-lxml-doc python3-lxml
- Add lxml-libxml-2.9.10.patch: Fix build against libxml 2.9.10.
==== python-psutil ====
Version update (5.6.5 -> 5.6.7)
- update to version 5.6.7:
* Bug fixes
+ 1630: [Windows] can't compile source distribution due to C
syntax error.
- changes from version 5.6.6:
* Bug fixes
+ 1179: [Linux] Process cmdline() now takes into account
misbehaving processes renaming the command line and using
inappropriate chars to separate args.
+ 1616: use of Py_DECREF instead of Py_CLEAR will result in double
free and segfault (CVE). (patch by Riccardo Schirone)
+ 1619: [OpenBSD] compilation fails due to C syntax error. (patch
by Nathan Houghton)
==== python-pywbem ====
Version update (0.11.0 -> 0.14.6)
- Cleanup specfile
- Install license correctly
- Add missing dependency on python-pbr
- Update to version 0.14.6:
Lots of changes, additions, and deprecations, see full list at:
https://pywbem.readthedocs.io/en/stable_0.14/changes.html#pywbem-0-14-6
==== python-simplejson ====
Version update (3.16.1 -> 3.17.0)
- specfile:
* update copyright year
- update to version 3.17.0:
* Updated documentation to be Python 3 first, and
have removed documentation notes about version changes
that occurred more than five years ago.
https://github.com/simplejson/simplejson/pull/257
https://github.com/simplejson/simplejson/pull/254
* Update build matrix for Python 3.8
https://github.com/simplejson/simplejson/pull/255
https://github.com/simplejson/simplejson/pull/256
==== rdma-core ====
Subpackages: libefa1 libibverbs libibverbs1 libmlx4-1 libmlx5-1 librdmacm1
- Add Broadcom fixes (bsc#1157891)
- bnxt_re-lib-Add-remaining-pci-ids-for-gen-P5-devices.patch
- bnxt_re-lib-Recognize-additional-5750x-device-ID-s.patch
==== read-only-root-fs ====
Version update (1.0+git20191112.42add9e -> 1.0+git20191203.3f7cc07)
- Update to version 1.0+git20191203.3f7cc07:
* Workaround /var being RO during systemd-journal-flush (boo#1156421)
==== salt ====
Version update (2019.2.0 -> 2019.2.2)
Subpackages: python3-salt salt-master salt-minion
- Prevent test_mod_del_repo_multiline_values to fail
- Read repo info without using interpolation (bsc#1135656)
- Requires vs BuildRequires
- Limiting M2Crypto to >= SLE15
- Replacing pycrypto with M2Crypto
- Fix for log checking in x509 test
- Update to 2019.2.2 release
- Added:
* fix-for-log-checking-in-x509-test.patch
* prevent-test_mod_del_repo_multiline_values-to-fail.patch
* read-repo-info-without-using-interpolation-bsc-11356.patch
- Modified:
* async-batch-implementation.patch
* add-hold-unhold-functions.patch
* adds-the-possibility-to-also-use-downloadonly-in-kwa.patch
* decide-if-the-source-should-be-actually-skipped.patch
* allow-passing-kwargs-to-pkg.list_downloaded-bsc-1140.patch
* add-batch_presence_ping_timeout-and-batch_presence_p.patch
* run-salt-master-as-dedicated-salt-user.patch
* run-salt-api-as-user-salt-bsc-1064520.patch
* fix-unit-test-for-grains-core.patch
* add-environment-variable-to-know-if-yum-is-invoked-f.patch
* fix-async-batch-multiple-done-events.patch
* activate-all-beacons-sources-config-pillar-grains.patch
* fix-for-older-mock-module.patch
* do-not-break-repo-files-with-multiple-line-values-on.patch
* fall-back-to-pymysql.patch
* add-missing-fun-for-returns-from-wfunc-executions.patch
* loosen-azure-sdk-dependencies-in-azurearm-cloud-driv.patch
* add-virt.volume_infos-and-virt.volume_delete.patch
* fix-issue-2068-test.patch
* switch-firewalld-state-to-use-change_interface.patch
* make-aptpkg.list_repos-compatible-on-enabled-disable.patch
* fix-ipv6-scope-bsc-1108557.patch
* 2019.2.0-pr-54196-backport-173.patch
* do-not-make-ansiblegate-to-crash-on-python3-minions.patch
* x509-fixes-111.patch
* prevent-ansiblegate-unit-tests-to-fail-on-ubuntu.patch
* fix-zypper.list_pkgs-to-be-aligned-with-pkg-state.patch
* add-cpe_name-for-osversion-grain-parsing-u-49946.patch
* fix-failing-unit-tests-for-batch-async.patch
* temporary-fix-extend-the-whitelist-of-allowed-comman.patch
* improve-batch_async-to-release-consumed-memory-bsc-1.patch
* batch.py-avoid-exception-when-minion-does-not-respon.patch
* preserve-already-defined-destructive_tests-and-expen.patch
* virt.volume_infos-fix-for-single-vm.patch
* move-server_id-deprecation-warning-to-reduce-log-spa.patch
* include-aliases-in-the-fqdns-grains.patch
* don-t-call-zypper-with-more-than-one-no-refresh.patch
* add-custom-suse-capabilities-as-grains.patch
* get-os_arch-also-without-rpm-package-installed.patch
* add-saltssh-multi-version-support-across-python-inte.patch
* accumulated-changes-required-for-yomi-165.patch
* use-adler32-algorithm-to-compute-string-checksums.patch
* remove-arch-from-name-when-pkg.list_pkgs-is-called-w.patch
* use-current-ioloop-for-the-localclient-instance-of-b.patch
* remove-virt.pool_delete-fast-parameter-178.patch
* add-multi-file-support-and-globbing-to-the-filetree-.patch
* use-threadpool-from-multiprocessing.pool-to-avoid-le.patch
* prevent-systemd-run-description-issue-when-running-a.patch
* integration-of-msi-authentication-with-azurearm-clou.patch
* virt.volume_infos-needs-to-ignore-inactive-pools-174.patch
* virt-1.volume_infos-fix-for-single-vm.patch
* add-supportconfig-module-for-remote-calls-and-saltss.patch
* avoid-excessive-syslogging-by-watchdog-cronjob-58.patch
* strip-trailing-from-repo.uri-when-comparing-repos-in.patch
* preserving-signature-in-module.run-state-u-50049.patch
* fix-zypper-pkg.list_pkgs-expectation-and-dpkg-mockin.patch
* fix-aptpkg-systemd-call-bsc-1143301.patch
* calculate-fqdns-in-parallel-to-avoid-blockings-bsc-1.patch
* remove-unnecessary-yield-causing-badyielderror-bsc-1.patch
* debian-info_installed-compatibility-50453.patch
* add-standalone-configuration-file-for-enabling-packa.patch
* accumulated-changes-from-yomi-167.patch
* add-virt.all_capabilities.patch
* fix-memory-leak-produced-by-batch-async-find_jobs-me.patch
* do-not-report-patches-as-installed-when-not-all-the-.patch
* support-config-non-root-permission-issues-fixes-u-50.patch
* add-all_versions-parameter-to-include-all-installed-.patch
* fixes-cve-2018-15750-cve-2018-15751.patch
* fix-bsc-1065792.patch
* enable-passing-a-unix_socket-for-mysql-returners-bsc.patch
* avoid-traceback-when-http.query-request-cannot-be-pe.patch
* restore-default-behaviour-of-pkg-list-return.patch
* take-checksums-arg-into-account-for-postgres.datadir.patch
* early-feature-support-config.patch
* provide-the-missing-features-required-for-yomi-yet-o.patch
* implement-network.fqdns-module-function-bsc-1134860-.patch
* fix-virt.full_info-176.patch
* checking-for-jid-before-returning-data.patch
* virt.volume_infos-silence-libvirt-error-message-175.patch
* do-not-crash-when-there-are-ipv6-established-connect.patch
* fix-for-suse-expanded-support-detection.patch
* fix-a-wrong-rebase-in-test_core.py-180.patch
* add-ppc64le-as-a-valid-rpm-package-architecture.patch
* make-profiles-a-package.patch
* bugfix-any-unicode-string-of-length-16-will-raise-ty.patch
* fix-git_pillar-merging-across-multiple-__env__-repos.patch
* return-the-expected-powerpc-os-arch-bsc-1117995.patch
* fix-async-batch-race-conditions.patch
* do-not-load-pip-state-if-there-is-no-3rd-party-depen.patch
- Removed:
* fix-syndic-start-issue.patch
* prevent-already-reading-continuous-exception-message.patch
* virt.pool_running-fix-pool-start.patch
* azurefs-gracefully-handle-attributeerror.patch
* virt-handle-whitespaces-in-vm-names.patch
* mount-fix-extra-t-parameter.patch
* try-except-undefineflags-as-this-operation-is-not-su.patch
==== sensors ====
Version update (3.5.0 -> 3.6.0)
Subpackages: libsensors4
- Removed upstreamed patch lm_sensors-3.4.0-sensors-detect-ppc64le.patch
- Update to version 3.6.0:
+ configs: Added a number of new configuration files
+ fancontrol: AVERAGE env variable can be used to set the number of previous readings to average
+ Makefile: The MACHINE variable has been renamed to ARCH
+ sensord: Add an option -1/--oneline to print chip and adapter on the same line
+ sensors: Fixed a stray comma bug in the JSON output
* Fixed Fahrenheit conversion with raw and JSON output
* Scale voltage and current values in the default output format
+ sensors-detect: Add detection of AMD Family 17h, models 30h, 70h
* Add detection of some AMD Family 15h models
* Add detection of AMD Family 16h model 30h power sensors
* Add detection of Hygon Family 18h thermal sensors
* Add detection of Nuvoton NCT6797D
* Add detection of Nuvoton NCT6798D
* Add detection of Nuvoton NCT6112D/NCT6114D/NCT6116D
* Fix printing CPU info on non-x86 arches
* Fix printing lm_sensors version
* Mark Fintek F75387SG/RG as supported by the f75375s driver
==== sssd ====
Version update (2.2.0 -> 2.2.2)
Subpackages: libsss_certmap0 libsss_idmap0 libsss_nss_idmap0 sssd-32bit sssd-krb5-common sssd-ldap
- Update to release 2.2.2
* New options were added which allow sssd-kcm to handle bigger
data. See manual pages for max_ccaches, max_uid_caches and
max_ccache_size.
* SSSD can now automatically refresh cached user data from
subdomains in IPA/AD trust.
* Fixed issue with SSSD hanging when connecting to
non-responsive server with ldaps://.
* SSSD is now restarted by systemd after crashes.
==== tcsh ====
Version update (6.21.00 -> 6.22.02)
Subpackages: tcsh-lang
- Update to tcsh bug fix version V6.22.02 - 20191204
* Fix version in configure.ac
- Drop patches
* tcsh-6.21.0-history-file-locking.patch
As upstream introduced its own history file locking
* tcsh-6.18.03-history-merge.dif
To respect upstream history merge handling
* tcsh-6.19.00-history-file-locking-order.patch
Not required due to dropped tcsh-6.21.0-history-file-locking.patch
* tcsh-6.20.00-avoid-dotlock-for-fcntl.patch
Not required due to dropped tcsh-6.21.0-history-file-locking.patch
* tcsh-6.18.01-history-stderror-jmp.patch
Not required due to dropped tcsh-6.21.0-history-file-locking.patch
- Update to tcsh bug fix version V6.22.01 - 20191201
* undo PR/88: Preserve empty arguments in :q, since it breaks
$ set x=""
$ alias test "echo "\""$x:q"\"" is working."
$ alias test
echo "
- Update to tcsh bug fix version V6.22.00 - 20191128
* PR/113: Sobomax: avoid infinite loops for -c commands when stdout is
not a tty.
* Avoid infinite loops during history loads when merging, print a better
error for errors during history load.
* PR/88: Preserve empty arguments in :q
* PR/94: Small apple issues (SAVESIGVEC, HOSTTYPE)
* PR/81: Fix range matching issue where we were comparing with the
range character instead of the start of range. [l-z]* would match foo
- Drop patch tcsh-6.21.00-sighup-deadlock.patch as now superfluous
- Port patches
* tcsh-6.17.06-dspmbyte.dif
* tcsh-6.18.01-history-stderror-jmp.patch
* tcsh-6.19.00-history-file-locking-order.patch
* tcsh-6.20.00-avoid-dotlock-for-fcntl.patch
* tcsh-6.21.0-history-file-locking.patch
* tcsh-6.21.00-sighup-deadlock.patch
* tcsh-6.21.00.dif
==== transactional-update ====
Version update (2.17 -> 2.20)
Subpackages: transactional-update-zypp-config
- Update to version 2.20
- Add the option `--continue` to extend an existing snapshot. This can be
used to perform multiple operations before rebooting into the new state.
[gh#openSUSE/transactional-update#16]
- Make sure the dracut service to print warnings on /etc overlay conflicts
also runs in the pre-made images.
- Add "none" reboot method
- Remove conflicting overlay artifacts in case an existing overlay directory
will be reused
==== v4l2loopback ====
Version update (0.12.2_k5.3.12_1 -> 0.12.3_k5.3.12_1)
- Update to version 0.12.3
* v4l2loopback: Port to kernel 5.4+
* Set video_device->device_caps for linux>4.7.0
* Set some more device_caps
* Update issue templates
==== vim ====
Version update (8.1.2233 -> 8.1.2383)
Subpackages: gvim vim-data vim-data-common
- Updated to version 8.1.2383, fixes the following problems
+ refreshed patches: vim-7.3-help_tags.patch
vim-7.3-name_vimrc.patch
vim-8.1.0297-dump3.patch
* Cannot get the Vim command line arguments.
* get_short_pathname() fails depending on encoding.
* "C" with 'virtualedit' set does not include multi-byte char.
* Ml_get error if pattern matches beyond last line.
* Mode() result after using "r" depends on whether CURSOR_SHAPE is
defined. (Christian Brabandt)
* Error in docs tags goes unnoticed.
* Popup window width changes when scrolling.
* Match highlight does not combine with 'wincolor'.
* Creating docs tags uses user preferences. (Tony Mechelynck)
* 'wrapscan' is not used for "gn".
* Third character of 'listchars' tab shows in wrong place when 'breakindent'
is set.
* Some tests are still in old style.
* "make vimtags" does not work in runtime/doc.
* CTRL-W dot does not work in a terminal when modifyOtherKeys is enabled.
* "make vimtags" does not print any message.
* CTRL-U and CTRL-D don't work in popup window.
* ":term command" may not work without a shell.
* Compiler warning for int size.
* Using "which" to check for an executable is not reliable.
* May get hit-enter prompt after entering a number. (Malcolm Rowe)
* Running tests may leave XfakeHOME behind.
* With modifyOtherKeys set 'noesckeys' doesn't work. (James McCoy)
* Unpack assignment in function not recognized.
* 'noesckeys' test fails in GUI.
* There are two test files for :let.
* When popup with "botleft" does not fit it flips incorrectly.
* Position unknown for a mouse click in a popup window.
* Compiler warning for uninitialized variable. (Tony Mechelynck)
* Spell file flag zero is not recognized.
* Tags file with very long line stops using binary search.
* "gf" is not tested in Visual mode.
* Build error if FEAT_TAG_BINS is not defined. (John Marriott)
* Test may hang at more prompt.
* Wrong default when "pos" is changed with popup_atcursor().
* Newlines in 'balloonexpr' result only work in the GUI.
* Using "seesion" looks like a mistake.
* Terminal window is not updated when info popup changes.
* Using "cd" with "exe" may fail.
* Computation of highlight attributes is too complicated.
* Crash when passing partial to substitute().
* 'showbreak' cannot be set for one window.
* Crash when passing many arguments through a partial. (Andy Massimino)
* Missed on use of p_sbr.
* Compiler warning for unused variable. (Tony Mechelynck)
* Padding in structures wastes memory.
* Using border highlight in popup window leaks memory.
* Using EndOfBuffer highlight in popup does not look good.
* Not using all space when popup with "topleft" flips to above.
* After :diffsplit closing the window does not disable diff.
* Autocommand test fails.
* Memory leak when executing command in a terminal.
* v:mouse_winid not set on click in popup window.
* Join adds trailing space when second line is empty. (Brennan Vincent)
* Cursor position wrong when characters are concealed and a search causes
a scroll.
* If buffer of popup is in another window cursorline sign shows.
* Text properties are not combined with syntax by default.
* The ex_vimgrep() function is too long.
* Missing part of 8.1.2296.
* ConPTY in MS-Windows 1909 is still wrong.
* Redraw breaks going through list of popup windows.
* :lockmarks does not work for '[ and '].
* Cursor in wrong position after horizontal scroll.
* Cannot get the mouse position when getting a mouse click.
* No warning for wrong entry in translations.
* Double and triple clicks are not tested.
* Positioning popup doesn't work for buffer-local textprop.
* Deleting text before zero-width textprop removes it.
* Compiler warning for argument type.
* No proper test for directory changes in quickfix.
* Warning for missing function prototype.
* "line:" field in tags file not used.
* Debugging where a delay comes from is not easy.
* vi' sometimes does not select anything.
* Not always using the right window when jumping to an error.
* FORTIFY_SOURCE can also be present in CPPFLAGS.
* No test for spell affix file with flag on suffix.
* Compiler warning for int size.
* Insufficient test coverage for quickfix.
* Cannot select all text with the mouse. (John Marriott)
* Quickfix test fails in very big terminal.
* Width of scrollbar in popup menu not taken into account.
* Crash when using balloon with empty line.
* Cannot parse a date/time string.
* Cannot build with Hangul input.
* A few hangul input pieces remain.
* Mouse multiple click test is a bit flaky.
* vi' does not always work when 'selection' is exclusive.
* The option.c file is still very big.
* Missing file in refactoring.
* With modifyOtherKeys CTRL-^ doesn't work.
* Possible NULL pointer dereference in popup_locate(). (Coverity)
* Error message for function arguments may use NULL pointer. (Coverity)
* When an expr mapping moves the cursor it is not restored.
* Double-click time sometimes miscomputed.
* Using Visual mark with :s gives E20 if not set.
* Insufficient testing for quickfix.
* Quickfix test fails under valgrind and asan.
* Not so easy to interrupt a script programmatically.
* Random number generator in Vim script is slow.
* Using time() for srand() is not very random.
* .cjs files are not recognized as Javascript.
* CTRL-R CTRL-R doesn't work with modifyOtherKeys.
* :const cannot be followed by "| endif".
* :lockvar and :unlockvar cannot be followed by "| endif".
* Other text for CTRL-V in Insert mode with modifyOtherKeys.
* 'wincolor' not used for > for not fitting double width char. Also:
popup drawn on right half of double width character looks wrong.
* rand() does not use the best algorithm.
* No test with wrong argument for rand().
* Cannot build without FEAT_FLOAT. (John Marriott)
* Quickfix test coverage can still be improved.
* Cannot place signs in a popup window. (Maxim Kim)
* ml_get error when accessing Visual area in 'statusline'.
* Missing tests for recent popupwin changes.
* Using old C style comments.
* Registers are not sufficiently tested.
* Using old C style comments.
* Cannot build with quickfix and without text properties.
* Build problems on VMS.
* FEAT_TEXT_PROP is a confusing name.
* Cannot build with +popupwin but without +quickfix. (John Marriott)
* Unused parts of libvterm are included.
* No sufficient testing for registers.
* Preprocessor indents are incorrect.
* GUI: when losing focus a pending operator is executed.
* Using old C style comments.
* Not all register related code is covered by tests.
==== xfce4-branding-openSUSE ====
Version update (4.14+20191008 -> 4.14+20191207)
Subpackages: exo-branding-openSUSE libgarcon-branding-openSUSE libxfce4ui-branding-openSUSE openSUSE-xfce-icon-theme thunar-volman-branding-openSUSE xfce4-notifyd-branding-openSUSE xfce4-panel-branding-openSUSE xfce4-power-manager-branding-openSUSE xfce4-session-branding-openSUSE xfce4-settings-branding-openSUSE xfdesktop-branding-openSUSE xfwm4-branding-openSUSE
- Update to version 4.14+20191207:
* Fix YaST desktop file
==== zypper ====
Version update (1.14.32 -> 1.14.33)
Subpackages: zypper-aptitude zypper-log zypper-needs-restarting
- Introduce purge-kernels command (bsc#1155198)
Adds a new zypper command to cleanup all obsolete kernels as
configured by the user.
- Request root privs for zypper addlocale and removelocale.
- Load only target resolvables for removelocale.
- Load only target resolvables for zypper rm (bsc#1157377)
- Fix broken search by filelist (bsc#1135114 )
- zypper-log: Replace python by a bash script (fixes#304,
fixes#306, bsc#1156158)
- locales: do not sort out requested locales which are not
available (bsc#1155678)
- list_patches_by_issue: rewrite table output and add xml output
(bsc#1154805)
Prevent listing duplicate matches in tables. XML result is
provided within the new <list-patches-byissue> element.
- list-patches: XML add patch <issue-date> and <issue-list>
(bsc#1154805)
- Fix zypper lp --cve/bugzilla/issue options (bsc#1155298)
- Always execute commit when adding/removing locales (fixes
bsc#1155205)
- man page: fix description of --table-style,-s (bsc#1154804)
- Provide reverse search in zypper (fixes #214)
This patch adds a new set of switches to zypper to support
searching reverse dependencies for a package or a set of packages.
- BuildRequires: libzypp-devel >= 17.16.1.
- version 1.14.33
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe(a)opensuse.org
To contact the owner, e-mail: opensuse-factory+owner(a)opensuse.org
[opensuse-factory] Re: Request 753991 changed to accepted (submit graphics/blender)
by Hans-Peter Jansen 09 Dec '19
Hi Dave,
Am Mittwoch, 4. Dezember 2019, 16:00:00 CET schrieb Dave Plater:
> Visit https://build.opensuse.org/request/show/753991
>
> State of request 753991 was changed by plater:
>
> review -> accepted
>
> Comment:
> When it gets to Factory will submit to Leap:15.2 but you should push OIDN
> so long
>
> Actions:
> - submit home:frispete:blender/blender-281 => graphics/blender
OIDN was accepted to Leap:15.2 now.
15.2 is ready for full featured Blender 2.81!
Cheers,
Pete
Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.
Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=opensuse&version=15.2&bui…
https://bugzilla.opensuse.org/buglist.cgi?product=openSUSE%20Distribution&q…
When you reply to discuss some issues, make sure to change the subject.
Please use the test plan at
https://docs.google.com/spreadsheets/d/1AGKijKpKiJCB616-bHVoNQuhWHpQLHPWCb3…
to record your testing efforts and use bugzilla to report bugs.
Packages changed:
apr-util
autoyast2 (4.2.21 -> 4.2.22)
bluez
ceph (14.2.4.386+g73475e3ee1 -> 15.0.0.7686+g54042e1a06)
cpio
digikam (6.3.0 -> 6.4.0)
e2fsprogs
exo (0.12.9 -> 0.12.10)
freerdp
gnuhealth
gnuhealth-client
gpg2
hyper-v
libarchive
libidn2 (2.0.4 -> 2.2.0)
libqt5-qttranslations (5.12.5 -> 5.12.6)
libqt5-qtvirtualkeyboard (5.12.5 -> 5.12.6)
libstorage-ng (4.2.27 -> 4.2.34)
libwacom
man-pages
mcelog (1.64 -> 1.66)
ncurses
neon
openslp
openssl (1.1.0i -> 1.1.1d)
openssl-1_1 (1.1.0i -> 1.1.1d)
perl-IO-Socket-SSL (2.052 -> 2.066)
perl-Net-SSLeay (1.81 -> 1.88)
polkit-default-privs (13.2+20191015.280c25b -> 13.2+20191128.c2eb3f7)
postfix (3.3.1 -> 3.4.7)
proteus (4.6.5 -> 4.6.9)
python-base
python-cryptography
python-pyOpenSSL
python3-base (3.6.5 -> 3.6.9)
qemu (4.1.0 -> 4.1.93)
rdma-core (25.1 -> 26.1)
release-notes-openSUSE (15.1.20190513 -> 15.2.20191125)
tmux (2.9a -> 3.0a)
trytond (4.6.21 -> 4.6.22)
trytond_account (4.6.10 -> 4.6.11)
trytond_account_product (4.6.1 -> 4.6.2)
trytond_product (4.6.0 -> 4.6.1)
trytond_stock_supply (4.6.2 -> 4.6.4)
wicked (0.6.54 -> 0.6.60)
xen (4.13.0_02 -> 4.13.0_03)
yast2 (4.2.38 -> 4.2.45)
yast2-add-on (4.2.9 -> 4.2.11)
yast2-bootloader (4.2.12 -> 4.2.13)
yast2-network (4.2.30 -> 4.2.34)
yast2-packager (4.2.32 -> 4.2.36)
yast2-pkg-bindings (4.2.2 -> 4.2.3)
yast2-samba-server (4.2.1 -> 4.2.2)
yast2-security (4.2.5 -> 4.2.7)
yast2-storage-ng (4.2.57 -> 4.2.59)
yast2-tune (4.2.1 -> 4.2.2)
yast2-update (4.2.10 -> 4.2.11)
yast2-users (4.2.5 -> 4.2.6)
=== Details ===
==== apr-util ====
- Add missing zlib-devel build dependency which used to be pulled in
by libopenssl-devel. The package fails to build since the openssl
upgrade to 1.1.1
(bsc#1149792)
==== autoyast2 ====
Version update (4.2.21 -> 4.2.22)
Subpackages: autoyast2-installation
- Using Y2Packager::Resolvable.any? and Y2Packager::Resolvable.find
in order to decrease the required memory (bsc#1132650, bsc#1140037).
- 4.2.22
==== bluez ====
Subpackages: libbluetooth3
- Add
hcidump-Fixed-malformed-segment-frame-length.patch
* Ensure the L2CAP SDUs whose length field match the actual frame
length.(bsc#1013712)(CVE-2016-9798)
- Modify bluez.changes:
Remove (bsc#1013712)(CVE-2016-9798) tag from patch
hcidump-Add-assoc-dump-function-assoc-date-length-ch.patch
==== ceph ====
Version update (14.2.4.386+g73475e3ee1 -> 15.0.0.7686+g54042e1a06)
Subpackages: librados2 librbd1
- Update to 15.0.0-7686-g54042e1a06:
+ rebase on tip of upstream master, SHA1 2c06beb5ec38c8b9f7bd84152da3f5708de8d0c0
* Revert "Merge pull request #16715 from adamemerson/wip-I-Object!" (bsc#1157443)
* spec: add explicit openssh dependency to ceph-mgr-ssh (bsc#1157527)
- Update to 15.0.0-7456-ge089cead79:
+ rebase on tip of upstream master, SHA1 e4b3036422df70e3c911240e3bba6a8bd3e9c792
- Update to 15.0.0-7219-g353896020b:
+ rebase on tip of upstream master, SHA1 7ffb5d9e79207da81af933f4e95655e16558c739
==== cpio ====
Subpackages: cpio-lang cpio-mt
- add cpio-2.12-CVE-2019-14866.patch to fix a security issue where
cpio does not properly validate the values written in the header
of a TAR file through the to_oct() function [bsc#1155199]
[CVE-2019-14866]
==== digikam ====
Version update (6.3.0 -> 6.4.0)
Subpackages: digikam-lang digikam-plugins libdigikamcore6 showfoto
- Add patch to make it build with exiv2 0.26 on Leap 15:
* 0001-Revert-Exiv2-is-now-released-with-exported-targets-u.patch
(boo#1156937)
- Update to latest upstream 6.4.0 source tarball
- Update to 6.4.0
* https://www.digikam.org/news/2019-11-09-6.4.0_release_announcement/
- New features (from NEWS):
General : new RawImport plugin interface to delegate Raw
decoding function to extra engine with ImageEditor.
General : new DImg plugin interface to externalize image loaders
from core implementation.
General : new HEIC image loader compatible with media generated
by Apple devices.
Import : add new option to convert on the fly to HEIC lossless
format while downloading.
ImageEditor: add new setting from setup dialog to select right Raw
Import plugin.
ImageEditor: add new clone tool to fix artifacts on image.
ImageEditor: add new tool to import RAW image using UFRaw.
ImageEditor: add new tool to import RAW image using RawTherapee.
ImageEditor: add new tool to import RAW image using DarkTable.
BQM : add new tool to convert to HEIC format.
- 75 bugs fixed
==== e2fsprogs ====
Subpackages: libcom_err2 libcom_err2-32bit libext2fs2
- resize2fs-Make-minimum-size-estimates-more-reliable.patch: resize2fs: Make
minimum size estimates more reliable for mounted fs (bsc#1154295)
==== exo ====
Version update (0.12.9 -> 0.12.10)
Subpackages: exo-data exo-helpers exo-lang exo-tools libexo-1-0 libexo-2-0
- Update to version 0.12.10
- Fix typeahead search regression (bxo#16191)
- Translation Updates
==== freerdp ====
Subpackages: libfreerdp2 libwinpr2
- Add freerdp-Fix-realloc-return-handling.patch: Fix realloc return
handling that results in memory leaks (boo#1153163, boo#1153164,
gh#FreeRDP/FreeRDP#5645, CVE-2019-17177, CVE-2019-17178)
==== gnuhealth ====
- demo.diff to update installation script for demo-db added
==== gnuhealth-client ====
- camera.diff added
plugins changed from *latest* to version 3.4.x
==== gpg2 ====
Subpackages: gpg2-lang
- Remove self-buildrequire [bsc#1152755]
==== hyper-v ====
- Update lsvmbus interpreter from python(1) to python3(1) again
because only SLE12 lacked proper python3 support (bsc#1093910)
- async name resolution in kvp_daemon (bsc#1100758)
- kvp: eliminate 'may be used uninitialized' warning (89eb4d8d)
- fix typos in toolchain (2d35c660)
- fixed Python pep8/flake8 warnings for lsvmbus (5912e791)
- Replace GPLv2 boilerplate/reference with SPDX (43aa3132)
- Fix a warning of buffer overflow with gcc 8.0.1 (4fcba780)
- fcopy: set 'error' in case an unknown operation was requested (c2d68afb)
- Update lsvmbus interpreter from python3(1) to python(1)
because SLE12 lacks python3 support (bsc#1093910)
- vss: fix loop device detection (07136793)
- Fix IP reporting by KVP daemon with SRIOV (4ba63412)
- Fix a bug in the key delete code (86503bd3)
- fix compiler warnings about major/target_fname (1330fc35)
- PRIVATE hyper-v.compare-with-upstream.sh
- hyper-v.tools.hv.hv_vss_daemon.c: Include <sys/sysmacros.h> for major
==== libarchive ====
Subpackages: bsdtar libarchive13
- Added patch:
* CVE-2019-18408.patch Fixes use-after-free in a certain ARCHIVE_FAILED situation (bsc#1155079)
==== libidn2 ====
Version update (2.0.4 -> 2.2.0)
Subpackages: libidn2-0 libidn2-0-32bit
- Update to version 2.2.0 CVE-2019-12290 bsc#1154884:
* Perform A-Label roundtrip for lookup functions by default
* Stricter check of input to punycode decoder
* Fix punycode decoding with no ASCII chars but given delimiter
* Fix 'idn2 --no-tr64' (was a no-op)
* Allow _ as a basic code point in domain labels
* Fail building documentation if 'ronn' isn't installed
* git tag changed to reflect https://semver.org/
- update to 2.1.1 CVE-2019-18224 bsc#1154887:
* Revert SONAME bump from release 2.1.0
* Fix NULL dereference in idn2_register_u8() and
idn2_register_ul()
* Fix free of random value in idn2_to_ascii_4i()
* Improved fuzzer (which found the above issues)
* Check for valid unicode input in punycode encoder
* Avoid excessive CPU usage in punycode encoding with
large inputs
* Deprecate idn2_to_ascii_4i() in favor of idn2_to_ascii_4i2()
* Restrict output length of idn2_to_ascii_4i() to 63 bytes
- update to 2.1.0:
* Two internal functions are no longer exposed, soname bump
* Fix label length check for idn2_register_u8()
* Add missing error messages to idn2_strerror_name()
- update to 2.0.5:
* Switch the default library behavior to IDNA2008 as amended by
TR#46 (non-transitional). That default behavior is enabled when
no flags are specified to function calls. Applications can
utilize the %IDN2_NO_TR46 flag to switch to the unamended
IDNA2008. This is done in the interest of interoperability
based on the fact that this is what application writers care
about rather than strict compliance with a particular protocol
* Fixed memory leak in idn2_to_unicode_8zlz()
* Return error (IDN2_ICONV_FAIL) on charset conversion errors
* Fixed issue with STD3 rules applying in non-transitional TR46
mode
* idn2: added option --usestd3asciirules
- put translations into libidn2-lang
- correct location of install_info_prereq macro to be on tools
==== libqt5-qttranslations ====
Version update (5.12.5 -> 5.12.6)
- Update to 5.12.6:
* New bugfix release
* For more details please see:
* http://code.qt.io/cgit/qt/qttranslations.git/plain/dist/changes-5.12.6/?h=v…
==== libqt5-qtvirtualkeyboard ====
Version update (5.12.5 -> 5.12.6)
Subpackages: libQt5HunspellInputMethod5 libQt5VirtualKeyboard5 libqt5-qtvirtualkeyboard-hunspell
- Update to 5.12.6:
* New bugfix release
* For more details please see:
* http://code.qt.io/cgit/qt/qtvirtualkeyboard.git/plain/dist/changes-5.12.6/?…
==== libstorage-ng ====
Version update (4.2.27 -> 4.2.34)
Subpackages: libstorage-ng-lang libstorage-ng-ruby libstorage-ng1
- Translated using Weblate (Estonian) (bsc#1149754)
- 4.2.34
- merge gh#openSUSE/libstorage-ng#683
- extended unit test (bsc#1135341)
- updated documentation (bsc#1149148)
- added internal check
- fixed typo
- 4.2.33
- merge gh#openSUSE/libstorage-ng#682
- merge gh#openSUSE/libstorage-ng#681
- Translated using Weblate (Danish) (bsc#1149754)
- Translated using Weblate (Estonian) (bsc#1149754)
- fixed handling of btrfs subvolumes with special (regex control)
characters in the path (bsc#1135341)
- 4.2.32
- merge gh#openSUSE/libstorage-ng#680
- fixed escaping of graphviz escString (bsc#1157916)
- 4.2.31
- Translated using Weblate (Estonian) (bsc#1149754)
- 4.2.30
- merge gh#openSUSE/libstorage-ng#679
- use estimation from resize2fs for min size of ext4 (bsc#1149148)
- use 64bit feature for max size of ext4
- separated parser for ntfsresize output
- added example programs
- added unit tests
- extended exception logging
- cleanup
- consistent naming of example programs
- changed path of resize2fs to /usr/sbin
- improved calculation of resize information
- 4.2.29
- merge gh#openSUSE/libstorage-ng#678
- Only join entries when path matches
- Select the most reasonable mount point
- Add unit tests
- Update version
- Bind mount workaround
- 4.2.28
==== libwacom ====
Subpackages: libwacom-data libwacom2
- Add 174.patch
(https://patch-diff.githubusercontent.com/raw/linuxwacom/libwacom/pull/174.p…)
+ Disable deprecated symbol test when using LTO.
==== man-pages ====
- correct documentation of tcp_fack, document tcp_recovery
- added patches
[bsc#1154701]
+ man-pages-tcp_fack.patch
==== mcelog ====
Version update (1.64 -> 1.66)
- Update to version 1.66 (jira SLE-10087, jira SLE-8853):
* mcelog: Add support for Icelake server, Icelake-D, and Snow Ridge
M email.patch
-> Patched with fuzz, refresh needed
- Update to version 1.65:
* mcelog: Add Cascade Lake to supported models
==== ncurses ====
Subpackages: libncurses6 ncurses-utils terminfo terminfo-base terminfo-iterm terminfo-screen
- Add patches
CVE-2019-17594.patch for bsc#1154036 -- CVE-2019-17594: heap-based
buffer over-read in _nc_find_entry function in tinfo/comp_hash.c
CVE-2019-17595.patch for bsc#1154037 -- CVE-2019-17595: heap-based
buffer over-read in fmt_entry function in tinfo/comp_hash.c
==== neon ====
- Drop unnecessary requirement for OpenSSL 1.1.1
- Apply neon-0.30.2_ssl-fix_timeout_retvals.patch only when building
with OpenSSL 1.1.1
- Sync sources with Factory to fix build with openssl 1.1.1
(bsc#1149792)
==== openslp ====
Subpackages: openslp-32bit
- Add missing zlib build dependency, which used to be pulled in
by libopenssl-devel. The package fails to build since the openssl
upgrade to 1.1.1 (bsc#1149792)
==== openssl ====
Version update (1.1.0i -> 1.1.1d)
- Update to 1.1.1d release
- Upgrade to 1.1.1c release to get TLS 1.3 support
(jsc#SLE-9135, bsc#1148799)
==== openssl-1_1 ====
Version update (1.1.0i -> 1.1.1d)
Subpackages: libopenssl1_1 libopenssl1_1-32bit
- Fixed EVP_PBE_scrypt() to allow NULL salt values.
* Revealed by nodejs12 during bsc#1149572.
* Modified openssl-jsc-SLE-8789-backport_KDF.patch
- Update to 1.1.1d (bsc#1133925, jsc#SLE-6430)
* Fixed a fork protection issue. OpenSSL 1.1.1 introduced a rewritten random
number generator (RNG). This was intended to include protection in the
event of a fork() system call in order to ensure that the parent and child
processes did not share the same RNG state. However this protection was not
being used in the default case.
(bsc#1150247, CVE-2019-1549)
* Compute ECC cofactors if not provided during EC_GROUP construction. Before
this change, EC_GROUP_set_generator would accept order and/or cofactor as
NULL. After this change, only the cofactor parameter can be NULL.
(bsc#1150003, CVE-2019-1547)
* Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
(bsc#1150250, CVE-2019-1563)
* For built-in EC curves, ensure an EC_GROUP built from the curve name is
used even when parsing explicit parameters, when loading a serialized key
or calling EC_GROUP_new_from_ecpkparameters()/EC_GROUP_new_from_ecparameters().
* Early start up entropy quality from the DEVRANDOM seed source has been
improved for older Linux systems.
* Changed DH_check to accept parameters with order q and 2q subgroups.
With order 2q subgroups the bit 0 of the private key is not secret
but DH_generate_key works around that by clearing bit 0 of the
private key for those. This avoids leaking bit 0 of the private key.
* Significantly reduce secure memory usage by the randomness pools.
* Revert the DEVRANDOM_WAIT feature for Linux systems
- drop 0001-build_SYS_str_reasons-Fix-a-crash-caused-by-overlong.patch (upstream)
- refresh patches
* openssl-1.1.0-no-html.patch
* openssl-jsc-SLE-8789-backport_KDF.patch
- To avoid separate certification of openssh server / client
move the SSH KDF (Key Derivation Function) into openssl.
* jsc#SLE-8789
* Sourced from commit
8d76481b189b7195ef932e0fb8f0e23ab0120771#diff-a9562bc75317360a2e6b8b0748956e34
in openssl master (introduce the SSH KDF)
and commit 5a285addbf39f91d567f95f04b2b41764127950d
in openssl master (backport EVP/KDF API framework)
* added openssl-jsc-SLE-8789-backport_KDF.patch
- Upgrade to 1.1.1c (jsc#SLE-9135, bsc#1148799)
* Support for TLSv1.3 added
* Allow GNU style "make variables" to be used with Configure.
* Add a STORE module (OSSL_STORE)
* Claim the namespaces OSSL and OPENSSL, represented as symbol prefixes
* Add multi-prime RSA (RFC 8017) support
* Add SM3 implemented according to GB/T 32905-2016
* Add SM4 implemented according to GB/T 32907-2016.
* Add 'Maximum Fragment Length' TLS extension negotiation and support
* Add ARIA support
* Add SHA3
* Rewrite of devcrypto engine
* Add support for SipHash
* Grand redesign of the OpenSSL random generator
- drop FIPS support
* don't build with FIPS mode (not supported in 1.1.1)
- drop FIPS patches
* openssl-fips-clearerror.patch
* openssl-fips_disallow_ENGINE_loading.patch
* openssl-fips-dont-fall-back-to-default-digest.patch
* openssl-fips-dont_run_FIPS_module_installed.patch
* openssl-fips-fix-odd-rsakeybits.patch
* openssl-fips-rsagen-d-bits.patch
* openssl-fips-selftests_in_nonfips_mode.patch
* openssl-rsakeygen-minimum-distance.patch
* openssl-1.1.0-fips.patch
- add TLS 1.3 ciphers to DEFAULT_SUSE
- merge openssl-1.0.1e-add-suse-default-cipher.patch and
openssl-1.0.1e-add-test-suse-default-cipher-suite.patch to
openssl-DEFAULT_SUSE_cipher.patch
- Use upstream patch for the locale crash (bsc#1135550)
* https://github.com/openssl/openssl/pull/8966
* add 0001-build_SYS_str_reasons-Fix-a-crash-caused-by-overlong.patch
- drop patches (upstream):
* openssl-Bleichenbachers_CAT.patch
* openssl-CVE-2018-0734.patch
* openssl-CVE-2018-0735.patch
* openssl-CVE-2019-1543.patch
* openssl-disable_rsa_keygen_tests_with_small_modulus.patch
* openssl-dsa_paramgen2_check.patch
* openssl-One_and_Done.patch
* openssl-speed_skip_binary_curves_NO_EC2M.patch
* openssl-static-deps.patch
* openssl-urandom-reseeding.patch
* 0001-Add-a-constant-time-flag-to-one-of-the-bignums-to-av.patch
* 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch
* 0001-DSA-mod-inverse-fix.patch
* 0001-Resume-reading-from-randfile-when-interrupted-by-a-s.patch
* 0001-apps-speed-fix-segfault-while-looking-up-algorithm-n.patch
- drop s390x patches (rebased):
* 0002-s390x-assembly-pack-add-KMA-code-path-for-aes-ctr.patch
* 0003-crypto-aes-asm-aes-s390x.pl-replace-decrypt-flag-by-.patch
* 0004-s390x-assembly-pack-add-KMA-code-path-for-aes-gcm.patch
* 0005-s390x-assembly-pack-add-KMAC-code-path-for-aes-ccm.patch
* 0006-s390x-assembly-pack-add-KM-code-path-for-aes-ecb.patch
* 0007-s390x-assembly-pack-add-KMO-code-path-for-aes-ofb.patch
* 0008-s390x-assembly-pack-add-KMF-code-path-for-aes-cfb-cf.patch
* 0009-Fix-undefined-behavior-in-s390x-aes-gcm-ccm.patch
* 0001-crypto-poly1305-asm-poly1305-s390x.pl-add-vx-code-pa.patch
* 0001-s390x-assembly-pack-extend-s390x-capability-vector.patch
- add s390x patches:
* 0001-s390x-assembly-pack-perlasm-support.patch
* 0002-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch
* 0003-crypto-poly1305-asm-poly1305-s390x.pl-add-vx-code-pa.patch
* 0004-s390x-assembly-pack-fix-formal-interface-bug-in-chac.patch
* 0005-s390x-assembly-pack-import-chacha-from-cryptogams-re.patch
* 0006-s390x-assembly-pack-import-poly-from-cryptogams-repo.patch
==== perl-IO-Socket-SSL ====
Version update (2.052 -> 2.066)
- Remove not needed README.Win32 from the files section.
- Cleaned spec file with spec-cleaner.
- updated to 2.066
see /usr/share/doc/packages/perl-IO-Socket-SSL/Changes
2.066
- fix test t/verify_partial_chain.t by using the newly exposed function
can_partial_chain instead of guessing (wrongly) if the functionality is
available
- updated to 2.065
see /usr/share/doc/packages/perl-IO-Socket-SSL/Changes
2.065
- make sure that Net::SSLeay::CTX_get0_param is defined before using
X509_V_FLAG_PARTIAL_CHAIN. Net::SSLeay 1.85 defined only the second with
LibreSSL 2.7.4 but not the first
https://rt.cpan.org/Ticket/Display.html?id=128716
- prefer AES for server side cipher default since it is usually
hardware-accelerated
- updated to 2.064
see /usr/share/doc/packages/perl-IO-Socket-SSL/Changes
2.064
- make algorithm for fingerprint optional, i.e. detect based on length of
fingerprint - https://rt.cpan.org/Ticket/Display.html?id=127773
- fix t/sessions.t and improve stability of t/verify_hostname.t on windows
- use CTX_set_ecdh_auto when needed (OpenSSL 1.0.2) if explicit curves are set
- update fingerprints for live tests
2.063
- support for both RSA and ECDSA certificate on same domain
- update PublicSuffix
- Refuse to build if Net::SSLeay is compiled with one version of OpenSSL but
then linked against another API-incompatible version (ie. more than just the
patchlevel differs).
- updated to 2.062
see /usr/share/doc/packages/perl-IO-Socket-SSL/Changes
2.062
- Enable X509_V_FLAG_PARTIAL_CHAIN if supported by Net::SSLeay (1.83+) and
OpenSSL (1.1.0+). This makes leaf certificates or intermediate certificates in
the trust store be usable as full trust anchors too.
- updated to 2.061
see /usr/share/doc/packages/perl-IO-Socket-SSL/Changes
2.061
- Support for TLS 1.3 session reuse. Needs Net::SSLeay 1.86+.
Note that the previous (and undocumented) API for the session cache has been
changed.
- Support for multiple curves, automatic setting of curves and setting of
supported curves in client. Needs Net::SSLeay 1.86+.
- Enable Post-Handshake-Authentication (TLSv1.3 feature) client-side when
client certificates are provided. Thanks to jorton[AT]redhat[DOT]com.
Needs Net::SSLeay 1.86+.
- Removed patch:
IO-Socket-SSL-2.060-make-all-tests-which-use-fork-also-ignore-signal-PIP.patch
- prevent flaky test failures with openssl 1.1.1 on overloaded
systems(bsc#1108977)
* https://rt.cpan.org/Public/Bug/Display.html?id=126899
* add IO-Socket-SSL-2.060-make-all-tests-which-use-fork-also-ignore-signal-PIP.patch
- updated to 2.060
see /usr/share/doc/packages/perl-IO-Socket-SSL/Changes
- updated to 2.059
see /usr/share/doc/packages/perl-IO-Socket-SSL/Changes
2.058 2018/08/15
- fix memleak when CRL are used.
Thanks to Franz Skale for report and patch
https://rt.cpan.org/Ticket/Display.html?id=125867
- fix memleak when using stop_SSL and threads, reported by Paul Evans
https://rt.cpan.org/Ticket/Display.html?id=125867#txn-1797132
- updated to 2.058
see /usr/share/doc/packages/perl-IO-Socket-SSL/Changes
2.058 2018/07/19
- fix t/session_ticket.t: it failed with OpenSSL 1.1.* since this version
expects the extKeyUsage of clientAuth in the client cert also to be allowed
by the CA if CA uses extKeyUsage
- updated to 2.057
see /usr/share/doc/packages/perl-IO-Socket-SSL/Changes
2.057 2018/07/18
- fix memory leak which occurred with explicit stop_SSL in connection with
non-blocking sockets or timeout - https://rt.cpan.org/Ticket/Display.html?id=125867
Thanks to Paul Evans for reporting
- fix redefine warnings in case Socket6 is installed but neither IO::Socket::IP
nor IO::Socket::INET6 - https://rt.cpan.org/Ticket/Display.html?id=124963
- IO::Socket::SSL::Intercept - optional 'serial' argument can be starting number
or callback to create serial number based on the original certificate
- new function get_session_reused to check if a session got reused
- IO::Socket::SSL::Utils::CERT_asHash: fingerprint_xxx now set to the correct value
- updated to 2.056
see /usr/share/doc/packages/perl-IO-Socket-SSL/Changes
2.056 2018/02/19
- Intercept - fix creation of serial number: base it on binary digest instead of
treating hex fingerprint as binary. Allow use of own serial numbers again.
- t/io-socket-ip.t - skip test if no IPv6 support on system RT#124464
- update PublicSuffix
- updated to 2.055
see /usr/share/doc/packages/perl-IO-Socket-SSL/Changes
2.055 2018/02/15
- use SNI also if hostname was given all-uppercase
- Utils::CERT_create - don't add authority key for issuer since Chrome does
not like this
- Intercept:
- change behavior of code based cache to better support synchronizing
within multiprocess/threaded setups
- don't use counter for serial number but somehow base it on original
certificate in order to avoid conflicts with reuse of serial numbers
after restart
- RT#124431 - better support platforms w/o IPv6
- RT#124306 - spelling fixes in documentation
- ignore Mozilla::CA
- updated to 2.054
see /usr/share/doc/packages/perl-IO-Socket-SSL/Changes
2.054 2018/01/22
- added missing test certificates to MANIFEST
2.053 2018/01/21
- small behavior fixes
- if SSL_fingerprint is used and matches don't check for OCSP
- Utils::CERT_create - small fixes to properly specify purpose, ability to
use predefined complex purpose but disable some features
- update PublicSuffix
- updates for documentation, especially regarding pitfalls with forking or using
non-blocking sockets. Spelling fixes.
- test fixes and improvements
- stability improvements for live tests
- regenerate certificate in certs/ and make sure they are limited to the
correct purpose. Checkin program used to generate certificates.
- adjust tests since certificates have changed and some tests used
certificates intended for client authentication as server certificates,
which now no longer works
- updated to 2.052
see /usr/share/doc/packages/perl-IO-Socket-SSL/Changes
2.052 2017/10/22
- disable NPN support if LibreSSL>=2.6.1 is detected since they've replaced the
functions with dummies instead of removing NPN completely or setting
OPENSSL_NO_NEXTPROTONEG
- t/01loadmodule.t shows more output helpful in debugging problems
- update fingerprints for external tests
- update documentation to make behavior of syswrite more clear
- update to 2.051
- syswrite: if SSL_write sets SSL_ERROR_SYSCALL but no $! (as seen with
OpenSSL 1.1.0 on Windows) set $! to EPIPE to propagate a useful error up
https://github.com/noxxi/p5-io-socket-ssl/issues/62
- removed unnecessary settings of SSL_version and SSL_cipher_list from tests
- protocol_version.t can now deal when TLS 1.0 and/or TLS 1.1 are not supported
as is the case with openssl versions in latest Debian (buster)
- fixed problem caused by typo in the context of session cache
https://github.com/noxxi/p5-io-socket-ssl/issues/60
- update PublicSuffix information from publicsuffix.org
- fixed small memory leaks during destruction of socket and context, RT#120643
- better fix for problem which 2.046 tried to fix but broke LWP this way
- cleanup everything in DESTROY and make sure to start with a fresh %{*self}
in configure_SSL because it can happen that a GLOB gets used again without
calling DESTROY (https://github.com/noxxi/p5-io-socket-ssl/issues/56)
- fixed memory leak caused by not destroying CREATED_IN_THIS_THREAD for SSL
objects -> github pull#55
- optimization: don't track SSL objects and CTX in *CREATED_IN_THIS_THREAD
if perl is compiled w/o thread support
- small fix in t/protocol_version.t to use older versions of Net::SSLeay
with openssl build w/o SSLv3 support
- when setting SSL_keepSocketOnError to true the socket will not be closed
on fatal error. This is a modified version of
https://github.com/noxxi/p5-io-socket-ssl/pull/53/
- protect various 'eval'-based capability detections at startup with a localized
__DIE__ handler. This way dynamically requiring IO::Socket::SSL as done by
various third party software should cause less problems even if there is a
global __DIE__ handler which does not properly deal with 'eval'.
- make t/session_ticket.t work with OpenSSL 1.1.0. With this version the
session does not get reused any longer if it was not properly closed which
is now done using an explicit close by the client which causes a
proper SSL_shutdown
- enable session ticket callback with Net::SSLeay>=1.80
- leave session ticket callback off for now until the needed patch is
included in Net::SSLeay. See
https://rt.cpan.org/Ticket/Display.html?id=116118#txn-1696146
- fix detection of default CA path for OpenSSL 1.1.x
- Utils::CERT_asHash now includes the signature algorithm used
- Utils::CERT_asHash can now deal with large serial numbers
- OpenSSL 1.1.0c changed the behavior of SSL_read so that it now returns -1 on
EOF without proper SSL shutdown. Since it looks like that this behavior will
be kept at least for 1.1.1+ adapt to the changed API by treating errno=NOERR
on SSL_ERROR_SYSCALL as EOF.
- restrict session ticket callback to Net::SSLeay 1.79+ since version before
contains bug. Add test for session reuse
- extend SSL fingerprint to pubkey digest, i.e. 'sha1$pub$xxxxxx....'
- fix t/external/ocsp.t to use different server (under my control) to check
OCSP stapling
- fix session cache del_session: it freed the session but did not properly
remove it from the cache. Further reuse causes crash.
- disable OCSP support when Net::SSLeay 1.75..1.77 is used, see RT#116795
- move handling of global SSL arguments into creation of context, so that these
get also applied when creating a context only.
- support for session ticket reuse over multiple contexts and processes
(if supported by Net::SSLeay)
- small optimizations, like saving various Net::SSLeay constants into variables
and access variables instead of calling the constant sub all the time
- make t/dhe.t work with openssl 1.1.0
- Set session id context only on the server side. Even if the documentation for
SSL_CTX_set_session_id_context makes clear that this function is server side
only it actually affects handling of session reuse on the client side too and
can result in error "SSL3_GET_SERVER_HELLO:attempt to reuse session in
different context" at the client.
- Utils::CERT_create - don't add given extensions again if they were already
added. Firefox croaks with sec_error_extension_value_invalid if (specific?)
extensions are given twice.
- assume that Net::SSLeay::P_PKCS12_load_file will return the CA certificates
with the reverse order as in the PKCS12 file, because that's what it does.
- support for creating ECC keys in Utils once supported by Net::SSLeay
- remove internal sub session_cache and access cache directly (faster)
- fix del_session method in case a single item was in the cache
- use SSL_session_key as the real key for the cache and not some derivate of it,
so that it works to remove the entry using the same key
- add del_session method to session cache
- only added Changes for 2.026
- update default server and client ciphers based on recommendation of
Mozilla and what the current browsers use. Notably this finally disables
RC4 for the client (was disabled for server long ago) and adds CHACHA20.
- drop perl-IO-Socket-SSL_add_DHE-RSA_to_default_client_cipher_list.patch
(upstream)
- updated to 2.025
see /usr/share/doc/packages/perl-IO-Socket-SSL/Changes
2.025 2016/04/04
- Resolved memleak if SSL_crl_file was used: RT#113257, RT#113530
Thanks to avi[DOT]maslati[AT]forescout[DOT]com and
mark[DOT]kurman[AT]gmail[DOT]com for reporting the problem
- updated to 2.024
see /usr/share/doc/packages/perl-IO-Socket-SSL/Changes
2.024 2016/02/06
- Work around issue where the connect fails on systems having only a loopback
interface and where IO::Socket::IP is used as super class (default when
available). Since IO::Socket::IP sets AI_ADDRCONFIG by default connect to
localhost would fail on these systems. This happened at least for the tests,
see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=813796
Workaround is to explicitly set GetAddrInfoFlags to 0 if no GetAddrInfoFlags
is set but the Family/Domain is given. In this case AI_ADDRCONFIG would not
be useful anyway but would cause at most harm.
2.023 2016/01/30
- OpenSSL 1.0.2f changed the behavior of SSL shutdown in case the TLS connection
was not fully established (commit: f73c737c7ac908c5d6407c419769123392a3b0a9).
This somehow resulted in Net::SSLeay::shutdown returning 0 (i.e. keep trying)
which caused an endless loop. It will now ignore this result in case the TLS
connection was not yet established and consider the TLS connection closed
instead.
2.022 2015/12/10
- fix stringification of IPv6 inside subjectAltNames in Utils::CERT_asHash.
Thanks to Mark.Martinec[AT]ijs[DOT]si for reporting in #110253
2.021 2015/12/02
- Fixes for documentation and typos thanks to DavsX and jwilk.
- Update PublicSuffix with latest version from publicsuffix.org
2.020 2015/09/20
- support multiple directories in SSL_ca_path as proposed in RT#106711
by dr1027[AT]evocat[DOT]ne. Directories can be given as array or as string
with a path separator, see documentation.
- typos fixed thanks to jwilk https://github.com/noxxi/p5-io-socket-ssl/pull/34
2.019 2015/09/01
- work around different behavior of getnameinfo from Socket and Socket6 by
using a different wrapper depending on which module I use for IPv6.
Thanks to bluhm for reporting.
2.018 2015/08/27
- RT#106687 - startssl.t failed on darwin with old openssl since server
requested client certificate but offered also anon ciphers
2.017 2015/08/24
- checks for readability of files/dirs for certificates and CA no longer use -r
because this is not safe when ACLs are used. Thanks to BBYRD, RT#106295
- new method sock_certificate similar to peer_certificate based on idea of
Paul Evans, RT#105733
- get_fingerprint can now take optional certificate as argument and compute
the fingerprint of it. Useful in connection with sock_certificate.
- check for both EWOULDBLOCK and EAGAIN since these codes are different on
some platforms. Thanks to Andy Grundman, RT#106573
- enforce default verification scheme if none was specified, i.e. no longer
just warn but accept. If really no verification is wanted a scheme of
'none' must be explicitly specified.
- support different cipher suites per SNI hosts
- remove perl-IO-Socket-SSL_fix_offline.patch
- add perl-IO-Socket-SSL_fix_offline.patch to fix build in OBS with
updated perl
- updated to 2.016
see /usr/share/doc/packages/perl-IO-Socket-SSL/Changes
- updated to 2.015
see /usr/share/doc/packages/perl-IO-Socket-SSL/Changes
2.014 2015/05/13
- work around problem with IO::Socket::INET6 on windows, by explicitly using
Domain AF_INET in the tests.
Fixes RT#104226 reported by CHORNY
- updated to 2.014
see /usr/share/doc/packages/perl-IO-Socket-SSL/Changes
2.014 2015/05/05
- Utils::CERT_create - work around problems with authorityInfoAccess, where
OpenSSL i2v does not create the same string as v2i expects
- Intercept - don't clone some specific extensions which make only sense with
the original certificate
- updated to 2.013
see /usr/share/doc/packages/perl-IO-Socket-SSL/Changes
- add DHE-RSA to the default client cipher list to support PFS with
older machines (bnc#924976)
* added perl-IO-Socket-SSL_add_DHE-RSA_to_default_client_cipher_list.patch
- add cpanspec.yml to support automatic version updates
(see http://lists.opensuse.org/opensuse-packaging/2015-04/msg00084.html)
- updated to 2.012
see /usr/share/doc/packages/perl-IO-Socket-SSL/Changes
2.012 2014/02/02
- fix t/ocsp.t in case no HTTP::Tiny is installed
2.011 2014/02/01
- fix t/ocsp.t - don't count on revoked.grc.com using OCSP stapling #101855
- added option 'purpose' to Utils::CERT_create to get better control of the
certificates purpose. Default is 'server,client' for non-CA (contrary to
only 'server' before)
- removed RC4 from default cipher suites on the server site
https://github.com/noxxi/p5-io-socket-ssl/issues/22
- refactoring of some tests using Test::More thanks to Sweet-kid and the
2015 Pull Request Challenge
2.010 2014/01/14
- new options SSL_client_ca_file and SSL_client_ca to let the server send
the list of acceptable CAs for the client certificate.
- t/protocol_version.t - fix in case SSLv3 is not supported in Net::SSLeay.
RT#101485, thanks to TEAM.
2.009 2014/01/12
- remove util/analyze.pl. This tool is now together with other SSL tools in
https://github.com/noxxi/p5-ssl-tools
- added ALPN support (needs OpenSSL1.02, Net::SSLeay 1.56+) thanks to TEAM,
RT#101452
2.008 2014/12/16
- work around recent OCSP verification errors for revoked.grc.com (badly signed
OCSP response, Firefox also complains about it) in test t/external/ocsp.t.
- util/analyze.pl - report more details about preferred cipher for specific TLS
versions
2.007 2014/11/26
- make getline/readline fall back to super class if class is not sslified yet,
i.e. behave the same as sysread, syswrite etc.
This fixes RT#100529
2.006 2014/11/22
- Make (hopefully) non-blocking work on windows by using EWOULDBLOCK instead of
EAGAIN. While this is the same on UNIX it is different on Windows and socket
operations return there (WSA)EWOULDBLOCK and not EAGAIN. Enable non-blocking
tests on Windows too.
- make PublicSuffix::_default_data thread safe
- update PublicSuffix with latest list from publicsuffix.org
2.005 2014/11/15
- next try to fix t/protocol_version.t for OpenSSL w/o SSLv3 support
2.004 2014/11/15
- only test fix: fix t/protocol_version.t to deal with OpenSSL installations
which are compiled without SSLv3 support.
2.003 2014/11/14
- make SSLv3 available even if the SSL library disables it by default in
SSL_CTX_new (like done in LibreSSL). Default will stay to disable SSLv3,
so this will be only done when setting SSL_version explicitly.
- fix possible segmentation fault when trying to use an invalid certificate,
reported by Nick Andrew.
- Use only the ICANN part of the default public suffix list and not the
private domains. This makes existing exceptions for s3.amazonaws.com and
googleapis.com obsolete. Thanks to Gervase Markham from mozilla.org.
2.002 2014/10/21
- fix check for (invalid) IPv4 when validating hostname against certificate. Do
not use inet_aton any longer because it can cause DNS lookups for malformed
IP. RT#99448, thanks to justincase[AT]yopmail[DOT]com.
- Update PublicSuffix with latest version from publicsuffix.org - lots of new
top level domains.
- Add exception to PublicSuffix for s3.amazonaws.com - RT#99702, thanks to
cpan[AT]cpanel[DOT]net.
2.001 2014/10/21
- Add SSL_OP_SINGLE_(DH|ECDH)_USE to default options to increase PFS security.
Thanks to Heikki Vatiainen for suggesting.
- Update external tests with currently expected fingerprints of hosts.
- Some fixes to make it still work on 5.8.1.
2.000 2014/10/15
- consider SSL3.0 as broken because of POODLE and disable it by default.
- Skip live tests without asking if environment NO_NETWORK_TESTING is set.
Thanks to ntyni[AT]debian[DOT]org for suggestion.
- skip tests which require fork on non-default windows setups without proper
fork. Thanks to SHAY for https://github.com/noxxi/p5-io-socket-ssl/pull/18
1.999 2014/10/09
- make sure we don't use version 0.30 of IO::Socket::IP
- make sure that PeerHost is checked on all places where PeerAddr is
checked, because these are synonyms and IO::Socket::IP prefers PeerHost
while others prefer PeerAddr. Also accept PeerService additionally to
PeerPort.
See https://github.com/noxxi/p5-io-socket-ssl/issues/16 for details.
- add ability to use client certificates and to overwrite hostname with
util/analyze-ssl.pl.
1.998 2014/09/07
- make client authentication work at the server side when SNI is in use by
having CA path and other settings in all SSL contexts instead of only the main
one. Based on code from lundstrom[DOT]jerry[AT]gmail[DOT]com,
https://github.com/noxxi/p5-io-socket-ssl/pull/15
==== perl-Net-SSLeay ====
Version update (1.81 -> 1.88)
- Update to 1.88
1.88 2019-05-10
- New stable release incorporating all changes from developer
releases 1.86_01 to 1.86_11.
- From this release, Net-SSLeay is switching to an "odd/even"
developer/stable release version numbering system, like that of
many core modules (e.g. ExtUtils::MakeMaker): developer releases
will have an odd minor version number (and the usual "_xx" suffix),
and stable releases will have an even minor version number. This
means there is no Net-SSLeay 1.87.
- Summary of major changes since version 1.85:
- Mike McCauley has stepped down as maintainer. The new maintainers
are Chris Novakovic, Heikki Vatiainen and Tuure Vartiainen.
- The source code has moved from the now-defunct Debian Subversion
server (alioth.debian.org) to GitHub
(https://github.com/radiator-software/p5-net-ssleay)
- Net-SSLeay is provided under the terms of the Artistic License
2.0 - this has been the case since version 1.66, but references
to other licenses remained in the source code, causing ambiguity.
- Perl 5.8.1 or newer is now required to use Net-SSLeay. This has
already been the case for some time in practice, as the test
suite hasn't fully passed on Perl 5.6 for several years.
- Much-improved compatibility with OpenSSL 1.1.1, and improved
support for TLS 1.3.
- Fixed a long-standing bug in cb_data_advanced_put() that caused
memory leaks when callbacks were frequently added and removed.
- Support in the test suite for "hardened" OpenSSL configurations
that set a default security level of 2 or higher (e.g., in the
OpenSSL packages that ship with recent versions of Debian, Fedora
and Ubuntu).
1.86_11 2019-05-08
- Clarified Net-SSLeay's licensing terms: the module distribution has
been released under the terms of the Artistic License 2.0 since
version 1.66; references to other licenses have been removed. Fixes
RT#106314. Thanks to Kent Fredric for pointing out the ambiguity.
- Replace the HTTPS hosts in the external tests (some of which were
no longer online) with more resilient ones. Closes issue #26.
1.86_10 2019-05-04
- Use locally-generated certificate chain in local tests rather
than the Twitter one, which changes regularly and breaks the
test suite unnecessarily. Fixes RT#129201. Thanks to Petr Písař
for the report and patch, and Steffen Ullrich for an alternative
patch suggestion.
- In t/local/09_ctx_new.t, rather than checking that the functions
(CTX_)get_min_proto_version and (CTX_)get_max_proto_version return
0x0000 (indicating the lowest and highest versions supported by
libssl respectively, which is not the case if a run-time
configuration is enforcing a different minimum or maximum), just
check whether the returned value is one of those mentioned on the
SSL_CTX_set_min_proto_version(3) man page. Partially fixes
RT#128025. Thanks to Slaven Rezić and Dmytro Zagashev for the
downstream reports.
- Move from 1024-bit keys/certificates to 2048-bit keys/certificates
across the entire test suite. This removes the need to manually
set the security level to 1 in tests that used the old keys, and
fixes large numbers of test failures on modern Linux distributions
that set the minimum OpenSSL security level to 2. Fixes RT#126270
and the remainder of RT#128025. Thanks to Petr Písař and Slaven
Rezić for the downstream reports.
- In t/local/06_tcpecho.t and t/local/07_sslecho.t, connect to
127.0.0.1 instead of localhost. This fixes these tests when
executed inside a network sandbox that disrupts the behaviour of
gethostbyname(). Fixes RT#128207. Thanks to Kent Fredric for the
downstream report.
1.86_09 2019-03-12
- Add missing files to MANIFEST that prevented tests from passing
when installing from the 1.86_08 release tarball.
1.86_08 2019-03-12
- Add and fix functions needed to properly implement client
side session reuse for TLS 1.3 with using
CTX_sess_set_new_cb. Newly exposed functions:
SSL_SESSION_dup and SSL_SESSION_up_ref.
Fixed functions: i2d_SSL_SESSION and d2i_SSL_SESSION.
Thanks to Steffen Ullrich.
- Add functions to allow reading multiple pems from
file and creating untrusted chain: These functions allow you
to:
- Read in a PEM file with multiple certificates as a
STACK_OF(X509_INFO)
- Determine the size of the STACK_OF(X509_INFO) and value at
an index, which allows you to loop over the stack.
- Retrieve the X509 structure from each X509_INFO structure
in the stack.
Then you can create a new STACK_OF(X509) and push the X509
structures onto the new stack. You can then pass this
STACK_OF(X509) to X509_STORE_CTX_init which will allow you
to add additional untrusted certificates to the chain for
verification. Exposed functions are:
PEM_X509_INFO_read_bio
sk_X509_INFO_num
sk_X509_INFO_value
sk_X509_INFO_free
sk_X509_new_null
sk_X509_free
sk_X509_push
New function implemented by Net::SSLeay:
P_X509_INFO_get_x509
Thanks to Marc Reisner.
- Add functions and constants that are necessary to verify a
certificate using a hash directory outside of an SSL/TLS
connection. Newly exposed functions:
X509_STORE_CTX_init
X509_STORE_CTX_free
X509_STORE_new
X509_STORE_free
X509_STORE_add_lookup
X509_LOOKUP_hash_dir
X509_LOOKUP_add_dir
Newly exposed constants:
X509_FILETYPE_ASN1
X509_FILETYPE_DEFAULT
X509_FILETYPE_PEM
Thanks to Marc Reisner.
- Declare n_a in ssleay_set_psk_client_callback_invoke and
ssleay_ctx_set_psk_client_callback_invoke to avoid a compilation
error with Perl versions below 5.8.8. Fixes RT#128030. Thanks to
Graham Ollis for the report.
- Add X509_get0_serialNumber. Thanks to Marc Reisner.
- Enable Travis CI for LibreSSL 2.2.1, 2.7.5, 2.8.3 and 2.9.0
on Perl 5.20 and more recent.
- Expose the following functions for curve and group selection:
- CTX_set_ecdh_auto, set_ecdh_auto
- CTX_set1_curves_list, set1_curves_list
- CTX_set1_groups_list, set1_groups_list
Thanks to Steffen Ullrich.
- Update to 1.86_07
1.86_07 2018-12-13
- Net::SSLeay::RSA_generate_key() now prefers using
RSA_generate_key_ex. This avoids deprecated RSA_generate_key
and allows removing the only Android specific code in
SSLeay.xs. Fixes RT#127593. Thanks to Rouven Weiler.
- SSL_CTX_get0_param, SSL_CTX_get0_param,
X509_VERIFY_PARAM_set1_host, X509_VERIFY_PARAM_add1_host,
X509_VERIFY_PARAM_set_hostflags,
X509_VERIFY_PARAM_get0_peername,
X509_VERIFY_PARAM_set1_email, X509_VERIFY_PARAM_set1_ip and
X509_VERIFY_PARAM_set1_ip_asc added in 1.83 for OpenSSL
1.0.2 and later are now available with LibreSSL 2.7.0 and
later.
- get_keyblock_size() now gets the MAC secret size from the
cipher on LibreSSL 2.7.0 and later, rather than reaching
into libssl internals. This effectively takes the OpenSSL
1.1 code path for LibreSSL 2.7.0 instead of the OpenSSL 1.0
code path. Thanks to Alexander Bluhm.
- get_client_random and get_server_random now use API
functions supported by LibreSSL 2.7.0 and later. Thanks to
Alexander Bluhm.
- Add X509_check_host(), X509_check_email(), X509_check_ip(),
and X509_check_ip_asc() for LibreSSL 2.5.0 and later. Thanks
to Alexander Bluhm.
- OpenSSL_version() and OpenSSL_version_num() are available
with LibreSSL 2.7.0 and later. Thanks to Alexander Bluhm.
- Use OPENSSL_cleanse() instead of memset(). Fixes
RT#116599. Thanks to A. Sinan Unur.
1.86_06 2018-09-29
- Net::SSLeay::read() and SSL_peek() now check SSL_get_error()
for SSL_ERROR_ZERO_RETURN for return values <= 0 to make
Net::SSLeay::read() behave more like underlying OpenSSL
function SSL_read().
Convenience function ssl_read_all() now does an automatic
retry when ERROR_WANT_READ or ERROR_WANT_WRITE is returned
with Net::SSLeay::read().
Convenience function ssl_read_until() now uses
Net::SSLeay::ssl_read_all() instead of
Net::SSLeay::read(). Tests 07_sslecho.t and 36_verify.t were
also updated to use ssl_read_all() and ssl_write_all(). The
tests now also disable TLSv1.3 session tickets and ignore
SIGPIPE to avoid this signal when the client has finished
before server has sent session tickets and called
Net::SSLeay::accept().
Thanks to Petr Pisar and Sebastian Andrzej Siewior for the
patches (in #RT125218).
- Fix a memory leak in cb_data_advanced_put. Fixes
RT#127131. Noticed, investigated and patched by Paul
Evans. Thanks!
- Enable OpenSSL 1.1.1-pre9 with Travis CI.
- Add SSL_CTX_set_num_tickets, SSL_CTX_get_num_tickets,
SSL_set_num_ticket and SSL_get_num_tickets for controlling
the number of TLSv1.3 session tickets that are issued. Add
tests in 44_sess.t. Parts taken from a larger patch by Petr
Pisar of RedHat.
- Add SSL_CTX_set_ciphersuites and SSL_set_ciphersuites for
configuring the available TLSv1.3 ciphersuites. Add tests in
43_misc_functions.t and clarify SSL_client_version tests.
- Add SSL_CTX_set_security_level, SSL_CTX_get_security_level,
SSL_set_security_level and SSL_get_security_level.
Add new test file 65_security_level.t.
All courtesy of Damyan Ivanov of Debian project.
- Fix export_keying_material return value check and context
handling. SSL_export_keying_material use_context is now
correctly set to non-zero value when context is an empty
string. This affects values exported with TLSv1.2 and earlier.
Update documentation in NetSSLeay.pod and add tests
in t/local/45_export.t.
- Add RAND_priv_bytes. Add new test file t/local/10_rand.t for
RAND_bytes, RAND_pseudo_bytes, RAND_priv_bytes, RAND_status,
RAND_poll, RAND_file_name and RAND_load_file.
- Update documentation for RAND_*bytes return values and
RAND_file_name behaviour with LibreSSL.
- Add SSL_SESSION_is_resumable. Add and update tests in 44_sess.t.
- Set OpenSSL security level to 1 in tests that use the test suite's
(1024-bit) RSA keys, which allows the test suite to pass when
Net-SSLeay is built against an OpenSSL with a higher default
security level. Fixes RT#126987. Thanks to Petr Pisar (in
RT#126270) and Damyan Ivanov (in RT#126987) for the reports and
patches, and to Damyan Ivanov for the preferred patch.
- Add SSL_CTX_sess_set_new_cb and SSL_CTX_sess_set_remove_cb.
Add new test file 44_sess.t for these and future session
related tests for which no specific test file is needed.
- Add SSL_get_version, SSL_client_version and SSL_is_dtls.
- Add SSL_peek_ex, SSL_read_ex, SSL_write_ex and SSL_has_pending.
Add tests in t/local/11_read.t
- Add SSL_CTX_set_post_handshake_auth contributed by Paul
Howarth. Add SSL_set_post_handshake_auth,
SSL_verify_client_post_handshake and constant
SSL_VERIFY_POST_HANDSHAKE.
- Applied a patch to set_cert_and_key() from Damyan Ivanov,
Debian Perl Group. This function now returns errors from
library's error stack only when an underlying routine
fails. Unrelated errors are now skipped. Fixes RT#126988.
- Add support for TLSv1.3 via $Net::SSLeay::ssl_version.
- Enhance t/local/43_misc_functions.t get_keyblock_size test
to work better with AEAD ciphers.
- Add constants SSL_OP_ENABLE_MIDDLEBOX_COMPAT and
SSL_OP_NO_ANTI_REPLAY for TLSv1.3
- Fix compile time DEFINE=-DSHOW_XS_DEBUG to work with
non-threaded Perls. Fixes RT#127027. Thanks to SREZIC for
the report. Also fix other minor compile warnings.
1.86_05 2018-08-22
- Net-SSLeay now requires at least Perl 5.8.1. This is a
formalisation of what has been the de facto case for some time,
as the distribution hasn't compiled and passed its tests on Perl
5.005 for several years.
- Increment Net::SSLeay::Handle's version number to keep it in sync
with Net::SSLeay's, thus satisfying Kwalitee's consistent_version
metric.
- Re-enable the d2i_X509_bio() test in t/local/33_x509_create_cert.t
for LibreSSL. Thanks to Alexander Bluhm.
- Automatically detect new library names on Windows for OpenSSL
1.1.0 onwards (libcrypto, libssl). Fixes part of RT#121084. Thanks
to Jean-Damien Durand.
- Fix a typo preventing OpenSSL libraries built with the VC compiler
(i.e. ones with a ".lib" suffix) from being automatically detected
on Windows. Fixes part of RT#121084. Thanks to Jean-Damien Durand.
- Add missing call to va_end() following va_start() in TRACE().
Fixes RT#126028. Thanks to Jitka Plesnikova.
- Added SSL_in_init() and the related functions for all
libraries and their versions. All return 0 or 1 as
documented by OpenSSL 1.1.1. Use of these functions is
recommended over using constants returned by get_state() and
state(). New constants TLS_ST_*, used by OpenSSL 1.1.0 and
later, will not be made available by Net::SSLeay.
1.86_04 2018-07-30
- Re-add SSLv3_method() for OpenSSL 1.0.2 and above. Fixes
RT#101484.
- Don't expose ENGINE-related functions when building against
OpenSSL builds without ENGINE support. Fixes RT#121538. Thanks to
Paul Green.
- Automatically detect OpenSSL 1.0.x on VMS, and update VMS
installation instructions to reflect removal of Module::Install
from the build system. Fixes RT#124388. Thanks to Craig A. Berry.
- Prevent memory leak in OCSP_cert2ids() and OCSP_response_verify().
Fixes RT#125273. Thanks to Steffen Ullrich.
1.86_03 2018-07-19
- Convert packaging to ExtUtils::MakeMaker. Thanks to mohawk2.
- Module::Install is no longer a prerequisite when building
from the repository.
- Re-apply patch from ETJ permitting configure and build in
places with a space in the name.
1.86_02 2018-07-06
- Removed inc/ from repository. Module::Install is now a
prerequisite when building from the repository. This allowed
also removing "." from Makefile.PL lib path which was added
in version 1.81. These updates require no changes when
building from release packages. They also help AppVeyor
builds to work better with old Perls.
- Added CONTRIBUTING.md, reformatted the previous Changes
entry to use CPAN::Changes::Spec guidelines and removed
unused version control tags from comments.
1.86_01 2018-07-04
[Version control system change]
- Chris Novakovic did a full conversion from the old Debian
hosted SVN repository to git.
- Fixes to commit metadata, branches and tags that git-svn
couldn't handle or had no way of handling, were done
manually or semi-automatically afterwards. For instance, the
"git-svn-id:" lines that git-svn appends to commit messages
were kept because Mike used SVN revision numbers in RT
replies to indicate when bugs had been fixed/patches applied
(which may be useful for future reference).
- All commits were replayed onto a single master branch rather
than having separate dead-end branches for the old SVN
version tags (as this seems more "git-like").
- New lightweight tags were created for each public release
going back as far as the start of the SVN repository using
data from MetaCPAN (cross-referencing with the changelog
when it wasn't clear when a release was cut from the SVN
repo).
- Florian's and Mike's email addresses were mapped to git
author/committer IDs
[Continuous integration]
- Travis CI configuration was added for automated testing on
Linux using 64 bit Ubuntu Trusty. Build matrix dimensions
are: Perl 5.8 - 5.26 x OpenSSL 0.9.8zh - 1.1.0h. Only the
currently latest version for each major Perl and OpenSSL
release is chosen.
- AppVeyor configuration was added for automated testing on
Windows. Build matrix dimensions are: Perl 5.8 - 5.26 x
32bit and 64bit Perl environment x Windows Server 2012R2 and
Windows Server 2016. The Perl environment is Strawberry Perl
and its OpenSSL is used with builds. Only the latest major
versions are used, similarly to Travis CI. Net-SSLeay PPM
and PPD files are made available as artifacts.
- Added README.md with link to master branch build and test
status. Did minor updates to README and other misc files.
[Release packaging]
- Files t/local/43_misc_functions.t and
t/local/65_ticket_sharing_2.t were missing from MANIFEST.
- Updated inc/ directory with Module::Install 1.19. Updated
Makefile.PL author and resource information. Synced
SSLeay.pm under ext/ with the latest changes under
inc/. Reordered use imports so that META.yml gets correctly
regenerated. More Module::Install related changes will
follow.
[Repository and maintainer change]
- Net::SSLeay functionality was not changed in this
release. Work was done to switch version control systems,
add automated testing, update module packaging and change
the primary maintainer. This coincided with the decommission
of previous code repository service on alioth.debian.org.
- The module is now primarily maintained by Tuure Vartiainen
and Heikki Vatiainen of Radiator Software. The new
repository location is
https://github.com/radiator-software/p5-net-ssleay
- Dropped patches merged upstream:
* Net-SSLeay-1.85-Adapt-to-OpenSSL-1.1.1.patch
* Net-SSLeay-1.85-Expose_SSL_CTX_set_post_handshake_auth.patch
* Net-SSLeay-1.85-Avoid-SIGPIPE-in-t-local-36_verify.t.patch
* Net-SSLeay-1.85-Move-SSL_ERROR_WANT_READ-SSL_ERROR_WANT_WRITE-retry-.patch
* Net-SSLeay-1.85-Move-SSL_ERROR_WANT_READ-SSL_ERROR_WANT_WRITE-retry-from_write_partial.patch
- Expose SSL_CTX_set_post_handshake_auth
* https://github.com/radiator-software/p5-net-ssleay/pull/68
- add Net-SSLeay-1.85-Expose_SSL_CTX_set_post_handshake_auth.patch
- Fix build on SLE-12
* apparently %autopatch needs to be followed by an empty line there
- Add patches to support openssl 1.1.1 from Fedora
* Net-SSLeay-1.85-Avoid-SIGPIPE-in-t-local-36_verify.t.patch
* Net-SSLeay-1.85-Move-SSL_ERROR_WANT_READ-SSL_ERROR_WANT_WRITE-retry-.patch
* Net-SSLeay-1.85-Move-SSL_ERROR_WANT_READ-SSL_ERROR_WANT_WRITE-retry-from_write_partial.patch
* Net-SSLeay-1.85-Adapt-to-OpenSSL-1.1.1.patch
- Version update to 1.85:
* Removal of many deprecated calls from 1.1.x series
- Add dependency over zlib-devel, previously added by openssl devel
- Make sure all tests are run
==== polkit-default-privs ====
Version update (13.2+20191015.280c25b -> 13.2+20191128.c2eb3f7)
- Update to version 13.2+20191128.c2eb3f7:
* fix ModemManager1.Time whitelisting (bsc#1156961)
- Update to version 13.2+20191122.eb9cc80:
* whitelist org.freedesktop.ModemManager1.Modem.Time (bsc#1156961)
* kcm_sddm: incremental addition of new rules (bsc#1145182)
==== postfix ====
Version update (3.3.1 -> 3.4.7)
- Backport deprecated-RES_INSECURE1.patch in order to fix
boo#1149705.
- Update to 3.4.7:
* Robustness: the tlsproxy(8) daemon could go into a loop, logging
a flood of error messages. Problem reported by Andreas Schulze
after enabling SMTP/TLS connection reuse.
* Workaround: OpenSSL changed an SSL_Shutdown() non-error result
value into an error result value, causing logfile noise.
* Configuration: the new 'TLS fast shutdown' parameter name was
implemented incorrectly. The documentation said
"tls_fast_shutdown_enable", but the code said "tls_fast_shutdown".
This was fixed by changing the code, because no-one is expected
to override the default.
* Performance: workaround for poor TCP loopback performance on
LINUX, where getsockopt(..., TCP_MAXSEG, ...) reports a bogus
TCP maximal segment size that is 1/2 to 1/3 of the real MSS.
To avoid client-side Nagle delays or server-side delayed ACKs
caused by multiple smaller-than-MSS writes, Postfix chooses a
VSTREAM buffer size that is a small multiple of the reported
bogus MSS. This workaround increases the multiplier from 2x to
4x.
* Robustness: the Postfix Dovecot client could segfault (null
pointer read) or cause an SMTP server assertion to fail when
talking to a fake Dovecot server. The Postfix Dovecot client
now logs a proper error instead.
- bsc#1120757 L3: File Permissions->Paranoid can cause a system hang
Break loop if postfix has no permission in spool directory.
- add postfix-avoid-infinit-loop-if-no-permission.patch
- fix for boo#1144946
mydestination - missing default localhost
* update config.postfix
- bsc#1142881 - mkpostfixcert from Postfix still uses md
- removal of SuSEfirewall2 service, since SuSEfirewall2 has been replaced by
firewalld, see [1].
[1]: https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html
- update example POSTFIX_BASIC_SPAM_PREVENTION: permit_mynetworks for
* POSTFIX_SMTPD_HELO_RESTRICTIONS
* POSTFIX_SMTPD_RECIPIENT_RESTRICTIONS
- fix for: Can't connect to local MySQL server through socket
'/run/mysql/mysql.sock'
* update config.postfix
* update update_chroot.systemd
- Update to 3.4.6:
* Workaround for implementations that hang Postfix while shutting
down a TLS session, until Postfix times out. With
"tls_fast_shutdown_enable = yes" (the default), Postfix no
longer waits for the TLS peer to respond to a TLS 'close'
request. This is recommended with TLSv1.0 and later.
* Fixed a too-strict censoring filter that broke multiline Milter
responses for header/body events. Problem report by Andreas
Thienemann.
* The code to reset Postfix SMTP server command counts was not
called after a HaProxy handshake failure, causing stale numbers
to be reported. Problem report by Joseph Ward.
* postconf(5) documentation: tlsext_padding is not a tls_ssl_options
feature.
* smtp(8) documentation: updated the BUGS section text about
Postfix support to reuse open TLS connections.
* Portability: added "#undef sun" to util/unix_dgram_connect.c.
- Ensure that postfix is member of all groups as before.
- BuildRequire pkgconfig(systemd) instead of systemd: allow OBS to
shortcut the build queues by allowing usage of systemd-mini
- Drop the omc config fate#301838:
* it is obsolete since SLE11
- bsc#1104543 config.postfix does not start tlsmgr in master.cf
when using POSTFIX_SMTP_TLS_CLIENT="must". Applied the proposed
patch.
- Update to 3.4.5:
Bugfix (introduced: Postfix 3.0): LMTP connections over
UNIX-domain sockets were cached but not reused, due to a
cache lookup key mismatch. Therefore, idle cached connections
could exhaust LMTP server resources, resulting in two-second
pauses between email deliveries. This problem was investigated
by Juliana Rodrigueiro. File: smtp/smtp_connect.c.
- Update to 3.4.4
o Incompatible changes
- The Postfix SMTP server announces CHUNKING (BDAT
command) by default. In the unlikely case that this breaks some
important remote SMTP client, disable the feature as follows:
/etc/postfix/main.cf:
[#] The logging alternative:
smtpd_discard_ehlo_keywords = chunking
[#] The non-logging alternative:
smtpd_discard_ehlo_keywords = chunking, silent_discard
- This introduces a new master.cf service 'postlog'
with type 'unix-dgram' that is used by the new postlogd(8) daemon.
Before backing out to an older Postfix version, edit the master.cf
file and remove the postlog entry.
- Postfix 3.4 drops support for OpenSSL 1.0.1
- To avoid performance loss under load, the
tlsproxy(8) daemon now requires a zero process limit in master.cf
(this setting is provided with the default master.cf file). By
default, a tlsproxy(8) process will retire after several hours.
- To set the tlsproxy process limit to zero:
postconf -F tlsproxy/unix/process_limit=0
postfix reload
o Major changes
- Postfix SMTP server support for RFC 3030 CHUNKING
(the BDAT command) without BINARYMIME, in both smtpd(8) and
postscreen(8). This has no effect on Milters, smtpd_mumble_restrictions,
and smtpd_proxy_filter. See BDAT_README for more.
- Support for logging to file or stdout, instead of using syslog.
- Logging to file solves a usability problem for MacOS, and
eliminates multiple problems with systemd-based systems.
- Logging to stdout is useful when Postfix runs in a container, as
it eliminates a syslogd dependency.
- Better handling of undocumented(!) Linux behavior
whether or not signals are delivered to a PID=1 process.
- Support for (key, list of filenames) in map source text.
Currently, this feature is used only by tls_server_sni_maps.
- Automatic retirement: dnsblog(8) and tlsproxy(8) process
will now voluntarily retire after max_idle*max_use, or some
sane limit if either limit is disabled. Without this, a process
could stay busy for days or more.
- Postfix SMTP client support for multiple deliveries
per TLS-encrypted connection. This is primarily to improve mail
delivery performance for destinations that throttle clients when
they don't combine deliveries.
This feature is enabled with "smtp_tls_connection_reuse=yes" in
main.cf, or with "tls_connection_reuse=yes" in smtp_tls_policy_maps.
It supports all Postfix TLS security levels including dane and
dane-only.
- SNI support in the Postfix SMTP server, the
Postfix SMTP client, and in the tlsproxy(8) daemon (both server and
client roles). See the postconf(5) documentation for the new
tls_server_sni_maps and smtp_tls_servername parameters.
- Support for files that contain multiple (key, certificate, trust chain)
instances. This was required to implement
server-side SNI table lookups, but it also eliminates the need for
separate cert/key files for RSA, DSA, Elliptic Curve, and so on.
- Support for smtpd_reject_footer_maps (as well as the postscreen
variant postscreen_reject_footer_maps) for more informative reject
messages. This is indexed with the Postfix SMTP server response
text, and overrides the footer specified with smtpd_reject_footer.
One will want to use a pcre: or regexp: map with this.
o Bugfixes
- Andreas Schulze discovered that reject_multi_recipient_bounce
was producing false rejects with BDAT commands. This problem
already existed with Postfix 2.2 smtpd_end_of_data_restrictions.
Postfix 3.4.4 fixes both.
- postfix-linux45.patch: support also newer kernels -- pretend
we are still at kernel 3. Note that there are no conditionals for
LINUX3 or LINUX4. And LINUX5 was generated, but not tested in the
code which caused build failures.
- skip set -x and fix version update changes entry
- Update to 3.3.3
* When the master daemon runs with PID=1 (init mode), it will now
reap child processes from non-Postfix code running in the same
container, instead of terminating with a panic.
* Bugfix (introduced: postfix-2.11): with posttls-finger,
connections to unix-domain servers always resulted in "Failed
to establish session" even after a connection was established.
Jaroslav Skarva. File: posttls-finger/posttls-finger.c.
* Bugfix (introduced: Postfix 3.0): with smtputf8_enable=yes,
table lookups could casefold the search string when searching
a lookup table that does not use fixed-string keys (regexp,
pcre, tcp, etc.). Historically, Postfix would not case-fold
the search string with such tables. File: util/dict_utf8.c.
- PostgreSQL's pg_config is meant for linking server extensions,
use libpq's pkg-config instead, if available.
This is needed to fix build with PostgreSQL 11.
- rework config.postfix
* disable commenting of smtpd_sasl_path/smtpd_sasl_type
no need to comment, cause it is set to default anyway
and 'uncommenting' would place it at end of file then
which is not wanted
- rework postfix-main.cf.patch
* disable virtual_alias_domains cause (default: $virtual_alias_maps)
- rework config.postfix
* disable PCONF of virtual_alias_domains
virtual_alias_maps will be set anyway to the correct value
* extend virtual_alias_maps with
- mysql_virtual_alias_domain_maps.cf
- mysql_virtual_alias_domain_catchall_maps.cf
- rework postfix-mysql, added
* mysql_virtual_alias_domain_maps.cf
* mysql_virtual_alias_domain_catchall_maps.cf
needed for reject_unverified_recipient
- binary hardening: link with full RELRO
- Update to 3.3.2
* Support for OpenSSL 1.1.1 and TLSv1.3.
* Bugfixes:
- smtpd_discard_ehlo_keywords could not disable "SMTPUTF8", because
some lookup table was using "EHLO_MASK_SMTPUTF8" instead.
- minor memory leak in DANE support when minting issuer certs.
- The Postfix build did not abort if the m4 command was not installed,
resulting in a broken postconf command.
- add POSTFIX_RELAY_DOMAINS
* more flexibility to add to relay_domains without breaking
config.postfix
* rework restriction examples in sysconf.postfix
based on postfix-buch.com (2. edition by Hildebrandt, Koetter)
- disable weak cipher: RC4
after check with https://ssl-tools.net/mailservers
- update config.postfix
* don't reject mail from authenticated users even if
reject_unknown_client_hostname would match,
add permit_sasl_authenticated to all restrictions
requires smtpd_delay_reject = yes
- update postfix-main.cf.patch
* recover removed setting smtpd_sasl_path and smtpd_sasl_type,
set to default value
config.postfix will not 'enable' (remove #) var, but place
modified (enabled) var at end of file, far away from place
where it should be
- rebase patches
* fix-postfix-script.patch
* postfix-vda-v14-3.0.3.patch
* postfix-linux45.patch
* postfix-master.cf.patch
* pointer_to_literals.patch
* postfix-no-md5.patch
- bsc#1092939 - Postfixes postconf gives a lot of LDAP related warnings
o add m4 as buildrequires, as proposed.
- Add zlib-devel as buildrequires, previously included from
openssl-devel
- bsc#1087471 Unreleased Postfix update breaks SUSE Manager
o Removing setting smtpd_sasl_path and smtpd_sasl_type to empty
- Update to 3.3.1
* Postfix did not support running as a PID=1 process, which
complicated Postfix deployment in containers. The "postfix
start-fg" command will now run the Postfix master daemon as a
PID=1 process if possible. Thanks for inputs from Andreas
Schulze, Eray Aslan, and Viktor Dukhovni.
* Segfault in the postconf(1) command after it could not open a
Postfix database configuration file due to a file permission
error (dereferencing a null pointer). Reported by Andreas
Hasenack, fixed by Viktor Dukhovni.
* The luser_relay feature became a black hole, when the luser_relay
parameter was set to a non-existent local address (i.e. mail
disappeared silently). Reported by Jørgen Thomsen.
* Missing error propagation in the tlsproxy(8) daemon could result
in a segfault after TLS handshake error (dereferencing a
0xffff...ffff pointer). This daemon handles the TLS protocol
when a non-whitelisted client sends a STARTTLS command to
postscreen(8).
- remove pre-requirements on sysvinit(network) and sysvinit(syslog).
There seems to be no good reason for that other than blowing up
the dependencies (bsc#1092408).
- bsc#1071807 postfix-SuSE/config.postfix: only reload postfix
if the actual service is running. This prevents spurious
and irrelevant error messages in system logs.
- bsc#1082514 autoyast: postfix gets not set myhostname properly -
set to localhost
- Refresh spec-file via spec-cleaner and manual optimizations.
* Add %license macro.
* Set license to IPL-1.0 OR EPL-2.0.
- Update to 3.3.0
* http://cdn.postfix.johnriley.me/mirrors/postfix-release/official/postfix-3.…
* Dual license: in addition to the historical IBM Public License
1.0, Postfix is now also distributed with the more recent Eclipse
Public License 2.0. Recipients can choose to take the software
under the license of their choice. Those who are more comfortable
with the IPL can continue with that license.
* The postconf command now warns about unknown parameter names
in a Postfix database configuration file. As with other unknown
parameter names, these warnings can help to find typos early.
* Container support: Postfix 3.3 will run in the foreground with
"postfix start-fg". This requires that Postfix multi-instance
support is disabled (the default). To collect Postfix syslog
information on the container's host, mount the host's /dev/log
socket into the container, for example with "docker run -v
/dev/log:/dev/log ...other options...", and specify a distinct
Postfix syslog_name setting in the container (for example with
"postconf syslog_name=the-name-here").
* Milter support: applications can now send RET and ENVID parameters
in SMFIR_CHGFROM (change envelope sender) requests.
* Postfix-generated From: headers with 'full name' information
are now formatted as "From: name <address>" by default. Specify
"header_from_format = obsolete" to get the earlier form "From:
address (name)".
* Interoperability: when Postfix IPv6 and IPv4 support are both
enabled, the Postfix SMTP client will now relax MX preferences
and attempt to schedule similar numbers of IPv4 and IPv6
addresses. This works around mail delivery problems when a
destination announces lots of primary MX addresses on IPv6, but
is reachable only over IPv4 (or vice versa). The new behavior
is controlled with the smtp_balance_mx_inet_protocols parameter.
* Compatibility safety net: with compatibility_level < 1, the
Postfix SMTP server now warns for mail that would be blocked
by the Postfix 2.10 smtpd_relay_restrictions feature, without
blocking that mail. There still is a steady trickle of sites
that upgrade from an earlier Postfix version.
- bsc#1065411 Package postfix should require package system-user-nobody
- bsc#1080772 postfix smtpd throttle getting "hello" if no sasl auth
was configured
- Fix usage of fillup_only: -y is not a valid option to this macro.
- Replace references to /var/adm/fillup-templates with new
%_fillupdir macro (boo#1069468)
- Don't mark postfix.service as config file, this is no config
file.
- Some of the Requires(pre) are needed for post-install and at
runtime, fix the requires.
- update to 3.2.4
* DANE interoperability. Postfix builds with OpenSSL 1.0.0 or
1.0.1 failed to send email to some sites with "TLSA 2 X X" DNS
records associated with an intermediate CA certificate. Problem
report and initial fix by Erwan Legrand.
* Missing dynamicmaps support in the Postfix sendmail command.
This broke authorized_submit_users settings that use a
dynamically-loaded map type. Problem reported by Ulrich Zehl.
- bnc#1059512 L3: Postfix Problem
The applied changes break existing postfix configurations because
daemon_directory was not adapted to the new value.
- fix build for SLE
* nothing provides libnsl-devel
* add bcond_with libnsl
- bnc#1059512 L3: Postfix Problem
To manage multiple Postfix instances on a single host requires
that daemon_directory and shlib_directory are different to
avoid use of the shared directories also as per-instance directories.
For this reason daemon_directory was set to /usr/lib/postfix/bin/.
shlib_directory stands /usr/lib/postfix/.
- bnc#1016491 postfix reported to log "warning: group or other writable:"
on each symlink in config.
* Add fix-postfix-script.patch
- update to 3.2.3
* Extension propagation was broken with "recipient_delimiter = .".
This change reverts a change that was trying to be too clever.
* The postqueue command would abort with a panic message after it
experienced an output write error while listing the mail queue.
This change restores a write error check that was lost with the
Postfix 3.2 rewrite of the vbuf_print formatter.
* Restored sanity checks for dynamically-specified width and precision
in format strings (%*, %.*, and %*.*). These checks were lost with
the Postfix 3.2 rewrite of the vbuf_print formatter.
- Add libnsl-devel build requires for glibc obsoleting libnsl
- bnc#1045264 L3: postmap problem
* Applying proposed patch of leen.meyer(a)ziggo.nl in bnc#771811
- update to 3.2.2
* Security: Berkeley DB versions 2 and later try to read settings
from a file DB_CONFIG in the current directory. This undocumented
feature may introduce undisclosed vulnerabilities resulting in
privilege escalation with Postfix set-gid programs (postdrop,
postqueue) before they chdir to the Postfix queue directory,
and with the postmap and postalias commands depending on whether
the user's current directory is writable by other users. This
fix does not change Postfix behavior for Berkeley DB versions
< 3, but it does reduce postmap and postalias 'create' performance
with Berkeley DB versions 3.0 .. 4.6.
* The SMTP server receive_override_options were not restored at
the end of an SMTP session, after the options were modified by
an smtpd_milter_maps setting of "DISABLE". Milter support
remained disabled for the life time of the smtpd process.
* After the Postfix 3.2 address/domain table lookup overhaul, the
check_sender_access and check_recipient_access features ignored
a non-default parent_domain_matches_subdomains setting.
- revert changes of postfix-main.cf.patch from rev=261
* config.postfix will not 'enable' (remove #) var, but place
modified (enabled) var at end of file, far away from place
where it should be
* keep vars enabled but empty
- Some cleanups
* Fix SUSE postfix-files to avoid chown errors (anyway this file
seems to be obsolete)
* Avoid installing shared libraries twice
* Refresh patch postfix-linux45.patch
- update postfix-master.cf.patch
* recover lost (with 3.2.0 update) submission, smtps sections
* merge with upstream update
- update config.postfix
* update master.cf generation for submission
- rebase patches against 3.2.0
* pointer_to_literals.patch
* postfix-no-md5.patch
* postfix-ssl-release-buffers.patch
* postfix-vda-v14-3.0.3.patch
- Require system group mail
- Use mail group name instead of GID
- update to 3.2.0
- [Feature 20170128] Postfix 3.2 fixes the handling of address
extensions with email addresses that contain spaces. For
example, the virtual_alias_maps, canonical_maps, and
smtp_generic_maps features now correctly propagate an address
extension from "aa bb+ext"@example.com to "cc
dd+ext"@other.example, instead of producing broken output.
- [Feature 20161008] "PASS" and "STRIP" actions in
header/body_checks. "STRIP" is similar to "IGNORE" but also
logs the action, and "PASS" disables header, body, and Milter
inspection for the remainder of the message content.
Contributed by Hobbit.
- [Feature 20160330] The collate.pl script by Viktor Dukhovni for
grouping Postfix logfile records into "sessions" based on queue
ID and process ID information. It's in the auxiliary/collate
directory of the Postfix source tree.
- [Feature 20160527] Postfix 3.2 cidr tables support if/endif and
negation (by prepending ! to a pattern), just like regexp and
pcre tables. The primary purpose is to improve readability
of complex tables. See the cidr_table(5) manpage for syntax
details.
- [Incompat 20160925] In the Postfix MySQL database client, the
default option_group value has changed to "client", to enable
reading of "client" option group settings in the MySQL options
file. This fixes a "not found" problem with Postfix queries
that contain UTF8-encoded non-ASCII text. Specify an empty
option_group value (option_group =) to get backwards-compatible
behavior.
- [Feature 20161217] Stored-procedure support for MySQL
databases. Contributed by John Fawcett. See mysql_table(5) for
instructions.
- [Feature 20170128] The postmap command, and the inline: and
texthash: maps now support spaces in left-hand field of the
lookup table "source text". Use double quotes (") around a
left-hand field that contains spaces, and use backslash (\) to
protect embedded quotes in a left-hand field. There is no
change in the processing of the right-hand field.
- [Feature 20160611] The Postfix SMTP server local IP address and
port are available in the policy delegation protocol (attribute
names: server_address, server_port), in the Milter protocol
(macro names: {daemon_addr}, {daemon_port}), and in the XCLIENT
protocol (attribute names: DESTADDR, DESTPORT).
- [Feature 20161024] smtpd_milter_maps support for per-client
Milter configuration that overrides smtpd_milters, and that has
the same syntax. A lookup result of "DISABLE" turns off Milter
support. See MILTER_README.html for details.
- [Incompat 20170129] The postqueue command no longer forces all
message arrival times to be reported in UTC. To get the old
behavior, set TZ=UTC in main.cf:import_environment (this
override is not recommended, as it affects all Postfix utilities
and daemons).
- [Incompat 20161227] For safety reasons, the sendmail -C option
must specify an authorized directory: the default configuration
directory, a directory that is listed in the default main.cf
file with alternate_config_directories or
multi_instance_directories, or the command must be invoked with
root privileges (UID 0 and EUID 0). This mitigates a recurring
problem with the PHP mail() function.
- [Feature 20160625] The Postfix SMTP server now passes remote
client and local server network address and port information to
the Cyrus SASL library. Build with ``make makefiles
"CCARGS=$CCARGS -DNO_IP_CYRUS_SASL_AUTH"'' for backwards
compatibility.
- [Feature 20161103] Postfix 3.2 disables the 'transitional'
compatibility between the IDNA2003 and IDNA2008 standards for
internationalized domain names (domain names beyond the limits
of US-ASCII).
This change makes Postfix behavior consistent with contemporary
web browsers. It affects the handling of some corner cases such
as German sz and Greek zeta. See
http://unicode.org/cldr/utility/idna.jsp for more examples.
Specify "enable_idna2003_compatibility = yes" to restore
historical behavior (but keep in mind that the rest of the
world may not make that same choice).
- [Feature 20160828] Fixes for deprecated OpenSSL 1.1.0 API
features, so that Postfix will build without depending on
backwards-compatibility support.
- [Incompat 20161204] Postfix 3.2 removes tentative features that
were implemented before the DANE spec was finalized:
- Support for certificate usage PKIX-EE(1),
- The ability to disable digest agility (Postfix now behaves as
if "tls_dane_digest_agility = on"), and
- The ability to disable support for "TLSA 2 [01] [12]" records
that specify the digest of a trust anchor (Postfix now
behaves as if "tls_dane_trust_anchor_digest_enable = yes").
- [Feature 20161217] Postfix 3.2 enables elliptic curve
negotiation with OpenSSL >= 1.0.2. This changes the default
smtpd_tls_eecdh_grade setting to "auto", and introduces a new
parameter tls_eecdh_auto_curves with the names of curves that
may be negotiated.
The default tls_eecdh_auto_curves setting is determined at
compile time, and depends on the Postfix and OpenSSL versions.
At runtime, Postfix will skip curve names that aren't supported
by the OpenSSL library.
- refresh postfix-master.cf.patch
- make sure that system users can be created in %pre
- Fix requires:
- shadow is needed for postfix-mysql pre-install section
- insserv is not needed if systemd is used
- update postfix-mysql
* update mysql_*.cf files
* update postfix-mysql.sql (INNODB, utf8)
- update postfix-main.cf.patch
* uncomment smtpd_sasl_path, smtpd_sasl_type
can be changed via POSTFIX_SMTP_AUTH_SERVICE=(cyrus,dovecot)
* add option for smtp_tls_policy_maps (commented)
- update postfix-master.cf.patch
* fix indentation of submission, smtps options for correct
enabling via config.postfix
- update config.postfix
* fix sync of CA certificates
* fix master.cf generation for submission, smtps
- rebase postfix-vda-v14-3.0.3.patch
- FATE#322322 Update postfix to version 3.X
Merging changes with SLES12-SP2
Removed patches: add_missed_library.patch bnc#947707.diff dynamic_maps.patch postfix-db6.diff
postfix-opensslconfig.patch bnc#947519.diff dynamic_maps_pie.patch
postfix-post-install.patch
These are included in the new version of postfix
- Remove references to SuSEconfig.postfix from sysconfig docs.
(bsc#871575)
- bnc#947519 SuSEconfig.postfix should enforce umask 022
- bnc#947707 mail generated by Amavis being prevented from being re-addressed by /etc/postfix/virtual
- bnc#972346 /usr/sbin/SuSEconfig.postfix is wrong
- postfix-linux45.patch: handle Linux 4.x and Linux 5.x (used by aarch64)
(bsc#940289)
- update to 3.1.4
* The postscreen daemon did not merge the client test status information
for concurrent sessions from the same IP address.
* The Postfix SMTP server falsely rejected a sender address when validating
a sender address with "smtpd_reject_unlisted_recipient = yes" or with
"reject_unlisted_sender". Cause: the address validation code did not query sender_canonical_maps.
* The virtual delivery agent did not detect failure to skip to the end
of a mailbox file, so that mail would be delivered to the beginning of the file.
This could happen when a mailbox file was already larger than the virtual mailbox size limit.
* The postsuper logged an incorrect rename operation count after creating a missing directory.
* The Postfix SMTP server falsely rejected mail when a sender-dependent "error"
transport was configured. Cause: the SMTP server address validation code
was not updated when the sender_dependent_default_transport_maps feature
was introduced.
* The Postfix SMTP server falsely rejected an SMTPUTF8 sender address, when "smtpd_delay_reject = no".
* The "postfix tls deploy-server-cert" command used the wrong certificate
and key file. This was caused by a cut-and-paste error in the postfix-tls-script file.
- improve config.postfix
* improve SASL stuff
* add POSTFIX_SMTP_AUTH_SERVICE=(cyrus|dovecot)
- improve config.postfix
* improve with MySQL stuff
- update vda patch to latest available
* remove postfix-vda-v13-3.10.0.patch
* add postfix-vda-v14-3.0.3.patch
- rebase patches (and to be p0)
* pointer_to_literals.patch
* postfix-main.cf.patch
* postfix-master.cf.patch
* postfix-no-md5.patch
* postfix-ssl-release-buffers.patch
- add /etc/postfix/ssl as default DIR for SSL stuff
* cacerts -> ../../ssl/certs/
* certs/
- revert POSTFIX_SSL_PATH from '/etc/ssl' to '/etc/postfix/ssl'
- improve config.postfix
* revert smtpd_tls_CApath to POSTFIX_SSL_PATH/cacerts which is a
symlink to /etc/ssl/certs
Without reverting, 'gen_CA' would create files which would then be on
the previous defined 'sslpath(/etc/ssl)/certs' (smtpd_tls_CApath)
Cert reqs would be placed in 'sslpath(/etc/ssl)/certs/postfixreq.pem'
which is not a good idea.
* mkchroot: sync '/etc/postfix/ssl' to chroot
* improve PCONF for smtp{,d}_tls_{cert,key}_file, adding/removing from
main.cf, show warning if enabled and file is missing
- update to 3.1.3:
* The Postfix SMTP server did not reset a previous session's
failed/total command counts before rejecting a client that
exceeds request or concurrency rates. This resulted in incorrect
failed/total command counts being logged at the end of the
rejected session.
* The unionmap multi-table interface did not propagate table
lookup errors, resulting in false "user unknown" responses.
* The documentation was updated with a workaround for false "not
found" errors with MySQL map queries that contain UTF8-encoded
text. The workaround is to specify "option_group = client" in
Postfix MySQL configuration files. This will be the default
setting with Postfix 3.2 and later.
- update to 3.1.2:
* Changes to make Postfix build with OpenSSL 1.1.0.
* The makedefs script ignored readme_directory=pathname overrides.
Fix by Todd C. Olson.
* The tls_session_ticket_cipher documentation says that the default
cipher for TLS session tickets is aes-256-cbc, but the implemented
default was aes-128-cbc. Note that TLS session ticket keys are
rotated after 1/2 hour, to limit the impact of attacks on session
ticket keys.
- postfix-post-install.patch: remove empty patch
- fix Changelog cause of Factory decline
- Fix typo in config.postfix
- bnc#981097 config.postfix creates broken main.cf for tls client configuration
- bnc#981099 /etc/sysconfig/postfix: POSTFIX_SMTP_TLS_CLIENT incomplete
- update to 3.1.1:
- The new address_verify_pending_request_limit
parameter introduces a safety limit for the number of address
verification probes in the active queue. The default limit is 1/4
of the active queue maximum size. The queue manager enforces the
limit by tempfailing probe messages that exceed the limit. This
design avoids dependencies on global counters that get out of sync
after a process or system crash.
- Machine-readable, JSON-formatted queue listing with "postqueue -j"
(no "mailq" equivalent).
- The milter_macro_defaults feature provides an optional list of macro
name=value pairs. These specify default values for Milter macros when
no value is available from the SMTP session context.
- Support to enforce a destination-independent delay between email
deliveries. The following example inserts 20 seconds of delay
between all deliveries with the SMTP transport, limiting the delivery
rate to at most three messages per minute.
smtp_transport_rate_delay = 20s
- Historically, the default setting "postscreen_dnsbl_ttl = 1h" assumes
that a "not found" result from a DNSBL server will be valid for one
hour. This may have been adequate five years ago when postscreen
was first implemented, but nowadays, that one hour can result in
missed opportunities to block new spambots.
To address this, postscreen now respects the TTL of DNSBL "not
found" replies, as well as the TTL of DNSWL replies (both "found"
and "not found"). The TTL for a "not found" reply is determined
according to RFC 2308 (the TTL of an SOA record in the reply).
Support for DNSBL or DNSWL reply TTL values is controlled by two
configuration parameters:
postscreen_dnsbl_min_ttl (default: 60 seconds).
postscreen_dnsbl_max_ttl (default: $postscreen_dnsbl_ttl or 1 hour)
The postscreen_dnsbl_ttl parameter is now obsolete, and has become
the default value for the new postscreen_dnsbl_max_ttl parameter.
- New "smtpd_client_auth_rate_limit" feature, to
enforce an optional rate limit on AUTH commands per SMTP client IP
address. Similar to other smtpd_client_*_rate_limit features, this
enforces a limit on the number of requests per $anvil_rate_time_unit.
- New SMTPD policy service attribute "policy_context",
with a corresponding "smtpd_policy_service_policy_context" configuration
parameter. Originally, this was implemented to share the same SMTPD
policy service endpoint among multiple check_policy_service clients.
- A new "postfix tls" command to quickly enable opportunistic TLS
in the Postfix SMTP client or server, and to manage SMTP server keys
and certificates, including certificate signing requests and
TLSA DNS records for DANE.
- build with working support for SMTPUTF8
- fix build on sle11 by pointing _libexecdir to /usr/lib all the
time.
- some distros did not pull pkgconfig indirectly. pull it directly.
- fix building the dynamic maps: the old build had postgresql e.g.
with missing symbols.
- convert to AUXLIBS_* instead of plain AUXLIBS which is needed
for proper dynamic maps.
- reordered the CCARGS and AUXLIBS* lines to group by feature
- use pkgconfig or *_config tools where possible
- picked up signed char from fedora spec file
- enable lmdb support: new BR lmdb-devel, new subpackage
postfix-lmdb.
- don't delete vmail user/groups
- update to 3.1.0
- Since version 3.0 postfix supports dynamic loading of cdb:, ldap:,
lmdb:, mysql:, pcre:, pgsql:, sdbm:, and sqlite: database clients.
That's why the patches dynamic_maps.patch and dynamic_maps_pie.patch
could be removed.
- Adapting all the patches to postfix 3.1.0
- remove obsolete patches
* add_missed_library.patch
* postfix-opensslconfig.patch
- update vda patch
* remove postfix-vda-v13-2.10.0.patch
* add postfix-vda-v13-3.10.0.patch
- The patch postfix-db6.diff is no longer necessary
- Backwards-compatibility safety net.
With NEW Postfix installs, you MUST install a main.cf file with
the setting "compatibility_level = 2". See conf/main.cf for an
example.
With UPGRADES of existing Postfix systems, you MUST NOT change the
main.cf compatibility_level setting, nor add this setting if it
does not exist.
Several Postfix default settings have changed with Postfix 3.0. To
avoid massive frustration with existing Postfix installations,
Postfix 3.0 comes with a safety net that forces Postfix to keep
running with backwards-compatible main.cf and master.cf default
settings. This safety net depends on the main.cf compatibility_level
setting (default: 0). Details are in COMPATIBILITY_README.
- Major changes - tls
* [Feature 20160207] A new "postfix tls" command to quickly enable
opportunistic TLS in the Postfix SMTP client or server, and to
manage SMTP server keys and certificates, including certificate
signing requests and TLSA DNS records for DANE.
* As of the middle of 2015, all supported Postfix releases no longer
enable "export" grade ciphers for opportunistic TLS, and no longer
use the deprecated SSLv2 and SSLv3 protocols for mandatory or
opportunistic TLS.
* [Incompat 20150719] The default Diffie-Hellman non-export prime was
updated from 1024 to 2048 bits, because SMTP clients are starting
to reject TLS handshakes with primes smaller than 2048 bits.
* [Feature 20160103] The Postfix SMTP client by default enables DANE
policies when an MX host has a (DNSSEC) secure TLSA DNS record,
even if the MX DNS record was obtained with insecure lookups. The
existence of a secure TLSA record implies that the host wants to
talk TLS and not plaintext. For details see the
smtp_tls_dane_insecure_mx_policy configuration parameter.
- Major changes - default settings
[Incompat 20141009] The default settings have changed for relay_domains
(new: empty, old: $mydestination) and mynetworks_style (new: host,
old: subnet). However the backwards-compatibility safety net will
prevent these changes from taking effect, giving the system
administrator the option to make an old default setting permanent
in main.cf or to adopt the new default setting, before turning off
backwards compatibility. See COMPATIBILITY_README for details.
[Incompat 20141001] A new backwards-compatibility safety net forces
Postfix to run with backwards-compatible main.cf and master.cf
default settings after an upgrade to a newer but incompatible Postfix
version. See COMPATIBILITY_README for details.
While the backwards-compatible default settings are in effect,
Postfix logs what services or what email would be affected by the
incompatible change. Based on this the administrator can make some
backwards-compatibility settings permanent in main.cf or master.cf,
before turning off backwards compatibility.
- Major changes - address verification safety
[Feature 20151227] The new address_verify_pending_request_limit
parameter introduces a safety limit for the number of address
verification probes in the active queue. The default limit is 1/4
of the active queue maximum size. The queue manager enforces the
limit by tempfailing probe messages that exceed the limit. This
design avoids dependencies on global counters that get out of sync
after a process or system crash.
Tempfailing verify requests is not as bad as one might think. The
Postfix verify cache proactively updates active addresses weeks
before they expire. The address_verify_pending_request_limit affects
only unknown addresses, and inactive addresses that have expired
from the address verify cache (by default, after 31 days).
- Major changes - json support
[Feature 20151129] Machine-readable, JSON-formatted queue listing
with "postqueue -j" (no "mailq" equivalent). The output is a stream
of JSON objects, one per queue file. To simplify parsing, each
JSON object is formatted as one text line followed by one newline
character. See the postqueue(1) manpage for a detailed description
of the output format.
- Major changes - milter support
[Feature 20150523] The milter_macro_defaults feature provides an
optional list of macro name=value pairs. These specify default
values for Milter macros when no value is available from the SMTP
session context.
For example, with "milter_macro_defaults = auth_type=TLS", the
Postfix SMTP server will send an auth_type of "TLS" to a Milter,
unless the remote client authenticates with SASL.
This feature was originally implemented for a submission service
that may authenticate clients with a TLS certificate, without having
to make changes to the code that implements TLS support.
- Major changes - output rate control
[Feature 20150710] Destination-independent delivery rate delay
Support to enforce a destination-independent delay between email
deliveries. The following example inserts 20 seconds of delay
between all deliveries with the SMTP transport, limiting the delivery
rate to at most three messages per minute.
/etc/postfix/main.cf:
smtp_transport_rate_delay = 20s
For details, see the description of default_transport_rate_delay
and transport_transport_rate_delay in the postconf(5) manpage.
- Major changes - postscreen dnsbl
[Feature 20150710] postscreen support for the TTL of DNSBL and DNSWL
lookup results
Historically, the default setting "postscreen_dnsbl_ttl = 1h" assumes
that a "not found" result from a DNSBL server will be valid for one
hour. This may have been adequate five years ago when postscreen
was first implemented, but nowadays, that one hour can result in
missed opportunities to block new spambots.
To address this, postscreen now respects the TTL of DNSBL "not
found" replies, as well as the TTL of DNSWL replies (both "found"
and "not found"). The TTL for a "not found" reply is determined
according to RFC 2308 (the TTL of an SOA record in the reply).
Support for DNSBL or DNSWL reply TTL values is controlled by two
configuration parameters:
postscreen_dnsbl_min_ttl (default: 60 seconds).
This parameter specifies a minimum for the amount of time that
a DNSBL or DNSWL result will be cached in the postscreen_cache_map.
This prevents an excessive number of postscreen cache updates
when a DNSBL or DNSWL server specifies a very small reply TTL.
postscreen_dnsbl_max_ttl (default: $postscreen_dnsbl_ttl or 1 hour)
This parameter specifies a maximum for the amount of time that
a DNSBL or DNSWL result will be cached in the postscreen_cache_map.
This prevents cache pollution when a DNSBL or DNSWL server
specifies a very large reply TTL.
The postscreen_dnsbl_ttl parameter is now obsolete, and has become
the default value for the new postscreen_dnsbl_max_ttl parameter.
- Major changes - sasl auth safety
[Feature 20151031] New "smtpd_client_auth_rate_limit" feature, to
enforce an optional rate limit on AUTH commands per SMTP client IP
address. Similar to other smtpd_client_*_rate_limit features, this
enforces a limit on the number of requests per $anvil_rate_time_unit.
- Major changes - smtpd policy
[Feature 20150913] New SMTPD policy service attribute "policy_context",
with a corresponding "smtpd_policy_service_policy_context" configuration
parameter. Originally, this was implemented to share the same SMTPD
policy service endpoint among multiple check_policy_service clients.
- bnc#958329 postfix fails to start when openslp is not installed
- upstream update postfix 2.11.7:
* The Postfix Milter client aborted with a panic while adding a
message header, after adding a short message header with the
header_checks PREPEND action. Fixed by invoking the header
output function while PREPENDing a message header.
* False alarms while scanning the Postfix queue. Fixed by resetting
errno before calling readdir(). This defect was introduced
19970309.
* The postmulti command produced an incorrect error message.
* The postmulti command now refuses to create a new MTA instance
when the template main.cf or master.cf file are missing. This
is a common problem on Debian-like systems.
* Turning on Postfix SMTP server HAProxy support broke TLS
wrappermode. Fixed by temporarily using a 1-byte VSTREAM buffer
to read the HAProxy connection hand-off information.
* The xtext_unquote() function did not propagate error reports
from xtext_unquote_append(), causing the decoder to return
partial output, instead of rejecting malformed input. The Postfix
SMTP server uses this function to parse input for the ENVID and
ORCPT parameters, and for XFORWARD and XCLIENT command parameters.
- boo#934060: Remove quirky hostname logic from config.postfix
* /etc/hostname doesn't contain anything useful
* linux.local is no good either
* postfix will use `hostname`.localdomain as fallback
- postfix-no-md5.patch: replace fingerprint defaults by sha1. bsc#928885
- %verifyscript is a new section, move it out of the %ifdef
so the fillups are run afterwards.
- upstream update postfix 2.11.6:
Default settings have been updated so that they no longer enable
export-grade ciphers, and no longer enable the SSLv2 and SSLv3
protocols.
- removed postfix-2.11.5_linux4.patch because it's obsolete
- Bugfix (introduced: Postfix 2.11): with connection caching
enabled (the default), recipients could be given to the wrong
mail server. (bsc#944722)
- postfix-SuSE.tar.gz/postfix.service: None of
nss-lookup.target network.target local-fs.target time-sync.target
should be Wanted or Required except by the services
that implement the relevant functionality, i.e. network.target
is wanted/required by networkmanager, wicked,
systemd-network. other software must be ordered After them,
see systemd.special(7)
- Fix library symlink generation (boo#928662)
- added postfix-2.11.5_linux4.patch:
Allow building on kernel 4. Patch taken from:
https://groups.google.com/forum/#!topic/mailing.postfix.users/fufS22sMGWY
- update to postfix 2.11.5
- Bugfix (introduced: Postfix 2.6):
sender_dependent_relayhost_maps ignored the relayhost setting
in the case of a DUNNO lookup result. It would use the
recipient domain instead. Viktor Dukhovni. Wietse took the
pieces of code that enforce the precedence of a
sender-dependent relayhost, the global relayhost, and the
recipient domain, and put that code together in one place so
that it is easier to maintain. File:
trivial-rewrite/resolve.c.
- Bitrot: prepare for future changes in OpenSSL API. Viktor
Dukhovni. File: tls_dane.c.
- Incompatibility: specifying "make makefiles" with "CC=command"
will no longer override the default WARN setting.
- upstream update postfix 2.11.4:
Postfix 2.11.4 only:
* Fix a core dump when smtp_policy_maps specifies an invalid TLS
level.
* Fix a missing " in \%s\", in postconf(1) fatal error messages,
which violated the C language spec. Reported by Iain Hibbert.
All supported releases:
* Stop excessive recursion in the cleanup server while recovering
from a virtual alias expansion loop. Problem found at Two Sigma.
* Stop exponential memory allocation with virtual alias expansion
loops. This came to light after fixing the previous problem.
- correct pf_daemon_directory in spec. This must be /usr/lib/
- bnc#914086 syntax error in config.postfix
- Adapt config.postfix to be able to run on SLE11 too.
- Don't install sysvinit script when systemd is used
- Make explicit PreReq dependencies conditional only for older
systems
- Don't try to set explicit attributes to symlinks
- Cleanup spec file with spec-cleaner
- bnc#912594 config.postfix creates config based on old options
- bnc#911806 config.postfix does not set up correct saslauthd socket directory for chroot
- bnc#910265 config.postfix does not upgrade the chroot
- bnc#908003 wrong access rights on /usr/sbin/postdrop causes
permission denied when trying to send a mail as non root user
- bnc#729154 wrong permissions for some postfix components
- Remove keyring and things as it is md5 based one no longer
accepted by gpg 2.1
- No longer perform gpg validation; osc source_validator does it
implicitly:
+ Drop gpg-offline BuildRequires.
+ No longer execute gpg_verify.
- restore previously lost fix:
Fri Oct 11 13:32:32 UTC 2013 - matz(a)suse.de
- Ignore errors in %pre/%post.
- postfix 2.11.3:
* Fix for configurations that prepend message headers with Postfix
access maps, policy servers or Milter applications. Postfix now
hides its own Received: header from Milters and exposes prepended
headers to Milters, regardless of the mechanism used to prepend
a header. This fix reverts a partial solution that was released
on October 13, 2014, and replaces it with a complete solution.
* Portability fix for MacOS X 10.7.x (Darwin 11.x) build procedure.
- postfix 2.11.2:
* Fix for DMARC implementations based on SPF policy plus DKIM
Milter. The PREPEND access/policy action added headers ABOVE
Postfix's own Received: header, exposing Postfix's own Received:
header to Milters (protocol violation) and hiding the PREPENDed
header from Milters. PREPENDed headers are now added BELOW
Postfix's own Received: header and remain visible to Milters.
* The Postfix SMTP server logged an incorrect client name in
reject messages for check_reverse_client_hostname_access and
check_reverse_client_hostname_{mx,ns}_access. They replied with
the verified client name, instead of the name that was rejected.
* The qmqpd daemon crashed with null pointer bug when logging a
lost connection while not in a mail transaction.
==== proteus ====
Version update (4.6.5 -> 4.6.9)
- Version 4.6.9 - Bugfix Release
- Version 4.6.8 - Bugfix Release
- Version 4.6.7 - Bugfix Release
- Version 4.6.6 - Bugfix Release
==== python-base ====
Subpackages: libpython2_7-1_0 python-xml
- Add bpo-36576-skip_tests_for_OpenSSL-111.patch (originally from
bpo#36576) skipping tests failing with OpenSSL 1.1.1. Fixes
bsc#1149792
- Add CVE-2019-16935-xmlrpc-doc-server_title.patch fixing
bsc#1153238 (aka CVE-2019-16935) fixing a reflected XSS in
python/Lib/DocXMLRPCServer.py
- bsc#1130840 (CVE-2019-9947): add CVE-2019-9947-no-ctrl-char-http.patch
Address the issue by disallowing URL paths with embedded
whitespace or control characters through into the underlying
http client request. Such potentially malicious header
injection URLs now cause a ValueError to be raised.
- Add CVE-2019-16056-email-parse-addr.patch fixing the email
module wrongly parsing email addresses [bsc#1149955,
CVE-2019-16056]
==== python-cryptography ====
- Add openSSL_111d.patch to make this version of the package
compatible with OpenSSL 1.1.1d, thus fixing bsc#1149792.
==== python-pyOpenSSL ====
- Add openSSL_111d.patch (bsc#1149792) fixing incompatibility
with OpenSSL 1.1.1d.
==== python3-base ====
Version update (3.6.5 -> 3.6.9)
Subpackages: libpython3_6m1_0
- Stop building qthelp documentation. Recent qhelpgenerator-qt5
is not compatible with the generated source files.
Fixes bsc#1158158
- Add CVE-2019-16935-xmlrpc-doc-server_title.patch fixing
bsc#1153238 (aka CVE-2019-16935) fixing a reflected XSS in
python/Lib/DocXMLRPCServer.py
- Add bpo-36576-skip_tests_for_OpenSSL-111.patch (originally from
bpo#36576) skipping tests failing with OpenSSL 1.1.1. Fixes
bsc#1149792
- Add bpo36263-Fix_hashlib_scrypt.patch which works around
bsc#1151490
- Add CVE-2019-16056-email-parse-addr.patch fixing the email
module wrongly parsing email addresses [bsc#1149955,
CVE-2019-16056]
- jsc#PM-1350 bsc#1149121 Update python3 to the last version of
the 3.6 line. This is just a bugfix release with no changes in
functionality.
- The following patches were included in the upstream release,
so they can be removed from the package:
- CVE-2018-20852-cookie-domain-check.patch
- CVE-2019-5010-null-defer-x509-cert-DOS.patch
- CVE-2019-10160-netloc-port-regression.patch
- CVE-2019-9636-urlsplit-NFKC-norm.patch
- CVE-2019-9947-no-ctrl-char-http.patch
- Patch bpo23395-PyErr_SetInterrupt-signal.patch has been
reapplied on the upstream base without changing any
functionality.
- Add patch aarch64-prolong-timeout.patch to fix failing
test_utime_current_old test.
- boo#1141853 (CVE-2018-20852) add
CVE-2018-20852-cookie-domain-check.patch fixing
http.cookiejar.DefaultPolicy.domain_return_ok which did not
correctly validate the domain: it could be tricked into sending
cookies to the wrong server.
- bsc#1138459: add CVE-2019-10160-netloc-port-regression.patch
which fixes regression introduced by the previous patch.
(CVE-2019-10160)
Upstream gh#python/cpython#13812
- bsc#1094814: Add bpo23395-PyErr_SetInterrupt-signal.patch to
handle situation when the SIGINT signal is ignored or not handled
- Update to 3.6.8:
- bugfixes only
- removed patches (subsumed in the upstream tarball):
- CVE-2018-20406-pickle_LONG_BINPUT.patch
- refreshed patches:
- CVE-2019-5010-null-defer-x509-cert-DOS.patch
- CVE-2019-9636-urlsplit-NFKC-norm.patch
- Python-3.0b1-record-rpm.patch
- python-3.3.0b1-fix_date_time_compiler.patch
- python-3.3.0b1-test-posix_fadvise.patch
- python-3.3.3-skip-distutils-test_sysconfig_module.patch
- python-3.6.0-multilib-new.patch
- python3-sorted_tar.patch
- subprocess-raise-timeout.patch
- switch off LTO and PGO optimization (bsc#1133452)
- bsc#1130840 (CVE-2019-9947): add CVE-2019-9947-no-ctrl-char-http.patch
Address the issue by disallowing URL paths with embedded
whitespace or control characters through into the underlying
http client request. Such potentially malicious header
injection URLs now cause a ValueError to be raised.
==== qemu ====
Version update (4.1.0 -> 4.1.93)
Subpackages: qemu-block-curl qemu-block-rbd qemu-block-ssh qemu-guest-agent qemu-ipxe qemu-ksm qemu-seabios qemu-sgabios qemu-tools qemu-ui-curses qemu-ui-gtk qemu-ui-sdl qemu-vgabios qemu-x86
- Update to v4.2.0-rc3: See http://wiki.qemu.org/ChangeLog/4.2
* Patches dropped (upstream unless otherwise noted):
ati-add-edid-support.patch
ati-vga-add-rage128-edid-support.patch
ati-vga-fix-ati_read.patch
ati-vga-make-i2c-register-and-bits-confi.patch
ati-vga-make-less-verbose.patch
ati-vga-try-vga-ddc-first.patch
Disable-Waddress-of-packed-member-for-GC.patch
hdata-vpd-fix-printing-char-0x00.patch
target-i386-add-PSCHANGE_NO-bit-for-the-.patch
target-i386-Export-TAA_NO-bit-to-guests.patch
vbe-add-edid-support.patch
vga-add-ati-bios-tables.patch
vga-add-atiext-driver.patch
vga-make-memcpy_high-public.patch
vga-move-modelist-from-bochsvga.c-to-new.patch
* Patches added:
Enable-cross-compile-prefix-for-C-compil.patch
ensure-headers-included-are-compatible-w.patch
roms-Makefile-enable-cross-compile-for-b.patch
* Add qemu-ui-spice-app package containing ui-spice-app.so
* Add qemu-microvm package containing bios-microvm.bin
- Add descriptors for the 128k and 256k SeaBios firmware images
- For the record, the following issues reported for SUSE SLE15-SP1
are either fixed in this current package, or are otherwise not an
issue: bsc#1079730 bsc#1098403 bsc#1111025 bsc#1128106 bsc#1133031
bsc#1134883 bsc#1135210 bsc#1135902 bsc#1136540 bsc#1136778
bsc#1138534 bsc#1140402 bsc#1143794 bsc#1145379 bsc#1144087
bsc#1145427 bsc#1145436 bsc#1145774 bsc#1146873 bsc#1149811
bsc#1152506 bsc#1155812 bsc#1156642 CVE-2018-12207 CVE-2019-5008
CVE-2019-11135 CVE-2019-12068 CVE-2019-12155 CVE-2019-13164
CVE-2019-14378 CVE-2019-15890, and the following feature requests
are satisfied by this package: fate#327410 fate#327764 fate#327796
jira-SLE-4883 jira-SLE-6132 jira-SLE-6237 jira-SLE-6754
- Expose pschange-mc-no "feature", indicating CPU does not have
the page size change machine check vulnerability (CVE-2018-12207
bsc#1155812)
target-i386-add-PSCHANGE_NO-bit-for-the-.patch
- Expose taa-no "feature", indicating CPU does not have the
TSX Async Abort vulnerability. (CVE-2019-11135 bsc#1152506)
target-i386-Export-TAA_NO-bit-to-guests.patch
Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-4.1
- Update to v4.1.1, a stable, bug-fix-only release
* Besides incorporating the following fixes we already carried, it
includes about the same number of other, similar type fixes
which we hadn't yet incorporated.
* Patches dropped (subsumed by stable update):
block-Add-bdrv_co_get_self_request.patch
block-create-Do-not-abort-if-a-block-dri.patch
block-file-posix-Let-post-EOF-fallocate-.patch
block-file-posix-Reduce-xfsctl-use.patch
block-io-refactor-padding.patch
blockjob-update-nodes-head-while-removin.patch
block-Make-wait-mark-serialising-request.patch
block-nfs-tear-down-aio-before-nfs_close.patch
coroutine-Add-qemu_co_mutex_assert_locke.patch
curl-Check-completion-in-curl_multi_do.patch
curl-Handle-success-in-multi_check_compl.patch
curl-Keep-pointer-to-the-CURLState-in-CU.patch
curl-Keep-socket-until-the-end-of-curl_s.patch
curl-Pass-CURLSocket-to-curl_multi_do.patch
curl-Report-only-ready-sockets.patch
hw-arm-boot.c-Set-NSACR.-CP11-CP10-for-N.patch
hw-core-loader-Fix-possible-crash-in-rom.patch
make-release-pull-in-edk2-submodules-so-.patch
memory-Provide-an-equality-function-for-.patch
mirror-Keep-mirror_top_bs-drained-after-.patch
pr-manager-Fix-invalid-g_free-crash-bug.patch
qcow2-bitmap-Fix-uint64_t-left-shift-ove.patch
qcow2-Fix-corruption-bug-in-qcow2_detect.patch
qcow2-Fix-QCOW2_COMPRESSED_SECTOR_MASK.patch
qcow2-Fix-the-calculation-of-the-maximum.patch
roms-Makefile.edk2-don-t-pull-in-submodu.patch
s390-PCI-fix-IOMMU-region-init.patch
s390x-tcg-Fix-VERIM-with-32-64-bit-eleme.patch
target-alpha-fix-tlb_fill-trap_arg2-valu.patch
target-arm-Don-t-abort-on-M-profile-exce.patch
target-arm-Free-TCG-temps-in-trans_VMOV_.patch
util-iov-introduce-qemu_iovec_init_exten.patch
vhost-Fix-memory-region-section-comparis.patch
vpc-Return-0-from-vpc_co_create-on-succe.patch
Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-4.1
- Fix %arm builds
- Fix two issues with qcow2 image processing which could affect
disk integrity
qcow2-Fix-QCOW2_COMPRESSED_SECTOR_MASK.patch
qcow2-bitmap-Fix-uint64_t-left-shift-ove.patch
- Work around a host kernel xfs bug which can result in qcow2 image
corruption
block-io-refactor-padding.patch
util-iov-introduce-qemu_iovec_init_exten.patch
block-Make-wait-mark-serialising-request.patch
block-Add-bdrv_co_get_self_request.patch
block-file-posix-Let-post-EOF-fallocate-.patch
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-4.1
- Correct package names in _constraints after switch to multibuild.
==== rdma-core ====
Version update (25.1 -> 26.1)
Subpackages: libefa1 libibverbs libibverbs1 libmlx4-1 libmlx5-1 librdmacm1
- Add Broadcom fixes (bsc#1157891)
- bnxt_re-lib-Add-remaining-pci-ids-for-gen-P5-devices.patch
- bnxt_re-lib-Recognize-additional-5750x-device-ID-s.patch
- Update to rdma-core v26.1 (jsc#SLE-8388, jsc#SLE-8394, jsc#SLE-8463, jsc#SLE-8399,
jsc#SLE-8254, jsc#SLE-9840, jsc#SLE-9763, jsc#SLE-9925, jsc#SLE-9846, jsc#SLE-9913,
jsc#SLE-9729, jsc#SLE-8666)
==== release-notes-openSUSE ====
Version update (15.1.20190513 -> 15.2.20191125)
- Update to 15.2
==== tmux ====
Version update (2.9a -> 3.0a)
- Update to v3.0a
* A lot of changes since v2.9a, please see the included CHANGES
file.
==== trytond ====
Version update (4.6.21 -> 4.6.22)
- Version 4.6.22 - Bugfix Release
==== trytond_account ====
Version update (4.6.10 -> 4.6.11)
- Version 4.6.11 - Bugfix Release
==== trytond_account_product ====
Version update (4.6.1 -> 4.6.2)
- Version 4.6.2 - Bugfix Release
==== trytond_product ====
Version update (4.6.0 -> 4.6.1)
- Version 4.6.1 - Bugfix Release
==== trytond_stock_supply ====
Version update (4.6.2 -> 4.6.4)
- Version 4.6.4 - Bugfix Release
- Version 4.6.3 - Bugfix Release
==== wicked ====
Version update (0.6.54 -> 0.6.60)
Subpackages: wicked-service
- version 0.6.60
- libwicked: fix versioning and packaging (bsc#1143182,bsc#1132977)
shipping the internal helper library inside of the wicked package.
- version 0.6.57
- dhcp6: omit noprefixroute with address-length (bsc#1150972)
Permit to assume that the address prefix-length override specified
in the config is a valid on-link prefix length, to let the kernel
create a route for this prefix.
- dhcp6: differentiated mode=auto resolving from RA (bsc#1150183)
Fixed to not trigger to report an error when ipv6 RA is not
available or the received RA disables dhcp while mode is set to
auto, but to deliver a 'deferred' result.
- version 0.6.56
- dhcp6: initial support to request prefix for delegations (jsc#SLE-5936)
- dhcp6: set the noprefixroute address option (bsc#1132280)
- version 0.6.55
- dhcp6: do not default to a /64 address prefix-length (bsc#1132280)
Add an address-length aka DHCLIENT6_ADDRESS_LENGTH ifcfg option, which
permits to specify explicit prefix-length to use for the DHCPv6 address
and override detection using RA prefix info and a default to /128.
- time: use boot time for timer instead of real time (bsc#1129986)
- dhcp: Consistently log dhcp xid and enabled to log dhcp6 timings line.
- dhcp6: lower unexpected xid messages to debug level
- systemd: change to depend on udev settle service (bsc#1136034,bsc#1132774)
Calling udevadm settle directly caused systemd to kill wicked services.
- bridge: honour ifcfg LLADDR and set link address (bsc#1042123,boo#1142670)
- rfkill: fix switch statement to check enum variable not a constant (bsc#1140117)
- man: ifcfg-ovs-bridge(5): recommend STARTMODE=nfsroot
- dhcp4: nullify defer timer pointer when timeout (openSUSE/wicked#798,bsc#1142214)
- dhcp4: fix to request routing options when custom options are used (bsc#1132326)
- testing: add ifbind.sh helper script allowing to test hotplugging
==== xen ====
Version update (4.13.0_02 -> 4.13.0_03)
- Update to Xen 4.13.0 RC3 release
xen-4.13.0-testing-src.tar.bz2
- Drop python38-build.patch
==== yast2 ====
Version update (4.2.38 -> 4.2.45)
Subpackages: yast2-logs
- Do not crash while reading the product info (related to
bsc#1132650 and bsc#1140037).
- 4.2.45
- Do not crash when no base product is found (related to
bsc#1132650 and bsc#1140037).
- 4.2.44
- Using Y2Packager::Resolvable.any? and Y2Packager::Resolvable.find
in order to decrease the required memory (bsc#1132650,
bsc#1140037).
- 4.2.43
- Network: drop support for obsolete network device types
(jsc#SLE-7753)
- 4.2.42
- Use /etc/login.defs.d/70-yast.defs to write login.defs
values that are overridden by YaST (related to bsc#1155735).
- 4.2.41
- add is_wsl function to detect wsl (boo#1154962)
- 4.2.40
- bsc#1155735, bsc#1157541:
- Read /usr/etc/login.defs.
- Write login.defs configuration to /etc/login.defs.d/.
- 4.2.39
==== yast2-add-on ====
Version update (4.2.9 -> 4.2.11)
- Fixed crash when cloning the system (bsc#1158247)
- 4.2.11
==== yast2-bootloader ====
Version update (4.2.12 -> 4.2.13)
- Abort the execution when the module run without enough
permissions (related to bsc#1137688).
- 4.2.13
==== yast2-network ====
Version update (4.2.30 -> 4.2.34)
- Drop support for obsolete network device types (jsc#SLE-7753)
- 4.2.34
- Fix wireless mode and auth_mode initialization (bsc#1157394)
- 4.2.33
- Added a special type for the "Unknown" interfaces omitting them
from the interfaces list (bsc#1156285)
- 4.2.32
- Ignores invalid udev rules parts (bsc#1157361)
- 4.2.31
==== yast2-packager ====
Version update (4.2.32 -> 4.2.36)
- Moved resolvable class to yast2 package (bsc#1140037).
- 4.2.36
- Fix a typo in the "Extension and Module Selection" screen
(bsc#1157789).
- 4.2.35
- Show beta warning only once (bsc#1156629).
- 4.2.34
==== yast2-pkg-bindings ====
Version update (4.2.2 -> 4.2.3)
- Fixed Pkg.Resolvables() to return the license text when requested
(bsc#1158247)
- 4.2.3
==== yast2-samba-server ====
Version update (4.2.1 -> 4.2.2)
- Fix failing Samba.GetServiceStatus old testsuite forcing an
import of 'Directory' (bsc#1155923)
- 4.2.2
==== yast2-security ====
Version update (4.2.5 -> 4.2.7)
- bsc#1155735, bsc#1157541:
- Read /usr/etc/login.defs.
- Write login.defs configuration to /etc/login.defs.d/.
- 4.2.7
- Change default encryption method from DES to SHA512 (bsc#1157541,
CVE-2019-3700).
- 4.2.6
==== yast2-storage-ng ====
Version update (4.2.57 -> 4.2.59)
- Set passno to 2 for the ESP (bsc#1135523)
- 4.2.59
- Detect root mount point probed as inactive (e.g., as result of a
snapshot rollback without rebooting the system).
- Related to bsc#1124581.
- 4.2.58
==== yast2-tune ====
Version update (4.2.1 -> 4.2.2)
- Abort the execution when the bootloader cannot be read
(related to bsc#1137688).
- 4.2.2
==== yast2-update ====
Version update (4.2.10 -> 4.2.11)
- Using Y2Packager::Resolvable.any? and Y2Packager::Resolvable.find
in order to decrease the required memory (bsc#1132650,
bsc#1140037).
- 4.2.11
==== yast2-users ====
Version update (4.2.5 -> 4.2.6)
- bsc#1155735, bsc#1157541:
- Read /usr/etc/login.defs.
- Write login.defs configuration to /etc/login.defs.d/.
- 4.2.6
09 Dec '19
Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.
Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=1&versio…
Please do not reply to this email to report issues, rather file a bug
on bugzilla.opensuse.org. For more information on filing bugs please
see https://en.opensuse.org/openSUSE:Submitting_bug_reports
Packages changed:
alsa-firmware (1.0.29 -> 1.2.1)
kwrited5 (5.17.3 -> 5.17.4)
moonjit (2.1.0~beta2 -> 2.1.2)
perl-Mojolicious (8.26 -> 8.27)
plasma5-thunderbolt (5.17.3 -> 5.17.4)
wireguard (0.0.20191127_k5.3.12_1 -> 0.0.20191205_k5.3.12_1)
wireless-tools
xdg-desktop-portal-kde (5.17.3 -> 5.17.4)
yast2-support (4.2.2 -> 4.2.3)
=== Details ===
==== alsa-firmware ====
Version update (1.0.29 -> 1.2.1)
- Update to alsa-firmware 1.2.1:
* Change FSF address (Franklin Street)
* Fix up aica firmware licensing
* Add new firmware for Creative CA0132 HD-Audio Codec
==== kwrited5 ====
Version update (5.17.3 -> 5.17.4)
- Update to 5.17.4
* New bugfix release
* For more details please see:
* https://www.kde.org/announcements/plasma-5.17.4.php
- No code changes since 5.17.3
==== moonjit ====
Version update (2.1.0~beta2 -> 2.1.2)
- Fork of luajit with more active upstream
- Version 2.1.2 building on top of 2.1.0-beta3 with following goodies:
* fix for CVE-2019-19391
* Support for ppc64 ppc64le s390 s390x
- Still carry the patch luajit-lua-versioned.patch to mark it as
compatible with lua 5.1, future 2.2 release should contain
support for 5.2 and 5.3 release of LUA
==== perl-Mojolicious ====
Version update (8.26 -> 8.27)
- updated to 8.27
see /usr/share/doc/packages/perl-Mojolicious/Changes
8.27 2019-12-04
- Added EXPERIMENTAL before_command hook.
- Added EXPERIMENTAL scope_guard function to Mojo::Util.
- Removed experimental status from context method in Mojo::Log.
- Changed default MIME type of content_type method in Mojolicious::Types to
application/octet-stream. (aitap)
==== plasma5-thunderbolt ====
Version update (5.17.3 -> 5.17.4)
Subpackages: plasma5-thunderbolt-lang
- Update to 5.17.4
* New bugfix release
* For more details please see:
* https://www.kde.org/announcements/plasma-5.17.4.php
- No code changes since 5.17.3
==== wireguard ====
Version update (0.0.20191127_k5.3.12_1 -> 0.0.20191205_k5.3.12_1)
- Update to version 0.0.20191127
* wg-quick: linux: suppress error when finding unused table
* wg-quick: linux: ensure postdown hooks execute
* wg-quick: linux: have remove_iptables return true
* wg-quick: linux: iptables-* -w is not widely supported
* ipc: make sure userspace communication frees wgdevice
==== wireless-tools ====
Subpackages: libiw30
- Convert wireless-tools.changes to proper UTF-8 format: new
versions of RPM are getting strict in interpreting files.
==== xdg-desktop-portal-kde ====
Version update (5.17.3 -> 5.17.4)
Subpackages: xdg-desktop-portal-kde-lang
- Update to 5.17.4
* New bugfix release
* For more details please see:
* https://www.kde.org/announcements/plasma-5.17.4.php
- Changes since 5.17.3:
* Port away from deprecated API in KWindowSystem
==== yast2-support ====
Version update (4.2.2 -> 4.2.3)
- update the URL to privacy policy (bsc#1158434)
- 4.2.3
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe(a)opensuse.org
To contact the owner, e-mail: opensuse-factory+owner(a)opensuse.org
[opensuse-factory] openSUSE:Factory - Build fail notification
by DimStar / Dominique Leuenberger 06 Dec '19
06 Dec '19
Dear Package maintainers and hackers.
Below package(s) in openSUSE:Factory have been failing to build for at
least 4 weeks. We tried to send out notifications to the
configured bugowner/maintainers of the package(s), but so far no
fix has been submitted. This probably means that the
maintainer/bugowner did not yet find the time to look into the
matter and he/she would certainly appreciate help to get this
sorted.
- gr-osmosdr
- python-gogs_client
Unless somebody is stepping up and submitting fixes, the listed
package(s) are going to be removed from openSUSE:Factory.
Kind regards,
DimStar / Dominique Leuenberger <dimstar(a)opensuse.org>
[opensuse-factory] warning deviations in Leap vs. Factory builds with gcc
by Hans-Peter Jansen 06 Dec '19
06 Dec '19
[automatic line breaks disabled intentionally]
Hi,
today, I noticed some deviations of warnings between Leap and Factory package
builds with gcc. E.g. for this package:
https://build.opensuse.org/package/show/network:telephony/hylafax+
These two warnings in Leap 15.2[1]:
[ 159s] /usr/bin/gcc -D__ANSI_CPP__ -I. -I.. -I.././util -I.././util -L/usr/include -fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -g -fpic -O -o faxconfig .././util/faxconfig.c -L../util -L../faxd ../util/libfaxutil.so.7.0.1 ../util/libfaxutil.so.7.0.1 -ltiff -lz ../port/libport.a -lcrypt -lutil -lm -lpam -ljbig -ljpeg -llcms2 -lldap -llber -lresolv
[ 159s] .././util/faxconfig.c: In function 'main':
[ 159s] .././util/faxconfig.c:90:58: warning: '__builtin___snprintf_chk' output may be truncated before the last format character [-Wformat-truncation=]
[ 159s] snprintf(fifoname, sizeof(fifoname), "%s.%.*s", FAX_FIFO,
[ 159s] ^
[ 159s] In file included from /usr/include/stdio.h:862:0,
[ 159s] from .././util/faxconfig.c:26:
[ 159s] /usr/include/bits/stdio2.h:64:10: note: '__builtin___snprintf_chk' output between 6 and 81 bytes into a destination of size 80
[ 159s] return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
[ 159s] ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[ 159s] __bos (__s), __fmt, __va_arg_pack ());
[ 159s] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[ 160s] /usr/bin/gcc -D__ANSI_CPP__ -I. -I.. -I.././util -I.././util -L/usr/include -fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -g -fpic -O -o faxstate .././util/faxstate.c -L../util -L../faxd ../util/libfaxutil.so.7.0.1 ../util/libfaxutil.so.7.0.1 -ltiff -lz ../port/libport.a -lcrypt -lutil -lm -lpam -ljbig -ljpeg -llcms2 -lldap -llber -lresolv
[ 160s] .././util/faxstate.c: In function 'main':
[ 160s] .././util/faxstate.c:142:54: warning: '__builtin___snprintf_chk' output may be truncated before the last format character [-Wformat-truncation=]
[ 160s] snprintf(fifoname, sizeof(fifoname), "%s.%.*s", FAX_FIFO,
[ 160s] ^
[ 160s] In file included from /usr/include/stdio.h:862:0,
[ 160s] from .././util/faxstate.c:25:
[ 160s] /usr/include/bits/stdio2.h:64:10: note: '__builtin___snprintf_chk' output between 6 and 257 bytes into a destination of size 256
[ 160s] return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
[ 160s] ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[ 160s] __bos (__s), __fmt, __va_arg_pack ());
[ 160s] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
are missing in Factory[2]. I would have expected them at timestamp [102s].
My question is: where does this deviation originate?
Thanks,
Pete
[1] https://build.opensuse.org/public/build/network:telephony/openSUSE_Leap_15.…
[2] https://build.opensuse.org/public/build/network:telephony/openSUSE_Factory/…
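What the -Wformat-truncation notes in the log above describe, as an added example that is not part of the original post and not hylafax+ code: the same "%s.%.*s" format written into an 80-byte buffer, with the snprintf return value checked so that a truncated name is rejected. The value of FAX_FIFO and the helper build_fifoname are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed value: the build log shows only the macro name FAX_FIFO. */
#define FAX_FIFO "FIFO"

/*
 * Hypothetical helper (not from hylafax+): build "<FAX_FIFO>.<devid>" in dst,
 * copying at most maxlen bytes of devid.
 * Returns 0 on success, -1 if the full name does not fit in dstsz bytes.
 */
int build_fifoname(char *dst, size_t dstsz, const char *devid, int maxlen)
{
    /* snprintf returns the length the complete output would have had,
     * excluding the terminating NUL, or a negative value on error. */
    int n = snprintf(dst, dstsz, "%s.%.*s", FAX_FIFO, maxlen, devid);

    if (n < 0 || (size_t)n >= dstsz) {
        /* Truncated: refuse a shortened name rather than use the wrong path. */
        if (dstsz > 0)
            dst[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char fifoname[80];   /* same destination size as in the faxconfig.c note */
    char longid[76];     /* constructed input: 75 characters plus NUL */

    memset(longid, 'x', 75);
    longid[75] = '\0';

    /* "FIFO." + 5 characters + NUL = 11 bytes: fits. */
    printf("%d %s\n", build_fifoname(fifoname, sizeof fifoname, "ttyS0", 75), fifoname);
    /* "FIFO." + 75 characters + NUL = 81 bytes into 80: rejected. */
    printf("%d\n", build_fifoname(fifoname, sizeof fifoname, longid, 75));
    return 0;
}
```

At the default level enabled by -Wall, GCC's -Wformat-truncation only reports bounded calls whose return value is unused, so checking the result as above also addresses the diagnostic.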
Hello factory maintainers,
is there a possibility to speed up legal review for new packages in the
factory queue?
Some of my submissions are stuck there for 4 weeks now, and I really don't want
to light a x-mas candle for them while waiting for legal review....
Thanks
Axel