9 Feb
2018
9 Feb
'18
12:00
Please note that this mail was generated by a script. The described changes are computed based on the x86_64 DVD. The full online repo contains too many changes to be listed here. Please check the known defects of this snapshot before upgrading: https://openqa.opensuse.org/tests/overview?distri=opensuse&version=15.0&build=124.1&groupid=50 https://bugzilla.opensuse.org/buglist.cgi?product=openSUSE%20Distribution&query_format=advanced&resolution=---&version=Leap%2015.0 When you reply to discuss some issues, make sure to change the subject. Please use the test plan at https://docs.google.com/spreadsheets/d/1AGKijKpKiJCB616-bHVoNQuhWHpQLHPWCb3m1p6gXPc/edit#gid=168760829 to record your testing efforts and use bugzilla to report bugs. Packages changed: ImageMagick (7.0.7.21 -> 7.0.7.22) NetworkManager (1.8.4 -> 1.8.6) OpenIPMI SDL2 SUSEConnect acpica (20170531 -> 20180105) alsa audit-secondary autoyast2 (4.0.24 -> 4.0.27) babl (0.1.38 -> 0.1.42) bash bind binutils boost boost-base btrfsmaintenance ca-certificates-mozilla (2.11 -> 2.22) ceph (13.0.0 -> 13.0.0.5171+g4d4101fe78) cryptsetup (1.7.5 -> 2.0.0) cups-filters (1.17.6 -> 1.19.0) deltarpm device-mapper digikam (5.7.0 -> 5.8.0) dracut e2fsprogs enscript (1.6.4 -> 1.6.6) fftw3 file gcab (0.7 -> 0.8) gcc7 (7.2.1+r256737 -> 7.3.0+r257042) gd gdm gegl glibc glibc gnome-contacts (3.26 -> 3.26.1) gnome-software (3.26.4 -> 3.26.5) gnumeric graphite2 graphviz graphviz-addons gstreamer-plugins-libav hugin ibus installation-images-openSUSE (14.354 -> 14.358) ipset iso-codes (3.76 -> 3.77) jack (1.9.10 -> 1.9.12) java-1_8_0-openjdk javapackages-tools (4.7.0+git20170331.ef4057e7 -> 5.0.0+git20180104.9367c8f6) kactivitymanagerd kbd kdeconnect-kde (1.2 -> 1.2.1) kernel-firmware (20180104 -> 20180119) kexec-tools (2.0.14 -> 2.0.16) konsole libbsd (0.8.6 -> 0.8.7) libcaca (0.99.beta19 -> 0.99.beta19+git20171002.da28e96) libdvdread (5.0.3 -> 6.0.0) libexif libexttextcat (3.4.4 -> 3.4.5) libfastjson (0.99.7 -> 0.99.8) libgepub (0.5.2 -> 0.5.3) libgme (0.6.1 -> 0.6.2) libmbim (1.14.2 -> 1.16.0) libmspack (0.5 -> 0.6) libpng16 (1.6.31 -> 1.6.34) libqmi (1.18.0 -> 1.20.0) libraw (0.18.6 -> 0.18.7) libreoffice libsolv (0.6.30 -> 0.6.31) libsoup (2.60.2 -> 2.60.3) libssh2_org libstorage-ng (3.3.140 -> 3.3.145) libtasn1 (4.12 -> 4.13) libunwind (1.2~rc1 -> 1.2.1) libvpx libwmf libxcb libzio (1.05 -> 1.06) llvm5 logrotate (3.12.3 -> 3.13.0) lttng-ust lvm2 lzip (1.18 -> 1.19) make mdadm mozilla-nss (3.33 -> 3.34.1) mozjs52 (52.3.0 -> 52.6.0) multipath-tools (0.7.3+31+suse.6804bb73f72d -> 0.7.3+38+suse.a16beed5280a) nano (2.9.1 -> 2.9.3) ncurses (6.0 -> 6.1) newt nghttp2 (1.28.0 -> 1.29.0) open-iscsi openCOLLADA (1.6.51 -> 1.6.62) openssh openssh-askpass-gnome openssl-1_1_0 p7zip parted perl perl-Socket6 (0.25 -> 0.28) perl-Try-Tiny (0.28 -> 0.30) permissions (20171129 -> 20180125) plasma5-openSUSE plasma5-pk-updates plymouth (0.9.3+git20171130.fa66a5b -> 0.9.3+git20171220.6e9e95d) poppler-qt5 postgresql procps protobuf publicsuffix (20171228 -> 20180125) python-base python-cairocffi python-pycurl python-pyudev qpdf (7.0.0 -> 7.1.0) rollback-helper rpm (4.13.0.1 -> 4.14.0) rsyslog (8.30.0 -> 8.32.0) simple-scan (3.26.2 -> 3.26.3) snapper (0.5.3 -> 0.5.4) spamassassin strace supportutils (3.0 -> 3.1) texinfo texlive texlive-filesystem (2017.133.svn41616 -> 2017.135.svn41616) texlive-specs-b (2017.133.svn15878 -> 2017.135.svn15878) timezone (2017c -> 2018c) timezone-java (2017c -> 2018c) totem util-linux (2.30.1 -> 2.31) util-linux-systemd (2.30.1 -> 2.31) vim (8.0.1417 -> 8.0.1442) virtualbox w3m (0.5.3.git20161120 -> 0.5.3+git20180125) webkit2gtk3 (2.18.5 -> 2.18.6) wireless-tools xorg-x11-libs (7.6 -> 7.6.1) xtables-addons yast2 (4.0.38 -> 4.0.45) yast2-bootloader (4.0.13 -> 4.0.14) yast2-country (4.0.16 -> 4.0.19) yast2-drbd (4.0.0 -> 4.0.1) yast2-firewall (4.0.8 -> 4.0.9) yast2-installation (4.0.26 -> 4.0.28) yast2-pkg-bindings (4.0.6 -> 4.0.7) yast2-squid (4.0.0 -> 4.0.1) yast2-storage-ng (4.0.76 -> 4.0.81) zypp-plugin (0.6.2 -> 0.6.3) zziplib (0.13.62 -> 0.13.67) === Details === ==== ImageMagick ==== Version update (7.0.7.21 -> 7.0.7.22) Subpackages: ImageMagick-extra libMagick++-7_Q16HDRI4 libMagickCore-7_Q16HDRI5 libMagickWand-7_Q16HDRI5 - update to 7.0.7.22 * Support aspect ratio geometry, e.g. -crop 3:2. * Add support for reading the HEIC image format (reference https://github.com/ImageMagick/ImageMagick/issues/507). * Fixed numerous memory leaks, credit to OSS Fuzz. ==== NetworkManager ==== Version update (1.8.4 -> 1.8.6) Subpackages: NetworkManager-lang libnm-glib-vpn1 libnm-glib4 libnm-util2 libnm0 typelib-1_0-NM-1_0 typelib-1_0-NMClient-1_0 typelib-1_0-NetworkManager-1_0 - Update to version 1.8.6: + Fix a daemon crash on permission check (bgo#787897). + Fix a daemon crash on VPN state change (bgo#787893). + Fix a nmcli crash in interactive mode's describe command (bgo#788104). + Fix termination of the nmcli interactive mode (rh#1517401). + Properly handle route metric of zero in keyfiles. + Add support for DSA switch devices (rh#1371289). + Fix a memory leak of connection D-Bus objects (rh#1461643). + A double close that could potentially race with the D-Bus thread reusing the same file descriptor (rh#1451236). + Connectivity check fixes (bgo#785281) (bgo#784629). + Fix the metered properties handling in libnm. + Avoid dropping agent secrets unnecessarily (bgo#789383). + Fix the asynchronous initialization of a secret agent in libnm. - Drop nm-disconnect-proxy-signals.patch and nm-vpn-remote-connection-disconnect-signals.patch: Fixed upstream. - Minor spec cleaning, tweak spec to silence a few rpm lint warnings. - Replace addFilter("dbus-policy-missing-allow") with addFilter("dbus-policy-allow-without-destination"), filter out the current rpmlint warning. - Add addFilter("suse-branding-unversioned-requires*") to rpmlintrc, we have this unversioned on purpose. - Add addFilter("systemd-service-without-service_add_post NetworkManager-wait-online.service") addFilter("systemd-service-without-service_add_pre NetworkManager-wait-online.service") addFilter("systemd-service-without-service_del_postun NetworkManager-wait-online.service") addFilter("systemd-service-without-service_del_preun NetworkManager-wait-online.service") to rpmlintrc, filter out warnings we do not care about nor want as we do not want to enable this service by default. - "Mark" %%{_sysconfdir}/dbus-1/system.d/org.freedesktop.NetworkManager.conf and %%config %{_sysconfdir}/dbus-1/system.d/nm-dispatcher.conf as config files in spec, silence rpmlint. ==== OpenIPMI ==== - * added a section defining IPMI_SI_MODULE_NAME to sysconfig.ipmi * added code to OpenIPMI.spec/%install to modify sysconfig.ipmi according to architecture * modified openipmi-helper to load "sysconfig.ipmi" AFTER setting default IPMI_SI_MODULE_NAME=ipmi_si [bsc#1059820, OpenIPMI.spec, openipmi-helper, sysconfig.ipmi] ==== SDL2 ==== - Add sdl2-symvers.patch. ==== SUSEConnect ==== - Repackage gem ==== acpica ==== Version update (20170531 -> 20180105) - Update to latest version 20180105 D revert_62ca7996_build_date_and_time.patch D revert_cdd3c612d4230bbb_build_date_and_time.patch A do_not_use_build_date_and_time.patch - pass --jobs from build service to make for much faster building - Changed shebang path in wmidump_add_she_bang.patch to /usr/bin/python3 [bsc#1075687,wmidump_add_she_bang.patch] ==== alsa ==== Subpackages: libasound2 - Upstream fixes: * Add the new ucm for Cherrytrail devices (bsc#1068546): 0005-conf-ucm-Add-chtrt5645-mono-speaker-analog-mic-confi.patch * Fix for error code from PCM API functions at unexpected states: 0006-pcm-Return-the-consistent-error-code-for-unexpected-.patch ==== audit-secondary ==== - Add conditions around python plugins to allow us to conditionalize them in enviroment without python2 ==== autoyast2 ==== Version update (4.0.24 -> 4.0.27) Subpackages: autoyast2-installation - Speed optimization for the previous fix, the "clone_system" client spent several minutes processing the packages (related to bsc#1077882) - 4.0.27 - Avoid using Pkg.ResolvableProperties("", :package, "") calls which require too much memory (bsc#1077882) - 4.0.26 - Reporting packages which cannot be selected for installation. (bnc#1077292) - 4.0.25 ==== babl ==== Version update (0.1.38 -> 0.1.42) - Update to version 0.1.42: + Fully initialize fishes when loading from cache. - Update to version 0.1.40: + Added: - Format "CIE XYZ alpha" color model and formats; - Meson build; being tested in parallel with automake. + New API babl_process_rows for reduced overhead in some scenarios; though bigger gains seen also for regular babl_process with reimplemented branch-free dispatch, and faster cbrt. + Improved reference conversions for formats skipping some of models components. + Fixed gamma handling in indexed/palettized formats and improved gamma precision consistenct in sse2 conversions. ==== bash ==== Subpackages: bash-doc bash-lang libreadline7 readline-doc - Modify patch bash-4.3-pathtemp.patch to avoid crash at full file system (boo#1076909) ==== bind ==== Subpackages: bind-chrootenv bind-utils libbind9-160 libdns169 libirs160 libisc166 libisccc160 libisccfg160 liblwres160 python3-bind - Apply bind-CVE-2017-3145.patch to fix CVE-2017-3145 (bsc#1076118) ==== binutils ==== - Drop bc BuildRequires: no longer needed. - Add riscv64 to %target_list - Add arm-none-eabi symlinks (bsc#1074741) ==== boost ==== - Multibuild requires versioned Name: tag and doesn't seem to do this automatically. (bnc#1076640) ==== boost-base ==== Subpackages: boost-license1_66_0 libboost_atomic1_66_0 libboost_chrono1_66_0 libboost_date_time1_66_0 libboost_filesystem1_66_0 libboost_iostreams1_66_0 libboost_locale1_66_0 libboost_regex1_66_0 libboost_signals1_66_0 libboost_system1_66_0 libboost_thread1_66_0 - Multibuild requires versioned Name: tag and doesn't seem to do this automatically. (bnc#1076640) ==== btrfsmaintenance ==== - Move the defrag plugin over to Python 3. (bsc#1070322) - update to version 0.4 - add support for systemd timers and use them by default; the alternative cron scripts are still present (#29, #36) - add automatic monitoring (via systemd.path) of the config file, no manual updates by btrfsmaintenance-refresh.service needed (#38) - fix RPM database path detection - spec file cleanups - documentation updates - removed patches: - btrfsmaintenance-0.3.1-fix-rpm-db-path.patch (upstream) - btrfsmaintenance-switch-to-timer.patch (upstream) - pull-request-36.patch (upstream) - Fix systemd timers enabled even if period is set to none: * Micro change in pull-request-36.patch (bsc#1075884) - Clean spec file: * Removed support for suse_version <= 1210. * Removed call to btrfsmaintenance-refresh-cron.sh upon deletion (not needed anymore since we use systemd timers which are handled by macros). * Ran spec-cleaner. - Switch default of btrfsmaintenance-refresh.service to systemd-timer, too (btrfsmaintenance-switch-to-timer.patch) [bsc#1073204] - pull-request-36.patch: update patch - Don't call btrfsmaintenance-refresh-cron.sh in %post, this is done already by the systemd macros - Add patch to use systemd timer instead of cron (pull-request-36.patch) - Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468) - Fix cron symlinks removal upon package upgrade (boo#904518): * The problem was in the preun section (in the old RPM). * This means the symlinks are removed by this update, but won't be by the next ones. * Please run 'systemctl start btrfsmaintenance-refresh' one more time to fix your symlinks. - Add btrfsmaintenance-0.3.1-fix-rpm-db-path.patch: * Change RPM database path to /usr/lib/sysimage/rpm for Tumbleweed. - Require btrfsprogs (bsc#1047226) - version 0.3.1 - dist-install: fix installation paths, install functions - functions: fix syntax to be compatible with dash - spec: install functions file - version 0.3 - add syslog to logging targets - add none target (/dev/null) - autodetect btrfs filesystems for balance, scrub and trim - detect mixed blockgroups and use correct balance filters - fix uninstall rules - fix capturing entire output to the log - fix when cron files are symlinks - add generic installation script - doc updates: retention policy tuning - version 0.2 - updated documentation - support debian-like configuration paths - no hardcoded paths to external utilities - fixed logger name typos for 'journal' target - defrag fixes (sysconfig, find arguments) - version 0.1.2 - change default config for trim: off - journal loggin should work (fixed a typo) - version 0.1.1 - fix typo and make journal logging target work - cron refresh: remove bashism - cron refresh: remove debugging messages - post installation must create the cron links (bsc#904518) - Removed patches: * btrfsmaintenance-0.1-fix-bashisms.patch - fix bashism in btrfsmaintenance-refresh-cron.sh script - add patches: * btrfsmaintenance-0.1-fix-bashisms.patch - add COPYING, README.md - add config option to specify log target (stdout, or journal) - clean spec - add Url tag - fix sysconfig file Path: tags - initial import 0.1 ==== ca-certificates-mozilla ==== Version update (2.11 -> 2.22) - Updated to 2.22 state of the Mozilla NSS Certificate store. - Removed CAs: * ACEDICOM Root * AddTrust Public CA Root * AddTrust Qualified CA Root * ApplicationCA - Japanese Government * CA Disig Root R1 * CA WoSign ECC Root * Certification Authority of WoSign G2 * Certinomis - Autorit� Racine * China Internet Network Information Center EV Certificates Root * CNNIC ROOT * Comodo Secure Certificate Services * Comodo Trusted Certificate Services * ComSign Secured CA * DST ACES CA X6 * GeoTrust Global CA 2 * StartCom Certification Authority * StartCom Certification Authority * StartCom Certification Authority G2 * Swisscom Root CA 1 * T�B?TAK UEKAE K�k Sertifika Hizmet Sa?lay?c?s? - S�r�m 3 * T�RKTRUST Elektronik Sertifika Hizmet Sa?lay?c?s? * T�RKTRUST Elektronik Sertifika Hizmet Sa?lay?c?s? H6 * UTN USERFirst Hardware Root CA * UTN USERFirst Object Root CA * VeriSign Class 3 Secure Server CA - G2 * WellsSecure Public Root Certificate Authority * Certification Authority of WoSign * WoSign China - Added CAs: * D-TRUST Root CA 3 2013 * GDCA TrustAUTH R5 ROOT * SSL.com EV Root Certification Authority ECC * SSL.com EV Root Certification Authority RSA R2 * SSL.com Root Certification Authority ECC * SSL.com Root Certification Authority RSA * TrustCor RootCert CA-1 * TrustCor RootCert CA-2 * TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1 ==== ceph ==== Version update (13.0.0 -> 13.0.0.5171+g4d4101fe78) - Update to version 13.0.0-5171-g4d4101fe78: + spec file: * change version number format * define _defined_if_python2_absent if, and only if, building without python2 bcond - Update to version 13.0.0-5169-g26918cdcc9: + rebase to latest upstream master, including spec file changes: * eliminate Python 2 dependencies (bsc#1076403) N.B.: this has the consequence that we no longer build or ship Python 2 versions of the Python bindings for librados, librbd, libcephfs and librgw * drop lowmem_builder bcond and rewrite associated code to be distro-agnostic * move distro-conditional BuildRequires to appropriate section * use more recent toolchain on RHEL 7 * ceph-base: put runtime dependencies in alphabetical order * correct Group for python bindings subpackages * move ceph-volume to ceph-osd and adjust systemd macros accordingly * ceph-osd subpackage now requires lvm2 for ceph-volume * ceph-test: peg version of ceph-common dependency * drop deprecated scripts rcceph and ceph-crush-location * fix permissions of rbd resource agent - ceph-rpmlintrc: add lines to quash RPMLINT warnings + ceph-base.x86_64: E: devel-file-in-non-devel-package (Badness: 50) /usr/lib64/ceph/crypto/libceph_crypto_isal.so + librados2.x86_64: E: devel-file-in-non-devel-package (Badness: 50) /usr/lib64/ceph/libceph-common.so + ceph-base.x86_64: E: devel-file-in-non-devel-package (Badness: 50) /usr/lib64/libos_tp.so + ceph-base.x86_64: E: devel-file-in-non-devel-package (Badness: 50) /usr/lib64/libosd_tp.so ==== cryptsetup ==== Version update (1.7.5 -> 2.0.0) - Update to version 2.0.0: * Add support for new on-disk LUKS2 format * Enable to use system libargon2 instead of bundled version * Install tmpfiles.d configuration for LUKS2 locking directory * New command integritysetup: support for the new dm-integrity kernel target * Support for larger sector sizes for crypt devices * Miscellaneous fixes and improvements ==== cups-filters ==== Version update (1.17.6 -> 1.19.0) - Update to 1.19.0: * See the detailed stuff in NEWS file * New filters and poppler compatibility as always - Do not require python-cups but rather python3-cups in order to allow build on python2 less system - Explicitly enable ijs and opvp filters ==== deltarpm ==== - Make python2 and python3 conditional to ensure we can build with python3 only ==== device-mapper ==== Subpackages: libdevmapper-event1_03 libdevmapper1_03 libdevmapper1_03-32bit - clvmd: try to refresh device cache on the first failure (bsc#978055, bsc#1076042) + bug-978055_clvmd-try-to-refresh-device-cache-on-the-first-failu.patch ==== digikam ==== Version update (5.7.0 -> 5.8.0) Subpackages: digikam-doc digikam-lang kipi-plugins kipi-plugins-lang libdigikamcore5 showfoto - Add digikam-5.8.0.fix-db-migration-0001.patch (adapted to 5.8.0), digikam-5.8.0.fix-db-migration-0002.patch, digikam-5.8.0.fix-db-migration-0003.patch, and digikam-5.8.0.fix-db-migration-0004.patch to fix MySQL DB migration issues (kde#388824, kde#388867, kde#388977) - Add fix-font-size-in-tooltips.patch to make tooltips respect the configured font size (kde#337243) - Remove some no longer respected cmake options - Update to 5.8.0: * https://www.digikam.org/news/2018-01-14-5.8.0_release_announcement/ - New features (from NEWS): General : Add support to OpenCV 3.4.x. General : Updated internal Libraw to last 0.18.6. General : New Upnp/Dlna media server to share collections on local network. Image Editor : New clone tool to replace old CImg in-painting tool. DropBox : tool ported AuthO2 API. - 231 bugs fixed - Remove unneeded libkface-devel build requirement, it's not used anymore since over 2 years - Add 0001-Revert-replace-obsolete-qSort-function.patch and 0002-Revert-replace-obsolete-qSort-function.patch to fix build with gcc 4.8 on Leap 42 - Add fix-italian-docs-with-older-kdoctools.patch to make it build on Leap 42.2 - Pass --without-kde to %find_lang to prevent the docs being added to the lang package, we have a separate docs subpackage (it supports the KF5 docs location starting with rpm 4.14.0, and that would break the build) - Drop upstream patches: * Adapt-to-KCalCore-API-changes.patch * fix-Qt-5.9.3-empty-album-problem.patch - Add fix-Qt-5.9.3-empty-album-problem.patch to fix albums showing up empty with Qt 5.9.3 or higher (kde#387373) ==== dracut ==== - support validating the IMA policy file signature, needed since Kernel 4.7 * Adds 0552-98integrity-support-validating-the-IMA-policy-file-s.patch - IMA: improve support for evm key loading (bsc#1077359, fate#323906) * Adds 0553-98integrity-support-loading-x509-into-the-trusted-bu.patch * Adds 0554-98integrity-support-X.509-only-EVM-configuration.patch - FIPS: Adjust dependencies to work for cryptsetup 2.0 (bsc#1077070) - Added a few more patch annotations - Fix typo for ima dependency (evmtcl vs evmctl) (bsc#1073466) - Updated Patch annotation regarding their upstream state - FIPS: Try to fetch list of fips modules from the kernel's modules dir (bsc#1074984) * Adds 0551-fips-use-lib-modules-uname-r-modules.fips.patch - Annotated patches regarding their upstream state - dracut-ima requires evmctl and keyutils (bsc#1073466) ==== e2fsprogs ==== Subpackages: libcom_err2 libcom_err2-32bit libext2fs2 - libext2fs-fix-build-failure-in-swapfs.c-on-big-endia.patch: libext2fs: fix build failure in swapfs.c on big-endian systems (bsc#1077420) ==== enscript ==== Version update (1.6.4 -> 1.6.6) - Add missing scan vor LC_PAPER in patch enscript-1.6.6-encoding+paper.patch - Add enscript-1.6.6-ghostscript.patch to get correct support for ghostscript back - Add enscript-1.6.6-silent-warns.patch to silent gcc - Move %install_info_delete from %postun to %preun - Add patch enscript-1.6.6-helper-apps.patch to mention helper app support again - Add patch enscript-1.6.6-mailto.patch to get mailto support with optional address back - Add patch enscript-1.6.6-encoding+paper.patch to get better encoding and automatic paper size support back - Add patch enscript-1.6.6-euro+baltic.patch to get support for the Euro symbol as well as the Baltic language support back - update to 1.6.6 * Add afm/MustRead.html, containing licensing information for Adobe AFM files. * Sync all translations from the Translation Project. Visit http://translationproject.org/ to help translate Enscript * Add documented but missing '-w' option as an alias for '--language' * Apply sliceprint patch from Debian - includes 1.6.5.2: * Fix CFG_FATAL macro in util.c-- prevents a segfault when the config file contains unknown parameters * Fix segfault with line lengths over 90 characters - includes 1.6.5.1: * Typo corrections in the manual pages * Actually ship f90.st in the tarball * Better organization for ChangeLog, INSTALL and README - includes 1.6.5: * Licensing change: GNU Enscript is now distributed under version 3 or later of the GNU GPL * Build system fixes - distcheck now passes * At least four security bug fixes: - CAN-2004-1184 - CAN-2004-1185 - CAN-2004-1186 - CVE-2008-3863, CVE-2008-4306 * Syntax highlighting fixes - shell escaping rules from Shawn McMahon - JavaScript regexps now recognised - New highlighting rules for Fortran 90 from David Bowler - rebase enscript-automake.diff - remove enscript-1.6.4-CAN-2004-1184.patch * upstreamed in 9510e4315705329e51b27fa2f3f688989b9fb37f - remove enscript-1.6.4-CAN-2004-1185.patch * fixed in a3e6bf57e48bb7434cdd590732e221fd2e0b4c17 - remove enscript-1.6.4-CAN-2004-1186.patch * fixed in 0acc7b63a1be9f5d02f1a21d6df52cb5a9ce7e58 - remove enscript-1.6.4-CVE-2008-3863.patch * upstreamed in 94135714871a735e3fe624eaf37901bbb6314e05 - remove enscript-1.6.4-fdleak.patch * fixed in f2bfb5ead29048ce42000e4796383a4406b069f6 - remove enscript-1.6.4.dif - renumber patches - cleanup with spec-cleaner ==== fftw3 ==== Subpackages: libfftw3-3 libfftw3_threads3 - Fix typo in flavor gnu7-hpc settings. - Change the name of the MPI version of the module file directory to pfftw3 to distinguish it from the 'serial' one (boo#1075933). - Disable the openmpi3 flavor in some products. - Add gcc7 as additional compiler flavor for HPC on SLES. - Fix library package requires - use HPC macro (boo#1074890). - Add support for mpich and openmpi3 for HPC. ==== file ==== Subpackages: file-magic libmagic1 libmagic1-32bit - Add patch file-5.32-ncurses-6.1.patch to support extend magic format for new ncurses 6.1 ==== gcab ==== Version update (0.7 -> 0.8) Subpackages: gcab-lang libgcab-1_0-0 - Update to version 0.8 (CVE-2018-5345): + This fixes the security bug known as CVE-2018-5345. + Always check the return value when writing to the stream. + Do not crash when ncbytes is larger than the buffer size. + Don't encode timezone in generated files. + Don't use version script if unsupported. + Explicitly enable C99 support. + Fix a few 'Dereference of null pointer' warnings. + Fix buffer overrun when generating Huffman codes. + Fix builddir != srcdir builds. + Fix dependency on generated .h file. + Fix invalid return annotation. + Fix the calculation of the checksum on big endian machines. + Fix -Wimplicit-fallthrough=. + Use glib-mkenum's prefixes to avoid sed. + Updated translations. - Minor spec cleanup, use autosetup macro. ==== gcc7 ==== Version update (7.2.1+r256737 -> 7.3.0+r257042) Subpackages: cpp7 gcc7-info gcc7-locale libasan4 libatomic1 libcilkrts5 libgcc_s1 libgcc_s1-32bit libgfortran4 libgomp1 libitm1 liblsan0 libmpx2 libmpxwrappers2 libobjc4 libquadmath0 libstdc++6 libstdc++6-32bit libstdc++6-locale libtsan0 libubsan0 - Update to GCC 7.3 release. - Move misplaced %endif - Update to GCC 7.3.0 RC1 (r256792). ==== gd ==== - security update: * CVE-2018-5711 [bsc#1076391] + gd-CVE-2018-5711.patch ==== gdm ==== Subpackages: gdm-lang gdmflexiserver libgdm1 typelib-1_0-Gdm-1_0 - Add back translation-update-upstream as BuildRequires since SLE still needs it. - Update gdm-disable-wayland-on-unsupported-chipsets.patch: examine filename argument in gdm_settings_desktop_backend_new instead of examining GDM_RUNTIME_CONF (bsc#1078030). - Add gdm-disable-wayland-on-unsupported-chipsets.patch: let udev write to a runtime config file to disable Wayland for gdm on chipsets where Wayland is not supported yet, e.g. Cirrus (boo#1059356, bgo#789081). - Update gdm-sysconfig-settings.patch: parts of this openSUSE specific patch are splitted and merged into gdm-disable-wayland-on-unsupported-chipsets.patch to push to upstream, - Add gdm-nb-translations.patch: Update Norwegian Bokm�l translations. - Drop gdmflexiserver Obsoletes from main package, we ship gdmflexiserver again, so this is not needed nor wanted. - Do minor spec-cleanup, silence a couple of rpmlint warnings. - Add gdm-not-run-with-bogus-DISPLAY-XAUTHORITY.patch: When run PreSession script, don't set DISPLAY and XAUTHORITY environment variable, avoiding environment variable equal (null) (bsc#1068016 bgo#792150). - Remove gdm-ignore-SLE-CLASSIC-MODE.patch: SLE-Classic doesn't use environment variable SLE_CLASSIC_MODE anymore. ==== gegl ==== Subpackages: gegl-0_2 gegl-0_2-lang libgegl-0_2-0 - require liberation-fonts instead of liberation2-fonts, it is dead [bsc#1077375] [rh#856239] ==== glibc ==== Subpackages: glibc-32bit glibc-locale-32bit - getcwd-absolute.patch: make getcwd(3) fail if it cannot obtain an absolute path (CVE-2018-1000001, bsc#1074293, BZ #22679) - dl-init-paths-overflow.patch: Count components of the expanded path in _dl_init_path (CVE-2017-1000408, CVE-2017-1000409, bsc#1071319, BZ [#22607], BZ #22627) - fillin-rpath-empty-tokens.patch: Check for empty tokens before dynamic string token expansion (CVE-2017-16997, bsc#1073231, BZ #22625) ==== glibc ==== Subpackages: glibc-devel glibc-extra glibc-locale nscd - getcwd-absolute.patch: make getcwd(3) fail if it cannot obtain an absolute path (CVE-2018-1000001, bsc#1074293, BZ #22679) - dl-init-paths-overflow.patch: Count components of the expanded path in _dl_init_path (CVE-2017-1000408, CVE-2017-1000409, bsc#1071319, BZ [#22607], BZ #22627) - fillin-rpath-empty-tokens.patch: Check for empty tokens before dynamic string token expansion (CVE-2017-16997, bsc#1073231, BZ #22625) ==== gnome-contacts ==== Version update (3.26 -> 3.26.1) Subpackages: gnome-contacts-lang gnome-shell-search-provider-contacts - Update to version 3.26.1: + Makefile.am: add README.md. Fixes bgo#792768. + Updated translations. - Drop gnome-contacts-nb-translations.patch: Fixed upstream. ==== gnome-software ==== Version update (3.26.4 -> 3.26.5) Subpackages: gnome-software-lang - Update to version 3.26.5: + Add missing locking to gs_plugin_cache_remove(), fixing a possible crash. + Fix various memory leaks spotted by valgrind. + Fix a possible crash triggered by the fwupd plugin. + Do not emit critical warnings when reviewing OS Updates. + fwupd: Use the custom user-agent when downloading firmware. + overview page: Fix a crash when we have no featured apps. + packagekit: Implement repository enabling. + Fix hover CSS for "unknown" and "nonfree" license buttons. + Updated translations. ==== gnumeric ==== Subpackages: gnumeric-doc gnumeric-lang - Recommen liberation-fonts instead of liberation2-fonts, liberation2-fonts is dead (bsc#1077375, rh#856239). ==== graphite2 ==== Subpackages: libgraphite2-3 libgraphite2-3-32bit - Do not BR asciidoc as we do not install the generated html page ==== graphviz ==== Subpackages: graphviz-plugins-core libgraphviz6 - Disable building the graphviz-ocaml package: we have no consumer of it, but not building it allows us to elminiate a build cycle. ==== graphviz-addons ==== Subpackages: graphviz-gd graphviz-gnome - Disable building the graphviz-ocaml package: we have no consumer of it, but not building it allows us to elminiate a build cycle. ==== gstreamer-plugins-libav ==== - Add conditional libavcodec.so(unrestricted) Requires, pull in the full codecpack when installing package from third party repos who build libavcodec. ==== hugin ==== - Pass -DPYTHON_EXECUTABLE=/usr/bin/python2 to CMake, ensuring we use the python2 interpreter. ==== ibus ==== Subpackages: ibus-gtk ibus-gtk3 ibus-lang libibus-1_0-5 typelib-1_0-IBus-1_0 - Fix boo#1073524: IBus does not work on Qt5 applicatin under Qt5 only environment * do not set QT_IM_MODULE=xim for Qt5 applications * use QT4_IM_MODULE for Qt4 applications - Enable emoji support for openSUSE. - Use %fdupes in python3-ibus. ==== installation-images-openSUSE ==== Version update (14.354 -> 14.358) - merge gh#openSUSE/installation-images#233 - add missing drivers for ppc (bsc#1077546) - 14.358 - merge gh#openSUSE/installation-images#232 - add full open-iscsi package to zenworks image (bsc# 1077301) - 14.357 - merge gh#openSUSE/installation-images#231 - mk_image: /var/lib/rpm/alternatives was moved to /var/lib/alternatives - 14.356 - Do not explicitly BuildRequire libcryptsetup4-hmac and libgcrypt20-hmac: since those packages change sonmae every now and then, it makes it only difficult to follow it. They are already pulled in by dracut-fips, so we still have them in the buildroot available. - merge gh#openSUSE/installation-images#229 - make cypto lib dependencies more flexible - make dependency on bash explicit - 14.355 - Own /usr/lib/skelcd if skelcd_compat is set: until the products are fully migrated to the product builder rewrite, some still use the legacy /CD1 path. They advertise this by defining skelcd_compat=1. ==== ipset ==== Subpackages: libipset11 - Add 0001-build-do-install-libipset-args.h.patch. ==== iso-codes ==== Version update (3.76 -> 3.77) Subpackages: iso-codes-lang - Update to version 3.77: + Updated translations for ISO 3166-1, ISO 3166-2, ISO 4217, ISO 3166-3, ISO 639-2, ISO 639-5, ISO 639-3, ISO 15924. - Cleanup with spec-cleaner. ==== jack ==== Version update (1.9.10 -> 1.9.12) - Build with _smp_mflags - Split off libjacknet0 and libjackserver0 into subpackages. - Update to version 1.9.12 and use python3 instead of python2 for the build. - Removed jack-sparcv9.diff and jack-ppc64-long.patch, the file that is patched - linux/cycles.h no longer exists. - Removed reproducible.patch, gcc6-fixes.diff and jack-fixgcc7.patch they are all now upstream. - Upstream changes: * Various corrections in NetJack2 code. * Partial buffers can now be transmitted with libjacknet API. * Including S24_LE/BE formats to linux ALSA driver. * More robust shared memory allocator. * Correct CoreAudio devices aggregation code. * Waf and wscripts improvement and update. * New JackProxyDriver. * Various fixes in JACK MIDI code. * Fix return value of SetTimebaseCallback(). * Correct netmanager latency reporting. * Implement new jack_port_rename and JackPortRenameCallback API. * Fix CPU hogging of the midi_thread(). * Release audio devices when alsa_driver_new fails. * String management fix. * Correct JackDriver::Open : call to fGraphManager->SetBufferSize has to use current fEngineControl->fBufferSize value. * Use ARM neon intrinsics for AudioBufferMixdown. * Fix Netjack alignment. * Various wscript improvements and cleanup. * Fix initialization of several class variables. * Heap-allocate client matrix in topo sort. * Add a toggle command to transport utility, to allow toggling between play and stop state. * Avoid side effects from parsing of "version" option in jackd. * Allow firewire device be selected via -d. * Add ARM-NEON acceleration for all non-dithering sample conversion functions. * Add jack_simdtest utility. * Use Linux futex as JackSynchro. * Add autoclose option to jack_load. * Fix build with gcc-7. * Show hint when DBus device reservation fails. * Add support for internal session files. ==== java-1_8_0-openjdk ==== Subpackages: java-1_8_0-openjdk-headless - Fix build with gcc 7.3 * add -fno-delete-null-pointer-checks -fno-lifetime-dse and - std=gnu++98 ==== javapackages-tools ==== Version update (4.7.0+git20170331.ef4057e7 -> 5.0.0+git20180104.9367c8f6) - Update to version 5.0.0+git20180104.9367c8f6: * [java-functions] Avoid colons in jar names * Workaround for SCL enable scripts not working with -e * Second argument to pom_xpath_inject is mandatory * [mvn_artifact] Provide more helpful error messages * Fix traceback on corrupt zipfile * [test] Add reproducer for rhbz#1481005 * [spec] Fix default JRE path * [readme] Fix typo * Add initial content to README.md (#21) * Decouple JAVA_HOME setting from java command alternatives - Rebase patches: * python-optional.patch * suse-use-libdir.patch - Drop merged patch fix-abs2rel.patch ==== kactivitymanagerd ==== Subpackages: kactivitymanagerd-lang - Require libQt5Sql5-sqlite, apparently it crashes without it, and even if not it would probably not work properly (boo#1078173) ==== kbd ==== Subpackages: kbd-legacy - Move initial NumLock handling from systemd back to kbd: * Add kbdsettings service written by Thomas Blume (boo#1010880, kbdsettings, kbdsettings.service, numlockbios.c, update sysconfig.console and sysconfig.keyboard). * Exclude numlockbios support for non x86 platforms (kbdsettings-nox86.patch). - Drop references to KEYTABLE and COMPOSETABLE (boo#1010880#c32, boo#1010880#c54, sysconfig.keyboard.del, README.SUSE, drop kbd.fillup). - Fix paths in kbd.pl. ==== kdeconnect-kde ==== Version update (1.2 -> 1.2.1) Subpackages: kdeconnect-kde-lang - Update to 1.2.1 * Require the latest version of KF5 * Was getting a double-delete, now it won't crash * Get rid of ProcessRunner * Add album art to mpris network packets * Add title, artist and album to MPRIS network packets * Fix information leak via /tmp (kde#383144) * Add support for new Android 2.3 (API 9+) cipher * Fix kdeconnect-cli device list * Fix "error activiting kdeconnectd" for kdeconnect-cli * Delay kdeconnectd autostart phase * Fix Notifications in Plasmoid * Make sure there's not a path within the filename * share plugin: fix path display * Use pactl instead of KMix in PauseMusic Plugin - needs KDE Frameworks 5.42 now ==== kernel-firmware ==== Version update (20180104 -> 20180119) Subpackages: ucode-amd - Update to version 20180119: * amdgpu: update uvd firmware for polaris asics * amdgpu: update vce firmware for Fiji * amdgpu: update vcn firmware for raven * amdgpu: update vce and uvd firmware for Vega10 * mediatek: update MT8173 VPU firmware to 1.0.8 [decoder h264] Fix h264 decoder output delay for some low latency bitstreams * cxgb4: update firmware to revision 1.17.14.0 * linux-firmware: update Marvell PCIe-USB8897/8997 firmware image to add WPA2 vulnerability fix * linux-firmware: intel: Update Geminilake audio firmware ==== kexec-tools ==== Version update (2.0.14 -> 2.0.16) - Create compat link for rckexec-loader systemd service - Convert the asciidoc file to normal man in order to drop asciidoc dep * python2 only obsoletion and upstream has only raw manpages too - Properly state all post/postun dependencies (systemd, suse-module-tools) - There is no reason for exclusive arch if we state all archs - Bump to version 2.0.16 Changelog: http://git.kernel.org/cgit/utils/kernel/kexec/kexec-tools.git/log/?id=refs/tags/v2.0.14..v2.0.16 - Remove support for older products to trivialize spec file - Make sure to not pull python2 via asciidoc - Drop merged patch 0001-kexec-tools-2.0.14.git.patch - Drop all patches from upstream git: * 0002-ppc64-Reduce-number-of-ELF-LOAD-segments.patch * 0003-kexec-Increase-the-upper-limit-for-RAM-segments.patch * 0004-alpha-add-missing-__NR_kexec_load-definition.patch * 0005-kexec-implemented-XEN-KEXEC-STATUS-to-determine-if-a.patch * 0006-kexec-Remove-redundant-space-from-help-message.patch * 0007-purgatory-Add-purgatory.map-and-purgatory.ro.sym-to-.patch * 0008-kexec-Add-option-to-get-crash-kernel-region-size.patch * 0009-crashdump-arm-Add-get_crash_kernel_load_range-functi.patch * 0010-crashdump-arm64-Add-get_crash_kernel_load_range-func.patch * 0011-crashdump-cris-Add-get_crash_kernel_load_range-funct.patch * 0012-crashdump-ia64-Add-get_crash_kernel_load_range-funct.patch * 0013-crashdump-m68k-Add-get_crash_kernel_load_range-funct.patch * 0014-crashdump-mips-Add-get_crash_kernel_load_range-funct.patch * 0015-crashdump-ppc-Add-get_crash_kernel_load_range-functi.patch * 0016-crashdump-ppc64-Add-get_crash_kernel_load_range-func.patch * 0017-crashdump-s390-Add-get_crash_kernel_load_range-funct.patch * 0018-crashdump-sh-Add-get_crash_kernel_load_range-functio.patch * 0019-gitignore-add-two-generated-files-in-purgatory.patch * 0020-Only-print-debug-message-when-failed-to-serach-for-k.patch * 0021-build_mem_phdrs-check-if-p_paddr-is-invalid.patch * 0022-uImage-fix-realloc-pointer-confusion.patch * 0023-uImage-Fix-uImage_load-for-little-endian-machines.patch * 0024-uImage-Add-new-IH_ARCH_xxx-definitions.patch * 0025-uImage-use-char-instead-of-unsigned-char-for-uImage_.patch * 0026-uImage-use-char-instead-of-unsigned-char-for-uImage_.patch * 0027-arm64-add-uImage-support.patch * 0028-vmcore-dmesg-Define-_GNU_SOURCE.patch * 0029-Don-t-use-L-width-specifier-with-integer-values.patch * 0030-x86-x86_64-Fix-format-warning-with-die.patch * 0031-ppc-Fix-format-warning-with-die.patch * 0032-crashdump-Remove-stray-get_crashkernel_region-declar.patch * 0033-x86-Support-large-number-of-memory-ranges.patch * 0034-Fix-broken-Xen-support-in-configure.ac.patch * 0035-kexec-extend-the-semantics-of-kexec_iomem_for_each_l.patch * 0036-kexec-generalize-and-rename-get_kernel_stext_sym.patch * 0037-arm64-identify-PHYS_OFFSET-correctly.patch * 0038-arm64-change-return-values-on-error-to-negative.patch * 0039-arm64-kdump-identify-memory-regions.patch * 0040-arm64-kdump-add-elf-core-header-segment.patch * 0041-arm64-kdump-set-up-kernel-image-segment.patch * 0042-arm64-kdump-set-up-other-segments.patch * 0043-arm64-kdump-add-DT-properties-to-crash-dump-kernel-s.patch * 0044-arm64-kdump-Add-support-for-binary-image-files.patch * 0045-Handle-additional-e820-memmap-type-strings.patch * 0046-powerpc-fix-command-line-overflow-error.patch * 0047-fix-how-RMA-top-is-deduced.patch ==== konsole ==== Subpackages: konsole-part konsole-part-lang - Temporary add patch konsole-D10064.id25855.diff which is based on the Diff 25855 from https://phabricator.kde.org/D10064 for Support of ECMA-48 REP (boo#1054448, bsc#1078565, and kde#384620) ==== libbsd ==== Version update (0.8.6 -> 0.8.7) - Update to version 0.8.7: * Fixfor gcc with no __has_include or __has_include_next support * man: Document on what other BSDs arc4random(3) is present * Handle several functions now being provided by glibc * test: Fix nlist(3) unit test on IA64 - switch to mirror temporarily, per announce: https://lists.freedesktop.org/archives/libbsd/2018-January/000166.html ==== libcaca ==== Version update (0.99.beta19 -> 0.99.beta19+git20171002.da28e96) - Drop the py2 bindings they fail to build using rpm macros and somehow ingnore LD_LIBRARY_PATH, anyway provide py3 variant and stick with that - Switch to git repack service in order to get all the latest fixes * like python3 porting of the bindings - Update to version 0.99.beta19+git20171002.da28e96: * img2text.c: fix width arg case in example * ruby: require 'caca' instead of 'caca.so' * Only fail the check-copyright test if more than 10 files are affected. * Try to run Coverity from Travis CI. * Add some missing breaks (thanks coverity) * Fix header copyright. * Fix a bug into the autorepeat trigger. - Refresh patches: * libcaca-ruby_am_cflags.patch * libcaca-ruby_vendor_install.patch - Fix URL - Mention github repo containing more changes - Format with spec-cleaner - Remove support for older distros lets stick with latest only - Remove for years disabled mono and java integration code snippets - Use python macros to build python instead of waiting for autotools - Convert to pkgconfig style dependencies ==== libdvdread ==== Version update (5.0.3 -> 6.0.0) - Update to version 6.0.0: * restrict the number of symbols to be exposed to the shared-object * remove dvdinput_error function * improve compatibility with some DVDs (notably the eOne ones) * fix write after free in ifoFree functions * fix possible buffer overflow in open * additional checks on DVDReadBytes arguments * fix leaks - Removed libdvdread-no-internal-crypto.patch because it's not applied anymore. ==== libexif ==== - Remove %__-type macro indirections. Fix SRPM group. - Use %_smp_mflags for parallel build. - Drop pointless --with-pic (no effect since --disable-static). - Add CVE-2016-6328.patch: Fix integer overflow in parsing MNOTE entry data of the input file (bnc#1055857) - Add CVE-2017-7544.patch: Fix vulnerable out-of-bounds heap read vulnerability (bnc#1059893) ==== libexttextcat ==== Version update (3.4.4 -> 3.4.5) Subpackages: libexttextcat-2_0-0 - Version bump to 3.4.5 * fixed broken uk.lm langclass * Fix -fsanitize=shift-base errors - use new URL - cleanup with spec-cleaner ==== libfastjson ==== Version update (0.99.7 -> 0.99.8) - update to 0.99.8: * make build under gcc7 with strict settings (warning==error) * bugfix: constant key names not properly handled * fix potentially invalid return value of fjson_object_iter_begin * fix small potential memory leak in json_tokener ==== libgepub ==== Version update (0.5.2 -> 0.5.3) - Update to version 0.5.3: + Fixed SVG image resource replacement. + Rename introspection build option. + Removed autotools. + build: - Conform to build-api expectations. - Remove default warning level. - Remove unused defines. - Improved linker script handling. - Set prefix-relative install_dir for libgepub. - Fix typo in symbol path creation. + tests: - Fix crash on exit. - Replace "100" with a constant. - widget: Don't change LC_NUMERIC at runtime. - Pass introspection=true to meson, ensure we build the features we want. - Minor spec cleanup, use autosetup macro. ==== libgme ==== Version update (0.6.1 -> 0.6.2) - Update to 0.6.2: * fix crashes in nsfe emulator ==== libmbim ==== Version update (1.14.2 -> 1.16.0) Subpackages: libmbim-glib4 mbimcli-bash-completion - Update to version 1.16.0: + All the code base was ported to use the GTask based asynchronous operations support instead of the deprecated GSimpleAsyncResult. + New support for AT&T Device Service and Intel Firmware Update Service. + libmbim-glib: - Added: . MBIM_STATUS_ERROR_CONTEXT_NOT_SUPPORTED to MbimStatusError. . Support to detect already open MBIM channels on the Sierra Wireless EM7345. - Avoid using iconv() directly for the UTF-16BE conversions, which makes it possible to use libmbim on systems with a stub iconv() implementation. - Prefer realpath() to canonicalize_file_name(). - Added MBIM_READY_INFO_FLAG_NONE to MbimReadyInfoFlag. + mbimcli: - New: --query-ip-packet-filters, --query-pin-list action, - -atds-query-signal, --atds-query-location and - -intel-modem-reboot actions. - Add cancellability to the query-ip-configuration action. + mbim-proxy: Avoid receiving signals from the parent process. - Add pkgconfig(gio-unix-2.0) BuildRequires: it was being pulled by another pkgconfig module that live in glib2-devel package and used already. ==== libmspack ==== Version update (0.5 -> 0.6) - Correct mspack-tools group to Productivity/File utilities - Correct SRPM group. - Fix typo - Update to version 0.6 * read_spaninfo(): a CHM file can have no ResetTable and have a negative length in SpanInfo, which then feeds a negative output length to lzxd_init(), which then sets frame_size to a value of your choosing, the lower 32 bits of output length, larger than LZX_FRAME_SIZE. If the first LZX block is uncompressed, this writes data beyond the end of the window. This issue was raised by ClamAV as CVE-2017-6419. * lzxd_init(), lzxd_set_output_length(), mszipd_init(): due to the issue mentioned above, these functions now reject negative lengths * cabd_read_string(): add missing error check on result of read(). If an mspack_system implementation returns an error, it's interpreted as a huge positive integer, which leads to reading past the end of the stack-based buffer. This issue was raised by ClamAV as CVE-2017-11423 - Add subpackage for helper tools - Run spec-cleaner ==== libpng16 ==== Version update (1.6.31 -> 1.6.34) Subpackages: libpng16-16 libpng16-16-32bit - check with -j1 - Fix SRPM group and grammar issues. - removed obsoleted Obsoletes - update to 1.6.34: * Removed contrib/pngsuite/i*.png; some of these were incorrect and caused test failures. - includes 1.6.33: * Added PNGMINUS_UNUSED macro to contrib/pngminus/p*.c and added missing parenthesis in contrib/pngminus/pnm2png.c * Fixed off-by-one error in png_do_check_palette_indexes() * Initialize png_handler.row_ptr in libpng_read_fuzzer.cc to fix shortlived oss-fuzz issue 3234. * Compute a larger limit on IDAT because some applications write a deflate buffer for each row * Use current date (DATE) instead of release-date (RDATE) in last changed date of contrib/oss-fuzz files. * Enabled ARM support in CMakeLists.txt * Fixed incorrect typecast of some arguments to png_malloc() and png_calloc() that were png_uint_32 instead of png_alloc_size_t * Use pnglibconf.h.prebuilt when building for ANDROID with cmake * Initialize memory allocated by png_inflate to zero, using memset, to stop an oss-fuzz "use of uninitialized value" detection in png_set_text_2() due to truncated iTXt or zTXt chunk. * Initialize memory allocated by png_read_buffer to zero, using memset, to stop an oss-fuzz "use of uninitialized value" detection in png_icc_check_tag_table() due to truncated iCCP chunk. * Removed redundant tests * Added an interlaced version of each file in contrib/pngsuite. * Relocate new memset() call in pngrutil.c * Add support for loading images with associated alpha in the Simplified API * Revert contrib/oss-fuzz/libpng_read_fuzzer.cc to libpng-1.6.32 state * Initialize png_handler.row_ptr in libpng_read_fuzzer.cc * Add end_info structure and png_read_end() to the libpng fuzzer - includes 1.6.32: * Avoid possible NULL dereference in png_handle_eXIf when benign_errors are allowed. Avoid leaking the input buffer "eXIf_buf". * Eliminated png_ptr->num_exif member from pngstruct.h and added num_exif to arguments for png_get_eXIf() and png_set_eXIf(). * Added calls to png_handle_eXIf(() in pngread.c and png_write_eXIf() in pngwrite.c, and made various other fixes to png_write_eXIf(). * Changed name of png_get_eXIF and png_set_eXIf() to png_get_eXIf_1() and png_set_eXIf_1(), respectively, to avoid breaking API compatibility with libpng-1.6.31. * Updated contrib/libtests/pngunknown.c with eXIf chunk. * Initialized btoa[] in pngstest.c * Stop memory leak when returning from png_handle_eXIf() with an error * Replaced local eXIf_buf with info_ptr-eXIf_buf in png_handle_eXIf(). * Update libpng.3 and libpng-manual.txt about eXIf functions. * Restored png_get_eXIf() and png_set_eXIf() to maintain API compatability. * Removed png_get_eXIf_1() and png_set_eXIf_1(). * Check length of all chunks except IDAT against user limit to fix an OSS-fuzz issue (Fixes CVE-2017-12652) * Check length of IDAT against maximum possible IDAT size, accounting for height, rowbytes, interlacing and zlib/deflate overhead. * Restored png_get_eXIf_1() and png_set_eXIf_1(), because strlen(eXIf_buf) does not work (the eXIf chunk data can contain zeroes). * Revised symlink creation, no longer using deprecated cmake LOCATION feature * Fixed five-byte error in the calculation of IDAT maximum possible size. * Moved chunk-length check into a png_check_chunk_length() private function * Moved bad pngs from tests to contrib/libtests/crashers * Moved testing of bad pngs into a separate tests/pngtest-badpngs script * Added the --xfail (expected FAIL) option to pngtest.c. It writes XFAIL in the output but PASS for the libpng test. * Require cmake-3.0.2 in CMakeLists.txt * Fix "const" declaration info_ptr argument to png_get_eXIf_1() and the num_exif argument to png_get_eXIf_1() * Added "eXIf" to "chunks_to_ignore[]" in png_set_keep_unknown_chunks(). * Added huge_IDAT.png and empty_ancillary_chunks.png to testpngs/crashers. * Make pngtest --strict, --relax, --xfail options imply -m (multiple). * Removed unused chunk_name parameter from png_check_chunk_length(). * Relocated setting free_me for eXIf data, to stop an OSS-fuzz' leak. * Initialize profile_header[] in png_handle_iCCP() to fix OSS-fuzz issue. * Initialize png_ptr->row_buf[0] to 255 in png_read_row() to fix OSS-fuzz UMR. * Attempt to fix a UMR in png_set_text_2() to fix OSS-fuzz issue. * Increase minimum zlib stream from 9 to 14 in png_handle_iCCP(), to account for the minimum 'deflate' stream, and relocate the test to a point after the keyword has been read. * Check that the eXIf chunk has at least 2 bytes and begins with "II" or "MM". * Added a set of "huge_xxxx_chunk.png" files to contrib/testpngs/crashers, one for each known chunk type, with length = 2GB-1. * Check for 0 return from png_get_rowbytes() and added some (size_t) typecasts in contrib/pngminus/*.c to stop some Coverity issues (162705, 162706, and 162707). * Renamed chunks in contrib/testpngs/crashers to avoid having files whose names differ only in case; this causes problems with some platforms * Added contrib/oss-fuzz directory which contains files used by the oss-fuzz project - cleanup with spec-cleaner ==== libqmi ==== Version update (1.18.0 -> 1.20.0) Subpackages: libqmi-glib5 libqmi-tools - Update to version 1.20.0: + New services: loc - new "LOC" (location) service, which e.g. allows controlling GPS devices in newer modules that don't implement the PDS service. Just some very basic implementation for now. + New request/responses: - nas: new "Attach/Detach" request/response messages. - wds: new "Get Channel Rates" request/response messages. - dms: new 'Swi Get/Set USB Composition' request/response messages. + New TLVs supported in existing messages: - nas: new 'Extended LTE Band Preference' TLV in "Set/Get SSP". - dms: new 'Extended LTE Band Capability' TLV in "Get Band Capabilities". + libqmi: - New: . QMI_DEVICE_SIGNAL_REMOVED signal in the QmiDevice object, propagated through the qmi-proxy. . QMI_CLIENT_VALID property in the QmiClient that allows detecting whether the underlying QmiDevice is usable or not. - Defined additional LTE bands. + qmicli: - New: --wds-set-ip-family, --wds-get-channel-rates, - -uim-read-record, --dms-swi-get-usb-composition and - -dms-swi-set-usb-composition commands. + libqmi-glib: - Prefer realpath() to canonicalize_file_name(). - Avoid signals sent to the qmi-proxy process. + qmi-firmware-update: Support USB3->USB2 mode changes during upgrade. - Update Url to https://www.freedesktop.org/wiki/Software/libqmi/: current libqmi's web page. - Add pkgconfig(gio-unix-2.0) BuildRequires: it was being pulled by another pkgconfig module that live in glib2-devel package and used already. ==== libraw ==== Version update (0.18.6 -> 0.18.7) - updated to 0.18.7: * All legacy (RGB raw) image loaders checks for imgdata.image is not NULL * kodak_radc_load_raw: check image size before processing * legacy memory allocator: allocate max(widh, raw_width) * max(height, raw_height) - partial cleanup with spec-cleaner - other spec fixes: * switch to https site * remove executable bit from copyright * remove outdated comment about build parallelism ==== libreoffice ==== Subpackages: libreoffice-base libreoffice-base-drivers-mysql libreoffice-branding-upstream libreoffice-calc libreoffice-draw libreoffice-filters-optional libreoffice-gnome libreoffice-gtk3 libreoffice-icon-themes libreoffice-impress libreoffice-kde4 libreoffice-l10n-en libreoffice-mailmerge libreoffice-math libreoffice-pyuno libreoffice-writer libreofficekit - Require xorg-x11-fonts otherwise nothing is shown - Do not pull in liberation2-fonts wrt bsc#1077375#c5 ==== libsolv ==== Version update (0.6.30 -> 0.6.31) Subpackages: libsolv-tools python-solv - new ENABLE_RPMDB_LIBRPM/ENABLE_RPMPKG_LIBRPM config options - new pool_set_whatprovides function to change the whatprovides data - much improved selection code - bump version to 0.6.31 ==== libsoup ==== Version update (2.60.2 -> 2.60.3) Subpackages: libsoup-2_4-1 libsoup-lang typelib-1_0-Soup-2_4 - Update to version 2.60.3: + heap-buffer-overflow in soup_ntlm_parse_challenge() (bgo#788037). + session: don't request Keep-Alive for upgraded connections (bgo#788723). + soup-headers: accept any 3 digit number as message status code (bgo#792124). ==== libssh2_org ==== - Drop openssh BuildRequires: this is only used for one of the minor self-tests. ==== libstorage-ng ==== Version update (3.3.140 -> 3.3.145) Subpackages: libstorage-ng-lang libstorage-ng-ruby libstorage-ng1 - merge gh#openSUSE/libstorage-ng#439 - start rpcbind before doing NFS mounts - cleanup - added integration-test - 3.3.145 - Translated using Weblate (Arabic) - merge gh#openSUSE/libstorage-ng#438 - extended documentation - 3.3.144 - merge gh#openSUSE/libstorage-ng#437 - distinguish between mounted and unounted in supports_shrink/grow - 3.3.143 - Translated using Weblate (Korean) - Fixed an Arabic format string typo - 3.3.142 - Translated using Weblate (Arabic) - 3.3.141 ==== libtasn1 ==== Version update (4.12 -> 4.13) Subpackages: libtasn1-6 libtasn1-6-32bit - update to 4.13 * On indefinite string decoding, set a maximum level of allowed recursions (3) to protect the BER decoder from a stack exhaustion. (CVE-2018-6003 boo#1076832) ==== libunwind ==== Version update (1.2~rc1 -> 1.2.1) - Update keyring - Upgrade to 1.2.1 * minor package fixes for tilegx, mips, others * fix missing include file issues - cleanup with spec-cleaner - do not ship static libraries ==== libvpx ==== - cleanup traces for testing, we don't have the >400MB test data here - Fix OOB caused by odd frame width with patch from android Adding patch CVE-2017-13194.patch (CVE-2017-13194) - this changelog entry also contains the new scheme with full name and "umlaut" to test which tools may break with it in our distro. Please track problems here: https://github.com/openSUSE/obs-build/pull/214 ==== libwmf ==== Subpackages: libwmf-0_2-7 libwmf-tools - removed unneeded 'BuildRequires: xorg-x11-util-devel' (bsc#1077489) ==== libxcb ==== Subpackages: libxcb-composite0 libxcb-damage0 libxcb-devel libxcb-dpms0 libxcb-dri2-0 libxcb-dri3-0 libxcb-glx0 libxcb-present0 libxcb-randr0 libxcb-record0 libxcb-render0 libxcb-render0-32bit libxcb-res0 libxcb-screensaver0 libxcb-shape0 libxcb-shm0 libxcb-shm0-32bit libxcb-sync1 libxcb-xf86dri0 libxcb-xfixes0 libxcb-xinerama0 libxcb-xkb1 libxcb-xtest0 libxcb-xv0 libxcb-xvmc0 libxcb1 libxcb1-32bit - Really conditionalize the python3 option to allow us building without any python2 present * u_build_python3.patch - Convert to pkgconfig style deps - Format bit with spec-cleaner - Enable xinput extension. (bnc#1074249) - U_add-support-for-eventstruct.patch * Update xinput to the state when it was enabled by default upstream. - n_If-auth-with-credentials-for-hostname-fails-retry-with-XAUTHLOCALHOSTNAME.patch * Prevent infinite loop also in case DISPLAY is non-local. - Use spaces instead of tabs in the patches (as does the original source code) to avoid confusion. - n_If-auth-with-credentials-for-hostname-fails-retry-with-XAUTHLOCALHOSTNAME.patch * If authentication (with *stage == 0) failed and the variable XAUTHLOCALHOSTNAME wasn't set, we were never getting to stage 2 in the original patch, causing calls to xcb_connect_to_display to be stuck in an infinite loop. Now we also go to stage 2 if the variable isn't set. ==== libzio ==== Version update (1.05 -> 1.06) - Version 1.06: Add changes from Jerrell Watts which has kindly provided his changes for lzma/xz support with large I/O buffers ==== llvm5 ==== - n_clang_allow_BUILD_SHARED_LIBRARY.patch * Allow buildling clang with BUILD_SHARED_LIBRARY while the rest is built with LLVM_LINK_LLVM_DYLIB. (bnc#1065464) - Remove clang-devel-static. ==== logrotate ==== Version update (3.12.3 -> 3.13.0) - Version update to 3.13.0: * make distribution tarballs report logrotate version properly * make (un)compress work even if stdin and/or stdout are closed (#154) * remove -s from DEFAULT_MAIL_COMMAND and improve its documenation (#152) * uncompress logs before mailing them even if delaycompress is enabled (#151) * handle unlink of a non-existing log file as a warning only (#144) * include compile-time options in the output of logrotate --version (#145) * make logrotate --version print to stdout instead of stderr (#145) * flush write buffers before syncing state file (#148) * specify (un)compress utility explicitly in tests (#137) * enable running tests in parallel (#132) * explicitly map root UID/GID to 0 on Cygwin (#133) * add .dpkg-bak and .dpkg-del to default tabooext list (#134) ==== lttng-ust ==== - Format with spec-cleaner - Drop tex/asciidoc/xmlto dependencies as the manpages are already generated in the tarball so we produce the same result and this way we are not pulling in python2 ==== lvm2 ==== Subpackages: liblvm2app2_2 liblvm2cmd2_02 - clvmd: try to refresh device cache on the first failure (bsc#978055, bsc#1076042) + bug-978055_clvmd-try-to-refresh-device-cache-on-the-first-failu.patch ==== lzip ==== Version update (1.18 -> 1.19) - Update to version 1.19 * The option '-l, --list' has been ported from lziprecover. * Don't allow mixing different operations (-d, -l or -t). * Compression time of option '-0' has been slightly reduced. * Decompression time has been reduced by 2%. * main.cc: Continue testing if any input file is a terminal. * main.cc: Show trailing data in both hexadecimal and ASCII. * encoder.cc (Matchfinder_base): Verify size passed to new. * file_index.cc: Improve detection of bad dict and trailing data. * lzip.h: Unified messages for bad magic, trailing data, etc. - switch to https in source urls ==== make ==== Subpackages: make-lang - test-driver.patch: let perl find test_driver.pl - glob-interface.patch: Support GLIBC glob interface version 2 ==== mdadm ==== - 0208-mdadm-grow-correct-the-s-size-1-to-make-max-work.patch (bsc#1074949) ==== mozilla-nss ==== Version update (3.33 -> 3.34.1) Subpackages: libfreebl3 libsoftokn3 mozilla-nss-certs - update to NSS 3.34.1 Changes in 3.34: Notable changes * The following CA certificates were Added: GDCA TrustAUTH R5 ROOT SSL.com Root Certification Authority RSA SSL.com Root Certification Authority ECC SSL.com EV Root Certification Authority RSA R2 SSL.com EV Root Certification Authority ECC TrustCor RootCert CA-1 TrustCor RootCert CA-2 TrustCor ECA-1 * The following CA certificates were Removed: Certum CA, O=Unizeto Sp. z o.o. StartCom Certification Authority StartCom Certification Authority G2 T�B?TAK UEKAE K�k Sertifika Hizmet Sa?lay?c?s? - S�r�m 3 ACEDICOM Root Certinomis - Autorit� Racine T�RKTRUST Elektronik Sertifika Hizmet Sa?lay?c?s? PSCProcert CA ?????, O=WoSign CA Limited Certification Authority of WoSign Certification Authority of WoSign G2 CA WoSign ECC Root * libfreebl no longer requires SSE2 instructions New functionality * When listing an NSS database using certutil -L, but the database hasn't yet been initialized with any non-empty or empty password, the text "Database needs user init" will be included in the listing. * When using certutil to set an inacceptable password in FIPS mode, a correct explanation of acceptable passwords will be printed. * SSLKEYLOGFILE is now supported with TLS 1.3, see bmo#1287711 for details. * SSLChannelInfo has two new fields (bmo#1396525): SSLNamedGroup originalKeaGroup holds the key exchange group of the original handshake when the session was resumed. PRBool resumed is PR_TRUE when the session is resumed and PR_FALSE otherwise. * RSA-PSS signatures are now supported on certificates. Certificates with RSA-PSS or RSA-PKCS#1v1.5 keys can be used to create an RSA-PSS signature on a certificate using the --pss-sign argument to certutil. Changes in 3.34.1: * The following CA certificate was Re-Added. It was removed in NSS 3.34, but has been re-added with only the Email trust bit set. (bmo#1418678): libfreebl no longer requires SSE2 instructionsCN = Certum CA, O=Unizeto Sp. z o.o. * Removed entries from certdata.txt for actively distrusted certificates that have expired (bmo#1409872) * The version of the CA list was set to 2.20. ==== mozjs52 ==== Version update (52.3.0 -> 52.6.0) - Update to 52.6.0 - Drop fix-64bit-archs.patch and bmo1379539.patch, fixed upstream - Update Source url. ==== multipath-tools ==== Version update (0.7.3+31+suse.6804bb73f72d -> 0.7.3+38+suse.a16beed5280a) Subpackages: kpartx multipath-tools-rbd - Update to version 0.7.3+38+suse.a16beed5280a: * kpartx: don't delete partitions from partitions (bsc#1078362) * hwtable: add latest updates (bsc#1078363) * multipathd.service: set TasksMax=infinity (bsc#1060616) ==== nano ==== Version update (2.9.1 -> 2.9.3) Subpackages: nano-lang - GNU nano 2.9.3: * fix a segfault with trimblanks that could occur when a typed space caused the word after it to be pushed to the next line * make macros work also when your keyboard still emits escape sequences * add the options -M and --trimblanks for the command line * recognizeskey combos with Shift on a few more terminals * no longer show dots in certain prompt texts when visible witespace is turned on * fix two corner cases when doing replacements in a marked region * allow to open a named pipe again when using --noread * accurately detect a needed color change when a line contains a start match but not a corresponding end match any more - includes changes gom 2.9.2: * correctly display the Modified state when undoing/redoing (also when the file was saved somewhere midway) * improve the undoing of an automatic linefeed at EOF * show the cursor again when compiled with --withslang * rename the option 'justifytrim' to 'trimblanks' because it will now snip trailing whitespace also while you are typing (and hard-wrapping is enabled) * continue pushing words to the next line much longer (when hard-wrapping) * make and indent and unindent a marked region * allow unindenting when not all lines are indented * let a region marked with Shift persist when indenting/ unindenting or commenting/uncommenting it ==== ncurses ==== Version update (6.0 -> 6.1) Subpackages: libncurses6 ncurses-utils terminfo terminfo-base - Correct include path for wide chraracter header files for ABI 6.1 - Update to ncurses 6.1 (patch 20180127) + updated release notes + amend a warning message from tic which should have flagged misuse of "XT" capability in "screen" terminal description. > terminfo changes: + trim "XT" from screen entry, add comments to explain why it was not suitable -TD + modify iterm to use xterm+sl-twm building block -TD + mark konsole-420pc, konsole-vt100, konsole-xf3x obsolete reflecting konsole's removal in 2008 -TD + expanded the history section of konsole to explain its flawed imitation of xterm's keyboard -TD + use xterm+x11mouse in screen.* entries because screen does not yet support xterm's 1006 mode -TD + add nsterm-build400 for macOS 10.13 -TD + add ansi+idc1, use that in ansi+idc adding dch for consistency -TD + update vte to vte-2017 -TD + add ecma+strikeout to vte-2017 -TD + add iterm2-direct -TD + updated teraterm, added teraterm-256color -TD + add mlterm-direct -TD + add descriptions for ANSI building-blocks -TD - Modify patch ncurses-5.9-ibm327x.dif - Rename patch ncurses-6.0.dif to new name ncurses-6.1.dif - Modify patch ncurses-6.1.dif - Add ncurses patch 20180121 pre-release 6.1 > terminfo changes: + add xterm+noalt, xterm+titlestack, xterm+alt1049, xterm+alt+title blocks from xterm #331 -TD + add xterm+direct, xterm+indirect, xterm-direct entries from xterm [#331] -TD + modify xterm+256color and xterm+256setaf to use correct number of color pairs, for ncurses 6.1 -TD + add rs1 capability to xterm-256color -TD + modify xterm-r5, xterm-r6 and xterm-xf86-v32 to use xterm+kbs to match xterm #272, reflecting packager's changes -TD + remove "boolean" Se, Ss from st-0.7 -TD + add konsole-direct and st-direct -TD + remove unsupported "Tc" capability from st-0.7; use st-direct if direct-colors are wanted -TD + add vte-direct -TD + add XT, hpa, indn, and vpa to screen, and invis, E3 to tmux (patch by Pierre Carru) + use xterm+sm+1006 in xterm-new, vte-2014 -TD + use xterm+x11mouse in iterm, iterm2, mlterm3 because xterm's 1006 mode does not work with those programs. konsole is debatable -TD + add "termite" entry (report by Markus Pfeiffer) -TD > merge branch begun April 2, 2017 which provides these features: + support read/write new binary-format for terminfo which stores numeric capabilities as a signed 32-bit integer. The test programs such as picsmap, ncurses were created or updated during 2017 to use this feature. + the new format is written by the wide-character configuration of tic when it finds a numeric capability larger than 32767. + other applications such as infocmp built with the wide-character ncurses library work as expected. + applications built with the "narrow" (8-bit) configuration will read the new format, but will limit those extended values to 32767. + in either wide/narrow configuration, the structure defined in term.h still uses signed 16-bit values. + because it is incompatible with the legacy (mid-1980s) binary format, a new magic value is provided for the "file" program. + the term.5 manual page is updated to describe this new format. + the limit on file-size for compiled terminfo is increased in the wide-character configuration to 32768. - Add ncurses patch 20180120 + build-fix in picsmap.c for stdint.h existence. + add --disable-stripping option to configure scripts. + modify ncurses-examples to install test-scripts in the data directory. + work around tool-breakage in Debian 9 and later by invoking gprconfig to specify the C compiler to be used by gnatmake, and conditionally suppressing Library_Options line for static libraries. + bump the compat level for test-packages to 7, i.e., Debian 5. - Add tack patch 1.08-20170818 ==== newt ==== - Build without py2 if needed - Fix upstream url ==== nghttp2 ==== Version update (1.28.0 -> 1.29.0) - Update to version 1.29.0: * lib: Use NGHTTP2_REFUSED_STREAM for streams which are closed by GOAWAY * build: Remove SPDY * build: Fix CMAKE_MODULE_PATH * nghttpx: Revert "nghttpx: Use an existing h2 backend connection as much as possible" * nghttpx: Write API request body in temporary file * nghttpx: Increase api-max-request-body * nghttpx: Faster configuration loading with lots of backends * nghttpx: Fix crash with --backend-http-proxy-uri option ==== open-iscsi ==== Subpackages: iscsiuio - Removed the "rpm/" source directory from both the open-iscsi-2.0.876-suse.tar.bz2 and open-iscsi-SUSE-latest.diff.bz2 files, since they are not needed for building and are not part of the upstream sources. They are still available under the git repository at github.com/hreinecke/open-iscsi.git. This means that changes to the spec file or the changes file will no longer require a change to the "*SUSE-latest*" file. - Update to latest upstream vesion 2.0.876, with very few SUSE-specific modifications, namely around things upstream does not care about, like SUSE-specific systemd files. Also, version number modified to add "-suse", as usual. See the Changelog file for more details on changes in this upstream version. This replaces open-iscsi-2.0.875-suse.tar.bz2 with open-iscsi-2.0.876-suse.tar.bz2, and resets open-iscsi-SUSE-latest.diff.bz2 to contain only changes since the 2.0.876-suse tag. These changes added a new libopeniscsiusr.so library, as well as include files under a new open-iscsi-dev package, if you want to link against this library. The SPEC file was also cleaned up using spec-cleaner. - Fix vulnerabilities found in iscsiuio by qualsys (bsc#1072312), updating: open-iscsi-SUSE-latest.diff.bz2 ==== openCOLLADA ==== Version update (1.6.51 -> 1.6.62) Subpackages: libGeneratedSaxParser0_3 libMathMLSolver0_3 libOpenCOLLADABaseUtils0_3 libOpenCOLLADAFramework0_3 libOpenCOLLADASaxFrameworkLoader0_3 libOpenCOLLADAStreamWriter0_3 libUTF0_3 libbuffer0_3 libftoa0_3 - Update to version 1.6.62, removed incorporated openCOLLADA-signed-char.patch. - Upstream changes: * Add signed char keyword * Expose COLLADASaxFWL::Loader string ID -> UniqueId map * Export "Force to sleep" attribute. * Consistent use of std::abs - Remove conflicts with old libOpenCOLLADA0 to allow parallel installation of different so versions. ==== openssh ==== Subpackages: openssh-helpers - Add missing crypto hardware enablement patches for IBM mainframes (FATE#323902) - add missing part of systemd integration (unit type) - Replace forgotten references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468) - tighten configuration access rights - Update to vanilla 7.6p1 Most important changes (more details below): * complete removal of the ancient SSHv1 protocol * sshd(8) cannot run without privilege separation * removal of suport for arcfourm blowfish and CAST ciphers and RIPE-MD160 HMAC * refuse RSA keys shorter than 1024 bits Distilled upstream log: - OpenSSH 7.3 - --- Security * sshd(8): Mitigate a potential denial-of-service attack against the system's crypt(3) function via sshd(8). An attacker could send very long passwords that would cause excessive CPU use in crypt(3). sshd(8) now refuses to accept password authentication requests of length greater than 1024 characters. Independently reported by Tomas Kuthan (Oracle), Andres Rojas and Javier Nieto. * sshd(8): Mitigate timing differences in password authentication that could be used to discern valid from invalid account names when long passwords were sent and particular password hashing algorithms are in use on the server. CVE-2016-6210, reported by EddieEzra.Harari at verint.com * ssh(1), sshd(8): Fix observable timing weakness in the CBC padding oracle countermeasures. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. Note that CBC ciphers are disabled by default and only included for legacy compatibility. * ssh(1), sshd(8): Improve operation ordering of MAC verification for Encrypt-then-MAC (EtM) mode transport MAC algorithms to verify the MAC before decrypting any ciphertext. This removes the possibility of timing differences leaking facts about the plaintext, though no such leakage has been observed. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. * sshd(8): (portable only) Ignore PAM environment vars when UseLogin=yes. If PAM is configured to read user-specified environment variables and UseLogin=yes in sshd_config, then a hostile local user may attack /bin/login via LD_PRELOAD or similar environment variables set via PAM. CVE-2015-8325, found by Shayan Sadigh. - --- New Features * ssh(1): Add a ProxyJump option and corresponding -J command-line flag to allow simplified indirection through a one or more SSH bastions or "jump hosts". * ssh(1): Add an IdentityAgent option to allow specifying specific agent sockets instead of accepting one from the environment. * ssh(1): Allow ExitOnForwardFailure and ClearAllForwardings to be optionally overridden when using ssh -W. bz#2577 * ssh(1), sshd(8): Implement support for the IUTF8 terminal mode as per draft-sgtatham-secsh-iutf8-00. * ssh(1), sshd(8): Add support for additional fixed Diffie-Hellman 2K, 4K and 8K groups from draft-ietf-curdle-ssh-kex-sha2-03. * ssh-keygen(1), ssh(1), sshd(8): support SHA256 and SHA512 RSA signatures in certificates; * ssh(1): Add an Include directive for ssh_config(5) files. * ssh(1): Permit UTF-8 characters in pre-authentication banners sent from the server. bz#2058 - --- Bugfixes * ssh(1), sshd(8): Reduce the syslog level of some relatively common protocol events from LOG_CRIT. bz#2585 * sshd(8): Refuse AuthenticationMethods="" in configurations and accept AuthenticationMethods=any for the default behaviour of not requiring multiple authentication. bz#2398 * sshd(8): Remove obsolete and misleading "POSSIBLE BREAK-IN ATTEMPT!" message when forward and reverse DNS don't match. bz#2585 * ssh(1): Close ControlPersist background process stderr except in debug mode or when logging to syslog. bz#1988 * misc: Make PROTOCOL description for direct-streamlocal@openssh.com channel open messages match deployed code. bz#2529 * ssh(1): Deduplicate LocalForward and RemoteForward entries to fix failures when both ExitOnForwardFailure and hostname canonicalisation are enabled. bz#2562 * sshd(8): Remove fallback from moduli to obsolete "primes" file that was deprecated in 2001. bz#2559. * sshd_config(5): Correct description of UseDNS: it affects ssh hostname processing for authorized_keys, not known_hosts; bz#2554 * ssh(1): Fix authentication using lone certificate keys in an agent without corresponding private keys on the filesystem. bz#2550 * sshd(8): Send ClientAliveInterval pings when a time-based RekeyLimit is set; previously keepalive packets were not being sent. bz#2252 - --- Portability * ssh(1), sshd(8): Fix compilation by automatically disabling ciphers not supported by OpenSSL. bz#2466 * misc: Fix compilation failures on some versions of AIX's compiler related to the definition of the VA_COPY macro. bz#2589 * sshd(8): Whitelist more architectures to enable the seccomp-bpf sandbox. bz#2590 * ssh-agent(1), sftp-server(8): Disable process tracing on Solaris using setpflags(__PROC_PROTECT, ...). bz#2584 * sshd(8): On Solaris, don't call Solaris setproject() with UsePAM=yes it's PAM's responsibility. bz#2425 - OpenSSH 7.4 - --- Potentially-incompatible changes * ssh(1): Remove 3des-cbc from the client's default proposal. 64-bit block ciphers are not safe in 2016 and we don't want to wait until attacks like SWEET32 are extended to SSH. As 3des-cbc was the only mandatory cipher in the SSH RFCs, this may cause problems connecting to older devices using the default configuration, but it's highly likely that such devices already need explicit configuration for key exchange and hostkey algorithms already anyway. * sshd(8): Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface. Pre-auth compression support has been disabled by default for >10 years. Support remains in the client. * ssh-agent will refuse to load PKCS#11 modules outside a whitelist of trusted paths by default. The path whitelist may be specified at run-time. * sshd(8): When a forced-command appears in both a certificate and an authorized keys/principals command= restriction, sshd will now refuse to accept the certificate unless they are identical. The previous (documented) behaviour of having the certificate forced-command override the other could be a bit confusing and error-prone. * sshd(8): Remove the UseLogin configuration directive and support for having /bin/login manage login sessions. - --- Security * ssh-agent(1): Will now refuse to load PKCS#11 modules from paths outside a trusted whitelist (run-time configurable). Requests to load modules could be passed via agent forwarding and an attacker could attempt to load a hostile PKCS#11 module across the forwarded agent channel: PKCS#11 modules are shared libraries, so this would result in code execution on the system running the ssh-agent if the attacker has control of the forwarded agent-socket (on the host running the sshd server) and the ability to write to the filesystem of the host running ssh-agent (usually the host running the ssh client). Reported by Jann Horn of Project Zero. * sshd(8): When privilege separation is disabled, forwarded Unix- domain sockets would be created by sshd(8) with the privileges of 'root' instead of the authenticated user. This release refuses Unix-domain socket forwarding when privilege separation is disabled (Privilege separation has been enabled by default for 14 years). Reported by Jann Horn of Project Zero. * sshd(8): Avoid theoretical leak of host private key material to privilege-separated child processes via realloc() when reading keys. No such leak was observed in practice for normal-sized keys, nor does a leak to the child processes directly expose key material to unprivileged users. Reported by Jann Horn of Project Zero. * sshd(8): The shared memory manager used by pre-authentication compression support had a bounds checks that could be elided by some optimising compilers. Additionally, this memory manager was incorrectly accessible when pre-authentication compression was disabled. This could potentially allow attacks against the privileged monitor process from the sandboxed privilege-separation process (a compromise of the latter would be required first). This release removes support for pre-authentication compression from sshd(8). Reported by Guido Vranken using the Stack unstable optimisation identification tool (http://css.csail.mit.edu/stack/) * sshd(8): Fix denial-of-service condition where an attacker who sends multiple KEXINIT messages may consume up to 128MB per connection. Reported by Shi Lei of Gear Team, Qihoo 360. * sshd(8): Validate address ranges for AllowUser and DenyUsers directives at configuration load time and refuse to accept invalid ones. It was previously possible to specify invalid CIDR address ranges (e.g. user@127.1.2.3/55) and these would always match, possibly resulting in granting access where it was not intended. Reported by Laurence Parry. - --- New Features * ssh(1): Add a proxy multiplexing mode to ssh(1) inspired by the version in PuTTY by Simon Tatham. This allows a multiplexing client to communicate with the master process using a subset of the SSH packet and channels protocol over a Unix-domain socket, with the main process acting as a proxy that translates channel IDs, etc. This allows multiplexing mode to run on systems that lack file- descriptor passing (used by current multiplexing code) and potentially, in conjunction with Unix-domain socket forwarding, with the client and multiplexing master process on different machines. Multiplexing proxy mode may be invoked using "ssh -O proxy ..." * sshd(8): Add a sshd_config DisableForwarding option that disables X11, agent, TCP, tunnel and Unix domain socket forwarding, as well as anything else we might implement in the future. Like the 'restrict' authorized_keys flag, this is intended to be a simple and future-proof way of restricting an account. * sshd(8), ssh(1): Support the "curve25519-sha256" key exchange method. This is identical to the currently-supported method named "curve25519-sha256@libssh.org". * sshd(8): Improve handling of SIGHUP by checking to see if sshd is already daemonised at startup and skipping the call to daemon(3) if it is. This ensures that a SIGHUP restart of sshd(8) will retain the same process-ID as the initial execution. sshd(8) will also now unlink the PidFile prior to SIGHUP restart and re-create it after a successful restart, rather than leaving a stale file in the case of a configuration error. bz#2641 * sshd(8): Allow ClientAliveInterval and ClientAliveCountMax directives to appear in sshd_config Match blocks. * sshd(8): Add %-escapes to AuthorizedPrincipalsCommand to match those supported by AuthorizedKeysCommand (key, key type, fingerprint, etc.) and a few more to provide access to the contents of the certificate being offered. * Added regression tests for string matching, address matching and string sanitisation functions. * Improved the key exchange fuzzer harness. - --- Bugfixes * ssh(1): Allow IdentityFile to successfully load and use certificates that have no corresponding bare public key. bz#2617 certificate id_rsa-cert.pub (and no id_rsa.pub). * ssh(1): Fix public key authentication when multiple authentication is in use and publickey is not just the first method attempted. bz#2642 * regress: Allow the PuTTY interop tests to run unattended. bz#2639 * ssh-agent(1), ssh(1): improve reporting when attempting to load keys from PKCS#11 tokens with fewer useless log messages and more detail in debug messages. bz#2610 * ssh(1): When tearing down ControlMaster connections, don't pollute stderr when LogLevel=quiet. * sftp(1): On ^Z wait for underlying ssh(1) to suspend before suspending sftp(1) to ensure that ssh(1) restores the terminal mode correctly if suspended during a password prompt. * ssh(1): Avoid busy-wait when ssh(1) is suspended during a password prompt. * ssh(1), sshd(8): Correctly report errors during sending of ext- info messages. * sshd(8): fix NULL-deref crash if sshd(8) received an out-of- sequence NEWKEYS message. * sshd(8): Correct list of supported signature algorithms sent in the server-sig-algs extension. bz#2547 * sshd(8): Fix sending ext_info message if privsep is disabled. * sshd(8): more strictly enforce the expected ordering of privilege separation monitor calls used for authentication and allow them only when their respective authentication methods are enabled in the configuration * sshd(8): Fix uninitialised optlen in getsockopt() call; harmless on Unix/BSD but potentially crashy on Cygwin. * Fix false positive reports caused by explicit_bzero(3) not being recognised as a memory initialiser when compiled with - fsanitize-memory. * sshd_config(5): Use 2001:db8::/32, the official IPv6 subnet for configuration examples. - --- Portability * On environments configured with Turkish locales, fall back to the C/POSIX locale to avoid errors in configuration parsing caused by that locale's unique handling of the letters 'i' and 'I'. bz#2643 * sftp-server(8), ssh-agent(1): Deny ptrace on OS X using ptrace(PT_DENY_ATTACH, ..) * ssh(1), sshd(8): Unbreak AES-CTR ciphers on old (~0.9.8) OpenSSL. * Fix compilation for libcrypto compiled without RIPEMD160 support. * contrib: Add a gnome-ssh-askpass3 with GTK+3 support. bz#2640 * sshd(8): Improve PRNG reseeding across privilege separation and force libcrypto to obtain a high-quality seed before chroot or sandboxing. * All: Explicitly test for broken strnvis. NetBSD added an strnvis and unfortunately made it incompatible with the existing one in OpenBSD and Linux's libbsd (the former having existed for over ten years). Try to detect this mess, and assume the only safe option if we're cross compiling. - OpenSSH 7.5 - --- Potentially-incompatible changes * This release deprecates the sshd_config UsePrivilegeSeparation option, thereby making privilege separation mandatory. Privilege separation has been on by default for almost 15 years and sandboxing has been on by default for almost the last five. * The format of several log messages emitted by the packet code has changed to include additional information about the user and their authentication state. Software that monitors ssh/sshd logs may need to account for these changes. For example: Connection closed by user x 1.1.1.1 port 1234 [preauth] Connection closed by authenticating user x 10.1.1.1 port 1234 [preauth] Connection closed by invalid user x 1.1.1.1 port 1234 [preauth] Affected messages include connection closure, timeout, remote disconnection, negotiation failure and some other fatal messages generated by the packet code. * [Portable OpenSSH only] This version removes support for building against OpenSSL versions prior to 1.0.1. OpenSSL stopped supporting versions prior to 1.0.1 over 12 months ago (i.e. they no longer receive fixes for security bugs). - --- Security * ssh(1), sshd(8): Fix weakness in CBC padding oracle countermeasures that allowed a variant of the attack fixed in OpenSSH 7.3 to proceed. Note that the OpenSSH client disables CBC ciphers by default, sshd offers them as lowest-preference options and will remove them by default entriely in the next release. Reported by Jean Paul Degabriele, Kenny Paterson, Martin Albrecht and Torben Hansen of Royal Holloway, University of London. * sftp-client(1): [portable OpenSSH only] On Cygwin, a client making a recursive file transfer could be maniuplated by a hostile server to perform a path-traversal attack. creating or modifying files outside of the intended target directory. Reported by Jann Horn of Google Project Zero. - --- New Features * ssh(1), sshd(8): Support "=-" syntax to easily remove methods from algorithm lists, e.g. Ciphers=-*cbc. bz#2671 - --- Bugfixes * sshd(1): Fix NULL dereference crash when key exchange start messages are sent out of sequence. * ssh(1), sshd(8): Allow form-feed characters to appear in configuration files. * sshd(8): Fix regression in OpenSSH 7.4 support for the server-sig-algs extension, where SHA2 RSA signature methods were not being correctly advertised. bz#2680 * ssh(1), ssh-keygen(1): Fix a number of case-sensitivity bugs in known_hosts processing. bz#2591 bz#2685 * ssh(1): Allow ssh to use certificates accompanied by a private key file but no corresponding plain *.pub public key. bz#2617 * ssh(1): When updating hostkeys using the UpdateHostKeys option, accept RSA keys if HostkeyAlgorithms contains any RSA keytype. Previously, ssh could ignore RSA keys when only the ssh-rsa-sha2-* methods were enabled in HostkeyAlgorithms and not the old ssh-rsa method. bz#2650 * ssh(1): Detect and report excessively long configuration file lines. bz#2651 * Merge a number of fixes found by Coverity and reported via Redhat and FreeBSD. Includes fixes for some memory and file descriptor leaks in error paths. bz#2687 * ssh-keyscan(1): Correctly hash hosts with a port number. bz#2692 * ssh(1), sshd(8): When logging long messages to stderr, don't truncate "\r\n" if the length of the message exceeds the buffer. bz#2688 * ssh(1): Fully quote [host]:port in generated ProxyJump/-J command- line; avoid confusion over IPv6 addresses and shells that treat square bracket characters specially. * ssh-keygen(1): Fix corruption of known_hosts when running "ssh-keygen -H" on a known_hosts containing already-hashed entries. * Fix various fallout and sharp edges caused by removing SSH protocol 1 support from the server, including the server banner string being incorrectly terminated with only \n (instead of \r\n), confusing error messages from ssh-keyscan bz#2583 and a segfault in sshd if protocol v.1 was enabled for the client and sshd_config contained references to legacy keys bz#2686. * ssh(1), sshd(8): Free fd_set on connection timeout. bz#2683 * sshd(8): Fix Unix domain socket forwarding for root (regression in OpenSSH 7.4). * sftp(1): Fix division by zero crash in "df" output when server returns zero total filesystem blocks/inodes. * ssh(1), ssh-add(1), ssh-keygen(1), sshd(8): Translate OpenSSL errors encountered during key loading to more meaningful error codes. bz#2522 bz#2523 * ssh-keygen(1): Sanitise escape sequences in key comments sent to printf but preserve valid UTF-8 when the locale supports it; bz#2520 * ssh(1), sshd(8): Return reason for port forwarding failures where feasible rather than always "administratively prohibited". bz#2674 * sshd(8): Fix deadlock when AuthorizedKeysCommand or AuthorizedPrincipalsCommand produces a lot of output and a key is matched early. bz#2655 * Regression tests: several reliability fixes. bz#2654 bz#2658 bz#2659 * ssh(1): Fix typo in ~C error message for bad port forward cancellation. bz#2672 * ssh(1): Show a useful error message when included config files can't be opened; bz#2653 * sshd(8): Make sshd set GSSAPIStrictAcceptorCheck=yes as the manual page (previously incorrectly) advertised. bz#2637 * sshd_config(5): Repair accidentally-deleted mention of %k token in AuthorizedKeysCommand; bz#2656 * sshd(8): Remove vestiges of previously removed LOGIN_PROGRAM; bz#2665 * ssh-agent(1): Relax PKCS#11 whitelist to include libexec and common 32-bit compatibility library directories. * sftp-client(1): Fix non-exploitable integer overflow in SSH2_FXP_NAME response handling. * ssh-agent(1): Fix regression in 7.4 of deleting PKCS#11-hosted keys. It was not possible to delete them except by specifying their full physical path. bz#2682 - --- Portability * sshd(8): Avoid sandbox errors for Linux S390 systems using an ICA crypto coprocessor. * sshd(8): Fix non-exploitable weakness in seccomp-bpf sandbox arg inspection. * ssh(1): Fix X11 forwarding on OSX where X11 was being started by launchd. bz#2341 * ssh-keygen(1), ssh(1), sftp(1): Fix output truncation for various that contain non-printable characters where the codeset in use is ASCII. * build: Fix builds that attempt to link a kerberised libldns. bz#2603 * build: Fix compilation problems caused by unconditionally defining _XOPEN_SOURCE in wide character detection. * sshd(8): Fix sandbox violations for clock_gettime VSDO syscall fallback on some Linux/X32 kernels. bz#2142 - OpenSSH 7.6 - --- Potentially-incompatible changes This release includes a number of changes that may affect existing configurations: * ssh(1): delete SSH protocol version 1 support, associated configuration options and documentation. * ssh(1)/sshd(8): remove support for the hmac-ripemd160 MAC. * ssh(1)/sshd(8): remove support for the arcfour, blowfish and CAST ciphers. * Refuse RSA keys <1024 bits in length and improve reporting for keys that do not meet this requirement. * ssh(1): do not offer CBC ciphers by default. - --- Security * sftp-server(8): in read-only mode, sftp-server was incorrectly permitting creation of zero-length files. Reported by Michal Zalewski. - --- New Features * ssh(1): add RemoteCommand option to specify a command in the ssh config file instead of giving it on the client's command line. This allows the configuration file to specify the command that will be executed on the remote host. * sshd(8): add ExposeAuthInfo option that enables writing details of the authentication methods used (including public keys where applicable) to a file that is exposed via a $SSH_USER_AUTH environment variable in the subsequent session. * ssh(1): add support for reverse dynamic forwarding. In this mode, ssh will act as a SOCKS4/5 proxy and forward connections to destinations requested by the remote SOCKS client. This mode is requested using extended syntax for the - R and RemoteForward options and, because it is implemented solely at the client, does not require the server be updated to be supported. * sshd(8): allow LogLevel directive in sshd_config Match blocks; bz#2717 * ssh-keygen(1): allow inclusion of arbitrary string or flag certificate extensions and critical options. * ssh-keygen(1): allow ssh-keygen to use a key held in ssh-agent as a CA when signing certificates. bz#2377 * ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default. * ssh-add(1): added -q option to make ssh-add quiet on success. * ssh(1): expand the StrictHostKeyChecking option with two new settings. The first "accept-new" will automatically accept hitherto-unseen keys but will refuse connections for changed or invalid hostkeys. This is a safer subset of the current behaviour of StrictHostKeyChecking=no. The second setting "off", is a synonym for the current behaviour of StrictHostKeyChecking=no: accept new host keys, and continue connection for hosts with incorrect hostkeys. A future release will change the meaning of StrictHostKeyChecking=no to the behaviour of "accept-new". bz#2400 * ssh(1): add SyslogFacility option to ssh(1) matching the equivalent option in sshd(8). bz#2705 - --- Bugfixes * ssh(1): use HostKeyAlias if specified instead of hostname for matching host certificate principal names; bz#2728 * sftp(1): implement sorting for globbed ls; bz#2649 * ssh(1): add a user@host prefix to client's "Permission denied" messages, useful in particular when using "stacked" connections (e.g. ssh -J) where it's not clear which host is denying. bz#2720 * ssh(1): accept unknown EXT_INFO extension values that contain \0 characters. These are legal, but would previously cause fatal connection errors if received. * ssh(1)/sshd(8): repair compression statistics printed at connection exit * sftp(1): print '?' instead of incorrect link count (that the protocol doesn't provide) for remote listings. bz#2710 * ssh(1): return failure rather than fatal() for more cases during session multiplexing negotiations. Causes the session to fall back to a non-mux connection if they occur. bz#2707 * ssh(1): mention that the server may send debug messages to explain public key authentication problems under some circumstances; bz#2709 * Translate OpenSSL error codes to better report incorrect passphrase errors when loading private keys; bz#2699 * sshd(8): adjust compatibility patterns for WinSCP to correctly identify versions that implement only the legacy DH group exchange scheme. bz#2748 * ssh(1): print the "Killed by signal 1" message only at LogLevel verbose so that it is not shown at the default level; prevents it from appearing during ssh -J and equivalent ProxyCommand configs. bz#1906, bz#2744 * ssh-keygen(1): when generating all hostkeys (ssh-keygen -A), clobber existing keys if they exist but are zero length. zero-length keys could previously be made if ssh-keygen failed or was interrupted part way through generating them. bz#2561 * ssh(1): fix pledge(2) violation in the escape sequence "~&" used to place the current session in the background. * ssh-keyscan(1): avoid double-close() on file descriptors; bz#2734 * sshd(8): avoid reliance on shared use of pointers shared between monitor and child sshd processes. bz#2704 * sshd_config(8): document available AuthenticationMethods; bz#2453 * ssh(1): avoid truncation in some login prompts; bz#2768 * sshd(8): Fix various compilations failures, inc bz#2767 * ssh(1): make "--" before the hostname terminate argument processing after the hostname too. * ssh-keygen(1): switch from aes256-cbc to aes256-ctr for encrypting new-style private keys. Fixes problems related to private key handling for no-OpenSSL builds. bz#2754 * ssh(1): warn and do not attempt to use keys when the public and private halves do not match. bz#2737 * sftp(1): don't print verbose error message when ssh disconnects from under sftp. bz#2750 * sshd(8): fix keepalive scheduling problem: activity on a forwarded port from preventing the keepalive from being sent; bz#2756 * sshd(8): when started without root privileges, don't require the privilege separation user or path to exist. Makes running the regression tests easier without touching the filesystem. * Make integrity.sh regression tests more robust against timeouts. bz#2658 * ssh(1)/sshd(8): correctness fix for channels implementation: accept channel IDs greater than 0x7FFFFFFF. - --- Portability * sshd(9): drop two more privileges in the Solaris sandbox: PRIV_DAX_ACCESS and PRIV_SYS_IB_INFO; bz#2723 * sshd(8): expose list of completed authentication methods to PAM via the SSH_AUTH_INFO_0 PAM environment variable. bz#2408 * ssh(1)/sshd(8): fix several problems in the tun/tap forwarding code, mostly to do with host/network byte order confusion. bz#2735 * Add --with-cflags-after and --with-ldflags-after configure flags to allow setting CFLAGS/LDFLAGS after configure has completed. These are useful for setting sanitiser/fuzzing options that may interfere with configure's operation. * sshd(8): avoid Linux seccomp violations on ppc64le over the socketcall syscall. * Fix use of ldns when using ldns-config; bz#2697 * configure: set cache variables when cross-compiling. The cross- compiling fallback message was saying it assumed the test passed, but it wasn't actually set the cache variables and this would cause later tests to fail. * Add clang libFuzzer harnesses for public key parsing and signature verification. - packaging: * moving patches into a separate archive * first round of rebased patches: [-X11_trusted_forwarding] [-allow_root_password_login] [-blocksigalrm] [-cavstest-ctr] [-cavstest-kdf] [-disable_short_DH_parameters] [-eal3] [-enable_PAM_by_default] [-fips] [-fips_checks] [-gssapi_key_exchange] [-hostname_changes_when_forwarding_X] [-lastlog] [-missing_headers] [-pam_check_locks] [-pts_names_formatting] [-remove_xauth_cookies_on_exit] [-seccomp_geteuid] [-seccomp_getuid] [-seccomp_stat] [-seed-prng] [-send_locale] [-systemd-notify] * not rebased (obsoleted) patches (so far): [-additional_seccomp_archs] [-allow_DSS_by_default] [-default_protocol] [-dont_use_pthreads_in_PAM] [-eal3_obsolete] [-gssapimitm] [-saveargv-fix] * obviously removing all standalone patch files: [openssh-7.2p2-allow_root_password_login.patch] [openssh-7.2p2-allow_DSS_by_default.patch] [openssh-7.2p2-X11_trusted_forwarding.patch] [openssh-7.2p2-lastlog.patch] [openssh-7.2p2-enable_PAM_by_default.patch] [openssh-7.2p2-dont_use_pthreads_in_PAM.patch] [openssh-7.2p2-eal3.patch] [openssh-7.2p2-blocksigalrm.patch] [openssh-7.2p2-send_locale.patch] [openssh-7.2p2-hostname_changes_when_forwarding_X.patch] [openssh-7.2p2-remove_xauth_cookies_on_exit.patch] [openssh-7.2p2-pts_names_formatting.patch] [openssh-7.2p2-pam_check_locks.patch] [openssh-7.2p2-disable_short_DH_parameters.patch] [openssh-7.2p2-seccomp_getuid.patch] [openssh-7.2p2-seccomp_geteuid.patch] [openssh-7.2p2-seccomp_stat.patch] [openssh-7.2p2-additional_seccomp_archs.patch] [openssh-7.2p2-fips.patch] [openssh-7.2p2-cavstest-ctr.patch] [openssh-7.2p2-cavstest-kdf.patch] [openssh-7.2p2-seed-prng.patch] [openssh-7.2p2-gssapi_key_exchange.patch] [openssh-7.2p2-audit.patch] [openssh-7.2p2-audit_fixes.patch] [openssh-7.2p2-audit_seed_prng.patch] [openssh-7.2p2-login_options.patch] [openssh-7.2p2-disable_openssl_abi_check.patch] [openssh-7.2p2-no_fork-no_pid_file.patch] [openssh-7.2p2-host_ident.patch] [openssh-7.2p2-sftp_homechroot.patch] [openssh-7.2p2-sftp_force_permissions.patch] [openssh-7.2p2-X_forward_with_disabled_ipv6.patch] [openssh-7.2p2-ldap.patch] [openssh-7.2p2-IPv6_X_forwarding.patch] [openssh-7.2p2-ignore_PAM_with_UseLogin.patch] [openssh-7.2p2-prevent_timing_user_enumeration.patch] [openssh-7.2p2-limit_password_length.patch] [openssh-7.2p2-keep_slogin.patch] [openssh-7.2p2-kex_resource_depletion.patch] [openssh-7.2p2-verify_CIDR_address_ranges.patch] [openssh-7.2p2-restrict_pkcs11-modules.patch] [openssh-7.2p2-prevent_private_key_leakage.patch] [openssh-7.2p2-secure_unix_sockets_forwarding.patch] [openssh-7.2p2-ssh_case_insensitive_host_matching.patch] [openssh-7.2p2-disable_preauth_compression.patch] [openssh-7.2p2-s390_hw_crypto_syscalls.patch] [openssh-7.2p2-s390_OpenSSL-ibmpkcs11_syscalls.patch] ==== openssh-askpass-gnome ==== - .spec file cleanup ==== openssl-1_1_0 ==== Subpackages: libopenssl1_1_0 libopenssl1_1_0-32bit - Don't disable afalgeng on aarch64 ==== p7zip ==== - remove CPP/7zip/Compress/Rar* files from the tar archive as they have incompatible license [bnc#1077978] * also remove DOC/unRarLicense.txt * add p7zip_16.02_norar.patch to adjust makefile according to it * remove no longer used Codecs ==== parted ==== Subpackages: libparted0 parted-lang - libparted: dasd: Use BLKRRPART only when needed (bsc#1065197, bsc#1067435) - add: libparted-use-BLKRRPART-only-when-needed.patch ==== perl ==== Subpackages: perl-base perl-doc - posix-sigaction.patch: make sure Perl_sighandler is always installed with SA_SIGINFO (bsc#1064697) ==== perl-Socket6 ==== Version update (0.25 -> 0.28) - updated to 0.28 * aclocal.m4 (IPv6_CHECK_INET_NTOP): inet_ntop(3) may returns IPv4-compatible IPv6 address. [cpan #113950] - includes fix from 0.27 * t/use.t: We still support an environment where AF_INET6 is not defined - includes changes from 0.26 * Makefile.PL: Make Socket6 buildable on Android. [cpan #98181] * system inet_ntop broken in darwin. [cpan #113005] * gailookup.pl.in: Add -r option to do reverse lookup * gailookup.pl.in: Add awareness of AI_ALL and AI_V4MAPPED * gailookup.pl.in: Add -P option to ease to specify port number - cleanup spec file with spec-cleaner - split tests into %check section ==== perl-Try-Tiny ==== Version update (0.28 -> 0.30) - updated to 0.30 see /usr/share/doc/packages/perl-Try-Tiny/Changes 0.30 2017-12-21 07:23:03Z - expand "when" test skippage to more perl versions - updated to 0.29 see /usr/share/doc/packages/perl-Try-Tiny/Changes 0.29 2017-12-19 03:51:26Z - skip tests of "when" and "given/when" usage for perl 5.27.7 *only* (see RT#123908) ==== permissions ==== Version update (20171129 -> 20180125) - Update to version 20180125: * the eror should be reported for permfiles[i], not argv[i], as these are not the same files. (bsc#1047247) * make btmp root:utmp (bsc#1050467) - Update to version 20180115: * - polkit-default-privs: usbauth (bsc#1066877) ==== plasma5-openSUSE ==== Subpackages: plasma5-defaults-openSUSE plasma5-theme-openSUSE plasma5-workspace-branding-openSUSE sddm-theme-openSUSE - Provide the KDE4 branding and plasma5-desktop-branding-openSUSE in version 43 and obsolete (or conflict with) < 43 to prevent upgrade problems from Leap 42 to 15, which has a lower version (boo#1077854) ==== plasma5-pk-updates ==== Subpackages: plasma5-pk-updates-lang - Update translations (boo#1077851) ==== plymouth ==== Version update (0.9.3+git20171130.fa66a5b -> 0.9.3+git20171220.6e9e95d) Subpackages: libply-boot-client4 libply-splash-core4 libply-splash-graphics4 libply4 plymouth-dracut plymouth-plugin-label plymouth-plugin-label-ft plymouth-plugin-script plymouth-plugin-two-step plymouth-scripts - Update to version 0.9.3+git20171220.6e9e95d: * device-manager: drop superfluous create_pixel_displays_for_renderer call * x11: don't call gdk_display_get_name before gtk_init ==== poppler-qt5 ==== - make introspection scanner (g-ir-scanner) work with older build envs ==== postgresql ==== Subpackages: postgresql-server - postgresql-script: /etc/sysconfig/language is deprecated, use the locale that was inherited from systemd instead for initializing a new database instance (boo#1074988). ==== procps ==== Subpackages: libprocps6 - Remove patch procps-ng-3.3.12-sysctl-iobuf-write.patch (bsc#1077746) - Add patches 0001-Preload-sysctl-lines-even-if-longer-than-stdio-buffe.patch 0002-Add-flexible-buffered-I-O-based-on-fopencookie-3.patch 0003-Use-new-standard-I-O-for-reading-writing-sysctl-valu.patch from my project https://gitlab.com/bitstreamout/procps/tree/procio which implements a flexible buffer for reading and writing values below /proc/sys (bsc#1039941) ==== protobuf ==== - Conditionalize python2 and python3 in order to be able to build without python2 present in distribution * Use singlespec macros to simplify the logic - Run fdupes on python modules to avoid duplicates - Remove shebangs from import-only code ==== publicsuffix ==== Version update (20171228 -> 20180125) - Update to version 20180125: * .br updated - 12 new 2nd level city domains * Update .ke suffixes to include second-level domains * Remove myfusion.cloud domain ==== python-base ==== Subpackages: libpython2_7-1_0 libpython2_7-1_0-32bit python-xml - Add python-skip_random_failing_tests.patch bypass boo#1078485 and exclude many tests for PowerPC - Add patch python-fix-shebang.patch to fix bsc#1078326 ==== python-cairocffi ==== - Add xcffib support - Spec file cleaned ==== python-pycurl ==== - Disable tests on arm platforms as they are very flaky there, on multiple runs always different failures - Disable strict aliasing as reported by the rpm checks - Since version 7.58.0, curl may be compiled with libssh instead of libssh2 which differ in supported functionality (bsc#1078329) * add pycurl-libssh.patch - update license ==== python-pyudev ==== - Require libudev (bsc#1077282) Otherwise, an pyudev import fails with: ImportError: No library named udev ==== qpdf ==== Version update (7.0.0 -> 7.1.0) - Update to version 7.1.0 * Allow raw encryption key to be specified in libary and command line with the QPDF::setPasswordIsHexKey method and - -password-is-hex-key option. Allow encryption key to be displayed with --show-encryption-key option. See https://blog.didierstevens.com/2017/12/28/cracking-encrypted-pdfs-part-3/ for a discussion of using this for cracking encrypted PDFs. I hope that a future release of qpdf will include some additional recovery options that may also make use of this capability. * Fix lexical error: the PDF specification allows floating point numbers to end with "." * Fix link order in the build to avoid conflicts when building from source while an older version of qpdf is installed * Add support for TIFF predictor for LZW and Flate streams. Now * Clarify documentation around options that control parsing but not output creation. Two options: --suppress-recovery and - -ignore-xref-streams, were documented in the "Advanced Transformation Options" section of the manual and --help output even though they are not related to output. These are now described in a separate section called "Advanced Parsing Options." * Implement remaining PNG filters for decode. Prior versions could decode only the "up" filter. Now all PNG filters (sub, up, average, Paeth, optimal) are supported for decoding. The implementation of the remaining PNG filters changed the interface to the private Pl_PNGFilter class, but this class's header file is not in the installation, and there is no public interface to the class. Within the library, the class is never allocated on the stack; it is only ever dynamically allocated. As such, this does not actually break binary compatibility of the library. all predictor functions are supported - cleanup with spec-cleaner ==== rollback-helper ==== - check if current btrfs snapshot is the production snapshot before re-registering (bsc#1068947) - unified branching versions (Jul 27 2017 vs. May 22 2017) ==== rpm ==== Version update (4.13.0.1 -> 4.14.0) Subpackages: rpm-32bit - fix debugedit relocation offset computation (boo#1076819) new patch: debugedit-bnc1076819.diff - fix signature header writing if the archive size is bigger than 2 GByte new patch: bigarchive.diff - remove shebang from pythondistdeps.py new patch: pythondistdeps.diff - Update RPM groups - patch debugedit so that it also handles the .debug.macro section new patch: debugedit-macro.diff - switch build id generation to "alldebug" mode - Replace PreReq fillup with Requires(post), so that we can deinstall it later if we don't need it anymore - update to rpm-4.14.0 * new with/without/unless rich dependencies * multifile optimized debuginfo packages * much improved macro engine - dropped patches: * 0001-set-SOURCE_DATE_EPOCH-from-changelog.patch * 0002-Extend-changelog-to-support-full-timestamps-903.patch * 0003-Allow-SOURCE_DATE_EPOCH-to-override-file-timestamps.patch * 0004-Allow-SOURCE_DATE_EPOCH-to-override-RPMTAG_BUILDTIME.patch * buildidprov.diff * changes-doc.diff * convertdb1static.diff * debugedit-canon-fix.diff * debugedit-comp-dir.diff * debugsource-package.diff * find-lang-python.patch * nobfd.diff * normalize_blocksize.diff * perlprov-package.diff * perlprov.diff * python3-abi-kind.diff * rpmrctests.diff - new patches (backports from master): * editdwarf.diff * rofs.diff * transfiletriggerpostun.diff * hardlink.diff - Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468) - Introduce new %_fillupdir macro for fillup-templates location - Set %_fillupdir macro to /usr/share/fillup-templates - Change fillup macros to support new %_fillupdir in addition to old /var/adm/fillup-templates location - Make %post compatibility symlink creation more resiliant - Correct %post compatibility symlink for /usr/lib/sysimage/rpm - Remove usr-lib-rpmdb.patch - Add usr-lib-sysimage-rpm.patch to locate rpmdb to /usr/lib/sysimage/rpm after discussions with upstream - Migrates existing rpmdb in /var/lib/rpm to /usr/lib/sysimage/rpm - Add usr-lib-rpmdb.patch to locate rpmdb to /usr/lib/rpmdb - Migrates existing rpmdb in /var/lib/rpm to /usr/lib/rpmdb - Generate ksym() dependencies for SLE if %is_opensuse is unset (bsc#981083). - Drop %supplements_kernel_module, as it is broken, undocumented and is not used by anybody (bsc#981083). dropped: modalias-kernel_module.diff refreshed: modalias-encode.diff - Split fileattrs for kernel and kmps, do not pass around %name and simplify the helpers refreshed: fileattrs.diff, modalias.diff dropped: symset-table, helperenv.diff, modalias-no-kgraft.diff - Change Supplements in rpm-suse_macros to not depend on bundle-lang-other anymore, it does not exist in Leap and will likely be dropped from TW. - Amend finddebuginfo.diff to adjust readelf -Wn pattern matching to account for fixed readelf no longer emitting spurious newlines with -W. - Drop net-tools Requires from rpm-build: net-tools only ships uninteresting binaries. Most people would probably rather have net-tools-depreacted expected (e.g. ifconfig), but as we did not pull this in neither, we can just ignore this. - Define %_sharedstatedir as /var/lib, which is the path for shared state content in Red Hat/Fedora; Mageia; and Debian/Ubuntu. The old path (/usr/com) isn't recognized by FHS, whereas /var/lib is recognized as suitable for this purpose. - Change the RPM binary payload from old-lzma to xz, in line with payload settings for RH/Fedora and Mageia - Backport upstream commit to read changelog entries with full timestamps New patch: changes-doc.diff - Added a %rpm_vercmp macro which accepts two versions as parameters and returns -1, 0, 1 if the first version is less than, equal or greater than the second version respectively. - Added a %pkg_version macro that accepts a package or capability name as argument and returns the version number of the installed package. If no package provides the argument, it returns the string ~~~ - Added a %pkg_vcmp macro that accepts 3 parameters. The first parameter is a package name or provided capability name, the second argument is an operator ( < <= = >= > != ) and the third parameter is a version string to compare the installed version of the first argument with. - Added a %pkg_version_cmp macro which accepts a package or capability name as first argument and a version number as second argument and returns - 1, 0, 1 or ~~~ . The number values have the same meaning as in %rpm_vercmp and the ~~~ string is returned if the package or capability can't be found. - Add patch to handle newer package statement variations for Perl 5.12+ * perlprov-package.diff - Add patch to handle special case of .qm file paths correctly (boo#1027925): * find-lang-qt-qm.patch - Convert rpmconfigcheck init script to systemd unit - Tweak debugsubpkg.diff to no longer use obsoleted RPM interfaces and add support for debuginfo compressed by DWZ. - Add %_find_debuginfo_dwz_opts and DWZ limits to macrosin.diff. - Add dwz requires to rpm-build. [fate#322957] - Tweak debugedit-comp-dir patch so that debugedit does not crash with a NULL comp_dir [bnc#1027228] - Fix debugedit-canon-fix.diff to handle directory table size shrinking by 1 byte correctly. - Add upstream patches 0001-set-SOURCE_DATE_EPOCH-from-changelog.patch 0002-Extend-changelog-to-support-full-timestamps-903.patch 0003-Allow-SOURCE_DATE_EPOCH-to-override-file-timestamps.patch 0004-Allow-SOURCE_DATE_EPOCH-to-override-RPMTAG_BUILDTIME.patch in order to allow for building bit-identical rpms as described in https://github.com/rpm-software-management/rpm/pull/144 - update to rpm-4.13.0.1 * fix several out of bounds reads in the OpenPGP parser * fix handling of OpenPGP reserved tag (should be rejected) * fix various crashes from malformed packages with invalid tags * fix transfiletriggerpostun nondeterministic behavior - update to rpm-4.13.0 * support of rich (boolean) dependencies * support of file triggers - new patches: * nobfd.diff * emptymanifest.diff - dropped patches: * rpm-4.12.0.1-lua-5.3.patch * fixsizeforbigendian.diff * repackage-nomd5.diff - Correct summary/description of -lang subpackages - add is_opensuse and leap_version macros to suse_macros [bnc#940315] - Add rpm-findlang-inject-metainfo.patch: allow packagers to inject a metainfo.xml file for the -lang package, which can then serve AppStream based Software Centers to show -lang packages as extensions to applications (boo#980583). - work around bug in rpm's macro expandsion [bnc#969381] - tweak rpm-4.12.0.1-lua-5.3.patch so that it does not need the -p1 option - add option to make postinstall scriptlet errors fatal [bnc#967728] new patch: enable-postin-scripts-error.diff - rework nfs-blocksize-free.patch to always normalize big blocksizes to 4096 bytes [bnc#894610] [bnc#829717] [bnc#965322] removed patch: nfs-blocksize-free.patch new patch: normalize_blocksize.diff - drop service_del_preun, service_del_postun macros, they are provided by the systemd package - change restart_on_update and stop_on_removal macros to use service_del_preun and service_del_postun [bnc#968405] [bnc#969381] - add beecrypt-4.1.2-build.diff: * make sure debug info is not stripped from internal beecrypt - %install_info_delete: only delete if package is removed - Add nfs-blocksize-free.patch: * Blocksize of NFS shouldn't be used directly - Fixes bsc#894610 and bsc#829717 - Add armv6hl to %arml macro - add patch: rpm-4.12.0.1-lua-5.3.patch * replace luaL_optint/luaL_checkint w/ (int)luaL_optinteger (int)luaL_checkinteger for compatibility w/ lua 5.3 - add a space when printing information about updating a sysconfig file - apply db.diff from the subdir to avoid patching through a symlink (to please new patch) - comment gcc-PIE for now - add gcc-PIE to requires of rpm-build to make PIE building default. bsc#912298 - fix bashisms in brp-compress, symset-table and check-rpaths scripts - fix shebang in find-supplements.ksyms script that contains bash-specific constructions - updated patches: * modalias.diff * modalias-kernel_module.diff * brpcompress.diff - add patches: * rpm-4.12.0.1-fix-bashisms.patch - Do not generate supplements for kgraft patches (bnc#904848) new patch: modalias-no-kgraft.diff - fix size and payloadsize generation for big endian platforms new patch: fixsizeforbigendian.diff - update to rpm-4.12.0.1 * fixes archivesize being off a couple of bytes - update to rpm-4.12.0 * weakdeps support is now upstream * new optional payload format to support files > 4GB * lots of cleanups all over the codebase - dropped patches: autodeps.diff, psm-errno.diff, exportoldtags.diff, pythondeps.diff, newweakdeps.diff, findsupplements.diff, rpm-gst-provides.patch, noposttrans.diff, fontprovides.diff - update to rpm-4.11.3 * consists of cherry picked bug fixes * fix double-free on malformed signature header (RhBug:1133885) * fix curl globbing being enabled on remote retrieval (RhBug:1076277) * fix verification of SHA224 signatures (RhBug:1066494) * fix buffer overflows on malformed macro define/undefine (RhBug:1087000) * fix buffer overflow on unterminated macro options * fix file actions sometimes carrying state across multiple rpmtsRun() calls (RhBug:1076552, RhBug:1128359) * fix %autopatch options getting expanded twice * add support for %autosetup -S git_am (RhBug:1082038) - dropped patches: gentlyadjustmacros.diff, rundir.diff, m68k.patch, debugedit-m68k.patch - rename SuSE to SUSE [bnc#888990] - add correct self-provides to debuginfo subpackages - adapt restart_on_update and stop_on_removal to use systemctl [bnc#878255] - fix macro adjusting in installplatform the old code broke macos like GNUconfigure [bnc#874897] new patch: gentlyadjustmacros.diff - make _rundir configurable new patch: rundir.diff - offer a %_rundir to avoid hardcoding /run - and packages wanting to support older distros, can have /var/run as fallback for the macro - export the old weak dependency tags so that they are accessible from python new patch: exportoldtags.diff - fix bug in weakdepscompa.diff patch - make the 'douple separator' error a warning new patch: checksepwarn.diff - cherry-pick new weakdeps tags from upstream new patch: newweakdeps.diff dropped: weakdeps.diff - add weakdepscompat.diff to support querying the old tags - drop outdated and non-free RPM-Tips tarball [bnc#849465] - update to rpm-4.11.2 * dropped patches: appdata_provides.diff, application_provides.diff, beedigest.diff, debug_gdb_scripts.diff, getauxval.diff, ignore_poolstr_dummy_entries.diff, ppc64le.diff, selfconflicts.diff, strpoolrehash.diff - package /usr/lib/rpm/macros.d - activate config.guess and config.sub update also for ppc64le - Rename and extend auto-config-update-aarch64.diff to auto-config-update-aarch64-ppc64le.diff to apply same hack to powerpc64le architecture - Substitute current values of %suse_release, %sles_release, %ul_release into suse_macros (bnc#851877) - Add find-lang-python.patch: Support for finding translations in %python_sitelib/python_sitearch. - Add support for ppc64le (ppc64le.diff) those are upstream commits: ef1497b1f81966fed56f008bc8ee8ba42102efd6 cf07feda05822377d62b973adc4010c0d7f9eaa0 - debugedit-m68k.patch: Add support for m68k - m68k.patch: Add support for m68k - add application_provides.diff and appdata_provides.diff to generate provides for .desktop files (both patches are sent to upstream) - add selfconflicts.diff: fix self-conflicts and self-obsoletes handling for verify operations [bnc#838133] - replace obsoleted "find -perm +NNN" syntax [bnc#842004] to "-perm /NNN" in debugsource-package.diff and finddebuginfo.diff. - fix two bugs in the rpmstrPoolRehash() function: adding strpoolrehash.diff and ignore_poolstr_dummy_entries.diff - brp-compress-no-img.patch: don't compress image files - add beedigest.diff to plug memory leaks and support DSA signatures with hashes other than sha-1 (already upstream) - weakdeps.diff: readd support for recommends, suggests, enhances supplements - fix typo in .debug_gdb_scripts name [bnc#818502] - backport noposttrans.diff from rpm master [bnc#773575] ==== rsyslog ==== Version update (8.30.0 -> 8.32.0) - rsyslog 8.32.0 * libfastjson 0.99.8 required * libczmq >= 3.0.2 is now required for omczmq * libcurl is now needed for rsyslog core * rsyslogd: add capability to specify that no pid file shall be written * core improvements and bug fixes * RainerScript improvements and bug fixes * build fixes, including gcc7 fixes drop 0001-imgssapi-fix-compiler-warnings.patch * various bug fixes in multiple modules - remove build dependency on libee ==== simple-scan ==== Version update (3.26.2 -> 3.26.3) Subpackages: simple-scan-lang - Update to version 3.26.3: + Fix email sending failing with PDF attachments. ==== snapper ==== Version update (0.5.3 -> 0.5.4) Subpackages: libsnapper4 snapper-zypp-plugin - create subvolume instead of snapshot for initial system (bsc#1077240) - version 0.5.4 - improved error handling for systemd services (gh#openSUSE/snapper#382) ==== spamassassin ==== Subpackages: perl-Mail-SpamAssassin - bsc#1059210 spamassassin perl dns resolver recursion desired not set o add DNS-resolver-recursion-desired-not-set.patch - Replace %__-type macro indirections. Replace old $RPM_ shell variables. ==== strace ==== - add update-futex-test-in-accordance-with-kernel-s-v4.15-.patch ==== supportutils ==== Version update (3.0 -> 3.1) - Includes X without display issue (bsc#1077813) - Fixes for Infiniband (bsc#1071294) - Using chrony for NTP (bsc#1077818) - Added os-release processing (bsc#1077758) - Removed invalid string tty string (bsc#1077681) - Added SLE15 taint values (bsc#1077683) - Added transactional update with OPTION_TRANSACTIONAL=1 - Updated supportconfig.conf.5 with OPTION_TRANSACTIONAL - Fixed docker package detection (bsc#1069457) - Replaced route with ip route (bsc#1070379) - Added systemd-delta to systemd.txt (bsc#1071924) - Changed repos -u to repos -d (bsc#1071926) - Added rdma-core for infiniband (bsc#1071294) - Branding updates fate#324067 - Fixed piped spelling error - Separated core supportconfig function into resources/supportconfig.rc - Removed virtualization functions - Removed OES functions - Removed eDirectory functions - Initial commit ==== texinfo ==== - Do not require bash for package info (boo#1077744) ==== texlive ==== Subpackages: libkpathsea6 libsynctex1 libtexlua52-5 libtexluajit2 texlive-a2ping-bin texlive-accfonts-bin texlive-adhocfilelist-bin texlive-afm2pl-bin texlive-amstex-bin texlive-arara-bin texlive-asymptote-bin texlive-bibtex-bin texlive-bibtex8-bin texlive-bibtexu-bin texlive-bundledoc-bin texlive-checkcites-bin texlive-checklistings-bin texlive-chktex-bin texlive-context-bin texlive-cslatex-bin texlive-csplain-bin texlive-ctanify-bin texlive-ctanupload-bin texlive-ctie-bin texlive-cweb-bin texlive-de-macro-bin texlive-detex-bin texlive-dosepsbin-bin texlive-dtl-bin texlive-dtxgen-bin texlive-dviasm-bin texlive-dvicopy-bin texlive-dvidvi-bin texlive-dviinfox-bin texlive-dviljk-bin texlive-dvipdfmx-bin texlive-dvipng-bin texlive-dvipos-bin texlive-dvips-bin texlive-dvisvgm-bin texlive-epstopdf-bin texlive-findhyph-bin texlive-fontinst-bin texlive-fontools-bin texlive-fontware-bin texlive-fragmaster-bin texlive-gsftopk-bin texlive-kpathsea-bin texlive-lacheck-bin texlive-latex-bin-bin texlive-latex-git-log-bin texlive-latex-papersize-bin texlive-latex2man-bin texlive-latex2nemeth-bin texlive-latexdiff-bin texlive-latexfileversion-bin texlive-latexindent-bin texlive-latexmk-bin texlive-latexpand-bin texlive-lcdftypetools-bin texlive-listings-ext-bin texlive-ltxfileinfo-bin texlive-ltximg-bin texlive-lua2dox-bin texlive-luaotfload-bin texlive-luatex-bin texlive-lwarp-bin texlive-make4ht-bin texlive-makeindex-bin texlive-match_parens-bin texlive-metafont-bin texlive-metapost-bin texlive-mex-bin texlive-mf2pt1-bin texlive-mflua-bin texlive-mfware-bin texlive-mkjobtexmf-bin texlive-mptopdf-bin texlive-patgen-bin texlive-pdfbook2-bin texlive-pdfcrop-bin texlive-pdfjam-bin texlive-pdflatexpicscale-bin texlive-pdftex-bin texlive-pdftools-bin texlive-pdfxup-bin texlive-pfarrei-bin texlive-pkfix-bin texlive-pkfix-helper-bin texlive-ps2pk-bin texlive-pst-pdf-bin texlive-pstools-bin texlive-purifyeps-bin texlive-pygmentex-bin texlive-pythontex-bin texlive-seetexk-bin texlive -srcredact-bin texlive-sty2dtx-bin texlive-synctex-bin texlive-tetex-bin texlive-tex-bin texlive-tex4ebook-bin texlive-tex4ht-bin texlive-texconfig-bin texlive-texcount-bin texlive-texdef-bin texlive-texdiff-bin texlive-texdirflatten-bin texlive-texdoc-bin texlive-texfot-bin texlive-texliveonfly-bin texlive-texloganalyser-bin texlive-texosquery-bin texlive-texware-bin texlive-thumbpdf-bin texlive-tie-bin texlive-tpic2pdftex-bin texlive-ttfutils-bin texlive-typeoutfileinfo-bin texlive-ulqda-bin texlive-vlna-bin texlive-web-bin texlive-xdvi-bin texlive-xetex-bin - removed unneeded 'BuildRequires: xorg-x11-util-devel' (bsc#1077489) - For Leap 42.3 build without biber as the perl version does not fit ==== texlive-filesystem ==== Version update (2017.133.svn41616 -> 2017.135.svn41616) Subpackages: texlive-collection-basic texlive-collection-binextra texlive-collection-context texlive-collection-fontsrecommended texlive-collection-fontutils texlive-collection-langczechslovak texlive-collection-langenglish texlive-collection-langeuropean texlive-collection-langfrench texlive-collection-langgerman texlive-collection-langitalian texlive-collection-langpolish texlive-collection-langportuguese texlive-collection-langspanish texlive-collection-latex texlive-collection-latexrecommended texlive-collection-luatex texlive-collection-mathscience texlive-collection-metapost texlive-collection-plaingeneric texlive-collection-xetex texlive-extratools texlive-scheme-medium - Switch over to python 3 (boo#1077170) ==== texlive-specs-b ==== Version update (2017.133.svn15878 -> 2017.135.svn15878) Subpackages: texlive-around-the-bend texlive-arphic texlive-arphic-doc texlive-arphic-fonts texlive-arydshln texlive-arydshln-doc texlive-ascii-chart texlive-asymptote texlive-asymptote-doc texlive-autoaligne texlive-autoaligne-doc texlive-autobreak texlive-autobreak-doc texlive-automata texlive-automata-doc texlive-avantgar texlive-avantgar-fonts texlive-awesomebox texlive-awesomebox-doc texlive-axodraw2 texlive-axodraw2-doc texlive-babel texlive-babel-albanian texlive-babel-albanian-doc texlive-babel-basque texlive-babel-basque-doc texlive-babel-bosnian texlive-babel-bosnian-doc texlive-babel-breton texlive-babel-breton-doc texlive-babel-catalan texlive-babel-catalan-doc texlive-babel-croatian texlive-babel-croatian-doc texlive-babel-czech texlive-babel-czech-doc texlive-babel-danish texlive-babel-danish-doc texlive-babel-doc texlive-babel-dutch texlive-babel-dutch-doc texlive-babel-english texlive-babel-english-doc texlive-babel-estonian texlive-babel-estonian-doc texlive-babel-fi nnish texlive-babel-finnish-doc texlive-babel-french texlive-babel-french-doc texlive-babel-friulan texlive-babel-friulan-doc texlive-babel-galician texlive-babel-galician-doc texlive-babel-german texlive-babel-german-doc texlive-babel-hebrew texlive-babel-hebrew-doc texlive-babel-hungarian texlive-babel-hungarian-doc texlive-babel-icelandic texlive-babel-icelandic-doc texlive-babel-irish texlive-babel-irish-doc texlive-babel-italian texlive-babel-italian-doc texlive-babel-kurmanji texlive-babel-kurmanji-doc texlive-babel-latin texlive-babel-latin-doc texlive-babel-latvian texlive-babel-latvian-doc texlive-babel-macedonian texlive-babel-macedonian-doc texlive-babel-norsk texlive-babel-norsk-doc texlive-babel-occitan texlive-babel-occitan-doc texlive-babel-piedmontese texlive-babel-piedmontese-doc texlive-babel-polish texlive-babel-polish-doc texlive-babel-portuges texlive-babel-portuges-doc texlive-babel-romanian texlive-babel-romanian-doc texlive-babel-romansh texlive-babel-romansh -doc texlive-babel-samin texlive-babel-samin-doc texlive-babel-scottish texlive-babel-scottish-doc texlive-babel-slovak texlive-babel-slovak-doc texlive-babel-slovenian texlive-babel-slovenian-doc texlive-babel-spanglish texlive-babel-spanglish-doc texlive-babel-spanish texlive-babel-spanish-doc texlive-babel-swedish texlive-babel-swedish-doc texlive-babel-turkish texlive-babel-turkish-doc texlive-babel-welsh texlive-babel-welsh-doc texlive-babelbib texlive-babelbib-doc texlive-background texlive-background-doc texlive-backnaur texlive-backnaur-doc texlive-barr texlive-barr-doc texlive-basque-book texlive-basque-book-doc - Switch over to python 3 (boo#1077170) - Avoid nasty warning about missing batchmode in ENVironment ==== timezone ==== Version update (2017c -> 2018c) - timezone update 2018c: * S�o Tom� and Pr�ncipe switched from +00 to +01 on 2018-01-01 * Southern Brazil's DST will now start on November's first Sunday (bsc#1073275) * New zic option -t to specify the time zone file if TZ is unset ==== timezone-java ==== Version update (2017c -> 2018c) - timezone update 2018c: * S�o Tom� and Pr�ncipe switched from +00 to +01 on 2018-01-01 * Southern Brazil's DST will now start on November's first Sunday (bsc#1073275) * New zic option -t to specify the time zone file if TZ is unset ==== totem ==== Subpackages: nautilus-totem totem-lang totem-plugins - Drop python-beautifulsoup and python-httplib2 recommends: BBC rewrote the iplayer plugin and as such the recommends do not make sense anymore. ==== util-linux ==== Version update (2.30.1 -> 2.31) Subpackages: libblkid1 libblkid1-32bit libfdisk1 libmount1 libmount1-32bit libsmartcols1 libuuid1 libuuid1-32bit util-linux-lang - Combine %service_* calls again. - Provide /usr/sbin/rfkill from rfkill package (boo#1076134) - Add util_linux_bigendian.patch solve two failing tests on ppc64 (sha1, uuid/oids) - Integrate rfkill-block@.service and rfkill-unblock@.service from rfkill package (boo#1074250#c4). - Remove unneeded release based conflicts and obsolescences (boo#1074250#c18). - Remove sysvinit requirement. - Fix Obsoletes for rfkill (boo#1074250). - Update bash completion conflict to cover rfkill file conflict. - lsmem: Add support for zone awareness (bsc#1065471, FATE#324252, util-linux-lsmem-memory-zone-1.patch, util-linux-lsmem-memory-zone-2.patch, util-linux-lsmem-memory-zone-3.patch). - Drop util-linux-losetup-Add-support-for-setting-logical-blocksize.patch. Different implementations exists in the new kernel, and it has a conflicting implementation in util-linux. - Update to version 2.31: * New utilities: uuidparse, rfkill. * su has been refactored and extended to create pseudo terminal (new option --pty, CVE-2016-2779, bsc#968674). This new EXPERIMENTAL feature provides better isolation between root's terminal and an unprivileged su. * libuuid: Improved to match * libuuid, uuidgen: support hash-based UUIDs v3 (md5) and v5 (sha1) as specified by RFC-4122. Provide UUID templates for dns, url, oid, or x500. * libblkid: Extended support for DM-integrity, HPE (aka extended-XFS) and UBI superblock. New API to hide already detected signatures. * libfdisk: New API to modify grain, make possible to completely disable dialog driven partitioning. * libsmartcols: New API to move columns. * column: --table-header-repeat to repeat table headers. * libfdisk: Use BLKPG ioctls to inform the kernel about changes. * fdisk: Improved ^C and ^D behavior. * cfdisk: Dialog to resize partition. * look: Follow the WORDLIST environment variable. * losetup: Added support for --sector-size (FATE#319010). * script: Follow the usual semantics for stop/continue signals. * setpriv: New command line options --ambient-caps and - -init-groups. * hwclock: Reduce system shutdown times, log --systz when using libaudit. * Other bug fixes. - Drop upstreamed util-linux-use-tinfow.patch. - Refreshed make-sure-sbin-resp-usr-sbin-are-in-PATH.diff. ==== util-linux-systemd ==== Version update (2.30.1 -> 2.31) - Combine %service_* calls again. - Provide /usr/sbin/rfkill from rfkill package (boo#1076134) - Add util_linux_bigendian.patch solve two failing tests on ppc64 (sha1, uuid/oids) - Integrate rfkill-block@.service and rfkill-unblock@.service from rfkill package (boo#1074250#c4). - Remove unneeded release based conflicts and obsolescences (boo#1074250#c18). - Remove sysvinit requirement. - Fix Obsoletes for rfkill (boo#1074250). - Update bash completion conflict to cover rfkill file conflict. - lsmem: Add support for zone awareness (bsc#1065471, FATE#324252, util-linux-lsmem-memory-zone-1.patch, util-linux-lsmem-memory-zone-2.patch, util-linux-lsmem-memory-zone-3.patch). - Drop util-linux-losetup-Add-support-for-setting-logical-blocksize.patch. Different implementations exists in the new kernel, and it has a conflicting implementation in util-linux. - Update to version 2.31: * New utilities: uuidparse, rfkill. * su has been refactored and extended to create pseudo terminal (new option --pty, CVE-2016-2779, bsc#968674). This new EXPERIMENTAL feature provides better isolation between root's terminal and an unprivileged su. * libuuid: Improved to match * libuuid, uuidgen: support hash-based UUIDs v3 (md5) and v5 (sha1) as specified by RFC-4122. Provide UUID templates for dns, url, oid, or x500. * libblkid: Extended support for DM-integrity, HPE (aka extended-XFS) and UBI superblock. New API to hide already detected signatures. * libfdisk: New API to modify grain, make possible to completely disable dialog driven partitioning. * libsmartcols: New API to move columns. * column: --table-header-repeat to repeat table headers. * libfdisk: Use BLKPG ioctls to inform the kernel about changes. * fdisk: Improved ^C and ^D behavior. * cfdisk: Dialog to resize partition. * look: Follow the WORDLIST environment variable. * losetup: Added support for --sector-size (FATE#319010). * script: Follow the usual semantics for stop/continue signals. * setpriv: New command line options --ambient-caps and - -init-groups. * hwclock: Reduce system shutdown times, log --systz when using libaudit. * Other bug fixes. - Drop upstreamed util-linux-use-tinfow.patch. - Refreshed make-sure-sbin-resp-usr-sbin-are-in-PATH.diff. ==== vim ==== Version update (8.0.1417 -> 8.0.1442) Subpackages: gvim vim-data - Updated to revision 1442, fixes the following problems * Crash when calling term_start() with empty argument. * Crash when term_start() fails. * MS-Windows: vimtutor fails if %TMP% has special chars. * After ":copen" can't get the window-ID of the quickfix window. (FalacerSelene) * Illegal memory access after undo. (Dominique Pelle) * GTK: :promtfind does not put focus on text input. (Adam Novak) * Memory leak in test_arabic. * Not enough information about what Python version may work. * Pkg-config doesn't work with cross compiling. * Filetype detection test not updated for change. * If cscope fails a search Vim may hang. * Terminal window: some vterm responses are delayed. * Using ":undo 0" leaves undo in wrong state. * Using pointer before it is set. - Make vim require vim-data bsc#1077352 bsc#1075541 bsc#1074790 - Sort with spec-cleaner - Add conditional to build with python2 in order to build with py3 only enviroment - Convert dependencies to pkgconfig style - Updated to revision 1428, fixes the following problems * No test for expanding backticks. * Cursor column is not updated after ]s. (Gary Johnson) * Accessing freed memory in vimgrep. * Accessing invalid memory with overlong byte sequence. * No fallback to underline when undercurl is not set. (Ben Jackson) * Error in return not caught by try/catch. * The timer_pause test is flaky on Travis. * execute() does not work in completion of user command. (thinca) * "gf" and don't accept ? and & in URL. (Dmitrii Tcyganok) * The :leftabove modifier doesn't work for :copen. * Compiler warning on 64 bit MS-Windows system. - ignore make check transient errors for PowerPC bypass boo#1072651 - Update apparmor.vim (taken from AppArmor 2.12) * add support for the "smc" network keyword ==== virtualbox ==== Subpackages: virtualbox-guest-kmp-default virtualbox-host-kmp-default - Update "fixes_for_4.15.patch": remove useless log statement that broke building the vboxvideo guest kernel module - Build and install it again, it's needed for KMS support, i.e. for Xorg's "modesetting" driver to work in the guest (boo#1079221) ==== w3m ==== Version update (0.5.3.git20161120 -> 0.5.3+git20180125) - add git ChangeLog to /usr/share/doc/w3m/ - update to version 0.5.3+git20180125 addressed security issue: CVE-2018-6196: w3m: an infinite recursion flaw in HTMLlineproc0 because the feed_table_block_tag function in table.c does not prevent a negative indent value allows for (bsc#1077559) CVE-2018-6197: w3m: NULL pointer dereference flaw in formUpdateBuffer in form.c (bsc#1077568) CVE-2018-6198: w3m: does not properly handle temporary files when the ~/.w3m directory is unwritable, which allows a local attacker to craft a symlink attack to overwrite arbitrary files (bsc#1077572) other changes, bugfixes see: /usr/share/doc/w3m/ChangeLog ==== webkit2gtk3 ==== Version update (2.18.5 -> 2.18.6) Subpackages: libjavascriptcoregtk-4_0-18 libwebkit2gtk-4_0-37 libwebkit2gtk3-lang typelib-1_0-JavaScriptCore-4_0 typelib-1_0-WebKit2-4_0 webkit2gtk-4_0-injected-bundles - even on recent codestreams there is no binutils gold on s390 only on s390x - Update to version 2.18.6: + Fix deadlock in GStreamer video sink during shutdown when accelerated compositing is disabled. + Several fixes and improvements in WebDriver. + Security fixes: CVE-2018-4088, CVE-2017-13885, CVE-2017-7165, CVE-2017-13884, CVE-2017-7160, CVE-2017-7153, CVE-2017-7153, CVE-2017-7161, CVE-2018-4096. ==== wireless-tools ==== Subpackages: libiw30 - improved install scripts (using install instead of mv and using $UID: * install_acx100_firmware * install_intersil_firmware - updated URL in install_acx100_firmware script (bnc#1004577) - improved spec file * removed obsolete openSUSE Versions checks * replaced bash variables with macros * removed obsolete tags and macros * cleaned spec file with spec-cleaner ==== xorg-x11-libs ==== Version update (7.6 -> 7.6.1) - raised version number of package; improved definitions for provide/obsolete of xorg-x11-util-devel so makedepend, lndir, gccmakedep, xorg-cf-files and xorg-sgml-doctools no longer conflict with xorg-x11-devel package (bsc#1077489) - Directly require packages, which were required by xorg-x11-util-devel meta package; provide/obsolete xorg-x11-util-devel now (bsc#1077489) ==== xtables-addons ==== - Backport from upstream * Support for Linux 4.15 (add init_timer.patch) ==== yast2 ==== Version update (4.0.38 -> 4.0.45) - Firewalld API: Cache whether the configuration has been read (fate#323460) - 4.0.45 - Installation::AutoClient: modified packages default and improved documentation (fate#323460 bsc#1077987) - 4.0.44 - Fixed a bug causing pages of all CWM::TreePager to be rendered twice on every page switch (bsc#1078212) - 4.0.43 - Firewalld API: reload and complete reload return true in offline mode (fate#323460) - 4.0.42 - Fixed logging typo (fate#1076513) - 4.0.41 - Improved base product detection at upgrade (fate#1076513) - 4.0.40 ==== yast2-bootloader ==== Version update (4.0.13 -> 4.0.14) - fix crash when clicking link in proposal (bsc#1078227) - 4.0.14 ==== yast2-country ==== Version update (4.0.16 -> 4.0.19) Subpackages: yast2-country-data - Lnaguage: nicer handling of dbus timeout (bsc#1076804) - 4.0.19 - Reimplemented package reset to require less memory (related to bsc#1076768) - 4.0.18 - Unify openSUSE and SLE console fonts maps (bsc#1068814). - 4.0.17 ==== yast2-drbd ==== Version update (4.0.0 -> 4.0.1) - SuSEFirewall2 replace by firewalld(fate#323460) - Version 4.0.1 ==== yast2-firewall ==== Version update (4.0.8 -> 4.0.9) - AutoYaST: fixed default valur for log denied packets when using SuSEFIrewall2 profiles (fate#323460) - 4.0.9 ==== yast2-installation ==== Version update (4.0.26 -> 4.0.28) - Do not enable xvnc.socket for second installation stage. Xvnc will be started by a direct call in vnc.sh. (bnc#1077236) - 4.0.28 - Reimplemented finding package upgrades to require less memory (related to bsc#1076768) - 4.0.27 ==== yast2-pkg-bindings ==== Version update (4.0.6 -> 4.0.7) - Added "transact_by" key to the PkgPropertiesAll call (improvement for bsc#1077882) - 4.0.7 ==== yast2-squid ==== Version update (4.0.0 -> 4.0.1) - Replace SuSEFirewall2 by firewalld (fate#323460) - 4.0.1 ==== yast2-storage-ng ==== Version update (4.0.76 -> 4.0.81) - Partitioner: list all LVM thin volumes to delete when an LVM thin pool is going to be deleted. - Partitioner: show warning when an LVM thin pool is overcommitted after resizing. - Part of fate#318196. - 4.0.81 - AutoYaST: try to shrink new partitions/logical volumes proportionally when there is not enough space (bsc#1078418). - 4.0.80 - Partitioner: initial support for NFS (part of fate#318196) - Partitioner: removed useless tmpfs option - 4.0.79 - Partitioner: allow to create LVM thin pools and volumes. - Fix transactions of devicegraphs. - Part of fate#318196. - 4.0.78 - Partitioner: improve error message when trying to remove an used physical volume. - Add default mount options for /etc/fstab for ext2/3/4 and vfat (bsc#1066076) - 4.0.77 ==== zypp-plugin ==== Version update (0.6.2 -> 0.6.3) - Disable singlespec packaging in SLE12* and older distros while it's not working there. They provide python2 packages only. - Fix a bit the obsoletes/provides to allow migration, previously was overwritten by macros - BR python-rpm-macros to build on older distributions - Fix bit python detection conditions on install phase to be better readable and uniform - Switch to singlespec packaging to make it easy to disable either python3 or python2 plugin and make sure all is buildable - version 0.6.3 ==== zziplib ==== Version update (0.13.62 -> 0.13.67) - Drop tests as they fail completely anyway, not finding lib needing zip command, this should allow us to kill python dependency - Also drop docs subdir avoiding python dependency for it * The generated xmls were used for mans too but we shipped those only in devel pkg and as such we will live without them - Version update to 0.13.67: * Various fixes found by fuzzing * Merged bellow patches - Remove merged patches: * zziplib-CVE-2017-5974.patch * zziplib-CVE-2017-5975.patch * zziplib-CVE-2017-5976.patch * zziplib-CVE-2017-5978.patch * zziplib-CVE-2017-5979.patch * zziplib-CVE-2017-5981.patch - Switch to github tarball as upstream seem no longer pull it to sourceforge - Remove no longer applying patch zziplib-unzipcat-NULL-name.patch * The sourcecode was quite changed for this to work this way anymore, lets hope this is fixed too -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org