Please note that this mail was generated by a script. The described changes are computed based on the x86_64 DVD. The full online repo contains too many changes to be listed here.

Please check the known defects of this snapshot before upgrading: https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=1&...

Please do not reply to this email to report issues, rather file a bug on bugzilla.opensuse.org. For more information on filing bugs please see https://en.opensuse.org/openSUSE:Submitting_bug_reports

Packages changed: krb5 (1.18.2 -> 1.18.3) openssl-1_1 python-Mako python-dbus-python python-dnspython python-dulwich python-geventhttpclient python-importlib-metadata (2.0.0 -> 3.1.1) python-mailman python-notify2 python-pyOpenSSL (19.1.0 -> 20.0.0) python-pycurl python-python-xlib (0.27 -> 0.29) python-pyudev python-requests-toolbelt python-setuptools python-urllib3 (1.25.10 -> 1.26.2) system-users systemd sysuser-tools

=== Details ===

==== krb5 ==== Version update (1.18.2 -> 1.18.3) Subpackages: krb5-32bit krb5-client

- Update to 1.18.3 * Fix a denial of service vulnerability when decoding Kerberos protocol messages. * Fix a locking issue with the LMDB KDB module which could cause KDC and kadmind processes to lose access to the database. * Fix an assertion failure when libgssapi_krb5 is repeatedly loaded and unloaded while libkrb5support remains loaded.

==== openssl-1_1 ==== Subpackages: libopenssl1_1 libopenssl1_1-32bit libopenssl1_1-hmac

- Use the centralized crypto policy profile (jsc#SLE-15832) * add openssl-1.1.1-system-cipherlist.patch from Fedora

==== python-Mako ====

- Let the python-rpm-macros do their job for the correct provides and obsoletes tags for multiple python3 flavors gh#openSUSE/python-rpm-macros#66

==== python-dbus-python ====

- Support builds with more than one python3 flavor gh#openSUSE/python-rpm-macros#66 - Remove shebang from examples (rpmlint warning, is in common doc) - Clean duplicate python flavor variables for configure - Update the provides/obsoletes tags for old-style dbus-1-$python

==== python-dnspython ====

- Remove skipping tests which are acutally passing. - Python < 3.7 requires external contextvars

==== python-dulwich ====

- Fix condition around BuildRequirement - We don't need to break Python 2.7 - Add remove_mock.patch to remove dependency on the external mock package (gh#dulwich/dulwich#820).

==== python-geventhttpclient ====

- Fix condition around BuildRequirement - We don't need to break Python 2.7 - Add remove_mock.patch to remove dependency on the external mock package (gh#gwik/geventhttpclient#135).

==== python-importlib-metadata ==== Version update (2.0.0 -> 3.1.1)

- Update to 3.1.1 * no changelog, probably just the merge of 2.1.1 - Update in v2.1.1 * #261: Restored compatibility for package discovery for metadata without version in the name and for legacy eggs. - Update in v3.1.0 * Merge with 2.1.0. - Update in v2.1.0 * #253: When querying for package metadata, the lookup now honors package normalization rules. - Update in v3.0.0 * Require Python 3.6 or later. - Upstream switched to pytest, so do we - Revert last change: The condition for **BuildRequires** does not make any sense, as that would also prevent the install of python36-importlib_resources into the build environment. - Make requirement of importlib_resources only for particular versions of Python (< 3.9).

==== python-mailman ====

- Fix systemd services - Add missing services and timers to systemd

==== python-notify2 ====

- Fix Requires of dbus-python so that the macros can work out the correct flavor for multiple python3 flavors gh#openSUSE/python-rpm-macros#66

==== python-pyOpenSSL ==== Version update (19.1.0 -> 20.0.0)

- According to gh#pyca/pyopenssl#684 tests must run with TZ=UTC, also skip test_verify_with_time on %ix86. - Update to v20.0.0 - Backward-incompatible changes: - The minimum cryptography version is now 3.2. - Remove deprecated OpenSSL.tsafe module. - Removed deprecated OpenSSL.SSL.Context.set_npn_advertise_callback, OpenSSL.SSL.Context.set_npn_select_callback, and OpenSSL.SSL.Connection.get_next_proto_negotiated. - Drop support for Python 3.4 - Drop support for OpenSSL 1.0.1 and 1.0.2 - Deprecations: - Deprecated OpenSSL.crypto.loads_pkcs7 and OpenSSL.crypto.loads_pkcs12. - Changes: - Added a new optional chain parameter to OpenSSL.crypto.X509StoreContext() where additional untrusted certificates can be specified to help chain building. #948 - Added OpenSSL.crypto.X509Store.load_locations to set trusted certificate file bundles and/or directories for verification. [#943] - Added Context.set_keylog_callback to log key material. #910 - Added OpenSSL.SSL.Connection.get_verified_chain to retrieve the verified certificate chain of the peer. #894. - Make verification callback optional in Context.set_verify. If omitted, OpenSSL?s default verification is used. #933 - Fixed a bug that could truncate or cause a zero-length key error due to a null byte in private key passphrase in OpenSSL.crypto.load_privatekey and OpenSSL.crypto.dump_privatekey. #947 - drop patch fix-compilation-2020.patch: no longer needed - refreshed patch skip-networked-test.patch

==== python-pycurl ====

- Add make-leap15-compat.patch to pass tests on Leap 15.2 - Add remove_nose.patch to remove dependency on nose (gh#pycurl/pycurl#655).

==== python-python-xlib ==== Version update (0.27 -> 0.29)

- Update to version 0.29 * Drawable & XInput: Avoid using array.array.tostring() which will be removed in Python 3.9 (thanks @t-wissmann). - Changelog for version 0.28 * DPMS: Display Power Management Signaling (by @thiagokokada) - Add remove-mock.patch gh#python-xlib/python-xlib#186 - Let the python-rpm-macros do their job for correct provides and obsoletes tag for all python3 flavors gh#openSUSE/python-rpm-macros#66

==== python-pyudev ====

- Add remove_mock.patch gh#pyudev/pyudev#409 - Static linting with pylint is not needed for unit tests or build

==== python-requests-toolbelt ====

- Fix condition around BuildRequirement - We don't need to break Python 2.7 - Add remove_mock.patch to remove dependency on the external mock

==== python-setuptools ====

- Add remove_mock.patch to remove dependency on the external mock package.

==== python-urllib3 ==== Version update (1.25.10 -> 1.26.2)

- If you skip_python2 you don't need mock. - We don't need to break Python 2.7 - Add remove_mock.patch to remove dependency on the external mock package (gh#urllib3/urllib3#2108). - Fixed the testsuite and updated dependencies - update to 1.26.2: * Fixed an issue where ``wrap_socket`` and ``CERT_REQUIRED`` wouldn't be imported properly on Python 2.7.8 and earlier (Pull #2052) * Fixed an issue where two ``User-Agent`` headers would be sent if a ``User-Agent`` header key is passed as ``bytes`` (Pull #2047) * Added support for HTTPS proxies contacting HTTPS servers (Pull #1923, Pull #1806) * Deprecated negotiating TLSv1 and TLSv1.1 by default. Users that still wish to use TLS earlier than 1.2 without a deprecation warning should opt-in explicitly by setting ``ssl_version=ssl.PROTOCOL_TLSv1_1`` (Pull #2002) * *Starting in urllib3 v2.0: Connections that receive a ``DeprecationWarning`` will fail** * Deprecated ``Retry`` options ``Retry.DEFAULT_METHOD_WHITELIST``, ``Retry.DEFAULT_REDIRECT_HEADERS_BLACKLIST`` and ``Retry(method_whitelist=...)`` in favor of ``Retry.DEFAULT_ALLOWED_METHODS``, ``Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT``, and ``Retry(allowed_methods=...)`` (Pull #2000) **Starting in urllib3 v2.0: Deprecated options will be removed** * Added default ``User-Agent`` header to every request (Pull #1750) * Added ``urllib3.util.SKIP_HEADER`` for skipping ``User-Agent``, ``Accept-Encoding``, and ``Host`` headers from being automatically emitted with requests (Pull #2018) * Collapse ``transfer-encoding: chunked`` request data and framing into the same ``socket.send()`` call (Pull #1906) * Send ``http/1.1`` ALPN identifier with every TLS handshake by default (Pull #1894) * Properly terminate SecureTransport connections when CA verification fails (Pull #1977) * Don't emit an ``SNIMissingWarning`` when passing ``server_hostname=None`` to SecureTransport (Pull #1903) * Disabled requesting TLSv1.2 session tickets as they weren't being used by urllib3 (Pull #1970) * Suppress ``BrokenPipeError`` when writing request body after the server has closed the socket (Pull #1524) * Wrap ``ssl.SSLError`` that can be raised from reading a socket (e.g. "bad MAC") into an ``urllib3.exceptions.SSLError`` (Pull #1939) * Fix retry backoff time parsed from ``Retry-After`` header when given in the HTTP date format. The HTTP date was parsed as the local timezone rather than accounting for the timezone in the HTTP date (typically UTC) (Pull #1932, Pull #1935, Pull #1938, Pull #1949)

==== system-users ==== Subpackages: system-group-hardware system-group-libvirt system-group-wheel system-user-bin system-user-daemon system-user-ftp system-user-games system-user-lp system-user-mail system-user-man system-user-news system-user-nobody system-user-qemu system-user-tftp system-user-upsd system-user-uucp system-user-wwwrun

- Remove kvm group from hardware subpackage, since kvm is in its own subpackage (jsc#SLE-11629).

==== systemd ==== Subpackages: libsystemd0 libsystemd0-32bit libudev-devel libudev1 libudev1-32bit systemd-32bit systemd-container systemd-doc systemd-lang systemd-logger systemd-sysvinit udev

- Explicitly require group(kvm) by udev: the group used to be created by system-users-hardware, but has been split/moved to qemu/kvm, where it is more logical. The file /usr/lib/udev/rules.d/50-udev-default.rules references this group, thus we should make sure the group exists. Otherwise there are errors in the journal in the form of: /usr/lib/udev/rules.d/50-udev-default.rules:86 Unknown group 'kvm', ignoring

==== sysuser-tools ====

- useradd_or_adduser_dep must be PreReq so ordering makes sure it gets installed before. - suggest shadow where useradd_or_adduser_dep is actually required