Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.
Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=1&version=Tumbleweed&build=20210921
Please do not reply to this email to report issues, rather file a bug
on bugzilla.opensuse.org. For more information on filing bugs please
see https://en.opensuse.org/openSUSE:Submitting_bug_reports
Packages changed:
LibVNCServer
alpine (2.24 -> 2.25)
apache2 (2.4.48 -> 2.4.49)
apache2-manual (2.4.48 -> 2.4.49)
apache2-prefork (2.4.48 -> 2.4.49)
apache2-utils (2.4.48 -> 2.4.49)
cppcheck
cryptsetup (2.4.0 -> 2.4.1)
e2fsprogs (1.46.3 -> 1.46.4)
eog-plugins
epiphany
fetchmail
glabels
gnome-maps (40.4 -> 40.5)
gnome-packagekit
gstreamer-devtools (1.18.3 -> 1.18.5)
libXi (1.7.10 -> 1.8)
libcontainers-common
libtirpc
libzypp (17.28.3 -> 17.28.4)
perl-Bootloader (0.935 -> 0.936)
pidgin-sipe
pipewire (0.3.35 -> 0.3.36)
pitivi
plasma5-workspace
python-gst (1.18.4 -> 1.18.5)
python-kiwi (9.23.54 -> 9.23.56)
rygel
samba (4.14.6+git.168.6a9fc8a1ddd -> 4.14.6+git.182.2205d5224e3)
transactional-update (3.5.4 -> 3.5.5)
xfce4-whiskermenu-plugin (2.5.3 -> 2.6.0)
xkeyboard-config
xorgproto (2021.4 -> 2021.5)
=== Details ===
==== LibVNCServer ====
Subpackages: libvncclient1 libvncserver1
- purposely adding just this changelog entry
- previous version updates fixed also:
* CVE-2020-14398 [bsc#1173880] -- improperly closed TCP connection causes an infinite loop in libvncclient/sockets.c
* CVE-2017-18922 [bsc#1173477] -- preauth buffer overwrite
* CVE-2018-20748 [bsc#1123823] -- libvnc contains multiple heap out-of-bounds writes
* CVE-2020-25708 [bsc#1178682] -- libvncserver/rfbserver.c has a divide by zero which could result in DoS
* CVE-2018-21247 [bsc#1173874] -- uninitialized memory contents are vulnerable to Information leak
* CVE-2018-20750 [bsc#1123832] -- heap out-of-bounds write vulnerability in libvncserver/rfbserver.c
* CVE-2020-14397 [bsc#1173700] -- NULL pointer dereference in libvncserver/rfbregion.c
* CVE-2019-20839 [bsc#1173875] -- buffer overflow in ConnectClientToUnixSock()
* CVE-2020-14401 [bsc#1173694] -- potential integer overflows in libvncserver/scale.c
* CVE-2020-14400 [bsc#1173691] -- Byte-aligned data is accessed through uint16_t pointers in libvncserver/translate.c.
* CVE-2019-20840 [bsc#1173876] -- unaligned accesses in hybiReadAndDecode can lead to denial of service
* CVE-2020-14399 [bsc#1173743] -- Byte-aligned data is accessed through uint32_t pointers in libvncclient/rfbproto.c.
* CVE-2020-14402 [bsc#1173701] -- out-of-bounds access via encodings.
* CVE-2020-14403 [bsc#1173701]
* CVE-2020-14404 [bsc#1173701]
==== alpine ====
Version update (2.24 -> 2.25)
Subpackages: pico
- Update to release 2.25
* New configuration variable VAR_ssl-ciphers that allows users
to list the ciphers to use when connecting to an SSL
server.
* New hidden feature FEAT_enable-delete-before-writing to add
support for terminals that need lines to be deleted before
being written.
* Always follow "suppress-asterisks-in-password-prompt" setting
in the various password prompts.
* Fixed a memory corruption when alpine searches for a string
that is an incomplete utf8 string in a local folder.
* Fixed: When forwarding a message, replacing an attachment
might make Alpine re-attach the original attachment.
==== apache2 ====
Version update (2.4.48 -> 2.4.49)
- version update to 2.4.49
* ) core/mod_proxy/mod_ssl:
Adding `outgoing` flag to conn_rec, indicating a connection is
initiated by the server to somewhere, in contrast to incoming
connections from clients.
Adding `ap_ssl_bind_outgoing()` function that marks a connection
as outgoing and is used by mod_proxy instead of the previous
optional function `ssl_engine_set`. This enables other SSL
modules to secure proxy connections.
The optional functions `ssl_engine_set`, `ssl_engine_disable` and
`ssl_proxy_enable` are now provided by the core to have backward
compatibility with non-httpd modules that might use them. mod_ssl
itself no longer registers these functions, but keeps them in its
header for backward compatibility.
The core provided optional functions wrap any registered function
like it was done for `ssl_is_ssl`.
[Stefan Eissing]
* ) mod_ssl: Support logging private key material for use with
wireshark via log file given by SSLKEYLOGFILE environment
variable. Requires OpenSSL 1.1.1. PR 63391. [Joe Orton]
* ) mod_proxy: Do not canonicalize the proxied URL when both "nocanon" and
"ProxyPassInterpolateEnv On" are configured. PR 65549.
[Joel Self <joelself gmail.com>]
* ) mpm_event: Fix children processes possibly not stopped on graceful
restart. PR 63169. [Joel Self <joelself gmail.com>]
* ) mod_proxy: Fix a potential infinite loop when tunneling Upgrade(d)
protocols from mod_proxy_http, and a timeout triggering falsely when
using mod_proxy_wstunnel, mod_proxy_connect or mod_proxy_http with
upgrade= setting. PRs 65521 and 65519. [Yann Ylavic]
* ) mod_unique_id: Reduce the time window where duplicates may be generated
PR 65159
[Christophe Jaillet]
* ) mpm_prefork: Block signals for child_init hooks to prevent potential
threads created from there to catch MPM's signals.
[Ruediger Pluem, Yann Ylavic]
* ) Revert "mod_unique_id: Fix potential duplicated ID generation under heavy load.
PR 65159" added in 2.4.47.
This causes issue on Windows.
[Christophe Jaillet]
* ) mod_proxy_uwsgi: Fix PATH_INFO setting for generic worker. [Yann Ylavic]
* ) mod_md: Certificate/keys pairs are verified as matching before a renewal is accepted
as successful or a staged renewal is replacing the existing certificates.
This avoids potential mess ups in the md store file system to render the active
certificates non-working. [@mkauf]
* ) mod_proxy: Faster unix socket path parsing in the "proxy:" URL.
[Yann Ylavic]
* ) mod_ssl: tighten the handling of ALPN for outgoing (proxy)
connections. If ALPN protocols are provided and sent to the
remote server, the received protocol selected is inspected
and checked for a match. Without match, the peer handshake
fails.
An exception is the proposal of "http/1.1" where it is
accepted if the remote server did not answer ALPN with
a selected protocol. This accommodates for hosts that do
not observe/support ALPN and speak http/1.x by default.
* ) mod_proxy: Fix possible reuse/merging of Proxy(Pass)Match worker instances
with others when their URLs contain a '$' substitution. PR 65419 + 65429.
[Yann Ylavic]
* ) mod_dav: Add method_precondition hook. WebDAV extensions define
conditions that must exist before a WebDAV method can be executed.
This hook allows a WebDAV extension to verify these preconditions.
[Graham Leggett]
* ) Add hooks deliver_report and gather_reports to mod_dav.h. Allows other
modules apart from versioning implementations to handle the REPORT method.
[Graham Leggett]
* ) Add dav_get_provider(), dav_open_lockdb(), dav_close_lockdb() and
dav_get_resource() to mod_dav.h. [Graham Leggett]
* ) core: fix ap_escape_quotes substitution logic. [Eric Covener]
* ) Easy patches: synch 2.4.x and trunk
- mod_auth_basic: Use ap_cstr_casecmp instead of strcasecmp.
- mod_ldap: log and abort locking errors.
- mod_ldap: style fix for r1831165
- mod_ldap: build break fix for r1831165
- mod_deflate: Avoid hard-coded "%ld" format strings in mod_deflate's logging statements
- mod_deflate: Use apr_uint64_t instead of uint64_t (follow up to r1849590)
- mod_forensic: Follow up to r1856490: missing one mod_log_forensic test_char_table case.
- mod_rewrite: Save a few cycles.
- mod_request: Fix a comment (missing '_' in 'keep_body') and some style issues
- core: remove extra whitespace in HTTP_NOT_IMPLEMENTED
[Christophe Jaillet]
* ) core/mpm: add hook `child_stopping` that gets called when the MPM is
stopping a child process. The additional `graceful` parameter allows
registered hooks to free resources early during a graceful shutdown.
[Yann Ylavic, Stefan Eissing]
* ) mod_proxy: Fix incomplete initialization of BalancerMember(s) from the
balancer-manager, which can lead to a crash. [Yann Ylavic]
* ) mpm_event: Fix graceful stop/restart of children processes if connections
are in lingering close for too long. [Yann Ylavic]
* ) mod_md: fixed a potential null pointer dereference if ACME/OCSP
server returned 2xx responses without content type. Reported by chuangwen.
[chuangwen, Stefan Eissing]
* ) mod_md:
- Domain names in `` can now appear in quoted form.
- Fixed a failure in ACME challenge selection that aborted further searches
when the tls-alpn-01 method did not seem to be suitable.
- Changed the tls-alpn-01 setup to only become unsuitable when none of the
dns names showed support for a configured 'Protocols ... acme-tls/1'. This
allows use of tls-alpn-01 for dns names that are not mapped to a VirtualHost.
* ) Add CPING to health check logic. [Jean-Frederic Clere]
* ) core: Split ap_create_request() from ap_read_request(). [Graham Leggett]
* ) core, h2: common ap_parse_request_line() and ap_check_request_header()
code. [Yann Ylavic]
* ) core: Add StrictHostCheck to allow unconfigured hostnames to be
rejected. [Eric Covener]
* ) htcacheclean: Improve help messages. [Christophe Jaillet]
- modified patches
% apache2-HttpContentLengthHeadZero-HttpExpectStrict.patch (refreshed)
- modified sources
% apache2.keyring
==== apache2-manual ====
Version update (2.4.48 -> 2.4.49)
- version update to 2.4.49
==== apache2-prefork ====
Version update (2.4.48 -> 2.4.49)
- version update to 2.4.49
==== apache2-utils ====
Version update (2.4.48 -> 2.4.49)
- version update to 2.4.49
==== cppcheck ====
- Add glibc 2.34 build fix:
* 0001-Fix-compilation-with-recent-glibc-where-SIGSTKSZ-is-.patch
==== cryptsetup ====
Version update (2.4.0 -> 2.4.1)
Subpackages: cryptsetup-lang libcryptsetup12 libcryptsetup12-32bit libcryptsetup12-hmac
- cryptsetup 2.4.1
* Fix compilation for libc implementations without dlvsym().
* Fix compilation and tests on systems with non-standard libraries.
* Try to work around some issues on systems without udev support.
* Fixes for OpenSSL3 crypto backend (including FIPS mode).
* Print error message when assigning a token to an inactive keyslot.
* Fix offset bug in LUKS2 encryption code if --offset option was used.
* Do not allow LUKS2 decryption for devices with data offset.
* Fix LUKS1 cryptsetup repair command for some specific problems.
==== e2fsprogs ====
Version update (1.46.3 -> 1.46.4)
Subpackages: e2fsprogs-scrub libcom_err2 libcom_err2-32bit libext2fs2
- Update to 1.46.4:
* Default to 256-byte inodes for all filesystems, not only larger ones
* Bigalloc is considered supported now for small cluster sizes
* E2fsck and e2image fixes for quota feature
* Fix mke2fs creation of filesystem into non-existent file
- libss-add-newer-libreadline.so.8-to-dlopen-path.patch: libss: add newer
libreadline.so.8 to dlopen path (bsc#1189453)
- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
* harden_e2scrub@.service.patch
* harden_e2scrub_all.service.patch
* harden_e2scrub_fail@.service.patch
* harden_e2scrub_reap.service.patch
==== eog-plugins ====
Subpackages: eog-plugins-lang
- Remove obsolete translation-update-upstream support
(jsc#SLE-21105).
==== epiphany ====
Subpackages: epiphany-lang gnome-shell-search-provider-epiphany
- Remove obsolete translation-update-upstream support
(jsc#SLE-21105).
==== fetchmail ====
Subpackages: fetchmailconf
- Added hardening to systemd service(s) (bsc#1181400). Modified:
* fetchmail.service
==== glabels ====
Subpackages: glabels-lang
- Remove obsolete translation-update-upstream support
(jsc#SLE-21105).
==== gnome-maps ====
Version update (40.4 -> 40.5)
Subpackages: gnome-maps-lang
- Update to version 40.5:
+ Updated translations.
==== gnome-packagekit ====
Subpackages: gnome-packagekit-lang
- Add gnome-packagekit-drop-NEWEST-on-get-updates.patch: Don't use
PK_FILTER_ENUM_NEWEST filter when getting updates
(glgo#GNOME/gnome-packagekit!3, bsc#1190330).
==== gstreamer-devtools ====
Version update (1.18.3 -> 1.18.5)
Subpackages: libgstvalidate-1_0-0 typelib-1_0-GstValidate-1_0
- Update to version 1.18.5:
+ scenario: Fix EOS handling in seek_forward.scenario
+ validate-utils: Only modify structure fields that really need
updates
+ Don't use volatile to mean atomic (fixes compiler warnings with
gcc 11)
- Changes from version 1.18.4:
+ No changes
==== libXi ====
Version update (1.7.10 -> 1.8)
Subpackages: libXi6 libXi6-32bit
- Update to version 1.8
* This release of libXi marks the support of XI 2.4 touchpad
gesture events official. This feature is the only difference
between libXi 1.8 and the latest release in the 1.7.x series
(1.7.10).
==== libcontainers-common ====
- Comment out ostree_repo if it's blank [boo#1189893]
- Comment out ostree_repo [boo#1189893]
==== libtirpc ====
Subpackages: libtirpc-netconfig libtirpc3 libtirpc3-32bit
- Backport DoS vulnerability fix 0001-Fix-DoS-vulnerability-in-libtirpc.patch
- Replace %setup with %autosetup
==== libzypp ====
Version update (17.28.3 -> 17.28.4)
- Make sure to keep states alive while transitioning
(bsc#1190199)
- May set techpreview variables for testing in /etc/zypp/zypp.conf.
If environment variables are unhandy one may enable the desired
techpreview in zypp.conf as well:
[main]
techpreview.ZYPP_SINGLE_RPMTRANS=1
techpreview.ZYPP_MEDIANETWORK=1
- version 17.28.4 (22)
==== perl-Bootloader ====
Version update (0.935 -> 0.936)
- merge gh#openSUSE/perl-bootloader#136
- report error if config file could not be updated (bsc#1188768)
- 0.936
==== pidgin-sipe ====
Subpackages: libpurple-plugin-sipe libpurple-plugin-sipe-lang pidgin-plugin-sipe
- Remove obsolete translation-update-upstream support
(jsc#SLE-21105).
==== pipewire ====
Version update (0.3.35 -> 0.3.36)
Subpackages: gstreamer-plugin-pipewire libpipewire-0_3-0 pipewire-lang pipewire-media-session pipewire-modules pipewire-pulseaudio pipewire-spa-plugins-0_2 pipewire-spa-tools pipewire-tools
- Add patches from upstream to fix a "use-after-free" error and
to set the version number correctly:
* 0001-media-session-dont-use-after-free-if-linking-node-removed.patch
* 0002-update-version-number-as-well.patch
- Update to version 0.3.36:
* Highlights
- A quick update with mostly only bugfixes and small
improvements.
- Capture and playback is now avoided on unavailable devices.
This should fix some issues where an unusable microphone was
selected by default.
- MIDI output should not stop randomly now.
- The GStreamer elements are much improved, cheese should work
a lot better now.
- Virtual sinks and sources should now always show up
immediately.
- JACK processing is now delayed until buffersize and
samplerate are emitted. This should improve stability of many
JACK apps.
- JACK transport sync is now implemented correctly so that
preroll in bitwig works.
* PipeWire
- The module dir environment variable can now contain multiple
paths.
- Documentation now contains dot graphs of dependencies.
(#1585)
- config min/max/default quantum values are now scaled with the
samplerate.
- A potential crash was fixed where destroyed memory was still
used by a node. This could cause crashes in cheese.
* pipewire-media-session
- Only allow passthrough for passthrough formats (S/PDIF) for
now. (#1587)
- Improve bluetooth profile autoswitch.
- Don't try to route audio to nodes with unavailable routes.
* ALSA
- Pass the right AES bits to the alsa device when opening an
S/PDIF stream.
- Fix a bug in the MIDI bridge port management logic. When a
port was added and immediately removed, output would stop.
* GStreamer
- The GStreamer source now handles the flushing state
correctly.
- All blocking operations now have a 30 seconds timeout, to
avoid infinite locks.
* Plugins
- V4l2 Device formats and controls are now passed on the node,
just like with audio devices.
- audioconvert now also exposes the softMute property.
* JACK
- Improve stability when changing buffer size and sample rate
dynamically by pausing the processing until the application
has handled the callback.
- Improve handling of timebase master. When the master was
moved to another driver, it did not attempt to become a new
timebase master on the new driver. (#1589)
- Implement transport sync to make preroll in bitwig work.
(#1589)
* pulse-server
- Fix an issue where virtual sinks/sources would not show up
immediately. (#1588)
==== pitivi ====
Subpackages: pitivi-lang
- Remove obsolete translation-update-upstream support
(jsc#SLE-21105).
==== plasma5-workspace ====
Subpackages: gmenudbusmenuproxy plasma5-session plasma5-session-wayland plasma5-workspace-lang plasma5-workspace-libs xembedsniproxy
- Add upstream patch to fix a bug that would result in power management
remaining inhibited even after un-inhibiting it in the UI:
* Call-UnInhibit-with-correct-signature-in-powermanagement-dataengine.patch
==== python-gst ====
Version update (1.18.4 -> 1.18.5)
- Update to version 1.18.5:
+ No changes
==== python-kiwi ====
Version update (9.23.54 -> 9.23.56)
- Bump version: 9.23.55 -> 9.23.56
- Only wipe bundle dir when required
The given result bundle dir must only be wiped if the
request to turn the result files into an rpm was given.
Only in this case the given bundle dir must start empty
- Fixed uninstall handling via dnf, microdnf, zypper
The above package managers support uninstall instructions
like 'iwl*'. In kiwi there was code checking via rpm if
the packages given to uninstall actually exist. That code
does not work if the given package to uninstall is an
instruction that matches a pattern. Therefore if we use
the uninstall section in the kiwi image description, just
pass the provided information to the package manager and
don't try to be clever in kiwi itself.
- Allow to set --logfile for result namespace
Setting a logfile for e.g. 'kiwi-ng result bundle ...'
is useful and should be possible
- Bump version: 9.23.54 -> 9.23.55
- Added support for building rpm package from bundle
With the new option --package-as-rpm it is possible to
call the kiwi result bundler such that the image build
results get packaged into an rpm. I think this is a
handy feature to transport image builds via repositories
- Fixed MicroOS integration test
With ignition/combustion in place it's not allowed
to use tmp as a subvolume
==== rygel ====
Subpackages: librygel-core-2_6-2 librygel-server-2_6-2
- Remove obsolete translation-update-upstream support
(jsc#SLE-21105).
==== samba ====
Version update (4.14.6+git.168.6a9fc8a1ddd -> 4.14.6+git.182.2205d5224e3)
Subpackages: libdcerpc-binding0 libdcerpc-binding0-32bit libdcerpc0 libdcerpc0-32bit libndr-krb5pac0 libndr-krb5pac0-32bit libndr-nbt0 libndr-nbt0-32bit libndr-standard0 libndr-standard0-32bit libndr1 libndr1-32bit libnetapi0 libnetapi0-32bit libsamba-credentials1 libsamba-credentials1-32bit libsamba-errors0 libsamba-errors0-32bit libsamba-hostconfig0 libsamba-hostconfig0-32bit libsamba-passdb0 libsamba-passdb0-32bit libsamba-policy0-python3 libsamba-util0 libsamba-util0-32bit libsamdb0 libsamdb0-32bit libsmbclient0 libsmbconf0 libsmbconf0-32bit libsmbldap2 libsmbldap2-32bit libtevent-util0 libtevent-util0-32bit libwbclient0 libwbclient0-32bit samba-client samba-client-32bit samba-doc samba-libs samba-libs-32bit samba-libs-python3 samba-python3 samba-winbind samba-winbind-32bit
- Add Certificate Auto Enrollment Policy; (jsc#SLE-18457).
==== transactional-update ====
Version update (3.5.4 -> 3.5.5)
Subpackages: dracut-transactional-update libtukit0 transactional-update-zypp-config tukit
- Version 3.5.5
- t-u: Use tukit for SUSEConnect call [bsc#1190574]
Correctly registers repositories
==== xfce4-whiskermenu-plugin ====
Version update (2.5.3 -> 2.6.0)
Subpackages: xfce4-whiskermenu-plugin-lang
- Update to version 2.6.0
* Fix unable to resize with metacity.
(gxo#panel-plugins/xfce4-whiskermenu-plugin#56)
* Fix invalid desktop files when hiding applications.
(gxo#panel-plugins/xfce4-whiskermenu-plugin#53)
* Fix not showing focused launcher when searching.
(gxo#panel-plugins/xfce4-whiskermenu-plugin#45)
* Add option to disable sorting categories.
(gxo#panel-plugins/xfce4-whiskermenu-plugin#42)
* Translation updates
==== xkeyboard-config ====
Subpackages: xkeyboard-config-lang
- Remove obsolete translation-update-upstream support
(jsc#SLE-21105).
==== xorgproto ====
Version update (2021.4 -> 2021.5)
- xorgproto 2021.5
* This release introduces the version 2.4 of the X Input
protocol. It contains the addition of the concept of touchpad
gestures. Touchpad gesture is an interaction of two or more
fingers that can be interpreted as a swipe or a pinch.