New Tumbleweed snapshot 20210212 released!
Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.

Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=1&version=Tumbleweed&build=20210212

Please do not reply to this email to report issues, rather file a bug
on bugzilla.opensuse.org. For more information on filing bugs please
see https://en.opensuse.org/openSUSE:Submitting_bug_reports

Packages changed:
  MozillaThunderbird (78.7.0 -> 78.7.1)
  apache2-mod_php7 (7.4.14 -> 7.4.15)
  ceph (16.0.0.5613+gb1a0951432 -> 16.1.0.46+g571704f730)
  dosfstools (4.1+git.1610658652.9443732 -> 4.2)
  ffmpeg-4
  fftw3
  gcc10
  gcc11 (11.0.0+git182924 -> 11.0.0+git183291)
  glib2 (2.66.4 -> 2.66.6)
  glibc (2.32 -> 2.33)
  ibus
  kde-gtk-config5
  kernel-source (5.10.12 -> 5.10.14)
  libevent
  libqt5-qtbase
  libreoffice (7.0.4.2 -> 7.1.0.3)
  libselinux
  libshout (2.4.4 -> 2.4.5)
  libwebp (1.1.0 -> 1.2.0)
  lightdm
  logrotate (3.17.0 -> 3.18.0)
  nghttp2 (1.42.0 -> 1.43.0)
  nodejs-common
  openssh
  php7 (7.4.14 -> 7.4.15)
  pigz (2.4 -> 2.6)
  pinentry
  postfix (3.5.8 -> 3.5.9)
  python-pybind11 (2.5.0 -> 2.6.2)
  python-requests
  qemu
  re2 (20201101 -> 20210202)
  rubygem-i18n (1.8.7 -> 1.8.8)
  rubygem-rspec-mocks (3.10.1 -> 3.10.2)
  rubygem-rspec-support (3.10.1 -> 3.10.2)
  thai-fonts
  unixODBC
  v4l2loopback
  virtualbox
  virtualbox-kmp (6.1.18_k5.10.12_1 -> 6.1.18_k5.10.14_1)
  wpa_supplicant
  yast2-trans (84.87.20210130.332fb904b7 -> 84.87.20210205.68980f3ed7)

=== Details ===

==== MozillaThunderbird ====
Version update (78.7.0 -> 78.7.1)
Subpackages: MozillaThunderbird-translations-common

- Mozilla Thunderbird 78.7.1
  * CardDAV address books now support OAuth2 and Google Contacts
  * Thunderbird will no longer allow installation of addons that use legacy APIs

==== apache2-mod_php7 ====
Version update (7.4.14 -> 7.4.15)

- updated to 7.4.15:
  This is a security release which also contains
  several bug fixes.
  See https://www.php.net/ChangeLog-7.php#7.4.15
- suppress warning for all flavors not equal to "" in multibuild
  % php7.rpmlintrc
- add versioning to php-sapi as well
- require this PHP version of subpackages in Recommends/Suggests
- run apache-rex tests in php7:test as packages need to be built first (otherwise tests run with previous version)
- add php_cfgdir and php_extdir macros

==== ceph ====
Version update (16.0.0.5613+gb1a0951432 -> 16.1.0.46+g571704f730)
Subpackages: librados2 librbd1

- Update to 16.1.0-46-g571704f730
  + rebase on top of upstream v16.1.0 (Pacific release candidate)
  + drop obsolete downstream patches that were causing conflicts:
    * cephadm: use registry.suse.com by default
    * cephadm: add global flag --container-init
    * mgr/cephadm: append --container-init to basecommand
    * cephadm: remove container-init subparser from "deploy"
- Update to 16.0.0-7500-g78f6791981:
  + cephadm: add global flag --container-init
  + mgr/cephadm: append --container-init to basecommand
  + cephadm: remove container-init subparser from "deploy"
- Update to 16.0.0-7497-g63a0682c7e:
  + rebase on tip of upstream "master" branch, SHA1 8c6b533ee85e7fe2cd19e5dbb6f0363898f5a2ee
- Update to 16.0.0-6239-g0c2e605e78:
  + rebase on tip of upstream "master" branch, SHA1 6d1f1f63b711797e21ff8ff12662d07d86546e66
    * cephadm: Fix error setting 'mgr/cephadm/container_init' config (PR #37500)
- Update to 16.0.0-6229-g71574673b0:
  + rebase on tip of upstream "master" branch, SHA1 f68197eca4b4dceef9fbf497d640b4600663d3ed
    * ceph-volume: don't exit before empty report can be printed (PR #37591)
- Update to 16.0.0-6177-g01e4ab745b:
  + rebase on tip of upstream "master" branch, SHA1 f8ea1f38aee3d8715186a756331a23d4b51121f2
    * ceph-volume: pass filter_for_batch as keyword argument (PR #37545)
- Update to 16.0.0-6162-g892bfa3fef:
  + drop the following commits:
  + lvmcache: refactor argument parsing and add -h flag
  + ceph-volume: install lvmcache plugin
  + ceph-volume: add lvmcache plugin and
    its tests
  + rebase on tip of upstream "master" branch, SHA1 0a92d5094fc0baae3af223aa16b271d2e5e6f349
  + mgr/devicehealth: device_health_metrics pool gets created even without any OSDs in the cluster (bsc#1173079)

==== dosfstools ====
Version update (4.1+git.1610658652.9443732 -> 4.2)

- update to 4.2:
  * mkfs.fat: Allow to specify disk geometry via new -g option
  * fsck.fat: Add code for fixing first FAT cluster
  * fatlabel: Do not call parts of fsck repair procedure
  * Update warning message about lowercase labels
  * mkfs.fat: Read geom_start from sysfs
  * Add missing files into distribution tarball

==== ffmpeg-4 ====
Subpackages: libavcodec58_91 libavdevice58_10 libavfilter7_85 libavformat58_45 libavresample4_0 libavutil56_51 libpostproc55_7 libswresample3_7 libswscale5_7

- Add 0001-avformat-vividas-improve-extradata-packing-checks-in.patch [boo#1180519] [CVE-2020-35964]

==== fftw3 ====
Subpackages: libfftw3-3 libfftw3_threads3

- Add build support for gcc10 to HPC build (bsc#1174439).

==== gcc10 ====
Subpackages: cpp10 gcc10-info gcc10-locale libstdc++6-devel-gcc10

- Remove include-fixed/pthread.h
- Change GCC exception licenses to SPDX format

==== gcc11 ====
Version update (11.0.0+git182924 -> 11.0.0+git183291)
Subpackages: libasan6 libatomic1 libgcc_s1 libgcc_s1-32bit libgfortran5 libgomp1 libitm1 liblsan0 libobjc4 libquadmath0 libstdc++6 libstdc++6-32bit libstdc++6-locale libstdc++6-pp-gcc11 libstdc++6-pp-gcc11-32bit libtsan0 libubsan1

- Bump to efcd941e86b507d77e90a1b13f621e036eacdb45.
- Bump to 7a18bc4ae62081021f4fd90d591a588cac931f77.
- New package, inherits from gcc10
  * gcc-add-defaultsspec.diff, add the ability to provide a specs file that is read by default
  * tls-no-direct.diff, avoid direct %fs references on x86 to not slow down Xen
  * gcc43-no-unwind-tables.diff, do not produce unwind tables for CRT files
  * gcc41-ppc32-retaddr.patch, fix expansion of __builtin_return_addr for ppc, just a testcase
  * gcc44-textdomain.patch, make translation files version specific and adjust textdomain to find them
  * gcc44-rename-info-files.patch, fix cross-references in info files when renaming them to be version specific
  * gcc48-libstdc++-api-reference.patch, fix link in the installed libstdc++ html documentation
  * gcc48-remove-mpfr-2.4.0-requirement.patch, make GCC work with earlier mpfr versions on old products
  * gcc5-no-return-gcc43-workaround.patch, make build work with host gcc 4.3
  * gcc7-remove-Wexpansion-to-defined-from-Wextra.patch, removes new warning from -Wextra
  * gcc7-avoid-fixinc-error.diff
  * gcc9-reproducible-builds-buildid-for-checksum.patch
  * gcc9-reproducible-builds.patch
  * gcc10-amdgcn-llvm-as.patch
  * gcc10-foffload-default.patch
- libgccjit subpackage is added.
- HWASAN is built for aarch64 target.

==== glib2 ====
Version update (2.66.4 -> 2.66.6)
Subpackages: glib2-lang glib2-tools libgio-2_0-0 libgio-2_0-0-32bit libglib-2_0-0 libglib-2_0-0-32bit libgmodule-2_0-0 libgmodule-2_0-0-32bit libgobject-2_0-0 libgobject-2_0-0-32bit libgthread-2_0-0 libgthread-2_0-0-32bit

- Update to version 2.66.6:
  + Fix various instances within GLib where `g_memdup()` was vulnerable to a silent integer truncation and heap overflow problem (glgo#GNOME/GLib#2319).
- Update to version 2.66.5:
  + Fix some issues with handling over-long (invalid) input when parsing for `GDate`.
  + Don't load GIO modules or parse other GIO environment variables when `AT_SECURE` is set (i.e. in a setuid/setgid/setcap process).
    GIO has always been documented as not being safe to use in privileged processes, but people persist in using it unsafely, so these changes should harden things against potential attacks at least a little.
    Unfortunately they break a couple of projects which were relying on reading `DBUS_SESSION_BUS_ADDRESS`, so GIO continues to read that for setgid/setcap (but not setuid) processes.
    This loophole will be closed in GLib 2.70 (see issue #2316), which should give modules 6 months to change their behaviour.
  + Fix `g_spawn()` searching `PATH` when it wasn't meant to.
  + Bugs fixed: bgo#2168, bgo#2210, bgo#2305, glgo#GNOME/GLib!1820, glgo#GNOME/GLib!1824, glgo#GNOME/GLib!1831, glgo#GNOME/GLib!1836, glgo#GNOME/GLib!1864, glgo#GNOME/GLib!1872, glgo#GNOME/GLib!1913, glgo#GNOME/GLib!1922.
- Rebase/refresh patches:
  + glib2-dbus-socket-path.patch
  + glib2-fate300461-gettext-gkeyfile-suse.patch
  + glib2-gdbus-codegen-version.patch
  + glib2-suppress-schema-deprecated-path-warning.patch
  + glib2-bgo569829-gettext-gkeyfile.patch

==== glibc ====
Version update (2.32 -> 2.33)
Subpackages: glibc-32bit glibc-devel glibc-extra glibc-lang glibc-locale glibc-locale-base nscd

- Update to glibc 2.33
  * The dynamic linker accepts the --list-tunables argument which prints all the supported tunables.
  * The dynamic linker accepts the --argv0 argument and provides opportunity to change argv[0] string.
  * The dynamic linker loads optimized implementations of shared objects from subdirectories under the glibc-hwcaps directory on the library search path if the system's capabilities meet the requirements for that subdirectory.
  * The new --help option of the dynamic linker provides usage and information and library search path diagnostics.
  * The mallinfo2 function is added to report statistics as per mallinfo, but with larger field widths to accurately report values that are larger than fit in an integer.
  * Add <sys/platform/x86.h> to provide query macros for x86 CPU features.
  * A new fortification level _FORTIFY_SOURCE=3 is available.
  * The mallinfo function is marked deprecated.
  * When dlopen is used in statically linked programs, alternative library implementations from HWCAP subdirectories are no longer loaded.
  * The deprecated <sys/vtimes.h> header and the function vtimes have been removed.
  * On s390(x), the type float_t is now derived from the macro __FLT_EVAL_METHOD__ that is defined by the compiler, instead of being hardcoded to double.
  * A future version of glibc will stop loading shared objects from the "tls" subdirectories on the library search path, the subdirectory that corresponds to the AT_PLATFORM system name, and also stop employing the legacy AT_HWCAP search mechanism.
  * CVE-2021-3326: An assertion failure during conversion from the ISO-2022-JP-3 character set using the iconv function has been fixed.
- Remove obsolete, unused /etc/default/nss
- aarch64-static-pie.patch, euc-kr-overrun.patch, get-nprocs-cpu-online-parsing.patch, iconv-redundant-shift.patch, iconv-ucs4-loop-bounds.patch, ifunc-fma4.patch, intl-codeset-suffixes.patch, nscd-gc-cycle.patch, printf-long-double-non-normal.patch, strerrorname-np.patch, syslog-locking.patch, sysvipc.patch: Removed
- Remove support for %optimize_power
- Move to power4 baseline on ppc

==== ibus ====
Subpackages: ibus-dict-emoji ibus-gtk ibus-gtk-32bit ibus-gtk3 ibus-lang libibus-1_0-5 libibus-1_0-5-32bit typelib-1_0-IBus-1_0

- Fix the invalid desktop file for auto start (boo#1178447)
- Fix xim.d/ibus so that a Plasma session can use XDG auto start

==== kde-gtk-config5 ====
Subpackages: kde-gtk-config5-gtk3

- Add patch to not pollute stdout, which broke some applications (boo#1182151, kde#431365):
  * 0001-Remove-debug-message-to-avoid-polute-to-stdout.patch

==== kernel-source ====
Version update (5.10.12 -> 5.10.14)
Subpackages: kernel-default kernel-docs

- Linux 5.10.14 (bsc#1012628).
- workqueue: Restrict affinity change to rescuer (bsc#1012628).
- kthread: Extract KTHREAD_IS_PER_CPU (bsc#1012628).
- x86/cpu: Add another Alder Lake CPU to the Intel family (bsc#1012628).
- objtool: Don't fail the kernel build on fatal errors (bsc#1012628).
- habanalabs: disable FW events on device removal (bsc#1012628).
- habanalabs: fix backward compatibility of idle check (bsc#1012628).
- habanalabs: zero pci counters packet before submit to FW (bsc#1012628).
- drm/amd/display: Fixed corruptions on HPDRX link loss restore (bsc#1012628).
- drm/amd/display: Use hardware sequencer functions for PG control (bsc#1012628).
- drm/amd/display: Change function decide_dp_link_settings to avoid infinite looping (bsc#1012628).
- drm/amd/display: Allow PSTATE chnage when no displays are enabled (bsc#1012628).
- drm/amd/display: Update dram_clock_change_latency for DCN2.1 (bsc#1012628).
- selftests/powerpc: Only test lwm/stmw on big endian (bsc#1012628).
- platform/x86: thinkpad_acpi: Add P53/73 firmware to fan_quirk_table for dual fan control (bsc#1012628).
- nvmet: set right status on error in id-ns handler (bsc#1012628).
- nvme-pci: allow use of cmb on v1.4 controllers (bsc#1012628).
- nvme-tcp: avoid request double completion for concurrent nvme_tcp_timeout (bsc#1012628).
- nvme-rdma: avoid request double completion for concurrent nvme_rdma_timeout (bsc#1012628).
- nvme: check the PRINFO bit before deciding the host buffer length (bsc#1012628).
- udf: fix the problem that the disc content is not displayed (bsc#1012628).
- i2c: tegra: Create i2c_writesl_vi() to use with VI I2C for filling TX FIFO (bsc#1012628).
- ALSA: hda: Add Cometlake-R PCI ID (bsc#1012628).
- scsi: ibmvfc: Set default timeout to avoid crash during migration (bsc#1012628).
- mac80211: fix encryption key selection for 802.3 xmit (bsc#1012628).
- mac80211: fix fast-rx encryption check (bsc#1012628).
- mac80211: fix incorrect strlen of .write in debugfs (bsc#1012628).
- objtool: Don't add empty symbols to the rbtree (bsc#1012628).
- ALSA: hda: Add AlderLake-P PCI ID and HDMI codec vid (bsc#1012628).
- ASoC: SOF: Intel: hda: Resume codec to do jack detection (bsc#1012628).
- scsi: fnic: Fix memleak in vnic_dev_init_devcmd2 (bsc#1012628).
- scsi: libfc: Avoid invoking response handler twice if ep is already completed (bsc#1012628).
- scsi: scsi_transport_srp: Don't block target in failfast state (bsc#1012628).
- x86: __always_inline __{rd,wr}msr() (bsc#1012628).
- locking/lockdep: Avoid noinstr warning for DEBUG_LOCKDEP (bsc#1012628).
- habanalabs: fix dma_addr passed to dma_mmap_coherent (bsc#1012628).
- platform/x86: intel-vbtn: Support for tablet mode on Dell Inspiron 7352 (bsc#1012628).
- platform/x86: touchscreen_dmi: Add swap-x-y quirk for Goodix touchscreen on Estar Beauty HD tablet (bsc#1012628).
- tools/power/x86/intel-speed-select: Set higher of cpuinfo_max_freq or base_frequency (bsc#1012628).
- tools/power/x86/intel-speed-select: Set scaling_max_freq to base_frequency (bsc#1012628).
- phy: cpcap-usb: Fix warning for missing regulator_disable (bsc#1012628).
- iommu/vt-d: Do not use flush-queue when caching-mode is on (bsc#1012628).
- ARM: 9025/1: Kconfig: CPU_BIG_ENDIAN depends on !LD_IS_LLD (bsc#1012628).
- Revert "x86/setup: don't remove E820_TYPE_RAM for pfn 0" (bsc#1012628).
- arm64: Do not pass tagged addresses to __is_lm_address() (bsc#1012628).
- arm64: Fix kernel address detection of __is_lm_address() (bsc#1012628).
- arm64: dts: meson: Describe G12b GPU as coherent (bsc#1012628).
- drm/panfrost: Support cache-coherent integrations (bsc#1012628).
- iommu/io-pgtable-arm: Support coherency for Mali LPAE (bsc#1012628).
- ibmvnic: Ensure that CRQ entry read are correctly ordered (bsc#1012628).
- net: switchdev: don't set port_obj_info->handled true when -EOPNOTSUPP (bsc#1012628).
- net: dsa: bcm_sf2: put device node before return (bsc#1012628).
- mlxsw: spectrum_span: Do not overwrite policer configuration (bsc#1012628).
- stmmac: intel: Configure EHL PSE0 GbE and PSE1 GbE to 32 bits DMA addressing (bsc#1012628).
- net: octeontx2: Make sure the buffer is 128 byte aligned (bsc#1012628).
- net: fec: put child node on error path (bsc#1012628).
- net: stmmac: dwmac-intel-plat: remove config data on error (bsc#1012628).
- net: dsa: microchip: Adjust reset release timing to match reference reset circuit (bsc#1012628).
- commit 0a69f62
- Update patches.kernel.org/5.10.13-143-vsock-fix-the-race-conditions-in-multi-transp.patch (bsc#1012628 bsc#1181806).
  Add bsc reference.
- commit 64ec974
- net/mlx5: Fix function calculation for page trees (git-fixes).
- commit e976b88
- Linux 5.10.13 (bsc#1012628).
- iwlwifi: provide gso_type to GSO packets (bsc#1012628).
- nbd: freeze the queue while we're adding connections (bsc#1012628).
- tty: avoid using vfs_iocb_iter_write() for redirected console writes (bsc#1012628).
- ACPI: sysfs: Prefer "compatible" modalias (bsc#1012628).
- ACPI: thermal: Do not call acpi_thermal_check() directly (bsc#1012628).
- kernel: kexec: remove the lock operation of system_transition_mutex (bsc#1012628).
- ALSA: hda/realtek: Enable headset of ASUS B1400CEPE with ALC256 (bsc#1012628).
- parisc: Enable -mlong-calls gcc option by default when !CONFIG_MODULES (bsc#1012628).
- media: cec: add stm32 driver (bsc#1012628).
- media: cedrus: Fix H264 decoding (bsc#1012628).
- media: hantro: Fix reset_raw_fmt initialization (bsc#1012628).
- media: rc: fix timeout handling after switch to microsecond durations (bsc#1012628).
- media: rc: ite-cir: fix min_timeout calculation (bsc#1012628).
- media: rc: ensure that uevent can be read directly after rc device register (bsc#1012628).
- ARM: dts: tbs2910: rename MMC node aliases (bsc#1012628).
- ARM: dts: ux500: Reserve memory carveouts (bsc#1012628).
- ARM: dts: imx6qdl-gw52xx: fix duplicate regulator naming (bsc#1012628).
- wext: fix NULL-ptr-dereference with cfg80211's lack of commit() (bsc#1012628).
- x86/xen: avoid warning in Xen pv guest with CONFIG_AMD_MEM_ENCRYPT enabled (bsc#1012628).
- ASoC: AMD Renoir - refine DMI entries for some Lenovo products (bsc#1012628).
- Revert "drm/amdgpu/swsmu: drop set_fan_speed_percent (v2)" (bsc#1012628).
- drm/nouveau/kms/gk104-gp1xx: Fix > 64x64 cursors (bsc#1012628).
- drm/i915: Always flush the active worker before returning from the wait (bsc#1012628).
- drm/i915/gt: Always try to reserve GGTT address 0x0 (bsc#1012628).
- drivers/nouveau/kms/nv50-: Reject format modifiers for cursor planes (bsc#1012628).
- bcache: only check feature sets when sb->version >= BCACHE_SB_VERSION_CDEV_WITH_FEATURES (bsc#1012628).
- net: usb: qmi_wwan: added support for Thales Cinterion PLSx3 modem family (bsc#1012628).
- s390: uv: Fix sysfs max number of VCPUs reporting (bsc#1012628).
- s390/vfio-ap: No need to disable IRQ after queue reset (bsc#1012628).
- PM: hibernate: flush swap writer after marking (bsc#1012628).
- x86/entry: Emit a symbol for register restoring thunk (bsc#1012628).
- efi/apple-properties: Reinstate support for boolean properties (bsc#1012628).
- crypto: marvel/cesa - Fix tdma descriptor on 64-bit (bsc#1012628).
- drivers: soc: atmel: Avoid calling at91_soc_init on non AT91 SoCs (bsc#1012628).
- drivers: soc: atmel: add null entry at the end of at91_soc_allowed_list[] (bsc#1012628).
- btrfs: fix lockdep warning due to seqcount_mutex on 32bit arch (bsc#1012628).
- btrfs: fix possible free space tree corruption with online conversion (bsc#1012628).
- KVM: x86/pmu: Fix HW_REF_CPU_CYCLES event pseudo-encoding in intel_arch_events[] (bsc#1012628).
- KVM: x86/pmu: Fix UBSAN shift-out-of-bounds warning in intel_pmu_refresh() (bsc#1012628).
- KVM: arm64: Filter out v8.1+ events on v8.0 HW (bsc#1012628).
- KVM: nSVM: cancel KVM_REQ_GET_NESTED_STATE_PAGES on nested vmexit (bsc#1012628).
- KVM: x86: allow KVM_REQ_GET_NESTED_STATE_PAGES outside guest mode for VMX (bsc#1012628).
- KVM: nVMX: Sync unsync'd vmcs02 state to vmcs12 on migration (bsc#1012628).
- KVM: x86: get smi pending status correctly (bsc#1012628).
- KVM: Forbid the use of tagged userspace addresses for memslots (bsc#1012628).
- io_uring: fix wqe->lock/completion_lock deadlock (bsc#1012628).
- xen: Fix XenStore initialisation for XS_LOCAL (bsc#1012628).
- leds: trigger: fix potential deadlock with libata (bsc#1012628).
- arm64: dts: broadcom: Fix USB DMA address translation for Stingray (bsc#1012628).
- mt7601u: fix kernel crash unplugging the device (bsc#1012628).
- mt76: mt7663s: fix rx buffer refcounting (bsc#1012628).
- mt7601u: fix rx buffer refcounting (bsc#1012628).
- iwlwifi: Fix IWL_SUBDEVICE_NO_160 macro to use the correct bit (bsc#1012628).
- drm/i915/gt: Clear CACHE_MODE prior to clearing residuals (bsc#1012628).
- drm/i915/pmu: Don't grab wakeref when enabling events (bsc#1012628).
- net/mlx5e: Fix IPSEC stats (bsc#1012628).
- ARM: dts: imx6qdl-kontron-samx6i: fix pwms for lcd-backlight (bsc#1012628).
- drm/nouveau/svm: fail NOUVEAU_SVM_INIT ioctl on unsupported devices (bsc#1012628).
- drm/vc4: Correct lbm size and calculation (bsc#1012628).
- drm/vc4: Correct POS1_SCL for hvs5 (bsc#1012628).
- drm/i915: Check for all subplatform bits (bsc#1012628).
- drm/i915/selftest: Fix potential memory leak (bsc#1012628).
- uapi: fix big endian definition of ipv6_rpl_sr_hdr (bsc#1012628).
- KVM: Documentation: Fix spec for KVM_CAP_ENABLE_CAP_VM (bsc#1012628).
- tee: optee: replace might_sleep with cond_resched (bsc#1012628).
- xen-blkfront: allow discard-* nodes to be optional (bsc#1012628).
- blk-mq: test QUEUE_FLAG_HCTX_ACTIVE for sbitmap_shared in hctx_may_queue (bsc#1012628).
- clk: imx: fix Kconfig warning for i.MX SCU clk (bsc#1012628).
- clk: mmp2: fix build without CONFIG_PM (bsc#1012628).
- clk: qcom: gcc-sm250: Use floor ops for sdcc clks (bsc#1012628).
- ARM: imx: build suspend-imx6.S with arm instruction set (bsc#1012628).
- ARM: zImage: atags_to_fdt: Fix node names on added root nodes (bsc#1012628).
- netfilter: nft_dynset: add timeout extension to template (bsc#1012628).
- Revert "RDMA/mlx5: Fix devlink deadlock on net namespace deletion" (bsc#1012628).
- Revert "block: simplify set_init_blocksize" to regain lost performance (bsc#1012628).
- xfrm: Fix oops in xfrm_replay_advance_bmp (bsc#1012628).
- xfrm: fix disable_xfrm sysctl when used on xfrm interfaces (bsc#1012628).
- selftests: xfrm: fix test return value override issue in xfrm_policy.sh (bsc#1012628).
- xfrm: Fix wraparound in xfrm_policy_addr_delta() (bsc#1012628).
- arm64: dts: ls1028a: fix the offset of the reset register (bsc#1012628).
- ARM: imx: fix imx8m dependencies (bsc#1012628).
- ARM: dts: imx6qdl-kontron-samx6i: fix i2c_lcd/cam default status (bsc#1012628).
- ARM: dts: imx6qdl-sr-som: fix some cubox-i platforms (bsc#1012628).
- arm64: dts: imx8mp: Correct the gpio ranges of gpio3 (bsc#1012628).
- firmware: imx: select SOC_BUS to fix firmware build (bsc#1012628).
- RDMA/cxgb4: Fix the reported max_recv_sge value (bsc#1012628).
- ASoC: dt-bindings: lpass: Fix and common up lpass dai ids (bsc#1012628).
- ASoC: qcom: Fix incorrect volatile registers (bsc#1012628).
- ASoC: qcom: Fix broken support to MI2S TERTIARY and QUATERNARY (bsc#1012628).
- ASoC: qcom: lpass-ipq806x: fix bitwidth regmap field (bsc#1012628).
- spi: altera: Fix memory leak on error path (bsc#1012628).
- ASoC: Intel: Skylake: skl-topology: Fix OOPs ib skl_tplg_complete (bsc#1012628).
- powerpc/64s: prevent recursive replay_soft_interrupts causing superfluous interrupt (bsc#1012628).
- pNFS/NFSv4: Fix a layout segment leak in pnfs_layout_process() (bsc#1012628).
- pNFS/NFSv4: Update the layout barrier when we schedule a layoutreturn (bsc#1012628).
- ASoC: SOF: Intel: soundwire: fix select/depend unmet dependencies (bsc#1012628).
- ASoC: qcom: lpass: Fix out-of-bounds DAI ID lookup (bsc#1012628).
- iwlwifi: pcie: avoid potential PNVM leaks (bsc#1012628).
- iwlwifi: pnvm: don't skip everything when not reloading (bsc#1012628).
- iwlwifi: pnvm: don't try to load after failures (bsc#1012628).
- iwlwifi: pcie: set LTR on more devices (bsc#1012628).
- iwlwifi: pcie: use jiffies for memory read spin time limit (bsc#1012628).
- iwlwifi: pcie: reschedule in long-running memory reads (bsc#1012628).
- mac80211: pause TX while changing interface type (bsc#1012628).
- ice: fix FDir IPv6 flexbyte (bsc#1012628).
- ice: Implement flow for IPv6 next header (extension header) (bsc#1012628).
- ice: update dev_addr in ice_set_mac_address even if HW filter exists (bsc#1012628).
- ice: Don't allow more channels than LAN MSI-X available (bsc#1012628).
- ice: Fix MSI-X vector fallback logic (bsc#1012628).
- i40e: acquire VSI pointer only after VF is initialized (bsc#1012628).
- igc: fix link speed advertising (bsc#1012628).
- net/mlx5: Fix memory leak on flow table creation error flow (bsc#1012628).
- net/mlx5e: E-switch, Fix rate calculation for overflow (bsc#1012628).
- net/mlx5e: free page before return (bsc#1012628).
- net/mlx5e: Reduce tc unsupported key print level (bsc#1012628).
- net/mlx5: Maintain separate page trees for ECPF and PF functions (bsc#1012628).
- net/mlx5e: Disable hw-tc-offload when MLX5_CLS_ACT config is disabled (bsc#1012628).
- net/mlx5e: Fix CT rule + encap slow path offload and deletion (bsc#1012628).
- net/mlx5e: Correctly handle changing the number of queues when the interface is down (bsc#1012628).
- net/mlx5e: Revert parameters on errors when changing trust state without reset (bsc#1012628).
- net/mlx5e: Revert parameters on errors when changing MTU and LRO state without reset (bsc#1012628).
- net/mlx5: CT: Fix incorrect removal of tuple_nat_node from nat rhashtable (bsc#1012628).
- can: dev: prevent potential information leak in can_fill_info() (bsc#1012628).
- ACPI/IORT: Do not blindly trust DMA masks from firmware (bsc#1012628).
- of/device: Update dma_range_map only when dev has valid dma-ranges (bsc#1012628).
- iommu/amd: Use IVHD EFR for early initialization of IOMMU features (bsc#1012628).
- iommu/vt-d: Correctly check addr alignment in qi_flush_dev_iotlb_pasid() (bsc#1012628).
- nvme-multipath: Early exit if no path is available (bsc#1012628).
- selftests: forwarding: Specify interface when invoking mausezahn (bsc#1012628).
- rxrpc: Fix memory leak in rxrpc_lookup_local (bsc#1012628).
- NFC: fix resource leak when target index is invalid (bsc#1012628).
- NFC: fix possible resource leak (bsc#1012628).
- ASoC: mediatek: mt8183-da7219: ignore TDM DAI link by default (bsc#1012628).
- ASoC: mediatek: mt8183-mt6358: ignore TDM DAI link by default (bsc#1012628).
- ASoC: topology: Properly unregister DAI on removal (bsc#1012628).
- ASoC: topology: Fix memory corruption in soc_tplg_denum_create_values() (bsc#1012628).
- scsi: qla2xxx: Fix description for parameter ql2xenforce_iocb_limit (bsc#1012628).
- team: protect features update by RCU to avoid deadlock (bsc#1012628).
- tcp: make TCP_USER_TIMEOUT accurate for zero window probes (bsc#1012628).
- tcp: fix TLP timer not set when CA_STATE changes from DISORDER to OPEN (bsc#1012628).
- vsock: fix the race conditions in multi-transport support (bsc#1012628).
- Update patches.suse/acpi_thermal_passive_blacklist.patch (bsc#333043).
- commit 3527948

==== libevent ====

- Drop insserv_prereq and fillup_prereq macros: there are no pre-scripts that would justify these dependencies.

==== libqt5-qtbase ====
Subpackages: libQt5Concurrent5 libQt5Core5 libQt5DBus5 libQt5Gui5 libQt5Network5 libQt5OpenGL5 libQt5PrintSupport5 libQt5Sql5 libQt5Sql5-mysql libQt5Sql5-sqlite libQt5Test5 libQt5Widgets5 libQt5Xml5 libqt5-qtbase-platformtheme-gtk3

- Add patch to fix build with GCC 11 (boo#1181861, QTBUG-90395):
  * 0001-Fix-build-with-GCC-11-include-limits.patch
  * 0002-Build-fixes-for-GCC-11.patch

==== libreoffice ====
Version update (7.0.4.2 -> 7.1.0.3)
Subpackages: libreoffice-base libreoffice-calc libreoffice-draw libreoffice-filters-optional libreoffice-gnome libreoffice-gtk3 libreoffice-icon-themes libreoffice-impress libreoffice-l10n-cs libreoffice-l10n-da libreoffice-l10n-de libreoffice-l10n-el libreoffice-l10n-en libreoffice-l10n-en_GB libreoffice-l10n-es libreoffice-l10n-fr libreoffice-l10n-hu libreoffice-l10n-it libreoffice-l10n-ja libreoffice-l10n-pl libreoffice-l10n-pt_BR libreoffice-l10n-ru libreoffice-l10n-zh_CN libreoffice-l10n-zh_TW libreoffice-mailmerge libreoffice-math libreoffice-pyuno libreoffice-qt5 libreoffice-writer libreofficekit

- Update to 7.1.0.3
  * RC3 7.1 series
- Update bundled dependencies
- New patch use-comphelper.patch to fix build
- Rebased patch bsc1177955.diff
- Dropped merged patches:
  * 0001-Upgrade-liborcus-to-0.16.0.patch
  * bsc1178944.diff
  * bsc1178943.diff
  * bsc1178807.diff
  * bsc1179025.diff

==== libselinux ====
Subpackages: libselinux1 libselinux1-32bit selinux-tools

- Add Recommends: selinux-autorelabel, which is very important for healthy use of the SELinux on the system (/.autorelabel mechanism) (bsc#1181837).

==== libshout ====
Version update (2.4.4 -> 2.4.5)

- update to 2.4.5:
  * Improved shout.h for reading, and understanding.
  * Marked dumpfile support as obsolete (as SHOUT_PROTOCOL_XAUDIOCAST already is).
  * Added Support for setting the content language.
  * Avoid the use of obsolete functions (#2317).
  * Several small fixes for non-blocking mode (#2321, #2315).
  * Corrected detection of libogg (mostly for windows targets).
  * Now accept TLS mode "auto" when built without TLS support.
  * Added new tool shout(1).

==== libwebp ====
Version update (1.1.0 -> 1.2.0)
Subpackages: libwebp7 libwebpdemux2 libwebpmux3

- update to 1.2.0:
  * API changes in libwebp: encode.h: add a qmin / qmax range for quality factor (cwebp adds -qrange)
  * lossless encoder improvements
  * SIMD support for Wasm builds
  * import fuzzers from oss-fuzz & chromium
  * webpmux: add a '-set loop <value>' option

==== lightdm ====
Subpackages: liblightdm-gobject-1-0 lightdm-lang

- Add lightdm-glibc-2.33-fix.patch that fixes issue with glibc 2.33 (boo#1181778). The patch was suggested as gh#168.

==== logrotate ====
Version update (3.17.0 -> 3.18.0)

- Update to 3.18.0:
  * Allow UIDs and GIDs to be specified numerically
  * Add support for Zstandard compressed files
  * Make delaycompress not to fail with rotate 0

==== nghttp2 ====
Version update (1.42.0 -> 1.43.0)

- update to 1.43.0:
  * doc: Make doc generation work with sphinx v3.3
  * python: Require python3 for python bindings
  * python: Require python3 for python scripts
  * nghttpx: Make sure that Pool gets cleared when all buffers are returned
  * nghttpx: Choose ECDSA cert if compatible signature algorithm available
  * nghttpx: Add workaround to include ':' in backend pattern

==== nodejs-common ====

- set nodejs14 as default for sle15-sp3+
- set nodejs15 as default for TW

==== openssh ====
Subpackages: openssh-clients openssh-common openssh-server

- Add openssh-whitelist-syscalls.patch (bsc#1182232), fixing failure to accept connections on 32-bit platforms with glibc 2.33+.

==== php7 ====
Version update (7.4.14 -> 7.4.15)
Subpackages: php7-cli php7-ctype php7-dom php7-gd php7-gettext php7-iconv php7-json php7-mbstring php7-mysql php7-openssl php7-pdo php7-sqlite php7-tokenizer php7-xmlreader php7-xmlwriter

- updated to 7.4.15:
  This is a security release which also contains several bug fixes.
  See https://www.php.net/ChangeLog-7.php#7.4.15
- suppress warning for all flavors not equal to "" in multibuild
  % php7.rpmlintrc
- add versioning to php-sapi as well
- require this PHP version of subpackages in Recommends/Suggests
- run apache-rex tests in php7:test as packages need to be built first (otherwise tests run with previous version)
- add php_cfgdir and php_extdir macros

==== pigz ====
Version update (2.4 -> 2.6)

- update to 2.6:
  * Add --huffman/-H and --rle/U strategy options
  * Fix issue when compiling for no threads
  * Fail silently on a broken pipe
  * Add --alias/-A option to set .zip name for stdin input
  * Add --comment/-C option to add comment in .gz or .zip
  * Several bug and behavior fixes
- drop fortify.patch: obsolete

==== pinentry ====
Subpackages: pinentry-gnome3 pinentry-gtk2 pinentry-qt5

- add _multibuild to separate out gui client builds

==== postfix ====
Version update (3.5.8 -> 3.5.9)
Subpackages: postfix-doc

- (bsc#1180473) [Build 20201230] postfix has invalid default config
  (bsc#1181381) [Build 130.3] openQA test fails in mta, mutt - postfix broken: "queue file write error" and "error: unsupported dictionary type: hash"
  Export DEF_DB_TYPE before starting the perl script.
- bsc#1180473 - [Build 20201230] postfix has invalid default config
  Fixing config.postfix and sysconfig.postfix
- Update to 3.5.9
  * improves the reporting of DNSSEC problems that may affect DANE security
- Only do the conversion from the hash/btree databases to lmdb when the default database type changes from hash to lmdb and do not stop and start the service (the old compiled databases can live together with the new ones)
- convert-bdb-to-lmdb.sh
- Clean up the specfile
  * Remove < 1330 conditional builds
  * Use generated postfix-files instead of the obsolete one from postfix-SUSE.tar.gz
  * Use dynamicmaps.cf.d instead of modifying dynamicmaps.cf upon (de)installation of optional mysql, pgsql and ldap subpackages
  * Use default location for post-install, postfix-tls-script, postfix-wrapper and postmulti-script
- Set lmdb to be the default db.
- Convert btree tables to lmdb too. Stop postfix before converting from bdb to lmdb
- This package is without bdb support. That's why convert must be done without any suse release condition.
  o remove patch postfix-no-btree.patch
  o add set-default-db-type.patch
- Set database type for address_verify_map and postscreen_cache_map to lmdb (btree requires Berkeley DB)
  o add postfix-no-btree.patch
- Set default database type to lmdb and fix update_postmaps script
- Use variable substitution instead of sed to remove .db suffix and substitute hash: for lmdb: in /etc/postfix/master.cf as well. Check before substitution if there is something to do (to keep rpmcheck happy).
- bsc#1176650 L3: What is regularly triggering the "fillup" command and changing modify-time of /etc/sysconfig/postfix?
  o Remove misplaced fillup_only call from %verifyscript
- Remove Berkeley DB dependency (JIRA#SLE-12191)
  The package postfix is built without Berkeley DB support. lmdb will be used instead of BDB.
  The package postfix-bdb is built with Berkeley DB support.
o add patch for main.cf for postfix-bdb package postfix-bdb-main.cf.patch ==== python-pybind11 ==== Version update (2.5.0 -> 2.6.2) - Add docs/changelog.rst to package contents - Update to v2.6.2 * See changelog for changes since 2.5.0 ==== python-requests ==== - Don't pin idna<3 in the egg-info so that depending packages can install the new idna dropping python2 ==== qemu ==== Subpackages: qemu-ipxe qemu-microvm qemu-seabios qemu-sgabios qemu-skiboot qemu-vgabios - Switch the modules qemu-ui-display-gpu and qemu-ui-display-gpu-pci from being an x86 only Recommends, to a Recommends for all arch's except s390x (boo#1181350) - Fix qemu-hw-usb-smartcard to not be a Recommends for s390x - Minor spec file tweaks for compatibility with upcoming spec file formatter - Make note that this patch takes care of an OOB access in ARM interrupt handling (CVE-2021-20221 bsc#1181933) hw-intc-arm_gic-Fix-interrupt-ID-in-GICD.patch - Include upstream patches designated as stable material and reviewed for applicability to include here block-Separate-blk_is_writable-and-blk_s.patch hw-intc-arm_gic-Fix-interrupt-ID-in-GICD.patch hw-net-lan9118-Fix-RX-Status-FIFO-PEEK-v.patch hw-timer-slavio_timer-Allow-64-bit-acces.patch net-Fix-handling-of-id-in-netdev_add-and.patch target-arm-Don-t-decode-insns-in-the-XSc.patch target-arm-Fix-MTE0_ACTIVE.patch target-arm-Introduce-PREDDESC-field-defi.patch target-arm-Update-PFIRST-PNEXT-for-pred_.patch target-arm-Update-REV-PUNPK-for-pred_des.patch target-arm-Update-ZIP-UZP-TRN-for-pred_d.patch tcg-Use-memset-for-large-vector-byte-rep.patch ui-vnc-Add-missing-lock-for-send_color_m.patch virtio-move-use-disabled-flag-property-t.patch - binutils v2.36 has changed the handling of the assembler's -mx86-used-note, resulting in a build failure.
To compensate, we now explicitly specify -mx86-used-note=no in the seabios Makefile (boo#1181775) build-be-explicit-about-mx86-used-note-n.patch ==== re2 ==== Version update (20201101 -> 20210202) - Update to version 2021-02-02: * Address `-Wnull-dereference' warnings from GCC 10.x. ==== rubygem-i18n ==== Version update (1.8.7 -> 1.8.8) Subpackages: ruby2.7-rubygem-i18n ruby3.0-rubygem-i18n - updated to version 1.8.8 * Fixed threadsafety issues in Simple backend: #554 * Re-attempt to fix threadsafety of fallbacks: #548 * Use OpenSSL::Digest instead of usual Digest libraries: #549 * Goodbye, post-install message #552 * Use Rails' main branch, instead of master #553 ==== rubygem-rspec-mocks ==== Version update (3.10.1 -> 3.10.2) - updated to version 3.10.2 [#]## 3.10.2 / 2021-01-27 [Full Changelog](http://github.com/rspec/rspec-mocks/compare/v3.10.1...v3.10.2) Bug Fixes: * Support keyword arguments with `and_call_original` on Ruby 3.0. (Bryan Powell, #1385) * `RSpec::Mocks::Constant#previously_defined?` is now always a boolean. (Phil Pirozhkov, #1397) * Support keyword arguments on Ruby 3.0 when used with `expect_any_instance_of` or `allow_any_instance_of` with `and_call_original`. (Jess Hottenstein, #1407) ==== rubygem-rspec-support ==== Version update (3.10.1 -> 3.10.2) - updated to version 3.10.2 [#]## 3.10.2 / 2021-01-28 [Full Changelog](http://github.com/rspec/rspec-support/compare/v3.10.1...v3.10.2) Bug Fixes: * Fix issue with `RSpec::Support.define_optimized_require_for_rspec` on JRuby 9.1.17.0 (Jon Rowe, #492) ==== thai-fonts ==== - Utilize modern rpm macros. Nudge the description a bit. - Update description. ==== unixODBC ==== - Fix incorrect permission for documentation files. Using %attr affects the documentation subdirectory permission. Instead, the executable bit for doc files will be removed in the %prep section. 
==== v4l2loopback ==== Subpackages: v4l2loopback-autoload v4l2loopback-kmp-default v4l2loopback-utils - Add undefined macros when building on older distributions ==== virtualbox ==== Subpackages: virtualbox-guest-tools virtualbox-guest-x11 - Fix build for Leap 15.3. File "fixes_for_leap15.3.patch" is added. ==== virtualbox-kmp ==== Version update (6.1.18_k5.10.12_1 -> 6.1.18_k5.10.14_1) - Fix build for Leap 15.3. File "fixes_for_leap15.3.patch" is added. ==== wpa_supplicant ==== Subpackages: wpa_supplicant-gui - Add CVE-2021-0326.patch -- P2P group information processing vulnerability (bsc#1181777) ==== yast2-trans ==== Version update (84.87.20210130.332fb904b7 -> 84.87.20210205.68980f3ed7) Subpackages: yast2-trans-af yast2-trans-ar yast2-trans-bg yast2-trans-bn yast2-trans-bs yast2-trans-ca yast2-trans-cs yast2-trans-cy yast2-trans-da yast2-trans-de yast2-trans-el yast2-trans-en_GB yast2-trans-es yast2-trans-et yast2-trans-fa yast2-trans-fi yast2-trans-fr yast2-trans-gl yast2-trans-gu yast2-trans-hi yast2-trans-hr yast2-trans-hu yast2-trans-id yast2-trans-it yast2-trans-ja yast2-trans-jv yast2-trans-ka yast2-trans-km yast2-trans-ko yast2-trans-lo yast2-trans-lt yast2-trans-mk yast2-trans-mr yast2-trans-nb yast2-trans-nl yast2-trans-pa yast2-trans-pl yast2-trans-pt yast2-trans-pt_BR yast2-trans-ro yast2-trans-ru yast2-trans-si yast2-trans-sk yast2-trans-sl yast2-trans-sr yast2-trans-sv yast2-trans-ta yast2-trans-th yast2-trans-tr yast2-trans-uk yast2-trans-vi yast2-trans-wa yast2-trans-xh yast2-trans-zh_CN yast2-trans-zh_TW yast2-trans-zu - Update to version 84.87.20210205.68980f3ed7: * New POT for text domain 'qt-pkg'. * New POT for text domain 'qt'. * New POT for text domain 'ncurses-pkg'. * New POT for text domain 'wol'. * New POT for text domain 'vpn'. * New POT for text domain 'users'. * New POT for text domain 'update'. * New POT for text domain 'tune'. * New POT for text domain 'sysconfig'. * New POT for text domain 'support'. 
* New POT for text domain 'sudo'. * New POT for text domain 'storage'. * New POT for text domain 'squid'. * New POT for text domain 'sound'. * New POT for text domain 'snapper'. * New POT for text domain 'slp-server'. * New POT for text domain 'services-manager'. * New POT for text domain 'security'. * New POT for text domain 'scanner'. * New POT for text domain 'samba-server'. * New POT for text domain 'samba-client'. * New POT for text domain 's390'. * New POT for text domain 'rmt'. * New POT for text domain 'relocation-server'. * New POT for text domain 'reipl'. * New POT for text domain 'registration'. * New POT for text domain 'rdp'. * New POT for text domain 'proxy'. * New POT for text domain 'printer'. * New POT for text domain 'pam'. * New POT for text domain 'packager'. * New POT for text domain 'online-update'. * New POT for text domain 'ntp-client'. * New POT for text domain 'nis_server'. * New POT for text domain 'nis'. * New POT for text domain 'nfs_server'. * New POT for text domain 'nfs'. * New POT for text domain 'network'. * New POT for text domain 'multipath'. * New POT for text domain 'migration'. * New POT for text domain 'mail'. * New POT for text domain 'ldap-client'. * New POT for text domain 'ldap'. * New POT for text domain 'kdump'. * New POT for text domain 'journalctl'. * New POT for text domain 'isns'. * New POT for text domain 'iscsi-lio-server'. * New POT for text domain 'iscsi-client'. * New POT for text domain 'iplb'. * New POT for text domain 'instserver'. * New POT for text domain 'installation'. * New POT for text domain 'http-server'. * New POT for text domain 'geo-cluster'. * New POT for text domain 'ftp-server'. * New POT for text domain 'firewall'. * New POT for text domain 'fcoe-client'. * New POT for text domain 'drbd'. * New POT for text domain 'dns-server'. * New POT for text domain 'dhcp-server'. * New POT for text domain 'crowbar'. * New POT for text domain 'country'. * New POT for text domain 'control'. 
* New POT for text domain 'cluster'. * New POT for text domain 'bootloader'. * New POT for text domain 'base'. * New POT for text domain 'autoinst'. * New POT for text domain 'auth-client'. * New POT for text domain 'audit-laf'. * New POT for text domain 'apparmor'. * New POT for text domain 'add-on'. * Add empty po files for cc and cc-control * product-check.sh: Add support for 000product and inherited products * DOMAIN_MAP: Add system-role-common-criteria * Automatic update of wol. * Automatic update of vpn. * Automatic update of users. * Automatic update of update. * Automatic update of tune. * Automatic update of s390. * Automatic update of sysconfig. * Automatic update of support. * Automatic update of sudo. * Automatic update of storage. * Automatic update of squid. * Automatic update of sound. * Automatic update of snapper. * Automatic update of slp-server. * Automatic update of services-manager. * Automatic update of security. * Automatic update of scanner. * Automatic update of samba-server. * Automatic update of samba-client. * Automatic update of rmt. * Automatic update of relocation-server. * Automatic update of reipl. * Automatic update of registration. * Automatic update of rdp. * Automatic update of proxy. * Automatic update of printer. * Automatic update of pam. * Automatic update of packager. * Automatic update of online-update. * Automatic update of ntp-client. * Automatic update of nis_server. * Automatic update of nis. * Automatic update of nfs_server. * Automatic update of nfs. * Automatic update of network. * Automatic update of multipath. * Automatic update of migration. * Automatic update of mail. * Automatic update of ldap-client. * Automatic update of ldap. * Automatic update of kdump. * Automatic update of journalctl. * Automatic update of isns. * Automatic update of iscsi-lio-server. * Automatic update of iscsi-client. * Automatic update of iplb. * Automatic update of instserver. * Automatic update of installation. 
* Automatic update of http-server. * Automatic update of geo-cluster. * Automatic update of ftp-server. * Automatic update of firewall. * Automatic update of fcoe-client. * Automatic update of drbd. * Automatic update of dns-server. * Automatic update of dhcp-server. * Automatic update of crowbar. * Automatic update of country. * Automatic update of control. * Automatic update of cluster. * Automatic update of bootloader. * Automatic update of base. * Automatic update of autoinst. * Automatic update of auth-client. * Automatic update of audit-laf. * Automatic update of apparmor. * Automatic update of add-on. * New POT for text domain 'ncurses'. * New POT for text domain 'autoinst'.
On 2/16/21 1:01 PM, Dominique Leuenberger wrote:
> Packages changed: glibc (2.32 -> 2.33)

A warning that any chroot-ed service will fail because of a regression in glibc 2.33:
https://bugzilla.opensuse.org/show_bug.cgi?id=1182327

In my case e.g. postfix:
https://bugzilla.opensuse.org/show_bug.cgi?id=1182323

Ciao, Michael.
We have better mechanisms now, including extensive sandboxing and namespaces support configurable via systemd unit drop-ins. Do not run stuff on chroot anymore.

On Tue, Feb 16, 2021 at 7:27 PM Michael Ströder <michael@stroeder.com> wrote:
> On 2/16/21 1:01 PM, Dominique Leuenberger wrote:
>> Packages changed: glibc (2.32 -> 2.33)
> A warning that any chroot-ed service will fail because of a regression in glibc 2.33:
> https://bugzilla.opensuse.org/show_bug.cgi?id=1182327
> In my case e.g. postfix:
> https://bugzilla.opensuse.org/show_bug.cgi?id=1182323
> Ciao, Michael.
On Wed, Feb 17, 2021 at 8:36 AM Cristian Rodríguez <crrodriguez@opensuse.org> wrote:
> We have better mechanisms now, including extensive sandboxing and namespaces support configurable via systemd unit drop-ins. Do not run stuff on chroot anymore.

That is not the correct response, especially since RPM itself uses chroot() as part of doing package transactions.

--
真実はいつも一つ!/ Always, there's only one truth!
On Wed, Feb 17, 2021 at 10:38 AM Neal Gompa <ngompa13@gmail.com> wrote:
> On Wed, Feb 17, 2021 at 8:36 AM Cristian Rodríguez <crrodriguez@opensuse.org> wrote:
>> We have better mechanisms now, including extensive sandboxing and namespaces support configurable via systemd unit drop-ins. Do not run stuff on chroot anymore.
> That is not the correct response, especially since RPM itself uses chroot() as part of doing package transactions.

It is for this case, and BTW... I have never claimed it is not a bug, it is.
On Wed, Feb 17, Cristian Rodríguez wrote:
> We have better mechanisms now, including extensive sandboxing and namespaces support configurable via systemd unit drop-ins.

And especially for postfix we even have a container :) That's with glibc 2.33 and lmdb working fine without the need for an additional chroot environment.

Thorsten

> Do not run stuff on chroot anymore.
> On Tue, Feb 16, 2021 at 7:27 PM Michael Ströder <michael@stroeder.com> wrote:
>> On 2/16/21 1:01 PM, Dominique Leuenberger wrote:
>>> Packages changed: glibc (2.32 -> 2.33)
>> A warning that any chroot-ed service will fail because of a regression in glibc 2.33:
>> https://bugzilla.opensuse.org/show_bug.cgi?id=1182327
>> In my case e.g. postfix:
>> https://bugzilla.opensuse.org/show_bug.cgi?id=1182323
>> Ciao, Michael.

--
Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & MicroOS SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany Managing Director: Felix Imendoerffer (HRB 36809, AG Nürnberg)
On 17. 02. 21 at 15:27, Thorsten Kukuk wrote:
> On Wed, Feb 17, Cristian Rodríguez wrote:
>> We have better mechanisms now, including extensive sandboxing and namespaces support configurable via systemd unit drop-ins.
> And especially for postfix we even have a container :) That's with glibc 2.33 and lmdb working fine without the need for an additional chroot environment.

Actually the newer glibc makes troubles also in containers. We are getting a lot of EPERM errors in TW Docker images running as GitHub Actions.

See https://github.com/yast/yast-ntp-client/pull/166/checks?check_run_id=1922192... or https://github.com/yast/yast-samba-server/runs/1922239238#step:5:153

It seems that the new glibc requires a newer kernel, a similar issue was also reported for WSL: https://github.com/microsoft/WSL/issues/6562

There is a patch for Docker (see https://docs.docker.com/engine/release-notes/#security-1) but that means you need Docker >= 20.10.0 which might not be available for all systems or you might not be able to upgrade the Docker host like in the containerized GitHub Actions ... :-(

--
Ladislav Slezák YaST Developer SUSE LINUX, s.r.o. Corso IIa Křižíkova 148/34 18600 Praha 8
Hi,

On Thursday, 18 February 2021, 12:31:48 CET, Ladislav Slezak wrote:
> On 17. 02. 21 at 15:27, Thorsten Kukuk wrote:
>> On Wed, Feb 17, Cristian Rodríguez wrote:
>>> We have better mechanisms now, including extensive sandboxing and namespaces support configurable via systemd unit drop-ins.
>> And especially for postfix we even have a container :) That's with glibc 2.33 and lmdb working fine without the need for an additional chroot environment.
> Actually the newer glibc makes troubles also in containers. We are getting a lot of EPERM errors in TW Docker images running as GitHub Actions.
> See https://github.com/yast/yast-ntp-client/pull/166/checks?check_run_id=1922192... or https://github.com/yast/yast-samba-server/runs/1922239238#step:5:153
> It seems that the new glibc requires a newer kernel, a similar issue was also reported for WSL: https://github.com/microsoft/WSL/issues/6562

The issue is that old docker/podman block faccessat2 with -EPERM instead of letting -ENOSYS through. Some links:
https://github.com/seccomp/libseccomp/issues/314
https://github.com/opencontainers/runc/pull/2750

> There is a patch for Docker (see https://docs.docker.com/engine/release-notes/#security-1) but that means you need Docker >= 20.10.0 which might not be available for all systems or you might not be able to upgrade the Docker host like in the containerized GitHub Actions ... :-(

Even upgrading won't work in all cases, for instance the latest docker version for ubuntu is apparently still affected. The only workaround is to disable seccomp altogether, with "--security-opt seccomp:unconfined". Due to the nature of the bug there's no workaround on our side possible, other than disabling use of faccessat2 in glibc completely. On 32bit platforms some other syscalls like futex_time64 might also be affected.

Cheers, Fabian
Perhaps I should start a new thread... What do we consider/advertise the stability/purpose of the Tumbleweed container images? It seems a bit hard to believe that this is an acceptable breakage unless they are considered toys.

When I encountered this problem in a Gitlab CI runner via the message "shell not found" I assumed it was something in TW that had been updated and switched the image to Leap as I did not have the time to investigate. More recently, I dug into it (after I had to rebuild more of my TW based images) [1] and determined the following code had to evaluate to false.

    elif [ -x /bin/bash ]; then

I figured there had to be something odd going on as there is no way something as fundamental as checking if a file is executable would be broken in Tumbleweed for over a month. It was not until asking in IRC someone pointed me to a bug indicating that was indeed the case.

Clearly various upstream projects will make breaking changes from time to time that we have to handle as a distribution, but this seems like a very bad way to handle it. Clearly based on the bug report various openSUSE projects depend on these images working so that seems to indicate they are not considered toys. How then can we have the expectation that the entire world updates to accommodate a Tumbleweed container? I understand that ultimately that is what is needed to support the newer glibc, but is that not a reason to block the update like we do when other packages break things severely?

It would be one thing if our point-release distro (Leap) was updated to handle this at the minimum and the fix had been widely available for say several years. At that point sure, point at everyone and say they need to fix it. But to roll this out knowing it will break things all over and then say things like "Not a bug." is incredible. Even running a TW container on a Leap 15.2 host this does not work.

If this is acceptable for going on two months how do we expect serious usage of the Tumbleweed containers? It's great that, from what I can tell, various CI providers have patched this, but I am at a loss that the only reasonable situation for someone running an openSUSE host is to stop using the Tumbleweed container for workloads.

[1] https://forums.opensuse.org/showthread.php/552485-Sometime-after-20210210-ev...

-- Jimmy
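The mechanism Fabian describes (a filter answering faccessat2 with EPERM rather than ENOSYS) and the failing `[ -x /bin/bash ]` check Jimmy hit, as an added example that is not part of the thread and not glibc's own code: a simplified model of a "try the new syscall, fall back only on ENOSYS" wrapper, plus a probe that classifies how the current sandbox answers the real syscall. The function names, the two simulated responders and the fallback value 439 for `SYS_faccessat2` are assumptions of this sketch.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SYS_faccessat2
#define SYS_faccessat2 439 /* assumption for older headers: x86_64 number */
#endif

typedef long (*access2_fn)(int dirfd, const char *path, int mode, int flags);

/* The real syscall, bypassing libc: 0 on success, -1 with errno set. */
static long real_faccessat2(int d, const char *p, int m, int f) {
    return syscall(SYS_faccessat2, d, p, m, f);
}

/* Constructed stand-ins: a kernel without faccessat2, and a seccomp
 * filter that answers syscalls it does not know with EPERM. */
static long sim_old_kernel(int d, const char *p, int m, int f) {
    (void)d; (void)p; (void)m; (void)f;
    errno = ENOSYS;
    return -1;
}
static long sim_eperm_filter(int d, const char *p, int m, int f) {
    (void)d; (void)p; (void)m; (void)f;
    errno = EPERM;
    return -1;
}

/* Simplified model of a libc wrapper (not glibc's source): try the new
 * syscall and use the legacy one only when the answer is ENOSYS. */
static int access_with_fallback(access2_fn try_new, const char *path, int mode) {
    long r = try_new(AT_FDCWD, path, mode, 0);
    if (r == 0 || errno != ENOSYS)
        return (int)r; /* a filter's EPERM is passed to the caller as-is */
    return (int)syscall(SYS_faccessat, AT_FDCWD, path, mode);
}

enum verdict { SUPPORTED, LEGACY_FALLBACK, BLOCKED_BY_FILTER, OTHER_ERROR };

/* Classify the answer to an F_OK probe on "/". The path always exists and
 * F_OK asks for no permission, so EPERM here points at the sandbox. */
static enum verdict classify(long ret, int err) {
    if (ret == 0)      return SUPPORTED;
    if (err == ENOSYS) return LEGACY_FALLBACK;
    if (err == EPERM)  return BLOCKED_BY_FILTER;
    return OTHER_ERROR;
}

static enum verdict probe(access2_fn fn) {
    long r = fn(AT_FDCWD, "/", F_OK, 0);
    return classify(r, errno);
}

int main(void) {
    static const char *name[] = { "supported", "ENOSYS, legacy fallback works",
                                  "EPERM, blocked by the sandbox filter", "other error" };
    printf("faccessat2 probe: %s\n", name[probe(real_faccessat2)]);
    printf("X_OK on /bin/sh through the wrapper model: %d\n",
           access_with_fallback(real_faccessat2, "/bin/sh", X_OK));
    return 0;
}
```

Built and run inside the container image under test, the first line of output tells apart a host that needs no fix, one where the fallback works, and one whose runtime filter has to be updated.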
participants (8): Cristian Rodríguez, Dominique Leuenberger, Fabian Vogt, Jimmy Berry, Ladislav Slezak, Michael Ströder, Neal Gompa, Thorsten Kukuk