Please note that this mail was generated by a script. The described changes are computed based on the x86_64 DVD. The full online repo contains too many changes to be listed here. Please check the known defects of this snapshot before upgrading: https://openqa.opensuse.org/tests/overview?distri=opensuse&version=42.3&build=0289&groupid=28 https://bugzilla.opensuse.org/buglist.cgi?product=openSUSE%20Distribution&query_format=advanced&resolution=---&version=Leap%2042.3 When you reply to discuss some issues, make sure to change the subject. Please use the test plan at https://docs.google.com/spreadsheets/d/1AGKijKpKiJCB616-bHVoNQuhWHpQLHPWCb3m... to record your testing efforts and use bugzilla to report bugs. Packages changed: Mesa MozillaFirefox (52.1.1 -> 52.2) MozillaThunderbird (52.1.1 -> 52.2) SUSEConnect (0.3.0 -> 0.3.1) biosdevname ceph (12.0.3+git.1496909744.9f667dc335 -> 12.0.3+git.1497426468.6984d41b5d) drbd (9.0.7rc2+git.36abd387 -> 9.0.8+git.c8bc3670) drbd-utils (8.9.11rc2 -> 9.0.0) drm (4.9.31_k4.4.72_1 -> 4.9.33_k4.4.72_1) glibc glibc gstreamer-plugins-ugly installation-images-openSUSE (14.318 -> 14.319) k3b kdump libgcrypt lttng-modules mozilla-nss (3.28.4 -> 3.28.5) netpbm openvpn pcsc-lite (1.8.21 -> 1.8.22) plasma5-integration polkit python-pyasn1-modules (0.0.8 -> 0.0.9) qemu qemu-linux-user rubygem-ruby-dbus rxvt-unicode sblim-sfcb smuxi (1.0.6 -> 1.0.7) util-linux util-linux-systemd virt-manager vm-install (0.8.65 -> 0.8.67) xen (4.9.0_07 -> 4.9.0_08) xine-lib (1.2.6 -> 1.2.8) xine-ui xorg-x11-server yast2-bootloader (3.2.21 -> 3.2.22) yast2-installation yast2-kdump (3.2.4 -> 3.2.6) yast2-trans (84.87.20170607.40033d88 -> 84.87.20170618.0f9396fd) === Details === ==== Mesa ==== Subpackages: Mesa-32bit Mesa-devel Mesa-dri-devel Mesa-libEGL-devel Mesa-libEGL1 Mesa-libEGL1-32bit Mesa-libGL-devel Mesa-libGL1 Mesa-libGL1-32bit Mesa-libGLESv1_CM-devel Mesa-libGLESv1_CM1 Mesa-libGLESv2-2 Mesa-libGLESv2-devel Mesa-libglapi-devel Mesa-libglapi0 Mesa-libglapi0-32bit Mesa-libva libOSMesa-devel libOSMesa8 libOSMesa8-32bit libgbm-devel libgbm1 libgbm1-32bit libvdpau_r300 libvdpau_r600 libvdpau_radeonsi libwayland-egl-devel libwayland-egl1 libxatracker2 - Fix Xvfb segfault after reset (bsc#1042764): U_radeonsi-add-llvm-init.patch ==== MozillaFirefox ==== Version update (52.1.1 -> 52.2) Subpackages: MozillaFirefox-translations-common - update to Firefox 52.2esr (boo#1043960) MFSA 2017-16 * CVE-2017-5472 (bmo#1365602) Use-after-free using destroyed node when regenerating trees * CVE-2017-7749 (bmo#1355039) Use-after-free during docshell reloading * CVE-2017-7750 (bmo#1356558) Use-after-free with track elements * CVE-2017-7751 (bmo#1363396) Use-after-free with content viewer listeners * CVE-2017-7752 (bmo#1359547) Use-after-free with IME input * CVE-2017-7754 (bmo#1357090) Out-of-bounds read in WebGL with ImageInfo object * CVE-2017-7755 (bmo#1361326) Privilege escalation through Firefox Installer with same directory DLL files (Windows only) * CVE-2017-7756 (bmo#1366595) Use-after-free and use-after-scope logging XHR header errors * CVE-2017-7757 (bmo#1356824) Use-after-free in IndexedDB * CVE-2017-7778, CVE-2017-7778, CVE-2017-7771, CVE-2017-7772, CVE-2017-7773, CVE-2017-7774, CVE-2017-7775, CVE-2017-7776, CVE-2017-7777 Vulnerabilities in the Graphite 2 library * CVE-2017-7758 (bmo#1368490) Out-of-bounds read in Opus encoder * CVE-2017-7760 (bmo#1348645) File manipulation and privilege escalation via callback parameter in Mozilla Windows Updater and Maintenance Service (Windows only) * CVE-2017-7761 (bmo#1215648) File deletion and privilege escalation through Mozilla Maintenance Service helper.exe application (Windows only) * CVE-2017-7764 (bmo#1364283) Domain spoofing with combination of Canadian Syllabics and other unicode blocks * CVE-2017-7765 (bmo#1273265) Mark of the Web bypass when saving executable files (Windows only) * CVE-2017-7766 (bmo#1342742) File execution and privilege escalation through updater.ini, Mozilla Windows Updater, and Mozilla Maintenance Service (Windows only) * CVE-2017-7767 (bmo#1336964) Privilege escalation and arbitrary file overwrites through Mozilla Windows Updater and Mozilla Maintenance Service (Windows only) * CVE-2017-7768 (bmo#1336979) 32 byte arbitrary file read through Mozilla Maintenance Service (Windows only) * CVE-2017-5470 Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2 - requires NSS 3.28.5 - remove -fno-inline-small-functions and explicitely optimize with - O2 for openSUSE > 13.2/Leap 42 to work with gcc7 (boo#1040105) ==== MozillaThunderbird ==== Version update (52.1.1 -> 52.2) Subpackages: MozillaThunderbird-translations-common - update to Thunderbird 52.2 (boo#1043960) * Embedded images not shown in email received from Hotmail/Outlook webmailer * Detection of non-ASCII font names in font selector * Attachment not forwarded correctly under certain circumstances * Multiple requests for master password when GMail OAuth2 is enabled * Large number of blank pages being printed under certain circumstances when invalid preferences were present * Messages sent via the Simple MAPI interface are forced to HTML * Calendar: Invitations can't be printed * Mailing list (group) not accessible from macOS or Outlook address book * Clicking on links with references/anchors where target doesn't exist in the message not opening in external browser MFSA 2017-17 * CVE-2017-5472 (bmo#1365602) Use-after-free using destroyed node when regenerating trees * CVE-2017-7749 (bmo#1355039) Use-after-free during docshell reloading * CVE-2017-7750 (bmo#1356558) Use-after-free with track elements * CVE-2017-7751 (bmo#1363396) Use-after-free with content viewer listeners * CVE-2017-7752 (bmo#1359547) Use-after-free with IME input * CVE-2017-7754 (bmo#1357090) Out-of-bounds read in WebGL with ImageInfo object * CVE-2017-7756 (bmo#1366595) Use-after-free and use-after-scope logging XHR header errors * CVE-2017-7757 (bmo#1356824) Use-after-free in IndexedDB * CVE-2017-7778, CVE-2017-7778, CVE-2017-7771, CVE-2017-7772, CVE-2017-7773, CVE-2017-7774, CVE-2017-7775, CVE-2017-7776, CVE-2017-7777 Vulnerabilities in the Graphite 2 library * CVE-2017-7758 (bmo#1368490) Out-of-bounds read in Opus encoder * CVE-2017-7763 (bmo#1360309) Mac fonts render some unicode characters as spaces (MacOS only) * CVE-2017-7764 (bmo#1364283) Domain spoofing with combination of Canadian Syllabics and other unicode blocks * CVE-2017-7765 (bmo#1273265) Mark of the Web bypass when saving executable files (Windows only) * CVE-2017-5470 Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2 - requires NSS 3.28.5 - remove legacy -Os optimization breaking gcc7/i586 (boo#1042090) - explicitely optimize with -O2 for openSUSE > 13.2/Leap 42 to work with gcc7 (boo#1040105, boo#1042090) ==== SUSEConnect ==== Version update (0.3.0 -> 0.3.1) - Update to 0.3.1: - Fix license auto-agree issue (bsc#1037783) - Add missing archs to SLE 12 SP3 build target ==== biosdevname ==== - Do not rename non-Ethernet network interfaces (bsc#1042187) * Add: biosdevname_only_ethernet.patch ==== ceph ==== Version update (12.0.3+git.1496909744.9f667dc335 -> 12.0.3+git.1497426468.6984d41b5d) Subpackages: librados2 librbd1 - Update to version 12.0.3+git.1497426468.6984d41b5d: + qa: add initial deepsea suite (task and test yaml) + fix "ceph osd df" (regression in latest upstream master) (pr#15675, issue#20256) * mon: move creating_pgs and reweight_by_utilization into new MonPGStatService * mon: move most PGMapStatService into PGMap; rename PGMon's to PGMonStatService * mon: mgr: move 'osd df' handling to manager * mon: inherit PGMonStatService from the PGMapStatService * move the OSDUtilizationDumper code into OSDMap * mon: mgr: enable "osd df" on the manager * qa: add a check_commands.sh script which looks for commands with no tests * qa: test 'osd df' in cephtool/test.sh ==== drbd ==== Version update (9.0.7rc2+git.36abd387 -> 9.0.8+git.c8bc3670) Subpackages: drbd-kmp-default - bsc#1045473, update to 9.0.8 fix a race condition between adding connections and receiving data fix a OOPS on a diskfull node when a request from a diskless node fix a distributed deadlock when doing a discard/write-same burst fix an issue with diskless nodes adopting wrong current UUIDs fix wrongly rejected two-phase-state transactions fix initial resync, triggered by "--force primary"(regression 9.0.7) Speed-up AL-updates with bio flags REQ_META and REQ_PRIO Merged changes from 8.4.10 and with that compatibility with Linux-4.12 - Remove patch fix-initial-sync-stop.patch - Fix the license to GPL-2.0+ ==== drbd-utils ==== Version update (8.9.11rc2 -> 9.0.0) - Update to v9.0.0 * drbd udev: fix inconsistent inheritance of implicit volumes * Fix regressions of the out-of-the-box DRBD 8.4 experience * DrbdMon: can now focus on "problem" resources * v9: support new option on_no_quorum * drbdadm: fix segfaults, improve error reporting * adjust: fix deleting unrelated peer(s) on "adjust resource:specific-peer" * drbdmeta create-md/convert: fix check for existing external meta-data - Merged into upstream, remove Pass-md_index-information-to-detect_md.patch ==== drm ==== Version update (4.9.31_k4.4.72_1 -> 4.9.33_k4.4.72_1) - Update to 4.9.33 to follow the upstream development (bsc#1041744, CVE-2017-7346, bsc#1031796): drm/i915: Always recompute watermarks when distrust_bios_wm is set, v2. drm/i915: Workaround VLV/CHV DSI scanline counter hardware fail drm/ast: Fixed system hanged if disable P2A drm/nouveau: Fix drm poll_helper handling drm/nouveau: Don't enabling polling twice on runtime resume drm/nouveau: Handle fbcon suspend/resume in seperate worker drm/nouveau: Rename acpi_work to hpd_work drm/nouveau: Intercept ACPI_VIDEO_NOTIFY_PROBE drm/i915: Check for NULL i915_vma in intel_unpin_fb_obj() drm: Don't race connector registration drm: prevent double-(un)registration for connectors drm/nouveau/fence/g84-: protect against concurrent access to semaphore buffers drm/nouveau: prevent userspace from deleting client object drm/i915: Prevent the system suspend complete optimization drm/i915/vbt: split out defaults that are set when there is no VBT drm/i915/vbt: don't propagate errors from intel_bios_init() drm/nouveau/tmr: fully separate alarm execution/pending lists drm/vmwgfx: Make sure backup_handle is always valid drm/vmwgfx: limit the number of mip levels in vmw_gb_surface_define_ioctl() drm/vmwgfx: Handle vmalloc() failure in vmw_local_fifo_reserve() drm/msm: Expose our reservation object when exporting a dmabuf. drm: Fix oops + Xserver hang when unplugging USB drm devices drm/amdgpu/ci: disable mclk switching for high refresh rates (v2) - Fix the build with 4.9.33: 0025-drm-i915-comment-out-PCI_DEV_FLAGS_NEEDS_RESUME.patch - drm/mgag200: Fix to always set HiPri for G200e4 (bsc#1015452, bsc#995542): 1006-drm-mgag200-Fix-to-always-set-HiPri-for-G200e4.patch ==== glibc ==== Subpackages: glibc-32bit glibc-locale-32bit - ld-library-path-suid.patch: process only a single occurrence of LD_AUDIT - ld-hwcap-mask-suid.patch: Ignore and remove LD_HWCAP_MASK for AT_SECURE programs (BZ #21209) - ld-library-path-suid.patch: Completely ignore LD_LIBRARY_PATH for AT_SECURE=1 programs (CVE-2017-1000366, bsc#1039357) - malloc-fork-deadlock.patch: Fix deadlock between malloc and fork (bsc#1040043, BZ #19431) ==== glibc ==== Subpackages: glibc-devel glibc-extra glibc-info glibc-locale nscd - ld-library-path-suid.patch: process only a single occurrence of LD_AUDIT - ld-hwcap-mask-suid.patch: Ignore and remove LD_HWCAP_MASK for AT_SECURE programs (BZ #21209) - ld-library-path-suid.patch: Completely ignore LD_LIBRARY_PATH for AT_SECURE=1 programs (CVE-2017-1000366, bsc#1039357) - malloc-fork-deadlock.patch: Fix deadlock between malloc and fork (bsc#1040043, BZ #19431) ==== gstreamer-plugins-ugly ==== Subpackages: gstreamer-plugins-ugly-lang - Move mpg123 module from orig_addon to the main package, since we can now ship mpg123. ==== installation-images-openSUSE ==== Version update (14.318 -> 14.319) - remove obsolete dependency on links (bsc#1044791) - merge gh#openSUSE/installation-images#188 - /etc/systemd: keep symlinks instead of files (bsc#1044791) - 14.319 ==== k3b ==== Subpackages: k3b-lang - Add Re-enable-transcode-support.patch to add back transcode support to rip DVDs, Packman's version seems to work fine (kde#381131) ==== kdump ==== - kdump-fix-save_dump-to-NFS.patch: Fix save_dump to NFS targets (bsc#1045541). - kdump-invoke-subcommand-destructors-on-exit.patch: Invoke subcommand destructors on exit (bsc#1045541). - kdump-do-not-free-fadump-memory-when-immediate-reboot-is-requested.patch Releasing fadump memory can take a long time so skip it when rebooting anyway (bsc#1040610). - kdump-do-not-check-bind-mount.patch: Do not request filesystem check on bind mounts (bsc#1034169). - kdump-remount-sysroot-readwrite.patch: Also remount writable any mounts that were already mounted readonly by systemd (bsc#1034169). - kdump-Routable-preferred-source-address.patch: Routable: parse and store preferred source address (FATE#321844). - kdump-URLTransfer-complete-target.patch: Use the complete target URL for URLTransfer (FATE#321844). - kdump-prepend-IP-address.patch: Prepend IP address to remote target subdirectory (FATE#321844). - kdump-fix-service-files.patch: Fix kdump-related services (bsc#1021484). - kernel-ELF-aarch64: Test data for aarch64 findkernel. - kdump-KDUMP_SSH_IDENTITY.patch: Update with later upstream fixes. - kdump-aarch64.patch: kdumptool: add aarch64 (bsc#1033464). - kdump-source-save_dump.patch: save_dump.sh is designed to be sourced and has numerous toplevel return statements. Source it from the service definition as well to prevent bash complaints. (bcs#1034169). ==== libgcrypt ==== Subpackages: libgcrypt-devel libgcrypt20 libgcrypt20-32bit - Don't require secure memory for the fips selftests (bsc#931932) * prevents "Oops, secure memory pool already initialized" warning - modified libgcrypt-fips_run_selftest_at_constructor.patch - Added libgcrypt-secure-EdDSA-session-key.patch [bsc#1042326] * Store the session key in secure memory to ensure that constant time point operations are used in the MPI library. ==== lttng-modules ==== Subpackages: lttng-modules-kmp-default - Constify btrfs tracepoints to resolve build failures (bsc#1044912) New patch: btrfs-constify-tracepoint-arguments.patch ==== mozilla-nss ==== Version update (3.28.4 -> 3.28.5) Subpackages: libfreebl3 libsoftokn3 mozilla-nss-certs mozilla-nss-devel mozilla-nss-tools - update to NSS 3.28.5 * Implemented domain name constraints for CA: TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1. (bmo#1350859) * March 2017 batch of root CA changes (bmo#1350859) (version 2.14) CA certificates removed: O = Japanese Government, OU = ApplicationCA CN = WellsSecure Public Root Certificate Authority CN = T�RKTRUST Elektronik Sertifika Hizmet Sa?lay?c?s? H6 CN = Microsec e-Szigno Root CA certificates added: CN = D-TRUST Root CA 3 2013 CN = TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1 ==== netpbm ==== Subpackages: libnetpbm-devel libnetpbm11 - security update * CVE-2017-2586 [bsc#1024292] + netpbm-CVE-2017-2586.patch * CVE-2017-2581 [bsc#1024287] + netpbm-CVE-2017-2581.patch * CVE-2017-2587 [bsc#1024294] + netpbm-CVE-2017-2587.patch ==== openvpn ==== - 0001-Fix-remote-triggerable-memory-leaks-CVE-2017-7521.patch: Several OpenSSL-specific certificate-parsing code paths did not always clear all allocated memory. Since a client can cause a few bytes of memory to be leaked for each connection attempt, a client can cause a server to run out of memory and thereby kill the server. That makes this a (quite inefficient) DoS attack. [bsc#1044947, CVE-2017-7521] - 0002-Restrict-x509-alt-username-extension-types.patch: The code never supported all --x509-alt-username extension types. Make this explicit by only allowing subjectAltName and issuerAltName (for which the current code does work). Using unsupported extension fields would most likely cause OpenVPN to crash as soon as a client connects. This does not have a real-world security impact, as such a configuration would not be possible to use in practice. [bsc#1044947] - 0003-Fix-potential-double-free-in-x509-alt-username-CVE-2.patch: We didn't check the return value of ASN1_STRING_to_UTF8() in extract_x509_extension(). Ignoring such a failure could result in buf being free'd twice. An error in ASN1_STRING_to_UTF8() can be caused remotely if the peer can make the local process run out of memory. [bsc#1044947, CVE-2017-7521] - 0004-Prevent-two-kinds-of-stack-buffer-OOB-reads-and-a-cr.patch: If clients use a HTTP proxy with NTLM authentication, a man-in-the-middle attacker between the client and the proxy can cause the client to crash or disclose at most 96 bytes of stack memory. The disclosed stack memory is likely to contain the proxy password. If the proxy password is not reused, this is unlikely to compromise the security of the OpenVPN tunnel itself. Clients who do not use the --http-proxy option with ntlm2 authentication are not affected. [bsc#1044947, CVE-2017-7520] - 0005-Fix-remotely-triggerable-ASSERT-on-malformed-IPv6-pa.patch: Correct sanity checks on IPv6 packet length in mss_fixup_ipv6(), and change the ASSERT() check in mss_fixup_dowork() into a simple "return" (= the TCP header will simply not be inspected further). This can be used to remotely shutdown an openvpn server or client, if IPv6 and --mssfix are enabled and the IPv6 networks used inside the VPN are known. [bsc#1044947, CVE-2017-7508] - Show which ciphers should no longer be used in openvpn --show-ciphers bsc#995374(CVE-2016-6329) [+0006-Discourage-using-64-bit-block-ciphers.patch] - Apply fixes for bsc#1038713, bsc#1038709, CVE-2017-7478, bsc#1038711, CVE-2017-7479 [+ 0003-cleanup-merge-packet_id_alloc_outgoing-into-packet_i.patch, + 0004-Drop-packets-instead-of-assert-out-if-packet-id-roll.patch, + 0005-Don-t-assert-out-on-receiving-too-large-control-pack.patch] ==== pcsc-lite ==== Version update (1.8.21 -> 1.8.22) Subpackages: libpcsclite1 - Updated to version 1.8.22 * SCardCancel() was broken in 1.8.21. The call was blocking. * Enable use of info level logging for pcscd using -i/--info ==== plasma5-integration ==== - Add patch to allow disabling the global menu by setting an env var: * 0001-Introduce-KDE_NO_GLOBAL_MENU-env-variable-to-disable.patch ==== polkit ==== Subpackages: libpolkit0 polkit-devel typelib-1_0-Polkit-1_0 - Use gettext as fallback to get potential distro translations for polkit actions. Similar mechnism as used for desktop file translations. That way it's possible to use weblate to add additional translations that are not provided by upstream (polkit-gettext.patch). - Use pkgconfig() instead of requiring systemd package names directly. - systemd.pc is shipped by systemd main package (bsc#983167) Strangely polkit wants systemd.pc to detect that the target system is running systemd even if its configured to build systemd support... - polkit-revert-session-magic.patch: revert a session detection change that could lead to sessions not being detected as active due to a systemd bug. bsc#954139 - Update to 0.113: * Fix CVE-2015-4625 * Fix CVE-2015-3256 * Fix CVE-2015-3255 * Fix CVE-2015-3218 * On systemd-213 and later, the ?active? state is shared across all sessions of an user, instead of being tracked separately * pkexec: when not given a program to execute, runs the users? shell by default - Remove polkit-no-kded-leak.patch (upstreamed) - Try to fix kded leaking due to powerdevil exposing this issue in polkit: (bsc#912889) * polkit-no-kded-leak.patch - Added gpg signature and keyring with David Zeuthen and Miloslav Trmac ids. - Fixed URL - Update to 0.112 + polkitunixprocess: Deprecate racy APIs + pkcheck: Support --process=pid,start-time,uid syntax too (CVE-2013-4288) + Use GOnce for interface type registration + Add czech translation po file to distribution + Update the czech once more with newest pot file - On openSUSE 13.1+, switch from mozjs185 to mozjs-17.0 by: + Conditionally BuildRequire pkgconfig(mozjs-17.0). - Drop libmozjs185-1_0 Recommends: the library is actually required and auto-detected as such by rpm (from 0.111 changes: "The JavaScript interpreter is now mandatory"). - Update to 0.111 + Both js185 and mozjs17 versions of SpiderMonkey are supported + The JavaScript interpreter is now mandatory + Fixed various memory leaks + Respect SUID_CFLAGS and SUID_LDFLAGS + Set process environment from pam_getenvlist() + Fix the build with automake 1.13 - Drop polkit-suid_flags.patch and automake-113.patch, those patches are included in this release - Add automake-113.patch, fixes build with automake-1.13 - Recommend libmozjs185-1_0 which is dlopen'ed and required for JS rules - Update to 0.110 + Set XAUTHORITY environment variable if is unset + Use mutex and condition variables properly + Build fixes. - Changes from version 0.109: + Include gmodule-2.0 to avoid linker errors + Don't require libmozjs185 devel packages for polkit rules to work - Drop polkit-link-gmodule.patch and polkit-libmozjs.patch, those are merged upstream - Only mark the following files as %config, not %config(noreplace): + %{_sysconfdir}/dbus-1/system.d/org.freedesktop.PolicyKit1.conf + %{_sysconfdir}/pam.d/polkit-1 + %{_sysconfdir}/polkit-1/rules.d/50-default.rules PolicyKit's own config files should only be changed for good reason and we want to prefer openSUSE's defaults (you still get an .rpmsafe file) - Add polkit-libmozjs.patch: dlopen libmozjs185.so.1.0 instead of libmozjs185.so, which is packaged in the -devel package (bnc#793562) - Update to version 0.108: + PolkitAgent: Avoid crashing if initializing the server object fails + Fall back to authenticating as uid 0 if the list of admin identities is empty + Dynamically load libmozjs185.so and cope with it not being available + docs: mention the audience for authorization rules + build: Fix .gir generation for parallel make - Only conditionally Require ConsoleKit when with_systemd is 0: systemd support obsoletes ConsoleKit. - Add polkit-link-gmodule.patch: Link against gmodule-2.0. - Change libpolkit0 to require polkit >= %version instead of the exact version. This will ease upgrade problems should there ever be a soname bump of libpolkit0. - Enable systemd inetegration (change with_systemd to 1): As an agreed target for 12.3, systemd integration will be enabled. - Add pwdutils to prereq for groupadd and useradd. - Add polkit-no-systemd.patch: this patch, only applied when not building systemd support, removes the systemd service reference from the dbus .service file. This is needed as the systemd .service file does not get installed in that case and dbus gets confused because it expects it. - Make %{_datadir}/polkit-1/rules.d and %{_sysconfdir}/polkit-1/rules.d owned by user polkitd, as those directories have 0700 as permissions. - Those two changes should fix polkit so it can start. Fix bnc#782395. - Use %{_localstatedir}/lib/polkit for $HOME of polkit user, instead of %{_libexecdir}/polkit-1. The directory is manually created in %install. - Update to version 0.107: + Try harder to look up the right localization + Introduce a polkit.Result enumeration for authorization rules + pkexec: add support for argv1 annotation and mention shebang-wrappers + doc: update guidance on situations where there is no polkit authority - Changes from version 0.106: + Major change: switch from .pkla files (keyfile-format) to .rules files (JavaScript) + Nuke polkitbackend library, localauthority backend and extension system + Run polkitd as an unprivileged user + Add a systemd .service file + Several other code changes. + Updated documentation. - Changes from version 0.105: + Add pkttyagent(1) helper + Make it possible to influence agent registration with an a{sv} parameter + Several other code changes. - Add pkgconfig(mozjs185) BuildRequires: new dependency for the authority backend. - Rebase polkit-no-wheel-group.patch: the admin configuration is now in a .rules file. - Rebase polkit-suid_flags.patch. - Explicitly pass --enable-libsystemd-login or - -disable-libsystemd-login, depending on whether we build systemd support. - Add a %pre script to create the polkitd group and user, as polkitd now run as an unprivileged user. - also use -z now for binary hardening - Package /etc/polkit-1/localauthority and its subdirectories. They were forgotten because they were empty, but people might need them to put .pkla files. - Change the way we pass -fpie/-pie: + Drop polkit-pie.patch: this was not upstreamable. + Add polkit-suid_flags.patch: respect SUID_CFLAGS/SUID_LDFLAGS when building the suid binaries (pkexec and polkit-agent-helper-1). + Add autoconf, automake and libtool BuildRequires, and call autoreconf, for the new patch. + Set SUID_CFLAGS to -fPIE and SUID_LDFLAGS to -pie in %build. + Pass --with-pic to configure instead of changing CFLAGS to contain -fPIC. - fixed bnc#743145 - added -fpie/-pie flags to compilation and linking of polkit-agent-helper and pkexec - Split typelib file into typelib-1_0-Polkit-1_0 subpackage. - Add typelib-1_0-Polkit-1_0 Requires to devel subpackage. - Add explicit libpolkit0 Requires to devel subpackage: it was missing before. - Remove explicit glib2-devel Requires from devel subpackage: it will automatically be added the pkgconfig() way. - Improve summary of libpolkit0 subpackage. - A quick test reveals that the systemd backend does not integrate very well with packages yet, revert. - Previous update missed systemd-devel in buildrequires without it no systemd support is built - Update to version 0.104: + Add optional systemd support + Add netgroup support (fdo#43610) + Add unit tests (fdo#43608) - Changes from version 0.103: + Mistype in DBus object: PoliycKit1 -> PolicyKit1 + Add support for the org.freedesktop.policykit.imply annotation + Add --no-debug option and use this for D-Bus activation + Add org.freedesktop.policykit.owner annotation (fdo#41025) + Default to AdminIdentities=unix-group:wheel for local authority - Drop patches that were taken from upstream: + 0001-Add-support-for-the-org.freedesktop.policykit.imply-a.diff + 0002-Add-no-debug-option-and-use-this-for-D-Bus-activation.diff + 0003-Bug-41025-Add-org.freedesktop.policykit.owner-annotat.diff - Add polkit-no-wheel-group.patch: do not allow the wheel group as admin identity, and revert to only accept the root user for this. - pick some patches from git to add support for org.freedesktop.policykit.imply, disable debug spam and allow unprivileged users to query authorizations (bnc#698250) - Update to version 0.102: + pkexec: - fdo#38769: Support running X11 apps - Avoid time-of-check-to-time-of-use problems with parent process + Fix backend crash if a .policy file does not specify <message> + Fix multi-line pam prompt handling + Don't show diagnostic messages intended for the administrator to the end user + PolkitUnixProcess: - Clarify that the real uid is returned, not the effective one - Record the uid of the process + Backend: Use polkit_unix_process_get_uid() to get the owner of a process + Introspection fixes: - Add --c-include to the gir files - Specify exported pkg-config files in GIRs + Build fix. - Drop polkit-CVE-2011-1485-1.patch, polkit-CVE-2011-1485-2.patch, polkit-CVE-2011-1485-3.patch, polkit-CVE-2011-1485-4.patch: fixed upstream. - Remove service usage, following the new consensus on Factory packaging. - BuildIgnore ruby, which is being dragged in via indirect dependencies by gtk-doc for one of the helpers, which we do not need during the build of polkit. Not dragging ruby in resolves a build-cycle. - Use %set_permissions instead of deprecated %run_permissions in %post. - Add permissions PreReq, which was missing before. - use LGPLv2.1+ in spec file - stat race condition (CVE-2011-1485) (bnc#688788) - Remove PolkitAgent-1.0.typelib from main package, it is in library package. - update to 0.101: * tons of bug fixes, see NEWS - fix file list - Update to version 0.99: + Remove duplicate definitions of enumeration types + Fix (correct) GCC warning about possibly-uninitialized variable + Fix another GCC uninitialized variable warning + fdo#29816: Install polkitagentenumtypes.h - Drop polkit-install-missing-header.patch: fixed upstream. - Update to version 0.98: + Fix scanning of unix-process subjects + Add textual authentication agent and use it in pkexec(1) + Fix ConsoleKit interaction bug + pkexec: add --disable-internal-agent option + pkcheck: add --enable-internal-agent option + Fix wording in pkexec(1) man page + Various doc cleanups - Changes from version 0.97: + Port to GDBus + Add shadow authentication support + Remove Lock Down functionality + fdo#26982: pkexec information disclosure vulnerability + Make polkitd accept --replace and gracefully handle SIGINT + Implement polkit_temporary_authorization_new_for_gvariant() + Make NameOwnerChanged a private impl detail of the interactive authority + Add a GPermission implementation + PolkitAuthority: Implement failable initialization + PolkitAuthority: Add g_return_if_fail() checks + Add g_return_if_fail() to all public API entry points + Use polkit_authority_get_sync() instead of deprecated polkit_authority_get + PolkitBackend: Don't export unneeded convenience API + Update GI annotations + Don't dist org.freedesktop.ConsoleKit.xml. + Properly reference headers + fdo#29051: Configuration reload on every query - Drop pkexec-information-disclosure.patch: fixed upstream. - Add polkit-install-missing-header.patch to install a header that should get installed. - Remove eggdbus-devel BuildRequires. - Build with introspection support: add gobject-introspection BuildRequires and pass --enable-introspection to configure. - Fix groups of all packages to be valid groups. - use %_smp_mflags - fix pkexec information disclosure (fdo#26982, CVE-2010-0750, bnc#593959) - add baselibs.conf - new upstream release 0.96 - Bug 25367 ? Also read local authority configuration data from /etc - Run the open_session part of the PAM stack in pkexec(1) - Bug 25594 ? System logging - Properly handle return value from getpwnam_r() - Fix error message when no authentication agent is available - Make pkexec(1) validate environment variables - Make pkexec(1) use the syslogging facilities - Save original cwd in pkexec(1) since it will change during the life-time - Complain on stderr, not stdout - Don't log authorization checks - update to 0.95: The major change this release is that the lockdown feature has been cleaned up in a way so it isn't specific to the local authority. See the NEWS files for more details. - Package documentation as noarch - Add Requires on polkit to libpolkit0: all applications using libpolkit0 will really need polkit to be installed to work properly. - new upstream release 0.94 - Allow unprivileged callers to check authorizations - Don't spawn man(1) from a setuid program - Add polkit.retains_authorization_after_challenge to authz result - Ensure all fds except stdin/stdout/stderr are closed after exec(2) - Be more careful when determining process start time - Remove temporary authorization when the subject it applies to vanishes - Generate GI gir and typelibs for libpolkit-gobject-1 - drop patches which are in the release now - disable introspection - add upstream patches: polkit-close-stdfds.patch polkit-no-man-spawn.patch polkit-proc-stat-parse-fix.patch - drop rpmlint patch - check for the right binary in verify_permisisons - disable suid bit for now to get software build on top - split out libraries to follow shared library policy - update to version 0.93 - initial import of polkit 0.92 ==== python-pyasn1-modules ==== Version update (0.0.8 -> 0.0.9) - Update to upstream release 0.0.9 * More CRL data structures added (RFC3279) * Added X.509 certificate extensions map * Added X.509 attribute type map * Fix to __doc__ use in setup.py to make -O0 installation mode working * Copyright added to source files * More PEP-8'ing done on the code * Author's e-mail changed - Switch to singlespec approach ==== qemu ==== Subpackages: qemu-arm qemu-block-curl qemu-block-dmg qemu-block-iscsi qemu-block-rbd qemu-block-ssh qemu-extra qemu-ipxe qemu-ksm qemu-kvm qemu-lang qemu-ppc qemu-s390 qemu-seabios qemu-sgabios qemu-tools qemu-vgabios qemu-x86 - Use most recent compiler to build size-critical firmware, instead of hard-coding gcc6 for all target versions (bsc#1043390) * A few upstream ipxe patches were needed for gcc7 compatibility: ipxe-ath-Add-missing-break-statements.patch ipxe-mucurses-Fix-erroneous-__nonnull-attribute.patch - Add --no-renames to the git format-patch command in the git workflow script for better patch compatibility - Address various security/stability issues * Fix potential privilege escalation in virtfs (CVE-2016-9602 bsc#1020427) 0060-9pfs-local-fix-unlink-of-alien-file.patch * Fix DOS in megasas device emulation (CVE-2017-9503 bsc#1043296) 0061-megasas-do-not-read-DCMD-opcode-mor.patch 0062-megasas-always-store-SCSIRequest-in.patch * Fix DOS in qemu-nbd server (CVE-2017-9524 bsc#1043808) 0063-nbd-Fully-initialize-client-in-case.patch * Fix regression introduced by recent virtfs security fixes (bsc#1045035) 0064-9pfs-local-remove-use-correct-path-.patch - Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.9 - Backport ipxe to support FirstBurstLength (bsc#1040476) ipxe-iscsi-Always-send-FirstBurstLength-parameter.patch ==== qemu-linux-user ==== - Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.9 * Patches added: 0060-9pfs-local-fix-unlink-of-alien-file.patch 0061-megasas-do-not-read-DCMD-opcode-mor.patch 0062-megasas-always-store-SCSIRequest-in.patch 0063-nbd-Fully-initialize-client-in-case.patch 0064-9pfs-local-remove-use-correct-path-.patch - Add --no-renames to the git format-patch command in the git workflow script for better patch compatibility ==== rubygem-ruby-dbus ==== - Only build for ruby 2.1. ==== rxvt-unicode ==== - added rxvt-unicode-hardening.patch: (boo# 1036456) While urxvt is not directly affected by CVE-2017-7483. We add a patch to harden urxvt to avoid similar bugs in the future. ==== sblim-sfcb ==== - link_certificate_if_missing.patch: create clist.pem as a symlink to already existing server.pem if it does not exist. This is needed for upgrades from SLE11SP4 versions that did not use this certificate (bnc#1041885) - reintroduce symlink for legacy cmpi-provider-register for upgrades from SLE11 (bnc#1041885) ==== smuxi ==== Version update (1.0.6 -> 1.0.7) - Update to version 1.0.7: + Builds and runs correctly on Mono 5.x. + No longer crash with a SEGV or NullReferenceException when re-joining channels when running on GTK# 2.12.40. ==== util-linux ==== Subpackages: libblkid-devel libblkid1 libblkid1-32bit libfdisk1 libmount1 libmount1-32bit libsmartcols1 libuuid-devel libuuid1 libuuid1-32bit util-linux-lang - libmount: Ensure that utab.lock is always created with correct mode (bsc#1030763, util-linux-libmount-utab-lock.patch). - Fix regressions in safe loop re-use patch set for libmount not included in 2.29.2 (boo#1012504, bsc#1033236, util-linux-loop-reuse-fix-1.patch, util-linux-loop-reuse-fix-2.patch, util-linux-loop-reuse-fix-3.patch). - When when hypervisor_decode_sysfw fails continue with other detection methods (bsc#1042991, bsc#1039360, bsc#1033718) + util-linux-lscpu-cleanup-DMI-detection-return-codes.patch ==== util-linux-systemd ==== - libmount: Ensure that utab.lock is always created with correct mode (bsc#1030763, util-linux-libmount-utab-lock.patch). - Fix regressions in safe loop re-use patch set for libmount not included in 2.29.2 (boo#1012504, bsc#1033236, util-linux-loop-reuse-fix-1.patch, util-linux-loop-reuse-fix-2.patch, util-linux-loop-reuse-fix-3.patch). - When when hypervisor_decode_sysfw fails continue with other detection methods (bsc#1042991, bsc#1039360, bsc#1033718) + util-linux-lscpu-cleanup-DMI-detection-return-codes.patch ==== virt-manager ==== Subpackages: virt-install virt-manager-common - bsc#1042709 - unable to create VM with SLE4SAP SP1 over network install virtinst-fix-sle-distro-parsing.patch - bsc#1027942 - virt-manager: Missing upstream bug fixes f38c56c9-add-support-for-SMM-feature.patch 24f9d053-add-support-for-loader-secure-attribute.patch 4f8e795c-if-required-by-UEFI-enable-SMM-feature-and-set-q35-machine-type.patch b690908a-enable-secure-feature-together-with-smm-for-UEFI.patch - bsc#1027942 - virt-manager: Missing upstream bug fixes 93085d2b-reset-guest-domain-to-none-on-domain-creation-error.patch ==== vm-install ==== Version update (0.8.65 -> 0.8.67) - bsc#1024437 - vm-install interprets disk size incorrectly when used as an option to the command - Version 0.8.67 - bsc#1039333 - vm-install: Invalid syntax error - Version 0.8.66 ==== xen ==== Version update (4.9.0_07 -> 4.9.0_08) Subpackages: xen-doc-html xen-libs xen-tools xen-tools-domU - Update block-dmmd script (bsc#1002573) block-dmmd - Update to Xen 4.9.0-rc8+ (fate#321394, fate#323108) xen-4.9.0-testing-src.tar.bz2 gcc7-arm.patch - Drop gcc7-error-xenpmd.patch - Update to Xen 4.9.0-rc8 (fate#321394, fate#323108) xen-4.9.0-testing-src.tar.bz2 ==== xine-lib ==== Version update (1.2.6 -> 1.2.8) Subpackages: libxine-devel libxine2 libxine2-pulse - Update to release 1.2.8 - Remove patches fixed upstream: xine-lib-crippled-ffmpeg3.0.patch, xine-lib-ffmpeg3.0.patch and xine-lib-link-xcb.patch. - Removed precheckin_cripple_tarball.sh and integrated it into the spec file. - Upstream changes: * Add HEVC to QT demuxer. * Add libOpenHEVC decoder. * Add h.265/HEVC decoding to VAAPI. * Detach VAAPI video out from ffmpeg. * VAAPI fixes. * Improved Matroska compatibility (TrueHD and PCM sound, HDMV/Text subtitles). * Add faad LATM support. * Add faad preamp gain control and channel mixer. * Update/fix internal libfaad. * Integrate 6 basic plugins into libxine. * ffmpeg fixes and optimizations. * Use external libdvdnav by default. * Optimize video out. * AVFormat demuxer fixes. * (XCB)XV video out fixes. * Lots of small fixes and optimizations. * Build fixes (newer automake, xcb, libdvdcss, dxr3, make dist, 32+64bit dual install, gcc 4.x with GNU ld 2.26 ...). * Better C++ compatibility. * Add support for avi WAVE_FORMAT_EXTENSIBLE. * Add "Time Domain Audio Analyzer" Visualization Post Plugin. * Add support for compressed HDMV PGS subtitles in Matroska. * Add HW accelerated OSD for Raspberry Pi. * Add simple deep color (9/10bit) support via ffmpeg. * Join 15 video demuxers into a single multiplugin lib. * Join 5 vdpau decoders into a single multiplugin lib. * Join 3 raw video decoders into a single multiplugin lib. * Make ffmpeg/postproc optional. * Log individual items when loading multiplugin libs. * Improved qt/mp4 edit list handling. * Detect mp3 files with large id3v2 tags. * Auto recover from temporary DVB signal loss. * Fix demuxing low framerate mp4. * DVB AAC sound compatibility fix. * ffmpeg audio downmix level fix and optimization. * ffmpeg multithreading fixes. * ffmpeg compatibility fixes. * BluRay subtitle fixes. * Various small fixes. * OpenGL(2) video out fixes and optimizations. * Fix some issues with heavy stream seeking. * Build fixes, including missing vcd libs and much less warnings. * Code simplifications. - fix build with ImageMagick 7 + xine-lib-ImageMagick7.patch ==== xine-ui ==== - Add reproducible.patch to make build fully reproducible by not having variations in mime type order in .desktop file - Fix desktop file with xine-ui-desktop.patch ==== xorg-x11-server ==== Subpackages: xorg-x11-server-extra xorg-x11-server-sdk - U_Use-timingsafe_memcmp-to-compare-MIT-MAGIC-COOKIES-C.patch * Prevent timing attack against MIT cookie. (CVE-2017-2624, bnc#1025029) - U_Use-arc4random_buf-3-if-available-to-generate-cookie.patch/ U_Brown-bag-commit-to-fix-957e8d-arc4random_buf-suppor.patch * Use arc4random to generate cookies. (bnc#1025084) - U_auth-remove-AuthToIDFunc-and-associated-functions.-N.patch * Remove unused function with use-after-free issue. (bnc#1025035) ==== yast2-bootloader ==== Version update (3.2.21 -> 3.2.22) - Use udev device for prep partition if it is available (bsc#1041692) - 3.2.22 ==== yast2-installation ==== - install the yast2-registration package only in SLE (bsc#1043122) - 3.2.45 ==== yast2-kdump ==== Version update (3.2.4 -> 3.2.6) - Fixed regular expression that verifies alloc_mem parameter (bsc#1045098). - 3.2.6 - The alloc_mem parameter is verified to be in accordance with documentation (bsc#1045098). - Pop-up is suppressed from command line when the user enables or disables kdump (bsc#1045103). - 3.2.5 ==== yast2-trans ==== Version update (84.87.20170607.40033d88 -> 84.87.20170618.0f9396fd) Subpackages: yast2-trans-af yast2-trans-ar yast2-trans-bg yast2-trans-bn yast2-trans-bs yast2-trans-ca yast2-trans-cs yast2-trans-cy yast2-trans-da yast2-trans-de yast2-trans-el yast2-trans-en_GB yast2-trans-en_US yast2-trans-es yast2-trans-et yast2-trans-fa yast2-trans-fi yast2-trans-fr yast2-trans-gl yast2-trans-gu yast2-trans-hi yast2-trans-hr yast2-trans-hu yast2-trans-id yast2-trans-it yast2-trans-ja yast2-trans-jv yast2-trans-ka yast2-trans-km yast2-trans-ko yast2-trans-lo yast2-trans-lt yast2-trans-mk yast2-trans-mr yast2-trans-nb yast2-trans-nl yast2-trans-pa yast2-trans-pl yast2-trans-pt yast2-trans-pt_BR yast2-trans-ro yast2-trans-ru yast2-trans-si yast2-trans-sk yast2-trans-sl yast2-trans-sr yast2-trans-sv yast2-trans-ta yast2-trans-th yast2-trans-tr yast2-trans-uk yast2-trans-vi yast2-trans-wa yast2-trans-xh yast2-trans-zh_CN yast2-trans-zh_TW yast2-trans-zu - Update to version 84.87.20170618.0f9396fd: * New POT for text domain 'autoinst'. * New POT for text domain 'base'. * New POT for text domain 'control'. * New POT for text domain 'firewall'. * New POT for text domain 'registration'. * New POT for text domain 'samba-client'. * New POT for text domain 'storage-ng'. * New POT for text domain 'support'. * Translated using Weblate (Arabic) * Translated using Weblate (Catalan) * Translated using Weblate (Chinese (Taiwan)) * Translated using Weblate (Danish) * Translated using Weblate (Dutch) * Translated using Weblate (French) * Translated using Weblate (German) * Translated using Weblate (Indonesian) * Translated using Weblate (Italian) * Translated using Weblate (Japanese) * Translated using Weblate (Kabyle) * Translated using Weblate (Lithuanian) * Translated using Weblate (Portuguese (Brazil)) * Translated using Weblate (Russian) * Translated using Weblate (Slovak) * Translated using Weblate (Spanish) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org