May 2022 - openSUSE Kubic - openSUSE Mailing Lists

Notify desktop users about updates and needed reboots
by Luca Di Maio 27 Jul '22

27 Jul '22

Hi all, as discussed on the matrix channel, there is the need for MicroOS Desktop users to be notified about needed reboots for updates. Brainstorming about it one of the solutions could be: 1 - reintroduce transactional-update.timer 2 - set up rebootmgr to work well with desktop workloads 3 - notify the user that the system is updated and a reboot is needed 4 - nice-to-have: if I click the notification it calls the native reboot prompt of the installed DE. What I'm proposing now is just a proof of concept. As a starting idea, I've thought about patching rebootmgr to have a new strategy: notify Here is the patched rebootmgr: https://github.com/89luca89/rebootmgr/tree/feature/add_notify_strategy The patch consists in adding the strategy to rebootmgrctl and rebootmgrd. The new strategy should consist in notifying the user with a dbus notification. The problem that came up is that I couldn't find a way for a root service to de-privilege itself to use the user's dbus-session, I had various errors about DISPLAY variable, xauth and so on. To work around it, I thought of creating an user-running service (systemctl --user), that would open a file socket in /run/user/$ID/ that would receive the command to launch the notification. You can find the example daemon here (very example...): https://gist.github.com/89luca89/bd78f5e716a7bd9206f802756e6c10de So you would have: t-u -> rebootmgrctl reboot -> dbus message to -> reboomgrd -> contact file socket -> user_notification_daemon The routine I've added to the rebootmgrd should find all the active sockets for all users and contact all of them so that all users are notified about the update. I'd like to have a feedback on the implementation, I'm 100% sure there is a lot to improve and I'm surely missing something on that user's dbus-session issue I had. As it stands now this proof of concept is working right now on my installation. Thanks, 89luca89

4 11

New MicroOS snapshot 20220530 released!
by Richard Brown 01 Jun '22

01 Jun '22

Please note that this mail was generated by a script. The described changes are computed based on the x86_64 DVD. The full online repo contains too many changes to be listed here. Please check the known defects of this snapshot before upgrading: https://openqa.opensuse.org/tests/overview?distri=microos&groupid=1&version… https://bugzilla.opensuse.org/buglist.cgi?product=openSUSE%20Tumbleweed&com… Please do not reply to this email to report issues, rather file a bug on bugzilla.opensuse.org. For more information on filing bugs please see https://en.opensuse.org/openSUSE:Submitting_bug_reports Packages changed: boost-base google-noto-fonts (20220516 -> 20220524) libidn2 llvm14 (14.0.3 -> 14.0.4) python-packaging update-alternatives (1.21.1 -> 1.21.8) vim (8.2.4877 -> 8.2.5038) === Details === ==== boost-base ==== Subpackages: boost-license1_79_0 libboost_thread1_79_0 - Fix failing conversion of cpp_dec_float to double, depending on locale (gh#boostorg/multiprecision#464, boo#1199968). Add boost-mp-locale-fix.patch ==== google-noto-fonts ==== Version update (20220516 -> 20220524) - Switch back to hinted ttf as unhinted otf causes blurring (boo#1199938) - Add obsoletes and provides for: - noto-mono-fonts: Got merged into noto-sans-mono-fonts - noto-sans-syriac* variants: Got merged into noto-sans-syriac-fonts - noto-sans-tibetan-fonts: Got renamed to noto-serif-tibetan-fonts - Update to version 20220524 - Updated Noto Sans Myanmar and Noto Sans Tangsa Fonts ==== libidn2 ==== - Refresh libidn2.keyring ==== llvm14 ==== Version update (14.0.3 -> 14.0.4) - Update to version 14.0.4. * This release contains bug-fixes for the LLVM 14.0.0 release. This release is API and ABI compatible with 14.0.0. - Don't use gold for linking anymore: on s390x we use ld.bfd with LLVMgold.so, on ppc64 we disable ThinLTO for now. - Using ld.bfd on s390x exposed an issue with the existing llvm_build_tablegen_component_as_shared_library.patch: linking llvm-tblgen with libLLVM.so means we also have to link libraries used for that (like LLVMTableGenGlobalISel) with libLLVM.so. - Rewrite summary and description for llvm-gold to point out that it can also be used with ld.bfd, recommend with binutils. - Prefer RPM macros over shell scripting, so that we can better inspect the build script with substitutions in place. - More memory for stage 1 build jobs due to recent OOMs. - Add %_libclang_sonum RPM macro to llvm-devel, since that might now diverge from %_llvm_sonum. - Rebase llvm-do-not-install-static-libraries.patch. ==== python-packaging ==== - Add patch to fix testsuite on big-endian targets + fix-big-endian-build.patch ==== update-alternatives ==== Version update (1.21.1 -> 1.21.8) - version update to 1.21.8 * fix CVE-2022-1664 [bsc#1199944], dpkg -- security update * lot of changes, see changelog - modified patches % update-alternatives-suse.patch (refreshed) ==== vim ==== Version update (8.2.4877 -> 8.2.5038) Subpackages: vim-data-common vim-small - Updated to version 8.2.5038, fixes the following problems * Valgrind warning for using uninitialized variable. * Screendump test may fail when using valgrind. * Vim9: misplaced elseif causes invalid memory access. * "P" in Visual mode still changes some registers. * Cannot make 'breakindent' use a specific column. * String interpolation only works in heredoc. * Test fails without the job/channel feature. (Dominique Pellé) * Test fails with the job/channel feature. * Vim9: redir in skipped block seen as assignment. * Channel log does not show invoking a timer callback. * Line number of lambda ignores line continuation. * Inconsistent capitalization in error messages. * Vim help presentation could be better. * Test failures because of changed error messages. * Distributed import files are not installed. * Buffer overflow with invalid command with composing chars. * Expression in command block does not look after NL when command is typed. * Comment inside an expression in lambda ignores the rest of the expression. * Coverity complains about pointer usage. * With latin1 encoding CTRL-W might go before the start of the command line. * Vim9 expression test fails without the job feature. * NULL pointer access when using invalid pattern. * Mouse wheel scrolling is inconsistent. * Cannot get the current cmdline completion type and position. * codecov includes MS-Windows install files. * codecov includes MS-Windows install header file. * Some users do not want a line comment always inserted. * No text formatting for // comment after a statement. * MODE_ enum entries names are too generic. * Imperfect coding. * The mode #defines are not clearly named. * Using execute() to define a lambda doesn't work. (Ernie Rael) * Popup_hide() does not always have effect. * String interpolation in :def function may fail. * Sometimes the cursor is in the wrong position. * Mouse in Insert mode test fails. * Fuzzy expansion of option names is not right. * Conceal character from matchadd() displayed too many times. * Can add invalid bytes with :spellgood. * Spell test fails because of new illegal byte check. * Mouse test fails on MS-Windows. * Test checks for terminal feature unnecessarily. * maparg() may return a string that cannot be reused. * Trailing backslash may cause reading past end of line. * #ifdef for crypt feature around too many lines. * Return type of remove() incorrect when using three arguments. * Various white space and cosmetic mistakes. * Off-by-one error in in statusline item. * Interpolated string expression requires escaping. * Crash with sequence of Perl commands. * Not easy to filter the output of maplist(). * A few more capitalization mistakes in error messages. * String interpolation fails when not evaluating. * With 'foldmethod' "indent" some lines are not included in the fold. (Oleg Koshovetc) * No test for what 8.2.4931 fixes. * Crash when matching buffer with invalid pattern. * matchfuzzypos() with "matchseq" does not have all positions. * Some code is never used. * '[ and '] marks may be wrong after undo. * Error when setting 'filetype' in help file again. * Changing 'switchbuf' may have no effect. * Text properties are wrong after "cc". (Axel Forsman) * Inconsistent use of white space. * Vim9: some code not covered by tests. * Text properties not adjusted when accepting spell suggestion. * Cannot use Perl heredoc in nested :def function. (Virginia Senioria) * Vim9: some code not covered by tests. * Text properties position wrong after shifting text. * Smart indenting done when not enabled. * GUI test will fail if color scheme changes. * With 'smartindent' inserting '}' after completion goes wrong. * Inserting line breaks text property spanning more then one line. * Text property in wrong position after auto-indent. * Reading past end of line with "gf" in Visual block mode. * Text properties in a wrong position after a block change. * A couple conditions are always true. * Using NULL regexp program. * Text properties that cross line boundary are not correctly updated for a deleted line. * Build error with a certain combination of features. * Files show up in git status. * Expanding path with "/**" may overrun end of buffer. * GUI: testing mouse move event depends on screen cell size. * Changing text in Visual mode may cause invalid memory access. * "eval 123" gives an error, "eval 'abc'" does not. * Vim9: interpolated string seen as range. * Vim9: compilation fails when using dict member when skipping. * Vim9: type error for list unpack mentions argument. * ":so" command may read after end of buffer. * Recursive command line loop may cause a crash. * Coverity complains about not restoring a saved value. * Memory access error when substitute expression changes window. * No error if engine selection atom is not at the start. * Accessing freed memory when line is flushed. * When 'shortmess' contains 'A' loading a session may still warn for an existing swap file. (Melker Österberg) * It is not possible to manipulate autocommands. * Colors in terminal window are not 100% correct. * Colors test fails in the GUI. * Dragging statusline fails for window with winbar. * PVS warns for possible array underrun. * Some github actions are outdated. * After deletion a small fold may be closable. * Textprop in wrong position when replacing multi-byte chars. * Cannot specify a function name for :defcompile. * Memory leak when :defcompile fails. * No test for hwat patch 8.1.0535 fixes. * Compiler warning for possibly uninitialized variable. (Tony Mechelynck) * smart/C/lisp indenting is optional, which makes the code more complex, while it only reduces the executable size a bit. * Tests are using legacy functions. * Still a compiler warning for possibly uninitialized variable. (Tony Mechelynck) * setbufline() may change Visual selection. (Qiming Zhao) * Python: changing hidden buffer can cause the display to be messed up. * Vim9: crash when using multiple funcref(). * Filetype test table is not properly sorted. * Checking translations affects the search pattern history. * deletebufline() may change Visual selection. * Cannot do bitwise shifts. * Right shift on negative number does not work as documented. * Compiler warning for uninitialized variable. (John Marriott) * Asan warns for undefined behavior. * Spell suggestion may use uninitialized memory. (Zdenek Dohnal) * When 'formatoptions' contains "/" wrongly wrapping a long trailing comment. * Fold may not be closeable after appending. * The terminal debugger uses various global variables. * Replacing an autocommand requires several lines. * Cannot select one character inside (). * After text formatting the cursor may be in an invalid position. * Byte offsets are wrong when using text properties. * Hoon and Moonscript files are not recognized. * Access before start of text with a put command. * Gcc 12.1 warns for uninitialized variable. * Vim9: some code is not covered by tests. * Cannot get the first screen column of a character. * Using 'imstatusfunc' and 'imactivatefunc' breaks 'foldopen'. * Build fails with normal features and +terminal. (Dominique Pellé) * 'completefunc'/'omnifunc' error does not end completion. * Substitute overwrites allocated buffer. * Using freed memory with "]d". * Vim9: a few lines not covered by tests. * Error for missing :endif when an exception was thrown. (Dani Dickstein) * Syntax regexp matching can be slow. * "textlock" is always zero. * autocmd_add() can only handle one event and pattern. * Cannot easily run the benchmarks. * Python 3 test fails without the GUI. * Build error with +eval but without +quickfix. Warning for uninitialized variable. * There is no way to get the byte index from a virtual column. * When splitting a window the changelist position moves. * Using two counters for timeout check in NFA engine. * Cursor position may be invalid after "0;" range. * A finished terminal in a popup window does not show a scrollbar.

1 0

New ARM MicroOS snapshot 20220528 released!
by Guillaume Gardet 31 May '22

31 May '22

Please note that this mail was generated by a script. The described changes are computed based on the aarch64 DVD. The full online repo contains too many changes to be listed here. Please check the known defects of this snapshot before upgrading: https://openqa.opensuse.org/tests/overview?distri=microos&groupid=3&version… https://bugzilla.opensuse.org/buglist.cgi?product=openSUSE%20Tumbleweed&com… Please do not reply to this email to report issues, rather file a bug on bugzilla.opensuse.org. For more information on filing bugs please see https://en.opensuse.org/openSUSE:Submitting_bug_reports Packages changed: Mesa Mesa-drivers NetworkManager PackageKit (1.2.4 -> 1.2.5) augeas bash-completion chrony gnome-keyring (40.0 -> 42.1) gnutls (3.7.5 -> 3.7.4) gpg2 grep grub2 harfbuzz (4.2.1 -> 4.3.0) kdsoap keylime (6.3.2 -> 6.4.0) libopenmpt (0.6.2 -> 0.6.3) libunwind logrotate (3.19.0 -> 3.20.1) mobile-broadband-provider-info (20220315 -> 20220511) osinfo-db (20220214 -> 20220516) podman polkit-default-privs (1550+20220404.7b4bea2 -> 1550+20220524.0345bd9) python-cryptography (36.0.2 -> 37.0.2) python-psutil (5.9.0 -> 5.9.1) qemu runc wayland webkit2gtk3 (2.36.1 -> 2.36.2) webkit2gtk3-soup2 (2.36.1 -> 2.36.2) xmlsec1 (1.2.33 -> 1.2.34) xwayland (22.1.1 -> 22.1.2) yast2 (4.5.3 -> 4.5.4) === Details === ==== Mesa ==== Subpackages: Mesa-libEGL1 Mesa-libGL1 Mesa-libglapi0 libgbm1 - buildrequire DirectX-Headers only on %{ix86} x86_64, since it's only relevant on these platforms - Calling patch with '-p1' (as the others are) so 'git show' .patch output works. - Generating 'n_stop-iris-flicker.patch' from 'git format-patch' vs. a standard diff. - Fixing up 'stop-iris-flicker.patch' patch name to follow standards. ==== Mesa-drivers ==== Subpackages: Mesa-dri Mesa-gallium - buildrequire DirectX-Headers only on %{ix86} x86_64, since it's only relevant on these platforms - Calling patch with '-p1' (as the others are) so 'git show' .patch output works. - Generating 'n_stop-iris-flicker.patch' from 'git format-patch' vs. a standard diff. - Fixing up 'stop-iris-flicker.patch' patch name to follow standards. ==== NetworkManager ==== Subpackages: NetworkManager-wwan libnm0 typelib-1_0-NM-1_0 - Fold NetworkManager-wifi back into the main package: The dep chain is not really different and it causes too many problems for users having that split. Not worth the pain (boo#1199710, boo#1199706). - As a consequence, also drop the recommends fro the main package to -wifi. ==== PackageKit ==== Version update (1.2.4 -> 1.2.5) Subpackages: PackageKit-backend-dnf libpackagekit-glib2-18 typelib-1_0-PackageKitGlib-1_0 - Update to version 1.2.5: + Backends: - dnf: . Add support for autoremove flag when removing packages. . Searches by name and package details should be case insensitive. . Update appstream xml files if dnf_sack_add_repos() does the download. - zypp: . Add -std=c++1z cpp flags. . Fix crash when search string is NULL. . Fix package installation using undefined data. - Changes to alpm, apttcc, nix, and slack. + Bugfixes: - Install offline-update enablement symlink if Meson is new enough. - Move Wants= line for network-online.target. - Add flags to D-Bus offline invoking methods. - Properly handle allow-reinstall flag for installations. - Provide better error message if trying to install an installed package. - Wait until online to activate systemd service. - Drop 505.patch, PackageKit-zypp-c++17.patch, and PackageKit-zypp-fix-crash-with-empty-search-string.patch: fixed upstream. ==== augeas ==== - Employ shared library packaging guideline and resolve this rpmlint report: "libaugeas0.x86_64: E: shlib-policy-name-error SONAME: libfa.so.1, expected package suffix: 1" [boo#1191749] ==== bash-completion ==== - Add patch bsc1199724-modules.patch (bsc#1199724) * Enable upstream commit to list ko.zst modules as well ==== chrony ==== Subpackages: chrony-pool-openSUSE - Moved 20-chrony file from user specif directory /etc/NetworkManager/dispatcher.d to vendor specific directory /usr/lib/NetworkManager/dispatcher.d. So, users changes can still be done in /etc and will not be overwritten by an update. ==== gnome-keyring ==== Version update (40.0 -> 42.1) Subpackages: gnome-keyring-pam libgck-modules-gnome-keyring - Update to version 42.1: + daemon: Add files to EXTRA_DIST to fix distcheck. - Changes from version 42.0: + secret-portal: Properly check the default keyring. + Build fixes. + ssh-agent: Fix crash by uninitialized GMutex. + fix looping off the end of the operations array. + readme: Mention libsecret instead of deprecated libgnome-keyring. + daemon: Make it systemd-activatable through the control socket. + Updated translations. - Add pkgcondfig(systemd) and pkgconfig(libsystemd) BuildRequires: new dependencies. ==== gnutls ==== Version update (3.7.5 -> 3.7.4) - disable kcapi usage for now, as kernel-obs-build not adjusted to contain the algorithms. bsc#1189283 - FIPS: Additional PBKDF2 requirements for KAT [bsc#1184669] * The IG 10.3.A and SP800-132 require some minimum parameters for the salt length, password length and iteration count. These parameters should be also used in the KAT. * Add gnutls-FIPS-PBKDF2-KAT-requirements.patch - Enable to run the regression tests also in FIPS mode. - Update to 3.7.4: * libgnutls: Added support for certificate compression as defined in RFC8879. * certtool: Added option --compress-cert that allows user to specify compression methods for certificate compression. * libgnutls: GnuTLS can now be compiled with --enable-strict-x509 configure option to enforce stricter certificate sanity checks that are compliant with RFC5280. * libgnutls: Removed IA5String type from DirectoryString within issuer and subject name to make DirectoryString RFC5280 compliant. * libgnutls: Added function to retrieve the name of current ciphersuite from session. * Bump libgnutlsxx soname due to ABI break * API and ABI modifications: - GNUTLS_COMP_BROTLI: New gnutls_compression_method_t enum member - GNUTLS_COMP_ZSTD: New gnutls_compression_method_t enum member - gnutls_compress_certificate_get_selected_method: Added - gnutls_compress_certificate_set_methods: Added * Update gnutls.keyring - build with lto - build with -Wl,-z,now -Wl,-z,relro - build without -fanalyzer, which cuts build time in ~ half - Update to 3.7.3: [bsc#1190698, bsc#1190796] * libgnutls: The allowlisting configuration mode has been added to the system-wide settings. In this mode, all the algorithms are initially marked as insecure or disabled, while the applications can re-enable them either through the [overrides] section of the configuration file or the new API (#1172). * The build infrastructure no longer depends on GNU AutoGen for generating command-line option handling, template file parsing in certtool, and documentation generation (#773, #774). This change also removes run-time or bundled dependency on the libopts library, and requires Python 3.6 or later to regenerate the distribution tarball. Note that this brings in known backward incompatibility in command-line tools, such as long options are now case sensitive, while previously they were treated in a case insensitive manner: for example --RSA is no longer a valid option of certtool. The existing scripts using GnuTLS tools may need adjustment for this change. * libgnutls: The tpm2-tss-engine compatible private blobs can be loaded and used as a gnutls_privkey_t (#594). The code was originally written for the OpenConnect VPN project by David Woodhouse. To generate such blobs, use the tpm2tss-genkey tool from tpm2-tss-engine: https://github.com/tpm2-software/tpm2-tss-engine/#rsa-operations or the tpm2_encodeobject tool from unreleased tpm2-tools. * libgnutls: The library now transparently enables Linux KTLS (kernel TLS) when the feature is compiled in with --enable-ktls configuration option (#1113). If the KTLS initialization fails it automatically falls back to the user space implementation. * certtool: The certtool command can now read the Certificate Transparency (RFC 6962) SCT extension (#232). New API functions are also provided to access and manipulate the extension values. * certtool: The certtool command can now generate, manipulate, and evaluate x25519 and x448 public keys, private keys, and certificates. * libgnutls: Disabling a hashing algorithm through "insecure-hash" configuration directive now also disables TLS ciphersuites that use it as a PRF algorithm. * libgnutls: PKCS#12 files are now created with modern algorithms by default (!1499). Previously certtool used PKCS12-3DES-SHA1 for key derivation and HMAC-SHA1 as an integity measure in PKCS#12. Now it uses AES-128-CBC with PBKDF2 and SHA-256 for both key derivation and MAC algorithms, and the default PBKDF2 iteration count has been increased to 600000. * libgnutls: PKCS#12 keys derived using GOST algorithm now uses HMAC_GOSTR3411_2012_512 instead of HMAC_GOSTR3411_2012_256 for integrity, to conform with the latest TC-26 requirements (#1225). * libgnutls: The library now provides a means to report the status of approved cryptographic operations (!1465). To adhere to the FIPS140-3 IG 2.4.C., this complements the existing mechanism to prohibit the use of unapproved algorithms by making the library unusable state. * gnutls-cli: The gnutls-cli command now provides a --list-config option to print the library configuration (!1508). * libgnutls: Fixed possible race condition in gnutls_x509_trust_list_verify_crt2 when a single trust list object is shared among multiple threads (#1277). [GNUTLS-SA-2022-01-17, CVSS: low] * API and ABI modifications: GNUTLS_PRIVKEY_FLAG_RSA_PSS_FIXED_SALT_LENGTH: new flag in gnutls_privkey_flags_t GNUTLS_VERIFY_RSA_PSS_FIXED_SALT_LENGTH: new flag in gnutls_certificate_verify_flags gnutls_ecc_curve_set_enabled: Added. gnutls_sign_set_secure: Added. gnutls_sign_set_secure_for_certs: Added. gnutls_digest_set_secure: Added. gnutls_protocol_set_enabled: Added. gnutls_fips140_context_init: New function gnutls_fips140_context_deinit: New function gnutls_fips140_push_context: New function gnutls_fips140_pop_context: New function gnutls_fips140_get_operation_state: New function gnutls_fips140_operation_state_t: New enum gnutls_transport_is_ktls_enabled: New function gnutls_get_library_configuration: New function * Remove patches fixed in the update: - gnutls-FIPS-module-version.patch - gnutls-FIPS-service-indicator.patch - gnutls-FIPS-service-indicator-public-key.patch - gnutls-FIPS-service-indicator-symmetric-key.patch - gnutls-FIPS-RSA-PSS-flags.patch - gnutls-FIPS-RSA-mod-sizes.patch - FIPS: Fix regression tests in fips and non-fips mode [bsc#1194468] * Add gnutls-FIPS-disable-failing-tests.patch * Remove patches: - gnutls-temporarily_disable_broken_guile_reauth_test.patch - disable-psk-file-test.patch - FIPS: Provide module identifier and version [bsc#1190796] * Add configurable options to output the module name/identifier (--with-fips140-module-name) and the module version (--with-fips140-module-version). * Add the CLI option list-config that reports the configuration of the library. * Add gnutls-FIPS-module-version.patch - FIPS: Provide a service-level indicator [bsc#1190698] * Add support for a "service indicator" as required in the FIPS140-3 Implementation Guidance in section 2.4.C * Add patches: - gnutls-FIPS-service-indicator.patch - gnutls-FIPS-service-indicator-public-key.patch - gnutls-FIPS-service-indicator-symmetric-key.patch - gnutls-FIPS-RSA-PSS-flags.patch - FIPS: RSA KeyGen/SigGen fail with 4096 bit key sizes [bsc#1192008] * fips: allow more RSA modulus sizes * Add gnutls-FIPS-RSA-mod-sizes.patch * Delete gnutls-3.6.7-fips-rsa-4096.patch - Drop bogus condition "> 1550": that would mean 'more recent than Tumbleweed' which is technically impossible, as Tumbleweed is the leading project (and the condition causes issues as Tumbleweed needs to move away from 1550 due to CODE 15 SP5 plans). - Add crypto-policies support for Leap and SLE 15.4 [jsc#SLE-20287] - Add DANE guards - Remove gnutls-temporarily_disable_broken_guile_reauth_test.patch since its already working. - Update to version 3.7.2 * Added Linux kernel AF_ALG based acceleration * Fixed timing of early data exchange * The priority string option DISABLE_TLS13_COMPAT_MODE was added to disable TLS 1.3 middlebox compatibility mode * The GNUTLS_NO_EXPLICIT_INIT envvar has been renamed to GNUTLS_NO_IMPLICIT_INIT to reflect the purpose * certtool: * When signing a CSR, CRL distribution point (CDP) is no longer copied from the signing CA by default * When producing certificates and certificate requests, subject DN components that are provided individually will now be ordered by assumed scale - Rework the crypto-policies dependencies in libraries [bsc#1186385] - Compute the FIPS hmac file without re-defining the __os_install_post macro, use the brp-50-generate-fips-hmac script instead. [bsc#1184555] - Require the main package in devel and lib packages as the default priorities are now set via crypto-policies. [bsc#1183082] - Update to 3.7.1: [bsc#1183456, CVE-2021-20232] [bsc#1183457, CVE-2021-20231] * Fixed potential use-after-free in sending "key_share" and "pre_shared_key" extensions. * Fixed a regression in handling duplicated certs in a chain. * Fixed sending of session ID in TLS 1.3 middlebox compatibility mode. In that mode the client shall always send a non-zero session ID to make the handshake resemble the TLS 1.2 resumption; this was not true in the previous versions. * Removed dependency on the external 'fipscheck' package, when compiled with --enable-fips140-mode. * Added padlock acceleration for AES-192-CBC. - Remove patches upstream: * gnutls-gnutls-cli-debug.patch * gnutls-ignore-duplicate-certificates.patch * gnutls-test-fixes.patch - Fix the test suite for tests/gnutls-cli-debug.sh [bsc#1171565] * Don't unset system priority settings in gnutls-cli-debug.sh * Upstream: gitlab.com/gnutls/gnutls/merge_requests/1387 - Add gnutls-gnutls-cli-debug.patch - Fix: Test certificates in tests/testpkcs11-certs have expired * Upstream bug: gitlab.com/gnutls/gnutls/issues/1135 - Add gnutls-test-fixes.patch - gnutls_x509_trust_list_verify_crt2: ignore duplicate certificates * Upstream bug: https://gitlab.com/gnutls/gnutls/issues/1131 - Add gnutls-ignore-duplicate-certificates.patch - Update to 3.7.0 * Depend on nettle 3.6 * Added a new API that provides a callback function to retrieve missing certificates from incomplete certificate chains * Added a new API that provides a callback function to output the complete path to the trusted root during certificate chain verification * OIDs exposed as gnutls_datum_t no longer account for the terminating null bytes, while the data field is null terminated. The affected API functions are: gnutls_ocsp_req_get_extension, gnutls_ocsp_resp_get_response, and gnutls_ocsp_resp_get_extension * Added a new set of API to enable QUIC implementation * The crypto implementation override APIs deprecated in 3.6.9 are now no-op * Added MAGMA/KUZNYECHIK CTR-ACPKM and CMAC support * Support for padlock has been fixed to make it work with Zhaoxin CPU * The maximum PIN length for PKCS #11 has been increased from 31 bytes to 255 bytes - Remove patch fixed upstream: * gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch - Add version guards for the crypto-policies package - Fix threading bug in libgnutls [bsc#1173434] * Upstream bug: gitlab.com/gnutls/gnutls/issues/1044 - Require the crypto-policies package [bsc#1180051] - Use the centralized crypto policy profile (jsc#SLE-15832) - FIPS: Use 2048 bit prime in DH selftest (bsc#1176086) * add gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch - FIPS: Add TLS KDF selftest (bsc#1176671) * add gnutls-FIPS-TLS_KDF_selftest.patch - Escape rpm command %%expand when used in comment. - Update to 3.6.15 * libgnutls: Fixed "no_renegotiation" alert handling at incorrect timing. [GNUTLS-SA-2020-09-04, CVSS: medium] * libgnutls: If FIPS self-tests are failed, gnutls_fips140_mode_enabled() now indicates that with a false return value (!1306). * libgnutls: Under FIPS mode, the generated ECDH/DH public keys are checked accordingly to SP800-56A rev 3 (!1295, !1299). * libgnutls: gnutls_x509_crt_export2() now returns 0 upon success, rather than the size of the internal base64 blob (#1025). * libgnutls: Certificate verification failue due to OCSP must-stapling is not honered is now correctly marked with the GNUTLS_CERT_INVALID flag * libgnutls: The audit log message for weak hashes is no longer printed twice * libgnutls: Fixed version negotiation when TLS 1.3 is enabled and TLS 1.2 is disabled in the priority string. Previously, even when TLS 1.2 is explicitly disabled with "-VERS-TLS1.2", the server still offered TLS 1.2 if TLS 1.3 is enabled (#1054). - drop upstreamed patches: * gnutls-detect_nettle_so.patch * 0001-crypto-api-always-allocate-memory-when-serializing-i.patch - Correctly detect gmp, nettle, and hogweed libraries (bsc#1172666) * add gnutls-detect_nettle_so.patch - Fix a memory leak that could lead to a DoS attack against Samba servers (bsc#1172663) * add 0001-crypto-api-always-allocate-memory-when-serializing-i.patch - Temporarily disable broken guile reauth test (bsc#1171565) * add gnutls-temporarily_disable_broken_guile_reauth_test.patch - Update to 3.6.14 * libgnutls: Fixed insecure session ticket key construction, since 3.6.4. The TLS server would not bind the session ticket encryption key with a value supplied by the application until the initial key rotation, allowing attacker to bypass authentication in TLS 1.3 and recover previous conversations in TLS 1.2 (#1011). (bsc#1172506, CVE-2020-13777) [GNUTLS-SA-2020-06-03, CVSS: high] * libgnutls: Fixed handling of certificate chain with cross-signed intermediate CA certificates (#1008). (bsc#1172461) * libgnutls: Fixed reception of empty session ticket under TLS 1.2 (#997). * libgnutls: gnutls_x509_crt_print() is enhanced to recognizes commonName (2.5.4.3), decodes certificate policy OIDs (!1245), and prints Authority Key Identifier (AKI) properly (#989, #991). * certtool: PKCS #7 attributes are now printed with symbolic names (!1246). * libgnutls: Use accelerated AES-XTS implementation if possible (!1244). Also both accelerated and non-accelerated implementations check key block according to FIPS-140-2 IG A.9 (!1233). * libgnutls: Added support for AES-SIV ciphers (#463). * libgnutls: Added support for 192-bit AES-GCM cipher (!1267). * libgnutls: No longer use internal symbols exported from Nettle (!1235) * API and ABI modifications: GNUTLS_CIPHER_AES_128_SIV: Added GNUTLS_CIPHER_AES_256_SIV: Added GNUTLS_CIPHER_AES_192_GCM: Added gnutls_pkcs7_print_signature_info: Added - Add key D605848ED7E69871: public key "Daiki Ueno <ueno(a)unixuser.org>" to the keyring - Drop gnutls-fips_correct_nettle_soversion.patch (upstream) - Use correct nettle .so version when looking for a FIPS checksum (bsc#1166635) * add gnutls-fips_correct_nettle_soversion.patch - Update to 3.6.13 * libgnutls: Fix a DTLS-protocol regression (caused by TLS1.3 support) The DTLS client would not contribute any randomness to the DTLS negotiation, breaking the security guarantees of the DTLS protocol (#960) [GNUTLS-SA-2020-03-31, CVSS: high] (bsc#1168345) * libgnutls: Added new APIs to access KDF algorithms (#813). * libgnutls: Added new callback gnutls_keylog_func that enables a custom logging functionality. * libgnutls: Added support for non-null terminated usernames in PSK negotiation (#586). * gnutls-cli-debug: Improved support for old servers that only support SSL 3.0. - Split off FIPS checksums into a separate libgnutls30-hmac subpackage (bsc#1152692) - gnutls 3.6.12 * libgnutls: Introduced TLS session flag (gnutls_session_get_flags()) to identify sessions that client request OCSP status request (#829). * libgnutls: Added support for X448 key exchange (RFC 7748) and Ed448 signature algorithm (RFC 8032) under TLS (#86). * libgnutls: Added the default-priority-string option to system configuration; it allows overriding the compiled-in default-priority-string. * libgnutls: Added support for GOST CNT_IMIT ciphersuite (as defined by draft-smyshlyaev-tls12-gost-suites-07). By default this ciphersuite is disabled. It can be enabled by adding +GOST to priority string. In the future this priority string may enable other GOST ciphersuites as well. Note, that server will fail to negotiate GOST ciphersuites if TLS 1.3 is enabled both on a server and a client. It is recommended for now to disable TLS 1.3 in setups where GOST ciphersuites are enabled on GnuTLS-based servers. * libgnutls: added priority shortcuts for different GOST categories like CIPHER-GOST-ALL, MAC-GOST-ALL, KX-GOST-ALL, SIGN-GOST-ALL, GROUP-GOST-ALL. * libgnutls: Reject certificates with invalid time fields. That is we reject certificates with invalid characters in Time fields, or invalid time formatting To continue accepting the invalid form compile with --disable-strict-der-time * libgnutls: Reject certificates which contain duplicate extensions. We were previously printing warnings when printing such a certificate, but that is not always sufficient to flag such certificates as invalid. Instead we now refuse to import them (#887). * libgnutls: If a CA is found in the trusted list, check in addition to time validity, whether the algorithms comply to the expected level prior to accepting it. This addresses the problem of accepting CAs which would have been marked as insecure otherwise (#877). * libgnutls: The min-verification-profile from system configuration applies for all certificate verifications, not only under TLS. The configuration can be overriden using the GNUTLS_SYSTEM_PRIORITY_FILE environment variable. * libgnutls: The stapled OCSP certificate verification adheres to the convention used throughout the library of setting the 'GNUTLS_CERT_INVALID' flag. * libgnutls: On client side only send OCSP staples if they have been requested by the server, and on server side always advertise that we support OCSP stapling * libgnutls: Introduced the gnutls_ocsp_req_const_t which is compatible with gnutls_ocsp_req_t but const. * certtool: Added the --verify-profile option to set a certificate verification profile. Use '--verify-profile low' for certificate verification to apply the 'NORMAL' verification profile. * certtool: The add_extension template option is considered even when generating a certificate from a certificate request. - gnutls 3.6.11.1: * libgnutls: Corrected issue with TLS 1.2 session ticket handling as client during resumption * libgnutls: gnutls_base64_decode2() succeeds decoding the empty string to the empty string. This is a behavioral change of the API but it conforms to the RFC4648 expectations * libgnutls: Fixed AES-CFB8 implementation, when input is shorter than the block size. Fix backported from nettle. * certtool: CRL distribution points will be set in CA certificates even when non self-signed * gnutls-cli/serv: added raw public-key handling capabilities (RFC7250). Key material can be set via the --rawpkkeyfile and - -rawpkfile flags. - gnutls 3.6.10: * Add support for deterministic ECDSA/DSA (RFC6979) * Add functions for in-place encryption/decryption of data buffers * server now selects the highest TLS protocol version, if TLS 1.3 is enabled and the client advertises an older protocol version first * Add support for GOST 28147-89 cipher in CNT (GOST counter) mode and MAC generation based on GOST 28147-89 (IMIT) * certtool: when outputting an encrypted private key do not insert the textual description of it - Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518) - gnutls 3.6.9: * add support for copying digest or MAC contexts * Mark the crypto implementation override APIs as deprecated * Add support for AES-GMAC, as a separate to GCM, MAC algorithm * Add support for Generalname registeredID * The priority configuration was enhanced to allow more elaborate system-wide configuration of the library - includes changes from 3.6.8: * Add support for AES-XTS cipher * Fix calculation of Streebog digests * During Diffie-Hellman operations in TLS, verify that the peer's public key is on the right subgroup (y^q=1 mod p), when q is available (under TLS 1.3 and under earlier versions when RFC7919 parameters are used). * Apply STD3 ASCII rules in gnutls_idna_map() to prevent hostname/domain crafting via IDNA conversion * certtool: allow the digital signature key usage flag in CA certificates * gnutls-cli/serv: add the --keymatexport and --keymatexportsize options. These allow testing the RFC5705 using these tools - drop patches to re-enable tests: * disable-psk-file-test.patch * gnutls-3.6.0-disable-flaky-dtls_resume-test.patch - Trim useless %if..%endif guards that do not affect the build. - Fix language errors in description again. - Update gnutls to 3.6.7 * * libgnutls, gnutls tools: Every gnutls_free() will automatically set the free'd pointer to NULL. This prevents possible use-after-free and double free issues. Use-after-free will be turned into NULL dereference. The counter-measure does not extend to applications using gnutls_free(). * * libgnutls: Fixed a memory corruption (double free) vulnerability in the certificate verification API. Reported by Tavis Ormandy; addressed with the change above. [GNUTLS-SA-2019-03-27, #694] [bsc#1130681] (CVE-2019-3829) * * libgnutls: Fixed an invalid pointer access via malformed TLS1.3 async messages; Found using tlsfuzzer. [GNUTLS-SA-2019-03-27, #704] [bsc#1130682] (CVE-2019-3836) * * libgnutls: enforce key usage limitations on certificates more actively. Previously we would enforce it for TLS1.2 protocol, now we enforce it even when TLS1.3 is negotiated, or on client certificates as well. When an inappropriate for TLS1.3 certificate is seen on the credentials structure GnuTLS will disable TLS1.3 support for that session (#690). * * libgnutls: the default number of tickets sent under TLS 1.3 was increased to two. This makes it easier for clients which perform multiple connections to the server to use the tickets sent by a default server. * * libgnutls: enforce the equality of the two signature parameters fields in a certificate. We were already enforcing the signature algorithm, but there was a bug in parameter checking code. * * libgnutls: fixed issue preventing sending and receiving from different threads when false start was enabled (#713). * * libgnutls: the flag GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO now implies a writable session, as non-writeable security officer sessions are undefined in PKCS#11 (#721). * * libgnutls: no longer send downgrade sentinel in TLS 1.3. Previously the sentinel value was embedded to early in version negotiation and was sent even on TLS 1.3. It is now sent only when TLS 1.2 or earlier is negotiated (#689). * * gnutls-cli: Added option --logfile to redirect informational messages output. - Disabled dane support in SLE since dane is not shipped there - Changed configure script to hardware guile site directory since command-line option '--with-guile-site-dir=' was removed from the configure script. * * Added gnutls-3.6.6-set_guile_site_dir.patch - Modified gnutls-3.6.0-disable-flaky-dtls_resume-test.patch to fix compilation issues on PPC - Update to 3.6.6 * * libgnutls: gnutls_pubkey_import_ecc_raw() was fixed to set the number bits on the public key (#640). * * libgnutls: Added support for raw public-key authentication as defined in RFC7250. Raw public-keys can be negotiated by enabling the corresponding certificate types via the priority strings. The raw public-key mechanism must be explicitly enabled via the GNUTLS_ENABLE_RAWPK init flag (#26, #280). * * libgnutls: When on server or client side we are sending no extensions we do not set an empty extensions field but we rather remove that field competely. This solves a regression since 3.5.x and improves compatibility of the server side with certain clients. * * libgnutls: We no longer mark RSA keys in PKCS#11 tokens as RSA-PSS capable if the CKA_SIGN is not set (#667). * * libgnutls: The priority string option %NO_EXTENSIONS was improved to completely disable extensions at all cases, while providing a functional session. This also implies that when specified, TLS1.3 is disabled. * * libgnutls: GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION was marked as deprecated. The previous definition was non-functional (#609). - drop no longer needed gnutls-enbale-guile-2.2.patch - refresh disable-psk-file-test.patch - Update to 3.6.5 * * libgnutls: Provide the option of transparent re-handshake/reauthentication when the GNUTLS_AUTO_REAUTH flag is specified in gnutls_init() (#571). * * libgnutls: Added support for TLS 1.3 zero round-trip (0-RTT) mode (#127) * * libgnutls: The priority functions will ignore and not enable TLS1.3 if requested with legacy TLS versions enabled but not TLS1.2. That is because if such a priority string is used in the client side (e.g., TLS1.3+TLS1.0 enabled) servers which do not support TLS1.3 will negotiate TLS1.2 which will be rejected by the client as disabled (#621). * * libgnutls: Change RSA decryption to use a new side-channel silent function. This addresses a security issue where memory access patterns as well as timing on the underlying Nettle rsa-decrypt function could lead to new Bleichenbacher attacks. Side-channel resistant code is slower due to the need to mask access and timings. When used in TLS the new functions cause RSA based handshakes to be between 13% and 28% slower on average (Numbers are indicative, the tests where performed on a relatively modern Intel CPU, results vary depending on the CPU and architecture used). This change makes nettle 3.4.1 the minimum requirement of gnutls (#630). [CVSS: medium] * * libgnutls: gnutls_priority_init() and friends, allow the CTYPE-OPENPGP keyword in the priority string. It is only accepted as legacy option and is ignored. * * libgnutls: Added support for EdDSA under PKCS#11 (#417) * * libgnutls: Added support for AES-CFB8 cipher (#357) * * libgnutls: Added support for AES-CMAC MAC (#351) * * libgnutls: In two previous versions GNUTLS_CIPHER_GOST28147_CPB/CPC/CPD_CFB ciphers have incorrectly used CryptoPro-A S-BOX instead of proper (CryptoPro-B/-C/-D S-BOXes). They are fixed now. * * libgnutls: Added support for GOST key unmasking and unwrapped GOST private keys parsing, as specified in R 50.1.112-2016. * * gnutls-serv: It applies the default settings when no --priority option is given, using gnutls_set_default_priority(). * * p11tool: Fix initialization of security officer's PIN with the --initialize-so-pin option (#561) * * certtool: Add parameter --no-text that prevents certtool from outputting text before PEM-encoded private key, public key, certificate, CRL or CSR. - minimum required libnettle is now 3.4.1 - refresh * disable-psk-file-test.patch * gnutls-3.6.0-disable-flaky-dtls_resume-test.patch ==== gpg2 ==== - added tpm support, added a new subpackage gpg2-tpm ==== grep ==== - use release keyring rather than full one for validation - Do not link an unversioned file by URL (and refresh keyring) ==== grub2 ==== Subpackages: grub2-arm64-efi grub2-snapper-plugin - Fix installation over serial console ends up in infinite boot loop (bsc#1187810) * 0001-Fix-infinite-boot-loop-on-headless-system-in-qemu.patch - Fix ppc64le build error for new IEEE long double ABI * 0001-libc-config-merge-from-glibc.patch ==== harfbuzz ==== Version update (4.2.1 -> 4.3.0) Subpackages: libharfbuzz-gobject0 libharfbuzz-icu0 libharfbuzz-subset0 libharfbuzz0 typelib-1_0-HarfBuzz-0_0 - Update to version 4.3.0: + Major speed up in loading and subsetting fonts, especially in handling CFF table. Subsetting some fonts is now 3 times faster + Speed up blending CFF2 table + Speed up hb_ot_tags_from_language() + Fix USE classification of U+10A38 to fix multiple marks on single Kharoshthi base + Fix parsing of empty CFF Index + Fix subsetting CPAL table with partial palette overlaps ==== kdsoap ==== - Add a Qt6 flavor for kdsoap. ==== keylime ==== Version update (6.3.2 -> 6.4.0) Subpackages: keylime-agent keylime-config keylime-firewalld keylime-registrar keylime-tpm_cert_store keylime-verifier python38-keylime - Update to version v6.4.0 (CVE-2022-1053, boo#1199253): * general: bump Keylime version to 6.4.0 * tests: adjust tests to reflect latest API changes * api: bump version to 2.1 * config: remove unused registrar mTLS options in cloud_verifier section * tenant, verifier: let the tenant provide the AK and mTLS certificate * Fix exit call in scripts/download_packit_coverage.sh * Added codecov.io description to TESTING.md * ci: only run CodeQL on the keylime directory and disable it for the webapp * Enable GitHub workflow integrating codecov.io * README: Fix and cleanup the install instructions * ima: add backport for dataclasses support for Python 3.6 * ima: add info that device mapper validation is still experimental * add lark as a dependency * ima: integrate dm validator into gernal IMA validation * agentstates: add the option to load and store dm validator state * ima: add parser and validator for device mapper entries * ima_file_signatures: rename to file_signatures * ima_ast: rename to ast * ima: move IMA components into their own module * failure: add function to get current event ids * config: add more details for tpm_cert_store option * Deprecate API version 1.0 * config, webapp: remove tls_check_hostnames option * ci: add CodeQL analysis * agent, tpm: remove is_vtpm() check * tests: update to reflect vTPM removal * remove vTPM related helper files and documentation * config: remove vTPM related options * tenant: remove vtpm_policy * verifier: remove vtpm_policy * remove REQUIRE_ROOT environment option * Remove Testing farm tag-repository * Bump required packaging module version to 20.0 * Remove last traces of M2Crypto * Workaround for mock_open not supporting iteration in Python 3.6 - Fix "run_as" configuration parameter and set it to keylime:tss - Improve downgrade user migration during package update ==== libopenmpt ==== Version update (0.6.2 -> 0.6.3) - Update to 0.6.3: * Pitch / Pan Separation and Random Variation instrument properties were not resetting properly when seeking, potentially causing instruments to be played e.g. at a vastly different pan position compared to playing the module continuously. * MED: Stereo samples were not imported correctly. ==== libunwind ==== - Fix dependencies - Fix file list ==== logrotate ==== Version update (3.19.0 -> 3.20.1) - update to 3.20.1: * drop world-readable permission on state file even when ACLs are enabled (#446) - removed obsolete logrotate-CVE-2022-1348-follow-up.patch - Security fix: (bsc#1199652, CVE-2022-1348) * Add follow-up upstream patch for the introduced fix. * Added patch logrotate-CVE-2022-1348-follow-up.patch - Update patch: * logrotate-3.19.0-man_logrotate.patch -> logrotate-3.20.0-man_logrotate.patch - update to 3.20.0: * fix potential DoS from unprivileged users via the state file (CVE-2022-1348) * fix a misleading debug message with copytruncate and rotate 0 (#443) * add support for unsigned time_t (#438) * do not lock state file /dev/null (#433) ==== mobile-broadband-provider-info ==== Version update (20220315 -> 20220511) - Update to version 20220511: * us: update verizon MCCMNC * us: Verizon Wirleess had been awarded 301 012 * us: Verizon Wireless MMS settings * us: declare AT&T MCC MNC * at: declare lyca mobile MMS config * al: add AMC internet APN config * af: add MMS settings for AWCC * ad: add andorra telecom MMS settings * za: mtn mms * za: cell-c MMS setting * es: Add Euskaltel MMS settings * il: youphone mms (same APN for data and mms) * il: cellcom balance test * il: Rami Levi MMS settings * serviceproviders: fix indentation * il: Partner (previously known as Orange) MMS config ==== osinfo-db ==== Version update (20220214 -> 20220516) - Update to database version 20220516 osinfo-db-20220516.tar.xz ==== podman ==== Subpackages: podman-cni-config - Backport upstream commit be5abf03ababc ("fix: Container.cGroupPath() skip empty line to avoid false error logging") for fixing "Error parsing cgroup: expected 3 fields but got 1" (see bsc#1199790, as it applies to Factory/Tumbleweed too) * 0004-fix-Container.cGroupPath-skip-empty-line-to-avoid-fa.patch ==== polkit-default-privs ==== Version update (1550+20220404.7b4bea2 -> 1550+20220524.0345bd9) - Update to version 1550+20220524.0345bd9: * Add kinfocenter5 whitelisting (bsc#1199735). * gconf: cleanup rules used by dropped gconf2 package ==== python-cryptography ==== Version update (36.0.2 -> 37.0.2) - update to 37.0.2: * Fixed an issue where parsing an encrypted private key with the public loader functions would hang waiting for console input on OpenSSL 3.0.x rather than raising an error. * Restored some legacy symbols for older ``pyOpenSSL`` users. These will be removed again in the future, so ``pyOpenSSL`` users should still upgrade to the latest version of that package when they upgrade ``cryptography``. * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.2. * **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL 2.9.x and 3.0.x. The new minimum LibreSSL version is 3.1+. * **BACKWARDS INCOMPATIBLE:** Removed ``signer`` and ``verifier`` methods from the public key and private key classes. These methods were originally deprecated in version 2.0, but had an extended deprecation timeline due to usage. Any remaining users should transition to ``sign`` and ``verify``. * Deprecated OpenSSL 1.1.0 support. OpenSSL 1.1.0 is no longer supported by the OpenSSL project. The next release of ``cryptography`` will be the last to support compiling with OpenSSL 1.1.0. * Deprecated Python 3.6 support. Python 3.6 is no longer supported by the Python core team. Support for Python 3.6 will be removed in a future ``cryptography`` release. * Deprecated the current minimum supported Rust version (MSRV) of 1.41.0. In the next release we will raise MSRV to 1.48.0. Users with the latest ``pip`` will typically get a wheel and not need Rust installed, but check :doc:`/installation` for documentation on installing a newer ``rustc`` if required. * Deprecated :class:`~cryptography.hazmat.primitives.ciphers.algorithms.CAST5`, :class:`~cryptography.hazmat.primitives.ciphers.algorithms.SEED`, :class:`~cryptography.hazmat.primitives.ciphers.algorithms.IDEA`, and :class:`~cryptography.hazmat.primitives.ciphers.algorithms.Blowfish` because they are legacy algorithms with extremely low usage. These will be removed in a future version of ``cryptography``. * Added limited support for distinguished names containing a bit string. * We now ship ``universal2`` wheels on macOS, which contain both ``arm64`` and ``x86_64`` architectures. Users on macOS should upgrade to the latest ``pip`` to ensure they can use this wheel, although we will continue to ship ``x86_64`` specific wheels for now to ease the transition. * This will be the final release for which we ship ``manylinux2010`` wheels. Going forward the minimum supported ``manylinux`` ABI for our wheels will be ``manylinux2014``. The vast majority of users will continue to receive ``manylinux`` wheels provided they have an up to date ``pip``. For PyPy wheels this release already requires ``manylinux2014`` for compatibility with binaries distributed by upstream. * Added support for multiple :class:`~cryptography.x509.ocsp.OCSPSingleResponse` in a :class:`~cryptography.x509.ocsp.OCSPResponse`. * Restored support for signing certificates and other structures in :doc:`/x509/index` with SHA3 hash algorithms. * :class:`~cryptography.hazmat.primitives.ciphers.algorithms.TripleDES` is disabled in FIPS mode. * Added support for serialization of PKCS#12 CA friendly names/aliases in :func:`~cryptography.hazmat.primitives.serialization.pkcs12.serialize_key_and_certificates` * Added support for 12-15 byte (96 to 120 bit) nonces to :class:`~cryptography.hazmat.primitives.ciphers.aead.AESOCB3`. This class previously supported only 12 byte (96 bit). * Added support for :class:`~cryptography.hazmat.primitives.ciphers.aead.AESSIV` when using OpenSSL 3.0.0+. * Added support for serializing PKCS7 structures from a list of certificates with :class:`~cryptography.hazmat.primitives.serialization.pkcs7.serialize_certificates`. * Added support for parsing :rfc:`4514` strings with :meth:`~cryptography.x509.Name.from_rfc4514_string`. * Added :attr:`~cryptography.hazmat.primitives.asymmetric.padding.PSS.AUTO` to :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`. This can be used to verify a signature where the salt length is not already known. * Added :attr:`~cryptography.hazmat.primitives.asymmetric.padding.PSS.DIGEST_LENGTH` to :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`. This constant will set the salt length to the same length as the ``PSS`` hash algorithm. * Added support for loading RSA-PSS key types with :func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key` and :func:`~cryptography.hazmat.primitives.serialization.load_der_private_key`. This functionality is limited to OpenSSL 1.1.1e+ and loads the key as a normal RSA private key, discarding the PSS constraint information. ==== python-psutil ==== Version update (5.9.0 -> 5.9.1) - removed obsolete skip-partitions-erros.patch - update to 5.9.1 * Enhancements - 1053: drop Python 2.6 support. (patches by Matthieu Darbois and Hugo van Kemenade) - 2050, [Linux]: increase read(2) buffer size from 1k to 32k when reading /proc pseudo files line by line. This should help having more consistent results. - 2057, [OpenBSD]: add support for cpu_freq(). - 2107, [Linux]: Process.memory_full_info() (reporting process USS/PSS/Swap memory) now reads /proc/pid/smaps_rollup instead of /proc/pids/smaps, which makes it 5 times faster. * Bug fixes - 2048: AttributeError is raised if psutil.Error class is raised manually and passed through str. - 2049, [Linux]: cpu_freq() erroneously returns curr value in GHz while min and max are in MHz. - 2050, [Linux]: virtual_memory() may raise ValueError if running in a LCX container. ==== qemu ==== - It has been observed that building QEMU with _FORTIFY_SOURCE=3 causes problem (see bsc#1199924). Force it to =2 for now, while we investigate the issue. - Backport a GCC 12 aarch64 build fix (bsc#1199625) * Patches added: block-qdict-Fix-Werror-maybe-uninitializ.patch - Filter out rpmlint error that is valid for qemu, but will have its badness increased in the future. ==== runc ==== - Backport <https://github.com/opencontainers/runc/pull/3474> to fix issues with newer syscalls (namely faccessat2) on older kernels on s390(x) caused by that platform's syscall multiplexing semantics. bsc#1192051 bsc#1199565 + bsc1192051-0001-seccomp-enosys-always-return-ENOSYS-for-setup-2-on-s390x.patch - Add ExcludeArch for s390 (not s390x) since we've never supported it. ==== wayland ==== Subpackages: libwayland-client0 libwayland-cursor0 libwayland-egl1 libwayland-server0 - modernize spec file * use licensedir * use bcond * use https:// urls * spec-cleaner ==== webkit2gtk3 ==== Version update (2.36.1 -> 2.36.2) Subpackages: libjavascriptcoregtk-4_1-0 libwebkit2gtk-4_1-0 webkit2gtk-4_1-injected-bundles - Update to version 2.36.2: + Fix some pages showing empty content boxes when using GTK4. + Fix the build with accessibility disabled. + Fix the build with newer Ruby versions. + Fix several crashes and rendering issues. ==== webkit2gtk3-soup2 ==== Version update (2.36.1 -> 2.36.2) Subpackages: libjavascriptcoregtk-4_0-18 libwebkit2gtk-4_0-37 webkit2gtk-4_0-injected-bundles - Update to version 2.36.2: + Fix some pages showing empty content boxes when using GTK4. + Fix the build with accessibility disabled. + Fix the build with newer Ruby versions. + Fix several crashes and rendering issues. ==== xmlsec1 ==== Version update (1.2.33 -> 1.2.34) Subpackages: libxmlsec1-1 libxmlsec1-openssl1 - update to 1.2.34: * Support for OpenSSL compiled with OPENSSL_NO_ERR. * Full support for LibreSSL 3.5.0 and above * Several other small fixes ==== xwayland ==== Version update (22.1.1 -> 22.1.2) - Update to version 22.1.2 * randr: Add "RANDR Emulation" property * xwayland/output: Set the "RANDR Emulation" property * xwayland: Fix invalid pointer access in drm_lease_device_handle_released. ==== yast2 ==== Version update (4.5.3 -> 4.5.4) - Added experimental infrastructure for managing system in a chroot (bsc#1199840) - 4.5.4

1 0

New MicroOS snapshot 20220527 released!
by Richard Brown 30 May '22

30 May '22

Please note that this mail was generated by a script. The described changes are computed based on the x86_64 DVD. The full online repo contains too many changes to be listed here. Please check the known defects of this snapshot before upgrading: https://openqa.opensuse.org/tests/overview?distri=microos&groupid=1&version… https://bugzilla.opensuse.org/buglist.cgi?product=openSUSE%20Tumbleweed&com… Please do not reply to this email to report issues, rather file a bug on bugzilla.opensuse.org. For more information on filing bugs please see https://en.opensuse.org/openSUSE:Submitting_bug_reports Packages changed: grep qemu === Details === ==== grep ==== - use release keyring rather than full one for validation - Do not link an unversioned file by URL (and refresh keyring) ==== qemu ==== - It has been observed that building QEMU with _FORTIFY_SOURCE=3 causes problem (see bsc#1199924). Force it to =2 for now, while we investigate the issue. - Backport a GCC 12 aarch64 build fix (bsc#1199625) * Patches added: block-qdict-Fix-Werror-maybe-uninitializ.patch

1 0

Re: k3s segfaults on MicroOS
by Thorsten Kukuk 29 May '22

29 May '22

On Sun, May 29, Marc Balmer wrote: > > > > Am 28.05.2022 um 22:21 schrieb Thorsten Kukuk <kukuk(a)suse.com>: > > > > On Sat, May 28, Marc Balmer wrote: > > > >> FWIW, this installs k3s 1.22.3 with k3s in /usr/bin. When I install k3s > >> directly from get.k3s.io using the curl method described on their website, I > >> get a newer version 1.23.x which installs into /usr/local/bin and which works. > > > > https://bugzilla.suse.com/show_bug.cgi?id=1199285 > > > > I suggest to use the get.k3s.io variant. > > Thanks! Given that, afaik, both MicroOS and k3s are somewhat steered by SUSE, why isn't the k3s in MicroOS kept up to date? The k3s RPM is not maintained by SUSE but by the openSUSE community. Thorsten -- Thorsten Kukuk, Distinguished Engineer, Senior Architect SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany Managing Director: Ivo Totev, Andrew Myers, Andrew McDonald, Martje Boudien Moerman (HRB 36809, AG Nürnberg)

2 1

Re: k3s segfaults on MicroOS
by Thorsten Kukuk 29 May '22

29 May '22

On Sun, May 29, Marc Balmer wrote: > If understand things correctly, I can not revert to an older version of k3s if neded by rolling back to an older snapper snapshot, right? Since k3s installs itself outside the read-only root filesystem: correct, a rollback to an older snapshot will not revert a k3s update. Thorsten -- Thorsten Kukuk, Distinguished Engineer, Senior Architect SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany Managing Director: Ivo Totev, Andrew Myers, Andrew McDonald, Martje Boudien Moerman (HRB 36809, AG Nürnberg)

1 0

Re: k3s segfaults on MicroOS
by Thorsten Kukuk 29 May '22

29 May '22

On Sat, May 28, Marc Balmer wrote: > FWIW, this installs k3s 1.22.3 with k3s in /usr/bin. When I install k3s > directly from get.k3s.io using the curl method described on their website, I > get a newer version 1.23.x which installs into /usr/local/bin and which works. https://bugzilla.suse.com/show_bug.cgi?id=1199285 I suggest to use the get.k3s.io variant. Thorsten -- Thorsten Kukuk, Distinguished Engineer, Senior Architect SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany Managing Director: Ivo Totev, Andrew Myers, Andrew McDonald, Martje Boudien Moerman (HRB 36809, AG Nürnberg)

2 1

k3s segfaults on MicroOS
by Marc Balmer 29 May '22

29 May '22

After the announcement that the Kubic project is in a wind-down process, I shifted my interest to MicroOS. I installed from an ISO image and did a transactional-update and rebootet. Next step was to install k3s using transactional-update pkg in k3s which installed k3s. When starting k3s server, either manually or via systemctl, however, k3s segfaults: ... INFO[0000] To join node to cluster: k3s agent -s https://172.16.18.142:6443 -t ${NODE_TOKEN} panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0x562c36fa6d1c] goroutine 1 [running]: reflect.mapiternext(0xc0002348d0?) /usr/lib64/go/1.18/src/runtime/map.go:1378 +0x19 github.com/modern-go/reflect2.(*UnsafeMapIterator).UnsafeNext(0x9?) ... (The actual error message is a lot longer). What am I missing or doing wrong here? - Marc

2 3

New MicroOS snapshot 20220525 released!
by Richard Brown 26 May '22

26 May '22

Please note that this mail was generated by a script. The described changes are computed based on the x86_64 DVD. The full online repo contains too many changes to be listed here. Please check the known defects of this snapshot before upgrading: https://openqa.opensuse.org/tests/overview?distri=microos&groupid=1&version… https://bugzilla.opensuse.org/buglist.cgi?product=openSUSE%20Tumbleweed&com… Please do not reply to this email to report issues, rather file a bug on bugzilla.opensuse.org. For more information on filing bugs please see https://en.opensuse.org/openSUSE:Submitting_bug_reports Packages changed: NetworkManager gnome-keyring (40.0 -> 42.1) keylime (6.3.2 -> 6.4.0) mobile-broadband-provider-info (20220315 -> 20220511) polkit-default-privs (1550+20220404.7b4bea2 -> 1550+20220524.0345bd9) python-cryptography (36.0.2 -> 37.0.2) yast2 (4.5.3 -> 4.5.4) === Details === ==== NetworkManager ==== Subpackages: NetworkManager-wwan libnm0 typelib-1_0-NM-1_0 - Fold NetworkManager-wifi back into the main package: The dep chain is not really different and it causes too many problems for users having that split. Not worth the pain (boo#1199710, boo#1199706). - As a consequence, also drop the recommends fro the main package to -wifi. ==== gnome-keyring ==== Version update (40.0 -> 42.1) Subpackages: gnome-keyring-pam libgck-modules-gnome-keyring - Update to version 42.1: + daemon: Add files to EXTRA_DIST to fix distcheck. - Changes from version 42.0: + secret-portal: Properly check the default keyring. + Build fixes. + ssh-agent: Fix crash by uninitialized GMutex. + fix looping off the end of the operations array. + readme: Mention libsecret instead of deprecated libgnome-keyring. + daemon: Make it systemd-activatable through the control socket. + Updated translations. - Add pkgcondfig(systemd) and pkgconfig(libsystemd) BuildRequires: new dependencies. ==== keylime ==== Version update (6.3.2 -> 6.4.0) Subpackages: keylime-agent keylime-config keylime-firewalld keylime-registrar keylime-tpm_cert_store keylime-verifier python38-keylime - Update to version v6.4.0 (CVE-2022-1053, boo#1199253): * general: bump Keylime version to 6.4.0 * tests: adjust tests to reflect latest API changes * api: bump version to 2.1 * config: remove unused registrar mTLS options in cloud_verifier section * tenant, verifier: let the tenant provide the AK and mTLS certificate * Fix exit call in scripts/download_packit_coverage.sh * Added codecov.io description to TESTING.md * ci: only run CodeQL on the keylime directory and disable it for the webapp * Enable GitHub workflow integrating codecov.io * README: Fix and cleanup the install instructions * ima: add backport for dataclasses support for Python 3.6 * ima: add info that device mapper validation is still experimental * add lark as a dependency * ima: integrate dm validator into gernal IMA validation * agentstates: add the option to load and store dm validator state * ima: add parser and validator for device mapper entries * ima_file_signatures: rename to file_signatures * ima_ast: rename to ast * ima: move IMA components into their own module * failure: add function to get current event ids * config: add more details for tpm_cert_store option * Deprecate API version 1.0 * config, webapp: remove tls_check_hostnames option * ci: add CodeQL analysis * agent, tpm: remove is_vtpm() check * tests: update to reflect vTPM removal * remove vTPM related helper files and documentation * config: remove vTPM related options * tenant: remove vtpm_policy * verifier: remove vtpm_policy * remove REQUIRE_ROOT environment option * Remove Testing farm tag-repository * Bump required packaging module version to 20.0 * Remove last traces of M2Crypto * Workaround for mock_open not supporting iteration in Python 3.6 - Fix "run_as" configuration parameter and set it to keylime:tss - Improve downgrade user migration during package update ==== mobile-broadband-provider-info ==== Version update (20220315 -> 20220511) - Update to version 20220511: * us: update verizon MCCMNC * us: Verizon Wirleess had been awarded 301 012 * us: Verizon Wireless MMS settings * us: declare AT&T MCC MNC * at: declare lyca mobile MMS config * al: add AMC internet APN config * af: add MMS settings for AWCC * ad: add andorra telecom MMS settings * za: mtn mms * za: cell-c MMS setting * es: Add Euskaltel MMS settings * il: youphone mms (same APN for data and mms) * il: cellcom balance test * il: Rami Levi MMS settings * serviceproviders: fix indentation * il: Partner (previously known as Orange) MMS config ==== polkit-default-privs ==== Version update (1550+20220404.7b4bea2 -> 1550+20220524.0345bd9) - Update to version 1550+20220524.0345bd9: * Add kinfocenter5 whitelisting (bsc#1199735). * gconf: cleanup rules used by dropped gconf2 package ==== python-cryptography ==== Version update (36.0.2 -> 37.0.2) - update to 37.0.2: * Fixed an issue where parsing an encrypted private key with the public loader functions would hang waiting for console input on OpenSSL 3.0.x rather than raising an error. * Restored some legacy symbols for older ``pyOpenSSL`` users. These will be removed again in the future, so ``pyOpenSSL`` users should still upgrade to the latest version of that package when they upgrade ``cryptography``. * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.2. * **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL 2.9.x and 3.0.x. The new minimum LibreSSL version is 3.1+. * **BACKWARDS INCOMPATIBLE:** Removed ``signer`` and ``verifier`` methods from the public key and private key classes. These methods were originally deprecated in version 2.0, but had an extended deprecation timeline due to usage. Any remaining users should transition to ``sign`` and ``verify``. * Deprecated OpenSSL 1.1.0 support. OpenSSL 1.1.0 is no longer supported by the OpenSSL project. The next release of ``cryptography`` will be the last to support compiling with OpenSSL 1.1.0. * Deprecated Python 3.6 support. Python 3.6 is no longer supported by the Python core team. Support for Python 3.6 will be removed in a future ``cryptography`` release. * Deprecated the current minimum supported Rust version (MSRV) of 1.41.0. In the next release we will raise MSRV to 1.48.0. Users with the latest ``pip`` will typically get a wheel and not need Rust installed, but check :doc:`/installation` for documentation on installing a newer ``rustc`` if required. * Deprecated :class:`~cryptography.hazmat.primitives.ciphers.algorithms.CAST5`, :class:`~cryptography.hazmat.primitives.ciphers.algorithms.SEED`, :class:`~cryptography.hazmat.primitives.ciphers.algorithms.IDEA`, and :class:`~cryptography.hazmat.primitives.ciphers.algorithms.Blowfish` because they are legacy algorithms with extremely low usage. These will be removed in a future version of ``cryptography``. * Added limited support for distinguished names containing a bit string. * We now ship ``universal2`` wheels on macOS, which contain both ``arm64`` and ``x86_64`` architectures. Users on macOS should upgrade to the latest ``pip`` to ensure they can use this wheel, although we will continue to ship ``x86_64`` specific wheels for now to ease the transition. * This will be the final release for which we ship ``manylinux2010`` wheels. Going forward the minimum supported ``manylinux`` ABI for our wheels will be ``manylinux2014``. The vast majority of users will continue to receive ``manylinux`` wheels provided they have an up to date ``pip``. For PyPy wheels this release already requires ``manylinux2014`` for compatibility with binaries distributed by upstream. * Added support for multiple :class:`~cryptography.x509.ocsp.OCSPSingleResponse` in a :class:`~cryptography.x509.ocsp.OCSPResponse`. * Restored support for signing certificates and other structures in :doc:`/x509/index` with SHA3 hash algorithms. * :class:`~cryptography.hazmat.primitives.ciphers.algorithms.TripleDES` is disabled in FIPS mode. * Added support for serialization of PKCS#12 CA friendly names/aliases in :func:`~cryptography.hazmat.primitives.serialization.pkcs12.serialize_key_and_certificates` * Added support for 12-15 byte (96 to 120 bit) nonces to :class:`~cryptography.hazmat.primitives.ciphers.aead.AESOCB3`. This class previously supported only 12 byte (96 bit). * Added support for :class:`~cryptography.hazmat.primitives.ciphers.aead.AESSIV` when using OpenSSL 3.0.0+. * Added support for serializing PKCS7 structures from a list of certificates with :class:`~cryptography.hazmat.primitives.serialization.pkcs7.serialize_certificates`. * Added support for parsing :rfc:`4514` strings with :meth:`~cryptography.x509.Name.from_rfc4514_string`. * Added :attr:`~cryptography.hazmat.primitives.asymmetric.padding.PSS.AUTO` to :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`. This can be used to verify a signature where the salt length is not already known. * Added :attr:`~cryptography.hazmat.primitives.asymmetric.padding.PSS.DIGEST_LENGTH` to :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`. This constant will set the salt length to the same length as the ``PSS`` hash algorithm. * Added support for loading RSA-PSS key types with :func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key` and :func:`~cryptography.hazmat.primitives.serialization.load_der_private_key`. This functionality is limited to OpenSSL 1.1.1e+ and loads the key as a normal RSA private key, discarding the PSS constraint information. ==== yast2 ==== Version update (4.5.3 -> 4.5.4) - Added experimental infrastructure for managing system in a chroot (bsc#1199840) - 4.5.4

1 0

New Kubic snapshot 20220525 released!
by Richard Brown 26 May '22

26 May '22

Please note that this mail was generated by a script. The described changes are computed based on the x86_64 DVD. The full online repo contains too many changes to be listed here. Please check the known defects of this snapshot before upgrading: https://openqa.opensuse.org/tests/overview?distri=kubic&groupid=1&version=T… https://bugzilla.opensuse.org/buglist.cgi?product=openSUSE%20Tumbleweed&com… Please do not reply to this email to report issues, rather file a bug on bugzilla.opensuse.org. For more information on filing bugs please see https://en.opensuse.org/openSUSE:Submitting_bug_reports Packages changed: NetworkManager keylime (6.3.2 -> 6.4.0) python-cryptography (36.0.2 -> 37.0.2) yast2 (4.5.3 -> 4.5.4) === Details === ==== NetworkManager ==== Subpackages: NetworkManager-wwan libnm0 - Fold NetworkManager-wifi back into the main package: The dep chain is not really different and it causes too many problems for users having that split. Not worth the pain (boo#1199710, boo#1199706). - As a consequence, also drop the recommends fro the main package to -wifi. ==== keylime ==== Version update (6.3.2 -> 6.4.0) Subpackages: keylime-agent keylime-config keylime-firewalld keylime-registrar keylime-tpm_cert_store keylime-verifier python38-keylime - Update to version v6.4.0 (CVE-2022-1053, boo#1199253): * general: bump Keylime version to 6.4.0 * tests: adjust tests to reflect latest API changes * api: bump version to 2.1 * config: remove unused registrar mTLS options in cloud_verifier section * tenant, verifier: let the tenant provide the AK and mTLS certificate * Fix exit call in scripts/download_packit_coverage.sh * Added codecov.io description to TESTING.md * ci: only run CodeQL on the keylime directory and disable it for the webapp * Enable GitHub workflow integrating codecov.io * README: Fix and cleanup the install instructions * ima: add backport for dataclasses support for Python 3.6 * ima: add info that device mapper validation is still experimental * add lark as a dependency * ima: integrate dm validator into gernal IMA validation * agentstates: add the option to load and store dm validator state * ima: add parser and validator for device mapper entries * ima_file_signatures: rename to file_signatures * ima_ast: rename to ast * ima: move IMA components into their own module * failure: add function to get current event ids * config: add more details for tpm_cert_store option * Deprecate API version 1.0 * config, webapp: remove tls_check_hostnames option * ci: add CodeQL analysis * agent, tpm: remove is_vtpm() check * tests: update to reflect vTPM removal * remove vTPM related helper files and documentation * config: remove vTPM related options * tenant: remove vtpm_policy * verifier: remove vtpm_policy * remove REQUIRE_ROOT environment option * Remove Testing farm tag-repository * Bump required packaging module version to 20.0 * Remove last traces of M2Crypto * Workaround for mock_open not supporting iteration in Python 3.6 - Fix "run_as" configuration parameter and set it to keylime:tss - Improve downgrade user migration during package update ==== python-cryptography ==== Version update (36.0.2 -> 37.0.2) - update to 37.0.2: * Fixed an issue where parsing an encrypted private key with the public loader functions would hang waiting for console input on OpenSSL 3.0.x rather than raising an error. * Restored some legacy symbols for older ``pyOpenSSL`` users. These will be removed again in the future, so ``pyOpenSSL`` users should still upgrade to the latest version of that package when they upgrade ``cryptography``. * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.2. * **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL 2.9.x and 3.0.x. The new minimum LibreSSL version is 3.1+. * **BACKWARDS INCOMPATIBLE:** Removed ``signer`` and ``verifier`` methods from the public key and private key classes. These methods were originally deprecated in version 2.0, but had an extended deprecation timeline due to usage. Any remaining users should transition to ``sign`` and ``verify``. * Deprecated OpenSSL 1.1.0 support. OpenSSL 1.1.0 is no longer supported by the OpenSSL project. The next release of ``cryptography`` will be the last to support compiling with OpenSSL 1.1.0. * Deprecated Python 3.6 support. Python 3.6 is no longer supported by the Python core team. Support for Python 3.6 will be removed in a future ``cryptography`` release. * Deprecated the current minimum supported Rust version (MSRV) of 1.41.0. In the next release we will raise MSRV to 1.48.0. Users with the latest ``pip`` will typically get a wheel and not need Rust installed, but check :doc:`/installation` for documentation on installing a newer ``rustc`` if required. * Deprecated :class:`~cryptography.hazmat.primitives.ciphers.algorithms.CAST5`, :class:`~cryptography.hazmat.primitives.ciphers.algorithms.SEED`, :class:`~cryptography.hazmat.primitives.ciphers.algorithms.IDEA`, and :class:`~cryptography.hazmat.primitives.ciphers.algorithms.Blowfish` because they are legacy algorithms with extremely low usage. These will be removed in a future version of ``cryptography``. * Added limited support for distinguished names containing a bit string. * We now ship ``universal2`` wheels on macOS, which contain both ``arm64`` and ``x86_64`` architectures. Users on macOS should upgrade to the latest ``pip`` to ensure they can use this wheel, although we will continue to ship ``x86_64`` specific wheels for now to ease the transition. * This will be the final release for which we ship ``manylinux2010`` wheels. Going forward the minimum supported ``manylinux`` ABI for our wheels will be ``manylinux2014``. The vast majority of users will continue to receive ``manylinux`` wheels provided they have an up to date ``pip``. For PyPy wheels this release already requires ``manylinux2014`` for compatibility with binaries distributed by upstream. * Added support for multiple :class:`~cryptography.x509.ocsp.OCSPSingleResponse` in a :class:`~cryptography.x509.ocsp.OCSPResponse`. * Restored support for signing certificates and other structures in :doc:`/x509/index` with SHA3 hash algorithms. * :class:`~cryptography.hazmat.primitives.ciphers.algorithms.TripleDES` is disabled in FIPS mode. * Added support for serialization of PKCS#12 CA friendly names/aliases in :func:`~cryptography.hazmat.primitives.serialization.pkcs12.serialize_key_and_certificates` * Added support for 12-15 byte (96 to 120 bit) nonces to :class:`~cryptography.hazmat.primitives.ciphers.aead.AESOCB3`. This class previously supported only 12 byte (96 bit). * Added support for :class:`~cryptography.hazmat.primitives.ciphers.aead.AESSIV` when using OpenSSL 3.0.0+. * Added support for serializing PKCS7 structures from a list of certificates with :class:`~cryptography.hazmat.primitives.serialization.pkcs7.serialize_certificates`. * Added support for parsing :rfc:`4514` strings with :meth:`~cryptography.x509.Name.from_rfc4514_string`. * Added :attr:`~cryptography.hazmat.primitives.asymmetric.padding.PSS.AUTO` to :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`. This can be used to verify a signature where the salt length is not already known. * Added :attr:`~cryptography.hazmat.primitives.asymmetric.padding.PSS.DIGEST_LENGTH` to :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`. This constant will set the salt length to the same length as the ``PSS`` hash algorithm. * Added support for loading RSA-PSS key types with :func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key` and :func:`~cryptography.hazmat.primitives.serialization.load_der_private_key`. This functionality is limited to OpenSSL 1.1.1e+ and loads the key as a normal RSA private key, discarding the PSS constraint information. ==== yast2 ==== Version update (4.5.3 -> 4.5.4) - Added experimental infrastructure for managing system in a chroot (bsc#1199840) - 4.5.4

1 0

2023

2022

2021

2020

2019

2018

openSUSE Kubic May 2022