Please note that this mail was generated by a script.
The described changes are computed based on the aarch64 DVD.
The full online repo contains too many changes to be listed here.

Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=kubic&groupid=3&version=Tumbleweed&build=20211023
https://bugzilla.opensuse.org/buglist.cgi?product=openSUSE%20Tumbleweed&component=Kubic&query_format=advanced&resolution=---

Please do not reply to this email to report issues, rather file a bug
on bugzilla.opensuse.org. For more information on filing bugs please
see https://en.opensuse.org/openSUSE:Submitting_bug_reports

Packages changed:
  apparmor
  audit-secondary
  avahi
  boost-base
  busybox
  ca-certificates (2+git20210723.27a0476 -> 2+git20211004.3efbea9)
  chrony
  compat-usrmerge
  dracut (055+suse.119.g6c4187af -> 055+suse.129.g7d8c3ce3)
  e2fsprogs
  fcoe-utils
  file (5.40 -> 5.41)
  glibc
  haproxy (2.4.4+git0.acb1d0bea -> 2.4.7+git0.b5e51a5e2)
  helm
  hwinfo (21.76 -> 21.77)
  iputils
  kbd
  kernel-source (5.14.9 -> 5.14.11)
  kubernetes1.21
  libapparmor
  libcap (2.51 -> 2.59)
  libglvnd
  librsvg (2.52.0 -> 2.52.2)
  libwebp (1.2.0 -> 1.2.1)
  libzypp (17.28.4 -> 17.28.6)
  ncurses (6.2.20210911 -> 6.2.20211002)
  ndctl
  nvme-cli
  open-iscsi
  open-vm-tools (11.3.0 -> 11.3.5)
  openssh (8.4p1 -> 8.8p1)
  pam-config (1.4 -> 1.5)
  patterns-microos
  pmdk (1.11.0 -> 1.11.1)
  python-Jinja2 (3.0.1 -> 3.0.2)
  python-PrettyTable
  python-alembic (1.6.5 -> 1.7.4)
  python-apipkg (1.5 -> 2.1.0)
  python-distro
  python-greenlet (1.1.0 -> 1.1.2)
  python-idna (3.2 -> 3.3)
  python-more-itertools (8.8.0 -> 8.10.0)
  python-networkx (2.6.1 -> 2.6.3)
  python-pyrsistent (0.17.3 -> 0.18.0)
  python-pytz (2021.1 -> 2021.3)
  python-zipp (3.5.0 -> 3.6.0)
  qemu
  raspberrypi-firmware (2021.03.10 -> 2021.09.30)
  raspberrypi-firmware-config (2021.03.10 -> 2021.09.30)
  raspberrypi-firmware-dt (2021.03.15 -> 2021.09.17)
  rbac-lookup (0.6.4 -> 0.7.1)
  rdma-core (36.0 -> 37.1)
  salt
  systemd (249.4 -> 249.5)
  systemd-presets-common-SUSE
  timezone (2021c -> 2021d)
  tpm2.0-tools (5.1.1 -> 5.2)
  wireless-regdb (20210421 -> 20210828)
  xfsprogs
  xkeyboard-config (2.33 -> 2.34)
  yomi-formula
  zypper (1.14.49 -> 1.14.50)

=== Details ===

==== apparmor ====
Subpackages: apparmor-abstractions apparmor-parser apparmor-profiles apparmor-utils python3-apparmor

- add add-samba-bgqd.diff: add profile for samba-bgqd (boo#1191532)

==== audit-secondary ====
Subpackages: audit python3-audit system-group-audit

- Add CONFIG parameter to %sysusers_generate_pre
- Create separate service for augenrules (bsc#1191614, bsc#1181400)
  * add create-augenrules-service.patch
  Remove ReadWritePaths=/etc/audit from auditd.service, also removes
  augenrules call from ExecStartPost. Create augenrules.service with
  the ReadWritePaths directive above. This makes /etc/audit only
  accessible by augenrules.service and lets auditd.service (and daemon)
  be sandboxed again.
- Update audit-secondary.spec to accommodate the new service file.

==== avahi ====
Subpackages: libavahi-client3 libavahi-common3

- Add rpmlintrc: Filter shlib-policy-name-error for libdns_sd (boo#1191750).
- Remove obsolete translation-update-upstream support (jsc#SLE-21105).

==== boost-base ====
Subpackages: boost-license1_77_0 libboost_thread1_77_0

- make boost-json-devel require boost-container-devel (bsc#1191822)

==== busybox ====

- Create separate 'Warewulf3' (https://github.com/warewulf/warewulf3)
  flavor of busybox with the additional setting:
  CONFIG_REBOOT=y
  CONFIG_SWITCH_ROOT=y
  CONFIG_CTTYHACK=y
  (bsc#1191514).

==== ca-certificates ====
Version update (2+git20210723.27a0476 -> 2+git20211004.3efbea9)

- Update to version 2+git20211004.3efbea9:
  * Ensure --root option propagates prefix properly to other scripts

==== chrony ====
Subpackages: chrony-pool-openSUSE

- boo#1190926: PrivateDevices is too strict, we might need to access
  the rtc and ptp devices.
- Add back support to build chrony on SLE12.
- Drop dependency on asciidoctor.
  It is only needed for building the HTML documentation which we don't
  package anyway.

==== compat-usrmerge ====

- Fix logic for detecting conflicts with directories (boo#1191111)

==== dracut ====
Version update (055+suse.119.g6c4187af -> 055+suse.129.g7d8c3ce3)
Subpackages: dracut-ima dracut-mkinitrd-deprecated

- Update to version 055+suse.129.g7d8c3ce3:
  * fix(kernel-modules): add blk_mq_alloc_disk and blk_cleanup_disk to blockfuncs (bsc#1190326)
  * docs: update SUSE maintainers doc
  * fix(suse): add 60-io-scheduler.rules (bsc#1188713)
  * revert: remove /sbin/installkernel script from dracut package
  * spec: modernize specfile constructs

==== e2fsprogs ====
Subpackages: libcom_err2 libext2fs2

- Drop ProtectClock hardening, can cause issues if other device access is needed

==== fcoe-utils ====

- Drop ProtectClock hardening, can cause issues if other device access is needed

==== file ====
Version update (5.40 -> 5.41)
Subpackages: file-magic libmagic1

- Remove file-5.38-allow-readlinkat.dif as already done in latest file 5.41
- Update to 5.41:
  * Avinash Sonawane: Fix tzname detection
  * Fix relationship tests with "search" magic, don't short circuit
    logic
  * Fix memory leak in compile mode
  * PR/272: kiefermat: Only set returnval = 1 when we printed something
    (in all cases print or !print). This simplifies the logic and fixes
    the issue in the PR with -k and --mime-type there was no
    continuation printed before the default case.
  * PR/270: Don't translate unprintable characters in %s magic formats
    when -r
  * PR/269: Avoid undefined behavior with clang (adding offset to NULL)
  * Add a new flag (f) that requires that the match is a full word,
    not a partial word match.
  * Add varint types (unused)
  * PR/256: mutableVoid: If the file is less than 3 bytes, use the file
    length to determine type
  * PR/259: aleksandr.v.novichkov: mime printing through indirect magic
    is not taken into account, use match directly so that it does.
- Remove patches now upstream * file-5.40-1c677c04.patch * file-5.40-3096f87f.patch * file-5.40-4c5fe1ad.patch * file-5.40-6b34436a.patch * file-5.40-749e1ecf.patch * file-5.40-9b0459af.patch * file-5.40-9e2becec.patch * file-5.40-ascii.patch * file-5.40-f0601504.patch * file-5.40-f7705dca.patch - Port patches * file-5.19-biorad.dif * file-5.19-printf.dif * file-5.19-zip2.0.dif * file-5.23-endian.patch * file-5.28-btrfs-image.dif * file-5.38-allow-readlinkat.dif * file-secure_getenv.patch - Port and rename patch file-5.39.dif which is now file-5.41.dif ==== glibc ==== Subpackages: glibc-locale-base - ld-show-auxv-colon.patch: elf: Fix missing colon in LD_SHOW_AUXV output (BZ #282539 - x86-string-control-test.patch: x86-64: Use testl to check __x86_string_control - pthread-kill-fail-after-exit.patch: nptl: pthread_kill, pthread_cancel should not fail after exit (BZ #19193) - pthread-kill-race-thread-exit.patch: nptl: Fix race between pthread_kill and thread exit (BZ #12889) - getcwd-attribute-access.patch: posix: Fix attribute access mode on getcwd (BZ #27476) - pthread-kill-return-esrch.patch: nptl: pthread_kill needs to return ESRCH for old programs (BZ #19193) - pthread-mutexattr-getrobust-np-type.patch: nptl: Fix type of pthread_mutexattr_getrobust_np, pthread_mutexattr_setrobust_np (BZ [#28036]) - setxid-deadlock-blocked-signals.patch: nptl: Avoid setxid deadlock with blocked signals in thread exit (BZ #28361) - pthread-kill-send-specific-thread.patch: nptl: pthread_kill must send signals to a specific thread (BZ #28407) - sysconf-nprocessors-affinity.patch: linux: Revert the use of sched_getaffinity on get_nproc (BZ #28310) - iconv-charmap-close-output.patch: renamed from icon-charmap-close-output.patch ==== haproxy ==== Version update (2.4.4+git0.acb1d0bea -> 2.4.7+git0.b5e51a5e2) - Update to version 2.4.7+git0.b5e51a5e2: * [RELEASE] Released version 2.4.7 * BUG/MEDIUM: http-ana: Clear request analyzers when applying redirect rule - Update to version 
2.4.6+git0.d83fd76a1: * [RELEASE] Released version 2.4.6 * BUG/MEDIUM: filters: Fix a typo when a filter is attached blocking the release - Update to version 2.4.5+git0.e74a1b34b: * [RELEASE] Released version 2.4.5 * MINOR: tasks: catch TICK_ETERNITY with BUG_ON() in __task_queue() * BUG/MINOR: tcp-rules: Stop content rules eval on read error and end-of-input * BUG/MINOR: tcpcheck: Don't use arg list for default proxies during parsing * MINOR: arg: Be able to forbid unresolved args when building an argument list * BUG/MAJOR: lua: use task_wakeup() to properly run a task once * BUG/MEDIUM: lua: fix wakeup condition from sleep() * MINOR: Makefile: add MEMORY_POOLS to the list of DEBUG_xxx options * DOC: peers: fix doc "enable" statement on "peers" sections * BUG/MINOR: mux-h1/mux-fcgi: Sanitize TE header to only send "trailers" * MINOR: stream-int: Notify mux when the buffer is not stuck when calling rcv_buf * BUG/MEDIUM: stream-int: Defrag HTX message in si_cs_recv() if necessary * MINOR: htx: Add a function to know if the free space wraps * MINOR: htx: Add an HTX flag to know when a message is fragmented * MINOR: stream-int: Set CO_RFL transient/persistent flags apart in si_cs_rcv() * BUG/MEDIUM: stream: Stop waiting for more data if SI is blocked on RXBLK_ROOM * BUG/MEDIUM: stream-int: Notify stream that the mux wants more room to xfer data * BUG/MEDIUM: mux-h1: Adjust conditions to ask more space in the channel buffer * BUG/MINOR: stats: use refcount to protect dynamic server on dump * MINOR: server: return the next srv instance on free_server * BUG/MINOR: server: do not use refcount in free_server in stopping mode * MINOR: global: define MODE_STOPPING * MINOR: server: implement a refcount for dynamic servers * BUG/MINOR: http-ana: increment internal_errors counter on response error * BUG/MINOR: h1-htx: Fix a typo when request parser is reset * BUG/MEDIUM: leastconn: fix rare possibility of divide by zero * BUG/MINOR: server: allow 'enable health' only if check 
configured * BUILD: threads: fix -Wundef for _POSIX_PRIORITY_SCHEDULING on libmusl * BUILD: halog: fix a -Wundef warning on non-glibc systems * BUILD: compiler: fixed a missing test on defined(__GNUC__) * BUILD: fix dragonfly build again on __read_mostly * BUG/MINOR: vars: do not talk about global section in CLI errors for set-var * BUG/MINOR: vars: truncate the variable name in error reports about scope. * BUG/MINOR: vars: properly set the argument parsing context in the expression * MINOR: sample: add missing ARGC_ entries * BUG/MINOR: vars: improve accuracy of the rules used to check expression validity * BUILD: tools: properly guard __GLIBC__ with defined() * BUILD: ssl: fix two remaining occurrences of #if USE_OPENSSL * BUILD: ssl: next round of build warnings on LIBRESSL_VERSION_NUMBER * BUILD/MINOR: regex: avoid a build warning on USE_PCRE2 with -Wundef * IMPORT: slz: silence a build warning with -Wundef * BUILD/MINOR: ssl: avoid a build warning on LIBRESSL_VERSION with -Wundef * BUILD/MINOR: defaults: eliminate warning on MAXHOSTNAMELEN with -Wundef * BUILD: activity: use #ifdef not #if on USE_MEMORY_PROFILING * MINOR: proc: setting the process to produce a core dump on FreeBSD. * MINOR: tools: add FreeBSD support to get_exec_path() * BUILD: tools: get the absolute path of the current binary on NetBSD. 
* BUG/MINOR: flt-trace: fix an infinite loop when random-parsing is set * BUG/MINOR: cli/payload: do not search for args inside payload * BUILD: ist: prevent gcc11 maybe-uninitialized warning on istalloc * BUG/MINOR: connection: prevent null deref on mux cleanup task allocation * DOC: management: certificate files must be sanitized before injection * BUG/MINOR: tcpcheck: Improve LDAP response parsing to fix LDAP check * BUG/MAJOR: mux-h1: Don't eval input data if an error was reported * MINOR: pools: use mallinfo2() when available instead of mallinfo() * MINOR: pools: automatically disable malloc_trim() with external allocators * CLEANUP: pools: factor all malloc_trim() calls into trim_all_pools() * BUG/MINOR: compat: make sure __WORDSIZE is always defined * BUG/MEDIUM: stream-int: Don't block SI on a channel policy if EOI is reached * CLEANUP: mux-h1: Remove condition rejecting upgrade requests with payload * MINOR: htx: Skip headers with no value when adding a header list to a message * BUG/MEDIUM: mux-h1: Remove "Upgrade:" header for requests with payload * BUG/MINOR: systemd: ExecStartPre must use -Ws * BUG/MINOR: filters: Set right FLT_END analyser depending on channel * BUG/MINOR: filters: Always set FLT_END analyser when CF_FLT_ANALYZE flag is set * BUG/MEDIUM: http-ana: Reset channels analysers when returning an error * BUG/MINOR: stream: Don't release a stream if FLT_END is still registered * BUG/MINOR: lua: Don't yield in channel.append() and channel.set() * BUG/MINOR: lua: Yield in channel functions only if lua context can yield * MINOR: lua: Add a flag on lua context to know the yield capability at run time ==== helm ==== - use 'v' prefix for the version to match upstream builds - package fish completions ==== hwinfo ==== Version update (21.76 -> 21.77) - merge gh#openSUSE/hwinfo#105 - Use license file from gnu.org - Fix spelling - Add missing final newline - Trim excess whitespace - Simple maintenance improvements - 21.77 ==== iputils ==== - Drop 
  ProtectClock hardening, can cause issues if other device access is needed

==== kbd ====
Subpackages: kbd-legacy

- regenerated cz-map.patch needed for xkeyboard-config 2.34 update

==== kernel-source ====
Version update (5.14.9 -> 5.14.11)

- Linux 5.14.11 (bsc#1012628).
- Revert "ARM: imx6q: drop of_platform_default_populate() from init_machine" (bsc#1012628).
- Revert "brcmfmac: use ISO3166 country code and 0 rev as fallback" (bsc#1012628).
- libata: Add ATA_HORKAGE_NO_NCQ_ON_ATI for Samsung 860 and 870 SSD (bsc#1012628).
- perf/x86: Reset destroy callback on event init failure (bsc#1012628).
- KVM: x86: nSVM: restore int_vector in svm_clear_vintr (bsc#1012628).
- kvm: x86: Add AMD PMU MSRs to msrs_to_save_all[] (bsc#1012628).
- KVM: x86: reset pdptrs_from_userspace when exiting smm (bsc#1012628).
- KVM: do not shrink halt_poll_ns below grow_start (bsc#1012628).
- selftests: KVM: Align SMCCC call with the spec in steal_time (bsc#1012628).
- kasan: always respect CONFIG_KASAN_STACK (bsc#1012628).
- tools/vm/page-types: remove dependency on opt_file for idle page tracking (bsc#1012628).
- block: don't call rq_qos_ops->done_bio if the bio isn't tracked (bsc#1012628).
- io_uring: allow conditional reschedule for intensive iterators (bsc#1012628).
- x86/insn, tools/x86: Fix undefined behavior due to potential unaligned accesses (bsc#1012628).
- smb3: correct smb3 ACL security descriptor (bsc#1012628).
- irqchip/gic: Work around broken Renesas integration (bsc#1012628).
- scsi: ses: Retry failed Send/Receive Diagnostic commands (bsc#1012628).
- thermal/drivers/tsens: Fix wrong check for tzd in irq handlers (bsc#1012628).
- nvme-fc: avoid race between time out and tear down (bsc#1012628).
- nvme-fc: update hardware queues before using them (bsc#1012628).
- swiotlb-xen: ensure to issue well-formed XENMEM_exchange requests (bsc#1012628).
- Xen/gntdev: don't ignore kernel unmapping error (bsc#1012628).
- selftests: kvm: fix get_run_delay() ignoring fscanf() return warn (bsc#1012628). - selftests: kvm: move get_run_delay() into lib/test_util (bsc#1012628). - selftests:kvm: fix get_trans_hugepagesz() ignoring fscanf() return warn (bsc#1012628). - selftests:kvm: fix get_warnings_count() ignoring fscanf() return warn (bsc#1012628). - selftests: be sure to make khdr before other targets (bsc#1012628). - habanalabs/gaudi: fix LBW RR configuration (bsc#1012628). - habanalabs: fail collective wait when not supported (bsc#1012628). - habanalabs/gaudi: use direct MSI in single mode (bsc#1012628). - usb: dwc2: check return value after calling platform_get_resource() (bsc#1012628). - usb: testusb: Fix for showing the connection speed (bsc#1012628). - scsi: elx: efct: Do not hold lock while calling fc_vport_terminate() (bsc#1012628). - scsi: sd: Free scsi_disk device via put_device() (bsc#1012628). - drm/amdkfd: fix svm_migrate_fini warning (bsc#1012628). - drm/amdkfd: handle svm migrate init error (bsc#1012628). - ext2: fix sleeping in atomic bugs on error (bsc#1012628). - platform/x86: gigabyte-wmi: add support for B550I Aorus Pro AX (bsc#1012628). - sparc64: fix pci_iounmap() when CONFIG_PCI is not set (bsc#1012628). - xen-netback: correct success/error reporting for the SKB-with-fraglist case (bsc#1012628). - net: mdio: introduce a shutdown method to mdio device drivers (bsc#1012628). - btrfs: fix mount failure due to past and transient device flush error (bsc#1012628). - btrfs: replace BUG_ON() in btrfs_csum_one_bio() with proper error handling (bsc#1012628). - nfsd: back channel stuck in SEQ4_STATUS_CB_PATH_DOWN (bsc#1012628). - platform/x86: touchscreen_dmi: Update info for the Chuwi Hi10 Plus (CWI527) tablet (bsc#1012628). - platform/x86: touchscreen_dmi: Add info for the Chuwi HiBook (CWI514) tablet (bsc#1012628). - afs: Add missing vnode validation checks (bsc#1012628). - spi: rockchip: handle zero length transfers without timing out (bsc#1012628). 
- commit 834dddd - iwlwifi: Fix MODULE_FIRMWARE() for non-existing ucode version (boo#1191417). - commit 6597512 - Linux 5.14.10 (bsc#1012628). - media: hantro: Fix check for single irq (bsc#1012628). - media: cedrus: Fix SUNXI tile size calculation (bsc#1012628). - media: s5p-jpeg: rename JPEG marker constants to prevent build warnings (bsc#1012628). - ASoC: fsl_sai: register platform component before registering cpu dai (bsc#1012628). - ASoC: fsl_esai: register platform component before registering cpu dai (bsc#1012628). - ASoC: fsl_micfil: register platform component before registering cpu dai (bsc#1012628). - ASoC: fsl_spdif: register platform component before registering cpu dai (bsc#1012628). - ASoC: fsl_xcvr: register platform component before registering cpu dai (bsc#1012628). - ASoC: mediatek: common: handle NULL case in suspend/resume function (bsc#1012628). - scsi: elx: efct: Fix void-pointer-to-enum-cast warning for efc_nport_topology (bsc#1012628). - ASoC: SOF: Fix DSP oops stack dump output contents (bsc#1012628). - ASoC: SOF: imx: imx8: Bar index is only valid for IRAM and SRAM types (bsc#1012628). - ASoC: SOF: imx: imx8m: Bar index is only valid for IRAM and SRAM types (bsc#1012628). - pinctrl: qcom: spmi-gpio: correct parent irqspec translation (bsc#1012628). - net/mlx4_en: Resolve bad operstate value (bsc#1012628). - s390/qeth: Fix deadlock in remove_discipline (bsc#1012628). - s390/qeth: fix deadlock during failing recovery (bsc#1012628). - m68k: Update ->thread.esp0 before calling syscall_trace() in ret_from_signal (bsc#1012628). - NIOS2: fix kconfig unmet dependency warning for SERIAL_CORE_CONSOLE (bsc#1012628). - kasan: fix Kconfig check of CC_HAS_WORKING_NOSANITIZE_ADDRESS (bsc#1012628). - HID: amd_sfh: Fix potential NULL pointer dereference (bsc#1012628). - perf test: Fix DWARF unwind for optimized builds (bsc#1012628). - perf iostat: Use system-wide mode if the target cpu_list is unspecified (bsc#1012628). 
- perf iostat: Fix Segmentation fault from NULL 'struct perf_counts_values *' (bsc#1012628). - watchdog/sb_watchdog: fix compilation problem due to COMPILE_TEST (bsc#1012628). - tty: Fix out-of-bound vmalloc access in imageblit (bsc#1012628). - cpufreq: schedutil: Use kobject release() method to free sugov_tunables (bsc#1012628). - scsi: qla2xxx: Changes to support kdump kernel for NVMe BFS (bsc#1012628). - drm/amdgpu: adjust fence driver enable sequence (bsc#1012628). - drm/amdgpu: avoid over-handle of fence driver fini in s3 test (v2) (bsc#1012628). - drm/amdgpu: stop scheduler when calling hw_fini (v2) (bsc#1012628). - cpufreq: schedutil: Destroy mutex before kobject_put() frees the memory (bsc#1012628). - scsi: ufs: ufs-pci: Fix Intel LKF link stability (bsc#1012628). - ALSA: rawmidi: introduce SNDRV_RAWMIDI_IOCTL_USER_PVERSION (bsc#1012628). - ALSA: firewire-motu: fix truncated bytes in message tracepoints (bsc#1012628). - ALSA: hda/realtek: Quirks to enable speaker output for Lenovo Legion 7i 15IMHG05, Yoga 7i 14ITL5/15ITL5, and 13s Gen2 laptops (bsc#1012628). - ACPI: NFIT: Use fallback node id when numa info in NFIT table is incorrect (bsc#1012628). - fs-verity: fix signed integer overflow with i_size near S64_MAX (bsc#1012628). - hwmon: (tmp421) handle I2C errors (bsc#1012628). - hwmon: (w83793) Fix NULL pointer dereference by removing unnecessary structure field (bsc#1012628). - hwmon: (w83792d) Fix NULL pointer dereference by removing unnecessary structure field (bsc#1012628). - hwmon: (w83791d) Fix NULL pointer dereference by removing unnecessary structure field (bsc#1012628). - gpio: pca953x: do not ignore i2c errors (bsc#1012628). - scsi: ufs: Fix illegal offset in UPIU event trace (bsc#1012628). - mac80211: fix use-after-free in CCMP/GCMP RX (bsc#1012628). - platform/x86/intel: hid: Add DMI switches allow list (bsc#1012628). - x86/kvmclock: Move this_cpu_pvti into kvmclock.h (bsc#1012628). 
- ptp: Fix ptp_kvm_getcrosststamp issue for x86 ptp_kvm (bsc#1012628). - KVM: x86: Fix stack-out-of-bounds memory access from ioapic_write_indirect() (bsc#1012628). - KVM: x86: nSVM: don't copy virt_ext from vmcb12 (bsc#1012628). - KVM: x86: Clear KVM's cached guest CR3 at RESET/INIT (bsc#1012628). - KVM: x86: Swap order of CPUID entry "index" vs. "significant flag" checks (bsc#1012628). - KVM: nVMX: Filter out all unsupported controls when eVMCS was activated (bsc#1012628). - KVM: SEV: Update svm_vm_copy_asid_from for SEV-ES (bsc#1012628). - KVM: SEV: Pin guest memory for write for RECEIVE_UPDATE_DATA (bsc#1012628). - KVM: SEV: Acquire vcpu mutex when updating VMSA (bsc#1012628). - KVM: SEV: Allow some commands for mirror VM (bsc#1012628). - KVM: SVM: fix missing sev_decommission in sev_receive_start (bsc#1012628). - KVM: nVMX: Fix nested bus lock VM exit (bsc#1012628). - KVM: VMX: Fix a TSX_CTRL_CPUID_CLEAR field mask issue (bsc#1012628). - mmc: renesas_sdhi: fix regression with hard reset on old SDHIs (bsc#1012628). - media: ir_toy: prevent device from hanging during transmit (bsc#1012628). - RDMA/cma: Do not change route.addr.src_addr.ss_family (bsc#1012628). - RDMA/cma: Ensure rdma_addr_cancel() happens before issuing more requests (bsc#1012628). - nbd: use shifts rather than multiplies (bsc#1012628). - drm/amd/display: initialize backlight_ramping_override to false (bsc#1012628). - drm/amd/display: Pass PCI deviceid into DC (bsc#1012628). - drm/amd/display: Fix Display Flicker on embedded panels (bsc#1012628). - drm/amdgpu: force exit gfxoff on sdma resume for rmb s0ix (bsc#1012628). - drm/amdgpu: check tiling flags when creating FB on GFX8- (bsc#1012628). - drm/amdgpu: correct initial cp_hqd_quantum for gfx9 (bsc#1012628). - interconnect: qcom: sdm660: Fix id of slv_cnoc_mnoc_cfg (bsc#1012628). - interconnect: qcom: sdm660: Correct NOC_QOS_PRIORITY shift and mask (bsc#1012628). - drm/i915/gvt: fix the usage of ww lock in gvt scheduler (bsc#1012628). 
- ipvs: check that ip_vs_conn_tab_bits is between 8 and 20 (bsc#1012628). - bpf: Handle return value of BPF_PROG_TYPE_STRUCT_OPS prog (bsc#1012628). - IB/cma: Do not send IGMP leaves for sendonly Multicast groups (bsc#1012628). - RDMA/cma: Fix listener leak in rdma_cma_listen_on_all() failure (bsc#1012628). - bpf, mips: Validate conditional branch offsets (bsc#1012628). - hwmon: (mlxreg-fan) Return non-zero value when fan current state is enforced from sysfs (bsc#1012628). - RDMA/irdma: Skip CQP ring during a reset (bsc#1012628). - RDMA/irdma: Validate number of CQ entries on create CQ (bsc#1012628). - RDMA/irdma: Report correct WC error when transport retry counter is exceeded (bsc#1012628). - RDMA/irdma: Report correct WC error when there are MW bind errors (bsc#1012628). - netfilter: nf_tables: unlink table before deleting it (bsc#1012628). - netfilter: log: work around missing softdep backend module (bsc#1012628). - Revert "mac80211: do not use low data rates for data frames with no ack flag" (bsc#1012628). - mac80211: Fix ieee80211_amsdu_aggregate frag_tail bug (bsc#1012628). - mac80211: limit injected vht mcs/nss in ieee80211_parse_tx_radiotap (bsc#1012628). - mac80211: mesh: fix potentially unaligned access (bsc#1012628). - mac80211-hwsim: fix late beacon hrtimer handling (bsc#1012628). - driver core: fw_devlink: Add support for FWNODE_FLAG_NEEDS_CHILD_BOUND_ON_ADD (bsc#1012628). - net: mdiobus: Set FWNODE_FLAG_NEEDS_CHILD_BOUND_ON_ADD for mdiobus parents (bsc#1012628). - sctp: break out if skb_header_pointer returns NULL in sctp_rcv_ootb (bsc#1012628). - mptcp: don't return sockets in foreign netns (bsc#1012628). - mptcp: allow changing the 'backup' bit when no sockets are open (bsc#1012628). - RDMA/hns: Work around broken constant propagation in gcc 8 (bsc#1012628). - hwmon: (tmp421) report /PVLD condition as fault (bsc#1012628). - hwmon: (tmp421) fix rounding for negative values (bsc#1012628). 
- net: enetc: fix the incorrect clearing of IF_MODE bits (bsc#1012628). - net: ipv4: Fix rtnexthop len when RTA_FLOW is present (bsc#1012628). - smsc95xx: fix stalled rx after link change (bsc#1012628). - drm/i915/request: fix early tracepoints (bsc#1012628). - drm/i915: Remove warning from the rps worker (bsc#1012628). - dsa: mv88e6xxx: 6161: Use chip wide MAX MTU (bsc#1012628). - dsa: mv88e6xxx: Fix MTU definition (bsc#1012628). - dsa: mv88e6xxx: Include tagger overhead when setting MTU for DSA and CPU ports (bsc#1012628). - e100: fix length calculation in e100_get_regs_len (bsc#1012628). - e100: fix buffer overrun in e100_get_regs (bsc#1012628). - RDMA/hfi1: Fix kernel pointer leak (bsc#1012628). - RDMA/hns: Fix the size setting error when copying CQE in clean_cq() (bsc#1012628). - RDMA/hns: Add the check of the CQE size of the user space (bsc#1012628). - bpf: Exempt CAP_BPF from checks against bpf_jit_limit (bsc#1012628). - libbpf: Fix segfault in static linker for objects without BTF (bsc#1012628). - selftests, bpf: Fix makefile dependencies on libbpf (bsc#1012628). - selftests, bpf: test_lwt_ip_encap: Really disable rp_filter (bsc#1012628). - bpf, x86: Fix bpf mapping of atomic fetch implementation (bsc#1012628). - net: ks8851: fix link error (bsc#1012628). - ionic: fix gathering of debug stats (bsc#1012628). - Revert "block, bfq: honor already-setup queue merges" (bsc#1012628). - scsi: csiostor: Add module softdep on cxgb4 (bsc#1012628). - ixgbe: Fix NULL pointer dereference in ixgbe_xdp_setup (bsc#1012628). - net: hns3: do not allow call hns3_nic_net_open repeatedly (bsc#1012628). - net: hns3: remove tc enable checking (bsc#1012628). - net: hns3: don't rollback when destroy mqprio fail (bsc#1012628). - net: hns3: fix mixed flag HCLGE_FLAG_MQPRIO_ENABLE and HCLGE_FLAG_DCB_ENABLE (bsc#1012628). - net: hns3: fix show wrong state when add existing uc mac address (bsc#1012628). - net: hns3: reconstruct function hns3_self_test (bsc#1012628). 
- net: hns3: fix always enable rx vlan filter problem after selftest (bsc#1012628). - net: hns3: disable firmware compatible features when uninstall PF (bsc#1012628). - net: phy: bcm7xxx: Fixed indirect MMD operations (bsc#1012628). - net: sched: flower: protect fl_walk() with rcu (bsc#1012628). - net: stmmac: fix EEE init issue when paired with EEE capable PHYs (bsc#1012628). - af_unix: fix races in sk_peer_pid and sk_peer_cred accesses (bsc#1012628). - objtool: Teach get_alt_entry() about more relocation types (bsc#1012628). - perf/x86/intel: Update event constraints for ICX (bsc#1012628). - sched/fair: Add ancestors of unthrottled undecayed cfs_rq (bsc#1012628). - sched/fair: Null terminate buffer when updating tunable_scaling (bsc#1012628). - hwmon: (occ) Fix P10 VRM temp sensors (bsc#1012628). - hwmon: (pmbus/mp2975) Add missed POUT attribute for page 1 mp2975 controller (bsc#1012628). - kvm: fix objtool relocation warning (bsc#1012628). - nvme: add command id quirk for apple controllers (bsc#1012628). - elf: don't use MAP_FIXED_NOREPLACE for elf interpreter mappings (bsc#1012628). - driver core: fw_devlink: Improve handling of cyclic dependencies (bsc#1012628). - debugfs: debugfs_create_file_size(): use IS_ERR to check for error (bsc#1012628). - ipack: ipoctal: fix stack information leak (bsc#1012628). - ipack: ipoctal: fix tty registration race (bsc#1012628). - ipack: ipoctal: fix tty-registration error handling (bsc#1012628). - ipack: ipoctal: fix missing allocation-failure check (bsc#1012628). - ipack: ipoctal: fix module reference leak (bsc#1012628). - ext4: fix loff_t overflow in ext4_max_bitmap_size() (bsc#1012628). - ext4: limit the number of blocks in one ADD_RANGE TLV (bsc#1012628). - ext4: fix reserved space counter leakage (bsc#1012628). - ext4: add error checking to ext4_ext_replay_set_iblocks() (bsc#1012628). - ext4: fix potential infinite loop in ext4_dx_readdir() (bsc#1012628). 
- ext4: flush s_error_work before journal destroy in ext4_fill_super (bsc#1012628). - HID: u2fzero: ignore incomplete packets without data (bsc#1012628). - net: udp: annotate data race around udp_sk(sk)->corkflag (bsc#1012628). - NIOS2: setup.c: drop unused variable 'dram_start' (bsc#1012628). - usb: hso: remove the bailout parameter (bsc#1012628). - HID: betop: fix slab-out-of-bounds Write in betop_probe (bsc#1012628). - netfilter: ipset: Fix oversized kvmalloc() calls (bsc#1012628). - mm: don't allow oversized kvmalloc() calls (bsc#1012628). - HID: usbhid: free raw_report buffers in usbhid_stop (bsc#1012628). - crypto: aesni - xts_crypt() return if walk.nbytes is 0 (bsc#1012628). - KVM: x86: Handle SRCU initialization failure during page track init (bsc#1012628). - netfilter: conntrack: serialize hash resizes and cleanups (bsc#1012628). - netfilter: nf_tables: Fix oversized kvmalloc() calls (bsc#1012628). - drivers: net: mhi: fix error path in mhi_net_newlink (bsc#1012628). - objtool: print out the symbol type when complaining about it (bsc#1012628). - HID: amd_sfh: Fix potential NULL pointer dereference - take 2 (bsc#1012628). - commit 7c980ba - ALSA: hda: intel: Allow repeatedly probing on codec configuration errors (bsc#1190801). - commit 924f4be - rpm: use _rpmmacrodir (boo#1191384) - commit e350c14 ==== kubernetes1.21 ==== - Bump disk requirements in _constraints to 12GB. Data based on the last successful build consumed storage. 

==== libapparmor ====

- add add-samba-bgqd.diff: add profile for samba-bgqd (boo#1191532)

==== libcap ====
Version update (2.51 -> 2.59)

- update to 2.59:
  * Fixed a potential libcap memory leak by adding a destructor
  * Major improvement is that there is a path for Linux-PAM compliant
    applications to support setting Ambient vector Capabilities via
    pam_cap.so now
  * Added libcap cap_proc_root() API function
  * Added color support to captree
  * Fixed contrib/sucap/su to correctly handle the Inheritable flag
  * capsh enhancements
  * getcap -r / now generates readable output
  * The shared library objects: pam_cap.so, libcap.so and libpsx.so,
    are all now runnable as standalone binaries
  * The module pam_cap.so now contains support for a default=<IAB>
    module argument
  * Enhanced capsh --suggest to also compare against the capability
    value names and not just their descriptions
  * Added capsh --current support
  * Added a contrib/sucap/su.c pure-capabilities PAM implementation of su
  * Fix for a corner case infinite loop handling long strings
  * Added libcap cap_iab_compare() and cap_iab_get_pid() APIs
  * Added a Go utility, captree, to display the process (and thread)
    graph along with the POSIX.1e and IAB capabilities of each PID{TID}
    tree.

==== libglvnd ====

- libglvnd.rpmlintrc
  * workaround for future buildcheck (boo#1191763)

==== librsvg ====
Version update (2.52.0 -> 2.52.2)
Subpackages: gdk-pixbuf-loader-rsvg librsvg-2-2

- Update to version 2.52.2:
  + New features:
    - rsvg-convert now supports generating multi-page PDFs in a sensible way.
      With one SVG document per page, each page with the SVG's natural size:
        rsvg-convert --format=pdf -o out.pdf a.svg b.svg c.svg
      With all pages sized as portrait US Letter, and each SVG scaled to
      fit so that there is a 1in margin around each page:
        rsvg-convert --format=pdf -o out.pdf \
          --page-width=8.5in --page-height=11in \
          --width=6.5in --height=8.5in --keep-aspect-ratio \
          --top=1in --left=1in a.svg b.svg c.svg
      Please see the man page for details.
    - Support <a> elements inside <text>. Also, support the CSS :link
      pseudo-class for matching against links.
    - Support the CSS :lang() pseudo-class for matching against an
      element's xml:lang attribute.
    - Support the mask-type property from SVG2.
  + Bugs fixed:
    - Don't panic when a shorthand property is set to inherit.
    - Fix regression with the viewport size of interior <svg> elements.
    - Allow length units to be case-insensitive, per SVG2.
  + Documentation:
    - There is now a FEATURES.md in the repository, where you can see
      all the elements, attributes, and properties that librsvg
      supports. We will be adding detail to this gradually.
    - For developers, there is now devel-docs/adding-a-property.md with
      a tutorial on how to add support for new CSS properties.
- Update to version 2.52.1:
  + Fix ordering of tspan inside text elements for right-to-left
    languages.
  + Fix text-anchor positioning for right-to-left languages.
  + Fix regression in computing sizes when an SVG has only one of
    width/height and a viewBox.
  + Spec compliance - the writing-mode property applies only to text
    elements, not to individual tspan elements.
  + Fix build on big-endian platforms.
  + Clarify documentation for the rsvg_handle_write() /
    rsvg_handle_close() deprecated APIs.
==== libwebp ==== Version update (1.2.0 -> 1.2.1) Subpackages: libwebp7 libwebpdemux2 libwebpmux3 - update to 1.2.1: * minor lossless encoder improvements and x86 color conversion speed up * further security related hardening in libwebp & examples * toolchain updates and bug fixes * use more inclusive language within the source ==== libzypp ==== Version update (17.28.4 -> 17.28.6) - Zypper should keep cached files if transaction is aborted (bsc#1190356) Singletrans mode currently does not keep files around if the transaction is aborted. This patch fixes the problem. - Require a minimum number of mirrors for multicurl (bsc#1191609) - Use procfs to detect nr of open fd's if rlimit is too high (bsc#1191324) Especially in a VM iterating over all possible fd's to close open ones right before an exec() slows down zypper unnecessarily. This patch uses /proc/self/fd to iterate over open fd's in case rlimit is above 1024. - po: Fix some lost '%' signs in positional args (bsc#1191370) - RepoManager: Don't probe for plaindir repo if URL schema is plugin: (bsc#1191286) - version 17.28.6 (22) - Downloader does not respect checkExistsOnly flag (bsc#1190712) A missing check causes zyppng::Downloader to always download full files even if the checkExistsOnly flag is set. This patch adds the missing logic. - Fix kernel-*-livepatch removal in purge-kernels (bsc#1190815) The kernel-*-livepatch packages are supposed to serve as a stable handle for the ephemeral kernel livepatch packages. See FATE#320268 for details. As part of the kernel live patching ecosystem, kernel-*-livepatch packages should not block the purge-kernels step. - version 17.28.5 (22) ==== ncurses ==== Version update (6.2.20210911 -> 6.2.20211002) Subpackages: libncurses6 ncurses-utils terminfo-base - Add ncurses patch 20211002 + use return-value from vsnprintf to reallocate as needed to allow for buffers larger than the screen size (report by "_RuRo_"). 
+ modify tset "-q" option to refrain from modifying terminal modes, to match the documentation. + add section on margins to terminfo.5, adapted from X/Open Curses. + make tput/tset warning messages consistently using alias names when those are used, rather than the underlying program's name. + improve tput usage message for aliases such as clear, by eliminating tput-specific portions. + add a check in toe to ensure that a "termcap file" is text rather than binary. + further build-fixes for OpenBSD 6.9, whose header files differ from - Add ncurses patch 20210925 + add kbeg to xterm+keypad to accommodate termcap applications -TD + add smglp and smgrp to vt420+lrmm, to provide useful data for the "tabs" +m option -TD + build-fix for gcc 3.4.3 with Solaris10, which does not allow forward reference of anonymous struct typedef. + modify tput to allow multiple commands per line. + minor fixes for tset manpage. - Correct offsets of patch ncurses-6.2.dif ==== ndctl ==== - Added hardening to systemd service(s) (bsc#1181400). Added patch(es): * harden_ndctl-monitor.service.patch ==== nvme-cli ==== - Drop ProtectClock hardening, can cause issues if other device access is needed - Added hardening to systemd service(s) (bsc#1181400). Added patch(es): * harden_nvmf-connect@.service.patch ==== open-iscsi ==== Subpackages: iscsiuio libopeniscsiusr0_2_0 - Fix possible systemd cycle by adding an "obsoletes" for the old libopeniscsiusr for older versions. ==== open-vm-tools ==== Version update (11.3.0 -> 11.3.5) Subpackages: libvmtools0 - Update to 11.3.5 (build 18557794) (boo#1190987) + New/Updated features: - Added a configurable logging capability to the network script. The network script has been updated to: use vmware-toolbox-cmd to query any network logging configuration from the tools.conf file. Use vmtoolsd --cmd "log ..." to log a message to the vmx logfile when the logging handler is configured to "vmx" or when the logfile is full or is not writeable. 
- The hgfsmounter (mount.vmhgfs) command has been removed from open-vm-tools. The hgfsmounter (mount.vmhgfs) command is no longer used in Linux open-vm-tools. It has been replaced by hgfs-fuse. Therefore, removing all references to the hgfsmounter in Linux builds. + Resolved issues: - Customization: Retry the Linux reboot if telinit is a soft link to systemctl. - Open-vm-tools commands would hang if configured with "--enable-valgrind". + Spec file updates for: - rpmlint errors - arg_xmlsec1 --enable-xmlsec1 for better xmlsec1/libxml2 handling. ==== openssh ==== Version update (8.4p1 -> 8.8p1) Subpackages: openssh-clients openssh-common openssh-server - Version update to 8.8p1: = Security * sshd(8) from OpenSSH 6.2 through 8.7 failed to correctly initialise supplemental groups when executing an AuthorizedKeysCommand or AuthorizedPrincipalsCommand, where an AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser directive has been set to run the command as a different user. Instead these commands would inherit the groups that sshd(8) was started with. Depending on system configuration, inherited groups may allow AuthorizedKeysCommand/AuthorizedPrincipalsCommand helper programs to gain unintended privilege. Neither AuthorizedKeysCommand nor AuthorizedPrincipalsCommand are enabled by default in sshd_config(5). = Potentially-incompatible changes * This release disables RSA signatures using the SHA-1 hash algorithm by default. This change has been made as the SHA-1 hash algorithm is cryptographically broken, and it is possible to create chosen-prefix hash collisions for <USD$50K. For most users, this change should be invisible and there is no need to replace ssh-rsa keys. OpenSSH has supported RFC8332 RSA/SHA-256/512 signatures since release 7.2 and existing ssh-rsa keys will automatically use the stronger algorithm where possible. 
Incompatibility is more likely when connecting to older SSH implementations that have not been upgraded or have not closely tracked improvements in the SSH protocol. For these cases, it may be necessary to selectively re-enable RSA/SHA1 to allow connection and/or user authentication via the HostkeyAlgorithms and PubkeyAcceptedAlgorithms options. = New features * ssh(1): allow the ssh_config(5) CanonicalizePermittedCNAMEs directive to accept a "none" argument to specify the default behaviour. = Bugfixes * scp(1): when using the SFTP protocol, continue transferring files after a transfer error occurs, better matching original scp/rcp behaviour. * ssh(1): fixed a number of memory leaks in multiplexing, * ssh-keygen(1): avoid crash when using the -Y find-principals command. * A number of documentation and manual improvements, including bz#3340, PR139, PR215, PR241, PR257 - Additional changes from 8.7p1 release: = Potentially-incompatible changes * scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. This was previously available via the -3 flag. This mode avoids the need to expose credentials on the origin hop, avoids triplicate interpretation of filenames by the shell (by the local system, the copy origin and the destination) and, in conjunction with the SFTP support for scp(1) mentioned below, allows use of all authentication methods to the remote hosts (previously, only non-interactive methods could be used). A -R flag has been added to select the old behaviour. * ssh(1)/sshd(8): both the client and server are now using a stricter configuration file parser. The new parser uses more shell-like rules for quotes, space and escape characters. It is also more strict in rejecting configurations that include options lacking arguments. Previously some options (e.g. DenyUsers) could appear on a line with no subsequent arguments. This release will reject such configurations. 
The new parser will also reject configurations with unterminated quotes and multiple '=' characters after the option name. * ssh(1): when using SSHFP DNS records for host key verification, ssh(1) will verify all matching records instead of just those with the specific signature type requested. This may cause host key verification problems if stale SSHFP records of a different or legacy signature type exist alongside other records for a particular host. bz#3322 * ssh-keygen(1): when generating a FIDO key and specifying an explicit attestation challenge (using -Ochallenge), the challenge will now be hashed by the builtin security key middleware. This removes the (undocumented) requirement that challenges be exactly 32 bytes in length and matches the expectations of libfido2. * sshd(8): environment="..." directives in authorized_keys files are now first-match-wins and limited to 1024 discrete environment variable names. = New features * scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. SFTP offers more predictable filename handling and does not require expansion of glob(3) patterns via the shell on the remote side. * sftp-server(8): add a protocol extension to support expansion of ~/ and ~user/ prefixed paths. This was added to support these paths when used by scp(1) while in SFTP mode. * ssh(1): add a ForkAfterAuthentication ssh_config(5) counterpart to the ssh(1) -f flag. GHPR231 * ssh(1): add a StdinNull directive to ssh_config(5) that allows the config file to do the same thing as -n does on the ssh(1) command-line. GHPR231 * ssh(1): add a SessionType directive to ssh_config, allowing the configuration file to offer equivalent control to the -N (no session) and -s (subsystem) command-line flags. 
GHPR231 * ssh-keygen(1): allowed signers files used by ssh-keygen(1) signatures now support listing key validity intervals alongside the key, and ssh-keygen(1) can optionally check during signature verification whether a specified time falls inside this interval. This feature is intended for use by git to support signing and verifying objects using ssh keys. * ssh-keygen(8): support printing of the full public key in a sshsig signature via a -Oprint-pubkey flag. = Bugfixes * ssh(1)/sshd(8): start time-based re-keying exactly on schedule in the client and server mainloops. Previously the re-key timeout could expire but re-keying would not start until a packet was sent or received, causing a spin in select() if the connection was quiescent. * ssh-keygen(1): avoid Y2038 problem in printing certificate validity lifetimes. Dates past 2^31-1 seconds since epoch were displayed incorrectly on some platforms. bz#3329 * scp(1): allow spaces to appear in usernames for local to remote and scp -3 remote to remote copies. bz#1164 * ssh(1)/sshd(8): remove references to ChallengeResponseAuthentication in favour of KbdInteractiveAuthentication. The former is what was in SSHv1, the latter is what is in SSHv2 (RFC4256) and they were treated as somewhat but not entirely equivalent. We retain the old name as a deprecated alias so configuration files continue to work as well as a reference in the man page for people looking for it. bz#3303 * ssh(1)/ssh-add(1)/ssh-keygen(1): fix decoding of X.509 subject name when extracting a key from a PKCS#11 certificate. bz#3327 * ssh(1): restore blocking status on stdio fds before close. ssh(1) needs file descriptors in non-blocking mode to operate but it was not restoring the original state on exit. This could cause problems with fds shared with other programs via the shell, bz#3280 and GHPR246 * ssh(1)/sshd(8): switch both client and server mainloops from select(3) to pselect(3). 
Avoids race conditions where a signal may arrive immediately before select(3) and not be processed until an event fires. bz#2158 * ssh(1): sessions started with ControlPersist were incorrectly executing a shell when the -N (no shell) option was specified. bz#3290 * ssh(1): check if IPQoS or TunnelDevice are already set before overriding. Prevents values in config files from overriding values supplied on the command line. bz#3319 * ssh(1): fix debug message when finding a private key to match a certificate being attempted for user authentication. Previously it would print the certificate's path, whereas it was supposed to be showing the private key's path. GHPR247 * sshd(8): match host certificates against host public keys, not private keys. Allows use of certificates with private keys held in a ssh-agent. bz#3524 * ssh(1): add a workaround for a bug in OpenSSH 7.4 sshd(8), which allows RSA/SHA2 signatures for public key authentication but fails to advertise this correctly via SSH2_MSG_EXT_INFO. This causes clients of these servers to incorrectly match PubkeyAcceptedAlgorithms and potentially refuse to offer valid keys. bz#3213 * sftp(1)/scp(1): degrade gracefully if a sftp-server offers the limits@openssh.com extension but fails when the client tries to invoke it. bz#3318 * ssh(1): allow ssh_config SetEnv to override $TERM, which is otherwise handled specially by the protocol. Useful in ~/.ssh/config to set TERM to something generic (e.g. "xterm" instead of "xterm-256color") for destinations that lack terminfo entries. * sftp-server(8): the limits@openssh.com extension was incorrectly marked as an operation that writes to the filesystem, which made it unavailable in sftp-server read-only mode. bz#3318 * ssh(1): fix SEGV in UpdateHostkeys debug() message, triggered when the update removed more host keys than remain present. * Many manual page fixes. - Additional changes from 8.6p1 release: = Security * sshd(8): OpenSSH 8.5 introduced the LogVerbose keyword. 
When this option was enabled with a set of patterns that activated logging in code that runs in the low-privilege sandboxed sshd process, the log messages were constructed in such a way that printf(3) format strings could effectively be specified by the low-privilege code. = New features * sftp-server(8): add a new limits@openssh.com protocol extension that allows a client to discover various server limits, including maximum packet size and maximum read/write length. * sftp(1): use the new limits@openssh.com extension (when available) to select better transfer lengths in the client. * sshd(8): Add ModuliFile keyword to sshd_config to specify the location of the "moduli" file containing the groups for DH-GEX. * unit tests: Add a TEST_SSH_ELAPSED_TIMES environment variable to enable printing of the elapsed time in seconds of each test. = Bugfixes * ssh_config(5), sshd_config(5): sync CASignatureAlgorithms lists in manual pages with the current default. GHPR174 * ssh(1): ensure that pkcs11_del_provider() is called before exit. GHPR234 * ssh(1), sshd(8): fix problems in string->argv conversion. Multiple backslashes were not being dequoted correctly and quoted space in the middle of a string was being incorrectly split. GHPR223 * ssh(1): return non-zero exit status when killed by signal; bz#3281 * sftp-server(8): increase maximum SSH2_FXP_READ to match the maximum packet size. Also handle zero-length reads that are not explicitly banned by the spec. - Additional changes from 8.5p1 release: = Security * ssh-agent(1): fixed a double-free memory corruption that was introduced in OpenSSH 8.2. We treat all such memory faults as potentially exploitable. This bug could be reached by an attacker with access to the agent socket. = Potentially-incompatible changes * ssh(1), sshd(8): this release changes the first-preference signature algorithm from ECDSA to ED25519. * ssh(1), sshd(8): set the TOS/DSCP specified in the configuration for interactive use prior to TCP connect. 
The connection phase of the SSH session is time-sensitive and often explicitly interactive. The ultimate interactive/bulk TOS/DSCP will be set after authentication completes. * ssh(1), sshd(8): remove the pre-standardization cipher rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc before it was standardized in RFC4253 (2006), has been deprecated and disabled by default since OpenSSH 7.2 (2016) and was only briefly documented in ssh.1 in 2001. * ssh(1), sshd(8): update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime coupled with X25519. The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. * ssh(1): disable CheckHostIP by default. It provides insignificant benefits while making key rotation significantly more difficult, especially for hosts behind IP-based load-balancers. = New features * ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions: - The key was matched in the UserKnownHostsFile (and not in the GlobalKnownHostsFile). - The same key does not exist under another name. - A certificate host key is not in use. - known_hosts contains no matching wildcard hostname pattern. - VerifyHostKeyDNS is not enabled. - The default UserKnownHostsFile is in use. * ssh(1), sshd(8): add a new LogVerbose configuration directive that allows forcing maximum debug logging by file/function/line pattern-lists. * ssh(1): when prompting the user to accept a new hostkey, display any other host names/addresses already associated with the key. * ssh(1): allow UserKnownHostsFile=none to indicate that no known_hosts file should be used to identify host keys. * ssh(1): add a ssh_config KnownHostsCommand option that allows the client to obtain known_hosts data from a command in addition to the usual files. 
* ssh(1): add a ssh_config PermitRemoteOpen option that allows the client to restrict the destination when RemoteForward is used with SOCKS. * ssh(1): for FIDO keys, if a signature operation fails with an "incorrect PIN" reason and no PIN was initially requested from the user, then request a PIN and retry the operation. This supports some biometric devices that fall back to requiring PIN when reading of the biometric failed, and devices that require PINs for all hosted credentials. * sshd(8): implement client address-based rate-limiting via new sshd_config(5) PerSourceMaxStartups and PerSourceNetBlockSize directives that provide more fine-grained control on a per-origin address basis than the global MaxStartups limit. = Bugfixes * ssh(1): Prefix keyboard interactive prompts with "(user@host)" to make it easier to determine which connection they are associated with in cases like scp -3, ProxyJump, etc. bz#3224 * sshd(8): fix sshd_config SetEnv directives located inside Match blocks. GHPR201 * ssh(1): when requesting a FIDO token touch on stderr, inform the user once the touch has been recorded. * ssh(1): prevent integer overflow when ridiculously large ConnectTimeout values are specified, capping the effective value (for most platforms) at 24 days. bz#3229 * ssh(1): consider the ECDSA key subtype when ordering host key algorithms in the client. * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. The previous name incorrectly suggested that it controlled allowed key algorithms, when this option actually specifies the signature algorithms that are accepted. The previous name remains available as an alias. bz#3253 * ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms. * sftp-server(8): add missing lsetstat@openssh.com documentation and advertisement in the server's SSH2_FXP_VERSION hello packet. 
* ssh(1), sshd(8): more strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078). * sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit platforms instead of being limited by LONG_MAX. bz#3206 * Minor man page fixes (capitalization, commas, etc.) bz#3223 * sftp(1): when doing an sftp recursive upload or download of a read-only directory, ensure that the directory is created with write and execute permissions in the interim so that the transfer can actually complete, then set the directory permission as the final step. bz#3222 * ssh-keygen(1): document the -Z, check the validity of its argument earlier and provide a better error message if it's not correct. bz#2879 * ssh(1): ignore comments at the end of config lines in ssh_config, similar to what we already do for sshd_config. bz#2320 * sshd_config(5): mention that DisableForwarding is valid in a sshd_config Match block. bz3239 * sftp(1): fix incorrect sorting of "ls -ltr" under some circumstances. bz3248. * ssh(1), sshd(8): fix potential integer truncation of (unlikely) timeout values. bz#3250 * ssh(1): make hostbased authentication send the signature algorithm in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type. This makes HostbasedAcceptedAlgorithms do what it is supposed to - filter on signature algorithm and not key type. 
- Rebased patches: * openssh-7.7p1-IPv6_X_forwarding.patch * openssh-7.7p1-X11_trusted_forwarding.patch * openssh-7.7p1-X_forward_with_disabled_ipv6.patch * openssh-7.7p1-cavstest-ctr.patch * openssh-7.7p1-cavstest-kdf.patch * openssh-7.7p1-disable_openssl_abi_check.patch * openssh-7.7p1-eal3.patch * openssh-7.7p1-enable_PAM_by_default.patch * openssh-7.7p1-fips.patch * openssh-7.7p1-fips_checks.patch * openssh-7.7p1-host_ident.patch * openssh-7.7p1-hostname_changes_when_forwarding_X.patch * openssh-7.7p1-ldap.patch * openssh-7.7p1-no_fork-no_pid_file.patch * openssh-7.7p1-pam_check_locks.patch * openssh-7.7p1-pts_names_formatting.patch * openssh-7.7p1-remove_xauth_cookies_on_exit.patch * openssh-7.7p1-seccomp_ipc_flock.patch * openssh-7.7p1-seccomp_stat.patch * openssh-7.7p1-send_locale.patch * openssh-7.7p1-sftp_force_permissions.patch * openssh-7.7p1-sftp_print_diagnostic_messages.patch * openssh-7.7p1-systemd-notify.patch * openssh-7.9p1-keygen-preserve-perms.patch * openssh-7.9p1-revert-new-qos-defaults.patch * openssh-8.0p1-gssapi-keyex.patch * openssh-8.1p1-audit.patch * openssh-8.1p1-seccomp-clock_gettime64.patch * openssh-8.1p1-seccomp-clock_nanosleep.patch * openssh-8.1p1-seccomp-clock_nanosleep_time64.patch * openssh-8.1p1-use-openssl-kdf.patch * openssh-8.4p1-vendordir.patch * openssh-fips-ensure-approved-moduli.patch * openssh-link-with-sk.patch * openssh-reenable-dh-group14-sha1-default.patch * openssh-whitelist-syscalls.patch - Removed openssh-fix-ssh-copy-id.patch (fixed upstream). - openssh.keyring: rotated to new key from https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc - sshd-gen-keys-start: - only source sysconfig file if it exists. - create /etc/ssh if it does not exist. Required for image based installation/updates. 
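A pre-upgrade check for the openssh 8.4p1 -> 8.8p1 notes above, as an added example (not part of the generated mail and not OpenSSH project code). The function names, finding codes and the sample config are constructed for illustration, and the quote handling only approximates the stricter parser described for 8.7p1.

```python
import re

# Old keyword -> current name (the old names remain aliases, per the notes).
DEPRECATED = {
    "challengeresponseauthentication": "KbdInteractiveAuthentication",
    "pubkeyacceptedkeytypes": "PubkeyAcceptedAlgorithms",
    "hostbasedkeytypes": "HostbasedAcceptedAlgorithms",
    "hostbasedacceptedkeytypes": "HostbasedAcceptedAlgorithms",
}
# Options through which RSA/SHA-1 ("ssh-rsa") can be switched back on.
SIGALG_OPTIONS = {"hostkeyalgorithms", "pubkeyacceptedalgorithms",
                  "pubkeyacceptedkeytypes"}
# Algorithm names removed or replaced in 8.5p1, keyed by the listing option.
REMOVED = {
    "ciphers": {"rijndael-cbc@lysator.liu.se"},
    "kexalgorithms": {"sntrup4591761x25519-sha512@tinyssh.org"},
}
# Directives affected by the supplemental-groups fix in 8.8p1.
HELPER_USER = {"authorizedkeyscommanduser", "authorizedprincipalscommanduser"}


def strip_comment(line):
    """Return (text before an unquoted '#', True if a quote is left open)."""
    quote, i = None, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            i += 2                      # escaped character: skip it
            continue
        if quote:
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == "#" and (i == 0 or line[i - 1].isspace()):
            return line[:i].rstrip(), False
        i += 1
    return line.rstrip(), quote is not None


def audit(text):
    """Return [(line_no, code, message)] for ssh_config/sshd_config text."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        body, open_quote = strip_comment(raw.strip())
        if not body:                    # blank line or comment only
            continue
        kw = re.match(r"[^\s=]*", body)
        if not kw.group():
            findings.append((no, "reject", "missing option name"))
            continue
        key = kw.group().lower()
        sep = re.match(r"[\s=]*", body[kw.end():]).group()
        args = body[kw.end() + len(sep):]
        value = args.strip("\"'")
        names = [a.strip() for a in value.lstrip("+-^").split(",")]
        if open_quote:
            findings.append((no, "reject", "unterminated quote"))
        if sep.count("=") > 1:
            findings.append((no, "reject", "multiple '=' after option name"))
        if not args:
            findings.append((no, "reject", "option has no argument"))
        if key in DEPRECATED:
            findings.append((no, "rename", f"use {DEPRECATED[key]}"))
        # A leading '-' removes algorithms from the default set instead.
        if key in SIGALG_OPTIONS and "ssh-rsa" in names and value[:1] != "-":
            findings.append((no, "sha1", "re-enables RSA/SHA-1 signatures"))
        for name in names:
            if name in REMOVED.get(key, ()):
                findings.append((no, "removed", f"{name} is gone since 8.5p1"))
        if key in HELPER_USER:
            findings.append((no, "check", "helper inherited sshd's groups "
                             "on 6.2 through 8.7; confirm 8.8 is installed"))
    return findings


# Constructed sample, not taken from any real host.
SAMPLE = """\
# constructed sshd_config fragment
Port 22
DenyUsers
Banner "/etc/issue.net
LogLevel==VERBOSE
ChallengeResponseAuthentication no
PubkeyAcceptedKeyTypes +ssh-rsa
HostKeyAlgorithms -ssh-rsa
KexAlgorithms sntrup4591761x25519-sha512@tinyssh.org,curve25519-sha256
AuthorizedKeysCommandUser nobody   # helper account
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

The "reject" findings are the ones the stricter parser refuses outright; "rename" and "sha1" entries still load but deserve a review before the snapshot is rolled out.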
==== pam-config ==== Version update (1.4 -> 1.5) - Update to Version 1.5 - Don't print an error message if one of the systemd PAM modules does not exist if creating the *-pc files [bsc#1191528] - Drop pam_systemd_home again [bsc#1191528] ==== patterns-microos ==== Subpackages: patterns-microos-alt_onlyDVD patterns-microos-apparmor patterns-microos-base patterns-microos-base-microdnf patterns-microos-base-packagekit patterns-microos-base-zypper patterns-microos-basesystem patterns-microos-cloud patterns-microos-cockpit patterns-microos-defaults patterns-microos-hardware patterns-microos-ima_evm patterns-microos-onlyDVD patterns-microos-ra_agent patterns-microos-ra_verifier patterns-microos-selinux patterns-microos-sssd_ldap - Add xdg-desktop-portal-gnome to gnome pattern - Drop gnome-power-manager Requires: Package is dormant upstream and on its way to be replaced by new features inside of gnome-control-center. ==== pmdk ==== Version update (1.11.0 -> 1.11.1) Subpackages: libpmem1 libpmemobj1 - Update to PMDK 1.11.1 * Bugfixes: * doc: remove experimental moniker from libpmem2(7) * common: fix missing sfence in non-temporal memcpy * common: fix a mismatch between prototype and body * common: fix mismatched function args * obj: rename vars clashing with those of a containing block * pmem2: don't force smaller alignment for fsdax mappings * pool: don't trample upon users of localtime() * rpmem: Fix RPMEM_RAW_BUFF_SIZE and LANE_ALIGN_SIZE for powerpc64le ==== python-Jinja2 ==== Version update (3.0.1 -> 3.0.2) - dropped obsolete no-warnings-as-errors.patch - update to 3.0.2 * Fix a loop scoping bug that caused assignments in nested loops to still be referenced outside of it. #1427 * Make compile_templates deterministic for filter and import names. #1452, #1453 * Revert an unintended change that caused Undefined to act like StrictUndefined for the in operator. #1448 * Imported macros have access to the current template globals in async environments. 
#1494 * PackageLoader will not include a current directory (.) path segment. This allows loading templates from the root of a zip import. #1467 ==== python-PrettyTable ==== - %check: use %pyunittest rpm macro ==== python-alembic ==== Version update (1.6.5 -> 1.7.4) - update to 1.7.4: * Fixed a regression that prevented the use of post write hooks on python version lower than 3.9 * Added missing attributes from context stubs. * Fixed issue where registration of custom ops was prone to failure due to the registration process running exec() on generated code that as of the 1.7 series includes pep-484 annotations, which in the case of end user code would result in name resolution errors when the exec occurs - specfile: * skip python 2 builds * require importlib-resources - update to version 1.7.1: * Corrected "universal wheel" directive in setup.cfg so that building a wheel does not target Python 2. The PyPi files index for 1.7.0 was corrected manually. Pull request courtesy layday. * Fixed issue in generated .pyi files where default values for "Optional" arguments were missing, thereby causing mypy to consider them as required. * Fixed regression in batch mode due to :ticket:`883` where the "auto" mode of batch would fail to accommodate any additional migration directives beyond encountering an "add_column()" directive, due to a mis-application of the conditional logic that was added as part of this change, leading to "recreate" mode not being used in cases where it is required for SQLite such as for unique constraints. - changes from version 1.7.0: * Fixed regression due to :ticket:`803` where the ".info" and ".comment" attributes of "Table" would be lost inside of the :class:`.DropTableOp` class, which when "reversed" into a :class:`.CreateTableOp` would then have lost these elements. Pull request courtesy Nicolas CANIART. * Enhance "version_locations" parsing to handle paths containing spaces. 
The new configuration option "version_path_separator" specifies the character to use when splitting the "version_locations" string. The default for new configurations is "version_path_separator = os", which will use "os.pathsep" (e.g., ";" on Windows). * Alembic 1.7 now supports Python 3.6 and above; support for prior versions including Python 2.7 has been dropped. * Batch "auto" mode will now select for "recreate" if the "add_column()" operation is used on SQLite, and the column itself meets the criteria for SQLite where ADD COLUMN is not allowed, in this case a functional or parenthesized SQL expression or a "Computed" (i.e. generated) column. * Make the "python-dateutil" library an optional dependency. This library is only required if the "timezone" option is used in the Alembic configuration. An extra require named "tz" is available with "pip install alembic[tz]" to install it. * Re-implemented the "python-editor" dependency as a small internal function to avoid the need for external dependencies. * Named CHECK constraints are now supported by batch mode, and will automatically be part of the recreated table assuming they are named. They also can be explicitly dropped using "op.drop_constraint()". For "unnamed" CHECK constraints, these are still skipped as they cannot be distinguished from the CHECK constraints that are generated by the "Boolean" and "Enum" datatypes. Note that this change may require adjustments to migrations that drop or rename columns which feature an associated named check constraint, such that an additional "op.drop_constraint()" directive should be added for that named constraint as there will no longer be an associated column for it; for the "Boolean" and "Enum" datatypes, an "existing_type" keyword may be passed to "BatchOperations.drop_constraint" as well. * The dependency on "pkg_resources" which is part of "setuptools" has been removed, so there is no longer any runtime dependency on "setuptools". 
The functionality has been replaced with "importlib.metadata" and "importlib.resources" which are both part of Python std.lib, or via pypy dependency "importlib-metadata" for Python version < 3.8 and "importlib-resources" for Python version < 3.9 (while importlib.resources was added to Python in 3.7, it did not include the "files" API until 3.9). * Created a "test suite" similar to the one for SQLAlchemy, allowing developers of third-party dialects to test their code against a set of Alembic tests that have been specially selected to exercise back-end database operations. At the time of release, third-party dialects that have adopted the Alembic test suite to verify compatibility include `CockroachDB <https://pypi.org/project/sqlalchemy-cockroachdb/>`_ and `SAP ASE (Sybase) <https://pypi.org/project/sqlalchemy-sybase/>`_. * Fixed issue where usage of the PostgreSQL "postgresql_include" option within a :meth:`.Operations.create_index` would raise a KeyError, as the additional column(s) need to be added to the table object used by the construct internally. The issue is equivalent to the SQL Server issue fixed in :ticket:`513`. Pull request courtesy Steven Bronson. * pep-484 type annotations have been added throughout the library. Additionally, stub .pyi files have been added for the "dynamically" generated Alembic modules "alembic.op" and "alembic.config", which include complete function signatures and docstrings, so that the functions in these namespaces will have both IDE support (vscode, pycharm, etc) as well as support for typing tools like Mypy. The files themselves are statically generated from their source functions within the source tree. ==== python-apipkg ==== Version update (1.5 -> 2.1.0) - Update to v2.1.0 * fix race condition for import of modules using apipkg.initpkg in Python 3.3+ by updating existing modules in-place rather than replacing in sys.modules with an apipkg.ApiModule instance. 
This race condition exists for import statements (and __import__) in Python 3.3+ where sys.modules is checked before obtaining an import lock, and for importlib.import_module in Python 3.11+ for the same reason. - Release 2.0.1 * fix race conditions for attribute creation - Release 2.0.0 * also transfer __spec__ attribute * make py.test hack more specific to avoid hiding real errors * switch from Travis CI to GitHub Actions * modernize package build * reformat code with black - Drop pytest4.patch ==== python-distro ==== - Explicit setting of locale is not necessary anymore (gh#python-distro/distro#223). ==== python-greenlet ==== Version update (1.1.0 -> 1.1.2) - update to 1.1.2: - Fix a potential crash due to a reference counting error when Python subclasses of ``greenlet.greenlet`` were deallocated. The crash became more common on Python 3.10; on earlier versions, silent memory corruption could result. - Fix a leak of a list object when the last reference to a greenlet was deleted from some other thread than the one to which it belonged. For this to work correctly, you must call a greenlet API like ``getcurrent()`` before the thread owning the greenlet exits: this is a long-standing limitation that can also lead to the leak of a thread's main greenlet if not called; we hope to lift this limitation. Note that in some cases this may also fix leaks of greenlet objects themselves. See issue 251. - Python 3.10: Tracing or profiling into a spawned greenlet didn't work as expected. 
See issue 256. ==== python-idna ==== Version update (3.2 -> 3.3) - update to 3.3: - Update to Unicode 14.0.0 - Update to in-line type annotations - Throw IDNAError exception correctly for some malformed input - Advertise support for Python 3.10 - Improve testing regime on Github - Fix Russian typo in documentation ==== python-more-itertools ==== Version update (8.8.0 -> 8.10.0) - update to 8.10.0: * The type stub for :func:`iter_except` was improved (thanks to MarcinKonowalczyk) * Type stubs now ship with the source release (thanks to saaketp) * The Sphinx docs were improved (thanks to MarcinKonowalczyk) * New functions * :func:`interleave_evenly` (thanks to mbugert) * :func:`repeat_each` (thanks to FinalSh4re) * :func:`chunked_even` (thanks to valtron) * :func:`map_if` (thanks to sassbalint) * :func:`zip_broadcast` (thanks to kalekundert) * Changes to existing functions * The type stub for :func:`chunked` was improved (thanks to PhilMacKay) * The type stubs for :func:`zip_equal` and `zip_offset` were improved (thanks to maffoo) * Building Sphinx docs locally was improved (thanks to MarcinKonowalczyk) ==== python-networkx ==== Version update (2.6.1 -> 2.6.3) - update to 2.6.3: * Fix modularity functions (gh#networkx/networkx#5072) * CI/MAINT: drop gdal tests (gh#networkx/networkx#5068) * modularity_max: provide labels to get_edge_data (gh#networkx/networkx#4965) * Improvements to greedy_modularity_community (gh#networkx/networkx#4996) * use weight arg instead of 'weight' key at greedy_modularity_communities() * modularity_max: breaking the loop when given community size is reached (gh#networkx/networkx#4950) * modularity_max: allow input of desired number of communities * greedy_modularity_communities with digraphs and multi(di)graphs (gh#networkx/networkx#5007) * Allow greedy_modularity_communities to use floating point weights or resolution (gh#networkx/networkx#5065) * change i,j,k notation to u,v,w (no indexes since 
    gh#networkx/networkx#5007)

==== python-pyrsistent ====
Version update (0.17.3 -> 0.18.0)

- update to 0.18.0:
  * Fix #209 Update freeze recurse into pyrsistent data structures and thaw to recurse into lists and dicts
  * Fix #226, stop using deprecated exception.message.
  * Fix #211, add union operator to persistent maps.
  * Fix #194, declare build dependencies through pyproject.toml.
  * Officially drop Python 3.5 support.
  * Fix #223, release wheels for all major platforms.
  * Fix #221, KeyError obscured by TypeError if key is a tuple.
  * Fix LICENSE file name spelling.
  * Fix #216, add abstractmethod decorator for CheckedType and ABCMeta for _CheckedTypeMeta.
  * Fix #228, rename example classes in tests to avoid name clashes with pytest.

==== python-pytz ====
Version update (2021.1 -> 2021.3)

- update to 2021.3
  * matches tzdata 2021c

==== python-zipp ====
Version update (3.5.0 -> 3.6.0)

- update to 3.6.0:
  * Only ``Path`` is exposed in the public API.
  * Remove news file intended only for CPython.

==== qemu ====

- Stable fixes from upstream
  * Patches added:
    block-introduce-max_hw_iov-for-use-in-sc.patch
    hmp-Unbreak-change-vnc.patch
    qemu-nbd-Change-default-cache-mode-to-wr.patch
    target-arm-Don-t-skip-M-profile-reset-en.patch
    vhost-vsock-fix-migration-issue-when-seq.patch
    virtio-mem-pci-Fix-memory-leak-when-crea.patch
    virtio-net-fix-use-after-unmap-free-for-.patch

==== raspberrypi-firmware ====
Version update (2021.03.10 -> 2021.09.30)

- Update to b5257da58c (2021-09-30):
  * firmware: arm_loader: Allow non-optional reads of current clock
    See: #1619
  * firmware: dispmanx: Demote null eptr from vcos_verify to no warning
    See: raspberrypi/linux#4592
  * firmware: filesystem: sdcard: Probe FAT type in GPT ESD partitions
  * firmware: tvservice: Add check to warn when running with kms
  * firmware: filesystem: sdcard: Fix Hybrid GPT partitions
    See: #1465
  * firmware: video_decode: Ensure all buffers are flushed before port disable completes
  * firmware: arm_loader: Allow hvs interrupt during
    SET_NOTIFY_DISPLAY_DONE
  * firmware: arm_display: Allow null buffer in successful call
    See: raspberrypi/linux#4540
- Update to b80f36b3fb (2021-09-13):
  * firmware: hdmi_2711: Use HDMI block REPEAT_PIXEL instead of PV
    See: https://forum.libreelec.tv/thread/24415-le-10-beta-for-i4-force-hdmi-resolut...
  * firmware: DSI display autodetection for kms
  * firmware: arm_dt: Load overlays for detected cameras
  * firmware: Make more use of the user-warnings DT property
  * firmware: arm_loader: Consider required flags from GET_CLOCK_RATE
    See: #1598
  * firmware: arm_loader: Make most arm clock requests required
    See: #1598
  * firmware: firmware: Disable VLL loading from file system
    See: #1605
  * firmware: video_decode: Use the ISP instead of vc_image_convert
  * firmware: video_decode: Correct support for YVU formats using ISP
  * firmware: arm_dt: Limit CMA to 256MB if total_mem < 2GB or gpu_mem > 256MB
    See: #1603
  * firmware: hdmi_cec: Remove TX/RX SW_INIT on power_on
    See: Hexxeh/rpi-firmware#267
    See: https://www.raspberrypi.org/forums/viewtopic.php?p=1895082#p1895082
  * firmware: cec: Avoid sending messages with kms
    See: raspberrypi/linux#4460
  * firmware: Revert: video_decode: Use the ISP instead of vc_image_convert
  * firmware: isp: Set the YUV420/YVU420 format stride to 64 byte
  * arm_loader: Add message to release firmware framebuffer
  * firmware: video_decode: Use the ISP instead of vc_image_convert
  * firmware: hdmi-2711: Wait for HDMI hardware scheduler to activate in HDMI mode
  * firmware: bcm_host: Recognise all Pi 4 variants, add BCM2711
    See: raspberrypi/userland#695
  * firmware: PoE+ HAT support
    See: raspberrypi/linux#4367
  * firmware: arm_loader: Use Pi4 bootloader MAC_ADDRESS if set
  * firmware: platform: Apply ARM thermal throttling rules on BCM2711
  * firmware: dt-blob.dts: Correct HDMI HPD and EMMC_ENABLE for CM4
    See: https://www.raspberrypi.org/forums/viewtopic.php?f=29&p=1858516
  * firmware: vcfw/hdmi: CUSTOM modes used for FKMS didn't set RGB quant range correctly
    See: #1580
  * firmware: platform: Remove build-time constant for MICROVOLTS_PER_PIP
  * firmware: Pi400: Reduce MII clock freq when probing ethernet PHY
  * firmware: isp: Ensure the VRF is locked when setting up video colour denoise
    See: raspberrypi/libcamera-apps#19
  * firmware: isp: Remove custom EV mappings from camera tunings
  * firmware: Add support for board-type=0xXX conditional filters in bootloader, bootcode and firmware
  * firmware: Two UART1 patches
    See: #1566
  * firmware: arm_loader: kernel_old=1 should force kernel_address=0
    See: #1561
  * firmware: scalerlib: Fix offset applied to x coordinate of YUV10COL image
    See: https://forum.kodi.tv/showthread.php?tid=361164&pid=3024654#pid3024654
  * firmware: vcfw/power: Add a new latch for power_pad_control
    See: #1552
  * firmware: board-info: Fix memsize on 3B+
  * firmware: Move core to PLLA and support accurate clk108
    See: xbmc/xbmc#19263
  * firmware: board_info: Separate memory size from OTP field encoding
  * firmware: power: Swap DA9090 ADC assignments to match XR77004
  * firmware: vl805: Remove redundant log statement and fix warning
  * firmware: power: Fix DA9090 ADC1 register definition
  * firmware: arm_loader: Only report clocks arm has set, not siblings
  * firmware: arm_loader: Don't report clocks set as turbo side effect of arm clock
  * firmware: arm_loader: 2711: gpu clocks are not dependant
  * firmware: platform: Need to clear cached versions of get_max_clock_internal vars
  * firmware: video_decode: For VC1/WMV with no signalled header bytes, use start of 1st buffer
    See: raspberrypi/linux#4113
- Use smbios overlay to get minimal SMBIOS information through dmidecode (bsc#1183079)

==== raspberrypi-firmware-config ====
Version update (2021.03.10 -> 2021.09.30)

- Update to b5257da58c (2021-09-30):
  * firmware: arm_loader: Allow non-optional reads of current clock
    See: #1619
  * firmware: dispmanx: Demote null eptr from vcos_verify to no warning
    See: raspberrypi/linux#4592
  * firmware: filesystem: sdcard: Probe FAT type in GPT ESD partitions
  * firmware: tvservice: Add check to warn when running with kms
  * firmware: filesystem: sdcard: Fix Hybrid GPT partitions
    See: #1465
  * firmware: video_decode: Ensure all buffers are flushed before port disable completes
  * firmware: arm_loader: Allow hvs interrupt during SET_NOTIFY_DISPLAY_DONE
  * firmware: arm_display: Allow null buffer in successful call
    See: raspberrypi/linux#4540
- Update to b80f36b3fb (2021-09-13):
  * firmware: hdmi_2711: Use HDMI block REPEAT_PIXEL instead of PV
    See: https://forum.libreelec.tv/thread/24415-le-10-beta-for-i4-force-hdmi-resolut...
  * firmware: DSI display autodetection for kms
  * firmware: arm_dt: Load overlays for detected cameras
  * firmware: Make more use of the user-warnings DT property
  * firmware: arm_loader: Consider required flags from GET_CLOCK_RATE
    See: #1598
  * firmware: arm_loader: Make most arm clock requests required
    See: #1598
  * firmware: firmware: Disable VLL loading from file system
    See: #1605
  * firmware: video_decode: Use the ISP instead of vc_image_convert
  * firmware: video_decode: Correct support for YVU formats using ISP
  * firmware: arm_dt: Limit CMA to 256MB if total_mem < 2GB or gpu_mem > 256MB
    See: #1603
  * firmware: hdmi_cec: Remove TX/RX SW_INIT on power_on
    See: Hexxeh/rpi-firmware#267
    See: https://www.raspberrypi.org/forums/viewtopic.php?p=1895082#p1895082
  * firmware: cec: Avoid sending messages with kms
    See: raspberrypi/linux#4460
  * firmware: Revert: video_decode: Use the ISP instead of vc_image_convert
  * firmware: isp: Set the YUV420/YVU420 format stride to 64 byte
  * arm_loader: Add message to release firmware framebuffer
  * firmware: video_decode: Use the ISP instead of vc_image_convert
  * firmware: hdmi-2711: Wait for HDMI hardware scheduler to activate in HDMI mode
  * firmware: bcm_host: Recognise all Pi 4 variants, add BCM2711
    See: raspberrypi/userland#695
  * firmware: PoE+ HAT support
    See: raspberrypi/linux#4367
  * firmware: arm_loader: Use Pi4 bootloader MAC_ADDRESS if set
  * firmware: platform: Apply ARM
    thermal throttling rules on BCM2711
  * firmware: dt-blob.dts: Correct HDMI HPD and EMMC_ENABLE for CM4
    See: https://www.raspberrypi.org/forums/viewtopic.php?f=29&p=1858516
  * firmware: vcfw/hdmi: CUSTOM modes used for FKMS didn't set RGB quant range correctly
    See: #1580
  * firmware: platform: Remove build-time constant for MICROVOLTS_PER_PIP
  * firmware: Pi400: Reduce MII clock freq when probing ethernet PHY
  * firmware: isp: Ensure the VRF is locked when setting up video colour denoise
    See: raspberrypi/libcamera-apps#19
  * firmware: isp: Remove custom EV mappings from camera tunings
  * firmware: Add support for board-type=0xXX conditional filters in bootloader, bootcode and firmware
  * firmware: Two UART1 patches
    See: #1566
  * firmware: arm_loader: kernel_old=1 should force kernel_address=0
    See: #1561
  * firmware: scalerlib: Fix offset applied to x coordinate of YUV10COL image
    See: https://forum.kodi.tv/showthread.php?tid=361164&pid=3024654#pid3024654
  * firmware: vcfw/power: Add a new latch for power_pad_control
    See: #1552
  * firmware: board-info: Fix memsize on 3B+
  * firmware: Move core to PLLA and support accurate clk108
    See: xbmc/xbmc#19263
  * firmware: board_info: Separate memory size from OTP field encoding
  * firmware: power: Swap DA9090 ADC assignments to match XR77004
  * firmware: vl805: Remove redundant log statement and fix warning
  * firmware: power: Fix DA9090 ADC1 register definition
  * firmware: arm_loader: Only report clocks arm has set, not siblings
  * firmware: arm_loader: Don't report clocks set as turbo side effect of arm clock
  * firmware: arm_loader: 2711: gpu clocks are not dependant
  * firmware: platform: Need to clear cached versions of get_max_clock_internal vars
  * firmware: video_decode: For VC1/WMV with no signalled header bytes, use start of 1st buffer
    See: raspberrypi/linux#4113

==== raspberrypi-firmware-dt ====
Version update (2021.03.15 -> 2021.09.17)

- Update to 2425833c7ff5 (2021-09-17)
  * Switch to 5.14 branch
  * Drop upstream-overlay-rpi-poe.patch
==== rbac-lookup ====
Version update (0.6.4 -> 0.7.1)

- Update to version 0.7.1:
  * Mac M1 Support
  * Update documentation from template
  * Update README.md

==== rdma-core ====
Version update (36.0 -> 37.1)
Subpackages: libefa1 libibverbs libibverbs1 libmlx4-1 libmlx5-1 librdmacm1

- Update to rdma-core v37.1 (jsc#SLE-18381, jsc#SLE-19249)
- Bugfixes on all providers
- Fix cmake flags to correct paths for .pc files

==== salt ====
Subpackages: python3-salt salt-master salt-minion salt-standalone-formulas-configuration salt-transactional-update

- Fix issues with salt-ssh's extra-filerefs
- Added:
  * fix-issues-with-salt-ssh-s-extra-filerefs.patch
- Fix crash when calling manage.not_alive runners
- Added:
  * fix-crash-when-calling-manage.not_alive-runners.patch
- Do not consider skipped targets as failed for ansible.playbooks state (bsc#1190446)
- Added:
  * 3003.3-do-not-consider-skipped-targets-as-failed-for.patch

==== systemd ====
Version update (249.4 -> 249.5)
Subpackages: libsystemd0 libudev1 systemd-sysvinit udev

- Import commit 8521f8d22fd44400289fcea03493ebd7f8b1487d (merge of v249.5)
  For a complete list of changes, visit:
  https://github.com/openSUSE/systemd/compare/355e113ce193e5e2d195278c57d47f9a...
- Import commit 355e113ce193e5e2d195278c57d47f9a1b00ae46
  3b4a005095 meson: add missing include directory when using xkbcommon
  4c4e642712 meson: allow extra net naming schemes to be defined during configuration (jsc#SLE-18514)
  78466e4464 meson: drop the list of valid net naming schemes
  b9a2098f9d netif-naming: inline one iterator variable
  d7fbbc5e74 Add remaining supported schemes as options for default-net-naming-scheme
- Rename %{gnu-efi} into %{sd_boot}
  Build conditionals (%bcond_with and %bcond_without) are used to define a specific feature of systemd. "gnu-efi" is rather an implementation detail. Also not really sure what "efi" option alone is useful for since systemd-boot & co depends on "gnu-efi".
- Enable sd_boot support for aarch64
- Ghost own directories /var/log/journal and /var/log/journal/remote again
  rpmlint no longer complains about the setgid bit, see sr#923496.
- Overwriting rootprefix= is only required when split-usr is enabled
- Rename %usrmerged into %split_usr
- Suppress PAM warning when the credentials for user@.service service are established (bsc#1190515)
  systemd-user PAM service needs to define a default implementation of pam_setcred() otherwise the fallback (defined by /etc/pam.d/other) is used, which consists of pam_warn.so + pam_deny.so, and will throw a warning each time a user logs in.
- No need to install upstream pam configuration file "systemd-user"
  It's overwritten by the SUSE version anyway.

==== systemd-presets-common-SUSE ====

- Haveged as a daemon is no longer required since kernel 5.6; do not enable by default.

==== timezone ====
Version update (2021c -> 2021d)

- timezone update 2021d:
  * Fiji suspends DST for the 2021/2022 season
  * 'zic -r' marks unspecified timestamps with "-00"

==== tpm2.0-tools ====
Version update (5.1.1 -> 5.2)

- Update to version 5.2:
  + tpm2_nvextend:
    * Added option -n, --name to specify the name of the nvindex in hex bytes. This is used when cpHash ought to be calculated without dispatching the TPM2_NV_Extend command to the TPM.
  + tpm2_nvread:
    * Added option --rphash=FILE to specify file path to record the hash of the response parameters. This is commonly termed as rpHash.
    * Added option -n, --name to specify the name of the nvindex in hex bytes. This is used when cpHash ought to be calculated without dispatching the TPM2_NVRead command to the TPM.
    * Added option -S, --session to specify an auxiliary session for auditing and or encryption/decryption of the parameters.
  + tpm2_nvsetbits:
    * Added option --rphash=FILE to specify file path to record the hash of the response parameters. This is commonly termed as rpHash.
    * Added option -S, --session to specify an auxiliary session for auditing and or encryption/decryption of the parameters.
    * Added option -n, --name to specify the name of the nvindex in hex bytes. This is used when cpHash ought to be calculated without dispatching the TPM2_NV_SetBits command to the TPM.
  + tpm2_createprimary:
    * Support public-key output at creation time in various public-key formats.
  + tpm2_create:
    * Support public-key output at creation time in various public-key formats.
  + tpm2_print:
    * Support outputting public key in various public key formats over the default YAML output. Supports taking -u output from tpm2_create and converting it to a PEM or DER file format.
  + tpm2_import:
    * Add support for importing keys with sealed-data-blobs.
  + tpm2_rsaencrypt, tpm2_rsadecrypt:
    * Add support for specifying the hash algorithm with oaep.
  + tpm2_pcrread, tpm2_quote:
    * Add option -F, --pcrs_format to specify PCR format selection for the binary blob in the PCR output file. 'values' will output a binary blob of the PCR values. 'serialized' will output a binary blob of the PCR values in the form of serialized data structure in little endian format.
  + tpm2_eventlog:
    * Add support for decoding StartupLocality.
    * Add support for printing the partition information.
    * Add support for reading eventlogs longer than 64kb including from /sys/kernel/security/tpm0/binary_bios-measurements.
  + tpm2_duplicate:
    * Add option -L, --policy to specify an authorization policy to be associated with the duplicated object.
    * Added support for external key duplication without needing the TCTI.
  + tools:
    * Enhance error message on invalid passwords when sessions cannot be used.
  + lib/tpm2_options:
    * Add option to specify fake tcti which is required in cases where sapi ctx is required to be initialized for retrieving command parameters without invoking the tcti to talk to the TPM.
  + openssl:
    * Dropped support for OpenSSL < 1.1.0
    * Add support for OpenSSL 3.0.0
  + Support added to make the repository documentation and man pages available live on readthedocs.
  + Bug-fixes:
    * tpm2_import: Don't allow setting passwords for imported object with -p option as the tool doesn't modify the TPM2B_SENSITIVE structure. Added appropriate logging to indicate using tpm2_changeauth after import.
    * lib/tpm2_util.c: The function to calculate pHash algorithm returned error when input session is a password session and the only session in the command.
    * lib/tpm2_alg_util.c: Fix an error where oaep was parsed under ECC.
    * tpm2_sign: Fix segfaults when tool does not find TPM resources (TPM or RM).
    * tpm2_makecredential: Fix an issue where reading input from stdin could result in unsupported data size larger than the largest digest size.
    * tpm2_loadexternal: Fix an issue where restricted attribute could not be set.
    * lib/tpm2_nv_util.h: The NV index size is dependent on different data sets read from the GetCapability structures because there is a dependency on the NV operation type: Define vs Read vs Write vs Extend. Fix a sane default in the case where GetCapability fails or fails to report the specific property/ data set. This is especially true because some properties are TPM implementation dependent.
    * tpm2_createpolicy: Fix an issue where tool exited silently without reporting an error if wrong pcr string is specified.
    * lib/tpm2_alg_util: add error message on public init to prevent tools from dying silently, add an error message.
    * tpm2_import: fix an issue where an imported hmac object scheme was NULL. While allowed, it was inconsistent with other tools like tpm2_create which set the scheme as hmac->sha256 when generating a keyedhash object.
- Drop patches already in upstream:
  + 0001-tpm2_checkquote-fix-uninitialized-variable.patch
  + 0001-tpm2_eventlog-fix-buffer-offset-when-reading-the-eve.patch
  + 0001-tpm2_eventlog-read-eventlog-file-in-chunks.patch

==== wireless-regdb ====
Version update (20210421 -> 20210828)

- Update to version 20210828:
  * wireless-regdb: update regulatory database based on preceding changes
  * Update regulatory rules for Ecuador (EC)
  * wireless-regdb: Update regulatory rules for Norway (NO) on 6 and 60 GHz
  * wireless-regdb: Update regulatory rules for Germany (DE) on 6GHz
  * wireless-regdb: update regulatory database based on preceding changes
  * wireless-regdb: reduce bandwidth for 5730-5850 and 5850-5895 MHz in US
  * wireless-regdb: remove PTMP-ONLY from 5850-5895 MHz for US
  * wireless-regdb: recent FCC report and order allows 5850-5895 immediately
  * wireless-regdb: update 5725-5850 MHz rule for GB

==== xfsprogs ====

- move fsck.xfs, mkfs.xfs and xfs_repair from /sbin to /usr/sbin (bsc#1191105)
  The default rpmbuild %configure macro passes --sbindir=/usr/sbin to every configure script, but the xfsprogs configure script ignores it when --exec-prefix is also set. Unset --exec-prefix since it is not really required (all other paths are explicitly passed via the rpm configure macro), so that the --sbindir is respected.

==== xkeyboard-config ====
Version update (2.33 -> 2.34)

- update to version 2.34
  * xml2lst: use dynamic Perl path
  * Resolved 101key Old Hungarian II
  * Old turkish f layout (with pc104 support) added.
  * Fix wrong key symbol name
  * Added International Phonetic Alphabet (QWERTY)
  * gitlab CI: update to latest ci-templates
  * Hellenic keyboard perfected.
  * lt: Place sterling symbol on AD03, layer 4 (with E and euro)
  * Use single guillemots on L4 (not less/greater) where L3 has guillemots
  * Added English (Dvorak, Macintosh) based on the MacOS dvorak layout
  * Accommodate uppercase/lowercase ß, long s, §; deduplicate ?
  * Move left/right quotes one key to the right, place lower quotes on AB04
  * Update symbols/it adding credits and reference for fur lang
  * lt/us: Inherit AE09/AE10 from latin
  * Add Russian GOST layouts
  * Add Polish(lefty) layout
  * Add Arabic(Ergoarabic) keyboard layout
  * translation sync
  * Hebrew translation added

==== yomi-formula ====

- Ignore libudev1 dependency for Enterprise Linux.

==== zypper ====
Version update (1.14.49 -> 1.14.50)
Subpackages: zypper-needs-restarting

- Fix compiler warning.
- zypper.conf: New option whether to collect subcommands found in $PATH (fixes #379)
  +[subcommand] i + +## Whether to look for subcommands in $PATH +## +## If a subcommand is not found in the zypper_execdir, the wrapper +## will look in the rest of your $PATH for it. Thus, it's possible +## to write local zypper extensions that don't live in system space. +## See section SUBCOMMANDS in the zypper manpage. +## +## Valid values: boolean +## Default value: yes +## +# seachSubcommandInPath = yes.
- help subcommand: show path of command found in $PATH.
- version 1.14.50
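Review bot: in the added [subcommand] block for zypper.conf, the commented default on the last added line is spelled `seachSubcommandInPath`, which reads like a typo for `searchSubcommandInPath`; confirm which spelling the config parser actually reads and make the sample match it, since an administrator who uncomments the line and corrects the name by hand would otherwise be setting a different key from the one documented. The section header line also carries a stray `i` after `[subcommand]`, and the default line ends in `yes.` with a trailing period, both of which would be copied into a config file as written. Because the comment says the wrapper "will look in the rest of your $PATH" and the default is `yes`, the block should also say how to set the option to `no`, which is what a host whose $PATH contains user-writable directories would want when zypper is run with elevated privileges.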