Please note that this mail was generated by a script. The described changes are computed based on the x86_64 DVD. The full online repo contains too many changes to be listed here. Please check the known defects of this snapshot before upgrading: https://openqa.opensuse.org/tests/overview?distri=kubic&groupid=1&version=Tumbleweed&build=20211001 https://bugzilla.opensuse.org/buglist.cgi?product=openSUSE%20Tumbleweed&component=Kubic&query_format=advanced&resolution=--- Please do not reply to this email to report issues, rather file a bug on bugzilla.opensuse.org. For more information on filing bugs please see https://en.opensuse.org/openSUSE:Submitting_bug_reports Packages changed: audit (3.0.3 -> 3.0.5) audit-secondary (3.0.3 -> 3.0.5) crypto-policies (20210225.05203d2 -> 20210917.c9d86d1) diffutils mozjs78 (78.13.0 -> 78.14.0) openSUSE-build-key salt (3002.2 -> 3003.3) selinux-policy === Details === ==== audit ==== Version update (3.0.3 -> 3.0.5) Subpackages: libaudit1 libauparse0 - Update to version 3.0.5: * In auditd, flush uid/gid caches when user/group added/deleted/modified * Fixed various issues when dealing with corrupted logs * In auditd, check if log_file is valid before closing handle - Include fixed from 3.0.4: * Apply performance speedups to auparse library * Optimize rule loading in auditctl * Fix an auparse memory leak caused by glibc-2.33 by replacing realpath * Update syscall table to the 5.14 kernel * Fixed various issues when dealing with corrupted logs ==== audit-secondary ==== Version update (3.0.3 -> 3.0.5) Subpackages: audit python3-audit system-group-audit - Fix hardened auditd.service (bsc#1181400) * add fix-hardened-service.patch Make /etc/audit read-write from the service. Remove PrivateDevices=true to expose /dev/* to auditd.service. - Enable stop rules for audit.service (cf. bsc#1190227) * add enable-stop-rules.patch - Change default log_format from ENRICHED to RAW (bsc#1190500): * add change-default-log_format.patch (SUSE-specific patch) - Update to version 3.0.5: * In auditd, flush uid/gid caches when user/group added/deleted/modified * Fixed various issues when dealing with corrupted logs * In auditd, check if log_file is valid before closing handle - Include fixed from 3.0.4: * Apply performance speedups to auparse library * Optimize rule loading in auditctl * Fix an auparse memory leak caused by glibc-2.33 by replacing realpath * Update syscall table to the 5.14 kernel * Fixed various issues when dealing with corrupted logs ==== crypto-policies ==== Version update (20210225.05203d2 -> 20210917.c9d86d1) - Remove the scripts and documentation regarding fips-finish-install and test-fips-setup * Add crypto-policies-FIPS.patch - Update to version 20210917.c9d86d1: * openssl: fix disabling ChaCha20 * pacify pylint 2.11: use format strings * pacify pylint 2.11: specify explicit encoding * fix minor things found by new pylint * update-crypto-policies: --check against regenerated * update-crypto-policies: fix --check's walking order * policygenerators/gnutls: revert disabling DTLS0.9... * policygenerators/java: add javasystem backend * LEGACY: bump 1023 key size to 1024 * cryptopolicies: fix 'and' in deprecation warnings * *ssh: condition ecdh-sha2-nistp384 on SECP384R1 * nss: hopefully the last fix for nss sigalgs check * cryptopolicies: Python 3.10 compatibility * nss: postponing check + testing at least something * Rename 'policy modules' to 'subpolicies' * validation.rules: fix a missing word in error * cryptopolicies: raise errors right after warnings * update-crypto-policies: capitalize warnings * cryptopolicies: syntax-precheck scope errors * .gitlab-ci.yml, Makefile: enable codespell * all: fix several typos * docs: don't leave zero TLS/DTLS protocols on * openssl: separate TLS/DTLS MinProtocol/MaxProtocol * alg_lists: order protocols new-to-old for consistency * alg_lists: max_{d,}tls_version * update-crypto-policies: fix pregenerated + local.d * openssh: allow validation with pre-8.5 * .gitlab-ci.yml: run commit-range against upstream * openssh: Use the new name for PubkeyAcceptedKeyTypes * sha1_in_dnssec: deprecate * .gitlab-ci.yml: test commit ranges * FIPS:OSPP: sign = -*-SHA2-224 * scoped policies: documentation update * scoped policies: use new features to the fullest... * scoped policies: rewrite + minimal policy changes * scoped policies: rewrite preparations * nss: postponing the version check again, to 3.64 - Remove patches fixed upstream: crypto-policies-typos.patch - Rebase: crypto-policies-test_supported_modules_only.patch - Merge crypto-policies-asciidoc.patch into crypto-policies-no-build-manpages.patch ==== diffutils ==== - Skip stack overflow tests under qemu emulation (bsc#1190046) ==== mozjs78 ==== Version update (78.13.0 -> 78.14.0) - Update to version 78.14.0esr. ==== openSUSE-build-key ==== - Only add openSUSE Backports key when building for a Leap system (sle_version > 0). Tumbleweed does not use Backports. ==== salt ==== Version update (3002.2 -> 3003.3) Subpackages: python3-salt salt-master salt-minion salt-standalone-formulas-configuration salt-transactional-update - Support querying for JSON data in external sql pillar - Added: * 3003.3-postgresql-json-support-in-pillar-423.patch - Update to Salt release version 3003.3 - See release notes: https://docs.saltstack.com/en/latest/topics/releases/3003.3.html - Added: * allow-vendor-change-option-with-zypper.patch * support-transactional-systems-microos.patch * virt-enhancements.patch - Modified: * adds-explicit-type-cast-for-port.patch * use-adler32-algorithm-to-compute-string-checksums.patch * do-not-load-pip-state-if-there-is-no-3rd-party-depen.patch * fixes-56144-to-enable-hotadd-profile-support.patch * include-aliases-in-the-fqdns-grains.patch * implementation-of-held-unheld-functions-for-state-pk.patch * add-alibaba-cloud-linux-2-by-backporting-upstream-s-.patch * debian-info_installed-compatibility-50453.patch * fix-wrong-test_mod_del_repo_multiline_values-test-af.patch * update-target-fix-for-salt-ssh-to-process-targets-li.patch * x509-fixes-111.patch * prevent-logging-deadlock-on-salt-api-subprocesses-bs.patch * restore-default-behaviour-of-pkg-list-return.patch * adding-preliminary-support-for-rocky.-59682-391.patch * add-astra-linux-common-edition-to-the-os-family-list.patch * templates-move-the-globals-up-to-the-environment-jin.patch * fix-bsc-1065792.patch * add-migrated-state-and-gpg-key-management-functions-.patch * zypperpkg-ignore-retcode-104-for-search-bsc-1176697-.patch * improvements-on-ansiblegate-module-354.patch * add-custom-suse-capabilities-as-grains.patch * return-the-expected-powerpc-os-arch-bsc-1117995.patch * revert-fixing-a-use-case-when-multiple-inotify-beaco.patch * enhance-openscap-module-add-xccdf_eval-call-386.patch * implementation-of-suse_ip-execution-module-bsc-10999.patch * add-missing-aarch64-to-rpm-package-architectures-405.patch * async-batch-implementation.patch * temporary-fix-extend-the-whitelist-of-allowed-comman.patch * do-not-crash-when-unexpected-cmd-output-at-listing-p.patch * figure-out-python-interpreter-to-use-inside-containe.patch * better-handling-of-bad-public-keys-from-minions-bsc-.patch * early-feature-support-config.patch * do-not-monkey-patch-yaml-bsc-1177474.patch - Removed: * fix-memory-leak-produced-by-batch-async-find_jobs-me.patch * fix-regression-on-cmd.run-when-passing-tuples-as-cmd.patch * fix-for-log-checking-in-x509-test.patch * do-not-make-ansiblegate-to-crash-on-python3-minions.patch * prevent-race-condition-on-sigterm-for-the-minion-bsc.patch * remove-msgpack-1.0.0-requirement-in-the-installed-me.patch * move-server_id-deprecation-warning-to-reduce-log-spa.patch * re-adding-function-to-test-for-root.patch * make-profiles-a-package.patch * handle-master-tops-data-when-states-are-applied-by-t.patch * fix-unit-tests-for-batch-async-after-refactor.patch * prevent-test_mod_del_repo_multiline_values-to-fail.patch * prevent-import-errors-when-running-test_btrfs-unit-t.patch * fix-failing-unit-tests-for-batch-async.patch * remove-unnecessary-yield-causing-badyielderror-bsc-1.patch * virt-use-dev-kvm-to-detect-kvm-383.patch * 3002.2-xen-spicevmc-dns-srv-records-backports-314.patch * add-docker-logout-237.patch * drop-wrong-mock-from-chroot-unit-test.patch * fix-async-batch-multiple-done-events.patch * fix-unit-test-for-grains-core.patch * remove-arch-from-name-when-pkg.list_pkgs-is-called-w.patch * pkgrepo-support-python-2.7-function-call-295.patch * opensuse-3000-virt-defined-states-222.patch * open-suse-3002.2-xen-grub-316.patch * add-patch-support-for-allow-vendor-change-option-wit.patch * fix-the-removed-six.itermitems-and-six.-_type-262.patch * fix-aptpkg-systemd-call-bsc-1143301.patch * add-almalinux-and-alibaba-cloud-linux-to-the-os-fami.patch * fix-cve-2020-25592-and-add-tests-bsc-1178319.patch * regression-fix-of-salt-ssh-on-processing-targets-353.patch * do-not-break-repo-files-with-multiple-line-values-on.patch * 3002-set-distro-requirement-to-oldest-supported-vers.patch * integration-of-msi-authentication-with-azurearm-clou.patch * zypperpkg-filter-patterns-that-start-with-dot-244.patch * fix-for-temp-folder-definition-in-loader-unit-test.patch * fix-novendorchange-option-284.patch * backport-virt-patches-from-3001-256.patch * allow-passing-kwargs-to-pkg.list_downloaded-bsc-1140.patch * path-replace-functools.wraps-with-six.wraps-bsc-1177.patch * virt-uefi-fix-backport-312.patch * add-all_versions-parameter-to-include-all-installed-.patch * add-pkg.services_need_restart-302.patch * add-batch_presence_ping_timeout-and-batch_presence_p.patch * allow-vendor-change-option-with-zypper-313.patch * avoid-traceback-when-http.query-request-cannot-be-pe.patch * changed-imports-to-vendored-tornado.patch * fix-issue-parsing-errors-in-ansiblegate-state-module.patch * sanitize-grains-loaded-from-roster_grains.json.patch * handle-volumes-on-stopped-pools-in-virt.vm_info-373.patch * add-multi-file-support-and-globbing-to-the-filetree-.patch * loosen-azure-sdk-dependencies-in-azurearm-cloud-driv.patch * backport-thread.is_alive-fix-390.patch * get-os_arch-also-without-rpm-package-installed.patch * python3.8-compatibility-pr-s-235.patch * fixed-bug-lvm-has-no-parttion-type.-the-scipt-later-.patch * ensure-virt.update-stop_on_reboot-is-updated-with-it.patch * xfs-do-not-fails-if-type-is-not-present.patch * grains-master-can-read-grains.patch * invalidate-file-list-cache-when-cache-file-modified-.patch * move-vendor-change-logic-to-zypper-class-355.patch * implement-network.fqdns-module-function-bsc-1134860-.patch * opensuse-3000.2-virt-backports-236-257.patch * prevent-ansiblegate-unit-tests-to-fail-on-ubuntu.patch * batch_async-avoid-using-fnmatch-to-match-event-217.patch * provide-the-missing-features-required-for-yomi-yet-o.patch * fix-__mount_device-wrapper-254.patch * fix-ipv6-scope-bsc-1108557.patch * fix-failing-unit-tests-for-systemd.patch * use-current-ioloop-for-the-localclient-instance-of-b.patch * revert-add-patch-support-for-allow-vendor-change-opt.patch * remove-deprecated-warning-that-breaks-miniion-execut.patch * prevent-systemd-run-description-issue-when-running-a.patch * fix-grains.test_core-unit-test-277.patch * prevent-command-injection-in-the-snapper-module-bsc-.patch * backport-of-upstream-pr59492-to-3002.2-404.patch * use-threadpool-from-multiprocessing.pool-to-avoid-le.patch * reintroducing-reverted-changes.patch * add-cpe_name-for-osversion-grain-parsing-u-49946.patch * add-hold-unhold-functions.patch * virt._get_domain-don-t-raise-an-exception-if-there-i.patch * fix-error-handling-in-openscap-module-bsc-1188647-40.patch * apply-patch-from-upstream-to-support-python-3.8.patch * remove-deprecated-usage-of-no_mock-and-no_mock_reaso.patch * add-supportconfig-module-for-remote-calls-and-saltss.patch * allow-extra_filerefs-as-sanitized-kwargs-for-ssh-cli.patch * fall-back-to-pymysql.patch * fixes-cve-2018-15750-cve-2018-15751.patch * do-not-crash-when-there-are-ipv6-established-connect.patch * improve-batch_async-to-release-consumed-memory-bsc-1.patch * support-config-non-root-permission-issues-fixes-u-50.patch * transactional_update-detect-recursion-in-the-executo.patch * open-suse-3002.2-virt-network-311.patch * option-to-en-disable-force-refresh-in-zypper-215.patch * do-noop-for-services-states-when-running-systemd-in-.patch * exclude-the-full-path-of-a-download-url-to-prevent-i.patch * fix-a-wrong-rebase-in-test_core.py-180.patch * add-new-custom-suse-capability-for-saltutil-state-mo.patch * opensuse-3000-libvirt-engine-fixes-251.patch * accumulated-changes-from-yomi-167.patch * fix-async-batch-race-conditions.patch * fix-onlyif-unless-when-multiple-conditions-bsc-11808.patch * loop-fix-variable-names-for-until_no_eval.patch * batch-async-catch-exceptions-and-safety-unregister-a.patch * grains.extra-support-old-non-intel-kernels-bsc-11806.patch * backport-a-few-virt-prs-272.patch * fix-git_pillar-merging-across-multiple-__env__-repos.patch * drop-wrong-virt-capabilities-code-after-rebasing-pat.patch * virt-adding-kernel-boot-parameters-to-libvirt-xml-55.patch * async-batch-implementation-fix-320.patch * support-for-btrfs-and-xfs-in-parted-and-mkfs.patch * support-transactional-systems-microos-271.patch * strip-trailing-from-repo.uri-when-comparing-repos-in.patch * opensuse-3000.3-spacewalk-runner-parse-command-250.patch * calculate-fqdns-in-parallel-to-avoid-blockings-bsc-1.patch * add-virt.all_capabilities.patch * ansiblegate-take-care-of-failed-skipped-and-unreacha.patch * virt-pass-emulator-when-getting-domain-capabilities-.patch * fixing-streamclosed-issue.patch * fix-for-some-cves-bsc1181550.patch * transactional_update-unify-with-chroot.call.patch * do-not-raise-streamclosederror-traceback-but-only-lo.patch * fix-batch_async-obsolete-test.patch * fix-zypper-pkg.list_pkgs-expectation-and-dpkg-mockin.patch * fix-zypper.list_pkgs-to-be-aligned-with-pkg-state.patch * accumulated-changes-required-for-yomi-165.patch * fix-virt.update-with-cpu-defined-263.patch * remove-vendored-backports-abc-from-requirements.patch * open-suse-3002.2-bigvm-310.patch * xen-disk-fixes-264.patch * virt.network_update-handle-missing-ipv4-netmask-attr.patch * add-saltssh-multi-version-support-across-python-inte.patch ==== selinux-policy ==== Subpackages: selinux-policy-targeted - Fix auditd service start with systemd hardening directives (boo#1190918) * add fix_auditd.patch