New Kubic snapshot 20220223 released!
Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.

Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=kubic&groupid=1&version=Tumbleweed&build=20220223
https://bugzilla.opensuse.org/buglist.cgi?product=openSUSE%20Tumbleweed&component=Kubic&query_format=advanced&resolution=---

Please do not reply to this email to report issues, rather file a bug
on bugzilla.opensuse.org. For more information on filing bugs please
see https://en.opensuse.org/openSUSE:Submitting_bug_reports

Packages changed:
  expat (2.4.4 -> 2.4.6)
  libnvme (1.0~3 -> 1.0~4)
  ncurses (6.3.20220129 -> 6.3.20220212)
  nvme-cli (2.0~3 -> 2.0~4)
  perl
  polkit
  python38
  python38-core
  systemd (249.9 -> 249.10)
  update-alternatives (1.20.9 -> 1.21.1)

=== Details ===

==== expat ====
Version update (2.4.4 -> 2.4.6)

- update to 2.4.6 (bsc#1196168, CVE-2022-25313):
  * Bug fixes:
    - Fix a regression introduced by the fix for CVE-2022-25313 in
      release 2.4.5 that affects applications that (1) call function
      XML_SetElementDeclHandler and (2) are parsing XML that contains
      nested element declarations
      (e.g. "<!ELEMENT junk ((bar|foo|xyz+), zebra*)>").
    - Version info bumped from 9:5:8 to 9:6:8;
      see https://verbump.de/ for what these numbers do.
- update to 2.4.5 (bsc#1196171, bsc#1196169, bsc#1196168, bsc#1196026, bsc#1196025):
  * Security fixes:
    - CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF-8
      sequences (e.g. from start tag names) to the XML processing
      application on top of Expat can cause arbitrary damage
      (e.g. code execution) depending on how invalid UTF-8 is handled
      inside the XML processor; validation was not their job but
      Expat's. Exploits with code execution are known to exist.
    - CVE-2022-25236 -- Passing (one or more) namespace separator
      characters in "xmlns[:prefix]" attribute values made Expat send
      malformed tag names to the XML processor on top of Expat which
      can cause arbitrary damage (e.g. code execution) depending on
      such unexpectable cases are handled inside the XML processor;
      validation was not their job but Expat's. Exploits with code
      execution are known to exist.
    - CVE-2022-25313 -- Fix stack exhaustion in doctype parsing that
      could be triggered by e.g. a 2 megabytes file with a large
      number of opening braces. Expected impact is denial of service
      or potentially arbitrary code execution.
    - CVE-2022-25314 -- Fix integer overflow in function copyString;
      only affects the encoding name parameter at parser creation
      time which is often hardcoded (rather than user input), takes
      a value in the gigabytes to trigger, and a 64-bit machine.
      Expected impact is denial of service.
    - CVE-2022-25315 -- Fix integer overflow in function
      storeRawNames; needs input in the gigabytes and a 64-bit
      machine. Expected impact is denial of service or potentially
      arbitrary code execution.
  * Other changes:
    - Version info bumped from 9:4:8 to 9:5:8;
      see https://verbump.de/ for what these numbers do

==== libnvme ====
Version update (1.0~3 -> 1.0~4)

- Update to version 1.0-rc4:
  * fabrics: add default port number for NVMe/TCP I/O controllers
  * linux: Update size when telemetry controller initiated data is unavailable
  * add cdw13 for set_feature_args structure
  * Add support for TP8010
  * Documentation cleanups

==== ncurses ====
Version update (6.3.20220129 -> 6.3.20220212)
Subpackages: libncurses6 ncurses-utils terminfo-base

- Add ncurses patch 20220212
  + improve font-formatting in other manpages, for consistency.
  + correct/improve font-formatting in curs_wgetch.3x (patch by Benno
    Schulenberg).
- Add ncurses patch 20220205
  + workaround in test/picsmap.c for use of floating point for rgb values
    by ImageMagick 6.9.11, which appears to use the wrong upper limit.
  + improve use of "trap" in shell scripts, using "fixup-trap".

==== nvme-cli ====
Version update (2.0~3 -> 2.0~4)

- Update to version 2.0-rc4:
  * netapp-nvme: free the nsdescs pointer after use
  * netapp-nvme: fix ontapdevices segfault in json output
  * nvme-print: fix 'nvme list -o json' segfault
  * nvme: get_ns_id command fails on nvme device
  * wdc: updated products list for telemetry (--type) argument
  * docs: fix typo in Data Set Management section
  * Fix ctrlist for attach-ns and detach-ns
  * netapp-nvme: fix nvme ns desc uuid handling for ontapdevices
  * wdc: Fix use-after-free access of cbs_data
  * Fixed regression with 'open namespace exclusive' (bsc#1195945)

==== perl ====

- Add multibuild flavor to split the testsuite out of the main
  package build time. The testsuite dominates the build time and
  having perl in the bootstrap cycle, we better separate it.
  The testsuite flavor rebuilds the same package the same way,
  but runs the check section

==== polkit ====
Subpackages: libpolkit-agent-1-0 libpolkit-gobject-1-0

- Fixed denial of service via file descriptor leak (bsc#1195542 CVE-2021-4115)
  0001-CVE-2021-4115-GHSL-2021-077-fix.patch

==== python38 ====

- Add patch support-expat-245.patch:
  * Support Expat >= 2.4.5

==== python38-core ====
Subpackages: libpython3_8-1_0 python38-base

- Add patch support-expat-245.patch:
  * Support Expat >= 2.4.5

==== systemd ====
Version update (249.9 -> 249.10)
Subpackages: libsystemd0 libudev1 udev

- Import commit 0bb1977021be2fc9ebfae10d766dff0b1a457f88 (merge of v249.10)
  For a complete list of changes, visit:
  https://github.com/openSUSE/systemd/compare/b9b83c5d11e686178ddd545862a00b33...
- Import commit b9b83c5d11e686178ddd545862a00b33c6fdfabb
  8973cb2462 systemd-coredump: allow setting external core size to infinity (bsc#1195899 jsc#SLE-23866)
- Fix build if %_distconfdir is not defined (see bsc#1195679)

==== update-alternatives ====
Version update (1.20.9 -> 1.21.1)

- rebase patches:
  * update-alternatives.changes
  * update-alternatives.spec
  * update-alternatives-suse.patch
- New upstream release 1.21.1

  dpkg (1.21.1) unstable; urgency=medium

  [ Guillem Jover ]
  * dpkg-buildpackage: Remove duplicate command print for dpkg-genchanges.
  * dpkg-buildpackage: Fix build description due to improper multiline match.
  * dpkg-realpath: Remove spurious heading space from --help output.
  * update-alternatives: When initializing admindir from DPKG_ADMINDIR
    append "/alternatives". Closes: #1001198
  * Code internals:
    - Remove <ar.h> inclusions.
  * Packaging:
    - Install deb-md5sums(5) into dpkg-dev package.

  dpkg (1.21.0) unstable; urgency=medium

  [ Guillem Jover ]
  * dpkg-genchanges: Include orig tarball on source package renames.
    Closes: #980066
  * scripts: Consider SHA-1 and RIPEMD-160 weak algorithms in OpenPGP
    signatures.
  * dpkg: During unpack print a removal message due to Conflicts.
    Closes: #985401
  * scripts: Add zsh completions for dpkg-parsechangelog.
    Thanks to Daniel Shahaf <danielsh@apache.org>. Closes: #986103
  * dpkg-buildpackage: When printing build type match the extension exactly.
    Closes: #989824
  * dpkg-maintscript-helper: Use xargs -I argument instead of deprecated -i.
  * dpkg-maintscript-helper: Quote variable inside ${} to avoid pattern match.
  * libdpkg: Fix dpkg_fsys_get_path() to always strip leading / and ./.
  * libdpkg: Set the default database directory relative to the system root.
  * dpkg-divert, dpkg-statoverride: Set admindir after instdir.
  * update-alternatives: Fix admindir setting.
    Prompted by Johannes Schauer Marin Rodrigues <josch@debian.org>.
  * dselect: Honor DPKG_ADMINDIR environment variable.
  * dpkg-query, dpkg-trigger, dselect: Add support for setting the root
    directory.
  * dpkg-fsys-usrunmess: Move forced reconfiguration to the last step.
    See #991190.
  * dpkg-fsys-usrunmess: Install a local policy-rc.d to ignore service
    restarts. Closes: #991190
  * dpkg-fsys-usrunmess: Do not fail when removing lingering directories.
  * dpkg-fsys-usrunmess: Generate a regression prevention package.
  * dpkg-fsys-usrunmess: Fix typo in debug message.
  * dpkg: Distinguish deconfiguration message for installation and
    multi-arch syncs.
  * dpkg-buildpackage: Add new --changes-file option.
    Prompted by Niels Thykier <niels@thykier.net>.
  * dpkg-buildpackage: Add new --buildinfo-file option.
  * dpkg: Rework --assert-<feature> logic to be more robust.
    Prompted by Helmut Grohne <helmut@subdivi.de>.
    Prompted by David Kalnischkies <donkult@debian.org>.
  * dpkg: Improve --assert-<feature> descriptions.
  * dpkg: Add a new --assert-help option.
  * scripts/mk: Pass DEB_BUILD_PATH to dpkg-buildflags. See #985553.
  * dpkg-db-backup: New program factored out from Debian-specific daily cron.
  * dpkg-db-backup: Accept an option to override the number of rotation
    cycles.
  * dpkg-db-backup: Honor the admindir set at configure time.
  * update-alternatives: Fix --auto and --set-selections output progress.
  * update-alternatives: Print defaults for configuration and database
    pathnames.
  * scripts: Replace shebang in dpkg-error shell library with shellcheck
    directive.
  * dpkg-buildpackage: Add support for terse DEB_BUILD_OPTIONS.
  * dpkg-mergechangelogs: Add new --merge-unreleased option. Closes: #582921
  * dpkg: Restore fallback to "new-prerm failed-upgrade" for downgrades.
    Analysis by Ian Jackson <ijackson@chiark.greenend.org.uk>.
    Closes: #996959
  * dselect: Use safe temporary file creation in methods setup.
  * dselect: Remove bashism from update script in multicd method.
  * dpkg: Fix --verify to handle missing or inaccessible pathnames.
    Closes: #963087
  * dpkg: Add partial --verify support for mode checks.
  * Use «digest» instead of «hash» in output messages.
    Reported by Sven Joachim <svenjoac@gmx.de>.
  * dselect: use `grep -E` instead of `egrep`.
    Thanks to Ville Skyttä <ville.skytta@iki.fi>. Closes: #999600
  * libdpkg: Fix memory leak on End Of Tape condition in tar parser.
  * dpkg: Fix short lived memory leak with --recursive.
  * dpkg: Fix conffile removal-on-upgrade handling. Closes: #995387
  * dpkg-deb: Fix conffile name length tracking on remove-on-upgrade parsing.
    Reported by uau on IRC.
  * Architecture support:
    - Clarify that the regex columns need to be ordered to match first.
    - Add support for ARCv2 CPU. Closes: #980963
      Based on a patch by Alexey Brodkin <Alexey.Brodkin@synopsys.com>.
  * Portability:
    - start-stop-daemon: Define SOCK_NONBLOCK to 0 if not defined.
    - libdpkg: Add support for AIX to dpkg_get_progname().
  * Perl modules:
    - Dpkg::Source::Quilt: Add hint to check missing files on patch apply
      failures. Reported by Joseph Nahmias <jello@debian.org>.
    - Dpkg::Changelog::Parse: Require format plugins to inherit from
      Dpkg::Changelog.
    - Dpkg::OpenPGP: Refactor openpgp implementation execution into a new
      function.
    - Dpkg::Vendor::Debian: Refactor compiler flag names into an array.
    - Dpkg::Vendor::Debian: Add new lto feature in new optimize area.
      Closes: #940571
    - Test::Dpkg: Print actual error messages in test_neutralize_checksums().
    - Dpkg::Deps: Use current_sub feature for __SUB__.
    - Dpkg::BuildFlags: Add support for ASFLAGS.
      See https://salsa.debian.org/debian/debhelper/-/merge_requests/50.
    - Dpkg::Compression: Use gzip --rsyncable unconditionally.
    - Dpkg::Changelog::Entry::Debian: Fix full month misuse warning.
    - Dpkg::Shlibs::Symbol: Emit a warning on fully qualified symver patterns.
      Closes: #993991
    - Dpkg::Control::HashCore: Add new keep_duplicate option.
    - Dpkg::Control::FieldsCore: Add new field_parse_binary_source().
      Closes: #980527
    - Dpkg::Control::FieldsCore: Fix types allowed for
      field_parse_binary_source().
      Reported by Johannes Schauer Marin Rodrigues <josch@debian.org>.
    - Dpkg::Shlibs::Objdump: Fix apply_relocations to work with versioned
      symbols. Closes: #1000421
    - Dpkg::Vendor::Ubuntu: Update Maintainer field logic to include
      "canonical".
      Based on a patch by William 'jawn-smith' Wilson
      <william.wilson@canonical.com>. Closes: #1000557
    - Dpkg::Source::Package::V2: Add hint about version matching source tree.
      Based on a patch by Samuel Henrique <samueloph@debian.org>.
      Closes: #996044
  * Documentation:
    - man: Itemize dpkg-gensymbols -c levels.
    - man: Add man page for deb-md5sums(5).
      Reported by Maxim Cournoyer (on IRC).
    - man: Switch the Architecture field in deb-control(5) to required.
      Reported by Maxim Cournoyer (on IRC).
    - man: Make clear that dpkg-query arguments accept multiple values.
      Prompted by Rémi Rampin <remirampin@gmail.com>. See #913781.
    - man: Document dpkg-query --search and --listfiles output formats.
    - doc: Fix incorrect use of "an" article.
    - doc: Update coding style to document POD instead of troff.
    - doc: Update THANKS file.
    - doc: Annotate current maintainer start year.
    - doc: Sort maintenance information chronologically.
    - man: Add versions since features were introduced.
    - man: Further clarify when re-inclusions of excluded pathnames happen.
      Closes: #871420
    - doc: Update Doxygen configuration from version 1.9.1.
    - doc: Improve description of dpkg suite.
      Prompted by Fabrice Bauzac-Stehly <noon@mykolab.com>.
    - man: Add a reference to where the Installed-Size algorithm is described.
    - man: Improve dpkg --verify-format rpm format documentation.
    - man: Document in deb-substvars(5) what ${} is good for.
      Prompted by Paul Wise <pabs@debian.org>.
    - man: Document in dpkg-architecture(1) target being useful for emulators
      too. Prompted by Helmut Grohne <helmut@subdivi.de>.
    - man: Document in dpkg-query(1) full --search and --listfiles output
      format.
      Prompted by Johannes Schauer Marin Rodrigues <josch@debian.org>.
  * Code internals:
    - Remove irrelevant or obsolete FIXME markers.
    - Turn FIXME markers denoting pending actions into TODO markers.
    - Turn FIXME markers giving historic information into simple Notes.
    - update-alternatives: Turn FIXME for explicit behavior choice into an XXX.
    - Use localtime_r() instead of localtime().
    - libdpkg: Remove MDEBUG support from m_malloc() implementation.
    - libdpkg: Mark dpkg_arch_unmark() arch_remove argument as const.
    - libdpkg: Mark treewalk_open() func argument as const.
    - dpkg: Mark ignore_depends() pkg argument as const.
    - dpkg: Mark deb_parse_conffiles() pkg argument as const.
    - libcompat: Remove local setexecfilecon() and require libselinux 2.3.
    - libdpkg: Add missing DPKG_{BEGIN,END}_DECLS in header files.
    - dpkg: Move SE Linux function declarations into its own header file.
    - dpkg: Move the command action enum to its own header file.
    - dpkg: Switch from including "main.h" to "force.h".
    - dselect: Rename dme() to display_menu_entry().
    - dpkg: Split function handling deconfiguration due to install and removal.
    - libdpkg: Add new ACTION_MUX macro for continued options.
    - dpkg: Refactor --assert-<feature> handling to be data driven.
    - dpkg-fsys-usrunmess: Do not use interpolated strings for literals.
    - dpkg-db-backup: Add a license header comment.
  * Build system:
    - Fallback to $^X and 'perl' if $Config{perlpath} is unset or empty.
    - Bump minimal Perl version to 5.28.1.
    - Remove redundant localedir and pkgconfdir initializations.
    - Check for libsocket.
    - Do not set have_libmd on the found branch in AC_SEARCH_LIBS.
    - Switch DPKG_FUNC_C99_SNPRINTF from AC_LANG_SOURCE to AC_LANG_PROGRAM.
    - Check whether fsync(3) works on directories.
    - Remove obsolete AC_HEADER_STDC.
    - Detect appropriate sed program at configure time.
    - Rename DPKG_DEB_PROG_TAR to DPKG_PROG_TAR.
    - Parametrize the backups directory with a configure option.
    - Add a check for symlinks in the git repository.
    - Rename shell scripts to .sh.
    - Switch from hardcoded /run to parametrized runstatedir.
    - Use new Dpkg::Control keep_duplicate option in gen-changelog.
    - Use title-case for field in gen-changelog.
    - Execute run-script via CONFIG_SHELL.
      Reported by Larkin Nickle <me@larbob.org>.
    - Quote variables containing pathnames in m4 macros.
    - Add support for commit message fix up machinery in gen-changelog.
  * Packaging:
    - Use absolute pathnames in .install debhelper fragments.
    - Remove unused dh_installcron call for arch-indep targets.
    - Add support for a native systemd timer. Closes: #985444
    - Create autopkgtest installation directory.
    - Bump Standards-Version to 4.6.0 (no changes needed).
  * Test suite:
    - Pass --ignore-builtin-builddeps to dpkg-buildpackage.
    - Use can_run() instead of find_command().
    - Add descriptions to makefile test runners.
    - Add unit tests for architecture bijective mapping property.
    - Suppress cppcheck constParameter check.
    - Suppress bogus cppcheck for nullPointerRedundantCheck.
    - Mark external sourced shell files for checking.
    - Ignore new shellcheck checks.
    - Remove shipped dpkg database.
    - Add re-inclusion of symlink case to t-filtering. See #871420.
    - Generate symlink during test build time.
    - Remove superfluous long filename.
    - Refactor parse_ctrl() from parse_dsc().
    - Update codespell stopwords.

  [ Helge Kreutzmann ]
  * deb-md5sums.pod: Fix typo.

  [ Add programs translations ]
  * Occitan (Quentin PAGÈS).

  [ Update dselect translations ]
  * German (Sven Joachim).

  [ Update man pages translations ]
  * German (Helge Kreutzmann).

  [ Update programs translations ]
  * German (Sven Joachim).
  * Polish (Marcin Owsiany, Łukasz Dulny).

  [ Update scripts translations ]
  * German (Helge Kreutzmann).
participants (1)
-
Richard Brown