New MicroOS snapshot 20220130 released!
Please note that this mail was generated by a script. The described changes are computed based on the x86_64 DVD. The full online repo contains too many changes to be listed here. Please check the known defects of this snapshot before upgrading: https://openqa.opensuse.org/tests/overview?distri=microos&groupid=1&version=Tumbleweed&build=20220130 https://bugzilla.opensuse.org/buglist.cgi?product=openSUSE%20Tumbleweed&component=MicroOS&query_format=advanced&resolution=--- Please do not reply to this email to report issues, rather file a bug on bugzilla.opensuse.org. For more information on filing bugs please see https://en.opensuse.org/openSUSE:Submitting_bug_reports Packages changed: apparmor fcoe-utils fontconfig glib2 (2.70.2 -> 2.70.3) graphite2 keylime (6.2.1 -> 6.3.0) libapparmor libical (3.0.12 -> 3.0.13) libical-glib (3.0.12 -> 3.0.13) llvm13 perl-Net-HTTP (6.21 -> 6.22) perl-libwww-perl (6.60 -> 6.61) pipewire (0.3.43 -> 0.3.44) procps snapper (0.9.0 -> 0.9.1) solid udisks2 userspace-rcu (0.13.0 -> 0.13.1) === Details === ==== apparmor ==== Subpackages: apparmor-abstractions apparmor-parser apparmor-profiles apparmor-utils python3-apparmor - add ruby-3.1-build-fix.diff: fix build with ruby 3.1 (boo#1194221, MR 827) ==== fcoe-utils ==== - Added upstream commit to fix gcc12 warning/errors: * fcoe-utils-Fix-GCC-12-warning.patch ==== fontconfig ==== Subpackages: libfontconfig1 - adding bug reference to this changelog [bsc#1172301] ==== glib2 ==== Version update (2.70.2 -> 2.70.3) Subpackages: glib2-tools libgio-2_0-0 libglib-2_0-0 libgmodule-2_0-0 libgobject-2_0-0 - Update to version 2.70.3: + Several important fixes to FD handling in gspawn. + Several important fixes to GDBus message and GVariant parsing of invalid data. + Fix potential data loss due to missing fsync when saving files on btrfs. + Bugs fixed: glgo#GNOME/GLib#2503, glgo#GNOME/GLib#2506, glgo#GNOME/GLib#2557, glgo#GNOME/GLib#2572, glgo#GNOME/GLib#2580, glgo#GNOME/GLib!2394, glgo#GNOME/GLib!2415, glgo#GNOME/GLib!2437, glgo#GNOME/GLib!2444, glgo#GNOME/GLib!2455. + Updated translations. ==== graphite2 ==== - Fix license header so that it corresponds to SPDX abbreviation ==== keylime ==== Version update (6.2.1 -> 6.3.0) Subpackages: keylime-agent keylime-config keylime-firewalld keylime-registrar keylime-tpm_cert_store keylime-verifier python38-keylime - Drop patches beacuse merged upstream: * 0001-Drop-dataclasses-module-usage.patch * 0001-config-support-merge-multiple-config-files.patch * 0001-ca-support-back-old-cyptography-API.patch - Update to version v6.3.0: * Coordinated update to fix: + bsc#1193997 (CVE-2022-23948) + bsc#1193998 (CVE-2021-43310) + bsc#1194000 (CVE-2022-23949) + bsc#1194002 (CVE-2022-23950) + bsc#1194004 (CVE-2022-23951) + bsc#1194005 (CVE-2022-23952) * secure_mount: add umount function * secure_mount: use /proc/self/mountinfo * Validate user ID in all public interfaces * validators: add uuid and agent_id validators * validators: create validators module * revocation_notifier: move zmq socket to /var/run/keylime * Update API version from 1.0 to 2.0 * tpm: do not compress quote with zlib by default * verifier: persist AK and mTLS certificate to DB * verifier: use "supported_version" for agent connections * tenant: add support for "supported_version" option for the verifier * api_version: add the option for basic validation * verifier: add supported_version field to DB and API * agent: add /version to REST API * verifier, tenant: allow agents to not use mTLS * tenant, verifier: allow manual configuration of agent mTLS * tests: migrate to mTLS * tenant: connect to the agent via mTLS * verifier: connect to the agent via mTLS * tornado_requests: handle SSLError * web_util: add mTLS context generation for agent * agent: Enable mTLS for agent REST API * crypto: add helper function for creating self signed certs * registrar: Allow the agent to registrar with a mTLS certificate * request_client: add workaround for handling certificates * request_client: add the option to ignore hostname validation * Better docs and errors about IMA hash mismatches * tests: use JSON instead Python string for IMA tests * verifier: use json.loads(..) instead of ast.literal_eval(..) * Adding Nuvoton certificate for a post 2020 TPM device. The EK cert of the device directs to the following download site: 'https://www.nuvoton.com/security/NTC-TPM-EK-Cert/Nuvoton TPM Root CA 1111.cer' (yes, including the spaces) * Improve revocation notifier IP description in keylime.conf * tornado_requests: set Content-Type header correctly for JSON * tenant: post U key to agent with correct Content-Type header * Explicitly set permissions on new keylime.conf files installed * tpm_main: close file descriptor for aik handle * verifier: do not call finish() twice * agent: fix payload execution * tests: add initial tests for web_util module * config, web_util: move get_restful_params(..) to web_util * verifier: Also retry on HTTP 500 status code * agent: improve startup and shutdown * registrar: cleanup start function * web_util: move echo_json_response(..) out of config.py * verifier: fix failure generation for V key * tornado_requests: cleanup TornadoResponse class * web_util, verifier: move mTLS SSLContext generation into separate module * ca: support back old cyptography API * Fix test branch reference in packit.yaml * ci: disable DeprecationWarning from pylint in tox * Enable new test in Packit CI * tenant: fix reactivate command * config: support merge multiple config files * ci: use only fedora-stable for packit * elchecking: harden example policy against event type manipulation * elchecking: add new tests * tests: fix stdout formatting for agent and verifier * Drop dataclasses module usage * revocation notifier: handle shutdown of process gracefully * verifier: handle SIGINT and SIGTERM correctly * ima_emulator: fix IMA hash validation and add more options * ima_ast: fix handling ToMToU errors * Remove leftovers of TPM 1.2 support * agent: improved validation for post function * agent: better validation for mask and nonce * config: add function to validate hex strings * agent: keys/verify check if challenge was provided * tpm_main: do not append /usr/local/{bin,lib} to default env * db: only set length on Text type if supported * json: do not make sqlalchemy a hard requirement * Enable functional testing with Packit CI * ima_emulator: specify sys.argv as the named parameter argv in main() * elchecking example policy: make it work with Fedora 34 * elchecking example policy: initrd* might be also called initramfs* * scripts: add mb_refstate generator for example policy * config: change tpm_hash_alg to SHA1 by default * parse_mb_bootlog: specify the used hash algorithm used for PCRs * agent: add warning that on kernels <5.10 IMA only works with SHA1 * tpm: explicitly pass hash alg to sim_extend(..) * ima emulator: use IMA AST and support multiple hash algorithms * tests: update IMA allowlist version number * ima: add option 'log_hash_alg' to IMA allowlist * ima: remove hard requirement for SHA1 PCR 10 * algorithms: extend Hash class to simplify computing hash values * config, tpm_main: explicitly handle YAML load errors * config: private_key must be set to -private.pem not -public.pem * agent: add UUID option environment * agent: drop openstack uuid option ==== libapparmor ==== - add ruby-3.1-build-fix.diff: fix build with ruby 3.1 (boo#1194221, MR 827) ==== libical ==== Version update (3.0.12 -> 3.0.13) - update to 3.0.13: * icalcomponent_get_dtend() return icaltime_null_time(), unless called on VEVENT, VAVAILABILITY or VFREEBUSY * icalcomponent_get_duration() for VTODO calculate with DUE instead of DTEND * Replace CMake FindBDB with FindBerleyDB * Fix finding ICU and BerkeleyDB on Mac ==== libical-glib ==== Version update (3.0.12 -> 3.0.13) - update to 3.0.13: * icalcomponent_get_dtend() return icaltime_null_time(), unless called on VEVENT, VAVAILABILITY or VFREEBUSY * icalcomponent_get_duration() for VTODO calculate with DUE instead of DTEND * Replace CMake FindBDB with FindBerleyDB * Fix finding ICU and BerkeleyDB on Mac ==== llvm13 ==== - Add support for experimental targets and enable the M68k backend - Add patch to fix testsuite after enabling the M68k backend + llvm-update-extract-section-script.patch ==== perl-Net-HTTP ==== Version update (6.21 -> 6.22) - updated to 6.22 see /usr/share/doc/packages/perl-Net-HTTP/Changes 6.22 2022-01-21 20:41:21Z - Format method bullet points as code in docs (GH#77) (Paul Cochrane) - Ignore automatically generated directories (GH#76) (Paul Cochrane) - Use copyright start year rather than range (issue raised by Paul Cochrane) ==== perl-libwww-perl ==== Version update (6.60 -> 6.61) - updated to 6.61 see /usr/share/doc/packages/perl-libwww-perl/Changes 6.61 2022-01-21 21:41:18Z - Use File::Copy::move to attempt an atomic mirror (GH#401) (Andrew Fresh) - Require Getopt::Long at runtime, too (GH#402) (Ville Skyttä) ==== pipewire ==== Version update (0.3.43 -> 0.3.44) Subpackages: gstreamer-plugin-pipewire libpipewire-0_3-0 pipewire-alsa pipewire-modules-0_3 pipewire-pulseaudio pipewire-spa-plugins-0_2 pipewire-spa-tools pipewire-tools - Update to version 0.3.44: * Highlights: - It is now possible to run a minimal PipeWire server without a session manager, enough to run JACK clients. - The maximum buffer size is now configurable and can be larger than the previously hardcoded limit of 8192 samples. When using high sample rates, the larger buffer size can avoid xruns. - The default maximum latency was reduced from 170ms to 42ms. This should improve overall latency for application that ask for a large latency, such as notifications. - Better JACK compatibility. Patchbays should now get less confused about ports appearing and disappearing. - Fix some bluetooth crashes. - Fix some races in ALSA device detection. - Many bug fixes and improvements all over the place. * PipeWire: - Bump the meson requirement to 0.59.0. - pw-top now reports correct times for filter-chain and loopback. - max-quantum is now also scaled with the rate. A new quantum-limit property was added as a hard limit for the quantum. This makes it possible to configure for larger than 8192 buffer sizes. Note than many JACK applications have a hardcoded 8192 limit. - The max-quantum was reduced to 2048, This gives a 42ms default latency. - pw-filter can now return a NULL buffer from _get_dsp_buffer() - Add a PIPEWIRE_RATE and PIPEWIRE_QUANTUM env variable to set the graph rate and the graph quantum and rate respectively. - Fix a potential file descriptor leak in the connection. - A new minimal.conf file was added to demonstrate a static setup of a daemon that doesn't require a session manager and is able to run JACK applicaions. - Nice levels are now only changed on the servers, not the clients. - Add an option to suspend nodes when idle. - Make it possible to avoid quantum and rate changes with pw-metadata. This is essential in a locked down system. - Handle mixer port errors better and fail to create the link instead of silently not working. - Nodes that are moved to a driver now have all the linked nodes moved as well. This makes it possible to run some graphs without a driver, such as paplay -> zita-j2n. - pw-cli and pw-dump can now also list objects by name, serial and object.path using glob style pattern matching. * modules: - filter-chain can now also configure parameters by index. - Fix the client name of module-protocol-simple. - module-rtkit was merged into module-rt. This makes it easier to ship a default config that works on more systems by default. - module-adapter can now configure the adapter node from the config. Previously, this was a task only performed by the session manager. - module-metadata can now also create metadata object from the config file. - The ROC module should now work again. - An X11-bell module was added to handle X11 bell events. - filter-chain and loopback modules now have better unique default names for the streams, which makes it possible to save and restore their volumes independently. - module-echo-cancel now has properties to control the delay and buffer size. * ALSA: - The monitor names are now correctly parsed. - The default period size for batch devices is limited now to avoid large latency. - The unused min/max-latency properties were removed. - Internal latency is now also configurable with params at runtime. - The udev rule for TI2902 was removed because it causes problems. - Fix a race where some devices would sometimes be missing. - Add some more timeouts to work around a race in udev device permission changes when switching VTs. * SPA: - Fix potential infinite loop in audioconvert. - The spa-resample tools can now also use optimised implementations. - Fix a potential crash in resampler. - audioconvert can now also handle F64 formats. - The channelmixer now does normalization by default to avoid clipping when downmixing is active. - The channelmixer will now generate LFE channels when the lfe_cutoff frequency is set, even when upmix is disabled. - The channelmixer will now always generate FC when the target has it. - Adapter now reports latency correctly, even after linking the monitor ports. - Reduce memory usage and preallocated memory in some of the audioconvert nodes. - Many properties are now exposed in adapter, such as the resample quality. - The resampler and channelmixer can now be disabled. * V4L2: - pw-v4l2 now also works for ffplay. - Take product names from udev now that the kernel returns generic name. * JACK: - The jack pkgconfig file now has the jack_implementation=pipewire variable to be able to distinguish jack implementations. - jconvolver now starts correctly again. - The object.serial is now used for the port_id. This makes it easier to track old objects in the cache. - Add a dummy jacknet implementation. - A bug in the port allocation was fixed that would make it impossible to allocate ports at some point. * Bluetooth: - Bluetooth profiles are now saved properly by the session manager. - Improved profile detections, increased timeouts for slow devices. - Implement HFP call indicator for improved compatibility. - Handle the case where bluez does not set the adapter or address properties on the device instead of crashing. - Improved support for setting the profile from the session manager. * pulse-server: - Monitor sources now have the device.class=monitor for better compatibility. - Behaviour after seeking is improved. The algorithm for requesting bytes from the client was simplified and improved. - module-ladspa-sink implements the control argument now. - A potential memory leak in the message queue was fixed. - Use the object.serial for the pulseaudio object index. The index is not supposed to be reused and this would cause problems with some clients. - Servers should now again be able to listen in IPv4. - module-x11-bell was added. - There is now support for per-application quirks and properties in the pipewire-pulse.conf file. Per-application latency and buffering properties can also be configured. - Fix a regression in telegram sounds not playing. - Drop patches already included upstream: * 0001-alsa-improve-rate-selection.patch * 0001-audioconvert-avoid-infinite-loop.patch * 0001-bluez5-dont-create-device-if-adapter-is-missing.patch * 0001-bluez5-handle-missing-device-and-adapter-in-quirks.patch * 0001-jack-remember-last-return-from-jack_get_buffer_size.patch * 0001-loop-invoke-immediately-when-loop-is-not-running.patch * 0001-merger-also-reconfigure-when-monitor-changes.patch * 0001-pulse-server-show-monitor-sources-with-device_class_monitor.patch * 0001-pw-metadata-handle-NULL-props-from-metadata-object.patch * 0001-raop-fix-errno-check.patch ==== procps ==== Subpackages: libprocps8 - Correct used URLs ==== snapper ==== Version update (0.9.0 -> 0.9.1) Subpackages: libsnapper5 - added bash completion provided by community - look for most configuration files in /etc/snapper and /usr/share/snapper (bsc#1189601) - version 0.9.1 ==== solid ==== Subpackages: libKF5Solid5 solid-imports - Also use libplist-2.0 in SLE15-SP4/Leap 15.4 ==== udisks2 ==== Subpackages: libudisks2-0 - Stop packaging libudisks_vdo standalone module, it is deprecated. Do this via passing explicit disable-vdo to configure and dropping libblockdev-vdo-devel BuildRequires. Add a libudisks2_0_vdo Obsoletes to ease updates. - No longer remove upstream config files, we want to be able to load modules on demand. Note that we move an example file to docs to keep sysconfdir clean of non-conf files. - Add a default_luks_encryption define, and set it to luks2, sed this macro into source, future versions of udisks will not need this, as upstream moves to luks2 by default. - Ghost a dir/file created by us. - Split out API docs into separate docs sub-package. ==== userspace-rcu ==== Version update (0.13.0 -> 0.13.1) - update to 0.13.1: * fix: properly detect 'cmpxchg' on x86-32 * fix: use urcu-tls compat with c++ compiler * fix: remove autoconf features default value in help message * fix: add missing pkgconfig file for memb flavour lib * Make temporary variable in _rcu_dereference non-const * Fix: x86 and s390: uatomic __hp() macro C++ support * Fix: x86 and s390: uatomic __hp() macro clang support * Fix: x86 and s390 uatomic: __hp() macro warning with gcc 11
participants (1)
-
Richard Brown