Please note that this mail was generated by a script.
The described changes are computed based on the aarch64 DVD.
The full online repo contains too many changes to be listed here.
Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=microos&groupid=3&version=Tumbleweed&build=20220528
https://bugzilla.opensuse.org/buglist.cgi?product=openSUSE%20Tumbleweed&component=MicroOS&query_format=advanced&resolution=---
Please do not reply to this email to report issues, rather file a bug on bugzilla.opensuse.org.
For more information on filing bugs please see https://en.opensuse.org/openSUSE:Submitting_bug_reports
Packages changed:
Mesa
Mesa-drivers
NetworkManager
PackageKit (1.2.4 -> 1.2.5)
augeas
bash-completion
chrony
gnome-keyring (40.0 -> 42.1)
gnutls (3.7.5 -> 3.7.4)
gpg2
grep
grub2
harfbuzz (4.2.1 -> 4.3.0)
kdsoap
keylime (6.3.2 -> 6.4.0)
libopenmpt (0.6.2 -> 0.6.3)
libunwind
logrotate (3.19.0 -> 3.20.1)
mobile-broadband-provider-info (20220315 -> 20220511)
osinfo-db (20220214 -> 20220516)
podman
polkit-default-privs (1550+20220404.7b4bea2 -> 1550+20220524.0345bd9)
python-cryptography (36.0.2 -> 37.0.2)
python-psutil (5.9.0 -> 5.9.1)
qemu
runc
wayland
webkit2gtk3 (2.36.1 -> 2.36.2)
webkit2gtk3-soup2 (2.36.1 -> 2.36.2)
xmlsec1 (1.2.33 -> 1.2.34)
xwayland (22.1.1 -> 22.1.2)
yast2 (4.5.3 -> 4.5.4)
=== Details ===
==== Mesa ====
Subpackages: Mesa-libEGL1 Mesa-libGL1 Mesa-libglapi0 libgbm1
- buildrequire DirectX-Headers only on %{ix86} x86_64, since it's
only relevant on these platforms
- Calling patch with '-p1' (as the others are) so 'git show'
.patch output works.
- Generating 'n_stop-iris-flicker.patch' from 'git format-patch' vs.
a standard diff.
- Fixing up 'stop-iris-flicker.patch' patch name to follow standards.
==== Mesa-drivers ====
Subpackages: Mesa-dri Mesa-gallium
- buildrequire DirectX-Headers only on %{ix86} x86_64, since it's
only relevant on these platforms
- Calling patch with '-p1' (as the others are) so 'git show'
.patch output works.
- Generating 'n_stop-iris-flicker.patch' from 'git format-patch' vs.
a standard diff.
- Fixing up 'stop-iris-flicker.patch' patch name to follow standards.
==== NetworkManager ====
Subpackages: NetworkManager-wwan libnm0 typelib-1_0-NM-1_0
- Fold NetworkManager-wifi back into the main package: The dep
chain is not really different and it causes too many problems for
users having that split. Not worth the pain (boo#1199710,
boo#1199706).
- As a consequence, also drop the recommends fro the main package
to -wifi.
==== PackageKit ====
Version update (1.2.4 -> 1.2.5)
Subpackages: PackageKit-backend-dnf libpackagekit-glib2-18 typelib-1_0-PackageKitGlib-1_0
- Update to version 1.2.5:
+ Backends:
- dnf:
. Add support for autoremove flag when removing packages.
. Searches by name and package details should be case
insensitive.
. Update appstream xml files if dnf_sack_add_repos() does
the download.
- zypp:
. Add -std=c++1z cpp flags.
. Fix crash when search string is NULL.
. Fix package installation using undefined data.
- Changes to alpm, apttcc, nix, and slack.
+ Bugfixes:
- Install offline-update enablement symlink if Meson is new
enough.
- Move Wants= line for network-online.target.
- Add flags to D-Bus offline invoking methods.
- Properly handle allow-reinstall flag for installations.
- Provide better error message if trying to install an
installed package.
- Wait until online to activate systemd service.
- Drop 505.patch, PackageKit-zypp-c++17.patch, and
PackageKit-zypp-fix-crash-with-empty-search-string.patch: fixed
upstream.
==== augeas ====
- Employ shared library packaging guideline and resolve this
rpmlint report: "libaugeas0.x86_64: E: shlib-policy-name-error
SONAME: libfa.so.1, expected package suffix: 1" [boo#1191749]
==== bash-completion ====
- Add patch bsc1199724-modules.patch (bsc#1199724)
* Enable upstream commit to list ko.zst modules as well
==== chrony ====
Subpackages: chrony-pool-openSUSE
- Moved 20-chrony file from user specif directory
/etc/NetworkManager/dispatcher.d to vendor specific directory
/usr/lib/NetworkManager/dispatcher.d. So, users changes can
still be done in /etc and will not be overwritten by an update.
==== gnome-keyring ====
Version update (40.0 -> 42.1)
Subpackages: gnome-keyring-pam libgck-modules-gnome-keyring
- Update to version 42.1:
+ daemon: Add files to EXTRA_DIST to fix distcheck.
- Changes from version 42.0:
+ secret-portal: Properly check the default keyring.
+ Build fixes.
+ ssh-agent: Fix crash by uninitialized GMutex.
+ fix looping off the end of the operations array.
+ readme: Mention libsecret instead of deprecated
libgnome-keyring.
+ daemon: Make it systemd-activatable through the control socket.
+ Updated translations.
- Add pkgcondfig(systemd) and pkgconfig(libsystemd) BuildRequires:
new dependencies.
==== gnutls ====
Version update (3.7.5 -> 3.7.4)
- disable kcapi usage for now, as kernel-obs-build not adjusted
to contain the algorithms. bsc#1189283
- FIPS: Additional PBKDF2 requirements for KAT [bsc#1184669]
* The IG 10.3.A and SP800-132 require some minimum parameters for
the salt length, password length and iteration count. These
parameters should be also used in the KAT.
* Add gnutls-FIPS-PBKDF2-KAT-requirements.patch
- Enable to run the regression tests also in FIPS mode.
- Update to 3.7.4:
* libgnutls: Added support for certificate compression as defined
in RFC8879.
* certtool: Added option --compress-cert that allows user to
specify compression methods for certificate compression.
* libgnutls: GnuTLS can now be compiled with --enable-strict-x509
configure option to enforce stricter certificate sanity checks
that are compliant with RFC5280.
* libgnutls: Removed IA5String type from DirectoryString within
issuer and subject name to make DirectoryString RFC5280 compliant.
* libgnutls: Added function to retrieve the name of current
ciphersuite from session.
* Bump libgnutlsxx soname due to ABI break
* API and ABI modifications:
- GNUTLS_COMP_BROTLI: New gnutls_compression_method_t enum member
- GNUTLS_COMP_ZSTD: New gnutls_compression_method_t enum member
- gnutls_compress_certificate_get_selected_method: Added
- gnutls_compress_certificate_set_methods: Added
* Update gnutls.keyring
- build with lto
- build with -Wl,-z,now -Wl,-z,relro
- build without -fanalyzer, which cuts build time in ~ half
- Update to 3.7.3: [bsc#1190698, bsc#1190796]
* libgnutls: The allowlisting configuration mode has been added
to the system-wide settings. In this mode, all the algorithms
are initially marked as insecure or disabled, while the
applications can re-enable them either through the [overrides]
section of the configuration file or the new API (#1172).
* The build infrastructure no longer depends on GNU AutoGen for
generating command-line option handling, template file parsing
in certtool, and documentation generation (#773, #774). This
change also removes run-time or bundled dependency on the
libopts library, and requires Python 3.6 or later to regenerate
the distribution tarball. Note that this brings in known backward
incompatibility in command-line tools, such as long options are
now case sensitive, while previously they were treated in a case
insensitive manner: for example --RSA is no longer a valid option
of certtool. The existing scripts using GnuTLS tools may need
adjustment for this change.
* libgnutls: The tpm2-tss-engine compatible private blobs can be loaded
and used as a gnutls_privkey_t (#594). The code was originally written
for the OpenConnect VPN project by David Woodhouse. To generate such
blobs, use the tpm2tss-genkey tool from tpm2-tss-engine:
https://github.com/tpm2-software/tpm2-tss-engine/#rsa-operations
or the tpm2_encodeobject tool from unreleased tpm2-tools.
* libgnutls: The library now transparently enables Linux KTLS (kernel
TLS) when the feature is compiled in with --enable-ktls configuration
option (#1113). If the KTLS initialization fails it automatically falls
back to the user space implementation.
* certtool: The certtool command can now read the Certificate Transparency
(RFC 6962) SCT extension (#232). New API functions are also provided to
access and manipulate the extension values.
* certtool: The certtool command can now generate, manipulate, and evaluate
x25519 and x448 public keys, private keys, and certificates.
* libgnutls: Disabling a hashing algorithm through "insecure-hash"
configuration directive now also disables TLS ciphersuites that use it
as a PRF algorithm.
* libgnutls: PKCS#12 files are now created with modern algorithms by default
(!1499). Previously certtool used PKCS12-3DES-SHA1 for key derivation and
HMAC-SHA1 as an integity measure in PKCS#12. Now it uses AES-128-CBC with
PBKDF2 and SHA-256 for both key derivation and MAC algorithms, and the
default PBKDF2 iteration count has been increased to 600000.
* libgnutls: PKCS#12 keys derived using GOST algorithm now uses
HMAC_GOSTR3411_2012_512 instead of HMAC_GOSTR3411_2012_256 for integrity,
to conform with the latest TC-26 requirements (#1225).
* libgnutls: The library now provides a means to report the status
of approved cryptographic operations (!1465). To adhere to the
FIPS140-3 IG 2.4.C., this complements the existing mechanism to
prohibit the use of unapproved algorithms by making the library
unusable state.
* gnutls-cli: The gnutls-cli command now provides a --list-config
option to print the library configuration (!1508).
* libgnutls: Fixed possible race condition in
gnutls_x509_trust_list_verify_crt2 when a single trust list object
is shared among multiple threads (#1277). [GNUTLS-SA-2022-01-17,
CVSS: low]
* API and ABI modifications:
GNUTLS_PRIVKEY_FLAG_RSA_PSS_FIXED_SALT_LENGTH: new flag in
gnutls_privkey_flags_t
GNUTLS_VERIFY_RSA_PSS_FIXED_SALT_LENGTH: new flag in
gnutls_certificate_verify_flags
gnutls_ecc_curve_set_enabled: Added.
gnutls_sign_set_secure: Added.
gnutls_sign_set_secure_for_certs: Added.
gnutls_digest_set_secure: Added.
gnutls_protocol_set_enabled: Added.
gnutls_fips140_context_init: New function
gnutls_fips140_context_deinit: New function
gnutls_fips140_push_context: New function
gnutls_fips140_pop_context: New function
gnutls_fips140_get_operation_state: New function
gnutls_fips140_operation_state_t: New enum
gnutls_transport_is_ktls_enabled: New function
gnutls_get_library_configuration: New function
* Remove patches fixed in the update:
- gnutls-FIPS-module-version.patch
- gnutls-FIPS-service-indicator.patch
- gnutls-FIPS-service-indicator-public-key.patch
- gnutls-FIPS-service-indicator-symmetric-key.patch
- gnutls-FIPS-RSA-PSS-flags.patch
- gnutls-FIPS-RSA-mod-sizes.patch
- FIPS: Fix regression tests in fips and non-fips mode [bsc#1194468]
* Add gnutls-FIPS-disable-failing-tests.patch
* Remove patches:
- gnutls-temporarily_disable_broken_guile_reauth_test.patch
- disable-psk-file-test.patch
- FIPS: Provide module identifier and version [bsc#1190796]
* Add configurable options to output the module name/identifier
(--with-fips140-module-name) and the module version
(--with-fips140-module-version).
* Add the CLI option list-config that reports the configuration
of the library.
* Add gnutls-FIPS-module-version.patch
- FIPS: Provide a service-level indicator [bsc#1190698]
* Add support for a "service indicator" as required in
the FIPS140-3 Implementation Guidance in section 2.4.C
* Add patches:
- gnutls-FIPS-service-indicator.patch
- gnutls-FIPS-service-indicator-public-key.patch
- gnutls-FIPS-service-indicator-symmetric-key.patch
- gnutls-FIPS-RSA-PSS-flags.patch
- FIPS: RSA KeyGen/SigGen fail with 4096 bit key sizes [bsc#1192008]
* fips: allow more RSA modulus sizes
* Add gnutls-FIPS-RSA-mod-sizes.patch
* Delete gnutls-3.6.7-fips-rsa-4096.patch
- Drop bogus condition "> 1550": that would mean 'more recent than
Tumbleweed' which is technically impossible, as Tumbleweed is the
leading project (and the condition causes issues as Tumbleweed
needs to move away from 1550 due to CODE 15 SP5 plans).
- Add crypto-policies support for Leap and SLE 15.4 [jsc#SLE-20287]
- Add DANE guards
- Remove gnutls-temporarily_disable_broken_guile_reauth_test.patch
since its already working.
- Update to version 3.7.2
* Added Linux kernel AF_ALG based acceleration
* Fixed timing of early data exchange
* The priority string option DISABLE_TLS13_COMPAT_MODE was added
to disable TLS 1.3 middlebox compatibility mode
* The GNUTLS_NO_EXPLICIT_INIT envvar has been renamed to
GNUTLS_NO_IMPLICIT_INIT to reflect the purpose
* certtool:
* When signing a CSR, CRL distribution point (CDP) is no
longer copied from the signing CA by default
* When producing certificates and certificate requests, subject
DN components that are provided individually will now be
ordered by assumed scale
- Rework the crypto-policies dependencies in libraries [bsc#1186385]
- Compute the FIPS hmac file without re-defining the
__os_install_post macro, use the brp-50-generate-fips-hmac
script instead. [bsc#1184555]
- Require the main package in devel and lib packages as the default
priorities are now set via crypto-policies. [bsc#1183082]
- Update to 3.7.1:
[bsc#1183456, CVE-2021-20232] [bsc#1183457, CVE-2021-20231]
* Fixed potential use-after-free in sending "key_share" and
"pre_shared_key" extensions.
* Fixed a regression in handling duplicated certs in a chain.
* Fixed sending of session ID in TLS 1.3 middlebox compatibility
mode. In that mode the client shall always send a non-zero
session ID to make the handshake resemble the TLS 1.2
resumption; this was not true in the previous versions.
* Removed dependency on the external 'fipscheck' package,
when compiled with --enable-fips140-mode.
* Added padlock acceleration for AES-192-CBC.
- Remove patches upstream:
* gnutls-gnutls-cli-debug.patch
* gnutls-ignore-duplicate-certificates.patch
* gnutls-test-fixes.patch
- Fix the test suite for tests/gnutls-cli-debug.sh [bsc#1171565]
* Don't unset system priority settings in gnutls-cli-debug.sh
* Upstream: gitlab.com/gnutls/gnutls/merge_requests/1387
- Add gnutls-gnutls-cli-debug.patch
- Fix: Test certificates in tests/testpkcs11-certs have expired
* Upstream bug: gitlab.com/gnutls/gnutls/issues/1135
- Add gnutls-test-fixes.patch
- gnutls_x509_trust_list_verify_crt2: ignore duplicate certificates
* Upstream bug: https://gitlab.com/gnutls/gnutls/issues/1131
- Add gnutls-ignore-duplicate-certificates.patch
- Update to 3.7.0
* Depend on nettle 3.6
* Added a new API that provides a callback function to retrieve
missing certificates from incomplete certificate chains
* Added a new API that provides a callback function to output the
complete path to the trusted root during certificate chain
verification
* OIDs exposed as gnutls_datum_t no longer account for the
terminating null bytes, while the data field is null terminated.
The affected API functions are: gnutls_ocsp_req_get_extension,
gnutls_ocsp_resp_get_response, and gnutls_ocsp_resp_get_extension
* Added a new set of API to enable QUIC implementation
* The crypto implementation override APIs deprecated in 3.6.9 are
now no-op
* Added MAGMA/KUZNYECHIK CTR-ACPKM and CMAC support
* Support for padlock has been fixed to make it work with Zhaoxin CPU
* The maximum PIN length for PKCS #11 has been increased from 31
bytes to 255 bytes
- Remove patch fixed upstream:
* gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch
- Add version guards for the crypto-policies package
- Fix threading bug in libgnutls [bsc#1173434]
* Upstream bug: gitlab.com/gnutls/gnutls/issues/1044
- Require the crypto-policies package [bsc#1180051]
- Use the centralized crypto policy profile (jsc#SLE-15832)
- FIPS: Use 2048 bit prime in DH selftest (bsc#1176086)
* add gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch
- FIPS: Add TLS KDF selftest (bsc#1176671)
* add gnutls-FIPS-TLS_KDF_selftest.patch
- Escape rpm command %%expand when used in comment.
- Update to 3.6.15
* libgnutls: Fixed "no_renegotiation" alert handling at incorrect timing.
[GNUTLS-SA-2020-09-04, CVSS: medium]
* libgnutls: If FIPS self-tests are failed, gnutls_fips140_mode_enabled() now
indicates that with a false return value (!1306).
* libgnutls: Under FIPS mode, the generated ECDH/DH public keys are checked
accordingly to SP800-56A rev 3 (!1295, !1299).
* libgnutls: gnutls_x509_crt_export2() now returns 0 upon success, rather than
the size of the internal base64 blob (#1025).
* libgnutls: Certificate verification failue due to OCSP must-stapling is not
honered is now correctly marked with the GNUTLS_CERT_INVALID flag
* libgnutls: The audit log message for weak hashes is no longer printed twice
* libgnutls: Fixed version negotiation when TLS 1.3 is enabled and TLS 1.2 is
disabled in the priority string. Previously, even when TLS 1.2 is explicitly
disabled with "-VERS-TLS1.2", the server still offered TLS 1.2 if TLS 1.3 is
enabled (#1054).
- drop upstreamed patches:
* gnutls-detect_nettle_so.patch
* 0001-crypto-api-always-allocate-memory-when-serializing-i.patch
- Correctly detect gmp, nettle, and hogweed libraries (bsc#1172666)
* add gnutls-detect_nettle_so.patch
- Fix a memory leak that could lead to a DoS attack against Samba
servers (bsc#1172663)
* add 0001-crypto-api-always-allocate-memory-when-serializing-i.patch
- Temporarily disable broken guile reauth test (bsc#1171565)
* add gnutls-temporarily_disable_broken_guile_reauth_test.patch
- Update to 3.6.14
* libgnutls: Fixed insecure session ticket key construction, since 3.6.4.
The TLS server would not bind the session ticket encryption key with a
value supplied by the application until the initial key rotation, allowing
attacker to bypass authentication in TLS 1.3 and recover previous
conversations in TLS 1.2 (#1011). (bsc#1172506, CVE-2020-13777)
[GNUTLS-SA-2020-06-03, CVSS: high]
* libgnutls: Fixed handling of certificate chain with cross-signed
intermediate CA certificates (#1008). (bsc#1172461)
* libgnutls: Fixed reception of empty session ticket under TLS 1.2 (#997).
* libgnutls: gnutls_x509_crt_print() is enhanced to recognizes commonName
(2.5.4.3), decodes certificate policy OIDs (!1245), and prints Authority
Key Identifier (AKI) properly (#989, #991).
* certtool: PKCS #7 attributes are now printed with symbolic names (!1246).
* libgnutls: Use accelerated AES-XTS implementation if possible (!1244).
Also both accelerated and non-accelerated implementations check key block
according to FIPS-140-2 IG A.9 (!1233).
* libgnutls: Added support for AES-SIV ciphers (#463).
* libgnutls: Added support for 192-bit AES-GCM cipher (!1267).
* libgnutls: No longer use internal symbols exported from Nettle (!1235)
* API and ABI modifications:
GNUTLS_CIPHER_AES_128_SIV: Added
GNUTLS_CIPHER_AES_256_SIV: Added
GNUTLS_CIPHER_AES_192_GCM: Added
gnutls_pkcs7_print_signature_info: Added
- Add key D605848ED7E69871: public key "Daiki Ueno " to
the keyring
- Drop gnutls-fips_correct_nettle_soversion.patch (upstream)
- Use correct nettle .so version when looking for a FIPS checksum
(bsc#1166635)
* add gnutls-fips_correct_nettle_soversion.patch
- Update to 3.6.13
* libgnutls: Fix a DTLS-protocol regression (caused by TLS1.3
support)
The DTLS client would not contribute any randomness to the DTLS negotiation,
breaking the security guarantees of the DTLS protocol (#960)
[GNUTLS-SA-2020-03-31, CVSS: high] (bsc#1168345)
* libgnutls: Added new APIs to access KDF algorithms (#813).
* libgnutls: Added new callback gnutls_keylog_func that enables a custom
logging functionality.
* libgnutls: Added support for non-null terminated usernames in PSK
negotiation (#586).
* gnutls-cli-debug: Improved support for old servers that only support
SSL 3.0.
- Split off FIPS checksums into a separate libgnutls30-hmac
subpackage (bsc#1152692)
- gnutls 3.6.12
* libgnutls: Introduced TLS session flag (gnutls_session_get_flags())
to identify sessions that client request OCSP status request (#829).
* libgnutls: Added support for X448 key exchange (RFC 7748) and Ed448
signature algorithm (RFC 8032) under TLS (#86).
* libgnutls: Added the default-priority-string option to system configuration;
it allows overriding the compiled-in default-priority-string.
* libgnutls: Added support for GOST CNT_IMIT ciphersuite (as defined by
draft-smyshlyaev-tls12-gost-suites-07).
By default this ciphersuite is disabled. It can be enabled by adding
+GOST to priority string. In the future this priority string may enable
other GOST ciphersuites as well. Note, that server will fail to negotiate
GOST ciphersuites if TLS 1.3 is enabled both on a server and a client. It
is recommended for now to disable TLS 1.3 in setups where GOST ciphersuites
are enabled on GnuTLS-based servers.
* libgnutls: added priority shortcuts for different GOST categories like
CIPHER-GOST-ALL, MAC-GOST-ALL, KX-GOST-ALL, SIGN-GOST-ALL, GROUP-GOST-ALL.
* libgnutls: Reject certificates with invalid time fields. That is we reject
certificates with invalid characters in Time fields, or invalid time formatting
To continue accepting the invalid form compile with --disable-strict-der-time
* libgnutls: Reject certificates which contain duplicate extensions. We were
previously printing warnings when printing such a certificate, but that is
not always sufficient to flag such certificates as invalid. Instead we now
refuse to import them (#887).
* libgnutls: If a CA is found in the trusted list, check in addition to
time validity, whether the algorithms comply to the expected level prior
to accepting it. This addresses the problem of accepting CAs which would
have been marked as insecure otherwise (#877).
* libgnutls: The min-verification-profile from system configuration applies
for all certificate verifications, not only under TLS. The configuration can
be overriden using the GNUTLS_SYSTEM_PRIORITY_FILE environment variable.
* libgnutls: The stapled OCSP certificate verification adheres to the convention
used throughout the library of setting the 'GNUTLS_CERT_INVALID' flag.
* libgnutls: On client side only send OCSP staples if they have been requested
by the server, and on server side always advertise that we support OCSP stapling
* libgnutls: Introduced the gnutls_ocsp_req_const_t which is compatible
with gnutls_ocsp_req_t but const.
* certtool: Added the --verify-profile option to set a certificate
verification profile. Use '--verify-profile low' for certificate verification
to apply the 'NORMAL' verification profile.
* certtool: The add_extension template option is considered even when generating
a certificate from a certificate request.
- gnutls 3.6.11.1:
* libgnutls: Corrected issue with TLS 1.2 session ticket
handling as client during resumption
* libgnutls: gnutls_base64_decode2() succeeds decoding the empty
string to the empty string. This is a behavioral change of the
API but it conforms to the RFC4648 expectations
* libgnutls: Fixed AES-CFB8 implementation, when input is shorter
than the block size. Fix backported from nettle.
* certtool: CRL distribution points will be set in CA
certificates even when non self-signed
* gnutls-cli/serv: added raw public-key handling capabilities
(RFC7250). Key material can be set via the --rawpkkeyfile and
- -rawpkfile flags.
- gnutls 3.6.10:
* Add support for deterministic ECDSA/DSA (RFC6979)
* Add functions for in-place encryption/decryption of data buffers
* server now selects the highest TLS protocol version, if TLS 1.3
is enabled and the client advertises an older protocol version
first
* Add support for GOST 28147-89 cipher in CNT (GOST counter) mode
and MAC generation based on GOST 28147-89 (IMIT)
* certtool: when outputting an encrypted private key do not
insert the textual description of it
- Install checksums for binary integrity verification which are
required when running in FIPS mode (bsc#1152692, jsc#SLE-9518)
- gnutls 3.6.9:
* add support for copying digest or MAC contexts
* Mark the crypto implementation override APIs as deprecated
* Add support for AES-GMAC, as a separate to GCM, MAC algorithm
* Add support for Generalname registeredID
* The priority configuration was enhanced to allow more elaborate
system-wide configuration of the library
- includes changes from 3.6.8:
* Add support for AES-XTS cipher
* Fix calculation of Streebog digests
* During Diffie-Hellman operations in TLS, verify that the peer's
public key is on the right subgroup (y^q=1 mod p), when q is
available (under TLS 1.3 and under earlier versions when RFC7919
parameters are used).
* Apply STD3 ASCII rules in gnutls_idna_map() to prevent
hostname/domain crafting via IDNA conversion
* certtool: allow the digital signature key usage flag in CA
certificates
* gnutls-cli/serv: add the --keymatexport and --keymatexportsize
options. These allow testing the RFC5705 using these tools
- drop patches to re-enable tests:
* disable-psk-file-test.patch
* gnutls-3.6.0-disable-flaky-dtls_resume-test.patch
- Trim useless %if..%endif guards that do not affect the build.
- Fix language errors in description again.
- Update gnutls to 3.6.7
* * libgnutls, gnutls tools: Every gnutls_free() will automatically set
the free'd pointer to NULL. This prevents possible use-after-free and
double free issues. Use-after-free will be turned into NULL dereference.
The counter-measure does not extend to applications using gnutls_free().
* * libgnutls: Fixed a memory corruption (double free) vulnerability in the
certificate verification API. Reported by Tavis Ormandy; addressed with
the change above. [GNUTLS-SA-2019-03-27, #694] [bsc#1130681] (CVE-2019-3829)
* * libgnutls: Fixed an invalid pointer access via malformed TLS1.3 async messages;
Found using tlsfuzzer. [GNUTLS-SA-2019-03-27, #704] [bsc#1130682] (CVE-2019-3836)
* * libgnutls: enforce key usage limitations on certificates more actively.
Previously we would enforce it for TLS1.2 protocol, now we enforce it
even when TLS1.3 is negotiated, or on client certificates as well. When
an inappropriate for TLS1.3 certificate is seen on the credentials structure
GnuTLS will disable TLS1.3 support for that session (#690).
* * libgnutls: the default number of tickets sent under TLS 1.3 was increased to
two. This makes it easier for clients which perform multiple connections
to the server to use the tickets sent by a default server.
* * libgnutls: enforce the equality of the two signature parameters fields in
a certificate. We were already enforcing the signature algorithm, but there
was a bug in parameter checking code.
* * libgnutls: fixed issue preventing sending and receiving from different
threads when false start was enabled (#713).
* * libgnutls: the flag GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO now implies a writable
session, as non-writeable security officer sessions are undefined in PKCS#11
(#721).
* * libgnutls: no longer send downgrade sentinel in TLS 1.3.
Previously the sentinel value was embedded to early in version
negotiation and was sent even on TLS 1.3. It is now sent only when
TLS 1.2 or earlier is negotiated (#689).
* * gnutls-cli: Added option --logfile to redirect informational messages output.
- Disabled dane support in SLE since dane is not shipped there
- Changed configure script to hardware guile site directory since command-line
option '--with-guile-site-dir=' was removed from the configure script.
* * Added gnutls-3.6.6-set_guile_site_dir.patch
- Modified gnutls-3.6.0-disable-flaky-dtls_resume-test.patch to fix
compilation issues on PPC
- Update to 3.6.6
* * libgnutls: gnutls_pubkey_import_ecc_raw() was fixed to set the number bits
on the public key (#640).
* * libgnutls: Added support for raw public-key authentication as defined in RFC7250.
Raw public-keys can be negotiated by enabling the corresponding certificate
types via the priority strings. The raw public-key mechanism must be explicitly
enabled via the GNUTLS_ENABLE_RAWPK init flag (#26, #280).
* * libgnutls: When on server or client side we are sending no extensions we do
not set an empty extensions field but we rather remove that field competely.
This solves a regression since 3.5.x and improves compatibility of the server
side with certain clients.
* * libgnutls: We no longer mark RSA keys in PKCS#11 tokens as RSA-PSS capable if
the CKA_SIGN is not set (#667).
* * libgnutls: The priority string option %NO_EXTENSIONS was improved to completely
disable extensions at all cases, while providing a functional session. This
also implies that when specified, TLS1.3 is disabled.
* * libgnutls: GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION was marked as deprecated.
The previous definition was non-functional (#609).
- drop no longer needed gnutls-enbale-guile-2.2.patch
- refresh disable-psk-file-test.patch
- Update to 3.6.5
* * libgnutls: Provide the option of transparent re-handshake/reauthentication
when the GNUTLS_AUTO_REAUTH flag is specified in gnutls_init() (#571).
* * libgnutls: Added support for TLS 1.3 zero round-trip (0-RTT) mode (#127)
* * libgnutls: The priority functions will ignore and not enable TLS1.3 if
requested with legacy TLS versions enabled but not TLS1.2. That is because
if such a priority string is used in the client side (e.g., TLS1.3+TLS1.0 enabled)
servers which do not support TLS1.3 will negotiate TLS1.2 which will be
rejected by the client as disabled (#621).
* * libgnutls: Change RSA decryption to use a new side-channel silent function.
This addresses a security issue where memory access patterns as well as timing
on the underlying Nettle rsa-decrypt function could lead to new Bleichenbacher
attacks. Side-channel resistant code is slower due to the need to mask
access and timings. When used in TLS the new functions cause RSA based
handshakes to be between 13% and 28% slower on average (Numbers are indicative,
the tests where performed on a relatively modern Intel CPU, results vary
depending on the CPU and architecture used). This change makes nettle 3.4.1
the minimum requirement of gnutls (#630). [CVSS: medium]
* * libgnutls: gnutls_priority_init() and friends, allow the CTYPE-OPENPGP keyword
in the priority string. It is only accepted as legacy option and is ignored.
* * libgnutls: Added support for EdDSA under PKCS#11 (#417)
* * libgnutls: Added support for AES-CFB8 cipher (#357)
* * libgnutls: Added support for AES-CMAC MAC (#351)
* * libgnutls: In two previous versions GNUTLS_CIPHER_GOST28147_CPB/CPC/CPD_CFB ciphers
have incorrectly used CryptoPro-A S-BOX instead of proper (CryptoPro-B/-C/-D
S-BOXes). They are fixed now.
* * libgnutls: Added support for GOST key unmasking and unwrapped GOST private
keys parsing, as specified in R 50.1.112-2016.
* * gnutls-serv: It applies the default settings when no --priority option is given,
using gnutls_set_default_priority().
* * p11tool: Fix initialization of security officer's PIN with the --initialize-so-pin
option (#561)
* * certtool: Add parameter --no-text that prevents certtool from outputting
text before PEM-encoded private key, public key, certificate, CRL or CSR.
- minimum required libnettle is now 3.4.1
- refresh
* disable-psk-file-test.patch
* gnutls-3.6.0-disable-flaky-dtls_resume-test.patch
==== gpg2 ====
- added tpm support, added a new subpackage gpg2-tpm
==== grep ====
- use release keyring rather than full one for validation
- Do not link an unversioned file by URL (and refresh keyring)
==== grub2 ====
Subpackages: grub2-arm64-efi grub2-snapper-plugin
- Fix installation over serial console ends up in infinite boot loop
(bsc#1187810)
* 0001-Fix-infinite-boot-loop-on-headless-system-in-qemu.patch
- Fix ppc64le build error for new IEEE long double ABI
* 0001-libc-config-merge-from-glibc.patch
==== harfbuzz ====
Version update (4.2.1 -> 4.3.0)
Subpackages: libharfbuzz-gobject0 libharfbuzz-icu0 libharfbuzz-subset0 libharfbuzz0 typelib-1_0-HarfBuzz-0_0
- Update to version 4.3.0:
+ Major speed up in loading and subsetting fonts, especially in
handling CFF table. Subsetting some fonts is now 3 times faster
+ Speed up blending CFF2 table
+ Speed up hb_ot_tags_from_language()
+ Fix USE classification of U+10A38 to fix multiple marks on
single Kharoshthi base
+ Fix parsing of empty CFF Index
+ Fix subsetting CPAL table with partial palette overlaps
==== kdsoap ====
- Add a Qt6 flavor for kdsoap.
==== keylime ====
Version update (6.3.2 -> 6.4.0)
Subpackages: keylime-agent keylime-config keylime-firewalld keylime-registrar keylime-tpm_cert_store keylime-verifier python38-keylime
- Update to version v6.4.0 (CVE-2022-1053, boo#1199253):
* general: bump Keylime version to 6.4.0
* tests: adjust tests to reflect latest API changes
* api: bump version to 2.1
* config: remove unused registrar mTLS options in cloud_verifier section
* tenant, verifier: let the tenant provide the AK and mTLS certificate
* Fix exit call in scripts/download_packit_coverage.sh
* Added codecov.io description to TESTING.md
* ci: only run CodeQL on the keylime directory and disable it for the webapp
* Enable GitHub workflow integrating codecov.io
* README: Fix and cleanup the install instructions
* ima: add backport for dataclasses support for Python 3.6
* ima: add info that device mapper validation is still experimental
* add lark as a dependency
* ima: integrate dm validator into gernal IMA validation
* agentstates: add the option to load and store dm validator state
* ima: add parser and validator for device mapper entries
* ima_file_signatures: rename to file_signatures
* ima_ast: rename to ast
* ima: move IMA components into their own module
* failure: add function to get current event ids
* config: add more details for tpm_cert_store option
* Deprecate API version 1.0
* config, webapp: remove tls_check_hostnames option
* ci: add CodeQL analysis
* agent, tpm: remove is_vtpm() check
* tests: update to reflect vTPM removal
* remove vTPM related helper files and documentation
* config: remove vTPM related options
* tenant: remove vtpm_policy
* verifier: remove vtpm_policy
* remove REQUIRE_ROOT environment option
* Remove Testing farm tag-repository
* Bump required packaging module version to 20.0
* Remove last traces of M2Crypto
* Workaround for mock_open not supporting iteration in Python 3.6
- Fix "run_as" configuration parameter and set it to keylime:tss
- Improve downgrade user migration during package update
==== libopenmpt ====
Version update (0.6.2 -> 0.6.3)
- Update to 0.6.3:
* Pitch / Pan Separation and Random Variation instrument properties
were not resetting properly when seeking, potentially causing
instruments to be played e.g. at a vastly different pan position
compared to playing the module continuously.
* MED: Stereo samples were not imported correctly.
==== libunwind ====
- Fix dependencies
- Fix file list
==== logrotate ====
Version update (3.19.0 -> 3.20.1)
- update to 3.20.1:
* drop world-readable permission on state file even when ACLs are enabled (#446)
- removed obsolete logrotate-CVE-2022-1348-follow-up.patch
- Security fix: (bsc#1199652, CVE-2022-1348)
* Add follow-up upstream patch for the introduced fix.
* Added patch logrotate-CVE-2022-1348-follow-up.patch
- Update patch:
* logrotate-3.19.0-man_logrotate.patch -> logrotate-3.20.0-man_logrotate.patch
- update to 3.20.0:
* fix potential DoS from unprivileged users via the state file (CVE-2022-1348)
* fix a misleading debug message with copytruncate and rotate 0 (#443)
* add support for unsigned time_t (#438)
* do not lock state file /dev/null (#433)
==== mobile-broadband-provider-info ====
Version update (20220315 -> 20220511)
- Update to version 20220511:
* us: update verizon MCCMNC
* us: Verizon Wirleess had been awarded 301 012
* us: Verizon Wireless MMS settings
* us: declare AT&T MCC MNC
* at: declare lyca mobile MMS config
* al: add AMC internet APN config
* af: add MMS settings for AWCC
* ad: add andorra telecom MMS settings
* za: mtn mms
* za: cell-c MMS setting
* es: Add Euskaltel MMS settings
* il: youphone mms (same APN for data and mms)
* il: cellcom balance test
* il: Rami Levi MMS settings
* serviceproviders: fix indentation
* il: Partner (previously known as Orange) MMS config
==== osinfo-db ====
Version update (20220214 -> 20220516)
- Update to database version 20220516
osinfo-db-20220516.tar.xz
==== podman ====
Subpackages: podman-cni-config
- Backport upstream commit be5abf03ababc ("fix: Container.cGroupPath()
skip empty line to avoid false error logging") for fixing "Error parsing
cgroup: expected 3 fields but got 1" (see bsc#1199790, as it applies
to Factory/Tumbleweed too)
* 0004-fix-Container.cGroupPath-skip-empty-line-to-avoid-fa.patch
==== polkit-default-privs ====
Version update (1550+20220404.7b4bea2 -> 1550+20220524.0345bd9)
- Update to version 1550+20220524.0345bd9:
* Add kinfocenter5 whitelisting (bsc#1199735).
* gconf: cleanup rules used by dropped gconf2 package
==== python-cryptography ====
Version update (36.0.2 -> 37.0.2)
- update to 37.0.2:
* Fixed an issue where parsing an encrypted private key with the public
loader functions would hang waiting for console input on OpenSSL 3.0.x rather
than raising an error.
* Restored some legacy symbols for older ``pyOpenSSL`` users. These will be
removed again in the future, so ``pyOpenSSL`` users should still upgrade
to the latest version of that package when they upgrade ``cryptography``.
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.2.
* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL 2.9.x and 3.0.x.
The new minimum LibreSSL version is 3.1+.
* **BACKWARDS INCOMPATIBLE:** Removed ``signer`` and ``verifier`` methods
from the public key and private key classes. These methods were originally
deprecated in version 2.0, but had an extended deprecation timeline due
to usage. Any remaining users should transition to ``sign`` and ``verify``.
* Deprecated OpenSSL 1.1.0 support. OpenSSL 1.1.0 is no longer supported by
the OpenSSL project. The next release of ``cryptography`` will be the last
to support compiling with OpenSSL 1.1.0.
* Deprecated Python 3.6 support. Python 3.6 is no longer supported by the
Python core team. Support for Python 3.6 will be removed in a future
``cryptography`` release.
* Deprecated the current minimum supported Rust version (MSRV) of 1.41.0.
In the next release we will raise MSRV to 1.48.0. Users with the latest
``pip`` will typically get a wheel and not need Rust installed, but check
:doc:`/installation` for documentation on installing a newer ``rustc`` if
required.
* Deprecated
:class:`~cryptography.hazmat.primitives.ciphers.algorithms.CAST5`,
:class:`~cryptography.hazmat.primitives.ciphers.algorithms.SEED`,
:class:`~cryptography.hazmat.primitives.ciphers.algorithms.IDEA`, and
:class:`~cryptography.hazmat.primitives.ciphers.algorithms.Blowfish` because
they are legacy algorithms with extremely low usage. These will be removed
in a future version of ``cryptography``.
* Added limited support for distinguished names containing a bit string.
* We now ship ``universal2`` wheels on macOS, which contain both ``arm64``
and ``x86_64`` architectures. Users on macOS should upgrade to the latest
``pip`` to ensure they can use this wheel, although we will continue to
ship ``x86_64`` specific wheels for now to ease the transition.
* This will be the final release for which we ship ``manylinux2010`` wheels.
Going forward the minimum supported ``manylinux`` ABI for our wheels will
be ``manylinux2014``. The vast majority of users will continue to receive
``manylinux`` wheels provided they have an up to date ``pip``. For PyPy
wheels this release already requires ``manylinux2014`` for compatibility
with binaries distributed by upstream.
* Added support for multiple
:class:`~cryptography.x509.ocsp.OCSPSingleResponse` in a
:class:`~cryptography.x509.ocsp.OCSPResponse`.
* Restored support for signing certificates and other structures in
:doc:`/x509/index` with SHA3 hash algorithms.
* :class:`~cryptography.hazmat.primitives.ciphers.algorithms.TripleDES` is
disabled in FIPS mode.
* Added support for serialization of PKCS#12 CA friendly names/aliases in
:func:`~cryptography.hazmat.primitives.serialization.pkcs12.serialize_key_and_certificates`
* Added support for 12-15 byte (96 to 120 bit) nonces to
:class:`~cryptography.hazmat.primitives.ciphers.aead.AESOCB3`. This class
previously supported only 12 byte (96 bit).
* Added support for
:class:`~cryptography.hazmat.primitives.ciphers.aead.AESSIV` when using
OpenSSL 3.0.0+.
* Added support for serializing PKCS7 structures from a list of
certificates with
:class:`~cryptography.hazmat.primitives.serialization.pkcs7.serialize_certificates`.
* Added support for parsing :rfc:`4514` strings with
:meth:`~cryptography.x509.Name.from_rfc4514_string`.
* Added :attr:`~cryptography.hazmat.primitives.asymmetric.padding.PSS.AUTO` to
:class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`. This can
be used to verify a signature where the salt length is not already known.
* Added :attr:`~cryptography.hazmat.primitives.asymmetric.padding.PSS.DIGEST_LENGTH`
to :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`. This
constant will set the salt length to the same length as the ``PSS`` hash
algorithm.
* Added support for loading RSA-PSS key types with
:func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key`
and
:func:`~cryptography.hazmat.primitives.serialization.load_der_private_key`.
This functionality is limited to OpenSSL 1.1.1e+ and loads the key as a
normal RSA private key, discarding the PSS constraint information.
==== python-psutil ====
Version update (5.9.0 -> 5.9.1)
- removed obsolete skip-partitions-erros.patch
- update to 5.9.1
* Enhancements
- 1053: drop Python 2.6 support. (patches by Matthieu Darbois and Hugo van Kemenade)
- 2050, [Linux]: increase read(2) buffer size from 1k to 32k when reading /proc
pseudo files line by line. This should help having more consistent results.
- 2057, [OpenBSD]: add support for cpu_freq().
- 2107, [Linux]: Process.memory_full_info() (reporting process USS/PSS/Swap memory)
now reads /proc/pid/smaps_rollup instead of /proc/pids/smaps, which makes it 5 times faster.
* Bug fixes
- 2048: AttributeError is raised if psutil.Error class is raised manually and passed through str.
- 2049, [Linux]: cpu_freq() erroneously returns curr value in GHz while min and max are in MHz.
- 2050, [Linux]: virtual_memory() may raise ValueError if running in a LCX container.
==== qemu ====
- It has been observed that building QEMU with _FORTIFY_SOURCE=3
causes problem (see bsc#1199924). Force it to =2 for now, while
we investigate the issue.
- Backport a GCC 12 aarch64 build fix (bsc#1199625)
* Patches added:
block-qdict-Fix-Werror-maybe-uninitializ.patch
- Filter out rpmlint error that is valid for qemu, but will
have its badness increased in the future.
==== runc ====
- Backport https://github.com/opencontainers/runc/pull/3474 to fix issues
with newer syscalls (namely faccessat2) on older kernels on s390(x) caused by
that platform's syscall multiplexing semantics. bsc#1192051 bsc#1199565
+ bsc1192051-0001-seccomp-enosys-always-return-ENOSYS-for-setup-2-on-s390x.patch
- Add ExcludeArch for s390 (not s390x) since we've never supported it.
==== wayland ====
Subpackages: libwayland-client0 libwayland-cursor0 libwayland-egl1 libwayland-server0
- modernize spec file
* use licensedir
* use bcond
* use https:// urls
* spec-cleaner
==== webkit2gtk3 ====
Version update (2.36.1 -> 2.36.2)
Subpackages: libjavascriptcoregtk-4_1-0 libwebkit2gtk-4_1-0 webkit2gtk-4_1-injected-bundles
- Update to version 2.36.2:
+ Fix some pages showing empty content boxes when using GTK4.
+ Fix the build with accessibility disabled.
+ Fix the build with newer Ruby versions.
+ Fix several crashes and rendering issues.
==== webkit2gtk3-soup2 ====
Version update (2.36.1 -> 2.36.2)
Subpackages: libjavascriptcoregtk-4_0-18 libwebkit2gtk-4_0-37 webkit2gtk-4_0-injected-bundles
- Update to version 2.36.2:
+ Fix some pages showing empty content boxes when using GTK4.
+ Fix the build with accessibility disabled.
+ Fix the build with newer Ruby versions.
+ Fix several crashes and rendering issues.
==== xmlsec1 ====
Version update (1.2.33 -> 1.2.34)
Subpackages: libxmlsec1-1 libxmlsec1-openssl1
- update to 1.2.34:
* Support for OpenSSL compiled with OPENSSL_NO_ERR.
* Full support for LibreSSL 3.5.0 and above
* Several other small fixes
==== xwayland ====
Version update (22.1.1 -> 22.1.2)
- Update to version 22.1.2
* randr: Add "RANDR Emulation" property
* xwayland/output: Set the "RANDR Emulation" property
* xwayland: Fix invalid pointer access in drm_lease_device_handle_released.
==== yast2 ====
Version update (4.5.3 -> 4.5.4)
- Added experimental infrastructure for managing system in
a chroot (bsc#1199840)
- 4.5.4