Mailinglist Archive: opensuse-factory (914 mails)

[opensuse-factory] Leap 42.3 Build 0289 released!

Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.

Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=opensuse&version=42.3&build=0289&groupid=28
https://bugzilla.opensuse.org/buglist.cgi?product=openSUSE%20Distribution&query_format=advanced&resolution=---&version=Leap%2042.3

When you reply to discuss some issues, make sure to change the subject.
Please use the test plan at
https://docs.google.com/spreadsheets/d/1AGKijKpKiJCB616-bHVoNQuhWHpQLHPWCb3m1p6gXPc/edit#gid=298435253
to record your testing efforts and use bugzilla to report bugs.

Packages changed:
Mesa
MozillaFirefox (52.1.1 -> 52.2)
MozillaThunderbird (52.1.1 -> 52.2)
SUSEConnect (0.3.0 -> 0.3.1)
biosdevname
ceph (12.0.3+git.1496909744.9f667dc335 -> 12.0.3+git.1497426468.6984d41b5d)
drbd (9.0.7rc2+git.36abd387 -> 9.0.8+git.c8bc3670)
drbd-utils (8.9.11rc2 -> 9.0.0)
drm (4.9.31_k4.4.72_1 -> 4.9.33_k4.4.72_1)
glibc
glibc
gstreamer-plugins-ugly
installation-images-openSUSE (14.318 -> 14.319)
k3b
kdump
libgcrypt
lttng-modules
mozilla-nss (3.28.4 -> 3.28.5)
netpbm
openvpn
pcsc-lite (1.8.21 -> 1.8.22)
plasma5-integration
polkit
python-pyasn1-modules (0.0.8 -> 0.0.9)
qemu
qemu-linux-user
rubygem-ruby-dbus
rxvt-unicode
sblim-sfcb
smuxi (1.0.6 -> 1.0.7)
util-linux
util-linux-systemd
virt-manager
vm-install (0.8.65 -> 0.8.67)
xen (4.9.0_07 -> 4.9.0_08)
xine-lib (1.2.6 -> 1.2.8)
xine-ui
xorg-x11-server
yast2-bootloader (3.2.21 -> 3.2.22)
yast2-installation
yast2-kdump (3.2.4 -> 3.2.6)
yast2-trans (84.87.20170607.40033d88 -> 84.87.20170618.0f9396fd)

=== Details ===

==== Mesa ====
Subpackages: Mesa-32bit Mesa-devel Mesa-dri-devel Mesa-libEGL-devel
Mesa-libEGL1 Mesa-libEGL1-32bit Mesa-libGL-devel Mesa-libGL1 Mesa-libGL1-32bit
Mesa-libGLESv1_CM-devel Mesa-libGLESv1_CM1 Mesa-libGLESv2-2
Mesa-libGLESv2-devel Mesa-libglapi-devel Mesa-libglapi0 Mesa-libglapi0-32bit
Mesa-libva libOSMesa-devel libOSMesa8 libOSMesa8-32bit libgbm-devel libgbm1
libgbm1-32bit libvdpau_r300 libvdpau_r600 libvdpau_radeonsi
libwayland-egl-devel libwayland-egl1 libxatracker2

- Fix Xvfb segfault after reset (bsc#1042764):
U_radeonsi-add-llvm-init.patch

==== MozillaFirefox ====
Version update (52.1.1 -> 52.2)
Subpackages: MozillaFirefox-translations-common

- update to Firefox 52.2esr (boo#1043960)
MFSA 2017-16
* CVE-2017-5472 (bmo#1365602)
Use-after-free using destroyed node when regenerating trees
* CVE-2017-7749 (bmo#1355039)
Use-after-free during docshell reloading
* CVE-2017-7750 (bmo#1356558)
Use-after-free with track elements
* CVE-2017-7751 (bmo#1363396)
Use-after-free with content viewer listeners
* CVE-2017-7752 (bmo#1359547)
Use-after-free with IME input
* CVE-2017-7754 (bmo#1357090)
Out-of-bounds read in WebGL with ImageInfo object
* CVE-2017-7755 (bmo#1361326)
Privilege escalation through Firefox Installer with same
directory DLL files (Windows only)
* CVE-2017-7756 (bmo#1366595)
Use-after-free and use-after-scope logging XHR header errors
* CVE-2017-7757 (bmo#1356824)
Use-after-free in IndexedDB
* CVE-2017-7778, CVE-2017-7778, CVE-2017-7771, CVE-2017-7772,
CVE-2017-7773, CVE-2017-7774, CVE-2017-7775, CVE-2017-7776,
CVE-2017-7777
Vulnerabilities in the Graphite 2 library
* CVE-2017-7758 (bmo#1368490)
Out-of-bounds read in Opus encoder
* CVE-2017-7760 (bmo#1348645)
File manipulation and privilege escalation via callback parameter
in Mozilla Windows Updater and Maintenance Service (Windows only)
* CVE-2017-7761 (bmo#1215648)
File deletion and privilege escalation through Mozilla Maintenance
Service helper.exe application (Windows only)
* CVE-2017-7764 (bmo#1364283)
Domain spoofing with combination of Canadian Syllabics and other
unicode blocks
* CVE-2017-7765 (bmo#1273265)
Mark of the Web bypass when saving executable files (Windows only)
* CVE-2017-7766 (bmo#1342742)
File execution and privilege escalation through updater.ini,
Mozilla Windows Updater, and Mozilla Maintenance Service
(Windows only)
* CVE-2017-7767 (bmo#1336964)
Privilege escalation and arbitrary file overwrites through Mozilla
Windows Updater and Mozilla Maintenance Service (Windows only)
* CVE-2017-7768 (bmo#1336979)
32 byte arbitrary file read through Mozilla Maintenance Service
(Windows only)
* CVE-2017-5470
Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2
- requires NSS 3.28.5
- remove -fno-inline-small-functions and explicitly optimize with -O2
for openSUSE > 13.2/Leap 42 to work with gcc7 (boo#1040105)

==== MozillaThunderbird ====
Version update (52.1.1 -> 52.2)
Subpackages: MozillaThunderbird-translations-common

- update to Thunderbird 52.2 (boo#1043960)
* Embedded images not shown in email received from Hotmail/Outlook
webmailer
* Detection of non-ASCII font names in font selector
* Attachment not forwarded correctly under certain circumstances
* Multiple requests for master password when GMail OAuth2 is enabled
* Large number of blank pages being printed under certain
circumstances when invalid preferences were present
* Messages sent via the Simple MAPI interface are forced to HTML
* Calendar: Invitations can't be printed
* Mailing list (group) not accessible from macOS or Outlook address book
* Clicking on links with references/anchors where target doesn't
exist in the message not opening in external browser
MFSA 2017-17
* CVE-2017-5472 (bmo#1365602)
Use-after-free using destroyed node when regenerating trees
* CVE-2017-7749 (bmo#1355039)
Use-after-free during docshell reloading
* CVE-2017-7750 (bmo#1356558)
Use-after-free with track elements
* CVE-2017-7751 (bmo#1363396)
Use-after-free with content viewer listeners
* CVE-2017-7752 (bmo#1359547)
Use-after-free with IME input
* CVE-2017-7754 (bmo#1357090)
Out-of-bounds read in WebGL with ImageInfo object
* CVE-2017-7756 (bmo#1366595)
Use-after-free and use-after-scope logging XHR header errors
* CVE-2017-7757 (bmo#1356824)
Use-after-free in IndexedDB
* CVE-2017-7778, CVE-2017-7778, CVE-2017-7771, CVE-2017-7772,
CVE-2017-7773, CVE-2017-7774, CVE-2017-7775, CVE-2017-7776,
CVE-2017-7777
Vulnerabilities in the Graphite 2 library
* CVE-2017-7758 (bmo#1368490)
Out-of-bounds read in Opus encoder
* CVE-2017-7763 (bmo#1360309)
Mac fonts render some unicode characters as spaces (MacOS only)
* CVE-2017-7764 (bmo#1364283)
Domain spoofing with combination of Canadian Syllabics and other
unicode blocks
* CVE-2017-7765 (bmo#1273265)
Mark of the Web bypass when saving executable files (Windows only)
* CVE-2017-5470
Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2
- requires NSS 3.28.5
- remove legacy -Os optimization breaking gcc7/i586 (boo#1042090)
- explicitly optimize with -O2 for openSUSE > 13.2/Leap 42 to work
with gcc7 (boo#1040105, boo#1042090)

==== SUSEConnect ====
Version update (0.3.0 -> 0.3.1)

- Update to 0.3.1:
- Fix license auto-agree issue (bsc#1037783)
- Add missing archs to SLE 12 SP3 build target

==== biosdevname ====

- Do not rename non-Ethernet network interfaces (bsc#1042187)
* Add: biosdevname_only_ethernet.patch

==== ceph ====
Version update (12.0.3+git.1496909744.9f667dc335 ->
12.0.3+git.1497426468.6984d41b5d)
Subpackages: librados2 librbd1

- Update to version 12.0.3+git.1497426468.6984d41b5d:
+ qa: add initial deepsea suite (task and test yaml)
+ fix "ceph osd df" (regression in latest upstream master) (pr#15675,
issue#20256)
* mon: move creating_pgs and reweight_by_utilization into new MonPGStatService
* mon: move most PGMapStatService into PGMap; rename PGMon's to
PGMonStatService
* mon: mgr: move 'osd df' handling to manager
* mon: inherit PGMonStatService from the PGMapStatService
* move the OSDUtilizationDumper code into OSDMap
* mon: mgr: enable "osd df" on the manager
* qa: add a check_commands.sh script which looks for commands with no tests
* qa: test 'osd df' in cephtool/test.sh

==== drbd ====
Version update (9.0.7rc2+git.36abd387 -> 9.0.8+git.c8bc3670)
Subpackages: drbd-kmp-default

- bsc#1045473, update to 9.0.8
fix a race condition between adding connections and receiving data
fix a OOPS on a diskfull node when a request from a diskless node
fix a distributed deadlock when doing a discard/write-same burst
fix an issue with diskless nodes adopting wrong current UUIDs
fix wrongly rejected two-phase-state transactions
fix initial resync, triggered by "--force primary"(regression 9.0.7)
Speed-up AL-updates with bio flags REQ_META and REQ_PRIO
Merged changes from 8.4.10 and with that compatibility with Linux-4.12
- Remove patch fix-initial-sync-stop.patch
- Fix the license to GPL-2.0+

==== drbd-utils ====
Version update (8.9.11rc2 -> 9.0.0)

- Update to v9.0.0
* drbd udev: fix inconsistent inheritance of implicit volumes
* Fix regressions of the out-of-the-box DRBD 8.4 experience
* DrbdMon: can now focus on "problem" resources
* v9: support new option on_no_quorum
* drbdadm: fix segfaults, improve error reporting
* adjust: fix deleting unrelated peer(s) on "adjust resource:specific-peer"
* drbdmeta create-md/convert: fix check for existing external meta-data
- Merged into upstream, remove Pass-md_index-information-to-detect_md.patch

==== drm ====
Version update (4.9.31_k4.4.72_1 -> 4.9.33_k4.4.72_1)

- Update to 4.9.33 to follow the upstream development (bsc#1041744,
CVE-2017-7346, bsc#1031796):
drm/i915: Always recompute watermarks when distrust_bios_wm is set, v2.
drm/i915: Workaround VLV/CHV DSI scanline counter hardware fail
drm/ast: Fixed system hanged if disable P2A
drm/nouveau: Fix drm poll_helper handling
drm/nouveau: Don't enabling polling twice on runtime resume
drm/nouveau: Handle fbcon suspend/resume in seperate worker
drm/nouveau: Rename acpi_work to hpd_work
drm/nouveau: Intercept ACPI_VIDEO_NOTIFY_PROBE
drm/i915: Check for NULL i915_vma in intel_unpin_fb_obj()
drm: Don't race connector registration
drm: prevent double-(un)registration for connectors
drm/nouveau/fence/g84-: protect against concurrent access to
semaphore buffers
drm/nouveau: prevent userspace from deleting client object
drm/i915: Prevent the system suspend complete optimization
drm/i915/vbt: split out defaults that are set when there is no VBT
drm/i915/vbt: don't propagate errors from intel_bios_init()
drm/nouveau/tmr: fully separate alarm execution/pending lists
drm/vmwgfx: Make sure backup_handle is always valid
drm/vmwgfx: limit the number of mip levels in vmw_gb_surface_define_ioctl()
drm/vmwgfx: Handle vmalloc() failure in vmw_local_fifo_reserve()
drm/msm: Expose our reservation object when exporting a dmabuf.
drm: Fix oops + Xserver hang when unplugging USB drm devices
drm/amdgpu/ci: disable mclk switching for high refresh rates (v2)
- Fix the build with 4.9.33:
0025-drm-i915-comment-out-PCI_DEV_FLAGS_NEEDS_RESUME.patch
- drm/mgag200: Fix to always set HiPri for G200e4 (bsc#1015452,
bsc#995542):
1006-drm-mgag200-Fix-to-always-set-HiPri-for-G200e4.patch

==== glibc ====
Subpackages: glibc-32bit glibc-locale-32bit

- ld-library-path-suid.patch: process only a single occurrence of LD_AUDIT
- ld-hwcap-mask-suid.patch: Ignore and remove LD_HWCAP_MASK for AT_SECURE
programs (BZ #21209)
- ld-library-path-suid.patch: Completely ignore LD_LIBRARY_PATH for
AT_SECURE=1 programs (CVE-2017-1000366, bsc#1039357)
- malloc-fork-deadlock.patch: Fix deadlock between malloc and fork
(bsc#1040043, BZ #19431)

==== glibc ====
Subpackages: glibc-devel glibc-extra glibc-info glibc-locale nscd

- ld-library-path-suid.patch: process only a single occurrence of LD_AUDIT
- ld-hwcap-mask-suid.patch: Ignore and remove LD_HWCAP_MASK for AT_SECURE
programs (BZ #21209)
- ld-library-path-suid.patch: Completely ignore LD_LIBRARY_PATH for
AT_SECURE=1 programs (CVE-2017-1000366, bsc#1039357)
- malloc-fork-deadlock.patch: Fix deadlock between malloc and fork
(bsc#1040043, BZ #19431)

==== gstreamer-plugins-ugly ====
Subpackages: gstreamer-plugins-ugly-lang

- Move mpg123 module from orig_addon to the main package, since we
can now ship mpg123.

==== installation-images-openSUSE ====
Version update (14.318 -> 14.319)

- remove obsolete dependency on links (bsc#1044791)
- merge gh#openSUSE/installation-images#188
- /etc/systemd: keep symlinks instead of files (bsc#1044791)
- 14.319

==== k3b ====
Subpackages: k3b-lang

- Add Re-enable-transcode-support.patch to add back transcode
support to rip DVDs, Packman's version seems to work fine
(kde#381131)

==== kdump ====

- kdump-fix-save_dump-to-NFS.patch: Fix save_dump to NFS targets
(bsc#1045541).
- kdump-invoke-subcommand-destructors-on-exit.patch: Invoke
subcommand destructors on exit (bsc#1045541).
- kdump-do-not-free-fadump-memory-when-immediate-reboot-is-requested.patch
Releasing fadump memory can take a long time so skip it when
rebooting anyway (bsc#1040610).
- kdump-do-not-check-bind-mount.patch: Do not request filesystem
check on bind mounts (bsc#1034169).
- kdump-remount-sysroot-readwrite.patch: Also remount writable
any mounts that were already mounted readonly by systemd
(bsc#1034169).
- kdump-Routable-preferred-source-address.patch: Routable: parse
and store preferred source address (FATE#321844).
- kdump-URLTransfer-complete-target.patch: Use the complete target
URL for URLTransfer (FATE#321844).
- kdump-prepend-IP-address.patch: Prepend IP address to remote
target subdirectory (FATE#321844).
- kdump-fix-service-files.patch: Fix kdump-related services
(bsc#1021484).
- kernel-ELF-aarch64: Test data for aarch64 findkernel.
- kdump-KDUMP_SSH_IDENTITY.patch: Update with later upstream fixes.
- kdump-aarch64.patch: kdumptool: add aarch64 (bsc#1033464).
- kdump-source-save_dump.patch: save_dump.sh is designed to be
sourced and has numerous toplevel return statements. Source it
from the service definition as well to prevent bash complaints.
(bsc#1034169).

==== libgcrypt ====
Subpackages: libgcrypt-devel libgcrypt20 libgcrypt20-32bit

- Don't require secure memory for the fips selftests (bsc#931932)
* prevents "Oops, secure memory pool already initialized" warning
- modified libgcrypt-fips_run_selftest_at_constructor.patch
- Added libgcrypt-secure-EdDSA-session-key.patch [bsc#1042326]
* Store the session key in secure memory to ensure that constant
time point operations are used in the MPI library.

==== lttng-modules ====
Subpackages: lttng-modules-kmp-default

- Constify btrfs tracepoints to resolve build failures (bsc#1044912)
New patch: btrfs-constify-tracepoint-arguments.patch

==== mozilla-nss ====
Version update (3.28.4 -> 3.28.5)
Subpackages: libfreebl3 libsoftokn3 mozilla-nss-certs mozilla-nss-devel
mozilla-nss-tools

- update to NSS 3.28.5
* Implemented domain name constraints for CA: TUBITAK Kamu SM SSL
Kok Sertifikasi - Surum 1. (bmo#1350859)
* March 2017 batch of root CA changes (bmo#1350859) (version 2.14)
CA certificates removed:
O = Japanese Government, OU = ApplicationCA
CN = WellsSecure Public Root Certificate Authority
CN = TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
CN = Microsec e-Szigno Root
CA certificates added:
CN = D-TRUST Root CA 3 2013
CN = TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1

==== netpbm ====
Subpackages: libnetpbm-devel libnetpbm11

- security update
* CVE-2017-2586 [bsc#1024292]
+ netpbm-CVE-2017-2586.patch
* CVE-2017-2581 [bsc#1024287]
+ netpbm-CVE-2017-2581.patch
* CVE-2017-2587 [bsc#1024294]
+ netpbm-CVE-2017-2587.patch

==== openvpn ====

- 0001-Fix-remote-triggerable-memory-leaks-CVE-2017-7521.patch:
Several OpenSSL-specific certificate-parsing code paths did not
always clear all allocated memory. Since a client can cause a few
bytes of memory to be leaked for each connection attempt, a
client can cause a server to run out of memory and thereby kill
the server. That makes this a (quite inefficient) DoS attack.
[bsc#1044947, CVE-2017-7521]
- 0002-Restrict-x509-alt-username-extension-types.patch: The code
never supported all --x509-alt-username extension types. Make
this explicit by only allowing subjectAltName and issuerAltName
(for which the current code does work). Using unsupported
extension fields would most likely cause OpenVPN to crash as soon
as a client connects. This does not have a real-world security
impact, as such a configuration would not be possible to use in
practice. [bsc#1044947]
- 0003-Fix-potential-double-free-in-x509-alt-username-CVE-2.patch:
We didn't check the return value of ASN1_STRING_to_UTF8() in
extract_x509_extension(). Ignoring such a failure could result in
buf being free'd twice. An error in ASN1_STRING_to_UTF8() can be
caused remotely if the peer can make the local process run out of
memory. [bsc#1044947, CVE-2017-7521]
- 0004-Prevent-two-kinds-of-stack-buffer-OOB-reads-and-a-cr.patch:
If clients use a HTTP proxy with NTLM authentication, a
man-in-the-middle attacker between the client and the proxy can
cause the client to crash or disclose at most 96 bytes of stack
memory. The disclosed stack memory is likely to contain the proxy
password. If the proxy password is not reused, this is unlikely
to compromise the security of the OpenVPN tunnel itself. Clients
who do not use the --http-proxy option with ntlm2 authentication
are not affected. [bsc#1044947, CVE-2017-7520]
- 0005-Fix-remotely-triggerable-ASSERT-on-malformed-IPv6-pa.patch:
Correct sanity checks on IPv6 packet length in mss_fixup_ipv6(),
and change the ASSERT() check in mss_fixup_dowork() into a simple
"return" (= the TCP header will simply not be inspected further).
This can be used to remotely shutdown an openvpn server or
client, if IPv6 and --mssfix are enabled and the IPv6 networks
used inside the VPN are known. [bsc#1044947, CVE-2017-7508]
- Show which ciphers should no longer be used in openvpn --show-ciphers
bsc#995374(CVE-2016-6329)
[+0006-Discourage-using-64-bit-block-ciphers.patch]
- Apply fixes for bsc#1038713, bsc#1038709, CVE-2017-7478, bsc#1038711,
CVE-2017-7479
[+ 0003-cleanup-merge-packet_id_alloc_outgoing-into-packet_i.patch,
+ 0004-Drop-packets-instead-of-assert-out-if-packet-id-roll.patch,
+ 0005-Don-t-assert-out-on-receiving-too-large-control-pack.patch]

==== pcsc-lite ====
Version update (1.8.21 -> 1.8.22)
Subpackages: libpcsclite1

- Updated to version 1.8.22
* SCardCancel() was broken in 1.8.21. The call was blocking.
* Enable use of info level logging for pcscd using -i/--info

==== plasma5-integration ====

- Add patch to allow disabling the global menu by setting an env var:
* 0001-Introduce-KDE_NO_GLOBAL_MENU-env-variable-to-disable.patch

==== polkit ====
Subpackages: libpolkit0 polkit-devel typelib-1_0-Polkit-1_0

- Use gettext as fallback to get potential distro translations for
polkit actions. Similar mechanism as used for desktop file
translations. That way it's possible to use weblate to add
additional translations that are not provided by upstream
(polkit-gettext.patch).
- Use pkgconfig() instead of requiring systemd package names directly.
- systemd.pc is shipped by systemd main package (bsc#983167)
Strangely polkit wants systemd.pc to detect that the target system
is running systemd even if it's configured to build systemd support...
- polkit-revert-session-magic.patch: revert a session detection change
that could lead to sessions not being detected as active due to
a systemd bug. bsc#954139
- Update to 0.113:
* Fix CVE-2015-4625
* Fix CVE-2015-3256
* Fix CVE-2015-3255
* Fix CVE-2015-3218
* On systemd-213 and later, the "active" state is shared across
all sessions of a user, instead of being tracked separately
* pkexec: when not given a program to execute, runs the users'
shell by default
- Remove polkit-no-kded-leak.patch (upstreamed)
- Try to fix kded leaking due to powerdevil exposing this issue in
polkit: (bsc#912889)
* polkit-no-kded-leak.patch
- Added gpg signature and keyring with David Zeuthen and Miloslav Trmac
ids.
- Fixed URL
- Update to 0.112
+ polkitunixprocess: Deprecate racy APIs
+ pkcheck: Support --process=pid,start-time,uid syntax too
(CVE-2013-4288)
+ Use GOnce for interface type registration
+ Add czech translation po file to distribution
+ Update the czech once more with newest pot file
- On openSUSE 13.1+, switch from mozjs185 to mozjs-17.0 by:
+ Conditionally BuildRequire pkgconfig(mozjs-17.0).
- Drop libmozjs185-1_0 Recommends: the library is actually required
and auto-detected as such by rpm (from 0.111 changes: "The
JavaScript interpreter is now mandatory").
- Update to 0.111
+ Both js185 and mozjs17 versions of SpiderMonkey are supported
+ The JavaScript interpreter is now mandatory
+ Fixed various memory leaks
+ Respect SUID_CFLAGS and SUID_LDFLAGS
+ Set process environment from pam_getenvlist()
+ Fix the build with automake 1.13
- Drop polkit-suid_flags.patch and automake-113.patch, those
patches are included in this release
- Add automake-113.patch, fixes build with automake-1.13
- Recommend libmozjs185-1_0 which is dlopen'ed and required for JS
rules
- Update to 0.110
+ Set XAUTHORITY environment variable if is unset
+ Use mutex and condition variables properly
+ Build fixes.
- Changes from version 0.109:
+ Include gmodule-2.0 to avoid linker errors
+ Don't require libmozjs185 devel packages for polkit rules
to work
- Drop polkit-link-gmodule.patch and polkit-libmozjs.patch, those
are merged upstream
- Only mark the following files as %config, not %config(noreplace):
+ %{_sysconfdir}/dbus-1/system.d/org.freedesktop.PolicyKit1.conf
+ %{_sysconfdir}/pam.d/polkit-1
+ %{_sysconfdir}/polkit-1/rules.d/50-default.rules
PolicyKit's own config files should only be changed for good reason
and we want to prefer openSUSE's defaults (you still get an .rpmsafe
file)
- Add polkit-libmozjs.patch: dlopen libmozjs185.so.1.0 instead of
libmozjs185.so, which is packaged in the -devel package
(bnc#793562)
- Update to version 0.108:
+ PolkitAgent: Avoid crashing if initializing the server object
fails
+ Fall back to authenticating as uid 0 if the list of admin
identities is empty
+ Dynamically load libmozjs185.so and cope with it not being
available
+ docs: mention the audience for authorization rules
+ build: Fix .gir generation for parallel make
- Only conditionally Require ConsoleKit when with_systemd is 0:
systemd support obsoletes ConsoleKit.
- Add polkit-link-gmodule.patch: Link against gmodule-2.0.
- Change libpolkit0 to require polkit >= %version instead of the
exact version. This will ease upgrade problems should there ever
be a soname bump of libpolkit0.
- Enable systemd integration (change with_systemd to 1): As an
agreed target for 12.3, systemd integration will be enabled.
- Add pwdutils to prereq for groupadd and useradd.
- Add polkit-no-systemd.patch: this patch, only applied when not
building systemd support, removes the systemd service reference
from the dbus .service file. This is needed as the systemd
.service file does not get installed in that case and dbus gets
confused because it expects it.
- Make %{_datadir}/polkit-1/rules.d and
%{_sysconfdir}/polkit-1/rules.d owned by user polkitd, as those
directories have 0700 as permissions.
- Those two changes should fix polkit so it can start.
Fix bnc#782395.
- Use %{_localstatedir}/lib/polkit for $HOME of polkit user,
instead of %{_libexecdir}/polkit-1. The directory is manually
created in %install.
- Update to version 0.107:
+ Try harder to look up the right localization
+ Introduce a polkit.Result enumeration for authorization rules
+ pkexec: add support for argv1 annotation and mention
shebang-wrappers
+ doc: update guidance on situations where there is no polkit
authority
- Changes from version 0.106:
+ Major change: switch from .pkla files (keyfile-format) to
.rules files (JavaScript)
+ Nuke polkitbackend library, localauthority backend and
extension system
+ Run polkitd as an unprivileged user
+ Add a systemd .service file
+ Several other code changes.
+ Updated documentation.
- Changes from version 0.105:
+ Add pkttyagent(1) helper
+ Make it possible to influence agent registration with an a{sv}
parameter
+ Several other code changes.
- Add pkgconfig(mozjs185) BuildRequires: new dependency for the
authority backend.
- Rebase polkit-no-wheel-group.patch: the admin configuration is
now in a .rules file.
- Rebase polkit-suid_flags.patch.
- Explicitly pass --enable-libsystemd-login or
--disable-libsystemd-login, depending on whether we build systemd
support.
- Add a %pre script to create the polkitd group and user, as
polkitd now run as an unprivileged user.
- also use -z now for binary hardening
- Package /etc/polkit-1/localauthority and its subdirectories. They
were forgotten because they were empty, but people might need
them to put .pkla files.
- Change the way we pass -fpie/-pie:
+ Drop polkit-pie.patch: this was not upstreamable.
+ Add polkit-suid_flags.patch: respect SUID_CFLAGS/SUID_LDFLAGS
when building the suid binaries (pkexec and
polkit-agent-helper-1).
+ Add autoconf, automake and libtool BuildRequires, and call
autoreconf, for the new patch.
+ Set SUID_CFLAGS to -fPIE and SUID_LDFLAGS to -pie in %build.
+ Pass --with-pic to configure instead of changing CFLAGS to
contain -fPIC.
- fixed bnc#743145 - added -fpie/-pie flags to compilation and linking of
polkit-agent-helper and pkexec
- Split typelib file into typelib-1_0-Polkit-1_0 subpackage.
- Add typelib-1_0-Polkit-1_0 Requires to devel subpackage.
- Add explicit libpolkit0 Requires to devel subpackage: it was
missing before.
- Remove explicit glib2-devel Requires from devel subpackage: it
will automatically be added the pkgconfig() way.
- Improve summary of libpolkit0 subpackage.
- A quick test reveals that the systemd backend does not
integrate very well with packages yet, revert.
- Previous update missed systemd-devel in buildrequires
without it no systemd support is built
- Update to version 0.104:
+ Add optional systemd support
+ Add netgroup support (fdo#43610)
+ Add unit tests (fdo#43608)
- Changes from version 0.103:
+ Mistype in DBus object: PoliycKit1 -> PolicyKit1
+ Add support for the org.freedesktop.policykit.imply annotation
+ Add --no-debug option and use this for D-Bus activation
+ Add org.freedesktop.policykit.owner annotation (fdo#41025)
+ Default to AdminIdentities=unix-group:wheel for local authority
- Drop patches that were taken from upstream:
+ 0001-Add-support-for-the-org.freedesktop.policykit.imply-a.diff
+ 0002-Add-no-debug-option-and-use-this-for-D-Bus-activation.diff
+ 0003-Bug-41025-Add-org.freedesktop.policykit.owner-annotat.diff
- Add polkit-no-wheel-group.patch: do not allow the wheel group as
admin identity, and revert to only accept the root user for this.
- pick some patches from git to add support for
org.freedesktop.policykit.imply, disable debug spam and allow
unprivileged users to query authorizations (bnc#698250)
- Update to version 0.102:
+ pkexec:
- fdo#38769: Support running X11 apps
- Avoid time-of-check-to-time-of-use problems with parent
process
+ Fix backend crash if a .policy file does not specify <message>
+ Fix multi-line pam prompt handling
+ Don't show diagnostic messages intended for the administrator
to the end user
+ PolkitUnixProcess:
- Clarify that the real uid is returned, not the effective one
- Record the uid of the process
+ Backend: Use polkit_unix_process_get_uid() to get the owner of
a process
+ Introspection fixes:
- Add --c-include to the gir files
- Specify exported pkg-config files in GIRs
+ Build fix.
- Drop polkit-CVE-2011-1485-1.patch, polkit-CVE-2011-1485-2.patch,
polkit-CVE-2011-1485-3.patch, polkit-CVE-2011-1485-4.patch: fixed
upstream.
- Remove service usage, following the new consensus on Factory
packaging.
- BuildIgnore ruby, which is being dragged in via indirect
dependencies by gtk-doc for one of the helpers, which we do not
need during the build of polkit. Not dragging ruby in resolves a
build-cycle.
- Use %set_permissions instead of deprecated %run_permissions in
%post.
- Add permissions PreReq, which was missing before.
- use LGPLv2.1+ in spec file
- stat race condition (CVE-2011-1485) (bnc#688788)
- Remove PolkitAgent-1.0.typelib from main package, it is in
library package.
- update to 0.101:
* tons of bug fixes, see NEWS
- fix file list
- Update to version 0.99:
+ Remove duplicate definitions of enumeration types
+ Fix (correct) GCC warning about possibly-uninitialized variable
+ Fix another GCC uninitialized variable warning
+ fdo#29816: Install polkitagentenumtypes.h
- Drop polkit-install-missing-header.patch: fixed upstream.
- Update to version 0.98:
+ Fix scanning of unix-process subjects
+ Add textual authentication agent and use it in pkexec(1)
+ Fix ConsoleKit interaction bug
+ pkexec: add --disable-internal-agent option
+ pkcheck: add --enable-internal-agent option
+ Fix wording in pkexec(1) man page
+ Various doc cleanups
- Changes from version 0.97:
+ Port to GDBus
+ Add shadow authentication support
+ Remove Lock Down functionality
+ fdo#26982: pkexec information disclosure vulnerability
+ Make polkitd accept --replace and gracefully handle SIGINT
+ Implement polkit_temporary_authorization_new_for_gvariant()
+ Make NameOwnerChanged a private impl detail of the interactive
authority
+ Add a GPermission implementation
+ PolkitAuthority: Implement failable initialization
+ PolkitAuthority: Add g_return_if_fail() checks
+ Add g_return_if_fail() to all public API entry points
+ Use polkit_authority_get_sync() instead of deprecated
polkit_authority_get
+ PolkitBackend: Don't export unneeded convenience API
+ Update GI annotations
+ Don't dist org.freedesktop.ConsoleKit.xml.
+ Properly reference headers
+ fdo#29051: Configuration reload on every query
- Drop pkexec-information-disclosure.patch: fixed upstream.
- Add polkit-install-missing-header.patch to install a header that
should get installed.
- Remove eggdbus-devel BuildRequires.
- Build with introspection support: add gobject-introspection
BuildRequires and pass --enable-introspection to configure.
- Fix groups of all packages to be valid groups.
- use %_smp_mflags
- fix pkexec information disclosure
(fdo#26982, CVE-2010-0750, bnc#593959)
- add baselibs.conf
- new upstream release 0.96
- Bug 25367 - Also read local authority configuration data from /etc
- Run the open_session part of the PAM stack in pkexec(1)
- Bug 25594 - System logging
- Properly handle return value from getpwnam_r()
- Fix error message when no authentication agent is available
- Make pkexec(1) validate environment variables
- Make pkexec(1) use the syslogging facilities
- Save original cwd in pkexec(1) since it will change during the life-time
- Complain on stderr, not stdout
- Don't log authorization checks
- update to 0.95:
The major change this release is that the lockdown feature has
been cleaned up in a way so it isn't specific to the local
authority. See the NEWS files for more details.
- Package documentation as noarch
- Add Requires on polkit to libpolkit0: all applications using
libpolkit0 will really need polkit to be installed to work
properly.
- new upstream release 0.94
- Allow unprivileged callers to check authorizations
- Don't spawn man(1) from a setuid program
- Add polkit.retains_authorization_after_challenge to authz result
- Ensure all fds except stdin/stdout/stderr are closed after exec(2)
- Be more careful when determining process start time
- Remove temporary authorization when the subject it applies to vanishes
- Generate GI gir and typelibs for libpolkit-gobject-1
- drop patches which are in the release now
- disable introspection
- add upstream patches:
polkit-close-stdfds.patch
polkit-no-man-spawn.patch
polkit-proc-stat-parse-fix.patch
- drop rpmlint patch
- check for the right binary in verify_permissions
- disable suid bit for now to get software build on top
- split out libraries to follow shared library policy
- update to version 0.93
- initial import of polkit 0.92

==== python-pyasn1-modules ====
Version update (0.0.8 -> 0.0.9)

- Update to upstream release 0.0.9
* More CRL data structures added (RFC3279)
* Added X.509 certificate extensions map
* Added X.509 attribute type map
* Fix to __doc__ use in setup.py to make -O0 installation mode working
* Copyright added to source files
* More PEP-8'ing done on the code
* Author's e-mail changed
- Switch to singlespec approach

==== qemu ====
Subpackages: qemu-arm qemu-block-curl qemu-block-dmg qemu-block-iscsi
qemu-block-rbd qemu-block-ssh qemu-extra qemu-ipxe qemu-ksm qemu-kvm qemu-lang
qemu-ppc qemu-s390 qemu-seabios qemu-sgabios qemu-tools qemu-vgabios qemu-x86

- Use most recent compiler to build size-critical firmware, instead
of hard-coding gcc6 for all target versions (bsc#1043390)
* A few upstream ipxe patches were needed for gcc7 compatibility:
ipxe-ath-Add-missing-break-statements.patch
ipxe-mucurses-Fix-erroneous-__nonnull-attribute.patch
- Add --no-renames to the git format-patch command in the git
workflow script for better patch compatibility
- Address various security/stability issues
* Fix potential privilege escalation in virtfs (CVE-2016-9602
bsc#1020427)
0060-9pfs-local-fix-unlink-of-alien-file.patch
* Fix DOS in megasas device emulation (CVE-2017-9503 bsc#1043296)
0061-megasas-do-not-read-DCMD-opcode-mor.patch
0062-megasas-always-store-SCSIRequest-in.patch
* Fix DOS in qemu-nbd server (CVE-2017-9524 bsc#1043808)
0063-nbd-Fully-initialize-client-in-case.patch
* Fix regression introduced by recent virtfs security fixes (bsc#1045035)
0064-9pfs-local-remove-use-correct-path-.patch
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.9
- Backport ipxe to support FirstBurstLength (bsc#1040476)
ipxe-iscsi-Always-send-FirstBurstLength-parameter.patch

==== qemu-linux-user ====

- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.9
* Patches added:
0060-9pfs-local-fix-unlink-of-alien-file.patch
0061-megasas-do-not-read-DCMD-opcode-mor.patch
0062-megasas-always-store-SCSIRequest-in.patch
0063-nbd-Fully-initialize-client-in-case.patch
0064-9pfs-local-remove-use-correct-path-.patch
- Add --no-renames to the git format-patch command in the git
workflow script for better patch compatibility

==== rubygem-ruby-dbus ====

- Only build for ruby 2.1.

==== rxvt-unicode ====

- added rxvt-unicode-hardening.patch: (boo#1036456)
While urxvt is not directly affected by CVE-2017-7483, we add a
patch to harden urxvt to avoid similar bugs in the future.

==== sblim-sfcb ====

- link_certificate_if_missing.patch: create clist.pem as a symlink
to already existing server.pem if it does not exist. This is
needed for upgrades from SLE11SP4 versions that did not use this
certificate (bnc#1041885)
- reintroduce symlink for legacy cmpi-provider-register for
upgrades from SLE11 (bnc#1041885)

==== smuxi ====
Version update (1.0.6 -> 1.0.7)

- Update to version 1.0.7:
+ Builds and runs correctly on Mono 5.x.
+ No longer crash with a SEGV or NullReferenceException when
re-joining channels when running on GTK# 2.12.40.

==== util-linux ====
Subpackages: libblkid-devel libblkid1 libblkid1-32bit libfdisk1 libmount1
libmount1-32bit libsmartcols1 libuuid-devel libuuid1 libuuid1-32bit
util-linux-lang

- libmount: Ensure that utab.lock is always created with correct
mode (bsc#1030763, util-linux-libmount-utab-lock.patch).
- Fix regressions in safe loop re-use patch set for libmount
not included in 2.29.2 (boo#1012504, bsc#1033236,
util-linux-loop-reuse-fix-1.patch,
util-linux-loop-reuse-fix-2.patch,
util-linux-loop-reuse-fix-3.patch).
- When hypervisor_decode_sysfw fails, continue with other
detection methods (bsc#1042991, bsc#1039360, bsc#1033718)
+ util-linux-lscpu-cleanup-DMI-detection-return-codes.patch

==== util-linux-systemd ====

- libmount: Ensure that utab.lock is always created with correct
mode (bsc#1030763, util-linux-libmount-utab-lock.patch).
- Fix regressions in safe loop re-use patch set for libmount
not included in 2.29.2 (boo#1012504, bsc#1033236,
util-linux-loop-reuse-fix-1.patch,
util-linux-loop-reuse-fix-2.patch,
util-linux-loop-reuse-fix-3.patch).
- When hypervisor_decode_sysfw fails, continue with other
detection methods (bsc#1042991, bsc#1039360, bsc#1033718)
+ util-linux-lscpu-cleanup-DMI-detection-return-codes.patch

==== virt-manager ====
Subpackages: virt-install virt-manager-common

- bsc#1042709 - unable to create VM with SLE4SAP SP1 over network
install
virtinst-fix-sle-distro-parsing.patch
- bsc#1027942 - virt-manager: Missing upstream bug fixes
f38c56c9-add-support-for-SMM-feature.patch
24f9d053-add-support-for-loader-secure-attribute.patch
4f8e795c-if-required-by-UEFI-enable-SMM-feature-and-set-q35-machine-type.patch
b690908a-enable-secure-feature-together-with-smm-for-UEFI.patch
- bsc#1027942 - virt-manager: Missing upstream bug fixes
93085d2b-reset-guest-domain-to-none-on-domain-creation-error.patch

==== vm-install ====
Version update (0.8.65 -> 0.8.67)

- bsc#1024437 - vm-install interprets disk size incorrectly when
used as an option to the command
- Version 0.8.67
- bsc#1039333 - vm-install: Invalid syntax error
- Version 0.8.66

==== xen ====
Version update (4.9.0_07 -> 4.9.0_08)
Subpackages: xen-doc-html xen-libs xen-tools xen-tools-domU

- Update block-dmmd script (bsc#1002573)
block-dmmd
- Update to Xen 4.9.0-rc8+ (fate#321394, fate#323108)
xen-4.9.0-testing-src.tar.bz2
gcc7-arm.patch
- Drop gcc7-error-xenpmd.patch
- Update to Xen 4.9.0-rc8 (fate#321394, fate#323108)
xen-4.9.0-testing-src.tar.bz2

==== xine-lib ====
Version update (1.2.6 -> 1.2.8)
Subpackages: libxine-devel libxine2 libxine2-pulse

- Update to release 1.2.8
- Remove patches fixed upstream:
xine-lib-crippled-ffmpeg3.0.patch, xine-lib-ffmpeg3.0.patch and
xine-lib-link-xcb.patch.
- Removed precheckin_cripple_tarball.sh and integrated it into the
spec file.
- Upstream changes:
* Add HEVC to QT demuxer.
* Add libOpenHEVC decoder.
* Add h.265/HEVC decoding to VAAPI.
* Detach VAAPI video out from ffmpeg.
* VAAPI fixes.
* Improved Matroska compatibility (TrueHD and PCM sound,
HDMV/Text subtitles).
* Add faad LATM support.
* Add faad preamp gain control and channel mixer.
* Update/fix internal libfaad.
* Integrate 6 basic plugins into libxine.
* ffmpeg fixes and optimizations.
* Use external libdvdnav by default.
* Optimize video out.
* AVFormat demuxer fixes.
* (XCB)XV video out fixes.
* Lots of small fixes and optimizations.
* Build fixes (newer automake, xcb, libdvdcss, dxr3, make dist,
32+64bit dual install, gcc 4.x with GNU ld 2.26 ...).
* Better C++ compatibility.
* Add support for avi WAVE_FORMAT_EXTENSIBLE.
* Add "Time Domain Audio Analyzer" Visualization Post Plugin.
* Add support for compressed HDMV PGS subtitles in Matroska.
* Add HW accelerated OSD for Raspberry Pi.
* Add simple deep color (9/10bit) support via ffmpeg.
* Join 15 video demuxers into a single multiplugin lib.
* Join 5 vdpau decoders into a single multiplugin lib.
* Join 3 raw video decoders into a single multiplugin lib.
* Make ffmpeg/postproc optional.
* Log individual items when loading multiplugin libs.
* Improved qt/mp4 edit list handling.
* Detect mp3 files with large id3v2 tags.
* Auto recover from temporary DVB signal loss.
* Fix demuxing low framerate mp4.
* DVB AAC sound compatibility fix.
* ffmpeg audio downmix level fix and optimization.
* ffmpeg multithreading fixes.
* ffmpeg compatibility fixes.
* BluRay subtitle fixes.
* Various small fixes.
* OpenGL(2) video out fixes and optimizations.
* Fix some issues with heavy stream seeking.
* Build fixes, including missing vcd libs and much less warnings.
* Code simplifications.
- fix build with ImageMagick 7
+ xine-lib-ImageMagick7.patch

==== xine-ui ====

- Add reproducible.patch to make build fully reproducible
by not having variations in mime type order in .desktop file
- Fix desktop file with xine-ui-desktop.patch

==== xorg-x11-server ====
Subpackages: xorg-x11-server-extra xorg-x11-server-sdk

- U_Use-timingsafe_memcmp-to-compare-MIT-MAGIC-COOKIES-C.patch
* Prevent timing attack against MIT cookie. (CVE-2017-2624, bnc#1025029)
- U_Use-arc4random_buf-3-if-available-to-generate-cookie.patch/
U_Brown-bag-commit-to-fix-957e8d-arc4random_buf-suppor.patch
* Use arc4random to generate cookies. (bnc#1025084)
- U_auth-remove-AuthToIDFunc-and-associated-functions.-N.patch
* Remove unused function with use-after-free issue. (bnc#1025035)

==== yast2-bootloader ====
Version update (3.2.21 -> 3.2.22)

- Use udev device for prep partition if it is available
(bsc#1041692)
- 3.2.22

==== yast2-installation ====

- install the yast2-registration package only in SLE (bsc#1043122)
- 3.2.45

==== yast2-kdump ====
Version update (3.2.4 -> 3.2.6)

- Fixed regular expression that verifies alloc_mem parameter
(bsc#1045098).
- 3.2.6
- The alloc_mem parameter is verified to be in accordance with
documentation (bsc#1045098).
- Pop-up is suppressed from command line when the user enables or
disables kdump (bsc#1045103).
- 3.2.5

==== yast2-trans ====
Version update (84.87.20170607.40033d88 -> 84.87.20170618.0f9396fd)
Subpackages: yast2-trans-af yast2-trans-ar yast2-trans-bg yast2-trans-bn
yast2-trans-bs yast2-trans-ca yast2-trans-cs yast2-trans-cy yast2-trans-da
yast2-trans-de yast2-trans-el yast2-trans-en_GB yast2-trans-en_US
yast2-trans-es yast2-trans-et yast2-trans-fa yast2-trans-fi yast2-trans-fr
yast2-trans-gl yast2-trans-gu yast2-trans-hi yast2-trans-hr yast2-trans-hu
yast2-trans-id yast2-trans-it yast2-trans-ja yast2-trans-jv yast2-trans-ka
yast2-trans-km yast2-trans-ko yast2-trans-lo yast2-trans-lt yast2-trans-mk
yast2-trans-mr yast2-trans-nb yast2-trans-nl yast2-trans-pa yast2-trans-pl
yast2-trans-pt yast2-trans-pt_BR yast2-trans-ro yast2-trans-ru yast2-trans-si
yast2-trans-sk yast2-trans-sl yast2-trans-sr yast2-trans-sv yast2-trans-ta
yast2-trans-th yast2-trans-tr yast2-trans-uk yast2-trans-vi yast2-trans-wa
yast2-trans-xh yast2-trans-zh_CN yast2-trans-zh_TW yast2-trans-zu

- Update to version 84.87.20170618.0f9396fd:
* New POT for text domain 'autoinst'.
* New POT for text domain 'base'.
* New POT for text domain 'control'.
* New POT for text domain 'firewall'.
* New POT for text domain 'registration'.
* New POT for text domain 'samba-client'.
* New POT for text domain 'storage-ng'.
* New POT for text domain 'support'.
* Translated using Weblate (Arabic)
* Translated using Weblate (Catalan)
* Translated using Weblate (Chinese (Taiwan))
* Translated using Weblate (Danish)
* Translated using Weblate (Dutch)
* Translated using Weblate (French)
* Translated using Weblate (German)
* Translated using Weblate (Indonesian)
* Translated using Weblate (Italian)
* Translated using Weblate (Japanese)
* Translated using Weblate (Kabyle)
* Translated using Weblate (Lithuanian)
* Translated using Weblate (Portuguese (Brazil))
* Translated using Weblate (Russian)
* Translated using Weblate (Slovak)
* Translated using Weblate (Spanish)

