Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.

Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=1&version=Tumbleweed&build=20180116

When you reply to report some issues, make sure to change the subject.
It is not helpful to keep the release announcement subject in a thread
while discussing a specific problem.

Packages changed:
  ImageMagick (7.0.7.15 -> 7.0.7.21)
  Mesa (17.2.6 -> 17.3.2)
  Mesa-drivers (17.2.6 -> 17.3.2)
  ModemManager (1.6.8 -> 1.6.12)
  MozillaFirefox
  NetworkManager-applet
  acpica
  antlr
  bluez (5.47 -> 5.48)
  brltty
  btrfsprogs (4.13.3 -> 4.14.1)
  cairo (1.15.8 -> 1.15.10)
  corosync
  deltarpm
  device-mapper
  evince (3.26.0 -> 3.26.0+20171120.3955d480)
  evolution (3.26.3 -> 3.26.4)
  evolution-data-server (3.26.3 -> 3.26.4)
  evolution-ews (3.26.3 -> 3.26.4)
  fftw3
  fluidsynth (1.1.8 -> 1.1.9)
  freerdp
  gdk-pixbuf
  gdm
  gimp
  gnome-font-viewer
  gnome-shell (3.26.2 -> 3.26.2+20171218.15b1810a6)
  gnome-software (3.26.3 -> 3.26.4)
  gpgme
  gstreamer-plugins-base
  gtk2 (2.24.31+20171209.61d5c82f5c -> 2.24.32)
  gutenprint (5.2.13 -> 5.2.13pre14.2)
  harfbuzz
  hdf5
  hwinfo (21.50 -> 21.51)
  hyper-v
  iputils
  ispell
  k3b (17.12.0 -> 17.12.1)
  kdump
  kernel-source (4.14.12 -> 4.14.13)
  kio
  krita (3.3.2.1 -> 3.3.3)
  krusader
  ldns
  libdrm (2.4.88 -> 2.4.89)
  libe-book (0.1.2 -> 0.1.3)
  libepoxy
  libglvnd
  libmediaart
  libpagemaker (0.0.3 -> 0.0.4)
  libpeas
  libpwquality (1.3.0 -> 1.4.0)
  libqt5-qtwebengine
  libqt5-qtwebsockets
  librsvg (2.40.20 -> 2.42.0)
  libsamplerate
  libteam
  libvirt
  libxcb
  libzio (1.05 -> 1.06)
  llvm
  logrotate (3.12.3 -> 3.13.0)
  lvm2
  makedumpfile
  mdadm
  mjpegtools
  mutter (3.26.2 -> 3.26.2+20171231.0bd1d7cf0)
  nbd (3.16.1 -> 3.16.2)
  newt
  nghttp2 (1.28.0 -> 1.29.0)
  ntp
  numactl
  openblas_pthreads
  opencv
  openssh (7.2p2 -> 7.6p1)
  patterns-kde
  php7 (7.2.0 -> 7.2.1)
  plasma5-desktop
  plasma5-pk-updates
  publicsuffix (20171028 -> 20171228)
  python-attrs (17.3.0 -> 17.4.0)
  python-cssselect (1.0.1 -> 1.0.3)
  python-dbus-python
  python-gpgme
  python-httplib2
  python-kiwi (9.11.24 -> 9.11.30)
  python-numpy (1.13.3 -> 1.14.0)
  python-pywbem
  qemu
  qemu-linux-user
  rsync
  ruby2.4
  serd
  speech-dispatcher
  swig
  tbb
  texinfo (6.4 -> 6.5)
  totem
  tracker
  tracker-miners
  vim (8.0.1417 -> 8.0.1428)
  virtualbox
  webkit2gtk3 (2.18.4 -> 2.18.5)
  wireless-regdb (2017.03.07 -> 2017.12.23)
  wireshark (2.4.3 -> 2.4.4)
  xen (4.10.0_08 -> 4.10.0_10)
  xorg-x11-server (1.19.5 -> 1.19.6)
  yast2-ruby-bindings (4.0.3 -> 4.0.4)

=== Details ===

==== ImageMagick ====
Version update (7.0.7.15 -> 7.0.7.21)
Subpackages: ImageMagick-devel ImageMagick-extra libMagick++-7_Q16HDRI4 libMagickCore-7_Q16HDRI5 libMagickWand-7_Q16HDRI5 perl-PerlMagick

- update to 7.0.7.21
  * Fix some enum values in the OpenCL code.
  * Fixed numerous memory leaks.
  * Check for webpmux library version 0.4.4.
  * Fix heap use after free error.
  * Fix error reading multi-layer XCF image file.
  * Fix possible stack overflow in WEBP reader.

==== Mesa ====
Version update (17.2.6 -> 17.3.2)
Subpackages: Mesa-dri-devel Mesa-libEGL-devel Mesa-libEGL1 Mesa-libGL-devel Mesa-libGL1 Mesa-libglapi0 libgbm1 libwayland-egl1

- U_intel-Add-more-Coffee-Lake-PCI-IDs.patch
  * Add more Coffeelake PCI IDs (request by Intel)
- Update to 17.3.2
  * Multiple fixes in the RADV Vulkan driver, workaround when using slibtool and a GLSL workaround for various titles using Unreal Engine 4.
- Drop upstreamed u_r600-Add-support-for-B5G5R5A1.patch
- Modify u_mesa-python3-only.patch to not break python 2.
- Update to 17.3.1
  * Multiple fixes and improvements of the GLSL shader cache. The RADV driver no longer advertises VK_EXT_debug_report - there is no support for it.
  * The i965, radeonsi, nvc0 and freedreno drivers have received a few small fixes each.
  * A number of big endian fixes have been merged.
- Switch to python3 during build instead of python2
  * Add patch u_mesa-python3-only.patch
- Add Mesa-dri and Mesa-gallium to baselibs.conf.
- Require llvm >= 3.9.0
  * The build fails otherwise because it is required for multiple Mesa components.
- Drop some redundant wording from descriptions. Drop redundant %if guard around a %post section.
- Use different form of split for faster build (bnc#1071297)
  * Mesa.spec does not use llvm and builds most of the *-devel subpackages.
  * Mesa-drivers.spec uses llvm and builds extra things installable in addition to packages from Mesa.spec. These packages are required for actual rendering.
- update to 17.3.0
- drop U_configure.ac-rework-llvm-libs-handling-for-3.9.patch
  * new major release coming with changes in RADV, intel ANV, S3TC support, RadeonSI driver with RX Vega. On-disk shader cache
- Split Mesa into Mesa and Mesa-mini. Mesa-mini does not depend on llvm and its purpose is to build fast and allow other packages that BuildRequire Mesa to be built independently of llvm. Packages built against Mesa-mini should work correctly when installed with full Mesa package. (bsc#1071297)

==== Mesa-drivers ====
Version update (17.2.6 -> 17.3.2)
Subpackages: Mesa-libva libvdpau_r300 libvdpau_r600 libvdpau_radeonsi libvulkan_radeon libxatracker2

- U_intel-Add-more-Coffee-Lake-PCI-IDs.patch
  * Add more Coffeelake PCI IDs (request by Intel)
- Update to 17.3.2
  * Multiple fixes in the RADV Vulkan driver, workaround when using slibtool and a GLSL workaround for various titles using Unreal Engine 4.
- Drop upstreamed u_r600-Add-support-for-B5G5R5A1.patch
- Modify u_mesa-python3-only.patch to not break python 2.
- Update to 17.3.1
  * Multiple fixes and improvements of the GLSL shader cache. The RADV driver no longer advertises VK_EXT_debug_report - there is no support for it.
  * The i965, radeonsi, nvc0 and freedreno drivers have received a few small fixes each.
  * A number of big endian fixes have been merged.
- Switch to python3 during build instead of python2
  * Add patch u_mesa-python3-only.patch
- Add Mesa-dri and Mesa-gallium to baselibs.conf.
- Require llvm >= 3.9.0
  * The build fails otherwise because it is required for multiple Mesa components.
- Drop some redundant wording from descriptions. Drop redundant %if guard around a %post section.
- Use different form of split for faster build (bnc#1071297)
  * Mesa.spec does not use llvm and builds most of the *-devel subpackages.
  * Mesa-drivers.spec uses llvm and builds extra things installable in addition to packages from Mesa.spec. These packages are required for actual rendering.
- update to 17.3.0
- drop U_configure.ac-rework-llvm-libs-handling-for-3.9.patch
  * new major release coming with changes in RADV, intel ANV, S3TC support, RadeonSI driver with RX Vega. On-disk shader cache
- Split Mesa into Mesa and Mesa-mini. Mesa-mini does not depend on llvm and its purpose is to build fast and allow other packages that BuildRequire Mesa to be built independently of llvm. Packages built against Mesa-mini should work correctly when installed with full Mesa package. (bsc#1071297)

==== ModemManager ====
Version update (1.6.8 -> 1.6.12)
Subpackages: ModemManager-bash-completion ModemManager-devel ModemManager-lang libmm-glib0 typelib-1_0-ModemManager-1_0

- Update to version 1.6.12:
  + Blacklist:
    - Ignored Pycom devices.
    - Added Microchip's VID to the greylist.
  + QMI:
    - Fixed connection state machine when built against libqmi < 1.18.
    - Fixed connection state machine when an error is reported setting up WDS indications.
- Changes from version 1.6.10:
  + Blacklist:
    - Ignored Silicon Labs USB Zigbee dongles.
    - Ignored Garmin ANT+ sticks.
    - Ignored Intel coredump downloader device.
  + QMI:
    - Fixed potential use-after-free issues.
    - Fixed missing handler cleanups on network-initiated disconnects.
  + MBIM:
    - Fix invalid session_id and nw_error reads.
    - Avoid calling mbim_message_unref() on NULL message.
    - Fixed invalid object access due to handlers not being removed correctly.
    - Ensure session is disconnected before trying to connect.
    - Fixed crash when modem doesn't send gateways.
  + udev:
    - Removed default ID_MM_PLATFORM_DRIVER_PROBE whitelist. Devices exposed via the 'atmel_usart' driver aren't probed automatically any more.
  + Core:
    - Fixed running init sequence after port flashing in disconnection.
    - Fixed "forbidden product strings" check in plugins.
    - Fixed multiple memory leaks and invalid memory read/writes.
    - Fixed multiple async operation completions in event handlers.
    - Fixed multiple potential NULL dereferences.
    - Fixed deadlock when trying to disconnect cancellable.
    - Fixed reporting TX/RX stats (numbers were swapped).
    - Ignored USB interface removal events.
  + libmm-glib: Fix NULL dereference on firmware unique_id checks.
  + polkit: Added missing Location interface method rules.
  + Plugins:
    - MBM: set data port for Dell DW5560.
    - Simtech: fix error reporting in 3gpp unsolicited events enabling.
    - Fixed multiple memory leaks.
  + systemd: Drop After=syslog.target rule.
- Drop post(un) handling of icon_theme_cache_post(un), no longer needed, file-triggers takes care of this now.
- Drop ModemManager-1.0.0-systemd-activation.patch: No longer needed.

==== MozillaFirefox ====
Subpackages: MozillaFirefox-translations-common

- fixed build with latest rust (mozilla-rust-1.23.patch)

==== NetworkManager-applet ====
Subpackages: NetworkManager-applet-lang NetworkManager-connection-editor libnm-gtk0 libnma0 nma-data typelib-1_0-NMGtk-1_0

- Add 0001-shared-compat-fix-memory-handling-of-nm_setting_vpn_.patch and 0002-shared-compat-fix-memory-handling-of-nm_setting_vpn_.patch: fix crashes due to double frees.

==== acpica ====

- Changed shebang path in wmidump_add_she_bang.patch to /usr/bin/python3 [bsc#1075687,wmidump_add_she_bang.patch]

==== antlr ====
Subpackages: antlr-devel antlr-java

- Add condition about python2 module, the rewrite happened in antlr4 for python3 support and it is completely different than the antlr2
  * The python module is not used by any package in TW bsc#1068226

==== bluez ====
Version update (5.47 -> 5.48)
Subpackages: bluez-cups bluez-devel libbluetooth3

- update to version 5.48:
  This release brings many fixes and feature enhancements. Some notable enhancements include support for devices with the BLE battery service, as well as improved Mesh support in the meshctl tool. Several previously experimental D-Bus APIs have now been marked as stable, notably the Advertising Manager API as well as the AcquireWrite & AcquireNotify GATT APIs.
  As far as fixes go, these can be found in many areas of the stack, including A2DP, AVCTP, device discovery, Mesh, and GATT.

==== brltty ====
Subpackages: brltty-driver-at-spi2 brltty-driver-brlapi brltty-driver-espeak brltty-driver-speech-dispatcher brltty-driver-xwindow brltty-lang libbrlapi0_6 python3-brlapi xbrlapi

- Fix %pre, %post, and %postun: brltty.service is now brltty@.service (boo#1074096).

==== btrfsprogs ====
Version update (4.13.3 -> 4.14.1)
Subpackages: btrfsprogs-udev-rules libbtrfs0

- spec: fix distro version condition
- update to version 4.14.1
  * dump-tree: print times of root items
  * check: fix several lowmem mode bugs
  * convert: fix rollback after balance
  * other
  * new and updated tests, enabled lowmem mode in CI
  * docs updates
  * fix travis CI build
  * build fixes
  * cleanups
- update to version 4.14
  * build: libzstd now required by default
  * check: more lowmem mode repair enhancements
  * subvol set-default: also accept path
  * prop set: compression accepts no/none, same as ""
  * filesystem usage: enable for filesystem on top of a seed device
  * rescue: new command fix-device-size
  * other
  * new tests
  * cleanups and refactoring
  * doc updates
- Removed patches:
  - rollback-regression-fix.patch - upstreamed
- spec: disable static build, missing libzstd-devel-static
- spec: disable zstd support for non-Tumbleweed distros

==== cairo ====
Version update (1.15.8 -> 1.15.10)
Subpackages: cairo-devel libcairo-gobject2 libcairo-script-interpreter2 libcairo2 libcairo2-32bit

- Update to version 1.15.10:
  + Features and Enhancements:
    - Add support for OpenGL ES 3.0 to the gl backend.
    - Use Reusable streams for forms in Level 3 Postscript.
    - Add CAIRO_MIME_TYPE_EPS mime type for embedding EPS files.
    - Add CCITT_FAX mime type for PDF and PS surfaces.
    - svg: add a new function to specify the SVG document unit (fdo#90166).
    - Use UTF-8 filenames on Windows.
  + API Changes: cairo_svg_surface_set_document_unit() and cairo_svg_surface_get_document_unit().
  + Bugs fixed:
    - Fix regression in gles version detection.
    - Fix undefined-behavior with integer math.
    - Handle SOURCE and CLEAR operators when painting color glyphs (fdo#102661).
    - Convert images to rgba or a8 formats when uploading with GLESv2.
    - Use _WIN32 instead of windows.h to check for windows build.
    - Fix sigabrt printing documents with fonts lacking the mandatory .nodef glyph (fdo#102922).
    - Prevent curved strokes in small ctms from being culled from vector surfaces (fdo#103071).
    - Fix painting an unbounded recording surface with the SVG backend.
    - Fix falling back to system font with PDFs using certain embedded fonts, due to truncated font names (fdo#103249).
    - Fix handling of truetype fonts with excessively long font names (fdo#103249).
    - Fix race conditions with cairo_mask_compositor_t (fdo#103037).
    - Fix build error with util/font-view.
    - Fix assertion hit with PDFs using Type 4 fonts rendered with user fonts, due to error when destroying glyph page (fdo#103335).
    - Set default creation date for PDFs.
    - Prevent invalid ptr access for > 4GB images (fdo#98165).
    - Prevent self-copy infinite loop in Postscript surface.
    - Fix padded image crash in Postscript surface.
    - Fix annotation bugs in PDFs and related memory leaks.
    - Fix test failures and other assorted issues in ps and pdf code.
    - Fix code generation when using GCC legacy atomic operations (fdo#103559).
    - Fix various compilation warnings and errors.
    - Fix various distcheck errors with private symbols, doxygen formatting etc.
- Drop cairo-image-prevent-invalid-ptr-access.patch

==== corosync ====
Subpackages: libcmap4 libcorosync_common4

- totemudp[u]: Drop truncated packets on receive(bsc#1075300)
  Added: 0012-totemudp-u-Drop-truncated-packets-on-receive.patch
- issue with partial packets assembly when multiple nodes are sending big packets(bsc#1074929)
  Added: 0011-libcpg-Fix-issue-with-partial-big-packet-assembly.patch

==== deltarpm ====
Subpackages: python2-deltarpm

- Make python2 and python3 conditional to ensure we can build with python3 only

==== device-mapper ====
Subpackages: libdevmapper-event1_03 libdevmapper1_03 libdevmapper1_03-32bit

- lvmlockd: add lockopt values for skipping selected locks (fate#323203)
  + fate-323203_lvmlockd-add-lockopt-values-for-skipping-selected-lo.patch

==== evince ====
Version update (3.26.0 -> 3.26.0+20171120.3955d480)
Subpackages: evince-lang evince-plugin-comicsdocument evince-plugin-djvudocument evince-plugin-dvidocument evince-plugin-pdfdocument evince-plugin-psdocument evince-plugin-tiffdocument evince-plugin-xpsdocument libevdocument3-4 libevview3-3 nautilus-evince typelib-1_0-EvinceDocument-3_0 typelib-1_0-EvinceView-3_0

- Update to version 3.26.0+20171120.3955d480:
  + Updated translations.
- Switch to git-checkout via source service.
- Following the above, add gnome-common BuildRequires, pass autogen.sh and pass enable-gtk doc to configure, as we need to bootstrap the tarball.
- Clean up spec, use modern macros.
- Drop update-desktop-files BuildRequires and stop using suse_update_desktop macro, no longer needed.
- Drop obsolete conditionals for no longer supported versions of openSUSE.
- Avoid running fdupes across hardlink boundaries.

==== evolution ====
Version update (3.26.3 -> 3.26.4)
Subpackages: evolution-lang evolution-plugin-bogofilter evolution-plugin-pst-import evolution-plugin-spamassassin

- Update to version 3.26.4:
  + Bugs fixed: bgo#791291, bgo#791341, bgo#791346, bgo#791793.
  + Updated translations.

==== evolution-data-server ====
Version update (3.26.3 -> 3.26.4)
Subpackages: evolution-data-server-lang libcamel-1_2-60 libebackend-1_2-10 libebook-1_2-19 libebook-contacts-1_2-2 libecal-1_2-19 libedata-book-1_2-25 libedata-cal-1_2-28 libedataserver-1_2-22 libedataserverui-1_2-1

- Update to version 3.26.4:
  + Prevent passing NULL ldap handle into LDAP functions.
  + [Maildir]: Correct double free when the source message file doesn't exist.
  + Bugs fixed: bgo#791475, bgo#791282.

==== evolution-ews ====
Version update (3.26.3 -> 3.26.4)
Subpackages: evolution-ews-lang

- Update to version 3.26.4:
  + Bugs fixed: bgo#792190.

==== fftw3 ====
Subpackages: fftw3-devel libfftw3-3 libfftw3_threads3

- Disable the openmpi3 flavor in some products.
- Add gcc7 as additional compiler flavor for HPC on SLES.
- Fix library package requires - use HPC macro (boo#1074890).
- Add support for mpich and openmpi3 for HPC.

==== fluidsynth ====
Version update (1.1.8 -> 1.1.9)

- Update to version 1.1.9:
  * fix building the portaudio driver on Windows
  * fix build if no MIDI drivers are available
  * fix return value of fluid_file_set_encoding_quality()
  * fix use-after-free in fluid_timer
  * fix memory leak in pulseaudio driver
  * fix memory leak in rvoice_mixer
  * fix dumptuning shell command displaying uninitialized values
  * fix a resource leak in source shell command
  * harmonize fluidsynth's output library naming with autotools on Windows
  * don't set LIB_SUFFIX when building with MinGW
  * avoid a possible deadlock when initializing fluidsynth's DLL on windows
  * avoid a buffer overrun when mixing effects channels in fluid_synth_nwrite_float()
  * correctly clean up fluid_server on Windows
  * implement handling of FLUID_SEQ_ALLSOUNDSOFF events in fluid_seq_fluidsynth_callback()
  * support for registering audio drivers based on actual needs

==== freerdp ====
Subpackages: libfreerdp2 libwinpr2

- Users can connect only once to windows sessions due to [#]gh/FreeRDP/FreeRDP/4348 Therefore WITH_GSSAPI has been
  disabled until that issue has been solved

==== gdk-pixbuf ====
Subpackages: gdk-pixbuf-devel gdk-pixbuf-lang gdk-pixbuf-query-loaders gdk-pixbuf-query-loaders-32bit gdk-pixbuf-thumbnailer libgdk_pixbuf-2_0-0 libgdk_pixbuf-2_0-0-32bit typelib-1_0-GdkPixbuf-2_0

- Add gdk-pixbuf-bgo779012-ico-overflow.patch: fix a potential integer overflow (boo#1027026 CVE-2017-6312).
- Add gdk-pixbuf-gif-negative-array-indexes.patch and gdk-pixbuf-gif-uninitialized-variable.patch: protect against access to negative array indexes (BGO#778584).
- Add gdk-pixbuf-tiff-overflow.patch: avoid overflow during size computation (bgo#779020).
- Add gdk-pixbuf-icns-handle-short-blocklen.patch: protect against short block length when reading icns (boo#1027024 CVE-2017-6313).

==== gdm ====
Subpackages: gdm-lang gdmflexiserver libgdm1 typelib-1_0-Gdm-1_0

- Add gdm-nb-translations.patch: Update Norwegian Bokmål translations.
- Drop gdmflexiserver Obsoletes from main package, we ship gdmflexiserver again, so this is not needed nor wanted.
- Do minor spec-cleanup, silence a couple of rpmlint warnings.
- Add gdm-not-run-with-bogus-DISPLAY-XAUTHORITY.patch: When run PreSession script, don't set DISPLAY and XAUTHORITY environment variable, avoiding environment variable equal (null) (bsc#1068016 bgo#792150).
- Remove gdm-ignore-SLE-CLASSIC-MODE.patch: SLE-Classic doesn't use environment variable SLE_CLASSIC_MODE anymore.

==== gimp ====
Subpackages: gimp-lang gimp-plugin-aa gimp-plugins-python libgimp-2_0-0 libgimpui-2_0-0

- Run spec-cleaner, modernize spec, drop Obsoletes for versions no longer supported.
- Don't build with webkit1, as it is no longer maintained and has plenty of security bugs. This disables the GIMP's built-in help browser; it will use an external browser when configured this way.
  This works around a number of security vulnerabilities in Webkit1:
  https://bugzilla.suse.com/show_bug.cgi?id=923223
  https://bugzilla.suse.com/show_bug.cgi?id=906375
  https://bugzilla.suse.com/show_bug.cgi?id=906374
  https://bugzilla.suse.com/show_bug.cgi?id=906373
  https://bugzilla.suse.com/show_bug.cgi?id=1034856
  https://bugzilla.suse.com/show_bug.cgi?id=871792
  https://bugzilla.suse.com/show_bug.cgi?id=879607
  https://bugzilla.suse.com/show_bug.cgi?id=892084

==== gnome-font-viewer ====
Subpackages: gnome-font-viewer-lang

- Add gfv-handle-ttf-otf-mime-types.patch: Handle new font/ttf and font/otf mime types (bgo#788383).
- Add gfv-update-nb-translations.patch: Update Norwegian Bokmål translations.

==== gnome-shell ====
Version update (3.26.2 -> 3.26.2+20171218.15b1810a6)
Subpackages: gnome-shell-browser-plugin gnome-shell-calendar gnome-shell-lang

- Add gnome-shell-network-fix-visibility-VPN.patch: network: Fix visibility of VPN section (bgo#787845).
- Own directories {_datadir}/gnome-shell/extensions|search-providers|modes again, seems a lot of packages depended on this being true.
- Update to version 3.26.2+20171218.15b1810a6:
  + background: don't leak wall clock when background changes.
  + dateMenu:
    - Fix possible crash with unknown locations.
    - Ignore malformed world-clocks settings.
  + dash:
    - Do not shadow ClutterActor's destroy().
    - Make sure item labels are only destroyed once.
  + status/keyboard: Reset menuItems and Label objects on change.
  + overview: Protect ::drag-end handlers.
  + Updated translations.
- Switch to git-checkout via source services.
- Pass enable-browser-plugin=true, enable-documentation=true, enable-man=true, enable-networkmanager=yes and enable-systemd=yes to meson, ensure we build the features we want.
- Following the above, add gtk-doc BuildRequires and build documentation again.
- Run spec-cleaner, modernize spec.
- Drop update-desktop-files BuildRequires and stop using the suse_update_desktop_file macro.
- Drop conditional libaccountsservice0, libcaribou0 and libgdmgreeter1 Requires needed for no longer supported versions of openSUSE.
- Add fdupes BuildRequires and pass fdupes macro, remove duplicate files.
- Drop gnome-shell-wayland Obsoletes: No currently supported version of openSUSE have ever had this binary, so this is no longer needed.
- Stop exporting BROWSER_PLUGIN_DIR=%%{_libdir}/browser-plugins, does not work as we are using meson buildsystem.

==== gnome-software ====
Version update (3.26.3 -> 3.26.4)
Subpackages: gnome-software-lang

- Update to version 3.26.4:
  + Fix crashes in the repos plugin due to missing locking.
  + Work around Firefox deleting rpm/deb files downloaded to /tmp when closing.
  + Do not require the user to keep clicking 'More reviews' after each click.
  + Fix a critical when updating (flatpak) packages live.
  + fwupd: Prepend the vendor name to the device name if not included.
  + Improve SPDX ID parsing when working out if it is 'free'.
  + packagekit: Do not crash when getting an invalid ID from PackageKit.
  + Do not crash when closing the source dialog while it is loading.
  + Updated translations.
- Drop gs-add-locking-to-the-repos-plugin.patch: Fixed upstream.

==== gpgme ====
Subpackages: libgpgme-devel libgpgme11 libgpgmepp6 libqgpgme7

- Tweak up the python conditional to allow us finegraining and selecting only py2 or py3 if needed

==== gstreamer-plugins-base ====
Subpackages: gstreamer-plugins-base-lang libgstallocators-1_0-0 libgstapp-1_0-0 libgstaudio-1_0-0 libgstfft-1_0-0 libgstpbutils-1_0-0 libgstriff-1_0-0 libgstrtp-1_0-0 libgstrtsp-1_0-0 libgstsdp-1_0-0 libgsttag-1_0-0 libgstvideo-1_0-0 typelib-1_0-GstAudio-1_0 typelib-1_0-GstPbutils-1_0 typelib-1_0-GstTag-1_0 typelib-1_0-GstVideo-1_0

- Add gst-pb-playbin3-fix-accessing-invalid-index.patch: playbin3: Fix accessing invalid index in GstStream when received select-stream event (bgo#791638).
- Clean up spec with spec-cleaner.

==== gtk2 ====
Version update (2.24.31+20171209.61d5c82f5c -> 2.24.32)
Subpackages: gtk2-data gtk2-devel gtk2-immodule-amharic gtk2-immodule-inuktitut gtk2-immodule-thai gtk2-immodule-vietnamese gtk2-immodule-xim gtk2-lang gtk2-tools gtk2-tools-32bit libgtk-2_0-0 libgtk-2_0-0-32bit typelib-1_0-Gtk-2_0

- Update to version 2.24.32:
  + Fix abicheck.
- Use the release version as revision and set versionformat to PARENT_TAG, ensure we build the upstream released tag.

==== gutenprint ====
Version update (5.2.13 -> 5.2.13pre14.2)

- Version upgrade to 5.2.13pre14.2 which is the second pre-release of Gutenprint 5.2.14.
  Major changes in this release (compared to 5.2.12):
  * The PCL driver now supports color laser printers that use PCL 5c natively (as opposed to emulation). The support is considered to be preliminary at this time. Tons of PCL printers have been added with color support. Please report success or failure with PCL color laser printers using the Generic PCL Color drivers. Based on feedback from this pre-release, some or all of these printers may be removed from the list prior to 5.2.14 release.
  * Support for the Brother HL-2030 and HL-2035 has been removed because these printers do not support standard PCL.
  * A crash that affected certain dyesub printers when used with simplified PPD files has been fixed.
  * Enhanced support for some dye-sublimation printers.
  For details see the NEWS file.

==== harfbuzz ====
Subpackages: harfbuzz-devel libharfbuzz-icu0 libharfbuzz0 libharfbuzz0-32bit

- harfbuzz-devel hb-ft.h requires pkgconfig(freetype2) but it is not automatically added by the dependency generator.

==== hdf5 ====
Subpackages: libhdf5-101 libhdf5_hl100

- Disable the openmpi3 flavor in some products.
- Switch from gcc6 to gcc7 as additional compiler flavor for HPC on SLES.
- Add support for mpich and openmpi3 for HPC.

==== hwinfo ====
Version update (21.50 -> 21.51)
Subpackages: hwinfo-devel

- merge gh#openSUSE/hwinfo#55
- Please make CDBISDN_DATE ignore timezone.
- 21.51

==== hyper-v ====

- update buffer handling in hv_fcopy_daemon
- remove unnecessary header files and netlink related code
- Avoid reading past allocated blocks from KVP file
- fix snprintf warning in kvp_daemon
- properly handle long paths
- kvp: configurable external scripts path
- vss: Thaw the filesystem and continue if freeze call has timed out
- vss: Skip freezing filesystems backed by loop

==== iputils ====
Subpackages: rarpd

- Backport iputils-ping-fix-pmtu-for-ipv6.patch from upstream to fix PMTU discovery in ping6. (bsc#1072460)

==== ispell ====
Subpackages: ispell-american ispell-british

- Avoid `set -e' in munchlist (boo#1075882)

==== k3b ====
Version update (17.12.0 -> 17.12.1)
Subpackages: k3b-lang

- Update to 17.12.1
  * New bugfix release
  * For more details please see:
  * https://www.kde.org/announcements/announce-applications-17.12.1.php
- Changes since 17.12.0:
  * Revert "Fix Settings dialog resizes itself issue"
- Add fix-build-with-older-kio.patch to make it build again on standard Leap 42.x.

==== kdump ====

- Add kdump-fillupdir-fixes.patch and correct specfile to build with new fillupdir location
- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)

==== kernel-source ====
Version update (4.14.12 -> 4.14.13)
Subpackages: kernel-default kernel-default-devel kernel-devel kernel-docs kernel-macros kernel-syms

- Linux 4.14.13 (bnc#1012628).
- x86/mm: Set MODULES_END to 0xffffffffff000000 (bnc#1012628).
- x86/mm: Map cpu_entry_area at the same place on 4/5 level (bnc#1012628).
- x86/kaslr: Fix the vaddr_end mess (bnc#1012628).
- x86/events/intel/ds: Use the proper cache flush method for mapping ds buffers (bnc#1012628).
- x86/tlb: Drop the _GPL from the cpu_tlbstate export (bnc#1012628).
- x86/alternatives: Add missing '\n' at end of ALTERNATIVE inline asm (bnc#1012628).
- x86/pti: Rename BUG_CPU_INSECURE to BUG_CPU_MELTDOWN (bnc#1012628).
- kernel/acct.c: fix the acct->needcheck check in check_free_space() (bnc#1012628).
- mm/mprotect: add a cond_resched() inside change_pmd_range() (bnc#1012628).
- mm/sparse.c: wrong allocation for mem_section (bnc#1012628).
- userfaultfd: clear the vma->vm_userfaultfd_ctx if UFFD_EVENT_FORK fails (bnc#1012628).
- btrfs: fix refcount_t usage when deleting btrfs_delayed_nodes (bnc#1012628).
- efi/capsule-loader: Reinstate virtual capsule mapping (bnc#1012628).
- crypto: n2 - cure use after free (bnc#1012628).
- crypto: chacha20poly1305 - validate the digest size (bnc#1012628).
- crypto: pcrypt - fix freeing pcrypt instances (bnc#1012628).
- crypto: chelsio - select CRYPTO_GF128MUL (bnc#1012628).
- drm/i915: Disable DC states around GMBUS on GLK (bnc#1012628).
- drm/i915: Apply Display WA #1183 on skl, kbl, and cfl (bnc#1012628).
- sunxi-rsb: Include OF based modalias in device uevent (bnc#1012628).
- fscache: Fix the default for fscache_maybe_release_page() (bnc#1012628).
- x86 / CPU: Avoid unnecessary IPIs in arch_freq_get_on_cpu() (bnc#1012628).
- x86 / CPU: Always show current CPU frequency in /proc/cpuinfo (bnc#1012628).
- kernel/signal.c: protect the traced SIGNAL_UNKILLABLE tasks from SIGKILL (bnc#1012628).
- kernel/signal.c: protect the SIGNAL_UNKILLABLE tasks from !sig_kernel_only() signals (bnc#1012628).
- kernel/signal.c: remove the no longer needed SIGNAL_UNKILLABLE check in complete_signal() (bnc#1012628).
- iommu/arm-smmu-v3: Don't free page table ops twice (bnc#1012628).
- iommu/arm-smmu-v3: Cope with duplicated Stream IDs (bnc#1012628).
- ARC: uaccess: dont use "l" gcc inline asm constraint modifier (bnc#1012628).
- powerpc/mm: Fix SEGV on mapped region to return SEGV_ACCERR (bnc#1012628).
- Input: elantech - add new icbody type 15 (bnc#1012628).
- apparmor: fix regression in mount mediation when feature set is pinned (bnc#1012628).
- parisc: Fix alignment of pa_tlb_lock in assembly on 32-bit SMP kernel (bnc#1012628).
- parisc: qemu idle sleep support (bnc#1012628).
- mtd: nand: pxa3xx: Fix READOOB implementation (bnc#1012628).
- KVM: s390: fix cmma migration for multiple memory slots (bnc#1012628).
- KVM: s390: prevent buffer overrun on memory hotplug during migration (bnc#1012628).
- commit bd444a0
- Refresh patches.suse/0007-x86-enter-Use-IBRS-on-syscall-and-interrupts.patch.
- Refresh patches.suse/0013-x86-entry-Stuff-RSB-for-entry-to-kernel-for-non-SMEP.patch.
- Refresh patches.suse/0015-x86-syscall-Clear-unused-extra-registers-on-32-bit-c.patch.
  Fix double fault in 32bit binaries (bnc#1074869, bnc#1074918, bnc#1074920, bnc#1074921, bnc#1075018, bnc#1075034)
- commit f4b3cf0
- rpm/constraints.in: lower kernel-syzkaller's mem requirements
  OBS now reports that it needs only around 2G, so lower the limit to 8G, so that more compliant workers can be used.
- commit 7637ae2

==== kio ====
Subpackages: kio-core kio-devel kio-lang

- Add patch to fix layout of icons in the file dialog (kde#352776):
  * 0001-Fix-KFilePreviewGenerator-LayoutBlocker.patch

==== krita ====
Version update (3.3.2.1 -> 3.3.3)
Subpackages: krita-lang

- Update to 3.3.3:
  * See https://krita.org/en/item/krita-3-3-3/
  * Fix an issue where it would not be possible to select certain blending modes when the current layer is grayscale but the image is rgb.
  * Set the OS and platform when reporting a bug from within Krita on Windows.
  * Make it possible to enter color values as percentage in the specific color selector
  * Add OpenGL warnings and make ANGLE default on Intel GPUs
  * Add an Invert button to the levels filter
  * Implement loading and saving of styles for group layers to and from PSD
  * Fix the erase mode not showing correctly when returning to the brush tool
  * Save the visibility of individual assistants in .kra files
  * Add an option to draw ruler tips as a power of 2
  * Disable autoscroll on move and transform tools
  * Improve handling of native mouse events when using a pen and the Windows Ink API
  * Fix the focal point for the pinch zoom gesture
  * Fix loading netpbm files with comment

==== krusader ====
Subpackages: kio_iso

- Add Panel-fixed-actions-in-PanelContextMenu-ignored.patch to fix the "Create New" context menu not working when the '..' entry is selected (boo#1075690, kde#383544)

==== ldns ====
Subpackages: libldns2

- Switch directly to python3 in order for us to proceed with py2 obsoletion for future releases
  * Upstream sadly can build only against one of the two

==== libdrm ====
Version update (2.4.88 -> 2.4.89)
Subpackages: libdrm-devel libdrm2 libdrm_amdgpu1 libdrm_intel1 libdrm_nouveau2 libdrm_radeon1

- U_intel-Add-more-Coffeelake-PCI-IDs.patch
  * Add more Coffeelake PCI IDs (request by Intel)
- Update to version 2.4.89:
  libdrm release with leasing and syncobj api updates, updated amdgpu marketing ids, amdgpu tests, updated uapi headers & etnaviv updates.

==== libe-book ====
Version update (0.1.2 -> 0.1.3)

- Cure linguistic problem in descriptions.
- Update to 0.1.3:
  * Fix various problems when reading broken files, found with the help of american-fuzzy-lop and oss-fuzz.
  * Fix build with boost >= 1.59.
  * Set default page margins. (tdf#94162)
  * Make output of ebook2* --help more compatible with help2man.
  * Check for librevenge-stream if tests are enabled. (gentoo#603098)
  * Require C++11 for build.
  * Drop outdated MSVC project files.
  * Fix several issues found by Coverity.
  * FictionBook v.2:
    * Use document language as default language for text.
    * Use note title as footnote mark.
    * Handle subscript and superscript.
    * Output content of <code> in monospace font.

==== libepoxy ====

- -devel package requires pkgconfig(x11), pkgconfig(egl) but those deps are not generated automatically.

==== libglvnd ====
Subpackages: libglvnd-32bit libglvnd-devel

- Make sure to use only python3 for the build and do not rely on env calls for python

==== libmediaart ====
Subpackages: libmediaart-2_0-0 typelib-1_0-MediaArt-2_0

- Add meson-Introspection-fix.patch: The meson build did not add the extractdummy.c to the sources, which contains introspection annotations (bgo#792272, bgo#791586).

==== libpagemaker ====
Version update (0.0.3 -> 0.0.4)

- Cure linguistic problem in descriptions.
- Update to 0.0.4:
  * Add a command line tool for conversion to plain text, called pmd2text.
  * Require C++11 for build.
  * Drop outdated MSVC project files.
  * Fix parsing of page dimensions and shape coordinates in Mac documents. That makes the output at least somewhat useful, but more work is needed to handle big endian files properly.
  * Fix parsing of color tint in Mac documents. (tdf#109126)
  * Fix parsing of text formatting attributes in Mac documents.
  * Properly handle all caps and small caps.
  * Parse more text formatting attributes.
  * Parse more paragraph attributes.

==== libpeas ====
Subpackages: libpeas-1_0-0 libpeas-gtk-1_0-0 libpeas-lang libpeas-loader-python libpeas-loader-python3 typelib-1_0-Peas-1_0 typelib-1_0-PeasGtk-1_0

- Use make_build macro.
- Avoid running fdupes across hardlink boundaries.
- Update URL to reflect current web, old was 404.
- Run spec-cleaner.
- Fix typo on parallel build command call.
- Conditionalize py2 and py3 build to allow us building of the one we desire based on codestream.

==== libpwquality ====
Version update (1.3.0 -> 1.4.0)
Subpackages: libpwquality-lang libpwquality1

- Update RPM groups and summaries.
- Switch url to https://github.com/libpwquality/libpwquality/
- Update to release 1.4.0:
  * Fix possible buffer overflow with data from /dev/urandom in pwquality_generate().
  * Do not try to check presence of too short username in password. (thanks to Nikos Mavrogiannopoulos)
  * Make the user name check optional (via usercheck option).
  * Add an 'enforcing' option to make the checks to be warning-only in PAM.
  * The difok = 0 setting will disable all old password similarity checks except new and old passwords being identical.
  * Updated translations from Zanata.
- Add patch libpwquality-pythons.patch to avoid duping pythondir
- Make python3 default and enable py2 only when needed

==== libqt5-qtwebengine ====

- Also work around crashes on wayland by disabling the GPU by default (boo#1060990):
  * disable-gpu-when-using-nouveau-boo-1005323.diff

==== libqt5-qtwebsockets ====
Subpackages: libQt5WebSockets5 libQt5WebSockets5-imports libqt5-qtwebsockets-devel

- fix Typo

==== librsvg ====
Version update (2.40.20 -> 2.42.0)
Subpackages: gdk-pixbuf-loader-rsvg librsvg-2-2 rsvg-thumbnailer typelib-1_0-Rsvg-2_0

- Update to version 2.42.0:
  + Fix a memory leak in rsvg_handle_new_from_file().
  + Optimize the xml:space normalization function.
  + Fix a runtime warning in the feMergeNode code (glgo#GNOME/librsvg#179).
  + Clarify documentation about the rsvg_*_sub() APIs (glgo#GNOME/librsvg#175).
  + Stylistic fixes from cargo-clippy.
  + Port the Pango glue code to Rust.
  + New ARCHITECTURE.md with a description of librsvg's internals.
- Clean up spec, use autosetup macro.

==== libsamplerate ====
Subpackages: libsamplerate-devel libsamplerate0

- Add libsamplerate-0.1.9-reproducible.patch to disable throughput test to make builds reproducible in spite of Profile Guided Optimizations

==== libteam ====

- Drop /pkg/ subpart from includedir
- Remove defattr that is not really needed
- Add condition around python bindings, they are really based on swig code that would need to be rewritten to support python3

==== libvirt ====
Subpackages: libvirt-client libvirt-daemon libvirt-daemon-config-network libvirt-daemon-config-nwfilter libvirt-daemon-driver-interface libvirt-daemon-driver-libxl libvirt-daemon-driver-lxc libvirt-daemon-driver-network libvirt-daemon-driver-nodedev libvirt-daemon-driver-nwfilter libvirt-daemon-driver-qemu libvirt-daemon-driver-secret libvirt-daemon-driver-storage libvirt-daemon-driver-storage-core libvirt-daemon-driver-storage-disk libvirt-daemon-driver-storage-iscsi libvirt-daemon-driver-storage-logical libvirt-daemon-driver-storage-mpath libvirt-daemon-driver-storage-rbd libvirt-daemon-driver-storage-scsi libvirt-daemon-driver-uml libvirt-daemon-driver-vbox libvirt-daemon-lxc libvirt-daemon-qemu libvirt-daemon-xen libvirt-libs

- Add a qemu hook script providing functionality similar to Xen's block-dmmd script
  suse-qemu-domain-hook.py
  FATE#324177

==== libxcb ====
Subpackages: libxcb-render0-32bit libxcb-shm0-32bit libxcb1-32bit

- Enable xinput extension. (bnc#1074249)
- U_add-support-for-eventstruct.patch
  * Update xinput to the state when it was enabled by default upstream.
- n_If-auth-with-credentials-for-hostname-fails-retry-with-XAUTHLOCALHOSTNAME.patch
  * Prevent infinite loop also in case DISPLAY is non-local.
- Use spaces instead of tabs in the patches (as does the original source code) to avoid confusion.
- n_If-auth-with-credentials-for-hostname-fails-retry-with-XAUTHLOCALHOSTNAME.patch
  * If authentication (with *stage == 0) failed and the variable XAUTHLOCALHOSTNAME wasn't set, we were never getting to stage 2 in the original patch, causing calls to xcb_connect_to_display to be stuck in an infinite loop. Now we also go to stage 2 if the variable isn't set.

==== libzio ====
Version update (1.05 -> 1.06)

- Add changes from Jerrell Watts which has kindly provided his changes for lzma/xz support with large I/O buffers

==== llvm ====

- Add missing %files for lld.

==== logrotate ====
Version update (3.12.3 -> 3.13.0)

- Version update to 3.13.0:
  * make distribution tarballs report logrotate version properly
  * make (un)compress work even if stdin and/or stdout are closed (#154)
  * remove -s from DEFAULT_MAIL_COMMAND and improve its documentation (#152)
  * uncompress logs before mailing them even if delaycompress is enabled (#151)
  * handle unlink of a non-existing log file as a warning only (#144)
  * include compile-time options in the output of logrotate --version (#145)
  * make logrotate --version print to stdout instead of stderr (#145)
  * flush write buffers before syncing state file (#148)
  * specify (un)compress utility explicitly in tests (#137)
  * enable running tests in parallel (#132)
  * explicitly map root UID/GID to 0 on Cygwin (#133)
  * add .dpkg-bak and .dpkg-del to default tabooext list (#134)

==== lvm2 ====
Subpackages: liblvm2app2_2 liblvm2cmd2_02

- lvmlockd: add lockopt values for skipping selected locks (fate#323203)
  + fate-323203_lvmlockd-add-lockopt-values-for-skipping-selected-lo.patch

==== makedumpfile ====

- makedumpfile-__cpu_online_mask-symbol.patch: Support symbol __cpu_online_mask (FATE#323473, bsc#1070291).
- makedumpfile-vtop4_x86_64_pagetable.patch: Introduce vtop4_x86_64_pagetable (FATE#323473, bsc#1070291).
- makedumpfile-fix-KASLR-for-sadump.patch: Fix a KASLR problem of sadump (FATE#323473, bsc#1070291).
- makedumpfile-fix-KASLR-for-sadump-while-kdump.patch: sadump: Fix a KASLR problem of sadump while kdump is working (FATE#323473, bsc#1070291).

==== mdadm ====

- 0208-mdadm-grow-correct-the-s-size-1-to-make-max-work.patch (bsc#1074949)

==== mjpegtools ====
Subpackages: libmjpegutils-2_0-0

- Add conditional post(un) handling for libmpeg2encpp-2_0-0.

==== mutter ====
Version update (3.26.2 -> 3.26.2+20171231.0bd1d7cf0)
Subpackages: libmutter-1-0 mutter-data mutter-lang

- Update to version 3.26.2+20171231.0bd1d7cf0:
  + Revert "window: Raise and lower tile match in tandem".
  + wayland: Only send full sequences of touch events to clients.
  + stage: Push framebuffer before setting up viewport.
  + keybindings: Only add multiple keycodes from the same level.
  + wayland-outputs: Delay wl_output destruction.
  + monitor-manager-kms:
    - Fix recently introduced build issue.
    - poll() on KMS fd on EAGAIN.
  + compositor: reset top_window_actor and remove it from windows when destroyed.
  + monitor-manager: Compare keys when checking whether a config is complete.
  + Updated translations.
- Switch to git-checkout via source services.
- Following the above, add intltool and libtool BuildRequires and pass autogen.sh to bootstrap the generated tarball.
- Pkgconfigy the BuildRequires, replace: gobject-introspection-devel, libSM-devel, libX11-devel and libXinerama-devel with pkgconfig(gobject-introspection-1.0), pkgconfig(sm), pkgconfig(x11) and pkgconfig(xinerama).
- Drop update-desktop-files BuildRequires and stop using suse_update_desktop_file macro, no longer needed.
- Drop pkgconfig(gbm) BuildRequires listed twice.
- Run spec-cleaner, modernize spec, use make_build macro.

==== nbd ====
Version update (3.16.1 -> 3.16.2)

- Update to version 1.16.2:
  * Make the test suite less chatty
  * Various build system improvements
  * Fixes to the systemd unit to make it work again with recent systemd
  * Point to the nbd mailinglist, rather than to the maintainer's personal email address, for bug reports.

==== newt ====

- Build without py2 if needed
- Fix upstream url

==== nghttp2 ====
Version update (1.28.0 -> 1.29.0)

- Update to version 1.29.0:
  * lib: Use NGHTTP2_REFUSED_STREAM for streams which are closed by GOAWAY
  * build: Remove SPDY
  * build: Fix CMAKE_MODULE_PATH
  * nghttpx: Revert "nghttpx: Use an existing h2 backend connection as much as possible"
  * nghttpx: Write API request body in temporary file
  * nghttpx: Increase api-max-request-body
  * nghttpx: Faster configuration loading with lots of backends
  * nghttpx: Fix crash with --backend-http-proxy-uri option

==== ntp ====
Subpackages: ntp-doc

- Add ntp-reproducible.patch to make build reproducible (boo#1047218)
- Restart ntpd if failed or aborted (FATE#315133).
- Do not try to set the HW clock when adding a server at runtime to avoid blocking systemd.

==== numactl ====
Subpackages: libnuma1

- Disable building at 32-bit ARM. NUMA is not supported by 32-bit ARM Linux Kernel, so build failed with [#]error "Add syscalls for your architecture or update kernel headers"

==== openblas_pthreads ====

- Switch from gcc6 to gcc7 as additional compiler flavor for HPC on SLES.
- Fix library package requires - use HPC macro (boo#1074890).
- Fix unexpanded rpm macro in environment module file for HPC (boo#1074897).

==== opencv ====
Subpackages: libopencv3_3 opencv-devel

- Add conditionals for python2 and python3 to allow us enabling only desired python variants when needed
- Do not depend on sphinx as py2 and py3 seem to collide there

==== openssh ====
Version update (7.2p2 -> 7.6p1)
Subpackages: openssh-helpers

- Replace forgotten references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)
- tighten configuration access rights
- Update to vanilla 7.6p1
  Most important changes (more details below):
  * complete removal of the ancient SSHv1 protocol
  * sshd(8) cannot run without privilege separation
  * removal of support for arcfour, blowfish and CAST ciphers and RIPE-MD160 HMAC
  * refuse RSA keys shorter than 1024 bits
  Distilled upstream log:
- OpenSSH 7.3
- --- Security
  * sshd(8): Mitigate a potential denial-of-service attack against the system's crypt(3) function via sshd(8). An attacker could send very long passwords that would cause excessive CPU use in crypt(3). sshd(8) now refuses to accept password authentication requests of length greater than 1024 characters. Independently reported by Tomas Kuthan (Oracle), Andres Rojas and Javier Nieto.
  * sshd(8): Mitigate timing differences in password authentication that could be used to discern valid from invalid account names when long passwords were sent and particular password hashing algorithms are in use on the server. CVE-2016-6210, reported by EddieEzra.Harari at verint.com
  * ssh(1), sshd(8): Fix observable timing weakness in the CBC padding oracle countermeasures. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. Note that CBC ciphers are disabled by default and only included for legacy compatibility.
  * ssh(1), sshd(8): Improve operation ordering of MAC verification for Encrypt-then-MAC (EtM) mode transport MAC algorithms to verify the MAC before decrypting any ciphertext.
    This removes the possibility of timing differences leaking facts about the plaintext, though no such leakage has been observed. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht.
  * sshd(8): (portable only) Ignore PAM environment vars when UseLogin=yes. If PAM is configured to read user-specified environment variables and UseLogin=yes in sshd_config, then a hostile local user may attack /bin/login via LD_PRELOAD or similar environment variables set via PAM. CVE-2015-8325, found by Shayan Sadigh.
- --- New Features
  * ssh(1): Add a ProxyJump option and corresponding -J command-line flag to allow simplified indirection through one or more SSH bastions or "jump hosts".
  * ssh(1): Add an IdentityAgent option to allow specifying specific agent sockets instead of accepting one from the environment.
  * ssh(1): Allow ExitOnForwardFailure and ClearAllForwardings to be optionally overridden when using ssh -W. bz#2577
  * ssh(1), sshd(8): Implement support for the IUTF8 terminal mode as per draft-sgtatham-secsh-iutf8-00.
  * ssh(1), sshd(8): Add support for additional fixed Diffie-Hellman 2K, 4K and 8K groups from draft-ietf-curdle-ssh-kex-sha2-03.
  * ssh-keygen(1), ssh(1), sshd(8): support SHA256 and SHA512 RSA signatures in certificates;
  * ssh(1): Add an Include directive for ssh_config(5) files.
  * ssh(1): Permit UTF-8 characters in pre-authentication banners sent from the server. bz#2058
- --- Bugfixes
  * ssh(1), sshd(8): Reduce the syslog level of some relatively common protocol events from LOG_CRIT. bz#2585
  * sshd(8): Refuse AuthenticationMethods="" in configurations and accept AuthenticationMethods=any for the default behaviour of not requiring multiple authentication. bz#2398
  * sshd(8): Remove obsolete and misleading "POSSIBLE BREAK-IN ATTEMPT!" message when forward and reverse DNS don't match. bz#2585
  * ssh(1): Close ControlPersist background process stderr except in debug mode or when logging to syslog.
    bz#1988
  * misc: Make PROTOCOL description for direct-streamlocal@openssh.com channel open messages match deployed code. bz#2529
  * ssh(1): Deduplicate LocalForward and RemoteForward entries to fix failures when both ExitOnForwardFailure and hostname canonicalisation are enabled. bz#2562
  * sshd(8): Remove fallback from moduli to obsolete "primes" file that was deprecated in 2001. bz#2559.
  * sshd_config(5): Correct description of UseDNS: it affects ssh hostname processing for authorized_keys, not known_hosts; bz#2554
  * ssh(1): Fix authentication using lone certificate keys in an agent without corresponding private keys on the filesystem. bz#2550
  * sshd(8): Send ClientAliveInterval pings when a time-based RekeyLimit is set; previously keepalive packets were not being sent. bz#2252
- --- Portability
  * ssh(1), sshd(8): Fix compilation by automatically disabling ciphers not supported by OpenSSL. bz#2466
  * misc: Fix compilation failures on some versions of AIX's compiler related to the definition of the VA_COPY macro. bz#2589
  * sshd(8): Whitelist more architectures to enable the seccomp-bpf sandbox. bz#2590
  * ssh-agent(1), sftp-server(8): Disable process tracing on Solaris using setpflags(__PROC_PROTECT, ...). bz#2584
  * sshd(8): On Solaris, don't call Solaris setproject() with UsePAM=yes; it's PAM's responsibility. bz#2425
- OpenSSH 7.4
- --- Potentially-incompatible changes
  * ssh(1): Remove 3des-cbc from the client's default proposal. 64-bit block ciphers are not safe in 2016 and we don't want to wait until attacks like SWEET32 are extended to SSH. As 3des-cbc was the only mandatory cipher in the SSH RFCs, this may cause problems connecting to older devices using the default configuration, but it's highly likely that such devices already need explicit configuration for key exchange and hostkey algorithms already anyway.
  * sshd(8): Remove support for pre-authentication compression.
    Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface. Pre-auth compression support has been disabled by default for >10 years. Support remains in the client.
  * ssh-agent will refuse to load PKCS#11 modules outside a whitelist of trusted paths by default. The path whitelist may be specified at run-time.
  * sshd(8): When a forced-command appears in both a certificate and an authorized keys/principals command= restriction, sshd will now refuse to accept the certificate unless they are identical. The previous (documented) behaviour of having the certificate forced-command override the other could be a bit confusing and error-prone.
  * sshd(8): Remove the UseLogin configuration directive and support for having /bin/login manage login sessions.
- --- Security
  * ssh-agent(1): Will now refuse to load PKCS#11 modules from paths outside a trusted whitelist (run-time configurable). Requests to load modules could be passed via agent forwarding and an attacker could attempt to load a hostile PKCS#11 module across the forwarded agent channel: PKCS#11 modules are shared libraries, so this would result in code execution on the system running the ssh-agent if the attacker has control of the forwarded agent-socket (on the host running the sshd server) and the ability to write to the filesystem of the host running ssh-agent (usually the host running the ssh client). Reported by Jann Horn of Project Zero.
  * sshd(8): When privilege separation is disabled, forwarded Unix-domain sockets would be created by sshd(8) with the privileges of 'root' instead of the authenticated user. This release refuses Unix-domain socket forwarding when privilege separation is disabled (Privilege separation has been enabled by default for 14 years). Reported by Jann Horn of Project Zero.
  * sshd(8): Avoid theoretical leak of host private key material to privilege-separated child processes via realloc() when reading keys. No such leak was observed in practice for normal-sized keys, nor does a leak to the child processes directly expose key material to unprivileged users. Reported by Jann Horn of Project Zero.
  * sshd(8): The shared memory manager used by pre-authentication compression support had a bounds check that could be elided by some optimising compilers. Additionally, this memory manager was incorrectly accessible when pre-authentication compression was disabled. This could potentially allow attacks against the privileged monitor process from the sandboxed privilege-separation process (a compromise of the latter would be required first). This release removes support for pre-authentication compression from sshd(8). Reported by Guido Vranken using the Stack unstable optimisation identification tool (http://css.csail.mit.edu/stack/)
  * sshd(8): Fix denial-of-service condition where an attacker who sends multiple KEXINIT messages may consume up to 128MB per connection. Reported by Shi Lei of Gear Team, Qihoo 360.
  * sshd(8): Validate address ranges for AllowUsers and DenyUsers directives at configuration load time and refuse to accept invalid ones. It was previously possible to specify invalid CIDR address ranges (e.g. user@127.1.2.3/55) and these would always match, possibly resulting in granting access where it was not intended. Reported by Laurence Parry.
- --- New Features
  * ssh(1): Add a proxy multiplexing mode to ssh(1) inspired by the version in PuTTY by Simon Tatham. This allows a multiplexing client to communicate with the master process using a subset of the SSH packet and channels protocol over a Unix-domain socket, with the main process acting as a proxy that translates channel IDs, etc.
    This allows multiplexing mode to run on systems that lack file-descriptor passing (used by current multiplexing code) and potentially, in conjunction with Unix-domain socket forwarding, with the client and multiplexing master process on different machines. Multiplexing proxy mode may be invoked using "ssh -O proxy ..."
  * sshd(8): Add a sshd_config DisableForwarding option that disables X11, agent, TCP, tunnel and Unix domain socket forwarding, as well as anything else we might implement in the future. Like the 'restrict' authorized_keys flag, this is intended to be a simple and future-proof way of restricting an account.
  * sshd(8), ssh(1): Support the "curve25519-sha256" key exchange method. This is identical to the currently-supported method named "curve25519-sha256@libssh.org".
  * sshd(8): Improve handling of SIGHUP by checking to see if sshd is already daemonised at startup and skipping the call to daemon(3) if it is. This ensures that a SIGHUP restart of sshd(8) will retain the same process-ID as the initial execution. sshd(8) will also now unlink the PidFile prior to SIGHUP restart and re-create it after a successful restart, rather than leaving a stale file in the case of a configuration error. bz#2641
  * sshd(8): Allow ClientAliveInterval and ClientAliveCountMax directives to appear in sshd_config Match blocks.
  * sshd(8): Add %-escapes to AuthorizedPrincipalsCommand to match those supported by AuthorizedKeysCommand (key, key type, fingerprint, etc.) and a few more to provide access to the contents of the certificate being offered.
  * Added regression tests for string matching, address matching and string sanitisation functions.
  * Improved the key exchange fuzzer harness.
- --- Bugfixes
  * ssh(1): Allow IdentityFile to successfully load and use certificates that have no corresponding bare public key. bz#2617 certificate id_rsa-cert.pub (and no id_rsa.pub).
  * ssh(1): Fix public key authentication when multiple authentication is in use and publickey is not just the first method attempted. bz#2642
  * regress: Allow the PuTTY interop tests to run unattended. bz#2639
  * ssh-agent(1), ssh(1): improve reporting when attempting to load keys from PKCS#11 tokens with fewer useless log messages and more detail in debug messages. bz#2610
  * ssh(1): When tearing down ControlMaster connections, don't pollute stderr when LogLevel=quiet.
  * sftp(1): On ^Z wait for underlying ssh(1) to suspend before suspending sftp(1) to ensure that ssh(1) restores the terminal mode correctly if suspended during a password prompt.
  * ssh(1): Avoid busy-wait when ssh(1) is suspended during a password prompt.
  * ssh(1), sshd(8): Correctly report errors during sending of ext-info messages.
  * sshd(8): fix NULL-deref crash if sshd(8) received an out-of-sequence NEWKEYS message.
  * sshd(8): Correct list of supported signature algorithms sent in the server-sig-algs extension. bz#2547
  * sshd(8): Fix sending ext_info message if privsep is disabled.
  * sshd(8): more strictly enforce the expected ordering of privilege separation monitor calls used for authentication and allow them only when their respective authentication methods are enabled in the configuration
  * sshd(8): Fix uninitialised optlen in getsockopt() call; harmless on Unix/BSD but potentially crashy on Cygwin.
  * Fix false positive reports caused by explicit_bzero(3) not being recognised as a memory initialiser when compiled with -fsanitize-memory.
  * sshd_config(5): Use 2001:db8::/32, the official IPv6 subnet for configuration examples.
- --- Portability
  * On environments configured with Turkish locales, fall back to the C/POSIX locale to avoid errors in configuration parsing caused by that locale's unique handling of the letters 'i' and 'I'. bz#2643
  * sftp-server(8), ssh-agent(1): Deny ptrace on OS X using ptrace(PT_DENY_ATTACH, ..)
  * ssh(1), sshd(8): Unbreak AES-CTR ciphers on old (~0.9.8) OpenSSL.
  * Fix compilation for libcrypto compiled without RIPEMD160 support.
  * contrib: Add a gnome-ssh-askpass3 with GTK+3 support. bz#2640
  * sshd(8): Improve PRNG reseeding across privilege separation and force libcrypto to obtain a high-quality seed before chroot or sandboxing.
  * All: Explicitly test for broken strnvis. NetBSD added an strnvis and unfortunately made it incompatible with the existing one in OpenBSD and Linux's libbsd (the former having existed for over ten years). Try to detect this mess, and assume the only safe option if we're cross compiling.
- OpenSSH 7.5
- --- Potentially-incompatible changes
  * This release deprecates the sshd_config UsePrivilegeSeparation option, thereby making privilege separation mandatory. Privilege separation has been on by default for almost 15 years and sandboxing has been on by default for almost the last five.
  * The format of several log messages emitted by the packet code has changed to include additional information about the user and their authentication state. Software that monitors ssh/sshd logs may need to account for these changes. For example:
      Connection closed by user x 1.1.1.1 port 1234 [preauth]
      Connection closed by authenticating user x 10.1.1.1 port 1234 [preauth]
      Connection closed by invalid user x 1.1.1.1 port 1234 [preauth]
    Affected messages include connection closure, timeout, remote disconnection, negotiation failure and some other fatal messages generated by the packet code.
  * [Portable OpenSSH only] This version removes support for building against OpenSSL versions prior to 1.0.1. OpenSSL stopped supporting versions prior to 1.0.1 over 12 months ago (i.e. they no longer receive fixes for security bugs).
- --- Security
  * ssh(1), sshd(8): Fix weakness in CBC padding oracle countermeasures that allowed a variant of the attack fixed in OpenSSH 7.3 to proceed.
    Note that the OpenSSH client disables CBC ciphers by default, sshd offers them as lowest-preference options and will remove them by default entirely in the next release. Reported by Jean Paul Degabriele, Kenny Paterson, Martin Albrecht and Torben Hansen of Royal Holloway, University of London.
  * sftp-client(1): [portable OpenSSH only] On Cygwin, a client making a recursive file transfer could be manipulated by a hostile server to perform a path-traversal attack, creating or modifying files outside of the intended target directory. Reported by Jann Horn of Google Project Zero.
- --- New Features
  * ssh(1), sshd(8): Support "=-" syntax to easily remove methods from algorithm lists, e.g. Ciphers=-*cbc. bz#2671
- --- Bugfixes
  * sshd(1): Fix NULL dereference crash when key exchange start messages are sent out of sequence.
  * ssh(1), sshd(8): Allow form-feed characters to appear in configuration files.
  * sshd(8): Fix regression in OpenSSH 7.4 support for the server-sig-algs extension, where SHA2 RSA signature methods were not being correctly advertised. bz#2680
  * ssh(1), ssh-keygen(1): Fix a number of case-sensitivity bugs in known_hosts processing. bz#2591 bz#2685
  * ssh(1): Allow ssh to use certificates accompanied by a private key file but no corresponding plain *.pub public key. bz#2617
  * ssh(1): When updating hostkeys using the UpdateHostKeys option, accept RSA keys if HostkeyAlgorithms contains any RSA keytype. Previously, ssh could ignore RSA keys when only the ssh-rsa-sha2-* methods were enabled in HostkeyAlgorithms and not the old ssh-rsa method. bz#2650
  * ssh(1): Detect and report excessively long configuration file lines. bz#2651
  * Merge a number of fixes found by Coverity and reported via Redhat and FreeBSD. Includes fixes for some memory and file descriptor leaks in error paths. bz#2687
  * ssh-keyscan(1): Correctly hash hosts with a port number.
    bz#2692
  * ssh(1), sshd(8): When logging long messages to stderr, don't truncate "\r\n" if the length of the message exceeds the buffer. bz#2688
  * ssh(1): Fully quote [host]:port in generated ProxyJump/-J command-line; avoid confusion over IPv6 addresses and shells that treat square bracket characters specially.
  * ssh-keygen(1): Fix corruption of known_hosts when running "ssh-keygen -H" on a known_hosts containing already-hashed entries.
  * Fix various fallout and sharp edges caused by removing SSH protocol 1 support from the server, including the server banner string being incorrectly terminated with only \n (instead of \r\n), confusing error messages from ssh-keyscan bz#2583 and a segfault in sshd if protocol v.1 was enabled for the client and sshd_config contained references to legacy keys bz#2686.
  * ssh(1), sshd(8): Free fd_set on connection timeout. bz#2683
  * sshd(8): Fix Unix domain socket forwarding for root (regression in OpenSSH 7.4).
  * sftp(1): Fix division by zero crash in "df" output when server returns zero total filesystem blocks/inodes.
  * ssh(1), ssh-add(1), ssh-keygen(1), sshd(8): Translate OpenSSL errors encountered during key loading to more meaningful error codes. bz#2522 bz#2523
  * ssh-keygen(1): Sanitise escape sequences in key comments sent to printf but preserve valid UTF-8 when the locale supports it; bz#2520
  * ssh(1), sshd(8): Return reason for port forwarding failures where feasible rather than always "administratively prohibited". bz#2674
  * sshd(8): Fix deadlock when AuthorizedKeysCommand or AuthorizedPrincipalsCommand produces a lot of output and a key is matched early. bz#2655
  * Regression tests: several reliability fixes. bz#2654 bz#2658 bz#2659
  * ssh(1): Fix typo in ~C error message for bad port forward cancellation. bz#2672
  * ssh(1): Show a useful error message when included config files can't be opened; bz#2653
  * sshd(8): Make sshd set GSSAPIStrictAcceptorCheck=yes as the manual page (previously incorrectly) advertised.
    bz#2637
  * sshd_config(5): Repair accidentally-deleted mention of %k token in AuthorizedKeysCommand; bz#2656
  * sshd(8): Remove vestiges of previously removed LOGIN_PROGRAM; bz#2665
  * ssh-agent(1): Relax PKCS#11 whitelist to include libexec and common 32-bit compatibility library directories.
  * sftp-client(1): Fix non-exploitable integer overflow in SSH2_FXP_NAME response handling.
  * ssh-agent(1): Fix regression in 7.4 of deleting PKCS#11-hosted keys. It was not possible to delete them except by specifying their full physical path. bz#2682
- --- Portability
  * sshd(8): Avoid sandbox errors for Linux S390 systems using an ICA crypto coprocessor.
  * sshd(8): Fix non-exploitable weakness in seccomp-bpf sandbox arg inspection.
  * ssh(1): Fix X11 forwarding on OSX where X11 was being started by launchd. bz#2341
  * ssh-keygen(1), ssh(1), sftp(1): Fix output truncation for various that contain non-printable characters where the codeset in use is ASCII.
  * build: Fix builds that attempt to link a kerberised libldns. bz#2603
  * build: Fix compilation problems caused by unconditionally defining _XOPEN_SOURCE in wide character detection.
  * sshd(8): Fix sandbox violations for clock_gettime vDSO syscall fallback on some Linux/X32 kernels. bz#2142
- OpenSSH 7.6
- --- Potentially-incompatible changes
  This release includes a number of changes that may affect existing configurations:
  * ssh(1): delete SSH protocol version 1 support, associated configuration options and documentation.
  * ssh(1)/sshd(8): remove support for the hmac-ripemd160 MAC.
  * ssh(1)/sshd(8): remove support for the arcfour, blowfish and CAST ciphers.
  * Refuse RSA keys <1024 bits in length and improve reporting for keys that do not meet this requirement.
  * ssh(1): do not offer CBC ciphers by default.
- --- Security
  * sftp-server(8): in read-only mode, sftp-server was incorrectly permitting creation of zero-length files. Reported by Michal Zalewski.
- --- New Features
  * ssh(1): add RemoteCommand option to specify a command in the ssh config file instead of giving it on the client's command line. This allows the configuration file to specify the command that will be executed on the remote host.
  * sshd(8): add ExposeAuthInfo option that enables writing details of the authentication methods used (including public keys where applicable) to a file that is exposed via a $SSH_USER_AUTH environment variable in the subsequent session.
  * ssh(1): add support for reverse dynamic forwarding. In this mode, ssh will act as a SOCKS4/5 proxy and forward connections to destinations requested by the remote SOCKS client. This mode is requested using extended syntax for the -R and RemoteForward options and, because it is implemented solely at the client, does not require the server be updated to be supported.
  * sshd(8): allow LogLevel directive in sshd_config Match blocks; bz#2717
  * ssh-keygen(1): allow inclusion of arbitrary string or flag certificate extensions and critical options.
  * ssh-keygen(1): allow ssh-keygen to use a key held in ssh-agent as a CA when signing certificates. bz#2377
  * ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default.
  * ssh-add(1): added -q option to make ssh-add quiet on success.
  * ssh(1): expand the StrictHostKeyChecking option with two new settings. The first "accept-new" will automatically accept hitherto-unseen keys but will refuse connections for changed or invalid hostkeys. This is a safer subset of the current behaviour of StrictHostKeyChecking=no. The second setting "off", is a synonym for the current behaviour of StrictHostKeyChecking=no: accept new host keys, and continue connection for hosts with incorrect hostkeys. A future release will change the meaning of StrictHostKeyChecking=no to the behaviour of "accept-new". bz#2400
  * ssh(1): add SyslogFacility option to ssh(1) matching the equivalent option in sshd(8).
bz#2705 - --- Bugfixes * ssh(1): use HostKeyAlias if specified instead of hostname for matching host certificate principal names; bz#2728 * sftp(1): implement sorting for globbed ls; bz#2649 * ssh(1): add a user@host prefix to client's "Permission denied" messages, useful in particular when using "stacked" connections (e.g. ssh -J) where it's not clear which host is denying. bz#2720 * ssh(1): accept unknown EXT_INFO extension values that contain \0 characters. These are legal, but would previously cause fatal connection errors if received. * ssh(1)/sshd(8): repair compression statistics printed at connection exit * sftp(1): print '?' instead of incorrect link count (that the protocol doesn't provide) for remote listings. bz#2710 * ssh(1): return failure rather than fatal() for more cases during session multiplexing negotiations. Causes the session to fall back to a non-mux connection if they occur. bz#2707 * ssh(1): mention that the server may send debug messages to explain public key authentication problems under some circumstances; bz#2709 * Translate OpenSSL error codes to better report incorrect passphrase errors when loading private keys; bz#2699 * sshd(8): adjust compatibility patterns for WinSCP to correctly identify versions that implement only the legacy DH group exchange scheme. bz#2748 * ssh(1): print the "Killed by signal 1" message only at LogLevel verbose so that it is not shown at the default level; prevents it from appearing during ssh -J and equivalent ProxyCommand configs. bz#1906, bz#2744 * ssh-keygen(1): when generating all hostkeys (ssh-keygen -A), clobber existing keys if they exist but are zero length. zero-length keys could previously be made if ssh-keygen failed or was interrupted part way through generating them. bz#2561 * ssh(1): fix pledge(2) violation in the escape sequence "~&" used to place the current session in the background. 
* ssh-keyscan(1): avoid double-close() on file descriptors; bz#2734 * sshd(8): avoid reliance on shared use of pointers shared between monitor and child sshd processes. bz#2704 * sshd_config(8): document available AuthenticationMethods; bz#2453 * ssh(1): avoid truncation in some login prompts; bz#2768 * sshd(8): Fix various compilations failures, inc bz#2767 * ssh(1): make "--" before the hostname terminate argument processing after the hostname too. * ssh-keygen(1): switch from aes256-cbc to aes256-ctr for encrypting new-style private keys. Fixes problems related to private key handling for no-OpenSSL builds. bz#2754 * ssh(1): warn and do not attempt to use keys when the public and private halves do not match. bz#2737 * sftp(1): don't print verbose error message when ssh disconnects from under sftp. bz#2750 * sshd(8): fix keepalive scheduling problem: activity on a forwarded port from preventing the keepalive from being sent; bz#2756 * sshd(8): when started without root privileges, don't require the privilege separation user or path to exist. Makes running the regression tests easier without touching the filesystem. * Make integrity.sh regression tests more robust against timeouts. bz#2658 * ssh(1)/sshd(8): correctness fix for channels implementation: accept channel IDs greater than 0x7FFFFFFF. - --- Portability * sshd(9): drop two more privileges in the Solaris sandbox: PRIV_DAX_ACCESS and PRIV_SYS_IB_INFO; bz#2723 * sshd(8): expose list of completed authentication methods to PAM via the SSH_AUTH_INFO_0 PAM environment variable. bz#2408 * ssh(1)/sshd(8): fix several problems in the tun/tap forwarding code, mostly to do with host/network byte order confusion. bz#2735 * Add --with-cflags-after and --with-ldflags-after configure flags to allow setting CFLAGS/LDFLAGS after configure has completed. These are useful for setting sanitiser/fuzzing options that may interfere with configure's operation. 
* sshd(8): avoid Linux seccomp violations on ppc64le over the socketcall syscall. * Fix use of ldns when using ldns-config; bz#2697 * configure: set cache variables when cross-compiling. The cross- compiling fallback message was saying it assumed the test passed, but it wasn't actually set the cache variables and this would cause later tests to fail. * Add clang libFuzzer harnesses for public key parsing and signature verification. - packaging: * moving patches into a separate archive * first round of rebased patches: [-X11_trusted_forwarding] [-allow_root_password_login] [-blocksigalrm] [-cavstest-ctr] [-cavstest-kdf] [-disable_short_DH_parameters] [-eal3] [-enable_PAM_by_default] [-fips] [-fips_checks] [-gssapi_key_exchange] [-hostname_changes_when_forwarding_X] [-lastlog] [-missing_headers] [-pam_check_locks] [-pts_names_formatting] [-remove_xauth_cookies_on_exit] [-seccomp_geteuid] [-seccomp_getuid] [-seccomp_stat] [-seed-prng] [-send_locale] [-systemd-notify] * not rebased (obsoleted) patches (so far): [-additional_seccomp_archs] [-allow_DSS_by_default] [-default_protocol] [-dont_use_pthreads_in_PAM] [-eal3_obsolete] [-gssapimitm] [-saveargv-fix] * obviously removing all standalone patch files: [openssh-7.2p2-allow_root_password_login.patch] [openssh-7.2p2-allow_DSS_by_default.patch] [openssh-7.2p2-X11_trusted_forwarding.patch] [openssh-7.2p2-lastlog.patch] [openssh-7.2p2-enable_PAM_by_default.patch] [openssh-7.2p2-dont_use_pthreads_in_PAM.patch] [openssh-7.2p2-eal3.patch] [openssh-7.2p2-blocksigalrm.patch] [openssh-7.2p2-send_locale.patch] [openssh-7.2p2-hostname_changes_when_forwarding_X.patch] [openssh-7.2p2-remove_xauth_cookies_on_exit.patch] [openssh-7.2p2-pts_names_formatting.patch] [openssh-7.2p2-pam_check_locks.patch] [openssh-7.2p2-disable_short_DH_parameters.patch] [openssh-7.2p2-seccomp_getuid.patch] [openssh-7.2p2-seccomp_geteuid.patch] [openssh-7.2p2-seccomp_stat.patch] [openssh-7.2p2-additional_seccomp_archs.patch] [openssh-7.2p2-fips.patch] 
[openssh-7.2p2-cavstest-ctr.patch] [openssh-7.2p2-cavstest-kdf.patch] [openssh-7.2p2-seed-prng.patch] [openssh-7.2p2-gssapi_key_exchange.patch] [openssh-7.2p2-audit.patch] [openssh-7.2p2-audit_fixes.patch] [openssh-7.2p2-audit_seed_prng.patch] [openssh-7.2p2-login_options.patch] [openssh-7.2p2-disable_openssl_abi_check.patch] [openssh-7.2p2-no_fork-no_pid_file.patch] [openssh-7.2p2-host_ident.patch] [openssh-7.2p2-sftp_homechroot.patch] [openssh-7.2p2-sftp_force_permissions.patch] [openssh-7.2p2-X_forward_with_disabled_ipv6.patch] [openssh-7.2p2-ldap.patch] [openssh-7.2p2-IPv6_X_forwarding.patch] [openssh-7.2p2-ignore_PAM_with_UseLogin.patch] [openssh-7.2p2-prevent_timing_user_enumeration.patch] [openssh-7.2p2-limit_password_length.patch] [openssh-7.2p2-keep_slogin.patch] [openssh-7.2p2-kex_resource_depletion.patch] [openssh-7.2p2-verify_CIDR_address_ranges.patch] [openssh-7.2p2-restrict_pkcs11-modules.patch] [openssh-7.2p2-prevent_private_key_leakage.patch] [openssh-7.2p2-secure_unix_sockets_forwarding.patch] [openssh-7.2p2-ssh_case_insensitive_host_matching.patch] [openssh-7.2p2-disable_preauth_compression.patch] [openssh-7.2p2-s390_hw_crypto_syscalls.patch] [openssh-7.2p2-s390_OpenSSL-ibmpkcs11_syscalls.patch] - Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468) ==== patterns-kde ==== Subpackages: patterns-kde-devel_kde patterns-kde-devel_kde_frameworks patterns-kde-devel_qt5 patterns-kde-kde patterns-kde-kde_edutainment patterns-kde-kde_games patterns-kde-kde_ide patterns-kde-kde_imaging patterns-kde-kde_internet patterns-kde-kde_multimedia patterns-kde-kde_office patterns-kde-kde_plasma patterns-kde-kde_utilities patterns-kde-kde_utilities_opt patterns-kde-kde_yast - Recommend discover in the kde_plasma pattern ==== php7 ==== Version update (7.2.0 -> 7.2.1) Subpackages: apache2-mod_php7 php7-bcmath php7-bz2 php7-calendar php7-ctype php7-curl php7-dba php7-devel php7-dom php7-exif php7-fastcgi php7-ftp php7-gd php7-gettext 
php7-gmp php7-iconv php7-imap php7-json php7-ldap php7-mbstring php7-mysql php7-odbc php7-openssl php7-pdo php7-pear php7-pear-Archive_Tar php7-pgsql php7-shmop php7-snmp php7-sockets php7-sqlite php7-sysvsem php7-sysvshm php7-tidy php7-tokenizer php7-wddx php7-xmlreader php7-xmlwriter php7-xsl php7-zlib

- updated to 7.2.1: Several security bugs were fixed in this release. http://php.net/ChangeLog-7.php#7.2.1
- build against newer webp [bsc#1074121]

==== plasma5-desktop ====
Subpackages: plasma5-desktop-lang

- Add patch to fix generation of font previews:
  * 0001-Support-font-ttf-and-font-otf-mimetypes-in-kfontinst.patch

==== plasma5-pk-updates ====
Subpackages: plasma5-pk-updates-lang

- Fix refresh logic on startup:
  * 0001-Only-save-the-last-update-timestep-on-success.patch
  * 0002-Show-that-the-last-check-failed-if-no-updates-availa.patch
  * 0003-List-known-updates-on-startup.patch

==== publicsuffix ====
Version update (20171028 -> 20171228)

- Update to version 20171228:
  * Add Paris region (#579)
  * Fixed alwaysdata.net. (#555)
  * Add Combell domains (#565)
  * Adding scrysec.com (#528)
  * Add Fedora Openshift app domains (#533)
  * Add resin.io device domains to list (#499)
  * Add nh-serv.co.uk to list file (#491)
  * Add 1Password domains (#562)
  * Add s5y.io (#572)
  * Add social domains - NIC.bo (#467)

==== python-attrs ====
Version update (17.3.0 -> 17.4.0)

- specfile:
  * update copyright year
- update to version 17.4.0:
  * Backward-incompatible Changes
    + The traversal of MROs when using multiple inheritance was backward: If you defined a class "C" that subclasses "A" and "B" like "C(A, B)", "attrs" would have collected the attributes from "B" *before* those of "A". This is now fixed and means that in classes that employ multiple inheritance, the output of "__repr__" and the order of positional arguments in "__init__" changes. Due to the nature of this bug, a proper deprecation cycle was unfortunately impossible.
      Generally speaking, it's advisable to prefer "kwargs"-based initialization anyways - *especially* if you employ multiple inheritance and diamond-shaped hierarchies.
    + The "__repr__" set by "attrs" no longer produces an "AttributeError" when the instance is missing some of the specified attributes (either through deleting or after using "init=False" on some attributes). This can break code that relied on "repr(attr_cls_instance)" raising "AttributeError" to check if any attr-specified members were unset. If you were using this, you can implement a custom method for checking this::

          def has_unset_members(self):
              for field in attr.fields(type(self)):
                  try:
                      getattr(self, field.name)
                  except AttributeError:
                      return True
              return False

  * Deprecations
    + The "attr.ib(convert=callable)" option is now deprecated in favor of "attr.ib(converter=callable)". This is done to achieve consistency with other noun-based arguments like *validator*. *convert* will keep working until at least January 2019 while raising a "DeprecationWarning".
  * Changes
    + Generated "__hash__" methods now hash the class type along with the attribute values. Until now the hashes of two classes with the same values were identical which was a bug. The generated method is also *much* faster now.
    + "attr.ib"'s "metadata" argument now defaults to a unique empty "dict" instance instead of sharing a common empty "dict" for all. The singleton empty "dict" is still enforced.
    + "ctypes" is optional now however if it's missing, a bare "super()" will not work in slots classes. This should only happen in special environments like Google App Engine.
    + The attribute redefinition feature introduced in 17.3.0 now takes into account if an attribute is redefined via multiple inheritance. In that case, the definition that is closer to the base of the class hierarchy wins.
    + Subclasses of "auto_attribs=True" can be empty now.
    + Equality tests are *much* faster now.
    + All generated methods now have correct "__module__", "__name__", and (on Python 3) "__qualname__" attributes.

==== python-cssselect ====
Version update (1.0.1 -> 1.0.3)
Subpackages: python2-cssselect python3-cssselect

- specfile:
  * update copyright year
- update to version 1.0.3:
  * Fix artifact uploads to pypi
- changes from version 1.0.2:
  * Drop support for Python 2.6 and Python 3.3.
  * Fix deprecation warning in Python 3.6.
  * Minor cleanups.

==== python-dbus-python ====
Subpackages: python2-dbus-python python3-dbus-python

- drop unneeded epydoc requirement properly

==== python-gpgme ====
- Use python macros to not directly pull both develpackages

==== python-httplib2 ====
- update httplib2-use-system-certs.patch: handle the case with ssl_version being None correctly
- update httplib2-use-system-certs.patch: Also use ssl.create_default_context in the python2 case so that the system wide certificates are loaded as trusted again.

==== python-kiwi ====
Version update (9.11.24 -> 9.11.30)

- Bump version: 9.11.29 → 9.11.30
- Deleted syslinux from ppc/oemboot/suse-SLES15 syslinux is not provided for ppc. This Fixes bsc#1073310 [boot] fix double quote in grub menu which makes kernel updates for CentOS / RHEL / Fedora break grub.cfg
- Omit kiwi-repart dracut module in oemboot initrd KIWI's oemboot initrd with initrd_system="dracut" together with installiso="true" requires to have dracut-kiwi-oem-repart package installed in the system, thus it ends up also being included in the recreated dracut initrd after booting the oemboot initrd from the installation iso. This kiwi-repart module causes a boot failure in that case since no .profile file is present, moreover, it has no sense to run it at that stage, since the disk is already reparted by the oemboot code. This commit allows installiso="true" and initrd_system="dracut" to play well together.
- Improve locale pattern in schema Now the locale pattern in the schema also supports POSIX.
  Note that POSIX will be only accepted if listed in the first place of the comma separated list. This commit fixes #570
- Bump version: 9.11.28 → 9.11.29
- Allow to choose dracut live module There is the standard dracut dmsquash-live module based on the device mapper technology and the kiwi-live module based on the overlayfs technology. The setup of the live iso structure in kiwi is compatible to both modules. Thus it makes sense to allow to choose the technology via the flags attribute <type image="iso" ... flags="overlay|dmsquash"/> Please note both modules support a different set of live features. This Fixes #568
- Bump version: 9.11.27 → 9.11.28
- Fixed ec2 and azure test builds cryptconfig is no longer provided
- Bump version: 9.11.26 → 9.11.27
- Apply target permissions only if target dir exists
- Bump version: 9.11.25 → 9.11.26
- Fixed use of stat result in os.chmod oct method returns a string representation which was mistakenly used in a subsequent os.chmod call. This Fixes #564
- Fixed tox doc target Correctly include schema pictures after travis-sphinx build
- Bump version: 9.11.24 → 9.11.25
- Update failsafe kernel option list Delete obsolete parameters and make sure a failsafe boot does boot into runlevel 3. This Fixes #554
- Apply xslt validation on boot images
- Do not match comments and PIs in XSLT templates I wanted to add a simple vim modeline to my XML description: <!-- vim: et:sts=2:sw=2 --> This made kiwi consume insane amounts of memory during the XSLT transform step. While this may be a bug in my version of lxml, we do not transform comments on processing instructions in the conversion templates, so the easiest solution is not to match them. Signed-off-by: Michal Marek <MichalMarek1@eaton.com>
- Make sure toplevel target dir keeps permissions When syncing data via rsync we make sure the toplevel target directory the data gets synced to does not change its origin permissions.
  This Fixes #557
- Rebuild schema documentation
- Fixed dependencies for dracut-kiwi-lib Adapt package names for gdisk/gptfdisk and btrfs-progs/btrfsprogs Install and require fdasd only on s390 architecture Delete fbiterm requirement since the project seems unmaintained and the use of the framebuffer terminal is an option in the code but not mandatory. This Fixes #559
- add missing deps for docker builds. Moving kiwi-image:* provides to -requires package
- Update text per review
- Fix and cleanup tox setup Along with the cleanup of the tox setup also the workaround using an older version of the py module has been fixed
- Fixed travis-sphinx call syntax
- Update dropped feature list Legacy kiwi's oem recovery feature will not be ported due to technologies like ReaR, snapper, btrfs and due to the container, cloud and public cloud orientation of OS images

==== python-numpy ====
Version update (1.13.3 -> 1.14.0)
Subpackages: python2-numpy python3-numpy

- update to version 1.14.0 Changes documented in release notes: https://github.com/numpy/numpy/blob/master/doc/release/1.14.0-notes.rst
- Switch from gcc6 to gcc7 as additional compiler flavor for HPC on SLES.
- Fix library package requires - use HPC macro (boo#1074890).

==== python-pywbem ====
- Fix another lost dependency. Need ssl module which python-base does not provide.
  (bnc#1072564)

==== qemu ====
Subpackages: qemu-arm qemu-block-curl qemu-block-dmg qemu-block-gluster qemu-block-iscsi qemu-block-rbd qemu-block-ssh qemu-extra qemu-ipxe qemu-ksm qemu-kvm qemu-lang qemu-ppc qemu-s390 qemu-seabios qemu-sgabios qemu-tools qemu-vgabios qemu-x86

- Pass through to guest info related to x86 security vulnerability (CVE-2017-5715 bsc#1068032)
  0034-i386-kvm-MSR_IA32_SPEC_CTRL-and-MSR.patch
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.11

==== qemu-linux-user ====
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.11
  * Patches added: 0034-i386-kvm-MSR_IA32_SPEC_CTRL-and-MSR.patch

==== rsync ====
- Fix: Stop file upload after errors [bsc#1062063]
- Added patches:
  * rsync-send_error_to_sender.patch
  * rsync-avoid-uploading-after-error.patch

==== ruby2.4 ====
Subpackages: libruby2_4-2_4 ruby2.4-devel ruby2.4-stdlib

- merge in some improvements from the 2.5 package
- track all binaries handled via u-a in an ua_binaries variable
- set an UTF-8 locale for building

==== serd ====
- Tweak a bit more py3 dep to not pull whole python but just base
- Fix group on one of the subpkgs
- Remove python-base dependency and change headers in python scripts to python3

==== speech-dispatcher ====
Subpackages: libspeechd-devel libspeechd2 python3-speechd speech-dispatcher-configure speech-dispatcher-module-espeak

- Add baselibs.conf: create libspeechd2-32bit, required by libQt5TextToSpeech5-32bit.
==== swig ====
- Reduce some conditionals for old distros lets consider sle11/rhel6 as minimal supported configuration
- Make sure we can be built and distributed with python3 only present in the system

==== tbb ====
- Add conditions to build with py2 and py3 respectively in order to allow us disable one based on codestream

==== texinfo ====
Version update (6.4 -> 6.5)
Subpackages: info makeinfo

- Update to version 6.5:
  * info:
    + some bugs fixed: a bug where a segfault could happen in the regex search, for example when the user entered a single \ as the search string
    + another bug which could make nodes inaccessible in long "split" info files
    + a bug where it was not possible to follow a cross-reference that was split across more than one line has been fixed
    + do not fall back to a man page if following a cross-reference in an info file failed
    + if looking for a file failed, do not convert the name of a file to lower-case and look for it again
  * texinfo.tex
    + some faulty definitions for Unicode characters have been changed or removed
    + fix indentation in table of contents for entries that are split across multiple lines
  * texi2dvi
    + a bug that broke the processing of LaTeX files that did not use BibTeX has been fixed
  * texi2any
    + output the encoding declaration of a HTML file earlier so it will always occur within first 1024 bytes of file
    + `INLINE_INSERTCOPYING' removed as a customization variable

==== totem ====
Subpackages: nautilus-totem totem-lang totem-plugin-brasero totem-plugins

- Add totem-thumbnailer-blacklist-fixes.patch: Fixes to the thumbnailer blacklists plugins (bgo#790491).

==== tracker ====
Subpackages: libtracker-common-2_0 libtracker-control-2_0-0 libtracker-miner-2_0-0 libtracker-sparql-2_0-0 tracker-lang typelib-1_0-Tracker-2_0 typelib-1_0-TrackerControl-2_0

- Add tracker-nb-translations.patch: Update Norwegian bokmål translations.
==== tracker-miners ====
Subpackages: tracker-miner-files tracker-miners-lang

- Add tracker-miners-nb-translations.patch: Update Norwegian Bokmål translations.

==== vim ====
Version update (8.0.1417 -> 8.0.1428)
Subpackages: gvim vim-data

- Updated to revision 1428, fixes the following problems
  * No test for expanding backticks.
  * Cursor column is not updated after ]s. (Gary Johnson)
  * Accessing freed memory in vimgrep.
  * Accessing invalid memory with overlong byte sequence.
  * No fallback to underline when undercurl is not set. (Ben Jackson)
  * Error in return not caught by try/catch.
  * The timer_pause test is flaky on Travis.
  * execute() does not work in completion of user command. (thinca)
  * "gf" and <cfile> don't accept ? and & in URL. (Dmitrii Tcyganok)
  * The :leftabove modifier doesn't work for :copen.
  * Compiler warning on 64 bit MS-Windows system.
- ignore make check transient errors for PowerPC bypass boo#1072651
- Update apparmor.vim (taken from AppArmor 2.12)
  * add support for the "smc" network keyword

==== virtualbox ====
Subpackages: virtualbox-host-kmp-default virtualbox-qt

- Updated file "fixes_for_leap15.patch" for new source.

==== webkit2gtk3 ====
Version update (2.18.4 -> 2.18.5)
Subpackages: libjavascriptcoregtk-4_0-18 libwebkit2gtk-4_0-37 libwebkit2gtk3-lang typelib-1_0-JavaScriptCore-4_0 typelib-1_0-WebKit2-4_0 webkit2gtk-4_0-injected-bundles

- Update to version 2.18.5:
  + Disable SharedArrayBuffers from Web API.
  + Reduce the precision of "high" resolution time to 1ms.
  + Fix API documentation generation with newer gtk-doc.
  + bsc#1075419 - Security fixes: includes improvements to mitigate the effects of Spectre (CVE-2017-5753 and CVE-2017-5715).
==== wireless-regdb ====
Version update (2017.03.07 -> 2017.12.23)

- Update to version 2017.12.23 (boo#1074838):
  * update regulatory database based on preceding changes
  * Document regulatory.db in the manual page
  * Install regulatory.db and regulatory.db.p7s to /lib/firmware
  * Better support for generating public certificates
  * Add sforshee's x509 certificate
  * Restore generation of old format database files
  * regdb: write firmware file format (version code 20)

==== wireshark ====
Version update (2.4.3 -> 2.4.4)
Subpackages: libwiretap7 libwscodecs1 libwsutil8 wireshark-ui-qt

- Wireshark 2.4.4:
  * fixes for dissector crashes:
    + CVE-2018-5334: IxVeriWave file could crash (bsc#1075737)
    + CVE-2018-5335: WCP dissector could crash (bsc#1075738)
    + CVE-2018-5336: Multiple dissector crashes (bsc#1075739)
  * No longer enable the Linux kernel BPF JIT compiler via the net.core.bpf_jit_enable sysctl, as this would make systems more vulnerable to Spectre variant 1 (bsc#1075748, CVE-2017-5753)
  * Further bug fixes and updated protocol support as listed in: https://www.wireshark.org/docs/relnotes/wireshark-2.4.4.html

==== xen ====
Version update (4.10.0_08 -> 4.10.0_10)
Subpackages: xen-doc-html xen-libs xen-tools xen-tools-domU

- bsc#1067317 - pass cache=writeback|unsafe|directsync to qemu, depending on the libxl disk settings
  libxl.add-option-to-disable-disk-cache-flushes-in-qdisk.patch
- Remove libxl.LIBXL_DESTROY_TIMEOUT.debug.patch
- bsc#1067224 - xen-tools have hard dependency on Python 2
  build-python3-conversion.patch
  bin-python3-conversion.patch
- bsc#1070165 - xen crashes after aborted localhost migration
  5a2ffc1f-x86-mm-drop-bogus-paging-mode-assertion.patch
- bsc#1035442 - L3: libxl: error: libxl.c:1676:devices_destroy_cb: libxl__devices_destroy failed
  5a33a12f-domctl-improve-locking-during-domain-destruction.patch
- Upstream patches from Jan (bsc#1027519)
  5a21a77e-x86-pv-construct-d0v0s-GDT-properly.patch
  5a2fda0d-x86-mb2-avoid-Xen-when-looking-for-module-crashkernel-pos.patch
  5a313972-x86-microcode-add-support-for-AMD-Fam17.patch
  5a32bd79-x86-vmx-dont-use-hvm_inject_hw_exception-in-.patch

==== xorg-x11-server ====
Version update (1.19.5 -> 1.19.6)
Subpackages: xorg-x11-server-sdk

- Update to version 1.19.6: Another collection of fixes from master. There will likely be at least one more 1.19.x release in 2018.

==== yast2-ruby-bindings ====
Version update (4.0.3 -> 4.0.4)

- Set proper title also for YaST2 scc (bsc#1075164)
- 4.0.4