Mailinglist Archive: opensuse-factory (745 mails)

[opensuse-factory] New Tumbleweed snapshot 20180116 released!

Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.

Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=1&version=Tumbleweed&build=20180116

When you reply to report some issues, make sure to change the subject.
It is not helpful to keep the release announcement subject in a thread
while discussing a specific problem.

Packages changed:
ImageMagick (7.0.7.15 -> 7.0.7.21)
Mesa (17.2.6 -> 17.3.2)
Mesa-drivers (17.2.6 -> 17.3.2)
ModemManager (1.6.8 -> 1.6.12)
MozillaFirefox
NetworkManager-applet
acpica
antlr
bluez (5.47 -> 5.48)
brltty
btrfsprogs (4.13.3 -> 4.14.1)
cairo (1.15.8 -> 1.15.10)
corosync
deltarpm
device-mapper
evince (3.26.0 -> 3.26.0+20171120.3955d480)
evolution (3.26.3 -> 3.26.4)
evolution-data-server (3.26.3 -> 3.26.4)
evolution-ews (3.26.3 -> 3.26.4)
fftw3
fluidsynth (1.1.8 -> 1.1.9)
freerdp
gdk-pixbuf
gdm
gimp
gnome-font-viewer
gnome-shell (3.26.2 -> 3.26.2+20171218.15b1810a6)
gnome-software (3.26.3 -> 3.26.4)
gpgme
gstreamer-plugins-base
gtk2 (2.24.31+20171209.61d5c82f5c -> 2.24.32)
gutenprint (5.2.13 -> 5.2.13pre14.2)
harfbuzz
hdf5
hwinfo (21.50 -> 21.51)
hyper-v
iputils
ispell
k3b (17.12.0 -> 17.12.1)
kdump
kernel-source (4.14.12 -> 4.14.13)
kio
krita (3.3.2.1 -> 3.3.3)
krusader
ldns
libdrm (2.4.88 -> 2.4.89)
libe-book (0.1.2 -> 0.1.3)
libepoxy
libglvnd
libmediaart
libpagemaker (0.0.3 -> 0.0.4)
libpeas
libpwquality (1.3.0 -> 1.4.0)
libqt5-qtwebengine
libqt5-qtwebsockets
librsvg (2.40.20 -> 2.42.0)
libsamplerate
libteam
libvirt
libxcb
libzio (1.05 -> 1.06)
llvm
logrotate (3.12.3 -> 3.13.0)
lvm2
makedumpfile
mdadm
mjpegtools
mutter (3.26.2 -> 3.26.2+20171231.0bd1d7cf0)
nbd (3.16.1 -> 3.16.2)
newt
nghttp2 (1.28.0 -> 1.29.0)
ntp
numactl
openblas_pthreads
opencv
openssh (7.2p2 -> 7.6p1)
patterns-kde
php7 (7.2.0 -> 7.2.1)
plasma5-desktop
plasma5-pk-updates
publicsuffix (20171028 -> 20171228)
python-attrs (17.3.0 -> 17.4.0)
python-cssselect (1.0.1 -> 1.0.3)
python-dbus-python
python-gpgme
python-httplib2
python-kiwi (9.11.24 -> 9.11.30)
python-numpy (1.13.3 -> 1.14.0)
python-pywbem
qemu
qemu-linux-user
rsync
ruby2.4
serd
speech-dispatcher
swig
tbb
texinfo (6.4 -> 6.5)
totem
tracker
tracker-miners
vim (8.0.1417 -> 8.0.1428)
virtualbox
webkit2gtk3 (2.18.4 -> 2.18.5)
wireless-regdb (2017.03.07 -> 2017.12.23)
wireshark (2.4.3 -> 2.4.4)
xen (4.10.0_08 -> 4.10.0_10)
xorg-x11-server (1.19.5 -> 1.19.6)
yast2-ruby-bindings (4.0.3 -> 4.0.4)

=== Details ===

==== ImageMagick ====
Version update (7.0.7.15 -> 7.0.7.21)
Subpackages: ImageMagick-devel ImageMagick-extra libMagick++-7_Q16HDRI4
libMagickCore-7_Q16HDRI5 libMagickWand-7_Q16HDRI5 perl-PerlMagick

- update to 7.0.7.21
* Fix some enum values in the OpenCL code.
* Fixed numerous memory leaks.
* Check for webpmux library version 0.4.4.
* Fix heap use after free error.
* Fix error reading multi-layer XCF image file.
* Fix possible stack overflow in WEBP reader.

==== Mesa ====
Version update (17.2.6 -> 17.3.2)
Subpackages: Mesa-dri-devel Mesa-libEGL-devel Mesa-libEGL1 Mesa-libGL-devel
Mesa-libGL1 Mesa-libglapi0 libgbm1 libwayland-egl1

- U_intel-Add-more-Coffee-Lake-PCI-IDs.patch
* Add more Coffeelake PCI IDs (request by Intel)
- Update to 17.3.2
* Multiple fixes in the RADV Vulkan driver, workaround when using
slibtool and a GLSL workaround for various titles using Unreal
Engine 4.
- Drop upstreamed u_r600-Add-support-for-B5G5R5A1.patch
- Modify u_mesa-python3-only.patch to not break python 2.
- Update to 17.3.1
* Multiple fixes and improvements of the GLSL shader cache. The
RADV driver no longer advertises VK_EXT_debug_report - there is
no support for it.
* The i965, radeonsi, nvc0 and freedreno drivers have received a
few small fixes each.
* A number of big endian fixes have been merged.
- Switch to python3 during build instead of python2
* Add patch u_mesa-python3-only.patch
- Add Mesa-dri and Mesa-gallium to baselibs.conf.
- Require llvm >= 3.9.0
* The build fails otherwise because it is required for multiple
Mesa components.
- Drop some redundant wording from descriptions.
Drop redundant %if guard around a %post section.
- Use different form of split for faster build (bnc#1071297)
* Mesa.spec does not use llvm and builds most of the *-devel
subpackages.
* Mesa-drivers.spec uses llvm and builds extra things installable
in addition to packages from Mesa.spec. These packages are
required for actual rendering.
- update to 17.3.0
- drop U_configure.ac-rework-llvm-libs-handling-for-3.9.patch
* new major release coming with changes in RADV, intel ANV,
S3TC support, RadeonSI driver with RX Vega. On-disk shader cache
- Split Mesa into Mesa and Mesa-mini. Mesa-mini does not depend on
llvm and its purpose is to build fast and allow other packages
that BuildRequire Mesa to be built independently of llvm.
Packages built against Mesa-mini should work correctly when
installed with full Mesa package. (bsc#1071297)

==== Mesa-drivers ====
Version update (17.2.6 -> 17.3.2)
Subpackages: Mesa-libva libvdpau_r300 libvdpau_r600 libvdpau_radeonsi
libvulkan_radeon libxatracker2

- U_intel-Add-more-Coffee-Lake-PCI-IDs.patch
* Add more Coffeelake PCI IDs (request by Intel)
- Update to 17.3.2
* Multiple fixes in the RADV Vulkan driver, workaround when using
slibtool and a GLSL workaround for various titles using Unreal
Engine 4.
- Drop upstreamed u_r600-Add-support-for-B5G5R5A1.patch
- Modify u_mesa-python3-only.patch to not break python 2.
- Update to 17.3.1
* Multiple fixes and improvements of the GLSL shader cache. The
RADV driver no longer advertises VK_EXT_debug_report - there is
no support for it.
* The i965, radeonsi, nvc0 and freedreno drivers have received a
few small fixes each.
* A number of big endian fixes have been merged.
- Switch to python3 during build instead of python2
* Add patch u_mesa-python3-only.patch
- Add Mesa-dri and Mesa-gallium to baselibs.conf.
- Require llvm >= 3.9.0
* The build fails otherwise because it is required for multiple
Mesa components.
- Drop some redundant wording from descriptions.
Drop redundant %if guard around a %post section.
- Use different form of split for faster build (bnc#1071297)
* Mesa.spec does not use llvm and builds most of the *-devel
subpackages.
* Mesa-drivers.spec uses llvm and builds extra things installable
in addition to packages from Mesa.spec. These packages are
required for actual rendering.
- update to 17.3.0
- drop U_configure.ac-rework-llvm-libs-handling-for-3.9.patch
* new major release coming with changes in RADV, intel ANV,
S3TC support, RadeonSI driver with RX Vega. On-disk shader cache
- Split Mesa into Mesa and Mesa-mini. Mesa-mini does not depend on
llvm and its purpose is to build fast and allow other packages
that BuildRequire Mesa to be built independently of llvm.
Packages built against Mesa-mini should work correctly when
installed with full Mesa package. (bsc#1071297)

==== ModemManager ====
Version update (1.6.8 -> 1.6.12)
Subpackages: ModemManager-bash-completion ModemManager-devel ModemManager-lang
libmm-glib0 typelib-1_0-ModemManager-1_0

- Update to version 1.6.12:
+ Blacklist:
- Ignored Pycom devices.
- Added Microchip's VID to the greylist.
+ QMI:
- Fixed connection state machine when built against libqmi <
1.18.
- Fixed connection state machine when an error is reported
setting up WDS indications.
- Changes from version 1.6.10:
+ Blacklist:
- Ignored Silicon Labs USB Zigbee dongles.
- Ignored Garmin ANT+ sticks.
- Ignored Intel coredump downloader device.
+ QMI:
- Fixed potential use-after-free issues.
- Fixed missing handler cleanups on network-initiated
disconnects.
+ MBIM:
- Fix invalid session_id and nw_error reads.
- Avoid calling mbim_message_unref() on NULL message.
- Fixed invalid object access due to handlers not being removed
correctly.
- Ensure session is disconnected before trying to connect.
- Fixed crash when modem doesn't send gateways.
+ udev:
- Removed default ID_MM_PLATFORM_DRIVER_PROBE whitelist.
Devices exposed via the 'atmel_usart' driver aren't probed
automatically any more.
+ Core:
- Fixed running init sequence after port flashing in
disconnection.
- Fixed "forbidden product strings" check in plugins.
- Fixed multiple memory leaks and invalid memory read/writes.
- Fixed multiple async operation completions in event handlers.
- Fixed multiple potential NULL dereferences.
- Fixed deadlock when trying to disconnect cancellable.
- Fixed reporting TX/RX stats (numbers were swapped).
- Ignored USB interface removal events.
+ libmm-glib: Fix NULL dereference on firmware unique_id checks.
+ polkit: Added missing Location interface method rules.
+ Plugins:
- MBM: set data port for Dell DW5560.
- Simtech: fix error reporting in 3gpp unsolicited events
enabling.
- Fixed multiple memory leaks.
+ systemd: Drop After=syslog.target rule.
- Drop post(un) handling of icon_theme_cache_post(un), no longer
needed, file-triggers takes care of this now.
- Drop ModemManager-1.0.0-systemd-activation.patch: No longer
needed.

==== MozillaFirefox ====
Subpackages: MozillaFirefox-translations-common

- fixed build with latest rust (mozilla-rust-1.23.patch)

==== NetworkManager-applet ====
Subpackages: NetworkManager-applet-lang NetworkManager-connection-editor
libnm-gtk0 libnma0 nma-data typelib-1_0-NMGtk-1_0

- Add
0001-shared-compat-fix-memory-handling-of-nm_setting_vpn_.patch
and
0002-shared-compat-fix-memory-handling-of-nm_setting_vpn_.patch:
fix crashes due to double frees.

==== acpica ====

- Changed shebang path in wmidump_add_she_bang.patch
to /usr/bin/python3
[bsc#1075687,wmidump_add_she_bang.patch]

==== antlr ====
Subpackages: antlr-devel antlr-java

- Add condition about python2 module, the rewrite happened in antlr4
for python3 support and it is completely different than the antlr2
* The python module is not used by any package in TW bsc#1068226

==== bluez ====
Version update (5.47 -> 5.48)
Subpackages: bluez-cups bluez-devel libbluetooth3

- update to version 5.48:
This release brings many fixes and feature enhancements.
Some notable enhancements include support for devices with the
BLE battery service, as well as improved Mesh support in the
meshctl tool. Several previously experimental D-Bus APIs have now
been marked as stable, notably the Advertising Manager API as
well as the AcquireWrite & AcquireNotify GATT APIs.
As far as fixes go, these can be found in many areas of the stack,
including A2DP, AVCTP, device discovery, Mesh, and GATT.

==== brltty ====
Subpackages: brltty-driver-at-spi2 brltty-driver-brlapi brltty-driver-espeak
brltty-driver-speech-dispatcher brltty-driver-xwindow brltty-lang libbrlapi0_6
python3-brlapi xbrlapi

- Fix %pre, %post, and %postun: brltty.service is now
brltty@.service (boo#1074096).

==== btrfsprogs ====
Version update (4.13.3 -> 4.14.1)
Subpackages: btrfsprogs-udev-rules libbtrfs0

- spec: fix distro version condition
- update to version 4.14.1
* dump-tree: print times of root items
* check: fix several lowmem mode bugs
* convert: fix rollback after balance
* other
* new and updated tests, enabled lowmem mode in CI
* docs updates
* fix travis CI build
* build fixes
* cleanups
- update to version 4.14
* build: libzstd now required by default
* check: more lowmem mode repair enhancements
* subvol set-default: also accept path
* prop set: compression accepts no/none, same as ""
* filesystem usage: enable for filesystem on top of a seed device
* rescue: new command fix-device-size
* other
* new tests
* cleanups and refactoring
* doc updates
- Removed patches:
- rollback-regression-fix.patch - upstreamed
- spec: disable static build, missing libzstd-devel-static
- spec: disable zstd support for non-Tumbleweed distros

==== cairo ====
Version update (1.15.8 -> 1.15.10)
Subpackages: cairo-devel libcairo-gobject2 libcairo-script-interpreter2
libcairo2 libcairo2-32bit

- Update to version 1.15.10:
+ Features and Enhancements:
- Add support for OpenGL ES 3.0 to the gl backend.
- Use Reusable streams for forms in Level 3 Postscript.
- Add CAIRO_MIME_TYPE_EPS mime type for embedding EPS files.
- Add CCITT_FAX mime type for PDF and PS surfaces.
- svg: add a new function to specify the SVG document unit
(fdo#90166).
- Use UTF-8 filenames on Windows.
+ API Changes: cairo_svg_surface_set_document_unit() and
cairo_svg_surface_get_document_unit().
+ Bugs fixed:
- Fix regression in gles version detection.
- Fix undefined-behavior with integer math.
- Handle SOURCE and CLEAR operators when painting color glyphs
(fdo#102661).
- Convert images to rgba or a8 formats when uploading with
GLESv2.
- Use _WIN32 instead of windows.h to check for windows build.
- Fix sigabrt printing documents with fonts lacking the
mandatory .nodef glyph (fdo#102922).
- Prevent curved strokes in small ctms from being culled from
vector surfaces (fdo#103071).
- Fix painting an unbounded recording surface with the SVG
backend.
- Fix falling back to system font with PDFs using certain
embedded fonts, due to truncated font names (fdo#103249).
- Fix handling of truetype fonts with excessively long font
names (fdo#103249).
- Fix race conditions with cairo_mask_compositor_t
(fdo#103037).
- Fix build error with util/font-view.
- Fix assertion hit with PDFs using Type 4 fonts rendered with
user fonts, due to error when destroying glyph page
(fdo#103335).
- Set default creation date for PDFs.
- Prevent invalid ptr access for > 4GB images (fdo#98165).
- Prevent self-copy infinite loop in Postscript surface.
- Fix padded image crash in Postscript surface.
- Fix annotation bugs in PDFs and related memory leaks.
- Fix test failures and other assorted issues in ps and pdf
code.
- Fix code generation when using GCC legacy atomic operations
(fdo#103559).
- Fix various compilation warnings and errors.
- Fix various distcheck errors with private symbols, doxygen
formatting etc.
- Drop cairo-image-prevent-invalid-ptr-access.patch

==== corosync ====
Subpackages: libcmap4 libcorosync_common4

- totemudp[u]: Drop truncated packets on receive(bsc#1075300)
Added: 0012-totemudp-u-Drop-truncated-packets-on-receive.patch
- issue with partial packets assembly when multiple nodes are sending big
packets(bsc#1074929)
Added: 0011-libcpg-Fix-issue-with-partial-big-packet-assembly.patch

==== deltarpm ====
Subpackages: python2-deltarpm

- Make python2 and python3 conditional to ensure we can build with
python3 only

==== device-mapper ====
Subpackages: libdevmapper-event1_03 libdevmapper1_03 libdevmapper1_03-32bit

- lvmlockd: add lockopt values for skipping selected locks (fate#323203)
+ fate-323203_lvmlockd-add-lockopt-values-for-skipping-selected-lo.patch

==== evince ====
Version update (3.26.0 -> 3.26.0+20171120.3955d480)
Subpackages: evince-lang evince-plugin-comicsdocument
evince-plugin-djvudocument evince-plugin-dvidocument evince-plugin-pdfdocument
evince-plugin-psdocument evince-plugin-tiffdocument evince-plugin-xpsdocument
libevdocument3-4 libevview3-3 nautilus-evince typelib-1_0-EvinceDocument-3_0
typelib-1_0-EvinceView-3_0

- Update to version 3.26.0+20171120.3955d480:
+ Updated translations.
- Switch to git-checkout via source service.
- Following the above, add gnome-common BuildRequires, pass
autogen.sh and pass enable-gtk doc to configure, as we need to
bootstrap the tarball.
- Clean up spec, use modern macros.
- Drop update-desktop-files BuildRequires and stop using
suse_update_desktop macro, no longer needed.
- Drop obsolete conditionals for no longer supported versions of
openSUSE.
- Avoid running fdupes across hardlink boundaries.

==== evolution ====
Version update (3.26.3 -> 3.26.4)
Subpackages: evolution-lang evolution-plugin-bogofilter
evolution-plugin-pst-import evolution-plugin-spamassassin

- Update to version 3.26.4:
+ Bugs fixed: bgo#791291, bgo#791341, bgo#791346, bgo#791793.
+ Updated translations.

==== evolution-data-server ====
Version update (3.26.3 -> 3.26.4)
Subpackages: evolution-data-server-lang libcamel-1_2-60 libebackend-1_2-10
libebook-1_2-19 libebook-contacts-1_2-2 libecal-1_2-19 libedata-book-1_2-25
libedata-cal-1_2-28 libedataserver-1_2-22 libedataserverui-1_2-1

- Update to version 3.26.4:
+ Prevent passing NULL ldap handle into LDAP functions.
+ [Maildir]: Correct double free when the source message file
doesn't exist.
+ Bugs fixed: bgo#791475, bgo#791282.

==== evolution-ews ====
Version update (3.26.3 -> 3.26.4)
Subpackages: evolution-ews-lang

- Update to version 3.26.4:
+ Bugs fixed: bgo#792190.

==== fftw3 ====
Subpackages: fftw3-devel libfftw3-3 libfftw3_threads3

- Disable the openmpi3 flavor in some products.
- Add gcc7 as additional compiler flavor for HPC on SLES.
- Fix library package requires - use HPC macro (boo#1074890).
- Add support for mpich and openmpi3 for HPC.

==== fluidsynth ====
Version update (1.1.8 -> 1.1.9)

- Update to version 1.1.9:
* fix building the portaudio driver on Windows
* fix build if no MIDI drivers are available
* fix return value of fluid_file_set_encoding_quality()
* fix use-after-free in fluid_timer
* fix memory leak in pulseaudio driver
* fix memory leak in rvoice_mixer
* fix dumptuning shell command displaying uninitialized values
* fix a resource leak in source shell command
* harmonize fluidsynth's output library naming with autotools on Windows
* don't set LIB_SUFFIX when building with MinGW
* avoid a possible deadlock when initializing fluidsynth's DLL on Windows
* avoid a buffer overrun when mixing effects channels in
fluid_synth_nwrite_float()
* correctly clean up fluid_server on Windows
* implement handling of FLUID_SEQ_ALLSOUNDSOFF events in
fluid_seq_fluidsynth_callback()
* support for registering audio drivers based on actual needs

==== freerdp ====
Subpackages: libfreerdp2 libwinpr2

- Users can connect only once to Windows sessions due to
[#]gh/FreeRDP/FreeRDP/4348
Therefore WITH_GSSAPI has been disabled until that issue has been
solved

==== gdk-pixbuf ====
Subpackages: gdk-pixbuf-devel gdk-pixbuf-lang gdk-pixbuf-query-loaders
gdk-pixbuf-query-loaders-32bit gdk-pixbuf-thumbnailer libgdk_pixbuf-2_0-0
libgdk_pixbuf-2_0-0-32bit typelib-1_0-GdkPixbuf-2_0

- Add gdk-pixbuf-bgo779012-ico-overflow.patch: fix a potential
integer overflow (boo#1027026 CVE-2017-6312).
- Add gdk-pixbuf-gif-negative-array-indexes.patch and
gdk-pixbuf-gif-uninitialized-variable.patch: protect against
access to negative array indexes (BGO#778584).
- Add gdk-pixbuf-tiff-overflow.patch: avoid overflow during size
computation (bgo#779020).
- Add gdk-pixbuf-icns-handle-short-blocklen.patch: protect against
short block length when reading icns (boo#1027024
CVE-2017-6313).

==== gdm ====
Subpackages: gdm-lang gdmflexiserver libgdm1 typelib-1_0-Gdm-1_0

- Add gdm-nb-translations.patch: Update Norwegian Bokmål
translations.
- Drop gdmflexiserver Obsoletes from main package, we ship
gdmflexiserver again, so this is not needed nor wanted.
- Do minor spec-cleanup, silence a couple of rpmlint warnings.
- Add gdm-not-run-with-bogus-DISPLAY-XAUTHORITY.patch: When run
PreSession script, don't set DISPLAY and XAUTHORITY environment
variable, avoiding environment variable equal (null)
(bsc#1068016 bgo#792150).
- Remove gdm-ignore-SLE-CLASSIC-MODE.patch: SLE-Classic doesn't use
environment variable SLE_CLASSIC_MODE anymore.

==== gimp ====
Subpackages: gimp-lang gimp-plugin-aa gimp-plugins-python libgimp-2_0-0
libgimpui-2_0-0

- Run spec-cleaner, modernize spec, drop Obsoletes for versions
no longer supported.
- Don't build with webkit1, as it is no longer maintained and has
plenty of security bugs. This disables the GIMP's built-in help
browser; it will use an external browser when configured this way.
This works around a number of security vulnerabilities in Webkit1:
https://bugzilla.suse.com/show_bug.cgi?id=923223
https://bugzilla.suse.com/show_bug.cgi?id=906375
https://bugzilla.suse.com/show_bug.cgi?id=906374
https://bugzilla.suse.com/show_bug.cgi?id=906373
https://bugzilla.suse.com/show_bug.cgi?id=1034856
https://bugzilla.suse.com/show_bug.cgi?id=871792
https://bugzilla.suse.com/show_bug.cgi?id=879607
https://bugzilla.suse.com/show_bug.cgi?id=892084

==== gnome-font-viewer ====
Subpackages: gnome-font-viewer-lang

- Add gfv-handle-ttf-otf-mime-types.patch: Handle new font/ttf and
font/otf mime types (bgo#788383).
- Add gfv-update-nb-translations.patch: Update Norwegian Bokmål
translations.

==== gnome-shell ====
Version update (3.26.2 -> 3.26.2+20171218.15b1810a6)
Subpackages: gnome-shell-browser-plugin gnome-shell-calendar gnome-shell-lang

- Add gnome-shell-network-fix-visibility-VPN.patch: network: Fix
visibility of VPN section (bgo#787845).
- Own directories
{_datadir}/gnome-shell/extensions|search-providers|modes again,
seems a lot of packages depended on this being true.
- Update to version 3.26.2+20171218.15b1810a6:
+ background: don't leak wall clock when background changes.
+ dateMenu:
- Fix possible crash with unknown locations.
- Ignore malformed world-clocks settings.
+ dash:
- Do not shadow ClutterActor's destroy().
- Make sure item labels are only destroyed once.
+ status/keyboard: Reset menuItems and Label objects on change.
+ overview: Protect ::drag-end handlers.
+ Updated translations.
- Switch to git-checkout via source services.
- Pass enable-browser-plugin=true, enable-documentation=true,
enable-man=true, enable-networkmanager=yes and
enable-systemd=yes to meson, ensure we build the features we
want.
- Following the above, add gtk-doc BuildRequires and build
documentation again.
- Run spec-cleaner, modernize spec.
- Drop update-desktop-files BuildRequires and stop using the
suse_update_desktop_file macro.
- Drop conditional libaccountsservice0, libcaribou0 and
libgdmgreeter1 Requires needed for no longer supported versions
of openSUSE.
- Add fdupes BuildRequires and pass fdupes macro, remove duplicate
files.
- Drop gnome-shell-wayland Obsoletes: No currently supported
version of openSUSE has ever had this binary, so this is no
longer needed.
- Stop exporting BROWSER_PLUGIN_DIR=%%{_libdir}/browser-plugins,
does not work as we are using meson buildsystem.

==== gnome-software ====
Version update (3.26.3 -> 3.26.4)
Subpackages: gnome-software-lang

- Update to version 3.26.4:
+ Fix crashes in the repos plugin due to missing locking.
+ Work around Firefox deleting rpm/deb files downloaded to /tmp
when closing.
+ Do not require the user to keep clicking 'More reviews' after
each click.
+ Fix a critical when updating (flatpak) packages live.
+ fwupd: Prepend the vendor name to the device name if not
included.
+ Improve SPDX ID parsing when working out if it is 'free'.
+ packagekit: Do not crash when getting an invalid ID from
PackageKit.
+ Do not crash when closing the source dialog while it is
loading.
+ Updated translations.
- Drop gs-add-locking-to-the-repos-plugin.patch: Fixed upstream.

==== gpgme ====
Subpackages: libgpgme-devel libgpgme11 libgpgmepp6 libqgpgme7

- Tweak up the python conditional to allow us finegraining and
selecting only py2 or py3 if needed

==== gstreamer-plugins-base ====
Subpackages: gstreamer-plugins-base-lang libgstallocators-1_0-0 libgstapp-1_0-0
libgstaudio-1_0-0 libgstfft-1_0-0 libgstpbutils-1_0-0 libgstriff-1_0-0
libgstrtp-1_0-0 libgstrtsp-1_0-0 libgstsdp-1_0-0 libgsttag-1_0-0
libgstvideo-1_0-0 typelib-1_0-GstAudio-1_0 typelib-1_0-GstPbutils-1_0
typelib-1_0-GstTag-1_0 typelib-1_0-GstVideo-1_0

- Add gst-pb-playbin3-fix-accessing-invalid-index.patch: playbin3:
Fix accessing invalid index in GstStream when received
select-stream event (bgo#791638).
- Clean up spec with spec-cleaner.

==== gtk2 ====
Version update (2.24.31+20171209.61d5c82f5c -> 2.24.32)
Subpackages: gtk2-data gtk2-devel gtk2-immodule-amharic gtk2-immodule-inuktitut
gtk2-immodule-thai gtk2-immodule-vietnamese gtk2-immodule-xim gtk2-lang
gtk2-tools gtk2-tools-32bit libgtk-2_0-0 libgtk-2_0-0-32bit typelib-1_0-Gtk-2_0

- Update to version 2.24.32:
+ Fix abicheck.
- Use the release version as revision and set versionformat to
PARENT_TAG, ensure we build the upstream released tag.

==== gutenprint ====
Version update (5.2.13 -> 5.2.13pre14.2)

- Version upgrade to 5.2.13pre14.2 which is the
second pre-release of Gutenprint 5.2.14.
Major changes in this release (compared to 5.2.12):
* The PCL driver now supports color laser printers
that use PCL 5c natively (as opposed to emulation).
The support is considered to be preliminary at this time.
Tons of PCL printers have been added with color support.
Please report success or failure with PCL color laser printers
using the Generic PCL Color drivers.
Based on feedback from this pre-release, some or all of these
printers may be removed from the list prior to 5.2.14 release.
* Support for the Brother HL-2030 and HL-2035 has been removed
because these printers do not support standard PCL.
* A crash that affected certain dyesub printers when used with
simplified PPD files has been fixed.
* Enhanced support for some dye-sublimation printers.
For details see the NEWS file.

==== harfbuzz ====
Subpackages: harfbuzz-devel libharfbuzz-icu0 libharfbuzz0 libharfbuzz0-32bit

- harfbuzz-devel hb-ft.h requires pkgconfig(freetype2) but it is
not automatically added by the dependency generator.

==== hdf5 ====
Subpackages: libhdf5-101 libhdf5_hl100

- Disable the openmpi3 flavor in some products.
- Switch from gcc6 to gcc7 as additional compiler flavor for HPC on SLES.
- Add support for mpich and openmpi3 for HPC.

==== hwinfo ====
Version update (21.50 -> 21.51)
Subpackages: hwinfo-devel

- merge gh#openSUSE/hwinfo#55
- Please make CDBISDN_DATE ignore timezone.
- 21.51

==== hyper-v ====

- update buffer handling in hv_fcopy_daemon
- remove unnecessary header files and netlink related code
- Avoid reading past allocated blocks from KVP file
- fix snprintf warning in kvp_daemon
- properly handle long paths
- kvp: configurable external scripts path
- vss: Thaw the filesystem and continue if freeze call has timed out
- vss: Skip freezing filesystems backed by loop

==== iputils ====
Subpackages: rarpd

- Backport iputils-ping-fix-pmtu-for-ipv6.patch from upstream
to fix PMTU discovery in ping6. (bsc#1072460)

==== ispell ====
Subpackages: ispell-american ispell-british

- Avoid `set -e' in munchlist (boo#1075882)

==== k3b ====
Version update (17.12.0 -> 17.12.1)
Subpackages: k3b-lang

- Update to 17.12.1
* New bugfix release
* For more details please see:
* https://www.kde.org/announcements/announce-applications-17.12.1.php
- Changes since 17.12.0:
* Revert "Fix Settings dialog resizes itself issue"
- Add fix-build-with-older-kio.patch to make it build again on
standard Leap 42.x.

==== kdump ====

- Add kdump-fillupdir-fixes.patch and correct specfile to build
with new fillupdir location
- Replace references to /var/adm/fillup-templates with new
%_fillupdir macro (boo#1069468)

==== kernel-source ====
Version update (4.14.12 -> 4.14.13)
Subpackages: kernel-default kernel-default-devel kernel-devel kernel-docs
kernel-macros kernel-syms

- Linux 4.14.13 (bnc#1012628).
- x86/mm: Set MODULES_END to 0xffffffffff000000 (bnc#1012628).
- x86/mm: Map cpu_entry_area at the same place on 4/5 level
(bnc#1012628).
- x86/kaslr: Fix the vaddr_end mess (bnc#1012628).
- x86/events/intel/ds: Use the proper cache flush method for
mapping ds buffers (bnc#1012628).
- x86/tlb: Drop the _GPL from the cpu_tlbstate export
(bnc#1012628).
- x86/alternatives: Add missing '\n' at end of ALTERNATIVE inline
asm (bnc#1012628).
- x86/pti: Rename BUG_CPU_INSECURE to BUG_CPU_MELTDOWN
(bnc#1012628).
- kernel/acct.c: fix the acct->needcheck check in
check_free_space() (bnc#1012628).
- mm/mprotect: add a cond_resched() inside change_pmd_range()
(bnc#1012628).
- mm/sparse.c: wrong allocation for mem_section (bnc#1012628).
- userfaultfd: clear the vma->vm_userfaultfd_ctx if
UFFD_EVENT_FORK fails (bnc#1012628).
- btrfs: fix refcount_t usage when deleting btrfs_delayed_nodes
(bnc#1012628).
- efi/capsule-loader: Reinstate virtual capsule mapping
(bnc#1012628).
- crypto: n2 - cure use after free (bnc#1012628).
- crypto: chacha20poly1305 - validate the digest size
(bnc#1012628).
- crypto: pcrypt - fix freeing pcrypt instances (bnc#1012628).
- crypto: chelsio - select CRYPTO_GF128MUL (bnc#1012628).
- drm/i915: Disable DC states around GMBUS on GLK (bnc#1012628).
- drm/i915: Apply Display WA #1183 on skl, kbl, and cfl
(bnc#1012628).
- sunxi-rsb: Include OF based modalias in device uevent
(bnc#1012628).
- fscache: Fix the default for fscache_maybe_release_page()
(bnc#1012628).
- x86 / CPU: Avoid unnecessary IPIs in arch_freq_get_on_cpu()
(bnc#1012628).
- x86 / CPU: Always show current CPU frequency in /proc/cpuinfo
(bnc#1012628).
- kernel/signal.c: protect the traced SIGNAL_UNKILLABLE tasks
from SIGKILL (bnc#1012628).
- kernel/signal.c: protect the SIGNAL_UNKILLABLE tasks from
!sig_kernel_only() signals (bnc#1012628).
- kernel/signal.c: remove the no longer needed SIGNAL_UNKILLABLE
check in complete_signal() (bnc#1012628).
- iommu/arm-smmu-v3: Don't free page table ops twice
(bnc#1012628).
- iommu/arm-smmu-v3: Cope with duplicated Stream IDs
(bnc#1012628).
- ARC: uaccess: dont use "l" gcc inline asm constraint modifier
(bnc#1012628).
- powerpc/mm: Fix SEGV on mapped region to return SEGV_ACCERR
(bnc#1012628).
- Input: elantech - add new icbody type 15 (bnc#1012628).
- apparmor: fix regression in mount mediation when feature set
is pinned (bnc#1012628).
- parisc: Fix alignment of pa_tlb_lock in assembly on 32-bit
SMP kernel (bnc#1012628).
- parisc: qemu idle sleep support (bnc#1012628).
- mtd: nand: pxa3xx: Fix READOOB implementation (bnc#1012628).
- KVM: s390: fix cmma migration for multiple memory slots
(bnc#1012628).
- KVM: s390: prevent buffer overrun on memory hotplug during
migration (bnc#1012628).
- commit bd444a0
- Refresh
patches.suse/0007-x86-enter-Use-IBRS-on-syscall-and-interrupts.patch.
- Refresh
patches.suse/0013-x86-entry-Stuff-RSB-for-entry-to-kernel-for-non-SMEP.patch.
- Refresh
patches.suse/0015-x86-syscall-Clear-unused-extra-registers-on-32-bit-c.patch.
Fix double fault in 32bit binaries (bnc#1074869, bnc#1074918,
bnc#1074920, bnc#1074921, bnc#1075018, bnc#1075034)
- commit f4b3cf0
- rpm/constraints.in: lower kernel-syzkaller's mem requirements
OBS now reports that it needs only around 2G, so lower the limit to
8G, so that more compliant workers can be used.
- commit 7637ae2

==== kio ====
Subpackages: kio-core kio-devel kio-lang

- Add patch to fix layout of icons in the file dialog (kde#352776):
* 0001-Fix-KFilePreviewGenerator-LayoutBlocker.patch

==== krita ====
Version update (3.3.2.1 -> 3.3.3)
Subpackages: krita-lang

- Update to 3.3.3:
* See https://krita.org/en/item/krita-3-3-3/
* Fix an issue where it would not be possible to select certain
blending modes when the current layer is grayscale but the
image is rgb.
* Set the OS and platform when reporting a bug from within Krita
on Windows.
* Make it possible to enter color values as percentage in the
specific color selector
* Add OpenGL warnings and make ANGLE default on Intel GPUs
* Add an Invert button to the levels filter
* Implement loading and saving of styles for group layers to and
from PSD
* Fix the erase mode not showing correctly when returning to the
brush tool
* Save the visibility of individual assistants in .kra files
* Add an option to draw ruler tips as a power of 2
* Disable autoscroll on move and transform tools
* Improve handling of native mouse events when using a pen and
the Windows Ink API
* Fix the focal point for the pinch zoom gesture
* Fix loading netpbm files with comment

==== krusader ====
Subpackages: kio_iso

- Add Panel-fixed-actions-in-PanelContextMenu-ignored.patch to fix
the "Create New" context menu not working when the '..' entry is
selected (boo#1075690, kde#383544)

==== ldns ====
Subpackages: libldns2

- Switch directly to python3 in order for us to proceed with py2
obsoletion for future releases
* Upstream sadly can build only against one of the two

==== libdrm ====
Version update (2.4.88 -> 2.4.89)
Subpackages: libdrm-devel libdrm2 libdrm_amdgpu1 libdrm_intel1 libdrm_nouveau2
libdrm_radeon1

- U_intel-Add-more-Coffeelake-PCI-IDs.patch
* Add more Coffeelake PCI IDs (request by Intel)
- Update to version 2.4.89:
libdrm release with leasing and syncobj api updates, updated amdgpu marketing
ids, amdgpu tests, updated uapi headers & etnaviv updates.

==== libe-book ====
Version update (0.1.2 -> 0.1.3)

- Cure linguistic problem in descriptions.
- Update to 0.1.3:
* Fix various problems when reading broken files, found with the help of
american-fuzzy-lop and oss-fuzz.
* Fix build with boost >= 1.59.
* Set default page margins. (tdf#94162)
* Make output of ebook2* --help more compatible with help2man.
* Check for librevenge-stream if tests are enabled. (gentoo#603098)
* Require C++11 for build.
* Drop outdated MSVC project files.
* Fix several issues found by Coverity.
* FictionBook v.2:
* Use document language as default language for text.
* Use note title as footnote mark.
* Handle subscript and superscript.
* Output content of <code> in monospace font.

==== libepoxy ====

- -devel package requires pkgconfig(x11), pkgconfig(egl)
but those deps are not generated automatically.

==== libglvnd ====
Subpackages: libglvnd-32bit libglvnd-devel

- Make sure to use only python3 for the build and do not rely
on env calls for python

==== libmediaart ====
Subpackages: libmediaart-2_0-0 typelib-1_0-MediaArt-2_0

- Add meson-Introspection-fix.patch: The meson build did not add
the extractdummy.c to the sources, which contains introspection
annotations (bgo#792272, bgo#791586).

==== libpagemaker ====
Version update (0.0.3 -> 0.0.4)

- Cure linguistic problem in descriptions.
- Update to 0.0.4:
* Add a command line tool for conversion to plain text, called pmd2text.
* Require C++11 for build.
* Drop outdated MSVC project files.
* Fix parsing of page dimensions and shape coordinates in Mac documents.
That makes the output at least somewhat useful, but more work is needed
to handle big endian files properly.
* Fix parsing of color tint in Mac documents. (tdf#109126)
* Fix parsing of text formatting attributes in Mac documents.
* Properly handle all caps and small caps.
* Parse more text formatting attributes.
* Parse more paragraph attributes.

==== libpeas ====
Subpackages: libpeas-1_0-0 libpeas-gtk-1_0-0 libpeas-lang libpeas-loader-python
libpeas-loader-python3 typelib-1_0-Peas-1_0 typelib-1_0-PeasGtk-1_0

- Use make_build macro.
- Avoid running fdupes across hardlink boundaries.
- Update URL to reflect current web, old was 404.
- Run spec-cleaner.
- Fix typo on parallel build command call.
- Conditionalize py2 and py3 build to allow us building of the
one we desire based on codestream.

==== libpwquality ====
Version update (1.3.0 -> 1.4.0)
Subpackages: libpwquality-lang libpwquality1

- Update RPM groups and summaries.
- Switch url to https://github.com/libpwquality/libpwquality/
- Update to release 1.4.0:
* Fix possible buffer overflow with data from /dev/urandom
in pwquality_generate().
* Do not try to check presence of too short username in password.
(thanks to Nikos Mavrogiannopoulos)
* Make the user name check optional (via usercheck option).
* Add an 'enforcing' option to make the checks to be warning-only
in PAM.
* The difok = 0 setting will disable all old password similarity
checks except new and old passwords being identical.
* Updated translations from Zanata.
- Add patch libpwquality-pythons.patch to avoid duping pythondir
- Make python3 default and enable py2 only when needed

==== libqt5-qtwebengine ====

- Also work around crashes on wayland by disabling the GPU by default
(boo#1060990):
* disable-gpu-when-using-nouveau-boo-1005323.diff

==== libqt5-qtwebsockets ====
Subpackages: libQt5WebSockets5 libQt5WebSockets5-imports
libqt5-qtwebsockets-devel

- fix Typo

==== librsvg ====
Version update (2.40.20 -> 2.42.0)
Subpackages: gdk-pixbuf-loader-rsvg librsvg-2-2 rsvg-thumbnailer
typelib-1_0-Rsvg-2_0

- Update to version 2.42.0:
+ Fix a memory leak in rsvg_handle_new_from_file().
+ Optimize the xml:space normalization function.
+ Fix a runtime warning in the feMergeNode code
(glgo#GNOME/librsvg#179).
+ Clarify documentation about the rsvg_*_sub() APIs
(glgo#GNOME/librsvg#175).
+ Stylistic fixes from cargo-clippy.
+ Port the Pango glue code to Rust.
+ New ARCHITECTURE.md with a description of librsvg's internals.
- Clean up spec, use autosetup macro.

==== libsamplerate ====
Subpackages: libsamplerate-devel libsamplerate0

- Add libsamplerate-0.1.9-reproducible.patch to disable throughput
test to make builds reproducible in spite of Profile Guided Optimizations

==== libteam ====

- Drop /pkg/ subpart from includedir
- Remove defattr that is not really needed
- Add condition around python bindings, they are really based on
swig code that would need to be rewritten to support python3

==== libvirt ====
Subpackages: libvirt-client libvirt-daemon libvirt-daemon-config-network
libvirt-daemon-config-nwfilter libvirt-daemon-driver-interface
libvirt-daemon-driver-libxl libvirt-daemon-driver-lxc
libvirt-daemon-driver-network libvirt-daemon-driver-nodedev
libvirt-daemon-driver-nwfilter libvirt-daemon-driver-qemu
libvirt-daemon-driver-secret libvirt-daemon-driver-storage
libvirt-daemon-driver-storage-core libvirt-daemon-driver-storage-disk
libvirt-daemon-driver-storage-iscsi libvirt-daemon-driver-storage-logical
libvirt-daemon-driver-storage-mpath libvirt-daemon-driver-storage-rbd
libvirt-daemon-driver-storage-scsi libvirt-daemon-driver-uml
libvirt-daemon-driver-vbox libvirt-daemon-lxc libvirt-daemon-qemu
libvirt-daemon-xen libvirt-libs

- Add a qemu hook script providing functionality similar to Xen's
block-dmmd script
suse-qemu-domain-hook.py
FATE#324177

==== libxcb ====
Subpackages: libxcb-render0-32bit libxcb-shm0-32bit libxcb1-32bit

- Enable xinput extension. (bnc#1074249)
- U_add-support-for-eventstruct.patch
* Update xinput to the state when it was enabled by default
upstream.
- n_If-auth-with-credentials-for-hostname-fails-retry-with-XAUTHLOCALHOSTNAME.patch
* Prevent infinite loop also in case DISPLAY is non-local.
- Use spaces instead of tabs in the patches (as does the original
source code) to avoid confusion.
- n_If-auth-with-credentials-for-hostname-fails-retry-with-XAUTHLOCALHOSTNAME.patch
* If authentication (with *stage == 0) failed and the variable
XAUTHLOCALHOSTNAME wasn't set, we were never getting to stage 2
in the original patch, causing calls to xcb_connect_to_display
to be stuck in an infinite loop.
Now we also go to stage 2 if the variable isn't set.

==== libzio ====
Version update (1.05 -> 1.06)

- Add changes from Jerrell Watts which has kindly provided
his changes for lzma/xz support with large I/O buffers

==== llvm ====

- Add missing %files for lld.

==== logrotate ====
Version update (3.12.3 -> 3.13.0)

- Version update to 3.13.0:
* make distribution tarballs report logrotate version properly
* make (un)compress work even if stdin and/or stdout are closed (#154)
* remove -s from DEFAULT_MAIL_COMMAND and improve its documentation (#152)
* uncompress logs before mailing them even if delaycompress is enabled (#151)
* handle unlink of a non-existing log file as a warning only (#144)
* include compile-time options in the output of logrotate --version (#145)
* make logrotate --version print to stdout instead of stderr (#145)
* flush write buffers before syncing state file (#148)
* specify (un)compress utility explicitly in tests (#137)
* enable running tests in parallel (#132)
* explicitly map root UID/GID to 0 on Cygwin (#133)
* add .dpkg-bak and .dpkg-del to default tabooext list (#134)

==== lvm2 ====
Subpackages: liblvm2app2_2 liblvm2cmd2_02

- lvmlockd: add lockopt values for skipping selected locks (fate#323203)
+ fate-323203_lvmlockd-add-lockopt-values-for-skipping-selected-lo.patch

==== makedumpfile ====

- makedumpfile-__cpu_online_mask-symbol.patch: Support symbol
__cpu_online_mask (FATE#323473, bsc#1070291).
- makedumpfile-vtop4_x86_64_pagetable.patch: Introduce
vtop4_x86_64_pagetable (FATE#323473, bsc#1070291).
- makedumpfile-fix-KASLR-for-sadump.patch: Fix a KASLR problem of
sadump (FATE#323473, bsc#1070291).
- makedumpfile-fix-KASLR-for-sadump-while-kdump.patch: sadump: Fix
a KASLR problem of sadump while kdump is working (FATE#323473,
bsc#1070291).

==== mdadm ====

- 0208-mdadm-grow-correct-the-s-size-1-to-make-max-work.patch
(bsc#1074949)

==== mjpegtools ====
Subpackages: libmjpegutils-2_0-0

- Add conditional post(un) handling for libmpeg2encpp-2_0-0.

==== mutter ====
Version update (3.26.2 -> 3.26.2+20171231.0bd1d7cf0)
Subpackages: libmutter-1-0 mutter-data mutter-lang

- Update to version 3.26.2+20171231.0bd1d7cf0:
+ Revert "window: Raise and lower tile match in tandem".
+ wayland: Only send full sequences of touch events to clients.
+ stage: Push framebuffer before setting up viewport.
+ keybindings: Only add multiple keycodes from the same level.
+ wayland-outputs: Delay wl_output destruction.
+ monitor-manager-kms:
- Fix recently introduced build issue.
- poll() on KMS fd on EAGAIN.
+ compositor: reset top_window_actor and remove it from windows
when destroyed.
+ monitor-manager: Compare keys when checking whether a config is
complete.
+ Updated translations.
- Switch to git-checkout via source services.
- Following the above, add intltool and libtool BuildRequires and
pass autogen.sh to bootstrap the generated tarball.
- Pkgconfigy the BuildRequires, replace:
gobject-introspection-devel, libSM-devel, libX11-devel and
libXinerama-devel with pkgconfig(gobject-introspection-1.0),
pkgconfig(sm), pkgconfig(x11) and pkgconfig(xinerama).
- Drop update-desktop-files BuildRequires and stop using
suse_update_desktop_file macro, no longer needed.
- Drop pkgconfig(gbm) BuildRequires listed twice.
- Run spec-cleaner, modernize spec, use make_build macro.

==== nbd ====
Version update (3.16.1 -> 3.16.2)

- Update to version 1.16.2:
* Make the test suite less chatty
* Various build system improvements
* Fixes to the systemd unit to make it work again with recent
systemd
* Point to the nbd mailinglist, rather than to the maintainer's
personal email address, for bug reports.

==== newt ====

- Build without py2 if needed
- Fix upstream url

==== nghttp2 ====
Version update (1.28.0 -> 1.29.0)

- Update to version 1.29.0:
* lib: Use NGHTTP2_REFUSED_STREAM for streams which are closed by
GOAWAY
* build: Remove SPDY
* build: Fix CMAKE_MODULE_PATH
* nghttpx: Revert "nghttpx: Use an existing h2 backend connection
as much as possible"
* nghttpx: Write API request body in temporary file
* nghttpx: Increase api-max-request-body
* nghttpx: Faster configuration loading with lots of backends
* nghttpx: Fix crash with --backend-http-proxy-uri option

==== ntp ====
Subpackages: ntp-doc

- Add ntp-reproducible.patch to make build reproducible (boo#1047218)
- Restart ntpd if failed or aborted (FATE#315133).
- Do not try to set the HW clock when adding a server at runtime
to avoid blocking systemd.

==== numactl ====
Subpackages: libnuma1

- Disable building at 32-bit ARM.
NUMA is not supported by 32-bit ARM Linux Kernel, so build failed
with
[#]error "Add syscalls for your architecture or update kernel headers"

==== openblas_pthreads ====

- Switch from gcc6 to gcc7 as additional compiler flavor for HPC on SLES.
- Fix library package requires - use HPC macro (boo#1074890).
- Fix unexpanded rpm macro in environment module file for HPC (boo#1074897).

==== opencv ====
Subpackages: libopencv3_3 opencv-devel

- Add conditionals for python2 and python3 to allow us enabling
only desired python variants when needed
- Do not depend on sphinx as py2 and py3 seem to collide there

==== openssh ====
Version update (7.2p2 -> 7.6p1)
Subpackages: openssh-helpers

- Replace forgotten references to /var/adm/fillup-templates
with new %_fillupdir macro (boo#1069468)
- tighten configuration access rights
- Update to vanilla 7.6p1
Most important changes (more details below):
* complete removal of the ancient SSHv1 protocol
* sshd(8) cannot run without privilege separation
* removal of support for arcfour, blowfish and CAST ciphers
and RIPE-MD160 HMAC
* refuse RSA keys shorter than 1024 bits
Distilled upstream log:
- OpenSSH 7.3
- --- Security
* sshd(8): Mitigate a potential denial-of-service attack
against the system's crypt(3) function via sshd(8). An
attacker could send very long passwords that would cause
excessive CPU use in crypt(3). sshd(8) now refuses to accept
password authentication requests of length greater than 1024
characters. Independently reported by Tomas Kuthan (Oracle),
Andres Rojas and Javier Nieto.
* sshd(8): Mitigate timing differences in password
authentication that could be used to discern valid from
invalid account names when long passwords were sent and
particular password hashing algorithms are in use on the
server. CVE-2016-6210, reported by EddieEzra.Harari at
verint.com
* ssh(1), sshd(8): Fix observable timing weakness in the CBC
padding oracle countermeasures. Reported by Jean Paul
Degabriele, Kenny Paterson, Torben Hansen and Martin
Albrecht. Note that CBC ciphers are disabled by default and
only included for legacy compatibility.
* ssh(1), sshd(8): Improve operation ordering of MAC
verification for Encrypt-then-MAC (EtM) mode transport MAC
algorithms to verify the MAC before decrypting any
ciphertext. This removes the possibility of timing
differences leaking facts about the plaintext, though no such
leakage has been observed. Reported by Jean Paul Degabriele,
Kenny Paterson, Torben Hansen and Martin Albrecht.
* sshd(8): (portable only) Ignore PAM environment vars when
UseLogin=yes. If PAM is configured to read user-specified
environment variables and UseLogin=yes in sshd_config, then a
hostile local user may attack /bin/login via LD_PRELOAD or
similar environment variables set via PAM. CVE-2015-8325,
found by Shayan Sadigh.
- --- New Features
* ssh(1): Add a ProxyJump option and corresponding -J
command-line flag to allow simplified indirection through
one or more SSH bastions or "jump hosts".
* ssh(1): Add an IdentityAgent option to allow specifying
specific agent sockets instead of accepting one from the
environment.
* ssh(1): Allow ExitOnForwardFailure and ClearAllForwardings to
be optionally overridden when using ssh -W. bz#2577
* ssh(1), sshd(8): Implement support for the IUTF8 terminal
mode as per draft-sgtatham-secsh-iutf8-00.
* ssh(1), sshd(8): Add support for additional fixed
Diffie-Hellman 2K, 4K and 8K groups from
draft-ietf-curdle-ssh-kex-sha2-03.
* ssh-keygen(1), ssh(1), sshd(8): support SHA256 and SHA512 RSA
signatures in certificates;
* ssh(1): Add an Include directive for ssh_config(5) files.
* ssh(1): Permit UTF-8 characters in pre-authentication banners
sent from the server. bz#2058
- --- Bugfixes
* ssh(1), sshd(8): Reduce the syslog level of some relatively
common protocol events from LOG_CRIT. bz#2585
* sshd(8): Refuse AuthenticationMethods="" in configurations
and accept AuthenticationMethods=any for the default
behaviour of not requiring multiple authentication. bz#2398
* sshd(8): Remove obsolete and misleading "POSSIBLE BREAK-IN
ATTEMPT!" message when forward and reverse DNS don't match.
bz#2585
* ssh(1): Close ControlPersist background process stderr except
in debug mode or when logging to syslog. bz#1988
* misc: Make PROTOCOL description for
direct-streamlocal@xxxxxxxxxxx channel open messages match
deployed code. bz#2529
* ssh(1): Deduplicate LocalForward and RemoteForward entries to
fix failures when both ExitOnForwardFailure and hostname
canonicalisation are enabled. bz#2562
* sshd(8): Remove fallback from moduli to obsolete "primes"
file that was deprecated in 2001. bz#2559.
* sshd_config(5): Correct description of UseDNS: it affects ssh
hostname processing for authorized_keys, not known_hosts;
bz#2554
* ssh(1): Fix authentication using lone certificate keys in an
agent without corresponding private keys on the filesystem.
bz#2550
* sshd(8): Send ClientAliveInterval pings when a time-based
RekeyLimit is set; previously keepalive packets were not
being sent. bz#2252
- --- Portability
* ssh(1), sshd(8): Fix compilation by automatically disabling
ciphers not supported by OpenSSL. bz#2466
* misc: Fix compilation failures on some versions of AIX's
compiler related to the definition of the VA_COPY macro.
bz#2589
* sshd(8): Whitelist more architectures to enable the
seccomp-bpf sandbox. bz#2590
* ssh-agent(1), sftp-server(8): Disable process tracing on
Solaris using setpflags(__PROC_PROTECT, ...). bz#2584
* sshd(8): On Solaris, don't call Solaris setproject() with
UsePAM=yes; it's PAM's responsibility. bz#2425
- OpenSSH 7.4
- --- Potentially-incompatible changes
* ssh(1): Remove 3des-cbc from the client's default proposal.
64-bit block ciphers are not safe in 2016 and we don't want
to wait until attacks like SWEET32 are extended to SSH. As
3des-cbc was the only mandatory cipher in the SSH RFCs, this
may cause problems connecting to older devices using the
default configuration, but it's highly likely that such
devices already need explicit configuration for key exchange
and hostkey algorithms already anyway.
* sshd(8): Remove support for pre-authentication compression.
Doing compression early in the protocol probably seemed
reasonable in the 1990s, but today it's clearly a bad idea in
terms of both cryptography (cf. multiple compression oracle
attacks in TLS) and attack surface. Pre-auth compression
support has been disabled by default for >10 years. Support
remains in the client.
* ssh-agent will refuse to load PKCS#11 modules outside a
whitelist of trusted paths by default. The path whitelist may
be specified at run-time.
* sshd(8): When a forced-command appears in both a certificate
and an authorized keys/principals command= restriction, sshd
will now refuse to accept the certificate unless they are
identical. The previous (documented) behaviour of having the
certificate forced-command override the other could be a bit
confusing and error-prone.
* sshd(8): Remove the UseLogin configuration directive and
support for having /bin/login manage login sessions.
- --- Security
* ssh-agent(1): Will now refuse to load PKCS#11 modules from
paths outside a trusted whitelist (run-time configurable).
Requests to load modules could be passed via agent forwarding
and an attacker could attempt to load a hostile PKCS#11
module across the forwarded agent channel: PKCS#11 modules
are shared libraries, so this would result in code execution
on the system running the ssh-agent if the attacker has
control of the forwarded agent-socket (on the host running
the sshd server) and the ability to write to the filesystem
of the host running ssh-agent (usually the host running the
ssh client). Reported by Jann Horn of Project Zero.
* sshd(8): When privilege separation is disabled, forwarded
Unix-domain sockets would be created by sshd(8) with the
privileges of 'root' instead of the authenticated user. This
release refuses Unix-domain socket forwarding when privilege
separation is disabled (Privilege separation has been enabled
by default for 14 years). Reported by Jann Horn of Project
Zero.
* sshd(8): Avoid theoretical leak of host private key material
to privilege-separated child processes via realloc() when
reading keys. No such leak was observed in practice for
normal-sized keys, nor does a leak to the child processes
directly expose key material to unprivileged users. Reported
by Jann Horn of Project Zero.
* sshd(8): The shared memory manager used by pre-authentication
compression support had a bounds check that could be elided
by some optimising compilers. Additionally, this memory
manager was incorrectly accessible when pre-authentication
compression was disabled. This could potentially allow
attacks against the privileged monitor process from the
sandboxed privilege-separation process (a compromise of the
latter would be required first). This release removes
support for pre-authentication compression from sshd(8).
Reported by Guido Vranken using the Stack unstable
optimisation identification tool
(http://css.csail.mit.edu/stack/)
* sshd(8): Fix denial-of-service condition where an attacker
who sends multiple KEXINIT messages may consume up to 128MB
per connection. Reported by Shi Lei of Gear Team, Qihoo 360.
* sshd(8): Validate address ranges for AllowUser and DenyUsers
directives at configuration load time and refuse to accept
invalid ones. It was previously possible to specify invalid
CIDR address ranges (e.g. user@127.1.2.3/55) and these would
always match, possibly resulting in granting access where it
was not intended. Reported by Laurence Parry.
- --- New Features
* ssh(1): Add a proxy multiplexing mode to ssh(1) inspired by
the version in PuTTY by Simon Tatham. This allows a
multiplexing client to communicate with the master process
using a subset of the SSH packet and channels protocol over a
Unix-domain socket, with the main process acting as a proxy
that translates channel IDs, etc. This allows multiplexing
mode to run on systems that lack file-descriptor passing
(used by current multiplexing code) and potentially, in
conjunction with Unix-domain socket forwarding, with the
client and multiplexing master process on different machines.
Multiplexing proxy mode may be invoked using "ssh -O proxy
..."
* sshd(8): Add a sshd_config DisableForwarding option that
disables X11, agent, TCP, tunnel and Unix domain socket
forwarding, as well as anything else we might implement in
the future. Like the 'restrict' authorized_keys flag, this is
intended to be a simple and future-proof way of restricting
an account.
* sshd(8), ssh(1): Support the "curve25519-sha256" key exchange
method. This is identical to the currently-supported method
named "curve25519-sha256@xxxxxxxxxx".
* sshd(8): Improve handling of SIGHUP by checking to see if
sshd is already daemonised at startup and skipping the call
to daemon(3) if it is. This ensures that a SIGHUP restart of
sshd(8) will retain the same process-ID as the initial
execution. sshd(8) will also now unlink the PidFile prior to
SIGHUP restart and re-create it after a successful restart,
rather than leaving a stale file in the case of a
configuration error. bz#2641
* sshd(8): Allow ClientAliveInterval and ClientAliveCountMax
directives to appear in sshd_config Match blocks.
* sshd(8): Add %-escapes to AuthorizedPrincipalsCommand to
match those supported by AuthorizedKeysCommand (key, key
type, fingerprint, etc.) and a few more to provide access to
the contents of the certificate being offered.
* Added regression tests for string matching, address matching
and string sanitisation functions.
* Improved the key exchange fuzzer harness.
- --- Bugfixes
* ssh(1): Allow IdentityFile to successfully load and use
certificates that have no corresponding bare public key.
bz#2617 certificate id_rsa-cert.pub (and no id_rsa.pub).
* ssh(1): Fix public key authentication when multiple
authentication is in use and publickey is not just the first
method attempted. bz#2642
* regress: Allow the PuTTY interop tests to run unattended.
bz#2639
* ssh-agent(1), ssh(1): improve reporting when attempting to
load keys from PKCS#11 tokens with fewer useless log messages
and more detail in debug messages. bz#2610
* ssh(1): When tearing down ControlMaster connections, don't
pollute stderr when LogLevel=quiet.
* sftp(1): On ^Z wait for underlying ssh(1) to suspend before
suspending sftp(1) to ensure that ssh(1) restores the
terminal mode correctly if suspended during a password
prompt.
* ssh(1): Avoid busy-wait when ssh(1) is suspended during a
password prompt.
* ssh(1), sshd(8): Correctly report errors during sending of
ext-info messages.
* sshd(8): fix NULL-deref crash if sshd(8) received an out-of-
sequence NEWKEYS message.
* sshd(8): Correct list of supported signature algorithms sent
in the server-sig-algs extension. bz#2547
* sshd(8): Fix sending ext_info message if privsep is disabled.
* sshd(8): more strictly enforce the expected ordering of
privilege separation monitor calls used for authentication
and allow them only when their respective authentication
methods are enabled in the configuration
* sshd(8): Fix uninitialised optlen in getsockopt() call;
harmless on Unix/BSD but potentially crashy on Cygwin.
* Fix false positive reports caused by explicit_bzero(3) not
being recognised as a memory initialiser when compiled with
-fsanitize-memory.
* sshd_config(5): Use 2001:db8::/32, the official IPv6 subnet
for configuration examples.
- --- Portability
* On environments configured with Turkish locales, fall back to
the C/POSIX locale to avoid errors in configuration parsing
caused by that locale's unique handling of the letters 'i'
and 'I'. bz#2643
* sftp-server(8), ssh-agent(1): Deny ptrace on OS X using
ptrace(PT_DENY_ATTACH, ..)
* ssh(1), sshd(8): Unbreak AES-CTR ciphers on old (~0.9.8)
OpenSSL.
* Fix compilation for libcrypto compiled without RIPEMD160
support.
* contrib: Add a gnome-ssh-askpass3 with GTK+3 support. bz#2640
* sshd(8): Improve PRNG reseeding across privilege separation
and force libcrypto to obtain a high-quality seed before
chroot or sandboxing.
* All: Explicitly test for broken strnvis. NetBSD added an
strnvis and unfortunately made it incompatible with the
existing one in OpenBSD and Linux's libbsd (the former having
existed for over ten years). Try to detect this mess, and
assume the only safe option if we're cross compiling.
- OpenSSH 7.5
- --- Potentially-incompatible changes
* This release deprecates the sshd_config
UsePrivilegeSeparation option, thereby making privilege
separation mandatory. Privilege separation has been on by
default for almost 15 years and sandboxing has been on by
default for almost the last five.
* The format of several log messages emitted by the packet code
has changed to include additional information about the user
and their authentication state. Software that monitors
ssh/sshd logs may need to account for these changes. For
example:
Connection closed by user x 1.1.1.1 port 1234 [preauth]
Connection closed by authenticating user x 10.1.1.1 port 1234 [preauth]
Connection closed by invalid user x 1.1.1.1 port 1234 [preauth]
Affected messages include connection closure, timeout, remote
disconnection, negotiation failure and some other fatal
messages generated by the packet code.
* [Portable OpenSSH only] This version removes support for
building against OpenSSL versions prior to 1.0.1. OpenSSL
stopped supporting versions prior to 1.0.1 over 12 months ago
(i.e. they no longer receive fixes for security bugs).
- --- Security
* ssh(1), sshd(8): Fix weakness in CBC padding oracle
countermeasures that allowed a variant of the attack fixed in
OpenSSH 7.3 to proceed. Note that the OpenSSH client
disables CBC ciphers by default, sshd offers them as
lowest-preference options and will remove them by default
entirely in the next release. Reported by Jean Paul
Degabriele, Kenny Paterson, Martin Albrecht and Torben Hansen
of Royal Holloway, University of London.
* sftp-client(1): [portable OpenSSH only] On Cygwin, a client
making a recursive file transfer could be manipulated by a
hostile server to perform a path-traversal attack, creating
or modifying files outside of the intended target directory.
Reported by Jann Horn of Google Project Zero.
- --- New Features
* ssh(1), sshd(8): Support "=-" syntax to easily remove methods
from algorithm lists, e.g. Ciphers=-*cbc. bz#2671
- --- Bugfixes
* sshd(1): Fix NULL dereference crash when key exchange start
messages are sent out of sequence.
* ssh(1), sshd(8): Allow form-feed characters to appear in
configuration files.
* sshd(8): Fix regression in OpenSSH 7.4 support for the
server-sig-algs extension, where SHA2 RSA signature methods
were not being correctly advertised. bz#2680
* ssh(1), ssh-keygen(1): Fix a number of case-sensitivity bugs
in known_hosts processing. bz#2591 bz#2685
* ssh(1): Allow ssh to use certificates accompanied by a
private key file but no corresponding plain *.pub public key.
bz#2617
* ssh(1): When updating hostkeys using the UpdateHostKeys
option, accept RSA keys if HostkeyAlgorithms contains any RSA
keytype. Previously, ssh could ignore RSA keys when only the
ssh-rsa-sha2-* methods were enabled in HostkeyAlgorithms and
not the old ssh-rsa method. bz#2650
* ssh(1): Detect and report excessively long configuration file
lines. bz#2651
* Merge a number of fixes found by Coverity and reported via
Redhat and FreeBSD. Includes fixes for some memory and file
descriptor leaks in error paths. bz#2687
* ssh-keyscan(1): Correctly hash hosts with a port number.
bz#2692
* ssh(1), sshd(8): When logging long messages to stderr, don't
truncate "\r\n" if the length of the message exceeds the
buffer. bz#2688
* ssh(1): Fully quote [host]:port in generated ProxyJump/-J
command-line; avoid confusion over IPv6 addresses and shells
that treat square bracket characters specially.
* ssh-keygen(1): Fix corruption of known_hosts when running
"ssh-keygen -H" on a known_hosts containing already-hashed
entries.
* Fix various fallout and sharp edges caused by removing SSH
protocol 1 support from the server, including the server
banner string being incorrectly terminated with only \n
(instead of \r\n), confusing error messages from ssh-keyscan
bz#2583 and a segfault in sshd if protocol v.1 was enabled
for the client and sshd_config contained references to legacy
keys bz#2686.
* ssh(1), sshd(8): Free fd_set on connection timeout. bz#2683
* sshd(8): Fix Unix domain socket forwarding for root
(regression in OpenSSH 7.4).
* sftp(1): Fix division by zero crash in "df" output when
server returns zero total filesystem blocks/inodes.
* ssh(1), ssh-add(1), ssh-keygen(1), sshd(8): Translate OpenSSL
errors encountered during key loading to more meaningful
error codes. bz#2522 bz#2523
* ssh-keygen(1): Sanitise escape sequences in key comments sent
to printf but preserve valid UTF-8 when the locale supports
it; bz#2520
* ssh(1), sshd(8): Return reason for port forwarding failures
where feasible rather than always "administratively
prohibited". bz#2674
* sshd(8): Fix deadlock when AuthorizedKeysCommand or
AuthorizedPrincipalsCommand produces a lot of output and a
key is matched early. bz#2655
* Regression tests: several reliability fixes. bz#2654 bz#2658
bz#2659
* ssh(1): Fix typo in ~C error message for bad port forward
cancellation. bz#2672
* ssh(1): Show a useful error message when included config
files can't be opened; bz#2653
* sshd(8): Make sshd set GSSAPIStrictAcceptorCheck=yes as the
manual page (previously incorrectly) advertised. bz#2637
* sshd_config(5): Repair accidentally-deleted mention of %k
token in AuthorizedKeysCommand; bz#2656
* sshd(8): Remove vestiges of previously removed LOGIN_PROGRAM;
bz#2665
* ssh-agent(1): Relax PKCS#11 whitelist to include libexec and
common 32-bit compatibility library directories.
* sftp-client(1): Fix non-exploitable integer overflow in
SSH2_FXP_NAME response handling.
* ssh-agent(1): Fix regression in 7.4 of deleting
PKCS#11-hosted keys. It was not possible to delete them
except by specifying their full physical path. bz#2682
- --- Portability
* sshd(8): Avoid sandbox errors for Linux S390 systems using an
ICA crypto coprocessor.
* sshd(8): Fix non-exploitable weakness in seccomp-bpf sandbox
arg inspection.
* ssh(1): Fix X11 forwarding on OSX where X11 was being started
by launchd. bz#2341
* ssh-keygen(1), ssh(1), sftp(1): Fix output truncation for
various that contain non-printable characters where the
codeset in use is ASCII.
* build: Fix builds that attempt to link a kerberised libldns.
bz#2603
* build: Fix compilation problems caused by unconditionally
defining _XOPEN_SOURCE in wide character detection.
* sshd(8): Fix sandbox violations for clock_gettime vDSO
syscall fallback on some Linux/X32 kernels. bz#2142
- OpenSSH 7.6
- --- Potentially-incompatible changes
This release includes a number of changes that may affect
existing configurations:
* ssh(1): delete SSH protocol version 1 support, associated
configuration options and documentation.
* ssh(1)/sshd(8): remove support for the hmac-ripemd160 MAC.
* ssh(1)/sshd(8): remove support for the arcfour, blowfish and
CAST ciphers.
* Refuse RSA keys <1024 bits in length and improve reporting
for keys that do not meet this requirement.
* ssh(1): do not offer CBC ciphers by default.
- --- Security
* sftp-server(8): in read-only mode, sftp-server was
incorrectly permitting creation of zero-length files.
Reported by Michal Zalewski.
- --- New Features
* ssh(1): add RemoteCommand option to specify a command in the
ssh config file instead of giving it on the client's command
line. This allows the configuration file to specify the
command that will be executed on the remote host.
* sshd(8): add ExposeAuthInfo option that enables writing
details of the authentication methods used (including public
keys where applicable) to a file that is exposed via a
$SSH_USER_AUTH environment variable in the subsequent
session.
* ssh(1): add support for reverse dynamic forwarding. In this
mode, ssh will act as a SOCKS4/5 proxy and forward
connections to destinations requested by the remote SOCKS
client. This mode is requested using extended syntax for the
-R and RemoteForward options and, because it is implemented
solely at the client, does not require the server be updated
to be supported.
* sshd(8): allow LogLevel directive in sshd_config Match
blocks; bz#2717
* ssh-keygen(1): allow inclusion of arbitrary string or flag
certificate extensions and critical options.
* ssh-keygen(1): allow ssh-keygen to use a key held in
ssh-agent as a CA when signing certificates. bz#2377
* ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an
explicit ToS/DSCP value and just use the operating system
default.
* ssh-add(1): added -q option to make ssh-add quiet on success.
* ssh(1): expand the StrictHostKeyChecking option with two new
settings. The first "accept-new" will automatically accept
hitherto-unseen keys but will refuse connections for changed
or invalid hostkeys. This is a safer subset of the current
behaviour of StrictHostKeyChecking=no. The second setting
"off", is a synonym for the current behaviour of
StrictHostKeyChecking=no: accept new host keys, and continue
connection for hosts with incorrect hostkeys. A future
release will change the meaning of StrictHostKeyChecking=no
to the behaviour of "accept-new". bz#2400
* ssh(1): add SyslogFacility option to ssh(1) matching the
equivalent option in sshd(8). bz#2705
- --- Bugfixes
* ssh(1): use HostKeyAlias if specified instead of hostname for
matching host certificate principal names; bz#2728
* sftp(1): implement sorting for globbed ls; bz#2649
* ssh(1): add a user@host prefix to client's "Permission
denied" messages, useful in particular when using "stacked"
connections (e.g. ssh -J) where it's not clear which host is
denying. bz#2720
* ssh(1): accept unknown EXT_INFO extension values that contain
\0 characters. These are legal, but would previously cause
fatal connection errors if received.
* ssh(1)/sshd(8): repair compression statistics printed at
connection exit
* sftp(1): print '?' instead of incorrect link count (that the
protocol doesn't provide) for remote listings. bz#2710
* ssh(1): return failure rather than fatal() for more cases
during session multiplexing negotiations. Causes the session
to fall back to a non-mux connection if they occur. bz#2707
* ssh(1): mention that the server may send debug messages to
explain public key authentication problems under some
circumstances; bz#2709
* Translate OpenSSL error codes to better report incorrect
passphrase errors when loading private keys; bz#2699
* sshd(8): adjust compatibility patterns for WinSCP to
correctly identify versions that implement only the legacy DH
group exchange scheme. bz#2748
* ssh(1): print the "Killed by signal 1" message only at
LogLevel verbose so that it is not shown at the default
level; prevents it from appearing during ssh -J and
equivalent ProxyCommand configs. bz#1906, bz#2744
* ssh-keygen(1): when generating all hostkeys (ssh-keygen -A),
clobber existing keys if they exist but are zero length.
zero-length keys could previously be made if ssh-keygen
failed or was interrupted part way through generating them.
bz#2561
* ssh(1): fix pledge(2) violation in the escape sequence "~&"
used to place the current session in the background.
* ssh-keyscan(1): avoid double-close() on file descriptors;
bz#2734
* sshd(8): avoid reliance on shared use of pointers shared
between monitor and child sshd processes. bz#2704
* sshd_config(8): document available AuthenticationMethods;
bz#2453
* ssh(1): avoid truncation in some login prompts; bz#2768
* sshd(8): Fix various compilations failures, inc bz#2767
* ssh(1): make "--" before the hostname terminate argument
processing after the hostname too.
* ssh-keygen(1): switch from aes256-cbc to aes256-ctr for
encrypting new-style private keys. Fixes problems related to
private key handling for no-OpenSSL builds. bz#2754
* ssh(1): warn and do not attempt to use keys when the public
and private halves do not match. bz#2737
* sftp(1): don't print verbose error message when ssh
disconnects from under sftp. bz#2750
* sshd(8): fix keepalive scheduling problem: activity on a
forwarded port from preventing the keepalive from being sent;
bz#2756
* sshd(8): when started without root privileges, don't require
the privilege separation user or path to exist. Makes running
the regression tests easier without touching the filesystem.
* Make integrity.sh regression tests more robust against
timeouts. bz#2658
* ssh(1)/sshd(8): correctness fix for channels implementation:
accept channel IDs greater than 0x7FFFFFFF.
- --- Portability
* sshd(9): drop two more privileges in the Solaris sandbox:
PRIV_DAX_ACCESS and PRIV_SYS_IB_INFO; bz#2723
* sshd(8): expose list of completed authentication methods to
PAM via the SSH_AUTH_INFO_0 PAM environment variable. bz#2408
* ssh(1)/sshd(8): fix several problems in the tun/tap
forwarding code, mostly to do with host/network byte order
confusion. bz#2735
* Add --with-cflags-after and --with-ldflags-after configure
flags to allow setting CFLAGS/LDFLAGS after configure has
completed. These are useful for setting sanitiser/fuzzing
options that may interfere with configure's operation.
* sshd(8): avoid Linux seccomp violations on ppc64le over the
socketcall syscall.
* Fix use of ldns when using ldns-config; bz#2697
* configure: set cache variables when cross-compiling. The
cross-compiling fallback message was saying it assumed the
test passed, but it didn't actually set the cache variables
and this would cause later tests to fail.
* Add clang libFuzzer harnesses for public key parsing and
signature verification.
- packaging:
* moving patches into a separate archive
* first round of rebased patches:
[-X11_trusted_forwarding]
[-allow_root_password_login]
[-blocksigalrm]
[-cavstest-ctr]
[-cavstest-kdf]
[-disable_short_DH_parameters]
[-eal3]
[-enable_PAM_by_default]
[-fips]
[-fips_checks]
[-gssapi_key_exchange]
[-hostname_changes_when_forwarding_X]
[-lastlog]
[-missing_headers]
[-pam_check_locks]
[-pts_names_formatting]
[-remove_xauth_cookies_on_exit]
[-seccomp_geteuid]
[-seccomp_getuid]
[-seccomp_stat]
[-seed-prng]
[-send_locale]
[-systemd-notify]
* not rebased (obsoleted) patches (so far):
[-additional_seccomp_archs]
[-allow_DSS_by_default]
[-default_protocol]
[-dont_use_pthreads_in_PAM]
[-eal3_obsolete]
[-gssapimitm]
[-saveargv-fix]
* obviously removing all standalone patch files:
[openssh-7.2p2-allow_root_password_login.patch]
[openssh-7.2p2-allow_DSS_by_default.patch]
[openssh-7.2p2-X11_trusted_forwarding.patch]
[openssh-7.2p2-lastlog.patch]
[openssh-7.2p2-enable_PAM_by_default.patch]
[openssh-7.2p2-dont_use_pthreads_in_PAM.patch]
[openssh-7.2p2-eal3.patch]
[openssh-7.2p2-blocksigalrm.patch]
[openssh-7.2p2-send_locale.patch]
[openssh-7.2p2-hostname_changes_when_forwarding_X.patch]
[openssh-7.2p2-remove_xauth_cookies_on_exit.patch]
[openssh-7.2p2-pts_names_formatting.patch]
[openssh-7.2p2-pam_check_locks.patch]
[openssh-7.2p2-disable_short_DH_parameters.patch]
[openssh-7.2p2-seccomp_getuid.patch]
[openssh-7.2p2-seccomp_geteuid.patch]
[openssh-7.2p2-seccomp_stat.patch]
[openssh-7.2p2-additional_seccomp_archs.patch]
[openssh-7.2p2-fips.patch]
[openssh-7.2p2-cavstest-ctr.patch]
[openssh-7.2p2-cavstest-kdf.patch]
[openssh-7.2p2-seed-prng.patch]
[openssh-7.2p2-gssapi_key_exchange.patch]
[openssh-7.2p2-audit.patch]
[openssh-7.2p2-audit_fixes.patch]
[openssh-7.2p2-audit_seed_prng.patch]
[openssh-7.2p2-login_options.patch]
[openssh-7.2p2-disable_openssl_abi_check.patch]
[openssh-7.2p2-no_fork-no_pid_file.patch]
[openssh-7.2p2-host_ident.patch]
[openssh-7.2p2-sftp_homechroot.patch]
[openssh-7.2p2-sftp_force_permissions.patch]
[openssh-7.2p2-X_forward_with_disabled_ipv6.patch]
[openssh-7.2p2-ldap.patch]
[openssh-7.2p2-IPv6_X_forwarding.patch]
[openssh-7.2p2-ignore_PAM_with_UseLogin.patch]
[openssh-7.2p2-prevent_timing_user_enumeration.patch]
[openssh-7.2p2-limit_password_length.patch]
[openssh-7.2p2-keep_slogin.patch]
[openssh-7.2p2-kex_resource_depletion.patch]
[openssh-7.2p2-verify_CIDR_address_ranges.patch]
[openssh-7.2p2-restrict_pkcs11-modules.patch]
[openssh-7.2p2-prevent_private_key_leakage.patch]
[openssh-7.2p2-secure_unix_sockets_forwarding.patch]
[openssh-7.2p2-ssh_case_insensitive_host_matching.patch]
[openssh-7.2p2-disable_preauth_compression.patch]
[openssh-7.2p2-s390_hw_crypto_syscalls.patch]
[openssh-7.2p2-s390_OpenSSL-ibmpkcs11_syscalls.patch]
- Replace references to /var/adm/fillup-templates with new
%_fillupdir macro (boo#1069468)

==== patterns-kde ====
Subpackages: patterns-kde-devel_kde patterns-kde-devel_kde_frameworks
patterns-kde-devel_qt5 patterns-kde-kde patterns-kde-kde_edutainment
patterns-kde-kde_games patterns-kde-kde_ide patterns-kde-kde_imaging
patterns-kde-kde_internet patterns-kde-kde_multimedia patterns-kde-kde_office
patterns-kde-kde_plasma patterns-kde-kde_utilities
patterns-kde-kde_utilities_opt patterns-kde-kde_yast

- Recommend discover in the kde_plasma pattern

==== php7 ====
Version update (7.2.0 -> 7.2.1)
Subpackages: apache2-mod_php7 php7-bcmath php7-bz2 php7-calendar php7-ctype
php7-curl php7-dba php7-devel php7-dom php7-exif php7-fastcgi php7-ftp php7-gd
php7-gettext php7-gmp php7-iconv php7-imap php7-json php7-ldap php7-mbstring
php7-mysql php7-odbc php7-openssl php7-pdo php7-pear php7-pear-Archive_Tar
php7-pgsql php7-shmop php7-snmp php7-sockets php7-sqlite php7-sysvsem
php7-sysvshm php7-tidy php7-tokenizer php7-wddx php7-xmlreader php7-xmlwriter
php7-xsl php7-zlib

- updated to 7.2.1: Several security bugs were fixed in this release.
http://php.net/ChangeLog-7.php#7.2.1
- build against newer webp [bsc#1074121]

==== plasma5-desktop ====
Subpackages: plasma5-desktop-lang

- Add patch to fix generation of font previews:
* 0001-Support-font-ttf-and-font-otf-mimetypes-in-kfontinst.patch

==== plasma5-pk-updates ====
Subpackages: plasma5-pk-updates-lang

- Fix refresh logic on startup:
* 0001-Only-save-the-last-update-timestep-on-success.patch
* 0002-Show-that-the-last-check-failed-if-no-updates-availa.patch
* 0003-List-known-updates-on-startup.patch

==== publicsuffix ====
Version update (20171028 -> 20171228)

- Update to version 20171228:
* Add Paris region (#579)
* Fixed alwaysdata.net. (#555)
* Add Combell domains (#565)
* Adding scrysec.com (#528)
* Add Fedora Openshift app domains (#533)
* Add resin.io device domains to list (#499)
* Add nh-serv.co.uk to list file (#491)
* Add 1Password domains (#562)
* Add s5y.io (#572)
* Add social domains - NIC.bo (#467)

==== python-attrs ====
Version update (17.3.0 -> 17.4.0)

- specfile:
* update copyright year
- update to version 17.4.0:
* Backward-incompatible Changes
+ The traversal of MROs when using multiple inheritance was
backward:
If you defined a class "C" that subclasses "A" and "B" like
"C(A, B)", "attrs" would have collected the attributes from "B"
*before* those of "A".
This is now fixed and means that in classes that employ multiple
inheritance, the output of "__repr__" and the order of
positional arguments in "__init__" changes.
Due to the nature of this bug, a proper deprecation cycle was
unfortunately impossible.
Generally speaking, it's advisable to prefer "kwargs"-based
initialization anyways - *especially* if you employ multiple
inheritance and diamond-shaped hierarchies.
+ The "__repr__" set by "attrs" no longer produces an
"AttributeError" when the instance is missing some of the
specified attributes (either through deleting or after using
"init=False" on some attributes).
This can break code that relied on "repr(attr_cls_instance)"
raising "AttributeError" to check if any attr-specified members
were unset.
If you were using this, you can implement a custom method for
checking this::
    def has_unset_members(self):
        for field in attr.fields(type(self)):
            try:
                getattr(self, field.name)
            except AttributeError:
                return True
        return False
* Deprecations
+ The "attr.ib(convert=callable)" option is now deprecated in
favor of "attr.ib(converter=callable)".
This is done to achieve consistency with other noun-based
arguments like *validator*. *convert* will keep working until
at least January 2019 while raising a "DeprecationWarning".
* Changes
+ Generated "__hash__" methods now hash the class type along with
the attribute values. Until now the hashes of two classes with
the same values were identical which was a bug.
The generated method is also *much* faster now.
+ "attr.ib"'s "metadata" argument now defaults to a unique empty
"dict" instance instead of sharing a common empty "dict" for
all. The singleton empty "dict" is still enforced.
+ "ctypes" is optional now however if it's missing, a bare
"super()" will not work in slots classes. This should only
happen in special environments like Google App Engine.
+ The attribute redefinition feature introduced in 17.3.0 now
takes into account if an attribute is redefined via multiple
inheritance. In that case, the definition that is closer to the
base of the class hierarchy wins.
+ Subclasses of "auto_attribs=True" can be empty now.
+ Equality tests are *much* faster now.
+ All generated methods now have correct "__module__", "__name__",
and (on Python 3) "__qualname__" attributes.

==== python-cssselect ====
Version update (1.0.1 -> 1.0.3)
Subpackages: python2-cssselect python3-cssselect

- specfile:
* update copyright year
- update to version 1.0.3:
* Fix artifact uploads to pypi
- changes from version 1.0.2:
* Drop support for Python 2.6 and Python 3.3.
* Fix deprecation warning in Python 3.6.
* Minor cleanups.

==== python-dbus-python ====
Subpackages: python2-dbus-python python3-dbus-python

- drop unneeded epydoc requirement properly

==== python-gpgme ====

- Use python macros to not directly pull both develpackages

==== python-httplib2 ====

- update httplib2-use-system-certs.patch: handle
the case with ssl_version being None correctly
- update httplib2-use-system-certs.patch: Also use
ssl.create_default_context in the python2 case so that
the system wide certificates are loaded as trusted again.

==== python-kiwi ====
Version update (9.11.24 -> 9.11.30)

- Bump version: 9.11.29 -> 9.11.30
- Deleted syslinux from ppc/oemboot/suse-SLES15
syslinux is not provided for ppc. This Fixes bsc#1073310
[boot] fix double quote in grub menu which makes kernel updates for CentOS /
RHEL / Fedora break grub.cfg
- Omit kiwi-repart dracut module in oemboot initrd
KIWI's oemboot initrd with initrd_system="dracut" together with
installiso="true" requires to have dracut-kiwi-oem-repart package
installed in the system, thus it ends up also being included in the
recreated dracut initrd after booting the oemboot initrd from the
installation iso. This kiwi-repart module causes a boot failure in that
case since no .profile file is present; moreover, it makes no sense to
run it at that stage, since the disk is already reparted by the
oemboot code.
This commit allows installiso="true" and initrd_system="dracut" to
play well together.
- Improve locale pattern in schema
Now the locale pattern in the schema also supports POSIX. Note
that POSIX will be only accepted if listed in the first place of the comma
separated list.
This commit fixes #570
- Bump version: 9.11.28 -> 9.11.29
- Allow to choose dracut live module
There is the standard dracut dmsquash-live module based on
the device mapper technology and the kiwi-live module based
on the overlayfs technology. The setup of the live iso structure
in kiwi is compatible to both modules. Thus it makes sense
to allow to choose the technology via the flags attribute
<type image="iso" ... flags="overlay|dmsquash"/>
Please note that both modules support a different set of live
features. This Fixes #568
- Bump version: 9.11.27 -> 9.11.28
- Fixed ec2 and azure test builds
cryptconfig is no longer provided
- Bump version: 9.11.26 -> 9.11.27
- Apply target permissions only if target dir exists
- Bump version: 9.11.25 -> 9.11.26
- Fixed use of stat result in os.chmod
oct method returns a string representation which was mistakenly
used in a subsequent os.chmod call. This Fixes #564
- Fixed tox doc target
Correctly include schema pictures after travis-sphinx build
- Bump version: 9.11.24 -> 9.11.25
- Update failsafe kernel option list
Delete obsolete parameters and make sure a failsafe boot
does boot into runlevel 3. This Fixes #554
- Apply xslt validation on boot images
- Do not match comments and PIs in XSLT templates
I wanted to add a simple vim modeline to my XML description:
<!--
vim: et:sts=2:sw=2
-->
This made kiwi consume insane amounts of memory during the XSLT
transform step. While this may be a bug in my version of lxml, we do not
transform comments on processing instructions in the conversion
templates, so the easiest solution is not to match them.
Signed-off-by: Michal Marek <MichalMarek1@xxxxxxxxx>
- Make sure toplevel target dir keeps permissions
When syncing data via rsync we make sure the toplevel target
directory the data gets synced to does not change its original
permissions. This Fixes #557
- Rebuild schema documentation
- Fixed dependencies for dracut-kiwi-lib
Adapt package names for gdisk/gptfdisk and btrfs-progs/btrfsprogs
Install and require fdasd only on s390 architecture
Delete fbiterm requirement since the project seems unmaintained
and the use of the framebuffer terminal is an option in the code
but not mandatory. This Fixes #559
- add missing deps for docker builds.
Moving kiwi-image:* provides to -requires package
- Update text per review
- Fix and cleanup tox setup
Along with the cleanup of the tox setup also the workaround
using an older version of the py module has been fixed
- Fixed travis-sphinx call syntax
- Update dropped feature list
Legacy kiwi's oem recovery feature will not be ported
due to technologies like ReaR, snapper, btrfs and due
to the container, cloud and public cloud orientation of
OS images

==== python-numpy ====
Version update (1.13.3 -> 1.14.0)
Subpackages: python2-numpy python3-numpy

- update to version 1.14.0
Changes documented in release notes:
https://github.com/numpy/numpy/blob/master/doc/release/1.14.0-notes.rst
- Switch from gcc6 to gcc7 as additional compiler flavor for HPC on SLES.
- Fix library package requires - use HPC macro (boo#1074890).

==== python-pywbem ====

- Fix another lost dependency. Need ssl module which python-base
does not provide. (bnc#1072564)

==== qemu ====
Subpackages: qemu-arm qemu-block-curl qemu-block-dmg qemu-block-gluster
qemu-block-iscsi qemu-block-rbd qemu-block-ssh qemu-extra qemu-ipxe qemu-ksm
qemu-kvm qemu-lang qemu-ppc qemu-s390 qemu-seabios qemu-sgabios qemu-tools
qemu-vgabios qemu-x86

- Pass through to guest info related to x86 security vulnerability
(CVE-2017-5715 bsc#1068032)
0034-i386-kvm-MSR_IA32_SPEC_CTRL-and-MSR.patch
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.11

==== qemu-linux-user ====

- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.11
* Patches added:
0034-i386-kvm-MSR_IA32_SPEC_CTRL-and-MSR.patch

==== rsync ====

- Fix: Stop file upload after errors [bsc#1062063]
- Added patches:
* rsync-send_error_to_sender.patch
* rsync-avoid-uploading-after-error.patch

==== ruby2.4 ====
Subpackages: libruby2_4-2_4 ruby2.4-devel ruby2.4-stdlib

- merge in some improvements from the 2.5 package
- track all binaries handled via u-a in an ua_binaries variable
- set an UTF-8 locale for building

==== serd ====

- Tweak a bit more py3 dep to not pull whole python but just base
- Fix group on one of the subpkgs
- Remove python-base dependency and change headers in python scripts
to python3

==== speech-dispatcher ====
Subpackages: libspeechd-devel libspeechd2 python3-speechd
speech-dispatcher-configure speech-dispatcher-module-espeak

- Add baselibs.conf: create libspeechd2-32bit, required by
libQt5TextToSpeech5-32bit.

==== swig ====

- Reduce some conditionals for old distros; let's consider sle11/rhel6
as minimal supported configuration
- Make sure we can be built and distributed with python3 only
present in the system

==== tbb ====

- Add conditions to build with py2 and py3 respectively in order
to allow us disable one based on codestream

==== texinfo ====
Version update (6.4 -> 6.5)
Subpackages: info makeinfo

- Update to version 6.5:
* info:
+ some bugs fixed:
a bug where a segfault could happen in the regex search, for
example when the user entered a single \ as the search string
+ another bug which could make nodes inaccessible in long
"split" info files
+ a bug where it was not possible to follow a cross-reference
that was split across more than one line has been fixed
+ do not fall back to a man page if following a cross-reference
in an info file failed
+ if looking for a file failed, do not convert the name of a
file to lower-case and look for it again
* texinfo.tex
+ some faulty definitions for Unicode characters have been
changed or removed
+ fix indentation in table of contents for entries that are
split across multiple lines
* texi2dvi
+ a bug that broke the processing of LaTeX files that did not
use BibTeX has been fixed
* texi2any
+ output the encoding declaration of a HTML file earlier so it
will always occur within first 1024 bytes of file
+ `INLINE_INSERTCOPYING' removed as a customization variable

==== totem ====
Subpackages: nautilus-totem totem-lang totem-plugin-brasero totem-plugins

- Add totem-thumbnailer-blacklist-fixes.patch: Fixes to the
thumbnailer blacklists plugins (bgo#790491).

==== tracker ====
Subpackages: libtracker-common-2_0 libtracker-control-2_0-0
libtracker-miner-2_0-0 libtracker-sparql-2_0-0 tracker-lang
typelib-1_0-Tracker-2_0 typelib-1_0-TrackerControl-2_0

- Add tracker-nb-translations.patch: Update Norwegian bokmål
translations.

==== tracker-miners ====
Subpackages: tracker-miner-files tracker-miners-lang

- Add tracker-miners-nb-translations.patch: Update Norwegian Bokmål
translations.

==== vim ====
Version update (8.0.1417 -> 8.0.1428)
Subpackages: gvim vim-data

- Updated to revision 1428, fixes the following problems
* No test for expanding backticks.
* Cursor column is not updated after ]s. (Gary Johnson)
* Accessing freed memory in vimgrep.
* Accessing invalid memory with overlong byte sequence.
* No fallback to underline when undercurl is not set. (Ben Jackson)
* Error in return not caught by try/catch.
* The timer_pause test is flaky on Travis.
* execute() does not work in completion of user command. (thinca)
* "gf" and <cfile> don't accept ? and & in URL. (Dmitrii Tcyganok)
* The :leftabove modifier doesn't work for :copen.
* Compiler warning on 64 bit MS-Windows system.
- ignore make check transient errors for PowerPC
bypass boo#1072651
- Update apparmor.vim (taken from AppArmor 2.12)
* add support for the "smc" network keyword

==== virtualbox ====
Subpackages: virtualbox-host-kmp-default virtualbox-qt

- Updated file "fixes_for_leap15.patch" for new source.

==== webkit2gtk3 ====
Version update (2.18.4 -> 2.18.5)
Subpackages: libjavascriptcoregtk-4_0-18 libwebkit2gtk-4_0-37
libwebkit2gtk3-lang typelib-1_0-JavaScriptCore-4_0 typelib-1_0-WebKit2-4_0
webkit2gtk-4_0-injected-bundles

- Update to version 2.18.5:
+ Disable SharedArrayBuffers from Web API.
+ Reduce the precision of "high" resolution time to 1ms.
+ Fix API documentation generation with newer gtk-doc.
+ bsc#1075419 - Security fixes: includes improvements to mitigate
the effects of Spectre (CVE-2017-5753 and CVE-2017-5715).

==== wireless-regdb ====
Version update (2017.03.07 -> 2017.12.23)

- Update to version 2017.12.23 (boo#1074838):
* update regulatory database based on preceding changes
* Document regulatory.db in the manual page
* Install regulatory.db and regulatory.db.p7s to /lib/firmware
* Better support for generating public certificates
* Add sforshee's x509 certificate
* Restore generation of old format database files
* regdb: write firmware file format (version code 20)

==== wireshark ====
Version update (2.4.3 -> 2.4.4)
Subpackages: libwiretap7 libwscodecs1 libwsutil8 wireshark-ui-qt

- Wireshark 2.4.4:
* fixes for dissector crashes:
+ CVE-2018-5334: IxVeriWave file could crash (bsc#1075737)
+ CVE-2018-5335: WCP dissector could crash (bsc#1075738)
+ CVE-2018-5336: Multiple dissector crashes (bsc#1075739)
* No longer enable the Linux kernel BPF JIT compiler via the
net.core.bpf_jit_enable sysctl, as this would make systems
more vulnerable to Spectre variant 1 (bsc#1075748, CVE-2017-5753)
* Further bug fixes and updated protocol support as listed in:
https://www.wireshark.org/docs/relnotes/wireshark-2.4.4.html

==== xen ====
Version update (4.10.0_08 -> 4.10.0_10)
Subpackages: xen-doc-html xen-libs xen-tools xen-tools-domU

- bsc#1067317 - pass cache=writeback|unsafe|directsync to qemu,
depending on the libxl disk settings
libxl.add-option-to-disable-disk-cache-flushes-in-qdisk.patch
- Remove libxl.LIBXL_DESTROY_TIMEOUT.debug.patch
- bsc#1067224 - xen-tools have hard dependency on Python 2
build-python3-conversion.patch
bin-python3-conversion.patch
- bsc#1070165 - xen crashes after aborted localhost migration
5a2ffc1f-x86-mm-drop-bogus-paging-mode-assertion.patch
- bsc#1035442 - L3: libxl: error: libxl.c:1676:devices_destroy_cb:
libxl__devices_destroy failed
5a33a12f-domctl-improve-locking-during-domain-destruction.patch
- Upstream patches from Jan (bsc#1027519)
5a21a77e-x86-pv-construct-d0v0s-GDT-properly.patch
5a2fda0d-x86-mb2-avoid-Xen-when-looking-for-module-crashkernel-pos.patch
5a313972-x86-microcode-add-support-for-AMD-Fam17.patch
5a32bd79-x86-vmx-dont-use-hvm_inject_hw_exception-in-.patch

==== xorg-x11-server ====
Version update (1.19.5 -> 1.19.6)
Subpackages: xorg-x11-server-sdk

- Update to version 1.19.6:
Another collection of fixes from master. There will likely be at least one more
1.19.x release in 2018.

==== yast2-ruby-bindings ====
Version update (4.0.3 -> 4.0.4)

- Set proper title also for YaST2 scc (bsc#1075164)
- 4.0.4

