Packages changed:
  ca-certificates-mozilla
  ceph (15.1.0.1521+gcdf35413a0 -> 15.2.0.108+g8cf4f02b08)
  cloud-init
  conmon (2.0.14 -> 2.0.15)
  cpio
  cri-tools (1.17.0 -> 1.18.0)
  cryptsetup (2.3.0 -> 2.3.1)
  elfutils (0.178 -> 0.179)
  glib2 (2.62.5 -> 2.62.6)
  glib2-branding-openSUSE
  haproxy (2.1.3+git0.5c020bbdd -> 2.1.4+git0.3cfc2f1d9)
  k9s (0.15.2 -> 0.18.1)
  kdump
  kernel-64kb (5.5.13 -> 5.6.0)
  kernel-source (5.5.13 -> 5.6.0)
  kexec-tools
  krb5
  kubernetes
  mozilla-nss (3.50 -> 3.51)
  nano (4.9 -> 4.9.1)
  ncurses
  nfs-utils
  open-iscsi
  openSUSE-build-key
  openssl-1_1 (1.1.1d -> 1.1.1f)
  pam
  permissions (1550_20200228 -> 1550_20200324)
  podman
  rook (1.2.6+git0.g99024013 -> 1.2.7+git0.g1acfd182)
  setools (4.2.2 -> 4.3.0)
  system-users
  sysuser-tools
  transactional-update (2.20.4 -> 2.21)
  weave (2.6.1 -> 2.6.2)
  wpa_supplicant
  xz (5.2.4 -> 5.2.5)
  yast2 (4.2.78 -> 4.2.80)
  yomi-formula (0.0.1+git.1583771480.5787782 -> 0.0.1+git.1585319502.392f59c)

=== Details ===

==== ca-certificates-mozilla ====

- also run update-ca-certificates in %posttrans

==== ceph ====
Version update (15.1.0.1521+gcdf35413a0 -> 15.2.0.108+g8cf4f02b08)
Subpackages: ceph-common libcephfs2 librados2 libradosstriper1 librbd1 librgw2 python3-ceph-argparse python3-ceph-common python3-cephfs python3-rados python3-rbd python3-rgw

- Update to 15.2.0-108-g8cf4f02b08:
  + rebase on tip of upstream "octopus" branch, SHA1 9267cc03e1b1612109dd57cc6ce74c34ed1f1d00
  * cephadm: Fix truncated output of "ceph mgr dump"
- Update to 15.2.0-29-g274f7bc2e7:
  + rebase on tip of upstream "octopus" branch, SHA1 a8062613c81ad08815edcdf06e668fcc77270a03
  * upstream 15.2.0 (first Octopus stable) release
    https://ceph.io/releases/v15-2-0-octopus-released/
- Update to 15.1.1-220-g0f87374dc1:
  + rebase on tip of upstream "octopus" branch, SHA1 243cbd6224921f7f5c2463705c75cb9eafd0db5c
  * upstream 15.1.1 (Octopus release candidate) release
    https://github.com/ceph/ceph/releases/tag/v15.1.1
  + cephadm: read everything when calling "ceph mgr dump"
- Update to 15.1.0-2160-g310e512e18:
  + rebase on tip of upstream "octopus" branch, SHA1 465f3855623e30f3b4694f3090adbe27c8cd49c3
- Update to 15.1.0-1766-g3d31471523:
  + rebase on tip of upstream master, SHA1 25b8ecc216b02e848f9719ced8c84670de656e78

==== cloud-init ====

- Update cloud-init-write-routes.patch
  + In cases where the config contains 2 or more default gateway
    specifications for an interface only write the first default route,
    log warning message about skipped routes
  + Avoid writing invalid route specification if neither the network
    nor destination is specified in the route configuration
- Update cloud-init-write-routes.patch
  + Still need to consider the "network" configuration option
    for the v1 config implementation. Fixes regression
    introduced with update from Wed Feb 12 19:30:42
- Update cloud-init-write-routes.patch (bsc#1165296)
  + Add the default gateway to the ifroute config file when specified
    as part of the subnet configuration
  + Fix typo to properly extract provided netmask data (bsc#1163178)

==== conmon ====
Version update (2.0.14 -> 2.0.15)

- Enable support for journald logging (bsc#1162432)
- Update to v2.0.15
  - store status while waiting for pid

==== cpio ====

- starting with GCC 10, the default of '-fcommon' option will
  change to '-fno-common'. Because cpio build fails with
  'fno-common', add '-fcommon' option to optflags as a temporary
  workaround for this problem till it's properly fixed [bsc#1160870]

==== cri-tools ====
Version update (1.17.0 -> 1.18.0)

- Update to v1.18.0:
  * Main Changes
  * Update Kubernetes to v1.18.0
  * Switch to urfave/cli/v2
  * CRI CLI (crictl)
  * Use ContextDialer to fix build
  * Add go-template option for inspect commands
  * Fix invalid log_path in docs
  * CRI validation testing (critest)
  * Make apparmor failure test more flexible
  * Start container before fetching metrics
  * Cleanup container create test to reduce duplication
  * Add container stats test

==== cryptsetup ====
Version update (2.3.0 -> 2.3.1)
Subpackages: libcryptsetup12

- Split translations to -lang package
- New version to 2.3.1
  * Support VeraCrypt 128 bytes passwords.
    VeraCrypt now allows passwords of maximal length 128 bytes
    (compared to legacy TrueCrypt where it was limited by 64 bytes).
  * Strip extra newline from BitLocker recovery keys
    There might be a trailing newline added by the text editor when
    the recovery passphrase was passed using the --key-file option.
  * Detect separate libiconv library.
    It should fix compilation issues on distributions with iconv
    implemented in a separate library.
  * Various fixes and workarounds to build on old Linux distributions.
  * Split lines with hexadecimal digest printing for large key-sizes.
  * Do not wipe the device with no integrity profile.
    With --integrity none we performed useless full device wipe.
  * Workaround for dm-integrity kernel table bug.
    Some kernels show an invalid dm-integrity mapping table
    if superblock contains the "recalculate" bit. This causes
    integritysetup to not recognize the dm-integrity device.
    Integritysetup now specifies kernel options in such a way that
    even on unpatched kernels mapping table is correct.
  * Print error message if LUKS1 keyslot cannot be processed.
    If the crypto backend is missing support for hash algorithms
    used in PBKDF2, the error message was not visible.
  * Properly align LUKS2 keyslots area on conversion.
    If the LUKS1 payload offset (data offset) is not aligned
    to 4 KiB boundary, new LUKS2 keyslots area is now aligned properly.
  * Validate LUKS2 earlier on conversion to not corrupt the device
    if binary keyslots areas metadata are not correct.

==== elfutils ====
Version update (0.178 -> 0.179)
Subpackages: libasm1 libdw1 libelf1

- Update to version 0.179:
  debuginfod-client: When DEBUGINFOD_PROGRESS is set and the program doesn't
    install its own debuginfod_progressfn_t show download
    progress on stderr.
    DEBUGINFOD_TIMEOUT is now defined as seconds to get at
    least 100K, defaults to 90 seconds.
    Default to $XDG_CACHE_HOME/debuginfod_client.
    New functions debuginfod_set_user_data,
    debuginfod_get_user_data, debuginfod_get_url and
    debuginfod_add_http_header.
    Support for file:// URLs.
  debuginfod: Uses libarchive directly for reading rpm archives.
    Support for indexing .deb/.ddeb archives through dpkg-deb
    or bsdtar.
    Generic archive support through -Z EXT[=CMD]. Which can be
    used for example for arch-linux pacman files by using
    -Z '.tar.zst=zstdcat'.
    Better logging using User-Agent and X-Forwarded-For headers.
    More prometheus metrics.
    Support for eliding dots or extraneous slashes in path names.
  debuginfod-find: Accept /path/names in place of buildid hex.
  libelf: Handle PN_XNUM in elf_getphdrnum before shdr 0 is cached
    Ensure zlib resource cleanup on failure.
  libdwfl: dwfl_linux_kernel_find_elf and dwfl_linux_kernel_report_offline
    now find and handle a compressed vmlinuz image.
  readelf, elflint: Handle PT_GNU_PROPERTY.
  translations: Updated Ukrainian translation.

==== glib2 ====
Version update (2.62.5 -> 2.62.6)
Subpackages: glib2-tools libgio-2_0-0 libglib-2_0-0 libgmodule-2_0-0 libgobject-2_0-0

- Update to version 2.62.6:
  + This is expected to be the final release in the 2.62.x stable
    series; maintenance effort will shift to the newer 2.64.x
    stable series now.
  + Fix SOCKS5 username/password authentication.
  + Exception handling fixes on Windows.
  + Bugs fixed: glgo#GNOME/GLib#1986, glgo#GNOME/GLib#1988,
    glgo#GNOME/GLib#2049, glgo#GNOME/GLib!1378,
    glgo#GNOME/GLib!1380, glgo#GNOME/GLib!1393,
    glgo#GNOME/GLib!1394, glgo#GNOME/GLib!1411.
  + Updated translations.

==== glib2-branding-openSUSE ====

- Update .gschema.override.in:
  + Set sleep-inactive-ac-timeout, sleep-inactive-battery-timeout to
    0 for Leap to be consistent with SLE and old versions (bsc#1158497).

==== haproxy ====
Version update (2.1.3+git0.5c020bbdd -> 2.1.4+git0.3cfc2f1d9)

- Update to version 2.1.4+git0.3cfc2f1d9: (boo#1168023) CVE-2020-11100
  - SCRIPTS: make announce-release executable again
  - BUG/MINOR: namespace: avoid closing fd when socket failed in
    my_socketat
  - BUG/MEDIUM: muxes: Use the right argument when calling the
    destroy method.
  - BUG/MINOR: mux-fcgi: Forbid special characters when matching
    PATH_INFO param
  - MINOR: mux-fcgi: Make the capture of the path-info optional in
    pathinfo regex
  - SCRIPTS: announce-release: use mutt -H instead of -i to include
    the draft
  - MINOR: http-htx: Add a function to retrieve the headers size of
    an HTX message
  - MINOR: filters: Forward data only if the last filter forwards
    something
  - BUG/MINOR: filters: Count HTTP headers as filtered data but
    don't forward them
  - BUG/MINOR: http-htx: Don't return error if authority is updated
    without changes
  - BUG/MINOR: http-ana: Matching on monitor-uri should be
    case-sensitive
  - MINOR: http-ana: Match on the path if the monitor-uri starts by
    a /
  - BUG/MAJOR: http-ana: Always abort the request when a tarpit is
    triggered
  - MINOR: ist: add an iststop() function
  - BUG/MINOR: http: http-request replace-path duplicates the query
    string
  - BUG/MEDIUM: shctx: make sure to keep all blocks aligned
  - MINOR: compiler: move CPU capabilities definition from config.h
    and complete them
  - BUG/MEDIUM: ebtree: don't set attribute packed without
    unaligned access support
  - BUILD: fix recent build failure on unaligned archs
  - CLEANUP: cfgparse: Fix type of second calloc() parameter
  - BUG/MINOR: sample: fix the json converter's endian-sensitivity
  - BUG/MEDIUM: ssl: fix several bad pointer aliases in a few
    sample fetch functions
  - BUG/MINOR: connection: make sure to correctly tag local PROXY
    connections
  - MINOR: compiler: add new alignment macros
  - BUILD: ebtree: improve architecture-specific alignment
  - BUG/MINOR: h2: reject again empty :path pseudo-headers
  - BUG/MINOR: sample: Make sure to return stable IDs in the
    unique-id fetch
  - BUG/MINOR: dns: ignore trailing dot
  - BUG/MINOR: http-htx: Do case-insensitive comparisons on Host
    header name
  - MINOR: contrib/prometheus-exporter: Add healthcheck status/code
    in server metrics
  - MINOR: contrib/prometheus-exporter: Add the last healthcheck
    duration metric
  - BUG/MEDIUM: random: initialize the random pool a bit better
  - MINOR: tools: add 64-bit rotate operators
  - BUG/MEDIUM: random: implement a thread-safe and process-safe
    PRNG
  - MINOR: backend: use a single call to ha_random32() for the
    random LB algo
  - BUG/MINOR: checks/threads: use ha_random() and not rand()
  - BUG/MAJOR: list: fix invalid element address calculation
  - MINOR: debug: report the task handler's pointer relative to
    main
  - BUG/MEDIUM: debug: make the debug_handler check for the thread
    in threads_to_dump
  - MINOR: haproxy: export main to ease access from debugger
  - BUILD: tools: remove obsolete and conflicting trace() from
    standard.c
  - BUG/MINOR: wdt: do not return an error when the watchdog
    couldn't be enabled
  - DOC: fix incorrect indentation of http_auth_*
  - OPTIM: startup: fast unique_id allocation for acl.
  - BUG/MINOR: pattern: Do not pass len = 0 to calloc()
  - DOC: configuration.txt: fix various typos
  - DOC: assorted typo fixes in the documentation and Makefile
  - BUG/MINOR: init: make the automatic maxconn consider the max of
    soft/hard limits
  - BUG/MAJOR: proxy_protocol: Properly validate TLV lengths
  - REGTEST: make the PROXY TLV validation depend on version 2.2
  - BUG/MINOR: filters: Use filter offset to deduce the amount of
    forwarded data
  - BUG/MINOR: filters: Forward everything if no data filters are
    called
  - MINOR: htx: Add a function to return a block at a specific
    offset
  - BUG/MEDIUM: cache/filters: Fix loop on HTX blocks caching the
    response payload
  - BUG/MEDIUM: compression/filters: Fix loop on HTX blocks
    compressing the payload
  - BUG/MINOR: http-ana: Reset request analysers on a response side
    error
  - BUG/MINOR: lua: Ignore the reserve to know if a channel is full
    or not
  - BUG/MINOR: http-rules: Preserve FLT_END analyzers on reject
    action
  - BUG/MINOR: http-rules: Fix a typo in the reject action function
  - BUG/MINOR: rules: Preserve FLT_END analyzers on silent-drop
    action
  - BUG/MINOR: rules: Increment be_counters if backend is assigned
    for a silent-drop
  - DOC: fix typo about no-tls-tickets
  - DOC: improve description of no-tls-tickets
  - DOC: assorted typo fixes in the documentation
  - DOC: ssl: clarify security implications of TLS tickets
  - BUILD: wdt: only test for SI_TKILL when compiled with thread
    support
  - BUG/MEDIUM: mt_lists: Make sure we set the deleted element to
    NULL;
  - MINOR: mt_lists: Appease gcc.
  - BUG/MEDIUM: random: align the state on 2*64 bits for ARM64
  - BUG/MEDIUM: pools: Always update free_list in pool_gc().
  - BUG/MINOR: haproxy: always initialize sleeping_thread_mask
  - BUG/MINOR: listener/mq: do not dispatch connections to remote
    threads when stopping
  - BUG/MINOR: haproxy/threads: try to make all threads leave
    together
  - DOC: proxy_protocol: Reserve TLV type 0x05 as
    PP2_TYPE_UNIQUE_ID
  - DOC: correct typo in alert message about rspirep
  - BUILD: on ARM, must be linked to libatomic.
  - BUILD: makefile: fix regex syntax in ARM platform detection
  - BUILD: makefile: fix expression again to detect ARM platform
  - BUG/MEDIUM: peers: resync ended with RESYNC_PARTIAL in wrong
    cases.
  - DOC: assorted typo fixes in the documentation
  - MINOR: wdt: Move the definitions of WDTSIG and DEBUGSIG into
    types/signal.h.
  - BUG/MEDIUM: wdt: Don't ignore WDTSIG and DEBUGSIG in
    __signal_process_queue().
  - MINOR: memory: Change the flush_lock to a spinlock, and don't
    get it in alloc.
  - BUG/MINOR: connections: Make sure we free the connection on
    failure.
  - REGTESTS: use "command -v" instead of "which"
  - REGTEST: increase timeouts on the seamless-reload test
  - BUG/MINOR: haproxy/threads: close a possible race in soft-stop
    detection
  - BUG/MINOR: peers: init bind_proc to 1 if it wasn't initialized
  - BUG/MINOR: peers: avoid an infinite loop with peers_fe is NULL
  - BUG/MINOR: peers: Use after free of "peers" section.
  - MINOR: listener: add so_name sample fetch
  - BUILD: ssl: only pass unsigned chars to isspace()
  - BUG/MINOR: stats: Fix color of draining servers on stats page
  - DOC: internals: Fix spelling errors in filters.txt
  - MINOR: http-rules: Add a flag on redirect rules to know the
    rule direction
  - BUG/MINOR: http_ana: make sure redirect flags don't have
    overlapping bits
  - MINOR: http-rules: Handle the rule direction when a redirect is
    evaluated
  - BUG/MINOR: http-ana: Reset request analysers on error when
    waiting for response
  - BUG/CRITICAL: hpack: never index a header into the headroom
    after wrapping

==== k9s ====
Version update (0.15.2 -> 0.18.1)

- Update to version 0.18.1
  - Many bug fixes
  - Many new features (auto suggestions, revisited logs, k9 plugins)
  - see https://github.com/derailed/k9s/releases/

==== kdump ====

- kdump-make-sure-that-the-udev-runtime-directory-exists.patch:
  Make sure that the udev runtime directory exists (bsc#1164713).

==== kernel-64kb ====
Version update (5.5.13 -> 5.6.0)

- Refresh
  patches.suse/media-go7007-Fix-URB-type-for-interrupt-handling.patch.
  Update upstream status.
- commit 46fab61
- mac80211: fix authentication with iwlwifi/mvm
  (https://lkml.kernel.org/r/20200329.212136.273575061630425724.davem@davemloft.net).
- commit 5032681
- Revert "sign also s390x kernel images (bsc#1163524)"
  This reverts commit b38b61155f0a2c3ebca06d4bb0c2e11a19a87f1f.
  The pesign-obs-integration changes needed for s390x image signing are
  still missing in Factory so that this change breaks s390x builds.
- commit 9544af9
- Update to 5.6 final
- refresh configs
- commit da616f7

==== kernel-source ====
Version update (5.5.13 -> 5.6.0)

- Refresh
  patches.suse/media-go7007-Fix-URB-type-for-interrupt-handling.patch.
  Update upstream status.
- commit 46fab61
- mac80211: fix authentication with iwlwifi/mvm
  (https://lkml.kernel.org/r/20200329.212136.273575061630425724.davem@davemloft.net).
- commit 5032681
- Revert "sign also s390x kernel images (bsc#1163524)"
  This reverts commit b38b61155f0a2c3ebca06d4bb0c2e11a19a87f1f.
  The pesign-obs-integration changes needed for s390x image signing are
  still missing in Factory so that this change breaks s390x builds.
- commit 9544af9
- Update to 5.6 final
- refresh configs
- commit da616f7

==== kexec-tools ====

- kexec-tools-Remove-duplicated-variable-declarations.patch:
  Remove duplicated variable declarations (boo#1160399).
- kexec-tools-s390-Reset-kernel-command-line-on-syscal.patch: s390:
  Reset kernel command line on syscall fallback (bsc#1167868).

==== krb5 ====

- Fix segfault in k5_primary_domain; (bsc#1167620);
- Added patches:
  * 0009-Fix-null-dereference-qualifying-short-hostnames.patch

==== kubernetes ====
Subpackages: kubernetes-client kubernetes-kubeadm kubernetes-kubelet-common kubernetes-kubelet1.17 kubernetes-kubelet1.18

- Rename /usr/lib/sysctl.d/50-kubeadm.conf to 90-kubeadm.conf [boo#1163328]
- Dropping all old CaaSP legacy configuration

==== mozilla-nss ====
Version update (3.50 -> 3.51)

- Update previous patch nss-kremlin-ppc64le.patch
  slightly modified to support also ppc64 (BE) versus initial
  https://github.com/FStarLang/kremlin/issues/166
- Add patch nss-kremlin-ppc64le.patch to fix ppc and s390x builds
- update to NSS 3.51
  * Updated DTLS 1.3 implementation to Draft-34. (bmo#1608892)
  * Correct swapped PKCS11 values of CKM_AES_CMAC and
    CKM_AES_CMAC_GENERAL (bmo#1611209)
  * Complete integration of Wycheproof ECDH test cases (bmo#1612259)
  * Check if PPC __has_include(<sys/auxv.h>) (bmo#1614183)
  * Fix a compilation error for 'getFIPSEnv' "defined but not used"
    (bmo#1614786)
  * Send DTLS version numbers in DTLS 1.3 supported_versions extension
    to avoid an incompatibility. (bmo#1615208)
  * SECU_ReadDERFromFile calls strstr on a string that isn't guaranteed
    to be null-terminated (bmo#1538980)
  * Correct a warning for comparison of integers of different signs:
    'int' and 'unsigned long' in security/nss/lib/freebl/ecl/ecp_25519.c:88
    (bmo#1561337)
  * Add test for mp_int clamping (bmo#1609751)
  * Don't attempt to read the fips_enabled flag on the machine unless
    NSS was built with FIPS enabled (bmo#1582169)
  * Fix a null pointer dereference in BLAKE2B_Update (bmo#1431940)
  * Fix compiler warning in secsign.c (bmo#1617387)
  * Fix a OpenBSD/arm64 compilation error: unused variable 'getauxval'
    (bmo#1618400)
  * Fix a crash on unaligned CMACContext.aes.keySchedule when using
    AES-NI intrinsics (bmo#1610687)

==== nano ====
Version update (4.9 -> 4.9.1)

- GNU nano 4.9.1
  * fix cursor getting misplaced when undoing line cuts
  * fix filtering of the whole buffer to a new buffer

==== ncurses ====
Subpackages: libncurses6 ncurses-utils terminfo terminfo-base

- Add ncurses patch 20200321
  + improve configure-checks to reduce warnings about unused variables.
  + improve description of error-returns in waddch and waddnstr manual
    pages (prompted by patch by Benno Schulenberg).
  + add test/move_field.c to demonstrate move_field(), and a stub for
    a corresponding demo of dup_field().
- Add ncurses patch 20200314
  + add history note to curs_scanw.3x for <stdarg.h> and <varargs.h>
  + add history note to curs_printw.3x for <stdarg.h> and <varargs.h>
  + add portability note to ncurses.3x regarding <stdarg.h>

==== nfs-utils ====
Subpackages: libnfsidmap1 nfs-client

- Improve the hack to avoid python dependencies.
  A new python script had been added since that hack was written.
  (boo#1166067)
- 0001-conffile-Don-t-give-warning-for-optional-config-file.patch
  Support optional include files correctly
  (boo#1164619)
- Update nfs.conf
  - change value: udp=n (disabled in 2.2.1.)
  - update name: manage-gids
  - new: verbosity=0, rpc-verbosity=0, use-gss-proxy=0, rdma-port=20049,
    no-notify=0, force=0, lift-grace=y

==== open-iscsi ====
Subpackages: iscsiuio libopeniscsiusr0_2_0

- Update with two upstream commits:
  * Fix issue where "iscsi-iname -p" core dumps. (found upstream)
  * Fix iscsi.service so it handles restarts better (bsc#1163499)
  * Add Wants=remote-fs-pre.target for sequencing. (bsc#1158536)
  updating:
  * open-iscsi-SUSE-latest.diff.bz2
- Update SPEC file to work around issue with installcheck
  SUSE script. Update the SPEC file while there.

==== openSUSE-build-key ====

- mark the opensuse-container-key and the suse-container-key
  for openSUSE:Containers and SUSE:Containers space.
  (same as the build keys for SLE15 and openSUSE respectively.)
- Replace the old security@suse.de email comm key by the new, move
  the old one to the oldkey. (bsc#1166334)

==== openssl-1_1 ====
Version update (1.1.1d -> 1.1.1f)

- Update to 1.1.1f
  * Revert the unexpected EOF reporting via SSL_ERROR_SSL
- refresh openssl-1.1.0-no-html.patch
- Update to 1.1.1e
  * Properly detect EOF while reading in libssl. Previously if we hit an EOF
    while reading in libssl then we would report an error back to the
    application (SSL_ERROR_SYSCALL) but errno would be 0. We now add
    an error to the stack (which means we instead return SSL_ERROR_SSL) and
    therefore give a hint as to what went wrong.
  * Check that ed25519 and ed448 are allowed by the security level. Previously
    signature algorithms not using an MD were not being checked that they were
    allowed by the security level.
  * Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername()
    was not quite right. The behaviour was not consistent between resumption
    and normal handshakes, and also not quite consistent with historical
    behaviour. The behaviour in various scenarios has been clarified and
    it has been updated to make it match historical behaviour as closely as
    possible.
  * Corrected the documentation of the return values from the EVP_DigestSign*
    set of functions.  The documentation mentioned negative values for some
    errors, but this was never the case, so the mention of negative values
    was removed.
  * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY.
    The presence of this system service is determined at run-time.
  * Added newline escaping functionality to a filename when using openssl dgst.
    This output format is to replicate the output format found in the '*sum'
    checksum programs. This aims to preserve backward compatibility.
  * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just
    the first value.
- Update bunch of patches as the internal crypto headers got reorganized
- drop openssl-1_1-CVE-2019-1551.patch (upstream)
- openssl dgst: default to SHA256 only when called without a digest,
  not when it couldn't be found (bsc#1166189)
  * add openssl-unknown_dgst.patch
- Limit the DRBG selftests to not deplete entropy (bsc#1165274)
  * update openssl-fips_selftest_upstream_drbg.patch

==== pam ====

- Listed all manual pages separately as pam_userdb.8 has been moved
  to pam-extra.
  Also %exclude %{_defaultdocdir}/pam as the docs are in a separate
  package.
  [pam.spec]
- pam_userdb moved to a new package pam-extra as pam-modules
  is obsolete and not part of SLE.
  [bsc#1166510, pam.spec]

==== permissions ====
Version update (1550_20200228 -> 1550_20200324)
Subpackages: chkstat permissions-config

- Update to version 20200324:
  * whitelist s390-tools setgid bit on log directory (bsc#1167163)
  * whitelist WMP (bsc#1161335)
  * regtest: improve readability of path variables by using literals
  * regtest: adjust test suite to new path locations in /usr/share/permissions
  * regtest: only catch explicit FileNotFoundError
  * regtest: provide valid home directory in /root
  * regtest: mount permissions src repository in /usr/src/permissions
  * regtest: move initialization of TestBase paths into the prepare() function
  * chkstat: support new --config-root command line option
  * fix spelling of icingacmd group

==== podman ====
Subpackages: podman-cni-config

- Add "systemd" BUILDFLAGS to build with support for journald
  logging (bsc#1162432)

==== rook ====
Version update (1.2.6+git0.g99024013 -> 1.2.7+git0.g1acfd182)

- Update to v1.2.7 (bsc#1168160):
  * Apply the expected lower PG count for rgw metadata pools (#5091)
  * Reject devices smaller than 5GiB for OSDs (#5089)
  * Add extra check for filesystem to skip boot volumes for OSD configuration (#5022)
  * Avoid duplication of mon pod anti-affinity (#4998)
  * Update service monitor definition during upgrade (#5078)
  * Resizer container fix due to misinterpretation of the cephcsi version (#5073-1)
  * Set ResourceVersion for Prometheus rules (#4528)
  * Upgrade doc clarification for RBAC related to the helm chart (#5054)

==== setools ====
Version update (4.2.2 -> 4.3.0)

- Update to the upstream version 4.3.0:
  * Revised sediff method for TE rules. This drastically reduced memory
    and run time.
  * Added infiniband context support to seinfo, sediff, and apol.
  * Added apol configuration for location of Qt assistant.
  * Fixed sediff issue where properties header would display when not
    requested.
  * Fixed sediff issue with type_transition file name comparison.
  * Fixed permission map socket sendto information flow direction.
  * Added methods to TypeAttribute class to make it a complete Python
    collection.
  * Genfscon now will look up classes rather than using fixed values
    which were dropped from libsepol
- Dropped python3.8-compat.patch

==== system-users ====
Subpackages: system-group-hardware system-group-wheel system-user-bin system-user-daemon system-user-nobody

- Use test -x instead of -f
- Call usermod only if installed

==== sysuser-tools ====

- Fix bug introduced by simplification of check for useradd -g
- Refactor use of sed away
- Use eval set -- $LINE instead of read for parsing
- Clean up sysusers2shadow and make it use only /bin/sh
- Don't let busybox adduser create the home directory, it breaks
  permissions of e.g. /sbin (home of daemon)
- Use only /bin/sh in sysusers-generate-pre and the generated code
- Drop use of tail from the generated %pre scriptlets

==== transactional-update ====
Version update (2.20.4 -> 2.21)
Subpackages: transactional-update-zypp-config

- Update to version 2.21
  - Use slave mounts for /proc, /sys & /dev

==== weave ====
Version update (2.6.1 -> 2.6.2)

- Update to version 2.6.2
  - Weave Net can not be used in fastdp mode and always falls back
  - Restrict timeout value passed to pcap library
- Refresh vendor.tar.xz

==== wpa_supplicant ====

- With v2.9 fi.epitest.hostap.WPASupplicant.service is obsolete (bsc#1167331)
- Change wpa_supplicant.service to ensure wpa_supplicant gets started before
  network. Fix WLAN config on boot with wicked. (boo#1166933)

==== xz ====
Version update (5.2.4 -> 5.2.5)
Subpackages: liblzma5

- Update to 5.2.5:
  * liblzma:
  - Fixed several C99/C11 conformance bugs. Now the code is clean
    under gcc/clang -fsanitize=undefined. Some of these changes
    might have a negative effect on performance with old GCC
    versions or compilers other than GCC and Clang. The configure
    option --enable-unsafe-type-punning can be used to (mostly)
    restore the old behavior but it shouldn't normally be used.
  - Improved API documentation of lzma_properties_decode().
  - Added a very minor encoder speed optimization.
  * xz:
  - Fixed a crash in "xz -dcfv not_an_xz_file". All four options
    were required to trigger it. The crash occurred in the
    progress indicator code when xz was in passthru mode where
    xz works like "cat".
  - Fixed an integer overflow with 32-bit off_t. It could happen
    when decompressing a file that has a long run of zero bytes
    which xz would try to write as a sparse file. Since the build
    system enables large file support by default, off_t is
    normally 64-bit even on 32-bit systems.
  - Fixes for --flush-timeout:
    * Fix semi-busy-waiting.
    * Avoid unneeded flushes when no new input has arrived
      since the previous flush was completed.
  - Added a special case for 32-bit xz: If --memlimit-compress is
    used to specify a limit that exceeds 4020 MiB, the limit will
    be set to 4020 MiB. The values "0" and "max" aren't affected
    by this and neither is decompression. This hack can be
    helpful when a 32-bit xz has access to 4 GiB address space
    but the specified memlimit exceeds 4 GiB. This can happen
    e.g. with some scripts.
  - Capsicum sandbox is now enabled by default where available
    (FreeBSD >= 10). The sandbox debug messages (xz -vv) were
    removed since they seemed to be more annoying than useful.

==== yast2 ====
Version update (4.2.78 -> 4.2.80)

- Modify the way YaST detects whether systemd is running or not
  (bsc#1168307)
- 4.2.80
- Reread network interfaces configuration after writing it avoiding
  wrong values when reopen network configuration dialog during an
  installation (bsc#1166778)
- 4.2.79

==== yomi-formula ====
Version update (0.0.1+git.1583771480.5787782 -> 0.0.1+git.1585319502.392f59c)

- Update to version 0.0.1+git.1585319502.392f59c:
  * users: better quote for certificate
  * users: workaround bsc#1167909 for passwords