Packages changed:
aaa_base (84.87+git20211102.80d7177 -> 84.87+git20211124.5486aad)
audit-secondary
bash (5.1.8 -> 5.1.12)
busybox-links
catatonit
containers-systemd (0.0+git20210507.9afe2a6 -> 0.0+git20211129.1b144ae)
efibootmgr (14 -> 17)
gnutls
haproxy (2.4.8+git0.d1f8d41e0 -> 2.5.0+git0.f2e0833f1)
libarchive
libcap (2.59 -> 2.61)
libimagequant (2.15.1 -> 2.17.0)
lua54
pam
python-charset-normalizer (2.0.7 -> 2.0.8)
python38
python38-core
raspberrypi-firmware-dt (2021.09.17 -> 2021.11.19)
sssd (2.5.2 -> 2.6.1)
tpm2.0-abrmd
xmlsec1 (1.2.32 -> 1.2.33)
=== Details ===
==== aaa_base ====
Version update (84.87+git20211102.80d7177 -> 84.87+git20211124.5486aad)
- Clear term.sh and term.csh also from file list
- Update to version 84.87+git20211124.5486aad:
* Remove term.sh and term.csh: no COLORTERM anymore
Avoid changing COLORTERM variable in urxvt (boo#1190833)
==== audit-secondary ====
Subpackages: audit python3-audit system-group-audit
- Use %autosetup
- Don't include sample rules as %doc, they're already installed
as normal files
- Fix create-augenrules-service.patch:
* auditd.service needs to require augenrules.service,
not the other way around
- Fix documentation for enable-stop-rules.patch
==== bash ====
Version update (5.1.8 -> 5.1.12)
- Update bash 5.1 to patch level 12
* Add official patch bash51-009
The bash malloc implementation of malloc_usable_size() does not follow the
specification. This can cause library functions that use it to overwrite
memory bounds checking.
* Add official patch bash51-010
If `wait -n' is interrupted by a trapped signal other than SIGINT, it does
not completely clean up state, and that can prevent subsequent calls to
`wait -n' from working correctly.
* Add official patch bash51-011
When reading a compound assignment, and running it through the parser to
split it into words, we need to save and restore any alias we're currently
expanding.
* Add official patch bash51-012
There is a possible race condition that arises when a child process receives
a signal trapped by the parent before it can reset the signal dispositions.
The child process is not supposed to trap the signal in this circumstance.
- Using package bash-sh instead of the update-alternative
mechanism.
==== busybox-links ====
Subpackages: busybox-coreutils busybox-gawk busybox-grep busybox-gzip busybox-hostname busybox-sed busybox-xz
- Removed libalternatives machanism. Using direct link from
/usr/bin/busybox to /usr/bin/sh. The package is conflicting with
the new packages bash-sh which has a link for /usr/bin/sh too.
- Use libalternatives instead of update-alternatives.
==== catatonit ====
- Add 99bb9048f.patch: configure.ac: call AM_INIT_AUTOMAKE only
once. Fix build with autocnf 2.71 / automake 1.16.5.
==== containers-systemd ====
Version update (0.0+git20210507.9afe2a6 -> 0.0+git20211129.1b144ae)
- Update to version 0.0+git20211129.1b144ae:
* Add roundcube files
==== efibootmgr ====
Version update (14 -> 17)
- Update to v17:
* use efivar's logging facility more (more info in -v2 , -v3, etc)
* Various bug fixes
* Better -e parsing
* fix pkg-config invocation for ldflags
* Make efibootmgr use EFIDIR / efibootmgr.efidir like fwupdate does
* make --loader default build-time configurable
* sanitize set_mirror()/get_mirror()
* Add support for parsing loader options as UCS2
* GCC 7 fixes
* Don't use -fshort-wchar since we don't run on EFI machines.
- Drop 0001-Don-t-use-fshort-wchar-when-building-63.patch (upstreamed)
- Drop 0002-Remove-extra-const-keywords-gcc-7-gripes-about.patch
(upstreamed)
- Drop 0003-Add-support-for-parsing-optional-data-as-ucs2.patch
(upstreamed)
- Drop MARM-sanitize-set_mirror.diff (upstreamed)
- Drop efibootmgr-derhat.diff (upstreamed)
- Rebase efibootmgr-delete-multiple.diff
==== gnutls ====
- Drop bogus condition "> 1550": that would mean 'more recent than
Tumbleweed' which is technically impossible, as Tumbleweed is the
leading project (and the condition causes issues as Tumbleweed
needs to move away from 1550 due to CODE 15 SP5 plans).
==== haproxy ====
Version update (2.4.8+git0.d1f8d41e0 -> 2.5.0+git0.f2e0833f1)
- Update to version 2.5.0+git0.f2e0833f1:
https://www.mail-archive.com/haproxy@formilux.org/msg41508.html
- refreshed patches to apply cleanly again
haproxy-1.6.0-sec-options.patch
haproxy-1.6.0_config_haproxy_user.patch
lua54.patch
==== libarchive ====
- fix permission settings on following symlinks (fix-following-symlinks.patch)
this fixes also wrong permissions of /var/tmp in factory systems
==== libcap ====
Version update (2.59 -> 2.61)
- libcap 2.61:
* Better error handling of the numerical arguments for capsh and
setcap
* Fix executable mode for all of the .so files. There were two
situations where this was failing (with a hard to debug SIGSEGV
inside libc)
* Added an example of a shared library object with its own file
capability
* Fix the top-level include for Make.Rules in the contrib/sucap
example application
* Add support for running constructors at libcap.so start up time
when running as stand alone binary.
- includes changes from 2.60:
* Some build, code linting fixes, the addition of the
cap_fill_flag() API and a memory latency optimization
* General improvement in thread safety for libcap and cap package
* Minor API change replacing libcap:cap_launch_*() void returning
functions with int + errno status returns.
* Added a cap_iab_dup(), and (*cap.IAB).Dup() to API
* New features for capsh: --quiet, -+ and =+ arguments
- add upstream signing key and verify source signature
==== libimagequant ====
Version update (2.15.1 -> 2.17.0)
- update to 2.17.0:
* Do not build as unversioned DSO
* use float as in SSE
* Initialize rows using heap to handle large images
* Free rows after remapping
* Disable SSE on arm64
==== lua54 ====
- Update upstream-bugs.patch and upstream-bugs-test.patch to fix
bugs 7,8 for build and tests respectively.
==== pam ====
Subpackages: pam_unix
- Don't define doc/manpages packages in main build
- Add missing recommends and split provides
- Use multibuild to build docu with correct paths and available
features.
- common-session: move pam_systemd to first position as if the
file would have been generated with pam-config
- Add vendordir fixes and enhancements from upstream:
- pam_xauth_data.3.xml.patch
- 0001-Include-pam_xauth_data.3.xml-in-source-archive-400.patch
- 0002-Only-include-vendordir-in-manual-page-if-set-401.patch
- 0003-Use-vendor-specific-limits.conf-as-fallback-402.patch
- For buggy bot: Makefile-pam_unix-nis.diff belonged to the other
spec file.
==== python-charset-normalizer ====
Version update (2.0.7 -> 2.0.8)
- update to 2.0.8:
* Improvement over Vietnamese detection
* MD improvement on trailing data and long foreign (non-pure latin)
* Efficiency improvements in cd/alphabet_languages
* call sum() without an intermediary list following PEP 289 recommendations
* Code style as refactored by Sourcery-AI
* Minor adjustment on the MD around european words
* Remove and replace SRTs from assets / tests
* Initialize the library logger with a `NullHandler` by default
* Setting kwarg `explain` to True will add provisionally
* Fix large (misleading) sequence giving UnicodeDecodeError
* Avoid using too insignificant chunk
* Add and expose function `set_logging_handler` to configure a specific
StreamHandler
- require lower-case name instead of breaking build
- Use lower-case name of prettytable package
==== python38 ====
- Remove shebangs from from python-base libraries in _libdir
(bsc#1193179).
- Readjust patches:
- bpo-31046_ensurepip_honours_prefix.patch
- decimal.patch
- python-3.3.0b1-fix_date_time_compiler.patch
==== python38-core ====
Subpackages: libpython3_8-1_0 python38-base
- Remove shebangs from from python-base libraries in _libdir
(bsc#1193179).
- Readjust patches:
- bpo-31046_ensurepip_honours_prefix.patch
- decimal.patch
- python-3.3.0b1-fix_date_time_compiler.patch
==== raspberrypi-firmware-dt ====
Version update (2021.09.17 -> 2021.11.19)
- Update to 14c1845ff9 (2021-11-19):
* Add DTS:
- bcm2710-rpi-zero-2-w.dts
- bcm2710-rpi-zero-2.dts
* Add overlays:
- adafruit-st7735r-overlay.dts
- fbtft-overlay.dts
- imx519-overlay.dts
- mcp2515-overlay.dts
- mlx90640-overlay.dts
==== sssd ====
Version update (2.5.2 -> 2.6.1)
Subpackages: libsss_certmap0 libsss_idmap0 libsss_nss_idmap0 sssd-krb5-common sssd-ldap
- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
* harden_sssd-ifp.service.patch
* harden_sssd-kcm.service.patch
- Update to release 2.6.1
* New infopipe method FindByValidCertificate().
* The default value of the "ssh_hash_known_hosts" setting was
changed to false for the sake of consistency with OpenSSH
that does not hash host names by default.
- Update to release 2.6.0
* Support of legacy json format for ccaches was dropped.
* Support of long time deprecated secrets responder was dropped.
* Support of long time deprecated local provider was dropped.
* The sssctl command was vulnerable to shell command injection
via the logs-fetch and cache-expire subcommands,
which was fixed.
* Basic support of user's 'subuid and subgid ranges' for IPA
provider and corresponding plugin for shadow-utils were added.
==== tpm2.0-abrmd ====
Subpackages: libtss2-tcti-tabrmd0 tpm2.0-abrmd-selinux
- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
* harden_tpm2-abrmd.service.patch
==== xmlsec1 ====
Version update (1.2.32 -> 1.2.33)
Subpackages: libxmlsec1-1 libxmlsec1-openssl1
- update to 1.2.33:
* Fix decrypting session key for two recipients
* Added --privkey-openssl-engine option to enhance openssl engine support