Packages changed:
  aaa_base (84.87+git20200206.ed897a1 -> 84.87+git20200207.27e2c61)
  bash
  btrfsprogs (5.4 -> 5.4.1)
  c-ares (1.15.0+20191108 -> 1.15.0+20200117)
  chrony
  cloud-init
  conmon
  coreutils
  cri-o (1.16.1 -> 1.17.0)
  cryptsetup (2.1.0 -> 2.3.0)
  curl
  elfutils (0.177 -> 0.178)
  etcd (3.3.15 -> 3.4.3)
  glib2 (2.62.4 -> 2.62.5)
  glibc (2.30 -> 2.31)
  gpg2
  grep (3.3 -> 3.4)
  grub2
  haproxy (2.1.1+git0.4ae521379 -> 2.1.3+git0.5c020bbdd)
  installation-images-MicroOS (14.454 -> 14.456)
  iproute2 (5.4 -> 5.5.0)
  issue-generator (1.7 -> 1.8)
  k9s (0.13.0 -> 0.15.2)
  kail (0.13.0 -> 0.14.2)
  kernel-firmware (20200122 -> 20200207)
  kexec-tools
  kubernetes (1.17.0 -> 1.17.2)
  libcap (2.25 -> 2.32)
  libeconf (0.3.3+git20191028.3ac14ce -> 0.3.5+git20200203.3144b69)
  libssh
  libtirpc
  libxcrypt (4.4.10 -> 4.4.12)
  libzypp (17.22.0 -> 17.22.1)
  microos-tools (1.0+git20190812.97ca0ee -> 1.0+git20200214.c7654a7)
  mozilla-nss (3.48 -> 3.49.2)
  nano (4.7 -> 4.8)
  ncurses (6.1 -> 6.2)
  nfs-utils
  open-lldp
  openssh
  patterns-microos
  permissions (1550_20191205 -> 1550_20200213)
  podman (1.7.0 -> 1.8.0)
  popt
  python-decorator (4.4.0 -> 4.4.1)
  python-packaging (19.2 -> 20.1)
  python-pyOpenSSL (19.0.0 -> 19.1.0)
  python-pyparsing (2.4.5 -> 2.4.6)
  python-urllib3 (1.25.6 -> 1.25.8)
  rdma-core
  readline
  rook (1.2.2+git0.g73593a1b -> 1.2.4+git9.gd747507e)
  rpm-config-SUSE (0.g45 -> 0.g52)
  sudo (1.8.28p1 -> 1.8.31)
  system-users
  systemd
  tallow (19+git20191106.4b071b0 -> 21+git20200213.865ec91)
  tar
  toolbox (1.0+git20191014.3034fbc -> 1.0+git20200217.cd18bfb)

=== Details ===

==== aaa_base ====
Version update (84.87+git20200206.ed897a1 -> 84.87+git20200207.27e2c61)

- Update to version 84.87+git20200207.27e2c61:
  * change rp_filter to 2 to follow the current default (bsc#1160735)

==== bash ====

- Add official patch bash50-012
  When using previous-history to go back beyond the beginning of the history list, it's possible to move to an incorrect partial line.
- Add official patch bash50-013
  Reading history entries with timestamps can result in history entries joined by linefeeds.
- Add official patch bash50-014
  If the current line is empty, using the emacs C-xC-e binding to enter the editor will edit the previous command instead of the current (empty) one.
- Add official patch bash50-015
  If alias expansion is enabled when processing the command argument to the `-c' option, an alias is defined in that command, and the command ends with the invocation of that alias, the shell's command parser can prematurely terminate before the entire command is executed.
- Add official patch bash50-016
  Bash waits too long to reap /dev/fd process substitutions used as redirections with loops and group commands, which can lead to file descriptor exhaustion.

==== btrfsprogs ====
Version update (5.4 -> 5.4.1)
Subpackages: btrfsprogs-udev-rules libbtrfs0

- Update to 5.4.1
  * build: fix docbook5 build
  * check: do extra verification of extent items, inode items and chunks
  * qgroup: return ENOTCONN if quotas not running (needs updated kernel)
  * other: various test fixups

==== c-ares ====
Version update (1.15.0+20191108 -> 1.15.0+20200117)

- Upgrade to latest snapshot from 2020-01-17
- disable-live-tests.patch: refreshed
- regression.patch: fix a regression in DNS results that contain both A and AAAA answers.
- Add netcfg as the build requirement and runtime requirement. ares_getaddrinfo function uses the getservbyport_r function which requires the /etc/services file to function properly. That config file is provided by the netcfg package. Unit tests rely on it too, hence it has to be a build dependency as well.
- Switch to cmake-based build. Some packages need the cmake build files.

==== chrony ====

- Add chrony-test-update-processing-of-packet-log.patch in order to fix test-suite failure.
- Update clknetsim to version 79ffe44 (fixes boo#1162964).
- Backport chrony-test-fix-util-unit-test-for-NTP-era-split.patch.

==== cloud-init ====

- Add cloud-init-long-pass.patch (bsc#1162936, CVE-2020-8632)
  + Increase the default length of generated passwords
- Add cloud-init-use-different-random-src.diff (bsc#1162937, CVE-2020-8631)
  + Use non-deterministic generator for password generation.
- Update cloud-init-write-routes.patch (bsc#1163178)
  + Entries in the routes definition have changed causing a traceback during route config file writing. This patch update addresses the issue by extracting the new entries properly.

==== conmon ====

- Update to v2.0.10 (bsc#1160460, bsc#1164390, jsc#ECO-1048, jsc#SLE-11485, jsc#SLE-11331):
- journal logging: write to /dev/null instead of -1
- Add TimedOutMessage to config to share with go code
- Fix format string to limit the size of the string to 10 characters
- Persist oom files on cgroup v2
- Revert the check for the OOM counter on cgroups v1 before writing OOM file
- Add --persist-dir flag to allow important container files to be written to a persistent directory
- Check OOM counter on cgroups v1 before writing OOM file
- Use splice(2) to copy from stdin
- Kill the process group on timeout
- Add --persist-dir to allow callers to specify a directory that conmon should mirror certain important files that should persist reboots (right now, just the container exit file)
- Fix tight loop on OOM
- Add log level trace
- Separate handling of log reopen events and terminal resize events
- Add CONN_SOCK_BUF_SIZE to config
- Fix bug to close the sync pipe before exit command
- Set masterfd_stdout before registering ctrl_cb
- Upstream has an actual description, use it instead of just duplicating the summary again.
- Use `%make_build` macro instead of `%{__make}`
- Use `%make_install` macro instead of `%{__make} install`
- Use `%{_bindir}` macro instead of `%{_usr}/bin`
- Change `PREFIX` to not contain `%{buildroot}` and use the `$DESTDIR` variable
- Initial release v2.0.0

==== coreutils ====

- disable single and testsuite builds in rings/staging
- remove duplicate "coreutils" in flavor to make it look nicer in OBS
- minor: remove obsolete comment in spec file.
- switch to multibuild
- add coreutils-single subpackage that contains a single binary coreutils tool similar to busybox
- package LC_CTIME directories also in lang package
- split off doc package
- remove info macros, handled by file trigger nowadays

==== cri-o ====
Version update (1.16.1 -> 1.17.0)
Subpackages: cri-o-kubeadm-criconfig

- Put default configuration in /etc/crio/crio.conf.d/00-default.conf in replacement for /etc/crio/crio.conf
- Uncomment default apparmor profile to always fallback to the default one
- Remove prevent-local-loopback-teardown-rh1754154.patch which is now included in upstream
- Update to v1.17.0:
  * Major Changes
    - Allow CRI-O to manage IPC and UTS namespaces, in addition to Network
    - Add support for drop-in configuration files
    - Added image pull and network setup metrics
    - Image decryption support
    - Remove unneeded host_ip configuration value
  * Minor Changes
    - Setup container environment variables before user
    - Move default version file location to a tmpfs
    - Failures to stop the network will now cause a stop sandbox request to fail
    - Persist container exit codes across reboot
    - Add conmonmon: a conmon monitoring loop to protect against conmon being OOM'd
    - Add namespaces{-_}dir CLI and config option
    - Add disk usage for ListContainerStats
    - Introduce new runtime field to restrict devices in privileged mode

==== cryptsetup ====
Version update (2.1.0 -> 2.3.0)
Subpackages: libcryptsetup12

- Update to 2.3.0 (include release notes for 2.2.0)
  * BITLK (Windows BitLocker compatible) device access
  * Veritysetup now supports activation with additional PKCS7 signature of root hash through --root-hash-signature option.
  * Integritysetup now calculates hash integrity size according to algorithm instead of requiring an explicit tag size.
  * Integritysetup now supports fixed padding for dm-integrity devices.
  * A lot of fixes to online LUKS2 reencryption.
  * Add crypt_resume_by_volume_key() function to libcryptsetup. If a user has a volume key available, the LUKS device can be resumed directly using the provided volume key. No keyslot derivation is needed, only the key digest is checked.
  * Implement active device suspend info. Add CRYPT_ACTIVATE_SUSPENDED bit to crypt_get_active_device() flags that informs the caller that device is suspended (luksSuspend).
  * Allow --test-passphrase for a detached header. Before this fix, we required a data device specified on the command line even though it was not necessary for the passphrase check.
  * Allow --key-file option in legacy offline encryption. The option was ignored for LUKS1 encryption initialization.
  * Export memory safe functions. To make developing of some extensions simpler, we now export functions to handle memory with proper wipe on deallocation.
  * Fail crypt_keyslot_get_pbkdf for inactive LUKS1 keyslot.
  * Add optional global serialization lock for memory hard PBKDF.
  * Abort conversion to LUKS1 with incompatible sector size that is not supported in LUKS1.
  * Report error (-ENOENT) if no LUKS keyslots are available. User can now distinguish between a wrong passphrase and no keyslot available.
  * Fix a possible segfault in detached header handling (double free).
  * Add integritysetup support for bitmap mode introduced in Linux kernel 5.2.
  * The libcryptsetup now keeps all file descriptors to underlying device open during the whole lifetime of crypt device context to avoid excessive scanning in udev (udev run scan on every descriptor close).
  * The luksDump command now prints more info for reencryption keyslot (when a device is in-reencryption).
  * New --device-size parameter is supported for LUKS2 reencryption.
  * New --resume-only parameter is supported for LUKS2 reencryption.
  * The repair command now tries LUKS2 reencryption recovery if needed.
  * If reencryption device is a file image, an interactive dialog now asks if reencryption should be run safely in offline mode (if autodetection of active devices failed).
  * Fix activation through a token where dm-crypt volume key was not set through keyring (but using old device-mapper table parameter mode).
  * Online reencryption can now retain all keyslots (if all passphrases are provided). Note that keyslot numbers will change in this case.
  * Allow volume key file to be used if no LUKS2 keyslots are present.
  * Print a warning if online reencrypt is called over LUKS1 (not supported).
  * Fix TCRYPT KDF failure in FIPS mode.
  * Remove FIPS mode restriction for crypt_volume_key_get.
  * Reduce keyslots area size in luksFormat when the header device is too small.
  * Make resize action accept --device-size parameter (supports units suffix).

==== curl ====
Subpackages: libcurl4

- Eliminate curl-mini: The reason for this to exist was that cmake pulled in curl into too many places, causing build cycles. A new cmake-mini was generated, eliminating that need.

==== elfutils ====
Version update (0.177 -> 0.178)
Subpackages: libasm1 libdw1 libelf1

- Re-add libelf1 to baselibs.conf: we still generate a libelf-devel-32bit, which is only installable if libelf1-21bit also exists.
- Exclude debuginfod sub-packages and move them to elfutils-debuginfod.
- Avoid double-shipping libdebuginfo.so.1 in two different subpackages. Fixup RPM group.
- Split libdebuginfod1 into libdebuginfod1 and debuginfod-client. Add Requires for these packages.
- Rename debuginfod-client package to libdebuginfod1 in order to fulfil SLPP violation.
- Fix variable references in specfile
- Use %fillupdir macros for proper sysconfig export.
- Update to version 0.178:
  debuginfod: New server, client tool and library to index and fetch ELF/DWARF files addressed by build-id through HTTP.
  doc: There are now some manual pages for functions and tools.
  backends: The libebl libraries are no longer dynamically loaded through dlopen, but are now compiled into libdw.so directly.
  readelf: -n, --notes now takes an optional "SECTION" argument. -p and -x now also handle section numbers. New option --dyn-sym to show just the dynamic symbol table.
  libcpu: Add RISC-V disassembler.
  libdw: Abbrevs and DIEs can now be read concurrently by multiple threads through the same Dwarf handle.
  libdwfl: Will try to use debuginfod when installed as fallback to retrieve ELF and DWARF debug data files by build-id.
- remove dwelf_elf_e_machine_string.patch.
- remove unused libebl-plugins and libebl-devel subpackages
- new subpackages debuginfod-client, debuginfod-client-devel and debuginfod added
- main package binaries are explicitly listed and man pages for the binaries are included
- Add remove-run-large-elf-file.sh.patch in order to remove running run-large-elf-file.sh (it hit OOM).

==== etcd ====
Version update (3.3.15 -> 3.4.3)

- Update to version 3.4.3:
  * version: 3.4.3
  * *: use Go 1.12.12
  * rafthttp: add 3.4 stream type
  * etcdserver: strip patch version in metrics
  * etcdserver: strip patch version in cluster version
  * etcdserver: unset old cluster version in metrics
  * Add version, tag and branch checks to release script
  * scripts: fix read failure prompt in release; use https for git clone.
  * version: 3.4.2
  * etcdserver: trace compaction request; add return parameter 'trace' to applierV3.Compaction() mvcc: trace compaction request; add input parameter 'trace' to KV.Compact()
  * etcdserver: trace raft requests.
  * etcdserver: add put request steps. mvcc: add put request steps; add trace to KV.Write() as input parameter.
  * pkg: use zap logger to format the structure log output.
  * pkg: add field to record additional detail of trace; add stepThreshold to reduce log volume.
  * pkg: create package traceutil for tracing. mvcc: add tracing steps:range from the in-memory index tree; range from boltdb. etcdserver: add tracing steps: agreement among raft nodes before linearized reading; authentication; filter and sort kv pairs; assemble the response.
  * clientv3: Replace endpoint.ParseHostPort with net.SplitHostPort to fix IPv6 client endpoints
  * clientv3: Set authority used in cert checks to host of endpoint
  * tests/e2e: fix metrics tests
  * etcdctl: fix member add command
  * scripts/build-binary: fix darwin tar commands
  * scripts/release: fix SHA256SUMS command
  * version: 3.4.1
  * scripts/release: fix docker push command
  * integration: fix bug in for loop, make it break properly
  * embed: expose ZapLoggerBuilder
  * vendor: upgrade to gRPC v1.23.1

==== glib2 ====
Version update (2.62.4 -> 2.62.5)
Subpackages: glib2-tools libgio-2_0-0 libglib-2_0-0 libgmodule-2_0-0 libgobject-2_0-0

- Update to version 2.62.5:
  + Fix potential relative read when calling g_printerr(), which could lead to a denial of service from a setuid-root process being used to block access to the TTY for another user.
  + Fix SOCKS proxy resolver sometimes not being used when resolving addresses via Happy Eyeballs (CVE-2020-6750).
  + Several other Happy Eyeballs fixes for address resolution.
  + Fix parsing of full Julian day range from `$TZ` environment variable.
  + Several race condition/crash fixes.
  + Bugs fixed: glgo#GNOME/GLib#1919, glgo#GNOME/GLib#1995, glgo#GNOME/GLib#1999, glgo#GNOME/GLib!1323, glgo#GNOME/GLib!1331, glgo#GNOME/GLib!1352, glgo#GNOME/GLib!1361, glgo#GNOME/GLib!1365, glgo#GNOME/GLib!1370, glgo#GNOME/GLib!1371.
  + Updated translations.
- No longer recommend -lang: supplements are in use

==== glibc ====
Version update (2.30 -> 2.31)
Subpackages: glibc-locale glibc-locale-base

- nsswitch.conf: comment out initgroups setting, so that it defaults to the group setting (bsc#1164075)
- fix-locking-in-_IO_cleanup.patch: update to latest version
- Update to glibc 2.31
  * The GNU C Library now supports a feature test macro _ISOC2X_SOURCE to enable features from the draft ISO C2X standard
  * The functions that round their results to a narrower type now have corresponding type-generic macros in
  * The function pthread_clockjoin_np has been added, enabling join with a terminated thread with a specific clock
  * New locale added: mnw_MM (Mon language spoken in Myanmar).
  * The DNS stub resolver will optionally send the AD (authenticated data) bit in queries if the trust-ad option is set via the options directive in /etc/resolv.conf (or if RES_TRUSTAD is set in _res.options)
  * The totalorder and totalordermag functions, and the corresponding functions for other floating-point types, now take pointer arguments to avoid signaling NaNs possibly being converted to quiet NaNs in argument passing
  * The obsolete function stime is no longer available to newly linked binaries, and its declaration has been removed from
  * The gettimeofday function no longer reports information about a system-wide time zone
  * If a lazy binding failure happens during dlopen, during the execution of an ELF constructor, the process is now terminated
- malloc-info-whitespace.patch, riscv-vfork.patch, prefer-map-32bit-exec.patch, backtrace-powerpc.patch, ldconfig-dynstr.patch: Removed.
- backtrace-powerpc.patch: Fix array overflow in backtrace on PowerPC (bsc#1158996, BZ #25423)
- Drop support for pluggable gconv modules (bsc#1159851)

==== gpg2 ====

- Fix build with GCC-10: [bsc#1160394]
  * Always use EXTERN_UNLESS_MAIN_MODULE pattern
  * In GCC-10, the default option -fcommon will change to -fno-common
- Add gpg2-gcc10-build-fno-common.patch

==== grep ====
Version update (3.3 -> 3.4)

- Switch back to system regex to avoid undefined behaviour
- grep 3.4:
  * new --no-ignore-case option causes grep to observe case distinctions, overriding any previous -i (--ignore-case) option
  * '.' no longer matches some invalid byte sequences in UTF-8 locales
  * grep -Fw can no longer false match in non-UTF-8 multibyte locales
  * The exit status of 'grep -L' is no longer incorrect when standard output is /dev/null
  * fix some performance bugs
- drop test-pcre-jitstack.diff

==== grub2 ====
Subpackages: grub2-arm64-efi grub2-snapper-plugin

- Fix grub hangs after loading rogue image without valid signature for uefi secure boot (bsc#1159102)
  * grub2-verifiers-fix-system-freeze-if-verify-failed.patch
- From Stefan Seyfried : Fix grub2-install fails with "not a directory" error (boo#1161641, bsc#1162403)
  * grub2-install-fix-not-a-directory-error.patch

==== haproxy ====
Version update (2.1.1+git0.4ae521379 -> 2.1.3+git0.5c020bbdd)

- Remove unsupported options from example haproxy.cfg
- Make haproxy useable for containers
- Use sysusers.d to create users.
- Use systemd_ordering instead of requiring systemd.
- Own vim syntax directory instead of requiring vim. This also solves the problem the directory got never removed if vim is updated before haproxy.
- Update to version 2.1.3+git0.5c020bbdd:
  * [RELEASE] Released version 2.1.3
  * BUG/MINOR: tcp: don't try to set defaultmss when value is negative
  * BUG/MINOR: http-ana: Set HTX_FL_PROXY_RESP flag if a server perform a redirect
  * BUG/MINOR: http-ana: Don't overwrite outgoing data when an error is reported
  * MINOR: htx/channel: Add a function to copy an HTX message in a channel's buffer
  * MINOR: htx: Add a function to append an HTX message to another one
  * DOC: word converter ignores delimiters at the start or end of input string
  * MINOR: build: add aix72-gcc build TARGET and power{8,9} CPUs
  * BUG/MINOR: tcp: avoid closing fd when socket failed in tcp_bind_listener
  * BUG/MINOR: listener: enforce all_threads_mask on bind_thread on init
  * BUG/MEDIUM: listener: only consider running threads when resuming listeners
  * BUG/MINOR: dns: allow 63 char in hostname
  * BUG/MINOR: unix: better catch situations where the unix socket path length is close to the limit
  * DOC: schematic of the SSL certificates architecture
  * BUG/MEDIUM: ssl/cli: 'commit ssl cert' wrong SSL_CTX init
  * SCRIPTS: announce-release: allow the user to force to overwrite old files
  * SCRIPTS: announce-release: place the send command in the mail's header
  * CONTRIB: debug: also support reading values from stdin
  * MINOR: acl: Warn when an ACL is named 'or'
  * CONTRIB: debug: support reporting multiple values at once
  * CONTRIB: debug: add the possibility to decode the value as certain types only
  * CONTRIB: debug: add missing flags SF_HTX and SF_MUX
  * BUG/MINOR: ssl: clear the SSL errors on DH loading failure
  * BUG/MINOR: ssl: we may only ignore the first 64 errors
  * BUG/MAJOR: memory: Don't forget to unlock the rwlock if the pool is empty.
  * BUG/MEDIUM: memory: Add a rwlock before freeing memory.
  * MINOR: memory: Only init the pool spinlock once.
  * BUG/MEDIUM: memory_pool: Update the seq number in pool_flush().
  * BUG/MEDIUM: connections: Don't forget to unlock when killing a connection.
  * BUG/MINOR: connection: fix ip6 dst_port copy in make_proxy_line_v2
  * BUG/MINOR: ssl: Possible memleak when allowing the 0RTT data buffer.
  * BUG/MEDIUM: pipe: fix a use-after-free in case of pipe creation error
  * BUG/MINOR: tcpchecks: fix the connect() flags regarding delayed ack
  * BUG/MEDIUM: ssl: Don't forget to free ctx->ssl on failure.
  * MINOR: lua: Add HLUA_PREPEND_C?PATH build option
  * MINOR: lua: Add lua-prepend-path configuration option
  * MINOR: lua: Add hlua_prepend_path function
  * BUILD: cfgparse: silence a bogus gcc warning on 32-bit machines
  * BUG/MEDIUM: mux-h2: make sure we don't emit TE headers with anything but "trailers"
  * BUG/MINOR: stktable: report the current proxy name in error messages
  * BUG/MEDIUM: 0rtt: Only consider the SSL handshake.
  * BUG/MINOR: ssl/cli: ocsp_issuer must be set w/ "set ssl cert"
  * BUG/MINOR: ssl: typo in previous patch
  * BUG/MINOR: ssl: memory leak w/ the ocsp_issuer
  * BUG/MINOR: ssl: increment issuer refcount if in chain
  * CLEANUP: stats: shut up a wrong null-deref warning from gcc 9.2
  * BUG/MINOR: ssl/cli: free the previous ckch content once a PEM is loaded
  * BUG/MINOR: ssl: ssl_sock_load_pem_into_ckch is not consistent
  * BUG/MEDIUM: netscaler: Don't forget to allocate storage for conn->src/dst.
  * BUG/MINOR: http_act: don't check capture id in backend
  * MINOR: proxy/http-ana: Add support of extra attributes for the cookie directive
  * BUG/MINOR: ssl: ssl_sock_load_sctl_from_file memory leak
  * BUG/MINOR: ssl: ssl_sock_load_issuer_file_into_ckch memory leak
  * BUG/MINOR: ssl: ssl_sock_load_ocsp_response_from_file memory leak
  * BUG/MINOR: tcp-rules: Fix memory releases on error path during action parsing
  * BUG/MINOR: stick-table: Use MAX_SESS_STKCTR as the max track ID during parsing
  * BUG/MINOR: http-rules: Remove buggy deinit functions for HTTP rules
  * BUG/MINOR: http-ana/filters: Wait end of the http_end callback for all filters
  * BUILD: pattern: include errno.h
  * BUG/MINOR: 51d: Fix bug when HTX is enabled
  * BUG/MINOR: dns: Make dns_query_id_seed unsigned
  * BUG/MINOR: cache: Fix leak of cache name in error path
  * BUG/MINOR: pattern: handle errors from fgets when trying to load patterns
  * BUG/MEDIUM: connection: add a mux flag to indicate splice usability
  * BUG/MINOR: stream: don't mistake match rules for store-request rules
  * BUG/MEDIUM: cli: _getsocks must send the peers sockets
  * REGTEST: add sample_fetches/hashes.vtc to validate hashes
  * BUG/MAJOR: hashes: fix the signedness of the hash inputs
  * BUG/MEDIUM: mux_h1: Don't call h1_send if we subscribed().
  * BUG/MEDIUM: mworker: remain in mworker mode during reload
  * REGTEST: mcli/mcli_start_progs: start 2 programs
  * BUG/MINOR: cli/mworker: can't start haproxy with 2 programs
  * BUG/MEDIUM: mux-h2: don't stop sending when crossing a buffer boundary
  * BUG/MEDIUM: mux-h2: fix missing test on sending_list in previous patch
  * BUG/MINOR: mux-h2: use a safe list_for_each_entry in h2_send()
  * BUG/MEDIUM: tasks: Use the MT macros in tasklet_free().
  * BUG/MINOR: stream-int: Don't trigger L7 retry if max retries is already reached
  * BUG/MEDIUM: session: do not report a failure when rejecting a session
  * BUG/MINOR: channel: inject output data at the end of output
  * BUG/MEDIUM: http-ana: Truncate the response when a redirect rule is applied
  * BUG/MINOR: proxy: Fix input data copy when an error is captured
  * BUG/MINOR: h1: Report the right error position when a header value is invalid
  * MINOR: ssl: Remove unused variable "need_out".
  * MINOR: config: disable busy polling on old processes
  * BUG/MEDIUM: connections: Hold the lock when wanting to kill a connection.
  * BUG/MEDIUM: checks: Only attempt to do handshakes if the connection is ready.
  * BUG/MINOR: checks: refine which errno values are really errors.
- Update to version 2.1.2+git0.d5b6759b5:
  * [RELEASE] Released version 2.1.2
  * BUILD: ssl: improve SSL_CTX_set_ecdh_auto compatibility
  * BUG/MEDIUM: stream: Be sure to never assign a TCP backend to an HTX stream
  * BUG/MINOR: state-file: do not leak memory on parse errors
  * BUG/MINOR: state-file: do not store duplicates in the global tree
  * BUG/MEDIUM: state-file: do not allocate a full buffer for each server entry
  * BUG/MINOR: ssl: openssl-compat: Fix getm_ defines
  * BUG/MEDIUM: fd/threads: fix a concurrency issue between add and rm on the same fd
  * MINOR: fd/threads: make _GET_NEXT()/_GET_PREV() use the volatile attribute
  * BUG/MEDIUM: ssl: Revamp the way early data are handled.
  * BUG/MAJOR: task: add a new TASK_SHARED_WQ flag to fix foreing requeuing
  * MINOR: task: only check TASK_WOKEN_ANY to decide to requeue a task
  * MINOR: http: add a new "replace-path" action
  * MINOR: debug: support logging to various sinks
  * BUG/MEDIUM: ssl: Don't set the max early data we can receive too early.
  * MINOR: sample: Validate the number of bits for the sha2 converter
  * BUG/MINOR: sample: always check converters' arguments
  * BUG/MINOR: sample: fix the closing bracket and LF in the debug converter
  * DOC: clarify the fact that replace-uri works on a full URI
- drop the udev buildrequires completely

==== installation-images-MicroOS ====
Version update (14.454 -> 14.456)

- merge gh#openSUSE/installation-images#357
- move gconv files into initrd (bsc#1161701)
- netcfg has moved files to /usr/etc
- 14.456
- merge gh#openSUSE/installation-images#356
- remove explicit dependency on openssl package
- mount /proc in chroot environment during image build (bsc#1160594)
- fix package version comparing
- 14.455

==== iproute2 ====
Version update (5.4 -> 5.5.0)

- Update to new upstream version 5.5
  * bridge: support fdb get
  * devlink: command line option to switch netns
  * devlink: all changing netns on reload
  * devlink: new timestamp format for health report dump
  * ip: support for alternative device names
  * ip link: support to get SR-IOV VF node GUID and port GUID
  * ip neigh: support get
  * rdma: relax requirement to have PID for HW objects
  * rdma: stat show mr
  * ss: allow dumping kTLS info
  * tc: support action flags
  * tc flower: support masked port destination and source match
  * tc pie: add dq_rate_estimator option
  * tipc: new commands to set TIPC AEAD key
  * more json support
- drop patches obsoleted by version upgrade:
  * ss-fix-end-of-line-printing-in-misc-ss.c.patch
  * no-double-definitions.patch
  * Revert-emp-fix-warning-on-deprecated-bison-directive.patch
  * Revert-tc-ematch-fix-deprecated-yacc-warning.patch
- refresh
  * split-link-and-compile-steps-for-binaries.patch

==== issue-generator ====
Version update (1.7 -> 1.8)

- Update to version 1.8
- Handle network interface renames

==== k9s ====
Version update (0.13.0 -> 0.15.2)

- Update to version 0.15.2
- Many bug fixes
- Many new features

==== kail ====
Version update (0.13.0 -> 0.14.2)

- Update to version 0.14.2
- Capture logs from terminated containers
- Update vendor.tar.gz

==== kernel-firmware ====
Version update (20200122 -> 20200207)
Subpackages: kernel-firmware-all kernel-firmware-amdgpu kernel-firmware-ath10k kernel-firmware-atheros kernel-firmware-bluetooth kernel-firmware-bnx2 kernel-firmware-brcm kernel-firmware-chelsio kernel-firmware-dpaa2 kernel-firmware-i915 kernel-firmware-intel kernel-firmware-iwlwifi kernel-firmware-liquidio kernel-firmware-marvell kernel-firmware-media kernel-firmware-mediatek kernel-firmware-mellanox kernel-firmware-mwifiex kernel-firmware-network kernel-firmware-nfp kernel-firmware-nvidia kernel-firmware-platform kernel-firmware-qlogic kernel-firmware-radeon kernel-firmware-realtek kernel-firmware-serial kernel-firmware-sound kernel-firmware-ti kernel-firmware-ueagle kernel-firmware-usb-network

- Update to version 20200207 (git commit 6f89735800fe):
  * rtl_nic: update firmware for RTL8153A
  * rtl_bt: Update RTL8822C BT FW to V0x0998_C2B4
  * linux-firmware: add firmware for MT7622
  * linux-firmware: add version 2 for MT7615E
  * amdgpu: update to latest navi10 firmware from 19.50
  * Revert "radeon: update oland rlc microcode from amdgpu"
  * amlogic: update video decoder firmwares
  * amdgpu: add renoir firmware for 19.50
  * amdgpu: update raven2 firmware for 19.50
  * nfp: update Agilio SmartNIC flower firmware to rev AOTC-2.12.A.13
  * qca: update bluetooth firmware for QCA6174
- Update topics and alias list

==== kexec-tools ====

- Fix build errors on old distributions
  * kexec-tools-video-capability.patch
  * kexec-tools-SYS_getrandom.patch

==== kubernetes ====
Version update (1.17.0 -> 1.17.2)
Subpackages: kubernetes-client kubernetes-kubeadm kubernetes-kubelet

- Update to version 1.17.2:
  * [1.17] No-op whitespace fix to CHANGELOG-1.17 to trigger a new 1.17 build
  * Add/Update CHANGELOG-1.17.md for v1.17.1.
  * Drop version from static openapi json file
  * Update to golang@1.13.5
  * Revert reflector changes from PR #83520 from 1.17
  * Fix IPv6 addresses lost issue in pure ipv6 vsphere environment
  * Fix unit test to run in non-gce environments
  * fix: azure disk could not mounted on Standard_DC4s/DC2s instances
  * Use legacyscheme's types rather than testapi ones
  * Fix nil pointer dereference in the azure provider
  * Add unit test for extended ipv4 service IP range
  * Revert "remove ipallocator in favor of k/utils net package"
  * It fixes a bug where AAD token obtained by kubectl is incompatible with on-behalf-of flow and oidc.
  * Allocate map when out points to nil map
  * fix: azure data disk should use same key as os disk by default
  * Check FileInfo against nil during walk of container dir path
  * Add UID precondition to kubelet pod status patch updates
  * Add cache for VMSS.
  * Fix build break - Hyperkube image needs kubelet/kubectl
  * Include cloud/gcp in e2e.test
  * Do not swallow timeout in manageReplicas
  * Sync the status of static Pods
  * Increase Burst limit for discovery client
  * Update v1.17.0 CHANGELOG to match final draft
  * Fix LoadBalancer rule checking so that no unexpected LoadBalancer updates are made
  * Fix broken SELinux detection
  * Add/Update CHANGELOG-1.17.md for v1.17.0.
  * Kubernetes version v1.17.1-beta.0 openapi-spec file updates
  * Deflake kubectl custom printing test
  * Move hostdns.conf out of cni directory.

==== libcap ====
Version update (2.25 -> 2.32)

- Update to version 2.32:
  * Bug fix for fakeroot incompatibility (boo#1162014)
  * Slight perf improvement for cap_get_bound().
  * C++ support for psx header inclusion.
  * Some new testing features for capsh
- Update to version 2.31:
  * primarily a documentation update
  * fix libpam.pc to not require libpsx.pc
  * changed the text format of the default output of getpcap
- Build using -ffat-lto-objects for static library
- Update to version 2.30:
  * BUGFIX: arm and i386 fixes C and Go setgroups choice - used wrong syscall in 2.29.
  * cleaned up make clean and make install to actually work as intended
  * updated Gentoo libpsx.pc file from Lars Wendler
  * refactored the way libpsx linkage with libcap performed mutual discovery.
  * Previously (2.28) libpsx had an API call overridden by libcap using weak linkage function in libpsx. In 2.30 this is reversed, namely libpsx provides the stronger function and libcap has a weak "no-op" version.
  * a bit more consistency in handling the 'all' sets in libcap (C) and libcap/cap (Go). Namely, they both dynamically discover the number of capabilities named by the kernel and use this as the definition of 'all' for the current runtime.
    + libcap (C) exports cap_max_bit() to export the number of supported capabilities
    + libcap/cap (Go) exports cap.MaxBits() for this same value.
- For changes for older releases see:
  * https://sites.google.com/site/fullycapable/release-notes-for-libcap
- Add glibc-static-devel as build requirement as tests need it
- Install libpsx.a as it seems to be needed in some cases:
  * https://bugs.gentoo.org/703912

==== libeconf ====
Version update (0.3.3+git20191028.3ac14ce -> 0.3.5+git20200203.3144b69)

- Update to version 0.3.5+git20200203.3144b69:
  * Release version 0.3.5
  * Use float.h instead of obsolete gnuism values.h
  * Remove gnuism (strdupa)
  * Check for empty value (NULL pointer) before calling strdup.
- Update to version 0.3.4+git20200121.febebf2:
  * Release version 0.3.4
  * Fix buffer overflow in econf_readDirs
  * Fix parsing of quoted strings, and values starting with delimiters
  * tests: add test for quoted strings
  * tests: tst-configdirs5: fix config dir paths

==== libssh ====
Subpackages: libssh-config libssh4

- Drop the hack to pull curl-mini: we moved the split a bit higher up
  and now have a non-curl linked variant of cmake in openSUSE:Factory.

==== libtirpc ====
Subpackages: libtirpc-netconfig libtirpc3

- Backport upstream fix daed7ee ("Avoid multiple-definiton with gcc
  -fno-common") to fix build error with gcc flag -fno-common
  (bsc#1160875). Tested on gcc-9 and gcc-10.
  0001-Avoid-multiple-definiton-with-gcc-fno-common.patch
- Skip unneeded autogen.sh run (configure is up-to-date), drop
  dependencies: libtool, autoconf
- Replace krb5-mini-devel/krb5-devel with pkgconfig(krb5)

==== libxcrypt ====
Version update (4.4.10 -> 4.4.12)

- Update to version 4.4.12
  * Another fix for GCC v10.x, which occurs on s390 architectures only.
- Update to version 4.4.11
  * Fixes for GCC v10.x
  * Change how the known-answer tests are parallelized
- gcc10.patch: remove

==== libzypp ====
Version update (17.22.0 -> 17.22.1)

- update translations
- Replace mongoose/webrick with nginx in test suite.
  This patch makes use of nginx to replace the current WebServer
  mongoose implementation. Also adds support for registering callback
  functions for certain URL requests via FCGI, making it possible to
  mock HTTP responses and test more complex HTTP setups.
- boost: Fix deprecated auto_unit_test.hpp includes.
- Disable zchunk on Leap-15.0 and SLE15-* while there is no libzck.
- Fix decision whether to download ZCHUNK files.
  libzypp and libsolv must both be able to read the format.
- version 17.22.1 (22)

==== microos-tools ====
Version update (1.0+git20190812.97ca0ee -> 1.0+git20200214.c7654a7)

- Update to version 1.0+git20200214.c7654a7:
  * Remove btrfsQuota, snapper list provides now the same information
  * Adjust README.md

==== mozilla-nss ====
Version update (3.48 -> 3.49.2)
Subpackages: libfreebl3 libsoftokn3 mozilla-nss-certs

- update to NSS 3.49.2
  Fixed bugs:
  * Fix compilation problems with NEON-specific code in freebl
    (bmo#1608327)
  * Fix a taskcluster issue with Python 2 / Python 3 (bmo#1608895)
- update to NSS 3.49.1
  3.49.1
  https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.49.1_release_notes
  * Cache the most recent PBKDF2 password hash, to speed up repeated
    SDR operations, important with the increased KDF iteration counts
    (bmo#1606992)
  3.49
  https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.49_release_notes
  * The legacy DBM database, libnssdbm, is no longer built by default
    when using gyp builds (bmo#1594933)
  * several bugfixes

==== nano ====
Version update (4.7 -> 4.8)

- update to 4.8:
  * When something is pasted into nano, suppress auto-indentation
  * paste can be undone as a whole with a single M-U
  * Improve handling of lock files on start-up
  * Shift+Meta+letter key combos can be bound with 'bind Sh-M-letter'
  * A custom nanorc file can be specified on the command line, with
    -f filename or --rcfile=filename

==== ncurses ====
Version update (6.1 -> 6.2)
Subpackages: libncurses6 ncurses-utils terminfo terminfo-base

- Add ncurses patch 20200215
  + improve manual page for panel library, extending the portability
    section as well as documenting error-returns.
  + show tic's version when installing terminal database in run_tic.sh
  + correct check for gcc vs other compilers used in ncurses 6.0, from
    FreeBSD patch by Kyle Evans (cf: 20150725).
  + add notes for 6.2 to INSTALL.
- Update to ncurses 6.2 (patch 20200212)
  * Add 20200212 6.2 release for upload to ftp.gnu.org
    + update release notes
    + minor build-fixes, mostly to test-package scripts
  * Add ncurses patch20200208
    + modify check for sizeof(wchar_t) to ensure it gives useful result
      when cross-compiling.
    + drop assumption in configure script that Cygwin's linker is
      broken.
    + define NCURSES_BROKEN_LINKER if the broken-linker feature is
      used, to simplify configure-checks for ncurses-examples.
  * Add ncurses patch20200202
    + reassert copyright on ncurses, per discussion in ncurses FAQ:
      https://invisible-island.net/ncurses/ncurses.faq.html#relicensed
  * Add ncurses patch20200201
    + modify comparison in make_hash.c to correct a special case in
      collision handling for Caps-hpux11
    + add testing utility report_hashing to check hash-tables used for
      terminfo and termcap names.
    + fix a missing prototype for _nc_free_and_exit().
    + update a few comments about tack 1.07
    + use an awk script to split too-long pathnames used in Ada95
      sample programs for explain.txt
- Update to tack 1.9 (patch 20200202)
  * Update copyright and license. Also, portability fixes.
- Adopt patch ncurses-5.7-tack.dif
- Adopt patch ncurses-6.1.dif which is now ncurses-6.2.dif
- Add ncurses patch 20200118
  + expanded description of XM in user_caps.5
  + improve xm example for xterm+x11mouse, xterm+sm+1006 -TD
  + add history section to curs_slk.3x and curs_terminfo.3x manpages.
  + update alacritty entries for 0.4.0 (prompted by patch by Christian
    Durr) -TD
  + correct spelling errors found with codespell.
  + fix for test/configure, from xterm #352.
- Add ncurses patch 20200111
  + improve configure macros which check for the X11/Intrinsic.h
    header, to accommodate recent MacOS changes.
  + suppress gcc's -Winline warning; it has not been useful for some
    time
  + update config.guess, config.sub

==== nfs-utils ====
Subpackages: libnfsidmap1 nfs-client

- Update to version 2.4.3
  Dropped patches (accepted upstream):
  - 0001-nfs.conf-allow-empty-assignments.patch
  - 0002-Let-systemd-know-when-rpc.statd-is-needed.patch
  - 0003-systemd-run-statd-notify-even-when-nfs-client-isn-t-.patch
  - 0004-nfsidmap-honour-with-pluginpath-for-instalation.patch
  - 0005-nfs.conf-fail-to-disable-major-NFS-version-4-using-v.patch
  - 0006-conffile-allow-optional-include-files.patch
  - 0007-statd-user-from-sm
  - 0008-mountd-Initialize-logging-early.patch
  Dropped patches (upstream used different solution):
  - 0009-Allow-compilation-to-succeed-with-fno-common.patch
    (btw this used Patch0: instead of Patch10:) (boo#1160405)
  Add nfsdcld - NFSv4 Client Tracking Daemon, add nfsdcld.service and
  enable it for nfs-kernel-server, add man page
  Add clddb-tool - tool for downgrading the nfsdcld sqlite database
  schema, add man page
  Removed osd_login (dropped in upstream in 2.3.4 rc1)
- 0009-Allow-compilation-to-succeed-with-fno-common.patch
  Allow compilation to succeed with -fno-common (boo#1160405)

==== open-lldp ====
Subpackages: liblldp_clif1

- BuildRequire pkgconfig(systemd) instead of systemd directly: allow
  OBS to shortcut through the -mini flavors.

==== openssh ====

- Add patches to fix the sandbox blocking glibc on 32bit platforms
  (boo#1164061):
  * openssh-8.1p1-seccomp-clock_nanosleep_time64.patch
  * openssh-8.1p1-seccomp-clock_gettime64.patch

==== patterns-microos ====
Subpackages: patterns-microos-alt_onlyDVD patterns-microos-apparmor patterns-microos-base patterns-microos-basesystem patterns-microos-cloud patterns-microos-defaults patterns-microos-hardware patterns-microos-ima_evm patterns-microos-onlyDVD patterns-microos-selinux patterns-microos-sssd_ldap

- Move fcoe-utils and irqbalance to hardware pattern, not useful on
  guest install.
- Introduce MicroOS Desktop patterns [boo#1163453]

==== permissions ====
Version update (1550_20191205 -> 1550_20200213)
Subpackages: chkstat permissions-config

- Update to version 20200213:
  * remove obsolete/broken entries for rcp/rsh/rlogin
  * chkstat: handle symlinks in final path elements correctly
  * Revert "Revert "mariadb: settings for new auth_pam_tool (bsc#1160285)""
  * Revert "mariadb: settings for new auth_pam_tool (bsc#1160285)"
- Update to version 20200204:
  * mariadb: settings for new auth_pam_tool (bsc#1160285)
  * chkstat:
    - add read-only fallback when /proc is not mounted (bsc#1160764)
    - capability handling fixes (bsc#1161779)
    - better error message when refusing to fix dir perms (#32)
- Update to version 20200127:
  * fix paths of ksysguard whitelisting
  * fix zero-termination of error message for overly long paths

==== podman ====
Version update (1.7.0 -> 1.8.0)
Subpackages: podman-cni-config

- Remove: 0001-clarify-container-prune-force.patch because it's now
  included in the release
- Update podman to v1.8.0:
  * Features
    - The podman system service command has been added, providing a
      preview of Podman's new Docker-compatible API.
      This API is still very new, and not yet ready for production use,
      but is available for early testing
    - Rootless Podman now uses Rootlesskit for port forwarding, which
      should greatly improve performance and capabilities
    - The podman untag command has been added to remove tags from
      images without deleting them
    - The podman inspect command on images now displays previous names
      they used
    - The podman generate systemd command now supports a --new option
      to generate service files that create and run new containers
      instead of managing existing containers
    - Support for --log-opt tag= to set logging tags has been added to
      the journald log driver
    - Added support for using Seccomp profiles embedded in images for
      podman run and podman create via the new --seccomp-policy CLI
      flag
    - The podman play kube command now honors pull policy
  * Bugfixes
    - Fixed a bug where the podman cp command would not copy the
      contents of directories when paths ending in /. were given
    - Fixed a bug where the podman play kube command did not properly
      locate Seccomp profiles specified relative to localhost
    - Fixed a bug where the podman info command for remote Podman did
      not show registry information
    - Fixed a bug where the podman exec command did not support having
      input piped into it
    - Fixed a bug where the podman cp command with rootless Podman on
      CGroups v2 systems did not properly determine if the container
      could be paused while copying
    - Fixed a bug where the podman container prune --force command
      could possibly remove running containers if they were started
      while the command was running
    - Fixed a bug where Podman, when run as root, would not properly
      configure slirp4netns networking when requested
    - Fixed a bug where podman run --userns=keep-id did not work when
      the user had a UID over 65535
    - Fixed a bug where rootless podman run and podman create with the
      --userns=keep-id option could change permissions on
      /run/user/$UID and break KDE
    - Fixed a bug where rootless Podman could not be run in a
      systemd service on systems using CGroups v2
    - Fixed a bug where podman inspect would show CPUShares as 0,
      instead of the default (1024), when it was not explicitly set
    - Fixed a bug where podman-remote push would segfault
    - Fixed a bug where image healthchecks were not shown in the output
      of podman inspect
    - Fixed a bug where named volumes created with containers from
      pre-1.6.3 releases of Podman would be autoremoved with their
      containers if the --rm flag was given, even if they were given
      names
    - Fixed a bug where podman history was not computing image sizes
      correctly
    - Fixed a bug where Podman would not error on invalid values to the
      --sort flag to podman images
    - Fixed a bug where providing a name for the image made by podman
      commit was mandatory, not optional as it should be
    - Fixed a bug where the remote Podman client would append an extra
      " to %PATH
    - Fixed a bug where the podman build command would sometimes ignore
      the -f option and build the wrong Containerfile
    - Fixed a bug where the podman ps --filter command would only
      filter running containers, instead of all containers, if --all
      was not passed
    - Fixed a bug where the podman load command on compressed images
      would leave an extra copy on disk
    - Fixed a bug where the podman restart command would not properly
      clean up the network, causing it to function differently from
      podman stop; podman start
    - Fixed a bug where setting the --memory-swap flag to podman create
      and podman run to -1 (to indicate unlimited) was not supported
  * Misc
    - Initial work on version 2 of the Podman remote API has been
      merged, but is still in an alpha state and not ready for use.
    - Many formatting corrections have been made to the manpages
    - The changes to address (#5009) may cause anonymous volumes
      created by Podman versions 1.6.3 to 1.7.0 to not be removed when
      their container is removed
    - Updated vendored Buildah to v1.13.1
    - Updated vendored containers/storage to v1.15.8
    - Updated vendored containers/image to v5.2.0

==== popt ====

- fix URLs, rpm5.org is no more

==== python-decorator ====
Version update (4.4.0 -> 4.4.1)

- update to 4.4.1:
  Changed the description to "Decorators for Humans" as requested by
  several users. Fixed a .rst bug in the description as seen in PyPI.

==== python-packaging ====
Version update (19.2 -> 20.1)

- add issue_254.patch to fix tests under non-x86_64 platforms
- Update to 20.1
  * Fix a bug caused by reuse of an exhausted iterator.
  * Add type hints
  * Add proper trove classifiers for PyPy support
  * Scale back depending on ctypes for manylinux support detection
  * Use sys.implementation.name where appropriate for packaging.tags
  * Expand upon the API provided by packaging.tags
  * Officially support Python 3.8
  * Add major, minor, and micro aliases to packaging.version.Version
  * Properly mark packaging as being fully typed by adding a py.typed
    file

==== python-pyOpenSSL ====
Version update (19.0.0 -> 19.1.0)

- Update to v19.1
  * Removed deprecated aliases ContextType, ConnectionType, PKeyType,
    X509NameType, X509ReqType, X509Type, X509StoreType, CRLType,
    PKCS7Type, PKCS12Type, and NetscapeSPKIType. Use the classes
    without the ``Type`` suffix instead.
  * The minimum ``cryptography`` version is now 2.8
  * Deprecated ``OpenSSL.SSL.Context.set_npn_advertise_callback``,
    ``OpenSSL.SSL.Context.set_npn_select_callback``, and
    ``OpenSSL.SSL.Connection.get_next_proto_negotiated``. ALPN should
    be used instead.
  * Support bytearray in SSL.Connection.send() by using cffi's
    from_buffer
  * The OpenSSL.SSL.Context.set_alpn_select_callback can return a new
    NO_OVERLAPPING_PROTOCOLS sentinel value to allow a TLS handshake to
    complete without an application protocol.

==== python-pyparsing ====
Version update (2.4.5 -> 2.4.6)

- update to 2.4.6
  * Fixed typos in White mapping of whitespace characters, to use
    correct "\u" prefix instead of "u".
  * fix bug in left-associative ternary operators defined using
    infixNotation. First reported on StackOverflow by user Jeronimo.
  * Backport of pyparsing_test namespace from 3.0.0, including
    TestParseResultsAsserts mixin class defining unittest-helper
    methods:
    . def assertParseResultsEquals(self, result, expected_list=None,
      expected_dict=None, msg=None)
    . def assertParseAndCheckList(self, expr, test_string,
      expected_list, msg=None, verbose=True)
    . def assertParseAndCheckDict(self, expr, test_string,
      expected_dict, msg=None, verbose=True)
    . def assertRunTestResults(self, run_tests_report,
      expected_parse_results=None, msg=None)
    . def assertRaisesParseException(self, exc_type=ParseException,
      msg=None)

==== python-urllib3 ====
Version update (1.25.6 -> 1.25.8)

- update to 1.25.8
  * Drop support for EOL Python 3.4
  * Optimize _encode_invalid_chars
  * Preserve chunked parameter on retries
  * Allow unset SERVER_SOFTWARE in App Engine
  * Fix issue where URL fragment was sent within the request target.
  * Fix issue where an empty query section in a URL would fail to
    parse.
  * Remove TLS 1.3 support in SecureTransport due to Apple removing
    support.

==== rdma-core ====
Subpackages: libefa1 libibverbs libibverbs1 libmlx4-1 libmlx5-1 librdmacm1

- Eliminate the curl-mini trickery for Tumbleweed: curl-mini is being
  eliminated in favor of cmake-mini: the original plan to split the
  cycle at curl did not work out in the long run.

==== readline ====

- Add official patch readline80-002
  When using previous-history to go back beyond the beginning of the
  history list, it's possible to move to an incorrect partial line.
- Add official patch readline80-003
  Reading history entries with timestamps can result in history entries
  joined by linefeeds.
- Add official patch readline80-004
  If writing the history file fails, and renaming the backup history
  file fails, it's possible for readline's history code to return the
  wrong error to its caller.

==== rook ====
Version update (1.2.2+git0.g73593a1b -> 1.2.4+git9.gd747507e)

- ceph: populate CSI configmap for external cluster
- Update to v1.2.4:
  * Stop garbage collector from deleting the CSI driver unexpectedly
    (#4820)
  * Upgrade legacy OSDs created with partitions created by Rook (#4799)
  * Ability to set the pool target_size_ratio (#4803)
  * Improve detection of drain-canaries and log significant nodedrain
    scheduling events (#4679)
  * Sort flexvolume docs and update for kubespray (#4747)
  * Add OpenShift common issues documentation (#4764)
  * Improved integration test when cleaning devices (#4796)

==== rpm-config-SUSE ====
Version update (0.g45 -> 0.g52)

- Update to version 0.g52:
  * Make deprecated %install_info not fail when used within if/fi
    construct
- Update to version 0.g50:
  * Add missing changelog entries and fix authors
  * Add ldconfig_scriptlets macros for RH/Fedora compatibility
  * move %install_info to file triggers (boo#1152105)

==== sudo ====
Version update (1.8.28p1 -> 1.8.31)

- Update to 1.8.31
  Major changes between version 1.8.31 and 1.8.30:
  * This version fixes a potential security issue that can lead to a
    buffer overflow if the pwfeedback option is enabled in sudoers
    [CVE-2019-18634] [bsc#1162202]
  * The sudoedit_checkdir option now treats a user-owned directory as
    writable, even if it does not have the write bit set at the time of
    check. Symbolic links will no longer be followed by sudoedit in any
    user-owned directory. Bug #912.
  * Fixed a crash introduced in sudo 1.8.30 when suspending sudo at the
    password prompt. Bug #914.
  * Fixed compilation on systems where the mmap MAP_ANON flag is not
    available. Bug #915.
  Major changes between version 1.8.30 and 1.8.29:
  * Sudo now closes file descriptors before changing uids. This
    prevents a non-root process from interfering with sudo's ability to
    close file descriptors on systems that support the prlimit(2)
    system call.
  * Sudo now treats an attempt to run sudo sudoedit as simply sudoedit.
    If the sudoers file contains a fully-qualified path to sudoedit,
    sudo will now treat it simply as sudoedit (with no path). Visudo
    will now treat a fully-qualified path to sudoedit as an error.
    Bug #871.
  * Fixed a bug introduced in sudo 1.8.28 where sudo would warn about a
    missing /etc/environment file on AIX and Linux when PAM is not
    enabled. Bug #907.
  * Fixed a bug on Linux introduced in sudo 1.8.29 that prevented the
    askpass program from running due to an unlimited stack size
    resource limit. Bug #908.
  * If a group provider plugin has optional arguments, the argument
    list passed to the plugin is now NULL terminated as per the
    documentation.
  * The user's time stamp file is now only updated if both
    authentication and approval phases succeed. This is consistent with
    the behavior of sudo prior to version 1.8.23. Bug #910.
  * The new allow_unknown_runas_id sudoers setting can be used to
    enable or disable the use of unknown user or group IDs. Previously,
    sudo would always allow unknown user or group IDs if the sudoers
    entry permitted it, including via the ALL alias. As of sudo 1.8.30,
    the admin must explicitly enable support for unknown IDs.
  * The new runas_check_shell sudoers setting can be used to require
    that the runas user have a shell listed in the /etc/shells file. On
    many systems, users such as bin do not have a valid shell, and this
    flag can be used to prevent commands from being run as those users.
  * Fixed a problem restoring the SELinux tty context during reboot if
    mctransd is killed before sudo finishes. GitHub Issue #17.
  * Fixed an intermittent warning on NetBSD when sudo restores the
    initial stack size limit.
  Major changes between version 1.8.29 and 1.8.28p1:
  * The cvtsudoers command will now reject non-LDIF input when
    converting from LDIF format to sudoers or JSON formats.
  * The new log_allowed and log_denied sudoers settings make it
    possible to disable logging and auditing of allowed and/or denied
    commands.
  * The umask is now handled differently on systems with PAM or
    login.conf. If the umask is explicitly set in sudoers, that value
    is used regardless of what PAM or login.conf may specify. However,
    if the umask is not explicitly set in sudoers, PAM or login.conf
    may now override the default sudoers umask. Bug #900.
  * For make install, the sudoers file is no longer checked for syntax
    errors when DESTDIR is set. The default sudoers file includes the
    contents of /etc/sudoers.d which may not be readable as non-root.
    Bug #902.
  * Sudo now sets most resource limits to their maximum value to avoid
    problems caused by insufficient resources, such as an inability to
    allocate memory or open files and pipes.
    Fixed a regression introduced in sudo 1.8.28 where sudo would
    refuse to run if the parent process was not associated with a
    session. This was due to sudo passing a session ID of -1 to the
    plugin.
- refresh sudo-sudoers.patch

==== system-users ====
Subpackages: system-group-hardware system-group-wheel system-user-bin system-user-daemon system-user-nobody

- Add tss user for TPM tools (boo#1162360).

==== systemd ====
Subpackages: libsystemd0 libudev1 systemd-logger systemd-sysvinit udev

- Import commit f8adabc2b1f3e3ad150e7a3bfa88341eda5a8a57 (merge v244.2)
  77c04ce5c2 hwdb: update to v245-rc1
  b4eb884824 Fix typo in function name
  e2d4cb9843 polkit: when authorizing via PK let's re-resolve callback/userdata instead of caching it
  83bfc0d8dd sd-bus: introduce API for re-enqueuing incoming messages
  5926f9f172 polkit: use structured initialization
  0697d0d972 polkit: on async pk requests, re-validate action/details
  2589995acd polkit: reuse some common bus message appending code
  5b2442d5c3 bus-polkit: rename return error parameter to ret_error
  0a19ff7004 shared: split out polkit stuff from bus-util.c → bus-polkit.c
  1325dfb577 test: adapt to the new capsh format
  3538fafb47 meson: update efi path detection to gnu-efi-3.0.11
  3034855a5b presets: "disable" all passive targets by default
  c2e3046819 shared/sysctl-util: normalize repeated slashes or dots to a single value
  6f4364046f dhcp6: do not use T1 and T2 longer than one provided by the lease
  0ed6cda28d network: fix implicit type conversion warning by GCC-10
  f6a5c02d26 bootspec: parse random-seed-mode line in loader.conf
  ddc5dca8a7 sd-boot: fix typo
  2bbbe9ae41 test: Synchronize journal before reading from it
  072485d661 sd-bus: fix introspection bug in signal parameter names
  80af3cf5e3 efi: fix build.
  [...]
- Use suse.pool.ntp.org server pool on SLE (jsc#SLE-7683)
- Drop scripts-udev-convert-lib-udev-path.sh
  Nobody should need it these days.

==== tallow ====
Version update (19+git20191106.4b071b0 -> 21+git20200213.865ec91)

- Update to version 21+git20200213.865ec91:
  * Add tallow.patterns man page
  * Add extra path for firewall-cmd
- Drop 0001-Add-extra-path-for-firewall-cmd.patch, accepted upstream

==== tar ====

- No longer recommend -lang: supplements are in use.

==== toolbox ====
Version update (1.0+git20191014.3034fbc -> 1.0+git20200217.cd18bfb)

- Update to version 1.0+git20200217.cd18bfb:
  * Multiple toolboxes, with different names
  * Configure `sudo` access for a user toolbox
  * Correctly setup the user
  * Add -u|--user parameter
  * Handle arguments with 'getopt'