Packages changed:
  ca-certificates-mozilla
  ceph (15.1.0.1521+gcdf35413a0 -> 15.2.0.108+g8cf4f02b08)
  cloud-init
  conmon (2.0.14 -> 2.0.15)
  cpio
  cri-tools (1.17.0 -> 1.18.0)
  cryptsetup (2.3.0 -> 2.3.1)
  elfutils (0.178 -> 0.179)
  glib2 (2.62.5 -> 2.62.6)
  glib2-branding-openSUSE
  haproxy (2.1.3+git0.5c020bbdd -> 2.1.4+git0.3cfc2f1d9)
  k9s (0.15.2 -> 0.18.1)
  kdump
  kernel-64kb (5.5.13 -> 5.6.0)
  kernel-source (5.5.13 -> 5.6.0)
  kexec-tools
  krb5
  kubernetes
  mozilla-nss (3.50 -> 3.51)
  nano (4.9 -> 4.9.1)
  ncurses
  nfs-utils
  open-iscsi
  openSUSE-build-key
  openssl-1_1 (1.1.1d -> 1.1.1f)
  pam
  permissions (1550_20200228 -> 1550_20200324)
  podman
  rook (1.2.6+git0.g99024013 -> 1.2.7+git0.g1acfd182)
  setools (4.2.2 -> 4.3.0)
  system-users
  sysuser-tools
  transactional-update (2.20.4 -> 2.21)
  weave (2.6.1 -> 2.6.2)
  wpa_supplicant
  xz (5.2.4 -> 5.2.5)
  yast2 (4.2.78 -> 4.2.80)
  yomi-formula (0.0.1+git.1583771480.5787782 -> 0.0.1+git.1585319502.392f59c)

=== Details ===

==== ca-certificates-mozilla ====

- also run update-ca-certificates in %posttrans

==== ceph ====
Version update (15.1.0.1521+gcdf35413a0 -> 15.2.0.108+g8cf4f02b08)
Subpackages: ceph-common libcephfs2 librados2 libradosstriper1 librbd1 librgw2 python3-ceph-argparse python3-ceph-common python3-cephfs python3-rados python3-rbd python3-rgw

- Update to 15.2.0-108-g8cf4f02b08:
  + rebase on tip of upstream "octopus" branch, SHA1 9267cc03e1b1612109dd57cc6ce74c34ed1f1d00
    * cephadm: Fix truncated output of "ceph mgr dump"
- Update to 15.2.0-29-g274f7bc2e7:
  + rebase on tip of upstream "octopus" branch, SHA1 a8062613c81ad08815edcdf06e668fcc77270a03
    * upstream 15.2.0 (first Octopus stable) release
      https://ceph.io/releases/v15-2-0-octopus-released/
- Update to 15.1.1-220-g0f87374dc1:
  + rebase on tip of upstream "octopus" branch, SHA1 243cbd6224921f7f5c2463705c75cb9eafd0db5c
    * upstream 15.1.1 (Octopus release candidate) release
      https://github.com/ceph/ceph/releases/tag/v15.1.1
  + cephadm: read everything when calling "ceph mgr dump"
- Update to 15.1.0-2160-g310e512e18:
  + rebase on tip of upstream "octopus" branch, SHA1 465f3855623e30f3b4694f3090adbe27c8cd49c3
- Update to 15.1.0-1766-g3d31471523:
  + rebase on tip of upstream master, SHA1 25b8ecc216b02e848f9719ced8c84670de656e78

==== cloud-init ====

- Update cloud-init-write-routes.patch
  + In cases where the config contains 2 or more default gateway specifications for an interface only write the first default route, log warning message about skipped routes
  + Avoid writing invalid route specification if neither the network nor destination is specified in the route configuration
- Update cloud-init-write-routes.patch
  + Still need to consider the "network" configuration option for the v1 config implementation. Fixes regression introduced with update from Wed Feb 12 19:30:42
- Update cloud-init-write-routes.patch (bsc#1165296)
  + Add the default gateway to the ifroute config file when specified as part of the subnet configuration
  + Fix typo to properly extract provided netmask data (bsc#1163178)

==== conmon ====
Version update (2.0.14 -> 2.0.15)

- Enable support for journald logging (bsc#1162432)
- Update to v2.0.15
  - store status while waiting for pid

==== cpio ====

- starting with GCC 10, the default of '-fcommon' option will change to '-fno-common'.
  Because cpio build fails with 'fno-common', add '-fcommon' option to optflags as a temporary workaround for this problem till it's properly fixed [bsc#1160870]

==== cri-tools ====
Version update (1.17.0 -> 1.18.0)

- Update to v1.18.0:
  * Main Changes
    * Update Kubernetes to v1.18.0
    * Switch to urfave/cli/v2
  * CRI CLI (crictl)
    * Use ContextDialer to fix build
    * Add go-template option for inspect commands
    * Fix invalid log_path in docs
  * CRI validation testing (critest)
    * Make apparmor failure test more flexible
    * Start container before fetching metrics
    * Cleanup container create test to reduce duplication
    * Add container stats test

==== cryptsetup ====
Version update (2.3.0 -> 2.3.1)
Subpackages: libcryptsetup12

- Split translations to -lang package
- New version to 2.3.1
  * Support VeraCrypt 128 bytes passwords.
    VeraCrypt now allows passwords of maximal length 128 bytes (compared to legacy TrueCrypt where it was limited by 64 bytes).
  * Strip extra newline from BitLocker recovery keys
    There might be a trailing newline added by the text editor when the recovery passphrase was passed using the --key-file option.
  * Detect separate libiconv library.
    It should fix compilation issues on distributions with iconv implemented in a separate library.
  * Various fixes and workarounds to build on old Linux distributions.
  * Split lines with hexadecimal digest printing for large key-sizes.
  * Do not wipe the device with no integrity profile.
    With --integrity none we performed useless full device wipe.
  * Workaround for dm-integrity kernel table bug.
    Some kernels show an invalid dm-integrity mapping table if superblock contains the "recalculate" bit. This causes integritysetup to not recognize the dm-integrity device. Integritysetup now specifies kernel options such a way that even on unpatched kernels mapping table is correct.
  * Print error message if LUKS1 keyslot cannot be processed.
    If the crypto backend is missing support for hash algorithms used in PBKDF2, the error message was not visible.
  * Properly align LUKS2 keyslots area on conversion.
    If the LUKS1 payload offset (data offset) is not aligned to 4 KiB boundary, new LUKS2 keyslots area is now aligned properly.
  * Validate LUKS2 earlier on conversion to not corrupt the device if binary keyslots areas metadata are not correct.

==== elfutils ====
Version update (0.178 -> 0.179)
Subpackages: libasm1 libdw1 libelf1

- Update to version 0.179:
  debuginfod-client: When DEBUGINFOD_PROGRESS is set and the program doesn't install its own debuginfod_progressfn_t show download progress on stderr.
    DEBUGINFOD_TIMEOUT is now defined as seconds to get at least 100K, defaults to 90 seconds.
    Default to $XDG_CACHE_HOME/debuginfod_client.
    New functions debuginfod_set_user_data, debuginfod_get_user_data, debuginfod_get_url and debuginfod_add_http_header.
    Support for file:// URLs.
  debuginfod: Uses libarchive directly for reading rpm archives.
    Support for indexing .deb/.ddeb archives through dpkg-deb or bsdtar.
    Generic archive support through -Z EXT[=CMD]. Which can be used for example for arch-linux pacman files by using -Z '.tar.zst=zstdcat'.
    Better logging using User-Agent and X-Forwarded-For headers.
    More prometheus metrics.
    Support for eliding dots or extraneous slashes in path names.
  debuginfod-find: Accept /path/names in place of buildid hex.
  libelf: Handle PN_XNUM in elf_getphdrnum before shdr 0 is cached
    Ensure zlib resource cleanup on failure.
  libdwfl: dwfl_linux_kernel_find_elf and dwfl_linux_kernel_report_offline now find and handle a compressed vmlinuz image.
  readelf, elflint: Handle PT_GNU_PROPERTY.
  translations: Updated Ukrainian translation.

==== glib2 ====
Version update (2.62.5 -> 2.62.6)
Subpackages: glib2-tools libgio-2_0-0 libglib-2_0-0 libgmodule-2_0-0 libgobject-2_0-0

- Update to version 2.62.6:
  + This is expected to be the final release in the 2.62.x stable series; maintenance effort will shift to the newer 2.64.x stable series now.
  + Fix SOCKS5 username/password authentication.
  + Exception handling fixes on Windows.
  + Bugs fixed: glgo#GNOME/GLib#1986, glgo#GNOME/GLib#1988, glgo#GNOME/GLib#2049, glgo#GNOME/GLib!1378, glgo#GNOME/GLib!1380, glgo#GNOME/GLib!1393, glgo#GNOME/GLib!1394, glgo#GNOME/GLib!1411.
  + Updated translations.

==== glib2-branding-openSUSE ====

- Update .gschema.override.in:
  + Set sleep-inactive-ac-timeout, sleep-inactive-battery-timeout to 0 for Leap to be consistent with SLE and old versions (bsc#1158497).

==== haproxy ====
Version update (2.1.3+git0.5c020bbdd -> 2.1.4+git0.3cfc2f1d9)

- Update to version 2.1.4+git0.3cfc2f1d9: (boo#1168023) CVE-2020-11100
  - SCRIPTS: make announce-release executable again
  - BUG/MINOR: namespace: avoid closing fd when socket failed in my_socketat
  - BUG/MEDIUM: muxes: Use the right argument when calling the destroy method.
  - BUG/MINOR: mux-fcgi: Forbid special characters when matching PATH_INFO param
  - MINOR: mux-fcgi: Make the capture of the path-info optional in pathinfo regex
  - SCRIPTS: announce-release: use mutt -H instead of -i to include the draft
  - MINOR: http-htx: Add a function to retrieve the headers size of an HTX message
  - MINOR: filters: Forward data only if the last filter forwards something
  - BUG/MINOR: filters: Count HTTP headers as filtered data but don't forward them
  - BUG/MINOR: http-htx: Don't return error if authority is updated without changes
  - BUG/MINOR: http-ana: Matching on monitor-uri should be case-sensitive
  - MINOR: http-ana: Match on the path if the monitor-uri starts by a /
  - BUG/MAJOR: http-ana: Always abort the request when a tarpit is triggered
  - MINOR: ist: add an iststop() function
  - BUG/MINOR: http: http-request replace-path duplicates the query string
  - BUG/MEDIUM: shctx: make sure to keep all blocks aligned
  - MINOR: compiler: move CPU capabilities definition from config.h and complete them
  - BUG/MEDIUM: ebtree: don't set attribute packed without unaligned access support
  - BUILD: fix recent build failure on unaligned archs
  - CLEANUP: cfgparse: Fix type of second calloc() parameter
  - BUG/MINOR: sample: fix the json converter's endian-sensitivity
  - BUG/MEDIUM: ssl: fix several bad pointer aliases in a few sample fetch functions
  - BUG/MINOR: connection: make sure to correctly tag local PROXY connections
  - MINOR: compiler: add new alignment macros
  - BUILD: ebtree: improve architecture-specific alignment
  - BUG/MINOR: h2: reject again empty :path pseudo-headers
  - BUG/MINOR: sample: Make sure to return stable IDs in the unique-id fetch
  - BUG/MINOR: dns: ignore trailing dot
  - BUG/MINOR: http-htx: Do case-insensitive comparisons on Host header name
  - MINOR: contrib/prometheus-exporter: Add healthcheck status/code in server metrics
  - MINOR: contrib/prometheus-exporter: Add the last healthcheck duration metric
  - BUG/MEDIUM: random: initialize the random pool a bit better
  - MINOR: tools: add 64-bit rotate operators
  - BUG/MEDIUM: random: implement a thread-safe and process-safe PRNG
  - MINOR: backend: use a single call to ha_random32() for the random LB algo
  - BUG/MINOR: checks/threads: use ha_random() and not rand()
  - BUG/MAJOR: list: fix invalid element address calculation
  - MINOR: debug: report the task handler's pointer relative to main
  - BUG/MEDIUM: debug: make the debug_handler check for the thread in threads_to_dump
  - MINOR: haproxy: export main to ease access from debugger
  - BUILD: tools: remove obsolete and conflicting trace() from standard.c
  - BUG/MINOR: wdt: do not return an error when the watchdog couldn't be enabled
  - DOC: fix incorrect indentation of http_auth_*
  - OPTIM: startup: fast unique_id allocation for acl.
  - BUG/MINOR: pattern: Do not pass len = 0 to calloc()
  - DOC: configuration.txt: fix various typos
  - DOC: assorted typo fixes in the documentation and Makefile
  - BUG/MINOR: init: make the automatic maxconn consider the max of soft/hard limits
  - BUG/MAJOR: proxy_protocol: Properly validate TLV lengths
  - REGTEST: make the PROXY TLV validation depend on version 2.2
  - BUG/MINOR: filters: Use filter offset to deduce the amount of forwarded data
  - BUG/MINOR: filters: Forward everything if no data filters are called
  - MINOR: htx: Add a function to return a block at a specific offset
  - BUG/MEDIUM: cache/filters: Fix loop on HTX blocks caching the response payload
  - BUG/MEDIUM: compression/filters: Fix loop on HTX blocks compressing the payload
  - BUG/MINOR: http-ana: Reset request analysers on a response side error
  - BUG/MINOR: lua: Ignore the reserve to know if a channel is full or not
  - BUG/MINOR: http-rules: Preserve FLT_END analyzers on reject action
  - BUG/MINOR: http-rules: Fix a typo in the reject action function
  - BUG/MINOR: rules: Preserve FLT_END analyzers on silent-drop action
  - BUG/MINOR: rules: Increment be_counters if backend is assigned for a silent-drop
  - DOC: fix typo about no-tls-tickets
  - DOC: improve description of no-tls-tickets
  - DOC: assorted typo fixes in the documentation
  - DOC: ssl: clarify security implications of TLS tickets
  - BUILD: wdt: only test for SI_TKILL when compiled with thread support
  - BUG/MEDIUM: mt_lists: Make sure we set the deleted element to NULL;
  - MINOR: mt_lists: Appease gcc.
  - BUG/MEDIUM: random: align the state on 2*64 bits for ARM64
  - BUG/MEDIUM: pools: Always update free_list in pool_gc().
  - BUG/MINOR: haproxy: always initialize sleeping_thread_mask
  - BUG/MINOR: listener/mq: do not dispatch connections to remote threads when stopping
  - BUG/MINOR: haproxy/threads: try to make all threads leave together
  - DOC: proxy_protocol: Reserve TLV type 0x05 as PP2_TYPE_UNIQUE_ID
  - DOC: correct typo in alert message about rspirep
  - BUILD: on ARM, must be linked to libatomic.
  - BUILD: makefile: fix regex syntax in ARM platform detection
  - BUILD: makefile: fix expression again to detect ARM platform
  - BUG/MEDIUM: peers: resync ended with RESYNC_PARTIAL in wrong cases.
  - DOC: assorted typo fixes in the documentation
  - MINOR: wdt: Move the definitions of WDTSIG and DEBUGSIG into types/signal.h.
  - BUG/MEDIUM: wdt: Don't ignore WDTSIG and DEBUGSIG in __signal_process_queue().
  - MINOR: memory: Change the flush_lock to a spinlock, and don't get it in alloc.
  - BUG/MINOR: connections: Make sure we free the connection on failure.
  - REGTESTS: use "command -v" instead of "which"
  - REGTEST: increase timeouts on the seamless-reload test
  - BUG/MINOR: haproxy/threads: close a possible race in soft-stop detection
  - BUG/MINOR: peers: init bind_proc to 1 if it wasn't initialized
  - BUG/MINOR: peers: avoid an infinite loop with peers_fe is NULL
  - BUG/MINOR: peers: Use after free of "peers" section.
  - MINOR: listener: add so_name sample fetch
  - BUILD: ssl: only pass unsigned chars to isspace()
  - BUG/MINOR: stats: Fix color of draining servers on stats page
  - DOC: internals: Fix spelling errors in filters.txt
  - MINOR: http-rules: Add a flag on redirect rules to know the rule direction
  - BUG/MINOR: http_ana: make sure redirect flags don't have overlapping bits
  - MINOR: http-rules: Handle the rule direction when a redirect is evaluated
  - BUG/MINOR: http-ana: Reset request analysers on error when waiting for response
  - BUG/CRITICAL: hpack: never index a header into the headroom after wrapping

==== k9s ====
Version update (0.15.2 -> 0.18.1)

- Update to version 0.18.1
  - Many bug fixes
  - Many new features (auto suggestions, revisited logs, k9 plugins)
  - see https://github.com/derailed/k9s/releases/

==== kdump ====

- kdump-make-sure-that-the-udev-runtime-directory-exists.patch: Make sure that the udev runtime directory exists (bsc#1164713).

==== kernel-64kb ====
Version update (5.5.13 -> 5.6.0)

- Refresh patches.suse/media-go7007-Fix-URB-type-for-interrupt-handling.patch.
  Update upstream status.
- commit 46fab61
- mac80211: fix authentication with iwlwifi/mvm (https://lkml.kernel.org/r/20200329.212136.273575061630425724.davem@davemloft.net).
- commit 5032681
- Revert "sign also s390x kernel images (bsc#1163524)"
  This reverts commit b38b61155f0a2c3ebca06d4bb0c2e11a19a87f1f.
  The pesign-obs-integration changes needed for s390x image signing are still missing in Factory so that this change breaks s390x builds.
- commit 9544af9
- Update to 5.6 final
- refresh configs
- commit da616f7

==== kernel-source ====
Version update (5.5.13 -> 5.6.0)

- Refresh patches.suse/media-go7007-Fix-URB-type-for-interrupt-handling.patch.
  Update upstream status.
- commit 46fab61
- mac80211: fix authentication with iwlwifi/mvm (https://lkml.kernel.org/r/20200329.212136.273575061630425724.davem@davemloft.net).
- commit 5032681
- Revert "sign also s390x kernel images (bsc#1163524)"
  This reverts commit b38b61155f0a2c3ebca06d4bb0c2e11a19a87f1f.
  The pesign-obs-integration changes needed for s390x image signing are still missing in Factory so that this change breaks s390x builds.
- commit 9544af9
- Update to 5.6 final
- refresh configs
- commit da616f7

==== kexec-tools ====

- kexec-tools-Remove-duplicated-variable-declarations.patch: Remove duplicated variable declarations (boo#1160399).
- kexec-tools-s390-Reset-kernel-command-line-on-syscal.patch: s390: Reset kernel command line on syscall fallback (bsc#1167868).

==== krb5 ====

- Fix segfault in k5_primary_domain; (bsc#1167620);
- Added patches:
  * 0009-Fix-null-dereference-qualifying-short-hostnames.patch

==== kubernetes ====
Subpackages: kubernetes-client kubernetes-kubeadm kubernetes-kubelet-common kubernetes-kubelet1.17 kubernetes-kubelet1.18

- Rename /usr/lib/sysctl.d/50-kubeadm.conf to 90-kubeadm.conf [boo#1163328]
- Dropping all old CaaSP legacy configuration

==== mozilla-nss ====
Version update (3.50 -> 3.51)

- Update previous patch nss-kremlin-ppc64le.patch slightly modified to support also ppc64 (BE) versus initial https://github.com/FStarLang/kremlin/issues/166
- Add patch nss-kremlin-ppc64le.patch to fix ppc and s390x builds
- update to NSS 3.51
  * Updated DTLS 1.3 implementation to Draft-34. (bmo#1608892)
  * Correct swapped PKCS11 values of CKM_AES_CMAC and CKM_AES_CMAC_GENERAL (bmo#1611209)
  * Complete integration of Wycheproof ECDH test cases (bmo#1612259)
  * Check if PPC __has_include() (bmo#1614183)
  * Fix a compilation error for 'getFIPSEnv' "defined but not used" (bmo#1614786)
  * Send DTLS version numbers in DTLS 1.3 supported_versions extension to avoid an incompatibility. (bmo#1615208)
  * SECU_ReadDERFromFile calls strstr on a string that isn't guaranteed to be null-terminated (bmo#1538980)
  * Correct a warning for comparison of integers of different signs: 'int' and 'unsigned long' in security/nss/lib/freebl/ecl/ecp_25519.c:88 (bmo#1561337)
  * Add test for mp_int clamping (bmo#1609751)
  * Don't attempt to read the fips_enabled flag on the machine unless NSS was built with FIPS enabled (bmo#1582169)
  * Fix a null pointer dereference in BLAKE2B_Update (bmo#1431940)
  * Fix compiler warning in secsign.c (bmo#1617387)
  * Fix a OpenBSD/arm64 compilation error: unused variable 'getauxval' (bmo#1618400)
  * Fix a crash on unaligned CMACContext.aes.keySchedule when using AES-NI intrinsics (bmo#1610687)

==== nano ====
Version update (4.9 -> 4.9.1)

- GNU nano 4.9.1
  * fix cursor getting misplaced when undoing line cuts
  * fix filtering of the whole buffer to a new buffer

==== ncurses ====
Subpackages: libncurses6 ncurses-utils terminfo terminfo-base

- Add ncurses patch 20200321
  + improve configure-checks to reduce warnings about unused variables.
  + improve description of error-returns in waddch and waddnstr manual pages (prompted by patch by Benno Schulenberg).
  + add test/move_field.c to demonstrate move_field(), and a stub for a corresponding demo of dup_field().
- Add ncurses patch 20200314
  + add history note to curs_scanw.3x for and
  + add history note to curs_printw.3x for and
  + add portability note to ncurses.3x regarding

==== nfs-utils ====
Subpackages: libnfsidmap1 nfs-client

- Improve the hack to avoid python dependencies. A new python script had been added since that hack was written. (boo#1166067)
- 0001-conffile-Don-t-give-warning-for-optional-config-file.patch
  Support optional include files correctly (boo#1164619)
- Update nfs.conf
  - change value: udp=n (disabled in 2.2.1.)
  - update name: manage-gids
  - new: verbosity=0, rpc-verbosity=0, use-gss-proxy=0, rdma-port=20049, no-notify=0, force=0, lift-grace=y

==== open-iscsi ====
Subpackages: iscsiuio libopeniscsiusr0_2_0

- Update with two upstream commits:
  * Fix issue where "iscsi-iname -p" core dumps. (found upstream)
  * Fix iscsi.service so it handles restarts better (bsc#1163499)
  * Add Wants=remote-fs-pre.target for sequencing. (bsc#1158536)
  updating:
  * open-iscsi-SUSE-latest.diff.bz2
- Update SPEC file to work around issue with installcheck SUSE script. Update the SPEC file while there.

==== openSUSE-build-key ====

- mark the opensuse-container-key and the suse-container-key for openSUSE:Containers and SUSE:Containers space. (same as the build keys for SLE15 and openSUSE respectively.)
- Replace the old security@suse.de email comm key by the new, move the old one to the oldkey. (bsc#1166334)

==== openssl-1_1 ====
Version update (1.1.1d -> 1.1.1f)

- Update to 1.1.1f
  * Revert the unexpected EOF reporting via SSL_ERROR_SSL
- refresh openssl-1.1.0-no-html.patch
- Update to 1.1.1e
  * Properly detect EOF while reading in libssl. Previously if we hit an EOF while reading in libssl then we would report an error back to the application (SSL_ERROR_SYSCALL) but errno would be 0. We now add an error to the stack (which means we instead return SSL_ERROR_SSL) and therefore give a hint as to what went wrong.
  * Check that ed25519 and ed448 are allowed by the security level. Previously signature algorithms not using an MD were not being checked that they were allowed by the security level.
  * Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername() was not quite right. The behaviour was not consistent between resumption and normal handshakes, and also not quite consistent with historical behaviour. The behaviour in various scenarios has been clarified and it has been updated to make it match historical behaviour as closely as possible.
  * Corrected the documentation of the return values from the EVP_DigestSign* set of functions. The documentation mentioned negative values for some errors, but this was never the case, so the mention of negative values was removed.
  * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY. The presence of this system service is determined at run-time.
  * Added newline escaping functionality to a filename when using openssl dgst. This output format is to replicate the output format found in the '*sum' checksum programs. This aims to preserve backward compatibility.
  * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just the first value.
- Update bunch of patches as the internal crypto headers got reorganized
- drop openssl-1_1-CVE-2019-1551.patch (upstream)
- openssl dgst: default to SHA256 only when called without a digest, not when it couldn't be found (bsc#1166189)
  * add openssl-unknown_dgst.patch
- Limit the DRBG selftests to not deplete entropy (bsc#1165274)
  * update openssl-fips_selftest_upstream_drbg.patch

==== pam ====

- Listed all manual pages separately as pam_userdb.8 has been moved to pam-extra. Also %exclude %{_defaultdocdir}/pam as the docs are in a separate package. [pam.spec]
- pam_userdb moved to a new package pam-extra as pam-modules is obsolete and not part of SLE. [bsc#1166510, pam.spec]

==== permissions ====
Version update (1550_20200228 -> 1550_20200324)
Subpackages: chkstat permissions-config

- Update to version 20200324:
  * whitelist s390-tools setgid bit on log directory (bsc#1167163)
  * whitelist WMP (bsc#1161335)
  * regtest: improve readability of path variables by using literals
  * regtest: adjust test suite to new path locations in /usr/share/permissions
  * regtest: only catch explicit FileNotFoundError
  * regtest: provide valid home directory in /root
  * regtest: mount permissions src repository in /usr/src/permissions
  * regtest: move initialization of TestBase paths into the prepare() function
  * chkstat: support new --config-root command line option
  * fix spelling of icingacmd group

==== podman ====
Subpackages: podman-cni-config

- Add "systemd" BUILDFLAGS to build with support for journald logging (bsc#1162432)

==== rook ====
Version update (1.2.6+git0.g99024013 -> 1.2.7+git0.g1acfd182)

- Update to v1.2.7 (bsc#1168160):
  * Apply the expected lower PG count for rgw metadata pools (#5091)
  * Reject devices smaller than 5GiB for OSDs (#5089)
  * Add extra check for filesystem to skip boot volumes for OSD configuration (#5022)
  * Avoid duplication of mon pod anti-affinity (#4998)
  * Update service monitor definition during upgrade (#5078)
  * Resizer container fix due to misinterpretation of the cephcsi version (#5073-1)
  * Set ResourceVersion for Prometheus rules (#4528)
  * Upgrade doc clarification for RBAC related to the helm chart (#5054)

==== setools ====
Version update (4.2.2 -> 4.3.0)

- Update to the upstream version 4.3.0:
  * Revised sediff method for TE rules. This drastically reduced memory and run time.
  * Added infiniband context support to seinfo, sediff, and apol.
  * Added apol configuration for location of Qt assistant.
  * Fixed sediff issue where properties header would display when not requested.
  * Fixed sediff issue with type_transition file name comparison.
  * Fixed permission map socket sendto information flow direction.
  * Added methods to TypeAttribute class to make it a complete Python collection.
  * Genfscon now will look up classes rather than using fixed values which were dropped from libsepol
- Dropped python3.8-compat.patch

==== system-users ====
Subpackages: system-group-hardware system-group-wheel system-user-bin system-user-daemon system-user-nobody

- Use test -x instead of -f
- Call usermod only if installed

==== sysuser-tools ====

- Fix bug introduced by simplification of check for useradd -g
- Refactor use of sed away
- Use eval set -- $LINE instead of read for parsing
- Clean up sysusers2shadow and make it use only /bin/sh
- Don't let busybox adduser create the home directory, it breaks permissions of e.g. /sbin (home of daemon)
- Use only /bin/sh in sysusers-generate-pre and the generated code
- Drop use of tail from the generated %pre scriptlets

==== transactional-update ====
Version update (2.20.4 -> 2.21)
Subpackages: transactional-update-zypp-config

- Update to version 2.21
  - Use slave mounts for /proc, /sys & /dev

==== weave ====
Version update (2.6.1 -> 2.6.2)

- Update to version 2.6.2
  - Weave Net can not be used in fastdp mode and always falls back
  - Restrict timeout value passed to pcap library
- Refresh vendor.tar.xz

==== wpa_supplicant ====

- With v2.9 fi.epitest.hostap.WPASupplicant.service is obsolete (bsc#1167331)
- Change wpa_supplicant.service to ensure wpa_supplicant gets started before network. Fix WLAN config on boot with wicked. (boo#1166933)

==== xz ====
Version update (5.2.4 -> 5.2.5)
Subpackages: liblzma5

- Update to 5.2.5:
  * liblzma:
    - Fixed several C99/C11 conformance bugs. Now the code is clean under gcc/clang -fsanitize=undefined. Some of these changes might have a negative effect on performance with old GCC versions or compilers other than GCC and Clang.
      The configure option --enable-unsafe-type-punning can be used to (mostly) restore the old behavior but it shouldn't normally be used.
    - Improved API documentation of lzma_properties_decode().
    - Added a very minor encoder speed optimization.
  * xz:
    - Fixed a crash in "xz -dcfv not_an_xz_file". All four options were required to trigger it. The crash occurred in the progress indicator code when xz was in passthru mode where xz works like "cat".
    - Fixed an integer overflow with 32-bit off_t. It could happen when decompressing a file that has a long run of zero bytes which xz would try to write as a sparse file. Since the build system enables large file support by default, off_t is normally 64-bit even on 32-bit systems.
    - Fixes for --flush-timeout:
      * Fix semi-busy-waiting.
      * Avoid unneeded flushes when no new input has arrived since the previous flush was completed.
    - Added a special case for 32-bit xz: If --memlimit-compress is used to specify a limit that exceeds 4020 MiB, the limit will be set to 4020 MiB. The values "0" and "max" aren't affected by this and neither is decompression. This hack can be helpful when a 32-bit xz has access to 4 GiB address space but the specified memlimit exceeds 4 GiB. This can happen e.g. with some scripts.
    - Capsicum sandbox is now enabled by default where available (FreeBSD >= 10). The sandbox debug messages (xz -vv) were removed since they seemed to be more annoying than useful.

==== yast2 ====
Version update (4.2.78 -> 4.2.80)

- Modify the way YaST detects whether systemd is running or not (bsc#1168307)
- 4.2.80
- Reread network interfaces configuration after writing it avoiding wrong values when reopen network configuration dialog during an installation (bsc#1166778)
- 4.2.79

==== yomi-formula ====
Version update (0.0.1+git.1583771480.5787782 -> 0.0.1+git.1585319502.392f59c)

- Update to version 0.0.1+git.1585319502.392f59c:
  * users: better quote for certificate
  * users: workaround bsc#1167909 for passwords