Packages changed:
  audit
  busybox-links
  ceph (15.2.0.108+g8cf4f02b08 -> 15.2.3.252+gf2237253cd)
  cilium
  conmon (2.0.16 -> 2.0.17)
  dracut (050+suse.65.ge1e64674 -> 050+suse.66.g76431c83)
  gmp
  haproxy (2.1.5+git0.36e14bd31 -> 2.1.7+git0.8bebf80fb)
  installation-images-MicroOS (15.4 -> 15.5)
  kernel-64kb (5.6.14 -> 5.7.1)
  kernel-source (5.6.14 -> 5.7.1)
  krb5 (1.18.1 -> 1.18.2)
  kubernetes (1.18.2 -> 1.18.3)
  kubernetes1.17 (1.17.5 -> 1.17.6)
  kubernetes1.18 (1.18.2 -> 1.18.3)
  kustomize (3.5.4 -> 3.6.1)
  libgpg-error (1.37 -> 1.38)
  libnftnl (1.1.6 -> 1.1.7)
  libseccomp (2.4.2 -> 2.4.3)
  libxml2
  multipath-tools (0.8.4+31+suse.8f53764 -> 0.8.4+43+suse.908383f)
  ncurses (6.2.20200502 -> 6.2.20200531)
  nfs-utils
  open-iscsi
  openssh (8.1p1 -> 8.3p1)
  patterns-base
  perl
  permissions (1550_20200520 -> 1550_20200526)
  purge-kernels-service
  python-rpm-macros (20200207.5feb6c1 -> 20200529.b301e36)
  python3
  python3-base
  shadow
  sqlite3 (3.31.1 -> 3.32.2)
  sssd (2.2.3 -> 2.3.0)
  suse-module-tools (15.3.2 -> 15.3.3)
  systemd
  timezone
  util-linux
  util-linux-systemd
  weave (2.6.2 -> 2.6.4)
  yast2 (4.3.5 -> 4.3.6)

=== Details ===

==== audit ====
Subpackages: libaudit1 libauparse0

- Fix specfile to require libauparse0 and libaudit1 after splitting audit-libs (bsc#1172295)

==== busybox-links ====
Subpackages: busybox-coreutils busybox-gawk busybox-grep busybox-xz

- Create own busybox-adduser sub-package
- Add conflicts: mawk to busybox-gawk

==== ceph ====
Version update (15.2.0.108+g8cf4f02b08 -> 15.2.3.252+gf2237253cd)
Subpackages: ceph-common libcephfs2 librados2 librbd1 librgw2 python3-ceph-argparse python3-ceph-common python3-cephfs python3-rados python3-rbd python3-rgw

- Up ceph-test disk constraint to address "no space left on device" build error seen in OBS
- Update to 15.2.3-252-gf2237253cd:
  + rebase on tip of upstream "octopus" branch, SHA1 22279597fa9ca40ba2f05af9f186a99ce73a6047
    * upstream v15.2.3 release https://ceph.io/releases/v15-2-3-octopus-released/
- Update to 15.2.2-60-gf5864377ab:
  + rebase on tip of upstream "octopus" branch, SHA1 9e890709ef53ce29006c6fc754dd80e25df186d0
- Update to 15.2.2-18-g1dbcddb5d8:
  + rebase on tip of upstream "octopus" branch, SHA1 0c857e985a29d90501a285f242ea9c008df49eb8
    * Upstream v15.2.2 release https://ceph.io/releases/v15-2-2-octopus-released/
    * mon, mgr: require all caps for pre-octopus tell commands (bsc#1170021, CVE-2020-10736)
- Update to 15.2.1-277-g17d346932e:
  + rebase on tip of upstream "octopus" branch, SHA1 752b293586d0c8749483e60e43c7a98c1e0d7b19
    * rpm: drop "is_opensuse" conditional in SUSE-specific bcond block (jsc#SLE-11802)
- Update to 15.2.1-246-g66cd0e5497:
  + rebase on tip of upstream "octopus" branch, SHA1 939661f696d3d9eb4d31e998a3ad1487852a4741
- Update to 15.2.1-16-gb3a86250a6:
  + rebase on tip of upstream "octopus" branch, SHA1 9fd2f65f91d9246fae2c841a6222d34d121680ee
    * upstream 15.2.1 release https://ceph.io/releases/v15-2-1-octopus-released/
  + fix Nonce reuse in msgr V2 secure mode (bsc#1166403, CVE-2020-1759)
  + prevent RGW GetObject header-splitting XSS (bsc#1166484, CVE-2020-1760)

==== cilium ====

- add 0002-bpf-re-add-a-proper-types.h-mapper.patch
- add 0001-build-Avoid-using-git-if-not-in-a-git-repo.patch
- add 0001-datapath-Switch-to-upstream-bpftool-remove-additiona.patch
- build BPF_SRCFILES to get the list of bpf files to install

==== conmon ====
Version update (2.0.16 -> 2.0.17)

- Update to v2.0.17
- Add option to delay execution of exit command

==== dracut ====
Version update (050+suse.65.ge1e64674 -> 050+suse.66.g76431c83)
Subpackages: dracut-ima

- Update to version 050+suse.66.g76431c83:
  * 95iscsi: fix missing space when compiling cmdline args (bsc#1172816)

==== gmp ====

- correct license statement (library itself is no GPL-3.0)

==== haproxy ====
Version update (2.1.5+git0.36e14bd31 -> 2.1.7+git0.8bebf80fb)

- Update to version 2.1.7+git0.8bebf80fb:
  * [RELEASE] Released version 2.1.7
- Update to version 2.1.6+git1.661c88907:
  * BUG/MAJOR: http-htx: Don't forget to copy error messages from defaults sections
- Update to version 2.1.6+git0.34db76106:
  * [RELEASE] Released version 2.1.6
  * BUG/MINOR: mworker: fix a memleak when execvp() failed
  * BUG/MINOR: ssl: fix a trash buffer leak in some error cases
  * BUG/MEDIUM: mworker: fix the reload with an -- option
  * BUG/MINOR: init: -S can have a parameter starting with a dash
  * BUG/MINOR: init: -x can have a parameter starting with a dash
  * BUG/MEDIUM: mworker: fix the copy of options in copy_argv()
  * BUG/MEDIUM: contrib/prometheus-exporter: Properly set flags to dump metrics
  * BUG/MEDIUM: hlua: Lock pattern references to perform set/add/del operations
  * BUG/MEDIUM: http-htx: Duplicate error messages as raw data instead of string
  * BUG/MEDIUM: lua: Reset analyse expiration timeout before executing a lua action
  * BUG/MINOR: peers: fix internal/network key type mapping.
  * SCRIPTS: publish-release: pass -n to gzip to remove timestamp
  * Revert "BUG/MEDIUM: connections: force connections cleanup on server changes"

==== installation-images-MicroOS ====
Version update (15.4 -> 15.5)

- merge gh#openSUSE/installation-images#384
- Add missed file to instsys. bsc#1158522 [Build 101.1] openQA test fails in windows_client_remotelogin
- 15.5

==== kernel-64kb ====
Version update (5.6.14 -> 5.7.1)

- syscalls: fix offset type of ksys_ftruncate (bsc#1172699).
- commit 8d4977c
- armv7/aarch64: Update config files.
  Enable IOMMU_DEFAULT_PASSTHROUGH; per jsc#SLE-5568 this should be on by default, like on x86_64.
- commit bb34387
- Refresh patches.suse/jbd2-avoid-leaking-transaction-credits-when-unreserv.patch.
  Update upstream status.
- commit c3ae43f
- KVM: x86/mmu: Set mmio_value to '0' if reserved #PF can't be generated (bsc#1171904).
- KVM: x86: only do L1TF workaround on affected processors (bsc#1171904).
- commit 16721c7
- Linux 5.7.1 (bnc#1012628).
- airo: Fix read overflows sending packets (bnc#1012628).
- net: dsa: mt7530: set CPU port to fallback mode (bnc#1012628).
- media: staging: ipu3-imgu: Move alignment attribute to field (bnc#1012628).
- media: Revert "staging: imgu: Address a compiler warning on alignment" (bnc#1012628).
- mmc: fix compilation of user API (bnc#1012628).
- kernel/relay.c: handle alloc_percpu returning NULL in relay_open (bnc#1012628).
- crypto: api - Fix use-after-free and race in crypto_spawn_alg (bnc#1012628).
- mt76: mt76x02u: Add support for newer versions of the XBox One wifi adapter (bnc#1012628).
- p54usb: add AirVasT USB stick device-id (bnc#1012628).
- HID: i2c-hid: add Schneider SCL142ALM to descriptor override (bnc#1012628).
- HID: multitouch: enable multi-input as a quirk for some devices (bnc#1012628).
- HID: sony: Fix for broken buttons on DS3 USB dongles (bnc#1012628).
- mm: Fix mremap not considering huge pmd devmap (bnc#1012628).
- media: dvbdev: Fix tuner->demod media controller link (bnc#1012628).
- commit cc2f849
- config: refresh with gcc10
  gcc10 is default in Tumbleweed now.
- commit 0b1e86b
- Revert "Update config files."
  This reverts commit 34be040b91701c047e592935bc2dbb46a3947a56.
  We now have a fix (previous commit) in place, so change the configuration back (bsc#1156053).
- commit f4546fe
- usercopy: mark dma-kmalloc caches as usercopy caches (bsc#1156053).
- commit d3b5ce7
- jbd2: avoid leaking transaction credits when unreserving handle (bnc#1169774).
- commit 8599ef4
- jbd2: avoid leaking transaction credits when unreserving handle (bnc#1169774).
- Delete patches.suse/Revert-ext4-make-dioread_nolock-the-default.patch.
  Replace revert by the upstream fix.
- commit bfa465b
- Refresh patches.suse/drm-nouveau-Fix-regression-by-audio-component-transition.patch.
  Update upstream status.
- commit 3000ce5
- config: enable DEBUG_INFO_BTF
  This was disabled when the option was introduced in 5.2-rc1 but it turned out there are interesting use cases for having it enabled.
  Add pahole to build time dependencies as it is used to extract the BTF data.
  Once we figure out how to make it conditional (only if DEBUG_INFO_BTF exists and is enabled), it should be done in packaging branch.
- commit 9ddab66
- Updated to 5.7 final
- refresh configs
- commit 7cd0da5
- Update config files.
- commit 6dba057
- Revert "virtio-balloon: Revert "virtio-balloon: Switch back to OOM handler for VIRTIO_BALLOON_F_DEFLATE_ON_OOM"" (virtio fix).
- commit fe7831e
- Linux 5.6.15 (bnc#1012628).
- blacklist.conf: remove one entry
- sched/fair: Fix enqueue_task_fair() warning some more (bnc#1012628).
- sched/fair: Fix reordering of enqueue/dequeue_task_fair() (bnc#1012628).
- sched/fair: Reorder enqueue/dequeue_task_fair path (bnc#1012628).
- bpf: Prevent mmap()'ing read-only maps as writable (bnc#1012628).
- rxrpc: Fix ack discard (bnc#1012628).
- rxrpc: Trace discarded ACKs (bnc#1012628).
- x86/unwind/orc: Fix unwind_get_return_address_ptr() for inactive tasks (bnc#1012628).
- flow_dissector: Drop BPF flow dissector prog ref on netns cleanup (bnc#1012628).
- s390/kexec_file: fix initrd location for kdump kernel (bnc#1012628).
- tpm: check event log version before reading final events (bnc#1012628).
- rxrpc: Fix a memory leak in rxkad_verify_response() (bnc#1012628).
- rxrpc: Fix the excessive initial retransmission timeout (bnc#1012628).
- iio: imu: st_lsm6dsx: unlock on error in st_lsm6dsx_shub_write_raw() (bnc#1012628).
- z3fold: fix use-after-free when freeing handles (bnc#1012628).
- sparc32: fix page table traversal in srmmu_nocache_init() (bnc#1012628).
- sparc32: use PUD rather than PGD to get PMD in srmmu_nocache_init() (bnc#1012628).
- sh: include linux/time_types.h for sockios (bnc#1012628).
- kasan: disable branch tracing for core runtime (bnc#1012628).
- rapidio: fix an error in get_user_pages_fast() error handling (bnc#1012628).
- device-dax: don't leak kernel memory to user space after unloading kmem (bnc#1012628).
- s390/kaslr: add support for R_390_JMP_SLOT relocation type (bnc#1012628).
- s390/pci: Fix s390_mmio_read/write with MIO (bnc#1012628).
- ipack: tpci200: fix error return code in tpci200_register() (bnc#1012628).
- mei: release me_cl object reference (bnc#1012628).
- tty: serial: add missing spin_lock_init for SiFive serial console (bnc#1012628).
- misc: rtsx: Add short delay after exit from ASPM (bnc#1012628).
- driver core: Fix handling of SYNC_STATE_ONLY + STATELESS device links (bnc#1012628).
- driver core: Fix SYNC_STATE_ONLY device link implementation (bnc#1012628).
- iio: adc: ti-ads8344: Fix channel selection (bnc#1012628).
- iio: dac: vf610: Fix an error handling path in 'vf610_dac_probe()' (bnc#1012628).
- iio: sca3000: Remove an erroneous 'get_device()' (bnc#1012628).
- iio: adc: stm32-dfsdm: fix device used to request dma (bnc#1012628).
- iio: adc: stm32-adc: fix device used to request dma (bnc#1012628).
- staging: greybus: Fix uninitialized scalar variable (bnc#1012628).
- staging: kpc2000: fix error return code in kp2000_pcie_probe() (bnc#1012628).
- staging: wfx: unlock on error path (bnc#1012628).
- staging: iio: ad2s1210: Fix SPI reading (bnc#1012628).
- kbuild: Remove debug info from kallsyms linking (bnc#1012628).
- tools/bootconfig: Fix apply_xbc() to return zero on success (bnc#1012628).
- Revert "driver core: platform: Initialize dma_parms for platform devices" (bnc#1012628).
- virtio-balloon: Revert "virtio-balloon: Switch back to OOM handler for VIRTIO_BALLOON_F_DEFLATE_ON_OOM" (bnc#1012628).
- Revert "gfs2: Don't demote a glock until its revokes are written" (bnc#1012628).
- drm/i915: Propagate error from completed fences (bnc#1012628).
- drm/i915/gvt: Init DPLL/DDI vreg for virtual display instead of inheritance (bnc#1012628).
- vsprintf: don't obfuscate NULL and error pointers (bnc#1012628).
- dmaengine: owl: Use correct lock in owl_dma_get_pchan() (bnc#1012628).
- dmaengine: idxd: fix interrupt completion after unmasking (bnc#1012628).
- dmaengine: dmatest: Restore default for channel (bnc#1012628).
- drm/etnaviv: Fix a leak in submit_pin_objects() (bnc#1012628).
- dmaengine: tegra210-adma: Fix an error handling path in 'tegra_adma_probe()' (bnc#1012628).
- apparmor: Fix aa_label refcnt leak in policy_update (bnc#1012628).
- apparmor: fix potential label refcnt leak in aa_change_profile (bnc#1012628).
- apparmor: Fix use-after-free in aa_audit_rule_init (bnc#1012628).
- pinctrl: qcom: Add affinity callbacks to msmgpio IRQ chip (bnc#1012628).
- drm/etnaviv: fix perfmon domain interation (bnc#1012628).
- powerpc/64s: Disable STRICT_KERNEL_RWX (bnc#1012628).
- arm64: Fix PTRACE_SYSEMU semantics (bnc#1012628).
- scsi: target: Put lun_ref at end of tmr processing (bnc#1012628).
- scsi: qla2xxx: Do not log message when reading port speed via sysfs (bnc#1012628).
- ALSA: hda/realtek - Add more fixup entries for Clevo machines (bnc#1012628).
- ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Xtreme (bnc#1012628).
- ALSA: pcm: fix incorrect hw_base increase (bnc#1012628).
- ALSA: iec1712: Initialize STDSP24 properly when using the model=staudio option (bnc#1012628).
- bpf: Add bpf_probe_read_{user, kernel}_str() to do_refine_retval_range (bnc#1012628).
- bpf: Restrict bpf_probe_read{, str}() only to archs where they work (bnc#1012628).
- Update config files.
- ALSA: hda/realtek: Enable headset mic of ASUS UX581LV with ALC295 (bnc#1012628).
- ALSA: hda/realtek - Enable headset mic of ASUS UX550GE with ALC295 (bnc#1012628).
- ALSA: hda/realtek - Enable headset mic of ASUS GL503VM with ALC295 (bnc#1012628).
- ALSA: hda/realtek: Add quirk for Samsung Notebook (bnc#1012628).
- ALSA: hda/realtek - Add HP new mute led supported for ALC236 (bnc#1012628).
- ALSA: hda/realtek - Add supported new mute Led for HP (bnc#1012628).
- scripts/gdb: repair rb_first() and rb_last() (bnc#1012628).
- tools/bootconfig: Fix resource leak in apply_xbc() (bnc#1012628).
- ARM: futex: Address build warning (bnc#1012628).
- KVM: selftests: Fix build for evmcs.h (bnc#1012628).
- drm/amd/display: Prevent dpcd reads with passive dongles (bnc#1012628).
- drm/amd/display: fix counter in wait_for_no_pipes_pending (bnc#1012628).
- iommu/amd: Call domain_flush_complete() in update_domain() (bnc#1012628).
- iommu/amd: Do not loop forever when trying to increase address space (bnc#1012628).
- platform/x86: asus-nb-wmi: Do not load on Asus T100TA and T200TA (bnc#1012628).
- USB: core: Fix misleading driver bug report (bnc#1012628).
- stmmac: fix pointer check after utilization in stmmac_interrupt (bnc#1012628).
- ceph: fix double unlock in handle_cap_export() (bnc#1012628).
- HID: quirks: Add HID_QUIRK_NO_INIT_REPORTS quirk for Dell K12A keyboard-dock (bnc#1012628).
- gtp: set NLM_F_MULTI flag in gtp_genl_dump_pdp() (bnc#1012628).
- x86/apic: Move TSC deadline timer debug printk (bnc#1012628).
- selftests: fix kvm relocatable native/cross builds and installs (bnc#1012628).
- ftrace/selftest: make unresolved cases cause failure if --fail-unresolved set (bnc#1012628).
- ibmvnic: Skip fatal error reset after passive init (bnc#1012628).
- HID: i2c-hid: reset Synaptics SYNA2393 on resume (bnc#1012628).
- scsi: ibmvscsi: Fix WARN_ON during event pool release (bnc#1012628).
- net/ena: Fix build warning in ena_xdp_set() (bnc#1012628).
- component: Silence bind error on -EPROBE_DEFER (bnc#1012628).
- aquantia: Fix the media type of AQC100 ethernet controller in the driver (bnc#1012628).
- vhost/vsock: fix packet delivery order to monitoring devices (bnc#1012628).
- configfs: fix config_item refcnt leak in configfs_rmdir() (bnc#1012628).
- scsi: qla2xxx: Delete all sessions before unregister local nvme port (bnc#1012628).
- scsi: qla2xxx: Fix hang when issuing nvme disconnect-all in NPIV (bnc#1012628).
- HID: alps: ALPS_1657 is too specific; use U1_UNICORN_LEGACY instead (bnc#1012628).
- HID: alps: Add AUI1657 device ID (bnc#1012628).
- HID: logitech: Add support for Logitech G11 extra keys (bnc#1012628).
- HID: multitouch: add eGalaxTouch P80H84 support (bnc#1012628).
- gcc-common.h: Update for GCC 10 (bnc#1012628).
- net: drop_monitor: use IS_REACHABLE() to guard net_dm_hw_report() (bnc#1012628).
- kbuild: avoid concurrency issue in parallel building dtbs and dtbs_check (bnc#1012628).
- iommu: Fix deferred domain attachment (bnc#1012628).
- mtd: Fix mtd not registered due to nvmem name collision (bnc#1012628).
- afs: Don't unlock fetched data pages until the op completes successfully (bnc#1012628).
- ubi: Fix seq_file usage in detailed_erase_block_info debugfs file (bnc#1012628).
- i2c: mux: demux-pinctrl: Fix an error handling path in 'i2c_demux_pinctrl_probe()' (bnc#1012628).
- evm: Fix a small race in init_desc() (bnc#1012628).
- iommu/amd: Fix get_acpihid_device_id() (bnc#1012628).
- iommu/amd: Fix over-read of ACPI UID from IVRS table (bnc#1012628).
- i2c: fix missing pm_runtime_put_sync in i2c_device_probe (bnc#1012628).
- ubifs: remove broken lazytime support (bnc#1012628).
- pipe: Fix pipe_full() test in opipe_prep() (bnc#1012628).
- fix multiplication overflow in copy_fdtable() (bnc#1012628).
- mtd: spinand: Propagate ECC information to the MTD structure (bnc#1012628).
- ACPI: EC: PM: Avoid flushing EC work when EC GPE is inactive (bnc#1012628).
- ubifs: fix wrong use of crypto_shash_descsize() (bnc#1012628).
- ovl: potential crash in ovl_fid_to_fh() (bnc#1012628).
- ima: Fix return value of ima_write_policy() (bnc#1012628).
- evm: Check also if *tfm is an error pointer in init_desc() (bnc#1012628).
- ima: Set file->f_mode instead of file->f_flags in ima_calc_file_hash() (bnc#1012628).
- ARC: [plat-hsdk]: fix USB regression (bnc#1012628).
- i2c: dev: Fix the race between the release of i2c_dev and cdev (bnc#1012628).
- commit 5afc154
- Update config files.
  Remove ACPI_PROCFS_POWER
  This should all be in sysfs nowadays. If this is in Tumbleweed for a while, a patch to totally remove this code will be sent mainline.
  Related to bsc#1160977
- commit 96731f2
- rpm/kernel-source.spec.in: Add obsolete_rebuilds (boo#1172073).
- commit 6524463
- Update to 5.7-rc7
- refresh configs (ARCH_HAS_STRICT_KERNEL_RWX=n on ppc64/ppc64le)
- commit 67f7fb5

==== kernel-source ====
Version update (5.6.14 -> 5.7.1)

- syscalls: fix offset type of ksys_ftruncate (bsc#1172699).
- commit 8d4977c
- armv7/aarch64: Update config files.
  Enable IOMMU_DEFAULT_PASSTHROUGH; per jsc#SLE-5568 this should be on by default, like on x86_64.
- commit bb34387
- Refresh patches.suse/jbd2-avoid-leaking-transaction-credits-when-unreserv.patch.
  Update upstream status.
- commit c3ae43f
- KVM: x86/mmu: Set mmio_value to '0' if reserved #PF can't be generated (bsc#1171904).
- KVM: x86: only do L1TF workaround on affected processors (bsc#1171904).
- commit 16721c7
- Linux 5.7.1 (bnc#1012628).
- airo: Fix read overflows sending packets (bnc#1012628).
- net: dsa: mt7530: set CPU port to fallback mode (bnc#1012628).
- media: staging: ipu3-imgu: Move alignment attribute to field (bnc#1012628).
- media: Revert "staging: imgu: Address a compiler warning on alignment" (bnc#1012628).
- mmc: fix compilation of user API (bnc#1012628).
- kernel/relay.c: handle alloc_percpu returning NULL in relay_open (bnc#1012628).
- crypto: api - Fix use-after-free and race in crypto_spawn_alg (bnc#1012628).
- mt76: mt76x02u: Add support for newer versions of the XBox One wifi adapter (bnc#1012628).
- p54usb: add AirVasT USB stick device-id (bnc#1012628).
- HID: i2c-hid: add Schneider SCL142ALM to descriptor override (bnc#1012628).
- HID: multitouch: enable multi-input as a quirk for some devices (bnc#1012628).
- HID: sony: Fix for broken buttons on DS3 USB dongles (bnc#1012628).
- mm: Fix mremap not considering huge pmd devmap (bnc#1012628).
- media: dvbdev: Fix tuner->demod media controller link (bnc#1012628).
- commit cc2f849
- config: refresh with gcc10
  gcc10 is default in Tumbleweed now.
- commit 0b1e86b
- Revert "Update config files."
  This reverts commit 34be040b91701c047e592935bc2dbb46a3947a56.
  We now have a fix (previous commit) in place, so change the configuration back (bsc#1156053).
- commit f4546fe
- usercopy: mark dma-kmalloc caches as usercopy caches (bsc#1156053).
- commit d3b5ce7
- jbd2: avoid leaking transaction credits when unreserving handle (bnc#1169774).
- commit 8599ef4
- jbd2: avoid leaking transaction credits when unreserving handle (bnc#1169774).
- Delete patches.suse/Revert-ext4-make-dioread_nolock-the-default.patch.
  Replace revert by the upstream fix.
- commit bfa465b
- Refresh patches.suse/drm-nouveau-Fix-regression-by-audio-component-transition.patch.
  Update upstream status.
- commit 3000ce5
- config: enable DEBUG_INFO_BTF
  This was disabled when the option was introduced in 5.2-rc1 but it turned out there are interesting use cases for having it enabled.
  Add pahole to build time dependencies as it is used to extract the BTF data.
  Once we figure out how to make it conditional (only if DEBUG_INFO_BTF exists and is enabled), it should be done in packaging branch.
- commit 9ddab66
- Updated to 5.7 final
- refresh configs
- commit 7cd0da5
- Update config files.
- commit 6dba057
- Revert "virtio-balloon: Revert "virtio-balloon: Switch back to OOM handler for VIRTIO_BALLOON_F_DEFLATE_ON_OOM"" (virtio fix).
- commit fe7831e
- Linux 5.6.15 (bnc#1012628).
- blacklist.conf: remove one entry
- sched/fair: Fix enqueue_task_fair() warning some more (bnc#1012628).
- sched/fair: Fix reordering of enqueue/dequeue_task_fair() (bnc#1012628).
- sched/fair: Reorder enqueue/dequeue_task_fair path (bnc#1012628).
- bpf: Prevent mmap()'ing read-only maps as writable (bnc#1012628).
- rxrpc: Fix ack discard (bnc#1012628).
- rxrpc: Trace discarded ACKs (bnc#1012628).
- x86/unwind/orc: Fix unwind_get_return_address_ptr() for inactive tasks (bnc#1012628).
- flow_dissector: Drop BPF flow dissector prog ref on netns cleanup (bnc#1012628).
- s390/kexec_file: fix initrd location for kdump kernel (bnc#1012628).
- tpm: check event log version before reading final events (bnc#1012628).
- rxrpc: Fix a memory leak in rxkad_verify_response() (bnc#1012628).
- rxrpc: Fix the excessive initial retransmission timeout (bnc#1012628).
- iio: imu: st_lsm6dsx: unlock on error in st_lsm6dsx_shub_write_raw() (bnc#1012628).
- z3fold: fix use-after-free when freeing handles (bnc#1012628).
- sparc32: fix page table traversal in srmmu_nocache_init() (bnc#1012628).
- sparc32: use PUD rather than PGD to get PMD in srmmu_nocache_init() (bnc#1012628).
- sh: include linux/time_types.h for sockios (bnc#1012628).
- kasan: disable branch tracing for core runtime (bnc#1012628).
- rapidio: fix an error in get_user_pages_fast() error handling (bnc#1012628).
- device-dax: don't leak kernel memory to user space after unloading kmem (bnc#1012628).
- s390/kaslr: add support for R_390_JMP_SLOT relocation type (bnc#1012628).
- s390/pci: Fix s390_mmio_read/write with MIO (bnc#1012628).
- ipack: tpci200: fix error return code in tpci200_register() (bnc#1012628).
- mei: release me_cl object reference (bnc#1012628).
- tty: serial: add missing spin_lock_init for SiFive serial console (bnc#1012628).
- misc: rtsx: Add short delay after exit from ASPM (bnc#1012628).
- driver core: Fix handling of SYNC_STATE_ONLY + STATELESS device links (bnc#1012628).
- driver core: Fix SYNC_STATE_ONLY device link implementation (bnc#1012628).
- iio: adc: ti-ads8344: Fix channel selection (bnc#1012628).
- iio: dac: vf610: Fix an error handling path in 'vf610_dac_probe()' (bnc#1012628).
- iio: sca3000: Remove an erroneous 'get_device()' (bnc#1012628).
- iio: adc: stm32-dfsdm: fix device used to request dma (bnc#1012628).
- iio: adc: stm32-adc: fix device used to request dma (bnc#1012628).
- staging: greybus: Fix uninitialized scalar variable (bnc#1012628).
- staging: kpc2000: fix error return code in kp2000_pcie_probe() (bnc#1012628).
- staging: wfx: unlock on error path (bnc#1012628).
- staging: iio: ad2s1210: Fix SPI reading (bnc#1012628).
- kbuild: Remove debug info from kallsyms linking (bnc#1012628).
- tools/bootconfig: Fix apply_xbc() to return zero on success (bnc#1012628).
- Revert "driver core: platform: Initialize dma_parms for platform devices" (bnc#1012628).
- virtio-balloon: Revert "virtio-balloon: Switch back to OOM handler for VIRTIO_BALLOON_F_DEFLATE_ON_OOM" (bnc#1012628).
- Revert "gfs2: Don't demote a glock until its revokes are written" (bnc#1012628).
- drm/i915: Propagate error from completed fences (bnc#1012628).
- drm/i915/gvt: Init DPLL/DDI vreg for virtual display instead of inheritance (bnc#1012628).
- vsprintf: don't obfuscate NULL and error pointers (bnc#1012628).
- dmaengine: owl: Use correct lock in owl_dma_get_pchan() (bnc#1012628).
- dmaengine: idxd: fix interrupt completion after unmasking (bnc#1012628).
- dmaengine: dmatest: Restore default for channel (bnc#1012628).
- drm/etnaviv: Fix a leak in submit_pin_objects() (bnc#1012628).
- dmaengine: tegra210-adma: Fix an error handling path in 'tegra_adma_probe()' (bnc#1012628).
- apparmor: Fix aa_label refcnt leak in policy_update (bnc#1012628).
- apparmor: fix potential label refcnt leak in aa_change_profile (bnc#1012628).
- apparmor: Fix use-after-free in aa_audit_rule_init (bnc#1012628).
- pinctrl: qcom: Add affinity callbacks to msmgpio IRQ chip (bnc#1012628).
- drm/etnaviv: fix perfmon domain interation (bnc#1012628).
- powerpc/64s: Disable STRICT_KERNEL_RWX (bnc#1012628).
- arm64: Fix PTRACE_SYSEMU semantics (bnc#1012628).
- scsi: target: Put lun_ref at end of tmr processing (bnc#1012628).
- scsi: qla2xxx: Do not log message when reading port speed via sysfs (bnc#1012628).
- ALSA: hda/realtek - Add more fixup entries for Clevo machines (bnc#1012628).
- ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Xtreme (bnc#1012628).
- ALSA: pcm: fix incorrect hw_base increase (bnc#1012628).
- ALSA: iec1712: Initialize STDSP24 properly when using the model=staudio option (bnc#1012628).
- bpf: Add bpf_probe_read_{user, kernel}_str() to do_refine_retval_range (bnc#1012628).
- bpf: Restrict bpf_probe_read{, str}() only to archs where they work (bnc#1012628).
- Update config files.
- ALSA: hda/realtek: Enable headset mic of ASUS UX581LV with ALC295 (bnc#1012628).
- ALSA: hda/realtek - Enable headset mic of ASUS UX550GE with ALC295 (bnc#1012628).
- ALSA: hda/realtek - Enable headset mic of ASUS GL503VM with ALC295 (bnc#1012628).
- ALSA: hda/realtek: Add quirk for Samsung Notebook (bnc#1012628).
- ALSA: hda/realtek - Add HP new mute led supported for ALC236 (bnc#1012628).
- ALSA: hda/realtek - Add supported new mute Led for HP (bnc#1012628).
- scripts/gdb: repair rb_first() and rb_last() (bnc#1012628).
- tools/bootconfig: Fix resource leak in apply_xbc() (bnc#1012628).
- ARM: futex: Address build warning (bnc#1012628).
- KVM: selftests: Fix build for evmcs.h (bnc#1012628).
- drm/amd/display: Prevent dpcd reads with passive dongles (bnc#1012628).
- drm/amd/display: fix counter in wait_for_no_pipes_pending (bnc#1012628).
- iommu/amd: Call domain_flush_complete() in update_domain() (bnc#1012628).
- iommu/amd: Do not loop forever when trying to increase address space (bnc#1012628).
- platform/x86: asus-nb-wmi: Do not load on Asus T100TA and T200TA (bnc#1012628).
- USB: core: Fix misleading driver bug report (bnc#1012628).
- stmmac: fix pointer check after utilization in stmmac_interrupt (bnc#1012628).
- ceph: fix double unlock in handle_cap_export() (bnc#1012628).
- HID: quirks: Add HID_QUIRK_NO_INIT_REPORTS quirk for Dell K12A keyboard-dock (bnc#1012628).
- gtp: set NLM_F_MULTI flag in gtp_genl_dump_pdp() (bnc#1012628).
- x86/apic: Move TSC deadline timer debug printk (bnc#1012628).
- selftests: fix kvm relocatable native/cross builds and installs (bnc#1012628).
- ftrace/selftest: make unresolved cases cause failure if --fail-unresolved set (bnc#1012628).
- ibmvnic: Skip fatal error reset after passive init (bnc#1012628).
- HID: i2c-hid: reset Synaptics SYNA2393 on resume (bnc#1012628).
- scsi: ibmvscsi: Fix WARN_ON during event pool release (bnc#1012628).
- net/ena: Fix build warning in ena_xdp_set() (bnc#1012628).
- component: Silence bind error on -EPROBE_DEFER (bnc#1012628).
- aquantia: Fix the media type of AQC100 ethernet controller in the driver (bnc#1012628).
- vhost/vsock: fix packet delivery order to monitoring devices (bnc#1012628).
- configfs: fix config_item refcnt leak in configfs_rmdir() (bnc#1012628).
- scsi: qla2xxx: Delete all sessions before unregister local nvme port (bnc#1012628).
- scsi: qla2xxx: Fix hang when issuing nvme disconnect-all in NPIV (bnc#1012628).
- HID: alps: ALPS_1657 is too specific; use U1_UNICORN_LEGACY instead (bnc#1012628).
- HID: alps: Add AUI1657 device ID (bnc#1012628).
- HID: logitech: Add support for Logitech G11 extra keys (bnc#1012628).
- HID: multitouch: add eGalaxTouch P80H84 support (bnc#1012628).
- gcc-common.h: Update for GCC 10 (bnc#1012628).
- net: drop_monitor: use IS_REACHABLE() to guard net_dm_hw_report() (bnc#1012628).
- kbuild: avoid concurrency issue in parallel building dtbs and dtbs_check (bnc#1012628).
- iommu: Fix deferred domain attachment (bnc#1012628).
- mtd: Fix mtd not registered due to nvmem name collision (bnc#1012628).
- afs: Don't unlock fetched data pages until the op completes successfully (bnc#1012628).
- ubi: Fix seq_file usage in detailed_erase_block_info debugfs file (bnc#1012628).
- i2c: mux: demux-pinctrl: Fix an error handling path in 'i2c_demux_pinctrl_probe()' (bnc#1012628).
- evm: Fix a small race in init_desc() (bnc#1012628).
- iommu/amd: Fix get_acpihid_device_id() (bnc#1012628).
- iommu/amd: Fix over-read of ACPI UID from IVRS table (bnc#1012628).
- i2c: fix missing pm_runtime_put_sync in i2c_device_probe (bnc#1012628).
- ubifs: remove broken lazytime support (bnc#1012628).
- pipe: Fix pipe_full() test in opipe_prep() (bnc#1012628). - fix multiplication overflow in copy_fdtable() (bnc#1012628). - mtd: spinand: Propagate ECC information to the MTD structure (bnc#1012628). - ACPI: EC: PM: Avoid flushing EC work when EC GPE is inactive (bnc#1012628). - ubifs: fix wrong use of crypto_shash_descsize() (bnc#1012628). - ovl: potential crash in ovl_fid_to_fh() (bnc#1012628). - ima: Fix return value of ima_write_policy() (bnc#1012628). - evm: Check also if *tfm is an error pointer in init_desc() (bnc#1012628). - ima: Set file->f_mode instead of file->f_flags in ima_calc_file_hash() (bnc#1012628). - ARC: [plat-hsdk]: fix USB regression (bnc#1012628). - i2c: dev: Fix the race between the release of i2c_dev and cdev (bnc#1012628). - commit 5afc154 - Update config files. Remove ACPI_PROCFS_POWER This should all be in sysfs nowadays. If this is in Tumbleweed for a while, a patch to totally remove this code will be sent mainline. Related to bsc#1160977 - commit 96731f2 - rpm/kernel-source.spec.in: Add obsolete_rebuilds (boo#1172073). - commit 6524463 - Update to 5.7-rc7 - refresh configs (ARCH_HAS_STRICT_KERNEL_RWX=n on ppc64/ppc64le) - commit 67f7fb5 ==== krb5 ==== Version update (1.18.1 -> 1.18.2) - Update to 1.18.2 * Fix a SPNEGO regression where an acceptor using the default credential would improperly filter mechanisms, causing a negotiation failure. * Fix a bug where the KDC would fail to issue tickets if the local krbtgt principal's first key has a single-DES enctype. * Add stub functions to allow old versions of OpenSSL libcrypto to link against libkrb5. * Fix a NegoEx bug where the client name and delegated credential might not be reported. - Update logrotate script, call systemd to reload the services instead of init-scripts. (boo#1169357) - Don't add the lto flags to the public link options. 
  (boo#1172038)

==== kubernetes ====
Version update (1.18.2 -> 1.18.3)
Subpackages: kubernetes-client kubernetes-kubeadm kubernetes-kubelet

- Bump to kubernetes 1.18.3 and 1.17.6

==== kubernetes1.17 ====
Version update (1.17.5 -> 1.17.6)

- Add reproducible-buildid.patch to make package build reproducible
- Remove %{?_smp_mflags} to make build more reliable [boo#1172744]
- Update to version 1.17.6:
  * Azure: support non-VMSS instances removal
  * deps: Use debian-base:v2.1.0 and debian-iptables:v12.1.0
  * build: Add build-image OWNERS to debian-{base,iptables} and pause dirs
  * count no nodes scheduling failure as unschedulable instead of error
  * base-images: Update to kube-cross:v1.13.9-5
  * build: Alpha-sort dependencies.yaml
  * Work-around for missing metrics on CRI-O exited containers
  * fix: azure disk dangling attach issue
  * fix: ACR auth fails in private azure clouds
  * Restore cache-control header filter
  * bugfix: initcontainer wasn't considered when calculate resource request
  * fix: azure file csi migration failure
  * Fix flaws in Azure CSI translation
  * Update CHANGELOG/CHANGELOG-1.17.md for v1.17.5
  * Move PSP tests behind a feature tag
  * Fix code for 1.17
  * kube-openapi bump to release-1.17
  * Do not reset managedFields in status update strategy
  * Use discovery to test apply all status
  * Preserve int/float distinction when decoding raw values
  * All check for instanceID
  * Fix AWS eventual consistency of AttachDisk
  * fix: update max azure disk max count
  * Fix cherry-pick errors
  * Fix CSINodeInfo startup
  * Wait for APIServer 'ok' forever during CSINode initialization during Kubelet init
- Add ConditionPathExists=/var/lib/kubelet/config.yaml to kubelet.service [boo#1146372]

==== kubernetes1.18 ====
Version update (1.18.2 -> 1.18.3)
Subpackages: kubernetes1.18-client kubernetes1.18-kubeadm kubernetes1.18-kubelet kubernetes1.18-kubelet-common

- Remove %{?_smp_mflags} to make build more reliable [boo#1172744]
- Add reproducible-buildid.patch to make package build reproducible
- Update to version 1.18.3:
  * Move nfs-provisioner from quay.io/kubernetes_incubator to staging-csi
  * Use staging-csi to work around quay.io availability
  * Azure: support non-VMSS instances removal
  * deps: Use debian-base:v2.1.0 and debian-iptables:v12.1.0
  * build: Add build-image OWNERS to debian-{base,iptables} and pause dirs
  * count no nodes scheduling failure as unschedulable instead of error
  * kubeadm: fix flakes when performing etcd MemberAdd on slower setups
  * base-images: Update to kube-cross:v1.13.9-5
  * build: Alpha-sort dependencies.yaml
  * fix: azure disk dangling attach issue
  * kube-proxy: increase the session affinity timeout to ensure that the test passes in ipvs mode
  * cluster: ipvs conntrack module vs kernel version
  * allow k8s.io/kubernetes/third_party/forked/ipvs in e2e test framework import restrictions (transitive dep from pkg/kubemark)
  * add license headers for third_party/forked/ipvs
  * third_party/forked/ipvs: check the address family if the netlink address family attribute is not set
  * run hack/update-vendor.sh to remove github.com/docker/libnetwork
  * remove github.com/docker/libnetwork from go.mod
  * update pkg/util/ipvs to use third_party/forked/ipvs
  * move github.com/docker/libnetwork/ipvs to third_party/forked
  * fix backoff manager timer initialization race
  * fix: ACR auth fails in private azure clouds
  * Restore cache-control header filter
  * kube-scheduler: compatibility with ServerSideApply
  * bugfix: initcontainer wasn't considered when calculate resource request
  * fix: azure file csi migration failure
  * Fix flaws in Azure CSI translation
  * Revert "stop defaulting kubeconfig to http://localhost:8080"
  * Update CHANGELOG/CHANGELOG-1.18.md for v1.18.2
  * Fix Node initialization for GCP cloud provider
  * Simplify unregistration of csiplugin
  * Unregister csiplugin even if socket path is gone
  * Move PSP tests behind a feature tag
  * kube-openapi bump to release-1.18
  * Preserve int/float distinction when decoding raw values
  * Check Annotations map against nil for ConfigMapLock#Update()
  * Fix CSINodeInfo startup
  * Wait for APIServer 'ok' forever during CSINode initialization during Kubelet init
- Add ConditionPathExists=/var/lib/kubelet/config.yaml to kubelet.service [boo#1146372]

==== kustomize ====
Version update (3.5.4 -> 3.6.1)

- Update to version 3.6.1
- pin kustomize to cmd/kubectl_v0_1_0
- Refresh vendor.tar.xz

==== libgpg-error ====
Version update (1.37 -> 1.38)

- Update to 1.38:
  * New option parser features to implement system wide configuration files
  * New functions to build file names
  * New function to help reallocating arrays
  * Protect gpgrt_inc_errorcount against counter overflow
- drop needless autotools build dependencies that were added for gawk5.patch

==== libnftnl ====
Version update (1.1.6 -> 1.1.7)

- Update to release 1.1.7
  * udata: add NFTNL_UDATA_SET_DATA_INTERVAL

==== libseccomp ====
Version update (2.4.2 -> 2.4.3)

- Update to release 2.4.3
  * Add list of authorized release signatures to README.md
  * Fix multiplexing issue with s390/s390x shm* syscalls
  * Remove the static flag from libseccomp tools compilation
  * Add define for __SNR_ppoll
  * Fix potential memory leak identified by clang in the scmp_bpf_sim tool
- Drop no-static.diff, libseccomp-fix_aarch64-test.patch, SNR_ppoll.patch (merged)

==== libxml2 ====
Subpackages: libxml2-2 libxml2-tools

- Fix invalid xmlns references since the fix for CVE-2019-19956 [bsc#1172021]
- Revert upstream commit 5a02583c7e683896d84878bd90641d8d9b0d0549
  * Add patch libxml2-CVE-2019-19956.patch

==== multipath-tools ====
Version update (0.8.4+31+suse.8f53764 -> 0.8.4+43+suse.908383f)
Subpackages: kpartx libmpath0

- Update to version 0.8.4+43+suse.908383f:
  * enable negated regular expression syntax in conf file
  * change default devnode blacklist to '!^(sd[a-z]|dasd[a-z]|nvme[0-9])'
- Update to version 0.8.4+40+suse.b06c2e5a:
- Fix udev rule processing during coldplug (bsc#1172157)
  * 11-dm-mpath.rules: Fix udev rule processing during coldplug
- Fix compilation with gcc-10
  * fix boolean value with json-c 0.14
  * libmultipath: fix condlog NULL argument in uevent_get_env_var
- Reviewed upstream changes:
  * simplify failed_wwid code
  * centralize path validation code
- Use pkgconfig for BuildRequires

==== ncurses ====
Version update (6.2.20200502 -> 6.2.20200531)
Subpackages: libncurses6 ncurses-utils terminfo terminfo-base

- Add ncurses patch 20200531
  + correct configure version-check/warning for g++ to allow for 10.x
  + re-enable "bel" in konsole-base (report by Nia Huang)
  + add linux-s entry (patch by Alexandre Montaron).
  + drop long-obsolete convert_configure.pl
  + add test/test_parm.c, for checking tparm changes.
  + improve parameter-checking for tparm, adding function _nc_tiparm() to handle the most-used case, which accepts only numeric parameters (report/testcase by "puppet-meteor").
  + use a more conservative estimate of the buffer-size in lib_tparm.c's save_text() and save_number(), in case the sprintf() function passes-through unexpected characters from a format specifier (report/testcase by "puppet-meteor").
  + add a check for end-of-string in cvtchar to handle a malformed string in infotocap (report/testcase by "puppet-meteor").
- Add ncurses patch 20200523
  + update version-check for gnat to allow for gnat 10.x to 99.x
  + fix an uninitialized variable in lib_mouse.c changes (cf: 20200502)
  + add a check in EmitRange to guard against repeat_char emitting digits which could be interpreted as BSD-style padding when --enable-bsdpad is configured (report/patch by Hiltjo Posthuma).
  + add --disable-pkg-ldflags to suppress EXTRA_LDFLAGS from the generated pkg-config and ncurses*-config files, to simplify configuring in the case where rpath is used but the packager wants to hide the feature (report by Michael Stapelberg).
  > fixes for building with Visual Studio C++ and msys2 (patches by "Maarten Anonymous"):
    + modify CF_SHARED_OPTS to generate a script which translates linker options into Visual Studio's dialect.
    + omit parentheses around function-names in generated lib_gen.c to
- Add ncurses patch 20200516
  + add notes on termcap.h header in curs_termcap.3x
  + update notes on vscode / xterm.js -TD
- Add ncurses patch 20200509
  + add "-r" option to the dots test-programs, to help with scripting a performance comparison.
  + build-fix test/move_field.c for NetBSD curses, whose form headers use different names than SVr4 or ncurses.

==== nfs-utils ====
Subpackages: libnfsidmap1 nfs-client

- Remove README.NFSv4. It is outdated and not useful. All the configuration described is now done automatically. (bsc#1171448)

==== open-iscsi ====
Subpackages: iscsiuio libopeniscsiusr0_2_0

- Merged in latest upstream. Summary:
  * Let initiator name be created by iscsi-init.service.
  * iscsi: fix fd leak
  * iscsi: Add break to while loop
  * Fix compiler complaint about string copy in iscsiuio
  * Fix a compiler complaint about writing one byte
  * Fix issue with zero-length arrays at end of struct
  * Add iscsi-init.service
  * Proper disconnect of TCP connection
  * Fix SIGPIPE loop in signal handler
  * Update iscsi-iname.c
  * log:modify iSCSI shared memory permissions for logs
  * Ignore iface.example in iface match checks
  * More changes for musl.
  * Fix type mismatch under musl.
  * Change include of to
  * iscsi-iname: fix iscsi-iname -p access NULL pointer without given IQN prefix
  Note that the "Add iscsi-init.service" change adds a new systemd service called "iscsi-init", that creates the iSCSI initiator name file /etc/iscsi/initiatorname.iscsi, if and only if it does not exist. This obviates the need to do this from the SPEC file, now updated.
  Since this was not a version-number update, in addition to modifying the SPEC file, also updates:
  * open-iscsi-SUSE-latest.diff.bz2

==== openssh ====
Version update (8.1p1 -> 8.3p1)

- Version update to 8.3p1:
  = Potentially-incompatible changes
  * sftp(1): reject an argument of "-1" in the same way as ssh(1) and scp(1) do instead of accepting and silently ignoring it.
  = New features
  * sshd(8): make IgnoreRhosts a tri-state option: "yes" to ignore rhosts/shosts, "no" to allow rhosts/shosts or (new) "shosts-only" to allow .shosts files but not .rhosts.
  * sshd(8): allow the IgnoreRhosts directive to appear anywhere in a sshd_config, not just before any Match blocks.
  * ssh(1): add %TOKEN percent expansion for the LocalForward and RemoteForward keywords when used for Unix domain socket forwarding.
  * all: allow loading public keys from the unencrypted envelope of a private key file if no corresponding public key file is present.
  * ssh(1), sshd(8): prefer to use chacha20 from libcrypto where possible instead of the (slower) portable C implementation included in OpenSSH.
  * ssh-keygen(1): add ability to dump the contents of a binary key revocation list via "ssh-keygen -lQf /path".
- Additional changes from 8.2p1 release:
  = Potentially-incompatible changes
  * ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures (i.e. the client and server CASignatureAlgorithms option) and will use the rsa-sha2-512 signature algorithm by default when the ssh-keygen(1) CA signs new certificates.
  * ssh(1), sshd(8): this release removes diffie-hellman-group14-sha1 from the default key exchange proposal for both the client and server.
  * ssh-keygen(1): the command-line options related to the generation and screening of safe prime numbers used by the diffie-hellman-group-exchange-* key exchange algorithms have changed. Most options have been folded under the -O flag.
  * sshd(8): the sshd listener process title visible to ps(1) has changed to include information about the number of connections that are currently attempting authentication and the limits configured by MaxStartups.
  * ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). It needs to be installed in the expected path, typically under /usr/libexec or similar.
  = New features
  * This release adds support for FIDO/U2F hardware authenticators to OpenSSH. U2F/FIDO are open standards for inexpensive two-factor authentication hardware that are widely used for website authentication. In OpenSSH, FIDO devices are supported by new public key types "ecdsa-sk" and "ed25519-sk", along with corresponding certificate types.
  * sshd(8): add an Include sshd_config keyword that allows including additional configuration files via glob(3) patterns.
  * ssh(1)/sshd(8): make the LE (low effort) DSCP code point available via the IPQoS directive.
  * ssh(1): when AddKeysToAgent=yes is set and the key contains no comment, add the key to the agent with the key's path as the comment.
  * ssh-keygen(1), ssh-agent(1): expose PKCS#11 key labels and X.509 subjects as key comments, rather than simply listing the PKCS#11 provider library path.
  * ssh-keygen(1): allow PEM export of DSA and ECDSA keys.
  * ssh(1), sshd(8): make zlib compile-time optional, available via the Makefile.inc ZLIB flag on OpenBSD or via the --with-zlib configure option for OpenSSH portable.
  * sshd(8): when clients get denied by MaxStartups, send a notification prior to the SSH2 protocol banner according to RFC4253 section 4.2.
  * ssh(1), ssh-agent(1): when invoking the $SSH_ASKPASS prompt program, pass a hint to the program to describe the type of desired prompt. The possible values are "confirm" (indicating that a yes/no confirmation dialog with no text entry should be shown), "none" (to indicate an informational message only), or blank for the original ssh-askpass behaviour of requesting a password/phrase.
  * ssh(1): allow forwarding a different agent socket to the path specified by $SSH_AUTH_SOCK, by extending the existing ForwardAgent option to accept an explicit path or the name of an environment variable in addition to yes/no.
  * ssh-keygen(1): add a new signature operation "find-principals" to look up the principal associated with a signature from an allowed-signers file.
  * sshd(8): expose the number of currently-authenticating connections along with the MaxStartups limit in the process title visible to "ps".
- Rebased patches:
  * openssh-7.7p1-cavstest-ctr.patch
  * openssh-7.7p1-cavstest-kdf.patch
  * openssh-7.7p1-fips.patch
  * openssh-7.7p1-fips_checks.patch
  * openssh-7.7p1-ldap.patch
  * openssh-7.7p1-no_fork-no_pid_file.patch
  * openssh-7.7p1-sftp_print_diagnostic_messages.patch
  * openssh-8.0p1-gssapi-keyex.patch
  * openssh-8.1p1-audit.patch
  * openssh-8.1p1-seccomp-clock_nanosleep.patch
- Removed openssh-7.7p1-seed-prng.patch (bsc#1165158).

==== patterns-base ====
Subpackages: patterns-base-apparmor patterns-base-base patterns-base-bootloader patterns-base-minimal_base

- Suggest postfix from the basesystem pattern: suggested packages are not flagged for installation, but give the solver a hint. So in case something wants an MTA (smtp_daemon), openSUSE installs will all default to postfix (as the base pattern is generally installed). Users are still free to switch as they wish (boo#1136078).

==== perl ====
Subpackages: perl-base

- Fixes for %_libexecdir changing to /usr/libexec

==== permissions ====
Version update (1550_20200520 -> 1550_20200526)
Subpackages: chkstat permissions-config

- Update to version 20200526:
  * profiles: add entries for enlightenment (bsc#1171686)

==== purge-kernels-service ====

- Add split provides for upgrade from old dracut (boo#1168727).
==== python-rpm-macros ====
Version update (20200207.5feb6c1 -> 20200529.b301e36)

- Update to version 20200529.b301e36:
  * update-alternatives are quiet during install

==== python3 ====

- add requires python3-base on libpython subpackage (bsc#1167008)
- build against Sphinx 2.x until python is compatible with Sphinx 3.x (see gh#python/cpython#19397, bpo#40204)
- Fix build with SQLite 3.32 (bpo#40783)
  add bpo40784-Fix-sqlite3-deterministic-test.patch

==== python3-base ====
Subpackages: libpython3_8-1_0

- add requires python3-base on libpython subpackage (bsc#1167008)
- build against Sphinx 2.x until python is compatible with Sphinx 3.x (see gh#python/cpython#19397, bpo#40204)
- Fix build with SQLite 3.32 (bpo#40783)
  add bpo40784-Fix-sqlite3-deterministic-test.patch

==== shadow ====

- Use pure #!/bin/sh in:
  * useradd.local
  * userdel-post.local
  * userdel-pre.local

==== sqlite3 ====
Version update (3.31.1 -> 3.32.2)

- SQLite 3.32.2:
  * Fix a long-standing bug in the byte-code engine that can cause a COMMIT command to report success when in fact it failed to commit
- SQLite 3.32.1:
  * CVE-2020-13435: Malicious SQL statements could have crashed the process that is running SQLite (boo#1172091)
- SQLite 3.32.0:
  * Add support for approximate ANALYZE using the PRAGMA analysis_limit command
  * Add the bytecode virtual table
  * Add the checksum VFS shim to the set of run-time loadable extensions included in the source tree
  * Add the iif() SQL function.
  * INSERT and UPDATE statements now always apply column affinity before computing CHECK constraints
  * Increase the default upper bound on the number of parameters from 999 to 32766
  * Add code for the UINT collating sequence as an optional loadable extension
  * multiple enhancements to the CLI
- drop upstreamed patches:
  * 04885763c4cd00cb-s390-compatibility.patch
  * b20503aaf5b6595a-adapt-FTS-tests-for-big-endian.patch

==== sssd ====
Version update (2.2.3 -> 2.3.0)
Subpackages: libsss_certmap0 libsss_idmap0 libsss_nss_idmap0 sssd-krb5-common sssd-ldap

- Update to release 2.3.0
  * SSSD can now handle hosts and networks nsswitch databases (see resolve_provider option).
  * By default, an authentication request only refreshes the user's initgroups if it is expired or there is no active user session (see pam_initgroups_scheme option).
  * OpenSSL is used as default crypto provider, NSS is deprecated.
  * The AD provider now defaults to GSS-SPNEGO SASL mechanism (see ldap_sasl_mech option).
  * The AD provider can now be configured to use only ldaps port (see ad_use_ldaps option).
  * SSSD now accepts host entries from GPO's security filter.
  * New debug level (0x10000) added for low level LDB messages only (see sssd.conf man page).
- Drop sssd-gpo_host_security_filter-2.2.2.patch, 0001-Resolve-computer-lookup-failure-when-sam-cn.patch, 0001-AD-use-getaddrinfo-with-AI_CANONNAME-to-find-the-FQD.patch (merged)
- Drop 0001-Fix-build-failure-against-samba-4.12.0rc1.patch (inapplicable)

==== suse-module-tools ====
Version update (15.3.2 -> 15.3.3)

- Reverted back to tar_scm source service (obs_scm doesn't work well for Ring0 packages)
- Update to version 15.3.3:
  * spec: remove SLE/openSUSE difference in allow_unsupported_modules (jsc#SLE-12255)
  * spec: use same fs_blacklist on SLE and openSUSE (jsc#SLE-12255, jsc#SLE-3926)
  * spec: use br_netfilter softdep only for SLE12 (jsc#SLE-12255, bsc#1166531, boo#1158817, bsc#937216)

==== systemd ====
Subpackages: libsystemd0 libudev1 systemd-logger systemd-sysvinit udev

- Import commit a6d31d1a02c2718a064bbbc40d003668acf72769
  bb6e2f7906 pid1: update manager settings on reload too (bsc#1163109)
  e9e8907b06 watchdog: reduce watchdog pings in timeout interval
  385a8f9846 udev: rename the persistent link for ATA devices (bsc#1164538)
  66018a12ae tmpfiles: remove unnecessary assert (bsc#1171145)
- Disable bump of /proc/sys/fs/nr-open
  Hopefully a _temporary_ workaround until bsc#1165351 is fixed, otherwise user instances crash if the system is using NIS (and the nscd cache is empty).
==== timezone ====

- timezone modifies a file below /usr/share (boo#1172521)
- zdump --version reported "unknown" (boo#1172055)

==== util-linux ====
Subpackages: libblkid1 libfdisk1 libmount1 libsmartcols1 libuuid1

- Add patch to fix sfdisk not reading its own scripts:
  * libfdisk-script-accept-sector-size.patch
- Use %autopatch
- Fix verification of mount, su and umount (bsc#1166948)

==== util-linux-systemd ====

- Add patch to fix sfdisk not reading its own scripts:
  * libfdisk-script-accept-sector-size.patch
- Use %autopatch
- Fix verification of mount, su and umount (bsc#1166948)

==== weave ====
Version update (2.6.2 -> 2.6.4)

- Update to version 2.6.4
  - Improve the iptables rule to block just the Weave Net control port, and avoid blocking other uses of 127.0.0.1. #3811
- Update to version 2.6.3
  - Block non-local traffic to the Weave control port #3805
  - Tell Linux not to accept router advisory messages #3801
  - NPC: add a metric to show errors while operating #3804
  - NPC: don't treat named port as a fatal error #3790

==== yast2 ====
Version update (4.3.5 -> 4.3.6)

- Fix Xen detection (bsc#1172742).
- 4.3.6