Packages changed:
  apparmor
  branding-openSUSE
  cri-o (1.18.2 -> 1.18.3)
  grub2
  haproxy (2.2.0+git0.3a00c915f -> 2.2.1+git0.0ef71a557)
  ima-evm-utils (1.2.1 -> 1.3)
  libedit
  patterns-base
  patterns-microos
  perl-Bootloader (0.929 -> 0.931)
  python-rpm-macros (20200701.9f5a2f6 -> 20200714.252de1f)
  python38-core (3.8.3 -> 3.8.4)
  raspberrypi-firmware-dt
  read-only-root-fs
  sudo (1.9.1 -> 1.9.2)
  sysconfig (0.85.4 -> 0.85.5)
  yast2 (4.3.15 -> 4.3.17)

=== Details ===

==== apparmor ====
Subpackages: apparmor-abstractions apparmor-parser apparmor-profiles apparmor-utils perl-apparmor python3-apparmor

- add abstractions-X-xauth-mr582.diff to allow reading the xauth file from its new sddm location (boo#1174290, boo#1174293)

==== branding-openSUSE ====
Subpackages: grub2-branding-openSUSE

- Stop building grub2-branding-openSUSE for Power architectures [boo#1171146]

==== cri-o ====
Version update (1.18.2 -> 1.18.3)
Subpackages: cri-o-kubeadm-criconfig

- Update to version 1.18.3:
  - Fix a bug where a sudden reboot causes incomplete image writes. This could cause image storage to be corrupted, resulting in an error layer not known.
  - Fixed bug where pod names would sometimes leak on creation, causing the kubelet to fail to recreate
  - If conmon is v2.0.19 or greater, ExecSync requests will not double fork, causing systemd to have fewer conmons re-parented to it

==== grub2 ====
Subpackages: grub2-arm64-efi grub2-snapper-plugin

- No 95_textmode for PowerPC (boo#1174166)

==== haproxy ====
Version update (2.2.0+git0.3a00c915f -> 2.2.1+git0.0ef71a557)

- Update to version 2.2.1+git0.0ef71a557:
  * [RELEASE] Released version 2.2.1
  * BUG/MEDIUM: http-ana: Only set CF_EXPECT_MORE flag on data filtering
  * BUG/MEDIUM: stream-int: Don't set MSG_MORE flag if no more data are expected
  * BUG/MINOR: htx: add two missing HTX_FL_EOI and remove an unexpected one
  * MEDIUM: htx: Add a flag on a HTX message when no more data are expected
  * BUG/MEDIUM: dns: Release answer items when a DNS resolution is freed
  * BUG/MAJOR: dns: Make the do-resolve action thread-safe
  * BUG/MAJOR: tasks: don't requeue global tasks into the local queue
  * BUG/MEDIUM: resolve: fix init resolving for ring and peers section.
  * BUG/MEDIUM: arg: empty args list must be dropped
  * DOC: ssl: req_ssl_sni needs implicit TLS
  * BUILD: config: fix again bugs gcc warnings on calloc
  * BUG/MAJOR: tasks: make sure to always lock the shared wait queue if needed
  * BUILD: config: address build warning on raspbian+rpi4
  * BUG/MEDIUM: channel: Be aware of SHUTW_NOW flag when output data are peeked
  * BUG/MEDIUM: server: fix possibly uninitialized state file on close
  * BUG/MEDIUM: server: resolve state file handle leak on reload
  * BUG/MEDIUM: fcgi-app: fix memory leak in fcgi_flt_http_headers
  * BUG/MEDIUM: log: issue mixing sampled to not sampled log servers.
  * BUG/MINOR: mux-fcgi: Set flags on the right stream field for empty FCGI_STDOUT
  * BUG/MINOR: mux-fcgi: Set conn state to RECORD_P when skipping the record padding
  * BUG/MINOR: mux-fcgi: Handle empty STDERR record
  * BUG/MEDIUM: mux-h1: Continue to process request when switching in tunnel mode
  * BUG/MEDIUM: mux-fcgi: Don't add private connections in available connection list
  * BUG/MEDIUM: mux-h2: Don't add private connections in available connection list
  * CONTRIB: da: fix memory leak in dummy function da_atlas_open()
  * BUG/MEDIUM: lists: add missing store barrier in MT_LIST_ADD/MT_LIST_ADDQ
  * BUG/MEDIUM: lists: add missing store barrier on MT_LIST_BEHEAD()
  * BUG/MINOR: sample: Free str.area in smp_check_const_meth
  * BUG/MINOR: sample: Free str.area in smp_check_const_bool

==== ima-evm-utils ====
Version update (1.2.1 -> 1.3)

- Use %autosetup -p1
- Remove suse_version check for tpm2-0-tss-devel as the package is available for back as far as SLE 12 SP2 and respective openSUSE versions (also check was wrong, should have been 1500).
- Fixes from previous SR (reported by fvogt):
  * Move ibmtss runtime dependency to evmctl package
  * Remove dependencies to devel package (should not be needed)
- Update to version 1.3
  version 1.3 new features:
  * NEW ima-evm-utils regression test infrastructure with two initial tests:
    - ima_hash.test: calculate/verify different crypto hash algorithms
    - sign_verify.test: EVM and IMA sign/verify signature tests
  * TPM 2.0 support
    - Calculate the new per TPM 2.0 bank template data digest
    - Support original padding the SHA1 template data digest
    - Compare ALL the re-calculated TPM 2.0 bank PCRs against the TPM 2.0 bank PCR values
    - Calculate the per TPM bank "boot_aggregate" values, including PCRs 8 & 9 in calculation
    - Support reading the per TPM 2.0 Bank PCRs using Intel's TSS
    - boot_aggregate.test: compare the calculated "boot_aggregate" values with the "boot_aggregate" value included in the IMA measurement.
  * TPM 1.2 support
    - Additionally support reading the TPM 1.2 PCRs from a supplied file ("--pcrs" option)
  * Based on original IMA LTP and standalone version support
    - Calculate the TPM 1.2 "boot_aggregate" based on the exported TPM 1.2 BIOS event log.
    - In addition to verifying the IMA measurement list against the TPM PCRs, verify the IMA template data digest against the template data. (Based on LTP "--verify" option.)
    - Ignore file measurement violations while verifying the IMA measurement list. (Based on LTP "--validate" option.)
    - Verify the file data signature included in the measurement list based on the file hash also included in the measurement list (--verify-sig)
    - Support original "ima" template (mixed templates not supported)
  * Support "sm3" crypto name
  Bug fixes and code cleanup:
  * Don't exit with -1 on failure, exit with 125
  * On signature verification failure, include pathname.
  * Provide minimal hash_info.h file in case one doesn't exist, needed by the ima-evm-utils regression tests.
  * On systems with TPM 1.2, skip "boot_aggregate.test" using sample logs
  * Fix hash_algo type comparison mismatch
  * Simplify/clean up code
  * Address compiler complaints and failures
  * Fix memory allocations and leaks
  * Sanity check provided input files are regular files
  * Revert making "tsspcrread" a compile build time decision.
  * Limit additional messages based on log level (-v)
- Add patch 0001-pcr_tss-Fix-compilation-for-old-compilers.patch
- Upstream bumped soname to 2.0.0
- Add tpm2-0-tss-devel for Tumbleweed as build dependency, for the rest ibmtss as runtime dependency (needed for reading PCR in ima_boot_aggregate cmd; better to use libtss2-esys and libtss2-rc than require tsspcrread binary in runtime, but tpm2-0-tss-devel is available only for Tumbleweed) + the same logic as runtime dependency for devel package
- Mark COPYING as %license

==== libedit ====

- autoreconf already runs libtoolize no need to run twice

==== patterns-base ====
Subpackages: patterns-base-apparmor patterns-base-base patterns-base-bootloader patterns-base-minimal_base

- Move pam_pwquality to Recommends section, as it is not required and user should be able to de-install the full pwquality stack.
- Stop trying to install grub2-branding on ppc64/ppc64le [boo#1171146]

==== patterns-microos ====
Subpackages: patterns-microos-alt_onlyDVD patterns-microos-apparmor patterns-microos-base patterns-microos-basesystem patterns-microos-cloud patterns-microos-defaults patterns-microos-hardware patterns-microos-ima_evm patterns-microos-onlyDVD patterns-microos-selinux patterns-microos-sssd_ldap

- Re-add kernel-firmware back to the DVDs [bsc#1174521]

==== perl-Bootloader ====
Version update (0.929 -> 0.931)

- merge gh#openSUSE/perl-bootloader#129
- Check tpm.mod in the new grub2 directory (bsc#1174320)
- 0.931
- merge gh#openSUSE/perl-bootloader#130
- Throw less warnings about fstab
- 0.930

==== python-rpm-macros ====
Version update (20200701.9f5a2f6 -> 20200714.252de1f)

- Update to version 20200714.252de1f:
  * Add pyunittest and pyunittest_arch macros

==== python38-core ====
Version update (3.8.3 -> 3.8.4)

- Minor spec file fixes
- Fix minor issues found in the staging.
- Update to 3.8.4:
  - Assignment expressions (PEP-572)
  - Positional-only parameters (PEP-570)
  - Parallel filesystem cache for compiled bytecode files (PYTHONPYCACHEPREFIX variable)
  - Debug build uses the same ABI as release build
  - f-strings support = for self-documenting expressions and debugging
  - Python Runtime Audit Hooks (PEP-578)
  - Python Initialization Configuration (PEP-587)
  - Vectorcall: a fast calling protocol for CPython (PEP-590)
  - Pickle protocol 5 with out-of-band data buffers (PEP-574)
  - Many other smaller bug fixes
- Removed OBS_dev-shm.patch: contained in upstream
- Removed bpo40784-Fix-sqlite3-deterministic-test.patch: contained in upstream
- Changed bpo-31046_ensurepip_honours_prefix.patch: to be compatible with new version
- Fix %py3_compile being incorrectly defined
- Update pre_checkin.sh and regenerate
- Convert few dependencies to their pkgconfig counterparts
- Remove release requirement on libpython, it is not really needed to be equal as the abi changes with versions
- Add provides python3-bla on all the subpkgs in case we are primary provider of the functionality
- Remove unversioned files from devel subpkg too
- Remove main python3 files from -base based whether we are primary interpreter or not
- Fix idle to be co-installable
- Add condition to be primary to provide/obsolete python3-*
- Fix doc to build in versioned folder so the pythons can be installed next to each other
- Revert the full versioning of calls on the macros. These are generic so they should really just call python3 X
- For the doc package we can build with generic flavor, we don't need the our-interpreter based one
- Add provides for python3X-typing/etc to allow BR on those still to work when needed
- Change macros.python3 to use full versioned 3.8 instead of just 3 for python interpreter

==== raspberrypi-firmware-dt ====

- Add vl805-firware-loader-overlay.dts which registers a reset controller that'll take care of triggering vl805's firmware load.

==== read-only-root-fs ====

- Use file requires, add sed

==== sudo ====
Version update (1.9.1 -> 1.9.2)

- Update to 1.9.2:
  * The configure script now uses pkg-config to find the openssl cflags and libs where possible.
  * The contents of the log.json I/O log file is now documented in the sudoers manual.
  * The sudoers plugin now properly exports the sudoers_audit symbol on systems where the compiler lacks symbol visibility controls. This caused a regression in 1.9.1 where a successful sudo command was not logged due to the missing audit plugin. Bug #931.
  * Fixed a regression introduced in 1.9.1 that can result in crash when there is a syntax error in the sudoers file. Bug #934.
- Rebase sudo-sudoers.patch

==== sysconfig ====
Version update (0.85.4 -> 0.85.5)
Subpackages: sysconfig-netconfig

- version 0.85.5
- spec: Fix Requires, use file requires (https://github.com/openSUSE/sysconfig/pull/25)
- ntp: call chrony helper in background (bsc#1173391)

==== yast2 ====
Version update (4.3.15 -> 4.3.17)

- Provide a way to determine which resources (zones, services...) have been modified from the default values (bsc#1171356)
- 4.3.17
- update is_wsl function to match wsl1 and wsl2 osrelease spellings (boo#1174183)
- Add Layout class to configure a Wizard layout.
- Related to jsc#PM-1998.
- 4.3.16