Packages changed: aaa_base (84.87+git20200116.59482ba -> 84.87+git20200206.ed897a1) conmon (2.0.9 -> 2.0.10) dracut (049+git118.a6090e2f -> 049.1+git120.dbfbfcb8) fuse-overlayfs (0.7.5 -> 0.7.6) gcc9 (9.2.1+r280037 -> 9.2.1+git1022) gettext-runtime gmp gnutls (3.6.11.1 -> 3.6.12) health-checker (1.3 -> 1.3.1) hwdata (0.331 -> 0.332) kdump libsepol libtasn1 (4.15.0 -> 4.16.0) makedumpfile (1.6.6 -> 1.6.7) nano (4.6 -> 4.7) netcfg open-iscsi openldap2 (2.4.48 -> 2.4.49) openssl-1_1 python-setuptools (41.6.0 -> 44.0.0) rebootmgr shadow (4.8 -> 4.8.1) sqlite3 === Details === ==== aaa_base ==== Version update (84.87+git20200116.59482ba -> 84.87+git20200206.ed897a1) - Update to version 84.87+git20200206.ed897a1: * get_kernel_version: fix for current kernel on s390x (from azouhr) - Update to version 84.87+git20200206.8d74b0b: * Fix services entry in /etc/nsswitch.conf [bsc#1162916] - Make sure glibc is recent enough else nsswitch.conf update will fail - Adjust Requires/Requires(pre)/Requires(post) - Update to version 84.87+git20200128.8a17290: * Move chkconfig to insserv-compat, as most functionality isn't supported anymore since we have different solutions with systemd. * Remove /usr/bin/mkinfodir, not used anywhere anymore ==== conmon ==== Version update (2.0.9 -> 2.0.10) - Update to v2.0.10: - journal logging: write to /dev/null instead of -1 ==== dracut ==== Version update (049+git118.a6090e2f -> 049.1+git120.dbfbfcb8) Subpackages: dracut-ima - Update to version 049.1+git120.dbfbfcb8: * 95zfcp_rules/parse-zfcp.sh: remove rule existence check (bsc#1008352) - Update to version 049.1+git119.abf1a408: * 30convertfs: adopt for SUSE (boo#1158777) ==== fuse-overlayfs ==== Version update (0.7.5 -> 0.7.6) - Update to v0.7.6 - do not look in lower layers for the ino if there is no origin xattr set - attempt to use the file path if the operation on the fd fails with ENXIO ==== gcc9 ==== Version update (9.2.1+r280037 -> 9.2.1+git1022) Subpackages: libgcc_s1 libstdc++6 - Update to releases/gcc-9 head (83f65674e78d97d27537361de1a9d74067ff228d). * Includes fix for [gcc#92692] ==== gettext-runtime ==== Subpackages: libtextstyle0 - Don't disable openmp with qemu, the emulation works now ==== gmp ==== - Remove broken packaged libgmp.a just containing LTO bytecode. ==== gnutls ==== Version update (3.6.11.1 -> 3.6.12) - gnutls 3.6.12 * libgnutls: Introduced TLS session flag (gnutls_session_get_flags()) to identify sessions that client request OCSP status request (#829). * libgnutls: Added support for X448 key exchange (RFC 7748) and Ed448 signature algorithm (RFC 8032) under TLS (#86). * libgnutls: Added the default-priority-string option to system configuration; it allows overriding the compiled-in default-priority-string. * libgnutls: Added support for GOST CNT_IMIT ciphersuite (as defined by draft-smyshlyaev-tls12-gost-suites-07). By default this ciphersuite is disabled. It can be enabled by adding +GOST to priority string. In the future this priority string may enable other GOST ciphersuites as well. Note, that server will fail to negotiate GOST ciphersuites if TLS 1.3 is enabled both on a server and a client. It is recommended for now to disable TLS 1.3 in setups where GOST ciphersuites are enabled on GnuTLS-based servers. * libgnutls: added priority shortcuts for different GOST categories like CIPHER-GOST-ALL, MAC-GOST-ALL, KX-GOST-ALL, SIGN-GOST-ALL, GROUP-GOST-ALL. * libgnutls: Reject certificates with invalid time fields. That is we reject certificates with invalid characters in Time fields, or invalid time formatting To continue accepting the invalid form compile with --disable-strict-der-time * libgnutls: Reject certificates which contain duplicate extensions. We were previously printing warnings when printing such a certificate, but that is not always sufficient to flag such certificates as invalid. Instead we now refuse to import them (#887). * libgnutls: If a CA is found in the trusted list, check in addition to time validity, whether the algorithms comply to the expected level prior to accepting it. This addresses the problem of accepting CAs which would have been marked as insecure otherwise (#877). * libgnutls: The min-verification-profile from system configuration applies for all certificate verifications, not only under TLS. The configuration can be overriden using the GNUTLS_SYSTEM_PRIORITY_FILE environment variable. * libgnutls: The stapled OCSP certificate verification adheres to the convention used throughout the library of setting the 'GNUTLS_CERT_INVALID' flag. * libgnutls: On client side only send OCSP staples if they have been requested by the server, and on server side always advertise that we support OCSP stapling * libgnutls: Introduced the gnutls_ocsp_req_const_t which is compatible with gnutls_ocsp_req_t but const. * certtool: Added the --verify-profile option to set a certificate verification profile. Use '--verify-profile low' for certificate verification to apply the 'NORMAL' verification profile. * certtool: The add_extension template option is considered even when generating a certificate from a certificate request. ==== health-checker ==== Version update (1.3 -> 1.3.1) Subpackages: health-checker-plugins-MicroOS - Update to version 1.3.1 * Support multiple menuentries in GRUB configuration [gh#kubic-project/health-checker#5] ==== hwdata ==== Version update (0.331 -> 0.332) - Update to version 0.322: * Updated pci, usb and vendor ids. ==== kdump ==== - kdump-activate-udev-rules-late-during-boot.patch: Activate kdump udev rules late during boot (bsc#1154837) ==== libsepol ==== - Add fnocommon.patch to prevent build failures on gcc10 and remove_cil_mem_error_handler.patch to prevent build failures due to leftovers from the removal of cil_mem_error_handler (bsc#1160874) ==== libtasn1 ==== Version update (4.15.0 -> 4.16.0) Subpackages: libtasn1-6 - libtasn1 4.16.0: * asn1_decode_simple_ber: added support for constructed definite octet strings * asn1_get_object_id_der: enhance the range of decoded OIDs * asn1_object_id_der: New function ==== makedumpfile ==== Version update (1.6.6 -> 1.6.7) - makedumpfile-PN_XNUM.patch: Define PN_XNUM if missing. - Update to version 1.6.7: + Makefile: remove -lebl from LIBS when no libebl.a. + Fix compilation warnings on 32-bit system. + Support newer kernels up to v5.4. - Drop makedumpfile-Increase-SECTION_MAP_LAST_BIT-to-4.patch: fixed upstream. - Drop libebl-devel BuildRequires: ebl is being absorbed by libdw. ==== nano ==== Version update (4.6 -> 4.7) - update to 4.7: * A will indent a marked region only when mark/cursor diff * Two indentations are considered the same when they look the same * When using ^J, a line will nver be broken in leading whitespace ==== netcfg ==== - Require libnss_usrfiles2 for /usr/etc [bnc#1162666] ==== open-iscsi ==== Subpackages: iscsiuio libopeniscsiusr0_2_0 - Bug fixes, including addig support for "-fno-common" compiler option, 586 bug fixes, a bug fix for SHA1 handling, and other needed but small fixes (bsc#1160287), updating: * open-iscsi-SUSE-latest.diff.bz2 ==== openldap2 ==== Version update (2.4.48 -> 2.4.49) - updated to 2.4.49 - removed obsolete back-port patches: * 0013_openldap-its9124_fix_crash_with_cancel_exop.patch - removed obsolete source file DB_CONFIG OpenLDAP 2.4.49 Release (2020/01/30) Added slapd-monitor database entry count for slapd-mdb (ITS#9154) Fixed client tools to not add controls on cancel/abandon (ITS#9145) Fixed client tools SyncInfo message to be LDIF compliant (ITS#8116) Fixed libldap to correctly free sb (ITS#9081, ITS#8755) Fixed libldap descriptor leak if ldaps fails (ITS#9147) Fixed libldap remove unnecessary global mutex for GnuTLS (ITS#9069) Fixed slapd syntax evaluation of preferredDeliveryMethod (ITS#9067) Fixed slapd to relax domainScope control check (ITS#9100) Fixed slapd to have cleaner error handling during connection setup (ITS#9112) Fixed slapd data check when processing cancel exop (ITS#9124) Fixed slapd attribute description processing (ITS#9128) Fixed slapd-ldap to set oldctrls correctly (ITS#9076) Fixed slapd-mdb to honor unchecked limit with alias deref (ITS#7657) Fixed slapd-mdb missing final commit with slapindex (ITS#9095) Fixed slapd-mdb drop attr mappings added in an aborted txn (ITS#9091) Fixed slapd-mdb nosync FLAG configuration handling (ITS#9150) Fixed slapd-monitor global operation counter reporting (ITS#9119) Fixed slapo-ppolicy when used with slapauth (ITS#8629) Fixed slapo-ppolicy to add a missed normalised copy of pwdChangedTime (ITS#9126) Fixed slapo-syncprov fix sessionlog init (ITS#9146) Fixed slapo-unique loop termination (ITS#9077) Build Environment Fix mkdep to honor TMPDIR if set (ITS#9062) Remove ICU library detection (ITS#9144) Update config.guess and config.sub to support newer architectures (ITS#7855) Disable ITS8521 regression test as it is no longer valid (ITS#9015) Documentation admin24 - Fix inconsistent whitespace in replication section (ITS#9153) slapd-config(5)/slapd.conf(5) - Fix missing bold tag for keyword (ITS#9063) slapd-ldap(5) - Document "tls none" option (ITS#9071) slapo-ppolicy(5) - Correctly document pwdGraceAuthnLimit (ITS#9065) ==== openssl-1_1 ==== Subpackages: libopenssl1_1 - Support for CPACF enhancements - part 2 (crypto) [jsc#SLE-7575] - Add patches: * openssl-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-and-Ed448.patch * openssl-s390x-fix-x448-and-x448-test-vector-ctime-for-x25519-and-x448.patch - Temporarily ignore broken OPENSSL_INIT_NO_ATEXIT due to our layered FIPS initialization (bsc#1161789) * openssl-fips-ignore_broken_atexit_test.patch - Import FIPS patches from SLE-15 * openssl-fips-dont_run_FIPS_module_installed.patch * openssl-fips_mode.patch * openssl-ship_fips_standalone_hmac.patch * openssl-fips-clearerror.patch * openssl-fips-selftests_in_nonfips_mode.patch - Don't run FIPS power-up self-tests when the checksum files aren't installed (bsc#1042392) * add openssl-fips-run_selftests_only_when_module_is_complete.patch - Import FIPS patches from Fedora (bsc#1157702, jsc#SLE-9553) * openssl-1.1.1-fips-crng-test.patch * openssl-1.1.1-fips-post-rand.patch * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch * openssl-1.1.1-ssh-kdf.patch replaces openssl-jsc-SLE-8789-backport_KDF.patch - keep EVP_KDF functions at version 1.1.1d for backward compatibility * add openssl-keep_EVP_KDF_functions_version.patch - Support for CPACF enhancements - part 1 (crypto) [bsc#1152695, jsc#SLE-7861] - Add patches: * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch * openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch * openssl-s390x-assembly-pack-update-OPENSSL_s390xcap-3.patch * openssl-s390xcpuid.pl-fix-comment.patch * openssl-assembly-pack-accelerate-scalar-multiplication.patch * openssl-Enable-curve-spefific-ECDSA-implementations-via-EC_M.patch * openssl-s390x-assembly-pack-accelerate-ECDSA.patch * openssl-OPENSSL_s390xcap.pod-list-msa9-facility-bit-155.patch * openssl-s390x-assembly-pack-cleanse-only-sensitive-fields.patch * openssl-s390x-assembly-pack-fix-OPENSSL_s390xcap-z15-cpu-mas.patch * openssl-s390x-assembly-pack-fix-msa3-stfle-bit-detection.patch * openssl-Fix-9bf682f-which-broke-nistp224_method.patch ==== python-setuptools ==== Version update (41.6.0 -> 44.0.0) - update to 44.0.0 - last version with python2 support - add testdata.tar.gz -> missing data for testsuite * Drop support for Python 3.4. * include pyproject.toml in source distribution by default. Projects relying on the previous behavior where pyproject.toml * Setuptools once again declares 'setuptools' in the build-system.requires and adds PEP 517 build support by declaring itself as the build-backend * Fix support for easy_install's find-links option in setup.cfg * Build dependencies (setup_requires and tests_require) now install transitive dependencies indicated by extras. * Mark the easy_install script and setuptools command as deprecated, and use pip when available to fetch/build wheels for missing setup_requires/tests_require requirements, with the following differences in behavior: + support for python_requires + better support for wheels (proper handling of priority with respect to PEP 425 tags) + PEP 517/518 support + eggs are not supported + no support for the allow_hosts easy_install option (index_url/find_links are still honored) + pip environment variables are honored (and take precedence over easy_install options) * Removed the "upload" and "register" commands in favor of twine. * Add support for the license_files option in setup.cfg to automatically include multiple license files in a source distribution. * Update handling of wheels compatibility tags: * add support for manylinux2010 * fix use of removed 'm' ABI flag in Python 3.8 on Windows * Fix empty namespace package installation from wheel. * Setuptools now exposes a new entry point hook "setuptools.finalize_distribution_options", enabling plugins like setuptools_scm to configure options on the distribution at finalization time. ==== rebootmgr ==== - Disable ectd support (no current etcd C-library available) ==== shadow ==== Version update (4.8 -> 4.8.1) - Update to 4.8.1: * selinux: include stdio * man: don't suggest making groupmems user-writeable * Makefile: bail out on error in for loops * Adding logging of SSH_ORIGINAL_COMMAND to nologin * add new HOME_MODE login.defs option * Add tty logging to useradd * Useradd: make non-executable shell check only a warning * Update Dutch translation * user_busy: Do not mistake a regular user process for a namespaced one * Revert "Honor --sbindir and --bindir for binary installation" - Remove shadow-4.8-shell-check.patch: included - Remove shadow-4.8-selinux-include.patch: upstreamed ==== sqlite3 ==== - Fix a regression on ppc64be and s390x, found by the fuzzing tests, add 04885763c4cd00cb-s390-compatibility.patch. - Adapt some FTS tests to work on big endian archs: b20503aaf5b6595a-adapt-FTS-tests-for-big-endian.patch