Packages changed:
  apparmor
  cockpit-podman (25 -> 26)
  dmidecode
  gettext-runtime
  libfido2 (1.5.0 -> 1.6.0)
  ncurses (6.2.20210109 -> 6.2.20210116)
  oath-toolkit (2.6.5 -> 2.6.6)
  openssh
  python-pyserial (3.4 -> 3.5)
  python-setuptools
  raspberrypi-firmware (2021.01.15 -> 2021.01.21)
  raspberrypi-firmware-config (2021.01.15 -> 2021.01.21)
  raspberrypi-firmware-dt
  rdma-core
  sudo (1.9.5p1 -> 1.9.5p2)
  system-users
  sysuser-tools
  xfsprogs (5.9.0 -> 5.10.0)

=== Details ===

==== apparmor ====
Subpackages: apparmor-abstractions apparmor-parser apparmor-profiles apparmor-utils python3-apparmor

- add apache-extra-profile-include-if-exists.diff: make include in
  apache extra profile optional to avoid problems with empty profile
  directory (boo#1178527)

==== cockpit-podman ====
Version update (25 -> 26)

- new version 26
  https://github.com/cockpit-project/cockpit-podman/releases/tag/26

==== dmidecode ====

2 recommended fixes from upstream:
- dmidecode-fix-the-condition-error-in-ascii_filter.patch:
  dmidecode: Fix the condition error in ascii_filter.
- dmidecode-fix-crash-with-u-option.patch:
  dmidecode: Fix crash with -u option.

==== gettext-runtime ====
Subpackages: libtextstyle0

- fixup libtextstyle autofoo with adding
  use-acinit-for-libtextstyle.patch

==== libfido2 ====
Version update (1.5.0 -> 1.6.0)
Subpackages: libfido2-1 libfido2-udev

- Update to version 1.6.0:
  * Fix OpenSSL 1.0 and Cygwin builds.
  * hid_linux: fix build on 32-bit systems.
  * hid_osx: allow reads from spawned threads.
  * Documentation and reliability fixes.
  * New API calls:
    + fido_cred_authdata_raw_len;
    + fido_cred_authdata_raw_ptr;
    + fido_cred_sigcount;
    + fido_dev_get_uv_retry_count;
    + fido_dev_supports_credman.
  * Hardened Windows build.
  * Native FreeBSD and NetBSD support.
  * Use CTAP2 canonical CBOR when combining hmac-secret and credProtect.
- Drop 7a17a4e9127fb6df6278f19396760e7d60a5862c.patch
- Do not build examples as their build fails

==== ncurses ====
Version update (6.2.20210109 -> 6.2.20210116)
Subpackages: libncurses6 ncurses-utils terminfo-base

- Don't skip test for qemu builds
- Add ncurses patch 20210116
  + add comment for linux2.6 regarding CONFIG_CONSOLE_TRANSLATIONS
    (report by Patrick McDermott) -TD
  + make opts extension for getcchar work as documented for ncurses 6.1,
    adding "-g" flag to test/demo_new_pair to illustrate.

==== oath-toolkit ====
Version update (2.6.5 -> 2.6.6)
Subpackages: liboath0 oath-toolkit-xml

- Update to version 2.6.6
  * oathtool: Support for reading KEY and OTP from standard input or
    filename. KEY and OTP may now be given as '-' to mean stdin, or
    @FILE to read from a particular file. This is recommended on
    multi-user systems, since secrets as command line parameters leak.
  * pam_oath: Fix unlikely logic fail on out of memory conditions.

==== openssh ====
Subpackages: openssh-clients openssh-common openssh-server

- Add openssh-fix-ssh-copy-id.patch, which fixes breakage introduced
  in 8.4p1 (bsc#1181311).
- Improve robustness of sshd init detection when upgrading from a
  pre-systemd distribution.
- Add openssh-reenable-dh-group14-sha1-default.patch, which adds
  diffie-hellman-group14-sha1 key exchange back to the default list
  (bsc#1180958). This is needed for backwards compatibility with
  older platforms.
- Make sure sshd is enabled correctly when upgrading from a
  pre-systemd distribution (bsc#1180083).

==== python-pyserial ====
Version update (3.4 -> 3.5)

- update to version 3.5:
  New Features:
    [#411] Add a backend for Silicon Labs CP2110/4 HID-to-UART bridge.
      (depends on hid module)
  Improvements:
    [#315] Use absolute import everywhere
    [#354] Make ListPortInfo hashable
    [#372] threaded: "write" returns byte count
    [#400] Add bytesize and stopbits argument parser to tcp_serial_redirect
    [#408] loop: add out_waiting
    [#495] list_ports_linux: Correct "interface" property on Linux hosts
    [#500] Remove Python 3.2 and 3.3 from test
    [#261, #285, #296, #320, #333, #342, #356, #358, #389, #397, #510] doc updates
    miniterm: add CTRL+T Q as alternative to exit
    miniterm: suspend function key changed to CTRL-T Z
    add command line tool entries pyserial-miniterm (replaces miniterm.py)
      and pyserial-ports (runs serial.tools.list_ports).
    python -m serial opens miniterm (use w/o args and it will print port
      list too) [experimental]
  Bugfixes:
    [#371] Don't open port if self.port is not set while entering context manager
    [#437, #502] refactor: raise new instances for PortNotOpenError and
      SerialTimeoutException
    [#261, #263] list_ports: set default name attribute
    [#286] fix: compare only of the same type in list_ports_common.ListPortInfo
    rfc2217/close(): fix race-condition
    [#305] return b'' when connection closes on rfc2217 connection
    [#386] rfc2217/close(): fix race condition
    Fixed flush_input_buffer() for situations where the remote end has
      closed the socket.
    [#441] reset_input_buffer() can hang on sockets
    examples: port_publisher python 3 fixes
    [#324] miniterm: Fix miniterm constructor exit_character and menu_character
    [#326] miniterm: use exclusive access for native serial ports by default
    [#497] miniterm: fix double use of CTRL-T + s use z for suspend instead
    [#443, #444] examples: refactor wx example, use Bind to avoid
      deprecated warnings, IsChecked, unichr
    [#265] posix: fix PosixPollSerial with timeout=None and add cancel support
    [#290] option for low latency mode on linux
    [#335] Add support to xr-usb-serial ports
    [#494] posix: Don't catch the SerialException we just raised
    [#519] posix: Fix custom baud rate to not temporarily set 38400 baud
      rates on linux
    [#509 #518] list_ports: use hardcoded path to library on osx
    [#542] list_ports_osx: kIOMasterPortDefault no longer exported on Big Sur
    [#545, #545] list_ports_osx: getting USB info on BigSur/AppleSilicon

==== python-setuptools ====

- We cannot remove vendored packages when generating setuptools wheel
  (bsc#1177127).

==== raspberrypi-firmware ====
Version update (2021.01.15 -> 2021.01.21)

- Update to 051e5e1be8 (2021-01-21) (jsc#SLE-16616):
  * firmware: Export bootloader config via device-tree
  * firmware: ISP: Colour denoise
  * firmware: platform: Define DVFS modes and change default to be
    fixed AVS voltage
  * firmware: arm_loader: Auto-select 64-bit for kernel8.img
  * firmware: hdmi: Throttle auto-i2c register writes to avoid PWM
    audio underrun

==== raspberrypi-firmware-config ====
Version update (2021.01.15 -> 2021.01.21)

- Update to 051e5e1be8 (2021-01-21) (jsc#SLE-16616):
  * firmware: Export bootloader config via device-tree
  * firmware: ISP: Colour denoise
  * firmware: platform: Define DVFS modes and change default to be
    fixed AVS voltage
  * firmware: arm_loader: Auto-select 64-bit for kernel8.img
  * firmware: hdmi: Throttle auto-i2c register writes to avoid PWM
    audio underrun

==== raspberrypi-firmware-dt ====

- Introduce upstream-blconfig-rmem.patch for firmware to be able to
  define firmware's configuration reserved memory (jsc#SLE-16616)

==== rdma-core ====
Subpackages: libefa1 libibverbs libibverbs1 libmlx4-1 libmlx5-1 librdmacm1

- Add srp_daemon-Fix-systemd-dependency.patch to make sure srp_daemon
  is loaded at boot if enabled (bsc#1180196)

==== sudo ====
Version update (1.9.5p1 -> 1.9.5p2)

- Update to 1.9.5.p2
  * When invoked as sudoedit, the same set of command line options are
    now accepted as for sudo -e. The -H and -P options are now rejected
    for sudoedit and sudo -e which matches the sudo 1.7 behavior. This
    is part of the fix for CVE-2021-3156.
  * Fixed a potential buffer overflow when unescaping backslashes in
    the command's arguments. Normally, sudo escapes special characters
    when running a command via a shell (sudo -s or sudo -i). However,
    it was also possible to run sudoedit with the -s or -i flags in
    which case no escaping had actually been done, making a buffer
    overflow possible. This fixes CVE-2021-3156.
    (bsc#1181090)
  * Fixed sudo's setprogname(3) emulation on systems that don't
    provide it.
  * Fixed a problem with the sudoers log server client where a partial
    write to the server could result in the sudo process consuming large
    amounts of CPU time due to a cycle in the buffer queue. Bug #954.
  * Added a missing dependency on libsudo_util in libsudo_eventlog.
    Fixes a link error when building sudo statically.
  * The user's KRB5CCNAME environment variable is now preserved when
    performing PAM authentication. This fixes GSSAPI authentication
    when the user has a non-default ccache.

==== system-users ====
Subpackages: system-group-hardware system-group-kvm system-user-nobody

- Add system-user-vscan subpackage with vscan user and group and
  /var/spool/amavis as home directory
- Remove kvm group from hardware subpackage, since kvm is in its own
  subpackage (jsc#SLE-11629).
- Add qemu user to kvm group
- Add system account and groups for kvm, qemu, and libvirt
  (jsc#SLE-11629)
  New files: system-group-kvm.conf, system-group-libvirt.conf,
  system-user-qemu.conf
- Don't add group nogroup to user nobody, as many daemons misuse
  'nogroup' as own group
- Use test -x instead of -f
- Call usermod only if installed
- Align /var/lib/tss permissions with trousers (boo#1162360).
- Add tss user for TPM tools (boo#1162360).
- Remove s390 groups again. The s390-tools maintainer wants to add
  groups in s390-tools manually.
- Add system-user-tftp subpackage with tftp user and group and
  /srv/tftpboot as home directory [bsc#1143454].
- Add cpacfstats, ts-shell, and zkeyadm groups for s390-tools
  (bsc#1123730)
- Add "render" group in system-group-hardware (bsc#1085847)
  "uaccess" tag has been dropped from /dev/dri/renderD* and these
  devices now have 0666 permissions by default is owned by the render
  group.
- Change home directory of user man to /var/lib/empty. Home
  directories below /var/cache are by definition insecure and a bad
  idea.
- uuidd does not need group daemon, Copy&Paste error.
- udev needs groups kvm and lp: [bsc#1058703]
  - Add group kvm to system-group-hardware
  - Move group lp from system-user-lp to system-group-hardware
- Add system-user-uuidd.conf (boo#1057937#c3).
- user nobody: move usermod to %post, else it will be executed before
  the user is created.
- Drop pkgconfig(systemd) BuildRequires: we no longer depend on
  systemd-sysusers, but converted to shadow toolset.
- Move group trusted into system-user-root package [bsc#1044014]
- Move system-user-root into own package
- Fix syntax of groups in system-user-root.conf
- Add utmp to system-group-hardware.conf like systemd has
- Create new system-user-root sub-package creating passwd, group and
  shadow files with root user.
- BuildRequire pkgconfig(systemd) instead of systemd: this allows OBS
  to pick systemd-mini, which is still good enough. And ultimately it
  helps us break a build cycle (system-users - libssh2_org - curl -
  systemd - system-users).
- BuildIgnore group(lock) and group(daemon) for ourselves, needed for
  bootstrap.
- /bin/bash is needed as shell for user nobody
- Add upsd for UPS daemon packages.
- Prerequire group lock for uucp
- Allow user uucp to do locking
- Fix group ownership of /var/lib/wwwrun
- Add group sys to system-group-obsolete
- Add systemusers lp and nobody
- Add systemusers wwwrun, mail and ftp
- Add hardware access groups: kmem, lock, tty, audio, cdrom, dialout,
  disk, input, tape, video
- Add group wheel
- Remove /var/spool/uucp directories...
- Change license to MIT
- Add subpackages for obsolete groups and trusted group
- Add subpackages for bin, daemon, news and man
- Adjust to new sysuser-tools
- Use automatic provides and generate %pre with a script
- fix uids and add also groups
- Create users in %pre install section
- Add /etc/uucp to filelist of system-user-uucp
- Add system account games
- Initial version with system account uucp

==== sysuser-tools ====

- useradd_or_adduser_dep must be PreReq so ordering makes sure it gets
  installed before.
- suggest shadow where useradd_or_adduser_dep is actually required
- Avoid useless use of cat
- Simplify %sysusers_requires
- Drop shebang, rpm passes it to /bin/sh itself
- Packages providing users need /usr/bin/cat installed to create them.
  Add that to the PreRequires.
- Create system groups for system users
- Fix bug introduced by simplification of check for useradd -g
- Refactor use of sed away
- Use eval set -- $LINE instead of read for parsing
- Clean up sysusers2shadow and make it use only /bin/sh
- Don't let busybox adduser create the home directory, it breaks
  permissions of e.g. /sbin (home of daemon)
- Use only /bin/sh in sysusers-generate-pre and the generated code
- Drop use of tail from the generated %pre scriptlets
- Look for /bin/busybox, too
- Add special handling for busybox and groups
- Use suggests shadow to prefer that over busybox in normal systems
- Add support for busybox adduser/addgroup
- Change requirements from shadow to useradd_or_adduser_dep
- Fix default home directory [bsc#1105934]
- Use _rpmmacrodir for macro file
- Further enhance sysusers-generate-pre: inside the build environment,
  it can be acceptable to be failing to create the users (e.g when
  building sysuser-tools or system-user-root, since those two packages
  have to be specifically excluded). Always return with error code 0
  if /.buildenv exists.
- sysusers2shadow.sh: Exit if one of the useradd/groupadd/usermod call
  fails: the resulting system is quite undefined if this should happen.
- sysusers-generate-pre: exit the pre script with the exit code of
  sysusers2shadow.sh.
- sysuser-tools needs to require sysuser-shadow
- Add requires for shadow to sysuser-shadow
- Put helper script into own subpackage
- Convert sysusers config file to shadow arguments and use shadow
  suite to create user and groups. Fixes [bsc#1041497] and several
  dependency loops.
- Don't ignore errors of systemd-sysusers [bsc#1039708]
- Don't remove 'm' and 'r' entries from sysusers configuration
- Add macros.sysusers
- initial package

==== xfsprogs ====
Version update (5.9.0 -> 5.10.0)

- update to 5.10.0:
  - xfs_repair: remove old code for mountpoint inodes
  - xfsprogs: Add inode btree counter feature
  - xfsprogs: Add bigtime feature for Y2038
  - xfsprogs: Polish translation update
  - mkfs.xfs: Add config file feature
  - mkfs.xfs: allow users to specify rtinherit=0
  - xfs_repair: simplify bmap_next_offset
  - man: various manpage updates
  - libxfs: remove some old dead code
  - libxfs: add realtime extent tracking
  - libxfs changes merged from kernel 5.10
- refresh 0001-repair-shift-inode-back-into-place-if-corrupted-by-b.patch
  against libxfs changes