Packages changed:
  aaa_base (84.87+git20211102.80d7177 -> 84.87+git20211124.5486aad)
  audit-secondary
  bash (5.1.8 -> 5.1.12)
  busybox-links
  catatonit
  containers-systemd (0.0+git20210507.9afe2a6 -> 0.0+git20211129.1b144ae)
  efibootmgr (14 -> 17)
  gnutls
  haproxy (2.4.8+git0.d1f8d41e0 -> 2.5.0+git0.f2e0833f1)
  libarchive
  libcap (2.59 -> 2.61)
  libimagequant (2.15.1 -> 2.17.0)
  lua54
  pam
  python-charset-normalizer (2.0.7 -> 2.0.8)
  python38
  python38-core
  raspberrypi-firmware-dt (2021.09.17 -> 2021.11.19)
  sssd (2.5.2 -> 2.6.1)
  tpm2.0-abrmd
  xmlsec1 (1.2.32 -> 1.2.33)

=== Details ===

==== aaa_base ====
Version update (84.87+git20211102.80d7177 -> 84.87+git20211124.5486aad)

- Clear term.sh and term.csh also from file list
- Update to version 84.87+git20211124.5486aad:
  * Remove term.sh and term.csh: no COLORTERM anymore
    Avoid changing COLORTERM variable in urxvt (boo#1190833)

==== audit-secondary ====
Subpackages: audit python3-audit system-group-audit

- Use %autosetup
- Don't include sample rules as %doc, they're already installed as normal files
- Fix create-augenrules-service.patch:
  * auditd.service needs to require augenrules.service, not the other way around
- Fix documentation for enable-stop-rules.patch

==== bash ====
Version update (5.1.8 -> 5.1.12)

- Update bash 5.1 to patch level 12
  * Add official patch bash51-009
    The bash malloc implementation of malloc_usable_size() does not follow the
    specification. This can cause library functions that use it to overwrite
    memory bounds checking.
  * Add official patch bash51-010
    If `wait -n' is interrupted by a trapped signal other than SIGINT, it does
    not completely clean up state, and that can prevent subsequent calls to
    `wait -n' from working correctly.
  * Add official patch bash51-011
    When reading a compound assignment, and running it through the parser to
    split it into words, we need to save and restore any alias we're currently
    expanding.
  * Add official patch bash51-012
    There is a possible race condition that arises when a child process
    receives a signal trapped by the parent before it can reset the signal
    dispositions. The child process is not supposed to trap the signal in
    this circumstance.
- Using package bash-sh instead of the update-alternative mechanism.

==== busybox-links ====
Subpackages: busybox-coreutils busybox-gawk busybox-grep busybox-gzip busybox-hostname busybox-sed busybox-xz

- Removed libalternatives mechanism. Using direct link from
  /usr/bin/busybox to /usr/bin/sh. The package is conflicting with
  the new packages bash-sh which has a link for /usr/bin/sh too.
- Use libalternatives instead of update-alternatives.

==== catatonit ====

- Add 99bb9048f.patch: configure.ac: call AM_INIT_AUTOMAKE only
  once. Fix build with autoconf 2.71 / automake 1.16.5.

==== containers-systemd ====
Version update (0.0+git20210507.9afe2a6 -> 0.0+git20211129.1b144ae)

- Update to version 0.0+git20211129.1b144ae:
  * Add roundcube files

==== efibootmgr ====
Version update (14 -> 17)

- Update to v17:
  * use efivar's logging facility more (more info in -v2 , -v3, etc)
  * Various bug fixes
  * Better -e parsing
  * fix pkg-config invocation for ldflags
  * Make efibootmgr use EFIDIR / efibootmgr.efidir like fwupdate does
  * make --loader default build-time configurable
  * sanitize set_mirror()/get_mirror()
  * Add support for parsing loader options as UCS2
  * GCC 7 fixes
  * Don't use -fshort-wchar since we don't run on EFI machines.
- Drop 0001-Don-t-use-fshort-wchar-when-building-63.patch (upstreamed)
- Drop 0002-Remove-extra-const-keywords-gcc-7-gripes-about.patch (upstreamed)
- Drop 0003-Add-support-for-parsing-optional-data-as-ucs2.patch (upstreamed)
- Drop MARM-sanitize-set_mirror.diff (upstreamed)
- Drop efibootmgr-derhat.diff (upstreamed)
- Rebase efibootmgr-delete-multiple.diff

==== gnutls ====

- Drop bogus condition "> 1550": that would mean 'more recent than
  Tumbleweed' which is technically impossible, as Tumbleweed is
  the leading project (and the condition causes issues as
  Tumbleweed needs to move away from 1550 due to CODE 15 SP5
  plans).

==== haproxy ====
Version update (2.4.8+git0.d1f8d41e0 -> 2.5.0+git0.f2e0833f1)

- Update to version 2.5.0+git0.f2e0833f1:
  https://www.mail-archive.com/haproxy@formilux.org/msg41508.html
- refreshed patches to apply cleanly again
  haproxy-1.6.0-sec-options.patch
  haproxy-1.6.0_config_haproxy_user.patch
  lua54.patch

==== libarchive ====

- fix permission settings on following symlinks (fix-following-symlinks.patch)
  this fixes also wrong permissions of /var/tmp in factory systems

==== libcap ====
Version update (2.59 -> 2.61)

- libcap 2.61:
  * Better error handling of the numerical arguments for capsh and setcap
  * Fix executable mode for all of the .so files. There were two
    situations where this was failing (with a hard to debug
    SIGSEGV inside libc)
  * Added an example of a shared library object with its own file
    capability
  * Fix the top-level include for Make.Rules in the contrib/sucap
    example application
  * Add support for running constructors at libcap.so start up
    time when running as stand alone binary.
- includes changes from 2.60:
  * Some build, code linting fixes, the addition of the
    cap_fill_flag() API and a memory latency optimization
  * General improvement in thread safety for libcap and cap package
  * Minor API change replacing libcap:cap_launch_*() void returning
    functions with int + errno status returns.
  * Added a cap_iab_dup(), and (*cap.IAB).Dup() to API
  * New features for capsh: --quiet, -+ and =+ arguments
- add upstream signing key and verify source signature

==== libimagequant ====
Version update (2.15.1 -> 2.17.0)

- update to 2.17.0:
  * Do not build as unversioned DSO
  * use float as in SSE
  * Initialize rows using heap to handle large images
  * Free rows after remapping
  * Disable SSE on arm64

==== lua54 ====

- Update upstream-bugs.patch and upstream-bugs-test.patch to fix
  bugs 7,8 for build and tests respectively.

==== pam ====
Subpackages: pam_unix

- Don't define doc/manpages packages in main build
- Add missing recommends and split provides
- Use multibuild to build docu with correct paths and available
  features.
- common-session: move pam_systemd to first position as if the
  file would have been generated with pam-config
- Add vendordir fixes and enhancements from upstream:
  - pam_xauth_data.3.xml.patch
  - 0001-Include-pam_xauth_data.3.xml-in-source-archive-400.patch
  - 0002-Only-include-vendordir-in-manual-page-if-set-401.patch
  - 0003-Use-vendor-specific-limits.conf-as-fallback-402.patch
- For buggy bot: Makefile-pam_unix-nis.diff belonged to the other
  spec file.

==== python-charset-normalizer ====
Version update (2.0.7 -> 2.0.8)

- update to 2.0.8:
  * Improvement over Vietnamese detection
  * MD improvement on trailing data and long foreign (non-pure latin)
  * Efficiency improvements in cd/alphabet_languages
  * call sum() without an intermediary list following PEP 289 recommendations
  * Code style as refactored by Sourcery-AI
  * Minor adjustment on the MD around european words
  * Remove and replace SRTs from assets / tests
  * Initialize the library logger with a `NullHandler` by default
  * Setting kwarg `explain` to True will add provisionally
  * Fix large (misleading) sequence giving UnicodeDecodeError
  * Avoid using too insignificant chunk
  * Add and expose function `set_logging_handler` to configure a specific
    StreamHandler
- require lower-case name instead of breaking build
- Use lower-case name of prettytable package

==== python38 ====

- Remove shebangs from python-base libraries in _libdir
  (bsc#1193179).
- Readjust patches:
  - bpo-31046_ensurepip_honours_prefix.patch
  - decimal.patch
  - python-3.3.0b1-fix_date_time_compiler.patch

==== python38-core ====
Subpackages: libpython3_8-1_0 python38-base

- Remove shebangs from python-base libraries in _libdir
  (bsc#1193179).
- Readjust patches:
  - bpo-31046_ensurepip_honours_prefix.patch
  - decimal.patch
  - python-3.3.0b1-fix_date_time_compiler.patch

==== raspberrypi-firmware-dt ====
Version update (2021.09.17 -> 2021.11.19)

- Update to 14c1845ff9 (2021-11-19):
  * Add DTS:
    - bcm2710-rpi-zero-2-w.dts
    - bcm2710-rpi-zero-2.dts
  * Add overlays:
    - adafruit-st7735r-overlay.dts
    - fbtft-overlay.dts
    - imx519-overlay.dts
    - mcp2515-overlay.dts
    - mlx90640-overlay.dts

==== sssd ====
Version update (2.5.2 -> 2.6.1)
Subpackages: libsss_certmap0 libsss_idmap0 libsss_nss_idmap0 sssd-krb5-common sssd-ldap

- Added hardening to systemd service(s) (bsc#1181400).
  Added patch(es):
  * harden_sssd-ifp.service.patch
  * harden_sssd-kcm.service.patch
- Update to release 2.6.1
  * New infopipe method FindByValidCertificate().
  * The default value of the "ssh_hash_known_hosts" setting was
    changed to false for the sake of consistency with OpenSSH
    that does not hash host names by default.
- Update to release 2.6.0
  * Support of legacy json format for ccaches was dropped.
  * Support of long time deprecated secrets responder was dropped.
  * Support of long time deprecated local provider was dropped.
  * The sssctl command was vulnerable to shell command injection
    via the logs-fetch and cache-expire subcommands, which was
    fixed.
  * Basic support of user's 'subuid and subgid ranges' for IPA
    provider and corresponding plugin for shadow-utils were
    added.

==== tpm2.0-abrmd ====
Subpackages: libtss2-tcti-tabrmd0 tpm2.0-abrmd-selinux

- Added hardening to systemd service(s) (bsc#1181400).
  Added patch(es):
  * harden_tpm2-abrmd.service.patch

==== xmlsec1 ====
Version update (1.2.32 -> 1.2.33)
Subpackages: libxmlsec1-1 libxmlsec1-openssl1

- update to 1.2.33:
  * Fix decrypting session key for two recipients
  * Added --privkey-openssl-engine option to enhance openssl
    engine support