Packages changed:
  apparmor (3.0.1 -> 3.0.3)
  audit (3.0.2 -> 3.0.3)
  audit-secondary (3.0.2 -> 3.0.3)
  avahi
  busybox-links
  c-ares (1.17.1 -> 1.17.2)
  ceph (16.2.5.111+ga5b472dfcf8 -> 16.2.5.113+g8b5bda7684e)
  cloud-init
  container-selinux (2.160.1 -> 2.164.2)
  cri-tools (1.21.0 -> 1.22.0)
  dhcp
  diffutils (3.7 -> 3.8)
  dracut (055+suse.110.gbe35f166 -> 055+suse.115.gf65e559b)
  e2fsprogs (1.46.2 -> 1.46.3)
  etcd
  freetype2 (2.10.4 -> 2.11.0)
  gdbm (1.19 -> 1.20)
  glib2
  gpgme
  grep
  grub2
  gtk3
  ipset (7.14 -> 7.15)
  irqbalance (1.8.0.8.gbd5aaf5 -> 1.8.0.14.ga7f8148)
  kernel-firmware (20210719 -> 20210812)
  kernel-source (5.13.6 -> 5.13.8)
  keyutils
  krb5 (1.19.1 -> 1.19.2)
  libXft (2.3.3 -> 2.3.4)
  libapparmor (3.0.1 -> 3.0.3)
  libesmtp
  lvm2
  lvm2-device-mapper
  mozjs78 (78.11.0 -> 78.13.0)
  ncurses (6.2.20210718 -> 6.2.20210724)
  nfs-utils
  pam
  patterns-microos
  pcre (8.44 -> 8.45)
  python-distro (1.5.0 -> 1.6.0)
  python-gobject
  python-networkx (2.5.1 -> 2.6.1)
  python-python-gnupg (0.4.6 -> 0.4.7)
  python-pyzmq (22.1.0 -> 22.2.1)
  python-tornado6
  python38 (3.8.10 -> 3.8.11)
  python38-core (3.8.10 -> 3.8.11)
  qemu
  rpcbind
  snappy (1.1.8 -> 1.1.9)
  systemd
  transactional-update (3.4.0 -> 3.5.1)
  u-boot-rpiarm64

=== Details ===

==== apparmor ====
Version update (3.0.1 -> 3.0.3)
Subpackages: apparmor-abstractions apparmor-parser apparmor-profiles apparmor-utils python3-apparmor

- add profiles-python-3.10-mr783.diff: update abstractions/python and profiles for python 3.10
- update to AppArmor 3.0.3
  - fix a failure in the parser tests
  - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0.3 for the detailed upstream changelog
- update to AppArmor 3.0.2
  - add missing permissions to several profiles and abstractions (including boo#1188296)
  - bugfixes in utils and parser (including boo#1180766 and boo#1184779)
  - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0.2 for the detailed upstream changelog
- remove upstreamed patches:
  - apparmor-dovecot-stats-metrics.diff
  - abstractions-php8.diff
  - crypto-policies-mr720.diff

==== audit ====
Version update (3.0.2 -> 3.0.3)
Subpackages: libaudit1 libauparse0

- Update to version 3.0.3:
  * Don't interpret audit netlink groups unless AUDIT_NLGRP_MAX is defined
  * Add support for AUDIT_RESP_ORIGIN_UNBLOCK_TIMED to ids
  * Change auparse_feed_has_data in auparse to include incomplete events
  * Auditd, stop linking against -lrt
  * Add ProtectHome and RestrictRealtime to auditd.service
  * In auditd, read up to 3 netlink packets in a row
  * In auditd, do not validate path to plugin unless active
  * In auparse, only emit config errors when AUPARSE_DEBUG env variable exists
- use https source urls

==== audit-secondary ====
Version update (3.0.2 -> 3.0.3)
Subpackages: audit python3-audit system-group-audit

- Update to version 3.0.3:
  * Don't interpret audit netlink groups unless AUDIT_NLGRP_MAX is defined
  * Add support for AUDIT_RESP_ORIGIN_UNBLOCK_TIMED to ids
  * Change auparse_feed_has_data in auparse to include incomplete events
  * Auditd, stop linking against -lrt
  * Add ProtectHome and RestrictRealtime to auditd.service
  * In auditd, read up to 3 netlink packets in a row
  * In auditd, do not validate path to plugin unless active
  * In auparse, only emit config errors when AUPARSE_DEBUG env variable exists
- use https source urls

==== avahi ====
Subpackages: libavahi-client3 libavahi-common3

- Obsolete the same version of mDNSResponder-lib and mDNSResponder in baselib.conf and spec.

==== busybox-links ====
Subpackages: busybox-coreutils busybox-gawk busybox-grep busybox-gzip busybox-hostname busybox-sed busybox-xz

- Add shadow as BuildRequires

==== c-ares ====
Version update (1.17.1 -> 1.17.2)

- update to 1.17.2:
  Security:
  * When building c-ares with CMake, the RANDOM_FILE would not be set and therefore downgrade to the less secure random number generator
  * If ares_getaddrinfo() was terminated by an ares_destroy(), it would cause a crash
  * Crash in sortaddrinfo() if the list size equals 0 due to an unexpected DNS response
  * Expand number of escaped characters in DNS replies as per RFC1035 5.1 to prevent spoofing follow-up (bsc#1188881, CVE-2021-3672)
  * Perform validation on hostnames to prevent possible XSS due to applications not performing validation themselves
  Changes:
  * ares_malloc(0) is now defined behavior (returns NULL) rather than system-specific to catch edge cases
  Bug fixes:
  * Building tests should not force building of static libraries except on Windows
  * Relative headers must use double quotes to prevent pulling in a system library
  for details see, https://c-ares.haxx.se/changelog.html#1_17_2

==== ceph ====
Version update (16.2.5.111+ga5b472dfcf8 -> 16.2.5.113+g8b5bda7684e)
Subpackages: ceph-common libcephfs2 librados2 librbd1 librgw2 python3-ceph-argparse python3-ceph-common python3-cephfs python3-rados python3-rbd python3-rgw

- Update to 16.2.5-113-g8b5bda7684e:
  + (bsc#1188741) compression/snappy: use uint32_t to be compatible with 1.1.9 improved version of patch that did not work as intended

==== cloud-init ====

- Add cloud-init-update-test-characters-in-substitution-unit-test.patch to fix unit test fail in TestGetPackageMirrorInfo::test_substitution.

==== container-selinux ====
Version update (2.160.1 -> 2.164.2)

- Update to version 2.164.2
  * Don't setup users for writing to pid_sockets
  * Allow container engines to be started from the staff user.
  * Allow spc_t domains to set bpf rules on any domain
  * Add support for k3s

==== cri-tools ====
Version update (1.21.0 -> 1.22.0)

- Update to version 1.22.0:
  * Bump Kubernetes to v1.22.0
  * Bump k8s.io/api from 0.21.3 to 0.22.0
  * Bump k8s.io/cri-api from 0.21.3 to 0.22.0
  * Bump k8s.io/kubectl from 0.21.3 to 0.22.0
  * Bump k8s.io/apimachinery from 0.21.3 to 0.22.0
  * Bump github.com/docker/docker
  * Bump github.com/opencontainers/selinux from 1.8.2 to 1.8.3
- Update to version 1.21.0:
  * Bump README versions to v1.21.0
  * Update dependencies
  * Add dependabot config file
  * Simplify test image build process for user images
  * Move from gcr.io/cri-tools to gcr.io/k8s-staging-cri-tools
  * Fix UID/GID and username values for test images
  * Bump gcb-docker-gcloud image to v20210331-c732583
  * Fix CRI-O master installation in GitHub actions

==== dhcp ====
Subpackages: dhcp-client

- bsc#1186249: Remove remaining references to /etc/init.d from dhclient-script and if-up.d.dhcpd-restart-hook.
- Use , instead of - or / as a separator in sed when dealing with path names.

==== diffutils ====
Version update (3.7 -> 3.8)

- diffutils 3.8:
  * diff no longer treats a closed stdin as representing an absent file in usage like 'diff --new-file - foo <&-'
  * diff and related programs no longer get confused if stdin, stdout, or stderr are closed
  * cmp, diff and sdiff no longer treat negative command-line option-arguments as if they were large positive numbers
- drop gnulib-test-avoid-FP-perror-strerror.patch, upstream
- drop gnulib-c-stack.patch, equivalent change in c-stack
- remove deprecated texinfo packaging macros

==== dracut ====
Version update (055+suse.110.gbe35f166 -> 055+suse.115.gf65e559b)
Subpackages: dracut-ima dracut-mkinitrd-deprecated

- Update to version 055+suse.115.gf65e559b:
  * fix(suse-initrd): find links of usrmerged kernels (boo#1184804)
  * fix(tpm2-tss): typo in depends()
  * fix(suse-initrd): inform on usage of obsolete -f parameter (bsc#1187470)
- use manual mode in _service file

==== e2fsprogs ====
Version update (1.46.2 -> 1.46.3)
Subpackages: libcom_err2 libext2fs2

- Update to 1.46.3:
  * Add -V and -VV options to filefrag
  * Fix fs corruption caused by resize2fs on filesystems with MMP blocks
  * Fast commit portability fixes
  * Fix direct IO support in Unix IO manager
  * Avoid calling EXT2_IOC_[GS]ETFLAGS for block devices
  * Fix mke2fs to not discard blocks beyond end of filesystem
  * Make e2fsck set filetype of '.' and '..' entries
  * Fix QCOW image generation in e2image for very large filesystems
  * Update translations

==== etcd ====

- Don't require systemd (works without, too)
- Change to sysuser-tools to create system user

==== freetype2 ====
Version update (2.10.4 -> 2.11.0)

- Update to version 2.11.0
  * A new rendering module has been added to create 8-bit Signed Distance Field (SDF) bitmaps for both outline and bitmap glyphs.
  * A new, experimental API is now available for surfacing properties of 'COLR' v1 color fonts.
  * A new function `FT_Get_Transform` returns the values set by FT_Set_Transform.
  * The legacy Type 1 and CFF engines are further demoted due to lack of CFF2 charstring support.
  * The experimental 'warp' mode (AF_CONFIG_OPTION_USE_WARPER) for the auto-hinter has been removed.
  * The smooth rasterizer performance has been improved by >10%.
  * PCF bitmap fonts compressed with LZW (these are usually files with the extension .pcf.Z) are now handled correctly.

==== gdbm ====
Version update (1.19 -> 1.20)
Subpackages: libgdbm6 libgdbm_compat4

- version update to 1.20
  * New bucket cache
    The bucket cache support has been rewritten from scratch. The new bucket cache code provides for significant speed up of search operations.
  * Change mmap prereading strategy
    Pre-reading of the memory mapper regions, introduced in version 1.19 can be advantageous only when doing intensive look-ups on a read-only database. It degrades performance otherwise, especially if doing multiple inserts. Therefore, this version introduces a new flag to gdbm_open: GDBM_PREREAD. When given, it enables pre-reading of memory mapped regions.
- modified patches
  % gdbm-no-build-date.patch (refreshed)

==== glib2 ====
Subpackages: glib2-tools libgio-2_0-0 libglib-2_0-0 libgmodule-2_0-0 libgobject-2_0-0

- Add 63e7864.patch: Fix build with glibc 2.34: use 3 parameters for close_range (boo#1189088).
- Drop patches fixed upstream on SLE and Leap 15.4:
  + glib2-add-support-for-slim-timezone-format.patch
  + glib2-fix-6-days-until-the-end-of-the-month.patch
  + glib2-CVE-2021-27218.patch
  + glib2-CVE-2021-27219-add-g_memdup2.patch

==== gpgme ====

- Fix build with glibc 2.34: [bsc#1189089]
  * Use glibc's closefrom.
  * Add gpgme-use-glibc-closefrom.patch

==== grep ====

- gnulib-c-stack.patch: Fix AC_SYS_XSI_STACK_OVERFLOW_HEURISTIC configure check

==== grub2 ====
Subpackages: grub2-arm64-efi grub2-snapper-plugin

- Replace grub2-use-stat-instead-of-udevadm-for-partition-lookup.patch and fix-grub2-use-stat-instead-of-udevadm-for-partition-lookup-with-new-glibc.patch with upstream backport: 0001-osdep-Introduce-include-grub-osdep-major.h-and-use-i.patch and 0002-osdep-linux-hostdisk-Use-stat-instead-of-udevadm-for.patch.

==== gtk3 ====
Subpackages: gtk3-data gtk3-schema gtk3-tools libgtk-3-0

- Drop patch fixed upstream on SLE and Leap 15.4: gtk3-x11-fix-menu-touch-by-pointer-emulation.patch

==== ipset ====
Version update (7.14 -> 7.15)
Subpackages: libipset13

- Update to release 7.15
  * netfilter: ipset: Fix maximal range check in hash_ipportnet4_uadt()

==== irqbalance ====
Version update (1.8.0.8.gbd5aaf5 -> 1.8.0.14.ga7f8148)

- Update to version 1.8.0.14.ga7f8148:
  * irqbalance: Check validity of numa_node
  * configure.ac: use pkg-config to find numa
  * Disable the communication socket when UI is disabled
- Use %{?systemd_ordering} instead of %{?systemd_requires}

==== kernel-firmware ====
Version update (20210719 -> 20210812)
Subpackages: kernel-firmware-all kernel-firmware-amdgpu kernel-firmware-ath10k kernel-firmware-ath11k kernel-firmware-atheros kernel-firmware-bluetooth kernel-firmware-bnx2 kernel-firmware-brcm kernel-firmware-chelsio kernel-firmware-dpaa2 kernel-firmware-i915 kernel-firmware-intel kernel-firmware-iwlwifi kernel-firmware-liquidio kernel-firmware-marvell kernel-firmware-media kernel-firmware-mediatek kernel-firmware-mellanox kernel-firmware-mwifiex kernel-firmware-network kernel-firmware-nfp kernel-firmware-nvidia kernel-firmware-platform kernel-firmware-prestera kernel-firmware-qcom kernel-firmware-qlogic kernel-firmware-radeon kernel-firmware-realtek kernel-firmware-serial kernel-firmware-sound kernel-firmware-ti kernel-firmware-ueagle kernel-firmware-usb-network

- Update to version 20210812 (git commit 24c4a85d8514):
  * amdgpu: revert back to older raven2 sdma firmware
  * amdgpu: revert back to older raven sdma firmware
  * amdgpu: revert back to older picasso sdma firmware
  * amdgpu: add initial vangogh support
  * amdgpu: update vega20 firmware from 21.30
  * amdgpu: update vega12 firmware from 21.30
  * amdgpu: update vega10 firmware from 21.30
  * amdgpu: update renoir firmware from 21.30
  * amdgpu: update raven2 firmware from 21.30
  * amdgpu: update raven firmware from 21.30
  * amdgpu: update polaris12 firmware from 21.30
  * amdgpu: update picasso firmware from 21.30
  * amdgpu: update dimgrey cavefish firmware from 21.30
  * amdgpu: update navy flounder firmware from 21.30
  * amdgpu: update sienna cichlid firmware from 21.30
  * amdgpu: update navi14 firmware from 21.30
  * amdgpu: update navi12 firmware from 21.30
  * amdgpu: update navi10 firmware from 21.30
  * amdgpu: update green sardine firmware from 21.30
  * amdgpu: update arcturus firmware from 21.30
  * linux-firmware: Update firmware file for Intel Bluetooth AX210
  * linux-firmware: update frimware for mediatek bluetooth chip (MT7921)
  * linux-firmware: add firmware for MT7922
  * QCA : Updated firmware files for WCN3991
  * i915: Add v2.03 DMC for RKL
  * i915: Add v2.12 DMC for TGL
  * qca: Add firmware files for BT chip WCN6750.

==== kernel-source ====
Version update (5.13.6 -> 5.13.8)

- rpm/kernel-binary.spec.in: avoid high suse-release requirements
  Not provided in stagings.
- commit 967c6a8
- net: usb: lan78xx: don't modify phy_device state concurrently (bsc#1188270).
- commit 79524ad
- Linux 5.13.8 (bsc#1012628).
- octeontx2-af: Remove unnecessary devm_kfree (bsc#1012628).
- perf pmu: Fix alias matching (bsc#1012628).
- can: j1939: j1939_session_deactivate(): clarify lifetime of session object (bsc#1012628).
- i40e: Add additional info to PHY type error (bsc#1012628).
- io_uring: fix race in unified task_work running (bsc#1012628).
- Revert "perf map: Fix dso->nsinfo refcounting" (bsc#1012628).
- powerpc/pseries: Fix regression while building external modules (bsc#1012628).
- powerpc/vdso: Don't use r30 to avoid breaking Go lang (bsc#1012628).
- SMB3: fix readpage for large swap cache (bsc#1012628).
- bpf: Fix pointer arithmetic mask tightening under state pruning (bsc#1012628).
- bpf: verifier: Allocate idmap scratch in verifier env (bsc#1012628).
- bpf: Remove superfluous aux sanitation on subprog rejection (bsc#1012628).
- bpf: Fix leakage due to insufficient speculative store bypass mitigation (bsc#1012628).
- bpf: Introduce BPF nospec instruction for mitigating Spectre v4 (bsc#1012628).
- can: hi311x: fix a signedness bug in hi3110_cmd() (bsc#1012628).
- sis900: Fix missing pci_disable_device() in probe and remove (bsc#1012628).
- tulip: windbond-840: Fix missing pci_disable_device() in probe and remove (bsc#1012628).
- sctp: fix return value check in __sctp_rcv_asconf_lookup (bsc#1012628).
- block: delay freeing the gendisk (bsc#1012628).
- net/mlx5: Fix mlx5_vport_tbl_attr chain from u16 to u32 (bsc#1012628).
- net/mlx5e: Fix nullptr in mlx5e_hairpin_get_mdev() (bsc#1012628).
- net/mlx5: Unload device upon firmware fatal error (bsc#1012628).
- net/mlx5e: Fix page allocation failure for ptp-RQ over SF (bsc#1012628).
- net/mlx5e: Fix page allocation failure for trap-RQ over SF (bsc#1012628).
- net/mlx5e: Add NETIF_F_HW_TC to hw_features when HTB offload is available (bsc#1012628).
- net/mlx5e: RX, Avoid possible data corruption when relaxed ordering and LRO combined (bsc#1012628).
- net/mlx5: E-Switch, handle devcom events only for ports on the same device (bsc#1012628).
- net/mlx5: E-Switch, Set destination vport vhca id only when merged eswitch is supported (bsc#1012628).
- net/mlx5e: Disable Rx ntuple offload for uplink representor (bsc#1012628).
- net/mlx5: Fix flow table chaining (bsc#1012628).
- bpf, sockmap: Zap ingress queues after stopping strparser (bsc#1012628).
- KVM: selftests: Fix missing break in dirty_log_perf_test arg parsing (bsc#1012628).
- drm/msm/dp: Initialize the INTF_CONFIG register (bsc#1012628).
- drm/msm/dp: use dp_ctrl_off_link_stream during PHY compliance test run (bsc#1012628).
- drm/msm/dpu: Fix sm8250_mdp register length (bsc#1012628).
- net: llc: fix skb_over_panic (bsc#1012628).
- KVM: x86: Check the right feature bit for MSR_KVM_ASYNC_PF_ACK access (bsc#1012628).
- drm/i915/bios: Fix ports mask (bsc#1012628).
- drm/panel: panel-simple: Fix proper bpc for ytc700tlag_05_201c (bsc#1012628).
- mlx4: Fix missing error code in mlx4_load_one() (bsc#1012628).
- net: phy: broadcom: re-add check for PHY_BRCM_DIS_TXCRXC_NOENRGY on the BCM54811 PHY (bsc#1012628).
- octeontx2-pf: Dont enable backpressure on LBK links (bsc#1012628).
- octeontx2-pf: Fix interface down flag on error (bsc#1012628).
- tipc: do not write skb_shinfo frags when doing decrytion (bsc#1012628).
- can: mcp251xfd: mcp251xfd_irq(): stop timestamping worker in case error in IRQ (bsc#1012628).
- ionic: count csum_none when offload enabled (bsc#1012628).
- ionic: fix up dim accounting for tx and rx (bsc#1012628).
- ionic: remove intr coalesce update from napi (bsc#1012628).
- ionic: catch no ptp support earlier (bsc#1012628).
- ionic: make all rx_mode work threadsafe (bsc#1012628).
- net: qrtr: fix memory leaks (bsc#1012628).
- loop: reintroduce global lock for safe loop_validate_file() traversal (bsc#1012628).
- net: dsa: mv88e6xxx: silently accept the deletion of VID 0 too (bsc#1012628).
- net: Set true network header for ECN decapsulation (bsc#1012628).
- tipc: fix sleeping in tipc accept routine (bsc#1012628).
- tipc: fix implicit-connect for SYN+ (bsc#1012628).
- i40e: Fix log TC creation failure when max num of queues is exceeded (bsc#1012628).
- i40e: Fix queue-to-TC mapping on Tx (bsc#1012628).
- i40e: Fix firmware LLDP agent related warning (bsc#1012628).
- i40e: Fix logic of disabling queues (bsc#1012628).
- netfilter: nft_nat: allow to specify layer 4 protocol NAT only (bsc#1012628).
- netfilter: conntrack: adjust stop timestamp to real expiry value (bsc#1012628).
- mac80211: fix enabling 4-address mode on a sta vif after assoc (bsc#1012628).
- bpf: Fix OOB read when printing XDP link fdinfo (bsc#1012628).
- netfilter: nf_tables: fix audit memory leak in nf_tables_commit (bsc#1012628).
- RDMA/rxe: Fix memory leak in error path code (bsc#1012628).
- platform/x86: amd-pmc: Fix missing unlock on error in amd_pmc_send_cmd() (bsc#1012628).
- platform/x86: amd-pmc: Fix SMU firmware reporting mechanism (bsc#1012628).
- platform/x86: amd-pmc: Fix command completion code (bsc#1012628).
- RDMA/bnxt_re: Fix stats counters (bsc#1012628).
- cfg80211: Fix possible memory leak in function cfg80211_bss_update (bsc#1012628).
- io_uring: fix poll requests leaking second poll entries (bsc#1012628).
- io_uring: don't block level reissue off completion path (bsc#1012628).
- io_uring: fix io_prep_async_link locking (bsc#1012628).
- nfc: nfcsim: fix use after free during module unload (bsc#1012628).
- blk-iocost: fix operation ordering in iocg_wake_fn() (bsc#1012628).
- drm/amdgpu: Fix resource leak on probe error path (bsc#1012628).
- drm/amdgpu: Avoid printing of stack contents on firmware load error (bsc#1012628).
- drm/amdgpu: Check pmops for desired suspend state (bsc#1012628).
- drm/amd/display: ensure dentist display clock update finished in DCN20 (bsc#1012628).
- NIU: fix incorrect error return, missed in previous revert (bsc#1012628).
- net: stmmac: add est_irq_status callback function for GMAC 4.10 and 5.10 (bsc#1012628).
- HID: wacom: Re-enable touch by default for Cintiq 24HDT / 27QHDT (bsc#1012628).
- alpha: register early reserved memory in memblock (bsc#1012628).
- can: esd_usb2: fix memory leak (bsc#1012628).
- can: ems_usb: fix memory leak (bsc#1012628).
- can: usb_8dev: fix memory leak (bsc#1012628).
- can: mcba_usb_start(): add missing urb->transfer_dma initialization (bsc#1012628).
- can: peak_usb: pcan_usb_handle_bus_evt(): fix reading rxerr/txerr values (bsc#1012628).
- can: raw: raw_setsockopt(): fix raw_rcv panic for sock UAF (bsc#1012628).
- can: j1939: j1939_xtp_rx_dat_one(): fix rxtimer value between consecutive TP.DT to 750ms (bsc#1012628).
- mm/memcg: fix NULL pointer dereference in memcg_slab_free_hook() (bsc#1012628).
- mm: memcontrol: fix blocking rstat function called from atomic cgroup1 thresholding code (bsc#1012628).
- ocfs2: issue zeroout to EOF blocks (bsc#1012628).
- ocfs2: fix zero out valid data (bsc#1012628).
- KVM: add missing compat KVM_CLEAR_DIRTY_LOG (bsc#1012628).
- x86/kvm: fix vcpu-id indexed array sizes (bsc#1012628).
- ACPI: DPTF: Fix reading of attributes (bsc#1012628).
- Revert "ACPI: resources: Add checks for ACPI IRQ override" (bsc#1012628).
- btrfs: mark compressed range uptodate only if all bio succeed (bsc#1012628).
- btrfs: fix rw device counting in __btrfs_free_extra_devids (bsc#1012628).
- btrfs: fix lost inode on log replay after mix of fsync, rename and inode eviction (bsc#1012628).
- fs/ext2: Avoid page_address on pages returned by ext2_get_page (bsc#1012628).
- pipe: make pipe writes always wake up readers (bsc#1012628).
- selftest: fix build error in tools/testing/selftests/vm/userfaultfd.c (bsc#1012628).
- commit 14162fe
- arm63: Update config files. (bsc#1188702)
- commit c97411a
- scsi: sr: Return correct event when media event code is 3 (bsc#1188767 bsc#1188728).
- commit 5794a07
- Linux 5.13.7 (bsc#1012628).
- ipv6: ip6_finish_output2: set sk into newly allocated nskb (bsc#1012628).
- ARM: dts: versatile: Fix up interrupt controller node names (bsc#1012628).
- iomap: remove the length variable in iomap_seek_hole (bsc#1012628).
- iomap: remove the length variable in iomap_seek_data (bsc#1012628).
- cifs: fix the out of range assignment to bit fields in parse_server_interfaces (bsc#1012628).
- firmware: arm_scmi: Fix range check for the maximum number of pending messages (bsc#1012628).
- firmware: arm_scmi: Fix possible scmi_linux_errmap buffer overflow (bsc#1012628).
- hfs: add lock nesting notation to hfs_find_init (bsc#1012628).
- hfs: fix high memory mapping in hfs_bnode_read (bsc#1012628).
- hfs: add missing clean-up in hfs_fill_super (bsc#1012628).
- drm/ttm: add a check against null pointer dereference (bsc#1012628).
- nvme-pci: fix multiple races in nvme_setup_io_queues (bsc#1012628).
- ipv6: allocate enough headroom in ip6_finish_output2() (bsc#1012628).
- rcu-tasks: Don't delete holdouts within trc_wait_for_one_reader() (bsc#1012628).
- rcu-tasks: Don't delete holdouts within trc_inspect_reader() (bsc#1012628).
- sctp: move 198 addresses from unusable to private scope (bsc#1012628).
- net: annotate data race around sk_ll_usec (bsc#1012628).
- net/802/garp: fix memleak in garp_request_join() (bsc#1012628).
- net/802/mrp: fix memleak in mrp_request_join() (bsc#1012628).
- cgroup1: fix leaked context root causing sporadic NULL deref in LTP (bsc#1012628).
- workqueue: fix UAF in pwq_unbound_release_workfn() (bsc#1012628).
- af_unix: fix garbage collect vs MSG_PEEK (bsc#1012628).
- commit b1bb2c4

==== keyutils ====
Subpackages: libkeyutils1

- Add /etc/keys/ and /usr/etc/keys/ directory (bsc#1187654)

==== krb5 ====
Version update (1.19.1 -> 1.19.2)

- Update to 1.19.2
  * Fix a denial of service attack against the KDC encrypted challenge code; (CVE-2021-36222);
  * Fix a memory leak when gss_inquire_cred() is called without a credential handle.

==== libXft ====
Version update (2.3.3 -> 2.3.4)

- Update to version 2.3.4
  * This release handles the deprecation of the FcNameRegisterObjectTypes API by fontconfig, and provides minor cleanups for compiler warnings and man pages.

==== libapparmor ====
Version update (3.0.1 -> 3.0.3)

- add profiles-python-3.10-mr783.diff: update abstractions/python and profiles for python 3.10
- update to AppArmor 3.0.3
  - fix a failure in the parser tests
  - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0.3 for the detailed upstream changelog
- update to AppArmor 3.0.2
  - add missing permissions to several profiles and abstractions (including boo#1188296)
  - bugfixes in utils and parser (including boo#1180766 and boo#1184779)
  - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0.2 for the detailed upstream changelog
- remove upstreamed patches:
  - apparmor-dovecot-stats-metrics.diff
  - abstractions-php8.diff
  - crypto-policies-mr720.diff

==== libesmtp ====

- Add libesmtp-fix-cve-2019-19977.patch: Fix stack-based buffer over-read in ntlm/ntlmstruct.c (bsc#1160462 bsc#1189097).

==== lvm2 ====
Subpackages: liblvm2cmd2_03

- Add lvm2-rpmlintrc where we skip all rpmlint issue for lvm2-testsuite package (bsc#1179047).

==== lvm2-device-mapper ====
Subpackages: device-mapper libdevmapper-event1_03 libdevmapper1_03

- Add lvm2-rpmlintrc where we skip all rpmlint issue for lvm2-testsuite package (bsc#1179047).

==== mozjs78 ====
Version update (78.11.0 -> 78.13.0)

- Update to version 78.13.0esr.
  MFSA 2021-34 (bsc#1188891)
  * CVE-2021-29984 (bmo#1720031)
    Incorrect instruction reordering during JIT optimization

==== ncurses ====
Version update (6.2.20210718 -> 6.2.20210724)
Subpackages: libncurses6 ncurses-utils terminfo-base

- Add ncurses patch 20210724
  + add workaround for Windows Terminal's problems with CR/LF mapping to ms-terminal (patch by Juergen Pfeifer).
  + review/update current Windows Terminal vs ms-terminal -TD
- Correct offsets of patch ncurses-6.2.dif

==== nfs-utils ====
Subpackages: libnfsidmap1 nfs-client

- Remove dependency on fedfs-utils-devel.
  fedfs-utils was only ever a "technology preview" and is now considered "end of life". nfs-utils is not even built to use it as --enable-junction isn't being passed to configure and fedfs-utils doesn't build with glibc 2.34. So remove the unnecessary dependency on fedfs-utils. (bsc#1189085)
- Update to version 2.5.4
  https://mirrors.edge.kernel.org/pub/linux/utils/nfs-utils/2.5.4/2.5.4-Changelog
  Notable changes:
  * Handle failures in gssd better
  * handle 'sloppy' option to mount better
  * minor documentation improvements
- Drop 2.5.4-rc4 patches: nfs-utils-2-5-4-rc1.patch, nfs-utils-2-5-4-rc2.patch, nfs-utils-2-5-4-rc3.patch, nfs-utils-2-5-4-rc4.patch.

==== pam ====
Subpackages: pam_unix

- pam_umask-usergroups-login_defs.patch: Deprecate pam_umask explicit "usergroups" option and instead read it from login.def's "USERGROUP_ENAB" option if umask is only defined there. [bsc#1189139]
- package man5/motd.5 as a man-pages link to man8/pam_motd.8 [bsc#1188724]

==== patterns-microos ====
Subpackages: patterns-microos-alt_onlyDVD patterns-microos-apparmor patterns-microos-base patterns-microos-base-microdnf patterns-microos-base-packagekit patterns-microos-base-zypper patterns-microos-basesystem patterns-microos-cloud patterns-microos-cockpit patterns-microos-defaults patterns-microos-hardware patterns-microos-ima_evm patterns-microos-onlyDVD patterns-microos-ra_agent patterns-microos-ra_verifier patterns-microos-selinux patterns-microos-sssd_ldap

- Switch from PulseAudio to PipeWire

==== pcre ====
Version update (8.44 -> 8.45)

- update to 8.45:
  * This is the final PCRE1 release. A very few small issues have been fixed.

==== python-distro ====
Version update (1.5.0 -> 1.6.0)

- Update to version 1.6.0
  * Deprecated the distro.linux_distribution() function. Use distro.id(), distro.version() and distro.name() instead [#296]
  * Deprecated Python 2.7, 3.4 and 3.5 support. Further releases will only support Python 3.6+
  * Added type hints to distro module [#269]
  * Added __version__ for checking distro version [#292]
  * Added support for arbitrary rootfs via the root_dir parameter [#247]
  * Added the --root-dir option to CLI [#161]
  * Added fallback to /usr/lib/os-release when /etc/os-release isn't available [#262]
  * Fixed subprocess.CalledProcessError when running lsb_release [#261]
  * Ignore /etc/iredmail-release file while parsing distribution [#268]
  * Use a binary file for /dev/null to avoid TextIOWrapper overhead [#271]

==== python-gobject ====

- Adjust BuildRequires for python_module cairo to python-module pycairo: the module was renamed 2 years ago.
- Skip build for python2: not supported anymore since 3.38.0.

==== python-networkx ====
Version update (2.5.1 -> 2.6.1)

- require pandas
- update to 2.6.2:
  * This release is the result of 11 months of work with over 363 pull requests by 91 contributors. Highlights include:
  * Dropped support for Python 3.6.
  * NumPy, SciPy, Matplotlib, and pandas are now default requirements.
  * NetworkX no longer depends on the library "decorator".
  * Improved example gallery
  * Removed code for supporting Jython/IronPython
  * The __str__ method for graph objects is more informative and concise.
  * Improved import time
  * Improved test coverage
  * New documentation theme
  * Add functionality for drawing self-loop edges
  * Add approximation algorithms for Traveling Salesman Problem
- drop 0001-Replace-hash-function-for-test-of-weighted-astar.patch, yaml-loader.patch (merged upstream)

==== python-python-gnupg ====
Version update (0.4.6 -> 0.4.7)

- update to 0.4.7:
  * Added support for no passphrase during key generation.
  * Improved permission-denied test.
  * Updated logging to only show partial results.
  * Allowed a passphrase to be passed to import_keys().

==== python-pyzmq ====
Version update (22.1.0 -> 22.2.1)

- Update to 22.2.1
  * Nicer reprs of contexts and sockets
  * Memory allocated by recv(copy=False) is no longer read-only
  * asyncio: Always reference current loop instead of attaching to the current loop at instantiation time. This fixes e.g. contexts and/or sockets instantiated prior to a call to asyncio.run.

==== python-tornado6 ====

- Remove exec bits from demos: fix boo#1189066
- Add python-tornado6-rpmlintrc for empty JS resource in demo

==== python38 ====
Version update (3.8.10 -> 3.8.11)

- Update to 3.8.11
  * Security
    - bpo-44022 (boo#1189241): mod:http.client now avoids infinitely reading potential HTTP headers after a 100 Continue status response from the server.
    - bpo-43882: The presence of newline or tab characters in parts of a URL could allow some forms of attacks. Following the controlling specification for URLs defined by WHATWG urllib.parse() now removes ASCII newlines and tabs from URLs, preventing such attacks.
    - bpo-42800: Audit hooks are now fired for frame.f_code, traceback.tb_frame, and generator code/frame attribute access.
  * Core and Builtins
    - bpo-44070: No longer eagerly makes import filenames absolute, except for extension modules, which was introduced in 3.8.10.
  * Library
    - bpo-44061: Fix regression in previous release when calling pkgutil.iter_modules() with a list of pathlib.Path objects
- Use versioned python-Sphinx to avoid dependency on other version of Python (bsc#1183858).

==== python38-core ====
Version update (3.8.10 -> 3.8.11)
Subpackages: libpython3_8-1_0 python38-base

- Update to 3.8.11
  * Security
    - bpo-44022 (boo#1189241): mod:http.client now avoids infinitely reading potential HTTP headers after a 100 Continue status response from the server.
    - bpo-43882: The presence of newline or tab characters in parts of a URL could allow some forms of attacks. Following the controlling specification for URLs defined by WHATWG urllib.parse() now removes ASCII newlines and tabs from URLs, preventing such attacks.
    - bpo-42800: Audit hooks are now fired for frame.f_code, traceback.tb_frame, and generator code/frame attribute access.
  * Core and Builtins
    - bpo-44070: No longer eagerly makes import filenames absolute, except for extension modules, which was introduced in 3.8.10.
  * Library
    - bpo-44061: Fix regression in previous release when calling pkgutil.iter_modules() with a list of pathlib.Path objects
- Use versioned python-Sphinx to avoid dependency on other version of Python (bsc#1183858).

==== qemu ====

- usb: unbounded stack allocation in usbredir (bsc#1186012, CVE-2021-3527)
  hw-usb-Do-not-build-USB-subsystem-if-not.patch
  hw-usb-host-stub-Remove-unused-header.patch
  usb-hid-avoid-dynamic-stack-allocation.patch
  usb-limit-combined-packets-to-1-MiB-CVE-.patch
  usb-mtp-avoid-dynamic-stack-allocation.patch
- usbredir: free call on invalid pointer in bufp_alloc (bsc#1189145, CVE-2021-3682)
  usbredir-fix-free-call.patch
- Add stable patches from upstream:
  block-nvme-Fix-VFIO_MAP_DMA-failed-No-sp.patch
  hw-net-can-sja1000-fix-buff2frame_bas-an.patch
  hw-pci-host-q35-Ignore-write-of-reserved.patch

==== rpcbind ====

- Add now working CONFIG parameter to sysusers generator
- UsrMerge changes

==== snappy ====
Version update (1.1.8 -> 1.1.9)

- Update to 1.1.9:
  * Performance improvements
- Add fix-always-inline.patch
- Add use-system-test-libs.patch
- Add a hardcoded snappy.pc file

==== systemd ====
Subpackages: libsystemd0 libudev1 systemd-logger systemd-sysvinit udev

- Avoid the error message when udev is updated due to udev being already active when the sockets are started again (bsc#1188291)

==== transactional-update ====
Version update (3.4.0 -> 3.5.1)
Subpackages: dracut-transactional-update libtukit0 transactional-update-zypp-config tukit

- Version 3.5.1
  - t-u: Disable status file generation by default
    The new experimental `status` command requires the availability of /etc/YaST2/control.xml, which is not present on all systems. Hide the creation of the corresponding status file behind a new EXPERIMENTAL_STATUS option to try out this functionality.
  - Increase library version
  - Add tukit.conf to spec file
- Version 3.5.0
  - Add alias setDiscardIfUnchanged for setDiscard. The old method name wasn't really clear and will be removed if we should have an API break in the future
  - Replace mkinitrd with direct dracut call [boo#1186213]
  - tukit: Add configuration file support (/etc/tukit.conf)
  - Allow users to configure additional bind mounts (see /usr/etc/tukit.conf for an example and limitations) [bsc#1188322]
  - Add 'transactional-update status' call. This is a POC for obtaining a hash of a system to verify its integrity. The functionality is still experimental!
  - Internal bugfixes / optimizations

==== u-boot-rpiarm64 ====
Subpackages: u-boot-rpiarm64-doc

- u-boot-bin.spl is used for UART or USB boot. Let's package it for convenience.
Patch queue updated from https://github.com/openSUSE/u-boot.git tumbleweed-2021.07
* Patches added:
  0014-btrfs-Use-default-subvolume-as-file.patch - boo#1185656