Packages changed:
  apache2
  bash
  busybox
  chrony (3.4 -> 3.5)
  dhcp
  file
  libssh2_org
  ncurses
  openssh (7.9p1 -> 8.1p1)
  openvpn
  perl-Cpanel-JSON-XS (4.14 -> 4.15)
  pidgin
  pmdk (1.6 -> 1.7)
  speech-dispatcher (0.9.0 -> 0.9.1)
  talloc
  texinfo
  vim
  virtualbox (6.0.12 -> 6.0.14)
  xorg-x11-server (1.20.5 -> 1.20.5+24)
  yast2-schema (4.2.4 -> 4.2.5)
  zlib

=== Details ===

==== apache2 ====
Subpackages: apache2-devel apache2-doc apache2-example-pages apache2-prefork apache2-utils

- load private keys and certificates from pkcs11 token [SLE-7653]
- added patches
  load certificates from openssl engine
  + apache2-load-certificates-from-pkcs11.patch
  load private keys from openssl engine
  + apache2-load-private-keys-from-pkcs11.patch

==== bash ====
Subpackages: bash-doc bash-lang

- Remove PILOTPORT and PILOTRATE environment variable from default
  ~/.bashrc (/etc/skel/.bashrc) (bsc#1123510)
- Move definitions of environment variables from ~/.bashrc to
  ~/.profile (/etc/skel/.profile)

==== busybox ====

- Add man.conf to container variant

==== chrony ====
Version update (3.4 -> 3.5)

- Fix asciidoc in Tumbleweed
- Revert clknetsim to version 58c5e8b
- Fix incorrect download link for package signature
- Temporarily disable signature usage as it's expired
- Update clknetsim to version ac3c832
- fix chrony-service-helper.patch
- Update to 3.5:
  + Add support for more accurate reading of PHC on Linux 5.0
  + Add support for hardware timestamping on interfaces with
    read-only timestamping configuration
  + Add support for memory locking and real-time priority on
    FreeBSD, NetBSD, Solaris
  + Update seccomp filter to work on more architectures
  + Validate refclock driver options
  + Fix bindaddress directive on FreeBSD
  + Fix transposition of hardware RX timestamp on Linux 4.13 and later
  + Fix building on non-glibc systems

==== dhcp ====
Subpackages: dhcp-client dhcp-doc dhcp-relay dhcp-server

- bsc#1134078, CVE-2019-6470, dhcp-CVE-2019-6470.patch: DHCPv6 server
  crashes regularly.
- Add compile option --enable-secs-byteorder to avoid duplicate lease
  warnings [bsc#1089524].
- Make systemd a weak dependency as we don't want that in a container
- bsc#1136572: Use IPv6 when called as dhclient6, dhcpd6, and dhcrelay6
  (0021-dhcp-ip-family-symlinks.patch).

==== file ====
Subpackages: file-magic libmagic1

- Add temporary patch CVE-2019-18218-46a8443f.patch from upstream
  to fix bsc#1154661 -- heap-based buffer overflow in
  cdf_read_property_info in cdf.c
- Let python-magic build with latest rpm

==== libssh2_org ====

- Security fix: [bsc#1154862, CVE-2019-17498]
  * The SSH_MSG_DISCONNECT:packet.c logic has an integer overflow in a
    bounds check that might lead to disclosure of sensitive information
    or cause a denial of service
  * Add patch libssh2_org-CVE-2019-17498.patch

==== ncurses ====
Subpackages: libncurses6 ncurses-devel ncurses-utils tack terminfo terminfo-base terminfo-screen

- Add ncurses patch 20191019
  + modify make_hash to not require --disable-leaks, to simplify building
    with address-sanitizer.
  + modify tic to exit if it cannot remove a conflicting name, because
    treating that as a partial success can cause an infinite loop in
    use-resolution (report/testcase by Hongxu Chen, cf: 20111001).
- Add ncurses patch 20191015
  + improve buffer-checks in captoinfo.c, for some cases when the input
    string is shorter than expected.
  > fix two errata in tic (report/testcases by Hongxu Chen):
  + check for missing character after backslash in write_it
  + check for missing characters after "%>" when converting from termcap
    syntax (cf: 980530).
- Avoid recursion trouble in spec file caused by undefined _lto_cflags
- Add ncurses patch 20191012
  + amend recent changes to ncurses*-config and pc-files to filter out
    Debian linker-flags (report by Sven Joachim, cf: 20150516).
  + clarify relationship between tic, infocmp and captoinfo in manpage.
  + check for invalid hashcode in _nc_find_type_entry and
    _nc_find_name_entry.
  > fix several errata in tic (reports/testcases by "zjuchenyuan"):
  + check for invalid hashcode in _nc_find_entry.
  + check for missing character after backslash in fmt_entry
  + check for acsc with odd length in dump_entry in check for one-one
    mapping (cf: 20060415);
  + check length when converting from old AIX box_chars_1 capability,
    overlooked in changes to eliminate strcpy (cf: 20001007).
- Add ncurses patch 20191005
  + modify the ncurse*-config and pc-files to more closely match for the
    -I and -l options.

==== openssh ====
Version update (7.9p1 -> 8.1p1)
Subpackages: openssh-helpers

- Add openssh-7.9p1-keygen-preserve-perms.patch (bsc#1150574).
  This attempts to preserve the permissions of any existing
  known_hosts file when modified by ssh-keygen (for instance,
  with -R).
- Add patch from upstream openssh-7.9p1-revert-new-qos-defaults.patch
- Run 'ssh-keygen -A' on startup only if SSHD_AUTO_KEYGEN="yes"
  in /etc/sysconfig/ssh. This is set to "yes" by default, but
  can be changed by the system administrator (bsc#1139089).
- Add openssh-7.9p1-keygen-preserve-perms.patch (bsc#1150574).
  This attempts to preserve the permissions of any existing
  known_hosts file when modified by ssh-keygen (for instance,
  with -R).
- Version update to 8.1p1:
  * ssh-keygen(1): when acting as a CA and signing certificates with
    an RSA key, default to using the rsa-sha2-512 signature algorithm.
    Certificates signed by RSA keys will therefore be incompatible
    with OpenSSH versions prior to 7.2 unless the default is
    overridden (using "ssh-keygen -t ssh-rsa -s ...").
  * ssh(1): Allow %n to be expanded in ProxyCommand strings
  * ssh(1), sshd(8): Allow prepending a list of algorithms to the
    default set by starting the list with the '^' character, E.g.
    "HostKeyAlgorithms ^ssh-ed25519"
  * ssh-keygen(1): add an experimental lightweight signature and
    verification ability.
    Signatures may be made using regular ssh keys
    held on disk or stored in a ssh-agent and verified against an
    authorized_keys-like list of allowed keys. Signatures embed a
    namespace that prevents confusion and attacks between different
    usage domains (e.g. files vs email).
  * ssh-keygen(1): print key comment when extracting public key from a
    private key.
  * ssh-keygen(1): accept the verbose flag when searching for host keys
    in known hosts (i.e. "ssh-keygen -vF host") to print the matching
    host's random-art signature too.
  * All: support PKCS8 as an optional format for storage of private
    keys to disk. The OpenSSH native key format remains the default,
    but PKCS8 is a superior format to PEM if interoperability with
    non-OpenSSH software is required, as it may use a less insecure
    key derivation function than PEM's.
- Additional changes from 8.0p1 release:
  * scp(1): Add "-T" flag to disable client-side filtering of
    server file list.
  * sshd(8): Remove support for obsolete "host/port" syntax.
  * ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in
    PKCS#11 tokens.
  * ssh(1), sshd(8): Add experimental quantum-computing resistant
    key exchange method, based on a combination of Streamlined NTRU
    Prime 4591^761 and X25519.
  * ssh-keygen(1): Increase the default RSA key size to 3072 bits,
    following NIST Special Publication 800-57's guidance for a
    128-bit equivalent symmetric security level.
  * ssh(1): Allow "PKCS11Provider=none" to override later instances of
    the PKCS11Provider directive in ssh_config.
  * sshd(8): Add a log message for situations where a connection is
    dropped for attempting to run a command but a sshd_config
    ForceCommand=internal-sftp restriction is in effect.
  * ssh(1): When prompting whether to record a new host key, accept
    the key fingerprint as a synonym for "yes". This allows the user
    to paste a fingerprint obtained out of band at the prompt and
    have the client do the comparison for you.
  * ssh-keygen(1): When signing multiple certificates on a single
    command-line invocation, allow automatically incrementing the
    certificate serial number.
  * scp(1), sftp(1): Accept -J option as an alias to ProxyJump on
    the scp and sftp command-lines.
  * ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v"
    command-line flags to increase the verbosity of output; pass
    verbose flags through to subprocesses, such as ssh-pkcs11-helper
    started from ssh-agent.
  * ssh-add(1): Add a "-T" option to allow testing whether keys in
    an agent are usable by performing a signature and a verification.
  * sftp-server(8): Add a "lsetstat@openssh.com" protocol extension
    that replicates the functionality of the existing
    SSH2_FXP_SETSTAT operation but does not follow symlinks.
  * sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request
    they do not follow symlinks.
  * sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes
    the connection 4-tuple available to PAM modules that wish to use
    it in decision-making.
  * sshd(8): Add a ssh_config "Match final" predicate. Matches in same
    pass as "Match canonical" but doesn't require hostname
    canonicalisation be enabled.
  * sftp(1): Support a prefix of '@' to suppress echo of sftp batch
    commands.
  * ssh-keygen(1): When printing certificate contents using
    "ssh-keygen -Lf /path/certificate", include the algorithm that
    the CA used to sign the cert.
- Rebased patches:
  * openssh-7.7p1-IPv6_X_forwarding.patch
  * openssh-7.7p1-X_forward_with_disabled_ipv6.patch
  * openssh-7.7p1-cavstest-ctr.patch
  * openssh-7.7p1-cavstest-kdf.patch
  * openssh-7.7p1-disable_openssl_abi_check.patch
  * openssh-7.7p1-fips.patch
  * openssh-7.7p1-fips_checks.patch
  * openssh-7.7p1-hostname_changes_when_forwarding_X.patch
  * openssh-7.7p1-ldap.patch
  * openssh-7.7p1-seed-prng.patch
  * openssh-7.7p1-sftp_force_permissions.patch
  * openssh-7.7p1-sftp_print_diagnostic_messages.patch
  * openssh-8.0p1-gssapi-keyex.patch
    (formerly openssh-7.7p1-gssapi_key_exchange.patch)
  * openssh-8.1p1-audit.patch
    (formerly openssh-7.7p1-audit.patch)
- Removed patches (integrated upstream):
  * 0001-upstream-Fix-two-race-conditions-in-sshd-relating-to.patch
  * openssh-7.7p1-seccomp_ioctl_s390_EP11.patch
  * openssh-7.9p1-CVE-2018-20685.patch
  * openssh-7.9p1-brace-expansion.patch
  * openssh-CVE-2019-6109-force-progressmeter-update.patch
  * openssh-CVE-2019-6109-sanitize-scp-filenames.patch
  * openssh-CVE-2019-6111-scp-client-wildcard.patch
- Removed patches (obsolete):
  * openssh-openssl-1_0_0-compatibility.patch

==== openvpn ====

- Add p11kit build time dependency for pkcs providers autodetection

==== perl-Cpanel-JSON-XS ====
Version update (4.14 -> 4.15)

- updated to 4.15
  see /usr/share/doc/packages/perl-Cpanel-JSON-XS/Changes
  4.15 2019-10-21 (rurban)
  - Fix more tests for nvtype long double

==== pidgin ====
Subpackages: libpurple libpurple-lang libpurple-tcl

- Add pidgin-Leaky-deprecation-clean-ups.patch: Fix warnings of
  deprecation of GParameter that result in build failures of
  plugins that build with -Werror (pidgin.im#17415).

==== pmdk ====
Version update (1.6 -> 1.7)
Subpackages: libpmem1

- Update to PMDK 1.7 (jsc#SLE-9886)
- Introduces new APIs in libpmemobj for managing space used by
  transactions.
  (see pmemobj_tx_log_append_buffer man page for details)
- Introduces new APIs in librpmem, splitting rpmem_persist into
  rpmem_flush and rpmem_drain, allowing applications to use the
  flush + drain model already known from libpmem.
  (libpmemobj does not use this feature yet)
- Optimizes large libpmemobj transactions by significantly reducing
  the amount of memory modified at the commit phase.
- Optimizes tracking of libpmemobj reservations.
- Adds new flags for libpmemobj's pmemobj_tx_xadd_range[_direct] API:
  POBJ_XADD_NO_SNAPSHOT and POBJ_XADD_ASSUME_INITIALIZED, allowing
  applications to optimize how memory is tracked by the library.
- To support some of the above changes the libpmemobj on-media layout
  had to be changed, which means that old pools have to be converted
  using pmdk-convert >= 1.7.

==== speech-dispatcher ====
Version update (0.9.0 -> 0.9.1)
Subpackages: libspeechd2 python3-speechd speech-dispatcher-configure speech-dispatcher-module-espeak

- Drop -ibmtts package for now. It requires a third-party library
  which we do not package.
- Drop intltool from BuildRequires. Require gettext.
- Exclude ibmtts.conf from the main package.
- Update to version 0.9.1:
  * Add module for the non-free IBM TTS (voxin) speech synthesis.
  * Extend licence to later versions of GPL and LGPL.
  * Update mailing list address to savannah.
  * Make generic modules fallback to existing voices.
- Create separate package for ibmtts module: most users won't use
  this.

==== talloc ====
Subpackages: libtalloc2 libtalloc2-32bit python3-talloc

- Add two patches making build compatible with Python 3.8.0:
  - waf_upgrade.patch
  - waf_use_native_waf_timer.patch

==== texinfo ====
Subpackages: info info-std makeinfo

- Delete info-dir as not required anymore
- Mark /usr/share/info/dir as %ghost
- Add a rpmlintrc file to silence useless warnings

==== vim ====
Subpackages: gvim vim-data vim-data-common

- Add python38-config.patch to make vim buildable with new Python 3.8.
  (gh#vim/vim#4080)

==== virtualbox ====
Version update (6.0.12 -> 6.0.14)
Subpackages: virtualbox-guest-tools virtualbox-guest-x11 virtualbox-kmp-default

- Tweak file setup for appstream.
- Add directory %{buildroot}%{_datadir}/metainfo for metafile
  "virtualbox.appdata.xml"
- Add appstream file (boo#1154128)
- Version bump to 6.0.14 (released October 15 2019 by Oracle)
  This is a maintenance release. The following items were fixed and/or added:
  Virtualization core: fixed an invalid-guest state guru meditation in some rare circumstances on Intel hosts
  Virtualization core: some fixes for systems with lots of processors
  Audio: relaxed VRM / VRA (variable rate audio) bit checks to provide more compatibility for guests running ALSA setups with the AC'97 emulation
  USB: made device capturing for passthrough more accurate and reliable on Windows host
  Network: fixed potential issue with interrupt signalling for network adapters in UEFI guests
  3D: fixed flicker and redraw issues when using VBoxSVGA or VMSVGA graphics adapter (bugs #18562, #18956)
  3D: fixed crash with some applications when using VBoxSVGA or VMSVGA graphics adapter (bug #18638)
  macOS host: fix crash of GUI VM process which showed up frequently with 10.15 Catalina (bug #18990)
  Linux host: support Linux 5.3, thank you Larry Finger (see also bug #18911)
  Linux host: improve python version detection during rpm package creation, can change package dependencies and fix some installation problems
  Linux guests: calls to aio_read(3) and aio_write(3) may fail inside shared folders (bug #18805)
  Linux guests: fix problem with shared folder unmounting in service script, thank you Denis Ryndine (bug #18853)
  Linux guests: VBox 6.0.10 GAs fail to compile on Red Hat/CentOS/Oracle Linux 7.7 and Red Hat 8.1 Beta (bug #18917)
  Fix vulnerabilities CVE-2019-3028 CVE-2019-3017 CVE-2019-2944 CVE-2019-3026 CVE-2019-3021 CVE-2019-2984 CVE-2019-3002 CVE-2019-3005 CVE-2019-3031 CVE-2019-1547 CVE-2019-2926 (bsc#1154166)
  Removed file "fixes_for_5.3.patch" - fixes included upstream.

==== xorg-x11-server ====
Version update (1.20.5 -> 1.20.5+24)
Subpackages: xorg-x11-server-Xvfb xorg-x11-server-extra xorg-x11-server-sdk xorg-x11-server-wayland

- Update to version 1.20.5+24:
  * Fix crash on XkbSetMap
- Drop unneeded obsinfo file and tweak _service.
- Update to version 1.20.5+22:
  * miext/sync:
    - Make struct _SyncObject::initialized fully ABI compatible
    - Fix needless ABI change
  * xf86: Disable unused crtc functions when a lease is revoked
  * xwayland:
    - Handle the case of windows being realized before redirection
    - Refactor surface creation into a separate function
    - Separate DamagePtr into separate window data
    - Do not free a NULL GBM bo
    - Expand the RANDR screen size limits
    - Update screen pixmap on output resize
    - Reset scheduled frames after hiding tablet cursor
    - Check status in GBM pixmap creation
    - Avoid a crash on pointer enter with a grab
  * GLX:
    - Fix previous context validation in xorgGlxMakeCurrent
    - Set GlxServerExports::{major,minor}Version
    - Add a function to change a clients vendor list
    - Use the sending client for looking up XID's
    - Add a per-client vendor mapping
  * xsync: Add resource inside of SyncCreate, export SyncCreate
  * dri2: Sync i965_pci_ids.h from mesa
  * Xi: Use current device active grab to deliver touch events if any
  * Revert "present/scmd: Check that the flip and screen pixmap pitches match"
  * glamor: Make pixmap exportable from `gbm_bo_from_pixmap()`
- Drop patches fixed upstream:
  * U_xwayland-Separate-DamagePtr-into-separate-window-data.patch
  * 0001-xsync-Add-resource-inside-of-SyncCreate-export-SyncC.patch
  * 0002-GLX-Add-a-per-client-vendor-mapping.patch
  * 0003-GLX-Use-the-sending-client-for-looking-up-XID-s.patch
  * 0004-GLX-Add-a-function-to-change-a-clients-vendor-list.patch
  * 0005-GLX-Set-GlxServerExports-major-minor-Version.patch
- Switch to gitcheckout via source service, use the stable released
  branch but set explicit commit used in _service.

==== yast2-schema ====
Version update (4.2.4 -> 4.2.5)

- Added extra_services to security.rnc file (bsc#1153623).
- 4.2.5

==== zlib ====
Subpackages: libminizip1 libz1 libz1-32bit zlib-devel

- Add SUSE specific patch to fix bsc#1138793, we simply don't want
  to test if the app was linked with exactly same version of zlib
  like the one that is present on the runtime:
  * zlib-no-version-check.patch