Removed rpms ============ - apache2-mod_php7 - libpoppler126 - libqgpgme7 - libsemanage1 - libsepol1 - mlocate - mlocate-lang - noto-sans-jp-bold-fonts - noto-sans-jp-fonts - noto-sans-jp-regular-fonts - noto-sans-kr-bold-fonts - noto-sans-kr-fonts - noto-sans-kr-regular-fonts - noto-sans-sc-bold-fonts - noto-sans-sc-fonts - noto-sans-sc-regular-fonts - noto-sans-tc-bold-fonts - noto-sans-tc-fonts - noto-sans-tc-regular-fonts - noto-serif-jp-bold-fonts - noto-serif-jp-fonts - noto-serif-jp-regular-fonts - noto-serif-kr-bold-fonts - noto-serif-kr-fonts - noto-serif-kr-regular-fonts - noto-serif-sc-bold-fonts - noto-serif-sc-fonts - noto-serif-sc-regular-fonts - noto-serif-tc-bold-fonts - noto-serif-tc-fonts - noto-serif-tc-regular-fonts - php7 - php7-cli - php7-ctype - php7-dom - php7-iconv - php7-json - php7-mysql - php7-openssl - php7-pdo - php7-pgsql - php7-sqlite - php7-tokenizer - php7-xmlreader - php7-xmlwriter Added rpms ========== - apache2-mod_php8 - libpcre2-8-0-32bit - libpoppler132 - libqgpgme15 - libraw23 - libsemanage-conf - libsemanage2 - libsepol2 - php8 - php8-cli - php8-ctype - php8-dom - php8-iconv - php8-mysql - php8-openssl - php8-pdo - php8-pgsql - php8-sqlite - php8-tokenizer - php8-xmlreader - php8-xmlwriter Package Source Changes ====================== MozillaFirefox +- Firefox Extended Support Release 115.6.0 ESR + Placeholder changelog-entry (bsc#1217974) + - Placeholder changelog-entry (bsc#1217230) + * Fixed: Various security fixes and other quality improvements. + MFSA 2023-50 (bsc#1217230) + * CVE-2023-6204 (bmo#1841050) + Out-of-bound memory access in WebGL2 blitFramebuffer + * CVE-2023-6205 (bmo#1854076) + Use-after-free in MessagePort::Entangled + * CVE-2023-6206 (bmo#1857430) + Clickjacking permission prompts using the fullscreen + transition + * CVE-2023-6207 (bmo#1861344) + Use-after-free in ReadableByteStreamQueueEntry::Buffer + * CVE-2023-6208 (bmo#1855345) + Using Selection API would copy contents into X11 primary + selection. + * CVE-2023-6209 (bmo#1858570) + Incorrect parsing of relative URLs starting with "///" + * CVE-2023-6212 (bmo#1658432, bmo#1820983, bmo#1829252, + bmo#1856072, bmo#1856091, bmo#1859030, bmo#1860943, + bmo#1862782) + Memory safety bugs fixed in Firefox 120, Firefox ESR 115.5, + and Thunderbird 115.5 avahi +- Add avahi-CVE-2023-38472.patch: Fix reachable assertion in + avahi_rdata_parse (bsc#1216853, CVE-2023-38472). + curl +- Fix: libssh: Implement SFTP packet size limit (bsc#1216987) + * Add curl-libssh_Implement_SFTP_packet_size_limit.patch + freerdp +- Add freerdp-CVE-2023-39350-to-2023-40589.patch + + Multiple CVE fixes + * bsc#1214856, CVE-2023-39350 + * bsc#1214857, CVE-2023-39351 + * bsc#1214858, CVE-2023-39352 + * bsc#1214859, CVE-2023-39353 + * bsc#1214860, CVE-2023-39354 + * bsc#1214862, CVE-2023-39356 + * bsc#1214863, CVE-2023-40181 + * bsc#1214864, CVE-2023-40186 + * bsc#1214866, CVE-2023-40188 + * bsc#1214867, CVE-2023-40567 + * bsc#1214868, CVE-2023-40569 + * bsc#1214869, CVE-2023-40574 + * bsc#1214870, CVE-2023-40575 + * bsc#1214871, CVE-2023-40576 + * bsc#1214872, CVE-2023-40589 + ghostscript +- CVE-2023-46751.patch is derived for Ghostscript-9.52 from + https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=dcdbc595c13 + (there is no "device initialization redesign" in Ghostscript-9.52) + that fixes CVE-2023-46751 + "dangling pointer in gdev_prn_open_printer_seekable()" + see https://bugs.ghostscript.com/show_bug.cgi?id=707264 + (bsc#1217871) + gimp +- Add gimp-CVE-2023-44442.patch: fix gimp file parsing heap-based + buffer overflow (boo#1217161 CVE-2023-44442) +- Add gimp-CVE-2023-44443-44444.patch: fix gimp file parsing Integer + overflow remote code execution vulnerability (boo#1217162 + CVE-2023-44443) fix gimp file parsing Off-By-One remote code + execution vulnerability(boo#1217163 CVE-2023-44444) +- Add gimp-CVE-2023-44441.patch: fix gimp DDS file parsing heap-based + buffer overflow remote code execution vulnerability (boo#1217160 + CVE-2023-44441) + glibc +- aarch64-rawmemchr-unwind.patch: aarch64: correct CFI in rawmemchr + (bsc#1217445, BZ #31113) + +- Remove systemd from shadow and gshadow lookups (bsc#1217220) + glibc:i686 +- aarch64-rawmemchr-unwind.patch: aarch64: correct CFI in rawmemchr + (bsc#1217445, BZ #31113) + +- Remove systemd from shadow and gshadow lookups (bsc#1217220) + gnome-screenshot +- Add b60dad3c2536c17bd201f74ad8e40eb74385ed9f.patch: Fix build + with meson 0.60 and newer. +- Replace pkgconfig(appstream-glib) with appstream-glib and + desktop-file-utils BuildRequires, and add a check section and run + meson_test macro, validate metainfo and desktop file during build + via upstream provided automated tests. + gnutls -- FIPS: PBKDF2 additional requirements [bsc#1209001] - * Set the minimum output key length to 112 bits (FIPS 140-3 IG D.N) - * Set the minimum salt length to 128 bits (SP 800-132 sec. 5.1) - * Set the minimum iterations count to 1000 (SP 800-132 sec 5.2) - * Set the minimum passlen of 20 characters (SP SP800-132 sec 5) - * Add regression tests for the new PBKDF2 requirements. - * Add gnutls-FIPS-pbkdf2-additional-requirements.patch - -- libgnutls: Increase the limit of TLS PSK usernames from 128 to - 65535 characters. [bsc#1208237, jsc#PED-1562] - * Upstream: https://gitlab.com/gnutls/gnutls/commit/f032324a - * Add gnutls-increase-TLS-PSK-username-limit.patch - -- FIPS: Fix pct_test() return code in case of error [bsc#1207183] - * Rebase with the upstream version: gnutls-FIPS-PCT-DH.patch +- Fix missing GNUTLS_NO_EXTENSIONS compatibility. + * Upstream: gitlab.com/gnutls/gnutls/commit/abfa8634 + * Add gnutls-GNUTLS_NO_EXTENSIONS-compatibility.patch + +- tests: Fix the SRP test that fails with SIGPIPE signal return due + to a socket being closed before using it. + * Add gnutls-srp-test-SIGPIPE.patch + +- Update to version 3.8.1: + * libgnutls: ClientHello extensions are randomized by default + To make fingerprinting harder, TLS extensions in ClientHello + messages are shuffled. As this behavior may cause compatibility + issue with legacy applications that do not accept the last + extension without payload, the behavior can be reverted with the + %NO_SHUFFLE_EXTENSIONS priority keyword. + * libgnutls: Add support for RFC 9258 external PSK importer. + This enables to deploy the same PSK across multiple TLS versions + (TLS 1.2 and TLS 1.3) in a secure manner. To use, the application + needs to set up a callback that formats the PSK identity using + gnutls_psk_format_imported_identity(). + * libgnutls: %GNUTLS_NO_EXTENSIONS has been renamed to + %GNUTLS_NO_DEFAULT_EXTENSIONS. + * libgnutls: Add additional PBKDF limit checks in FIPS mode as + defined in SP 800-132. Minimum salt length is 128 bits and + minimum iterations bound is 1000 for PBKDF in FIPS mode. + * libgnutls: Add a mechanism to control whether to enforce extended + master secret (RFC 7627). FIPS 140-3 mandates the use of TLS + session hash (extended master secret, EMS) in TLS 1.2. To enforce + this, a new priority keyword %FORCE_SESSION_HASH is added and if + it is set and EMS is not set, the peer aborts the connection. This + behavior is the default in FIPS mode, though it can be overridden + through the configuration file with the "tls-session-hash" option. + In either case non-EMS PRF is reported as a non-approved operation + through the FIPS service indicator. + * New option --attime to specify current time. + To make testing with different timestamp to the system easier, the + tools doing certificate verification now provide a new option + - -attime, which takes an arbitrary time. + * API and ABI modifications: + gnutls_psk_client_credentials_function3: New typedef + gnutls_psk_server_credentials_function3: New typedef + gnutls_psk_set_server_credentials_function3: New function + gnutls_psk_set_client_credentials_function3: New function + gnutls_psk_format_imported_identity: New function + GNUTLS_PSK_KEY_EXT: New enum member of gnutls_psk_key_flags + * Rebase patches: + - gnutls-FIPS-140-3-references.patch + - gnutls-FIPS-jitterentropy.patch + * Remove patches merged/fixed upstream: + - gnutls-FIPS-PCT-DH.patch + - gnutls-FIPS-PCT-ECDH.patch + +- FIPS: Fix baselibs.conf to mention libgnutls30-hmac [bsc#1211476] + Extend also the checks in gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch + +- FIPS: Skip the fixed HMAC verification for nettle, hogweed and + gmp libraries. These calculated HMACs change for every build of + each of these packages, we only have to verify that for gnutls. + * Add gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch [bsc#1211476] + +- FIPS: Merge libgnutls30-hmac package into the library [bsc#1185116] + +- Disable GNULIB's year2038 also for 32-bit arm - boo#1211394 + +- Temporarily disable GNULIB's year2038 support for 64bit time_t + by using the --disable-year2038 flag. This omits support for + timestamps past the year 2038: + * Fixes the public API on 32-bit architectures avoiding to + change the size of time_t as it cannot be changed without + breaking the ABI compatibility. + * Upstream issue: https://gitlab.com/gnutls/gnutls/-/issues/1466 + +- Update to 3.8.0: [bsc#1205763, bsc#1209627] + * libgnutls: Fix a Bleichenbacher oracle in the TLS RSA key + exchange. Reported by Hubert Kario (#1050). Fix developed by + Alexander Sosedkin. [GNUTLS-SA-2020-07-14, CVSS: medium] + [CVE-2023-0361] + * libgnutls: C++ library is now header only. All definitions + from gnutlsxx.c have been moved into gnutlsxx.h. Users of the + C++ interface have two options: + 1. include gnutlsxx.h in their application and link against + the C library. (default) + 2. include gnutlsxx.h in their application, compile with + GNUTLS_GNUTLSXX_NO_HEADERONLY macro defined and link + against the C++ library. + * libgnutls: GNUTLS_NO_STATUS_REQUEST flag and %NO_STATUS_REQUEST + priority modifier have been added to allow disabling of the + status_request TLS extension in the client side. + * libgnutls: TLS heartbeat is disabled by default. + The heartbeat extension in TLS (RFC 6520) is not widely used + given other implementations dropped support for it. To enable + back support for it, supply --enable-heartbeat-support to + configure script. + * libgnutls: SRP authentication is now disabled by default. + It is disabled because the SRP authentication in TLS is not + up to date with the latest TLS standards and its ciphersuites + are based on the CBC mode and SHA-1. To enable it back, supply + - -enable-srp-authentication option to configure script. + * libgnutls: All code has been indented using "indent -ppi1 -linux". + CI/CD has been adjusted to catch regressions. This is implemented + through devel/indent-gnutls, devel/indent-maybe and .gitlab-ci.yml’s + commit-check. You may run devel/indent-gnutls to fix any + indentation issues if you make code modifications. + * guile: Guile-bindings removed. They have been extracted into a + separate project to reduce complexity and to simplify maintenance, + see . + * minitasn1: Upgraded to libtasn1 version 4.19. + * API and ABI modifications: + GNUTLS_NO_STATUS_REQUEST: New flag + GNUTLS_SRTP_AEAD_AES_128_GCM: New gnutls_srtp_profile_t enum member + GNUTLS_SRTP_AEAD_AES_256_GCM: New gnutls_srtp_profile_t enum member + * Merge gnutls-FIPS-Set-error-state-when-jent-init-failed.patch + and gnutls-FIPS-jitterentropy-threadsafe.patch into the main + patch gnutls-FIPS-jitterentropy.patch + * Rebase gnutls-FIPS-140-3-references.patch + * Rebase patches with upstream version: + - gnutls-FIPS-PCT-DH.patch gnutls-FIPS-PCT-ECDH.patch + * Remove patches merged/fixed upstream: + - gnutls-FIPS-disable-failing-tests.patch + - gnutls-verify-library-HMAC.patch + - gnutls_ECDSA_signing.patch + - gnutls-Make-XTS-key-check-failure-not-fatal.patch + - gnutls-FIPS-SLI-pbkdf2-verify-keylengths-only-SHA.patch + * Update keyring with https://gnutls.org/gnutls-release-keyring.gpg -- Security Fix: [bsc#1208143, CVE-2023-0361] - * Bleichenbacher oracle in TLS RSA key exchange - * Add gnutls-CVE-2023-0361.patch +- Update to 3.7.9: [bsc#1208143, CVE-2023-0361] + * libgnutls: Fix a Bleichenbacher oracle in the TLS RSA key + exchange. [GNUTLS-SA-2020-07-14, CVSS: medium][CVE-2023-0361] + * Rebase gnutls-FIPS-140-3-references.patch -- Fix AVX CPU feature detection for OSXSAVE [bsc#1203299] - * Fixes a SIGILL termination at the verzoupper instruction when - trying to run GnuTLS on a Linux kernel with the noxsave command - line parameter set. Relevant mostly for virutal systems. - * Upstream bug: https://gitlab.com/gnutls/gnutls/issues/1282 - * Add gnutls-clear-AVX-bits-if-it-cannot-be-queried-XSAVE.patch +- switch to pkgconfig(zlib) so that alternative providers can be + used + +- Verify only the libgnutls library HMAC [bsc#1199881] + * Do not use the brp-50-generate-fips-hmac script as this + is now calculated with the internal fipshmac tool. + * Add gnutls-verify-library-HMAC.patch + +- Temporarily revert the jitterentropy patches in s390 and s390x + architectures until a fix is provided [bsc#1204937] +- Disable flaky test that fails in s390x architecture: + * Add gnutls-disable-flaky-test-dtls-resume.patch + +- Consolidate the FIPS hmac files [bsc#1203245] + * Use the gnutls fipshmac tool instead of the brp-check-suse + and rename it to reflect on the library version. + * Remove not needed gnutls-FIPS-Run-CFB8-without-offset.patch +- Add a gnutls.rpmlintrc file to remove a hidden-file-or-dir false + positive for the FIPS hmac calculation. + +- Update to 3.7.8: + * libgnutls: In FIPS140 mode, RSA signature verification is an + approved operation if the key has modulus with known sizes + (1024, 1280, 1536, and 1792 bits), in addition to any modulus + sizes larger than 2048 bits, according to SP800-131A rev2. + * libgnutls: gnutls_session_channel_binding performs additional + checks when GNUTLS_CB_TLS_EXPORTER is requested. According to + RFC9622 4.2, the "tls-exporter" channel binding is only usable + when the handshake is bound to a unique master secret (i.e., + either TLS 1.3 or extended master secret extension is + negotiated). Otherwise the function now returns error. + * libgnutls: usage of the following functions, which are designed + to loosen restrictions imposed by allowlisting mode of + configuration, has been additionally restricted. Invoking + them is now only allowed if system-wide TLS priority string + has not been initialized yet: + - gnutls_digest_set_secure + - gnutls_sign_set_secure + - gnutls_sign_set_secure_for_certs + - gnutls_protocol_set_enabled + * Delete gnutls-3.6.6-set_guile_site_dir.patch and use the + - -with-guile-extension-dir configure option to properly + handle the guile extension directory. + * Rebase gnutls-Make-XTS-key-check-failure-not-fatal.patch + * Update gnutls.keyring + * Add a build depencency on gtk-doc required by autoreconf -- FIPS: Zeroize the calculated hmac and new_hmac in the - check_binary_integrity() function. [bsc#1191021] - * Add gnutls-FIPS-Zeroize-check_binary_integrity.patch +- FIPS: Run the CFB8 cipher selftest without offset [bsc#1203245] + * CFB8 list of ciphers: GNUTLS_CIPHER_AES_{128,192,256}_CFB8 + * Add gnutls-FIPS-Run-CFB8-without-offset.patch + +- provide a libgnutls30-hmac-32bit to avoid uninstallable wine + when pattern-base-fips is installed [boo#1203353] -- Security fix: [bsc#1202020, CVE-2022-2509] - * Fixed double free during verification of pkcs7 signatures - * Add gnutls-CVE-2022-2509.patch - -- FIPS: - * Modify gnutls-FIPS-force-self-test.patch [bsc#1198979] - - gnutls_fips140_run_self_tests now properly releases fips_context +- Update to 3.7.7: [bsc#1202020, CVE-2022-2509] + * libgnutls: Fixed double free during verification of pkcs7 + signatures. CVE-2022-2509 + * libgnutls: gnutls_hkdf_expand now only accepts LENGTH argument + less than or equal to 255 times hash digest size, to comply with + RFC 5869 2.3. + * libgnutls: Length limit for TLS PSK usernames has been increased + from 128 to 65535 characters + * libgnutls: AES-GCM encryption function now limits plaintext + length to 2^39-256 bits, according to SP800-38D 5.2.1.1. + * libgnutls: New block cipher functions have been added to + transparently handle padding. gnutls_cipher_encrypt3 and + gnutls_cipher_decrypt3 can be used in combination of + GNUTLS_CIPHER_PADDING_PKCS7 flag to automatically add/remove + padding if the length of the original plaintext is not a multiple + of the block size. + * libgnutls: New function for manual FIPS self-testing. + * API and ABI modifications: + - gnutls_fips140_run_self_tests: New function + - gnutls_cipher_encrypt3: New function + - gnutls_cipher_decrypt3: New function + - gnutls_cipher_padding_flags_t: New enum + * guile: Guile 1.8 is no longer supported + * guile: Session record port treats premature termination as EOF Previously, + a 'gnutls-error' exception with the 'error/premature-termination' value + would be thrown while reading from a session record port when the + underlying session was terminated prematurely. This was inconvenient + since users of the port may not be prepared to handle such an exception. + Reading from the session record port now returns the end-of-file object + instead of throwing an exception, just like it would for a proper + session termination. + * guile: Session record ports can have a 'close' procedure. The + 'session-record-port' procedure now takes an optional second parameter, + and a new 'set-session-record-port-close!' procedure is provided to + specify a 'close' procedure for a session record port. This 'close' + procedure lets users specify cleanup operations for when the port is + closed, such as closing the file descriptor or port that backs the + underlying session. + * Rebase patches: + - gnutls-3.6.6-set_guile_site_dir.patch + - gnutls-FIPS-TLS_KDF_selftest.patch + - gnutls-FIPS-disable-failing-tests.patch + * Remove patch merged upstream: + - gnutls-FIPS-PBKDF2-KAT-requirements.patch + - https://gitlab.com/gnutls/gnutls/merge_requests/1561 - * Add gnutls-FIPS-force-self-test.patch [bsc#1198979] - - Provides interface for running library self tests on-demand - - Upstream: https://gitlab.com/gnutls/gnutls/-/merge_requests/1598 - -- FIPS: Make sure zeroization is performed in all API functions - * Add gnutls-zeroization-API-functions.patch [bsc#1191021] - * Upsream: https://gitlab.com/gnutls/gnutls/-/merge_requests/1573 - -- FIPS: Add missing requirements for the SLI [bsc#1190698] - * Remove 3DES from FIPS approved algorithms: - - gnutls-Remove-3DES-from-FIPS-approved-algos.patch - - Upstream: https://gitlab.com/gnutls/gnutls/-/merge_requests/1570 - * DRBG service (gnutls_rnd) should be considered approved: - - gnutls-Add-missing-FIPS-service-indicator-transitions.patch - - gnutls-Add-missing-FIPS-service-indicator-transitions-tests.patch - - gnutls-pkcs12-tighten-algorithm-checks-under-FIPS.patch - - Upstream: https://gitlab.com/gnutls/gnutls/-/merge_requests/1569 - -- FIPS: Mark AES-GCM as approved in the TLS context [bsc#1194907] - * Add gnutls-FIPS-Mark-HKDF-and-AES-GCM-as-approved-when-used-in-TLS.patch - * Upstream issue: https://gitlab.com/gnutls/gnutls/issues/1311 + +- Update to version 3.7.6: + * libgnutls: Fixed invalid write when gnutls_realloc_zero() is + called with new_size < old_size. This bug caused heap + corruption when gnutls_realloc_zero() has been set as gmp + reallocfunc. + * Remove gnutls-3.7.5-fix-gnutls_realloc_zero.patch: Fixed + upstream. + +- Add gnutls-3.7.5-fix-gnutls_realloc_zero.patch: Fix memory + corruption in gnutls_realloc_zero (gl#gnutls/gnutls#1367, + boo#1199929). + +- update to 3.7.5: + * add options disable session ticket usage in TLS 1.2 because + it does not provide forward secrecy + * For TLS 1.3 where session tickets do provide forward secrecy, + the PFS priority string now only disables session tickets in + TLS 1.2. + * Future backward incompatibility: in the next major release of + GnuTLS those flag and modifier are planned to be removed + * gnutls-cli, gnutls-serv: Channel binding for printing + information has been changed from tls-unique to tls-exporter + as tls-unique is not supported in TLS 1.3. + * Certificate sanity checks has been enhanced to make gnutls + more RFC 5280 compliant: + * Removed 3DES from FIPS approved algorithms + * Optimized support for AES-SIV-CMAC algorithms + * libgnutls: HKDF and AES-GCM algorithms are now approved in + FIPS-140 mode when used in TLS + +- disable kcapi usage for now, as kernel-obs-build not adjusted + to contain the algorithms. bsc#1189283 - * Upstream: https://gitlab.com/gnutls/gnutls/merge_requests/1561 +- Update to 3.7.4: + * libgnutls: Added support for certificate compression as defined + in RFC8879. + * certtool: Added option --compress-cert that allows user to + specify compression methods for certificate compression. + * libgnutls: GnuTLS can now be compiled with --enable-strict-x509 + configure option to enforce stricter certificate sanity checks + that are compliant with RFC5280. + * libgnutls: Removed IA5String type from DirectoryString within + issuer and subject name to make DirectoryString RFC5280 compliant. + * libgnutls: Added function to retrieve the name of current + ciphersuite from session. + * Bump libgnutlsxx soname due to ABI break + * API and ABI modifications: + - GNUTLS_COMP_BROTLI: New gnutls_compression_method_t enum member + - GNUTLS_COMP_ZSTD: New gnutls_compression_method_t enum member + - gnutls_compress_certificate_get_selected_method: Added + - gnutls_compress_certificate_set_methods: Added + * Update gnutls.keyring + +- build with lto +- build with -Wl,-z,now -Wl,-z,relro +- build without -fanalyzer, which cuts build time in ~ half + - - gnutls-3.6.0-disable-flaky-dtls_resume-test.patch -- Add crypto-policies support in SLE-15-SP4 [jsc#SLE-20287] - -- Account for the libnettle soname bump [jsc#SLE-19765] +- Add crypto-policies support for Leap and SLE 15.4 [jsc#SLE-20287] +- Add DANE guards -- Update to 3.7.2 in SLE-15-SP4: [jsc#SLE-19765, jsc#SLE-18139] - - Add gnutls-temporarily_disable_broken_guile_reauth_test.patch - - Rebased patches: - * disable-psk-file-test.patch - * gnutls-3.6.0-disable-flaky-dtls_resume-test.patch - * gnutls-fips_mode_enabled.patch - - Remove patches merged upstream: - * gnutls-CVE-2020-11501.patch - * gnutls-CVE-2020-13777.patch - * gnutls-CVE-2020-24659.patch - * gnutls-CVE-2021-20231.patch - * gnutls-CVE-2021-20232.patch - * gnutls-3.6.7-fips-backport_dont_truncate_output_IV.patch - * gnutls-fips_XTS_key_check.patch - * 0001-_gnutls_verify_crt_status-apply-algorithm-checks-to-.patch - * 0002-_gnutls_pkcs11_verify_crt_status-check-validity-agai.patch - * 0003-x509-trigger-fallback-verification-path-when-cert-is.patch - * 0004-tests-add-test-case-for-certificate-chain-supersedin.patch - * 0001-Add-Full-Public-Key-Check-for-DH.patch - * 0001-Add-test-to-ensure-DH-exchange-behaves-correctly.patch - * 0002-Add-test-to-ensure-ECDH-exchange-behaves-correctly.patch - * 0003-Add-plumbing-to-handle-Q-parameter-in-DH-exchanges.patch - * 0004-Always-pass-in-and-check-Q-in-TLS-1.3.patch - * 0005-Check-Q-for-FFDHE-primes-in-prime-check.patch - * 0006-Pass-down-Q-for-FFDHE-in-al-pre-TLS1.3-as-well.patch - * 0001-dh-primes-add-MODP-primes-from-RFC-3526.patch - * 0002-dhe-check-if-DH-params-in-SKE-match-the-FIPS-approve.patch - * 0001-dh-check-validity-of-Z-before-export.patch - * 0002-ecdh-check-validity-of-P-before-export.patch - * 0003-dh-primes-make-the-FIPS-approved-check-return-Q-valu.patch - * 0004-dh-perform-SP800-56A-rev3-full-pubkey-validation-on-.patch - * 0005-ecdh-perform-SP800-56A-rev3-full-pubkey-validation-o.patch - * 0001-Vendor-in-XTS-functionality-from-Nettle.patch - * 0001-pubkey-avoid-spurious-audit-messages-from-_gnutls_pu.patch - * gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch - * gnutls-3.6.7-fix-FTBFS-2024.patch - * gnutls-3.6.7-reproducible-date.patch +- Remove gnutls-temporarily_disable_broken_guile_reauth_test.patch + since its already working. -- Add gnutls-3.6.7-fix-FTBFS-2024.patch to let tests pass after 2024 (boo#1186579) -- Add gnutls-3.6.7-reproducible-date.patch to override build date (boo#1047218) +- Rework the crypto-policies dependencies in libraries [bsc#1186385] + +- Compute the FIPS hmac file without re-defining the + __os_install_post macro, use the brp-50-generate-fips-hmac + script instead. [bsc#1184555] -- Security fix: [bsc#1183456, CVE-2021-20232] - * A use after free issue in client_send_params - in lib/ext/pre_shared_key.c may lead to memory - corruption and other potential consequences. -- Add gnutls-CVE-2021-20232.patch - -- Security fix: [bsc#1183457, CVE-2021-20231] - * A use after free issue in client sending key_share extension - may lead to memory corruption and other consequences. -- Add gnutls-CVE-2021-20231.patch +- Require the main package in devel and lib packages as the default + priorities are now set via crypto-policies. [bsc#1183082] - verification + verification +- Add version guards for the crypto-policies package -- Avoid spurious audit messages about incompatible signature algorithms - (bsc#1172695) - * add 0001-pubkey-avoid-spurious-audit-messages-from-_gnutls_pu.patch +- Require the crypto-policies package [bsc#1180051] -- FIPS: Use 2048 bit prime in DH selftest (bsc#1176086) - * add gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch -- FIPS: Add TLS KDF selftest (bsc#1176671) - * add gnutls-FIPS-TLS_KDF_selftest.patch - -- Escape rpm command %%expand when used in comment. +- Use the centralized crypto policy profile (jsc#SLE-15832) - -- Fix heap buffer overflow in handshake with no_renegotiation alert sent - * CVE-2020-24659 (bsc#1176181) -- add gnutls-CVE-2020-24659.patch - -- FIPS: Implement (EC)DH requirements from SP800-56Arev3 (bsc#1176086) -- add patches - * 0001-Add-Full-Public-Key-Check-for-DH.patch - * 0001-Add-test-to-ensure-DH-exchange-behaves-correctly.patch - * 0002-Add-test-to-ensure-ECDH-exchange-behaves-correctly.patch - * 0003-Add-plumbing-to-handle-Q-parameter-in-DH-exchanges.patch - * 0004-Always-pass-in-and-check-Q-in-TLS-1.3.patch - * 0005-Check-Q-for-FFDHE-primes-in-prime-check.patch - * 0006-Pass-down-Q-for-FFDHE-in-al-pre-TLS1.3-as-well.patch - * 0001-dh-primes-add-MODP-primes-from-RFC-3526.patch - * 0002-dhe-check-if-DH-params-in-SKE-match-the-FIPS-approve.patch - * 0001-dh-check-validity-of-Z-before-export.patch - * 0002-ecdh-check-validity-of-P-before-export.patch - * 0003-dh-primes-make-the-FIPS-approved-check-return-Q-valu.patch - * 0004-dh-perform-SP800-56A-rev3-full-pubkey-validation-on-.patch - * 0005-ecdh-perform-SP800-56A-rev3-full-pubkey-validation-o.patch -- drop obsolete gnutls-3.6.7-fips_DH_ECDH_key_tests.patch +- Escape rpm command %%expand when used in comment. -- GNUTLS-SA-2020-06-03 (Fixed insecure session ticket key construction) - The TLS server would not bind the session ticket encryption key with a - value supplied by the application until the initial key rotation, allowing - attacker to bypass authentication in TLS 1.3 and recover previous - conversations in TLS 1.2 (#1011). (bsc#1172506, CVE-2020-13777) - * add patches: - + gnutls-CVE-2020-13777.patch -- Fixed handling of certificate chain with cross-signed intermediate - CA certificates (#1008). (bsc#1172461) - * add patches: - + 0001-_gnutls_verify_crt_status-apply-algorithm-checks-to-.patch - + 0002-_gnutls_pkcs11_verify_crt_status-check-validity-agai.patch - + 0003-x509-trigger-fallback-verification-path-when-cert-is.patch - + 0004-tests-add-test-case-for-certificate-chain-supersedin.patch - -- Add RSA 4096 key generation support in FIPS mode (bsc#1171422) - * add gnutls-3.6.7-fips-rsa-4096.patch - -- Don't check for /etc/system-fips which we don't have (bsc#1169992) - * add gnutls-fips_mode_enabled.patch - -- Backport AES XTS support (bsc#1168835) - * add 0001-Vendor-in-XTS-functionality-from-Nettle.patch - * add gnutls-fips_XTS_key_check.patch - - * libgnutls: Fix a DTLS-protocol regression (caused by TLS1.3 support) + * libgnutls: Fix a DTLS-protocol regression (caused by TLS1.3 + support) -- Fix zero random value in DTLS client hello - (CVE-2020-11501, bsc#1168345) - * add gnutls-CVE-2020-11501.patch - - * update baselibs.conf - -- bsc#1166881 - FIPS: gnutls: cfb8 decryption issue - * No longer truncate output IV if input is shorter than block size. - * Added gnutls-3.6.7-fips-backport_dont_truncate_output_IV.patch - -- bsc#1155327 jira#SLE-9518 - FIPS: add DH key test - * Added Diffie Hellman public key verification test. - * gnutls-3.6.7-fips_DH_ECDH_key_tests.patch -- Explicitly require libnettle 3.4.1 (bsc#1134856) - * The RSA decryption code was rewritten in GnuTLS 3.6.5 in order - to fix CVE-2018-16868, the new implementation makes use of a new - rsa_sec_decrypt() function introduced in libnettle 3.4.1 - * libnettle was recently updated to the 3.4.1 version but we need - to add explicit dependency on it to prevent missing symbol errors - with the older versions - -- Restored autoreconf in build. -- Removed gnutls-3.6.6-SUSE_SLE15_congruent_version_requirements.patch - since the version requirements of required libraries are once again - automatically determined. -- Added gnutls-3.6.7-SUSE_SLE15_guile_site_directory.patch because it is a - better patch name for handling the '--with-guile-site-dir=' problem in - 3.6.7. - -- Disabled dane support since dane is not shipped with SLE-15 +- Disabled dane support in SLE since dane is not shipped there - option '--with-guile-site-dir=' was removed from the configure script in 3.6.7. - * * Modified gnutls-3.6.6-SUSE_SLE15_congruent_version_requirements.patch + option '--with-guile-site-dir=' was removed from the configure script. + * * Added gnutls-3.6.6-set_guile_site_dir.patch -- Fixed Bleichenbacher-like side channel leakage in PKCS#1 v1.5 verification - and padding oracle verification (in 3.6.5) [bsc#1118087] (CVE-2018-16868) -- FATE#327114 - Update gnutls to 3.6.6 to support TLS 1.3 +- Update to 3.6.6 - * Removed patches: - 0001-dummy_wait-correctly-account-the-length-field-in-SHA.patch - 0002-dummy_wait-always-hash-the-same-amount-of-blocks-tha.patch - 0003-cbc_mac_verify-require-minimum-padding-under-SSL3.0.patch - 0004-hmac-sha384-and-sha256-ciphersuites-were-removed-fro.patch - * Added Patches: - * * disable failing psk-file test (race condition): - disable-psk-file-test.patch - * * Patch configure script to accept specific versions of autotools and guile - that are present in SUSE-SLE15. (A bug prevents configure from accepting - a range of compatible versions. Upstream's solution is to hardwire for - the most current versions.) - gnutls-3.6.6-SUSE_SLE15_congruent_version_requirements.patch - * Modified: - * * gnutls-3.6.0-disable-flaky-dtls_resume-test.patch -- Security update - Improve mitigations against Lucky 13 class of attacks - * "Just in Time" PRIME + PROBE cache-based side channel attack - can lead to plaintext recovery (CVE-2018-10846, bsc#1105460) - * HMAC-SHA-384 vulnerable to Lucky thirteen attack due to use of - wrong constant (CVE-2018-10845, bsc#1105459) - * HMAC-SHA-256 vulnerable to Lucky thirteen attack due to not - enough dummy function calls (CVE-2018-10844, bsc#1105437) - * add patches: - 0001-dummy_wait-correctly-account-the-length-field-in-SHA.patch - 0002-dummy_wait-always-hash-the-same-amount-of-blocks-tha.patch - 0003-cbc_mac_verify-require-minimum-padding-under-SSL3.0.patch - 0004-hmac-sha384-and-sha256-ciphersuites-were-removed-fro.patch - google-noto-sans-cjk-fonts +- use synthetic version 20201202.2.2004, as maintenance updates cannot + do version downgrades. + +feat!: rename noto-*-cjk-fonts -> google-noto-*-cjk-fonts +- The Noto Coloremoji fonts have already been renamed by now +- The other Noto fonts will be renamed once upstream finishes migrating them to the new website + * https://github.com/notofonts/notofonts.github.io + fix: move zh_MO obsoletes and provides to Hong Kong TC fonts +- Macau is physically and culturally closer to Hong Kong than Taiwan + fix: summary and description for Hong Kong TC fonts + +- Move google-noto-serif-cjk-fonts into its own repository again + +- Update version to 2.004 +- Follow upstream versioning: use version numbers instead of dates + +- Fix the source URL to be properly downloadable + +- Update version to 2.002(20201202) + * The copyright year was changed from “2014–2019” to “2014–2020.” + * Addressed Issue #207 including glyph changes to U+4E08 and U+5C83. + Extension G encodings were added for U+30729, U+30EDD, U+30EDE, + and U+3106C and the previous GSUB rules were removed. + * Updated Korean glyph for U+58C4 as reported in Source Han Serif Issue #87 + * Addressed Issue #204 for U+50E7, U+89E6, U+8FD0, U+9EA4, U+25C4A + * Mapped HK U+5C13 尓 to JP glyph + * Fixed U+21B9 as reported in Issue #260 + * Changed Korean mapping for U+51A4 as reported in Issue #202 + * The weights for Kanbun glyphs U+3191–U+319F have been adjusted + as mentioned in the table at the beginning of Issue #205. + * Fixed Korean IVS mapping for U+8ACB as reported in Issue #276 +- Fix descriptions for *-full packages + +- Update version to 2.001(20190410) + * A second flavor of Traditional Chinese, for Hong Kong and supporting the + HKSCS-2016 standard, was add- ed, which increased the total number of font + resources by 16, from 72 to 88. + * 155 new mappings have been added to the CMap resources. 66 are from BMP code + points, 22 are from Plane 1 code points, and the remaining 67 are from + Plane 2 code points. Among the 67 new Plane 2 code points, 57 are from + Extension B, two are from Extension C, three are from Extension E, and the + remaining five are from Extension F. + * As a result of removing approximately 1,750 glyphs in order to make room for + approximately 1,750 new glyphs, the CID assignments of the glyphs + necessarily—and drastically—changed. The CID assignments of exactly 200 + glyphs are unchanged from Version 1.004: 0–107, 2570–2633, 47223–47232, + 47262–47272, 47281–47286, and 65484. + * The Traditional Chinese form of the Radical #162 辶 component was improved. + * The URO is complete up through U+9FEF (Unicode Version 11.0). + * The glyphs for some of the kana were tweaked. + * The glyphs and support for bopomofo, along with their tone marks, were + improved. This involved adding the 'GDEF' (Glyph Definition) table, the + 'mark' (Mark Positioning) GPOS feature, and the 'ruby' (Ruby Nota- tion + Forms) GSUB feature. + * The language and script declarations in the 'locl' and 'vert' GSUB features + were improved. + * The 13-page glyph synopsis PDFs for the 500 pre-composed high-frequency + hangul syllables have been incorporated into the Unicode-base glyph synopsis + PDFs, and are bookmarked under the “Korean” book- mark. + * Placeholder glyphs for U+32FF, uni32FF (CID+2184) and uni32FF-V (CID+65359), + are included. This character has been reserved for the two-ideograph square + ligature that represents the name of Japan’s forthcoming new era which + starts on 2019-05-01, and will be the only character added in Unicode + Version 12.1. + * Like Source Han Serif, the CIDFont and CMap resources do not include XUID + arrays. + * Like Source Han Serif, there are no mappings for the range U+0000 through + U+001F. + * Like Source Han Serif, the code points that correspond to Halfwidth Jamo + variants map to glyphs that cor- respond to code points in the Hangul + Compatibility Jamo block. In other words, the glyphs for half-width jamo + have been removed. + * Like Source Han Serif, the 'name' table does not includes any Macintosh + (PlatformID=1) strings. + * Like Source Han Serif, the Regular weight is now style-linked to the Bold + weight. This means that the Bold weight may not appear in the font menu, + particularly when using applications that support style-linking as a way to + make text bold. + * Like Source Han Serif, the 'vert' GPOS feature is included. + * Like Source Han Serif, the deprecated 'hngl' (Hangul) GSUB feature is not + included in the Korean fonts and font instances. +- Split HongKong Fonts for NotoSans. + google-noto-serif-cjk-fonts +- use 20201202.2.002 to still have linear increase in versions + +feat!: rename noto-*-cjk-fonts -> google-noto-*-cjk-fonts +- The Noto Coloremoji fonts have already been renamed by now +- The other Noto fonts will be renamed once upstream finishes migrating them to the new website + * https://github.com/notofonts/notofonts.github.io + fix: move zh_MO obsoletes and provides to Hong Kong TC fonts +- Macau is physically and culturally closer to Hong Kong than Taiwan + +- Move google-noto-serif-cjk-fonts into its own repository again + +- Update version to 2.001 +- Follow upstream versioning: use version numbers instead of dates + +- Fix the source URL to be properly downloadable + +- Update version to 2.002(20201202) + * The copyright year was changed from “2014–2019” to “2014–2020.” + * Addressed Issue #207 including glyph changes to U+4E08 and U+5C83. + Extension G encodings were added for U+30729, U+30EDD, U+30EDE, + and U+3106C and the previous GSUB rules were removed. + * Updated Korean glyph for U+58C4 as reported in Source Han Serif Issue #87 + * Addressed Issue #204 for U+50E7, U+89E6, U+8FD0, U+9EA4, U+25C4A + * Mapped HK U+5C13 尓 to JP glyph + * Fixed U+21B9 as reported in Issue #260 + * Changed Korean mapping for U+51A4 as reported in Issue #202 + * The weights for Kanbun glyphs U+3191–U+319F have been adjusted + as mentioned in the table at the beginning of Issue #205. + * Fixed Korean IVS mapping for U+8ACB as reported in Issue #276 + +- Update version to 2.001(20190410) + * A second flavor of Traditional Chinese, for Hong Kong and supporting the + HKSCS-2016 standard, was add- ed, which increased the total number of font + resources by 16, from 72 to 88. + * 155 new mappings have been added to the CMap resources. 66 are from BMP code + points, 22 are from Plane 1 code points, and the remaining 67 are from + Plane 2 code points. Among the 67 new Plane 2 code points, 57 are from + Extension B, two are from Extension C, three are from Extension E, and the + remaining five are from Extension F. + * As a result of removing approximately 1,750 glyphs in order to make room for + approximately 1,750 new glyphs, the CID assignments of the glyphs + necessarily—and drastically—changed. The CID assignments of exactly 200 + glyphs are unchanged from Version 1.004: 0–107, 2570–2633, 47223–47232, + 47262–47272, 47281–47286, and 65484. + * The Traditional Chinese form of the Radical #162 辶 component was improved. + * The URO is complete up through U+9FEF (Unicode Version 11.0). + * The glyphs for some of the kana were tweaked. + * The glyphs and support for bopomofo, along with their tone marks, were + improved. This involved adding the 'GDEF' (Glyph Definition) table, the + 'mark' (Mark Positioning) GPOS feature, and the 'ruby' (Ruby Nota- tion + Forms) GSUB feature. + * The language and script declarations in the 'locl' and 'vert' GSUB features + were improved. + * The 13-page glyph synopsis PDFs for the 500 pre-composed high-frequency + hangul syllables have been incorporated into the Unicode-base glyph synopsis + PDFs, and are bookmarked under the “Korean” book- mark. + * Placeholder glyphs for U+32FF, uni32FF (CID+2184) and uni32FF-V (CID+65359), + are included. This character has been reserved for the two-ideograph square + ligature that represents the name of Japan’s forthcoming new era which + starts on 2019-05-01, and will be the only character added in Unicode + Version 12.1. + * Like Source Han Serif, the CIDFont and CMap resources do not include XUID + arrays. + * Like Source Han Serif, there are no mappings for the range U+0000 through + U+001F. + * Like Source Han Serif, the code points that correspond to Halfwidth Jamo + variants map to glyphs that cor- respond to code points in the Hangul + Compatibility Jamo block. In other words, the glyphs for half-width jamo + have been removed. + * Like Source Han Serif, the 'name' table does not includes any Macintosh + (PlatformID=1) strings. + * Like Source Han Serif, the Regular weight is now style-linked to the Bold + weight. This means that the Bold weight may not appear in the font menu, + particularly when using applications that support style-linking as a way to + make text bold. + * Like Source Han Serif, the 'vert' GPOS feature is included. + * Like Source Han Serif, the deprecated 'hngl' (Hangul) GSUB feature is not + included in the Korean fonts and font instances. +- Split HongKong Fonts for NotoSans. + gpg2 -- Security fix [CVE-2022-34903, bsc#1201225] - - Vulnerable to status injection - - Added patch gnupg-CVE-2022-34903.patch - -- gnupg-detect_FIPS_mode.patch: use AES as default cipher instead - of 3DES if we are in FIPS mode. (bsc#1196125) - -- Update gpg2 for SLE15-SP3 [jsc#SLE-17559, bsc#1182572] -- Remove patches fixed upstream: - * gnupg-gpg-agent-ssh-agent.patch - * gnupg-2.2.22-fix-segv-import-keys.patch - * gnupg-Allow-redirection-from-https-to-http-for-CRLs.patch - * gnupg-CRL-fetching-via-https.patch - * gnupg-CVE-2018-1000858.patch - * gnupg-CVE-2018-12020.patch - * gnupg-CVE-2019-13050_0_of_5.patch - * gnupg-CVE-2019-13050_1_of_5.patch - * gnupg-CVE-2019-13050_2_of_5.patch - * gnupg-CVE-2019-13050_3_of_5.patch - * gnupg-CVE-2019-13050_4_of_5.patch - * gnupg-CVE-2019-13050_5_of_5.patch - * gnupg-CVE-2019-14855.patch -- Update gpg2.keyring +- Fix the build in SLE and Leap by adding an exclude in the files + section for the dirmngr's systemd user units. [jsc#PED-7093] + +- Do not pull revision info from GIT when autoconf is run. This + removes the -unknown suffix after the version number. + * Add gnupg-nobetasuffix.patch [bsc#1216334] + +- Fix Emacs EasyPG behavior when parsing output: + * gpg: Report BEGIN_* status before examining the input. + * Upstream task: https://dev.gnupg.org/T6481 + * Add gnupg-Report-BEGIN_-status-before-examining-the-input.patch + +- Install the internal executables in the /usr/libexec dir instead + of /usr/lib64. These files are keyboxd, scdaemon, gpg-auth + gpg-check-pattern, gpg-pair-tool, gpg-preset-passphrase, + gpg-protect-tool, gpg-wks-client, dirmngr_ldap and tpm2daemon. + +- Provide the systemd-user files since they have been removed + upstream since version 2.4.1. [bsc#1201564] + * Add gpg2-systemd-user.tar.xz + +- Install the systemd user units in the _userunitdir [bsc#1201564] + * Note that, there is no activation by default. + * Rework excludes in the spec's files section. + +- Revert back to use the IBM TPM Software stack. + +- Update to 2.4.3: + * gpg: Set default expiration date to 3 years. [T2701] + * gpg: Add --list-filter properties "key_expires" and + "key_expires_d". [T6529] + * gpg: Emit status line and proper diagnostics for write errors. [T6528] + * gpg: Make progress work for large files on Windows. [T6534] + * gpg: New option --no-compress as alias for -z0. + * gpgsm: Print PROGRESS status lines. Add new --input-size-hint. [T6534] + * gpgsm: Support SENDCERT_SKI for --call-dirmngr. [rG701a8b30f0] + * gpgsm: Major rewrite of the PKCS#12 parser. [T6536] + * gpgtar: New option --no-compress. + * dirmngr: Extend the AD_QUERY command. [rG207c99567c] + * dirmngr: Disable the HTTP redirect rewriting. [T6477] + * dirmngr: New option --compatibility-flags. [rGbf04b07327] + * dirmngr: New option --ignore-crl-extensions. [T6545] + * wkd: Use export-clean for gpg-wks-client's --mirror and --create + commands. [rG2c7f7a5a27] + * wkd: Make --add-revocs the default in gpg-wks-client. New option + - -no-add-revocs. [rG10c937ee68] + * scd: Make signing work for Nexus cards. [rGb83d86b988] + * scd: Fix authentication with Administration Key for PIV. [rG25b59cf6ce] + +- Update to 2.4.2: + * gpg: Print a warning if no more encryption subkeys are left over + after changing the expiration date. [rGef2c3d50fa] + * gpg: Fix searching for the ADSK key when adding an ADSK. [T6504] + * gpgsm: Speed up key listings on Windows. [rG08ff55bd44] + * gpgsm: Reduce the number of "failed to open policy file" + diagnostics. [rG68613a6a9d] + * agent: Make updating of private key files more robust and track + display S/N. [T6135] + * keyboxd: Avoid longish delays on Windows when listing keys. + [rG6944aefa3c] + * gpgtar: Emit extra status lines to help GPGME. [T6497] + * w32: Avoid using the VirtualStore. [T6403] + * Rebase gnupg-add_legacy_FIPS_mode_option.patch + +- Update to 2.4.1: + * If the ~/.gnupg directory does not exist, the keyboxd is now + automagically enabled. [rGd9e7488b17] + * gpg: New option --add-desig-revoker. [rG3d094e2bcf] + * gpg: New option --assert-signer. [rGc9e95b8dee] + * gpg: New command --quick-add-adsk and other ADSK features. + [T6395, https://gnupg.org/blog/20230321-adsk.html] + * gpg: New list-option "show-unusable-sigs". Also show "[self-signature]" + instead of the user-id in key signature listings. [rG103acfe9ca] + * gpg: For symmetric encryption the default S2K hash is now SHA256. [T6367] + * gpg: Detect already compressed data also when using a pipe. Also + detect JPEG and PNG file formats. [T6332] + * gpg: New subcommand "openpgp" for --card-edit. [T6462] + * gpgsm: Verification of detached signatures does now strip trailing + zeroes from the input if --assume-binary is used. [rG2a13f7f9dc] + * gpgsm: Non-armored detached signature are now created without + using indefinite form length octets. This improves compatibility + with some PDF signature verification software. [rG8996b0b655] + * gpgtar: Emit progress status lines in create mode. [T6363] + * dirmngr: The LDAP modifyTimestamp is now returned by some + keyserver commands. [rG56d309133f] + * ssh: Allow specification of the order keys are presented to ssh. + See the man page entry for --enable-ssh-support. [T5996, T6212] + * gpg: Make list-options "show-sig-subpackets" work again. + Fixes regression in 2.4.0. [rG5a223303d7] + * gpg: Fix the keytocard command for Yubikeys. [T6378] + * gpg: Do not continue an export after a cancel for the primary key. [T6093] + * gpg: Replace the --override-compliance-check hack by a real fix. [T5655] + * gpgtar: Fix decryption with input taken from stdin. [T6355] + * Rebase patches: + - gnupg-revert-rfc4880bis.patch + - gnupg-add_legacy_FIPS_mode_option.patch + * Remove patch fixed upstream: + - gnupg-tests-Fix-tests-gpgme-for-in-source-tree-builds.patch + +- Temporarily revert back to the pre-2.4 default for key generation. + The new rfc4880bis has been set as the default in 2.4 version and + might create incompatible keys. Note that, rfc4880bis can still + be used with the option flag --rfc4880bis as in previous versions. + * More info in the gnupg-devel ML: + https://lists.gnupg.org/pipermail/gnupg-devel/2022-December/035183.html + * Reverted commit https://dev.gnupg.org/rGcaf4b3fc16e9 + * Add gnupg-revert-rfc4880bis.patch + +- Allow 8192 bit RSA keys in keygen UI when large_rsa is set + * Add gnupg-allow-large-rsa.patch + +- Fix the regression test suite fails with the IBM TPM Software + stack. Builds fine using the Intel TPM; use the swtpm and + tpm2-0-tss-devel packages instead of ibmswtpm2 and ibmtss-devel. + +- Fix broken GPGME QT tests: Upstram dev task dev.gnupg.org/T6313 + * The original patch has been modified to expand the changes + also to the tests/gpgme/Makefile.in file. + * Add gnupg-tests-Fix-tests-gpgme-for-in-source-tree-builds.patch + +- Updated to require libgpg-error-devel >= 1.46 +- Rebased patches: + * gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch + * gnupg-add_legacy_FIPS_mode_option.patch +- GnuPG 2.4.0: + * common: Fix translations in --help for gpgrt < 1.47. + * gpg: Do not continue the export after a cancel for the primary key. + * gpg: Replace use of PRIu64 in log_debug. + * Update NEWS for 2.4.0. + * tests: Fix make check with GPGME. + * agent: Allow arguments to "scd serialno" in restricted mode. + * scd:p15: Skip deleted records. + * build: Remove Windows CE support. + * wkd: Do not send/install/mirror expired user ids. + * gpgsm: Print the revocation time also with --verify. + * gpgsm: Fix "problem re-searching certificate" case. + * gpgsm: Print revocation date and reason in cert listings. + * gpgsm: Silence the "non-critical certificate policy not allowed". + * gpgsm: Always use the chain model if the root-CA requests this. + * gpg: New export option "mode1003". + * gpg: Remove a mostly duplicated function. + * tests: Simplify fake-pinentry to use the option only. + * tests: Fix fake-pinentry for Windows. + * tests: Fix make check-all. + * agent: Fix import of protected v5 keys. + * gpgsm: Change default algo to AES-256. + * tests: Put a workaround for semihosted environment. + * tests: More fix for semihosted environment. + * tests: Support semihosted environment. + * tests: Fix tests under cms. + * tests,w32: Fix for semihosted environment. + * w32: Fix for tests on semihosted environment. + * w32: Fix gnupg_unsetenv. + * wkd: New option --add-revocs and some fixes. + * wkd: Make use of --debug extprog. + * gpg: New export-filter export-revocs. + * gpg: Fix double-free in gpg --card-edit. + * gpg: Make --require-compliance work with out --status-fd. + * gpg: New option --list-filter. + * dirmngr: Silence ocsp debug output. + * tests: Fix to support --enable-all-tests and variants. + * tests:w32: Fix for non-dot file name for Windows. + * tests:gpgscm:w32: Fix for GetTempPath. + * tests: Keep .log files in objdir. + * tests: Use 233 for invalid value of FD. + * w32: Fix gnupg_tmpfile for possible failure. + * scd: Redact --debug cardio output of a VERIFY APDU. + * common: Remove Windows CE support in common. + * gpgsm: Fix colon outout of ECC encryption certificates. + * scd:nks: Fix ECC signing if key not given by keygrip. + * dirmngr: Fix verification of ECDSA signed CRLs. + * agent: Allow trustlist on Windows in Unicode homedirs. + * gpg: Fix verification of cleartext signatures with overlong lines. + * gpg: Move w32_system function. + * gpg: New option --quick-update-pref. + * gpg: New list-options show-pref and show-pref-verbose. + * tests: Add tests to check that OCB is only used for capable keys. + * gpg: Make --list-packets work w/o --no-armor for plain OCB packets. + * tests: Add symmetric decryption tests. + * tests: Add tr:assert-same function. + * agent: Avoid blanks in the ssh key's comment. + * build: Update m4 files. + * gpg: Merge --rfc4880bis features into --gnupg. + * gpg: Allow only OCB for AEAD encryption. + * gpg: New option --compatibility-flags. + * gpgsm: Also announce AES256-CBC in signatures. + * gpg: Fix trusted introducer for user-ids with only the mbox. + * gpg: Import stray revocation certificates. + * agent: Automatically convert to extended key format by KEYATTR. + * card: New commands "gpg" and "gpgsm". + * card: Also show fingerprints of known X.509 certificates. + * scd:nks: Support non-ESIGN signing with the Signature Card v2. + * gpgsm: Allow ECC encryption keys with just keyAgreement specified. + * gpgsm: Use macro constants for cert_usage_p. + * build: Update gpg-error.m4. + * agent,common,dirmngr,tests,tools: Remove spawn PREEXEC argument. + * gpg: Move NETLIBS after GPG_ERROR_LIBS. + * gpg: Use GCRY_KDF_ONESTEP_KDF with newer libgcrypt in future. + * common,w32: Fix struct stat on Windows. + * agent,w32: Support Win32-OpenSSH emulation by gpg-agent. + * common: Don't use FD2INT for POSIX-only code. + * dirmngr: Fix build with no LDAP support. + +- GnuPG 2.3.8: + * gpg: Do not consider unknown public keys as non-compliant while + decrypting. + * gpg: Avoid to emit a compliance mode line if Libgcrypt is + non-compliant. + * gpg: Improve --edit-key setpref command to ease c+p. + * gpg: Emit an ERROR status if --quick-set-primary-uid fails and + allow to pass the user ID by hash. + * gpg: Actually show symmetric+pubkey encrypted data as de-vs + compliant. Add extra compliance checks for symkey_enc packets. + * gpg: In de-vs mode use SHA-256 instead of SHA-1 as implicit + preference. + * gpgsm: Fix reporting of bad passphrase error during PKCS#11 + import. + * agent: Fix a regression in "READKEY --format=ssh". + * agent: New option --need-attr for KEYINFO. + * agent: New attribute "Remote-list" for use by KEYINFO. + * scd: Fix problem with Yubikey 5.4 firmware. + * dirmngr: Fix CRL Distribution Point fallback to other schemes. + * dirmngr: New LDAP server flag "areconly" (A-record-only). + * dirmngr: Fix upload of multiple keys for an LDAP server specified + using the colon format. + * dirmngr: Use LDAP schema v2 when a Base DN is specified. + * dirmngr: Avoid caching expired certificates. + * wkd: Fix path traversal attack in gpg-wks-server. Add the mail + address to the pending request data. + * wkd: New command --mirror for gpg-wks-client. + * gpg-auth: New tool for authentication. + * New common.conf option no-autostart. + * Silence warnings from AllowSetForegroundWindow unless + GNUPG_EXEC_DEBUG_FLAGS is used. + * Rebase gnupg-detect_FIPS_mode.patch + * Remove patch upstream: + - gnupg-2.3.7-scd-openpgp-Fix-workaround-for-Yubikey-heuristics.patch + +- Fix YubiKey 5 Nano support (boo#1202201), add + gnupg-2.3.7-scd-openpgp-Fix-workaround-for-Yubikey-heuristics.patch + +- GnuPG 2.3.7: + * CVE-2022-34903: garbled status messages could trick gpgme and + other parsers to accept faked status lines [boo#1201225] + * A number of bug fixes to the gpg command line interface + * gpgsm gained a number of new options and got some rework on + the PKCS#12 parser to support DFN issues keys + * The gpg agent got some added options and UI tweaks + * smart card support got a number of bug fixes, and improved + support for Technology Nexus cards and Yubikey + * The Telesec ESIGN application is now supported + +- added tpm support, added a new subpackage gpg2-tpm + +- GnuPG 2.3.6: + * Up to five times faster verification of detached signatures, + doubled detached signing speed, threefold decryption speedup + for large files, nearly double the AES256.OCB encryption speed + * Add support for GeNUA cards + * Added and improved options for crypto options, and all-around + bug fixes + +- GnuPG 2.3.4: + * gpg: New option --min-rsa-length + * gpg: New option --forbid-gen-key + * gpg: New option --override-compliance-check + * gpgconf: New command --show-configs + * agent,dirmngr,keyboxd: New option --steal-socket + * gpg: Fix printing of binary notations + * gpg: Remove stale ultimately trusted keys from the trustdb + * gpg: Fix indentation of --print-mds and --print-md sha512 + * gpg: Emit gpg 2.2 compatible Ed25519 signature + * gpgsm: Detect circular chains in --list-chain + * dirmngr: Make reading resolv.conf more robust + * dirmngr: Ask keyservers to provide the key fingerprints + * gpgconf: Allow changing gpg's deprecated keyserver option + * gpg-wks-server: Fix created file permissions + * scd: Support longer data for ssh-agent authentication with + openpgp cards + * scd: Modify DEVINFO behavior to support looping forever + * Silence warning about the rootdir under Unices w/o a mounted + /proc file system + * Fix possible build problems about missing include files + +- GnuPG 2.3.3: + * agent: Fix segv in GET_PASSPHRASE (regression) + * dirmngr: Fix Let's Encrypt certificate chain validation + * gpg: Change default and maximum AEAD chunk size to 4 MiB + * gpg: Print a warning when importing a bad cv25519 secret key + * gpg: Fix --list-packets for undecryptable AEAD packets + * gpg: Verify backsigs for v5 keys correctly + * keyboxd: Fix checksum computation for no UBID entry on disk + * keyboxd: Fix "invalid object" error with cv448 keys + * dirmngr: New option --ignore-cert + * agent: Fix calibrate_get_time use of clock_gettime + * Support a gpgconf.ctl file under Unix and use this for the + regression tests + +- GnuPG 2.3.2: + * gpg: Allow fingerprint based lookup with --locate-external-key. + * gpg: Allow decryption w/o public key but with correct card inserted. + * gpg: Auto import keys specified with --trusted-keys. + * gpg: Do not use import-clean for LDAP keyserver imports. + * gpg: Fix mailbox based search via AKL keyserver method. + * gpg: Fix memory corruption with --clearsign introduced with 2.3.1. + * gpg: Use a more descriptive prompt for symmetric decryption. + * gpg: Improve speed of secret key listing. + * gpg: Support keygrip search with traditional keyring. + * gpg: Let --fetch-key return an exit code on failure. + * gpg: Emit the NO_SECKEY status again for decryption. + * gpgsm: Support decryption of password based encryption (pwri). + * gpgsm: Support AES-GCM decryption. + * gpgsm: Let --dump-cert --show-cert also print an OpenPGP fingerprint. + * gpgsm: Fix finding of issuer in use-keyboxd mode. + * gpgsm: New option --ldapserver as an alias for --keyserver. + * agent: Use SHA-256 for SSH fingerprint by default. + * agent: Fix calling handle_pincache_put. + * agent: Fix importing protected secret key. + * agent: Fix a regression in agent_get_shadow_info_type. + * agent: Add translatable text for Caps Lock hint. + * agent: New option --pinentry-formatted-passphrase. + * agent: Add checkpin inquiry for pinentry. + * agent: New option --check-sym-passphrase-pattern. + * agent: Use the sysconfdir for a pattern file. + * agent: Make QT_QPA_PLATFORMTHEME=qt5ct work for the pinentry. + * dirmngr: LDAP search by a mailbox now ignores revoked keys. + * dirmngr: For KS_SEARCH return the fingerprint also with LDAP. + * dirmngr: Allow for non-URL specified ldap keyservers. + * dirmngr: New option --ldapserver. + * dirmngr: Fix regression in KS_GET for mail address pattern. + * card: New option --shadow for the list command. + * tests: Make sure the built keyboxd is used. + * scd: Fix computing shared secrets for 512 bit curves. + * scd: Fix unblock PIN by a Reset Code with KDF. + * scd: Fix PC/SC removed card problem. + * scd: Recover the partial match for PORTSTR for PC/SC. + * scd: Make sure to release the PC/SC context. + * scd: Fix zero-byte handling in ECC. + * scd: Fix serial number detection for Yubikey 5. + * scd: Add basic support for AET JCOP cards. + * scd: Detect external interference when --pcsc-shared is in use. + * scd: Fix access to the list of cards. + * gpgconf: Do not list a disabled tpm2d. + * gpgconf: Make runtime changes with different homedir work. + * keyboxd: Fix searching for exact mail adddress. + * keyboxd: Fix searching with multiple patterns. + * tools: Extend gpg-check-pattern. + * wkd: Fix client issue with leading or trailing spaces in user-ids. + * Pass XDG_SESSION_TYPE and QT_QPA_PLATFORM envvars to Pinentry. + * Change the default keyserver to keyserver.ubuntu.com. This is a + temporary change due to the shutdown of the SKS keyserver pools. + +- GnuPG 2.3.1: + * The new configuration file common.conf is now used to enable + the use of the key database daemon with "use-keyboxd". Using + this option in gpg.conf and gpgsm.conf is supported for a + transitional period. See doc/example/common.conf for more. + * gpg: Force version 5 key creation for ed448 and cv448 algorithms. + * gpg: By default do not use the self-sigs-only option when + importing from an LDAP keyserver. + * gpg: Lookup a missing public key of the active card via LDAP. + * gpgsm: New command --show-certs. + * scd: Fix CCID driver for SCM SPR332/SPR532. + * scd: Further improvements for PKCS#15 cards. + * New configure option --with-tss to allow the selection of the + TSS library. +- Rebase patches: + * gnupg-add_legacy_FIPS_mode_option.patch + * gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch + * gnupg-dont-fail-with-seahorse-agent.patch + * gnupg-set_umask_before_open_outfile.patch + +- GnuPG 2.3.0: + * A new experimental key database daemon is provided. To enable + it put "use-keyboxd" into gpg.conf and gpgsm.conf. Keys are stored + in a SQLite database and make key lookup much faster. + * New tool gpg-card as a flexible frontend for all types of + supported smartcards. + * New option --chuid for gpg, gpgsm, gpgconf, gpg-card, and + gpg-connect-agent. + * The gpg-wks-client tool is now installed under bin; a wrapper for + its old location at libexec is also installed. + * tpm2d: New daemon to physically bind keys to the local machine. + * gpg: Switch to ed25519/cv25519 as default public key algorithms. + * gpg: Verification results now depend on the --sender option and + the signer's UID subpacket. + * gpg: Do not use any 64-bit block size cipher algorithm for + encryption. Use AES as last resort cipher preference instead of + 3DES. This can be reverted using --allow-old-cipher-algos. + * gpg: Support AEAD encryption mode using OCB or EAX. + * gpg: Support v5 keys and signatures. + * gpg: Support curve X448 (ed448, cv448). + * gpg: Allow use of group names in key listings. + * gpg: New option --full-timestrings to print date and time. + * gpg: New option --force-sign-key. + * gpg: New option --no-auto-trust-new-key. + * gpg: The legacy key discovery method PKA is no longer supported. + The command --print-pka-records and the PKA related import and + export options have been removed. + * gpg: Support export of Ed448 Secure Shell keys. + * gpgsm: Add basic ECC support. + * gpgsm: Support creation of EdDSA certificates. [#4888] + * agent: Allow the use of "Label:" in a key file to customize the + pinentry prompt. + * agent: Support ssh-agent extensions for environment variables. + With a patched version of OpenSSH this avoids the need for the + "updatestartuptty" kludge. + * scd: Improve support for multiple card readers and tokens. + * scd: Support PIV cards. + * scd: Support for Rohde&Schwarz Cybersecurity cards. + * scd: Support Telesec Signature Cards v2.0 + * scd: Support multiple application on certain smartcard. + * scd: New option --application-priority. + * scd: New option --pcsc-shared; see man page for important notes. + * dirmngr: Support a gpgNtds parameter in LDAP keyserver URLs. + * The symcryptrun tool, a wrapper for the now obsolete external + Chiasmus tool, has been removed. + * Full Unicode support for the command line. +- dropped legacy commands: gpg-zip + +- Remove the "files-are-digests" option from the openSUSE package. + This feature was not upstream and only used in the OBS signing + daemon. The recommended upstream feature for separating the data + to be signed from the private keys is gpg agent forwarding, + available from 2.1. Drop gnupg-2.2.8-files-are-digests.patch -- Fix segv importing certain keys (e.g. ed25519). [bsc#1176034] -- Add gnupg-2.2.22-fix-segv-import-keys.patch - -- Fix warning: agent returned different signature type ssh-rsa - * The gpg-agent's ssh-agent does not handle flags in signing - requests properly [bsc#1161268, bsc#1172308] - * Add gnupg-gpg-agent-ssh-agent.patch - -- Security fix: [bsc#1157900, CVE-2019-14855, jsc#SLE-16534] - * Web of Trust forgeries using collisions in SHA-1 signatures - * Ignore all SHA-1 signatures in 3rd party key signatures. - * Forbid the creation of SHA-1 third-party key signatures. - * Add option --allow-weak-key-signatures -- Add gnupg-CVE-2019-14855.patch - -- Remove self-buildrequire [bsc#1152755] - -- Security fix: [bsc#1141093, CVE-2019-13050] - * Denial of service attacks via big keys - * Added patches: - - gnupg-CVE-2019-13050_0_of_5.patch - - gnupg-CVE-2019-13050_1_of_5.patch - - gnupg-CVE-2019-13050_2_of_5.patch - - gnupg-CVE-2019-13050_3_of_5.patch - - gnupg-CVE-2019-13050_4_of_5.patch - - gnupg-CVE-2019-13050_5_of_5.patch - -- Allow coredumps in X11 desktop sessions (bsc#1124847) - gpg-agent unconditionally disables coredumps, which is not - supposed to happen in the code path that does just exec(argv[]) - * Added gnupg-gpg-agent-ulimit.patch - +- Allow coredumps in X11 desktop sessions (bsc#1124847) + gpg-agent unconditionally disables coredumps, which is not + supposed to happen in the code path that does just exec(argv[]) + gnupg-gpg-agent-ulimit.patch + -- Security fix: [bsc#1120346, CVE-2018-1000858] - * Cross Site Request Forgery (CSRF) vulnerability in dirmngr that - can result in Attacker controlled CSRF. - * Added patches: - - gnupg-CRL-fetching-via-https.patch - - gnupg-Allow-redirection-from-https-to-http-for-CRLs.patch - - gnupg-CVE-2018-1000858.patch - -- Added gnupg-CVE-2018-12020.patch: Sanitize the diagnostic output of the - original file name in verbose mode (bsc#1096745, CVE-2018-12020). - gpgme -- Update to 1.16.0 in SLE-15-SP4: [jsc#SLE-20014, jsc#SLE-21114] - * Remove gpgme-test-json.patch fixed upstream +- Update to 1.23.0: + * Support GPGME_ENCRYPT_ALWAYS_TRUST also for S/MIME. [T6559] + * New keylist mode GPGME_KEYLIST_MODE_WITH_V5FPR. [T6705] + * New key capability flags has_*. [T6748] + * gpgme-tool: Support use of Windows HANDLE. [T6634] + * qt: Support refreshing keys via WKD. [T6672] + * qt: Handle cancel in changeexpiryjob. [T6754] + * Remove patches fixed upstream: + - gpgme-qt-tests-Fix-build-in-source-directory.patch + - gpgme-build-Suggest-out-of-source-build.patch + +- Use GCC 12 for building the Qt6 library on Leap 15. The + default compiler is too old. +- Use '%{without xxx}' rather than '!%{with xxx}' in spec file + +- Use GCC 12 for building the Qt6 library. The default compiler + is too old. +- Use '%{without xxx}' rather than '!%{with xxx}' in spec file + +- Fix builds with qt and qt6 [T6673]: + * qt,tests: Fix build in source directory. Include Qt binding + sources before C++ binding sources and C sources. This fixes + the problem that the debug.h in the C sources was found before + the one in the Qt bindings. + * build: Suggest out-of-source build. Suggest to run configure + from a build subdirectory. + * Add patches: + - gpgme-qt-tests-Fix-build-in-source-directory.patch + - gpgme-build-Suggest-out-of-source-build.patch + +- Update to 1.22.0: + * Prevent wrong plaintext when verifying clearsigned signature. + * Return bad data error instead of general error on unexpected data. + * Take care of offline mode for all operations of gpgsm engine. + * Prepare the use of the forthcoming libassuan version 3. + * New configure option --with-libtool-modification. + * cpp: Expose gpgme_decrypt_result_t.is_mime. + * qt: Clean up after failure or cancel of sign/encrypt archive operation. + * qt: Add setInputEncoding to QGpgMe::EncryptJob. + * qt: Make toLogString helper public. + * Interface changes relative to the 1.21.0 release: + - qt: EncryptJob::setInputEncoding NEW. + - qt: DecryptionResult::isMime NEW. + - qt: toLogString NEW. + +- Run testsuite in qemu build + +- Update to 1.21.0 + * Extended gpgme_op_encrypt, gpgme_op_encrypt_sign, and gpgme_op_sign + to allow writing the output directly to a file. [T6530] + * Extended gpgme_op_decrypt and gpgme_op_verify to allow reading the + input data directly from files. [T6530] + * For key signing and uid revoking allow an empty user id. [rMfbc3963d62] + * Pass an input-size-hint also to the gpgsm engine. [T6534] + * qt: Allow writing the created archives directly to a file. [T6530] + * qt: Allow reading the signed/encrypted archive to decrypt + or verify directly from a file. [T6530] + * qt: Qt Jobs working with QIODeviceDataProvider now properly + handle input-size hints and progress for files larger. + 2^32 bytes in 32 bit builds. [T6534] + * cpp: Error::isCanceled now also returns true for error code + GPG_ERR_FULLY_CANCELED. [T6510] + * python: Fix wrong use of write. [T6501] + * Interface changes relative to the 1.20.0 release: + - cpp: Data::setFlag NEW. + - cpp: Data::setSizeHint NEW. + - qt: Job::startIt NEW. + - qt: DecryptVerifyArchiveJob::setInputFile NEW. + - qt: DecryptVerifyArchiveJob::inputFile NEW. + - qt: EncryptArchiveJob::setRecipients NEW. + - qt: EncryptArchiveJob::recipients NEW. + - qt: EncryptArchiveJob::setInputPaths NEW. + - qt: EncryptArchiveJob::inputPaths NEW. + - qt: EncryptArchiveJob::setOutputFile NEW. + - qt: EncryptArchiveJob::outputFile NEW. + - qt: EncryptArchiveJob::setEncryptionFlags NEW. + - qt: EncryptArchiveJob::encryptionFlags NEW. + - qt: SignArchiveJob::setSigners NEW. + - qt: SignArchiveJob::signers NEW. + - qt: SignArchiveJob::setInputPaths NEW. + - qt: SignArchiveJob::inputPaths NEW. + - qt: SignArchiveJob::setOutputFile NEW. + - qt: SignArchiveJob::outputFile NEW. + - qt: SignEncryptArchiveJob::setSigners NEW. + - qt: SignEncryptArchiveJob::signers NEW. + - qt: SignEncryptArchiveJob::setRecipients NEW. + - qt: SignEncryptArchiveJob::recipients NEW. + - qt: SignEncryptArchiveJob::setInputPaths NEW. + - qt: SignEncryptArchiveJob::inputPaths NEW. + - qt: SignEncryptArchiveJob::setOutputFile NEW. + - qt: SignEncryptArchiveJob::outputFile NEW. + - qt: SignEncryptArchiveJob::setEncryptionFlags NEW. + - qt: SignEncryptArchiveJob::encryptionFlags NEW. + +- Update to 1.20.0: + * On Windows, the gettext functions provided by gpgrt are switched + into utf8 mode, so that all localized texts returned by GpgME or + gpgrt, e.g. the texts for error codes are now UTF-8 encoded. [T5960] + * Key::canSign now returns false for OpenPGP keys without signing + (sub)key. [T6456] + * The new macOS Homebrew location is now by default supported. [T6440] + * Fix regression in 1.19.0. + * Fix invocation of gpgtar on Windows. + * Interface changes relative to the 1.19.0 release: + - gpgme_subkey_t EXTENDED: New field 'can_renc'. + - gpgme_subkey_t EXTENDED: New field 'can_timestamp'. + - gpgme_subkey_t EXTENDED: New field 'is_group_owned'. + - cpp: Subkey::canRenc NEW. + - cpp: Subkey::canTimestamp NEW. + - cpp: Subkey::isGroupOwned NEW. + - cpp: Key::canReallySign DEPRECATED. + * Release-info: https://dev.gnupg.org/T6463 + +- Add a Qt6 flavor to build Qt6 bindings +- Use %ldconfig_scriptlets + +- Update to 1.19.0: + * New context flag "no-auto-check-trustdb". [T6261] + * Optionally, build QGpgME for Qt 6 + * Support component "gpgtar-name" in gpgme_get_dirinfo. [T6342] + * Extended gpgme_op_encrypt*, gpgme_op_encrypt_sign*, and + gpgme_op_sign* to allow creating an encrypted and/or signed + archive. [T6342] + * Extended gpgme_op_decrypt*, gpgme_op_decrypt_verify*, + and gpgme_op_verify* to allow extracting an encrypted and/or + signed archive. [T6342] + * cpp: Handle error when trying to sign expired keys. [T6155] + * cpp: Support encryption flags ThrowKeyIds, EncryptWrap, and + WantAddress. [T6359] + * cpp, qt: Fix building with C++11. [T6141] + * qt: Fix problem with expiration dates after 2038-01-19 on 32-bit + systems when adding an existing subkey to another key. [T6137] + * cpp: Allow setting the curve to use when generating ECC keys + for smart cards. [T4429] + * qt: Extend ListAllKeysJob to allow disabling the automatic + trust database check when listing all keys. [T6261] + * qt: Allow deferred start of import jobs. [T6323] + * qt: Support creating and extracting signed and encrypted + archives. [T6342] + * Rebase gpgme-suse-nobetasuffix.patch + * Remove patches upstream: + - gpgme-D546-python310.patch + - gpgme-1.18.0-T6137-qt_test.patch + - python311.patch + +- drop python2 subpackage handling. we do not support python 2.x + anymore, and if we would it would happen via singlespec + +- Update upstream keyring: https://gnupg.org/signature_key.asc + +- add python311.patch to build language bindings for python 3.11 + +- Add gpgme-suse-nobetasuffix.patch + * remove "-unknown" suffix from version string + * boo#1205197 + +- gpgme 1.18.0 + * New keylist mode to force refresh via external methods + * The keylist operations now create an import result to report the + result of the locate keylist modes + * core: Return BAD_PASSPHRASE error code on symmetric decryption + failure + * cpp, qt: Do not export internal symbols anymore + * cpp, qt: Support revocation of own OpenPGP keys + * qt: The file name of (signed and) encrypted data can now be set + * cpp, qt: Support setting the primary user ID + * python: Fix segv(NULL) when inspecting contect after exeception +- includes changes from version 1.17.1: + * qt: Fix a bug in the ABI compatibility of 1.17.0 +- includes changes from 1.17.0: + * New context flag "key-origin" + * New context flag "import-filter" + * New export mode to export secret subkeys + * Detect errors during the export of secret keys + * New function gpgme_op_receive_keys to import keys from a keyserver + without first running a key listing + * Detect bad passphrase error in certificate import + * Allow setting --key-origin when importing keys + * Support components "keyboxd", "gpg-agent", "scdaemon", "dirmngr", + "pinentry", and "socketdir" in gpgme_get_dirinfo + * Under Unix use poll(2) instead of select(2), when available. + * Fix results returned by gpgme_data_* functions + * Support closefrom also for glibc + (drop upstream gpgme-use-glibc-closefrom.patch + * cpp,qt: Add support for export of secret keys and secret subkeys. + * cpp,qt: Support for adding existing subkeys to other keys + * qt: Extend ChangeExpiryJob to change expiration of primary key + and of subkeys at the same time + * qt: Support WKD lookup without implicit import + * qt: Allow specifying an import filter when importing keys + * qt: Allow retrieving the default value of a config entry +- drop patches included upstream + * gpgme-1.16.0-Use-after-free-in-t-edit-sign-test.patch + * gpgme-1.16.0-t-various-testSignKeyWithExpiration-32-bit.patch +- add patches to fix tests: + * gpgme-1.18.0-T6137-qt_test.patch + +- Add patches to support building bindings packages for + Python 3.10 + * gpgme-D545-python310.patch -- https://dev.gnupg.org/D545 + * gpgme-D546-python310.patch -- https://dev.gnupg.org/D546 -- Fix t-json test in SP3: https://dev.gnupg.org/T4820 [bsc#1183801] - * tests/json: Bravo key does not have secret key material - * tests/json: Do not check for keygrip of pubkeys - * core: Make sure the keygrip is available in WITH_SECRET mode -- Add gpgme-test-json.patch - gpgme:qt -- Update to 1.16.0 in SLE-15-SP4: [jsc#SLE-20014, jsc#SLE-21114] - * Remove gpgme-test-json.patch fixed upstream +- Update to 1.23.0: + * Support GPGME_ENCRYPT_ALWAYS_TRUST also for S/MIME. [T6559] + * New keylist mode GPGME_KEYLIST_MODE_WITH_V5FPR. [T6705] + * New key capability flags has_*. [T6748] + * gpgme-tool: Support use of Windows HANDLE. [T6634] + * qt: Support refreshing keys via WKD. [T6672] + * qt: Handle cancel in changeexpiryjob. [T6754] + * Remove patches fixed upstream: + - gpgme-qt-tests-Fix-build-in-source-directory.patch + - gpgme-build-Suggest-out-of-source-build.patch + +- Use GCC 12 for building the Qt6 library on Leap 15. The + default compiler is too old. +- Use '%{without xxx}' rather than '!%{with xxx}' in spec file + +- Use GCC 12 for building the Qt6 library. The default compiler + is too old. +- Use '%{without xxx}' rather than '!%{with xxx}' in spec file + +- Fix builds with qt and qt6 [T6673]: + * qt,tests: Fix build in source directory. Include Qt binding + sources before C++ binding sources and C sources. This fixes + the problem that the debug.h in the C sources was found before + the one in the Qt bindings. + * build: Suggest out-of-source build. Suggest to run configure + from a build subdirectory. + * Add patches: + - gpgme-qt-tests-Fix-build-in-source-directory.patch + - gpgme-build-Suggest-out-of-source-build.patch + +- Update to 1.22.0: + * Prevent wrong plaintext when verifying clearsigned signature. + * Return bad data error instead of general error on unexpected data. + * Take care of offline mode for all operations of gpgsm engine. + * Prepare the use of the forthcoming libassuan version 3. + * New configure option --with-libtool-modification. + * cpp: Expose gpgme_decrypt_result_t.is_mime. + * qt: Clean up after failure or cancel of sign/encrypt archive operation. + * qt: Add setInputEncoding to QGpgMe::EncryptJob. + * qt: Make toLogString helper public. + * Interface changes relative to the 1.21.0 release: + - qt: EncryptJob::setInputEncoding NEW. + - qt: DecryptionResult::isMime NEW. + - qt: toLogString NEW. + +- Run testsuite in qemu build + +- Update to 1.21.0 + * Extended gpgme_op_encrypt, gpgme_op_encrypt_sign, and gpgme_op_sign + to allow writing the output directly to a file. [T6530] + * Extended gpgme_op_decrypt and gpgme_op_verify to allow reading the + input data directly from files. [T6530] + * For key signing and uid revoking allow an empty user id. [rMfbc3963d62] + * Pass an input-size-hint also to the gpgsm engine. [T6534] + * qt: Allow writing the created archives directly to a file. [T6530] + * qt: Allow reading the signed/encrypted archive to decrypt + or verify directly from a file. [T6530] + * qt: Qt Jobs working with QIODeviceDataProvider now properly + handle input-size hints and progress for files larger. + 2^32 bytes in 32 bit builds. [T6534] + * cpp: Error::isCanceled now also returns true for error code + GPG_ERR_FULLY_CANCELED. [T6510] + * python: Fix wrong use of write. [T6501] + * Interface changes relative to the 1.20.0 release: + - cpp: Data::setFlag NEW. + - cpp: Data::setSizeHint NEW. + - qt: Job::startIt NEW. + - qt: DecryptVerifyArchiveJob::setInputFile NEW. + - qt: DecryptVerifyArchiveJob::inputFile NEW. + - qt: EncryptArchiveJob::setRecipients NEW. + - qt: EncryptArchiveJob::recipients NEW. + - qt: EncryptArchiveJob::setInputPaths NEW. + - qt: EncryptArchiveJob::inputPaths NEW. + - qt: EncryptArchiveJob::setOutputFile NEW. + - qt: EncryptArchiveJob::outputFile NEW. + - qt: EncryptArchiveJob::setEncryptionFlags NEW. + - qt: EncryptArchiveJob::encryptionFlags NEW. + - qt: SignArchiveJob::setSigners NEW. + - qt: SignArchiveJob::signers NEW. + - qt: SignArchiveJob::setInputPaths NEW. + - qt: SignArchiveJob::inputPaths NEW. + - qt: SignArchiveJob::setOutputFile NEW. + - qt: SignArchiveJob::outputFile NEW. + - qt: SignEncryptArchiveJob::setSigners NEW. + - qt: SignEncryptArchiveJob::signers NEW. + - qt: SignEncryptArchiveJob::setRecipients NEW. + - qt: SignEncryptArchiveJob::recipients NEW. + - qt: SignEncryptArchiveJob::setInputPaths NEW. + - qt: SignEncryptArchiveJob::inputPaths NEW. + - qt: SignEncryptArchiveJob::setOutputFile NEW. + - qt: SignEncryptArchiveJob::outputFile NEW. + - qt: SignEncryptArchiveJob::setEncryptionFlags NEW. + - qt: SignEncryptArchiveJob::encryptionFlags NEW. + +- Update to 1.20.0: + * On Windows, the gettext functions provided by gpgrt are switched + into utf8 mode, so that all localized texts returned by GpgME or + gpgrt, e.g. the texts for error codes are now UTF-8 encoded. [T5960] + * Key::canSign now returns false for OpenPGP keys without signing + (sub)key. [T6456] + * The new macOS Homebrew location is now by default supported. [T6440] + * Fix regression in 1.19.0. + * Fix invocation of gpgtar on Windows. + * Interface changes relative to the 1.19.0 release: + - gpgme_subkey_t EXTENDED: New field 'can_renc'. + - gpgme_subkey_t EXTENDED: New field 'can_timestamp'. + - gpgme_subkey_t EXTENDED: New field 'is_group_owned'. + - cpp: Subkey::canRenc NEW. + - cpp: Subkey::canTimestamp NEW. + - cpp: Subkey::isGroupOwned NEW. + - cpp: Key::canReallySign DEPRECATED. + * Release-info: https://dev.gnupg.org/T6463 + +- Add a Qt6 flavor to build Qt6 bindings +- Use %ldconfig_scriptlets + +- Update to 1.19.0: + * New context flag "no-auto-check-trustdb". [T6261] + * Optionally, build QGpgME for Qt 6 + * Support component "gpgtar-name" in gpgme_get_dirinfo. [T6342] + * Extended gpgme_op_encrypt*, gpgme_op_encrypt_sign*, and + gpgme_op_sign* to allow creating an encrypted and/or signed + archive. [T6342] + * Extended gpgme_op_decrypt*, gpgme_op_decrypt_verify*, + and gpgme_op_verify* to allow extracting an encrypted and/or + signed archive. [T6342] + * cpp: Handle error when trying to sign expired keys. [T6155] + * cpp: Support encryption flags ThrowKeyIds, EncryptWrap, and + WantAddress. [T6359] + * cpp, qt: Fix building with C++11. [T6141] + * qt: Fix problem with expiration dates after 2038-01-19 on 32-bit + systems when adding an existing subkey to another key. [T6137] + * cpp: Allow setting the curve to use when generating ECC keys + for smart cards. [T4429] + * qt: Extend ListAllKeysJob to allow disabling the automatic + trust database check when listing all keys. [T6261] + * qt: Allow deferred start of import jobs. [T6323] + * qt: Support creating and extracting signed and encrypted + archives. [T6342] + * Rebase gpgme-suse-nobetasuffix.patch + * Remove patches upstream: + - gpgme-D546-python310.patch + - gpgme-1.18.0-T6137-qt_test.patch + - python311.patch + +- drop python2 subpackage handling. we do not support python 2.x + anymore, and if we would it would happen via singlespec + +- Update upstream keyring: https://gnupg.org/signature_key.asc + +- add python311.patch to build language bindings for python 3.11 + +- Add gpgme-suse-nobetasuffix.patch + * remove "-unknown" suffix from version string + * boo#1205197 + +- gpgme 1.18.0 + * New keylist mode to force refresh via external methods + * The keylist operations now create an import result to report the + result of the locate keylist modes + * core: Return BAD_PASSPHRASE error code on symmetric decryption + failure + * cpp, qt: Do not export internal symbols anymore + * cpp, qt: Support revocation of own OpenPGP keys + * qt: The file name of (signed and) encrypted data can now be set + * cpp, qt: Support setting the primary user ID + * python: Fix segv(NULL) when inspecting contect after exeception +- includes changes from version 1.17.1: + * qt: Fix a bug in the ABI compatibility of 1.17.0 +- includes changes from 1.17.0: + * New context flag "key-origin" + * New context flag "import-filter" + * New export mode to export secret subkeys + * Detect errors during the export of secret keys + * New function gpgme_op_receive_keys to import keys from a keyserver + without first running a key listing + * Detect bad passphrase error in certificate import + * Allow setting --key-origin when importing keys + * Support components "keyboxd", "gpg-agent", "scdaemon", "dirmngr", + "pinentry", and "socketdir" in gpgme_get_dirinfo + * Under Unix use poll(2) instead of select(2), when available. + * Fix results returned by gpgme_data_* functions + * Support closefrom also for glibc + (drop upstream gpgme-use-glibc-closefrom.patch + * cpp,qt: Add support for export of secret keys and secret subkeys. + * cpp,qt: Support for adding existing subkeys to other keys + * qt: Extend ChangeExpiryJob to change expiration of primary key + and of subkeys at the same time + * qt: Support WKD lookup without implicit import + * qt: Allow specifying an import filter when importing keys + * qt: Allow retrieving the default value of a config entry +- drop patches included upstream + * gpgme-1.16.0-Use-after-free-in-t-edit-sign-test.patch + * gpgme-1.16.0-t-various-testSignKeyWithExpiration-32-bit.patch +- add patches to fix tests: + * gpgme-1.18.0-T6137-qt_test.patch + +- Add patches to support building bindings packages for + Python 3.10 + * gpgme-D545-python310.patch -- https://dev.gnupg.org/D545 + * gpgme-D546-python310.patch -- https://dev.gnupg.org/D546 -- Fix t-json test in SP3: https://dev.gnupg.org/T4820 [bsc#1183801] - * tests/json: Bravo key does not have secret key material - * tests/json: Do not check for keygrip of pubkeys - * core: Make sure the keygrip is available in WITH_SECRET mode -- Add gpgme-test-json.patch - grub2 +- Fix reproducible build for grub.xen (bsc#1217619) + * 0001-mkstandalone-ensure-stable-timestamps-for-generated-.patch + * 0002-mkstandalone-ensure-deterministic-tar-file-creation-.patch + +- Fix unattended boot with TPM2 allows downgrading kernel and rootfs, also + enhancing the overall security posture (bsc#1216680) + * 0001-Improve-TPM-key-protection-on-boot-interruptions.patch + * 0002-Restrict-file-access-on-cryptodisk-print.patch + * 0003-Restrict-ls-and-auto-file-completion-on-cryptodisk-p.patch + * 0004-Key-revocation-on-out-of-bound-file-access.patch + gstreamer-plugins-bad +- Add gstreamer-plugins-bad-CVE-2023-44429.patch: + Backporting 1db83d3f from upstream, Clip tile rows and cols to 64 + as describe in AV1 specification. + (CVE-2023-44429 bsc#1217211) + - from upstream to fix a heap overwrite in PGS subtitle - overlay decoder which might trigger a crash or remote code - execution (CVE-2023-37329 bsc#1213126). + Backport 7ed446dc,0dabf0eb from upstream to fix a heap overwrite + in PGS subtitle overlay decoder which might trigger a crash or + remote code execution (CVE-2023-37329 bsc#1213126). -- Add patch to support building with srt 1.3.4 in SLE - * fix-build-with-srt-1.3.4.patch +- Add fix-build-with-srt-1.3.4.patch: + To support building with srt 1.3.4 in SLE. +- Update to version 1.16.3 (bsc#1181255 CVE-2021-3185): + - amcvideodec: fix sync meta copying not taking a reference + - audiobuffersplit: Perform discont tracking on running time + - audiobuffersplit: Specify in the template caps that only interleaved audio is supported + - audiobuffersplit: Unset DISCONT flag if not discontinuous + - autoconvert: Fix lock-less exchange or free condition + - autoconvert: fix compiler warnings with g_atomic on recent GLib versions + - avfvideosrc: element requests camera permissions even with capture-screen property is true + - codecparsers: h264parser: guard against ref_pic_markings overflow + - dtlsconnection: Avoid segmentation fault when no srtp capabilities are negotiated + - dtls/connection: fix EOF handling with openssl 1.1.1e + - fdkaacdec: add support for mpegversion=2 + - hls: Check nettle version to ensure AES128 support + - ipcpipeline: Rework compiler checks + - interlace: Increment phase_index before checking if we're at the end of the phase + - lv2: Make it build with -fno-common + - h264parser: Do not allocate too large size of memory for registered user data SEI + - ladspa: fix unbounded integer properties + - modplug: avoid division by zero + - msdkdec: Fix GstMsdkContext leak + - msdkenc: fix leaks on windows + - musepackdec: Don't fail all queries if no sample rate is known yet + - openslessink: Allow openslessink to handle 48kHz streams. + - opencv: allow compilation against 4.2.x + - proxysink: event_function needs to handle the event when it is disconnecetd from proxysrc + - vulkan: Drop use of VK_RESULT_BEGIN_RANGE + - wasapi: added missing lock release in case of error in gst_wasapi_xxx_reset + - wasapi: Fix possible deadlock while downwards state change + - waylandsink: Clear window when pipeline is stopped + - webrtc: Support non-trickle ICE candidates in the SDP + - webrtc: Unmap all non-binary buffers received via the datachannel + - meson: build with neon 0.31 +- Drop upstream fixed patch: gstreamer-h264parser-fix-overflow.patch + +- Drop gstreamer-plugins-bad-patch-source.sh +- Drop pre_checkin.sh haveged +- Remove haveged-switch-root.service because it's implemented incorrectly and + neither upstream don't know how to fix it (#77). On the other hand, without + this service haveged will be started from scratch after switch root so it's + hopefully no big deal. Also remove patch for bsc#1203079 as it's considered + as a security threat because of creating fixed name file in world-writable + directory. [jsc#PED-6184, bsc#1206699] + * Remove + - haveged-switch-root.service + - haveged-switch-root.patch + hplip -- hppsfilter: booklet printing: change insecure fixed /tmp file paths - (bsc#1214399) - * add hppsfilter-booklet-printing-change-insecure-fixed-tm.patch - -- Update to hplip 3.23.8 (jsc#PED-5846) +- Update to hplip 3.23.8 icu73_2 +- icu4c-73_c-ICU-22512-Fix-broken-TestHebrewCalendarInTemporalLeapYear.patch + Fix testsuite issue in hebrew calendar (bsc#1217479) + jbigkit +- security update +- added patches + fix CVE-2022-1210 [bsc#1198146], Malicious file leads to a denial of service in TIFF File Handler + + jbigkit-CVE-2022-1210.patch + kdump +- upgrade to version 2.0.0 + * add support for riscv64 (bsc#1204214) + * mkdumprd: fix the check for updated SSH keys + * prefer by-path and device-mapper aliases (bsc#1217617) + * udev: don't reload kdump if kernel handles hotplug (jsc#PED-5077) + kernel-firmware +- Update to version 20231214 (git commit b80907ec3a81): + * qcom: Add Audio firmware for SM8650 QRD + * qcom: Add Audio firmware for SM8550 QRD + * Add rdfind for deb/rpm build jobs + * wfx: update to firmware 3.17 + * wfx: fix broken firmware + +- Update to version 20231205 (git commit bfc33c1e308e): + * linux-firmware: Update AMD cpu microcode + * cxgb4: Update firmware to revision 1.27.5.0 + * linux-firmware: add firmware for en8811h 2.5G ethernet phy + * s5p-mfc: Add MFC v12 Firmware + * qcom: update qrb4210 firmware + * qcom: update qcm2290 firmware + * qcom: update qcm2290/qrb4210 WiFi firmware file + * qcom: update Venus firmware file for v6.0 + +- Update to version 20231128 (git commit d9f6088f7e91): + * Add a COPYOPTS variable + * rtl_bt: Update RTL8852A BT USB firmware to 0xDFC8_145F + +- Update to version 20231127 (git commit 4124f8f928d5): + * Make rdfind optional + * ice: update ice DDP wireless_edge package to 1.3.13.0 + * linux-firmware: update firmware for mediatek bluetooth chip (MT7922) + * linux-firmware: update firmware for mediatek bluetooth chip (MT7921) + * linux-firmware: update firmware for MT7922 WiFi device + * linux-firmware: update firmware for MT7921 WiFi device + * Makefile, copy-firmware: Use portable "command -v" to detect installed programs + * amdgpu: update DMCUB firmware to 0.0.194.0 for DCN321 and DCN32 + * powervr: add firmware for Imagination Technologies AXE-1-16M GPU + * ice: update ice DDP comms package to 1.3.45.0 + * ice: update ice DDP package to 1.3.35.0 + * mediatek: Remove an unused packed library + * amdgpu: update DMCUB firmware to 0.0.193.0 for DCN31 and DCN314 +- Drop obsoleted copy-file-skip-rdfind.patch; use --ignore-duplicates + +- Update to version 20231120 (git commit 9552083a783e): + * mediatek: Sync shared memory structure changes + * Intel Bluetooth: Update firmware file for Intel Bluetooth BE200 + * i915: Update MTL DMC to v2.19 + * Make email replies more resilient + * Try both utf-8 and windows-1252 for decoding email + +- Update to version 20231116 (git commit 6723a8d90923): + * iwlwifi: fix for the new FWs from core83-55 release + * Enable deb and rpm builds on tags + * linux-firmware: Add firmware for Cirrus CS35L41 on HP G11 Laptops + * linux-firmware: Add firmware for Cirrus CS35L41 on 2024 ASUS Zenbook Laptops + +- Update to version 20231115 (git commit a07fd0b96b5a): + * iwlwifi: add new FWs from core83-55 release + * iwlwifi: update cc/Qu/QuZ firmwares for core83-55 release + * Add a workaround for gitlab.freedesktop.org pull requests + * Add extra debugging output when processing pull requests + * Process pull requets directly from mbox + * linux-firmware: add firmware for mt7988 internal 2.5G ethernet phy + * Intel Bluetooth: Update firmware file for Magnetor Intel Bluetooth AX101 + * Intel Bluetooth: Update firmware file for Magnetor Intel Bluetooth AX203 + * Intel Bluetooth: Update firmware file for Magnetor Intel Bluetooth AX211 + * Intel Bluetooth: Update firmware file for SolarF Intel Bluetooth AX101 + * Intel Bluetooth: Update firmware file for Solar Intel Bluetooth AX101 + * Intel Bluetooth: Update firmware file for SolarF Intel Bluetooth AX203 + * Intel Bluetooth: Update firmware file for Solar Intel Bluetooth AX203 + * Intel Bluetooth: Update firmware file for SolarF Intel Bluetooth AX211 + * Intel Bluetooth: Update firmware file for Solar Intel Bluetooth AX211 + * Intel Bluetooth: Update firmware file for Solar Intel Bluetooth AX210 + +- Update to version 20231110 (git commit 74158e7ac86d): + * amdgpu: DMCUB updates for various AMDGPU ASICs + * Ensure rdfind is installed + * Add checks for destination directory being specified + * Fix symlink creation for some files + * Fix classification of some pull requests + * nvidia: add GSP-RM version 535.113.01 firmware images +- Skip rdfind (not included in our distro as default): + copy-file-skip-rdfind.patch +- Fix make-files.sh to handle symlinked directories + -- Update to version 20231019 (git commit d983107a2dfa): +- Update to version 20231019 (git commit d983107a2dfa) + (bsc#1215823, CVE-2023-20592): + (bsc#1215831, CVE-2021-26345, CVE-2021-46766, CVE-2021-46774, + CVE-2022-23820, CVE-2022-23830, CVE-2023-20519, CVE-2023-20521, + CVE-2023-20526, CVE-2023-20533, CVE-2023-20566): krb5 +- Update patch 0007-SELinux-integration.patch for SELinux 3.5 + libgpg-error +- Do not pull revision info from GIT when autoconf is run. This + removes the -unknown suffix after the version number. + * Add libgpg-error-nobetasuffix.patch [bsc#1216334] + +- Update to 1.47: + * New error codes for PUKs and reset codes. [T6421] + * Avoid segv in logging with improper use of the "socket://". + * Fixed translation of argparse's internal option --help. + * Interface changes relative to the 1.46 release: + - GPG_ERR_SOURCE_TKD NEW. + - GPG_ERR_BAD_PUK NEW. + - GPG_ERR_NO_RESET_CODE NEW. + - GPG_ERR_BAD_RESET_CODE NEW. + - GPGRT_SPAWN_KEEP_STDIN NEW. + - GPGRT_SPAWN_KEEP_STDOUT NEW. + - GPGRT_SPAWN_KEEP_STDERR NEW. + - GPGRT_SPAWN_INHERIT_FILE NEW. + * Release-info: https://dev.gnupg.org/T6231 + +- Update to 1.46: + * Support for bidirectional pipes under Windows. + * REG_DWORD types are now support in the Windows Registry. + * Added ES_SYSHD_SOCK support for gpgrt_sysopen under Windows. + * Fixed gpgrt_log_get_fd for the file case. + * Avoids header problem with C11 and "noreturn". + * The gpg-error-config command is not installed by default, because + it is now replaced by use of pkg-config/gpgrt-config with + gpg-error.pc. Supply --enable-install-gpg-error-config configure + option, if it's really needed. + * Fixed support of posix-lock for FreeBSD. + * Build fixes for some Mingw tool chain versions. + * Removed remaining support for WindowsCE. + * Updated config.guess, config.sub, and config.rpath. + * gpg-error-config is now only installed when enabled. + * System paths are now stripped from --cflags --and --libs. + +- update to 1.45: + * gpgrt_access and gpgrt_mkdir now support file names longer than + MAX_PATH + +- Update to 1.44: + * Fix dependency to gpg-error-config-test.sh. + * Run the posix locking test only on supported platforms. + * Detect Linux systems using musl. + * Fix gpg-error-config-test for PKG_CONFIG_LIBDIR. + * Fix returning of option attributes for options with args. + * Add Turkish translations. + +- Update to 1.43: + * Fix for building against GNU libc 2.34. + * Fix gpgrt-config problems. + * Fix gpgrt_free for legacy platforms. + * Fix truncation of error message in the middle of a character. + * Fix the --disable-threads configure options. + * Improve lock-obj generation for cross-builds. + * Improve cross-builds. + * Improve gpgrt_wait_processes. + libksba -- Security fix: [bsc#1206579, CVE-2022-47629] - * Integer overflow in the CRL signature parser. - * Add libksba-CVE-2022-47629.patch - -- Security fix: [bsc#1204357, CVE-2022-3515] - * Detect a possible overflow directly in the TLV parser. - * Add libksba-CVE-2022-3515.patch +- Do not pull revision info from GIT when autoconf is run. This + removes the -unknown suffix after the version number. + * Run autoreconf for the added patch and add the build + dependecies on autoconf, automake and libtool. + * Add libksba-nobetasuffix.patch [bsc#1216334] + +- Update to 1.6.4: + * Correctly detect CMS write errors. [rK9ced7706f2] + * Release-info: https://dev.gnupg.org/T6543 + +- update to 1.6.3 (bsc#1206579, CVE-2022-47629): + * Fix another integer overflow in the CRL parser. + Release-info: https://dev.gnupg.org/T6304 + +- libksba 1.6.2: [bsc#1204357, CVE-2022-3515] + * Fix integer overflow in the CRL parser. + +- libksba 1.6.1: + * Allow an OCSP server not to return the sent nonce +- fix rpmlint warnings + +- libksba 1.6.0: + * Limited support for the Authenticated-Enveloped-Data + content type. + * Support password based decryption. + * Silence warnings from static analyzers. + * Interface changes relative to the 1.5.0 release: + - KSBA_CT_AUTHENVELOPED_DATA NEW. + +- libksba 1.5.1: + * Support Brainpool curves specified by ECDomainParameters + +- libksba 1.5.0: + * ksba_cms_identify now identifies OpenPGP keyblock content + * Supports TR-03111 plain format ECDSA signature verification + * Fixes a CMS signed data parser bug exhibited by a somewhat + strange CMS message +- remove deprecated texinfo macros and update signing keyring + +- libksba 1.4.0: + * Supports ECDSA and EdDSA certificate creation and parsing. + * Supports ECDH enveloped data. + * Supports ECDSA and EdDSA signed data. + * Supports rsaPSS signature verification. + * Supports standard file descriptors in ksba_reader_read. + * Allows for optional elements in keyinfo objects. + * Fixes error detection in the CMS parser. + * Fixes memory leak in ksba_cms_identify. + * New constants KSBA_VERSION and KSBA_VERSION_NUMBER. + * New API to make creation of DER objects easy. + * Interface changes relative to the 1.3.5 release: + KSBA_VERSION NEW. + KSBA_VERSION_NUMBER NEW. + KSBA_CT_SPC_IND_DATA_CTX NEW. + KSBA_CLASS_* NEW. + KSBA_TYPE_* NEW. + ksba_der_t NEW. + ksba_der_release NEW. + ksba_der_builder_new NEW. + ksba_der_builder_reset NEW. + ksba_der_add_ptr NEW. + ksba_der_add_val NEW. + ksba_der_add_int NEW. + ksba_der_add_oid NEW. + ksba_der_add_bts NEW. + ksba_der_add_der NEW. + ksba_der_add_tag NEW. + ksba_der_add_end NEW. + ksba_der_builder_get NEW. -- libksba 1.3.1: - * Fixed memory leak in CRL parsing - * Build fixes for ppc64el - -- Use URL for source - libnvme +- Update to version 1.6+5.g68c6ffb: + * avoid stack corruption by unaligned DMA to user space buffers + (bsc#1216344, gh#linux-nvme/libnvme#727) + libpwquality +- Update to version 1.4.5: + + Minor bug fixes and documentation enhancements. + + Updated translations. + libqt5-qtbase +- buildrequire pkconfig(icu-i18n) instead of libicu-devel to get + prefered libicuu + +- Add patch from upstream that fixes a buffer overflow in + QXmlStreamReader (bsc#1214327, CVE-2023-37369): + * CVE-2023-37369-qtbase-5.15.diff + libraw -- security update -- added patches - fix CVE-2021-32142 [bsc#1208470], Buffer Overflow in the LibRaw_buffer_datastream:gets function - + libraw-CVE-2021-32142.patch +- update to 0.21.1: + * fixed typo in panasonic metadata parser + * Multiple fixes inspired by oss-fuzz project + * Phase One/Leaf IIQ-S v2 support + * Canon CR3 filmrolls + * Canon CRM (movie) files + * Tiled bit-packed (and 16-bit unpacked) DNGs + * (non-standard) Deflate-compressed integer DNG files are allowed + * Canon EOS R3, R7 and R10 + * Fujifilm X-H2S, X-T30 II + * OM System OM-1 + * Leica M11 + * Sony A7-IV (ILCE-7M4) + * DJI Mavic 3 + * Nikon Z9: standard compression formats only + +- Update to 0.21.0: + * Camera format support: + + Phase One/Leaf IIQ-S v2 support + + Canon CR3 filmrolls/RawBurst + + Canon CRM (movie) files + + Tiled bit-packed (and 16-bit unpacked) DNGs + + (non-standard) Deflate-compressed integer DNG files are allowed + * Camera support: + + Canon EOS R3, R7 and R10 + + Fujifilm X-H2S, X-T30 II + + OM System OM-1 + + Leica M11 + + Sony A7-IV (ILCE-7M4) + + DJI Mavic 3 + + Nikon Z9: standard compression formats only + * Multiple (resultion) thumbnails support + * Misc: + + Nikon makernotes: read NEFCompression tag for HE/HE* files + + Nikon orientation tag: more fixed offsets for known cameras + + Adobe DNG SDK 1.6 support (meaning, just an additional patch for GPR SDK) + * Bugs fixed: + + Fixed possible out-of-buffer read in Nikon orientation tag parser + + Out-of-range read-only array access in postprocessing if output_color is set to 0 (raw color) + + Minolta Z2 was not recognized correctly on 32-bit systems + + Fixed possible buffer overflow in Kodak C330 decoder + + dcraw_process(): check for buffer allocation results to avoid NULL deref + + Multiple bugfixes inspired by oss-fuzz project - CVE-2018-5819 + CVE-2018-5819,CVE-2021-32142 - bsc#1120515,bsc#1120516,bsc#1120517,bsc#1120519) + bsc#1120515,bsc#1120516,bsc#1120517,bsc#1120519,bsc#1208470) libreoffice +- Fix CVE-2023-6186, deny arbitrary script execution for link targets, + bsc#1217578 + * CVE-2023-6186-1.patch + * CVE-2023-6186-2.patch + * CVE-2023-6186-3.patch + * CVE-2023-6186-4.patch + * CVE-2023-6186-5.patch +- Fix CVE-2023-6185, improper input validation enabling arbitrary + Gstreamer pipeline injection, bsc#1217577 + * CVE-2023-6185.patch + libselinux +- Repair initrd libselinux check in selinux-ready + +- Do not BuildRequire swig and ruby-devel in the main build phase: + those are only needed for the bindings. + +- (bsc#1212618) Divide libselinux and libselinux-bindings again. + libselinux itself is in Ring0 so it has to have absolutely + minimal dependencies, so it is better to separate + libselinux-bindings into a separate pacakge. + +- Fix python packaging by setting the name to a fixed value + +- Remove separate libselinux-bindings SPEC file (bsc#1212618). + +- Add explicit BuildRequires for python3-pip and python3-wheel on + 15.5, currently the macros don't do the right thing + +- allow building this with different python versions, to make this + usable for the new sle15 macro (using python3.11) + +- Add python-wheel build dependency to build correctly with latest + python-pip version. + +- Add _multibuild to define additional spec files as additional + flavors. + Eliminates the need for source package links in OBS. + +- Add -ffat-lto-objects to CFLAGS to prevent rpmlint errors because + of LTO + +- Enable LTO as it works fine now. + +- Update to version 3.5: + * check for truncations + * avoid newline in avc message + * bail out on path truncations + * add getpidprevcon to gather the previous context before the last + exec of a given process + * Workaround for heap overhead of pcre + * fix memory leaks on the audit2why module init + * ignore invalid class name lookup +- Drop restorecon_pin_file.patch, is upstream +- Refreshed python3.8-compat.patch +- Added additional developer key (Jason Zaman) + +- Fixed initrd check in selinux-ready (bnc#1186127) + +- Added restorecon_pin_file.patch. Fixes issus when running + fixfiles/restorecon + +- Update to version 3.4: + * Use PCRE2 by default + * Make selinux_log() and is_context_customizable() thread-safe + * Prevent leakeing file descriptors + * Correctly hash specfiles larger than 4G +- Refreshed skip_cycles.patch + +- Add Requires for exact libselinux1 version for selinux-tools +- Simplyfied check for correct boot paramaters in selinux-ready + (bsc#1195361) + +- Update to version 3.3: + * Lots of smaller issues fixed found by fuzzing + +- Add missing libselinux-utils Provides to selinux-tools so that + %selinux_requires works + +- Remove Recommends for selinux-autorelabel. It's better to have this + in the policy package itself (bsc#1181837) + +- Switch to pcre2: + + Replace pcre-devel BuildRequires with pkgconfig(libpcre2-8) + + Pass USE_PCRE2=y to make. + + Replace pkgconfig(libpcre) Requires in -devel static with + pkgconfig(libpcre2-8). + +- Update to version 3.2: + * Use mmap()'ed kernel status page instead of netlink by default. + See "KERNEL STATUS PAGE" section in avc_init(3) for more details. + * New log callback levels for enforcing and policy load notices - + SELINUX_POLICYLOAD, SELINUX_SETENFORCE + * Changed userspace AVC setenforce and policy load messages to audit + format. + +- Add Recommends: selinux-autorelabel, which is very important + for healthy use of the SELinux on the system (/.autorelabel + mechanism) (bsc#1181837). + +- install to /usr (boo#1029961) + + * Refreshed python3.8-compat.patch +- Added swig4_moduleimport.patch to prevent import errors due to + SWIG 4 + +- Add python3.8-compat.patch which makes build possible even with + Python 3.8, which doesn’t automatically adds -lpython + +- Disable LTO (boo#1133244). + +- Updated spec file to use python3. Added python3.patch to fix + build + +- Update libselinux-2.2-ruby.patch: use RbConfig instead of + deprecated Config. + libsemanage +- Remove build counter syncing for real + +- Add _multibuild to define additional spec files as additional + flavors. + Eliminates the need for source package links in OBS. + +- Add -ffat-lto-objects to CFLAGS to prevent rpmlint errors because + of LTO + +- Enable LTO now (boo#1138812). + +- Update to version 3.5 + * Allow user to set SYSCONFDIR + * always write kernel policy when check_ext_changes is specified +- Added additional developer key (Jason Zaman) + +- Update to version 3.4 + * Optionally rebuild policy when modules are changed externally + * Fix USE_AFTER_FREE (CWE-672) in semanage_direct_get_module_info() + * Allow spaces in user/group names + +- Drop Buildrequires for libustr-devel, not needed anymore + +- Update to version 3.3 + * Fixed use-after-free in parse_module_store() + * Fixed use_after_free in semanage_direct_write_langext() + +- Link to correct so version +- Minor spec file cleanups + +- Move configuration file to separate libsemanage-conf package to allow + for parallel installation in future versions + +- Update to version 3.2 + * dropped old and deprecated symbols and functions + libsemanage version was bumped to libsemanage.so.2 + * libsemanage tries to sync data to prevent empty files in SELinux module + store + libsepol +- Enable LTO now (boo#1138813). + +- Update to version 3.5 + * Stricter policy validation + * do not write empty class definitions to allow simpler round-trip tests + * reject attributes in type av rules for kernel policies +- Added additional developer key (Jason Zaman) + +- Update to version 3.4 + * Add 'ioctl_skip_cloexec' policy capability + * Add sepol_av_perm_to_string + * Add policy utilities + * Support IPv4/IPv6 address embedding + * Hardened/added many validations + * Add support for file types in writing out policy.conf + * Allow optional file type in genfscon rules + +- Update to version 3.3 + * Dropped CVE-2021-36085.patch, CVE-2021-36086.patch, CVE-2021-36087.patch + are all included + * Lot of smaller fixes identified by fuzzing + +- Fix heap-based buffer over-read in ebitmap_match_any (CVE-2021-36087, 1187928. + Added CVE-2021-36087.patch + +- Fix use-after-free in __cil_verify_classperms (CVE-2021-36085, 1187965). + Added CVE-2021-36085.patch +- Fix use-after-free in cil_reset_classpermission (CVE-2021-36086, 1187964). + Added CVE-2021-36086.patch + +- Update to version 3.2 + * more space-efficient form of storing filename transitions in the binary + policy and reduced the size of the binary policy + * dropped old and deprecated symbols and functions. Version was bumped to + libsepol.so.2 + +- install to /usr (boo#1029961) + libssh2_org +- Security fix: [bsc#1218127, CVE-2023-48795] + * Add 'strict KEX' to fix CVE-2023-48795 "Terrapin Attack" + * Add libssh2_org-CVE-2023-48795.patch + libstorage-ng +- merge gh#openSUSE/libstorage-ng#968 +- make more use of new SystemCmd interface +- 4.5.161 + +- merge gh#openSUSE/libstorage-ng#967 +- block more udev by-id links (bsc#1217459) +- adapted testsuite +- 4.5.160 + +- Translated using Weblate (Portuguese (Brazil)) (bsc#1149754) +- 4.5.159 + +- merge gh#openSUSE/libstorage-ng#966 +- fixed build with libxml 2.12.0 +- 4.5.158 + +- merge gh#openSUSE/libstorage-ng#965 +- refactored class SystemCmd +- fixed passing huge amount of data to stdin +- coding style +- 4.5.157 + +- merge gh#openSUSE/libstorage-ng#964 +- extended testsuite +- 4.5.156 + +- merge gh#openSUSE/libstorage-ng#963 +- extended testsuite +- 4.5.155 + +- merge gh#openSUSE/libstorage-ng#962 +- improved error reporting in SystemCmd +- 4.5.154 + +- merge gh#openSUSE/libstorage-ng#961 +- added testcase +- 4.5.153 + +- merge gh#openSUSE/libstorage-ng#960 +- make more use of new SystemCmd interface +- added const +- 4.5.152 + +- merge gh#openSUSE/libstorage-ng#959 +- removed unused function + +- merge gh#openSUSE/libstorage-ng#958 +- make more use of new SystemCmd interface +- prefer make_unique over new +- fixed compound action generation for removing btrfs qgroup + relations + libtirpc +- fix sed parsing for libtirpc.pc.in in specfile (boo#1216862) + lsof +- lsof 4.99.0: + * Do not hard-code fd numbers in epoll test + * --with-selinux configure option. + * Improve performance by using closefrom() + * Introduce liblsof for programmatic access over spawning lsof + in a subprocess +- build with libtirpc +- switch to upstream tarball again as it dropped proprietary code + +- Repacked tarball to remove proprietary code in dialects/uw/uw7/sys/fs + +- lsof 4.98.0: + * Fix two potential null pointer access bug when gethostbyname2() + returns an empty address list + * Fix handling of empty command name + * Add -H switch to print human readable size, e.g. 123.4K + +- update to 4.97.0: + * Remove support because the os is no longer updated for + more than 10 years + * Remove support because the os is no longer updated + for more than 20 years + * Add experimental build system based on Autotools + * Fixed LTsock testing on darwin + * Remove NEW and OLD folders + * Fix FreeBSD testcases + * Rewrite documentation and publish at https://lsof.readthedocs.io/ + +- update to 4.96.5: + * Avoid C89-only constructs is Configure +- drop format.patch, now upstream + +- format.patch: Use correct scanf/printf format for uint64_t +- Build with %{optflags} + +- update to 4.96.4 + * fix hash functions used for finding local tcp/udp IPCs + * Show copyright notice in --version output. + * Avoid some easy collissions for udp/udp6 sockets when hashing + * Changing the number of ipcbuckets to 4096 + * obtain correct information of memory-mapped file. +- drop remove-hostname.patch now upstream + +- Update remove-hostname.patch with the upstream version + +- Fix hostname in reproducible builds, bsc#1199709 + * remove-hostname.patch + +- update to 4.95.0: + * Update perl scripts for the past few decades of progress + * Drop LSOF_CCDATE across all dialects to ensure reproducible builds + * Fix FD field description. + * Adjust alignment of buffer passed to stat(). + * Clean up source code and documents. + - remove trailing whitespace, + - fix some issues in scripts found through shellcheck, and + - fix spelling + * man page: fix hyphen issues + * Fix broken LSOF_CFLAGS_OVERRIDE. + * [linux] Remove sysvlegacy function. + * [linux] use close_range instead of calling close repeatedly + * Add -Q option for adjusting exit status when failed to find a + search item (#129) +- drop lsof-no-build-date-etc.patch (obsolete) + +- Update to 4.94.0: + * Fix various bugs + * Display more information for eventfd and other objects +- Remove lsof-glibc-linux-5.0.patch as it has been fixed upstream +- Remove lsof_4.81-include.patch as it is not needed anymore +- Remove lsof_4.81-perl.patch as this change is now done inside the spec file +- Remove lsof_4.81-fmt.patch as it is not needed anymore + +- update to 4.93.2: + The maintainership is switched from Vic to lsof-org + Made FreeBSD 13 adjustment. + Fix a typo causing a build error. + Fix a potential memory leak. + [linux] use tirpc for rpc if libc doesn't provide rpc.h. + Fix a typo in man page. + fix memory leaks detected by valgrind about unix endpoint + information. + Update the description about -fg and -fG options on linux. + Fix a broken symbolic link. + Update the version number embedded in lsof executable. +- lsof-no-build-date-etc.patch: refreshed against newer base + +- Add lsof-glibc-linux-5.0.patch: Fix build with + linux-glibc-devel-5.0 by including sysmacros.h as needed (bsc#1181571) + -- license update: Zlib - lsof license is most similar to Zlib (also use SPDX format) - -- repack the tarball to remove legally problematic files - (bnc#705143) - -- change perl reference to /usr/bin/perl which actually exists - -- perl4 refference causes missing perl4 dependency - -- portability fixes (by Pascal) - -- Do not include build host specific information including - date and compilation time to make build-compare happy - -- update to lsof 4.84 - * corrects a man page nroff command error - * recognizes FreeBSD 7.3 - * adds improved task support, initially for Linux - -- update to lsof 4.83 - * corrects an over-zealous test that causes lsof to produce no - ouput when the HASSECURITY and HASNOSOCKSECURITTY have been - specified at lsof build time - * fixes a typo with the LINUX_HASSELUNIX Configure variable - * accepts LSOF_RANLIB from the environment - * added Linux test for __UCLIBC__ - -- fix 64bit issue (gcc 4.5) - -- enable parallel build - lvm2 +- Update lvm2 from LVM2.2.03.16 to LVM2.2.03.22 (jsc#PED-6339) + * 2.03.22: + * Fix pv_major/pv_minor report field types so they are integers, not strings. + * Add lvmdevices --delnotfound to delete entries for missing devices. + * Always use cachepool name for metadata backup LV for lvconvert --repair. + * Make metadata backup LVs read-only after pool's lvconvert --repair. + * Handle 'lvextend --usepolicies' for pools for all activation variants. + * Fix memleak in vgchange autoactivation setup. + * Support conversion from thick to fully provisioned thin LV. + * Cache/Thin-pool can use error and zero volumes for testing. + * Individual thin volume can be cached, but cannot take snapshot. + * internal support for handling error and zero target (for testing). + * COW above trimmed maximal size is does not return error. + * Add lvm.conf thin_restore and cache_restore settings. + * Handle multiple mounts while resizing volume with a FS. + * Handle leading/trailing spaces in sys_wwid and sys_serial used by deivce_id. + * Fix failing -S|--select for non-reporting cmds if using LV info/status fields. + * Allow snapshots of raid+integrity LV. + * Fix multisegment RAID1 allocator to prevent using single disk for more legs. + * 2.03.21: + * Allow (write)cache over raid+integrity LV. + * 2.03.20: + * Fix segfault if using -S|--select with log/report_command_log=1 setting. + * 2.03.19: + * Do not reset SYSTEMD_READY variable in udev for PVs on MD and loop devices. + * Ensure udev is processing origin LV before its thick snapshots LVs. + * 2.03.18: + * Fix warning for thin pool overprovisioning on lvextend. + * Add support for writecache metadata_only and pause_writeback settings. + * Fix missing error messages in lvmdbusd. + * 2.03.17: + * Add new options (--fs, --fsmode) for FS handling when resizing LVs (btrfs is unsupported). + * Fix 'lvremove -S|--select LV' to not also remove its historical LV right away. + * Fix lv_active field type to binary so --select and --binary applies properly. + * Error out in lvm shell if using a cmd argument not supported in the shell. + * Fix lvm shell's lastlog command to report previous pre-command failures. + * Add --valuesonly option to lvmconfig to print only values without keys. + * Add json_std output format for more JSON standard compliant version of output. + * Fix many corner cases in device_id, including handling of S/N duplicates. + * Fix various issues in lvmdbusd. +- device-mapper version upgrade to 1.02.196 + * Improve parallel creation of /dev/mapper/control device node. + * Import previous ID_FS_* udev records in 13-dm-disk.rules for suspended DM dev. + * Remove NAME="mapper/control" rule from 10-dm.rules to avoid udev warnings. + * Improve 'dmsetup create' without given table line with new kernels. + * Add DM_REPORT_GROUP_JSON_STD for more JSON standard compliant output format. +- Drop patches that have been merged into upstream + - 0001-devices-file-move-clean-up-after-command-is-run.patch + - 0002-devices-file-fail-if-devicesfile-filename-doesn-t-ex.patch + - 0003-filter-mpath-handle-other-wwid-types-in-blacklist.patch + - 0004-filter-mpath-get-wwids-from-sysfs-vpd_pg83.patch + - 0005-pvdisplay-restore-reportformat-option.patch + - 0006-exit-with-error-when-devicesfile-name-doesn-t-exist.patch + - 0007-report-fix-pe_start-column-type-from-NUM-to-SIZ.patch + - 0008-_vg_read_raw_area-fix-segfault-caused-by-using-null-.patch + - 0009-mm-remove-libaio-from-being-skipped.patch + - 0010-dmsetup-check-also-for-ouf-of-range-value.patch + - 0011-devices-drop-double-from-sysfs-path.patch + - 0012-devices-file-fix-pvcreate-uuid-matching-pvid-entry-w.patch + - 0013-vgimportdevices-change-result-when-devices-are-not-a.patch + - 0014-vgimportdevices-fix-locking-when-creating-devices-fi.patch + - bug-1203216_lvmlockd-purge-the-lock-resources-left-in-previous-l.patch + - bug-1212613_apply-multipath_component_detection-0-to-duplicate-P.patch +- Add upstream patch + + 0001-lvconvert-swapmetadata-fix-lvmlockd-locking.patch + + 0002-lvconvert-fix-ret-values-fro-integrity-remove.patch + + 0003-lvconvert-fix-regresion-from-integrity-check.patch + + 0004-gcc-cleanup-warnings.patch + + 0005-lvmlockd-fix-thick-to-thin-lv-conversion.patch + + 0006-lvmlockd-let-lockd_init_lv_args-set-lock_args.patch + + 0007-lvmlockd-fix-lvconvert-to-thin-pool.patch + + 0008-lvconvert-run-error-path-code-only-for-shared-VG.patch + + 0009-vgchange-acquire-an-exclusive-VG-lock-for-refresh.patch + + 0010-lvmlockd-client-mutex-ordering.patch + + 0011-filesystem-move-stat-after-open-check.patch + + 0012-tests-check-for-writecache.patch + + 0013-lvresize-fix-32-bit-overflow-in-size-calculation.patch + + 0014-gcc-fix-warnings-for-x32-architecture.patch + + 0015-gcc-warning-missing-braces-around-initializer.patch + + 0016-test-improve-aux-teardown.patch + + 0017-tests-aux-try-with-extra-sleep.patch + + 0018-tests-aux-using-singl-lvmconf-call.patch + + 0019-tests-missing-to-check-for-writecache-support.patch + + 0020-tests-pvmove-large-disk-area.patch + + 0021-tests-enforce-full-fs-check.patch + + 0022-tests-update-for-work-in-fake-dev-environment.patch + + 0023-tests-skip-test-when-lvmdbusd-runs-on-the-system.patch + + 0024-tests-better-slowdown.patch +- Update patch + - bug-1037309_Makefile-skip-compliling-daemons-lvmlockd-directory.patch + - bug-1184124-link-tests-as-PIE.patch + - bug-1184687_Add-nolvm-for-kernel-cmdline.patch + - fate-31841-03_tests-new-test-suite-of-fsadm-for-btrfs.patch +- Rename & Update patch + - bug-1012973_simplify-special-case-for-md-in-69-dm-lvm-metadata.patch + + bug-1012973_simplify-special-case-for-md-in-69-dm-lvm-rules.patch +- update lvm2.spec + - change upstream_device_mapper_version to 1.02.196 + - change device_mapper_version to %{lvm2_version}_1.02.196 + - add config item "-with-libexecdir=%{_libexecdir}" to fix libexec path since commit a2d33cdf + - add new binary "%{_libexecdir}/lvresize_fs_helper" to lvm2 package + lvm2:devicemapper +- Update lvm2 from LVM2.2.03.16 to LVM2.2.03.22 (jsc#PED-6339) + * 2.03.22: + * Fix pv_major/pv_minor report field types so they are integers, not strings. + * Add lvmdevices --delnotfound to delete entries for missing devices. + * Always use cachepool name for metadata backup LV for lvconvert --repair. + * Make metadata backup LVs read-only after pool's lvconvert --repair. + * Handle 'lvextend --usepolicies' for pools for all activation variants. + * Fix memleak in vgchange autoactivation setup. + * Support conversion from thick to fully provisioned thin LV. + * Cache/Thin-pool can use error and zero volumes for testing. + * Individual thin volume can be cached, but cannot take snapshot. + * internal support for handling error and zero target (for testing). + * COW above trimmed maximal size is does not return error. + * Add lvm.conf thin_restore and cache_restore settings. + * Handle multiple mounts while resizing volume with a FS. + * Handle leading/trailing spaces in sys_wwid and sys_serial used by deivce_id. + * Fix failing -S|--select for non-reporting cmds if using LV info/status fields. + * Allow snapshots of raid+integrity LV. + * Fix multisegment RAID1 allocator to prevent using single disk for more legs. + * 2.03.21: + * Allow (write)cache over raid+integrity LV. + * 2.03.20: + * Fix segfault if using -S|--select with log/report_command_log=1 setting. + * 2.03.19: + * Do not reset SYSTEMD_READY variable in udev for PVs on MD and loop devices. + * Ensure udev is processing origin LV before its thick snapshots LVs. + * 2.03.18: + * Fix warning for thin pool overprovisioning on lvextend. + * Add support for writecache metadata_only and pause_writeback settings. + * Fix missing error messages in lvmdbusd. + * 2.03.17: + * Add new options (--fs, --fsmode) for FS handling when resizing LVs (btrfs is unsupported). + * Fix 'lvremove -S|--select LV' to not also remove its historical LV right away. + * Fix lv_active field type to binary so --select and --binary applies properly. + * Error out in lvm shell if using a cmd argument not supported in the shell. + * Fix lvm shell's lastlog command to report previous pre-command failures. + * Add --valuesonly option to lvmconfig to print only values without keys. + * Add json_std output format for more JSON standard compliant version of output. + * Fix many corner cases in device_id, including handling of S/N duplicates. + * Fix various issues in lvmdbusd. +- device-mapper version upgrade to 1.02.196 + * Improve parallel creation of /dev/mapper/control device node. + * Import previous ID_FS_* udev records in 13-dm-disk.rules for suspended DM dev. + * Remove NAME="mapper/control" rule from 10-dm.rules to avoid udev warnings. + * Improve 'dmsetup create' without given table line with new kernels. + * Add DM_REPORT_GROUP_JSON_STD for more JSON standard compliant output format. +- Drop patches that have been merged into upstream + - 0001-devices-file-move-clean-up-after-command-is-run.patch + - 0002-devices-file-fail-if-devicesfile-filename-doesn-t-ex.patch + - 0003-filter-mpath-handle-other-wwid-types-in-blacklist.patch + - 0004-filter-mpath-get-wwids-from-sysfs-vpd_pg83.patch + - 0005-pvdisplay-restore-reportformat-option.patch + - 0006-exit-with-error-when-devicesfile-name-doesn-t-exist.patch + - 0007-report-fix-pe_start-column-type-from-NUM-to-SIZ.patch + - 0008-_vg_read_raw_area-fix-segfault-caused-by-using-null-.patch + - 0009-mm-remove-libaio-from-being-skipped.patch + - 0010-dmsetup-check-also-for-ouf-of-range-value.patch + - 0011-devices-drop-double-from-sysfs-path.patch + - 0012-devices-file-fix-pvcreate-uuid-matching-pvid-entry-w.patch + - 0013-vgimportdevices-change-result-when-devices-are-not-a.patch + - 0014-vgimportdevices-fix-locking-when-creating-devices-fi.patch + - bug-1203216_lvmlockd-purge-the-lock-resources-left-in-previous-l.patch + - bug-1212613_apply-multipath_component_detection-0-to-duplicate-P.patch +- Add upstream patch + + 0001-lvconvert-swapmetadata-fix-lvmlockd-locking.patch + + 0002-lvconvert-fix-ret-values-fro-integrity-remove.patch + + 0003-lvconvert-fix-regresion-from-integrity-check.patch + + 0004-gcc-cleanup-warnings.patch + + 0005-lvmlockd-fix-thick-to-thin-lv-conversion.patch + + 0006-lvmlockd-let-lockd_init_lv_args-set-lock_args.patch + + 0007-lvmlockd-fix-lvconvert-to-thin-pool.patch + + 0008-lvconvert-run-error-path-code-only-for-shared-VG.patch + + 0009-vgchange-acquire-an-exclusive-VG-lock-for-refresh.patch + + 0010-lvmlockd-client-mutex-ordering.patch + + 0011-filesystem-move-stat-after-open-check.patch + + 0012-tests-check-for-writecache.patch + + 0013-lvresize-fix-32-bit-overflow-in-size-calculation.patch + + 0014-gcc-fix-warnings-for-x32-architecture.patch + + 0015-gcc-warning-missing-braces-around-initializer.patch + + 0016-test-improve-aux-teardown.patch + + 0017-tests-aux-try-with-extra-sleep.patch + + 0018-tests-aux-using-singl-lvmconf-call.patch + + 0019-tests-missing-to-check-for-writecache-support.patch + + 0020-tests-pvmove-large-disk-area.patch + + 0021-tests-enforce-full-fs-check.patch + + 0022-tests-update-for-work-in-fake-dev-environment.patch + + 0023-tests-skip-test-when-lvmdbusd-runs-on-the-system.patch + + 0024-tests-better-slowdown.patch +- Update patch + - bug-1037309_Makefile-skip-compliling-daemons-lvmlockd-directory.patch + - bug-1184124-link-tests-as-PIE.patch + - bug-1184687_Add-nolvm-for-kernel-cmdline.patch + - fate-31841-03_tests-new-test-suite-of-fsadm-for-btrfs.patch +- Rename & Update patch + - bug-1012973_simplify-special-case-for-md-in-69-dm-lvm-metadata.patch + + bug-1012973_simplify-special-case-for-md-in-69-dm-lvm-rules.patch +- update lvm2.spec + - change upstream_device_mapper_version to 1.02.196 + - change device_mapper_version to %{lvm2_version}_1.02.196 + - add config item "-with-libexecdir=%{_libexecdir}" to fix libexec path since commit a2d33cdf + - add new binary "%{_libexecdir}/lvresize_fs_helper" to lvm2 package + mariadb-connector-c +- Update to release 3.1.22: + * https://mariadb.com/kb/en/mariadb-connector-c-3-1-22-release-notes/ + ncurses +- Add patch bsc1218014-cve-2023-50495.patch + * Fix CVE-2023-50495: segmentation fault via _nc_wrap_entry() + +- Add patch boo1201384.patch + * Do not fully reset serial lines + openssh +- Added openssh-cve-2023-48795.patch (bsc#1217950, CVE-2023-48795). + This mitigates a prefix truncation attack that could be used to + undermine channel security. + +- Enhanced SELinux functionality. Added + * openssh-7.8p1-role-mls.patch + Proper handling of MLS systems and basis for other SELinux + improvements + * openssh-6.6p1-privsep-selinux.patch + Properly set contexts during privilege separation + * openssh-6.6p1-keycat.patch + Add ssh-keycat command to allow retrival of authorized_keys + on MLS setups with polyinstantiation + * openssh-6.6.1p1-selinux-contexts.patch + Additional changes to set the proper context during privilege + separation + * openssh-7.6p1-cleanup-selinux.patch + Various changes and putting the pieces together + For now we don't ship the ssh-keycat command, but we need the patch + for the other SELinux infrastructure + This change fixes issues like bsc#1214788, where the ssh daemon + needs to act on behalf of a user and needs a proper context for this + openvpn +- update to 2.6.8: (jsc#PED-5763 bsc#1217073) + * SIGSEGV crash: Do not check key_state buffers that are in S_UNDEF + state - the new sanity check function introduced in 2.6.7 sometimes + tried to use a NULL pointer after an unsuccessful TLS handshake + * CVE-2023-46850 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly + use a send buffer after it has been free()d in some circumstances, + causing some free()d memory to be sent to the peer. All configurations + using TLS (e.g. not using --secret) are affected by this issue. + * CVE-2023-46849 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly + restore --fragment configuration in some circumstances, leading to a + division by zero when --fragment is used. On platforms where division + by zero is fatal, this will cause an OpenVPN crash. + * DCO: warn if DATA_V1 packets are sent by the other side - this a hard + incompatibility between a 2.6.x client connecting to a 2.4.0-2.4.4 + server, and the only fix is to use --disable-dco. + * Remove OpenSSL Engine method for loading a key. This had to be removed + because the original author did not agree to relicensing the code with + the new linking exception added. This was a somewhat obsolete feature + anyway as it only worked with OpenSSL 1.x, which is end-of-support. + * add warning if p2p NCP client connects to a p2mp server - this is a + combination that used to work without cipher negotiation (pre 2.6 on + both ends), but would fail in non-obvious ways with 2.6 to 2.6. + * add warning to --show-groups that not all supported groups are listed + (this is due the internal enumeration in OpenSSL being a bit weird, + omitting X448 and X25519 curves). + * --dns: remove support for exclude-domains argument (this was a new 2.6 + option, with no backend support implemented yet on any platform, and it + turns out that no platform supported it at all - so remove option again) + * warn user if INFO control message too long, do not forward to management + client (safeguard against protocol-violating server implementations) + * DCO-WIN: get and log driver version (for easier debugging). + * print "peer temporary key details" in TLS handshake + * log OpenSSL errors on failure to set certificate, for example if the + algorithms used are in acceptable to OpenSSL (misleading message would be + printed in cryptoapi / pkcs11 scenarios) + * add CMake build system for MinGW and MSVC builds + * remove old MSVC build system + * improve cmocka unit test building for Windows + p11-kit +- Ensure that programs using can be compiled + with CRYPTOKI_GNU. Fixes GnuTLS builds. [jsc#PED-6705] + * Add p11-kit-pkcs11-gnu-Enable-testing-with-p11-kit-pkcs11x.h.patch + -- new version 0.20.3 - * Fix problems reinitializing managed modules after fork - * Fix bad bookeeping when fail initializing one of the modules - * Fix case where module would be unloaded while in use [#74919] - * Remove assertions when module used before initialized [#74919] - * Fix handling of mmap failure and mapping empty files [#74773] - * Stable p11_kit_be_quiet() and p11_kit_be_loud() functions - * Require automake 1.12 or later - * Build fixes for Windows [#76594 #74149] -- apply patches to avoid errors from certificates with invalid public key - (fdo#82328, bnc#890908, - trust-Dont-use-invalid-public-keys-for-looking-up-.patch, - trust-Print-label-of-certificate-when-complaining-.patch) - perl-Cpanel-JSON-XS +- updated to 4.37 + see /usr/share/doc/packages/perl-Cpanel-JSON-XS/Changes + 4.37 2023-07-04 (rurban) + - Fix NAN/INF for AIX (Tux: AIX-5.3, tested by XSven on AIX-7.3) GH #165 + - Fix empty string result in object stringification (PR #221 jixam) + - Allow \' in strings when allow_singlequote is enabled (PR #217 warpspin) + plocate +- Add Provides/Obsoletes mlocate for Tumbleweed only + * Since CtLG Leap have try to make SLE compatible as much as possible, + SLE's default locate system is mlocate and it should not be replaced + by other locate service by default. plocate be an option. + poppler -- security update -- added patches - fix CVE-2023-34872 [bsc#1213888], remote denial-of-service in OutlineItem::open in Outline.cc - + poppler-CVE-2023-34872.patch +- Add patch to let it build with the heavily patched tiff 4.0.9 + we have in SLE 15: + * reduce-libtiff-required-version.patch + +- version update to 23.10.0 + core: + * cairo: update type 3 fonts for cairo 1.18 api + * Fix crash on malformed files + build system: + * Make a few more dependencies soft-mandatory + * Add more supported gnupg releases + * Check if linker supports version scripts +- modified patches + % reduce-boost-required-version.patch (refreshed) + +- build with gpgmepp for signing documents (bsc#1215632) + +- Update to version 23.09.0: + * core: + - Add Android-specific font matching functionality + - Fix digital signatures for NeedAppearance=true + - Forms: Don't look up same glyph multiple times + - Provide the key location for certificates you can sign with + - Add ToUnicode support for similarequal + - Fix crash on malformed files + * qt5: + - Provide the key location for certificates you can sign with + - Allow to force a rasterized overprint preview during PS + conversion + * qt6: + - Provide the key location for certificates you can sign with + - Allow to force a rasterized overprint preview during PS + conversion + * pdfsig: + - Provide the key location for certificates you can sign with +- Changes from version 23.08.0: + * core: + - Fix GWG 19.2 - DeviceN Overprint (White) + - Splash: avoid bogus memory allocation size in + doTilingPatternFill + - Fix use-of-uninitialized-value in XRef + - Fix float-cast-overflow error in Catalog + - Cleanup gpgme backend code + - Version symbols in poppler core + * glib: + - Improve poppler_get_available_signing_certificates + - Add new members to PopplerCertificateInfo + * utils: + - pdftotext: small improvement to man page +- Bump poppler_sover to 131 following upstream changes. + +- update to 23.07.0: + core: + * Fix reading of utf8-with-bom files + * Fix crash if CERT_ExtractPublicKey doesn't return a public + key + * Fix rendering of some malformed documents. Issue #1395 + * Allow for stream compression and compress font streams in + forms Remove method Hints::getPageRanges + qt5: + * Fix crash when overprint preview is enabled + * Don't fail signature basics tests if backend is not + configured + qt6: + * Fix crash when overprint preview is enabled + * Don't fail signature basics tests if backend is not + configured + utils: + * pdfsig: Allow showung and selecting signature backend + * pdfsig: Describe signature dump format in manual page + +- update to 23.06.0 (bsc#1212255): + * CairoOutputDev: Fix crash when doing type3 rendering + * Fix crash with unknown signature hashing algorithms + * Add gpgme backend for signature handling + * FontInfo: Make it return proper information about font + substitution + * FontInfo: Try harder to get Type 3 font name + * Store embedded fonts widths table in a more effective manner + * Skip font lookup for nonprintable characters + * Fix crash on malformed files + * Add API to allow selecting signature backend (nss or gpgme) + * Convert embedded files to bytearray a bit smarter + +- update to 23.05.0: + * Fix crash when filling some forms + * Set SigFlags when signing unsigned signature + * Add some infrastructure code to support multiple signing + backends + * Fix potential stack overflow in PostScriptFunction::parseCode + * Fix some minor uninitialised memory reads + +- update to 23.04.0: + * Fix memory issue when signing fails. Issue #1372 + * Internal improvements of signature related code + * CairoOutputDev: improve type3 font rendering + * Fix memory leak in + GlobalParams::findSystemFontFileForFamilyAndStyle + * pdftocairo: Fix crash in some special situations + * pdfsig: allow holes in -dump signature list + * pdfsig: Support --help + +- update to 23.03.0: + core: + * PngWriter: Fix potential uninitialized memory use + +- Update to version 23.02.0: + + core: + * CairoOutputDev: + . Fix rendering of color type 3 fonts + . Add handling matte entry + * Fix segfault on wrong nssdir + * Fix "NSS could not shutdown" + + utils: pdfsig: Point out supports PKCS#11 URIs as nickname postfix +- (bsc#1218304) VUL-0: postfix: new SMTP smuggling attack + (bsc#1218314) SMTP Smuggling - Spoofing E-Mails Worldwide + Apply patch containing the feature smtpd_forbid_unauth_pipelining + as default yes. + add patch: + postfix-3.7-patch06 +- Security: the Postfix SMTP server optionally disconnects remote + SMTP clients that violate RFC 2920 (or 5321) command pipelining + constraints. The server replies with "554 5.5.0 Error: SMTP protocol + synchronization" and logs the unexpected remote SMTP client input. + Specify "smtpd_forbid_unauth_pipelining = yes" to enable. +- Workaround to limit collateral damage from OS distributions that + crank up security to 11, increasing the number of plaintext email + deliveries. This introduces basic OpenSSL configuration file support, + with two new parameters "tls_config_file" and "tls_config_name". + Details are in the postconf(5) manpage under "tls_config_file" and + "tls_config_name". + ppp +- bsc#1218251, CVE-2022-4603, ppp-CVE-2022-4603.patch: improper + validation of array index of the component pppdump. + python-pip +- Add CVE-2023-5752-r-param-hg.patch to fix bsc#1217353 + (CVE-2023-5752) avoiding injection of arbitrary configuration + through Mercurial parameter. + python3-cryptography +- Add CVE-2023-49083.patch to fix A null-pointer-dereference and + segfault could occur when loading certificates from a PKCS#7 bundle. + bsc#1217592 + rdma-core +- Update to v49.0 (jsc#PED-6891, jsc#PED-6864, jsc#PED-6839, jsc#PED-6836, + jsc#PED-6828, jsc#PED-6824, jsc#PED-6958, jsc#PED-6943, jsc#PED-6933, jsc#PED-6916) + - No release notes available. + sg3_utils +- Make sure initrd is rebuilt when sg3_utils is updated + (bsc#1215772) + +- Update to version 1.47+15.b6898b8: + * rescan-scsi-bus.sh: remove /tmp/rescan-scsi-mpath-info.txt + (gh#doug-gilbert/sg3_utils#44) + * rescan_scsi_bus.sh: fix multipath issue when called with -s and + without -u (bsc#1215720, bsc#1216355) + tracker-miners +- Add tracker-miners-CVE-2023-5557.patch: A bug in libcue could + lead to possible sandbox escape in tracker-extract, this fixes it + by adding seccomp rules and applying it to the whole process + (bsc#1216199, glgo#GNOME/tracker-miners!480, CVE-2023-5557). +- Refresh tracker-miners-drop-syscalls-in-seccomp.patch: The patch + context is changed by tracker-miners-CVE-2023-5557.patch. + webkit2gtk3 +- Update to version 2.42.4 (boo#1218032): + + Fix incorrect random images incorrectly displayed as + backgrounds of
elements. + + Fix videos displayed aliased after being resized e.g. in + YouTube. + + Fix several crashes and rendering issues. + + Security fixes: CVE-2023-42883. + +- Update to version 2.42.3 (boo#1217844): + + Fix flickering while playing videos with DMA-BUF sink. + + Fix color picker being triggered in the inspector when typing + "tan". + + Do not special case the "sans" font family name. + + Fix build failure with libxml2 version 2.12.0 due to an API + change. + + Fix several crashes and rendering issues. + + Security fixes: CVE-2023-42916, CVE-2023-42917. + - boo#1215868 boo#1215869 boo#1215870): + boo#1215868 boo#1215869 boo#1215870 boo#1218033): - + Security fixes: CVE-2023-39928, CVE-2023-41074, CVE-2023-32359. + + Security fixes: CVE-2023-39928, CVE-2023-41074, CVE-2023-32359, + CVE-2023-42890. wireless-regdb +- Define %{_firmwaredir} if not defined. This fixes RPM build errors. + +- Update to version 20230901: + * wireless-regdb: update regulatory database based on preceding changes + * wireless-regdb: Update regulatory rules for Australia (AU) for June 2023 + +- Update to version 20230721: + * wireless-regdb: Update regulatory info for Türkiye (TR) + * wireless-regdb: Update regulatory rules for Egypt (EG) from March 2022 guidelines + +- Update to version 20230601: + * wireless-regdb: Update regulatory rules for Philippines (PH) + +- Update to version 20230503: + * wireless-regdb: update regulatory database based on preceding changes + * wireless-regdb: Update regulatory rules for Hong Kong (HK) + * wireless-regdb: update regulatory rules for India (IN) + * wireless-regdb: Update regulatory rules for Russia (RU). Remove DFS requirement. + * Update regulatory info for Russia (RU) on 6GHz + +- Update to version 20230213: + * wireless-regdb: update regulatory database based on preceding changes + * wireless-regdb: Update regulatory info for Russia (RU) on 5GHz + +- Update to version 20221205: + * wireless-regdb: Update regulatory rules for Japan (JP) on 6GHz + * wireless-regdb: Update regulatory rules for Japan (JP) on 5GHz + +- Update to version 20221012: + * wireless-regdb: update regulatory rules for Switzerland (CH) + * wireless-regdb: Update regulatory rules for Brazil (BR) + +- Update to version 20220812: + * wireless-regdb: update regulatory database based on preceding changes + * wireless-regdb: update 5 GHz rules for PK and add 60 GHz rule + * wireless-regdb: add 5 GHz rules for GY + * wireless-regdb: update regulatory database based on preceding changes + * wireless-regdb: Unify 6 GHz rules for EU contries + * wireless-regdb: Remove AUTO-BW from 6 GHz rules + * wireless-regdb: update regulatory rules for Bulgaria (BG) on 6GHz + * Regulatory update for 6 GHz operation in FI + * Regulatory update for 6 GHz operation in United States (US) + * Regulatory update for 6 GHz operation in Canada (CA) + +- Update to version 20220606: + * wireless-regdb: update regulatory database based on preceding changes + * wireless-regdb: Unify 6 GHz rules for EU contries + * wireless-regdb: Remove AUTO-BW from 6 GHz rules + +- Update to version 20220527: + * wireless-regdb: update regulatory rules for Bulgaria (BG) on 6GHz + * Regulatory update for 6 GHz operation in FI + * Regulatory update for 6 GHz operation in United States (US) + * Regulatory update for 6 GHz operation in Canada (CA) + +- Update to version 20220408: + * wireless-regdb: add db files missing from previous commit + * wireless-regdb: update regulatory database based on preceding changes + * wireless-regdb: Update regulatory rules for Australia (AU) + * wireless-regdb: add missing spaces for US S1G rules + +- Update to version 20220324: + * wireless-regdb: Update regulatory rules for Israel (IL) + +- Update to version 20220218: + * wireless-regdb: update regulatory database based on preceding changes + * wireless-regdb: Update regulatory rules for the Netherlands (NL) on 6GHz + * wireless-regdb: Update regulatory rules for China (CN) + * wireless-regdb: Update regulatory rules for South Korea (KR) + * Revert "wireless-regdb: Update regulatory rules for South Korea (KR)" + * wireless-regdb: Update regulatory rules for Spain (ES) on 6GHz + * wireless-regdb: add 802.11ah bands to world regulatory domain + * wireless-regdb: add support for US S1G channels + * wireless-regdb: Update regulatory rules for France (FR) on 6 and 60 GHz + * wireless-regdb: Update regulatory rules for South Korea (KR) + +- Update to version 20220108: + * wireless-regdb: Update regulatory rules for Croatia (HR) on 6GHz + +- Update to version 20211209: + * wireless-regdb: Raise DFS TX power limit to 250 mW (24 dBm) for the US + +- Update to version 20210828: + * wireless-regdb: update regulatory database based on preceding changes + * Update regulatory rules for Ecuador (EC) + * wireless-regdb: Update regulatory rules for Norway (NO) on 6 and 60 GHz + * wireless-regdb: Update regulatory rules for Germany (DE) on 6GHz + * wireless-regdb: update regulatory database based on preceding changes + * wireless-regdb: reduce bandwidth for 5730-5850 and 5850-5895 MHz in US + * wireless-regdb: remove PTMP-ONLY from 5850-5895 MHz for US + * wireless-regdb: recent FCC report and order allows 5850-5895 immediately + * wireless-regdb: update 5725-5850 MHz rule for GB + +- Update to version 20210421: + * wireless-regdb: update regulatory database based on preceding changes + * wireless-regdb: re-add source url and info for CU + +- Update to version 20210407: + * wireless-regdb: Update regulatory rules for Cuba (CU) on 5GHz + * wireless-regdb: Do not hardcode 'sforshee' in the certificate commonName + +- Update to version 20210129: + * wireless-regdb: Update regulatory rules for Ukraine (UA) + * wireless-regdb: update CNAF regulation url for ES + +- leverage %{_firmwaredir} to install firmware into correct location (boo#1029961) + +- Update to version 20201120: + * wireless-regdb: update regulatory database based on preceding changes + * wireless-regdb: Update regulatory rules for Kazakhstan (KZ) + * wireless-regdb: update 5.8 GHz regulatory rule for GB + * wireless-regdb: Update regulatory rules for Pakistan (PK) on 5GHz + * wireless-regdb: Update regulatory rules for Croatia (HR) + * wireless-regdb: restore channel 12 & 13 limitation in the US + * wireless-regdb: update regulatory rules for Egypt (EG) + +- Fixes for %_libexecdir changing to /usr/libexec + +- Update to version 20200429: + * wireless-regdb: update regulatory database based on preceding changes + * wireless-regdb: update rules for US on 2.4/5G + * GB: Extend to cover DMG channels 5 & 6 + * wireless-regdb: Update regulatory rules for Singapore (SG) + * wireless-regdb: Update regulatory rules for Indonesia (ID) + +- Update to version 20191029: + * regdb: fix compatibility with python2 + * wireless-regdb: Update regulatory rules for Russia (RU) + * wireless-regdb: Harmonize ranges of CEPT countries (stand of July 2019) + * wireless-regdb: Fix ranges of EU countries as they are harmonized since 2014 + * wireless-regdb: Extend 5470-5725 MHz range to 5730 MHz for Taiwan (TW) + * wireless-regdb: Fix overlapping ranges for Switzerland and Liechtenstein + * wireless-regdb: update regulatory database based on preceding changes +- Switch to _service +- Update project url + xf86-video-intel +- n_Mesa-i965-crocus.patch + * Mesa's DRI driver is now called "crocus" (previously "i965"); + fixes hardware OpenGL support when still using "intel" X + driver instead of "modesetting" one ... (boo#1214448) + xfsprogs +- update to v6.5.0 (bsc#1217575, bsc#1217576): + - libxfs: fix atomic64_t detection on x86_32 + - libxfs: use XFS_IGET_CREATE when creating new files + - libfrog: fix overly sleep workqueues + - xfs_db: use directio for device access + - libxfs: make platform_set_blocksize optional with directio + - mkfs: add a config file for 6.6 LTS kernels + - mkfs: enable reverse mapping by default + - mkfs: enable large extent counts by default + - xfs_db: create unlinked inodes + - xfs_db: dump unlinked buckets + - xfsprogs: don't allow udisks to automount XFS filesystems with no prompt + - xfs_repair: fix repair failure caused by dirty flag being abnormally set on buffer +- drop: + - 0001-repair-shift-inode-back-into-place-if-corrupted-by-b.patch + - xfsprogs-mkfs-disable-reflink-support-by-default.patch + - xfsprogs-mkfs-don-t-trample-the-gid-set-in-the-protofile.patch + - xfsprogs-mkfs-enable-bigtime-by-default.patch + - xfsprogs-mkfs-prevent-corruption-of-passed-in-suboption-strin.patch + - xfsprogs-mkfs-terminate-getsubopt-arrays-properly.patch + - xfsprogs-xfs_repair-ignore-empty-xattr-leaf-blocks.patch +- mkfs: disable inobtcnt and nrext64 features by default + - add xfsprogs-mkfs-disable-inobtcnt-and-nrext64-features-by-defaul.patch + xorg-x11-server +- Add missing fixes on U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch + (bsc#1217765). + +- U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch + * Out-of-bounds memory write in XKB button actions (CVE-2023-6377, + ZDI-CAN-22412, ZDI-CAN-22413, bsc#1217765) +- U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch + * Out-of-bounds memory read in RRChangeOutputProperty and + RRChangeProviderProperty (CVE-2023-6478, ZDI-CAN-22561, + bsc#1217766) + xscreensaver +- Update xscreensaver-disable-upgrade-nagging-message.patch to + cover new messages. (boo#1206345, bsc#1217318) + xwayland +- Add missing fixes on U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch + (bsc#1217765). + +- U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch + * Out-of-bounds memory write in XKB button actions (CVE-2023-6377, + ZDI-CAN-22412, ZDI-CAN-22413, bsc#1217765) +- U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch + * Out-of-bounds memory read in RRChangeOutputProperty and + RRChangeProviderProperty (CVE-2023-6478, ZDI-CAN-22561, + bsc#1217766) + yast2-bootloader -- support 32 bit UEFI firmware on x86_64/i386 architecture (bsc#1208003, - jsc#PED-2569) -- 4.6.3 +- Backport: +-- support 32 bit UEFI firmware on x86_64/i386 architecture + (bsc#1208003, jsc#PED-2569) +- 4.6.4 -- Persist zfcp.allow_lun_scan kernel option for s390 arch - (needed for gh#openSUSE/agama#626). -- 4.6.2 +- Branch package for SP6 (bsc#1208913) -- 4.6.1 - -- Bump version to 4.6.0 (bsc#1208913) +- 4.5.9 yast2-network +- Read all the driver modules from hwinfo instead of just the first + driver ones (bsc#1217652). +- 4.6.7 + zbar +- security update: + * CVE-2023-40889 [bsc#1214770] + Fix heap based buffer overflow in qr_reader_match_centers() + + zbar-CVE-2023-40889.patch + * CVE-2023-40890 [bsc#1214771] + Fix stack based buffer overflow in lookup_sequence() + + zbar-CVE-2023-40890.patch +