Removed rpms
============

- corepack20
- gnutls-guile
- google-noto-fonts-doc
- libclc
- libgdal-drivers
- libgdal33
- libgit2-1_3
- libgit2-1_3-32bit
- libgnutls30-hmac
- libgnutls30-hmac-32bit
- libgnutlsxx28
- libibmtss1
- libpoppler126
- libpoppler126-32bit
- libqgpgme7
- libqgpgme7-32bit
- libsemanage1
- libsemanage1-32bit
- libsepol1
- libsepol1-32bit
- libvdpau_virtio_gpu
- libvdpau_virtio_gpu-32bit
- mpich-ofi_4_0_2-gnu-hpc
- mpich-ofi_4_0_2-gnu-hpc-devel
- mpich-ofi_4_0_2-gnu-hpc-devel-static
- mpich-ofi_4_0_2-gnu-hpc-macros-devel
- mpich_4_0_2-gnu-hpc
- mpich_4_0_2-gnu-hpc-devel
- mpich_4_0_2-gnu-hpc-devel-static
- mpich_4_0_2-gnu-hpc-macros-devel
- nodejs20
- nodejs20-devel
- nodejs20-docs
- noto-mono-fonts
- noto-sans-cjk-fonts
- noto-sans-display-fonts
- noto-sans-jp-black-fonts
- noto-sans-jp-bold-fonts
- noto-sans-jp-demilight-fonts
- noto-sans-jp-fonts
- noto-sans-jp-fonts-full
- noto-sans-jp-light-fonts
- noto-sans-jp-medium-fonts
- noto-sans-jp-mono-fonts
- noto-sans-jp-regular-fonts
- noto-sans-jp-thin-fonts
- noto-sans-kr-black-fonts
- noto-sans-kr-bold-fonts
- noto-sans-kr-demilight-fonts
- noto-sans-kr-fonts
- noto-sans-kr-fonts-full
- noto-sans-kr-light-fonts
- noto-sans-kr-medium-fonts
- noto-sans-kr-mono-fonts
- noto-sans-kr-regular-fonts
- noto-sans-kr-thin-fonts
- noto-sans-sc-black-fonts
- noto-sans-sc-bold-fonts
- noto-sans-sc-demilight-fonts
- noto-sans-sc-fonts
- noto-sans-sc-fonts-full
- noto-sans-sc-light-fonts
- noto-sans-sc-medium-fonts
- noto-sans-sc-mono-fonts
- noto-sans-sc-regular-fonts
- noto-sans-sc-thin-fonts
- noto-sans-syriaceastern-fonts
- noto-sans-syriacestrangela-fonts
- noto-sans-syriacwestern-fonts
- noto-sans-tc-black-fonts
- noto-sans-tc-bold-fonts
- noto-sans-tc-demilight-fonts
- noto-sans-tc-fonts
- noto-sans-tc-fonts-full
- noto-sans-tc-light-fonts
- noto-sans-tc-medium-fonts
- noto-sans-tc-mono-fonts
- noto-sans-tc-regular-fonts
- noto-sans-tc-thin-fonts
- noto-sans-tibetan-fonts
- noto-serif-jp-black-fonts
- noto-serif-jp-bold-fonts
- noto-serif-jp-extralight-fonts
- noto-serif-jp-fonts
- noto-serif-jp-fonts-full
- noto-serif-jp-light-fonts
- noto-serif-jp-medium-fonts
- noto-serif-jp-regular-fonts
- noto-serif-jp-semibold-fonts
- noto-serif-kr-black-fonts
- noto-serif-kr-bold-fonts
- noto-serif-kr-extralight-fonts
- noto-serif-kr-fonts
- noto-serif-kr-fonts-full
- noto-serif-kr-light-fonts
- noto-serif-kr-medium-fonts
- noto-serif-kr-regular-fonts
- noto-serif-kr-semibold-fonts
- noto-serif-sc-black-fonts
- noto-serif-sc-bold-fonts
- noto-serif-sc-extralight-fonts
- noto-serif-sc-fonts
- noto-serif-sc-fonts-full
- noto-serif-sc-light-fonts
- noto-serif-sc-medium-fonts
- noto-serif-sc-regular-fonts
- noto-serif-sc-semibold-fonts
- noto-serif-tc-black-fonts
- noto-serif-tc-bold-fonts
- noto-serif-tc-extralight-fonts
- noto-serif-tc-fonts
- noto-serif-tc-fonts-full
- noto-serif-tc-light-fonts
- noto-serif-tc-medium-fonts
- noto-serif-tc-regular-fonts
- noto-serif-tc-semibold-fonts
- npm20
- php7-libphutil
- php7-lzf
- php7-maxminddb
- php7-memcached
- php7-phalcon
- php7-phpunit8
- php7-smbclient
- php7-uuid
- python3-apsw
- python3-pytest-console-scripts
- rime-schema-jyutping
- sssd-common
- sssd-common-32bit
- warewulf4-ipxe

Added rpms
==========

- emptyepsilon
- gpg2-tpm
- guile-gnutls
- libgdal32
- libgit2-1_7
- libgit2-tools
- libgnutlsxx30
- libibmtss2
- libicu73_2-32bit
- libicu73_2-devel-32bit
- liblsof0
- libpoppler132
- libpoppler132-32bit
- libqgpgme15
- libqgpgme15-32bit
- libqgpgmeqt6-15
- libqgpgmeqt6-devel
- libraw23
- libraw23-32bit
- libsemanage-conf
- libsemanage2
- libsemanage2-32bit
- libsepol2
- libsepol2-32bit
- lsof-devel
- mpich-ofi_4_1_2-gnu-hpc
- mpich-ofi_4_1_2-gnu-hpc-devel
- mpich-ofi_4_1_2-gnu-hpc-devel-static
- mpich-ofi_4_1_2-gnu-hpc-macros-devel
- mpich_4_1_2-gnu-hpc
- mpich_4_1_2-gnu-hpc-devel
- mpich_4_1_2-gnu-hpc-devel-static
- mpich_4_1_2-gnu-hpc-macros-devel
- pacemaker-schemas
- python3-pacemaker
- python311-apsw
- python311-pytest-console-scripts
- python311-ruff
- python311-selinux
- ugrep-bash-completion
- ugrep-fish-completion
- ugrep-zsh-completion
- whois-bash-completion

Package Source Changes
======================

389-ds +- bsc#1217581 - Replica ID cannot be specified for consumer and hub roles +- Update to version 2.2.8~git51.3688d68: + * Issue 5984 - Crash when paged result search are abandoned - fix2 (#5987) + * Issue 5984 - Crash when paged result search are abandoned (#5985) + * Issue 5971 - CLI - Fix password prompt for repl status (#5972) + * Issue 5956 - After an upgrade the server won't start - nsslapd-connta… …blesize (#5963) + * Issue 3555 - UI - Fix audit issue with npm - babel/traverse (#5959) + * Issue 5966 - CLI - Custom schema object is removed on a failed edit (#5967) + * Issue 5956 - After an upgrade the server won't start - nsslapd-conntablesize (#5957) + * issue 5924 - ASAN server build crash when looping opening/closing connections (#5926) + * Issue 5848 - Fix condition and add a CI test (#5916) + * Issue 5909 - Multi listener hang with 20k connections (#5917) + * Issue 5853 - Revert MSRV check (#5908) + * Issue 5722 - improve testcase (#5904) + * Bug Description: + * Issue 5858 - WebUI monitoring test fails to run + MozillaFirefox +- Firefox Extended Support Release 115.6.0 ESR + Placeholder changelog-entry (bsc#1217974) + - Placeholder changelog-entry (bsc#1217230) + * Fixed: Various security fixes and other quality improvements. + MFSA 2023-50 (bsc#1217230) + * CVE-2023-6204 (bmo#1841050) + Out-of-bound memory access in WebGL2 blitFramebuffer + * CVE-2023-6205 (bmo#1854076) + Use-after-free in MessagePort::Entangled + * CVE-2023-6206 (bmo#1857430) + Clickjacking permission prompts using the fullscreen + transition + * CVE-2023-6207 (bmo#1861344) + Use-after-free in ReadableByteStreamQueueEntry::Buffer + * CVE-2023-6208 (bmo#1855345) + Using Selection API would copy contents into X11 primary + selection. 
+ * CVE-2023-6209 (bmo#1858570) + Incorrect parsing of relative URLs starting with "///" + * CVE-2023-6212 (bmo#1658432, bmo#1820983, bmo#1829252, + bmo#1856072, bmo#1856091, bmo#1859030, bmo#1860943, + bmo#1862782) + Memory safety bugs fixed in Firefox 120, Firefox ESR 115.5, + and Thunderbird 115.5 avahi +- Add avahi-CVE-2023-38472.patch: Fix reachable assertion in + avahi_rdata_parse (bsc#1216853, CVE-2023-38472). + booth +- Update to version 1.1+git0.09b0074: + * build: Prepare version 1.1 release + * build: Make distcheck work for non-root user + * build: Include icons in release tarballs + * build: Add release.mk + * build: Add gitlog-to-changelog + * tests: Fix Python 3.12 warning + * attr: Fix glib hash_table != NULL assert + * attr: Fix memory leak for list and get operation + * main: Fix exit code on grant/revoke command error + * spec: Migrate to SPDX license +- Added hardening to systemd service(s). Added patch(es): + * harden_booth-arbitrator.service.patch + +- Update to version 1.0+20221117.9d4029a: + * man: Add generated html files into gitignore + * man: remove literal paragraph format from boothd.8 + * man: Remove italic bold formatting + * man: Do not format __defaults__ + * man: Indent peers counters + * man: Move debug description to better place + * test: Add test for unknown/unexpected keyword + * config: Include protocol in error message + * config: Include keyword in error message + * unit file: Remove Alias directive + brickd +- New Version 2.4.5 + - Add Raspberry Pi 5 support for HAT (Zero) Brick + - Fix rare crash in initial USB device scan + +- Fix build error with conflicting strcasestr definition + +- Fixed brickd-rpmlintrc source reference in spec file + removed upstream patch a679ca31b8dbd412e5f379b624200e3a96dda0ce.patch + +- New Version 2.4.4 + - Add menu entry to clear Live Log in Windows Log Viewer + - Abort delayed USB stall recovery if device was removed in the meantime + - Add rate limit for Bricklet error messages + - 
Increase libusb requirement from 1.0.6 to 1.0.20 + - Allow to disable mesh gateway + - Update bundled libusb to 1.0.26.11755 on Windows (Windows Vista or newer + required) and macOS + +- add a679ca31b8dbd412e5f379b624200e3a96dda0ce.patch for RISCV support +- spec-cleaner + brise +- Update brise.spec: + * Add Conflicts condition to insure brise could update successfully + from brise binary rpm, for SUSE:SLE-SP6 update. + * Replace rime-schema-all dependence to real package name to + avoid 2 level of virtual packages when it installed. + +- update brise 20230603+git.5fdd2d6 + * replace io/ioutil usage + * deprecate rime-jyutping with rime-cantonese + * add rime-custom + +- update brise 20230528+git.cece251 + * rime-plum-go supports github's "main" default branch + * brise data is updated to 20230528 + budgie-extras +- Budgie Extras 1.7.1 "Tinker Tailor..." + * CVE-2023-49347: budgie-wpreviews: use of fixed paths in /tmp + (bsc#1213341) + * CVE-2023-49344: windowshufflerdaemon: uses various fixed /tmp + file paths (bsc#1213342) + * CVE-2023-49345: budgie-takeabreak: fixed /tmp path use in + /tmp/nextbreak_ (bsc#1216281) + * CVE-2023-49346: budgie-weathershow: use of fixed path in + /tmp/_weatherdata (bsc#1216282) + * CVE-2023-49342: budgie-clockworks: uses fixed temporary files + in /tmp/_clockworks (bsc#1217595) + * CVE-2023-49343: budgie-dropby: use of fixed paths in + /tmp/_call_dropby and /tmp/_dropby_icon_copy + (bsc#1217597) + checkpolicy +- Update to version 3.5 + * error out if required permission would exceed limit + * Improve error message for type bounds +- Added additional developer key (Jason Zaman) + +- Update to version 3.4 + * warn on bogus IP address or netmask in nodecon statement + * allow wildcard permissions in constraints + * mention class name on invalid permission + +- Update to version 3.3 + * When reading a binary policy by checkpolicy, do not automatically change the version + to the max policy version supported by libsepol or, if specified, 
the value given + using the "-c" flag. + * Updated documentation + * Prints the reason why opening a source policy file failed + +- Update to version 3.2 + * Fix a memleak and an integer overflow + clamav-database +- database refresh on 2023-12-25 (bsc#1084929) + +- database refresh on 2023-12-18 (bsc#1084929) + +- database refresh on 2023-12-11 (bsc#1084929) + cloud-regionsrv-client +- Update to version 10.1.5 (bsc#1217583) + + Fix fallback path when IPv6 network path is not usable + + Enable an IPv6 fallback path in IMDS access if it cannot be accessed + over IPv4 + + Enable IMDS access over IPv6 + +- Update to version 10.1.4 (bsc#1217451) + + Fetch cert for new update server during failover + containerd +- Update to containerd v1.7.8. Upstream release notes: + bsc#1200528 +- Rebase patches: + * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch + cosign +- updated to 2.2.1 (jsc#SLE-23879) + This release comes with a fix for + CVE-2023-46737 / bsc#1216933 described in this [Github Security + Advisory](https://github.com/sigstore/cosign/security/advisories/GHSA-vfp6-jrw2-99g9). + Enhancements: + * feat: Support basic auth and bearer auth login to registry (#3310) + * add support for ignoring certificates with pkcs11 (#3334) + * Support ReplaceOp in Signatures (#3315) + * feat: added ability to get image digest back via triangulate (#3255) + * feat: add `--only` flag in `cosign copy` to copy sign, att & sbom (#3247) + * feat: add support attaching a Rekor bundle to a container (#3246) + * feat: add support outputting rekor response on signing (#3248) + * feat: improve dockerfile verify subcommand (#3264) + * Add guard flag for experimental OCI 1.1 verify. (#3272) + * Deprecate SBOM attachments (#3256) + * feat: dedent line in cosign copy doc (#3244) + * feat: add platform flag to cosign copy command (#3234) + * Add SLSA 1.0 attestation support to cosign. Closes #2860 (#3219) + * attest: pass OCI remote opts to att resolver. 
(#3225) + Bug Fixes: + * Merge pull request from GHSA-vfp6-jrw2-99g9 + * fix: allow cosign download sbom when image is absent (#3245) + * ci: add a OCI registry test for referrers support (#3253) + * Fix ReplaceSignatures (#3292) + * Stop using deprecated in_toto.ProvenanceStatement (#3243) + * Fixes #3236, disable SCT checking for a cosign verification when usin… (#3237) + * fix: update error in `SignedEntity` to be more descriptive (#3233) + * Fail timestamp verification if no root is provided (#3224) + Documentation: + * Add some docs about verifying in an air-gapped environment (#3321) + * Update CONTRIBUTING.md (#3268) + * docs: improves the Contribution guidelines (#3257) + * Remove security policy (#3230) + Others: + * Set go to min 1.21 and update dependencies (#3327) + * Update contact for code of conduct (#3266) + * Update .ko.yaml (#3240) + +- updated to 2.2.0 (jsc#SLE-23879) + - Enhancements + * switch to uploading DSSE types to rekor instead of intoto (#3113) + * add 'cosign sign' command-line parameters for mTLS (#3052) + * improve error messages around bundle != payload hash (#3146) + * make VerifyImageAttestation function public (#3156) + * Switch to cryptoutils function for SANS (#3185) + * Handle HTTP_1_1_REQUIRED errors in github provider (#3172) + - Bug Fixes + * Fix nondeterminsitic timestamps (#3121) + - Documentation + * doc: Add example of sign-blob with key in env var (#3152) + * add deprecation notice for cosign-releases GCS bucket (#3148) + * update doc links (#3186) + +- updated to 2.1.1 (jsc#SLE-23879) + - Bug Fixes + - wait for the workers become available again to continue the execution (#3084) + - fix help text when in a container (#3082) +- updated to 2.1.0 (jsc#SLE-23879) + - Breaking Change: The predicate is now a required flag in the attest commands, set via the --type flag. 
+ - Enhancements + - Verify sigs and attestations in parallel (#3066) + - Deep inspect attestations when filtering download (#3031) + - refactor bundle validation code, add support for DSSE rekor type (#3016) + - Allow overriding remote options (#3049) + - feat: adds no cert found on sig exit code (#3038) + - Make predicate a required flag in attest commands (#3033) + - Added support for attaching Time stamp authority Response in attach command (#3001) + - Add sign --sign-container-identity CLI (#2984) + - Feature: Allow cosign to sign digests before they are uploaded. (#2959) + - accepts attachment-tag-prefix for cosign copy (#3014) + - Feature: adds '--allow-insecure-registry' for cosign load (#3000) + - download attestation: support --platform flag (#2980) + - Cleanup: Add Digest to the SignedEntity interface. (#2960) + - verify command: support keyless verification using only a provided certificate chain with non-fulcio roots (#2845) + - verify: use workers to limit the paralellism when verifying images with --max-workers flag (#3069) + - Bug Fixes + - Fix pkg/cosign/errors (#3050) + - Fix: update doc to refer to github-actions oidc provider (#3040) + - Fix: prefer GitHub OIDC provider if enabled (#3044) + - Fix --sig-only in cosign copy (#3074) + - Documentation + - Fix links to sigstore/docs in markdown files (#3064) + +- update to 2.0.2 (jsc#SLE-23879) + Enhancements + - Update sigstore/sigstore to v1.6.2 to pick up TUF CDN change (#2891) + - feat: Make cosign copy faster (#2901) + - remove sget (#2885) + - Require a payload to be provided with a signature (#2785) + Bug Fixes + - cmd: Change error message from KeyParseError to PubKeyParseError for verify-blob. 
(#2876) + - Use SOURCE_DATE_EPOCH for OCI CreatedAt times (#2878) + Documentation + - Remove experimental warning from Fulcio flags (#2923) + - add missing oidc provider (#2922) + - Add zot as a supported registry (#2920) + - deprecates kms_support docs (#2900) + - chore(docs) deprecate note for usage docs (#2906) + - adds note of deprecation for examples.md docs (#2899) + cppcheck +- add CVE-2023-39070.patch (CVE-2023-39070, bsc#1215233) + crmsh +- Update to version 4.6.0+20231206.a903b854: + * To polish and improve crm report along with PED-5774 (jsc#PED-5774) + * Fix: bootstrap: fix the owner and permission of file authorized_keys (bsc#1217279) + * Fix: prun: should not call user_pair_for_ssh() when target host is localhost (bsc#1217094) + * Fix: utils: Add 'sudo' only when there is a sudoer(bsc#1215549) + csp-billing-adapter +- Update to version 0.8.0: + * Clear billing status with an empty dictionary + +- Update to version 0.7.0: + * Add get version hook spec + csp-billing-adapter-local -- Update to version 0.2.1: - * Bump version: 0.2.0 → 0.2.1 - * Add changelog - * Use date_fmt variable with underscore - * Set date format from core adapter - * Bump version: 0.1.1 → 0.2.0 - * Import format from core adapter - * Bump version: 0.1.0 → 0.1.1 - * Clearer import +- Update to version 0.4.1: + * Edit the build requirement for core adapter module -- Update to 0.2.1 - + Use the same formatter for log file as core adapter - + Add timestamp with the same format as core adapter - + Add reporting time +- Update to version 0.4.0: + * Drop logs for cache and csp-config functions + +- Update to version 0.3.0: + * Add get version hook implementation + +- Update to version 0.2.1 + * Add timestamp with the same format as core adapter +- Update to version 0.2.0 + * Use the same formatter for log file as core adapter +- Update to version 0.1.1 + * Add reporting time to usage data + * Refactor tests csp-billing-adapter-microsoft +- Update to version 0.2.1: + * Get credentials for 
VM + +- Update to version 0.2.0: + * Add get version hook implementation + + +- Update to version 0.1.0~git2.e424147: - * Update changelog for v0.1.1 + * Bump version: 0.0.1 → 0.1.0 + * Update changelog for v0.1.0 -- Update to version 0.1.0 - + Implement plugin metadata functions and unit tests - curl +- Fix: libssh: Implement SFTP packet size limit (bsc#1216987) + * Add curl-libssh_Implement_SFTP_packet_size_limit.patch + deepin-compressor +- Add fix-Zip-Path-Traversal.patch + * Fix Zip Path Traversal (boo#1218428 and CVE-2023-50255) + distribution +- update to 2.8.3 (bsc#1216491): + * Pass `BUILDTAGS` argument to `go build` + * Enable Go build tags + * `reference`: replace deprecated function `SplitHostname` + * Dont parse errors as JSON unless Content-Type is set to JSON + * update to go 1.20.8 + * Set `Content-Type` header in registry client `ReadFrom` + * deprecate reference package, migrate to + github.com/distribution/reference + * `digestset`: deprecate package in favor of `go- + digest/digestset` + * Do not close HTTP request body in HTTP handler + * Add v2.8.3 release notes + entr +- update to 5.5: + * Report correct error if open(3) fails + +- Update to version 5.4 + * 'make test' runs a quick smoketest, 'make check' runs regressions + * Set IN_CLOEXEC only for inotify_init, kqueue uses similar setting by default + * Unconditionally try to set soft file limit to 2^16 on MacOS + * Use non-reentrant calls sparingly in signal handlers + * configure: use TARGET_OS to override the output of uname(1) +- added only basic smoke test + +- Update to version 5.3 + * Symlink changes detected on Linux by setting + 'ENTR_INOTIFY_SYMLINK'. + * Use /dev/null rather then closed pipe for stdin in -r mode. + * Utilize {O,FD}_CLOEXEC flag for unintentional leaks of + descriptors to executed utilities. + * Remove C unit tests. + * Only respond to attribute/inode changes on Linux. +- Drop tests. The new tests do not run within a chroot. 
+ +- Update to version 5.2 + * Update copy of strlcpy(3) for Linux + * Detect file deletion from directories on Linux + * Print the signal that terminated a child when using '-s' + * Return 128+signal that terminated a child when using '-z' + * Ensure terminal settings are reset when '-z' is set + +- Update to version 5.1 + * Detect files moved to or from directories on Linux. + * Allow detection of directory entries beginning with '.' by + specifying '-d' twice. + * Only reset terminal settings in exit handler if settings were + changed. + +- Update to version 5.0 + * Eliminate memory management warnings on Linux. + * EV_TRACE prints file mode and file name. +- Update to version 4.8 + * EV_TRACE also prints file/notify descriptor limit. + * Set 2^16 watches if inotify limits cannot be read. + * Raise an error and suggest '-n' if terminal attributes cannot + be read. + +- Update to version 4.8 + * Set a maximum of 2^19 watches to guard against absurd file + open limits on MacOS. + * Use control sequences to clear the display and specify '-c' + twice to erase the scrollback buffer. 
+ +- update to 4.7: + * Use system file descriptor limits when max_user_watches is not accessible + * Return the exit status of the child process when the '-z' option is used + * Handle SIGHUP so child process are terminated when a terminal is closed + * More accurately return shell exit code using '-s' option + +- Update to version 4.6 + * Always call waitpid(2) to avoid dead processes + * Duplicate STDIN file descriptor before closing; for the '-r' + option + +- Update to version 4.5 + * New '-z' "one-shot" option self-terminates after the utility + exits + * Termination by 'q' or 'SIGINT' results in an exit status of 0 +- Add source verification + +- Update to version 4.4 + * Use a single inotify queue on Linux, limited by + /proc/sys/fs/inotify/max_user_watches + * Set the environment variable `ENTR_INOTIFY_WORKAROUND` to + enable a compatibility mode for platforms with deformed + inotify support + +- Update to version 4.3 + * No functional changes + +- Update to version 4.2 + * New '-a' option enables response to events that occur while the + utility is running + * Correctly report error when a file cannot be reopened +- Includes change from 4.1 + * New '-n' non-interactive option disables keyboard input + * EV_TRACE environment variable enables file system event + tracing. 
+ * Track changes to the inode number as a workaround for missing + delete events on the Linux kernel + freerdp +- Add freerdp-CVE-2023-39350-to-2023-40589.patch + + Multiple CVE fixes + * bsc#1214856, CVE-2023-39350 + * bsc#1214857, CVE-2023-39351 + * bsc#1214858, CVE-2023-39352 + * bsc#1214859, CVE-2023-39353 + * bsc#1214860, CVE-2023-39354 + * bsc#1214862, CVE-2023-39356 + * bsc#1214863, CVE-2023-40181 + * bsc#1214864, CVE-2023-40186 + * bsc#1214866, CVE-2023-40188 + * bsc#1214867, CVE-2023-40567 + * bsc#1214868, CVE-2023-40569 + * bsc#1214869, CVE-2023-40574 + * bsc#1214870, CVE-2023-40575 + * bsc#1214871, CVE-2023-40576 + * bsc#1214872, CVE-2023-40589 + gdal -- Add Conflicts entry between drivers package and old library version - -- Seperate drivers.ini from the library package - -- update to bugfix release version 3.7.1 - * see https://github.com/OSGeo/gdal/blob/v3.7.1/NEWS.md -- update to feature release version 3.7.0 - + see https://github.com/OSGeo/gdal/blob/v3.7.0/NEWS.md -- packaging: - * add new buildrequire pkgconfig(libarchive) - for new /vsi7z/ and /vsirar/ virtual file systems - * handle new delivered files - data/gfs.xsd: XML schema for .gfs files (#6655) - data/gml_registry.xsd: new file with XML schema of - gml_registry.xml (#6716) - data/ogrinfo_output.json.schema: validate ogrinfo -json output - data/gdalinfo_output.schema.json: validate gdalinfo -json - output (fixes #6850) - data/grib2_table_4_2_0_21.csv - data/grib2_table_4_2_2_6.csv - bin/sozip - * spec-cleaner - * remove limitation for python < 3.11 as Factory has 3.11.4 - ghostscript +- CVE-2023-46751.patch is derived for Ghostscript-9.52 from + https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=dcdbc595c13 + (there is no "device initialization redesign" in Ghostscript-9.52) + that fixes CVE-2023-46751 + "dangling pointer in gdev_prn_open_printer_seekable()" + see https://bugs.ghostscript.com/show_bug.cgi?id=707264 + (bsc#1217871) + gimp +- Add gimp-CVE-2023-44442.patch: fix gimp 
file parsing heap-based + buffer overflow (boo#1217161 CVE-2023-44442) +- Add gimp-CVE-2023-44443-44444.patch: fix gimp file parsing Integer + overflow remote code execution vulnerability (boo#1217162 + CVE-2023-44443) fix gimp file parsing Off-By-One remote code + execution vulnerability(boo#1217163 CVE-2023-44444) +- Add gimp-CVE-2023-44441.patch: fix gimp DDS file parsing heap-based + buffer overflow remote code execution vulnerability (boo#1217160 + CVE-2023-44441) + glibc +- aarch64-rawmemchr-unwind.patch: aarch64: correct CFI in rawmemchr + (bsc#1217445, BZ #31113) + +- Remove systemd from shadow and gshadow lookups (bsc#1217220) + glibc:i686 +- aarch64-rawmemchr-unwind.patch: aarch64: correct CFI in rawmemchr + (bsc#1217445, BZ #31113) + +- Remove systemd from shadow and gshadow lookups (bsc#1217220) + glibc:utils +- aarch64-rawmemchr-unwind.patch: aarch64: correct CFI in rawmemchr + (bsc#1217445, BZ #31113) + +- Remove systemd from shadow and gshadow lookups (bsc#1217220) + gnome-screenshot +- Add b60dad3c2536c17bd201f74ad8e40eb74385ed9f.patch: Fix build + with meson 0.60 and newer. +- Replace pkgconfig(appstream-glib) with appstream-glib and + desktop-file-utils BuildRequires, and add a check section and run + meson_test macro, validate metainfo and desktop file during build + via upstream provided automated tests. + gnuhealth-client +- version 4.2.1 + * Various Tryton-patches applied, see Changelog for details + +- Remove %python3_install prefix and root options, that's included in + the macro by default. + gnutls -- FIPS: PBKDF2 additional requirements [bsc#1209001] - * Set the minimum output key length to 112 bits (FIPS 140-3 IG D.N) - * Set the minimum salt length to 128 bits (SP 800-132 sec. 5.1) - * Set the minimum iterations count to 1000 (SP 800-132 sec 5.2) - * Set the minimum passlen of 20 characters (SP SP800-132 sec 5) - * Add regression tests for the new PBKDF2 requirements. 
- * Add gnutls-FIPS-pbkdf2-additional-requirements.patch - -- libgnutls: Increase the limit of TLS PSK usernames from 128 to - 65535 characters. [bsc#1208237, jsc#PED-1562] - * Upstream: https://gitlab.com/gnutls/gnutls/commit/f032324a - * Add gnutls-increase-TLS-PSK-username-limit.patch - -- FIPS: Fix pct_test() return code in case of error [bsc#1207183] - * Rebase with the upstream version: gnutls-FIPS-PCT-DH.patch +- Fix missing GNUTLS_NO_EXTENSIONS compatibility. + * Upstream: gitlab.com/gnutls/gnutls/commit/abfa8634 + * Add gnutls-GNUTLS_NO_EXTENSIONS-compatibility.patch + +- tests: Fix the SRP test that fails with SIGPIPE signal return due + to a socket being closed before using it. + * Add gnutls-srp-test-SIGPIPE.patch + +- Update to version 3.8.1: + * libgnutls: ClientHello extensions are randomized by default + To make fingerprinting harder, TLS extensions in ClientHello + messages are shuffled. As this behavior may cause compatibility + issue with legacy applications that do not accept the last + extension without payload, the behavior can be reverted with the + %NO_SHUFFLE_EXTENSIONS priority keyword. + * libgnutls: Add support for RFC 9258 external PSK importer. + This enables to deploy the same PSK across multiple TLS versions + (TLS 1.2 and TLS 1.3) in a secure manner. To use, the application + needs to set up a callback that formats the PSK identity using + gnutls_psk_format_imported_identity(). + * libgnutls: %GNUTLS_NO_EXTENSIONS has been renamed to + %GNUTLS_NO_DEFAULT_EXTENSIONS. + * libgnutls: Add additional PBKDF limit checks in FIPS mode as + defined in SP 800-132. Minimum salt length is 128 bits and + minimum iterations bound is 1000 for PBKDF in FIPS mode. + * libgnutls: Add a mechanism to control whether to enforce extended + master secret (RFC 7627). FIPS 140-3 mandates the use of TLS + session hash (extended master secret, EMS) in TLS 1.2. 
To enforce + this, a new priority keyword %FORCE_SESSION_HASH is added and if + it is set and EMS is not set, the peer aborts the connection. This + behavior is the default in FIPS mode, though it can be overridden + through the configuration file with the "tls-session-hash" option. + In either case non-EMS PRF is reported as a non-approved operation + through the FIPS service indicator. + * New option --attime to specify current time. + To make testing with different timestamp to the system easier, the + tools doing certificate verification now provide a new option + - -attime, which takes an arbitrary time. + * API and ABI modifications: + gnutls_psk_client_credentials_function3: New typedef + gnutls_psk_server_credentials_function3: New typedef + gnutls_psk_set_server_credentials_function3: New function + gnutls_psk_set_client_credentials_function3: New function + gnutls_psk_format_imported_identity: New function + GNUTLS_PSK_KEY_EXT: New enum member of gnutls_psk_key_flags + * Rebase patches: + - gnutls-FIPS-140-3-references.patch + - gnutls-FIPS-jitterentropy.patch + * Remove patches merged/fixed upstream: + - gnutls-FIPS-PCT-DH.patch + - gnutls-FIPS-PCT-ECDH.patch + +- FIPS: Fix baselibs.conf to mention libgnutls30-hmac [bsc#1211476] + Extend also the checks in gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch + +- FIPS: Skip the fixed HMAC verification for nettle, hogweed and + gmp libraries. These calculated HMACs change for every build of + each of these packages, we only have to verify that for gnutls. + * Add gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch [bsc#1211476] + +- FIPS: Merge libgnutls30-hmac package into the library [bsc#1185116] + +- Disable GNULIB's year2038 also for 32-bit arm - boo#1211394 + +- Temporarily disable GNULIB's year2038 support for 64bit time_t + by using the --disable-year2038 flag. 
This omits support for + timestamps past the year 2038: + * Fixes the public API on 32-bit architectures avoiding to + change the size of time_t as it cannot be changed without + breaking the ABI compatibility. + * Upstream issue: https://gitlab.com/gnutls/gnutls/-/issues/1466 + +- Update to 3.8.0: [bsc#1205763, bsc#1209627] + * libgnutls: Fix a Bleichenbacher oracle in the TLS RSA key + exchange. Reported by Hubert Kario (#1050). Fix developed by + Alexander Sosedkin. [GNUTLS-SA-2020-07-14, CVSS: medium] + [CVE-2023-0361] + * libgnutls: C++ library is now header only. All definitions + from gnutlsxx.c have been moved into gnutlsxx.h. Users of the + C++ interface have two options: + 1. include gnutlsxx.h in their application and link against + the C library. (default) + 2. include gnutlsxx.h in their application, compile with + GNUTLS_GNUTLSXX_NO_HEADERONLY macro defined and link + against the C++ library. + * libgnutls: GNUTLS_NO_STATUS_REQUEST flag and %NO_STATUS_REQUEST + priority modifier have been added to allow disabling of the + status_request TLS extension in the client side. + * libgnutls: TLS heartbeat is disabled by default. + The heartbeat extension in TLS (RFC 6520) is not widely used + given other implementations dropped support for it. To enable + back support for it, supply --enable-heartbeat-support to + configure script. + * libgnutls: SRP authentication is now disabled by default. + It is disabled because the SRP authentication in TLS is not + up to date with the latest TLS standards and its ciphersuites + are based on the CBC mode and SHA-1. To enable it back, supply + - -enable-srp-authentication option to configure script. + * libgnutls: All code has been indented using "indent -ppi1 -linux". + CI/CD has been adjusted to catch regressions. This is implemented + through devel/indent-gnutls, devel/indent-maybe and .gitlab-ci.yml’s + commit-check. You may run devel/indent-gnutls to fix any + indentation issues if you make code modifications. 
+ * guile: Guile-bindings removed. They have been extracted into a + separate project to reduce complexity and to simplify maintenance, + see . + * minitasn1: Upgraded to libtasn1 version 4.19. + * API and ABI modifications: + GNUTLS_NO_STATUS_REQUEST: New flag + GNUTLS_SRTP_AEAD_AES_128_GCM: New gnutls_srtp_profile_t enum member + GNUTLS_SRTP_AEAD_AES_256_GCM: New gnutls_srtp_profile_t enum member + * Merge gnutls-FIPS-Set-error-state-when-jent-init-failed.patch + and gnutls-FIPS-jitterentropy-threadsafe.patch into the main + patch gnutls-FIPS-jitterentropy.patch + * Rebase gnutls-FIPS-140-3-references.patch + * Rebase patches with upstream version: + - gnutls-FIPS-PCT-DH.patch gnutls-FIPS-PCT-ECDH.patch + * Remove patches merged/fixed upstream: + - gnutls-FIPS-disable-failing-tests.patch + - gnutls-verify-library-HMAC.patch + - gnutls_ECDSA_signing.patch + - gnutls-Make-XTS-key-check-failure-not-fatal.patch + - gnutls-FIPS-SLI-pbkdf2-verify-keylengths-only-SHA.patch + * Update keyring with https://gnutls.org/gnutls-release-keyring.gpg -- Security Fix: [bsc#1208143, CVE-2023-0361] - * Bleichenbacher oracle in TLS RSA key exchange - * Add gnutls-CVE-2023-0361.patch +- Update to 3.7.9: [bsc#1208143, CVE-2023-0361] + * libgnutls: Fix a Bleichenbacher oracle in the TLS RSA key + exchange. [GNUTLS-SA-2020-07-14, CVSS: medium][CVE-2023-0361] + * Rebase gnutls-FIPS-140-3-references.patch -- Fix AVX CPU feature detection for OSXSAVE [bsc#1203299] - * Fixes a SIGILL termination at the verzoupper instruction when - trying to run GnuTLS on a Linux kernel with the noxsave command - line parameter set. Relevant mostly for virutal systems. 
- * Upstream bug: https://gitlab.com/gnutls/gnutls/issues/1282 - * Add gnutls-clear-AVX-bits-if-it-cannot-be-queried-XSAVE.patch +- switch to pkgconfig(zlib) so that alternative providers can be + used + +- Verify only the libgnutls library HMAC [bsc#1199881] + * Do not use the brp-50-generate-fips-hmac script as this + is now calculated with the internal fipshmac tool. + * Add gnutls-verify-library-HMAC.patch + +- Temporarily revert the jitterentropy patches in s390 and s390x + architectures until a fix is provided [bsc#1204937] +- Disable flaky test that fails in s390x architecture: + * Add gnutls-disable-flaky-test-dtls-resume.patch + +- Consolidate the FIPS hmac files [bsc#1203245] + * Use the gnutls fipshmac tool instead of the brp-check-suse + and rename it to reflect on the library version. + * Remove not needed gnutls-FIPS-Run-CFB8-without-offset.patch +- Add a gnutls.rpmlintrc file to remove a hidden-file-or-dir false + positive for the FIPS hmac calculation. + +- Update to 3.7.8: + * libgnutls: In FIPS140 mode, RSA signature verification is an + approved operation if the key has modulus with known sizes + (1024, 1280, 1536, and 1792 bits), in addition to any modulus + sizes larger than 2048 bits, according to SP800-131A rev2. + * libgnutls: gnutls_session_channel_binding performs additional + checks when GNUTLS_CB_TLS_EXPORTER is requested. According to + RFC9622 4.2, the "tls-exporter" channel binding is only usable + when the handshake is bound to a unique master secret (i.e., + either TLS 1.3 or extended master secret extension is + negotiated). Otherwise the function now returns error. + * libgnutls: usage of the following functions, which are designed + to loosen restrictions imposed by allowlisting mode of + configuration, has been additionally restricted. 
Invoking + them is now only allowed if system-wide TLS priority string + has not been initialized yet: + - gnutls_digest_set_secure + - gnutls_sign_set_secure + - gnutls_sign_set_secure_for_certs + - gnutls_protocol_set_enabled + * Delete gnutls-3.6.6-set_guile_site_dir.patch and use the + - -with-guile-extension-dir configure option to properly + handle the guile extension directory. + * Rebase gnutls-Make-XTS-key-check-failure-not-fatal.patch + * Update gnutls.keyring + * Add a build depencency on gtk-doc required by autoreconf -- FIPS: Zeroize the calculated hmac and new_hmac in the - check_binary_integrity() function. [bsc#1191021] - * Add gnutls-FIPS-Zeroize-check_binary_integrity.patch +- FIPS: Run the CFB8 cipher selftest without offset [bsc#1203245] + * CFB8 list of ciphers: GNUTLS_CIPHER_AES_{128,192,256}_CFB8 + * Add gnutls-FIPS-Run-CFB8-without-offset.patch + +- provide a libgnutls30-hmac-32bit to avoid uninstallable wine + when pattern-base-fips is installed [boo#1203353] -- Security fix: [bsc#1202020, CVE-2022-2509] - * Fixed double free during verification of pkcs7 signatures - * Add gnutls-CVE-2022-2509.patch - -- FIPS: - * Modify gnutls-FIPS-force-self-test.patch [bsc#1198979] - - gnutls_fips140_run_self_tests now properly releases fips_context +- Update to 3.7.7: [bsc#1202020, CVE-2022-2509] + * libgnutls: Fixed double free during verification of pkcs7 + signatures. CVE-2022-2509 + * libgnutls: gnutls_hkdf_expand now only accepts LENGTH argument + less than or equal to 255 times hash digest size, to comply with + RFC 5869 2.3. + * libgnutls: Length limit for TLS PSK usernames has been increased + from 128 to 65535 characters + * libgnutls: AES-GCM encryption function now limits plaintext + length to 2^39-256 bits, according to SP800-38D 5.2.1.1. + * libgnutls: New block cipher functions have been added to + transparently handle padding. 
gnutls_cipher_encrypt3 and + gnutls_cipher_decrypt3 can be used in combination of + GNUTLS_CIPHER_PADDING_PKCS7 flag to automatically add/remove + padding if the length of the original plaintext is not a multiple + of the block size. + * libgnutls: New function for manual FIPS self-testing. + * API and ABI modifications: + - gnutls_fips140_run_self_tests: New function + - gnutls_cipher_encrypt3: New function + - gnutls_cipher_decrypt3: New function + - gnutls_cipher_padding_flags_t: New enum + * guile: Guile 1.8 is no longer supported + * guile: Session record port treats premature termination as EOF Previously, + a 'gnutls-error' exception with the 'error/premature-termination' value + would be thrown while reading from a session record port when the + underlying session was terminated prematurely. This was inconvenient + since users of the port may not be prepared to handle such an exception. + Reading from the session record port now returns the end-of-file object + instead of throwing an exception, just like it would for a proper + session termination. + * guile: Session record ports can have a 'close' procedure. The + 'session-record-port' procedure now takes an optional second parameter, + and a new 'set-session-record-port-close!' procedure is provided to + specify a 'close' procedure for a session record port. This 'close' + procedure lets users specify cleanup operations for when the port is + closed, such as closing the file descriptor or port that backs the + underlying session. 
+ * Rebase patches: + - gnutls-3.6.6-set_guile_site_dir.patch + - gnutls-FIPS-TLS_KDF_selftest.patch + - gnutls-FIPS-disable-failing-tests.patch + * Remove patch merged upstream: + - gnutls-FIPS-PBKDF2-KAT-requirements.patch + - https://gitlab.com/gnutls/gnutls/merge_requests/1561 - * Add gnutls-FIPS-force-self-test.patch [bsc#1198979] - - Provides interface for running library self tests on-demand - - Upstream: https://gitlab.com/gnutls/gnutls/-/merge_requests/1598 - -- FIPS: Make sure zeroization is performed in all API functions - * Add gnutls-zeroization-API-functions.patch [bsc#1191021] - * Upsream: https://gitlab.com/gnutls/gnutls/-/merge_requests/1573 - -- FIPS: Add missing requirements for the SLI [bsc#1190698] - * Remove 3DES from FIPS approved algorithms: - - gnutls-Remove-3DES-from-FIPS-approved-algos.patch - - Upstream: https://gitlab.com/gnutls/gnutls/-/merge_requests/1570 - * DRBG service (gnutls_rnd) should be considered approved: - - gnutls-Add-missing-FIPS-service-indicator-transitions.patch - - gnutls-Add-missing-FIPS-service-indicator-transitions-tests.patch - - gnutls-pkcs12-tighten-algorithm-checks-under-FIPS.patch - - Upstream: https://gitlab.com/gnutls/gnutls/-/merge_requests/1569 - -- FIPS: Mark AES-GCM as approved in the TLS context [bsc#1194907] - * Add gnutls-FIPS-Mark-HKDF-and-AES-GCM-as-approved-when-used-in-TLS.patch - * Upstream issue: https://gitlab.com/gnutls/gnutls/issues/1311 + +- Update to version 3.7.6: + * libgnutls: Fixed invalid write when gnutls_realloc_zero() is + called with new_size < old_size. This bug caused heap + corruption when gnutls_realloc_zero() has been set as gmp + reallocfunc. + * Remove gnutls-3.7.5-fix-gnutls_realloc_zero.patch: Fixed + upstream. + +- Add gnutls-3.7.5-fix-gnutls_realloc_zero.patch: Fix memory + corruption in gnutls_realloc_zero (gl#gnutls/gnutls#1367, + boo#1199929). 
+ +- update to 3.7.5: + * add options disable session ticket usage in TLS 1.2 because + it does not provide forward secrecy + * For TLS 1.3 where session tickets do provide forward secrecy, + the PFS priority string now only disables session tickets in + TLS 1.2. + * Future backward incompatibility: in the next major release of + GnuTLS those flag and modifier are planned to be removed + * gnutls-cli, gnutls-serv: Channel binding for printing + information has been changed from tls-unique to tls-exporter + as tls-unique is not supported in TLS 1.3. + * Certificate sanity checks has been enhanced to make gnutls + more RFC 5280 compliant: + * Removed 3DES from FIPS approved algorithms + * Optimized support for AES-SIV-CMAC algorithms + * libgnutls: HKDF and AES-GCM algorithms are now approved in + FIPS-140 mode when used in TLS + +- disable kcapi usage for now, as kernel-obs-build not adjusted + to contain the algorithms. bsc#1189283 - * Upstream: https://gitlab.com/gnutls/gnutls/merge_requests/1561 +- Update to 3.7.4: + * libgnutls: Added support for certificate compression as defined + in RFC8879. + * certtool: Added option --compress-cert that allows user to + specify compression methods for certificate compression. + * libgnutls: GnuTLS can now be compiled with --enable-strict-x509 + configure option to enforce stricter certificate sanity checks + that are compliant with RFC5280. + * libgnutls: Removed IA5String type from DirectoryString within + issuer and subject name to make DirectoryString RFC5280 compliant. + * libgnutls: Added function to retrieve the name of current + ciphersuite from session. 
+ * Bump libgnutlsxx soname due to ABI break + * API and ABI modifications: + - GNUTLS_COMP_BROTLI: New gnutls_compression_method_t enum member + - GNUTLS_COMP_ZSTD: New gnutls_compression_method_t enum member + - gnutls_compress_certificate_get_selected_method: Added + - gnutls_compress_certificate_set_methods: Added + * Update gnutls.keyring + +- build with lto +- build with -Wl,-z,now -Wl,-z,relro +- build without -fanalyzer, which cuts build time in ~ half + - - gnutls-3.6.0-disable-flaky-dtls_resume-test.patch -- Add crypto-policies support in SLE-15-SP4 [jsc#SLE-20287] - -- Account for the libnettle soname bump [jsc#SLE-19765] +- Add crypto-policies support for Leap and SLE 15.4 [jsc#SLE-20287] +- Add DANE guards -- Update to 3.7.2 in SLE-15-SP4: [jsc#SLE-19765, jsc#SLE-18139] - - Add gnutls-temporarily_disable_broken_guile_reauth_test.patch - - Rebased patches: - * disable-psk-file-test.patch - * gnutls-3.6.0-disable-flaky-dtls_resume-test.patch - * gnutls-fips_mode_enabled.patch - - Remove patches merged upstream: - * gnutls-CVE-2020-11501.patch - * gnutls-CVE-2020-13777.patch - * gnutls-CVE-2020-24659.patch - * gnutls-CVE-2021-20231.patch - * gnutls-CVE-2021-20232.patch - * gnutls-3.6.7-fips-backport_dont_truncate_output_IV.patch - * gnutls-fips_XTS_key_check.patch - * 0001-_gnutls_verify_crt_status-apply-algorithm-checks-to-.patch - * 0002-_gnutls_pkcs11_verify_crt_status-check-validity-agai.patch - * 0003-x509-trigger-fallback-verification-path-when-cert-is.patch - * 0004-tests-add-test-case-for-certificate-chain-supersedin.patch - * 0001-Add-Full-Public-Key-Check-for-DH.patch - * 0001-Add-test-to-ensure-DH-exchange-behaves-correctly.patch - * 0002-Add-test-to-ensure-ECDH-exchange-behaves-correctly.patch - * 0003-Add-plumbing-to-handle-Q-parameter-in-DH-exchanges.patch - * 0004-Always-pass-in-and-check-Q-in-TLS-1.3.patch - * 0005-Check-Q-for-FFDHE-primes-in-prime-check.patch - * 0006-Pass-down-Q-for-FFDHE-in-al-pre-TLS1.3-as-well.patch - * 
0001-dh-primes-add-MODP-primes-from-RFC-3526.patch - * 0002-dhe-check-if-DH-params-in-SKE-match-the-FIPS-approve.patch - * 0001-dh-check-validity-of-Z-before-export.patch - * 0002-ecdh-check-validity-of-P-before-export.patch - * 0003-dh-primes-make-the-FIPS-approved-check-return-Q-valu.patch - * 0004-dh-perform-SP800-56A-rev3-full-pubkey-validation-on-.patch - * 0005-ecdh-perform-SP800-56A-rev3-full-pubkey-validation-o.patch - * 0001-Vendor-in-XTS-functionality-from-Nettle.patch - * 0001-pubkey-avoid-spurious-audit-messages-from-_gnutls_pu.patch - * gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch - * gnutls-3.6.7-fix-FTBFS-2024.patch - * gnutls-3.6.7-reproducible-date.patch +- Remove gnutls-temporarily_disable_broken_guile_reauth_test.patch + since its already working. -- Add gnutls-3.6.7-fix-FTBFS-2024.patch to let tests pass after 2024 (boo#1186579) -- Add gnutls-3.6.7-reproducible-date.patch to override build date (boo#1047218) +- Rework the crypto-policies dependencies in libraries [bsc#1186385] + +- Compute the FIPS hmac file without re-defining the + __os_install_post macro, use the brp-50-generate-fips-hmac + script instead. [bsc#1184555] -- Security fix: [bsc#1183456, CVE-2021-20232] - * A use after free issue in client_send_params - in lib/ext/pre_shared_key.c may lead to memory - corruption and other potential consequences. -- Add gnutls-CVE-2021-20232.patch - -- Security fix: [bsc#1183457, CVE-2021-20231] - * A use after free issue in client sending key_share extension - may lead to memory corruption and other consequences. -- Add gnutls-CVE-2021-20231.patch +- Require the main package in devel and lib packages as the default + priorities are now set via crypto-policies. 
[bsc#1183082] - verification + verification +- Add version guards for the crypto-policies package -- Avoid spurious audit messages about incompatible signature algorithms - (bsc#1172695) - * add 0001-pubkey-avoid-spurious-audit-messages-from-_gnutls_pu.patch +- Require the crypto-policies package [bsc#1180051] -- FIPS: Use 2048 bit prime in DH selftest (bsc#1176086) - * add gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch -- FIPS: Add TLS KDF selftest (bsc#1176671) - * add gnutls-FIPS-TLS_KDF_selftest.patch - -- Escape rpm command %%expand when used in comment. +- Use the centralized crypto policy profile (jsc#SLE-15832) - -- Fix heap buffer overflow in handshake with no_renegotiation alert sent - * CVE-2020-24659 (bsc#1176181) -- add gnutls-CVE-2020-24659.patch - -- FIPS: Implement (EC)DH requirements from SP800-56Arev3 (bsc#1176086) -- add patches - * 0001-Add-Full-Public-Key-Check-for-DH.patch - * 0001-Add-test-to-ensure-DH-exchange-behaves-correctly.patch - * 0002-Add-test-to-ensure-ECDH-exchange-behaves-correctly.patch - * 0003-Add-plumbing-to-handle-Q-parameter-in-DH-exchanges.patch - * 0004-Always-pass-in-and-check-Q-in-TLS-1.3.patch - * 0005-Check-Q-for-FFDHE-primes-in-prime-check.patch - * 0006-Pass-down-Q-for-FFDHE-in-al-pre-TLS1.3-as-well.patch - * 0001-dh-primes-add-MODP-primes-from-RFC-3526.patch - * 0002-dhe-check-if-DH-params-in-SKE-match-the-FIPS-approve.patch - * 0001-dh-check-validity-of-Z-before-export.patch - * 0002-ecdh-check-validity-of-P-before-export.patch - * 0003-dh-primes-make-the-FIPS-approved-check-return-Q-valu.patch - * 0004-dh-perform-SP800-56A-rev3-full-pubkey-validation-on-.patch - * 0005-ecdh-perform-SP800-56A-rev3-full-pubkey-validation-o.patch -- drop obsolete gnutls-3.6.7-fips_DH_ECDH_key_tests.patch +- Escape rpm command %%expand when used in comment. 
-- GNUTLS-SA-2020-06-03 (Fixed insecure session ticket key construction) - The TLS server would not bind the session ticket encryption key with a - value supplied by the application until the initial key rotation, allowing - attacker to bypass authentication in TLS 1.3 and recover previous - conversations in TLS 1.2 (#1011). (bsc#1172506, CVE-2020-13777) - * add patches: - + gnutls-CVE-2020-13777.patch -- Fixed handling of certificate chain with cross-signed intermediate - CA certificates (#1008). (bsc#1172461) - * add patches: - + 0001-_gnutls_verify_crt_status-apply-algorithm-checks-to-.patch - + 0002-_gnutls_pkcs11_verify_crt_status-check-validity-agai.patch - + 0003-x509-trigger-fallback-verification-path-when-cert-is.patch - + 0004-tests-add-test-case-for-certificate-chain-supersedin.patch - -- Add RSA 4096 key generation support in FIPS mode (bsc#1171422) - * add gnutls-3.6.7-fips-rsa-4096.patch - -- Don't check for /etc/system-fips which we don't have (bsc#1169992) - * add gnutls-fips_mode_enabled.patch - -- Backport AES XTS support (bsc#1168835) - * add 0001-Vendor-in-XTS-functionality-from-Nettle.patch - * add gnutls-fips_XTS_key_check.patch - - * libgnutls: Fix a DTLS-protocol regression (caused by TLS1.3 support) + * libgnutls: Fix a DTLS-protocol regression (caused by TLS1.3 + support) -- Fix zero random value in DTLS client hello - (CVE-2020-11501, bsc#1168345) - * add gnutls-CVE-2020-11501.patch - - * update baselibs.conf - -- bsc#1166881 - FIPS: gnutls: cfb8 decryption issue - * No longer truncate output IV if input is shorter than block size. - * Added gnutls-3.6.7-fips-backport_dont_truncate_output_IV.patch - -- bsc#1155327 jira#SLE-9518 - FIPS: add DH key test - * Added Diffie Hellman public key verification test. 
- * gnutls-3.6.7-fips_DH_ECDH_key_tests.patch -- Explicitly require libnettle 3.4.1 (bsc#1134856) - * The RSA decryption code was rewritten in GnuTLS 3.6.5 in order - to fix CVE-2018-16868, the new implementation makes use of a new - rsa_sec_decrypt() function introduced in libnettle 3.4.1 - * libnettle was recently updated to the 3.4.1 version but we need - to add explicit dependency on it to prevent missing symbol errors - with the older versions - -- Restored autoreconf in build. -- Removed gnutls-3.6.6-SUSE_SLE15_congruent_version_requirements.patch - since the version requirements of required libraries are once again - automatically determined. -- Added gnutls-3.6.7-SUSE_SLE15_guile_site_directory.patch because it is a - better patch name for handling the '--with-guile-site-dir=' problem in - 3.6.7. - -- Disabled dane support since dane is not shipped with SLE-15 +- Disabled dane support in SLE since dane is not shipped there - option '--with-guile-site-dir=' was removed from the configure script in 3.6.7. - * * Modified gnutls-3.6.6-SUSE_SLE15_congruent_version_requirements.patch + option '--with-guile-site-dir=' was removed from the configure script. + * * Added gnutls-3.6.6-set_guile_site_dir.patch -- Fixed Bleichenbacher-like side channel leakage in PKCS#1 v1.5 verification - and padding oracle verification (in 3.6.5) [bsc#1118087] (CVE-2018-16868) -- FATE#327114 - Update gnutls to 3.6.6 to support TLS 1.3 +- Update to 3.6.6 - * Removed patches: - 0001-dummy_wait-correctly-account-the-length-field-in-SHA.patch - 0002-dummy_wait-always-hash-the-same-amount-of-blocks-tha.patch - 0003-cbc_mac_verify-require-minimum-padding-under-SSL3.0.patch - 0004-hmac-sha384-and-sha256-ciphersuites-were-removed-fro.patch - * Added Patches: - * * disable failing psk-file test (race condition): - disable-psk-file-test.patch - * * Patch configure script to accept specific versions of autotools and guile - that are present in SUSE-SLE15. 
(A bug prevents configure from accepting - a range of compatible versions. Upstream's solution is to hardwire for - the most current versions.) - gnutls-3.6.6-SUSE_SLE15_congruent_version_requirements.patch - * Modified: - * * gnutls-3.6.0-disable-flaky-dtls_resume-test.patch -- Security update - Improve mitigations against Lucky 13 class of attacks - * "Just in Time" PRIME + PROBE cache-based side channel attack - can lead to plaintext recovery (CVE-2018-10846, bsc#1105460) - * HMAC-SHA-384 vulnerable to Lucky thirteen attack due to use of - wrong constant (CVE-2018-10845, bsc#1105459) - * HMAC-SHA-256 vulnerable to Lucky thirteen attack due to not - enough dummy function calls (CVE-2018-10844, bsc#1105437) - * add patches: - 0001-dummy_wait-correctly-account-the-length-field-in-SHA.patch - 0002-dummy_wait-always-hash-the-same-amount-of-blocks-tha.patch - 0003-cbc_mac_verify-require-minimum-padding-under-SSL3.0.patch - 0004-hmac-sha384-and-sha256-ciphersuites-were-removed-fro.patch - google-guest-agent +- Update to version 20231031.01 (bsc#1216547, bsc#1216751) + * Add prefix to scheduler logs (#325) +- from version 20231030.00 + * Test configuration files are loaded in the documented + order. Fix initial integration test. 
(#324) + * Enable mTLS by default (#323) +- from version 20231026.00 + * Rotate MDS root certificate (#322) +- from version 20231020.00 + * Update response struct, add tests (#315) + * Don't try to schedule mTLS job twice (#317) +- from version 20231019.00 + * snapshot: Add context cancellation handling (#318) + +- Bump the golang compiler version to 1.21 (bsc#1216546) + +- Update to version 20231016.00 + * instance setup: trust/rely on metadata package's retry (#316) +- from version 20231013.01 + * Update known cert dirs for updaters (#314) +- from version 20231011.00 + * Verify cert refresher is enabled before running (#312) +- from version 20231009.00 + * Add support for the SSH key options (#296) +- from version 20231006.01 + * Events interface improvement (#290) +- from version 20231006.00 + * Refactor script runner to use common metadata package (#311) + * Schedule MTLS job before notifying systemd (#310) + * Refactor authorized keys to use metadata package (#300) +- from version 20231005.00 + * docs update: add configuration and event manager's docs. 
(#309) +- from version 20231004.01 + * Fix license header (#301) + * packaging(deb): add epoch to oslogin dep declaration (#308) +- from version 20231004.00 + * packaging(deb): ignore suffix of version (#306) + * packaging: force epoch and ignore suffix of version (#305) +- from version 20231003.01 + * oslogin: declare explicitly dependency (#304) + * oslogin: remove Unstable.pamless_auth_stack feature flag (#303) +- from version 20231003.00 + * oslogin: resort ssh configuration keys (#299) +- from version 20230925.00 + * oslogin: introduce a feature flag to cert auth (#298) +- from version 20230923.00 + * gitignore: unify ignore in the root dir (#297) +- from version 20230921.01 + * managers: we accidentally disabled addressMgr, bring it back (#295) + * cfg: fix typos (#294) + * cfg: config typos (#293) + * cfg: introduce a configuration management package (#288) +- from version 20230921.00 + * mtls: bring it back (#292) +- from version 20230920.01 + * Fix permissions on file created by SaferWriteFile() (#291) +- from version 20230920.00 + * sshca: re-enable the event watcher & handler (#289) +- from version 20230919.01 + * oslogin: add PAMless Authorization Stack configuration (#285) +- from version 20230919.00 + * Preparing it for review (#287) + * sshca: make sure to restore SELinux context of the pipe (#286) + * remove deprecated usage, fix warnings (#282) + * Update system store (#278) + * Update workload certificate endpoints, use metadata package (#275) + * metadata: use url package to form metadata URLs (#284) +- from version 20230913.00 + * release prep: disable ssh trusted ca module (#281) +- from version 20230912.00 + * New Guest Agent Release (#280) +- from version 20230909.00 + * Revert "service: remove the use of the service library (#273)" (#276) + * service: remove the use of the service library (#273) +- from version 20230906.01 + * Store keys to machine keyset (#272) +- from version 20230905.00 + * restorecon: first try to determine if it's 
installed (#271) + * run: change all commands to use CommandContext (#268) + * Notify systemd after scheduling required jobs (#270) + * Store certs in ProgramData instead of Program Files (#269) + * metadata watcher: remove local retry & implement unit tests (#267) + * run: split command running utilities into its own package (#265) + +- Update to version 20230828.00 + * snapshot: Use main context rather than create its own (#266) +- from version 20230825.01 + * Verify if cert was successfully added to certpool (#264) +- from version 20230825.00 + * Find previous cert for cleanup using one stored on disk (#263) +- from version 20230823.00 + * Revert "sshtrustedca: configure selinux context + for sshtrustedca pipe (#256)" (#262) + * Update credentials directory on Linux (#260) +- from version 20230821.00 + * Update owners (#261) +- from version 20230819.00 + * Revert "guest-agent: prepare for public release (#258)" (#259) +- from version 20230817.00 + * guest-agent: prepare for public release (#258) +- from version 20230816.01 + * Enable telemetry collection by default (#253) +- from version 20230816.00 + * Add pkcs12 license and update retry logic (#257) + * sshtrustedca: Configure selinux context for sshtrustedca pipe (#256) + * Store windows certs in certstore (#255) + * events: Multiplex event watchers (#250) + * Scheduler fixes (#254) + * Update license files (#251) + * Run telemetry every 24 hours, record pretty name on linux (#248) + +- Update to version 20230811.00 + * sshca: move the event handler to its own package (#247) +- from version 20230809.02 + * Move scheduler package to google_guest_agent (#249) +- from version 20230809.01 + * Add scheduler utility to run jobs at interval (#244) +- from version 20230809.00 + * sshca: transform the format from json to openssh (#246) +- from version 20230803.00 + * Add support for reading UEFI variables on windows (#243) +- from version 20230801.03 + * sshtrustedca watcher: fix concurrency error (#242) +- from 
version 20230801.02 + * metadata: add a delta between http client timeout and hang (#241) +- from version 20230801.00 + * metadata: properly set request config (#240) + * main: bring back the mds client initialization (#239) + * metadata: don't try to use metadata before agentInit() is done (#238) + * Add (disabled) telemetry logic to GuestAgent (#219) + * metadata event handler: updates and bug fixes (#235) + * Verify client credentials are signed by root CA before writing on disk (#236) + * metadata: properly handle context cancelation (#234) + * metadata: fix context cancelation error check (#233) + * metadata: remove the sleep around metadata in instance setup (#232) + * metadata: implement backoff strategy (#231) + * Decrypt and store client credentials on disk (#230) + * Upgrade Go version 1.20 (#228) + * Fetch guest credentials and add MDS response proto (#226) + * metadata: pass main context to WriteGuestAttributes() (#227) + * Support for reading & writing Root CA cert from UEFI variable (#225) + * ssh_trusted_ca: enable the feature (#224) + * sshTrustedCA: add pipe event handler (#222) + * events: start using events layer (#223) +- from version 20230726.00 + * events: introducing a events handling subsystem (#221) +- from version 20230725.00 + * metadata: add metadata client interface (#220) +- from version 20230711.00 + * metadata: moving to its own package (#218) +- from version 20230707.00 + * snapshot: fix request handling error (#217) +- Bump Go API version to 1.20 + google-guest-oslogin +- Update to version 20231101.00 (bsc#1216548, bsc#1216750) + * Fix HTTP calls retry logic (#117) + +- Update to version 20231004 + * packaging: Make the dependency explicit (#120) + +- update to 20230926.00: + * fix suse build + * selinux: fix selinux build (#114) + * test: align CXX Flags + * sshca: Make the implementation more C++ like + * sshca: Add a SysLog wrapper + * oslogin_utils: introduce AuthorizeUser() API + * sshca: move it out of pam dir + * pam: start 
disabling the use of oslogin_sshca + * sshca: consider sshca API to assume a cert only + * authorized principals: introduce the new command + * authorize keys: update to use new APIs + * pam modules: remove pam_*_admin and update pam_*_login + * cache_refresh: should be catching by reference. + +- Update to version 20230823.00 + * selinux: Add sshd_key_t type enforcement to trusted user ca (#113) +- from version 20230822.00 + * sshca: Add tests with fingerprint and multiple extensions (#111) +- from version 20230821.01 + * sshca: Support method token and handle multi line (#109) +- from version 20230821.00 + * Update owners (#110) + +- Update to version 20230808.00 + * byoid: extract and apply the ca fingerprint to policy call (#106) + +- Update to version 20230502.00 + * Improve the URL in 2fa prompt (#104) +- from version 20230406.02 + * Check open files (#101) +- from version 20230406.01 + * Initialize variables (#100) + * Fix formatting (#102) +- from version 20230406.00 + * PAM cleanup: remove duplicates (#97) +- from version 20230405.00 + * NSS cleanup (#98) +- from version 20230403.01 + * Cleanup Makefiles (#95) +- from version 20230403.00 + * Add anandadalton to the owners list (#96) + +- Update to version 20230217.00 + * Update OWNERS (#91) +- from version 20230202.00 + * Update owners file (#89) + google-noto-sans-cjk-fonts +- use synthetic version 20201202.2.2004, as maintenance updates cannot + do version downgrades. 
+ +feat!: rename noto-*-cjk-fonts -> google-noto-*-cjk-fonts +- The Noto Coloremoji fonts have already been renamed by now +- The other Noto fonts will be renamed once upstream finishes migrating them to the new website + * https://github.com/notofonts/notofonts.github.io + fix: move zh_MO obsoletes and provides to Hong Kong TC fonts +- Macau is physically and culturally closer to Hong Kong than Taiwan + fix: summary and description for Hong Kong TC fonts + +- Move google-noto-serif-cjk-fonts into its own repository again + +- Update version to 2.004 +- Follow upstream versioning: use version numbers instead of dates + +- Fix the source URL to be properly downloadable + +- Update version to 2.002(20201202) + * The copyright year was changed from “2014–2019” to “2014–2020.” + * Addressed Issue #207 including glyph changes to U+4E08 and U+5C83. + Extension G encodings were added for U+30729, U+30EDD, U+30EDE, + and U+3106C and the previous GSUB rules were removed. + * Updated Korean glyph for U+58C4 as reported in Source Han Serif Issue #87 + * Addressed Issue #204 for U+50E7, U+89E6, U+8FD0, U+9EA4, U+25C4A + * Mapped HK U+5C13 尓 to JP glyph + * Fixed U+21B9 as reported in Issue #260 + * Changed Korean mapping for U+51A4 as reported in Issue #202 + * The weights for Kanbun glyphs U+3191–U+319F have been adjusted + as mentioned in the table at the beginning of Issue #205. + * Fixed Korean IVS mapping for U+8ACB as reported in Issue #276 +- Fix descriptions for *-full packages + +- Update version to 2.001(20190410) + * A second flavor of Traditional Chinese, for Hong Kong and supporting the + HKSCS-2016 standard, was add- ed, which increased the total number of font + resources by 16, from 72 to 88. + * 155 new mappings have been added to the CMap resources. 66 are from BMP code + points, 22 are from Plane 1 code points, and the remaining 67 are from + Plane 2 code points. 
Among the 67 new Plane 2 code points, 57 are from + Extension B, two are from Extension C, three are from Extension E, and the + remaining five are from Extension F. + * As a result of removing approximately 1,750 glyphs in order to make room for + approximately 1,750 new glyphs, the CID assignments of the glyphs + necessarily—and drastically—changed. The CID assignments of exactly 200 + glyphs are unchanged from Version 1.004: 0–107, 2570–2633, 47223–47232, + 47262–47272, 47281–47286, and 65484. + * The Traditional Chinese form of the Radical #162 辶 component was improved. + * The URO is complete up through U+9FEF (Unicode Version 11.0). + * The glyphs for some of the kana were tweaked. + * The glyphs and support for bopomofo, along with their tone marks, were + improved. This involved adding the 'GDEF' (Glyph Definition) table, the + 'mark' (Mark Positioning) GPOS feature, and the 'ruby' (Ruby Nota- tion + Forms) GSUB feature. + * The language and script declarations in the 'locl' and 'vert' GSUB features + were improved. + * The 13-page glyph synopsis PDFs for the 500 pre-composed high-frequency + hangul syllables have been incorporated into the Unicode-base glyph synopsis + PDFs, and are bookmarked under the “Korean” book- mark. + * Placeholder glyphs for U+32FF, uni32FF (CID+2184) and uni32FF-V (CID+65359), + are included. This character has been reserved for the two-ideograph square + ligature that represents the name of Japan’s forthcoming new era which + starts on 2019-05-01, and will be the only character added in Unicode + Version 12.1. + * Like Source Han Serif, the CIDFont and CMap resources do not include XUID + arrays. + * Like Source Han Serif, there are no mappings for the range U+0000 through + U+001F. + * Like Source Han Serif, the code points that correspond to Halfwidth Jamo + variants map to glyphs that cor- respond to code points in the Hangul + Compatibility Jamo block. In other words, the glyphs for half-width jamo + have been removed. 
+ * Like Source Han Serif, the 'name' table does not includes any Macintosh + (PlatformID=1) strings. + * Like Source Han Serif, the Regular weight is now style-linked to the Bold + weight. This means that the Bold weight may not appear in the font menu, + particularly when using applications that support style-linking as a way to + make text bold. + * Like Source Han Serif, the 'vert' GPOS feature is included. + * Like Source Han Serif, the deprecated 'hngl' (Hangul) GSUB feature is not + included in the Korean fonts and font instances. +- Split HongKong Fonts for NotoSans. + google-noto-serif-cjk-fonts +- use 20201202.2.002 to still have linear increase in versions + +feat!: rename noto-*-cjk-fonts -> google-noto-*-cjk-fonts +- The Noto Coloremoji fonts have already been renamed by now +- The other Noto fonts will be renamed once upstream finishes migrating them to the new website + * https://github.com/notofonts/notofonts.github.io + fix: move zh_MO obsoletes and provides to Hong Kong TC fonts +- Macau is physically and culturally closer to Hong Kong than Taiwan + +- Move google-noto-serif-cjk-fonts into its own repository again + +- Update version to 2.001 +- Follow upstream versioning: use version numbers instead of dates + +- Fix the source URL to be properly downloadable + +- Update version to 2.002(20201202) + * The copyright year was changed from “2014–2019” to “2014–2020.” + * Addressed Issue #207 including glyph changes to U+4E08 and U+5C83. + Extension G encodings were added for U+30729, U+30EDD, U+30EDE, + and U+3106C and the previous GSUB rules were removed. 
+ * Updated Korean glyph for U+58C4 as reported in Source Han Serif Issue #87 + * Addressed Issue #204 for U+50E7, U+89E6, U+8FD0, U+9EA4, U+25C4A + * Mapped HK U+5C13 尓 to JP glyph + * Fixed U+21B9 as reported in Issue #260 + * Changed Korean mapping for U+51A4 as reported in Issue #202 + * The weights for Kanbun glyphs U+3191–U+319F have been adjusted + as mentioned in the table at the beginning of Issue #205. + * Fixed Korean IVS mapping for U+8ACB as reported in Issue #276 + +- Update version to 2.001(20190410) + * A second flavor of Traditional Chinese, for Hong Kong and supporting the + HKSCS-2016 standard, was add- ed, which increased the total number of font + resources by 16, from 72 to 88. + * 155 new mappings have been added to the CMap resources. 66 are from BMP code + points, 22 are from Plane 1 code points, and the remaining 67 are from + Plane 2 code points. Among the 67 new Plane 2 code points, 57 are from + Extension B, two are from Extension C, three are from Extension E, and the + remaining five are from Extension F. + * As a result of removing approximately 1,750 glyphs in order to make room for + approximately 1,750 new glyphs, the CID assignments of the glyphs + necessarily—and drastically—changed. The CID assignments of exactly 200 + glyphs are unchanged from Version 1.004: 0–107, 2570–2633, 47223–47232, + 47262–47272, 47281–47286, and 65484. + * The Traditional Chinese form of the Radical #162 辶 component was improved. + * The URO is complete up through U+9FEF (Unicode Version 11.0). + * The glyphs for some of the kana were tweaked. + * The glyphs and support for bopomofo, along with their tone marks, were + improved. This involved adding the 'GDEF' (Glyph Definition) table, the + 'mark' (Mark Positioning) GPOS feature, and the 'ruby' (Ruby Nota- tion + Forms) GSUB feature. + * The language and script declarations in the 'locl' and 'vert' GSUB features + were improved. 
+ * The 13-page glyph synopsis PDFs for the 500 pre-composed high-frequency + hangul syllables have been incorporated into the Unicode-base glyph synopsis + PDFs, and are bookmarked under the “Korean” book- mark. + * Placeholder glyphs for U+32FF, uni32FF (CID+2184) and uni32FF-V (CID+65359), + are included. This character has been reserved for the two-ideograph square + ligature that represents the name of Japan’s forthcoming new era which + starts on 2019-05-01, and will be the only character added in Unicode + Version 12.1. + * Like Source Han Serif, the CIDFont and CMap resources do not include XUID + arrays. + * Like Source Han Serif, there are no mappings for the range U+0000 through + U+001F. + * Like Source Han Serif, the code points that correspond to Halfwidth Jamo + variants map to glyphs that cor- respond to code points in the Hangul + Compatibility Jamo block. In other words, the glyphs for half-width jamo + have been removed. + * Like Source Han Serif, the 'name' table does not includes any Macintosh + (PlatformID=1) strings. + * Like Source Han Serif, the Regular weight is now style-linked to the Bold + weight. This means that the Bold weight may not appear in the font menu, + particularly when using applications that support style-linking as a way to + make text bold. + * Like Source Han Serif, the 'vert' GPOS feature is included. + * Like Source Han Serif, the deprecated 'hngl' (Hangul) GSUB feature is not + included in the Korean fonts and font instances. +- Split HongKong Fonts for NotoSans. + gpg2 -- Security fix [CVE-2022-34903, bsc#1201225] - - Vulnerable to status injection - - Added patch gnupg-CVE-2022-34903.patch - -- gnupg-detect_FIPS_mode.patch: use AES as default cipher instead - of 3DES if we are in FIPS mode. 
(bsc#1196125) - -- Update gpg2 for SLE15-SP3 [jsc#SLE-17559, bsc#1182572] -- Remove patches fixed upstream: - * gnupg-gpg-agent-ssh-agent.patch - * gnupg-2.2.22-fix-segv-import-keys.patch - * gnupg-Allow-redirection-from-https-to-http-for-CRLs.patch - * gnupg-CRL-fetching-via-https.patch - * gnupg-CVE-2018-1000858.patch - * gnupg-CVE-2018-12020.patch - * gnupg-CVE-2019-13050_0_of_5.patch - * gnupg-CVE-2019-13050_1_of_5.patch - * gnupg-CVE-2019-13050_2_of_5.patch - * gnupg-CVE-2019-13050_3_of_5.patch - * gnupg-CVE-2019-13050_4_of_5.patch - * gnupg-CVE-2019-13050_5_of_5.patch - * gnupg-CVE-2019-14855.patch -- Update gpg2.keyring +- Fix the build in SLE and Leap by adding an exclude in the files + section for the dirmngr's systemd user units. [jsc#PED-7093] + +- Do not pull revision info from GIT when autoconf is run. This + removes the -unknown suffix after the version number. + * Add gnupg-nobetasuffix.patch [bsc#1216334] + +- Fix Emacs EasyPG behavior when parsing output: + * gpg: Report BEGIN_* status before examining the input. + * Upstream task: https://dev.gnupg.org/T6481 + * Add gnupg-Report-BEGIN_-status-before-examining-the-input.patch + +- Install the internal executables in the /usr/libexec dir instead + of /usr/lib64. These files are keyboxd, scdaemon, gpg-auth + gpg-check-pattern, gpg-pair-tool, gpg-preset-passphrase, + gpg-protect-tool, gpg-wks-client, dirmngr_ldap and tpm2daemon. + +- Provide the systemd-user files since they have been removed + upstream since version 2.4.1. [bsc#1201564] + * Add gpg2-systemd-user.tar.xz + +- Install the systemd user units in the _userunitdir [bsc#1201564] + * Note that, there is no activation by default. + * Rework excludes in the spec's files section. + +- Revert back to use the IBM TPM Software stack. + +- Update to 2.4.3: + * gpg: Set default expiration date to 3 years. [T2701] + * gpg: Add --list-filter properties "key_expires" and + "key_expires_d". 
[T6529] + * gpg: Emit status line and proper diagnostics for write errors. [T6528] + * gpg: Make progress work for large files on Windows. [T6534] + * gpg: New option --no-compress as alias for -z0. + * gpgsm: Print PROGRESS status lines. Add new --input-size-hint. [T6534] + * gpgsm: Support SENDCERT_SKI for --call-dirmngr. [rG701a8b30f0] + * gpgsm: Major rewrite of the PKCS#12 parser. [T6536] + * gpgtar: New option --no-compress. + * dirmngr: Extend the AD_QUERY command. [rG207c99567c] + * dirmngr: Disable the HTTP redirect rewriting. [T6477] + * dirmngr: New option --compatibility-flags. [rGbf04b07327] + * dirmngr: New option --ignore-crl-extensions. [T6545] + * wkd: Use export-clean for gpg-wks-client's --mirror and --create + commands. [rG2c7f7a5a27] + * wkd: Make --add-revocs the default in gpg-wks-client. New option + - -no-add-revocs. [rG10c937ee68] + * scd: Make signing work for Nexus cards. [rGb83d86b988] + * scd: Fix authentication with Administration Key for PIV. [rG25b59cf6ce] + +- Update to 2.4.2: + * gpg: Print a warning if no more encryption subkeys are left over + after changing the expiration date. [rGef2c3d50fa] + * gpg: Fix searching for the ADSK key when adding an ADSK. [T6504] + * gpgsm: Speed up key listings on Windows. [rG08ff55bd44] + * gpgsm: Reduce the number of "failed to open policy file" + diagnostics. [rG68613a6a9d] + * agent: Make updating of private key files more robust and track + display S/N. [T6135] + * keyboxd: Avoid longish delays on Windows when listing keys. + [rG6944aefa3c] + * gpgtar: Emit extra status lines to help GPGME. [T6497] + * w32: Avoid using the VirtualStore. [T6403] + * Rebase gnupg-add_legacy_FIPS_mode_option.patch + +- Update to 2.4.1: + * If the ~/.gnupg directory does not exist, the keyboxd is now + automagically enabled. [rGd9e7488b17] + * gpg: New option --add-desig-revoker. [rG3d094e2bcf] + * gpg: New option --assert-signer. [rGc9e95b8dee] + * gpg: New command --quick-add-adsk and other ADSK features. 
+ [T6395, https://gnupg.org/blog/20230321-adsk.html] + * gpg: New list-option "show-unusable-sigs". Also show "[self-signature]" + instead of the user-id in key signature listings. [rG103acfe9ca] + * gpg: For symmetric encryption the default S2K hash is now SHA256. [T6367] + * gpg: Detect already compressed data also when using a pipe. Also + detect JPEG and PNG file formats. [T6332] + * gpg: New subcommand "openpgp" for --card-edit. [T6462] + * gpgsm: Verification of detached signatures does now strip trailing + zeroes from the input if --assume-binary is used. [rG2a13f7f9dc] + * gpgsm: Non-armored detached signature are now created without + using indefinite form length octets. This improves compatibility + with some PDF signature verification software. [rG8996b0b655] + * gpgtar: Emit progress status lines in create mode. [T6363] + * dirmngr: The LDAP modifyTimestamp is now returned by some + keyserver commands. [rG56d309133f] + * ssh: Allow specification of the order keys are presented to ssh. + See the man page entry for --enable-ssh-support. [T5996, T6212] + * gpg: Make list-options "show-sig-subpackets" work again. + Fixes regression in 2.4.0. [rG5a223303d7] + * gpg: Fix the keytocard command for Yubikeys. [T6378] + * gpg: Do not continue an export after a cancel for the primary key. [T6093] + * gpg: Replace the --override-compliance-check hack by a real fix. [T5655] + * gpgtar: Fix decryption with input taken from stdin. [T6355] + * Rebase patches: + - gnupg-revert-rfc4880bis.patch + - gnupg-add_legacy_FIPS_mode_option.patch + * Remove patch fixed upstream: + - gnupg-tests-Fix-tests-gpgme-for-in-source-tree-builds.patch + +- Temporarily revert back to the pre-2.4 default for key generation. + The new rfc4880bis has been set as the default in 2.4 version and + might create incompatible keys. Note that, rfc4880bis can still + be used with the option flag --rfc4880bis as in previous versions. 
+ * More info in the gnupg-devel ML: + https://lists.gnupg.org/pipermail/gnupg-devel/2022-December/035183.html + * Reverted commit https://dev.gnupg.org/rGcaf4b3fc16e9 + * Add gnupg-revert-rfc4880bis.patch + +- Allow 8192 bit RSA keys in keygen UI when large_rsa is set + * Add gnupg-allow-large-rsa.patch + +- Fix the regression test suite fails with the IBM TPM Software + stack. Builds fine using the Intel TPM; use the swtpm and + tpm2-0-tss-devel packages instead of ibmswtpm2 and ibmtss-devel. + +- Fix broken GPGME QT tests: Upstram dev task dev.gnupg.org/T6313 + * The original patch has been modified to expand the changes + also to the tests/gpgme/Makefile.in file. + * Add gnupg-tests-Fix-tests-gpgme-for-in-source-tree-builds.patch + +- Updated to require libgpg-error-devel >= 1.46 +- Rebased patches: + * gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch + * gnupg-add_legacy_FIPS_mode_option.patch +- GnuPG 2.4.0: + * common: Fix translations in --help for gpgrt < 1.47. + * gpg: Do not continue the export after a cancel for the primary key. + * gpg: Replace use of PRIu64 in log_debug. + * Update NEWS for 2.4.0. + * tests: Fix make check with GPGME. + * agent: Allow arguments to "scd serialno" in restricted mode. + * scd:p15: Skip deleted records. + * build: Remove Windows CE support. + * wkd: Do not send/install/mirror expired user ids. + * gpgsm: Print the revocation time also with --verify. + * gpgsm: Fix "problem re-searching certificate" case. + * gpgsm: Print revocation date and reason in cert listings. + * gpgsm: Silence the "non-critical certificate policy not allowed". + * gpgsm: Always use the chain model if the root-CA requests this. + * gpg: New export option "mode1003". + * gpg: Remove a mostly duplicated function. + * tests: Simplify fake-pinentry to use the option only. + * tests: Fix fake-pinentry for Windows. + * tests: Fix make check-all. + * agent: Fix import of protected v5 keys. + * gpgsm: Change default algo to AES-256. 
+ * tests: Put a workaround for semihosted environment. + * tests: More fix for semihosted environment. + * tests: Support semihosted environment. + * tests: Fix tests under cms. + * tests,w32: Fix for semihosted environment. + * w32: Fix for tests on semihosted environment. + * w32: Fix gnupg_unsetenv. + * wkd: New option --add-revocs and some fixes. + * wkd: Make use of --debug extprog. + * gpg: New export-filter export-revocs. + * gpg: Fix double-free in gpg --card-edit. + * gpg: Make --require-compliance work with out --status-fd. + * gpg: New option --list-filter. + * dirmngr: Silence ocsp debug output. + * tests: Fix to support --enable-all-tests and variants. + * tests:w32: Fix for non-dot file name for Windows. + * tests:gpgscm:w32: Fix for GetTempPath. + * tests: Keep .log files in objdir. + * tests: Use 233 for invalid value of FD. + * w32: Fix gnupg_tmpfile for possible failure. + * scd: Redact --debug cardio output of a VERIFY APDU. + * common: Remove Windows CE support in common. + * gpgsm: Fix colon outout of ECC encryption certificates. + * scd:nks: Fix ECC signing if key not given by keygrip. + * dirmngr: Fix verification of ECDSA signed CRLs. + * agent: Allow trustlist on Windows in Unicode homedirs. + * gpg: Fix verification of cleartext signatures with overlong lines. + * gpg: Move w32_system function. + * gpg: New option --quick-update-pref. + * gpg: New list-options show-pref and show-pref-verbose. + * tests: Add tests to check that OCB is only used for capable keys. + * gpg: Make --list-packets work w/o --no-armor for plain OCB packets. + * tests: Add symmetric decryption tests. + * tests: Add tr:assert-same function. + * agent: Avoid blanks in the ssh key's comment. + * build: Update m4 files. + * gpg: Merge --rfc4880bis features into --gnupg. + * gpg: Allow only OCB for AEAD encryption. + * gpg: New option --compatibility-flags. + * gpgsm: Also announce AES256-CBC in signatures. 
+ * gpg: Fix trusted introducer for user-ids with only the mbox. + * gpg: Import stray revocation certificates. + * agent: Automatically convert to extended key format by KEYATTR. + * card: New commands "gpg" and "gpgsm". + * card: Also show fingerprints of known X.509 certificates. + * scd:nks: Support non-ESIGN signing with the Signature Card v2. + * gpgsm: Allow ECC encryption keys with just keyAgreement specified. + * gpgsm: Use macro constants for cert_usage_p. + * build: Update gpg-error.m4. + * agent,common,dirmngr,tests,tools: Remove spawn PREEXEC argument. + * gpg: Move NETLIBS after GPG_ERROR_LIBS. + * gpg: Use GCRY_KDF_ONESTEP_KDF with newer libgcrypt in future. + * common,w32: Fix struct stat on Windows. + * agent,w32: Support Win32-OpenSSH emulation by gpg-agent. + * common: Don't use FD2INT for POSIX-only code. + * dirmngr: Fix build with no LDAP support. + +- GnuPG 2.3.8: + * gpg: Do not consider unknown public keys as non-compliant while + decrypting. + * gpg: Avoid to emit a compliance mode line if Libgcrypt is + non-compliant. + * gpg: Improve --edit-key setpref command to ease c+p. + * gpg: Emit an ERROR status if --quick-set-primary-uid fails and + allow to pass the user ID by hash. + * gpg: Actually show symmetric+pubkey encrypted data as de-vs + compliant. Add extra compliance checks for symkey_enc packets. + * gpg: In de-vs mode use SHA-256 instead of SHA-1 as implicit + preference. + * gpgsm: Fix reporting of bad passphrase error during PKCS#11 + import. + * agent: Fix a regression in "READKEY --format=ssh". + * agent: New option --need-attr for KEYINFO. + * agent: New attribute "Remote-list" for use by KEYINFO. + * scd: Fix problem with Yubikey 5.4 firmware. + * dirmngr: Fix CRL Distribution Point fallback to other schemes. + * dirmngr: New LDAP server flag "areconly" (A-record-only). + * dirmngr: Fix upload of multiple keys for an LDAP server specified + using the colon format. + * dirmngr: Use LDAP schema v2 when a Base DN is specified. 
+ * dirmngr: Avoid caching expired certificates. + * wkd: Fix path traversal attack in gpg-wks-server. Add the mail + address to the pending request data. + * wkd: New command --mirror for gpg-wks-client. + * gpg-auth: New tool for authentication. + * New common.conf option no-autostart. + * Silence warnings from AllowSetForegroundWindow unless + GNUPG_EXEC_DEBUG_FLAGS is used. + * Rebase gnupg-detect_FIPS_mode.patch + * Remove patch upstream: + - gnupg-2.3.7-scd-openpgp-Fix-workaround-for-Yubikey-heuristics.patch + +- Fix YubiKey 5 Nano support (boo#1202201), add + gnupg-2.3.7-scd-openpgp-Fix-workaround-for-Yubikey-heuristics.patch + +- GnuPG 2.3.7: + * CVE-2022-34903: garbled status messages could trick gpgme and + other parsers to accept faked status lines [boo#1201225] + * A number of bug fixes to the gpg command line interface + * gpgsm gained a number of new options and got some rework on + the PKCS#12 parser to support DFN issues keys + * The gpg agent got some added options and UI tweaks + * smart card support got a number of bug fixes, and improved + support for Technology Nexus cards and Yubikey + * The Telesec ESIGN application is now supported + +- added tpm support, added a new subpackage gpg2-tpm + +- GnuPG 2.3.6: + * Up to five times faster verification of detached signatures, + doubled detached signing speed, threefold decryption speedup + for large files, nearly double the AES256.OCB encryption speed + * Add support for GeNUA cards + * Added and improved options for crypto options, and all-around + bug fixes + +- GnuPG 2.3.4: + * gpg: New option --min-rsa-length + * gpg: New option --forbid-gen-key + * gpg: New option --override-compliance-check + * gpgconf: New command --show-configs + * agent,dirmngr,keyboxd: New option --steal-socket + * gpg: Fix printing of binary notations + * gpg: Remove stale ultimately trusted keys from the trustdb + * gpg: Fix indentation of --print-mds and --print-md sha512 + * gpg: Emit gpg 2.2 compatible Ed25519 
signature + * gpgsm: Detect circular chains in --list-chain + * dirmngr: Make reading resolv.conf more robust + * dirmngr: Ask keyservers to provide the key fingerprints + * gpgconf: Allow changing gpg's deprecated keyserver option + * gpg-wks-server: Fix created file permissions + * scd: Support longer data for ssh-agent authentication with + openpgp cards + * scd: Modify DEVINFO behavior to support looping forever + * Silence warning about the rootdir under Unices w/o a mounted + /proc file system + * Fix possible build problems about missing include files + +- GnuPG 2.3.3: + * agent: Fix segv in GET_PASSPHRASE (regression) + * dirmngr: Fix Let's Encrypt certificate chain validation + * gpg: Change default and maximum AEAD chunk size to 4 MiB + * gpg: Print a warning when importing a bad cv25519 secret key + * gpg: Fix --list-packets for undecryptable AEAD packets + * gpg: Verify backsigs for v5 keys correctly + * keyboxd: Fix checksum computation for no UBID entry on disk + * keyboxd: Fix "invalid object" error with cv448 keys + * dirmngr: New option --ignore-cert + * agent: Fix calibrate_get_time use of clock_gettime + * Support a gpgconf.ctl file under Unix and use this for the + regression tests + +- GnuPG 2.3.2: + * gpg: Allow fingerprint based lookup with --locate-external-key. + * gpg: Allow decryption w/o public key but with correct card inserted. + * gpg: Auto import keys specified with --trusted-keys. + * gpg: Do not use import-clean for LDAP keyserver imports. + * gpg: Fix mailbox based search via AKL keyserver method. + * gpg: Fix memory corruption with --clearsign introduced with 2.3.1. + * gpg: Use a more descriptive prompt for symmetric decryption. + * gpg: Improve speed of secret key listing. + * gpg: Support keygrip search with traditional keyring. + * gpg: Let --fetch-key return an exit code on failure. + * gpg: Emit the NO_SECKEY status again for decryption. + * gpgsm: Support decryption of password based encryption (pwri). 
+ * gpgsm: Support AES-GCM decryption. + * gpgsm: Let --dump-cert --show-cert also print an OpenPGP fingerprint. + * gpgsm: Fix finding of issuer in use-keyboxd mode. + * gpgsm: New option --ldapserver as an alias for --keyserver. + * agent: Use SHA-256 for SSH fingerprint by default. + * agent: Fix calling handle_pincache_put. + * agent: Fix importing protected secret key. + * agent: Fix a regression in agent_get_shadow_info_type. + * agent: Add translatable text for Caps Lock hint. + * agent: New option --pinentry-formatted-passphrase. + * agent: Add checkpin inquiry for pinentry. + * agent: New option --check-sym-passphrase-pattern. + * agent: Use the sysconfdir for a pattern file. + * agent: Make QT_QPA_PLATFORMTHEME=qt5ct work for the pinentry. + * dirmngr: LDAP search by a mailbox now ignores revoked keys. + * dirmngr: For KS_SEARCH return the fingerprint also with LDAP. + * dirmngr: Allow for non-URL specified ldap keyservers. + * dirmngr: New option --ldapserver. + * dirmngr: Fix regression in KS_GET for mail address pattern. + * card: New option --shadow for the list command. + * tests: Make sure the built keyboxd is used. + * scd: Fix computing shared secrets for 512 bit curves. + * scd: Fix unblock PIN by a Reset Code with KDF. + * scd: Fix PC/SC removed card problem. + * scd: Recover the partial match for PORTSTR for PC/SC. + * scd: Make sure to release the PC/SC context. + * scd: Fix zero-byte handling in ECC. + * scd: Fix serial number detection for Yubikey 5. + * scd: Add basic support for AET JCOP cards. + * scd: Detect external interference when --pcsc-shared is in use. + * scd: Fix access to the list of cards. + * gpgconf: Do not list a disabled tpm2d. + * gpgconf: Make runtime changes with different homedir work. + * keyboxd: Fix searching for exact mail adddress. + * keyboxd: Fix searching with multiple patterns. + * tools: Extend gpg-check-pattern. + * wkd: Fix client issue with leading or trailing spaces in user-ids. 
+ * Pass XDG_SESSION_TYPE and QT_QPA_PLATFORM envvars to Pinentry. + * Change the default keyserver to keyserver.ubuntu.com. This is a + temporary change due to the shutdown of the SKS keyserver pools. + +- GnuPG 2.3.1: + * The new configuration file common.conf is now used to enable + the use of the key database daemon with "use-keyboxd". Using + this option in gpg.conf and gpgsm.conf is supported for a + transitional period. See doc/example/common.conf for more. + * gpg: Force version 5 key creation for ed448 and cv448 algorithms. + * gpg: By default do not use the self-sigs-only option when + importing from an LDAP keyserver. + * gpg: Lookup a missing public key of the active card via LDAP. + * gpgsm: New command --show-certs. + * scd: Fix CCID driver for SCM SPR332/SPR532. + * scd: Further improvements for PKCS#15 cards. + * New configure option --with-tss to allow the selection of the + TSS library. +- Rebase patches: + * gnupg-add_legacy_FIPS_mode_option.patch + * gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch + * gnupg-dont-fail-with-seahorse-agent.patch + * gnupg-set_umask_before_open_outfile.patch + +- GnuPG 2.3.0: + * A new experimental key database daemon is provided. To enable + it put "use-keyboxd" into gpg.conf and gpgsm.conf. Keys are stored + in a SQLite database and make key lookup much faster. + * New tool gpg-card as a flexible frontend for all types of + supported smartcards. + * New option --chuid for gpg, gpgsm, gpgconf, gpg-card, and + gpg-connect-agent. + * The gpg-wks-client tool is now installed under bin; a wrapper for + its old location at libexec is also installed. + * tpm2d: New daemon to physically bind keys to the local machine. + * gpg: Switch to ed25519/cv25519 as default public key algorithms. + * gpg: Verification results now depend on the --sender option and + the signer's UID subpacket. + * gpg: Do not use any 64-bit block size cipher algorithm for + encryption. 
Use AES as last resort cipher preference instead of + 3DES. This can be reverted using --allow-old-cipher-algos. + * gpg: Support AEAD encryption mode using OCB or EAX. + * gpg: Support v5 keys and signatures. + * gpg: Support curve X448 (ed448, cv448). + * gpg: Allow use of group names in key listings. + * gpg: New option --full-timestrings to print date and time. + * gpg: New option --force-sign-key. + * gpg: New option --no-auto-trust-new-key. + * gpg: The legacy key discovery method PKA is no longer supported. + The command --print-pka-records and the PKA related import and + export options have been removed. + * gpg: Support export of Ed448 Secure Shell keys. + * gpgsm: Add basic ECC support. + * gpgsm: Support creation of EdDSA certificates. [#4888] + * agent: Allow the use of "Label:" in a key file to customize the + pinentry prompt. + * agent: Support ssh-agent extensions for environment variables. + With a patched version of OpenSSH this avoids the need for the + "updatestartuptty" kludge. + * scd: Improve support for multiple card readers and tokens. + * scd: Support PIV cards. + * scd: Support for Rohde&Schwarz Cybersecurity cards. + * scd: Support Telesec Signature Cards v2.0 + * scd: Support multiple application on certain smartcard. + * scd: New option --application-priority. + * scd: New option --pcsc-shared; see man page for important notes. + * dirmngr: Support a gpgNtds parameter in LDAP keyserver URLs. + * The symcryptrun tool, a wrapper for the now obsolete external + Chiasmus tool, has been removed. + * Full Unicode support for the command line. +- dropped legacy commands: gpg-zip + +- Remove the "files-are-digests" option from the openSUSE package. + This feature was not upstream and only used in the OBS signing + daemon. The recommended upstream feature for separating the data + to be signed from the private keys is gpg agent forwarding, + available from 2.1. Drop gnupg-2.2.8-files-are-digests.patch -- Fix segv importing certain keys (e.g. 
ed25519). [bsc#1176034] -- Add gnupg-2.2.22-fix-segv-import-keys.patch - -- Fix warning: agent returned different signature type ssh-rsa - * The gpg-agent's ssh-agent does not handle flags in signing - requests properly [bsc#1161268, bsc#1172308] - * Add gnupg-gpg-agent-ssh-agent.patch - -- Security fix: [bsc#1157900, CVE-2019-14855, jsc#SLE-16534] - * Web of Trust forgeries using collisions in SHA-1 signatures - * Ignore all SHA-1 signatures in 3rd party key signatures. - * Forbid the creation of SHA-1 third-party key signatures. - * Add option --allow-weak-key-signatures -- Add gnupg-CVE-2019-14855.patch - -- Remove self-buildrequire [bsc#1152755] - -- Security fix: [bsc#1141093, CVE-2019-13050] - * Denial of service attacks via big keys - * Added patches: - - gnupg-CVE-2019-13050_0_of_5.patch - - gnupg-CVE-2019-13050_1_of_5.patch - - gnupg-CVE-2019-13050_2_of_5.patch - - gnupg-CVE-2019-13050_3_of_5.patch - - gnupg-CVE-2019-13050_4_of_5.patch - - gnupg-CVE-2019-13050_5_of_5.patch - -- Allow coredumps in X11 desktop sessions (bsc#1124847) - gpg-agent unconditionally disables coredumps, which is not - supposed to happen in the code path that does just exec(argv[]) - * Added gnupg-gpg-agent-ulimit.patch - +- Allow coredumps in X11 desktop sessions (bsc#1124847) + gpg-agent unconditionally disables coredumps, which is not + supposed to happen in the code path that does just exec(argv[]) + gnupg-gpg-agent-ulimit.patch + -- Security fix: [bsc#1120346, CVE-2018-1000858] - * Cross Site Request Forgery (CSRF) vulnerability in dirmngr that - can result in Attacker controlled CSRF. - * Added patches: - - gnupg-CRL-fetching-via-https.patch - - gnupg-Allow-redirection-from-https-to-http-for-CRLs.patch - - gnupg-CVE-2018-1000858.patch - -- Added gnupg-CVE-2018-12020.patch: Sanitize the diagnostic output of the - original file name in verbose mode (bsc#1096745, CVE-2018-12020). 
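Review bot: the removed gpg2 entries are the only lines in this changelog diff that name CVE-2019-14855, CVE-2019-13050, CVE-2018-1000858 and CVE-2018-12020 with their bsc# numbers; the added entries mention only CVE-2022-34903 (under GnuPG 2.3.7, boo#1201225). Dropping the patch files is reasonable when the newer upstream sources carry the fixes, but the added text should then say so, for example one line in the newest entry listing those CVE ids as fixed upstream, so that anyone auditing the package by searching its changelog for a CVE id still finds it.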
- gpgme -- Update to 1.16.0 in SLE-15-SP4: [jsc#SLE-20014, jsc#SLE-21114] - * Remove gpgme-test-json.patch fixed upstream +- Update to 1.23.0: + * Support GPGME_ENCRYPT_ALWAYS_TRUST also for S/MIME. [T6559] + * New keylist mode GPGME_KEYLIST_MODE_WITH_V5FPR. [T6705] + * New key capability flags has_*. [T6748] + * gpgme-tool: Support use of Windows HANDLE. [T6634] + * qt: Support refreshing keys via WKD. [T6672] + * qt: Handle cancel in changeexpiryjob. [T6754] + * Remove patches fixed upstream: + - gpgme-qt-tests-Fix-build-in-source-directory.patch + - gpgme-build-Suggest-out-of-source-build.patch + +- Use GCC 12 for building the Qt6 library on Leap 15. The + default compiler is too old. +- Use '%{without xxx}' rather than '!%{with xxx}' in spec file + +- Use GCC 12 for building the Qt6 library. The default compiler + is too old. +- Use '%{without xxx}' rather than '!%{with xxx}' in spec file + +- Fix builds with qt and qt6 [T6673]: + * qt,tests: Fix build in source directory. Include Qt binding + sources before C++ binding sources and C sources. This fixes + the problem that the debug.h in the C sources was found before + the one in the Qt bindings. + * build: Suggest out-of-source build. Suggest to run configure + from a build subdirectory. + * Add patches: + - gpgme-qt-tests-Fix-build-in-source-directory.patch + - gpgme-build-Suggest-out-of-source-build.patch + +- Update to 1.22.0: + * Prevent wrong plaintext when verifying clearsigned signature. + * Return bad data error instead of general error on unexpected data. + * Take care of offline mode for all operations of gpgsm engine. + * Prepare the use of the forthcoming libassuan version 3. + * New configure option --with-libtool-modification. + * cpp: Expose gpgme_decrypt_result_t.is_mime. + * qt: Clean up after failure or cancel of sign/encrypt archive operation. + * qt: Add setInputEncoding to QGpgMe::EncryptJob. + * qt: Make toLogString helper public. 
+ * Interface changes relative to the 1.21.0 release: + - qt: EncryptJob::setInputEncoding NEW. + - qt: DecryptionResult::isMime NEW. + - qt: toLogString NEW. + +- Run testsuite in qemu build + +- Update to 1.21.0 + * Extended gpgme_op_encrypt, gpgme_op_encrypt_sign, and gpgme_op_sign + to allow writing the output directly to a file. [T6530] + * Extended gpgme_op_decrypt and gpgme_op_verify to allow reading the + input data directly from files. [T6530] + * For key signing and uid revoking allow an empty user id. [rMfbc3963d62] + * Pass an input-size-hint also to the gpgsm engine. [T6534] + * qt: Allow writing the created archives directly to a file. [T6530] + * qt: Allow reading the signed/encrypted archive to decrypt + or verify directly from a file. [T6530] + * qt: Qt Jobs working with QIODeviceDataProvider now properly + handle input-size hints and progress for files larger. + 2^32 bytes in 32 bit builds. [T6534] + * cpp: Error::isCanceled now also returns true for error code + GPG_ERR_FULLY_CANCELED. [T6510] + * python: Fix wrong use of write. [T6501] + * Interface changes relative to the 1.20.0 release: + - cpp: Data::setFlag NEW. + - cpp: Data::setSizeHint NEW. + - qt: Job::startIt NEW. + - qt: DecryptVerifyArchiveJob::setInputFile NEW. + - qt: DecryptVerifyArchiveJob::inputFile NEW. + - qt: EncryptArchiveJob::setRecipients NEW. + - qt: EncryptArchiveJob::recipients NEW. + - qt: EncryptArchiveJob::setInputPaths NEW. + - qt: EncryptArchiveJob::inputPaths NEW. + - qt: EncryptArchiveJob::setOutputFile NEW. + - qt: EncryptArchiveJob::outputFile NEW. + - qt: EncryptArchiveJob::setEncryptionFlags NEW. + - qt: EncryptArchiveJob::encryptionFlags NEW. + - qt: SignArchiveJob::setSigners NEW. + - qt: SignArchiveJob::signers NEW. + - qt: SignArchiveJob::setInputPaths NEW. + - qt: SignArchiveJob::inputPaths NEW. + - qt: SignArchiveJob::setOutputFile NEW. + - qt: SignArchiveJob::outputFile NEW. + - qt: SignEncryptArchiveJob::setSigners NEW. 
+ - qt: SignEncryptArchiveJob::signers NEW. + - qt: SignEncryptArchiveJob::setRecipients NEW. + - qt: SignEncryptArchiveJob::recipients NEW. + - qt: SignEncryptArchiveJob::setInputPaths NEW. + - qt: SignEncryptArchiveJob::inputPaths NEW. + - qt: SignEncryptArchiveJob::setOutputFile NEW. + - qt: SignEncryptArchiveJob::outputFile NEW. + - qt: SignEncryptArchiveJob::setEncryptionFlags NEW. + - qt: SignEncryptArchiveJob::encryptionFlags NEW. + +- Update to 1.20.0: + * On Windows, the gettext functions provided by gpgrt are switched + into utf8 mode, so that all localized texts returned by GpgME or + gpgrt, e.g. the texts for error codes are now UTF-8 encoded. [T5960] + * Key::canSign now returns false for OpenPGP keys without signing + (sub)key. [T6456] + * The new macOS Homebrew location is now by default supported. [T6440] + * Fix regression in 1.19.0. + * Fix invocation of gpgtar on Windows. + * Interface changes relative to the 1.19.0 release: + - gpgme_subkey_t EXTENDED: New field 'can_renc'. + - gpgme_subkey_t EXTENDED: New field 'can_timestamp'. + - gpgme_subkey_t EXTENDED: New field 'is_group_owned'. + - cpp: Subkey::canRenc NEW. + - cpp: Subkey::canTimestamp NEW. + - cpp: Subkey::isGroupOwned NEW. + - cpp: Key::canReallySign DEPRECATED. + * Release-info: https://dev.gnupg.org/T6463 + +- Add a Qt6 flavor to build Qt6 bindings +- Use %ldconfig_scriptlets + +- Update to 1.19.0: + * New context flag "no-auto-check-trustdb". [T6261] + * Optionally, build QGpgME for Qt 6 + * Support component "gpgtar-name" in gpgme_get_dirinfo. [T6342] + * Extended gpgme_op_encrypt*, gpgme_op_encrypt_sign*, and + gpgme_op_sign* to allow creating an encrypted and/or signed + archive. [T6342] + * Extended gpgme_op_decrypt*, gpgme_op_decrypt_verify*, + and gpgme_op_verify* to allow extracting an encrypted and/or + signed archive. [T6342] + * cpp: Handle error when trying to sign expired keys. [T6155] + * cpp: Support encryption flags ThrowKeyIds, EncryptWrap, and + WantAddress. 
[T6359] + * cpp, qt: Fix building with C++11. [T6141] + * qt: Fix problem with expiration dates after 2038-01-19 on 32-bit + systems when adding an existing subkey to another key. [T6137] + * cpp: Allow setting the curve to use when generating ECC keys + for smart cards. [T4429] + * qt: Extend ListAllKeysJob to allow disabling the automatic + trust database check when listing all keys. [T6261] + * qt: Allow deferred start of import jobs. [T6323] + * qt: Support creating and extracting signed and encrypted + archives. [T6342] + * Rebase gpgme-suse-nobetasuffix.patch + * Remove patches upstream: + - gpgme-D546-python310.patch + - gpgme-1.18.0-T6137-qt_test.patch + - python311.patch + +- drop python2 subpackage handling. we do not support python 2.x + anymore, and if we would it would happen via singlespec + +- Update upstream keyring: https://gnupg.org/signature_key.asc + +- add python311.patch to build language bindings for python 3.11 + +- Add gpgme-suse-nobetasuffix.patch + * remove "-unknown" suffix from version string + * boo#1205197 + +- gpgme 1.18.0 + * New keylist mode to force refresh via external methods + * The keylist operations now create an import result to report the + result of the locate keylist modes + * core: Return BAD_PASSPHRASE error code on symmetric decryption + failure + * cpp, qt: Do not export internal symbols anymore + * cpp, qt: Support revocation of own OpenPGP keys + * qt: The file name of (signed and) encrypted data can now be set + * cpp, qt: Support setting the primary user ID + * python: Fix segv(NULL) when inspecting contect after exeception +- includes changes from version 1.17.1: + * qt: Fix a bug in the ABI compatibility of 1.17.0 +- includes changes from 1.17.0: + * New context flag "key-origin" + * New context flag "import-filter" + * New export mode to export secret subkeys + * Detect errors during the export of secret keys + * New function gpgme_op_receive_keys to import keys from a keyserver + without first running a key 
listing + * Detect bad passphrase error in certificate import + * Allow setting --key-origin when importing keys + * Support components "keyboxd", "gpg-agent", "scdaemon", "dirmngr", + "pinentry", and "socketdir" in gpgme_get_dirinfo + * Under Unix use poll(2) instead of select(2), when available. + * Fix results returned by gpgme_data_* functions + * Support closefrom also for glibc + (drop upstream gpgme-use-glibc-closefrom.patch + * cpp,qt: Add support for export of secret keys and secret subkeys. + * cpp,qt: Support for adding existing subkeys to other keys + * qt: Extend ChangeExpiryJob to change expiration of primary key + and of subkeys at the same time + * qt: Support WKD lookup without implicit import + * qt: Allow specifying an import filter when importing keys + * qt: Allow retrieving the default value of a config entry +- drop patches included upstream + * gpgme-1.16.0-Use-after-free-in-t-edit-sign-test.patch + * gpgme-1.16.0-t-various-testSignKeyWithExpiration-32-bit.patch +- add patches to fix tests: + * gpgme-1.18.0-T6137-qt_test.patch + +- Add patches to support building bindings packages for + Python 3.10 + * gpgme-D545-python310.patch -- https://dev.gnupg.org/D545 + * gpgme-D546-python310.patch -- https://dev.gnupg.org/D546 -- Fix t-json test in SP3: https://dev.gnupg.org/T4820 [bsc#1183801] - * tests/json: Bravo key does not have secret key material - * tests/json: Do not check for keygrip of pubkeys - * core: Make sure the keygrip is available in WITH_SECRET mode -- Add gpgme-test-json.patch - gpgme:qt -- Update to 1.16.0 in SLE-15-SP4: [jsc#SLE-20014, jsc#SLE-21114] - * Remove gpgme-test-json.patch fixed upstream +- Update to 1.23.0: + * Support GPGME_ENCRYPT_ALWAYS_TRUST also for S/MIME. [T6559] + * New keylist mode GPGME_KEYLIST_MODE_WITH_V5FPR. [T6705] + * New key capability flags has_*. [T6748] + * gpgme-tool: Support use of Windows HANDLE. [T6634] + * qt: Support refreshing keys via WKD. [T6672] + * qt: Handle cancel in changeexpiryjob. 
[T6754] + * Remove patches fixed upstream: + - gpgme-qt-tests-Fix-build-in-source-directory.patch + - gpgme-build-Suggest-out-of-source-build.patch + +- Use GCC 12 for building the Qt6 library on Leap 15. The + default compiler is too old. +- Use '%{without xxx}' rather than '!%{with xxx}' in spec file + +- Use GCC 12 for building the Qt6 library. The default compiler + is too old. +- Use '%{without xxx}' rather than '!%{with xxx}' in spec file + +- Fix builds with qt and qt6 [T6673]: + * qt,tests: Fix build in source directory. Include Qt binding + sources before C++ binding sources and C sources. This fixes + the problem that the debug.h in the C sources was found before + the one in the Qt bindings. + * build: Suggest out-of-source build. Suggest to run configure + from a build subdirectory. + * Add patches: + - gpgme-qt-tests-Fix-build-in-source-directory.patch + - gpgme-build-Suggest-out-of-source-build.patch + +- Update to 1.22.0: + * Prevent wrong plaintext when verifying clearsigned signature. + * Return bad data error instead of general error on unexpected data. + * Take care of offline mode for all operations of gpgsm engine. + * Prepare the use of the forthcoming libassuan version 3. + * New configure option --with-libtool-modification. + * cpp: Expose gpgme_decrypt_result_t.is_mime. + * qt: Clean up after failure or cancel of sign/encrypt archive operation. + * qt: Add setInputEncoding to QGpgMe::EncryptJob. + * qt: Make toLogString helper public. + * Interface changes relative to the 1.21.0 release: + - qt: EncryptJob::setInputEncoding NEW. + - qt: DecryptionResult::isMime NEW. + - qt: toLogString NEW. + +- Run testsuite in qemu build + +- Update to 1.21.0 + * Extended gpgme_op_encrypt, gpgme_op_encrypt_sign, and gpgme_op_sign + to allow writing the output directly to a file. [T6530] + * Extended gpgme_op_decrypt and gpgme_op_verify to allow reading the + input data directly from files. 
[T6530] + * For key signing and uid revoking allow an empty user id. [rMfbc3963d62] + * Pass an input-size-hint also to the gpgsm engine. [T6534] + * qt: Allow writing the created archives directly to a file. [T6530] + * qt: Allow reading the signed/encrypted archive to decrypt + or verify directly from a file. [T6530] + * qt: Qt Jobs working with QIODeviceDataProvider now properly + handle input-size hints and progress for files larger. + 2^32 bytes in 32 bit builds. [T6534] + * cpp: Error::isCanceled now also returns true for error code + GPG_ERR_FULLY_CANCELED. [T6510] + * python: Fix wrong use of write. [T6501] + * Interface changes relative to the 1.20.0 release: + - cpp: Data::setFlag NEW. + - cpp: Data::setSizeHint NEW. + - qt: Job::startIt NEW. + - qt: DecryptVerifyArchiveJob::setInputFile NEW. + - qt: DecryptVerifyArchiveJob::inputFile NEW. + - qt: EncryptArchiveJob::setRecipients NEW. + - qt: EncryptArchiveJob::recipients NEW. + - qt: EncryptArchiveJob::setInputPaths NEW. + - qt: EncryptArchiveJob::inputPaths NEW. + - qt: EncryptArchiveJob::setOutputFile NEW. + - qt: EncryptArchiveJob::outputFile NEW. + - qt: EncryptArchiveJob::setEncryptionFlags NEW. + - qt: EncryptArchiveJob::encryptionFlags NEW. + - qt: SignArchiveJob::setSigners NEW. + - qt: SignArchiveJob::signers NEW. + - qt: SignArchiveJob::setInputPaths NEW. + - qt: SignArchiveJob::inputPaths NEW. + - qt: SignArchiveJob::setOutputFile NEW. + - qt: SignArchiveJob::outputFile NEW. + - qt: SignEncryptArchiveJob::setSigners NEW. + - qt: SignEncryptArchiveJob::signers NEW. + - qt: SignEncryptArchiveJob::setRecipients NEW. + - qt: SignEncryptArchiveJob::recipients NEW. + - qt: SignEncryptArchiveJob::setInputPaths NEW. + - qt: SignEncryptArchiveJob::inputPaths NEW. + - qt: SignEncryptArchiveJob::setOutputFile NEW. + - qt: SignEncryptArchiveJob::outputFile NEW. + - qt: SignEncryptArchiveJob::setEncryptionFlags NEW. + - qt: SignEncryptArchiveJob::encryptionFlags NEW. 
+ +- Update to 1.20.0: + * On Windows, the gettext functions provided by gpgrt are switched + into utf8 mode, so that all localized texts returned by GpgME or + gpgrt, e.g. the texts for error codes are now UTF-8 encoded. [T5960] + * Key::canSign now returns false for OpenPGP keys without signing + (sub)key. [T6456] + * The new macOS Homebrew location is now by default supported. [T6440] + * Fix regression in 1.19.0. + * Fix invocation of gpgtar on Windows. + * Interface changes relative to the 1.19.0 release: + - gpgme_subkey_t EXTENDED: New field 'can_renc'. + - gpgme_subkey_t EXTENDED: New field 'can_timestamp'. + - gpgme_subkey_t EXTENDED: New field 'is_group_owned'. + - cpp: Subkey::canRenc NEW. + - cpp: Subkey::canTimestamp NEW. + - cpp: Subkey::isGroupOwned NEW. + - cpp: Key::canReallySign DEPRECATED. + * Release-info: https://dev.gnupg.org/T6463 + +- Add a Qt6 flavor to build Qt6 bindings +- Use %ldconfig_scriptlets + +- Update to 1.19.0: + * New context flag "no-auto-check-trustdb". [T6261] + * Optionally, build QGpgME for Qt 6 + * Support component "gpgtar-name" in gpgme_get_dirinfo. [T6342] + * Extended gpgme_op_encrypt*, gpgme_op_encrypt_sign*, and + gpgme_op_sign* to allow creating an encrypted and/or signed + archive. [T6342] + * Extended gpgme_op_decrypt*, gpgme_op_decrypt_verify*, + and gpgme_op_verify* to allow extracting an encrypted and/or + signed archive. [T6342] + * cpp: Handle error when trying to sign expired keys. [T6155] + * cpp: Support encryption flags ThrowKeyIds, EncryptWrap, and + WantAddress. [T6359] + * cpp, qt: Fix building with C++11. [T6141] + * qt: Fix problem with expiration dates after 2038-01-19 on 32-bit + systems when adding an existing subkey to another key. [T6137] + * cpp: Allow setting the curve to use when generating ECC keys + for smart cards. [T4429] + * qt: Extend ListAllKeysJob to allow disabling the automatic + trust database check when listing all keys. [T6261] + * qt: Allow deferred start of import jobs. 
[T6323] + * qt: Support creating and extracting signed and encrypted + archives. [T6342] + * Rebase gpgme-suse-nobetasuffix.patch + * Remove patches upstream: + - gpgme-D546-python310.patch + - gpgme-1.18.0-T6137-qt_test.patch + - python311.patch + +- drop python2 subpackage handling. we do not support python 2.x + anymore, and if we would it would happen via singlespec + +- Update upstream keyring: https://gnupg.org/signature_key.asc + +- add python311.patch to build language bindings for python 3.11 + +- Add gpgme-suse-nobetasuffix.patch + * remove "-unknown" suffix from version string + * boo#1205197 + +- gpgme 1.18.0 + * New keylist mode to force refresh via external methods + * The keylist operations now create an import result to report the + result of the locate keylist modes + * core: Return BAD_PASSPHRASE error code on symmetric decryption + failure + * cpp, qt: Do not export internal symbols anymore + * cpp, qt: Support revocation of own OpenPGP keys + * qt: The file name of (signed and) encrypted data can now be set + * cpp, qt: Support setting the primary user ID + * python: Fix segv(NULL) when inspecting contect after exeception +- includes changes from version 1.17.1: + * qt: Fix a bug in the ABI compatibility of 1.17.0 +- includes changes from 1.17.0: + * New context flag "key-origin" + * New context flag "import-filter" + * New export mode to export secret subkeys + * Detect errors during the export of secret keys + * New function gpgme_op_receive_keys to import keys from a keyserver + without first running a key listing + * Detect bad passphrase error in certificate import + * Allow setting --key-origin when importing keys + * Support components "keyboxd", "gpg-agent", "scdaemon", "dirmngr", + "pinentry", and "socketdir" in gpgme_get_dirinfo + * Under Unix use poll(2) instead of select(2), when available. 
+ * Fix results returned by gpgme_data_* functions + * Support closefrom also for glibc + (drop upstream gpgme-use-glibc-closefrom.patch + * cpp,qt: Add support for export of secret keys and secret subkeys. + * cpp,qt: Support for adding existing subkeys to other keys + * qt: Extend ChangeExpiryJob to change expiration of primary key + and of subkeys at the same time + * qt: Support WKD lookup without implicit import + * qt: Allow specifying an import filter when importing keys + * qt: Allow retrieving the default value of a config entry +- drop patches included upstream + * gpgme-1.16.0-Use-after-free-in-t-edit-sign-test.patch + * gpgme-1.16.0-t-various-testSignKeyWithExpiration-32-bit.patch +- add patches to fix tests: + * gpgme-1.18.0-T6137-qt_test.patch + +- Add patches to support building bindings packages for + Python 3.10 + * gpgme-D545-python310.patch -- https://dev.gnupg.org/D545 + * gpgme-D546-python310.patch -- https://dev.gnupg.org/D546 -- Fix t-json test in SP3: https://dev.gnupg.org/T4820 [bsc#1183801] - * tests/json: Bravo key does not have secret key material - * tests/json: Do not check for keygrip of pubkeys - * core: Make sure the keygrip is available in WITH_SECRET mode -- Add gpgme-test-json.patch - grub2 +- Fix reproducible build for grub.xen (bsc#1217619) + * 0001-mkstandalone-ensure-stable-timestamps-for-generated-.patch + * 0002-mkstandalone-ensure-deterministic-tar-file-creation-.patch + +- Fix unattended boot with TPM2 allows downgrading kernel and rootfs, also + enhancing the overall security posture (bsc#1216680) + * 0001-Improve-TPM-key-protection-on-boot-interruptions.patch + * 0002-Restrict-file-access-on-cryptodisk-print.patch + * 0003-Restrict-ls-and-auto-file-completion-on-cryptodisk-p.patch + * 0004-Key-revocation-on-out-of-bound-file-access.patch + gstreamer-plugins-bad +- Add gstreamer-plugins-bad-CVE-2023-44429.patch: + Backporting 1db83d3f from upstream, Clip tile rows and cols to 64 + as describe in AV1 specification. 
+ (CVE-2023-44429 bsc#1217211) + - from upstream to fix a heap overwrite in PGS subtitle - overlay decoder which might trigger a crash or remote code - execution (CVE-2023-37329 bsc#1213126). + Backport 7ed446dc,0dabf0eb from upstream to fix a heap overwrite + in PGS subtitle overlay decoder which might trigger a crash or + remote code execution (CVE-2023-37329 bsc#1213126). -- Add patch to support building with srt 1.3.4 in SLE - * fix-build-with-srt-1.3.4.patch +- Add fix-build-with-srt-1.3.4.patch: + To support building with srt 1.3.4 in SLE. +- Update to version 1.16.3 (bsc#1181255 CVE-2021-3185): + - amcvideodec: fix sync meta copying not taking a reference + - audiobuffersplit: Perform discont tracking on running time + - audiobuffersplit: Specify in the template caps that only interleaved audio is supported + - audiobuffersplit: Unset DISCONT flag if not discontinuous + - autoconvert: Fix lock-less exchange or free condition + - autoconvert: fix compiler warnings with g_atomic on recent GLib versions + - avfvideosrc: element requests camera permissions even with capture-screen property is true + - codecparsers: h264parser: guard against ref_pic_markings overflow + - dtlsconnection: Avoid segmentation fault when no srtp capabilities are negotiated + - dtls/connection: fix EOF handling with openssl 1.1.1e + - fdkaacdec: add support for mpegversion=2 + - hls: Check nettle version to ensure AES128 support + - ipcpipeline: Rework compiler checks + - interlace: Increment phase_index before checking if we're at the end of the phase + - lv2: Make it build with -fno-common + - h264parser: Do not allocate too large size of memory for registered user data SEI + - ladspa: fix unbounded integer properties + - modplug: avoid division by zero + - msdkdec: Fix GstMsdkContext leak + - msdkenc: fix leaks on windows + - musepackdec: Don't fail all queries if no sample rate is known yet + - openslessink: Allow openslessink to handle 48kHz streams. 
+ - opencv: allow compilation against 4.2.x + - proxysink: event_function needs to handle the event when it is disconnecetd from proxysrc + - vulkan: Drop use of VK_RESULT_BEGIN_RANGE + - wasapi: added missing lock release in case of error in gst_wasapi_xxx_reset + - wasapi: Fix possible deadlock while downwards state change + - waylandsink: Clear window when pipeline is stopped + - webrtc: Support non-trickle ICE candidates in the SDP + - webrtc: Unmap all non-binary buffers received via the datachannel + - meson: build with neon 0.31 +- Drop upstream fixed patch: gstreamer-h264parser-fix-overflow.patch + +- Drop gstreamer-plugins-bad-patch-source.sh +- Drop pre_checkin.sh haproxy -- Update HA packages for 15 SP6 (jsc#PED-6161) +- Update to version 2.8.4+git0.a4ebf9d3b: + * [RELEASE] Released version 2.8.4 + * BUG/MINOR: stconn: Report read activity on non-indep streams for partial sends + * BUG/MINOR: stconn/applet: Report send activity only if there was output data + * BUG/MINOR: stconn: Use HTX-aware channel's functions to get info on buffer + * BUG/MINOR: stconn: Fix streamer detection for HTX streams + * MINOR: channel: Add functions to get info on buffers and deal with HTX streams + * MINOR: htx: Use a macro for overhead induced by HTX + * BUG/MEDIUM: stconn: Update fsb date on partial sends + * BUG/MEDIUM: stream: Don't call mux .ctl() callback if not implemented + * BUG/MEDIUM: mworker: set the master variable earlier + * BUG/MEDIUM: applet: Report a send activity everytime data were sent + * BUG/MEDIUM: stconn: Report a send activity everytime data were sent + * REGTESTS: http: Improve script testing abortonclose option + * BUG/MEDIUM: stream: Properly handle abortonclose when set on backend only + * MEDIUM: mux-h1: Handle MUX_SUBS_RECV flag in h1_ctl() and susbscribe for reads + * MINOR: connection: Add a CTL flag to notify mux it should wait for reads again + * BUG/MINOR: stconn: Handle abortonclose if backend connection was already set up + * 
BUG/MEDIUM: connection: report connection errors even when no mux is installed + * DOC: quic: Wrong syntax for "quic-cc-algo" keyword. + * BUG/MINOR: sink: don't learn srv port from srv addr + * BUG/MEDIUM: applet: Remove appctx from buffer wait list on release + * DOC: config: use the word 'backend' instead of 'proxy' in 'track' description + * BUG/MINOR: quic: fix retry token check inconsistency + * DOC: management: -q is quiet all the time + * BUG/MEDIUM: stconn: Don't update stream expiration date if already expired + * BUG/MEDIUM: quic: Avoid some crashes upon TX packet allocation failures + * BUG/MEDIUM: quic: Possible crashes when sending too short Initial packets + * BUG/MEDIUM: quic: Avoid trying to send ACK frames from an empty ack ranges tree + * BUG/MINOR: quic: idle timer task requeued in the past + * BUG/MEDIUM: pool: fix releasable pool calculation when overloaded + * BUG/MEDIUM: freq-ctr: Don't report overshoot for long inactivity period + * BUG/MINOR: mux-h1: Properly handle http-request and http-keep-alive timeouts + * BUG/MINOR: stick-table/cli: Check for invalid ipv4 key + * BUG/MEDIUM: quic: fix sslconns on quic_conn alloc failure + * BUG/MEDIUM: quic: fix actconn on quic_conn alloc failure + * CLEANUP: htx: Properly indent htx_reserve_max_data() function + * BUG/MINOR: stconn: Sanitize report for read activity + * BUG/MEDIUM: Don't apply a max value on room_needed in sc_need_room() + * BUG/MEDIUM: stconn: Don't report rcv/snd expiration date if SC cannot epxire + * BUG/MEDIUM: pattern: don't trim pools under lock in pat_ref_purge_range() + * BUG/MINOR: cfgparse/stktable: fix error message on stktable_init() failure + * BUG/MINOR: stktable: missing free in parse_stick_table() + * BUG/MINOR: tcpcheck: Report hexstring instead of binary one on check failure + * BUG/MEDIUM: ssl: segfault when cipher is NULL + * BUG/MINOR: mux-quic: fix early close if unset client timeout + * BUG/MINOR: ssl: suboptimal certificate selection with TLSv1.3 and dual 
ECDSA/RSA + * MEDIUM: quic: count quic_conn for global sslconns + * MEDIUM: quic: count quic_conn instance for maxconn + * MINOR: frontend: implement a dedicated actconn increment function + * BUG/MINOR: ssl: use a thread-safe sslconns increment + * BUG/MINOR: quic: do not consider idle timeout on CLOSING state + * BUG/MEDIUM: server: "proto" not working for dynamic servers + * MINOR: connection: add conn_pr_mode_to_proto_mode() helper func + * DEBUG: mux-h2/flags: fix list of h2c flags used by the flags decoder + * MINOR: lua: Add flags to configure logging behaviour + * BUG/MINOR: ssl: load correctly @system-ca when ca-base is define + * DOC: internal: filters: fix reference to entities.pdf + * BUG/MINOR: mux-h2: update tracked counters with req cnt/req err + * BUG/MINOR: mux-h2: commit the current stream ID even on reject + * BUG/MEDIUM: peers: Fix synchro for huge number of tables + * BUG/MEDIUM: peers: Be sure to always refresh recconnect timer in sync task + * BUG/MINOR: trace: fix trace parser error reporting + * BUG/MINOR: mux-h2: fix http-request and http-keep-alive timeouts again + * BUG/MEDIUM: mux-h2: Don't report an error on shutr if a shutw is pending + * BUG/MINOR: mux-h2: make up other blocked streams upon removal from list + * BUG/MINOR: mux-h1: Send a 400-bad-request on shutdown before the first request + * BUG/MEDIUM: quic-conn: free unsent frames on retransmit to prevent crash + * BUG/MINOR: mux-quic: fix free on qcs-new fail alloc + * BUG/MINOR: h3: strengthen host/authority header parsing + * BUG/MINOR: mux-quic: support initial 0 max-stream-data + * BUG/MEDIUM: mux-quic: fix RESET_STREAM on send-only stream + * BUG/MINOR: quic: reject packet with no frame + * BUG/MINOR: quic: Avoid crashing with unsupported cryptographic algos + * BUG/MEDIUM: stconn: Fix comparison sign in sc_need_room() + * BUG/MINOR: hq-interop: simplify parser requirement + * BUG/MEDIUM: h1: Ignore C-L value in the H1 parser if T-E is also set + * BUG/MINOR: mux-h1: Ignore 
C-L when sending H1 messages if T-E is also set + * BUG/MINOR: mux-h1: Handle read0 in rcv_pipe() only when data receipt was tried + * BUG/MEDIUM: hlua: Initialize appctx used by a lua socket on connect only + * MINOR: hlua: Test the hlua struct first when the lua socket is connecting + * MINOR: hlua: Save the lua socket's server in its context + * MINOR: hlua: Save the lua socket's timeout in its context + * MINOR: hlua: Don't preform operations on a not connected socket + * MINOR: hlua: Set context's appctx when the lua socket is created + * BUG/MEDIUM: http-ana: Try to handle response before handling server abort + * BUG/MEDIUM: quic_conn: let the scheduler kill the task when needed + * BUG/MEDIUM: actions: always apply a longest match on prefix lookup + * BUG/MINOR: mux-quic: remove full demux flag on ncbuf release + * BUG/MEDIUM: server/cli: don't delete a dynamic server that has streams + * MINOR: pattern: fix pat_{parse,match}_ip() function comments + * BUG/MINOR: server: add missing free for server->rdr_pfx + * BUG/MAJOR: mux-h2: Report a protocol error for any DATA frame before headers + * BUG/MINOR: freq_ctr: fix possible negative rate with the scaled API + * BUG/MEDIUM: master/cli: Pin the master CLI on the first thread of the group 1 + * BUG/MINOR: promex: fix backend_agg_check_status + * BUG/MEDIUM: mux-fcgi: Don't swap trash and dbuf when handling STDERR records + * BUG/MINOR: hlua/init: coroutine may not resume itself + * BUG/MEDIUM: hlua: don't pass stale nargs argument to lua_resume() + * CI: musl: drop shopt in workflow invocation + * CI: musl: highlight section if there are coredumps + * Revert "BUG/MEDIUM: quic: missing check of dcid for init pkt including a token" + * BUG/MEDIUM: hlua: streams don't support mixing lua-load with lua-load-per-thread + * MINOR: hlua: add hlua_stream_ctx_prepare helper function + * BUILD: quic: fix build on centos 8 and USE_QUIC_OPENSSL_COMPAT + * BUG/MINOR: quic: ssl_quic_initial_ctx() uses error count not error 
code + * BUG/MINOR: quic: allow-0rtt warning must only be emitted with quic bind + * BUILD: Makefile: add USE_QUIC_OPENSSL_COMPAT to make help + * MINOR: quic+openssl_compat: Emit an alert for "allow-0rtt" option + * MINOR: quic+openssl_compat: Do not start without "limited-quic" + * MINOR: quic: Warning for OpenSSL wrapper QUIC bindings without "limited-quic" + * BUG/MINOR: quic+openssl_compat: Non initialized TLS encryption levels + * DOC: quic: Add "limited-quic" new tuning setting + * MINOR: quic: Add "limited-quic" new tuning setting + * MINOR: quic: SSL context initialization with QUIC OpenSSL wrapper. + * MINOR: quic: Add a quic_openssl_compat struct to quic_conn struct + * MINOR: quic: Call the keylog callback for QUIC openssl wrapper from SSL_CTX_keylog() + * MINOR: quic: Initialize TLS contexts for QUIC openssl wrapper + * MINOR: quic: Export some KDF functions (QUIC-TLS) + * MINOR: quic: Add a compilation option for the QUIC OpenSSL wrapper + * MINOR: quic: Do not enable 0RTT with SSL_set_quic_early_data_enabled() + * MINOR: quic: Set the QUIC connection as extra data before calling SSL_set_quic_method() + * MINOR: quic: Do not enable O-RTT with USE_QUIC_OPENSSL_COMPAT + * MINOR: quic: Include QUIC opensssl wrapper header from TLS stacks compatibility header + * MINOR: quic: QUIC openssl wrapper implementation + * BUG/MINOR: quic: Wrong cluster secret initialization + * BUG/MINOR: quic: Leak of frames to send. 
+ * BUILD: bug: make BUG_ON() void to avoid a rare warning + +- Update to version 2.8.3+git0.86e043add: + * [RELEASE] Released version 2.8.3 + * CI: Update to actions/checkout@v4 + * MEDIUM: capabilities: enable support for Linux capabilities + * BUG/MINOR: hlua/action: incorrect message on E_YIELD error + * BUG/MINOR: ring/cli: Don't expect input data when showing events + * BUG/MINOR: applet: Always expect data when CLI is waiting for a new command + * NUG/MEDIUM: stconn: Always update stream's expiration date after I/O + * BUG/MEDIUM: stconn/stream: Forward shutdown on write timeout + * BUG/MEDIUM: applet: Report an error if applet request more room on aborted SC + * BUG/MEDIUM: stconn: Report read activity when a stream is attached to front SC + * BUG/MEDIUM: applet: Fix API for function to push new data in channels buffer + * BUG/MINOR: quic: Wrong RTT computation (srtt and rrt_var) + * BUG/MINOR: quic: Wrong RTT adjusments + * MINOR: httpclient: allow to configure the timeout.connect + * MINOR: httpclient: allow to configure the retries + * DOC: configuration: update examples for req.ver + * BUG/MINOR: stream: further protect stream_dump() against incomplete sessions + * BUG/MEDIUM: h1-htx: Ensure chunked parsing with full output buffer + * BUG/MAJOR: quic: Really ignore malformed ACK frames. 
+ * BUG/MINOR: quic: Possible skipped RTT sampling + * BUG/MEDIUM: stconn: Don't block sends if there is a pending shutdown + * BUG/MEDIUM: stconn: Wake applets on sending path if there is a pending shutdown + * BUG/MINOR: stconn: Don't report blocked sends during connection establishment + * BUG/MEDIUM: stconn: Update stream expiration date on blocked sends + * DEBUG: applet: Properly report opposite SC expiration dates in traces + * BUG/MINOR: checks: do not queue/wake a bounced check + * DOC: config: mention uid dependency on the tune.quic.socket-owner option + * BUG/MINOR: stream: protect stream_dump() against incomplete streams + * BUG/MINOR: ssl/cli: can't find ".crt" files when replacing a certificate + * BUILD: import: guard plock.h against multiple inclusion + * BUG/MINOR: ssl_sock: fix possible memory leak on OOM + * DOC: lua: fix core.register_action typo + * BUG/MINOR: hlua_fcn: potentially unsafe stktable_data_ptr usage + * CI: fedora: fix "dnf" invocation syntax + * IMPORT: xxhash: update xxHash to version 0.8.2 + * MINOR: atomic: make sure to always relax after a failed CAS + * MINOR: threads: inline the wait function for pthread_rwlock emulation + * IMPORT: plock: also support inlining the int code + * BUILD: Makefile: add the USE_QUIC option to make help + * DOC: jwt: Add explicit list of supported algorithms + * REGTESTS: Do not use REQUIRE_VERSION for HAProxy 2.5+ (3) + * SCRIPTS: git-show-backports: automatic ref and base detection with -m + * DOC: typo: fix sc-set-gpt references + * BUG/MINOR: stktable: allow sc-add-gpc from tcp-request connection + * BUG/MINOR: stktable: allow sc-set-gpt(0) from tcp-request connection + * DEV: flags/show-sess-to-flags: properly decode fd.state + * BUG/MINOR: hlua: fix invalid use of lua_pop on error paths + * BUG/MEDIUM: quic: fix tasklet_wakeup loop on connection closing + * CI: get rid of travis-ci wrapper for Coverity scan + * CI: do not use "groupinstall" for Fedora Rawhide builds +- drop 
0001-IMPORT-xxhash-update-xxHash-to-version-0.8.2.patch: + part of the version update + +- Apply upstream patch for the ppc64le issue: + Add patch: + 0001-IMPORT-xxhash-update-xxHash-to-version-0.8.2.patch + Remove patch: + fix-invalid-parameter-combination-for-AltiVec-intrinsic-__builtin_vec_ld.patch + +- Build error on ppc64le: include/import/xxhash.h:4148:9: error: invalid parameter combination for AltiVec intrinsic __builtin_vec_ld + Add patch: + fix-invalid-parameter-combination-for-AltiVec-intrinsic-__builtin_vec_ld.patch + + +- Update to version 2.8.1+git0.a90123aa8: + * [RELEASE] Released version 2.8.1 + +- Refreshed patches to apply cleanly again: + haproxy-1.6.0-makefile_lib.patch + haproxy-1.6.0-sec-options.patch +- Updated series file: removed outdated patches + +- Update to version 2.8.0+git0.fdd8154ed: + https://www.mail-archive.com/haproxy@formilux.org/msg43600.html + +- Update to version 2.7.8+git0.58c657f26: + * [RELEASE] Released version 2.7.8 + +- Add handling for the new startup logs in /dev/shm in the apparmor + profile + +- Update to version 2.7.7+git0.feedf1414: + * [RELEASE] Released version 2.7.7 + +- Update to version 2.7.6+git0.4dadaaafb: + * [RELEASE] Released version 2.7.6 + +- Update to version 2.7.5+git0.8d230219e: + * [RELEASE] Released version 2.7.5 + +- switch to autopatch to simplify patch handling + +- Update to version 2.7.4+git0.d28541d1f: + * [RELEASE] Released version 2.7.4 + +- Update to version 2.7.3+git0.1065b1000: (boo#1208132 CVE-2023-25725) + * [RELEASE] Released version 2.7.3 + +- Update to version 2.7.2+git0.7e295dd2c: + * [RELEASE] Released version 2.7.2 + +- Update to version 2.7.1+git0.3e4af0ed7: + * [RELEASE] Released version 2.7.1 + +- Update to version 2.7.0+git0.437fd289f: + https://www.haproxy.com/blog/announcing-haproxy-2-7/ + https://www.mail-archive.com/haproxy@formilux.org/msg42914.html + +- reenable the pcre jit after the last change + +- Switch from unmaintained pcre 8.45 to pcre2 10 + +- Update to 
version 2.6.6+git0.274d1a4df: + +- Update to version 2.6.5+git0.987a4e248: + +- Update to version 2.6.4+git0.2a2078cba: + * [RELEASE] Released version 2.6.4 + +- Update to version 2.6.3+git0.76f187b36: + * [RELEASE] Released version 2.6.3 + +- Update to version 2.6.2+git0.16a3646fd: + * [RELEASE] Released version 2.6.2 +- drop lua54.patch (upstream) + +- Update to version 2.6.1+git0.f6ca66d44: + * [RELEASE] Released version 2.6.1 + +- Update to version 2.6.0+git0.a1efc048b: + https://www.mail-archive.com/haproxy@formilux.org/msg42371.html +- refreshed patches + - haproxy-1.6.0-makefile_lib.patch + - haproxy-1.6.0-sec-options.patch + - haproxy-1.6.0_config_haproxy_user.patch + - lua54.patch + +- Update to version 2.5.7+git0.2ef551d02: + * [RELEASE] Released version 2.5.7 + +- Update to version 2.5.6+git0.ba44b4312: + +- Update to version 2.5.5+git0.384c5c59a: + +- Update to version 2.5.4+git0.e55ab4208: + * [RELEASE] Released version 2.5.4 + +- apparmor: profile now needs access to /sys/devices/system/node/ + +- Update to version 2.5.3+git0.abf078b15: + +- Update to version 2.5.2+git0.042feec44: (CVE-2022-0711 boo#1196408) + * [RELEASE] Released version 2.5.2 + +- Add now working CONFIG parameter to sysusers generator + +- Update to version 2.5.1+git0.86b093a51: + * [RELEASE] Released version 2.5.1 -- Rename patch to stay sync with Factory: - haproxy-2.4.22-sec-options.patch -> haproxy-1.6.0-sec-options.patch -- Add patch to fix build on ppc64le: - fix-invalid-parameter-combination-for-AltiVec-intrinsic-__builtin_vec_ld.patch -- Updated series file: removed outdated patches -- Add handling for the new startup logs in /dev/shm in the apparmor - profile -- apparmor: profile now needs access to /sys/devices/system/node/ -- switch to autopatch to simplify patch handling -- reenable the pcre jit after the last change -- Add now working CONFIG parameter to sysusers generator -- ECO: Maint: Update haproxy to latest maintenance release for all SLE15 (jsc#PED-3821) -- rebase 
and rename haproxy-1.6.0-sec-options.patch -> haproxy-2.4.22-sec-options.patch -- remove patches covered by new release: +- Update to version 2.5.0+git0.f2e0833f1: + https://www.mail-archive.com/haproxy@formilux.org/msg41508.html +- refreshed patches to apply cleanly again + haproxy-1.6.0-sec-options.patch + haproxy-1.6.0_config_haproxy_user.patch - 0001-BUG-MAJOR-http-htx-prevent-unbounded-loop-in-http_ma.patch - 0001-BUG-MEDIUM-mux-h2-Refuse-interim-responses-with-end-.patch - 0001-output-buffer-is-not-zero-initialized.path - 2.0-2.5-BUG-CRITICAL-http-properly-reject-empty-http-header-.patch -- Update to version 2.4.22+git0.f8e3218e2: - * [RELEASE] Released version 2.4.22 - * BUG/CRITICAL: http: properly reject empty http header field names - * CI: github: don't warn on deprecated openssl functions on windows - * BUG/MEDIUM: stconn: Schedule a shutw on shutr if data must be sent first - * DOC: proxy-protocol: fix wrong byte in provided example - * DOC: config: 'http-send-name-header' option may be used in default section - * DOC: config: fix option spop-check proxy compatibility - * BUG/MEDIUM: cache: use the correct time reference when comparing dates - * BUG/MEDIUM: stick-table: do not leave entries in end of window during purge - * BUG/MINOR: ssl/crt-list: warn when a line is malformated - * BUG/MEDIUM: ssl: wrong eviction from the session cache tree - * BUG/MINOR: fcgi-app: prevent 'use-fcgi-app' in default section - * [RELEASE] Released version 2.4.21 - * BUG/MINOR: sink: free the forwarding task on exit - * BUILD: hpack: include global.h for the trash that is needed in debug mode - * BUG/MINOR: mux-h2: add missing traces on failed headers decoding - * BUG/MINOR: listener: close tiny race between resume_listener() and stopping - * DOC: config: fix "Address formats" chapter syntax - * BUG/MINOR: mux-fcgi: Correctly set pathinfo - * DOC: config: fix aliases for protocol prefixes "udp4@" and "udp6@" - * DOC: config: fix wrong section number for "protocol 
prefixes" - * BUG/MINOR: listeners: fix suspend/resume of inherited FDs - * BUG/MINOR: http-ana: make set-status also update txn->status - * BUG/MINOR: http-fetch: Don't block HTTP sample fetch eval in HTTP_MSG_ERROR state - * BUG/MINOR: http-ana: Report SF_FINST_R flag on error waiting the request body - * BUG/MINOR: promex: Don't forget to consume the request on error - * BUG/MINOR: resolvers: Wait the resolution execution for a do_resolv action - * BUG/MINOR: h1-htx: Remove flags about protocol upgrade on non-101 responses - * CLEANUP: htx: fix a typo in an error message of http_str_to_htx - * BUG/MINOR: http: Memory leak of http redirect rules' format string - * REGTEST: fix the race conditions in hmac.vtc - * REGTEST: fix the race conditions in digest.vtc - * REGTEST: fix the race conditions in json_query.vtc - * BUG/MAJOR: buf: Fix copy of wrapping output data when a buffer is realigned - * BUG/MINOR: http-fetch: Only fill txn status during prefetch if not already set - * BUILD: makefile: sort the features list - * BUILD: makefile: build the features list dynamically - * BUG/MINOR: pool/stats: Use ullong to report total pool usage in bytes in stats - * BUG/MEDIUM: mux-h2: Refuse interim responses with end-stream flag set - * BUG/MINOR: ssl: Fix memory leak of find_chain in ssl_sock_load_cert_chain - * LICENSE: wurfl: clarify the dummy library license. 
- * BUG/MEDIUM: resolvers: Use tick_first() to update the resolvers task timeout - * REGTESTS: startup: check maxconn computation - * REGTESTS: fix the race conditions in iff.vtc - * BUG/MAJOR: fcgi: Fix uninitialized reserved bytes - * DOC: promex: Add missing backend metrics - * MINOR: promex: introduce haproxy_backend_agg_check_status - * BUG/MINOR: promex: create haproxy_backend_agg_server_status - * BUG/MEDIUM: mworker: fix segv in early failure of mworker mode with peers - * BUG/MINOR: ssl: Fix potential overflow - * BUG/MEDIUM: ssl: Verify error codes can exceed 63 - * BUG/MINOR: resolvers: Don't wait periodic resolution on healthcheck failure - * BUILD: peers: peers-t.h depends on stick-table-t.h - * CI: github: change "ubuntu-latest" to "ubuntu-20.04" - * BUG/MEDIIM: stconn: Flush output data before forwarding close to write side - * BUG/MINOR: http-htx: Don't consider an URI as normalized after a set-uri action - * [RELEASE] Released version 2.4.20 - * Revert "CI: determine actual OpenSSL version dynamically" - * Revert "CI: switch to the "latest" LibreSSL" - * SCRIPTS: announce-release: add a link to the data plane API - * DOC: config: clarify the -m dir and -m dom pattern matching methods - * DOC: config: clarify the fact that "retries" is not just for connections - * DOC: config: explain how default matching method for ACL works - * DOC: config: mention that a single monitor-uri rule is supported - * DOC: config: clarify the fact that SNI should not be used in HTTP scenarios - * DOC: config: provide some configuration hints for "http-reuse" - * Revert "BUG/MINOR: http-htx: Don't consider an URI as normalized after a set-uri action" - * BUG/MINOR: mux-h1: Fix handling of 408-Request-Time-Out - * BUILD: http-htx: Silent build error about a possible NULL start-line - * BUG/MINOR: http-htx: Don't consider an URI as normalized after a set-uri action - * BUG/MINOR: log: fix parse_log_message rfc5424 size check - * BUG/MINOR: cfgparse-listen: fix 
ebpt_next_dup pointer dereference on proxy "from" inheritance - * BUILD: listener: fix build warning on global_listener_rwlock without threads - * BUG/MINOR: server/idle: at least use atomic stores when updating max_used_conns - * BUILD: peers: Remove unused variables - * BUG/MEDIUM: peers: messages about unkown tables not correctly ignored - * BUG/MINOR: ssl: don't initialize the keylog callback when not required - * BUG/MINOR: http_ana/txn: don't re-initialize txn and req var lists - * BUG/MEDIUM: listener: Fix race condition when updating the global mngmt task - * BUG/MINOR: pool/cli: use ullong to report total pool usage in bytes - * BUG/MEDIUM: ring: fix creation of server in uninitialized ring - * DOC: config: fix alphabetical ordering of global section - * REG-TESTS: cache: Remove T-E header for 304-Not-Modified responses - * BUG/MINOR: mux-h1: Do not send a last null chunk on body-less answers - * BUG/MEDIUM: mux-fcgi: Avoid value length overflow when it doesn't fit at once - * BUG/MINOR: mux-fcgi: Be sure to send empty STDING record in case of zero-copy - * BUG/MINOR: resolvers: Set port before IP address when processing SRV records - * BUG/MINOR: http-htx: Fix error handling during parsing http replies - * BUG/MEDIUM: wdt/clock: properly handle early task hangs - * CI: emit the compiler's version in the build reports - * CI: switch to the "latest" LibreSSL - * BUG/MINOR: ssl: ocsp structure not freed properly in case of error - * BUG/MINOR: ssl: Memory leak of AUTHORITY_KEYID struct when loading issuer - * CI: add monthly gcc cross compile jobs - * BUG/MINOR: log: fixing bug in tcp syslog_io_handler Octet-Counting - * BUG/MEDIUM: stick-table: fix a race condition when updating the expiration task - * BUG/MAJOR: stick-table: don't process store-response rules for applets - * DOC: management: add forgotten "show startup-logs" - * BUG/MINOR: stick-table: Use server_id instead of std_t_sint in process_store_rules() - * CI: SSL: temporarily stick to 
LibreSSL=3.5.3 - * CI: SSL: use proper version generating when "latest" semantic is used - * BUG/MINOR: sink: Set default connect/server timeout for implicit ring buffers - * BUG/MINOR: sink: Only use backend capability for the sink proxies - * BUG/MEDIUM: compression: handle rewrite errors when updating response headers - * BUG/MINOR: ring: Properly parse connect timeout - * BUG/MINOR: log: Preserve message facility when the log target is a ring buffer - * CI: Replace the deprecated `::set-output` command by writing to $GITHUB_OUTPUT in workflow definition - * CI: Replace the deprecated `::set-output` command by writing to $GITHUB_OUTPUT in matrix.py - * BUG/MINOR: server: make sure "show servers state" hides private bits - * BUG/MAJOR: stick-tables: do not try to index a server name for applets - * DOC: configuration: missing 'if' in tcp-request content example - * BUG/MINOR: backend: only enforce turn-around state when not redispatching - * BUG/MINOR: smtpchk: SMTP Service check should gracefully close SMTP transaction - * MINOR: smtpchk: Update expect rule to fully match replies to EHLO commands - * BUG/MINOR: mux-h1: Account consumed output data on synchronous connection error - * BUILD: http_fetch: silence an uninitiialized warning with gcc-4/5/6 at -Os - * BUG/MINOR: http-fetch: Update method after a prefetch in smp_fetch_meth() - * BUILD: h1: silence an initiialized warning with gcc-4.7 and -Os - * BUG/MEDIUM: lua: handle stick table implicit arguments right. 
- * BUG/MEDIUM: lua: Don't crash in hlua_lua2arg_check on failure - * DOC: config: Fix pgsql-check documentation to make user param mandatory - * BUG/MINOR: checks: update pgsql regex on auth packet - * [RELEASE] Released version 2.4.19 - * BUG/MEDIUM: resolvers: Remove aborted resolutions from query_ids tree - * REGTESTS: 4be_1srv_smtpchk_httpchk_layer47errors: Return valid SMTP replies - * BUG/MINOR: log: improper behavior when escaping log data - * SCRIPTS: announce-release: update some URLs to https - * BUILD: fd: fix a build warning on the DWCAS - * BUG/MEDIUM: captures: free() an error capture out of the proxy lock - * DOC: fix TOC in starter guide for subsection 3.3.8. Statistics - * REGTESTS: ssl/log: test the log-forward with SSL - * BUG/MEDIUM: sink: bad init sequence on tcp sink from a ring. - * REGTESTS: log: test the log-forward feature - * REGTESTS: healthcheckmail: Relax matching on the healthcheck log message - * BUG/MINOR: stats: fixing stat shows disabled frontend status as 'OPEN' - * MINOR: listener: small API change - * BUG/MEDIUM: proxy: ensure pause_proxy() and resume_proxy() own PROXY_LOCK - * CI: cirrus-ci: bump FreeBSD image to 13-1 - * BUG/MINOR: signals/poller: ensure wakeup from signals - * BUG/MINOR: signals/poller: set the poller timeout to 0 when there are signals - * BUG/MINOR: task: always reset a new tasklet's call date - * BUG/MINOR: h1: Support headers case adjustment for TCP proxies - * BUILD: makefile: enable crypt(3) for NetBSD - * BUG/MINOR: regex: Properly handle PCRE2 lib compiled without JIT support - * BUG/MINOR: mux-fcgi: fix the "show fd" dest buffer for the subscriber - * BUG/MINOR: mux-h1: fix the "show fd" dest buffer for the subscriber - * BUG/MINOR: mux-h2: fix the "show fd" dest buffer for the subscriber - * BUG/MEDIUM: mux-h1: always use RST to kill idle connections in pools - * REGTESTS: http_request_buffer: Add a barrier to not mix up log messages - * BUG/MEDIUM: mux-h1: do not refrain from signaling errors 
after end of input - * BUG/MINOR: tcpcheck: Disable QUICKACK for default tcp-check (with no rule) - * BUG/MINOR: hlua: Rely on CF_EOI to detect end of message in HTTP applets - * BUG/MEDIUM: peers: Don't start resync on reload if local peer is not up-to-date - * BUG/MEDIUM: peers: Don't use resync timer when local resync is in progress - * BUG/MEDIUM: peers: Add connect and server timeut to peers proxy - * BUG/MEDIUM: spoe: Properly update streams waiting for a ACK in async mode - * DOC: configuration: do-resolve doesn't work with a port in the string - * REGTESTS: Fix prometheus script to perform HTTP health-checks - * BUG/MINOR: tcpcheck: Disable QUICKACK only if data should be sent after connect - * BUG/MINOR: resolvers: return the correct value in resolvers_finalize_config() - * BUG/MAJOR: mworker: fix infinite loop on master with no proxies. - * BUG/MAJOR: log-forward: Fix log-forward proxies not fully initialized - * BUG/MEDIUM: mux-h2: do not fiddle with ->dsi to indicate demux is idle - * BUG/MEDIUM: http-ana: fix crash or wrong header deletion by http-restrict-req-hdr-names - * BUILD: http: silence an uninitialized warning affecting gcc-5 - * BUG/MEDIUM: ring: fix too lax 'size' parser - * BUILD: debug: silence warning on gcc-5 - * BUG/MEDIUM: task: relax one thread consistency check in task_unlink_wq() - * BUG/MEDIUM: poller: use fd_delete() to release the poller pipes - * BUILD: cfgparse: always defined _GNU_SOURCE for sched.h and crypt.h - * BUG/MINOR: sink: fix a race condition between the writer and the reader - * BUG/MINOR: ring/cli: fix a race condition between the writer and the reader - * BUG/MEDIUM: proxy: Perform a custom copy for default server settings - * REORG: server: Export srv_settings_cpy() function - * MINOR: server: Constify source server to copy its settings - * BUG/MEDIUM: dns: Properly initialize new DNS session - * BUG/MINOR: peers: Use right channel flag to consider the peer as connected - * BUG/MEDIUM: peers: limit reconnect 
attempts of the old process on reload - * MINOR: peers: Use a dedicated reconnect timeout when stopping the local peer - * BUG/MEDIUM: pattern: only visit equivalent nodes when skipping versions - * MINOR: ebtree: add ebmb_lookup_shorter() to pursue lookups - * MINOR: http-htx: Use new HTTP functions for the scheme based normalization - * BUG/MEDIUM: h1: Improve authority validation for CONNCET request - * MINOR: http: Add function to detect default port - * MINOR: http: Add function to get port part of a host - * BUG/MEDIUM: mworker: use default maxconn in wait mode - * [RELEASE] Released version 2.4.18 - * BUG/MINOR: sockpair: wrong return value for fd_send_uxst() - * BUG/MINOR: backend: Fallback on RR algo if balance on source is impossible - * BUILD: add detection for unsupported compiler models - * BUG/MEDIUM: mworker: proc_self incorrectly set crashes upon reload - * REGTESTS: Fix some scripts to be compatible with 2.4 and prior - * BUG/MINOR: tools: fix statistical_prng_range()'s output range - * BUG/MEDIUM: tools: avoid calling dlsym() in static builds (try 2) - * BUILD: makefile: Fix install(1) handling for OpenBSD/NetBSD/Solaris/AIX - * BUG/MEDIUM: tools: avoid calling dlsym() in static builds - * MEDIUM: mworker: set the iocb of the socketpair without using fd_insert() - * BUG/MEDIUM: mux-h1: Handle connection error after a synchronous send - * BUG/MEDIUM: http-ana: Don't wait to have an empty buf to switch in TUNNEL state - * BUG/MINOR: mux-h1: Be sure to commit htx changes in the demux buffer - * REGTEESTS: filters: Fix CONNECT request in random-forwarding script - * BUG/MEDIUM: http-fetch: Don't fetch the method if there is no stream - * BUG/MINOR: http-htx: Fix scheme based normalization for URIs wih userinfo - * BUG/MINOR: peers: fix possible NULL dereferences at config parsing - * BUG/MINOR: http-act: Properly generate 103 responses when several rules are used - * BUG/MINOR: http-check: Preserve headers if not redefined by an implicit rule - * 
BUG/MINOR: peers/config: always fill the bind_conf's argument - * MINOR: fd: Add BUG_ON checks on fd_insert() - * CI: re-enable gcc asan builds - * BUILD: Makefile: Add Lua 5.4 autodetect - * BUG/MEDIUM: ssl/fd: unexpected fd close using async engine - * MINOR: fd: add a new FD_DISOWN flag to prevent from closing a deleted FD - * BUG/MINOR: http-fetch: Use integer value when possible in "method" sample fetch - * BUG/MINOR: http-ana: Set method to HTTP_METH_OTHER when an HTTP txn is created - * BUG/MINOR: ssl: Do not look for key in extra files if already in pem - * MEDIUM: mux-h2: try to coalesce outgoing WINDOW_UPDATE frames - * BUG/MEDIUM: ssl/cli: crash when crt inserted into a crt-list - * BUG/MINOR: tcp-rules: Make action call final on read error and delay expiration - * BUG/MINOR: cli/stats: add missing trailing LF after "show info json" - * BUG/MINOR: server: do not enable DNS resolution on disabled proxies - * BUG/MINOR: cli/stats: add missing trailing LF after JSON outputs - * REGTESTS: healthcheckmail: Relax health-check failure condition - * REGTESTS: healthcheckmail: Update the test to be functionnal again - * BUG/MINOR: checks: Properly handle email alerts in trace messages - * BUG/MINOR: trace: Test server existence for health-checks to get proxy - * BUG/MEDIUM: mailers: Set the object type for check attached to an email alert - * BUILD: compiler: implement unreachable for older compilers too - * REGTESTS: restrict_req_hdr_names: Extend supported versions - * REGTESTS: http_abortonclose: Extend supported versions - * BUG/MINOR: ssl_ckch: Fix possible uninitialized value in show_cert I/O handler - * BUG/MINOR: ssl_ckch: Dump cert transaction only once if show command yield - * REGTESTS: http_request_buffer: Increase client timeout to wait "slow" clients - * REGTESTS: abortonclose: Add a barrier to not mix up log messages - * MEDIUM: http-ana: Always report rewrite failures as PRXCOND in logs - * BUG/MEDIUM: ssl/crt-list: Rework 'add ssl crt-list' to 
handle full buffer cases - * BUG/MEDIUM: ssl_ckch: Rework 'commit ssl cert' to handle full buffer cases - * BUG/MINOR: ssl_ckch: Don't duplicate path when replacing a cert entry - * BUG/MEDIUM: ssl_ckch: Don't delete a cert entry if it is being modified - * BUG/MINOR: ssl_ckch: Free error msg if commit changes on a cert entry fails - * DOC: intro: adjust the numbering of paragrams to keep the output ordered - * DOC: peers: fix port number and addresses on new peers section format - * DOC: peers: clarify when entry expiration date is renewed. - * DOC: peers: indicate that some server settings are not usable - * SCRIPTS: make publish-release try to launch make-releases-json - * SCRIPTS: add make-releases-json to recreate a releases.json file in download dirs - * REGTESTS: Do not use REQUIRE_VERSION for HAProxy 2.5+ (2) - * BUG/MEDIUM: sample: Fix adjusting size in word converter - * BUG/MEDIUM: peers: prevent unitialized multiple listeners on peers section - * BUG/MEDIUM: peers: fix segfault using multiple bind on peers sections - * BUG/MEDIUM: resolvers: Don't defer resolutions release in deinit function - * BUG/MEDIUM: http: Properly reject non-HTTP/1.x protocols - * BUG/MEDIUM: tools: Fix `inet_ntop` usage in sa2str - * CI: determine actual OpenSSL version dynamically - * BUILD/MINOR: cpuset fix build for FreeBSD 13.1 - * BUG/MINOR: peers: fix error reporting of "bind" lines - * BUG/MINOR: cfgparse: abort earlier in case of allocation error - * BUG/MINOR: check: Reinit the buffer wait list at the end of a check - * BUG/MEDIUM: config: Reset outline buffer size on realloc error in readcfgfile() - * REGTESTS: abortonclose: Fix some race conditions - * BUG/MINOR: ssl: Fix crash when no private key is found in pem - * MINOR: tools: add get_exec_path implementation for solaris based systems. - * BUILD: fix build warning on solaris based systems with __maybe_unused. 
- * MEDIUM: http-ana: Add a proxy option to restrict chars in request header names - * CI: determine actual LibreSSL version dynamically - * [RELEASE] Released version 2.4.17 - * CLEANUP: mux-h1: Fix comments and error messages for global options - * BUG/MEDIUM: wdt: don't trigger the watchdog when p is unitialized - * BUG/MINOR: conn_stream: do not confirm a connection from the frontend path - * BUG/MINOR: server: Make SRV_STATE_LINE_MAXLEN value from 512 to 2kB (2000 bytes). - * DOC: install: update gcc version requirements - * BUG/MEDIUM: ssl: fix the gcc-12 broken fix :-( - * BUILD: listener: shut report of possible null-deref in listener_accept() - * BUILD: debug: work around gcc-12 excessive -Warray-bounds warnings - * BUILD: ssl: work around bogus warning in gcc 12's -Wformat-truncation - * CI: dynamically determine actual version of h2spec - * DOC: fix typo "ant" for "and" in INSTALL - * BUG/MINOR: map/cli: make sure patterns don't vanish under "show map"'s init - * BUG/MINOR: map/cli: protect the backref list during "show map" errors - * BUG/MEDIUM: cli: make "show cli sockets" really yield - * BUG/MEDIUM: resolvers: make "show resolvers" properly yield - * BUG/MINOR: tcp/http: release the expr of set-{src,dst}[-port] - * DOC: config: Update doc for PR/PH session states to warn about rewrite failures - * MINOR: mux-h2: report a trace event when failing to create a new stream - * BUG/MINOR: mux-h2: mark the stream as open before processing it not after - * BUG/MAJOR: dns: multi-thread concurrency issue on UDP socket - * BUG/MEDIUM: mux-h1: Be able to handle trailers when C-L header was specified - * BUG/MEDIUM: mux-fcgi: Be sure to never set EOM flag on an empty HTX message - * SCRIPTS: announce-release: add URL of dev packages - * CI: github actions: update LibreSSL to 3.5.2 - * [RELEASE] Released version 2.4.16 - * BUILD: opentracing: Fix OT build due to misuse of var_clear() - * BUILD: proto_uxst: do not set unused flag - * BUILD: sockpair: do not set 
unused flag - * BUILD: fd: remove unused variable totlen in fd_write_frag_line() - * CLEANUP: acl: Remove unused variable when releasing an acl expression - * BUG/MINOR: pools: make sure to also destroy shared pools in pool_destroy_all() - * BUG/MINOR: resolvers: Fix memory leak in resolvers_deinit() - * BUILD: compiler: properly distinguish weak and global symbols - * REGTESTS: fix the race conditions in be2dec.vtc ad field.vtc - * MEDIUM: queue: use tasklet_instant_wakeup() to wake tasks - * MINOR: task: add a new task_instant_wakeup() function - * BUG/MINOR: rules: Fix check_capture() function to use the right rule arguments - * DOC: remove my name from the config doc - * BUG/MAJOR: connection: Never remove connection from idle lists outside the lock - * BUG/MINOR: cache: Disable cache if applet creation fails - * SCRIPTS: announce-release: add shortened links to pending issues - * DOC: lua: update a few doc URLs - * SCRIPTS: announce-release: update the doc's URL - * BUG/MEDIUM: compression: Don't forget to update htx_sl and http_msg flags - * BUG/MEDIUM: fcgi-app: Use http_msg flags to know if C-L header can be added - * BUG/MEDIUM: stream: do not abort connection setup too early - * BUILD: compiler: use a more portable set of asm(".weak") statements - * BUILD: sched: workaround crazy and dangerous warning in Clang 14 - * BUG/MEDIUM: mux-h1: Don't request more room on partial trailers - * BUG/MINOR: mux-h2: use timeout http-request as a fallback for http-keep-alive - * BUG/MINOR: mux-h2: do not use timeout http-keep-alive on backend side - * BUILD: debug: mark the __start_mem_stats/__stop_mem_stats symbols as weak - * BUG/MINOR: cache: do not display expired entries in "show cache" - * BUG/MINOR: mux-h2: do not send GOAWAY if SETTINGS were not sent - * CI: cirrus: switch to FreeBSD-13.0 - * CI: Update to actions/cache@v3 - * CI: Update to actions/checkout@v3 - * DEBUG: opentracing: show return values of all functions in the debug output - * CLEANUP: 
opentracing: added variable to store variable length - * CLEANUP: opentracing: added flt_ot_smp_init() function - * CLEANUP: opentracing: removed unused function flt_ot_var_get() - * CLEANUP: opentracing: removed unused function flt_ot_var_unset() - * DOC: opentracing: corrected comments in function descriptions - * EXAMPLES: opentracing: refined shell scripts for testing filter performance - * BUG/MINOR: opentracing: setting the return value in function flt_ot_var_set() - * BUG/MEDIUM: http-act: Don't replace URI if path is not found or invalid - * BUG/MEDIUM: http-conv: Fix url_enc() to not crush const samples - * BUG/MEDIUM: mux-h1: Set outgoing message to DONE when payload length is reached - * BUG/MEDIUM: promex: Be sure to never set EOM flag on an empty HTX message - * BUG/MEDIUM: hlua: Don't set EOM flag on an empty HTX message in HTTP applet - * BUG/MEDIUM: stats: Be sure to never set EOM flag on an empty HTX message - * BUG/MINOR: fcgi-app: Don't add C-L header on response to HEAD requests - * CI: github actions: update OpenSSL to 3.0.2 - * BUG/MAJOR: mux_pt: always report the connection error to the conn_stream - * BUG/MINOR: cli/stream: fix "shutdown session" to iterate over all threads - * BUG/MINOR: samples: add missing context names for sample fetch functions - * DOC: reflect H2 timeout changes - * BUG/MEDIUM: mux-h2: make use of http-request and keep-alive timeouts - * MEDIUM: mux-h2: slightly relax timeout management rules - * BUG/MEDIUM: stream-int: do not rely on the connection error once established - * BUG/MEDIUM: mux-h1: Properly detect full buffer cases during message parsing - * BUG/MEDIUM: mux-fcgi: Properly handle return value of headers/trailers parsing - * BUG/MINOR: tools: url2sa reads too far when no port nor path - * DOC: config: Explictly add supported MQTT versions - * MEDIUM: mqtt: support mqtt_is_valid and mqtt_field_value converters for MQTTv3.1 - * BUG/MEDIUM: trace: avoid race condition when retrieving session from conn->owner - 
* BUG/MEDIUM: mux-h1: only turn CO_FL_ERROR to CS_FL_ERROR with empty ibuf - * CI: github actions: switch to LibreSSL-3.5.1 - * BUG/MINOR: server/ssl: free the SNI sample expression - * BUG/MINOR: tools: fix url2sa return value with IPv4 - * [RELEASE] Released version 2.4.15 - * BUILD: tree-wide: mark a few numeric constants as explicitly long long - * DOC: Fix usage/examples of deprecated ACLs - * BUG/MINOR: stream: make the call_rate only count the no-progress calls - * BUG/MINOR: session: fix theoretical risk of memleak in session_accept_fd() - * BUG/MAJOR: mux-pt: Always destroy the backend connection on detach - * DEBUG: stream: Fix stream trace message to print response buffer state - * DEBUG: stream: Add the missing descriptions for stream trace events - * BUG/MEDIUM: mcli: Properly handle errors and timeouts during reponse processing - * DEBUG: cache: Update underlying buffer when loading HTX message in cache applet - * BUG/MINOR: promex: Set conn-stream/channel EOI flags at the end of request - * BUG/MINOR: cache: Set conn-stream/channel EOI flags at the end of request - * BUG/MINOR: stats: Set conn-stream/channel EOI flags at the end of request - * BUG/MINOR: hlua: Set conn-stream/channel EOI flags at the end of request - * BUG/MINOR: cli: shows correct mode in "show sess" - * BUG/MINOR: add missing modes in proxy_mode_str() - * BUILD: pools: fix backport of no-memory-trimming on non-linux OS - * MINOR: pools: add a new global option "no-memory-trimming" - * BUG/MEDIUM: pools: fix ha_free() on area in the process of being freed - * BUG/MINOR: pool: always align pool_heads to 64 bytes - * REGTESTS: fix the race conditions in secure_memcmp.vtc - * REGTESTS: fix the race conditions in normalize_uri.vtc - * BUG/MEDIUM: htx: Fix a possible null derefs in htx_xfer_blks() - * CI: github actions: use cache for SSL libs - * CI: github actions: use cache for OpenTracing - * CI: github actions: add OpenTracing builds - * CI: github actions: add the output of $CC -dM 
-E- - * [RELEASE] Released version 2.4.14 - * BUG/MEDIUM: stream: Abort processing if response buffer allocation fails - * CI: github: enable pool debugging by default - * REGTESTS: fix the race conditions in 40be_2srv_odd_health_checks - * BUG/MINOR: proxy: preset the error message pointer to NULL in parse_new_proxy() - * BUG/MAJOR: mux-h2: Be sure to always report HTX parsing error to the app layer - * BUG/MEDIUM: mux-h1: Don't wake h1s if mux is blocked on lack of output buffer - * BUG/MEDIUM: htx: Be sure to have a buffer to perform a raw copy of a message - * BUG/MINOR: tools: url2sa reads ipv4 too far - * BUG/MINOR: mailers: negotiate SMTP, not ESMTP - * CI: github actions: update OpenSSL to 3.0.1 - * CI: github: switch to OpenSSL 3.0.0 - * CI: github actions: relax OpenSSL-3.0.0 version comparision - * CI: github actions: -Wno-deprecated-declarations with OpenSSL 3.0.0 - * CI: github actions: add OpenSSL-3.0.0 builds - * BUILD: adopt script/build-ssl.sh for OpenSSL-3.0.0beta2 - * BUILD: fix compilation for OpenSSL-3.0.0-alpha17 - * CI: ssl: keep the old method for ancient OpenSSL versions - * CI: ssl: do not needlessly build the OpenSSL docs - * CI: ssl: enable parallel builds for OpenSSL on Linux - * BUG/MAJOR: compiler: relax alignment constraints on certain structures - * BUG/MEDIUM: fd: always align fdtab[] to 64 bytes - * BUG/MEDIUM: resolvers: Really ignore trailing dot in domain names - * BUG/MINOR: sink: Use the right field in appctx context in release callback - * BUG/MINOR: mworker: fix a FD leak of a sockpair upon a failed reload - * BUG/MEDIUM: mworker: close unused transferred FDs on load failure - * MINOR: sock: move the unused socket cleaning code into its own function - * [RELEASE] Released version 2.4.13 - * BUG/MINOR: mux-h2: update the session's idle delay before creating the stream - * BUG/MEDIUM: h2/hpack: fix emission of HPACK DTSU after settings change - * REGTESTS: peers: leave a bit more time to peers to synchronize - * BUG/MAJOR: 
spoe: properly detach all agents when releasing the applet - * BUG/MAJOR: http/htx: prevent unbounded loop in http_manage_server_side_cookies - * BUG/MEDIUM: listener: read-lock the listener during accept() - * MINOR: listener: replace the listener's spinlock with an rwlock - * BUG/MINOR: mworker: does not erase the pidfile upon reload - * BUG/MAJOR: sched: prevent rare concurrent wakeup of multi-threaded tasks - * DEBUG: pools: replace the link pointer with the caller's address on pool_free() - * DEBUG: pools: let's add reverse mapping from cache heads to thread and pool - * DEBUG: pools: add extra sanity checks when picking objects from a local cache - * BUG/MINOR: pools: always flush pools about to be destroyed - * BUG/MEDIUM: mworker: don't lose the stats socket on failed reload - * DEBUG: pools: add new build option DEBUG_POOL_INTEGRITY - * BUILD: debug/cli: condition test of O_ASYNC to its existence - * DEBUG: cli: add a new "debug dev fd" expert command - * MEDIUM: h2/hpack: emit a Dynamic Table Size Update after settings change - * BUG/MEDIUM: mcli: always realign wrapping buffers before parsing them - * BUG/MEDIUM: mcli: do not try to parse empty buffers - * BUG/MEDIUM: cli: Never wait for more data on client shutdown - * BUG/MINOR: cli: avoid O(bufsize) parsing cost on pipelined commands - * MINOR: channel: add new function co_getdelim() to support multiple delimiters - * MEDIUM: cli: yield between each pipelined command - * BUG/MEDIUM: server: avoid changing healthcheck ctx with set server ssl - * BUILD/MINOR: fix solaris build with clang. 
- * BUG/MEDIUM: htx: Adjust length to add DATA block in an empty HTX buffer - * BUG/MEDIUM: connection: properly leave stopping list on error - * [RELEASE] Released version 2.4.12 - * BUG/MAJOR: mux-h1: Don't decrement .curr_len for unsent data - * BUG/MEDIUM: mworker: don't use _getsocks in wait mode - * [RELEASE] Released version 2.4.11 - * BUG/MEDIUM: http-ana: Preserve response's FLT_END analyser on L7 retry - * BUG/MINOR: cli: fix _getsocks with musl libc - * BUILD/MINOR: tools: solaris build fix on dladdr. - * BUILD/MINOR: cpuset FreeBSD 14 build fix. - * BUG/MEDIUM: ssl: free the ckch instance linked to a server - * BUG/MINOR: ssl: free the fields in srv->ssl_ctx - * MINOR: debug: add support for -dL to dump library names at boot - * MINOR: debug: add ability to dump loaded shared libraries - * MINOR: compat: detect support for dl_iterate_phdr() - * BUG/MINOR: mux-h1: Fix splicing for messages with unknown length - * BUG/MEDIUM: mux-h1: Fix splicing by properly detecting end of message - * BUILD: makefile: add -Wno-atomic-alignment to work around clang abusive warning - * MINOR: proxy: add option idle-close-on-response - * REGTESTS: ssl: fix ssl_default_server.vtc - * BUG/MEDIUM: ssl: initialize correctly ssl w/ default-server - * DOC: fix misspelled keyword "resolve_retries" in resolvers - * BUILD: ssl: unbreak the build with newer libressl - * BUILD: cli: clear a maybe-unused warning on some older compilers - * BUG/MINOR: pools: don't mark ourselves as harmless in DEBUG_UAF mode - * BUG/MEDIUM: backend: fix possible sockaddr leak on redispatch - * [RELEASE] Released version 2.4.10 - * BUG/MINOR: backend: restore the SF_SRV_REUSED flag original purpose - * BUG/MINOR: backend: do not set sni on connection reuse - * MINOR: pools: work around possibly slow malloc_trim() during gc - * BUG/MEDIUM: mworker/cli: crash when trying to access an old PID in prompt mode - * DOC: config: retry-on list is space-delimited - * DOC: config: Specify %Ta is only available in 
HTTP mode - * DOC: spoe: Clarify use of the event directive in spoe-message section - * BUG/MINOR: cli/server: Don't crash when a server is added with a custom id - * IMPORT: slz: use the correct CRC32 instruction when running in 32-bit mode - * BUILD: tree-wide: avoid warnings caused by redundant checks of obj_types - * MINOR: cli: "show version" displays the current process version - * CI: Github Actions: temporarily disable BoringSSL builds - * BUILD: bug: Fix error when compiling with -DDEBUG_STRICT_NOCRASH - * MINOR: mux-h1: Improve H1 traces by adding info about http parsers - * BUG/MAJOR: segfault using multiple log forward sections. - * BUG/MEDIUM: resolvers: Detach query item on response error - * BUG/MINOR: server: Don't rely on last default-server to init server SSL context - * BUG/MEDIUM: cli: Properly set stream analyzers to process one command at a time - * BUILD/MINOR: server: fix compilation without SSL - * [RELEASE] Released version 2.4.9 - * BUG/MINOR: cache: Fix loop on cache entries in "show cache" - * MINOR: promex: backend aggregated server check status - * MINOR: server: add ws keyword - * MEDIUM: server/backend: implement websocket protocol selection - * MINOR: connection: add alternative mux_ops param for conn_install_mux_be - * MINOR: connection: implement function to update ALPN - * MINOR: stream/mux: implement websocket stream flag - * BUG/MINOR: ssl: make SSL counters atomic - * MINOR: shctx: add a few BUG_ON() for consistency checks - * BUG/MINOR: shctx: do not look for available blocks when the first one is enough - * BUG/MEDIUM: shctx: leave the block allocator when enough blocks are found - * BUG/MEDIUM: cache/cli: make "show cache" thread-safe - * BUG/MEDIUM: mux-h2: always process a pending shut read - * BUG/MEDIUM: ssl: abort with the correct SSL error when SNI not found - * CLEANUP: ssl: fix wrong #else commentary - * BUG/MINOR: ssl: free correctly the sni in the backend SSL cache - * BUG/MEDIUM: ssl: backend TLS resumption with 
sni and TLSv1.3 - * BUILD: makefile: simplify detection of libatomic - * BUG/MEDIUM: mux-h1: Handle delayed silent shut in h1_process() to release H1C - * BUG/MINOR: stick-table/cli: Check for invalid ipv6 key - * BUG/MEDIUM: connection: make cs_shutr/cs_shutw//cs_close() idempotent - * BUG/MINOR: mux-h2: Fix H2_CF_DEM_SHORT_READ value - * BUG/MINOR: mworker: doesn't launch the program postparser - * BUG/MEDIUM: conn-stream: Don't reset CS flags on close - * MINOR: mux-h1: Slightly Improve H1 traces - * DOC: lua: Be explicit with the Reply object limits - * Revert "BUG/MINOR: http-ana: Don't eval front after-response rules if stopped on back" - * BUG/MINOR: http-ana: Apply stop to the current section for http-response rules - * DOC: config: Fix typo in ssl_fc_unique_id description - * BUG/MINOR: cache: properly ignore unparsable max-age in quotes - * BUG/MINOR: resolvers: throw log message if trash not large enough for query - * BUG/MINOR: resolvers: fix sent messages were counted twice - * BUG/MEDIUM: mux-h2: reject upgrade if no RFC8441 support - * MINOR: mux-h2: add trace on extended connect usage - * MINOR: mux-h2: perform a full cycle shutdown+drain on close - * MINOR: connection: add a new CO_FL_WANT_DRAIN flag to force drain on close - -- VUL-0: serious vulnerability in the HTTP/1 parser (bsc#1208132) - o Apply upstream patch: - 2.0-2.5-BUG-CRITICAL-http-properly-reject-empty-http-header-.patch -- The output buffer is not zero-initialized. If we don't clear reserved - bytes, fcgi requests sent to backend will leak sensitive data. 
- o Apply proposed patch: - 0001-output-buffer-is-not-zero-initialized.path - -- VUL-0: CVE-2023-0056: haproxy: segfault DoS (bsc#1207181) - o Apply upstream patch: - 0001-BUG-MEDIUM-mux-h2-Refuse-interim-responses-with-end-.patch - -- (bsc#1196408) VUL-0: CVE-2022-0711: haproxy: Denial of service via set-cookie2 header - o Apply upstream patch: - 0001-BUG-MAJOR-http-htx-prevent-unbounded-loop-in-http_ma.patch haveged +- Remove haveged-switch-root.service because it's implemented incorrectly and + neither upstream don't know how to fix it (#77). On the other hand, without + this service haveged will be started from scratch after switch root so it's + hopefully no big deal. Also remove patch for bsc#1203079 as it's considered + as a security threat because of creating fixed name file in world-writable + directory. [jsc#PED-6184, bsc#1206699] + * Remove + - haveged-switch-root.service + - haveged-switch-root.patch + hcode +- fix build: strcasestr now comes with string.h + hplip -- hppsfilter: booklet printing: change insecure fixed /tmp file paths - (bsc#1214399) - * add hppsfilter-booklet-printing-change-insecure-fixed-tm.patch - -- Update to hplip 3.23.8 (jsc#PED-5846) +- Update to hplip 3.23.8 hwloc +- Update to version 2.9.3: + * Handle Linux glibc allocation errors in binding routines (CVE-2022-47022). + * Fix hwloc-calc when searching objects on heterogeneous memory platforms, + * Fix hwloc_get_next_child() when there are some memory-side caches. + * Don't crash if the topology is empty because Linux cgroups are wrong. + * Improve some hwloc-bind warnings in case of command-line parsing errors. + * Many documentation improvements all over the place, including: + + hwloc_topology_restrict() and hwloc_topology_insert_group() may reorder + children, causing the logical indexes of objects to change. +- update to 2.9.2: + * Don't forget L3i when defining filters for multiple levels of + caches with hwloc_topology_set_cache/icache_types_filter(). 
+ * Fix object total_memory after hwloc_topology_insert_group_object(). + * Fix the (non-yet) exporting in synthetic description for + complex memory hierarchies with memory-side caches, etc. + * Fix some default size attributes when building synthetic + topologies. + * Fix size units in hwloc-annotate. + * Improve bitmap reallocation error management in many functions. + * Documentation improvements +- update to 2.9.1: + * Fix a failed assertion in hwloc_topology_restrict() when some + NUMA nodes are removed because of + HWLOC_RESTRICT_FLAG_REMOVE_CPULESS but no PUs are. + * Mark HPE Cray Slingshot NICs with subtype "Slingshot". + hylafax+ +- Remove stray pseudo comment (from Bjørn Lie) + +- Add tiff.patch to unbreak build + ibmswtpm2 +- Update to version 164-2020-192.2 + * Implement the RSA 5 primes optimization. + * Check command size for int32 overflow. + * Add support for OpenSSL 3.1.x + * Do not accept a NULL signKey in TPM2_CertifyX509 + * Add Nuvoton to gcc makefile +- New project URL - move to github +- Drop usptreamed ibmswtpm2-OpenSSL-3.1.patch + +- Add support for OpenSSL 3.1.x + * Add ibmswtpm2-OpenSSL-3.1.patch + +- update to 1682: + * tpm: Fix cast in BnSetBit. + * tpm2: Fix size check in CryptSecretDecrypt + * tpm: Port Windows code for OpenSSL 3.0 + * tpm: Update to openssl 3.0.2 + * tpm: Add command and handle tracing + * tpm: Update for openssl 3.0.1 + * tpm: Add ECC encrypt and decrypt commands + * Fix compilation on RISC-V + * PlatformSvc: return error on control socket failure + * main: set a return code if StartTcpServer fails + * tpm: Add all updates to TPM specification 164. +- drop ibmswtpm2-fix-ppc32.patch (upstream) +- makefile.patch: refresh + +- Fix ppc32 build. + + ibmswtpm2-fix-ppc32.patch + ibmtss +- Update to 2.1.1: + * Add man page for tpmproxy. +- Update to 2.1.0: + * Parse new IMA event log template data fields. + * Add option to verify IMA template data + * Correct minor regression test script typos. 
+- Update to 2.0.0 + * Expand TPMU_SENSITIVE_COMPOSITE to handle HW TPMs that return 5 + RSA primes. This is an ABI (not API) break. + * Add support for TPM2_ECC_Encrypt and TPM2_ECC_Decrypt + * Add more EFI event log handlers and event tracing. + * SW TPM test CA now uses SHA-256, not the deprecated SHA-1. + * Port tpmproxy for TPM 2.0 to Linux and Windows. + * Add many new EK root certificates. + * Remove OpenSSL functions deprecated in 3.x. + * Fix TSS bug when using encrypt and decrypt in a PWAP session. + * Add build flag to suppress SHA-1. +- Remove patches fixed upstream: + * ibmtss-regtests-Update-openssl-key-generation-for-3.0.0.patch + * ibmtss-utils-Update-certifyx509-for-Openssl-3.0.0.patch + * ibmtss-utils-Remove-unused-variables-from-certifyx509.patch + * ibmtss-tss-Port-HMAC-operations-to-openssl-3.0.patch + * ibmtss-utils-Port-to-openssl-3.0.0-replaces-RSA-with-EVP_PK.patch + * ibmtss-openssl3-deprecation.patch + +- Build with OpenSSL 3.0 deprecated functions until fixed upstream + in the next version update [bsc#1205042] + * ibmtss-openssl3-deprecation.patch +- Add upstream patches to fix build with OpenSSL 3.0 + * ibmtss-regtests-Update-openssl-key-generation-for-3.0.0.patch + * ibmtss-utils-Update-certifyx509-for-Openssl-3.0.0.patch + * ibmtss-utils-Remove-unused-variables-from-certifyx509.patch + * ibmtss-tss-Port-HMAC-operations-to-openssl-3.0.patch + * ibmtss-utils-Port-to-openssl-3.0.0-replaces-RSA-with-EVP_PK.patch + ibsim +- Update to 0.12 + - Increase LFT size to 48K + - Support NDR when parsing enhance ibnetdiscover + - Enable IsLinkSpeedNDRSupported bit in PortInfo + - Assume QDR speed when port speed is 0 + icu73_2 +- icu4c-73_c-ICU-22512-Fix-broken-TestHebrewCalendarInTemporalLeapYear.patch + Fix testsuite issue in hebrew calendar (bsc#1217479) + installation-images:openSUSE +- merge gh#openSUSE/installation-images#676 +- include complete system-role-common-criteria package + (bsc#1217968) +- 16.59.4 + ipmitool +- bsc#1216556 L3: 
ipmitool: Unsupported LAN Parameter + lookup error SLE15 SP4+ + Fix regression introduced by 351dad24a26f56580ba6 + lan: Add processing of get/set specific CCs: + https://github.com/ipmitool/ipmitool/pull/388 + https://github.com/ipmitool/ipmitool/pull/389 + Be aware: Even the pullrequest is open for a while, this patch is not + integrated in latest mainstream master branch. + A lanp-Fix-error-response-from-Unsupported-Parameter-lookup.patch.txt + jackson-annotations +- Update to 2.15.2 + * no subsantial changes from 2.15.0 + * 2.15.0 (23-Apr-2023) + + #211: Add 'JsonFormat.Feature's: + READ_UNKNOWN_ENUM_VALUES_AS_NULL, + READ_UNKNOWN_ENUM_VALUES_USING_DEFAULT_VALUE + + #214: Add NOTICE file with copyright information + + #221: Add + 'JsonFormat.Feature.READ_DATE_TIMESTAMPS_AS_NANOSECONDS' + * 2.14.0 (05-Nov-2022) + + #204: Allow explicit 'JsonSubTypes' repeated names check + +- Update to 2.13.3 + * no substantial changes, just version allignment to other + jackson packages + - [#141]: Add `JsonFormat.Feature.ACCEPT_CASE_INSENSITIVE_PROPERTIES` - [#159]: Add `JsonFormat.Shape.BINARY` + [#141]: Add 'JsonFormat.Feature.ACCEPT_CASE_INSENSITIVE_PROPERTIES' + [#159]: Add 'JsonFormat.Shape.BINARY' jackson-bom +- Update to version 2.15.2 + * 2.15.2 (30-May-2023) + + No changes since 2.15.1 + * 2.15.1 (16-May-2023) + + #63: Update 'de.jjohannes:gradle-module-metadata-maven-plugin' + to 0.4.0 + + Add override for 'version.plugin.moditect' to be '1.0.0.Final' + until upgraded in 'oss-parent'/51 + * 2.15.0 (23-Apr-2023) + + #56: Change defaults for Felix OSGi Bundle plug-in to fix + timestamps for Reproducible Builds + + Add version for 'jackson-datatype-hibernate6' + + Add version for 'jackson-module-jsonSchema-jakarta' + * 2.14.0 (05-Nov-2022) + + #52: Gradle reports incorrect jackson-bom dependency version + +- Update to version 2.13.3 + * 2.13.3 (14-May-2022) + + No changes since 2.13.2 + * 2.13.2 (06-Mar-2022) + + #46: 'module-info.java' is in 'META-INF/versions/11' 
instead + of 'META-INF/versions/9' + * 2.13.1 (19-Dec-2021) + + No changes since 2.13.0 + jackson-core +- Update to 2.15.2 + * 2.15.2 (30-May-2023) + + #1019: Allow override of 'StreamReadContraints' default with + 'overrideDefaultStreamReadConstraints()' + + #1027: Extra module-info.class in 2.15.1 + + #1028: Wrong checksums in 'module.json' (2.15.0, 2.15.1) + + #1032: 'LICENSE' missing from 2.15.1 jar + * 2.15.1 (16-May-2023)) + + #999: Gradle metadata for 'jackson-core' '2.15.0' adds + dependency on 'ch.randelshofer:fastdoubleparser' + + #1003: Add FastDoubleParser section to 'NOTICE' + + #1014: Increase default max allowed String value length from + 5 megs to 20 megs + + #1023: Problem with 'FilteringGeneratorDelegate' wrt + 'TokenFilter.Inclusion.INCLUDE_NON_NULL' + * 2.15.0 (23-Apr-2023) + + #827: Add numeric value size limits via + 'StreamReadConstraints' (fixes 'sonatype-2022-6438') + + #844: Add SLSA provenance via build script + + #851: Add 'StreamReadFeature.USE_FAST_BIG_DECIMAL_PARSER' to + enable faster 'BigDecimal', 'BigInteger' parsing + + #863: Add 'StreamReadConstraints' limit for longest textual + value to allow (default: 5M) + + #865: Optimize parsing 19 digit longs + + #898: Possible flaw in 'TokenFilterContext#skipParentChecks()' + + #902: Add 'Object JsonParser.getNumberValueDeferred()' method + to allow for deferred decoding in some cases + + #921: Add 'JsonFactory.Feature.CHARSET_DETECTION' to disable + charset detection + + #948: Use 'StreamConstraintsException' in name canonicalizers + + #962: Offer a way to directly set 'StreamReadConstraints' via + 'JsonFactory' (not just Builder) + + #965: 2.15.0-rc1 missing Gradle module metadata marker in + pom.xml + + #968: Prevent inefficient internal conversion from + 'BigDecimal' to 'BigInteger' wrt ultra-large scale + + #984: Add 'JsonGenerator.copyCurrentEventExact' as alternative + to 'copyCurrentEvent()' + * 2.14.3 (05-May-2023) + + #909: Revert schubfach changes in #854 + + #912: Optional 
padding Base64Variant still throws exception on + missing padding character + + #967: Address performance issue with 'BigDecimalParser' + + #990: Backport removal of BigDecimal to BigInt conversion + (#987) + + #1004: FastDoubleParser license + + #1012: Got 'NegativeArraySizeException' when calling + 'writeValueAsString()' + * 2.14.2 (28-Jan-2023) + + #854: Backport schubfach changes from v2.15#8 + + #882: Allow TokenFIlter to skip last elements in arrays + + #886: Avoid instance creations in fast parser code + + #890: 'FilteringGeneratorDelegate' does not create new + 'filterContext' if 'tokenFilter' is null + * 2.14.0 (05-Nov-2022) + + #478: Provide implementation of async JSON parser fed by + 'ByteBufferFeeder' + + #577: Allow use of faster floating-point number parsing with + 'StreamReadFeature.USE_FAST_DOUBLE_PARSER' + + #684: Add "JsonPointer#appendProperty" and + "JsonPointer#appendIndex" + + #715: Allow TokenFilters to keep empty arrays and objects + + #717: Hex capitalization for JsonWriter should be configurable + (add 'JsonWriteFeature.WRITE_HEX_UPPER_CASE') + + #733: Add 'StreamReadCapability.EXACT_FLOATS' to indicate + whether parser reports exact floating-point values or not + + #736: 'JsonPointer' quadratic memory use: OOME on deep inputs + + #745: Change minimum Java version to 8 + + #749: Allow use of faster floating-point number serialization + ('StreamWriteFeature.USE_FAST_DOUBLE_WRITER') + + #751: Remove workaround for old issue with a particular double + + #753: Add 'NumberInput.parseFloat()' + + #757: Update ParserBase to support floats directly + + #759: JsonGenerator to provide current value to the context + before starting objects + + #762: Make 'JsonPointer' 'java.io.Serializable' + + #763: 'JsonFactory.createParser()' with 'File' may leak + 'InputStream's + + #764: 'JsonFactory.createGenerator()' with 'File' may leak + 'OutputStream's + + #773: Add option to accept non-standard trailing decimal point + 
('JsonReadFeature.ALLOW_TRAILING_DECIMAL_POINT_FOR_NUMBERS') + + #774: Add a feature to allow leading plus sign + ('JsonReadFeature.ALLOW_LEADING_PLUS_SIGN_FOR_NUMBERS') + + #788: 'JsonPointer.empty()' should NOT indicate match of a + property with key of "" + + #798: Avoid copy when parsing 'BigDecimal' + + #811: Add explicit bounds checks for 'JsonGenerator' methods + that take 'byte[]'/'char[]'/String-with-offsets input + + #812: Add explicit bounds checks for + 'JsonFactory.createParser()' methods that take + 'byte[]'/'char[]'-with-offsets input + + #814: Use 'BigDecimalParser' for BigInteger parsing very long + numbers + + #818: Calling 'JsonPointer.compile(...)' on very deeply nested + expression throws 'StackOverflowError' + + #828: Make 'BigInteger' parsing lazy + + #830: Make 'BigDecimal' parsing lazy + + #834: ReaderBaseJsonParser._verifyRootSpace() can cause buffer + boundary failure +- Added patch: + * 0001-Remove-ch.randelshofer.fastdoubleparser.patch + + we don't have 'ch.randelshofer:fastdoubleparser' + +- Update to 2.13.3 + * 2.13.3 (14-May-2022) + + #744: Limit size of exception message in BigDecimalParser + * 2.13.2 (06-Mar-2022) + + #732: Update Maven wrapper + + #739: 'JsonLocation' in 2.13 only uses identity comparison + for "content reference" + * 2.13.1 (19-Dec-2021) + + #713: Incorrect parsing of single-quoted surrounded String + values containing double quotes + jackson-databind +- Update to 2.15.2 + * 2.15.2 (30-May-2023) + + #3938: Record setter not included from interface + (2.15 regression) + * 2.15.1 (16-May-2023) + + #3882: Error in creating nested 'ArrayNode's with + 'JsonNode.withArray()' + + #3894: Only avoid Records fields detection for deserialization + + #3895: 2.15.0 breaking behaviour change for records and Getter + Visibility + + #3897: 2.15.0 breaks deserialization when POJO/Record only has + a single field and is marked 'Access.WRITE_ONLY' + + #3913: Issue with deserialization when there are unexpected + properties (due to 
null 'StreamReadConstraints') + + #3914: Fix TypeId serialization for + 'JsonTypeInfo.Id.DEDUCTION', native type ids + * 2.15.0 (23-Apr-2023) + + #2536: Add 'EnumFeature.READ_ENUM_KEYS_USING_INDEX' to work + with existing "WRITE_ENUM_KEYS_USING_INDEX"# + + #2667: Add '@EnumNaming', 'EnumNamingStrategy' to allow use of + naming strategies for Enums + + #2968: Deserialization of '@JsonTypeInfo' annotated type fails + with missing type id even for explicit concrete subtypes + + #2974: Null coercion with '@JsonSetter' does not work with + 'java.lang.Record' + + #2992: Properties naming strategy do not work with Record + + #3053: Allow serializing enums to lowercase + ('EnumFeature.WRITE_ENUMS_TO_LOWERCASE') + + #3180: Support '@JsonCreator' annotation on record classes + + #3262: InvalidDefinitionException when calling + mapper.createObjectNode().putPOJO + + #3297: '@JsonDeserialize(converter = ...)' does not work with + Records + + #3342: 'JsonTypeInfo.As.EXTERNAL_PROPERTY' does not work with + record wrappers + + #3352: Do not require the usage of opens in a modular app when + using records + + #3566: Cannot use both 'JsonCreator.Mode.DELEGATING' and + 'JsonCreator.Mode.PROPERTIES' static creator factory methods + for Enums + + #3637: Add enum features into '@JsonFormat.Feature' + + #3638: Case-insensitive and number-based enum deserialization + are (unnecessarily) mutually exclusive + + #3651: Deprecate "exact values" setting from 'JsonNodeFactory', + replace with + 'JsonNodeFeature.STRIP_TRAILING_BIGDECIMAL_ZEROES' + + #3654: Infer '@JsonCreator(mode = Mode.DELEGATING)' from use + of '@JsonValue') + + #3676: Allow use of '@JsonCreator(mode = Mode.PROPERTIES)' + creator for POJOs with"empty String" coercion + + #3680: Timestamp in classes inside jar showing 02/01/1980 + + #3682: Transient 'Field's are not ignored as Mutators if there + is visible Getter + + #3690: Incorrect target type for arrays when disabling + coercion + + #3708: Seems like 'java.nio.file.Path' 
is safe for Android API + level 26 + + #3730: Add support in 'TokenBuffer' for lazily decoded (big) + numbers + + #3736: Try to avoid auto-detecting Fields for Record types + + #3742: schemaType of 'LongSerializer' is wrong + + #3745: Deprecate classes in package + 'com.fasterxml.jackson.databind.jsonschema' + + #3748: 'DelegatingDeserializer' missing override of + 'getAbsentValue()' (and couple of other methods) + + #3771: Classloader leak: DEFAULT_ANNOTATION_INTROSPECTOR holds + annotation reference + + #3791: Flush readonly map together with shared on + 'SerializerCache.flush()' + + #3796: Enum Deserialisation Failing with Polymorphic type + validator + + #3809: Add Stream-friendly alternative to + 'ObjectNode.fields()': 'Set> + properties()' + + #3814: Enhance 'StdNodeBasedDeserializer' to support + 'readerForUpdating' + + #3816: TokenBuffer does not implement writeString(Reader + reader, int len) + + #3819: Add convenience method + 'SimpleBeanPropertyFilter.filterOutAll()' as counterpart of + 'serializeAll()' + + #3836: 'Optional' is not recognized as boolean field + + #3853: Add 'MapperFeature.REQUIRE_TYPE_ID_FOR_SUBTYPES' to + enable/disable strict subtype Type Id handling + + #3876: 'TypeFactory' cache performance degradation with + 'constructSpecializedType()' + * 2.14.3 (05-May-2023) + + #3784: 'PrimitiveArrayDeserializers$ByteDeser.deserialize' + ignores 'DeserializationProblemHandler' for invalid Base64 + content + + #3837: Set transformer factory attributes to improve + protection against XXE + * 2.14.2 (28-Jan-2023) + + #1751: '@JsonTypeInfo' does not work if the Type Id is an + Integer value + + #3063: '@JsonValue' fails for Java Record + + #3699: Allow custom 'JsonNode' implementations + + #3711: Enum polymorphism not working correctly with DEDUCTION + + #3741: 'StdDelegatingDeserializer' ignores 'nullValue' of + '_delegateDeserializer'. 
+ * 2.14.1 (21-Nov-2022) + + #3655: 'Enum' values can not be read from single-element array + even with 'DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS' + + #3665: 'ObjectMapper' default heap consumption increased + significantly from 2.13.x to 2.14.0 + * 2.14.0 (05-Nov-2022) + + #1980: Add method(s) in 'JsonNode' that works like combination + of 'at()' and 'with()': 'withObject(...)' and 'withArray(...)' + + #2541: Cannot merge polymorphic objects + + #3013: Allow disabling Integer to String coercion via + 'CoercionConfig' + + #3212: Add method 'ObjectMapper.copyWith(JsonFactory)' + + #3311: Add serializer-cache size limit to avoid Metaspace + issues from caching Serializers + + #3338: 'configOverride.setMergeable(false)' not supported by + 'ArrayNode' + + #3357: '@JsonIgnore' does not if together with '@JsonProperty' + or '@JsonFormat' + + #3373: Change 'TypeSerializerBase' to skip + 'generator.writeTypePrefix()' for 'null' typeId + + #3394: Allow use of 'JsonNode' field for '@JsonAnySetter' + + #3405: Create DataTypeFeature abstraction (for JSTEP-7) with + placeholder features + + #3417: Allow (de)serializing records using + Bean(De)SerializerModifier even when reflection is unavailable + + #3419: Improve performance of 'UnresolvedForwardReference' for + forward reference resolution + + #3421: Implement 'JsonNodeFeature.READ_NULL_PROPERTIES' to + allow skipping of JSON 'null' values on reading + + #3443: Do not strip generic type from 'Class' when + resolving 'JavaType' + + #3447: Deeply nested JsonNode throws StackOverflowError for + toString() + + #3475: Support use of fast double parse + + #3476: Implement 'JsonNodeFeature.WRITE_NULL_PROPERTIES' to + allow skipping JSON 'null' values on writing + + #3481: Filter method only got called once if the field is null + when using '@JsonInclude(value = JsonInclude.Include.CUSTOM, + valueFilter = SomeFieldFilter.class)' + + #3484: Update 'MapDeserializer' to support + 'StreamReadCapability.DUPLICATE_PROPERTIES' + + 
#3497: Deserialization of Throwables with + PropertyNamingStrategy does not work + + #3500: Add optional explicit 'JsonSubTypes' repeated names + check + + #3503: 'StdDeserializer' coerces ints to floats even if + configured to fail + + #3505: Fix deduction deserializer with + DefaultTypeResolverBuilder + + #3528: 'TokenBuffer' defaults for parser/stream-read features + neither passed from parser nor use real defaults + + #3530: Change LRUMap to just evict one entry when maxEntries + reached + + #3533: Deserialize missing value of 'EXTERNAL_PROPERTY' type + using custom 'NullValueProvider' + + #3535: Replace 'JsonNode.with()' with 'JsonNode.withObject()' + + #3559: Support 'null'-valued 'Map' fields with "any setter" + + #3568: Change 'JsonNode.with(String)' and 'withArray(String)' + to consider argument as 'JsonPointer' if valid expression + + #3590: Add check in primitive value deserializers to avoid + deep wrapper array nesting wrt 'UNWRAP_SINGLE_VALUE_ARRAYS' + [CVE-2022-42003, bsc#1204370] + + #3609: Allow non-boolean return type for "is-getters" with + 'MapperFeature.ALLOW_IS_GETTERS_FOR_NON_BOOLEAN' + + #3613: Implement 'float' and 'boolean' to 'String' coercion + config + + #3624: Legacy 'ALLOW_COERCION_OF_SCALARS' interacts poorly + with Integer to Float coercion + + #3633: Expose 'translate()' method of standard + 'PropertyNamingStrategy' implementations + * 2.13.5 (23-Jan-2023) + + #3659: Improve testing (likely via CI) to try to ensure + compatibility with specific Android SDKs + + #3661: Jackson 2.13 uses Class.getTypeName() that is only + available on Android SDK 26 (with fix works on ASDK 24) + jackson-dataformats-binary +- Version update to 2.15.2 + * 2.15.2 (30-May-2023) + + #379: (avro) 'logback-test.xml' in wrong place + (avro/src/main/resources) + * 2.15.0 (23-Apr-2023) + + #347: (cbor) Add support for CBOR stringref extension + ('CBORGenerator.Feature.STRINGREF') + + #356: (cbor) Add 'CBORGenerat.Feature.WRITE_MINIMAL_DOUBLES' + for writing 
'double's as 'float's if safe to do so + + #373: (cbor) Remove optimized 'CBORParser.nextTextValue()' + implementation + * 2.14.3 (05-May-2023) + + #354: (all) Missing license file in Maven package for newer + versions + + #366: 'CBORGenerator.writeRawUTF8String()' seems to ignore + offset + * 2.14.1 (21-Nov-2022) + + #342: (smile) Possible performance improvement on jdk9+ for + Smile decoding + * 2.14.0 (05-Nov-2022) + + #301: (cbor, smile) Missing configuration methods for + format-specific parser/generator features + + #310: (avro) Avro schema generation: allow override namespace + with new '@AvroNamespace' annotation + + #311: (ion) 'IonObjectMapper' does not throw JacksonException + for some invalid Ion + + #312: (cbor, smile) Short NUL-only keys incorrectly detected + as duplicates + + #325: (ion) Ensure 'IonReader' instances created within + 'IonFactory' are always resource-managed + + #338: Use passed "current value" in 'writeStartObject()' + overload + + #341: (ion) Update to Amazon Ion 1.9.5 + +- Version update to 2.13.3 + * 2.13.3 (14-May-2022) + + #317: (ion) IonValueDeserializer does not handle getNullValue + correctly for a missing property + * 2.13.2 (06-Mar-2022) + + No changes since 2.13.1 + * 2.13.1 (19-Dec-2021) + + #302: (ion) 'IllegalArgumentException' in + 'IonParser.getEmbeddedObject()' + jackson-modules-base +- Version upgrade to 2.15.2 + * 2.15.2 (30-May-2023) + + #207: Mr Bean exposing 'Asm' as Maven dependency despite + shading + + (afterburner, mrbean) 'org.ow2.asm:asm' updated to 9.5 + (from 9.4) + * 2.15.1 (16-May-2023) + + #204: (afterburner, mrbean) Gradle metadata for + 'jackson-core' '2.15.0' adds dependency on shaded + 'org.ow2.asm:asm' + * 2.15.0 (23-Apr-2023) + + #190: Filter annotated by JsonInclude.Include.CUSTOM does not + get called if property is null with Afterburner/Blackbird + module registered + * 2.14.3 (05-May-2023) + + #198: fix failing tests in java17 CI run + + #199: jaxb and jakarta-xmlbind put module-info in 
versions/11 + + Fix Gradle Module Metadata for Afterburner, Blackbird + * 2.14.0 (05-Nov-2022) + + #138: (blackbird) Blackbird doesn't work on Java 15+ + + #187: Remove stack trace from Blackbirds warnings wrt missing + 'MethodHandles.lookup()' (on Java 8) + + Asm version from 9.0 to 9.4 + jackson-parent +- Upgrade to 2.15 + * 2.15 (23-Apr-2023) + + Upgrade to oss-parent 50 (many plugin version updates) + + Remove settings for 'org.eclipse.m2e:lifecycle-mapping' + * 2.14 (05-Nov-2022) + + Upgrade to oss-parent 48 (Reproducible Builds, many plugin + version updates) + java-21-openjdk +- Modified patch: + * fips.patch + + use the system crypto-policies provided configuration file + by default (bsc#1218061) + jbigkit +- security update +- added patches + fix CVE-2022-1210 [bsc#1198146], Malicious file leads to a denial of service in TIFF File Handler + + jbigkit-CVE-2022-1210.patch + jeos-firstboot +- Update to version 1.2.0.9: + * Add KeyringMode=shared + +- Update to version 1.2.0.7: + * Don't pass --setup-machine-id to systemd-firstboot + +- Update to version 1.2.0.6: + * Change EULA/license dialog button label to "Continue" (bsc#1210279) +- Only build the rpiwifi package on SLE/Leap 15 (bsc#1207419) +- Add an explicit dependency on nmtui + kbuild +- Add byacc to BuildRequires fixes problems with bison 3.7 (bsc#1175268) + +- update to svn3427: + * 3 years of changes, see http://trac.netlabs.org/kbuild/timeline +- remove patches: + gcc10-fno-common-fix.patch, glob-interface.patch, + use-alloca.patch, kbuild-gcc7.patch, kbuild-glob.patch, + strsignal.patch: upstream or obsolete + +- strsignal.patch: use strsignal instead of sys_siglist (bsc#1175268) + +- Add gcc10-fno-common-fix.patch in order to fix boo#1160274. + +- Modernise spec file + +- Returned changelist back to a %doc. + +- Changed spec file to require readline-devel, not a specific libreadline version. + Thanks to Jan Engelhardt for suggestion. + +- Add libreadline6 to the BuildRequires list. 
+- Changed %doc to %license for COPYING as directed by osc. + -- Update to version 0.1.9998svn2720: - + VirtualBox-4.3.6 requires revision 2689 or later -- Dropped patches: - + warnings.diff (obsolete) - + glibc-2.10.diff (solved differently upstream) - + kbuild-func_missing_args.diff (obsolete) -- Rebased patches: - + kbuild-pthread.diff (only offset) - + kbuild-timestamps.diff (only offset) - + kbuild-armv7l.diff (only offset) - + kbuild-dummy_noreturn.diff (manually) -- Add patches: - + kbuild-glob.patch: Include local glob implementation - + kbuild-kmk-makefile-am.patch: Fix wrong file list - -- added patches: - * ppc64le.patch -- Make ppc64le architecture known - kdump +- upgrade to version 2.0.0 + * add support for riscv64 (bsc#1204214) + * mkdumprd: fix the check for updated SSH keys + * prefer by-path and device-mapper aliases (bsc#1217617) + * udev: don't reload kdump if kernel handles hotplug (jsc#PED-5077) + kernel-firmware +- Update to version 20231214 (git commit b80907ec3a81): + * qcom: Add Audio firmware for SM8650 QRD + * qcom: Add Audio firmware for SM8550 QRD + * Add rdfind for deb/rpm build jobs + * wfx: update to firmware 3.17 + * wfx: fix broken firmware + +- Update to version 20231205 (git commit bfc33c1e308e): + * linux-firmware: Update AMD cpu microcode + * cxgb4: Update firmware to revision 1.27.5.0 + * linux-firmware: add firmware for en8811h 2.5G ethernet phy + * s5p-mfc: Add MFC v12 Firmware + * qcom: update qrb4210 firmware + * qcom: update qcm2290 firmware + * qcom: update qcm2290/qrb4210 WiFi firmware file + * qcom: update Venus firmware file for v6.0 + +- Update to version 20231128 (git commit d9f6088f7e91): + * Add a COPYOPTS variable + * rtl_bt: Update RTL8852A BT USB firmware to 0xDFC8_145F + +- Update to version 20231127 (git commit 4124f8f928d5): + * Make rdfind optional + * ice: update ice DDP wireless_edge package to 1.3.13.0 + * linux-firmware: update firmware for mediatek bluetooth chip (MT7922) + * linux-firmware: update 
firmware for mediatek bluetooth chip (MT7921) + * linux-firmware: update firmware for MT7922 WiFi device + * linux-firmware: update firmware for MT7921 WiFi device + * Makefile, copy-firmware: Use portable "command -v" to detect installed programs + * amdgpu: update DMCUB firmware to 0.0.194.0 for DCN321 and DCN32 + * powervr: add firmware for Imagination Technologies AXE-1-16M GPU + * ice: update ice DDP comms package to 1.3.45.0 + * ice: update ice DDP package to 1.3.35.0 + * mediatek: Remove an unused packed library + * amdgpu: update DMCUB firmware to 0.0.193.0 for DCN31 and DCN314 +- Drop obsoleted copy-file-skip-rdfind.patch; use --ignore-duplicates + +- Update to version 20231120 (git commit 9552083a783e): + * mediatek: Sync shared memory structure changes + * Intel Bluetooth: Update firmware file for Intel Bluetooth BE200 + * i915: Update MTL DMC to v2.19 + * Make email replies more resilient + * Try both utf-8 and windows-1252 for decoding email + +- Update to version 20231116 (git commit 6723a8d90923): + * iwlwifi: fix for the new FWs from core83-55 release + * Enable deb and rpm builds on tags + * linux-firmware: Add firmware for Cirrus CS35L41 on HP G11 Laptops + * linux-firmware: Add firmware for Cirrus CS35L41 on 2024 ASUS Zenbook Laptops + +- Update to version 20231115 (git commit a07fd0b96b5a): + * iwlwifi: add new FWs from core83-55 release + * iwlwifi: update cc/Qu/QuZ firmwares for core83-55 release + * Add a workaround for gitlab.freedesktop.org pull requests + * Add extra debugging output when processing pull requests + * Process pull requets directly from mbox + * linux-firmware: add firmware for mt7988 internal 2.5G ethernet phy + * Intel Bluetooth: Update firmware file for Magnetor Intel Bluetooth AX101 + * Intel Bluetooth: Update firmware file for Magnetor Intel Bluetooth AX203 + * Intel Bluetooth: Update firmware file for Magnetor Intel Bluetooth AX211 + * Intel Bluetooth: Update firmware file for SolarF Intel Bluetooth AX101 + * Intel 
Bluetooth: Update firmware file for Solar Intel Bluetooth AX101 + * Intel Bluetooth: Update firmware file for SolarF Intel Bluetooth AX203 + * Intel Bluetooth: Update firmware file for Solar Intel Bluetooth AX203 + * Intel Bluetooth: Update firmware file for SolarF Intel Bluetooth AX211 + * Intel Bluetooth: Update firmware file for Solar Intel Bluetooth AX211 + * Intel Bluetooth: Update firmware file for Solar Intel Bluetooth AX210 + +- Update to version 20231110 (git commit 74158e7ac86d): + * amdgpu: DMCUB updates for various AMDGPU ASICs + * Ensure rdfind is installed + * Add checks for destination directory being specified + * Fix symlink creation for some files + * Fix classification of some pull requests + * nvidia: add GSP-RM version 535.113.01 firmware images +- Skip rdfind (not included in our distro as default): + copy-file-skip-rdfind.patch +- Fix make-files.sh to handle symlinked directories + -- Update to version 20231019 (git commit d983107a2dfa): +- Update to version 20231019 (git commit d983107a2dfa) + (bsc#1215823, CVE-2023-20592): + (bsc#1215831, CVE-2021-26345, CVE-2021-46766, CVE-2021-46774, + CVE-2022-23820, CVE-2022-23830, CVE-2023-20519, CVE-2023-20521, + CVE-2023-20526, CVE-2023-20533, CVE-2023-20566): kernel-firmware:uncompressed +- Update to version 20231214 (git commit b80907ec3a81): + * qcom: Add Audio firmware for SM8650 QRD + * qcom: Add Audio firmware for SM8550 QRD + * Add rdfind for deb/rpm build jobs + * wfx: update to firmware 3.17 + * wfx: fix broken firmware + +- Update to version 20231205 (git commit bfc33c1e308e): + * linux-firmware: Update AMD cpu microcode + * cxgb4: Update firmware to revision 1.27.5.0 + * linux-firmware: add firmware for en8811h 2.5G ethernet phy + * s5p-mfc: Add MFC v12 Firmware + * qcom: update qrb4210 firmware + * qcom: update qcm2290 firmware + * qcom: update qcm2290/qrb4210 WiFi firmware file + * qcom: update Venus firmware file for v6.0 + +- Update to version 20231128 (git commit d9f6088f7e91): + * 
Add a COPYOPTS variable + * rtl_bt: Update RTL8852A BT USB firmware to 0xDFC8_145F + +- Update to version 20231127 (git commit 4124f8f928d5): + * Make rdfind optional + * ice: update ice DDP wireless_edge package to 1.3.13.0 + * linux-firmware: update firmware for mediatek bluetooth chip (MT7922) + * linux-firmware: update firmware for mediatek bluetooth chip (MT7921) + * linux-firmware: update firmware for MT7922 WiFi device + * linux-firmware: update firmware for MT7921 WiFi device + * Makefile, copy-firmware: Use portable "command -v" to detect installed programs + * amdgpu: update DMCUB firmware to 0.0.194.0 for DCN321 and DCN32 + * powervr: add firmware for Imagination Technologies AXE-1-16M GPU + * ice: update ice DDP comms package to 1.3.45.0 + * ice: update ice DDP package to 1.3.35.0 + * mediatek: Remove an unused packed library + * amdgpu: update DMCUB firmware to 0.0.193.0 for DCN31 and DCN314 +- Drop obsoleted copy-file-skip-rdfind.patch; use --ignore-duplicates + +- Update to version 20231120 (git commit 9552083a783e): + * mediatek: Sync shared memory structure changes + * Intel Bluetooth: Update firmware file for Intel Bluetooth BE200 + * i915: Update MTL DMC to v2.19 + * Make email replies more resilient + * Try both utf-8 and windows-1252 for decoding email + +- Update to version 20231116 (git commit 6723a8d90923): + * iwlwifi: fix for the new FWs from core83-55 release + * Enable deb and rpm builds on tags + * linux-firmware: Add firmware for Cirrus CS35L41 on HP G11 Laptops + * linux-firmware: Add firmware for Cirrus CS35L41 on 2024 ASUS Zenbook Laptops + +- Update to version 20231115 (git commit a07fd0b96b5a): + * iwlwifi: add new FWs from core83-55 release + * iwlwifi: update cc/Qu/QuZ firmwares for core83-55 release + * Add a workaround for gitlab.freedesktop.org pull requests + * Add extra debugging output when processing pull requests + * Process pull requets directly from mbox + * linux-firmware: add firmware for mt7988 internal 2.5G 
ethernet phy + * Intel Bluetooth: Update firmware file for Magnetor Intel Bluetooth AX101 + * Intel Bluetooth: Update firmware file for Magnetor Intel Bluetooth AX203 + * Intel Bluetooth: Update firmware file for Magnetor Intel Bluetooth AX211 + * Intel Bluetooth: Update firmware file for SolarF Intel Bluetooth AX101 + * Intel Bluetooth: Update firmware file for Solar Intel Bluetooth AX101 + * Intel Bluetooth: Update firmware file for SolarF Intel Bluetooth AX203 + * Intel Bluetooth: Update firmware file for Solar Intel Bluetooth AX203 + * Intel Bluetooth: Update firmware file for SolarF Intel Bluetooth AX211 + * Intel Bluetooth: Update firmware file for Solar Intel Bluetooth AX211 + * Intel Bluetooth: Update firmware file for Solar Intel Bluetooth AX210 + +- Update to version 20231110 (git commit 74158e7ac86d): + * amdgpu: DMCUB updates for various AMDGPU ASICs + * Ensure rdfind is installed + * Add checks for destination directory being specified + * Fix symlink creation for some files + * Fix classification of some pull requests + * nvidia: add GSP-RM version 535.113.01 firmware images +- Skip rdfind (not included in our distro as default): + copy-file-skip-rdfind.patch +- Fix make-files.sh to handle symlinked directories + -- Update to version 20231019 (git commit d983107a2dfa): +- Update to version 20231019 (git commit d983107a2dfa) + (bsc#1215823, CVE-2023-20592): + (bsc#1215831, CVE-2021-26345, CVE-2021-46766, CVE-2021-46774, + CVE-2022-23820, CVE-2022-23830, CVE-2023-20519, CVE-2023-20521, + CVE-2023-20526, CVE-2023-20533, CVE-2023-20566): knot +- update to version 3.3.1, see: + https://www.knot-dns.cz/2023-09-11-version-331.html + krb5 +- Update patch 0007-SELinux-integration.patch for SELinux 3.5 + libgit2 -- Verify ssh remote host keys (boo#1207364 CVE-2023-22742): - 0001-ssh-verify-the-remote-s-host-key-against-known_hosts.patch - 0002-tests-append-the-github.com-ssh-keys-so-we-have-acce.patch - 
0003-tests-move-online-clone-ssh_auth_methods-into-the-ss.patch - 0004-ssh-look-for-a-key-in-known_hosts-to-set-the-key-typ.patch - -- Add patches from upstream v1.3 branch to fix CVE-2022-29187, - CVE-2022-24765 (bsc#1201431, bsc#1198234): - * 0001-path-refactor-ownership-checks-into-current-user-and.patch - * 0002-repo-ensure-that-repo-dir-is-owned-by-current-user.patch - * 0003-fs_path-mock-ownership-checks.patch - * 0004-repo-test-configuration-ownership-validation.patch - * 0005-repo-refactor-global-config-loader-function.patch - * 0006-repo-honor-safe.directory-during-ownership-checks.patch - * 0007-repo-make-ownership-checks-optional.patch - * 0010-revparse-Remove-error-prone-redundant-test.patch - * 0014-repo-add-tests-for-bare-repo-permissions.patch - * 0015-fs-remove-mock-naming-from-change-ownership-constant.patch - * 0016-fs-refactor-file-ownership-checks.patch - * 0017-fs-allow-ownership-match-if-user-is-in-admin-group.patch - * 0018-repo-allow-admin-owned-configs-by-admin-users.patch - * 0019-repo-validate-gitdir-and-gitlink-ownership.patch - * 0020-repo-allow-users-running-with-sudo-to-access-their-r.patch +- update to 1.7.1: + * proxy: Return an error for invalid proxy URLs instead of crashing + * ssh: fix known_hosts leak in _git_ssh_setup_conn + * repository: make cleanup safe for re-use with grafts + * fix: Add missing include for oidarray + * Revert "CMake: Search for ssh2 instead of libssh2." 
+ +- update to 1.7.0: + * supports shallow clone and shallow repositories + * Simplify custom pluggable allocator (breaking change) + * repo: honor environment variables for more scenarios + * Introduce timeouts on sockets + * some performance improvements and bug fixes + +- Update to 1.6.4: + * config: return GIT_ENOTFOUND for missing programdata +- move experimental cli into libgit2-tools as intended + +- Update to 1.6.3: + * odb: restore git_odb_open by @ethomson in #6520 + * Ensure that git_index_add_all handles ignored directories by @ethomson in #6521 + * pack: use 64 bits for the number of objects by @carlosmn in #6530 +- Drop restore-git-odb-open.patch + +- Add restore-git-odb-open.patch, some code was removed by error + upstream and they fix it after the release. + gh#libgit2/libgit2@e1e0d77c6f15 + +- libgit2 1.6.2: + * Support the notion of a home directory separately from global + configuration directory + * stash: partial stash specific files + * push: revpars refspec source, so user can push things that are + not refs + * Support OpenSSL 3 + * Many bug fixes +- Not enabled: experimental SHA256 support for bare repositories + +- update to 1.5.2: + * Improve SSH key handling functionality: examine all keys in + known_hosts files for matches, to support remote hosts with + multiple key types + +- update to 1.5.1: + * This is a security release to address CVE-2023-22742: when compiled + using the optional, included libssh2 backend, libgit2 fails to verify + SSH keys by default. boo#1207364 + * When using an SSH remote with the optional, included libssh2 backend, + libgit2 does not perform certificate checking by default. Prior versions + of libgit2 require the caller to set the `certificate_check` field of + libgit2's `git_remote_callbacks` structure - if a certificate check + callback is not set, libgit2 does not perform any certificate checking. 
+ This means that by default - without configuring a certificate check + callback, clients will not perform validation on the server SSH keys and + may be subject to a man-in-the-middle attack. + +- Drop baselibs.conf: there is no known consumer of the -32bit + package. + +- update to 1.5.0: + * add the basis for an experimental CLI + * continue prepare for SHA256 support + * add a benchmarking utility + +- update to 1.4.4 (bsc#1198234) + * Compatibility with git's changes to address CVE-2022-29187. As + a follow up to CVE 2022-24765, now not only is the working + directory of a non-bare repository examined for its ownership, + but the .git directory and the .git file (if present) are also + examined for their ownership [boo#1201431] + * A fix for compatibility with git's (new) behavior for + CVE 2022-24765 allows users on POSIX systems to access a git + repository that is owned by them when they are running in sudo +- enable reproducible builds + +- update to 1.4.3: + * compatibility with git's changes for CVE-2022-24765 boo#1187234 + * several correctness fixes where invalid input can lead to a + crash and denial of service + +- update to 1.4.2: + * remote: do store the update_tips callback error value + +- update to 1.4.1: + * improve compatibility with git + * some deprecated API, ABI has changed + * multiple bug fixes and developer visible changes +- build with system PCRE2 +- remove http-parser build dependency, bundled lib has fixes libgpg-error +- Do not pull revision info from GIT when autoconf is run. This + removes the -unknown suffix after the version number. + * Add libgpg-error-nobetasuffix.patch [bsc#1216334] + +- Update to 1.47: + * New error codes for PUKs and reset codes. [T6421] + * Avoid segv in logging with improper use of the "socket://". + * Fixed translation of argparse's internal option --help. + * Interface changes relative to the 1.46 release: + - GPG_ERR_SOURCE_TKD NEW. + - GPG_ERR_BAD_PUK NEW. + - GPG_ERR_NO_RESET_CODE NEW. 
+ - GPG_ERR_BAD_RESET_CODE NEW. + - GPGRT_SPAWN_KEEP_STDIN NEW. + - GPGRT_SPAWN_KEEP_STDOUT NEW. + - GPGRT_SPAWN_KEEP_STDERR NEW. + - GPGRT_SPAWN_INHERIT_FILE NEW. + * Release-info: https://dev.gnupg.org/T6231 + +- Update to 1.46: + * Support for bidirectional pipes under Windows. + * REG_DWORD types are now support in the Windows Registry. + * Added ES_SYSHD_SOCK support for gpgrt_sysopen under Windows. + * Fixed gpgrt_log_get_fd for the file case. + * Avoids header problem with C11 and "noreturn". + * The gpg-error-config command is not installed by default, because + it is now replaced by use of pkg-config/gpgrt-config with + gpg-error.pc. Supply --enable-install-gpg-error-config configure + option, if it's really needed. + * Fixed support of posix-lock for FreeBSD. + * Build fixes for some Mingw tool chain versions. + * Removed remaining support for WindowsCE. + * Updated config.guess, config.sub, and config.rpath. + * gpg-error-config is now only installed when enabled. + * System paths are now stripped from --cflags --and --libs. + +- update to 1.45: + * gpgrt_access and gpgrt_mkdir now support file names longer than + MAX_PATH + +- Update to 1.44: + * Fix dependency to gpg-error-config-test.sh. + * Run the posix locking test only on supported platforms. + * Detect Linux systems using musl. + * Fix gpg-error-config-test for PKG_CONFIG_LIBDIR. + * Fix returning of option attributes for options with args. + * Add Turkish translations. + +- Update to 1.43: + * Fix for building against GNU libc 2.34. + * Fix gpgrt-config problems. + * Fix gpgrt_free for legacy platforms. + * Fix truncation of error message in the middle of a character. + * Fix the --disable-threads configure options. + * Improve lock-obj generation for cross-builds. + * Improve cross-builds. + * Improve gpgrt_wait_processes. 
+ libiio +- Update to version 0.25 + * tests: Standardize programs error codes when scanning + * Make sure we print out LOG_LEVEL during Cmake + * debug.h: Update log macros + * iiod: fix the printing of IP addresses inside iiod + * iiod: remove test code that slipped in + * dnssd: windows: Greatly enhance code + * dns-sd: Remove duplicates before probing URIs + * CI: add next_stable branch to CI triggers + * serial: Pass port name/description as context attributes [ #926 ] + * CMake: Bump minimal required version to 3.10 + libksba -- Security fix: [bsc#1206579, CVE-2022-47629] - * Integer overflow in the CRL signature parser. - * Add libksba-CVE-2022-47629.patch - -- Security fix: [bsc#1204357, CVE-2022-3515] - * Detect a possible overflow directly in the TLV parser. - * Add libksba-CVE-2022-3515.patch +- Do not pull revision info from GIT when autoconf is run. This + removes the -unknown suffix after the version number. + * Run autoreconf for the added patch and add the build + dependecies on autoconf, automake and libtool. + * Add libksba-nobetasuffix.patch [bsc#1216334] + +- Update to 1.6.4: + * Correctly detect CMS write errors. [rK9ced7706f2] + * Release-info: https://dev.gnupg.org/T6543 + +- update to 1.6.3 (bsc#1206579, CVE-2022-47629): + * Fix another integer overflow in the CRL parser. + Release-info: https://dev.gnupg.org/T6304 + +- libksba 1.6.2: [bsc#1204357, CVE-2022-3515] + * Fix integer overflow in the CRL parser. + +- libksba 1.6.1: + * Allow an OCSP server not to return the sent nonce +- fix rpmlint warnings + +- libksba 1.6.0: + * Limited support for the Authenticated-Enveloped-Data + content type. + * Support password based decryption. + * Silence warnings from static analyzers. + * Interface changes relative to the 1.5.0 release: + - KSBA_CT_AUTHENVELOPED_DATA NEW. 
+ +- libksba 1.5.1: + * Support Brainpool curves specified by ECDomainParameters + +- libksba 1.5.0: + * ksba_cms_identify now identifies OpenPGP keyblock content + * Supports TR-03111 plain format ECDSA signature verification + * Fixes a CMS signed data parser bug exhibited by a somewhat + strange CMS message +- remove deprecated texinfo macros and update signing keyring + +- libksba 1.4.0: + * Supports ECDSA and EdDSA certificate creation and parsing. + * Supports ECDH enveloped data. + * Supports ECDSA and EdDSA signed data. + * Supports rsaPSS signature verification. + * Supports standard file descriptors in ksba_reader_read. + * Allows for optional elements in keyinfo objects. + * Fixes error detection in the CMS parser. + * Fixes memory leak in ksba_cms_identify. + * New constants KSBA_VERSION and KSBA_VERSION_NUMBER. + * New API to make creation of DER objects easy. + * Interface changes relative to the 1.3.5 release: + KSBA_VERSION NEW. + KSBA_VERSION_NUMBER NEW. + KSBA_CT_SPC_IND_DATA_CTX NEW. + KSBA_CLASS_* NEW. + KSBA_TYPE_* NEW. + ksba_der_t NEW. + ksba_der_release NEW. + ksba_der_builder_new NEW. + ksba_der_builder_reset NEW. + ksba_der_add_ptr NEW. + ksba_der_add_val NEW. + ksba_der_add_int NEW. + ksba_der_add_oid NEW. + ksba_der_add_bts NEW. + ksba_der_add_der NEW. + ksba_der_add_tag NEW. + ksba_der_add_end NEW. + ksba_der_builder_get NEW. 
-- libksba 1.3.1: - * Fixed memory leak in CRL parsing - * Build fixes for ppc64el - -- Use URL for source - libmicrohttpd -- Apply patch for bsc#1208745 CVE-2023-27371 - fix parser bug that could be used to crash servers using the MHD_PostProcessor - * fix-parser-bug-MHD_PostProcessor.patch +- libmicrohttpd 0.9.77: + * improvements for Digest and Basic authorizations + * fix efficiency for TLS upgraded connections + * fix processing of folded headers in requests + * fix functionality with blocking sockets +- update upstream signing key + +- libmicrohttpd 0.9.76 + * CVE-2023-27371: Fix potential DoS vector in MHD_PostProcessor + (boo#1208745) + +- libmicrohttpd 0.9.75: + * fixes for where "monotonic" clock may jump back + +- libmicrohttpd 0.9.74: + * new experimental implementation of WebSockets disabled by default + * improved compliance with the RFC HTTP specifications + * new implementation of reply header forming + * new implementation of request chunked encoding parsing + * new automatic error replies + * Keep-alive header is omitted by default for HTTP/1.1 connections. + Use of header can be enforced by response flag. + * Chunked encoding is used for HTTP/1.1 non-keep-alive connections + for responses with unknown size. Previously MHD used "indication + of the end of the response by closing connection" in such cases, + however it is not correct for HTTP/1.1 connections as per HTTP + RFC. + * As required by HTTP RFC, use HTTP/1.1 version instead of HTTP/1.0 + in reply headers when client is HTTP/1.0 . HTTP/1.0 version can + be enforced by response flag. + * User response headers are used in replies in the same order as + was added by application. + * Allowed tab characters in response header values. + * All custom "Connection:" response headers are automatically + combined into single "Connection:" header. + * "keep-alive" token silently dropped from custom "Connection:" + response header. "Keep-alive" cannot be enforced and used + automatically if possible. 
+ * Allow tab character in custom response header value. + * Disallow space character in custom response header value. + * Do not allow responses with 1xx codes for HTTP/1.0 requests. + * Detected and reported incorrect "Upgrade" responses. + +- libmicrohttpd 0.9.73: + * new function for vector-backed responses + * compatibility with autoconf 2.70+ + * Implement ALPN support + +- libmicrohttpd 0.9.72: + * improved performance with stay-alive HTTP and HTTPS connections + * bug fixes +- remove deprecated texinfo macros + +- libmicrohttpd 0.9.71: + * Fix buffer overflow issue in URL parser [boo#1173718] + * Fixed PostProcessor bug + * Documentation and example fixes + +- Update to 0.9.70: + * Fixed 100-continue handling for PATCH method + * Fixed FTBFS from wrong #endif position for certain builds + * Fixed connection overflow issue when combining + MHD_USE_NO_LISTEN_SOCKET with MHD_USE_THREAD_PER_CONNECTION + * Updated m4 script to fix FTBFS when using + - Werror=unused-but-set-parameter + * Adding fix for urlencoding of keys without values in + post-processor logic. + * Adding patch from Ethan Tuttle with test case for urlencoding + in post-processor for keys without values. + +- update to 0.9.69: + * If application suspends a connection before we could send + 100 CONTINUE, give application another shot at queuing a reply + before the upload begins. + +- update to 0.9.68: + * Fix regression where MHD would fail to return an empty response + when used with HTTPS. 
+ * Introduce MHD_RF_INSANITY_HEADER_CONTENT_LENGTH +- drop libmicrohttpd-0.9.67-fix-nonvoid-return.patch, in release + +- update to 0.9.67: + * improvements that eliminate system and C library calls +- drop libmicrohttpd-0.9.66-fix-gnutls-dependency.patch, upstream +- add libmicrohttpd-0.9.67-fix-nonvoid-return.patch from upstream + +- fix build with SLE 12 with older GnuTLS: + * libmicrohttpd-0.9.66-fix-gnutls-dependency.patch + +- update to 0.9.66: + * Fix issue with discarding unhandled upload data discovered + * Fix hanging situation with large transmission over upgraded + (i.e. Web socket) connection with epoll() and HTTPS enabled + * Add MHD_OPTION_HTTPS_CERT_CALLBACK2 to allow OCSP stapling + and MHD_FEATURE_HTTPS_CERT_CALLBACK2 to check for +- clean up build dependency list + +- Update to versin 0.9.65: + * Many fixes and improvements for connection-specific memory pool + * Better handled connection's memory shortage situations: + + error response could be sent to client even if all buffer + space was used; + + if buffer space become low when receiving, do not allocate + last buffer space and use small receive blocks instead. + * Improved sending speed by using all available buffer space for + sending. + +- Update to version 0.9.64: + * Updated HTTP headers, methods and status codes from registries, + * Added scripts to import new headers, methods and status codes + from registries. + * Reodered includes in microhttpd.h + * Fixed compiler warnings + * Updated and fixed libcurl tests. + * Added checks for too long TLS parameters strings. + * Spelling fixes. + * Fixed example for non-64bits platforms. + * Optimized and improved processing speed by using precalculated and + already calculated lengths of strings. + * Store connection's keys and values with sizes; + * Speedup keys search be comparing key length first; + * Added functions for working with keys and values with binary zeros; + * Fixed test_postprocessor_amp to fail on problems. 
+ * Reverted change of MHD_KeyValueIterator, implemented + MHD_KeyValueIteratorN with sizes for connection's key and value to + get keys and values with binary zeros. + * Fixed signed/unsigned comparison in example + http_chunked_compression.c. + * Bit manipulations moved to separate header file. + * Improved shell compatibility for 'bootstrap', removed bash-ism. + * Adding additional "value_length" argument to MHD_KeyValueIterator + callback to support binary zeros in values. This is done in a + backwards-compatible way, but may require adding a cast to + existing code to avoid a compiler warning. + * Added example for how to compress a chunked HTTP response. + +- Update to version 0.9.63: + * Extended test_get to test URI logging and query string parsing + to avoid regression fixed in previous patch in the future. + * Preliminary patch for the raw query string issue, to be tested. + * Added minimal example for how to compress HTTP response. + * Check for GNUTLS_E_AGAIN instead of GNUTLS_E_INTERRUPTED when + giving up on a TLS connection. -LM/CG + * Fix connection timeout logic if in thread-per-connection mode the + working thread takes longer than the timeout to queue the response. + * Add logic to avoid VLA arrays with compilers that do not support them. + * Fixed missing WSA_FLAG_OVERLAPPED which can cause W32 to block on + socket races when using threadpool. (See very detailed description + of the issue in the libmicrohttpd mailinglist post of today.) + * Added test for RFC 7616 and documented new API. +- Update to version 0.9.62: + * Added test for RFC 7616 and documented new API. + * Adding support for RFC 7616, experimental, needs + testing and documentation still! + * Add option to build MHD without any threads + and MHD_FEATURE_THREADS to test for it. + * Renamed all occurrences from _model(s)_ to _mode(s)_. 
+ * Optimized the function MHD_create_response_from_callback() for + Windows by increasing its internal buffer size and allowed to + customize it via macro MHD_FD_BLOCK_SIZE. + * Referenced the gnutls_load_file() function in the HTTPs examples. + * Fix regression causing URLs to be unescaped twice. + +- Update to version 0.9.61: + * parse arguments with (properly) escaped URLs correctly. Replace + sprintf with snprintf in testcases. + * Fix build issue with GnuTLS < 3.0. + * Add MHD_create_response_from_buffer_with_free_callback. +- Update to version 0.9.60: + * gettext updated to 0.19.8 + * can use epoll() without listen socket now + * in thread-per-connection mode, socket closure is now + communicated in a timely fashion to the application + * added MHD_RF_HTTP_VERSION_1_0_RESPONSE option + * preventing bogus transfer-encoding values + * Added MHD_OPTION_GNUTLS_PSK_CRED_HANDLER + * allow digest authentication with hashed password + * ensure request completed callback is called from correct thread + and also for upgraded connections + +- Update to version 0.9.59: + * Fix masking operation. + * Fix deadlock when failing to prepare chunked response + * Fix __clang_major__ related warnings for non-clang compilers. + * Fixed tests on platforms with huge number of CPUs. + * Doxygen configuration was updated. + * Various doxygen fixes. +- Update to version 0.9.58: + * Fixed HTTPS tests on modern platforms. + * Minor documentation installation fixes. + * Tolerate AF_UNIX when trying to determine our binding port + from socket. Use `sockaddr_storage` instead of trying to + guess the sockaddr type before calling getsockname(). libnvme +- Update to version 1.6+5.g68c6ffb: + * avoid stack corruption by unaligned DMA to user space buffers + (bsc#1216344, gh#linux-nvme/libnvme#727) + libpsm2 +- Update to 12.0.1 + - Fix memory leak in psmi_shm_create + libpulp +- Update package with libpulp-0.3.1: + * Add timestamp information on `ulp patches`. 
+ libpwquality +- Update to version 1.4.5: + + Minor bug fixes and documentation enhancements. + + Updated translations. + libqb -- log: Fix potential overflow with long log messages (CVE-2023-39976, bsc#1214066) - * bsc#1214066-0001-fix-potential-overflow-with-long-log-messages.patch +- Update to version 2.0.8+20230721.002171b (v2.0.8): +- log: fix potential overflow with long log messages (gh#ClusterLabs/libqb#490, CVE-2023-39976, bsc#1214066) + +- Update to version 2.0.7+20230607.06c8641 (v2.0.7): +- blackbox: fix potential overlow/memory corruption (gh#ClusterLabs/libqb#486) +- tests: allow -j to work (gh#ClusterLabs/libqb#485) +- strlcpy: avoid compiler warning from strncpy (gh#ClusterLabs/libqb#473) +- timer: Move state check to before time check (gh#ClusterLabs/libqb#479) +- ipc: Retry receiving credentials if the the message is short (gh#ClusterLabs/libqb#476, rh#2111711) +- lib: Fix some small bugs spotted by newest covscan (gh#ClusterLabs/libqb#471) +- doxygen2man: Fix function parameter alignment (gh#ClusterLabs/libqb#468) libqt5-qtbase +- buildrequire pkconfig(icu-i18n) instead of libicu-devel to get + prefered libicuu + +- Add patch from upstream that fixes a buffer overflow in + QXmlStreamReader (bsc#1214327, CVE-2023-37369): + * CVE-2023-37369-qtbase-5.15.diff + libraw -- security update -- added patches - fix CVE-2021-32142 [bsc#1208470], Buffer Overflow in the LibRaw_buffer_datastream:gets function - + libraw-CVE-2021-32142.patch +- update to 0.21.1: + * fixed typo in panasonic metadata parser + * Multiple fixes inspired by oss-fuzz project + * Phase One/Leaf IIQ-S v2 support + * Canon CR3 filmrolls + * Canon CRM (movie) files + * Tiled bit-packed (and 16-bit unpacked) DNGs + * (non-standard) Deflate-compressed integer DNG files are allowed + * Canon EOS R3, R7 and R10 + * Fujifilm X-H2S, X-T30 II + * OM System OM-1 + * Leica M11 + * Sony A7-IV (ILCE-7M4) + * DJI Mavic 3 + * Nikon Z9: standard compression formats only + +- Update to 0.21.0: + * 
Camera format support: + + Phase One/Leaf IIQ-S v2 support + + Canon CR3 filmrolls/RawBurst + + Canon CRM (movie) files + + Tiled bit-packed (and 16-bit unpacked) DNGs + + (non-standard) Deflate-compressed integer DNG files are allowed + * Camera support: + + Canon EOS R3, R7 and R10 + + Fujifilm X-H2S, X-T30 II + + OM System OM-1 + + Leica M11 + + Sony A7-IV (ILCE-7M4) + + DJI Mavic 3 + + Nikon Z9: standard compression formats only + * Multiple (resultion) thumbnails support + * Misc: + + Nikon makernotes: read NEFCompression tag for HE/HE* files + + Nikon orientation tag: more fixed offsets for known cameras + + Adobe DNG SDK 1.6 support (meaning, just an additional patch for GPR SDK) + * Bugs fixed: + + Fixed possible out-of-buffer read in Nikon orientation tag parser + + Out-of-range read-only array access in postprocessing if output_color is set to 0 (raw color) + + Minolta Z2 was not recognized correctly on 32-bit systems + + Fixed possible buffer overflow in Kodak C330 decoder + + dcraw_process(): check for buffer allocation results to avoid NULL deref + + Multiple bugfixes inspired by oss-fuzz project - CVE-2018-5819 + CVE-2018-5819,CVE-2021-32142 - bsc#1120515,bsc#1120516,bsc#1120517,bsc#1120519) + bsc#1120515,bsc#1120516,bsc#1120517,bsc#1120519,bsc#1208470) libreoffice +- Fix CVE-2023-6186, deny arbitrary script execution for link targets, + bsc#1217578 + * CVE-2023-6186-1.patch + * CVE-2023-6186-2.patch + * CVE-2023-6186-3.patch + * CVE-2023-6186-4.patch + * CVE-2023-6186-5.patch +- Fix CVE-2023-6185, improper input validation enabling arbitrary + Gstreamer pipeline injection, bsc#1217577 + * CVE-2023-6185.patch + libsass +- security update: + * CVE-2022-43357 [bsc#1214573]: + Fix stack overflow in Sass:CompoundSelector:has_real_parent_ref() + * CVE-2022-43358 [bsc#1214575]: + Fix stack overflow in Sass:ComplexSelector:has_placeholde() + * CVE-2022-26592 [bsc#1214576]: + Fix stack overflow in CompoundSelector:has_real_parent_ref function() + + 
libsass-CVE-2022-43357,CVE-2022-43358,CVE-2022-26592.patch + libselinux +- Repair initrd libselinux check in selinux-ready + +- Do not BuildRequire swig and ruby-devel in the main build phase: + those are only needed for the bindings. + +- (bsc#1212618) Divide libselinux and libselinux-bindings again. + libselinux itself is in Ring0 so it has to have absolutely + minimal dependencies, so it is better to separate + libselinux-bindings into a separate pacakge. + +- Fix python packaging by setting the name to a fixed value + +- Remove separate libselinux-bindings SPEC file (bsc#1212618). + +- Add explicit BuildRequires for python3-pip and python3-wheel on + 15.5, currently the macros don't do the right thing + +- allow building this with different python versions, to make this + usable for the new sle15 macro (using python3.11) + +- Add python-wheel build dependency to build correctly with latest + python-pip version. + +- Add _multibuild to define additional spec files as additional + flavors. + Eliminates the need for source package links in OBS. + +- Add -ffat-lto-objects to CFLAGS to prevent rpmlint errors because + of LTO + +- Enable LTO as it works fine now. + +- Update to version 3.5: + * check for truncations + * avoid newline in avc message + * bail out on path truncations + * add getpidprevcon to gather the previous context before the last + exec of a given process + * Workaround for heap overhead of pcre + * fix memory leaks on the audit2why module init + * ignore invalid class name lookup +- Drop restorecon_pin_file.patch, is upstream +- Refreshed python3.8-compat.patch +- Added additional developer key (Jason Zaman) + +- Fixed initrd check in selinux-ready (bnc#1186127) + +- Added restorecon_pin_file.patch. 
Fixes issus when running + fixfiles/restorecon + +- Update to version 3.4: + * Use PCRE2 by default + * Make selinux_log() and is_context_customizable() thread-safe + * Prevent leakeing file descriptors + * Correctly hash specfiles larger than 4G +- Refreshed skip_cycles.patch + +- Add Requires for exact libselinux1 version for selinux-tools +- Simplyfied check for correct boot paramaters in selinux-ready + (bsc#1195361) + +- Update to version 3.3: + * Lots of smaller issues fixed found by fuzzing + +- Add missing libselinux-utils Provides to selinux-tools so that + %selinux_requires works + +- Remove Recommends for selinux-autorelabel. It's better to have this + in the policy package itself (bsc#1181837) + +- Switch to pcre2: + + Replace pcre-devel BuildRequires with pkgconfig(libpcre2-8) + + Pass USE_PCRE2=y to make. + + Replace pkgconfig(libpcre) Requires in -devel static with + pkgconfig(libpcre2-8). + +- Update to version 3.2: + * Use mmap()'ed kernel status page instead of netlink by default. + See "KERNEL STATUS PAGE" section in avc_init(3) for more details. + * New log callback levels for enforcing and policy load notices - + SELINUX_POLICYLOAD, SELINUX_SETENFORCE + * Changed userspace AVC setenforce and policy load messages to audit + format. + +- Add Recommends: selinux-autorelabel, which is very important + for healthy use of the SELinux on the system (/.autorelabel + mechanism) (bsc#1181837). + +- install to /usr (boo#1029961) + + * Refreshed python3.8-compat.patch +- Added swig4_moduleimport.patch to prevent import errors due to + SWIG 4 + +- Add python3.8-compat.patch which makes build possible even with + Python 3.8, which doesn’t automatically adds -lpython + +- Disable LTO (boo#1133244). + +- Updated spec file to use python3. Added python3.patch to fix + build + +- Update libselinux-2.2-ruby.patch: use RbConfig instead of + deprecated Config. 
+ libsemanage +- Remove build counter syncing for real + +- Add _multibuild to define additional spec files as additional + flavors. + Eliminates the need for source package links in OBS. + +- Add -ffat-lto-objects to CFLAGS to prevent rpmlint errors because + of LTO + +- Enable LTO now (boo#1138812). + +- Update to version 3.5 + * Allow user to set SYSCONFDIR + * always write kernel policy when check_ext_changes is specified +- Added additional developer key (Jason Zaman) + +- Update to version 3.4 + * Optionally rebuild policy when modules are changed externally + * Fix USE_AFTER_FREE (CWE-672) in semanage_direct_get_module_info() + * Allow spaces in user/group names + +- Drop Buildrequires for libustr-devel, not needed anymore + +- Update to version 3.3 + * Fixed use-after-free in parse_module_store() + * Fixed use_after_free in semanage_direct_write_langext() + +- Link to correct so version +- Minor spec file cleanups + +- Move configuration file to separate libsemanage-conf package to allow + for parallel installation in future versions + +- Update to version 3.2 + * dropped old and deprecated symbols and functions + libsemanage version was bumped to libsemanage.so.2 + * libsemanage tries to sync data to prevent empty files in SELinux module + store + libsepol +- Enable LTO now (boo#1138813). 
+ +- Update to version 3.5 + * Stricter policy validation + * do not write empty class definitions to allow simpler round-trip tests + * reject attributes in type av rules for kernel policies +- Added additional developer key (Jason Zaman) + +- Update to version 3.4 + * Add 'ioctl_skip_cloexec' policy capability + * Add sepol_av_perm_to_string + * Add policy utilities + * Support IPv4/IPv6 address embedding + * Hardened/added many validations + * Add support for file types in writing out policy.conf + * Allow optional file type in genfscon rules + +- Update to version 3.3 + * Dropped CVE-2021-36085.patch, CVE-2021-36086.patch, CVE-2021-36087.patch + are all included + * Lot of smaller fixes identified by fuzzing + +- Fix heap-based buffer over-read in ebitmap_match_any (CVE-2021-36087, 1187928. + Added CVE-2021-36087.patch + +- Fix use-after-free in __cil_verify_classperms (CVE-2021-36085, 1187965). + Added CVE-2021-36085.patch +- Fix use-after-free in cil_reset_classpermission (CVE-2021-36086, 1187964). + Added CVE-2021-36086.patch + +- Update to version 3.2 + * more space-efficient form of storing filename transitions in the binary + policy and reduced the size of the binary policy + * dropped old and deprecated symbols and functions. 
Version was bumped to + libsepol.so.2 + +- install to /usr (boo#1029961) + libssh2_org +- Security fix: [bsc#1218127, CVE-2023-48795] + * Add 'strict KEX' to fix CVE-2023-48795 "Terrapin Attack" + * Add libssh2_org-CVE-2023-48795.patch + libstorage-ng +- merge gh#openSUSE/libstorage-ng#968 +- make more use of new SystemCmd interface +- 4.5.161 + +- merge gh#openSUSE/libstorage-ng#967 +- block more udev by-id links (bsc#1217459) +- adapted testsuite +- 4.5.160 + +- Translated using Weblate (Portuguese (Brazil)) (bsc#1149754) +- 4.5.159 + +- merge gh#openSUSE/libstorage-ng#966 +- fixed build with libxml 2.12.0 +- 4.5.158 + +- merge gh#openSUSE/libstorage-ng#965 +- refactored class SystemCmd +- fixed passing huge amount of data to stdin +- coding style +- 4.5.157 + +- merge gh#openSUSE/libstorage-ng#964 +- extended testsuite +- 4.5.156 + +- merge gh#openSUSE/libstorage-ng#963 +- extended testsuite +- 4.5.155 + +- merge gh#openSUSE/libstorage-ng#962 +- improved error reporting in SystemCmd +- 4.5.154 + +- merge gh#openSUSE/libstorage-ng#961 +- added testcase +- 4.5.153 + +- merge gh#openSUSE/libstorage-ng#960 +- make more use of new SystemCmd interface +- added const +- 4.5.152 + +- merge gh#openSUSE/libstorage-ng#959 +- removed unused function + +- merge gh#openSUSE/libstorage-ng#958 +- make more use of new SystemCmd interface +- prefer make_unique over new +- fixed compound action generation for removing btrfs qgroup + relations + libtirpc +- fix sed parsing for libtirpc.pc.in in specfile (boo#1216862) + linuxptp +- Update to version 4.1: + * Version 4.1 + * phc2sys: Fix -n option with -w. + * phc2sys: Avoid segfault with default UDS address. + * phc2sys: Improve logging with single domain. 
+ * ptp4l man: Add description for setting kthreads priorities + * sk: don't report random errno on timeout + * phc_ctl: explicitly check for adjust_phase definition + * raw: Fix PRP trailer detection + * remove C99 style loop variable declarations + * phc2sys: Add multi-domain synchronization. + * phc2sys: Shallow do_loop(). + * phc2sys: Create pmc agent after processing options. + * phc2sys: Rename phc2sys_private to domain. + * Use the 802.1AS peer delay computation when transportSpecific is 1 + * Resolve false hybrid_e2e warning + * Fix SERVO_LOCKED_STABLE behavior. + * Version 4.0 + * clock: Fix summary interval in free-running mode. + * Avoid switching PHC when phc_index is negative + * ts2phc: Fix memory leak on initial error path. + * power profile: Fix regression in the default configuration file. + * msg: append TLV onto all PTP event messages + * Fix detection of VLAN over bond support in case the driver does not support SIOCGHWTSTAMP ioctl. + * Clear pending errors on sockets. + * ntpshm: Invalidate SHM data before releasing the servo + * lstab: Update leapfile validity + * port: Don't switch to PHC with SW timestamping. + * ts2phc: Fix potential null-pointer dereference + * ts2phc: Prevent reporting poll error when received termination signal + * Set controlField to zero in message headers + * tz2alt: Add tz2alt to .gitignore + * Introduce a time zone helper program. + * pmc: Convert internal helper function into global method. + * Implement the ALTERNATE_TIME_OFFSET_ENABLE management message. + * Add the ALTERNATE_TIME_OFFSET_NAME management message. + * Add the ALTERNATE_TIME_OFFSET_PROPERTIES management message. + * Prepare clock based storage of up to four time zones. + * tlv: Encode and decode alternate time offset indicator TLVs. + * Add a custom management message for power profile settings. + * Introduce the power profile. + * tlv: Encode and decode power profile TLVs. + * Accept the full range for domainNumber. + * man pages: Bump date. 
+ * Alphabetize configuration options in the ts2phc man page. + * Alphabetize configuration options in the pmc man page. + * Alphabetize configuration options in the phc2sys man page. + * Remove stray copy/pasteo from the phc2sys man page. + * Alphabetize configuration options in the ptp4l man page. + * ts2phc: reset servo if failed to discipline clock + * phc2sys: reset servo if failed to discipline clock + * ptp4l: reset servo if failed to discipline clock + * clockadj: return error if failed to adjust clock + * unicast: Avoid undefined integer shifts. + * ts2phc: Fix generic pps source when tai offset is not set in OS + * lstab: move update_leapsecond_table function to lstab + * lstab: Add LSTAB_EXPIRED result + * timemaster: Use refclock_sock servo with chrony. + * timemaster: Replace shm_segment with refclock_id. + * Add refclock_sock servo. + * Remove obsolete statement in ptp4l man page. + * Fix up alphetical order in port_private header file. + * port: start sync rx timer on grant + * raw: Use BPF filter based on tcpdump syntax. + * Fix SERVO_JUMP docstring comment + * Improve efficiency of nullf servo synchronization + * clock: Fix stale clock parent pid usage after best master change + * adding delay asymmetry calculation + * organization TLV support for interface rate + * adding speed field information for interface + * function to support get interface speed via ethtool + * unicast_client: cancel sync/delay_response on UC_EV_UNSELECTED event + * unicast_client: fix checkpatch ERROR: trailing whitespace + * unicast_client: stop sending abnormal contract cancel requests + * Don't re-arm fault clearing timer on unrelated netlink events + * port: Avoid faults with vclocks and PHC from command line. + * makefile: use conditional assignment for KBUILD_OUTPUT + * servo: stop rounding initial frequency to nearest ppb + * The PortId is defined as a couple of ClockId (an 8-bytes opaque) and the PortNumber (UInterger16). 
+ * config: Fix -Wformat-truncation warnings. + * unciast_client: trigger BMCA upon CANCEL receive + * ptp4l: Add profile_id configuration support for G.8275.1 and G.8275.2. + * config: allow fractional freq_est_interval + * Added support for Standard Baudrates supported by GNSS receivers + * Extend clockcheck to check for changes in frequency. + * Don't accept errors in clockadj_get_freq(). + * Drop support for old kernels returning zero frequency. + * phc2sys: Add clocks after processing configuration. + * ts2phc: Use system time as the default ToD source + * ts2phc: Add option to specify the ToD source in the config file + * ts2phc: Rename pps_sink to tod_sink in main() + * port: don't clear fault if link is down + * sk: Handle EINTR when waiting for transmit timestamp. + * ts2phc: Update default lstab expiry date + * phc2sys: Update TAI to UTC offset in manual + * Strip Parallel Redundancy Protocol (PRP) trailer + * ts2phc_phc_pps_source: make use of new kernel API for perout waveform + * ts2phc: allow PHC PPS sources to be synchronized + * ts2phc: reconfigure sync direction by subscribing to ptp4l port events + * ts2phc: split PPS sink poll from servo loop + * ts2phc_slave: print offset to the source clock + * ts2phc: instantiate a pmc agent + * util: import port_state_normalize() logic from phc2sys + * ts2phc: instantiate a full clock structure for every PPS source of the PHC kind + * ts2phc: instantiate a full clock structure for every PPS sink + * ts2phc: create a private data structure + * phc2sys: Add support for free-running mode + * G.8275.2 support for delay_mechanism NO_MECHANISM + * port: Disable PHC switch with vclocks. + * unicast: Update announce timer when renew + * phc2sys: Allow multiple sink clocks + * Add new ptp capability. 
+ * Add new management TLVs to pmc.8 + * ptp4l: add VLAN over bond support + * port: refactor port_link_status + * ptp4l: init iface->ts_label when interface created + * phc2sys: Don't exit when reading of PHC fails with EBUSY. + * sysoff: Retry on EBUSY when probing supported ioctls. + * sysoff: Change log level of ioctl error messages. + * sysoff: Change sysoff_measure() to return errno. + * clockadj: Change clockadj_compare() to return errno. + * ts2phc: rename "master" to "source" + * ts2phc: rename "slave clocks" to "PPS sinks" + * ts2phc: rename source code files ("master" to "source", "slave" to "sink") + * pmc_agent: make pmc_agent_query_port_properties take an enum port_state argument + * UDS: allow specifying different file mode for the read-only socket. + * UDS: added option to set file mode for the created socket. + * Fix management TLV print. + * Add new managements TLVs get size. + * port: cancel unicast transmission when closing port. + * port: unicast client - do not add master to foreign master table if not in the unicast master table. + * unicast: Add support to send CANCEL_UNICAST_TRANSMISSION TLVs. + * unicast: Add support to check if message was received from an entry in the unicast master table. + * TLV management messages need to be aligned to 16 bits. + * Fix the descriptions of "G.8275.portDS.localPriority" and "G.8275.defaultDS.localPriority" in ptp4l man page. + * timemaster: Add support for virtual clocks. + * phc2sys: Use PHC index from PORT_HWCLOCK_NP. + * tlv: Add PORT_HWCLOCK_NP. + * port: Check for virtual clocks. + * config: Add port-specific phc_index option. + * Add support for binding sockets to virtual clocks. + * rtnl: Add function to detect virtual clocks. + * rtnl: Fix rtnl_rtattr_parse() to process max attribute. + * phc_ctl: replace calculate_offset with clockadj_compare + * phc2sys: move read_phc into clock_adj.c + * Add UNICAST_MASTER_TABLE_NP management TLV + * pmc: Initialize reserved field in management_tlv_datum. 
+ * Check 'print_log' before arguments are evaluated, not after. + * Add PORT_SERVICE_STATS_NP management TLV + * util: attempt to resolve symlinks to the PHC device in posix_clock_open + * util: fix dangling file descriptors on the error path of posix_clock_open + * Maintain one Sync sequence counter per destination address. + * Maintain one Announce sequence counter per destination address. + * clock: Split update of leap status from clock_time_properties(). + * Delay Response Timeout Feature addition for PTP4L + * clock: Notify servo about leap second on UTC hardware clock. + * clock: Clear leap flags after leap second. + * clock: Print info message when leap flags change. + * clock: Accept new UTC offset after leap second. + * lstab: update expiration to 28 December 2021 + * lstab: Close file after reading. + * Fix quoting in ptp4l man page. + * config: Add workaround for glibc getopt_long(). + * Rename management ID macros. + * clockcheck: Increase minimum interval. + * port: Don't renew raw transport. + * port: Don't check timestamps from non-slave ports. + * clock: Reset clock check on best clock/port change. + * clock: Reset state when switching port with same best clock. + * Increase the default tx_timestamp_timeout to 10 + * ts2phc: Add serial baudrate option + * ts2phc: Update leapfile documentation + * ts2phc: Close socket on peer shutdown + * ts2phc: Fix uninitialized variable in nmea_scan_rmc + * tc: Fix length of follow-up message of one-step sync. + * Validate the messageLength field of incoming messages. + * Log optimization for ptp4l in jbod and client only mode (clientOnly=1 and boundary_clock_jbod=1) + * Log optimization for ptp4l in jbod and client only mode (clientOnly=1 and boundary_clock_jbod=1) + * Add master only management TLV + * Set domainNumber for telecom examples + * Fix SLAVE_ONLY TLV + * Prevent client ports getting stuck in the UNCALIBRATED state. + * tlv: Fix coding style. 
+ * Ensure TLV_PORT_STATS_NP statistics uses little endian. + * Revert "phc2sys: Expand the validation of the PPS mode." + * Avoid undefined integer operations. + * pmc: Fix printed totalCorrectionField. + * Avoid unaligned pointers to packed members. + * Revert "phc2sys: Ensure PHC source when using PPS mode." + * phc_ctl: Fix incorrect memset in do_cmp() + * Fix --initial_delay for automotive profile + * Update man page to reflect the new serverOnly option. + * Convert the example configuration files over to the new serverOnly option. + * Deprecate the masterOnly option in favor of serverOnly. + * Bump to IEEE 1588-2019 version + * Clock Class Threshold Feature addition for PTP4L + * sk: Don't return error for zero-length messages. + * clock: Introduce step_window to free run x Sync events after a clock step. + * timemaster: Set uds_ro_address for ptp4l instances. + * clock: Add read-only UDS port for monitoring. + * clock: Rename UDS variables to read-write. + * clock: Don't allow COMMAND action on non-UDS port. + * port: Ignore non-management messages on UDS port. + * port: Don't assume transport from port number. + * Implement push notification for TIME_STATUS_NP + * tlv: Fix byte reordering in ScaledNs + * Improve port-related log messages. + * port: Cache display name for logs. + * Update man pages to reflect the new clientOnly option. + * Convert the example configuration files over to the new clientOnly option. + * Deprecate the slaveOnly option in favor of clientOnly. + * Check for deprecated "long" options on the command line. + * lstab: Bring expiration up to date. + * util: add SIGHUP handling + * port: Fix link down/up to continue using phc_index set from command line -p option. + * ts2phc: Convert usage message to time source/sink terminology. + * ptp4l: Convert usage messages to client/server terminology. + * phc2sys: Convert usage messages to time source/sink terminology. + * ts2phc: Convert man page to source/sink terminology. 
+ * ptp4l: Convert man page to client/server terminology. + * phc2sys: Convert man page to client/server terminology. + * phc2sys: Convert man page to source/sink terminology. + * phc2sys: Update man page to reflect the new restriction on the PPS mode. + * phc2sys: Ensure PHC source when using PPS mode. + * phc2sys: fix BC sync fault when port in uncalibrated state + * phc2sys: add dbg print for clock state change events + * Update the unicast subscriptions when the GM changes. + * phc2sys: Fix regression in the automatic mode. + * pmc_agent: Remove an obsolete method. + * phc2sys: Simplify the main loop. + * pmc_agent: Let the update method poll for push events. + * phc2sys: Move static configuration to its own subroutine. + * phc2sys: Replace yet another magical test with a proper test. + * phc2sys: Replace magical test with a proper test. + * phc2sys: Expand the validation of the PPS mode. + * phc2sys: Validate the PPS mode right away. + * phc2sys: Replace hard coded tests with a readable helper function. + * phc2sys: Rename PMC agent pointer from node to agent. + * phc2sys: Don't duplicate the command line arguments. + * pmc_agent: Simplify the method that gets of the number of local ports. + * pmc_agent: Generalize the method that queries the local clock identity. + * pmc_agent: Convert the method that queries the port properties. + * pmc_agent: Convert the method that queries TAI-UTC offset into the canonical form. + * phc2sys: Fix null pointer de-reference in manual mode. + * rtnl: Fix trivial spelling error in the name of a helper function. + * Update the description of the time_stamping configuration option. + * Avoid setting clock frequency when free running. + * pmc_agent: Rename the update method and attempt to document it. + * pmc_agent: Perform time comparison using positive logic. + * pmc_agent: Remove bogus comparison between last update and now. + * pmc_agent: Simplify logic in update method. + * pmc_agent: Simplify the update method. 
+ * pmc_agent: Convert the subscribe method into the canonical form. + * Introduce error codes for the run_pmc method. + * Clarify the documentation of the management TLV ID helper function. + * Find a better home for the management TLV data helper function. + * Find a better home for the management TLV ID helper function. + * pmc_agent: Hide the implementation. + * pmc_agent: Rename pmc_node to something more descriptive. + * Introduce the PMC agent module. + * phc2sys: break out pmc code into pmc_common.c + * phc2sys: make PMC functions non-static + * phc2sys: extract PMC functionality into a smaller struct pmc_node + * phc2sys: break long lines in the PTP management message accessors + * phc2sys: Postpone adding of servo to clock. + * phc2sys: Remove superfluous code. + * missing.h: uclic-ng has clock_nanosleep support since v1.0.31 + +- Added hardening to systemd service(s) (bsc#1181400). Modified: + * phc2sys.service + * ptp4l.service + lsof +- lsof 4.99.0: + * Do not hard-code fd numbers in epoll test + * --with-selinux configure option. + * Improve performance by using closefrom() + * Introduce liblsof for programmatic access over spawning lsof + in a subprocess +- build with libtirpc +- switch to upstream tarball again as it dropped proprietary code + +- Repacked tarball to remove proprietary code in dialects/uw/uw7/sys/fs + +- lsof 4.98.0: + * Fix two potential null pointer access bug when gethostbyname2() + returns an empty address list + * Fix handling of empty command name + * Add -H switch to print human readable size, e.g. 
123.4K + +- update to 4.97.0: + * Remove support because the os is no longer updated for + more than 10 years + * Remove support because the os is no longer updated + for more than 20 years + * Add experimental build system based on Autotools + * Fixed LTsock testing on darwin + * Remove NEW and OLD folders + * Fix FreeBSD testcases + * Rewrite documentation and publish at https://lsof.readthedocs.io/ + +- update to 4.96.5: + * Avoid C89-only constructs is Configure +- drop format.patch, now upstream + +- format.patch: Use correct scanf/printf format for uint64_t +- Build with %{optflags} + +- update to 4.96.4 + * fix hash functions used for finding local tcp/udp IPCs + * Show copyright notice in --version output. + * Avoid some easy collissions for udp/udp6 sockets when hashing + * Changing the number of ipcbuckets to 4096 + * obtain correct information of memory-mapped file. +- drop remove-hostname.patch now upstream + +- Update remove-hostname.patch with the upstream version + +- Fix hostname in reproducible builds, bsc#1199709 + * remove-hostname.patch + +- update to 4.95.0: + * Update perl scripts for the past few decades of progress + * Drop LSOF_CCDATE across all dialects to ensure reproducible builds + * Fix FD field description. + * Adjust alignment of buffer passed to stat(). + * Clean up source code and documents. + - remove trailing whitespace, + - fix some issues in scripts found through shellcheck, and + - fix spelling + * man page: fix hyphen issues + * Fix broken LSOF_CFLAGS_OVERRIDE. + * [linux] Remove sysvlegacy function. 
+ * [linux] use close_range instead of calling close repeatedly + * Add -Q option for adjusting exit status when failed to find a + search item (#129) +- drop lsof-no-build-date-etc.patch (obsolete) + +- Update to 4.94.0: + * Fix various bugs + * Display more information for eventfd and other objects +- Remove lsof-glibc-linux-5.0.patch as it has been fixed upstream +- Remove lsof_4.81-include.patch as it is not needed anymore +- Remove lsof_4.81-perl.patch as this change is now done inside the spec file +- Remove lsof_4.81-fmt.patch as it is not needed anymore + +- update to 4.93.2: + The maintainership is switched from Vic to lsof-org + Made FreeBSD 13 adjustment. + Fix a typo causing a build error. + Fix a potential memory leak. + [linux] use tirpc for rpc if libc doesn't provide rpc.h. + Fix a typo in man page. + fix memory leaks detected by valgrind about unix endpoint + information. + Update the description about -fg and -fG options on linux. + Fix a broken symbolic link. + Update the version number embedded in lsof executable. 
+- lsof-no-build-date-etc.patch: refreshed against newer base + +- Add lsof-glibc-linux-5.0.patch: Fix build with + linux-glibc-devel-5.0 by including sysmacros.h as needed (bsc#1181571) + -- license update: Zlib - lsof license is most similar to Zlib (also use SPDX format) - -- repack the tarball to remove legally problematic files - (bnc#705143) - -- change perl reference to /usr/bin/perl which actually exists - -- perl4 refference causes missing perl4 dependency - -- portability fixes (by Pascal) - -- Do not include build host specific information including - date and compilation time to make build-compare happy - -- update to lsof 4.84 - * corrects a man page nroff command error - * recognizes FreeBSD 7.3 - * adds improved task support, initially for Linux - -- update to lsof 4.83 - * corrects an over-zealous test that causes lsof to produce no - ouput when the HASSECURITY and HASNOSOCKSECURITTY have been - specified at lsof build time - * fixes a typo with the LINUX_HASSELUNIX Configure variable - * accepts LSOF_RANLIB from the environment - * added Linux test for __UCLIBC__ - -- fix 64bit issue (gcc 4.5) - -- enable parallel build - lvm2 +- Update lvm2 from LVM2.2.03.16 to LVM2.2.03.22 (jsc#PED-6339) + * 2.03.22: + * Fix pv_major/pv_minor report field types so they are integers, not strings. + * Add lvmdevices --delnotfound to delete entries for missing devices. + * Always use cachepool name for metadata backup LV for lvconvert --repair. + * Make metadata backup LVs read-only after pool's lvconvert --repair. + * Handle 'lvextend --usepolicies' for pools for all activation variants. + * Fix memleak in vgchange autoactivation setup. + * Support conversion from thick to fully provisioned thin LV. + * Cache/Thin-pool can use error and zero volumes for testing. + * Individual thin volume can be cached, but cannot take snapshot. + * internal support for handling error and zero target (for testing). + * COW above trimmed maximal size is does not return error. 
+ * Add lvm.conf thin_restore and cache_restore settings. + * Handle multiple mounts while resizing volume with a FS. + * Handle leading/trailing spaces in sys_wwid and sys_serial used by deivce_id. + * Fix failing -S|--select for non-reporting cmds if using LV info/status fields. + * Allow snapshots of raid+integrity LV. + * Fix multisegment RAID1 allocator to prevent using single disk for more legs. + * 2.03.21: + * Allow (write)cache over raid+integrity LV. + * 2.03.20: + * Fix segfault if using -S|--select with log/report_command_log=1 setting. + * 2.03.19: + * Do not reset SYSTEMD_READY variable in udev for PVs on MD and loop devices. + * Ensure udev is processing origin LV before its thick snapshots LVs. + * 2.03.18: + * Fix warning for thin pool overprovisioning on lvextend. + * Add support for writecache metadata_only and pause_writeback settings. + * Fix missing error messages in lvmdbusd. + * 2.03.17: + * Add new options (--fs, --fsmode) for FS handling when resizing LVs (btrfs is unsupported). + * Fix 'lvremove -S|--select LV' to not also remove its historical LV right away. + * Fix lv_active field type to binary so --select and --binary applies properly. + * Error out in lvm shell if using a cmd argument not supported in the shell. + * Fix lvm shell's lastlog command to report previous pre-command failures. + * Add --valuesonly option to lvmconfig to print only values without keys. + * Add json_std output format for more JSON standard compliant version of output. + * Fix many corner cases in device_id, including handling of S/N duplicates. + * Fix various issues in lvmdbusd. +- device-mapper version upgrade to 1.02.196 + * Improve parallel creation of /dev/mapper/control device node. + * Import previous ID_FS_* udev records in 13-dm-disk.rules for suspended DM dev. + * Remove NAME="mapper/control" rule from 10-dm.rules to avoid udev warnings. + * Improve 'dmsetup create' without given table line with new kernels. 
+ * Add DM_REPORT_GROUP_JSON_STD for more JSON standard compliant output format. +- Drop patches that have been merged into upstream + - 0001-devices-file-move-clean-up-after-command-is-run.patch + - 0002-devices-file-fail-if-devicesfile-filename-doesn-t-ex.patch + - 0003-filter-mpath-handle-other-wwid-types-in-blacklist.patch + - 0004-filter-mpath-get-wwids-from-sysfs-vpd_pg83.patch + - 0005-pvdisplay-restore-reportformat-option.patch + - 0006-exit-with-error-when-devicesfile-name-doesn-t-exist.patch + - 0007-report-fix-pe_start-column-type-from-NUM-to-SIZ.patch + - 0008-_vg_read_raw_area-fix-segfault-caused-by-using-null-.patch + - 0009-mm-remove-libaio-from-being-skipped.patch + - 0010-dmsetup-check-also-for-ouf-of-range-value.patch + - 0011-devices-drop-double-from-sysfs-path.patch + - 0012-devices-file-fix-pvcreate-uuid-matching-pvid-entry-w.patch + - 0013-vgimportdevices-change-result-when-devices-are-not-a.patch + - 0014-vgimportdevices-fix-locking-when-creating-devices-fi.patch + - bug-1203216_lvmlockd-purge-the-lock-resources-left-in-previous-l.patch + - bug-1212613_apply-multipath_component_detection-0-to-duplicate-P.patch +- Add upstream patch + + 0001-lvconvert-swapmetadata-fix-lvmlockd-locking.patch + + 0002-lvconvert-fix-ret-values-fro-integrity-remove.patch + + 0003-lvconvert-fix-regresion-from-integrity-check.patch + + 0004-gcc-cleanup-warnings.patch + + 0005-lvmlockd-fix-thick-to-thin-lv-conversion.patch + + 0006-lvmlockd-let-lockd_init_lv_args-set-lock_args.patch + + 0007-lvmlockd-fix-lvconvert-to-thin-pool.patch + + 0008-lvconvert-run-error-path-code-only-for-shared-VG.patch + + 0009-vgchange-acquire-an-exclusive-VG-lock-for-refresh.patch + + 0010-lvmlockd-client-mutex-ordering.patch + + 0011-filesystem-move-stat-after-open-check.patch + + 0012-tests-check-for-writecache.patch + + 0013-lvresize-fix-32-bit-overflow-in-size-calculation.patch + + 0014-gcc-fix-warnings-for-x32-architecture.patch + + 
0015-gcc-warning-missing-braces-around-initializer.patch + + 0016-test-improve-aux-teardown.patch + + 0017-tests-aux-try-with-extra-sleep.patch + + 0018-tests-aux-using-singl-lvmconf-call.patch + + 0019-tests-missing-to-check-for-writecache-support.patch + + 0020-tests-pvmove-large-disk-area.patch + + 0021-tests-enforce-full-fs-check.patch + + 0022-tests-update-for-work-in-fake-dev-environment.patch + + 0023-tests-skip-test-when-lvmdbusd-runs-on-the-system.patch + + 0024-tests-better-slowdown.patch +- Update patch + - bug-1037309_Makefile-skip-compliling-daemons-lvmlockd-directory.patch + - bug-1184124-link-tests-as-PIE.patch + - bug-1184687_Add-nolvm-for-kernel-cmdline.patch + - fate-31841-03_tests-new-test-suite-of-fsadm-for-btrfs.patch +- Rename & Update patch + - bug-1012973_simplify-special-case-for-md-in-69-dm-lvm-metadata.patch + + bug-1012973_simplify-special-case-for-md-in-69-dm-lvm-rules.patch +- update lvm2.spec + - change upstream_device_mapper_version to 1.02.196 + - change device_mapper_version to %{lvm2_version}_1.02.196 + - add config item "-with-libexecdir=%{_libexecdir}" to fix libexec path since commit a2d33cdf + - add new binary "%{_libexecdir}/lvresize_fs_helper" to lvm2 package + lvm2:devicemapper +- Update lvm2 from LVM2.2.03.16 to LVM2.2.03.22 (jsc#PED-6339) + * 2.03.22: + * Fix pv_major/pv_minor report field types so they are integers, not strings. + * Add lvmdevices --delnotfound to delete entries for missing devices. + * Always use cachepool name for metadata backup LV for lvconvert --repair. + * Make metadata backup LVs read-only after pool's lvconvert --repair. + * Handle 'lvextend --usepolicies' for pools for all activation variants. + * Fix memleak in vgchange autoactivation setup. + * Support conversion from thick to fully provisioned thin LV. + * Cache/Thin-pool can use error and zero volumes for testing. + * Individual thin volume can be cached, but cannot take snapshot. 
+ * internal support for handling error and zero target (for testing). + * COW above trimmed maximal size is does not return error. + * Add lvm.conf thin_restore and cache_restore settings. + * Handle multiple mounts while resizing volume with a FS. + * Handle leading/trailing spaces in sys_wwid and sys_serial used by deivce_id. + * Fix failing -S|--select for non-reporting cmds if using LV info/status fields. + * Allow snapshots of raid+integrity LV. + * Fix multisegment RAID1 allocator to prevent using single disk for more legs. + * 2.03.21: + * Allow (write)cache over raid+integrity LV. + * 2.03.20: + * Fix segfault if using -S|--select with log/report_command_log=1 setting. + * 2.03.19: + * Do not reset SYSTEMD_READY variable in udev for PVs on MD and loop devices. + * Ensure udev is processing origin LV before its thick snapshots LVs. + * 2.03.18: + * Fix warning for thin pool overprovisioning on lvextend. + * Add support for writecache metadata_only and pause_writeback settings. + * Fix missing error messages in lvmdbusd. + * 2.03.17: + * Add new options (--fs, --fsmode) for FS handling when resizing LVs (btrfs is unsupported). + * Fix 'lvremove -S|--select LV' to not also remove its historical LV right away. + * Fix lv_active field type to binary so --select and --binary applies properly. + * Error out in lvm shell if using a cmd argument not supported in the shell. + * Fix lvm shell's lastlog command to report previous pre-command failures. + * Add --valuesonly option to lvmconfig to print only values without keys. + * Add json_std output format for more JSON standard compliant version of output. + * Fix many corner cases in device_id, including handling of S/N duplicates. + * Fix various issues in lvmdbusd. +- device-mapper version upgrade to 1.02.196 + * Improve parallel creation of /dev/mapper/control device node. + * Import previous ID_FS_* udev records in 13-dm-disk.rules for suspended DM dev. 
+ * Remove NAME="mapper/control" rule from 10-dm.rules to avoid udev warnings. + * Improve 'dmsetup create' without given table line with new kernels. + * Add DM_REPORT_GROUP_JSON_STD for more JSON standard compliant output format. +- Drop patches that have been merged into upstream + - 0001-devices-file-move-clean-up-after-command-is-run.patch + - 0002-devices-file-fail-if-devicesfile-filename-doesn-t-ex.patch + - 0003-filter-mpath-handle-other-wwid-types-in-blacklist.patch + - 0004-filter-mpath-get-wwids-from-sysfs-vpd_pg83.patch + - 0005-pvdisplay-restore-reportformat-option.patch + - 0006-exit-with-error-when-devicesfile-name-doesn-t-exist.patch + - 0007-report-fix-pe_start-column-type-from-NUM-to-SIZ.patch + - 0008-_vg_read_raw_area-fix-segfault-caused-by-using-null-.patch + - 0009-mm-remove-libaio-from-being-skipped.patch + - 0010-dmsetup-check-also-for-ouf-of-range-value.patch + - 0011-devices-drop-double-from-sysfs-path.patch + - 0012-devices-file-fix-pvcreate-uuid-matching-pvid-entry-w.patch + - 0013-vgimportdevices-change-result-when-devices-are-not-a.patch + - 0014-vgimportdevices-fix-locking-when-creating-devices-fi.patch + - bug-1203216_lvmlockd-purge-the-lock-resources-left-in-previous-l.patch + - bug-1212613_apply-multipath_component_detection-0-to-duplicate-P.patch +- Add upstream patch + + 0001-lvconvert-swapmetadata-fix-lvmlockd-locking.patch + + 0002-lvconvert-fix-ret-values-fro-integrity-remove.patch + + 0003-lvconvert-fix-regresion-from-integrity-check.patch + + 0004-gcc-cleanup-warnings.patch + + 0005-lvmlockd-fix-thick-to-thin-lv-conversion.patch + + 0006-lvmlockd-let-lockd_init_lv_args-set-lock_args.patch + + 0007-lvmlockd-fix-lvconvert-to-thin-pool.patch + + 0008-lvconvert-run-error-path-code-only-for-shared-VG.patch + + 0009-vgchange-acquire-an-exclusive-VG-lock-for-refresh.patch + + 0010-lvmlockd-client-mutex-ordering.patch + + 0011-filesystem-move-stat-after-open-check.patch + + 0012-tests-check-for-writecache.patch + + 
0013-lvresize-fix-32-bit-overflow-in-size-calculation.patch + + 0014-gcc-fix-warnings-for-x32-architecture.patch + + 0015-gcc-warning-missing-braces-around-initializer.patch + + 0016-test-improve-aux-teardown.patch + + 0017-tests-aux-try-with-extra-sleep.patch + + 0018-tests-aux-using-singl-lvmconf-call.patch + + 0019-tests-missing-to-check-for-writecache-support.patch + + 0020-tests-pvmove-large-disk-area.patch + + 0021-tests-enforce-full-fs-check.patch + + 0022-tests-update-for-work-in-fake-dev-environment.patch + + 0023-tests-skip-test-when-lvmdbusd-runs-on-the-system.patch + + 0024-tests-better-slowdown.patch +- Update patch + - bug-1037309_Makefile-skip-compliling-daemons-lvmlockd-directory.patch + - bug-1184124-link-tests-as-PIE.patch + - bug-1184687_Add-nolvm-for-kernel-cmdline.patch + - fate-31841-03_tests-new-test-suite-of-fsadm-for-btrfs.patch +- Rename & Update patch + - bug-1012973_simplify-special-case-for-md-in-69-dm-lvm-metadata.patch + + bug-1012973_simplify-special-case-for-md-in-69-dm-lvm-rules.patch +- update lvm2.spec + - change upstream_device_mapper_version to 1.02.196 + - change device_mapper_version to %{lvm2_version}_1.02.196 + - add config item "-with-libexecdir=%{_libexecdir}" to fix libexec path since commit a2d33cdf + - add new binary "%{_libexecdir}/lvresize_fs_helper" to lvm2 package + lvm2:lockd +- Update lvm2 from LVM2.2.03.16 to LVM2.2.03.22 (jsc#PED-6339) + * 2.03.22: + * Fix pv_major/pv_minor report field types so they are integers, not strings. + * Add lvmdevices --delnotfound to delete entries for missing devices. + * Always use cachepool name for metadata backup LV for lvconvert --repair. + * Make metadata backup LVs read-only after pool's lvconvert --repair. + * Handle 'lvextend --usepolicies' for pools for all activation variants. + * Fix memleak in vgchange autoactivation setup. + * Support conversion from thick to fully provisioned thin LV. + * Cache/Thin-pool can use error and zero volumes for testing. 
+ * Individual thin volume can be cached, but cannot take snapshot. + * internal support for handling error and zero target (for testing). + * COW above trimmed maximal size is does not return error. + * Add lvm.conf thin_restore and cache_restore settings. + * Handle multiple mounts while resizing volume with a FS. + * Handle leading/trailing spaces in sys_wwid and sys_serial used by deivce_id. + * Fix failing -S|--select for non-reporting cmds if using LV info/status fields. + * Allow snapshots of raid+integrity LV. + * Fix multisegment RAID1 allocator to prevent using single disk for more legs. + * 2.03.21: + * Allow (write)cache over raid+integrity LV. + * 2.03.20: + * Fix segfault if using -S|--select with log/report_command_log=1 setting. + * 2.03.19: + * Do not reset SYSTEMD_READY variable in udev for PVs on MD and loop devices. + * Ensure udev is processing origin LV before its thick snapshots LVs. + * 2.03.18: + * Fix warning for thin pool overprovisioning on lvextend. + * Add support for writecache metadata_only and pause_writeback settings. + * Fix missing error messages in lvmdbusd. + * 2.03.17: + * Add new options (--fs, --fsmode) for FS handling when resizing LVs (btrfs is unsupported). + * Fix 'lvremove -S|--select LV' to not also remove its historical LV right away. + * Fix lv_active field type to binary so --select and --binary applies properly. + * Error out in lvm shell if using a cmd argument not supported in the shell. + * Fix lvm shell's lastlog command to report previous pre-command failures. + * Add --valuesonly option to lvmconfig to print only values without keys. + * Add json_std output format for more JSON standard compliant version of output. + * Fix many corner cases in device_id, including handling of S/N duplicates. + * Fix various issues in lvmdbusd. +- device-mapper version upgrade to 1.02.196 + * Improve parallel creation of /dev/mapper/control device node. 
+ * Import previous ID_FS_* udev records in 13-dm-disk.rules for suspended DM dev. + * Remove NAME="mapper/control" rule from 10-dm.rules to avoid udev warnings. + * Improve 'dmsetup create' without given table line with new kernels. + * Add DM_REPORT_GROUP_JSON_STD for more JSON standard compliant output format. +- Drop patches that have been merged into upstream + - 0001-devices-file-move-clean-up-after-command-is-run.patch + - 0002-devices-file-fail-if-devicesfile-filename-doesn-t-ex.patch + - 0003-filter-mpath-handle-other-wwid-types-in-blacklist.patch + - 0004-filter-mpath-get-wwids-from-sysfs-vpd_pg83.patch + - 0005-pvdisplay-restore-reportformat-option.patch + - 0006-exit-with-error-when-devicesfile-name-doesn-t-exist.patch + - 0007-report-fix-pe_start-column-type-from-NUM-to-SIZ.patch + - 0008-_vg_read_raw_area-fix-segfault-caused-by-using-null-.patch + - 0009-mm-remove-libaio-from-being-skipped.patch + - 0010-dmsetup-check-also-for-ouf-of-range-value.patch + - 0011-devices-drop-double-from-sysfs-path.patch + - 0012-devices-file-fix-pvcreate-uuid-matching-pvid-entry-w.patch + - 0013-vgimportdevices-change-result-when-devices-are-not-a.patch + - 0014-vgimportdevices-fix-locking-when-creating-devices-fi.patch + - bug-1203216_lvmlockd-purge-the-lock-resources-left-in-previous-l.patch + - bug-1212613_apply-multipath_component_detection-0-to-duplicate-P.patch +- Add upstream patch + + 0001-lvconvert-swapmetadata-fix-lvmlockd-locking.patch + + 0002-lvconvert-fix-ret-values-fro-integrity-remove.patch + + 0003-lvconvert-fix-regresion-from-integrity-check.patch + + 0004-gcc-cleanup-warnings.patch + + 0005-lvmlockd-fix-thick-to-thin-lv-conversion.patch + + 0006-lvmlockd-let-lockd_init_lv_args-set-lock_args.patch + + 0007-lvmlockd-fix-lvconvert-to-thin-pool.patch + + 0008-lvconvert-run-error-path-code-only-for-shared-VG.patch + + 0009-vgchange-acquire-an-exclusive-VG-lock-for-refresh.patch + + 0010-lvmlockd-client-mutex-ordering.patch + + 
0011-filesystem-move-stat-after-open-check.patch + + 0012-tests-check-for-writecache.patch + + 0013-lvresize-fix-32-bit-overflow-in-size-calculation.patch + + 0014-gcc-fix-warnings-for-x32-architecture.patch + + 0015-gcc-warning-missing-braces-around-initializer.patch + + 0016-test-improve-aux-teardown.patch + + 0017-tests-aux-try-with-extra-sleep.patch + + 0018-tests-aux-using-singl-lvmconf-call.patch + + 0019-tests-missing-to-check-for-writecache-support.patch + + 0020-tests-pvmove-large-disk-area.patch + + 0021-tests-enforce-full-fs-check.patch + + 0022-tests-update-for-work-in-fake-dev-environment.patch + + 0023-tests-skip-test-when-lvmdbusd-runs-on-the-system.patch + + 0024-tests-better-slowdown.patch +- Update patch + - bug-1037309_Makefile-skip-compliling-daemons-lvmlockd-directory.patch + - bug-1184124-link-tests-as-PIE.patch + - bug-1184687_Add-nolvm-for-kernel-cmdline.patch + - fate-31841-03_tests-new-test-suite-of-fsadm-for-btrfs.patch +- Rename & Update patch + - bug-1012973_simplify-special-case-for-md-in-69-dm-lvm-metadata.patch + + bug-1012973_simplify-special-case-for-md-in-69-dm-lvm-rules.patch +- update lvm2.spec + - change upstream_device_mapper_version to 1.02.196 + - change device_mapper_version to %{lvm2_version}_1.02.196 + - add config item "-with-libexecdir=%{_libexecdir}" to fix libexec path since commit a2d33cdf + - add new binary "%{_libexecdir}/lvresize_fs_helper" to lvm2 package + mariadb-connector-c +- Update to release 3.1.22: + * https://mariadb.com/kb/en/mariadb-connector-c-3-1-22-release-notes/ + mcstrans +- Update to version 3.5 + * preserve runtime directory +- Refreshed harden_mcstrans.service.patch +- Added additional developer key (Jason Zaman) + +- Update to version 3.4 + * Port to PCRE2 +- Dropped patches + * add_includes.patch: Upstream + * mcstrans-writepid.patch: Upstream + +- Finish UsrMerge (bsc#1191075) + +- Update to version 3.3 + * No user-visible changes + +- Added hardening to systemd service(s) (bsc#1181400). 
Added patch(es): + * harden_mcstrans.service.patch + +- Update to version 3.2 + * No user-visible changes, only version bump. + mpich:gnu-hpc +- Update to 4.1.2 + - Update UCX module to includes fixes for building with GCC 13 + - Update libfabric module to 1.18.0 with additional fixes for building + with recent versions of LLVM/Clang + - Fix compiler wrapper scripts to be compatible with CUDA memory hooks + - Fix MPIX_WAITALL_ENQUEUE to make a copy of the input request array + - Fix bug in MPI_ALLREDUCE that could result in ranks receiving + different floating point values + - Fix potential deadlock when progressing RMA windows + - Fix potential crash in MPI_REDUCE with non-zero root and MPI_IN_PLACE + - Fix potential crash during probe with libfabric CXI provider + - Fix MPI_PARRIVED when the partitioned request is inactive + - Fix potential bug when an attribute delete callback deletes another + attribute on the same object + - Fix build issue in ROMIO Lustre driver + - Improve Fortran 2008 binding support detection during configure + - Report an error if collective tuning json file fails to open + - Several fixes for testsuite programs and build configuration + - Update embedded UCX module to 1.13.1. Fixes a build issue with + binutils >= 2.39. + - Update yaksa module. Support explicit NVCC setting by the user. Fixes + a build issue when there is no libtool available in PATH. + - Fix ch4:ucx initialization when configured with + - -enable-ch4-vci-method=implicit. + - Fix potential error handler leak during MPI_SESSION_FINALIZE + - Fix value of MPI_UNDEFINED in mpif.h binding + - Fix MPI_IALLTOALLW with MPI_IN_PLACE + - Fix send attribute handling in IPC path + - Fix a bug in persistent MPI_ALLGATHER + - Fix tests for use with non-MPICH libraries + - Add missing MPI_T_ERR_NOT_ACCESSIBLE error code + - Fix manpages for MPIX functions + - Thread-cs in ch4 changed to per-vci. + - Testsuite (test/mpi) is configured separately from mpich configure. 
+ - Added options in autogen to accelerate CI builds, including using pre-built + sub-modules. Added -yaksa-depth option to generate shallower yaksa pup code + for faster build and smaller binaries. + - Support singleton init using hydra. + - Generate mpi.mod Fortran interfaces using Python 3. For many compilers, + including gfortran, flags such as -fallow-mismatched-args is no longer + necessary. + - Fixed message queue debugger interface in ch4. + - PMI (src/pmi) is refactored as a subdir and can be separately distributed. + - Added MPIX_Comm_get_failed. + - Experimental MPIX stream API to enable explicit thread contexts. + - Experimental MPIX gpu enqueue API. It currently only supports CUDA streams. + - Delays GPU resource allocation in yaksa. + - CH3 nemesis ofi netmod is removed. + - New collective algorithms. All collective algorithms are listed in + src/mpi/coll/coll_algorithms.txt + - Removed hydra2. We will port unique features of hydra2, including + tree-launching, to hydra in the future release. + - Added in-repository wiki documentation. + - Added stream workq to support optimizations for enqueue operations. + - Better support for large count APIs by eliminating type conversion issues. + - Hydra now uses libpmi (src/pmi) for handling PMI messages. + - Many bug fixes and enhancements. 
+- Refresh autogen-only-deal-with-json-yaksa-if-enabled.patch + mpich:gnu-hpc-ofi +- Update to 4.1.2 + - Update UCX module to includes fixes for building with GCC 13 + - Update libfabric module to 1.18.0 with additional fixes for building + with recent versions of LLVM/Clang + - Fix compiler wrapper scripts to be compatible with CUDA memory hooks + - Fix MPIX_WAITALL_ENQUEUE to make a copy of the input request array + - Fix bug in MPI_ALLREDUCE that could result in ranks receiving + different floating point values + - Fix potential deadlock when progressing RMA windows + - Fix potential crash in MPI_REDUCE with non-zero root and MPI_IN_PLACE + - Fix potential crash during probe with libfabric CXI provider + - Fix MPI_PARRIVED when the partitioned request is inactive + - Fix potential bug when an attribute delete callback deletes another + attribute on the same object + - Fix build issue in ROMIO Lustre driver + - Improve Fortran 2008 binding support detection during configure + - Report an error if collective tuning json file fails to open + - Several fixes for testsuite programs and build configuration + - Update embedded UCX module to 1.13.1. Fixes a build issue with + binutils >= 2.39. + - Update yaksa module. Support explicit NVCC setting by the user. Fixes + a build issue when there is no libtool available in PATH. + - Fix ch4:ucx initialization when configured with + - -enable-ch4-vci-method=implicit. + - Fix potential error handler leak during MPI_SESSION_FINALIZE + - Fix value of MPI_UNDEFINED in mpif.h binding + - Fix MPI_IALLTOALLW with MPI_IN_PLACE + - Fix send attribute handling in IPC path + - Fix a bug in persistent MPI_ALLGATHER + - Fix tests for use with non-MPICH libraries + - Add missing MPI_T_ERR_NOT_ACCESSIBLE error code + - Fix manpages for MPIX functions + - Thread-cs in ch4 changed to per-vci. + - Testsuite (test/mpi) is configured separately from mpich configure. 
+ - Added options in autogen to accelerate CI builds, including using pre-built + sub-modules. Added -yaksa-depth option to generate shallower yaksa pup code + for faster build and smaller binaries. + - Support singleton init using hydra. + - Generate mpi.mod Fortran interfaces using Python 3. For many compilers, + including gfortran, flags such as -fallow-mismatched-args is no longer + necessary. + - Fixed message queue debugger interface in ch4. + - PMI (src/pmi) is refactored as a subdir and can be separately distributed. + - Added MPIX_Comm_get_failed. + - Experimental MPIX stream API to enable explicit thread contexts. + - Experimental MPIX gpu enqueue API. It currently only supports CUDA streams. + - Delays GPU resource allocation in yaksa. + - CH3 nemesis ofi netmod is removed. + - New collective algorithms. All collective algorithms are listed in + src/mpi/coll/coll_algorithms.txt + - Removed hydra2. We will port unique features of hydra2, including + tree-launching, to hydra in the future release. + - Added in-repository wiki documentation. + - Added stream workq to support optimizations for enqueue operations. + - Better support for large count APIs by eliminating type conversion issues. + - Hydra now uses libpmi (src/pmi) for handling PMI messages. + - Many bug fixes and enhancements. 
+- Refresh autogen-only-deal-with-json-yaksa-if-enabled.patch + mpich:ofi +- Update to 4.1.2 + - Update UCX module to includes fixes for building with GCC 13 + - Update libfabric module to 1.18.0 with additional fixes for building + with recent versions of LLVM/Clang + - Fix compiler wrapper scripts to be compatible with CUDA memory hooks + - Fix MPIX_WAITALL_ENQUEUE to make a copy of the input request array + - Fix bug in MPI_ALLREDUCE that could result in ranks receiving + different floating point values + - Fix potential deadlock when progressing RMA windows + - Fix potential crash in MPI_REDUCE with non-zero root and MPI_IN_PLACE + - Fix potential crash during probe with libfabric CXI provider + - Fix MPI_PARRIVED when the partitioned request is inactive + - Fix potential bug when an attribute delete callback deletes another + attribute on the same object + - Fix build issue in ROMIO Lustre driver + - Improve Fortran 2008 binding support detection during configure + - Report an error if collective tuning json file fails to open + - Several fixes for testsuite programs and build configuration + - Update embedded UCX module to 1.13.1. Fixes a build issue with + binutils >= 2.39. + - Update yaksa module. Support explicit NVCC setting by the user. Fixes + a build issue when there is no libtool available in PATH. + - Fix ch4:ucx initialization when configured with + - -enable-ch4-vci-method=implicit. + - Fix potential error handler leak during MPI_SESSION_FINALIZE + - Fix value of MPI_UNDEFINED in mpif.h binding + - Fix MPI_IALLTOALLW with MPI_IN_PLACE + - Fix send attribute handling in IPC path + - Fix a bug in persistent MPI_ALLGATHER + - Fix tests for use with non-MPICH libraries + - Add missing MPI_T_ERR_NOT_ACCESSIBLE error code + - Fix manpages for MPIX functions + - Thread-cs in ch4 changed to per-vci. + - Testsuite (test/mpi) is configured separately from mpich configure. 
+ - Added options in autogen to accelerate CI builds, including using pre-built + sub-modules. Added -yaksa-depth option to generate shallower yaksa pup code + for faster build and smaller binaries. + - Support singleton init using hydra. + - Generate mpi.mod Fortran interfaces using Python 3. For many compilers, + including gfortran, flags such as -fallow-mismatched-args is no longer + necessary. + - Fixed message queue debugger interface in ch4. + - PMI (src/pmi) is refactored as a subdir and can be separately distributed. + - Added MPIX_Comm_get_failed. + - Experimental MPIX stream API to enable explicit thread contexts. + - Experimental MPIX gpu enqueue API. It currently only supports CUDA streams. + - Delays GPU resource allocation in yaksa. + - CH3 nemesis ofi netmod is removed. + - New collective algorithms. All collective algorithms are listed in + src/mpi/coll/coll_algorithms.txt + - Removed hydra2. We will port unique features of hydra2, including + tree-launching, to hydra in the future release. + - Added in-repository wiki documentation. + - Added stream workq to support optimizations for enqueue operations. + - Better support for large count APIs by eliminating type conversion issues. + - Hydra now uses libpmi (src/pmi) for handling PMI messages. + - Many bug fixes and enhancements. 
+- Refresh autogen-only-deal-with-json-yaksa-if-enabled.patch + mpich:standard +- Update to 4.1.2 + - Update UCX module to includes fixes for building with GCC 13 + - Update libfabric module to 1.18.0 with additional fixes for building + with recent versions of LLVM/Clang + - Fix compiler wrapper scripts to be compatible with CUDA memory hooks + - Fix MPIX_WAITALL_ENQUEUE to make a copy of the input request array + - Fix bug in MPI_ALLREDUCE that could result in ranks receiving + different floating point values + - Fix potential deadlock when progressing RMA windows + - Fix potential crash in MPI_REDUCE with non-zero root and MPI_IN_PLACE + - Fix potential crash during probe with libfabric CXI provider + - Fix MPI_PARRIVED when the partitioned request is inactive + - Fix potential bug when an attribute delete callback deletes another + attribute on the same object + - Fix build issue in ROMIO Lustre driver + - Improve Fortran 2008 binding support detection during configure + - Report an error if collective tuning json file fails to open + - Several fixes for testsuite programs and build configuration + - Update embedded UCX module to 1.13.1. Fixes a build issue with + binutils >= 2.39. + - Update yaksa module. Support explicit NVCC setting by the user. Fixes + a build issue when there is no libtool available in PATH. + - Fix ch4:ucx initialization when configured with + - -enable-ch4-vci-method=implicit. + - Fix potential error handler leak during MPI_SESSION_FINALIZE + - Fix value of MPI_UNDEFINED in mpif.h binding + - Fix MPI_IALLTOALLW with MPI_IN_PLACE + - Fix send attribute handling in IPC path + - Fix a bug in persistent MPI_ALLGATHER + - Fix tests for use with non-MPICH libraries + - Add missing MPI_T_ERR_NOT_ACCESSIBLE error code + - Fix manpages for MPIX functions + - Thread-cs in ch4 changed to per-vci. + - Testsuite (test/mpi) is configured separately from mpich configure. 
+ - Added options in autogen to accelerate CI builds, including using pre-built + sub-modules. Added -yaksa-depth option to generate shallower yaksa pup code + for faster build and smaller binaries. + - Support singleton init using hydra. + - Generate mpi.mod Fortran interfaces using Python 3. For many compilers, + including gfortran, flags such as -fallow-mismatched-args is no longer + necessary. + - Fixed message queue debugger interface in ch4. + - PMI (src/pmi) is refactored as a subdir and can be separately distributed. + - Added MPIX_Comm_get_failed. + - Experimental MPIX stream API to enable explicit thread contexts. + - Experimental MPIX gpu enqueue API. It currently only supports CUDA streams. + - Delays GPU resource allocation in yaksa. + - CH3 nemesis ofi netmod is removed. + - New collective algorithms. All collective algorithms are listed in + src/mpi/coll/coll_algorithms.txt + - Removed hydra2. We will port unique features of hydra2, including + tree-launching, to hydra in the future release. + - Added in-repository wiki documentation. + - Added stream workq to support optimizations for enqueue operations. + - Better support for large count APIs by eliminating type conversion issues. + - Hydra now uses libpmi (src/pmi) for handling PMI messages. + - Many bug fixes and enhancements. 
+- Refresh autogen-only-deal-with-json-yaksa-if-enabled.patch + mvapich2:gnu-hpc +- Add mvapich2-openpa-add-memory-barriers.patch to fix testsuite issue + on pcc64 (bsc#1216610, bsc#1216612) + mvapich2:gnu-hpc-psm2 +- Add mvapich2-openpa-add-memory-barriers.patch to fix testsuite issue + on pcc64 (bsc#1216610, bsc#1216612) + mvapich2:psm2 +- Add mvapich2-openpa-add-memory-barriers.patch to fix testsuite issue + on pcc64 (bsc#1216610, bsc#1216612) + mvapich2:standard +- Add mvapich2-openpa-add-memory-barriers.patch to fix testsuite issue + on pcc64 (bsc#1216610, bsc#1216612) + ncurses +- Add patch bsc1218014-cve-2023-50495.patch + * Fix CVE-2023-50495: segmentation fault via _nc_wrap_entry() + +- Add patch boo1201384.patch + * Do not fully reset serial lines + obs-service-recompress +- update to version 0.5.2: + * zstd compression with rsyncable and higher compression + +- disable zstd on RHEL, the package is not available on OBS + +- use filebased requires on gzip so that zstd can supplement it as + well + +- Fixed checking for zstd support on different distributions + +- Update to version 0.5.1: + * Use at least 2 threads for xz compression + +- Update to version 0.5.0: + * do not follow symlinks (issue 9) + * add license file + * compression using # of core threads for zstd and xz + * Add support for keeping of original file + * use --threads=0 + +- Update to version 0.4.0+git20200123.696d003: + * run test suite during build + +- Update to version 0.4.0+git20200123.946b23f: + * add zstd compression support + -- Update to version 0.3.1: - + debian: use install-file to simplify rules-file - + Initial debianization - + - avoid problematic quoting - + Fix typo - -- Update to version 0.3.1: - + Fix diffing uncompressed files - -- Update to version 0.3: - + Don't overwrite identical files - -- Move service to github.com/openSUSE/obs-service-recompress -- Add _service file to update package from there -- Drop local sources and use tarball from source services - -- 
Display message on successful (re)compression. - -- always remove uncompressed files -- fix rpmlint warnings - openssh +- Added openssh-cve-2023-48795.patch (bsc#1217950, CVE-2023-48795). + This mitigates a prefix truncation attack that could be used to + undermine channel security. + +- Enhanced SELinux functionality. Added + * openssh-7.8p1-role-mls.patch + Proper handling of MLS systems and basis for other SELinux + improvements + * openssh-6.6p1-privsep-selinux.patch + Properly set contexts during privilege separation + * openssh-6.6p1-keycat.patch + Add ssh-keycat command to allow retrival of authorized_keys + on MLS setups with polyinstantiation + * openssh-6.6.1p1-selinux-contexts.patch + Additional changes to set the proper context during privilege + separation + * openssh-7.6p1-cleanup-selinux.patch + Various changes and putting the pieces together + For now we don't ship the ssh-keycat command, but we need the patch + for the other SELinux infrastructure + This change fixes issues like bsc#1214788, where the ssh daemon + needs to act on behalf of a user and needs a proper context for this + openvpn +- update to 2.6.8: (jsc#PED-5763 bsc#1217073) + * SIGSEGV crash: Do not check key_state buffers that are in S_UNDEF + state - the new sanity check function introduced in 2.6.7 sometimes + tried to use a NULL pointer after an unsuccessful TLS handshake + * CVE-2023-46850 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly + use a send buffer after it has been free()d in some circumstances, + causing some free()d memory to be sent to the peer. All configurations + using TLS (e.g. not using --secret) are affected by this issue. + * CVE-2023-46849 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly + restore --fragment configuration in some circumstances, leading to a + division by zero when --fragment is used. On platforms where division + by zero is fatal, this will cause an OpenVPN crash. 
+ * DCO: warn if DATA_V1 packets are sent by the other side - this a hard + incompatibility between a 2.6.x client connecting to a 2.4.0-2.4.4 + server, and the only fix is to use --disable-dco. + * Remove OpenSSL Engine method for loading a key. This had to be removed + because the original author did not agree to relicensing the code with + the new linking exception added. This was a somewhat obsolete feature + anyway as it only worked with OpenSSL 1.x, which is end-of-support. + * add warning if p2p NCP client connects to a p2mp server - this is a + combination that used to work without cipher negotiation (pre 2.6 on + both ends), but would fail in non-obvious ways with 2.6 to 2.6. + * add warning to --show-groups that not all supported groups are listed + (this is due the internal enumeration in OpenSSL being a bit weird, + omitting X448 and X25519 curves). + * --dns: remove support for exclude-domains argument (this was a new 2.6 + option, with no backend support implemented yet on any platform, and it + turns out that no platform supported it at all - so remove option again) + * warn user if INFO control message too long, do not forward to management + client (safeguard against protocol-violating server implementations) + * DCO-WIN: get and log driver version (for easier debugging). + * print "peer temporary key details" in TLS handshake + * log OpenSSL errors on failure to set certificate, for example if the + algorithms used are in acceptable to OpenSSL (misleading message would be + printed in cryptoapi / pkcs11 scenarios) + * add CMake build system for MinGW and MSVC builds + * remove old MSVC build system + * improve cmocka unit test building for Windows + p11-kit +- Ensure that programs using can be compiled + with CRYPTOKI_GNU. Fixes GnuTLS builds. 
[jsc#PED-6705] + * Add p11-kit-pkcs11-gnu-Enable-testing-with-p11-kit-pkcs11x.h.patch + -- new version 0.20.3 - * Fix problems reinitializing managed modules after fork - * Fix bad bookeeping when fail initializing one of the modules - * Fix case where module would be unloaded while in use [#74919] - * Remove assertions when module used before initialized [#74919] - * Fix handling of mmap failure and mapping empty files [#74773] - * Stable p11_kit_be_quiet() and p11_kit_be_loud() functions - * Require automake 1.12 or later - * Build fixes for Windows [#76594 #74149] -- apply patches to avoid errors from certificates with invalid public key - (fdo#82328, bnc#890908, - trust-Dont-use-invalid-public-keys-for-looking-up-.patch, - trust-Print-label-of-certificate-when-complaining-.patch) - pacemaker +- Update to version 2.1.6+20231205.0f6fbd59f: +- scheduler: log reason for recheck time updates +- scheduler: update recheck time for node-pending-timeout + +- Update to version 2.1.6+20231204.e1a1bd808: +- tools: Fix a regression in tool XML output. (clbz#5529) + +- Update to version 2.1.6+20231122.7534cc50a (Pacemaker-2.1.7-rc2): +- rpm: require minimum libxml2 version of 2.6.0 +- libcrmcommon: Write crm_verify detailed messages to XML +- libcrmcommon: Use const for xmlCtxtGetLastError() (CLBZ#5530) +- libcrmcommon: Drop deprecated libxml2 symbols (CLBZ#5530) +- sysconfig: Use CRM_DAEMON_USER and CRM_DAEMON_GROUP +- sysconfig: Fix defaults for dh_min_bits/dh_max_bits +- sysconfig: Document PCMK_stderr +- pacemakerd: Mark PCMK_shutdown_delay as deprecated +- sysconfig: Document PCMK_cluster_type +- sysconfig: Document PCMK_remote_pid1 +- sysconfig: Document PCMK_node_action_limit +- sysconfig: Mark PCMK_cib_timeout as deprecated +- controld/schedullerd: Change the default value of node-pending-timeout to 0. +- controld: Adding default value for node-pending-timeout. 
+- crm_resource: make --wait wait for pending actions in CIB + +- Update to version 2.1.6+20231031.d0ef74d64 (Pacemaker-2.1.7-rc1): +- attrd: revert faulty T138 fix +- controller: bail if CIB modify fails within transaction +- scheduler: don't show pending nodes as having "<3.15.1" feature set + +- Update to version 2.1.6+20231030.66cc0f083: +- scheduler: *really* ignore monitors for invalid roles +- scheduler: avoid double free with disabled recurring actions +- scheduler: use node when unpacking failure handling for history entries +- scheduler: check for migration actions more accurately +- attrd: avoid regression by reverting 58400e27 +- libcrmcommon: fix readable interval string +- attrd: restore standalone operation for regression testing +- all: avoid "data set" or "working set" in messages +- cts-lab: work around issues with Reattach test +- scheduler: improve node comparison trace messages +- fencer: compare node name case-insensitively +- attrd: Use CIB transaction in attrd_write_attribute() +- attrd: NULL-check the_cib earlier in attrd_write_attribute() +- attrd, controller: Ignore CIB diff if client is safe +- based: Make CIB transactions backward compatible +- libcrmcommon: Bump feature set for CIB transactions +- Rebase: + * bug-812269_pacemaker-fencing-device-register-messages.patch + * bug-995365_pacemaker-cts-restart-systemd-journald.patch + +- Update to version 2.1.6+20231009.5a44f03e4: +- controller: don't fence leaving nodes for node-pending-timeout + +- Update to version 2.1.6+20231004.92cc36b15: +- crm_resource: move/ban fall back to old Promoted equivalent +- libcrmcommon: Ignore text nodes when creating XML patchset + +- Update to version 2.1.6+20231003.0f5df886a: +- scheduler: compare join state case-sensitively +- scheduler: validate "terminate" node attribute better +- controller,scheduler: allow disabling node-pending-timeout + +- Update to version 2.1.6+20231003.c3e159b4d: +- libcrmcommon: Improve error log in pcmk__xml2text() +- 
scheduler: correct meta-attribute name in message +- scheduler: correct message about only-if-unmigratable inputs +- crm_resource: report error when trying to restart unmanaged resources +- scheduler: properly sort rule-based blocks when overwriting values +- scheduler: properly evaluate rules in action meta-attributes + +- Update to version 2.1.6+20230905.dc65dc35f: +- libcrmcommon: Fix error logging in mainloop_add_ipc_server_with_prio. +- fencer: sleep 1s between reconnects +- attrd: Don't write attributes for a CIB replace that we requested +- controller: Drop CIB replace call recording and forgetting +- attrd: Ignore CIB diff notification if shutdown was requested +- controller: improve another shutdown message +- attrd: avoid race condition at writer election +- controller: improve disconnection messages +- agents: HealthCPU - fix the validation of input +- based: improve request processing messages +- agents: avoid deprecated attrd_updater option in ocf:pacemaker:ping +- tools: make crm_node -R use transaction for CIB changes +- agents: HealthCPU - Add the parameter of attrd_delay and fix attrd_updter command +- tools: improve how crm_node -R purges node from fencer +- tools: improve how crm_node -R purges node from CIB +- tools: crm_node shouldn't try to purge nodes from pacemakerd +- controller: improve logs when processing messages + +- Update to version 2.1.6+20230821.d00694366: +- libcrmcommon: fix unit tests on 32-bit hosts with large files (CLBZ#5526) +- libcrmcommon: Use the new bz2-related error code. +- libcrmcommon, daemons: Use the new network-related return codes. 
+- tools: improve attrd_updater -U help +- attrd: improve disconnection messages +- attrd: avoid race condition when shutting down +- controller: improve messages for resource history updates +- controller: guard lrm_state_table usage with NULL check +- controller: don't try to execute agent action at shutdown +- scheduler: make validate_on_fail() replace value +- scheduler: compare action names case-sensitively in validate_on_fail() +- schemas: Add a new schema for crm_node. +- tools: Convert crm_node -l/-p to formatted output. +- tools: Convert crm_node -i to formatted output. +- tools: Convert crm_node -q to use formatted output. +- tools: Convert crm_node -n/-N to use formatted output. +- libcrmcommon: Bump feature set for crm_node formatted output +- libpacemaker: Change the type of the node_id argument. +- libcrmcommon: wait for reply from appropriate controller commands +- daemons: Disable sync points in certain circumstances. +- tools: Fix a bug in clone resource description display (rh#2106642) +- tools: The dampen parameter is disabled when setting values with attrd_updater. +- libcrmcommon: fix regression in XML logging +- build: No longer try to package the cts python directory. 
+- libpe_status: compare action names case-sensitively +- Rebase: + * bug-806256_pacemaker-log-level-notice.patch + * bug-943295_pacemaker-lrmd-log-notice.patch + * bug-995365_pacemaker-cts-restart-systemd-journald.patch + +- Update to version 2.1.6+20230711.ecd2395f8: - * bsc#1213125-0001-Fix-controller-do-not-check-whether-watchdog-fencing.patch +- Update to version 2.1.6+20230710.a6d9205af: +- various: compare XML element names case-sensitively +- libpacemaker: Honor role-based colocations for bundles +- libpacemaker: Anti-colocations affect scores when roles match +- libpacemaker: Don't shuffle clone instances unnecessarily (rh#1931023) +- rpm: allow passing custom rpmbuild options (CLBZ#5520) +- libcrmcommon: improve IPC connection logging and retries +- libcrmcommon: wait 500ms before IPC connection retry +- various: use pcmk__connect_generic_ipc() instead of crm_ipc_connect() +- various: use pcmk__ipc_fd() instead of crm_ipc_get_fd() +- libcrmcommon: implement is_ipc_provider_expected() as series of fallbacks +- libcrmcommon: fix is_ipc_provider_expected() with HAVE_GETPEERUCRED +- libcrmcommon: fix is_ipc_provider_expected() with HAVE_SOCKPEERCRED +- libcrmcommon: don't set libqb object context +- scheduler: continue with non-sequential set members after error +- scheduler: improve colocation unpacking messages (and comments) +- CIB: be more strict about ignoring colocation elements without an ID +- scheduler: consider explicit colocations with group members +- scheduler: improve logs when unpacking colocation sets +- CIB: deprecate "ordering" attribute of "resource_set" +- scheduler: improve error-checking when creating colocations + +- Update to version 2.1.6+20230629.1c619c29a: +- libpacemaker: Respect clone-node-max for cloned groups +- libpacemaker: Log which resource we're adding colocations for +- scheduler: distinguish unrunnable from migration unrunnable in displays +- scheduler: check pointer for NULL *before* dereferencing it +- scheduler: 
compare strings case-sensitively where appropriate +- scheduler: assert on invalid usage of assignment methods +- rpm: enforce libcmocka-devel version dependency + +- Update to version 2.1.6+20230615.16fc250dc: +- controller: Replace node state atomically at DC join ack step (rh#2000595, CLBZ#5306) +- libpacemaker: Get container attr from assigned node, if any +- Rebase: + * bug-806256_pacemaker-log-level-notice.patch + +- Update to version 2.1.6+20230614.36c04fbf9: +- libpacemaker: use "Assignment" instead of "Allocation" +- libpacemaker: avoid "weight" in log messages +- libpacemaker: use "assignment" terminology consistently +- INSTALL: Add libcmocka version dependency (CLBZ#5518) +- scheduler: improve a couple of bundle messages +- scheduler: compare anti-colocation dependent negative preferences against stickiness + +- Enable crypto-policies support: [bsc#1211301] + * Honor the system-wide crypto-policies, via package-build-time + configurable "pcmk_gnutls_priorities" defaulting to @SYSTEM. 
+ +- Update to version 2.1.6+20230612.dcecc9db0: - * bsc#1198767-0006-Fix-controller-update-node-state-correctly-based-on-.patch - * bsc#1198767-0005-Refactor-libcrmcluster-internal-functions-for-gettin.patch - * bsc#1198767-0004-Refactor-libcrmcluster-ability-to-search-for-a-node-.patch +- controller: trigger a new transition if a pending node has reached `node-pending-timeout` +- controller: pass abort_timer to the timeout function abort_timer_popped() +- controller: read `node-pending-timeout` cluster option +- cts-scheduler: add regression test for fencing a pending node that has reached `node-pending-timeout` +- scheduler: fence a pending node that has reached `node-pending-timeout` +- scheduler: add `node-pending-timeout` cluster option +- scheduler: ability to determine node status from `in_ccm` and `crmd` fields of `node_state` based on timestamps +- controller: record the timestamps of a node becoming a cluster member and online in CPG in CIB `node_state` +- libcrmcluster: add ability to record the timestamps of a node becoming a cluster member and online in CPG +- libcrmcommon: bump feature set to 3.18.0 for handling node pending timeout - * bsc#1198767-0003-Test-cts-scheduler-update-regression-test-about-not-.patch - * bsc#1198767-0002-Fix-scheduler-Do-not-fence-a-pending-node-that-doesn.patch - * bsc#1198767-0001-Test-cts-scheduler-add-regression-test-about-a-pendi.patch + +- Update to version 2.1.6+20230612.e6e89f803: +- libcib: Support transactions for CIB file clients +- libcrmcommon: replace_xml_node() segfaults when doc is shared +- libcib: Allow multiple cib_file clients simultaneously +- crm_verify: Add --quiet option to crm_verify +- based: Support CIB transactions + +- Update to version 2.1.6+20230607.730523cd1: +- libcrmservice: Fix an error when coverage is enabled. +- scheduler: revert recently introduced regression +- cts: self.rsh returns a tuple, not a single value. 
+- xml: Improve efficiency of attribute value obtainment +- based: NULL-check digest strings in cib_process_command() +- based: Fix use-after-free in cib_process_command() +- based: Fix bad sync check in sync_our_cib() +- scheduler: skip non-exclusive nodes correctly for clones +- scheduler: order clone instances properly + +- Update to version 2.1.6+20230524.f1298840d: +- libcrmcommon: Fix Coverity false positive pcmk__file_contents() +- libcrmcommon: NULL-check argument to pcmk__mark_xml_created() +- controller: When a remote node starts, apply any start state. +- liblrmd: Save a remote node's requested start state +- daemons: Add start state to LRMD handshake XML +- Rebase: + * bug-995365_pacemaker-cts-restart-systemd-journald.patch +- Update to version 2.1.6+20230524.6fdc9deea (Pacemaker-2.1.6): +- scheduler: ensure earlier group member starts happen after later member stops + +- Update to version 2.1.5+20230502.802a72226 (Pacemaker-2.1.6-rc2): +- scheduler: consider mandatory colocations before optional +- Update to version 2.1.5+20230501.832463d94: - * bsc#1210857-0001-Low-daemons-pacemakerd-S-should-wait-for-shutdown-be.patch +- Update to version 2.1.5+20230501.b049bbeea: +- scheduler: deprecate support for Nagios resources (jsc#PED-3877, jsc#PED-4446) +- scheduler: deprecate "moon" in date_spec elements in rules +- daemons: Preserve transient attrs when possible +- daemons: Sync remote connection info with new controllers. +- daemons: Record the node hosting a remote connection resource. +- daemons: Add node hosting connection resource to state XML. +- daemons: Broadcast remote node state changes to all controllers +- daemons: Add daemon uptime to execd XML replies. 
+ +- Update to version 2.1.5+20230424.6127934e3: - * bsc#1210074-0011-Fix-fencer-fencing-timeout-sent-to-peer-takes-no-del.patch - * bsc#1210074-0010-Fix-libpacemaker-initial-timeout-for-fencing-callbac.patch - * bsc#1210074-0009-Log-controller-use-target-terminology-consistently.patch - * bsc#1210074-0008-Log-controller-log-fencing-timeout-consistently-in-s.patch - * bsc#1210074-0007-Fix-controller-initial-timeout-for-fencing-callback-.patch - * bsc#1210074-0006-Fix-fencer-apply-requested-fencing-delay-only-for-th.patch - * bsc#1210074-0005-Fix-fencer-fencing-timeouts-take-any-pcmk_delay_base.patch - * bsc#1210074-0004-Fix-fencer-add-correct-values-of-pcmk_delay_base-max.patch - * bsc#1210074-0003-Fix-fencer-per-operation-fencing-timeout-takes-any-r.patch - * bsc#1210074-0002-Fix-fencer-total-fencing-timeout-takes-any-requested.patch - * bsc#1210074-0001-Test-cts-fencing-regression-test-for-fencing-timeout.patch +- Update to version 2.1.5+20230418.ccc3b3344: +- python: Default CTS iterations to 1. + +- Update to version 2.1.5+20230417.095c09eee (Pacemaker-2.1.6-rc1): +- NLS: update translations for current code base +- sysconfig: improve help text +- sysconfig: overhaul enviroment variable descriptions +- tools: avoid use-after-free of attribute ID +- tools: fix use-after-free of attribute set name + +- Update to version 2.1.5+20230411.dbe567bfd: - * bsc#1209640-0001-Fix-controller-avoid-use-after-free-when-disconnecti.patch +- Update to version 2.1.5+20230410.97fbe1f31: +- daemons: Add the default port to pacemaker-remoted help output. +- controller: Don't use "//" in the fence XML query. 
+- scheduler: attenuate chained "with this" colocation scores +- scheduler: don't add group colocations twice +- controller: Unlocked lrm_resource should include cleared/expired +- controller: Ensure we don't ignore relevant CIB replacements +- based: Use correct local-only diff logic +- scheduler: make asymmetric ordering handling more efficient +- scheduler: use correct action when determining order set flags +- Rebase: + * bug-806256_pacemaker-log-level-notice.patch + * bug-977201_pacemaker-controld-self-fencing.patch + +- Update to version 2.1.5+20230403.7945075ce: +- tools: Deprecate crm_mon --simple-status +- tools: crm_mon can use update mode with XML, text, none +- tools: Last-one-wins for crm_mon --daemonize and --one-shot +- tools: Fix crm_mon seg fault when curses is missing (CLBZ#5512) +- tools: Don't ignore invalid format in reconcile_output_formats +- tools: Case-sensitive comparisons in reconcile_output_format() +- tools: Implement --output-as=none in crm_mon.c + +- Update to version 2.1.5+20230328.76c42a514: +- python: Disable the too-many-statements warning from pylint. 
+- scheduler: NULL-check when adding colocations to list +- scheduler: always add clone constraints to instances' lists +- scheduler: avoid trace log and method call if not needed +- scheduler: always add group's own "this with" colocations +- scheduler: always add group's own "with this" colocations +- scheduler: add "group with" colocations to later members independent of assignment +- scheduler: always add "group with" colocations to first member +- scheduler: always add "with group" colocations to last member - * 0001-Fix-controller-Delay-join-finalization-if-a-transiti.patch +- Update to version 2.1.5+20230323.ee1bc67ff: +- crm_resource: Add the --element option for delete & set - * 0001-Fix-extra-resources-SysInfo.in-This-calculation-of-c.patch +- Rebase: + * bug-995365_pacemaker-cts-restart-systemd-journald.patch +- Update to version 2.1.5+20230320.22590c566: - * bsc#1209586-0001-Fix-libcrmcommon-allow-crm_attribute-to-try-OCF_RESO.patch +- libcrmcommon, libpe_status: New enabled meta attr for alerts +- scheduler: message now applies to all nodes - * 0001-Low-libcrmcommon-avoid-libqb-assertion.patch - +- tools: Formatted output in crm_shadow +- schemas: New diff and any-element schemas +- schemas: New crm_shadow and instruction schemas + +- Update to version 2.1.5+20230314.692147cd3: +- tools: Don't teardown on unsuccessful crm_shadow --delete +- tools: Don't print teardown message for crm_shadow --commit +- libcib: Don't unset env var in cib_new_no_shadow() +- scheduler: avoid displaying failed operations as pending (bsc#1206263) - * Drop obsolete bsc#1206263-0004-Fix-libpacemaker-ensure-any-pending-recurring-monito.patch - * 0001-Test-cts-regression-reflect-any-test-failures-again-.patch +- alerts: make alert_snmp.sh.sample compatible with SNMPv3 - * bsc#1208868-0001-Fix-tool-update-crm_mon-synopsis.patch +- Update to version 2.1.5+20230309.a4b0ea1b5: +- controller: compare recordable actions case-sensitively - * 
CLBZ#5509-0001-Fix-libcrmcommon-Don-t-parse-INFINITY-as-a-list-of-c.patch - * 0001-Fix-tools-crm_shadow-commit-now-works-with-CIB_file.patch +- scheduler: expired results shouldn't affect state +- scheduler: avoid remap log if not remapped +- scheduler: always treat degraded results as success - * 0003-Fix-watchdog-fencing-correctly-derive-timeout-with-t.patch - * 0002-Refactor-watchdog-fencing-convenience-function-pcmk_.patch - * 0001-Fix-watchdog-fencing-terminate-dangling-timer-before.patch +- scheduler: ensure resource history entries have an XML ID +- crm_resource: Add the --element option for --get-parameter - * 0001-Low-libcrmcommon-Fix-problems-with-pcmk__output_and_.patch +- libcrmcommon: Fix memleak in pcmk__output_xml_add_node_copy() +- Rebase: + * bug-806256_pacemaker-log-level-notice.patch + * pacemaker-cts-StartCmd.patch +- Update to version 2.1.5+20230220.c4f6c191a: - * 0001-High-libcrmcommon-Fix-handling-node-NULL-in-pcmk__at.patch - * rh#2166967-0002-Fix-fencer-Avoid-double-source-remove-of-op_timer_to.patch +- Rebase: + * bug-806256_pacemaker-log-level-notice.patch +- Update to version 2.1.5+20230216.ed8bc68bc: +- scheduler: count only containers' active nodes for bundles + +- Update to version 2.1.5+20230208.231b58a40: +- cts: Add a basic cts-attrd program. +- daemons: Modify a couple log messages for testing. +- daemons: Add a -l argument to pacemaker-attrd. +- daemons: Skip connecting to the CIB in attrd standalone mode. +- daemons: Add some additional errors for when startup fails. +- daemons: Add a standalone argument for attrd. - * rh#2166967-0001-Fix-fencer-Prevent-double-g_source_remove-of-op_time.patch +- tools: Don't allow use of --name and --pattern at the same time. +- tools: Add sync point support to crm_attribute. +- tools: Add pattern support to attrd_updater. 
- * bsc#1182313-0005-Test-scheduler-update-expected-output-for-migration-.patch - * bsc#1182313-0004-Fix-scheduler-handle-cleaned-migrate_from-history-co.patch - * bsc#1182313-0003-Test-scheduler-add-regression-test-for-migration-int.patch - * bsc#1182313-0002-Low-scheduler-unknown_on_node-should-ignore-pending-.patch - * bsc#1182313-0001-Refactor-scheduler-improve-xpath-efficiency-when-unp.patch +- daemons: Fix pointer management in attrd_client_update. +- scheduler: improve migration history validation + +- Update to version 2.1.5+20230201.11c15a89f: +- crm_mon: Display the descriptions in crm_mon output +- libcrmcommon: parse_op_key() can now handle confirmed notifications +- xml: change resources-related schemas and bump PCMK__API_VERSION +- crm_resouce: Add the description to the XML output of crm_resource --list +- python: Disable a couple more pylint warnings. +- scheduler: correctly choose container vs inside resource for interleaving +- scheduler: ignore node when getting resource inside container +- Update to version 2.1.5+20230125.95bb4788a: - * bsc#1207319-0002-Fix-libpacemaker-avoid-assertion-failure-if-a-node_s.patch - * bsc#1207319-0001-Refactor-libpacemaker-unify-bailing-out-in-pcmk__inj.patch +- Update to version 2.1.5+20230124.a29e52df9: - * 0001-High-executor-fix-regression-in-remote-node-shutdown.patch +- scheduler: avoid memory leak when finding compatible instance +- Update to version 2.1.5+20230123.f414133a7: +- libcrmcommon: avoid infinite regression when logging v1 patchsets +- controller: clear last failure from CIB even if executor state unavailable +- scheduler: downgrade message about instance where it shouldn't be +- controller: use %u with g_hash_table_size() +- fenced: use enum fenced_target_by consistently +- scheduler: update Chinese translation + +- Update to version 2.1.5+20230117.dd503ddbb: +- libcrmcommon: bump feature set for crm_attribute --pattern with -v/-D and permanent attributes +- resource agents: add depth="0" to 
validate-all metadata + +- Update to version 2.1.5+20230111.39e62b78e: +- rpm: Add a python3-pacemaker subpackage. +- python: Add a private pacemaker._cts module. +- python: Add the pacemaker.buildoptions module. +- python: Add the pacemaker.exitstatus module. +- python: Add the very beginnings of a pacemaker python library. + +- Update to version 2.1.5+20230110.292d6bf6b: +- libpe_status: clarify more pointer arguments +- libcrmcommon: Improve prefix spacing in XML logging functions + +- Update to version 2.1.5+20221220.51cc0bfbc: +- scheduler: order cloned fence device probes same as other clones +- libcrmcommon: Remove colon and space from log line after prefix +- libcrmcommon: Avoid out-of-bounds string access in log_data_element +- libcrmcommon: Don't use aliases in XML logging functions +- libcrmcommon: pcmk__output_xml_add_node() -> *_copy() +- libcrmcommon: Assert on failed copy in copy_xml() +- tools: Allow patterns for permanent attribute in crm_attribute. + +- Update to version 2.1.5+20221212.b4db7685a: - * bsc#1206263-0006-Test-cts-scheduler-update-test-for-preventing-inacti.patch - * bsc#1206263-0005-Fix-scheduler-prevent-inactive-instances-from-starti.patch - * bsc#1206263-0004-Fix-libpacemaker-ensure-any-pending-recurring-monito.patch - * bsc#1206263-0003-Test-cts-scheduler-update-test-for-preventing-a-left.patch - * bsc#1206263-0002-Fix-scheduler-prevent-a-leftover-pending-monitor-fro.patch - * bsc#1206263-0001-Test-cts-scheduler-add-test-for-preventing-a-leftove.patch + +- Update to version 2.1.5+20221212.074e9c860: +- tools: Support setting transient utilization attrs from crm_attribute. +- scheduler: Unpack transient utilization attributes. +- daemons: Add support for transient utilization attributes. +- libcrmcommon: Add a block attr to an IPC update request. +- tools: Add a -z option to attrd_updater. + +- Update to version 2.1.5+20221208.cd0f91f51: +- libcrmcommon: Warn if deprecated command line formats are used. 
+- controller: Don't nack joining node due to old CIB +- based: Successful CIB schema upgrade should always force a write +- based: Don't write to disk if CIB replace failed +- tools: Fix trivial memory leak in cibadmin +- based: Fix double free() in pacemaker-based.c +- libpe_status: avoid memory leak on regular expression error +- controller: Avoid election storm due to incompatible CIB +- libpacemaker: don't regfree() if regcomp() failed +- libpe_status: don't try to use compiled expression if regcomp() failed +- libcrmcommon: don't regfree() if regcomp() failed +- controller: Avoid error if a join request is received after fencing +- controller: Don't double-increment failcount for simulated failures +- daemons, tools: Unregister formats before exiting +- scheduler: Advertise metadata option in scheduler help output +- fencer: Use formatted output in pacemaker-fenced +- fencer: Correct refresh logic in update_cib_cache_cb() +- controller: Reduce CIB deletions during reprobe +- controller: Don't reprobe remotes when target is only cluster node +- add zh_cn translation for error (#2957) +- tools: Validate scope in cibadmin.c +- tools: Add status as valid cibadmin scope +- tools: Fix action danger check in cibadmin +- libcrmcommon: Null-check return value of pcmk__uid2username() +- daemons: Support cluster-wide sync points for multi IPC messages. 
+- tools: Fix scope/xpath parsing in cibadmin +- libcrmcommon: Bump feature set for daemon formatted output +- executor: Use formatted output in pacemaker-execd +- pacemaker-based: Use formatted output in pacemaker-based +- controller: Use formatted output in pacemaker-controld +- controller: Node exits fatally in response to join nack +- libcrmcommon: Retry pcmk_connect_ipc() if EAGAIN +- controller: Remove CRM_CHECK in update_dc for no current DC +- Pacemaker Explained: Clarify resource maintenance mode (CLBZ#5382) +- libpe_status: Node maintenance mode sets resource maintenance flag +- libpe_status: crm_mon shows "maintenance" for rsc maint meta +- schemas: resources schema supports maintenance attribute +- daemons: Check for NULL in attrd_do_not_expect_from_peer. +- tools: crm_mon fencing history is now in high resolution +- libpe_status: Use correct guint format specifier for failed action +- add zh_CN translation for pacemaker-schedulerd libexec +- daemons: Handle crm_ipc_new returning a NULL. +- tools: crm_mon now shows last_update origin +- schema: Add update origin to crm_mon output +- tools: crm_mon --daemonize should update when disconnected +- tools: Improve log messages in crm_mon.c +- tools: Remove an output format-based sleep() call from crm_mon +- tools: Include Pacemaker status in crm_mon output +- libcib: Preserve return code in cib__signon_query() +- libpacemaker: Use correct pcmkd state format in XML message +- daemons: Avoid infinite confirm loops in attrd. +- daemons: Handle an attrd client timing out. +- attrd: Fix removing clients from the waitlist when they disconnect. +- daemons: Handle cluster-wide sync points in attrd. +- daemons: Keep track of #attrd-protocol from each peer. +- daemons: Respond to received attrd confirmation requests. 
+- libpacemaker: Show pcmkd status if we can't get native CIB +- libpacemaker: Check conn status in pcmk__get_fencing_history() +- libcib: Allow cib client reuse in cib__signon_query() +- tools: Add --wait=cluster option to attrd_updater. +- libpacemaker: Improve invalid reply type logging in cluster queries +- includes: Bump CRM_FEATURE_SET for local sync points. +- daemons: Add support for local sync points on clearing failures. +- daemons: If a client disconnects, remove it from the waitlist. +- daemons: Add support for local sync points on updates. +- tools: Add --wait= parameter to attrd_updater. +- Rebase: + * bug-806256_pacemaker-log-level-notice.patch -- attrd: don't start a new election when receiving a client update +- attrd: don't start a new election when receiving a client update (bsc#1215446) perl-Cpanel-JSON-XS +- updated to 4.37 + see /usr/share/doc/packages/perl-Cpanel-JSON-XS/Changes + 4.37 2023-07-04 (rurban) + - Fix NAN/INF for AIX (Tux: AIX-5.3, tested by XSven on AIX-7.3) GH #165 + - Fix empty string result in object stringification (PR #221 jixam) + - Allow \' in strings when allow_singlequote is enabled (PR #217 warpspin) + perl-Mojolicious +- updated to 9.35 + see /usr/share/doc/packages/perl-Mojolicious/Changes + 9.35 2023-10-27 + - Added EXPERIMENTAL support for persistent cookies in Netscape format. + - Added EXPERIMENTAL file attribute to Mojo::UserAgent::CookieJar. + - Added EXPERIMENTAL load, save and to_string methods to Mojo::UserAgent::CookieJar. + - Fixed error reporting when loading applicartions with syntax errors. (haarg) + - Fixed absolute URL support in url_for_file and url_for_asset methods. (rawleyfowler) + plocate +- Add Provides/Obsoletes mlocate for Tumbleweed only + * Since CtLG Leap have try to make SLE compatible as much as possible, + SLE's default locate system is mlocate and it should not be replaced + by other locate service by default. plocate be an option. 
+ policycoreutils +- Re-add "Obsoletes: policycoreutils-python <= 2.6" to avoid file + conflicts with /usr/share/bash-completion/completions/setsebool + of older policycoreutils-python-2.6 + +- Only recommend policycoreutils-devel. The requires causes build issues + and this can be used with a policy from a different source +- Required fixed python3-selinux, not version dependend sub-packages + +- Recommend setools-console as these cli tools compliment policycoreutils + for analysis and debugging of policy issues + +- Add requires for policycoreutils-devel for selinux-policy-devel as + policycoreutils-devel requires this + +- Adjust python requirement for newer SLES versions + +- Add Leap compatibility symlinks between /usr/sbin and /sbin (bsc#1210482) +- Refresh GPG keyring + +- Add python-wheel build dependency to build correctly with latest + python-pip version. + +- Update to version 3.5 + * fixfiles: Unmount temporary bind mounts on SIGINT + * Lots of smaller changes +- Refreshed get_os_version.patch +- Drop chcat_handle_missing_translations.patch, is upstream +- Add additional BuildRequires for python +- Added additional developer key (Jason Zaman) +- Add requires for python3-distro for the devel package + +- Use %_pam_vendordir + +- Error in spec file: No "config" tag in "/usr/ should be used. + +- Migration PAM settings to /usr/etc: Saving user changed + configuration files in /etc and restoring them while an RPM + update. + +- Add recommends for ausearch binary (bsc#1201043) + +- Handle missing translations properly in chcat. Added + chcat_handle_missing_translations.patch (bsc#1200752) + +- Build and package translations for python-utils (boo#1200752). + +- Update to version 3.4 + * fixfiles: Use parallel relabeling +- Refreshed patches + * get_os_version.patch + * run_init.pamd.patch + +- Fix file list: package ru/man8/sepolgen.8 only in the devel + package (was in devel and main). 
+ +- finish UsrMerge (bsc#1191089) + +- Update to version 3.3 + * Lots of fuzzing fixes + * `fixfiles -C` doesn't exclude /dev and /run anymore + Refreshed get_os_version.patch + +- Update to version 3.2 + * Tools using sepolgen, e.g. audit2allow, print extended permissions in + hexadecimal + * sepolgen sorts extended rules like normal ones + * `setfiles` doesn't abort on labeling errors +- Refreshed get_os_version.patch + poppler -- security update -- added patches - fix CVE-2023-34872 [bsc#1213888], remote denial-of-service in OutlineItem::open in Outline.cc - + poppler-CVE-2023-34872.patch +- Add patch to let it build with the heavily patched tiff 4.0.9 + we have in SLE 15: + * reduce-libtiff-required-version.patch + +- version update to 23.10.0 + core: + * cairo: update type 3 fonts for cairo 1.18 api + * Fix crash on malformed files + build system: + * Make a few more dependencies soft-mandatory + * Add more supported gnupg releases + * Check if linker supports version scripts +- modified patches + % reduce-boost-required-version.patch (refreshed) + +- build with gpgmepp for signing documents (bsc#1215632) + +- Update to version 23.09.0: + * core: + - Add Android-specific font matching functionality + - Fix digital signatures for NeedAppearance=true + - Forms: Don't look up same glyph multiple times + - Provide the key location for certificates you can sign with + - Add ToUnicode support for similarequal + - Fix crash on malformed files + * qt5: + - Provide the key location for certificates you can sign with + - Allow to force a rasterized overprint preview during PS + conversion + * qt6: + - Provide the key location for certificates you can sign with + - Allow to force a rasterized overprint preview during PS + conversion + * pdfsig: + - Provide the key location for certificates you can sign with +- Changes from version 23.08.0: + * core: + - Fix GWG 19.2 - DeviceN Overprint (White) + - Splash: avoid bogus memory allocation size in + doTilingPatternFill + - 
Fix use-of-uninitialized-value in XRef + - Fix float-cast-overflow error in Catalog + - Cleanup gpgme backend code + - Version symbols in poppler core + * glib: + - Improve poppler_get_available_signing_certificates + - Add new members to PopplerCertificateInfo + * utils: + - pdftotext: small improvement to man page +- Bump poppler_sover to 131 following upstream changes. + +- update to 23.07.0: + core: + * Fix reading of utf8-with-bom files + * Fix crash if CERT_ExtractPublicKey doesn't return a public + key + * Fix rendering of some malformed documents. Issue #1395 + * Allow for stream compression and compress font streams in + forms Remove method Hints::getPageRanges + qt5: + * Fix crash when overprint preview is enabled + * Don't fail signature basics tests if backend is not + configured + qt6: + * Fix crash when overprint preview is enabled + * Don't fail signature basics tests if backend is not + configured + utils: + * pdfsig: Allow showung and selecting signature backend + * pdfsig: Describe signature dump format in manual page + +- update to 23.06.0 (bsc#1212255): + * CairoOutputDev: Fix crash when doing type3 rendering + * Fix crash with unknown signature hashing algorithms + * Add gpgme backend for signature handling + * FontInfo: Make it return proper information about font + substitution + * FontInfo: Try harder to get Type 3 font name + * Store embedded fonts widths table in a more effective manner + * Skip font lookup for nonprintable characters + * Fix crash on malformed files + * Add API to allow selecting signature backend (nss or gpgme) + * Convert embedded files to bytearray a bit smarter + +- update to 23.05.0: + * Fix crash when filling some forms + * Set SigFlags when signing unsigned signature + * Add some infrastructure code to support multiple signing + backends + * Fix potential stack overflow in PostScriptFunction::parseCode + * Fix some minor uninitialised memory reads + +- update to 23.04.0: + * Fix memory issue when signing fails. 
Issue #1372 + * Internal improvements of signature related code + * CairoOutputDev: improve type3 font rendering + * Fix memory leak in + GlobalParams::findSystemFontFileForFamilyAndStyle + * pdftocairo: Fix crash in some special situations + * pdfsig: allow holes in -dump signature list + * pdfsig: Support --help + +- update to 23.03.0: + core: + * PngWriter: Fix potential uninitialized memory use + +- Update to version 23.02.0: + + core: + * CairoOutputDev: + . Fix rendering of color type 3 fonts + . Add handling matte entry + * Fix segfault on wrong nssdir + * Fix "NSS could not shutdown" + + utils: pdfsig: Point out supports PKCS#11 URIs as nickname postfix +- (bsc#1218304) VUL-0: postfix: new SMTP smuggling attack + (bsc#1218314) SMTP Smuggling - Spoofing E-Mails Worldwide + Apply patch containing the feature smtpd_forbid_unauth_pipelining + as default yes. + add patch: + postfix-3.7-patch06 +- Security: the Postfix SMTP server optionally disconnects remote + SMTP clients that violate RFC 2920 (or 5321) command pipelining + constraints. The server replies with "554 5.5.0 Error: SMTP protocol + synchronization" and logs the unexpected remote SMTP client input. + Specify "smtpd_forbid_unauth_pipelining = yes" to enable. +- Workaround to limit collateral damage from OS distributions that + crank up security to 11, increasing the number of plaintext email + deliveries. This introduces basic OpenSSL configuration file support, + with two new parameters "tls_config_file" and "tls_config_name". + Details are in the postconf(5) manpage under "tls_config_file" and + "tls_config_name". + postfix-bdb +- (bsc#1218304) VUL-0: postfix: new SMTP smuggling attack + (bsc#1218314) SMTP Smuggling - Spoofing E-Mails Worldwide + Apply patch containing the feature smtpd_forbid_unauth_pipelining + as default yes. 
+ add patch: + postfix-3.7-patch06 +- Security: the Postfix SMTP server optionally disconnects remote + SMTP clients that violate RFC 2920 (or 5321) command pipelining + constraints. The server replies with "554 5.5.0 Error: SMTP protocol + synchronization" and logs the unexpected remote SMTP client input. + Specify "smtpd_forbid_unauth_pipelining = yes" to enable. +- Workaround to limit collateral damage from OS distributions that + crank up security to 11, increasing the number of plaintext email + deliveries. This introduces basic OpenSSL configuration file support, + with two new parameters "tls_config_file" and "tls_config_name". + Details are in the postconf(5) manpage under "tls_config_file" and + "tls_config_name". + ppc64-diag +- Migrate from cron to systemd timers. + ppp +- bsc#1218251, CVE-2022-4603, ppp-CVE-2022-4603.patch: improper + validation of array index of the component pppdump. + pv +- disable testsuite for s390x [bsc#1215338] +- remove _constraints again as it didn't help +- deleted sources + - _constraints (not needed) + python-apsw +- update to 3.44.2.0: + * Added `logger` parameter to :func:`apsw.ext.log_sqlite` to + use a specific :class:`logging.Logger` (:issue:`493`) + * Added :func:`apsw.ext.result_string` to turn an result code + into a string, taking into account if it is extended or not. + * Provide detail when C implemented objects are printed. For + example :class:`connections ` include the filename. + * Added :meth:`URIFilename.parameters` (:issue:`496`) + * :class:`URIFilename` are only valid for the duration of the + :meth:`VFS.xOpen` call. If you save and use the object later + you will get an exception. (:issue:`501`) + +- update to 3.44.0.0: + * Added virtual table :meth:`VTTable.Integrity` support. + * On 64 bit platforms with the amalgamation, + `SQLITE_MAX_MMAP_SIZE SQLite's default limit is 2GB. + * :meth:`Connection.create_aggregate_function` can take a class + with step and final methods. 
(:issue:`421`) + * Corrected non :pep:`8` :ref:`compliant names `. + The old names remain as aliases to the new ones, and your + code will not break. + * :doc:`Exception ` handling has been updated, with + multiple exceptions in the same SQLite control flow being + chained together. + +- Update to 3.43.1.0 + - All C code calling into Python and all C code called by Python + uses vectorcall / fastcall (see PEP 590) which reduces the + overhead of passing and receiving positional and keyword + arguments. (APSW issue 477 APSW issue 446): + * Conversion of arguments from Python values to C values drops + generic PyArg_ParseTupleAndKeywords in favour of direct + processing which is more efficient and allows better + exception messages. + * Running speedtest with a VFS that inherits all methods went + from being 17% slower than pure SQLite to 2% slower. + * A virtual table benchmark takes 35% less time. (Remember that + benchmarks are best case!) + - The shell JSON output modes have been fixed. Mode 'json' + outputs a json array, while mode 'jsonl' does newline delimited + json objects, aka json lines. (APSW issue 483) +- Changes from 3.43.1.0 + - This is the last version that supports Python 3.6 and + Python 3.7 (both end of life). The policy as stated in the + about page is that there will be one more APSW release after + a Python version goes end of life supporting that Python + version. (APSW issue 471) + - Added best practice module (APSW issue 460) + - apsw.ext.log_sqlite() outputs SQLite warnings at warning level. + (APSW issue 472) + - sqlite3_stmt_explain is wrapped available as a explain keyword + parameter on execute/executemany methods. 
(APSW issue 474) + - Added documentation and helper class for implementing custom + pragmas in your own Virtual File System (VFS) (APSW issue 464) + - Reduced overhead of the Column method when using + apsw.ext.make_virtual_module() (APSW issue 465) + +- Update to 3.42.0.1: + - Work with SQLite compiled with + SQLITE_OMIT_DEPRECATED. Connection.setprofile() was changed + from using the deprecated sqlite3_profile to sqlite3_trace_v2 + giving the same results. When including the amalgamation, + SQLITE_OMIT_DEPRECATED is defined. (APSW issue 443) + - Shell updates adding various commands to match the SQLite + shell, as well as code and documentation improvements. (APSW + issue 397) + - Added Connection.read() and apsw.ext.dbinfo() to provide + information from the database and journal/wal files. The + shell command .dbinfo displays it. + - Added apsw.vfs_details(). The shell command .vfslist displays + it. + - Implemented VFS method xCurrentTimeInt64. The default SQLite + VFS no longer provide xCurrentTime (floating point version) + if SQLITE_OMIT_DEPRECATED is defined, so this is needed for + inheritance to work. (APSW issue 451) + - Backwards incompatible change: VFS If you override + xCurrentTime, then you will need to override + xCurrentTimeInt64 in the same way, or exclude + xCurrentTimeInt64 in VFS, or use iVersion of 1. + - speedtest now shows summary statistics, and improved help + text. (APSW issue 444) +- Clean up the SPEC file, use %pyproject_* macros instead. +- Make the test suite pass again (gh#rogerbinns/apsw#462). + +- Add %{?sle15_python_module_pythons} + +- update to 3.42.0.0: + * Shell: Errors when SQLite are preparing a statement now show + the relevant extract of the query, and where the error was + detected. + * Shell: Output modes table (ASCII line drawing, lots of + sanitization), box (Unicode line drawing) and + qbox (box with quoted values) available. 
+ * Shell: if started interactively then box is the default mode + (list remains the default in non-interactive) + * Added :meth:`Connection.pragma` to execute pragmas + and get results. + * Added :attr:`Cursor.get` returning query results with the + least amount of structure. + * Fixed execution tracers should return comment text for + comment only queries, and add :attr:`Cursor.has_vdbe`. + * Ensure that all applicable options are implemented for + :func:`apsw.config`, :meth:`Connection.config` and similar. + * Added :func:`apsw.sleep` + * Strings for :meth:`apsw.VFS.xNextSystemCall` are interned + * Detect unbound recursion not handled by CPython, and handle + better. + +- update to 3.41.2.0: + * Fixed :issue:`412` in :meth:`apsw.ext.make_virtual_module`. + * Added :meth:`apsw.connections` to get all connections. + * :func:`sys.unraisablehook` is called correctly (:issue:`410`) + * Be stricter where :class:`bool` values are expected (eg + * :meth:`VTTable.BestIndex`), only accepting :class:`int` and + :class:`bool`. Previously you could for example supply + strings and lists, which were almost certainly unintended + errors. + +- update to 3.40.1.0: + * Implemented `window functions + * Function flags can be specified to + Connection.createscalarfunction and + Connection.createaggregatefunction + * Added apsw.mapping_function_flags + * Added Connection.trace_v2` with apsw.mapping_trace_codes + and apsw.mapping_statement_status + * Ensure all SQLite APIs are wrapped. + * When an unraisable exception happens, sqlite3_log is + now called so you will have context within SQLite's actions. + * sys.unraisablehook now called first, and if it doesn't exist then + sys.excepthook as before. + * When the wrong type is given for a function argument, the + error message now includes the parameter name and function + signature. + * Let SQLite do size checking instead of APSW for strings and + blobs. 
+ * Added :meth:`apsw.ext.log_sqlite` which installs a handler + that forwards SQLite messages to the logging module + * Added set_default_vfs and unregister_vfs taking vfs + names. + +- update to 3.40.0.0: + * Fixed regression in statement cache update (version 3.38.1-r1) where + trailing whitespace in queries would be incorrectly treated as + incomplete execution (APSW issue 376) + * Added Various interesting and useful bits of functionality (APSW issue + 369) + * Added more Pythonic attributes as an alternative to getters and setters, + including Connection.in_transaction, Connection.exectrace, + Connection.rowtrace, Cursor.exectrace, Cursor.rowtrace, + Cursor.connection (APSW issue 371) + * Completed: To the extent permitted by CPython APIs every item has the + same docstring as this documentation. Every API can use named + parameters. The type stubs cover everything including constants. The + type stubs also include documentation for everything, which for example + Visual Studio Code displays as you type or hover. There is a single + source of documentation in the source code, which is then automatically + extracted to make this documentation, docstrings, and docstrings in the + type stubs. + * Example/Tour updated and appearance improved (APSW issue 367). + * Added Connection.cache_stats() to provide more information about the + statement cache. + * Cursor.execute() now uses sqlite_prepare_v3 which allows supplying + flags. + * Cursor.execute() has a new can_cache parameter to control whether the + query can use the statement cache. One example use is with authorizers + because they only run during prepare, which doesn’t happen with already + cached statements. + * (The Cursor.execute() additional parameters are keyword only and also + present in Cursor.executemany(), and the corresponding + Connection.execute() and Connection.executemany() methods.) + * Added Cursor.is_readonly, Cursor.is_explain, and Cursor.expanded_sql. 
+ * Updated processing named bindings so that types registered with + collections.abc.Mapping (such as collections.UserDict) will also be + treated as dictionaries. (APSW issue 373) + * Test no longer fails if APSW was compiled without + SQLITE_ENABLE_COLUMN_METADATA but sqlite3 was separately compiled with + it. APSW should be compiled with the same flags as sqlite3 to match + functionality and APIs. (APSW issue 363) + * –use-system-sqlite-config setup.py build_ext option added to allow + Matching APSW and SQLite options. (APSW issue 364) + * Source ▪ Downloads ▪ Changelogs ▪ Documentation + * PyPI now includes Python 3.11 builds. + * Instead of using scripts, you can now run several tools directly: + * tests: python3 -m apsw.tests [options] + * tracer: python3 -m apsw.trace [options] + * speed tester: python3 -m apsw.speedtest [options] + * shell: python3 -m apsw [options] + * The shell class has moved from apsw.Shell to apsw.shell.Shell (APSW + issue 356). You can still reference it via the old name (ie existing + code will not break, except on Python 3.6). + * Shell: On Windows the native console support for colour is now used + (previously a third party module was supported). + * You can use –definevalues in setup.py build_ext to provide compiler + defines used for configuring SQLite. (APSW issue 357) + * If SQLITE_ENABLE_COLUMN_METADATA is enabled then Cursor.description_full + is available providing all the column metadata available. (APSW issue + 354) + * Connection.cursor_factory attribute is now present and is used when + Connection.cursor() is called. Added Connection.execute() and + Connection.executemany() which automatically obtain the underlying + cursor. See customizing connections and cursors in the Tips. (APSW issue + 361) + python-cryptography +- Add CVE-2023-49083.patch to fix A null-pointer-dereference and + segfault could occur when loading certificates from a PKCS#7 bundle. 
+ bsc#1217592 + python-pip +- Add CVE-2023-5752-r-param-hg.patch to fix bsc#1217353 + (CVE-2023-5752) avoiding injection of arbitrary configuration + through Mercurial parameter. + python-pytest-console-scripts +- Fix build error for Leap. + +- update to 1.4.1: + * Dropped support for Python 3.7 + * Fix loading scripts with non-UTF-8 encodings. + * Print output when a subprocess runner with `check=True` fails + was missing. + * Added type-hinting for all types, + `pytest_console_scripts.ScriptRunner` + can now be used to hint the `script_runner` fixture. + * Added support for the `shell` and `check` keywords for in- + process mode. + * Passing command arguments in `*args` is now deprecated and + will raise warnings. + * Dropped support for Python 3.6 + * Install-time dependencies have been fixed. + +- Update to 1.3.1: + * Remove use of mock. +- Drop patch remove-mock.patch, included upstream. + +- Update to 1.3: + * Add a note on manual result printing to README - #50 + * Bump Python version to 3.6 - fix #51 +- Add patch remove-mock.patch: + * Remove use of mock. + +- pytest-runner is not required for build + +- version update to 1.2.1 + * no upstream changelog +- deleted patches + - virtualenv-20.patch (upstreamed) + +- do not require pytest-runner for build, it is not needed + +- Do not pull in pytest twice + +- Add patch to work with python-virtualenv >= 20: + * virtualenv-20.patch + python-shaptools +- Create version 0.3.14 +- Make shaptools available for venv-salt-minion (bsc#1212695) + python3-cryptography +- Add CVE-2023-49083.patch to fix A null-pointer-dereference and + segfault could occur when loading certificates from a PKCS#7 bundle. 
+ bsc#1217592 + python312 +- Update patch fix_configure_rst.patch +- Update to 3.12.1 (CVE-2023-6507, bsc#1217939): + - Core and Builtins + - gh-112125: Fix None.__ne__(None) returning NotImplemented + instead of False + - gh-112625: Fixes a bug where a bytearray object could be + cleared while iterating over an argument in the + bytearray.join() method that could result in reading memory + after it was freed. + - gh-105967: Workaround a bug in Apple’s macOS platform zlib + library where zlib.crc32() and binascii.crc32() could produce + incorrect results on multi-gigabyte inputs. Including when + using zipfile on zips containing large data. + - gh-112356: Stopped erroneously deleting a LOAD_NULL bytecode + instruction when optimized twice. + - gh-111058: Change coro.cr_frame/gen.gi_frame to return None + after the coroutine/generator has been closed. This fixes a bug + where getcoroutinestate() and getgeneratorstate() return the + wrong state for a closed coroutine/generator. + - gh-112388: Fix an error that was causing the parser to try to + overwrite tokenizer errors. Patch by pablo Galindo + - gh-112387: Fix error positions for decoded strings with + backwards tokenize errors. Patch by Pablo Galindo + - gh-112367: Avoid undefined behaviour when using the perf + trampolines by not freeing the code arenas until shutdown. + Patch by Pablo Galindo + - gh-112243: Don’t include comments in f-string debug + expressions. Patch by Pablo Galindo + - gh-112266: Change docstrings of __dict__ and __weakref__. + - gh-111654: Fix runtime crash when some error happens in opcode + LOAD_FROM_DICT_OR_DEREF. + - gh-109181: Speed up Traceback object creation by lazily compute + the line number. Patch by Pablo Galindo + - gh-102388: Fix a bug where iso2022_jp_3 and iso2022_jp_2004 + codecs read out of bounds + - gh-111366: Fix an issue in the codeop that was causing + SyntaxError exceptions raised in the presence of invalid syntax + to not contain precise error messages. 
Patch by Pablo Galindo + - gh-111380: Fix a bug that was causing SyntaxWarning to appear + twice when parsing if invalid syntax is encountered later. + Patch by Pablo galindo + - gh-94438: Fix a regression that prevented jumping across is + None and is not None when debugging. Patch by Savannah + Ostrowski. + - gh-110938: Fix error messages for indented blocks with + functions and classes with generic type parameters. Patch by + Pablo Galindo + - gh-109894: Fixed crash due to improperly initialized static + MemoryError in subinterpreter. + - gh-110782: Fix crash when typing.TypeVar is constructed with a + keyword argument. Patch by Jelle Zijlstra. + - gh-110696: Fix incorrect error message for invalid argument + unpacking. Patch by Pablo Galindo + - gh-110543: Fix regression in Python 3.12 where + types.CodeType.replace() would produce a broken code object if + called on a module or class code object that contains a + comprehension. Patch by Jelle Zijlstra. + - gh-110514: Add PY_THROW to sys.setprofile() events + - gh-110455: Guard assert(tstate->thread_id > 0) with #ifndef + HAVE_PTHREAD_STUBS. This allows for for pydebug builds to work + under WASI which (currently) lacks thread support. + - gh-110259: Correctly identify the format spec in f-strings + (with single or triple quotes) that have multiple lines in the + expression part and include a formatting spec. Patch by Pablo + Galindo + - gh-110237: Fix missing error checks for calls to PyList_Append + in _PyEval_MatchClass. + - gh-109889: Fix the compiler’s redundant NOP detection algorithm + to skip over NOPs with no line number when looking for the next + instruction’s lineno. + - gh-109853: sys.path[0] is now set correctly for + subinterpreters. + - gh-105716: Subinterpreters now correctly handle the case where + they have threads running in the background. Before, such + threads would interfere with cleaning up and destroying them, + as well as prevent running another script. 
+ - gh-109793: The main thread no longer exits prematurely when a + subinterpreter is cleaned up during runtime finalization. The + bug was a problem particularly because, when triggered, the + Python process would always return with a 0 exitcode, even if + it failed. + - gh-109596: Fix some tokens in the grammar that were incorrectly + marked as soft keywords. Also fix some repeated rule names and + ensure that repeated rules are not allowed. Patch by Pablo + Galindo + - gh-109351: Fix crash when compiling an invalid AST involving a + named (walrus) expression. + - gh-109216: Fix possible memory leak in BUILD_MAP. + - gh-109207: Fix a SystemError in __repr__ of symtable entry + object. + - gh-109179: Fix bug where the C traceback display drops notes + from SyntaxError. + - gh-109052: Use the base opcode when comparing code objects to + avoid interference from instrumentation + - gh-88943: Improve syntax error for non-ASCII character that + follows a numerical literal. It now points on the invalid + non-ASCII character, not on the valid numerical literal. + - gh-106931: Statically allocated string objects are now interned + globally instead of per-interpreter. This fixes a situation + where such a string would only be interned in a single + interpreter. Normal string objects are unaffected. + - Library + - gh-79325: Fix an infinite recursion error in + tempfile.TemporaryDirectory() cleanup on Windows. + - gh-112645: Remove deprecation error on passing onerror to + shutil.rmtree(). + - gh-112618: Fix a caching bug relating to typing.Annotated. + Annotated[str, True] is no longer identical to Annotated[str, + 1]. + - gh-112334: Fixed a performance regression in 3.12’s subprocess + on Linux where it would no longer use the fast-path vfork() + system call when it should have due to a logic bug, instead + always falling back to the safe but slower fork(). 
+ - Also fixed a related 3.12 security regression: If a value of + extra_groups=[] was passed to subprocess.Popen or related APIs, + the underlying setgroups(0, NULL) system call to clear the + groups list would not be made in the child process prior to + exec(). This has been assigned CVE-2023-6507. + - This was identified via code inspection in the process of fixing + the first bug. + - gh-110190: Fix ctypes structs with array on Arm platform by + setting MAX_STRUCT_SIZE to 32 in stgdict. Patch by Diego Russo. + - gh-112578: Fix a spurious RuntimeWarning when executing the + zipfile module. + - gh-112509: Fix edge cases that could cause a key to be present + in both the __required_keys__ and __optional_keys__ attributes + of a typing.TypedDict. Patch by Jelle Zijlstra. + - gh-112414: Fix regression in Python 3.12 where calling repr() on + a module that had been imported using a custom loader could fail + with AttributeError. Patch by Alex Waygood. + - gh-112358: Revert change to struct.Struct initialization that + broke some cases of subclassing. + - gh-94722: Fix bug where comparison between instances of DocTest + fails if one of them has None as its lineno. + - gh-112105: Make readline.set_completer_delims() work with + libedit + - gh-111942: Fix SystemError in the TextIOWrapper constructor with + non-encodable “errors” argument in non-debug mode. + - gh-109538: Issue warning message instead of having RuntimeError + be displayed when event loop has already been closed at + StreamWriter.__del__(). + - gh-111942: Fix crashes in io.TextIOWrapper.reconfigure() when + pass invalid arguments, e.g. non-string encoding. + - gh-111460: curses: restore wide character support (including + curses.unget_wch() and get_wch()) on macOS, which was + unavailable due to a regression in Python 3.12. + - gh-103791: contextlib.suppress now supports suppressing + exceptions raised as part of a BaseExceptionGroup, in addition + to the recent support for ExceptionGroup. 
+ - gh-111804: Remove posix.fallocate() under WASI as the underlying + posix_fallocate() is not available in WASI preview2. + - gh-111841: Fix truncating arguments on an embedded null + character in os.putenv() and os.unsetenv() on Windows. + - gh-111541: Fix doctest for SyntaxError not-builtin subclasses. + - gh-110894: Call loop exception handler for exceptions in + client_connected_cb of asyncio.start_server() so that + applications can handle it. Patch by Kumar Aditya. + - gh-111531: Fix reference leaks in bind_class() and bind_all() + methods of tkinter widgets. + - gh-111356: Added io.text_encoding(), io.DEFAULT_BUFFER_SIZE, and + io.IncrementalNewlineDecoder to io.__all__. + - gh-111342: Fixed typo in math.sumprod(). + - gh-68166: Remove mention of not supported “vsapi” element type + in tkinter.ttk.Style.element_create(). Add tests for + element_create() and other ttk.Style methods. Add examples for + element_create() in the documentation. + - gh-75666: Fix the behavior of tkinter widget’s unbind() method + with two arguments. Previously, widget.unbind(sequence, funcid) + destroyed the current binding for sequence, leaving sequence + unbound, and deleted the funcid command. Now it removes only + funcid from the binding for sequence, keeping other commands, + and deletes the funcid command. It leaves sequence unbound only + if funcid was the last bound command. + - gh-79033: Another attempt at fixing + asyncio.Server.wait_closed(). It now blocks until both + conditions are true: the server is closed, and there are no more + active connections. (This means that in some cases where in + 3.12.0 this function would incorrectly have returned + immediately, it will now block; in particular, when there are no + active connections but the server hasn’t been closed yet.) + - gh-111295: Fix time not checking for errors when initializing. + - gh-111253: Add error checking during _socket module init. 
+ - gh-111251: Fix _blake2 not checking for errors when + initializing. + - gh-111174: Fix crash in io.BytesIO.getbuffer() called repeatedly + for empty BytesIO. + - gh-111187: Postpone removal version for + locale.getdefaultlocale() to Python 3.15. + - gh-111159: Fix doctest output comparison for exceptions with + notes. + - gh-110910: Fix invalid state handling in asyncio.TaskGroup and + asyncio.Timeout. They now raise proper RuntimeError if they are + improperly used and are left in consistent state after this. + - gh-111092: Make turtledemo run without default root enabled. + - gh-110488: Fix a couple of issues in + pathlib.PurePath.with_name(): a single dot was incorrectly + considered a valid name, and in PureWindowsPath, a name with an + NTFS alternate data stream, like a:b, was incorrectly considered + invalid. + - gh-110392: Fix tty.setraw() and tty.setcbreak(): previously they + returned partially modified list of the original tty attributes. + tty.cfmakeraw() and tty.cfmakecbreak() now make a copy of the + list of special characters before modifying it. + - gh-110590: Fix a bug in _sre.compile() where TypeError would be + overwritten by OverflowError when the code argument was a list + of non-ints. + - gh-65052: Prevent pdb from crashing when trying to display + undisplayable objects + - gh-110519: Deprecation warning about non-integer number in + gettext now alwais refers to the line in the user code where + gettext function or method is used. Previously it could refer to + a line in gettext code. + - gh-110395: Ensure that select.kqueue() objects correctly appear + as closed in forked children, to prevent operations on an + invalid file descriptor. + - gh-110378: contextmanager() and asynccontextmanager() context + managers now close an invalid underlying generator object that + yields more then one value. + - gh-110365: Fix termios.tcsetattr() bug that was overwritting + existing errors during parsing integers from term list. 
+ - gh-109653: Fix a Python 3.12 regression in the import time of + random. Patch by Alex Waygood. + - gh-110196: Add __reduce__ method to IPv6Address in order to keep + scope_id + - gh-110036: On Windows, multiprocessing Popen.terminate() now + catchs PermissionError and get the process exit code. If the + process is still running, raise again the PermissionError. + Otherwise, the process terminated as expected: store its exit + code. Patch by Victor Stinner. + - gh-110038: Fixed an issue that caused KqueueSelector.select() to + not return all the ready events in some cases when a file + descriptor is registered for both read and write. + - gh-109631: re functions such as re.findall(), re.split(), + re.search() and re.sub() which perform short repeated matches + can now be interrupted by user. + - gh-109747: Improve errors for unsupported look-behind patterns. + Now re.error is raised instead of OverflowError or RuntimeError + for too large width of look-behind pattern. + - gh-109818: Fix reprlib.recursive_repr() not copying + __type_params__ from decorated function. + - gh-109047: concurrent.futures: The executor manager thread now + catches exceptions when adding an item to the call queue. During + Python finalization, creating a new thread can now raise + RuntimeError. Catch the exception and call terminate_broken() in + this case. Patch by Victor Stinner. + - gh-109782: Ensure the signature of os.path.isdir() is identical + on all platforms. Patch by Amin Alaee. + - gh-109590: shutil.which() will prefer files with an extension in + PATHEXT if the given mode includes os.X_OK on win32. If no + PATHEXT match is found, a file without an extension in PATHEXT + can be returned. This change will have shutil.which() act more + similarly to previous behavior in Python 3.11. + - gh-109786: Fix possible reference leaks and crash when re-enter + the __next__() method of itertools.pairwise. 
+ - gh-109593: Avoid deadlocking on a reentrant call to the + multiprocessing resource tracker. Such a reentrant call, though + unlikely, can happen if a GC pass invokes the finalizer for a + multiprocessing object such as SemLock. + - gh-109613: Fix os.stat() and os.DirEntry.stat(): check for + exceptions. Previously, on Python built in debug mode, these + functions could trigger a fatal Python error (and abort the + process) when a function succeeded with an exception set. Patch + by Victor Stinner. + - gh-109375: The pdb alias command now prevents registering + aliases without arguments. + - gh-107219: Fix a race condition in concurrent.futures. When a + process in the process pool was terminated abruptly (while the + future was running or pending), close the connection write end. + If the call queue is blocked on sending bytes to a worker + process, closing the connection write end interrupts the send, + so the queue can be closed. Patch by Victor Stinner. + - gh-50644: Attempts to pickle or create a shallow or deep copy of + codecs streams now raise a TypeError. Previously, copying failed + with a RecursionError, while pickling produced wrong results + that eventually caused unpickling to fail with a RecursionError. + - gh-108987: Fix _thread.start_new_thread() race condition. If a + thread is created during Python finalization, the newly spawned + thread now exits immediately instead of trying to access freed + memory and lead to a crash. Patch by Victor Stinner. + - gh-108791: Improved error handling in pdb command line + interface, making it produce more concise error messages. + - gh-105829: Fix concurrent.futures.ProcessPoolExecutor deadlock + - gh-106584: Fix exit code for unittest if all tests are skipped. + Patch by Egor Eliseev. + - gh-102956: Fix returning of empty byte strings after seek in + zipfile module + - gh-84867: unittest.TestLoader no longer loads test cases from + exact unittest.TestCase and unittest.FunctionTestCase classes. 
+ - gh-91133: Fix a bug in tempfile.TemporaryDirectory cleanup, + which now no longer dereferences symlinks when working around + file system permission errors. + - gh-73561: Omit the interface scope from an IPv6 address when + used as Host header by http.client. + - gh-86826: zipinfo now supports the full range of values in the + TZ string determined by RFC 8536 and detects all invalid + formats. Both Python and C implementations now raise exceptions + of the same type on invalid data. + - bpo-43153: On Windows, tempfile.TemporaryDirectory previously + masked a PermissionError with NotADirectoryError during + directory cleanup. It now correctly raises PermissionError if + errors are not ignored. Patch by Andrei Kulakov and Ken Jin. + - bpo-35332: The shutil.rmtree() function now ignores errors when + calling os.close() when ignore_errors is True, and os.close() no + longer retried after error. + - bpo-41422: Fixed memory leaks of pickle.Pickler and + pickle.Unpickler involving cyclic references via the internal + memo mapping. + - bpo-40262: The ssl.SSLSocket.recv_into() method no longer + requires the buffer argument to implement __len__ and supports + buffers with arbitrary item size. + - Documentation + - gh-111699: Relocate smtpd deprecation notice to its own section + rather than under locale in What’s New in Python 3.12 document + - gh-108826: dis module command-line interface is now mentioned in + documentation. Test- s + - gh-112769: The tests now correctly compare zlib version when + zlib.ZLIB_RUNTIME_VERSION contains non-integer suffixes. For + example zlib-ng defines the version as 1.3.0.zlib-ng. + - gh-110367: Make regrtest --verbose3 option compatible with + - -huntrleaks -jN options. The ./python -m test -j1 -R 3:3 + - -verbose3 command now works as expected. Patch by Victor + Stinner. + - gh-111165: Remove no longer used functions run_unittest() and + run_doctest() from the test.support module. 
+ - gh-110932: Fix regrtest if the SOURCE_DATE_EPOCH environment + variable is defined: use the variable value as the random seed. + Patch by Victor Stinner. + - gh-110995: test_gdb: Fix detection of gdb built without Python + scripting support. Patch by Victor Stinner. + - gh-110918: Test case matching patterns specified by options + - -match, --ignore, --matchfile and --ignorefile are now tested + in the order of specification, and the last match determines + whether the test case be run or ignored. + - gh-110647: Fix test_stress_modifying_handlers() of test_signal. + Patch by Victor Stinner. + - gh-103053: Fix test_tools.test_freeze on FreeBSD: run “make + distclean” instead of “make clean” in the copied source + directory to remove also the “python” program. Patch by Victor + Stinner. + - gh-110167: Fix a deadlock in test_socket when server fails with + a timeout but the client is still running in its thread. Don’t + hold a lock to call cleanup functions in doCleanups(). One of + the cleanup function waits until the client completes, whereas + the client could deadlock if it called addCleanup() in such + situation. Patch by Victor Stinner. + - gh-110388: Add tests for tty. + - gh-81002: Add tests for termios. + - gh-110267: Add tests for pickling and copying PyStructSequence + objects. Patched by Xuehai Pan. + - gh-110031: Skip test_threading tests using thread+fork if Python + is built with Address Sanitizer (ASAN). Patch by Victor Stinner. + - gh-110088: Fix test_asyncio timeouts: don’t measure the maximum + duration, a test should not measure a CI performance. Only + measure the minimum duration when a task has a timeout or delay. + Add CLOCK_RES to test_asyncio.utils. Patch by Victor Stinner. + - gh-109974: Fix race conditions in test_threading lock tests. + Wait until a condition is met rather than using time.sleep() + with a hardcoded number of seconds. Patch by Victor Stinner. + - gh-110033: Fix test_interprocess_signal() of test_signal. 
Make + sure that the subprocess.Popen object is deleted before the test + raising an exception in a signal handler. Otherwise, + Popen.__del__() can get the exception which is logged as + Exception ignored in: ... and the test fails. Patch by Victor + Stinner. + - gh-109594: Fix test_timeout() of + test_concurrent_futures.test_wait. Remove the future which may + or may not complete depending if it takes longer than the + timeout ot not. Keep the second future which does not complete + before wait() timeout. Patch by Victor Stinner. + - gh-109972: Split test_gdb.py file into a test_gdb package made + of multiple tests, so tests can now be run in parallel. Patch by + Victor Stinner. + - gh-103053: Skip test_freeze_simple_script() of + test_tools.test_freeze if Python is built with ./configure + - -enable-optimizations, which means with Profile Guided + Optimization (PGO): it just makes the test too slow. The freeze + tool is tested by many other CIs with other (faster) compiler + flags. Patch by Victor Stinner. + - gh-109580: Skip test_perf_profiler if Python is built with ASAN, + MSAN or UBSAN sanitizer. Python does crash randomly in this test + on such build. Patch by Victor Stinner. + - gh-104736: Fix test_gdb on Python built with LLVM clang 16 on + Linux ppc64le (ex: Fedora 38). Search patterns in gdb “bt” + command output to detect when gdb fails to retrieve the + traceback. For example, skip a test if Backtrace stopped: frame + did not save the PC is found. Patch by Victor Stinner. + - gh-108927: Fixed order dependence in running tests in the same + process when a test that has submodules (e.g. test_importlib) + follows a test that imports its submodule (e.g. + test_importlib.util) and precedes a test (e.g. test_unittest or + test_compileall) that uses that submodule. + - Build + - gh-112088: Add Tools/build/regen-configure.sh script to + regenerate the configure with an Ubuntu container image. 
The + quay.io/tiran/cpython_autoconf:271 container image + (tiran/cpython_autoconf) is no longer used. Patch by Victor + Stinner. + - gh-111046: For wasi-threads, memory is now exported to fix + compatibility issues with some wasm runtimes. + - gh-103053: “make check-clean-src” now also checks if the + “python” program is found in the source directory: fail with an + error if it does exist. Patch by Victor Stinner. + - gh-109191: Fix compile error when building with recent versions + of libedit. + - IDLE + - bpo-35668: Add docstrings to the IDLE debugger module. Fix two + bugs: initialize Idb.botframe (should be in Bdb); in + Idb.in_rpc_code, check whether prev_frame is None before trying + to use it. Greatly expand test_debugger. + - C API + - gh-106560: Fix redundant declarations in the public C API. + Declare PyBool_Type and PyLong_Type only once. Patch by Victor + Stinner. + - gh-112438: Fix support of format units “es”, “et”, “es#”, and + “et#” in nested tuples in PyArg_ParseTuple()-like functions. + - gh-109521: PyImport_GetImporter() now sets RuntimeError if it + fails to get sys.path_hooks or sys.path_importer_cache or they + are not list and dict correspondingly. Previously it could + return NULL without setting error in obscure cases, crash or + raise SystemError if these attributes have wrong type. + python312:base +- Update patch fix_configure_rst.patch +- Update to 3.12.1 (CVE-2023-6507, bsc#1217939): + - Core and Builtins + - gh-112125: Fix None.__ne__(None) returning NotImplemented + instead of False + - gh-112625: Fixes a bug where a bytearray object could be + cleared while iterating over an argument in the + bytearray.join() method that could result in reading memory + after it was freed. + - gh-105967: Workaround a bug in Apple’s macOS platform zlib + library where zlib.crc32() and binascii.crc32() could produce + incorrect results on multi-gigabyte inputs. Including when + using zipfile on zips containing large data. 
+ - gh-112356: Stopped erroneously deleting a LOAD_NULL bytecode + instruction when optimized twice. + - gh-111058: Change coro.cr_frame/gen.gi_frame to return None + after the coroutine/generator has been closed. This fixes a bug + where getcoroutinestate() and getgeneratorstate() return the + wrong state for a closed coroutine/generator. + - gh-112388: Fix an error that was causing the parser to try to + overwrite tokenizer errors. Patch by pablo Galindo + - gh-112387: Fix error positions for decoded strings with + backwards tokenize errors. Patch by Pablo Galindo + - gh-112367: Avoid undefined behaviour when using the perf + trampolines by not freeing the code arenas until shutdown. + Patch by Pablo Galindo + - gh-112243: Don’t include comments in f-string debug + expressions. Patch by Pablo Galindo + - gh-112266: Change docstrings of __dict__ and __weakref__. + - gh-111654: Fix runtime crash when some error happens in opcode + LOAD_FROM_DICT_OR_DEREF. + - gh-109181: Speed up Traceback object creation by lazily compute + the line number. Patch by Pablo Galindo + - gh-102388: Fix a bug where iso2022_jp_3 and iso2022_jp_2004 + codecs read out of bounds + - gh-111366: Fix an issue in the codeop that was causing + SyntaxError exceptions raised in the presence of invalid syntax + to not contain precise error messages. Patch by Pablo Galindo + - gh-111380: Fix a bug that was causing SyntaxWarning to appear + twice when parsing if invalid syntax is encountered later. + Patch by Pablo galindo + - gh-94438: Fix a regression that prevented jumping across is + None and is not None when debugging. Patch by Savannah + Ostrowski. + - gh-110938: Fix error messages for indented blocks with + functions and classes with generic type parameters. Patch by + Pablo Galindo + - gh-109894: Fixed crash due to improperly initialized static + MemoryError in subinterpreter. + - gh-110782: Fix crash when typing.TypeVar is constructed with a + keyword argument. Patch by Jelle Zijlstra. 
+ - gh-110696: Fix incorrect error message for invalid argument + unpacking. Patch by Pablo Galindo + - gh-110543: Fix regression in Python 3.12 where + types.CodeType.replace() would produce a broken code object if + called on a module or class code object that contains a + comprehension. Patch by Jelle Zijlstra. + - gh-110514: Add PY_THROW to sys.setprofile() events + - gh-110455: Guard assert(tstate->thread_id > 0) with #ifndef + HAVE_PTHREAD_STUBS. This allows for for pydebug builds to work + under WASI which (currently) lacks thread support. + - gh-110259: Correctly identify the format spec in f-strings + (with single or triple quotes) that have multiple lines in the + expression part and include a formatting spec. Patch by Pablo + Galindo + - gh-110237: Fix missing error checks for calls to PyList_Append + in _PyEval_MatchClass. + - gh-109889: Fix the compiler’s redundant NOP detection algorithm + to skip over NOPs with no line number when looking for the next + instruction’s lineno. + - gh-109853: sys.path[0] is now set correctly for + subinterpreters. + - gh-105716: Subinterpreters now correctly handle the case where + they have threads running in the background. Before, such + threads would interfere with cleaning up and destroying them, + as well as prevent running another script. + - gh-109793: The main thread no longer exits prematurely when a + subinterpreter is cleaned up during runtime finalization. The + bug was a problem particularly because, when triggered, the + Python process would always return with a 0 exitcode, even if + it failed. + - gh-109596: Fix some tokens in the grammar that were incorrectly + marked as soft keywords. Also fix some repeated rule names and + ensure that repeated rules are not allowed. Patch by Pablo + Galindo + - gh-109351: Fix crash when compiling an invalid AST involving a + named (walrus) expression. + - gh-109216: Fix possible memory leak in BUILD_MAP. 
+ - gh-109207: Fix a SystemError in __repr__ of symtable entry + object. + - gh-109179: Fix bug where the C traceback display drops notes + from SyntaxError. + - gh-109052: Use the base opcode when comparing code objects to + avoid interference from instrumentation + - gh-88943: Improve syntax error for non-ASCII character that + follows a numerical literal. It now points on the invalid + non-ASCII character, not on the valid numerical literal. + - gh-106931: Statically allocated string objects are now interned + globally instead of per-interpreter. This fixes a situation + where such a string would only be interned in a single + interpreter. Normal string objects are unaffected. + - Library + - gh-79325: Fix an infinite recursion error in + tempfile.TemporaryDirectory() cleanup on Windows. + - gh-112645: Remove deprecation error on passing onerror to + shutil.rmtree(). + - gh-112618: Fix a caching bug relating to typing.Annotated. + Annotated[str, True] is no longer identical to Annotated[str, + 1]. + - gh-112334: Fixed a performance regression in 3.12’s subprocess + on Linux where it would no longer use the fast-path vfork() + system call when it should have due to a logic bug, instead + always falling back to the safe but slower fork(). + - Also fixed a related 3.12 security regression: If a value of + extra_groups=[] was passed to subprocess.Popen or related APIs, + the underlying setgroups(0, NULL) system call to clear the + groups list would not be made in the child process prior to + exec(). This has been assigned CVE-2023-6507. + - This was identified via code inspection in the process of fixing + the first bug. + - gh-110190: Fix ctypes structs with array on Arm platform by + setting MAX_STRUCT_SIZE to 32 in stgdict. Patch by Diego Russo. + - gh-112578: Fix a spurious RuntimeWarning when executing the + zipfile module. 
+ - gh-112509: Fix edge cases that could cause a key to be present + in both the __required_keys__ and __optional_keys__ attributes + of a typing.TypedDict. Patch by Jelle Zijlstra. + - gh-112414: Fix regression in Python 3.12 where calling repr() on + a module that had been imported using a custom loader could fail + with AttributeError. Patch by Alex Waygood. + - gh-112358: Revert change to struct.Struct initialization that + broke some cases of subclassing. + - gh-94722: Fix bug where comparison between instances of DocTest + fails if one of them has None as its lineno. + - gh-112105: Make readline.set_completer_delims() work with + libedit + - gh-111942: Fix SystemError in the TextIOWrapper constructor with + non-encodable “errors” argument in non-debug mode. + - gh-109538: Issue warning message instead of having RuntimeError + be displayed when event loop has already been closed at + StreamWriter.__del__(). + - gh-111942: Fix crashes in io.TextIOWrapper.reconfigure() when + pass invalid arguments, e.g. non-string encoding. + - gh-111460: curses: restore wide character support (including + curses.unget_wch() and get_wch()) on macOS, which was + unavailable due to a regression in Python 3.12. + - gh-103791: contextlib.suppress now supports suppressing + exceptions raised as part of a BaseExceptionGroup, in addition + to the recent support for ExceptionGroup. + - gh-111804: Remove posix.fallocate() under WASI as the underlying + posix_fallocate() is not available in WASI preview2. + - gh-111841: Fix truncating arguments on an embedded null + character in os.putenv() and os.unsetenv() on Windows. + - gh-111541: Fix doctest for SyntaxError not-builtin subclasses. + - gh-110894: Call loop exception handler for exceptions in + client_connected_cb of asyncio.start_server() so that + applications can handle it. Patch by Kumar Aditya. + - gh-111531: Fix reference leaks in bind_class() and bind_all() + methods of tkinter widgets. 
+ - gh-111356: Added io.text_encoding(), io.DEFAULT_BUFFER_SIZE, and + io.IncrementalNewlineDecoder to io.__all__. + - gh-111342: Fixed typo in math.sumprod(). + - gh-68166: Remove mention of not supported “vsapi” element type + in tkinter.ttk.Style.element_create(). Add tests for + element_create() and other ttk.Style methods. Add examples for + element_create() in the documentation. + - gh-75666: Fix the behavior of tkinter widget’s unbind() method + with two arguments. Previously, widget.unbind(sequence, funcid) + destroyed the current binding for sequence, leaving sequence + unbound, and deleted the funcid command. Now it removes only + funcid from the binding for sequence, keeping other commands, + and deletes the funcid command. It leaves sequence unbound only + if funcid was the last bound command. + - gh-79033: Another attempt at fixing + asyncio.Server.wait_closed(). It now blocks until both + conditions are true: the server is closed, and there are no more + active connections. (This means that in some cases where in + 3.12.0 this function would incorrectly have returned + immediately, it will now block; in particular, when there are no + active connections but the server hasn’t been closed yet.) + - gh-111295: Fix time not checking for errors when initializing. + - gh-111253: Add error checking during _socket module init. + - gh-111251: Fix _blake2 not checking for errors when + initializing. + - gh-111174: Fix crash in io.BytesIO.getbuffer() called repeatedly + for empty BytesIO. + - gh-111187: Postpone removal version for + locale.getdefaultlocale() to Python 3.15. + - gh-111159: Fix doctest output comparison for exceptions with + notes. + - gh-110910: Fix invalid state handling in asyncio.TaskGroup and + asyncio.Timeout. They now raise proper RuntimeError if they are + improperly used and are left in consistent state after this. + - gh-111092: Make turtledemo run without default root enabled. 
+ - gh-110488: Fix a couple of issues in + pathlib.PurePath.with_name(): a single dot was incorrectly + considered a valid name, and in PureWindowsPath, a name with an + NTFS alternate data stream, like a:b, was incorrectly considered + invalid. + - gh-110392: Fix tty.setraw() and tty.setcbreak(): previously they + returned partially modified list of the original tty attributes. + tty.cfmakeraw() and tty.cfmakecbreak() now make a copy of the + list of special characters before modifying it. + - gh-110590: Fix a bug in _sre.compile() where TypeError would be + overwritten by OverflowError when the code argument was a list + of non-ints. + - gh-65052: Prevent pdb from crashing when trying to display + undisplayable objects + - gh-110519: Deprecation warning about non-integer number in + gettext now alwais refers to the line in the user code where + gettext function or method is used. Previously it could refer to + a line in gettext code. + - gh-110395: Ensure that select.kqueue() objects correctly appear + as closed in forked children, to prevent operations on an + invalid file descriptor. + - gh-110378: contextmanager() and asynccontextmanager() context + managers now close an invalid underlying generator object that + yields more then one value. + - gh-110365: Fix termios.tcsetattr() bug that was overwritting + existing errors during parsing integers from term list. + - gh-109653: Fix a Python 3.12 regression in the import time of + random. Patch by Alex Waygood. + - gh-110196: Add __reduce__ method to IPv6Address in order to keep + scope_id + - gh-110036: On Windows, multiprocessing Popen.terminate() now + catchs PermissionError and get the process exit code. If the + process is still running, raise again the PermissionError. + Otherwise, the process terminated as expected: store its exit + code. Patch by Victor Stinner. 
+ - gh-110038: Fixed an issue that caused KqueueSelector.select() to + not return all the ready events in some cases when a file + descriptor is registered for both read and write. + - gh-109631: re functions such as re.findall(), re.split(), + re.search() and re.sub() which perform short repeated matches + can now be interrupted by user. + - gh-109747: Improve errors for unsupported look-behind patterns. + Now re.error is raised instead of OverflowError or RuntimeError + for too large width of look-behind pattern. + - gh-109818: Fix reprlib.recursive_repr() not copying + __type_params__ from decorated function. + - gh-109047: concurrent.futures: The executor manager thread now + catches exceptions when adding an item to the call queue. During + Python finalization, creating a new thread can now raise + RuntimeError. Catch the exception and call terminate_broken() in + this case. Patch by Victor Stinner. + - gh-109782: Ensure the signature of os.path.isdir() is identical + on all platforms. Patch by Amin Alaee. + - gh-109590: shutil.which() will prefer files with an extension in + PATHEXT if the given mode includes os.X_OK on win32. If no + PATHEXT match is found, a file without an extension in PATHEXT + can be returned. This change will have shutil.which() act more + similarly to previous behavior in Python 3.11. + - gh-109786: Fix possible reference leaks and crash when re-enter + the __next__() method of itertools.pairwise. + - gh-109593: Avoid deadlocking on a reentrant call to the + multiprocessing resource tracker. Such a reentrant call, though + unlikely, can happen if a GC pass invokes the finalizer for a + multiprocessing object such as SemLock. + - gh-109613: Fix os.stat() and os.DirEntry.stat(): check for + exceptions. Previously, on Python built in debug mode, these + functions could trigger a fatal Python error (and abort the + process) when a function succeeded with an exception set. Patch + by Victor Stinner. 
+ - gh-109375: The pdb alias command now prevents registering + aliases without arguments. + - gh-107219: Fix a race condition in concurrent.futures. When a + process in the process pool was terminated abruptly (while the + future was running or pending), close the connection write end. + If the call queue is blocked on sending bytes to a worker + process, closing the connection write end interrupts the send, + so the queue can be closed. Patch by Victor Stinner. + - gh-50644: Attempts to pickle or create a shallow or deep copy of + codecs streams now raise a TypeError. Previously, copying failed + with a RecursionError, while pickling produced wrong results + that eventually caused unpickling to fail with a RecursionError. + - gh-108987: Fix _thread.start_new_thread() race condition. If a + thread is created during Python finalization, the newly spawned + thread now exits immediately instead of trying to access freed + memory and lead to a crash. Patch by Victor Stinner. + - gh-108791: Improved error handling in pdb command line + interface, making it produce more concise error messages. + - gh-105829: Fix concurrent.futures.ProcessPoolExecutor deadlock + - gh-106584: Fix exit code for unittest if all tests are skipped. + Patch by Egor Eliseev. + - gh-102956: Fix returning of empty byte strings after seek in + zipfile module + - gh-84867: unittest.TestLoader no longer loads test cases from + exact unittest.TestCase and unittest.FunctionTestCase classes. + - gh-91133: Fix a bug in tempfile.TemporaryDirectory cleanup, + which now no longer dereferences symlinks when working around + file system permission errors. + - gh-73561: Omit the interface scope from an IPv6 address when + used as Host header by http.client. + - gh-86826: zipinfo now supports the full range of values in the + TZ string determined by RFC 8536 and detects all invalid + formats. Both Python and C implementations now raise exceptions + of the same type on invalid data. 
+ - bpo-43153: On Windows, tempfile.TemporaryDirectory previously + masked a PermissionError with NotADirectoryError during + directory cleanup. It now correctly raises PermissionError if + errors are not ignored. Patch by Andrei Kulakov and Ken Jin. + - bpo-35332: The shutil.rmtree() function now ignores errors when + calling os.close() when ignore_errors is True, and os.close() no + longer retried after error. + - bpo-41422: Fixed memory leaks of pickle.Pickler and + pickle.Unpickler involving cyclic references via the internal + memo mapping. + - bpo-40262: The ssl.SSLSocket.recv_into() method no longer + requires the buffer argument to implement __len__ and supports + buffers with arbitrary item size. + - Documentation + - gh-111699: Relocate smtpd deprecation notice to its own section + rather than under locale in What’s New in Python 3.12 document + - gh-108826: dis module command-line interface is now mentioned in + documentation. Test- s + - gh-112769: The tests now correctly compare zlib version when + zlib.ZLIB_RUNTIME_VERSION contains non-integer suffixes. For + example zlib-ng defines the version as 1.3.0.zlib-ng. + - gh-110367: Make regrtest --verbose3 option compatible with + - -huntrleaks -jN options. The ./python -m test -j1 -R 3:3 + - -verbose3 command now works as expected. Patch by Victor + Stinner. + - gh-111165: Remove no longer used functions run_unittest() and + run_doctest() from the test.support module. + - gh-110932: Fix regrtest if the SOURCE_DATE_EPOCH environment + variable is defined: use the variable value as the random seed. + Patch by Victor Stinner. + - gh-110995: test_gdb: Fix detection of gdb built without Python + scripting support. Patch by Victor Stinner. + - gh-110918: Test case matching patterns specified by options + - -match, --ignore, --matchfile and --ignorefile are now tested + in the order of specification, and the last match determines + whether the test case be run or ignored. 
+ - gh-110647: Fix test_stress_modifying_handlers() of test_signal. + Patch by Victor Stinner. + - gh-103053: Fix test_tools.test_freeze on FreeBSD: run “make + distclean” instead of “make clean” in the copied source + directory to remove also the “python” program. Patch by Victor + Stinner. + - gh-110167: Fix a deadlock in test_socket when server fails with + a timeout but the client is still running in its thread. Don’t + hold a lock to call cleanup functions in doCleanups(). One of + the cleanup function waits until the client completes, whereas + the client could deadlock if it called addCleanup() in such + situation. Patch by Victor Stinner. + - gh-110388: Add tests for tty. + - gh-81002: Add tests for termios. + - gh-110267: Add tests for pickling and copying PyStructSequence + objects. Patched by Xuehai Pan. + - gh-110031: Skip test_threading tests using thread+fork if Python + is built with Address Sanitizer (ASAN). Patch by Victor Stinner. + - gh-110088: Fix test_asyncio timeouts: don’t measure the maximum + duration, a test should not measure a CI performance. Only + measure the minimum duration when a task has a timeout or delay. + Add CLOCK_RES to test_asyncio.utils. Patch by Victor Stinner. + - gh-109974: Fix race conditions in test_threading lock tests. + Wait until a condition is met rather than using time.sleep() + with a hardcoded number of seconds. Patch by Victor Stinner. + - gh-110033: Fix test_interprocess_signal() of test_signal. Make + sure that the subprocess.Popen object is deleted before the test + raising an exception in a signal handler. Otherwise, + Popen.__del__() can get the exception which is logged as + Exception ignored in: ... and the test fails. Patch by Victor + Stinner. + - gh-109594: Fix test_timeout() of + test_concurrent_futures.test_wait. Remove the future which may + or may not complete depending if it takes longer than the + timeout ot not. Keep the second future which does not complete + before wait() timeout. 
Patch by Victor Stinner. + - gh-109972: Split test_gdb.py file into a test_gdb package made + of multiple tests, so tests can now be run in parallel. Patch by + Victor Stinner. + - gh-103053: Skip test_freeze_simple_script() of + test_tools.test_freeze if Python is built with ./configure + - -enable-optimizations, which means with Profile Guided + Optimization (PGO): it just makes the test too slow. The freeze + tool is tested by many other CIs with other (faster) compiler + flags. Patch by Victor Stinner. + - gh-109580: Skip test_perf_profiler if Python is built with ASAN, + MSAN or UBSAN sanitizer. Python does crash randomly in this test + on such build. Patch by Victor Stinner. + - gh-104736: Fix test_gdb on Python built with LLVM clang 16 on + Linux ppc64le (ex: Fedora 38). Search patterns in gdb “bt” + command output to detect when gdb fails to retrieve the + traceback. For example, skip a test if Backtrace stopped: frame + did not save the PC is found. Patch by Victor Stinner. + - gh-108927: Fixed order dependence in running tests in the same + process when a test that has submodules (e.g. test_importlib) + follows a test that imports its submodule (e.g. + test_importlib.util) and precedes a test (e.g. test_unittest or + test_compileall) that uses that submodule. + - Build + - gh-112088: Add Tools/build/regen-configure.sh script to + regenerate the configure with an Ubuntu container image. The + quay.io/tiran/cpython_autoconf:271 container image + (tiran/cpython_autoconf) is no longer used. Patch by Victor + Stinner. + - gh-111046: For wasi-threads, memory is now exported to fix + compatibility issues with some wasm runtimes. + - gh-103053: “make check-clean-src” now also checks if the + “python” program is found in the source directory: fail with an + error if it does exist. Patch by Victor Stinner. + - gh-109191: Fix compile error when building with recent versions + of libedit. + - IDLE + - bpo-35668: Add docstrings to the IDLE debugger module. 
Fix two + bugs: initialize Idb.botframe (should be in Bdb); in + Idb.in_rpc_code, check whether prev_frame is None before trying + to use it. Greatly expand test_debugger. + - C API + - gh-106560: Fix redundant declarations in the public C API. + Declare PyBool_Type and PyLong_Type only once. Patch by Victor + Stinner. + - gh-112438: Fix support of format units “es”, “et”, “es#”, and + “et#” in nested tuples in PyArg_ParseTuple()-like functions. + - gh-109521: PyImport_GetImporter() now sets RuntimeError if it + fails to get sys.path_hooks or sys.path_importer_cache or they + are not list and dict correspondingly. Previously it could + return NULL without setting error in obscure cases, crash or + raise SystemError if these attributes have wrong type. + python312:doc +- Update patch fix_configure_rst.patch +- Update to 3.12.1 (CVE-2023-6507, bsc#1217939): + - Core and Builtins + - gh-112125: Fix None.__ne__(None) returning NotImplemented + instead of False + - gh-112625: Fixes a bug where a bytearray object could be + cleared while iterating over an argument in the + bytearray.join() method that could result in reading memory + after it was freed. + - gh-105967: Workaround a bug in Apple’s macOS platform zlib + library where zlib.crc32() and binascii.crc32() could produce + incorrect results on multi-gigabyte inputs. Including when + using zipfile on zips containing large data. + - gh-112356: Stopped erroneously deleting a LOAD_NULL bytecode + instruction when optimized twice. + - gh-111058: Change coro.cr_frame/gen.gi_frame to return None + after the coroutine/generator has been closed. This fixes a bug + where getcoroutinestate() and getgeneratorstate() return the + wrong state for a closed coroutine/generator. + - gh-112388: Fix an error that was causing the parser to try to + overwrite tokenizer errors. Patch by pablo Galindo + - gh-112387: Fix error positions for decoded strings with + backwards tokenize errors. 
Patch by Pablo Galindo + - gh-112367: Avoid undefined behaviour when using the perf + trampolines by not freeing the code arenas until shutdown. + Patch by Pablo Galindo + - gh-112243: Don’t include comments in f-string debug + expressions. Patch by Pablo Galindo + - gh-112266: Change docstrings of __dict__ and __weakref__. + - gh-111654: Fix runtime crash when some error happens in opcode + LOAD_FROM_DICT_OR_DEREF. + - gh-109181: Speed up Traceback object creation by lazily compute + the line number. Patch by Pablo Galindo + - gh-102388: Fix a bug where iso2022_jp_3 and iso2022_jp_2004 + codecs read out of bounds + - gh-111366: Fix an issue in the codeop that was causing + SyntaxError exceptions raised in the presence of invalid syntax + to not contain precise error messages. Patch by Pablo Galindo + - gh-111380: Fix a bug that was causing SyntaxWarning to appear + twice when parsing if invalid syntax is encountered later. + Patch by Pablo galindo + - gh-94438: Fix a regression that prevented jumping across is + None and is not None when debugging. Patch by Savannah + Ostrowski. + - gh-110938: Fix error messages for indented blocks with + functions and classes with generic type parameters. Patch by + Pablo Galindo + - gh-109894: Fixed crash due to improperly initialized static + MemoryError in subinterpreter. + - gh-110782: Fix crash when typing.TypeVar is constructed with a + keyword argument. Patch by Jelle Zijlstra. + - gh-110696: Fix incorrect error message for invalid argument + unpacking. Patch by Pablo Galindo + - gh-110543: Fix regression in Python 3.12 where + types.CodeType.replace() would produce a broken code object if + called on a module or class code object that contains a + comprehension. Patch by Jelle Zijlstra. + - gh-110514: Add PY_THROW to sys.setprofile() events + - gh-110455: Guard assert(tstate->thread_id > 0) with #ifndef + HAVE_PTHREAD_STUBS. This allows for for pydebug builds to work + under WASI which (currently) lacks thread support. 
+ - gh-110259: Correctly identify the format spec in f-strings + (with single or triple quotes) that have multiple lines in the + expression part and include a formatting spec. Patch by Pablo + Galindo + - gh-110237: Fix missing error checks for calls to PyList_Append + in _PyEval_MatchClass. + - gh-109889: Fix the compiler’s redundant NOP detection algorithm + to skip over NOPs with no line number when looking for the next + instruction’s lineno. + - gh-109853: sys.path[0] is now set correctly for + subinterpreters. + - gh-105716: Subinterpreters now correctly handle the case where + they have threads running in the background. Before, such + threads would interfere with cleaning up and destroying them, + as well as prevent running another script. + - gh-109793: The main thread no longer exits prematurely when a + subinterpreter is cleaned up during runtime finalization. The + bug was a problem particularly because, when triggered, the + Python process would always return with a 0 exitcode, even if + it failed. + - gh-109596: Fix some tokens in the grammar that were incorrectly + marked as soft keywords. Also fix some repeated rule names and + ensure that repeated rules are not allowed. Patch by Pablo + Galindo + - gh-109351: Fix crash when compiling an invalid AST involving a + named (walrus) expression. + - gh-109216: Fix possible memory leak in BUILD_MAP. + - gh-109207: Fix a SystemError in __repr__ of symtable entry + object. + - gh-109179: Fix bug where the C traceback display drops notes + from SyntaxError. + - gh-109052: Use the base opcode when comparing code objects to + avoid interference from instrumentation + - gh-88943: Improve syntax error for non-ASCII character that + follows a numerical literal. It now points on the invalid + non-ASCII character, not on the valid numerical literal. + - gh-106931: Statically allocated string objects are now interned + globally instead of per-interpreter. 
This fixes a situation + where such a string would only be interned in a single + interpreter. Normal string objects are unaffected. + - Library + - gh-79325: Fix an infinite recursion error in + tempfile.TemporaryDirectory() cleanup on Windows. + - gh-112645: Remove deprecation error on passing onerror to + shutil.rmtree(). + - gh-112618: Fix a caching bug relating to typing.Annotated. + Annotated[str, True] is no longer identical to Annotated[str, + 1]. + - gh-112334: Fixed a performance regression in 3.12’s subprocess + on Linux where it would no longer use the fast-path vfork() + system call when it should have due to a logic bug, instead + always falling back to the safe but slower fork(). + - Also fixed a related 3.12 security regression: If a value of + extra_groups=[] was passed to subprocess.Popen or related APIs, + the underlying setgroups(0, NULL) system call to clear the + groups list would not be made in the child process prior to + exec(). This has been assigned CVE-2023-6507. + - This was identified via code inspection in the process of fixing + the first bug. + - gh-110190: Fix ctypes structs with array on Arm platform by + setting MAX_STRUCT_SIZE to 32 in stgdict. Patch by Diego Russo. + - gh-112578: Fix a spurious RuntimeWarning when executing the + zipfile module. + - gh-112509: Fix edge cases that could cause a key to be present + in both the __required_keys__ and __optional_keys__ attributes + of a typing.TypedDict. Patch by Jelle Zijlstra. + - gh-112414: Fix regression in Python 3.12 where calling repr() on + a module that had been imported using a custom loader could fail + with AttributeError. Patch by Alex Waygood. + - gh-112358: Revert change to struct.Struct initialization that + broke some cases of subclassing. + - gh-94722: Fix bug where comparison between instances of DocTest + fails if one of them has None as its lineno. 
+ - gh-112105: Make readline.set_completer_delims() work with + libedit + - gh-111942: Fix SystemError in the TextIOWrapper constructor with + non-encodable “errors” argument in non-debug mode. + - gh-109538: Issue warning message instead of having RuntimeError + be displayed when event loop has already been closed at + StreamWriter.__del__(). + - gh-111942: Fix crashes in io.TextIOWrapper.reconfigure() when + pass invalid arguments, e.g. non-string encoding. + - gh-111460: curses: restore wide character support (including + curses.unget_wch() and get_wch()) on macOS, which was + unavailable due to a regression in Python 3.12. + - gh-103791: contextlib.suppress now supports suppressing + exceptions raised as part of a BaseExceptionGroup, in addition + to the recent support for ExceptionGroup. + - gh-111804: Remove posix.fallocate() under WASI as the underlying + posix_fallocate() is not available in WASI preview2. + - gh-111841: Fix truncating arguments on an embedded null + character in os.putenv() and os.unsetenv() on Windows. + - gh-111541: Fix doctest for SyntaxError not-builtin subclasses. + - gh-110894: Call loop exception handler for exceptions in + client_connected_cb of asyncio.start_server() so that + applications can handle it. Patch by Kumar Aditya. + - gh-111531: Fix reference leaks in bind_class() and bind_all() + methods of tkinter widgets. + - gh-111356: Added io.text_encoding(), io.DEFAULT_BUFFER_SIZE, and + io.IncrementalNewlineDecoder to io.__all__. + - gh-111342: Fixed typo in math.sumprod(). + - gh-68166: Remove mention of not supported “vsapi” element type + in tkinter.ttk.Style.element_create(). Add tests for + element_create() and other ttk.Style methods. Add examples for + element_create() in the documentation. + - gh-75666: Fix the behavior of tkinter widget’s unbind() method + with two arguments. 
Previously, widget.unbind(sequence, funcid) + destroyed the current binding for sequence, leaving sequence + unbound, and deleted the funcid command. Now it removes only + funcid from the binding for sequence, keeping other commands, + and deletes the funcid command. It leaves sequence unbound only + if funcid was the last bound command. + - gh-79033: Another attempt at fixing + asyncio.Server.wait_closed(). It now blocks until both + conditions are true: the server is closed, and there are no more + active connections. (This means that in some cases where in + 3.12.0 this function would incorrectly have returned + immediately, it will now block; in particular, when there are no + active connections but the server hasn’t been closed yet.) + - gh-111295: Fix time not checking for errors when initializing. + - gh-111253: Add error checking during _socket module init. + - gh-111251: Fix _blake2 not checking for errors when + initializing. + - gh-111174: Fix crash in io.BytesIO.getbuffer() called repeatedly + for empty BytesIO. + - gh-111187: Postpone removal version for + locale.getdefaultlocale() to Python 3.15. + - gh-111159: Fix doctest output comparison for exceptions with + notes. + - gh-110910: Fix invalid state handling in asyncio.TaskGroup and + asyncio.Timeout. They now raise proper RuntimeError if they are + improperly used and are left in consistent state after this. + - gh-111092: Make turtledemo run without default root enabled. + - gh-110488: Fix a couple of issues in + pathlib.PurePath.with_name(): a single dot was incorrectly + considered a valid name, and in PureWindowsPath, a name with an + NTFS alternate data stream, like a:b, was incorrectly considered + invalid. + - gh-110392: Fix tty.setraw() and tty.setcbreak(): previously they + returned partially modified list of the original tty attributes. + tty.cfmakeraw() and tty.cfmakecbreak() now make a copy of the + list of special characters before modifying it. 
+ - gh-110590: Fix a bug in _sre.compile() where TypeError would be + overwritten by OverflowError when the code argument was a list + of non-ints. + - gh-65052: Prevent pdb from crashing when trying to display + undisplayable objects + - gh-110519: Deprecation warning about non-integer number in + gettext now alwais refers to the line in the user code where + gettext function or method is used. Previously it could refer to + a line in gettext code. + - gh-110395: Ensure that select.kqueue() objects correctly appear + as closed in forked children, to prevent operations on an + invalid file descriptor. + - gh-110378: contextmanager() and asynccontextmanager() context + managers now close an invalid underlying generator object that + yields more then one value. + - gh-110365: Fix termios.tcsetattr() bug that was overwritting + existing errors during parsing integers from term list. + - gh-109653: Fix a Python 3.12 regression in the import time of + random. Patch by Alex Waygood. + - gh-110196: Add __reduce__ method to IPv6Address in order to keep + scope_id + - gh-110036: On Windows, multiprocessing Popen.terminate() now + catchs PermissionError and get the process exit code. If the + process is still running, raise again the PermissionError. + Otherwise, the process terminated as expected: store its exit + code. Patch by Victor Stinner. + - gh-110038: Fixed an issue that caused KqueueSelector.select() to + not return all the ready events in some cases when a file + descriptor is registered for both read and write. + - gh-109631: re functions such as re.findall(), re.split(), + re.search() and re.sub() which perform short repeated matches + can now be interrupted by user. + - gh-109747: Improve errors for unsupported look-behind patterns. + Now re.error is raised instead of OverflowError or RuntimeError + for too large width of look-behind pattern. + - gh-109818: Fix reprlib.recursive_repr() not copying + __type_params__ from decorated function. 
+ - gh-109047: concurrent.futures: The executor manager thread now + catches exceptions when adding an item to the call queue. During + Python finalization, creating a new thread can now raise + RuntimeError. Catch the exception and call terminate_broken() in + this case. Patch by Victor Stinner. + - gh-109782: Ensure the signature of os.path.isdir() is identical + on all platforms. Patch by Amin Alaee. + - gh-109590: shutil.which() will prefer files with an extension in + PATHEXT if the given mode includes os.X_OK on win32. If no + PATHEXT match is found, a file without an extension in PATHEXT + can be returned. This change will have shutil.which() act more + similarly to previous behavior in Python 3.11. + - gh-109786: Fix possible reference leaks and crash when re-enter + the __next__() method of itertools.pairwise. + - gh-109593: Avoid deadlocking on a reentrant call to the + multiprocessing resource tracker. Such a reentrant call, though + unlikely, can happen if a GC pass invokes the finalizer for a + multiprocessing object such as SemLock. + - gh-109613: Fix os.stat() and os.DirEntry.stat(): check for + exceptions. Previously, on Python built in debug mode, these + functions could trigger a fatal Python error (and abort the + process) when a function succeeded with an exception set. Patch + by Victor Stinner. + - gh-109375: The pdb alias command now prevents registering + aliases without arguments. + - gh-107219: Fix a race condition in concurrent.futures. When a + process in the process pool was terminated abruptly (while the + future was running or pending), close the connection write end. + If the call queue is blocked on sending bytes to a worker + process, closing the connection write end interrupts the send, + so the queue can be closed. Patch by Victor Stinner. + - gh-50644: Attempts to pickle or create a shallow or deep copy of + codecs streams now raise a TypeError. 
Previously, copying failed + with a RecursionError, while pickling produced wrong results + that eventually caused unpickling to fail with a RecursionError. + - gh-108987: Fix _thread.start_new_thread() race condition. If a + thread is created during Python finalization, the newly spawned + thread now exits immediately instead of trying to access freed + memory and lead to a crash. Patch by Victor Stinner. + - gh-108791: Improved error handling in pdb command line + interface, making it produce more concise error messages. + - gh-105829: Fix concurrent.futures.ProcessPoolExecutor deadlock + - gh-106584: Fix exit code for unittest if all tests are skipped. + Patch by Egor Eliseev. + - gh-102956: Fix returning of empty byte strings after seek in + zipfile module + - gh-84867: unittest.TestLoader no longer loads test cases from + exact unittest.TestCase and unittest.FunctionTestCase classes. + - gh-91133: Fix a bug in tempfile.TemporaryDirectory cleanup, + which now no longer dereferences symlinks when working around + file system permission errors. + - gh-73561: Omit the interface scope from an IPv6 address when + used as Host header by http.client. + - gh-86826: zipinfo now supports the full range of values in the + TZ string determined by RFC 8536 and detects all invalid + formats. Both Python and C implementations now raise exceptions + of the same type on invalid data. + - bpo-43153: On Windows, tempfile.TemporaryDirectory previously + masked a PermissionError with NotADirectoryError during + directory cleanup. It now correctly raises PermissionError if + errors are not ignored. Patch by Andrei Kulakov and Ken Jin. + - bpo-35332: The shutil.rmtree() function now ignores errors when + calling os.close() when ignore_errors is True, and os.close() no + longer retried after error. + - bpo-41422: Fixed memory leaks of pickle.Pickler and + pickle.Unpickler involving cyclic references via the internal + memo mapping. 
+ - bpo-40262: The ssl.SSLSocket.recv_into() method no longer + requires the buffer argument to implement __len__ and supports + buffers with arbitrary item size. + - Documentation + - gh-111699: Relocate smtpd deprecation notice to its own section + rather than under locale in What’s New in Python 3.12 document + - gh-108826: dis module command-line interface is now mentioned in + documentation. Test- s + - gh-112769: The tests now correctly compare zlib version when + zlib.ZLIB_RUNTIME_VERSION contains non-integer suffixes. For + example zlib-ng defines the version as 1.3.0.zlib-ng. + - gh-110367: Make regrtest --verbose3 option compatible with + - -huntrleaks -jN options. The ./python -m test -j1 -R 3:3 + - -verbose3 command now works as expected. Patch by Victor + Stinner. + - gh-111165: Remove no longer used functions run_unittest() and + run_doctest() from the test.support module. + - gh-110932: Fix regrtest if the SOURCE_DATE_EPOCH environment + variable is defined: use the variable value as the random seed. + Patch by Victor Stinner. + - gh-110995: test_gdb: Fix detection of gdb built without Python + scripting support. Patch by Victor Stinner. + - gh-110918: Test case matching patterns specified by options + - -match, --ignore, --matchfile and --ignorefile are now tested + in the order of specification, and the last match determines + whether the test case be run or ignored. + - gh-110647: Fix test_stress_modifying_handlers() of test_signal. + Patch by Victor Stinner. + - gh-103053: Fix test_tools.test_freeze on FreeBSD: run “make + distclean” instead of “make clean” in the copied source + directory to remove also the “python” program. Patch by Victor + Stinner. + - gh-110167: Fix a deadlock in test_socket when server fails with + a timeout but the client is still running in its thread. Don’t + hold a lock to call cleanup functions in doCleanups(). 
One of + the cleanup function waits until the client completes, whereas + the client could deadlock if it called addCleanup() in such + situation. Patch by Victor Stinner. + - gh-110388: Add tests for tty. + - gh-81002: Add tests for termios. + - gh-110267: Add tests for pickling and copying PyStructSequence + objects. Patched by Xuehai Pan. + - gh-110031: Skip test_threading tests using thread+fork if Python + is built with Address Sanitizer (ASAN). Patch by Victor Stinner. + - gh-110088: Fix test_asyncio timeouts: don’t measure the maximum + duration, a test should not measure a CI performance. Only + measure the minimum duration when a task has a timeout or delay. + Add CLOCK_RES to test_asyncio.utils. Patch by Victor Stinner. + - gh-109974: Fix race conditions in test_threading lock tests. + Wait until a condition is met rather than using time.sleep() + with a hardcoded number of seconds. Patch by Victor Stinner. + - gh-110033: Fix test_interprocess_signal() of test_signal. Make + sure that the subprocess.Popen object is deleted before the test + raising an exception in a signal handler. Otherwise, + Popen.__del__() can get the exception which is logged as + Exception ignored in: ... and the test fails. Patch by Victor + Stinner. + - gh-109594: Fix test_timeout() of + test_concurrent_futures.test_wait. Remove the future which may + or may not complete depending if it takes longer than the + timeout ot not. Keep the second future which does not complete + before wait() timeout. Patch by Victor Stinner. + - gh-109972: Split test_gdb.py file into a test_gdb package made + of multiple tests, so tests can now be run in parallel. Patch by + Victor Stinner. + - gh-103053: Skip test_freeze_simple_script() of + test_tools.test_freeze if Python is built with ./configure + - -enable-optimizations, which means with Profile Guided + Optimization (PGO): it just makes the test too slow. The freeze + tool is tested by many other CIs with other (faster) compiler + flags. 
Patch by Victor Stinner. + - gh-109580: Skip test_perf_profiler if Python is built with ASAN, + MSAN or UBSAN sanitizer. Python does crash randomly in this test + on such build. Patch by Victor Stinner. + - gh-104736: Fix test_gdb on Python built with LLVM clang 16 on + Linux ppc64le (ex: Fedora 38). Search patterns in gdb “bt” + command output to detect when gdb fails to retrieve the + traceback. For example, skip a test if Backtrace stopped: frame + did not save the PC is found. Patch by Victor Stinner. + - gh-108927: Fixed order dependence in running tests in the same + process when a test that has submodules (e.g. test_importlib) + follows a test that imports its submodule (e.g. + test_importlib.util) and precedes a test (e.g. test_unittest or + test_compileall) that uses that submodule. + - Build + - gh-112088: Add Tools/build/regen-configure.sh script to + regenerate the configure with an Ubuntu container image. The + quay.io/tiran/cpython_autoconf:271 container image + (tiran/cpython_autoconf) is no longer used. Patch by Victor + Stinner. + - gh-111046: For wasi-threads, memory is now exported to fix + compatibility issues with some wasm runtimes. + - gh-103053: “make check-clean-src” now also checks if the + “python” program is found in the source directory: fail with an + error if it does exist. Patch by Victor Stinner. + - gh-109191: Fix compile error when building with recent versions + of libedit. + - IDLE + - bpo-35668: Add docstrings to the IDLE debugger module. Fix two + bugs: initialize Idb.botframe (should be in Bdb); in + Idb.in_rpc_code, check whether prev_frame is None before trying + to use it. Greatly expand test_debugger. + - C API + - gh-106560: Fix redundant declarations in the public C API. + Declare PyBool_Type and PyLong_Type only once. Patch by Victor + Stinner. + - gh-112438: Fix support of format units “es”, “et”, “es#”, and + “et#” in nested tuples in PyArg_ParseTuple()-like functions. 
+ - gh-109521: PyImport_GetImporter() now sets RuntimeError if it + fails to get sys.path_hooks or sys.path_importer_cache or they + are not list and dict correspondingly. Previously it could + return NULL without setting error in obscure cases, crash or + raise SystemError if these attributes have wrong type. + qt6-webengine +- Build with re2-10 even when re2-11 is available (bsc#1217257). + re2-11 pulls in system abseil which is incompatible with bundled abseil + causing build failure. + qt6-webengine:docs +- Build with re2-10 even when re2-11 is available (bsc#1217257). + re2-11 pulls in system abseil which is incompatible with bundled abseil + causing build failure. + rabbitmq-server +- Introduce HTTP request body limit for definition uploads (CVE-2023-46118, + bsc#1216582) + * fix-CVE-2023-46118-0.patch + * fix-CVE-2023-46118-1.patch + rasdaemon +- Update to version 0.8.0.39.git+cfabd93 (jsc#PED-7381): + * rasdaemon: ras-mc-ctl: Modify check for HiSilicon KunPeng9xx error fields + * rasdaemon: Add Emerald Rapids support + * Add a space between "diskerror_event" and "store" + * rasdaemon: ras-mc-ctl: Add support to display the THead vendor errors + * rasdaemon: add support for THead Yitian non-standard error decoder + * rasdaemon: log non_standard_event at just one line + * rasdaemon: Fix SMCA bank type decoding + * rasdaemon: Identify the DIe Number in multidie system + * rasdaemon: Handle reassigned bit definitions for UMC bank + * rasdaemon: Add new MA_LLC, USR_DP, and USR_CP bank types. + * rasdaemon: Add support for post-processing MCA errors + * rasdaemon: Handle reassigned bit definitions for CS SMCA + * rasdaemon: Update SMCA bank error descriptions + * add ':' before error output + * Add label for mainboard: ASUSTeK COMPUTER INC. Model: Z9PH-D16 Series + * Add label for mainboard: GIGABYTE model MZ62-HD0-00 + * Check CPUs online, not configured. 
+ * rasdaemon: Add support for the CXL memory module events + * rasdaemon: Add support for the CXL dram events + * rasdaemon: Add support for the CXL general media events + * rasdaemon: Add support for the CXL generic events + * rasdaemon: Add support for the CXL overflow events + * rasdaemon: Add common function to get timestamp for the event + * rasdaemon: Add common function to convert timestamp in the CXL event records to the broken-down time format + * rasdaemon: Add support for creating the vendor error tables at startup + * rasdaemon: fix issue of signed and unsigned integer comparison and remove redundant header file + * rasdaemon: fix return value type issue of read/write function from unistd.h + * Rasdaemon: Fix autoreconf build error + * ras-events: quit loop in read_ras_event when kbuf data is broken + rdma-core +- Update to v49.0 (jsc#PED-6891, jsc#PED-6864, jsc#PED-6839, jsc#PED-6836, + jsc#PED-6828, jsc#PED-6824, jsc#PED-6958, jsc#PED-6943, jsc#PED-6933, jsc#PED-6916) + - No release notes available. + restorecond +- Update to version 3.5 + * Code improvements, no user visible changes +- Added additional developer key (Jason Zaman) + +- Update to version 3.4 + * Support parallel relabeling + +- Claim ownership for %{_sysconfdir}/selinux + +- Added hardening to systemd service(s) (bsc#1181400). Added patch(es): + * harden_restorecond.service.patch + +- Update to version 3.3 + * No user visible changes + +- Update to version 3.2 + * Fix a double-close of a file descriptor + scap-security-guide +- ssg-fix-journald.patch: switch buggy journald plugindir remediation + to write into journald.conf. 
(bsc#1217832) + secvarctl +- Update to version 1.0.0~rc3 (jsc#PED-5449): + * Guest/verify: fix misbehaviour of verify and write with -p + * Guest/generate: trustedcadb variable allow only CA certificates + * Guest/Verify: -w option allowed when use -u with -p + * guest/generate: fix potential null reference in pk/append special case + +- Update to version 1.0.0~rc2+git1.1f96bad: + * guest/read: return early if next esd cannot be parsed + * guest: Remove x509 SHA GUID functions and macros + * guest/generate: change --append option to be a boolean based on presence + * guest/read: allow paths with or without a trailing slash + * Makefile: Fix installation after source reorganization +- Remove upstreamed secvarctl-install.patch + setools -- require python3, not python (bsc#1200649) +- Update to version 4.4.3: + * Fix compilation with Cython 3.0.0. + * Improve man pages. + * Remove neverallow options in sediff. + * Add -r option to seinfoflow to get flows into the source type. + * Reject a rule with no permissions as invalid policy. + +- Add python3-setuptools as a runtime requirement of python3-setools + (boo#1213305) + +- Update to version 4.4.2: + * Make NetworkX optional. sedta and seinfoflow tools, along with the + equivalent analyses in apol require NetworkX. + * Remove neverallow options in sesearch and apol. These are not usable + since they are removed in the final binary policy. +- Drop make_networkx_optional.patch, now merged upstream + +- Update to version 4.4.1: + * Replace deprecated NetworkX function use in information flow and domain + transition analysis. This function was removed in NetworkX 3.0. + * Fix bug in apol copy and cut functions when copying from a tree view. + * Fix bug with extended permission set construction when a range includes + 0x0. + * Add sesearch -Sp option for permission subset match. + * Fix error in man page description for sesearch -ep option. + * Improve output stability in constraint, common, class, role, and user + queries. 
+ * Updated permission map. + * Fix bug in sechecker parsing of multiline values. + * Other code cleanups not visible to users. + +- Added README.SUSE and drop recommend for python3-networkx altogether + (bsc#1202676) + +- Add make_networkx_optional.patch to cut down installation requirements +- Change python3-networkx from require into recommend + +- Fix dependency of python3-setools: require python3, not python + (which is python2) (bsc#1200649). + +- Update to the version 4.4.0: + * Added support for old Boolean name substitution in seinfo and sesearch. + * Added sechecker tool which is a configuration file driven analysis tool. + +- Stay on a single python3 flavor even if there are more than one + gh#openSUSE/python-rpm-macros#73 sg3_utils +- Make sure initrd is rebuilt when sg3_utils is updated + (bsc#1215772) + +- Update to version 1.47+15.b6898b8: + * rescan-scsi-bus.sh: remove /tmp/rescan-scsi-mpath-info.txt + (gh#doug-gilbert/sg3_utils#44) + * rescan_scsi_bus.sh: fix multipath issue when called with -s and + without -u (bsc#1215720, bsc#1216355) + spacecmd +- version 4.3.25-1 + * Update translation strings + spotify-easyrpm +- spotify now requires libayatana-appindicator3-1 installed to run + sssd -- ldap password policy: return failure if there are no grace logins - left; (bsc#1214434); Add patch - 0006-ldap-return-failure-if-there-are-no-grace-logins-lef.patch - -- Fix sssd entering failed state under heavy load by adding - watchdog to monitor sbus_call_DBus_Hello_send(); (bsc#1213283); - Add patch 0001-sssd-watchdog.patch - -- Fix build with MIT 1.20; Add patch - 0004-BUILD-Accept-krb5-1.20-for-building-the-PAC-plugin.patch - -- Fix sdap_access_host No matching host rule found; - (bsc#1202559); Add patch - 0001-Fix-sdap_access_host-No-matching-host-rule-found.patch - -- Fix shell command injection in sssctl via the logs-fetch and - cache-expire subcommands; (CVE-2021-3621); (bsc#1189492); Add - 
0002-TOOLS-replace-system-with-execvp-to-avoid-execution-.patch - -- Add 'ldap_ignore_unreadable_references' parameter to skip - unreadable objects referenced by 'member' attributte; - (bsc#1190775); (gh#SSSD/sssd#4893); Add patch - 0001-ldap-ignore-unreadable-references.patch - -- Fix 32-bit libraries package. Libraries were moved from sssd to - sssd-common to fix bsc#1182058 and baselibs.conf was not updated - accordingly; (bsc#1196166); +- Adapt spec file for SLE 15 SP6/Leap 15.6; (jsc#PED-6714); + * Remove package sssd-common, merged into sssd + * Continue building deprecated files provider and infopipe + responder + * Disable selinux and semanage + * Provide rcsssd shortcut + +- Fix spec file for Leap + +- /usr/etc migration, restore /etc/sssd/sssd.conf.rpmsave after + update (bsc#1216865) +- Do not install the KRB5 IDP plugin, it is useless without the + OIDC child +- Drop no longer valid --without-secrets configure switch + +- Update to release 2.9.3 + * The proxy provider is now able to handle certificate mapping + and matching rules and users handled by the proxy provider can + be configured for local Smartcard authentication. Besides the + mapping rule local Smartcard authentication should be enabled + with the `local_auth_policy` option in the backend and with + `pam_cert_auth` in the PAM responder. + +- Offer the sssd.conf template as %doc (for examples, do actually + see the "Examples" section of the sssd.conf(5) manpage) + +- Update dependencies to require the same subpackages version and + release +- Fix /usr/etc migration fragment in wrong "%pre kcm" instead of + "%pre" +- Move sss_analyze to sssd-tools package + +- Default config is unworkable, just stop installing it altogether + [boo#1216739] + +- Update to release 2.9.2 + * sssctl cert-show and cert-show cert-eval-rule can now be run as + non-root user. + * New option local_auth_policy is added to control which offline + authentication methods will be enabled by SSSD. 
+ * Fix sssd entering failed state under heavy load by adding + watchdog to monitor sbus_call_DBus_Hello_send(); (bsc#1213283); + Drop SLE patch 0001-sssd-watchdog.patch + +- Update to relese 2.9.1 + * A regression was fixed that prevented autofs lookups to + function correctly when cache_first is set to True. + * A regression where SSSD failed to properly watch for changes + in ``/etc/resolv.conf`` when it was a symbolic link or was a + relative path, was fixed. + * ldap password policy: return failure if there are no grace logins + left; (bsc#1214434); Drop SLE patch + 0006-ldap-return-failure-if-there-are-no-grace-logins-lef.patch + +- Update to release 2.9 + * The sss_simpleifp library is deprecated (and for openSUSE, + already removed) + * The "Files provider" (i.e. id_provider = files) is deprecated + (and for openSUSE, already removed) + * SSSD will no longer warn about changed defaults when using + ldap_schema = rfc2307 and default autofs mapping. + * New passkey functionality, which will allow the use of FIDO2 + compliant devices to authenticate a centrally managed user + locally. + * Add support for ldapi:// URLs to allow connections to local + LDAP servers. + * NSS IDMAP has two new methods: getsidbyusername and + getsidbygroupname. + +- Move dbus-1 system.d file to /usr (bsc#1207586) + +- Migration of PAM settings to /usr/lib/pam.d. + +- Take systemd units off the restart list that have + RefuseManualStart=yes [boo#1206592] +- Add symvers.patch [boo#1206592] [bsc#1182058] [bsc#1196166] + +- Update to release 2.8.2 + * New mapping template for serial number, subject key id, SID, + certificate hashes and DN components are added to + libsss_certmap. + +- Update to release 2.8.1 + * A regression when running sss_cache when no SSSD domain is + enabled would produce a syslog critical message was fixed. 
+ +- Update to release 2.8.0 + * Introduced the dbus function + org.freedesktop.sssd.infopipe.Users.ListByAttr(attr, value, + limit) listing upto limit users matching the filter + attr=value. + * sssctl is now able to create, list and delete indexes on the + local caches. Indexes are useful for the new D-Bus + ListByAttr() function. + * sssctl is now able to read and set each component's debug + level independently. + * A number of new configuration options are available, + cf. https://sssd.io/release-notes/sssd-2.8.0.html . + * Fix sdap_access_host No matching host rule found; + (bsc#1202559); Drop SLE patch + 0001-Fix-sdap_access_host-No-matching-host-rule-found.patch + * Accept krb5 1.20 for building the PAC plugin; Drop SLE patch + 0004-BUILD-Accept-krb5-1.20-for-building-the-PAC-plugin.patch + +- Migration to /usr/etc: Saving user changed configuration files + in /etc and restoring them while an RPM update. + +- Update to release 2.7.4 + * Lock-free client support will be only built if libc provides + pthread_key_create() and pthread_once(). For glibc this means + version 2.34+. + +- Update to release 2.7.3 + * All SSSD client libraries (nss, pam, etc) won't serialize + requests anymore by default, i.e. requests from multiple + threads can be executed in parallel. Old behavior + (serialization) can be enabled by setting environment + variable "SSS_LOCKFREE" to "NO". + +- Removed %config flag for files in /usr directory. + +- Moved logrotate files from user-specific directory /etc/logrotate.d + to vendor-specific directory /usr/etc/logrotate.d. + +- Use pam rpm macros to avoid hardcoding the directory names; + (bsc#1191047); +- Do not take ownership of %_pam_confdir directory, it is owned by + pam package + +- Update to release 2.7.2 + * A sssd-2.7.1 regression preventing successful authentication of + IPA users was fixed. + * Default value of pac_check changed to check_upn, + check_upn_dns_info_ex (for AD and IPA provider). 
+ +- Update to release 2.7.1 + * SSSD can now handle multi-valued RDNs if a unique name must + be determined with the help of the RDN. + * A regression in pam_sss_gss module causing a failure if + KRB5CCNAME environment variable was not set was fixed. + * New option `implicit_pac_responder` to control if the PAC + responder is started for the IPA and AD providers; the + default is true. + * New option `krb5_check_pac` to control the PAC validation + behavior. + * Multiple `crl_file` arguments can be used in the + `certificate_verification` option. + +- Enable subid_sss + +- Update to release 2.7.0 + * Better default for IPA/AD re_expression. Tunning for group + names containing '@' is no longer needed. + * A new debug level is added to show statistical and + performance data. + * Added support for anonymous PKINIT to get FAST credentials. + * SSSD now correctly falls back to UPN search if the user was + not found even with `cache_first = true`. + * Add 'ldap_ignore_unreadable_references' parameter to skip + unreadable objects referenced by 'member' attributte; + (bsc#1190775); (gh#SSSD/sssd#4893); Drop SLE patch + 0001-ldap-ignore-unreadable-references.patch + +- Enable selinux support +- Update Supplements to new format -- Update the private ldb modules installation following libldb2 - changes from /usr/lib64/ldb/samba to /usr/lib64/ldb2/modules/ldb/samba +- Update to release 2.6.3 + * A regression introduced in sssd-2.6.2 in the IPA provider + that prevented users from login was fixed. Access control + always denied access because the selinux_child returned an + unexpected reply. + * A critical regression that prevented authentication of users + via AD and IPA providers was fixed. LDAP port was reused for + Kerberos communication and this provider would send + incomprehensible information to this port. + * When authenticating AD users, backtrace was triggered even + though everything was working correctly. This was caused by a + search in the global catalog. 
Servers from the global catalog + are filtered out of the list before writing the KDC info + file. With this fix, SSSD does not attempt to write to the + KDC info file when performing a GC lookup. + +- Upgrade LDB_DIR shell variable to %ldbdir macro. -- Update to version 2.5.2; (jsc#SLE-17763); +- Update to release 2.6.2 + * Quick log out and log in did not correctly refresh user's + initgroups in no_session PAM schema due to lingering systemd + processes. + +- Added hardening to systemd service(s) (bsc#1181400). Added patch(es): + * harden_sssd-ifp.service.patch + * harden_sssd-kcm.service.patch + +- Update to release 2.6.1 + * New infopipe method FindByValidCertificate(). + * The default value of the "ssh_hash_known_hosts" setting was + changed to false for the sake of consistency with OpenSSH + that does not hash host names by default. + +- Update to release 2.6.0 + * Support of legacy json format for ccaches was dropped. + * Support of long time deprecated secrets responder was dropped. + * Support of long time deprecated local provider was dropped. + * The sssctl command was vulnerable to shell command injection + via the logs-fetch and cache-expire subcommands, + which was fixed; (CVE-2021-3621); (bsc#1189492); Drop SLE patch + 0002-TOOLS-replace-system-with-execvp-to-avoid-execution-.patch + * Basic support of user's 'subuid and subgid ranges' for IPA + provider and corresponding plugin for shadow-utils were added. + +- Update to release 2.5.2; (jsc#SLE-17763); -- Changes from version 2.5.1 + +- Update to release 2.5.1 -- Changes from version 2.5.0 + +- Update to release 2.5.0 -- Changes from version 2.4.2 + +- Move sssctl command from sssd to sssd-tools package; (bsc#1184289); + +- Add missing /var/lib/sss/pubconf/krb5.include.d directory (bsc#1184285). + +- Make cifs-idmap plugin (cifs_idmap_sss.so) use update-alternatives + mechanism to be able to switch between cifs-utils and sssd; + (bsc#1182682). 
+ +- Update to release 2.4.2 -- Changes from version 2.4.1 + +- Pass --with-pid-path=%{_rundir} to configure: adjust rundir + according the distro settings, i.e. /run on modern systems. + Eliminates a systemd warning like this one in the journal: + Feb 12 12:33:32 zeus systemd[1]: /usr/lib/systemd/system/sssd.service:13: + PIDFile= references a path below legacy directory /var/run/, + updating /var/run/sssd.pid → /run/sssd.pid; please update the unit file accordingly. + +- Update to release 2.4.1 -- Changes from version 2.4.0 + * Create timestamp attribute in cache objects if missing; + (bsc#1182637); + +- Update to release 2.4.0 -- Changes from version 2.3.1 + +- Build sssd's KCM. + +- Update to release 2.3.1 -- Changes from version 2.3.0 + * Rotate child debug file descriptors on SIGHUP (bsc#1080156) +- sssd-wbclient is obsolete and no longer shipped + +- Update to release 2.3.0 -- Changes from version 2.2.3 + * Update samba secrets after changing machine password; (jsc#SLE-11503); + * Delete linked local user overrides when deleting a user + (bsc#1133168) +- Drop sssd-gpo_host_security_filter-2.2.2.patch, + 0001-Resolve-computer-lookup-failure-when-sam-cn.patch, + 0001-AD-use-getaddrinfo-with-AI_CANONNAME-to-find-the-FQD.patch (merged) +- Drop 0001-Fix-build-failure-against-samba-4.12.0rc1.patch + (unapplicable) + +- Update to 2.2.3 + * New features: -- Changes from version 2.2.2 - * Removing domain from ad_enabled_domain was not reflected in SSSD’s cache. - This has been fixed. - * Because of a race condition SSSD could crash during shutdown. The race - condition was fixed. - * Fixed a bug that limited number of external groups fetched by SSSD - to 2000. - * pam_sss now properly creates gnome keyring during login. - * SSSD with KCM could wrongly pick older ccache instead of the latest one - after login. This was fixed. -- Changes from version 2.2.1 - * New options were added which allow sssd-kcm to handle bigger data. 
- * SSSD can now automatically refresh cached user data from subdomains - in IPA/AD trust. - * Fixed issue with SSSD hanging when connecting to non-responsive server - with ldaps://. + * Fix domain offline after first boot when resolv.conf is a symlink + (bsc#1136139) +- Add 0001-Fix-build-failure-against-samba-4.12.0rc1.patch + +- Fix dynamic DNS updates not using FQDN (bsc#1160587); Add + 0001-AD-use-getaddrinfo-with-AI_CANONNAME-to-find-the-FQD.patch + +- Remove leftover python2 build dependencies +- Remove python3-devel BuildRequires in favor of pkgconfig(python3) + +- SSSD GPO host entries are ignored if computer cn does not + match its samaccountname, add + 0001-Resolve-computer-lookup-failure-when-sam-cn.patch; + (jsc#SLE-9298); (bsc#1160688) + +- SSSD should accept host entries from GPO's security filter, add + sssd-gpo_host_security_filter-2.2.2.patch; (jsc#SLE-9298) + +- Install infopipe dbus service (bsc#1106598) +- Add systemd service unit files to manage socket or bus activated responders. +- All responders except infopipe are also managed by a socket unit file. +- Add missing post and postun hooks for libsss_certmap0 package. + +- Update to release 2.2.2 + * New options were added which allow sssd-kcm to handle bigger + data. See manual pages for max_ccaches, max_uid_caches and + max_ccache_size. + * SSSD can now automatically refresh cached user data from + subdomains in IPA/AD trust. + * Fixed issue with SSSD hanging when connecting to + non-responsive server with ldaps://. - * Fixed refression when dyndns_update was set to True and - dyndns_refresh_interval was not set or set to 0 then DNS records were - not updated at all. - * Fixed issue when default_domain_suffix was used with files provider - and caused all results from files domain to be fully qualified. 
- * Fixed issue with sudo rules not being visible on OpenLDAP servers - * Fixed crash with auth_provider = proxy that prevented logins -- Changes from version 2.2.0 + +- Update to new upstream release 2.2.0 - * The sssctl tool has two new commands, "cert-show" and "cert-map". -- Changes from version 2.1.0 - * Any provider can now match and map certificates to user identities. + * The sssctl tool has two new commands, "cert-show" and + "cert-map". + * Added an option to skip GPOs that have groupPolicyContainers, + unreadable by SSSD (bsc#1124194) (CVE-2018-16838) + * Fix fallback_homedir returning '/' for empty home directories + (CVE-2019-3811) (bsc#1121759) + +- Create directory to download and cache GPOs (bsc#1132879) + +- Update to new upstream release 2.1.0 + * Any provider can now match and map certificates to user + identities. - * It is now possible to refresh the KCM configuration without restarting - the whole SSSD deamon -- Changes from version 2.0.0 + * Fix sss_cache spurious error messages when invoked from shadow-utils; + (bsc#1185017); + * Fix building with newer samba versions (bsc#1137876) + * Fix memory leak in nss netgroup enumeration (bsc#1139247); + +- Install systemd service unit file created from source's template + (bsc#1120852); (bsc#1185185); +- Install logrotate configuration (bsc#1004220) +- Set journald as system logger + +- Add krb-noversion.diff so sssd_pac builds even with newer krb. + +- Add dependency to adcli for sssd-ad + (SLE15: fate#326619, bsc#1109849) + (SLE12SP4: fate#326620, bsc#1110121) + +- Update to new upstream release 2.0.0 - * The ldap_groups_use_matching_rule_in_chain and - ldap_initgroups_use_matching_rule_in_chain options and the code - that evaluated them was removed. - * The KCM responder has a new back end to store credential caches - in a local database -- Make cifs-idmap plugin (idmapwb.so) use update-alternatives - mechanism to be able to switch between cifs-utils and sssd; - (bsc#1182682). 
-- Build sssd's KCM -- Drop obsolete patches: - + 0001-SUDO-Create-the-socket-with-stricter-permissions.patch - + 0002-intg-Do-not-hardcode-nsslibdir.patch - + 0003-MONITOR-Do-not-use-two-configuration-databases.patch - + 0004-Strip-whitespaces-in-netgroup-triple.patch - + 0005-nss-sssd-returns-for-emtpy-home-directories.patch - + 0006-Rotate-child-log-files.patch - + 0007-nss-add-a-netgroup-counter-to-struct-nss_enum_index.patch - + 0008-nss-initialize-nss_enum_index-in-nss_setnetgrent.patch - + 0009-NSS-nss_clear_netgroup_hash_table-do-not-free-data.patch - + 0010-SUDO-Allow-defaults-sudoRole-without-sudoUser-attrib.patch - + 0011-GPO-Add-option-ad_gpo_ignore_unreadable.patch - + 0012-nss-use-enumeration-context-as-talloc-parent-for-cac.patch - + 0013-Revert-LDAP-IPA-add-local-email-address-to-aliases.patch - + 0014-util-Remove-the-unused-function-is_email_from_domain.patch - + 0015-MONITOR-Propagate-error-when-resolv.conf-does-not-ex.patch - + 0016-MONITOR-Add-a-new-option-to-control-resolv.conf-moni.patch - + 0017-MONITOR-Resolve-symlinks-setting-the-inotify-watcher.patch - + 0018-SYSDB-Delete-linked-local-user-overrides-when-deleti.patch - + 0019-winbind-idmap-plugin-support-inferface-version-6.patch - + 0020-winbind-idmap-plugin-fix-detection.patch - + 0021-nss-imap-add-sss_nss_getsidbyuid-and-sss_nss_getsidb.patch - + 0022-cifs-idmap-plugin-use-new-sss_nss_idmap-calls.patch - + 0023-winbind-idmap-plugin-use-new-sss_nss_idmap-calls.patch - + 0024-libwbclient-sssd-use-new-sss_nss_idmap-calls.patch - + 0025-pysss_nss_idmap-add-python-bindings-for-new-sss_nss_.patch - + 0026-winbind-idmap-plugin-update-struct-idmap_domain-to-l.patch - + 0027-utils-make-N_ELEMENTS-public.patch - + 0028-ad-replace-ARRAY_SIZE-with-N_ELEMENTS.patch - + sssd-gpo_host_security_filter-1.16.1.patch - + 0001-Resolve-computer-lookup-failure-when-sam-cn.patch - + 0031-ad-Add-support-for-passing-add-samba-data-to-adcli.patch - + 
0032-AD-use-getaddrinfo-with-AI_CANONNAME-to-find-the-FQD.patch - + 0033-Fix-build-failure-against-samba-4.12.0rc1.patch - + 0034-Use-ndr_pull_steal_switch_value-for-modern-samba-ver.patch - + 0035-ad_gpo_ndr.c-refresh-ndr_-methods-from-samba-4.12.patch - + 0036-ad_gpo_ndr.c-more-ndr-updates.patch - + 0037-UTIL-Fix-compilation-with-curl-7.62.0.patch - + 0038-CACHE-Create-timestamp-if-missing.patch - + 0039-sss_cache-Do-not-fail-for-missing-domains.patch - -- Fix sss_cache spurious error messages when invoked from shadow-utils; - (bsc#1185017); Add 0039-sss_cache-Do-not-fail-for-missing-domains.patch - -- Use /run instead of /var/run for daemon PID files; (bsc#1185185); - -- Create timestamp attribute in cache objects if missing; - (bsc#1182637); Add 0038-CACHE-Create-timestamp-if-missing.patch - -- Move sssctl command from sssd to sssd-tools package; (bsc#1184289); - -- Fix a dependency loop by moving internal libraries to sssd-common - package; (bsc#1182058); - -- Fix build against samba >= 4.12 - + 0033-Fix-build-failure-against-samba-4.12.0rc1.patch - + 0034-Use-ndr_pull_steal_switch_value-for-modern-samba-ver.patch - + 0035-ad_gpo_ndr.c-refresh-ndr_-methods-from-samba-4.12.patch - + 0036-ad_gpo_ndr.c-more-ndr-updates.patch -- Fix build with curl >= 7.62.0 - + 0037-UTIL-Fix-compilation-with-curl-7.62.0.patch - -- Fix dynamic DNS updates not using FQDN (bsc#1160587); Add - 0032-AD-use-getaddrinfo-with-AI_CANONNAME-to-find-the-FQD.patch - -- Update samba secrets after changing machine password; (jsc#SLE-11503); - Add 0031-ad-Add-support-for-passing-add-samba-data-to-adcli.patch - -- Install infopipe dbus service (bsc#1106598) - -- SSSD GPO host entries are ignored if computer cn does not - match it's samaccountname, add - 0001-Resolve-computer-lookup-failure-when-sam-cn.patch; - (jsc#SLE-9298); (bsc#1160688) + * Allow defaults sudoRole without sudoUser attribute (bsc#1135247) -- SSSD should accept host entries from GPO's security filter, add - 
sssd-gpo_host_security_filter-1.16.1.patch; (jsc#SLE-9298) - -- Fix building with newer samba versions (bsc#1137876) -- Added patches: - * 0027-utils-make-N_ELEMENTS-public.patch - * 0028-ad-replace-ARRAY_SIZE-with-N_ELEMENTS.patch - -- Update winbind idmap plugin to support interface version 6 - (jsc#SLE-9819) -- Added patches: - * 0019-winbind-idmap-plugin-support-inferface-version-6.patch - * 0020-winbind-idmap-plugin-fix-detection.patch - * 0021-nss-imap-add-sss_nss_getsidbyuid-and-sss_nss_getsidb.patch - * 0022-cifs-idmap-plugin-use-new-sss_nss_idmap-calls.patch - * 0023-winbind-idmap-plugin-use-new-sss_nss_idmap-calls.patch - * 0024-libwbclient-sssd-use-new-sss_nss_idmap-calls.patch - * 0025-pysss_nss_idmap-add-python-bindings-for-new-sss_nss_.patch - * 0026-winbind-idmap-plugin-update-struct-idmap_domain-to-l.patch - -- Delete linked local user overrides when deleting a user - (bsc#1133168) -- Added patches: - * 0018-SYSDB-Delete-linked-local-user-overrides-when-deleti.patch - -- Fix domain offline after first boot when resolv.conf is a symlink - (bsc#1136139) -- Added patches: - * 0015-MONITOR-Propagate-error-when-resolv.conf-does-not-ex.patch - * 0016-MONITOR-Add-a-new-option-to-control-resolv.conf-moni.patch - * 0017-MONITOR-Resolve-symlinks-setting-the-inotify-watcher.patch - -- Fix login not possible when email address is duplicated in ldap - attributes (bsc#1149597) -- Added patches: - * 0013-Revert-LDAP-IPA-add-local-email-address-to-aliases.patch - * 0014-util-Remove-the-unused-function-is_email_from_domain.patch - -- Fix memory leak in nss netgroup enumeration (bsc#1139247); -- Added patches: - * 0012-nss-use-enumeration-context-as-talloc-parent-for-cac.patch - -- Allow defaults sudoRole without sudoUser attribute (bsc#1135247) -- Added an option to skip GPOs that have groupPolicyContainers, - unreadable by SSSD (bsc#1124194) (CVE-2018-16838) -- Added patches: - * 0010-SUDO-Allow-defaults-sudoRole-without-sudoUser-attrib.patch - * 
0011-GPO-Add-option-ad_gpo_ignore_unreadable.patch - -- Create directory to download and cache GPOs (bsc#1132879) -- Add a netgroup counter to struct nss_enum_index (bsc#1132657) -- Added patches: - * 0007-nss-add-a-netgroup-counter-to-struct-nss_enum_index.patch - * 0008-nss-initialize-nss_enum_index-in-nss_setnetgrent.patch - * 0009-NSS-nss_clear_netgroup_hash_table-do-not-free-data.patch - -- Rotate child debug file descriptors on SIGHUP (bsc#1080156) -- Added patches: - * 0006-Rotate-child-log-files.patch +- Update to upstream release 1.16.3 + * New Features: + * kdcinfo files for informing krb5 about discovered KDCs are + now also generated for trusted domains in setups that use + id_provider=ad and IPA masters in a trust relationship with + an AD domain. + * The Kerberlos locator plugin can now process multiple + address if SSSD generates more than one. A + * Bug fixes: + * Fixed information leak due to incorrect permissions on + /var/lib/sss/pipes/sudo [CVE-2018-10852, bsc#1098377] + * Cached password are now stored with a salt. Old ones will be + regenerated on next authentication, and the auth server needs + to be reachable for that. + * The sss_ssh proces leaked file descriptors when converting + more than one X.509 certificate to an SSH public key. + * The PAC responder is now able to process Domain Local in case + the PAC uses SID compression (Windows Server 2012+). + * Address the issue that some versions of OpenSSH would close + the pipe towards sss_ssh_authorizedkeys when the matching key + is found before the rest of the output is read. + * User lookups no longer fail if user's e-mail address + conflicts with another user's fully qualified name. + * The override_shell and override_homedir options are no longer + applied to entries from the files domain. + * The grace logins with an expired password when authenticating + against certain newer versions of the 389DS/RHDS LDAP server + did not work. 
+ * Fix login not possible when email address is duplicated in ldap + attributes (bsc#1149597) + * Strip whitespaces in netgroup triples (bsc#1087320) +- Removed patches that are included upstream now: + 0001-SUDO-Create-the-socket-with-stricter-permissions.patch, + 0002-intg-Do-not-hardcode-nsslibdir.patch, + 0003-Fix-build-for-1-16-2-version.patch -- Fix fallback_homedir returning '/' for empty home directories - (CVE-2019-3811) (bsc#1121759) -- Install logrotate configuration (bsc#1004220) -- Strip whitespaces in netgroup triples (bsc#1087320) -- Align systemd service file with upstream - * Run interactive and change service type to notify (bsc#1120852) - * Replace deprecated '-f' and use '--logger' -- Fix sssd not starting in foreground mode (bsc#1125277) -- Added patches: - * 0003-MONITOR-Do-not-use-two-configuration-databases.patch - * 0004-Strip-whitespaces-in-netgroup-triple.patch - * 0005-nss-sssd-returns-for-emtpy-home-directories.patch - -- Added dependency to adcli for sssd-ad (fate#326619, bsc#1109849) +- Fixed patch name. +- Update to new minor upstream release 1.16.2 + New Features: + * The smart card authentication, or in more general certificate + authentication code now supports OpenSSL in addition to previously + supported NSS (#3489). In addition, the SSH responder can now + return public SSH keys derived from the public keys stored in a + X.509 certificate. Please refer to the ssh_use_certificate_keys + option in the man pages. + * The files provider now supports mirroring multiple passwd or + group files. This enhancement can be used to use the SSSD files + provider instead of the nss_altfiles module + Bugfixes: + * A memory handling issue in the nss_ex interface was fixed. 
This + bug would manifest in IPA environments with a trusted AD domain + as a crash of the ns-slapd process, because a ns-slapd plugin + loads the nss_ex interface (#3715) + * Several fixes for the KCM deamon were merged (see #3687, #3671, #3633) + * The ad_site override is now honored in GPO code as well (#3646) + * Several potential crashes in the NSS responder’s netgroup code + were fixed (#3679, #3731) + * A potential crash in the autofs responder’s code was fixed (#3752) + * The LDAP provider now supports group renaming (#2653) + * The GPO access control code no longer returns an error if one + of the relevant GPO rules contained no SIDs at all (#3680) + * A memory leak in the IPA provider related to resolving external + AD groups was fixed (#3719) + * Setups that used multiple domains where one of the domains had + its ID space limited using the min_id/max_id options did not + resolve requests by ID properly (#3728) + * Overriding IDs or names did not work correctly when the domain + resolution order was set as well (#3595) + * A version mismatch between certain newer Samba versions (e.g. + those shipped in RHEL-7.5) and the Winbind interface provided + by SSSD was fixed. To further prevent issues like this in the + future, the correct interface is now detected at build time (#3741) + * The files provider no longer returns a qualified name in case + domain resolution order is used (#3743) + * A race condition between evaluating IPA group memberships and + AD group memberships in setups with IPA-AD trusts that would + have manifested as randomly losing IPA group memberships assigned + to an AD user was fixed (#3744) + * Setting an SELinux login label was broken in setups where the + domain resolution order was used (#3740) + * SSSD start up issue on systems that use the libldb library + with version 1.4.0 or newer was fixed. 
+ * Update winbind idmap plugin to support interface version 6 + (jsc#SLE-9819) + * Add a netgroup counter to struct nss_enum_index (bsc#1132657) + * Fix sssd not starting in foreground mode (bsc#1125277) + Introduce a patch: + * Fix build of sssd of 1.16.2 version: + 0003-Fix-build-for-1-16-2-version.patch + (back then called fix-build.patch) + thermald +- Remove use of %with_thermalmonitor where not necessary +- Check for %is_opensuse instead of %suse_version +- Remove wrong %config from a data file +- Package the ThermalMonitor license file + +- build ThermalMonitor only if qcustomplot is available + +- jsc#PED-5716 Enable support for Thermal Controls on platform +- Move of dbus config files from /etc to /usr/share +- Fix wrongly written library name + A fix_qcustomplot_name.patch +- Make use of _service (git scm) service file: + A _service + A _servicedata + A thermal_daemon-2.5.4.0.git+63b290f.obscpio + A thermal_daemon.obsinfo +- Update to version 2.5.4.0.git+63b290f: + * Release 2.5.4 + * Change the sorting order when min_max_valid + * Process case when target matches after init + * Remove memset for pid_param_t to 0 + * Remove check for new_passive < critical + * domain_name not set and used in thd_cdev_rapl + * build warning, ret is assigned for sysfs write + * Remove duplicate type_type == HOT comparison + tinyxml -- Added tinyxml-2.62-fix-infinite-loop.patch to fix an infinite loop - for inputs containing the sequence 0xEF0x00 (bsc#1191576) (CVE-2021-42260) +- avoid assertion on certain malformed input including null-byte + (bsc#1218040) (CVE-2023-34194) +- added tinyxml-null-byte-assert.patch + +- Added tinyxml-2.62-fix-infinite-loop.patch to fix an infinite loop + for inputs containing the sequence 0xEF0x00 (bsc#1191576) + (CVE-2021-42260) -- Only require autoconf 2.62. 
- tracker-miners +- Add tracker-miners-CVE-2023-5557.patch: A bug in libcue could + lead to possible sandbox escape in tracker-extract, this fixes it + by adding seccomp rules and applying it to the whole process + (bsc#1216199, glgo#GNOME/tracker-miners!480, CVE-2023-5557). +- Refresh tracker-miners-drop-syscalls-in-seccomp.patch: The patch + context is changed by tracker-miners-CVE-2023-5557.patch. + ugrep -- update to 3.4.6: +- 4.4.1 + * ship shell completions (bash,zsh,fish) + * option -t (--file-type) now also accepts filename extensions as + shortcuts, when unambiguous, for example, the shorter form -tpy + for -tpython to select files to search + * TUI ALT-SHIFT-% switches between "bool query lines" mode, + "bool query files" mode, and bool queries off + TUI boolF mode (-%FQ) now applies syntax highlighting + * support legacy grep long options without = to bind option + arguments +- add ugrep-4.4.1-remove-shebang-from-bash-completion.patch + +- update to 4.3.6: webkit2gtk3 +- Update to version 2.42.4 (boo#1218032): + + Fix incorrect random images incorrectly displayed as + backgrounds of
elements. + + Fix videos displayed aliased after being resized e.g. in + YouTube. + + Fix several crashes and rendering issues. + + Security fixes: CVE-2023-42883. + +- Update to version 2.42.3 (boo#1217844): + + Fix flickering while playing videos with DMA-BUF sink. + + Fix color picker being triggered in the inspector when typing + "tan". + + Do not special case the "sans" font family name. + + Fix build failure with libxml2 version 2.12.0 due to an API + change. + + Fix several crashes and rendering issues. + + Security fixes: CVE-2023-42916, CVE-2023-42917. + - boo#1215868 boo#1215869 boo#1215870): + boo#1215868 boo#1215869 boo#1215870 boo#1218033): - + Security fixes: CVE-2023-39928, CVE-2023-41074, CVE-2023-32359. + + Security fixes: CVE-2023-39928, CVE-2023-41074, CVE-2023-32359, + CVE-2023-42890. whois +- Fix build on SLE + * whois-remove-malloc-attribute.patch + +- Update to 5.5.20: + * Added the .gn TLD server. + * Removed 6 new gTLDs which are no longer active. + * Enabled getopt_long(3) support on Solaris. +- Add rpmlintrc file + * whois-rpmlintrc + +- update to 5.5.19: + * Fix english support for Japanese queries to not add again the + /e argument if it had already been provided by the user + * Add the .ye and .বাংলা (.xn--54b7fta0cc, Bangladesh) TLD + servers + * Update the .ba, .bb, .dk, .es, .gt, .jo, .ml, .mo, .pa, .pn, + .sv, .uy, .ﺍﻻﺭﺪﻧ (.xn--mgbayh7gpa, Jordan) and .澳門 + (.xn--mix891f, Macao) TLD servers + * Upgrade the TLD URLs to HTTPS whenever possible + * Update the charset for whois.jprs.jp + * Remove 3 new gTLDs which are no longer active + * Remove support for the obsolete as32 dot notation + +- update to 5.5.18: + * Updated the .ga TLD server. (Closes: #1037288) + * Added new recovered IPv4 allocations. + * Removed the delegation of 43.0.0.0/8 to JPNIC. + * Removed 12 new gTLDs which are no longer active. + * Improved the man page source, courtesy of Bjarni Ingi + Gislason. + * Added the .edu.za SLD server. 
+ * Updated the .alt.za SLD server. + * Added the -ru and -su NIC handles servers. + +- update to 5.5.17: + * Added the .cd TLD server. + * Updated the -kg NIC handles server name. + * Removed 2 new gTLDs which are no longer active. + +- update to 5.5.16: + * Add bash completion support, courtesy of Ville Skyttä. + * Updated the .tr TLD server. + * Removed support for -metu NIC handles. + +- update to 5.5.15: + * Updated the .bd, .nz and .tv TLD servers. + * Added the .llyw.cymru, .gov.scot and .gov.wales SLD servers. + * Updated the .ac.uk and .gov.uk SLD servers. + * Recursion has been enabled for whois.nic.tv. + * Updated the list of new gTLDs with four generic TLDs assigned in + October 2013 which were missing due to a bug. + * Removed 4 new gTLDs which are no longer active. + * Added the Georgian translation, contributed by Temuri Doghonadze. + * Updated the Finnish translation, contributed by Lauri Nurmi. + +- update to 5.5.14: + * Added the .bf and .sd TLD servers. + * Removed the .gu TLD server. + * Updated the .dm, .fj, .mt and .pk TLD servers. + * Updated the charset for whois.nic.tr. + * Updated the list of new gTLDs. + * Removed whois.nic.fr from the list of RIPE-like servers, because it + is not one anymore. (Closes: #1021110) + * Renamed whois.arnes.si to whois.register.si in the list of RIPE-like + servers. + * Added the hiding string for whois.auda.org.au. + +- update to 5.5.13: + * Added the .sd TLD server. + * Updated the list of new gTLDs. + * Added the Turkish translation, contributed by Oğuz Ersen. + +- Update to 5.5.12: + * Updated the .pro TLD server, which was totally broken. + * Fixed the detection of Japanese locales using $LC_MESSAGES. + * Implemented providing partial salt strings to mkpasswd. + * Removed 2 new gTLDs which are no longer active. + * Updated one or more translations. + * Enabled full hardening in debian/rules. 
+- Cleanup build requirements for SLE-11 + +- update to 5.5.11: + * Implemented a --no-recursion command line option to disable recursion + from registrar to registry servers. + * Updated the .pro, .vu and .xxx TLD servers. + * Updated the list of new gTLDs. + * Removed 7 new gTLDs which are no longer active. + wireless-regdb +- Define %{_firmwaredir} if not defined. This fixes RPM build errors. + +- Update to version 20230901: + * wireless-regdb: update regulatory database based on preceding changes + * wireless-regdb: Update regulatory rules for Australia (AU) for June 2023 + +- Update to version 20230721: + * wireless-regdb: Update regulatory info for Türkiye (TR) + * wireless-regdb: Update regulatory rules for Egypt (EG) from March 2022 guidelines + +- Update to version 20230601: + * wireless-regdb: Update regulatory rules for Philippines (PH) + +- Update to version 20230503: + * wireless-regdb: update regulatory database based on preceding changes + * wireless-regdb: Update regulatory rules for Hong Kong (HK) + * wireless-regdb: update regulatory rules for India (IN) + * wireless-regdb: Update regulatory rules for Russia (RU). Remove DFS requirement. 
+ * Update regulatory info for Russia (RU) on 6GHz + +- Update to version 20230213: + * wireless-regdb: update regulatory database based on preceding changes + * wireless-regdb: Update regulatory info for Russia (RU) on 5GHz + +- Update to version 20221205: + * wireless-regdb: Update regulatory rules for Japan (JP) on 6GHz + * wireless-regdb: Update regulatory rules for Japan (JP) on 5GHz + +- Update to version 20221012: + * wireless-regdb: update regulatory rules for Switzerland (CH) + * wireless-regdb: Update regulatory rules for Brazil (BR) + +- Update to version 20220812: + * wireless-regdb: update regulatory database based on preceding changes + * wireless-regdb: update 5 GHz rules for PK and add 60 GHz rule + * wireless-regdb: add 5 GHz rules for GY + * wireless-regdb: update regulatory database based on preceding changes + * wireless-regdb: Unify 6 GHz rules for EU contries + * wireless-regdb: Remove AUTO-BW from 6 GHz rules + * wireless-regdb: update regulatory rules for Bulgaria (BG) on 6GHz + * Regulatory update for 6 GHz operation in FI + * Regulatory update for 6 GHz operation in United States (US) + * Regulatory update for 6 GHz operation in Canada (CA) + +- Update to version 20220606: + * wireless-regdb: update regulatory database based on preceding changes + * wireless-regdb: Unify 6 GHz rules for EU contries + * wireless-regdb: Remove AUTO-BW from 6 GHz rules + +- Update to version 20220527: + * wireless-regdb: update regulatory rules for Bulgaria (BG) on 6GHz + * Regulatory update for 6 GHz operation in FI + * Regulatory update for 6 GHz operation in United States (US) + * Regulatory update for 6 GHz operation in Canada (CA) + +- Update to version 20220408: + * wireless-regdb: add db files missing from previous commit + * wireless-regdb: update regulatory database based on preceding changes + * wireless-regdb: Update regulatory rules for Australia (AU) + * wireless-regdb: add missing spaces for US S1G rules + +- Update to version 20220324: + * 
wireless-regdb: Update regulatory rules for Israel (IL) + +- Update to version 20220218: + * wireless-regdb: update regulatory database based on preceding changes + * wireless-regdb: Update regulatory rules for the Netherlands (NL) on 6GHz + * wireless-regdb: Update regulatory rules for China (CN) + * wireless-regdb: Update regulatory rules for South Korea (KR) + * Revert "wireless-regdb: Update regulatory rules for South Korea (KR)" + * wireless-regdb: Update regulatory rules for Spain (ES) on 6GHz + * wireless-regdb: add 802.11ah bands to world regulatory domain + * wireless-regdb: add support for US S1G channels + * wireless-regdb: Update regulatory rules for France (FR) on 6 and 60 GHz + * wireless-regdb: Update regulatory rules for South Korea (KR) + +- Update to version 20220108: + * wireless-regdb: Update regulatory rules for Croatia (HR) on 6GHz + +- Update to version 20211209: + * wireless-regdb: Raise DFS TX power limit to 250 mW (24 dBm) for the US + +- Update to version 20210828: + * wireless-regdb: update regulatory database based on preceding changes + * Update regulatory rules for Ecuador (EC) + * wireless-regdb: Update regulatory rules for Norway (NO) on 6 and 60 GHz + * wireless-regdb: Update regulatory rules for Germany (DE) on 6GHz + * wireless-regdb: update regulatory database based on preceding changes + * wireless-regdb: reduce bandwidth for 5730-5850 and 5850-5895 MHz in US + * wireless-regdb: remove PTMP-ONLY from 5850-5895 MHz for US + * wireless-regdb: recent FCC report and order allows 5850-5895 immediately + * wireless-regdb: update 5725-5850 MHz rule for GB + +- Update to version 20210421: + * wireless-regdb: update regulatory database based on preceding changes + * wireless-regdb: re-add source url and info for CU + +- Update to version 20210407: + * wireless-regdb: Update regulatory rules for Cuba (CU) on 5GHz + * wireless-regdb: Do not hardcode 'sforshee' in the certificate commonName + +- Update to version 20210129: + * 
wireless-regdb: Update regulatory rules for Ukraine (UA) + * wireless-regdb: update CNAF regulation url for ES + +- leverage %{_firmwaredir} to install firmware into correct location (boo#1029961) + +- Update to version 20201120: + * wireless-regdb: update regulatory database based on preceding changes + * wireless-regdb: Update regulatory rules for Kazakhstan (KZ) + * wireless-regdb: update 5.8 GHz regulatory rule for GB + * wireless-regdb: Update regulatory rules for Pakistan (PK) on 5GHz + * wireless-regdb: Update regulatory rules for Croatia (HR) + * wireless-regdb: restore channel 12 & 13 limitation in the US + * wireless-regdb: update regulatory rules for Egypt (EG) + +- Fixes for %_libexecdir changing to /usr/libexec + +- Update to version 20200429: + * wireless-regdb: update regulatory database based on preceding changes + * wireless-regdb: update rules for US on 2.4/5G + * GB: Extend to cover DMG channels 5 & 6 + * wireless-regdb: Update regulatory rules for Singapore (SG) + * wireless-regdb: Update regulatory rules for Indonesia (ID) + +- Update to version 20191029: + * regdb: fix compatibility with python2 + * wireless-regdb: Update regulatory rules for Russia (RU) + * wireless-regdb: Harmonize ranges of CEPT countries (stand of July 2019) + * wireless-regdb: Fix ranges of EU countries as they are harmonized since 2014 + * wireless-regdb: Extend 5470-5725 MHz range to 5730 MHz for Taiwan (TW) + * wireless-regdb: Fix overlapping ranges for Switzerland and Liechtenstein + * wireless-regdb: update regulatory database based on preceding changes +- Switch to _service +- Update project url + wireshark +- Wireshark 3.6.19: + * CVE-2023-6175: NetScreen file parser crash (bsc#1217272). 
+- Further features, bug fixes and updated protocol support as listed in: + https://www.wireshark.org/docs/relnotes/wireshark-3.6.19.html + xf86-video-intel +- n_Mesa-i965-crocus.patch + * Mesa's DRI driver is now called "crocus" (previously "i965"); + fixes hardware OpenGL support when still using "intel" X + driver instead of "modesetting" one ... (boo#1214448) + xfsprogs +- update to v6.5.0 (bsc#1217575, bsc#1217576): + - libxfs: fix atomic64_t detection on x86_32 + - libxfs: use XFS_IGET_CREATE when creating new files + - libfrog: fix overly sleep workqueues + - xfs_db: use directio for device access + - libxfs: make platform_set_blocksize optional with directio + - mkfs: add a config file for 6.6 LTS kernels + - mkfs: enable reverse mapping by default + - mkfs: enable large extent counts by default + - xfs_db: create unlinked inodes + - xfs_db: dump unlinked buckets + - xfsprogs: don't allow udisks to automount XFS filesystems with no prompt + - xfs_repair: fix repair failure caused by dirty flag being abnormally set on buffer +- drop: + - 0001-repair-shift-inode-back-into-place-if-corrupted-by-b.patch + - xfsprogs-mkfs-disable-reflink-support-by-default.patch + - xfsprogs-mkfs-don-t-trample-the-gid-set-in-the-protofile.patch + - xfsprogs-mkfs-enable-bigtime-by-default.patch + - xfsprogs-mkfs-prevent-corruption-of-passed-in-suboption-strin.patch + - xfsprogs-mkfs-terminate-getsubopt-arrays-properly.patch + - xfsprogs-xfs_repair-ignore-empty-xattr-leaf-blocks.patch +- mkfs: disable inobtcnt and nrext64 features by default + - add xfsprogs-mkfs-disable-inobtcnt-and-nrext64-features-by-defaul.patch + xorg-x11-server +- Add missing fixes on U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch + (bsc#1217765). 
+ +- U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch + * Out-of-bounds memory write in XKB button actions (CVE-2023-6377, + ZDI-CAN-22412, ZDI-CAN-22413, bsc#1217765) +- U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch + * Out-of-bounds memory read in RRChangeOutputProperty and + RRChangeProviderProperty (CVE-2023-6478, ZDI-CAN-22561, + bsc#1217766) + xrdp +- Update xrdp-CVE-2023-42822.patch + + fix bsc#1217759: xrdp login screen does not show any text + xscreensaver +- Update xscreensaver-disable-upgrade-nagging-message.patch to + cover new messages. (boo#1206345, bsc#1217318) + xwayland +- Add missing fixes on U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch + (bsc#1217765). + +- U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch + * Out-of-bounds memory write in XKB button actions (CVE-2023-6377, + ZDI-CAN-22412, ZDI-CAN-22413, bsc#1217765) +- U_bsc1217766-randr-avoid-integer-truncation-in-length-check-of-Pr.patch + * Out-of-bounds memory read in RRChangeOutputProperty and + RRChangeProviderProperty (CVE-2023-6478, ZDI-CAN-22561, + bsc#1217766) + yast2-bootloader -- support 32 bit UEFI firmware on x86_64/i386 architecture (bsc#1208003, - jsc#PED-2569) -- 4.6.3 +- Backport: +-- support 32 bit UEFI firmware on x86_64/i386 architecture + (bsc#1208003, jsc#PED-2569) +- 4.6.4 -- Persist zfcp.allow_lun_scan kernel option for s390 arch - (needed for gh#openSUSE/agama#626). -- 4.6.2 +- Branch package for SP6 (bsc#1208913) -- 4.6.1 - -- Bump version to 4.6.0 (bsc#1208913) +- 4.5.9 yast2-network +- Read all the driver modules from hwinfo instead of just the first + driver ones (bsc#1217652). +- 4.6.7 + yast2-s390 -- Fix detection of the zFCP controller running mode to check - whether the controller is doing auto LUN scan (related to - gh#openSUSE/agama#634). -- 4.6.4 +- onpanic: add support for multipathed zfcp-attached SCSI disks + (bsc#1020336, also related to bsc#1216257). 
+- 4.6.5 -- Add info about allow_lun_scan option (related to - gh#openSUSE/agama#626). -- 4.6.3 - -- Expose zFCP core functionallity (related to - gh#openSUSUE/agama#594) -- 4.6.2 +- Branch package for SP6 (bsc#1208913) -- 4.6.1 - -- Bump version to 4.6.0 (bsc#1208913) +- 4.5.3 zbar +- security update: + * CVE-2023-40889 [bsc#1214770] + Fix heap based buffer overflow in qr_reader_match_centers() + + zbar-CVE-2023-40889.patch + * CVE-2023-40890 [bsc#1214771] + Fix stack based buffer overflow in lookup_sequence() + + zbar-CVE-2023-40890.patch +
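Review bot: In the xorg-x11-server and xwayland hunks, the newest entry ("Add missing fixes on U_bsc1217765-Xi-allocate-enough-XkbActions-for-our-buttons.patch") cites only bsc#1217765, while the entry that introduced the patch cites CVE-2023-6377, ZDI-CAN-22412 and ZDI-CAN-22413. The follow-up entry should repeat CVE-2023-6377 so that anyone auditing the changelog for that CVE sees that the patch was amended after it was first added, and can tell which build carries the amended patch.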
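Review bot: In the added sssd 1.16.3 entry, the locator plugin item ends with a dangling "A" after "more than one.", which reads as a sentence that was cut off; either complete it or drop the fragment. The same entry misspells "Kerberos" as "Kerberlos" and "process" as "proces", and "Cached password are" should be plural.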