Packages changed:
  apache2
  bash
  busybox
  chrony (3.4 -> 3.5)
  dhcp
  file
  libssh2_org
  ncurses
  openssh (7.9p1 -> 8.1p1)
  openvpn
  perl-Cpanel-JSON-XS (4.14 -> 4.15)
  pidgin
  pmdk (1.6 -> 1.7)
  speech-dispatcher (0.9.0 -> 0.9.1)
  talloc
  texinfo
  vim
  virtualbox (6.0.12 -> 6.0.14)
  xorg-x11-server (1.20.5 -> 1.20.5+24)
  yast2-schema (4.2.4 -> 4.2.5)
  zlib

=== Details ===

==== apache2 ====
Subpackages: apache2-devel apache2-doc apache2-example-pages apache2-prefork apache2-utils

- load private keys and certificates from pkcs11 token [SLE-7653]
- added patches
  load certificates from openssl engine
  + apache2-load-certificates-from-pkcs11.patch
  load private keys from openssl engine
  + apache2-load-private-keys-from-pkcs11.patch

==== bash ====
Subpackages: bash-doc bash-lang

- Remove PILOTPORT and PILOTRATE environment variable from
  default ~/.bashrc (/etc/skel/.bashrc) (bsc#1123510)
- Move definitions of environment variables from ~/.bashrc to
  ~/.profile (/etc/skel/.profile)

==== busybox ====

- Add man.conf to container variant

==== chrony ====
Version update (3.4 -> 3.5)

- Fix asciidoc in Tumbleweed
- Revert clknetsim to version 58c5e8b
- Fix incorrect download link for package signature
- Temporarily disable signature usage as it's expired
- Update clknetsim to version ac3c832
- fix chrony-service-helper.patch
- Update to 3.5:
  + Add support for more accurate reading of PHC on Linux 5.0
  + Add support for hardware timestamping on interfaces with read-only timestamping configuration
  + Add support for memory locking and real-time priority on FreeBSD, NetBSD, Solaris
  + Update seccomp filter to work on more architectures
  + Validate refclock driver options
  + Fix bindaddress directive on FreeBSD
  + Fix transposition of hardware RX timestamp on Linux 4.13 and later
  + Fix building on non-glibc systems

==== dhcp ====
Subpackages: dhcp-client dhcp-doc dhcp-relay dhcp-server

- bsc#1134078, CVE-2019-6470, dhcp-CVE-2019-6470.patch:
  DHCPv6 server crashes regularly.
- Add compile option --enable-secs-byteorder to avoid duplicate
  lease warnings [bsc#1089524].
- Make systemd a weak dependency as we don't want that in a container
- bsc#1136572: Use IPv6 when called as dhclient6, dhcpd6, and
  dhcrelay6 (0021-dhcp-ip-family-symlinks.patch).

==== file ====
Subpackages: file-magic libmagic1

- Add temporary patch CVE-2019-18218-46a8443f.patch from upstream
  to fix bsc#1154661 -- heap-based buffer overflow in cdf_read_property_info in cdf.c
- Let python-magic build with latest rpm

==== libssh2_org ====

- Security fix: [bsc#1154862, CVE-2019-17498]
  * The SSH_MSG_DISCONNECT:packet.c logic has an integer overflow in
    a bounds check that might lead to disclosure of sensitive information
    or cause a denial of service
  * Add patch libssh2_org-CVE-2019-17498.patch

==== ncurses ====
Subpackages: libncurses6 ncurses-devel ncurses-utils tack terminfo terminfo-base terminfo-screen

- Add ncurses patch 20191019
  + modify make_hash to not require --disable-leaks, to simplify building
    with address-sanitizer.
  + modify tic to exit if it cannot remove a conflicting name, because
    treating that as a partial success can cause an infinite loop in
    use-resolution (report/testcase by Hongxu Chen, cf: 20111001).
- Add ncurses patch 20191015
  + improve buffer-checks in captoinfo.c, for some cases when the
    input string is shorter than expected.
  > fix two errata in tic (report/testcases by Hongxu Chen):
  + check for missing character after backslash in write_it
  + check for missing characters after "%>" when converting from termcap
    syntax (cf: 980530).
- Avoid recursion trouble in spec file caused by undefined _lto_cflags
- Add ncurses patch 20191012
  + amend recent changes to ncurses*-config and pc-files to filter out
    Debian linker-flags (report by Sven Joachim, cf: 20150516).
  + clarify relationship between tic, infocmp and captoinfo in manpage.
  + check for invalid hashcode in _nc_find_type_entry and
    _nc_find_name_entry.
  > fix several errata in tic (reports/testcases by "zjuchenyuan"):
  + check for invalid hashcode in _nc_find_entry.
  + check for missing character after backslash in fmt_entry
  + check for acsc with odd length in dump_entry in check for one-one
    mapping (cf: 20060415);
  + check length when converting from old AIX box_chars_1 capability,
    overlooked in changes to eliminate strcpy (cf: 20001007).
- Add ncurses patch 20191005
  + modify the ncurse*-config and pc-files to more closely match for the
    -I and -l options.

==== openssh ====
Version update (7.9p1 -> 8.1p1)
Subpackages: openssh-helpers

- Add openssh-7.9p1-keygen-preserve-perms.patch (bsc#1150574).
  This attempts to preserve the permissions of any existing
  known_hosts file when modified by ssh-keygen (for instance,
  with -R).
- Add patch from upstream openssh-7.9p1-revert-new-qos-defaults.patch
- Run 'ssh-keygen -A' on startup only if SSHD_AUTO_KEYGEN="yes"
  in /etc/sysconfig/ssh. This is set to "yes" by default, but
  can be changed by the system administrator (bsc#1139089).
- Version update to 8.1p1:
  * ssh-keygen(1): when acting as a CA and signing certificates with
    an RSA key, default to using the rsa-sha2-512 signature algorithm.
    Certificates signed by RSA keys will therefore be incompatible
    with OpenSSH versions prior to 7.2 unless the default is
    overridden (using "ssh-keygen -t ssh-rsa -s ...").
  * ssh(1): Allow %n to be expanded in ProxyCommand strings
  * ssh(1), sshd(8): Allow prepending a list of algorithms to the
    default set by starting the list with the '^' character, E.g.
    "HostKeyAlgorithms ^ssh-ed25519"
  * ssh-keygen(1): add an experimental lightweight signature and
    verification ability. Signatures may be made using regular ssh keys
    held on disk or stored in a ssh-agent and verified against an
    authorized_keys-like list of allowed keys. Signatures embed a
    namespace that prevents confusion and attacks between different
    usage domains (e.g. files vs email).
  * ssh-keygen(1): print key comment when extracting public key from a
    private key.
  * ssh-keygen(1): accept the verbose flag when searching for host keys
    in known hosts (i.e. "ssh-keygen -vF host") to print the matching
    host's random-art signature too.
  * All: support PKCS8 as an optional format for storage of private
    keys to disk.  The OpenSSH native key format remains the default,
    but PKCS8 is a superior format to PEM if interoperability with
    non-OpenSSH software is required, as it may use a less insecure
    key derivation function than PEM's.
- Additional changes from 8.0p1 release:
  * scp(1): Add "-T" flag to disable client-side filtering of
    server file list.
  * sshd(8): Remove support for obsolete "host/port" syntax.
  * ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in
    PKCS#11 tokens.
  * ssh(1), sshd(8): Add experimental quantum-computing resistant
    key exchange method, based on a combination of Streamlined NTRU
    Prime 4591^761 and X25519.
  * ssh-keygen(1): Increase the default RSA key size to 3072 bits,
    following NIST Special Publication 800-57's guidance for a
    128-bit equivalent symmetric security level.
  * ssh(1): Allow "PKCS11Provider=none" to override later instances of
    the PKCS11Provider directive in ssh_config.
  * sshd(8): Add a log message for situations where a connection is
    dropped for attempting to run a command but a sshd_config
    ForceCommand=internal-sftp restriction is in effect.
  * ssh(1): When prompting whether to record a new host key, accept
    the key fingerprint as a synonym for "yes". This allows the user
    to paste a fingerprint obtained out of band at the prompt and
    have the client do the comparison for you.
  * ssh-keygen(1): When signing multiple certificates on a single
    command-line invocation, allow automatically incrementing the
    certificate serial number.
  * scp(1), sftp(1): Accept -J option as an alias to ProxyJump on
    the scp and sftp command-lines.
  * ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v"
    command-line flags to increase the verbosity of output; pass
    verbose flags through to subprocesses, such as ssh-pkcs11-helper
    started from ssh-agent.
  * ssh-add(1): Add a "-T" option to allow testing whether keys in
    an agent are usable by performing a signature and a verification.
  * sftp-server(8): Add a "lsetstat@openssh.com" protocol extension
    that replicates the functionality of the existing SSH2_FXP_SETSTAT
    operation but does not follow symlinks.
  * sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request
    they do not follow symlinks.
  * sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes
    the connection 4-tuple available to PAM modules that wish to use
    it in decision-making.
  * sshd(8): Add a ssh_config "Match final" predicate. Matches in same
    pass as "Match canonical" but doesn't require hostname
    canonicalisation be enabled.
  * sftp(1): Support a prefix of '@' to suppress echo of sftp batch
    commands.
  * ssh-keygen(1): When printing certificate contents using
    "ssh-keygen -Lf /path/certificate", include the algorithm that
    the CA used to sign the cert.
- Rebased patches:
  * openssh-7.7p1-IPv6_X_forwarding.patch
  * openssh-7.7p1-X_forward_with_disabled_ipv6.patch
  * openssh-7.7p1-cavstest-ctr.patch
  * openssh-7.7p1-cavstest-kdf.patch
  * openssh-7.7p1-disable_openssl_abi_check.patch
  * openssh-7.7p1-fips.patch
  * openssh-7.7p1-fips_checks.patch
  * openssh-7.7p1-hostname_changes_when_forwarding_X.patch
  * openssh-7.7p1-ldap.patch
  * openssh-7.7p1-seed-prng.patch
  * openssh-7.7p1-sftp_force_permissions.patch
  * openssh-7.7p1-sftp_print_diagnostic_messages.patch
  * openssh-8.0p1-gssapi-keyex.patch (formerly
    openssh-7.7p1-gssapi_key_exchange.patch)
  * openssh-8.1p1-audit.patch (formerly openssh-7.7p1-audit.patch)
- Removed patches (integrated upstream):
  * 0001-upstream-Fix-two-race-conditions-in-sshd-relating-to.patch
  * openssh-7.7p1-seccomp_ioctl_s390_EP11.patch
  * openssh-7.9p1-CVE-2018-20685.patch
  * openssh-7.9p1-brace-expansion.patch
  * openssh-CVE-2019-6109-force-progressmeter-update.patch
  * openssh-CVE-2019-6109-sanitize-scp-filenames.patch
  * openssh-CVE-2019-6111-scp-client-wildcard.patch
- Removed patches (obsolete):
  * openssh-openssl-1_0_0-compatibility.patch

==== openvpn ====

- Add p11kit build time dependency for pkcs providers autodetection

==== perl-Cpanel-JSON-XS ====
Version update (4.14 -> 4.15)

- updated to 4.15
  see /usr/share/doc/packages/perl-Cpanel-JSON-XS/Changes
  4.15 2019-10-21 (rurban)
  - Fix more tests for nvtype long double

==== pidgin ====
Subpackages: libpurple libpurple-lang libpurple-tcl

- Add pidgin-Leaky-deprecation-clean-ups.patch: Fix warnings of
  deprecation of GParameter that result in build failures of
  plugins that build with -Werror (pidgin.im#17415).

==== pmdk ====
Version update (1.6 -> 1.7)
Subpackages: libpmem1

- Update to PMDK 1.7 (jsc#SLE-9886)
  - Introduces new APIs in libpmemobj for managing space used by transactions.
    (see pmemobj_tx_log_append_buffer man page for details)
  - Introduces new APIs in librpmem, splitting rpmem_persist into rpmem_flush
    and rpmem_drain, allowing applications to use the flush + drain model
    already known from libpmem. (libpmemobj does not use this feature yet)
  - Optimizes large libpmemobj transactions by significantly reducing
    the amount of memory modified at the commit phase.
  - Optimizes tracking of libpmemobj reservations.
  - Adds new flags for libpmemobj's pmemobj_tx_xadd_range[_direct] API:
    POBJ_XADD_NO_SNAPSHOT and POBJ_XADD_ASSUME_INITIALIZED, allowing
    applications to optimize how memory is tracked by the library.
- To support some of the above changes the libpmemobj on-media layout had
  to be changed, which means that old pools have to be converted using
  pmdk-convert >= 1.7.

==== speech-dispatcher ====
Version update (0.9.0 -> 0.9.1)
Subpackages: libspeechd2 python3-speechd speech-dispatcher-configure speech-dispatcher-module-espeak

- Drop -ibmtts package for now. It requires a third-party library
  which we do not package.
- Drop intltool from BuildRequires. Require gettext.
- Exclude ibmtts.conf from the main package.
- Update to version 0.9.1:
  * Add module for the non-free IBM TTS (voxin) speech synthesis.
  * Extend licence to later versions of GPL and LGPL.
  * Update mailing list address to savannah.
  * Make generic modules fallback to existing voices.
- Create separate package for ibmtts module: most users won't use
  this.

==== talloc ====
Subpackages: libtalloc2 libtalloc2-32bit python3-talloc

- Add two patches making build compatible with Python 3.8.0:
  - waf_upgrade.patch
  - waf_use_native_waf_timer.patch

==== texinfo ====
Subpackages: info info-std makeinfo

- Delete info-dir as not required anymore
- Mark /usr/share/info/dir as %ghost
- Add a rpmlintrc file to silence useless warnings

==== vim ====
Subpackages: gvim vim-data vim-data-common

- Add python38-config.patch to make vim buildable with new Python 3.8.
  (gh#vim/vim#4080)

==== virtualbox ====
Version update (6.0.12 -> 6.0.14)
Subpackages: virtualbox-guest-tools virtualbox-guest-x11 virtualbox-kmp-default

- Tweak file setup for appstream.
- Add directory %{buildroot}%{_datadir}/metainfo for metafile "virtualbox.appdata.xml"
- Add appstream file (boo#1154128)
- Version bump to 6.0.14 (released October 15 2019 by Oracle)
  This is a maintenance release. The following items were fixed and/or added:
  Virtualization core: fixed an invalid-guest state guru meditation in some rare circumstances on Intel hosts
  Virtualization core: some fixes for systems with lots of processors
  Audio: relaxed VRM / VRA (variable rate audio) bit checks to provide more compatibility for guests running ALSA setups with the AC'97 emulation
  USB: made device capturing for passthrough more accurate and reliable on Windows host
  Network: fixed potential issue with interrupt signalling for network adapters in UEFI guests
  3D: fixed flicker and redraw issues when using VBoxSVGA or VMSVGA graphics adapter (bugs #18562, #18956)
  3D: fixed crash with some applications when using VBoxSVGA or VMSVGA graphics adapter (bug #18638)
  macOS host: fix crash of GUI VM process which showed up frequently with 10.15 Catalina (bug #18990)
  Linux host: support Linux 5.3, thank you Larry Finger (see also bug #18911)
  Linux host: improve python version detection during rpm package creation, can change package dependencies and fix some installation problems
  Linux guests: calls to aio_read(3) and aio_write(3) may fail inside shared folders (bug #18805)
  Linux guests: fix problem with shared folder unmounting in service script, thank you Denis Ryndine (bug #18853)
  Linux guests: VBox 6.0.10 GAs fail to compile on Red Hat/CentOS/Oracle Linux 7.7 and Red Hat 8.1 Beta (bug #18917)
  Fix vulnerabilities CVE-2019-3028 CVE-2019-3017 CVE-2019-2944 CVE-2019-3026 CVE-2019-3021
    CVE-2019-2984 CVE-2019-3002 CVE-2019-3005 CVE-2019-3031 CVE-2019-1547
    CVE-2019-2926 (bsc#1154166)
  Removed file "fixes_for_5.3.patch" - fixes included upstream.

==== xorg-x11-server ====
Version update (1.20.5 -> 1.20.5+24)
Subpackages: xorg-x11-server-Xvfb xorg-x11-server-extra xorg-x11-server-sdk xorg-x11-server-wayland

- Update to version 1.20.5+24:
  * Fix crash on XkbSetMap
- Drop unneeded obsinfo file and tweak _service.
- Update to version 1.20.5+22:
  * miext/sync:
  - Make struct _SyncObject::initialized fully ABI compatible
  - Fix needless ABI change
  * xf86: Disable unused crtc functions when a lease is revoked
  * xwayland:
  - Handle the case of windows being realized before redirection
  - Refactor surface creation into a separate function
  - Separate DamagePtr into separate window data
  - Do not free a NULL GBM bo
  - Expand the RANDR screen size limits
  - Update screen pixmap on output resize
  - Reset scheduled frames after hiding tablet cursor
  - Check status in GBM pixmap creation
  - Avoid a crash on pointer enter with a grab
  * GLX:
  - Fix previous context validation in xorgGlxMakeCurrent
  - Set GlxServerExports::{major,minor}Version
  - Add a function to change a clients vendor list
  - Use the sending client for looking up XID's
  - Add a per-client vendor mapping
  * xsync: Add resource inside of SyncCreate, export SyncCreate
  * dri2: Sync i965_pci_ids.h from mesa
  * Xi: Use current device active grab to deliver touch events if
    any
  * Revert "present/scmd: Check that the flip and screen pixmap
    pitches match"
  * glamor: Make pixmap exportable from `gbm_bo_from_pixmap()`
- Drop patches fixed upstream:
  * U_xwayland-Separate-DamagePtr-into-separate-window-data.patch
  * 0001-xsync-Add-resource-inside-of-SyncCreate-export-SyncC.patch
  * 0002-GLX-Add-a-per-client-vendor-mapping.patch
  * 0003-GLX-Use-the-sending-client-for-looking-up-XID-s.patch
  * 0004-GLX-Add-a-function-to-change-a-clients-vendor-list.patch
  * 0005-GLX-Set-GlxServerExports-major-minor-Version.patch
- Switch to gitcheckout via source service, use the stable released
  branch but set explicit commit used in _service.

==== yast2-schema ====
Version update (4.2.4 -> 4.2.5)

- Added extra_services to security.rnc file (bsc#1153623).
- 4.2.5

==== zlib ====
Subpackages: libminizip1 libz1 libz1-32bit zlib-devel

- Add SUSE specific patch to fix bsc#1138793, we simply don't want
  to test if the app was linked with exactly the same version of zlib
  as the one that is present at runtime:
  * zlib-no-version-check.patch