Packages changed:
bash
chrony (3.4 -> 3.5)
cloud-init
dhcp
file
ncurses
openssh (7.9p1 -> 8.1p1)
slirp4netns (0.4.1 -> 0.4.2)
talloc
texinfo
vim
zlib
=== Details ===
==== bash ====
- Remove PILOTPORT and PILOTRATE environment variable from
default ~/.bashrc (/etc/skel/.bashrc) (bsc#1123510)
- Move definitions of environment variables from ~/.bashrc to
~/.profile (/etc/skel/.profile)
==== chrony ====
Version update (3.4 -> 3.5)
- Fix asciidoc in Tumbleweed
- Revert clknetsim to version 58c5e8b
- Fix incorrect download link for package signature
- Temporarily disable signature usage as its expired
- Update clknetsim to version ac3c832
- fix chrony-service-helper.patch
- Update to 3.5:
+ Add support for more accurate reading of PHC on Linux 5.0
+ Add support for hardware timestamping on interfaces with read-only timestamping configuration
+ Add support for memory locking and real-time priority on FreeBSD, NetBSD, Solaris
+ Update seccomp filter to work on more architectures
+ Validate refclock driver options
+ Fix bindaddress directive on FreeBSD
+ Fix transposition of hardware RX timestamp on Linux 4.13 and later
+ Fix building on non-glibc systems
==== cloud-init ====
- Add cloud-init-renderer-detect.patch (bsc#1154092, boo#1142988)
+ Short curcuit the conditional for identifying the sysconfig renderer.
If we find ifup/ifdown accept the renderer as available.
- Add cloud-init-break-resolv-symlink.patch (bsc#1151488)
+ If /etc/resolv.conf is a symlink break it. This will avoid netconfig
from clobbering the changes cloud-init applied.
==== dhcp ====
Subpackages: dhcp-client
- bsc#1134078, CVE-2019-6470, dhcp-CVE-2019-6470.patch:
DHCPv6 server crashes regularly.
- Add compile option --enable-secs-byteorder to avoid duplicate
lease warnings [bsc#1089524].
- Make systemd a weak dependency as we don't want that in a container
- bsc#1136572: Use IPv6 when called as dhclient6, dhcpd6, and
dhcrelay6 (0021-dhcp-ip-family-symlinks.patch).
==== file ====
Subpackages: file-magic libmagic1
- Add temporary patch CVE-2019-18218-46a8443f.patch from upstream
to fix bsc#1154661 -- heap-based buffer overflow in cdf_read_property_info in cdf.c
- Let python-magic build with latest rpm
==== ncurses ====
Subpackages: libncurses6 ncurses-utils terminfo terminfo-base
- Add ncurses patch 20191019
+ modify make_hash to not require --disable-leaks, to simplify building
with address-sanitizer.
+ modify tic to exit if it cannot remove a conflicting name, because
treating that as a partial success can cause an infinite loop in
use-resolution (report/testcase by Hongxu Chen, cf: 20111001).
- Add ncurses patch 20191015
+ improve buffer-checks in captoinfo.c, for some cases when the
input string is shorter than expected.
> fix two errata in tic (report/testcases by Hongxu Chen):
+ check for missing character after backslash in write_it
+ check for missing characters after "%>" when converting from termcap
syntax (cf: 980530).
- Avoid recursion trouble in spec file cause by undefined _lto_cflags
- Add ncurses patch 20191012
+ amend recent changes to ncurses*-config and pc-files to filter out
Debian linker-flags (report by Sven Joachim, cf: 20150516).
+ clarify relationship between tic, infocmp and captoinfo in manpage.
+ check for invalid hashcode in _nc_find_type_entry and
_nc_find_name_entry.
> fix several errata in tic (reports/testcases by "zjuchenyuan"):
+ check for invalid hashcode in _nc_find_entry.
+ check for missing character after backslash in fmt_entry
+ check for acsc with odd length in dump_entry in check for one-one
mapping (cf: 20060415);
+ check length when converting from old AIX box_chars_1 capability,
overlooked in changes to eliminate strcpy (cf: 20001007).
- Add ncurses patch 20191005
+ modify the ncurse*-config and pc-files to more closely match for the
- I and -l options.
==== openssh ====
Version update (7.9p1 -> 8.1p1)
- Add openssh-7.9p1-keygen-preserve-perms.patch (bsc#1150574).
This attempts to preserve the permissions of any existing
known_hosts file when modified by ssh-keygen (for instance,
with -R).
- Add patch from upstream openssh-7.9p1-revert-new-qos-defaults.patch
- Run 'ssh-keygen -A' on startup only if SSHD_AUTO_KEYGEN="yes"
in /etc/sysconfig/ssh. This is set to "yes" by default, but
can be changed by the system administrator (bsc#1139089).
- Add openssh-7.9p1-keygen-preserve-perms.patch (bsc#1150574).
This attempts to preserve the permissions of any existing
known_hosts file when modified by ssh-keygen (for instance,
with -R).
- Version update to 8.1p1:
* ssh-keygen(1): when acting as a CA and signing certificates with
an RSA key, default to using the rsa-sha2-512 signature algorithm.
Certificates signed by RSA keys will therefore be incompatible
with OpenSSH versions prior to 7.2 unless the default is
overridden (using "ssh-keygen -t ssh-rsa -s ...").
* ssh(1): Allow %n to be expanded in ProxyCommand strings
* ssh(1), sshd(8): Allow prepending a list of algorithms to the
default set by starting the list with the '^' character, E.g.
"HostKeyAlgorithms ^ssh-ed25519"
* ssh-keygen(1): add an experimental lightweight signature and
verification ability. Signatures may be made using regular ssh keys
held on disk or stored in a ssh-agent and verified against an
authorized_keys-like list of allowed keys. Signatures embed a
namespace that prevents confusion and attacks between different
usage domains (e.g. files vs email).
* ssh-keygen(1): print key comment when extracting public key from a
private key.
* ssh-keygen(1): accept the verbose flag when searching for host keys
in known hosts (i.e. "ssh-keygen -vF host") to print the matching
host's random-art signature too.
* All: support PKCS8 as an optional format for storage of private
keys to disk. The OpenSSH native key format remains the default,
but PKCS8 is a superior format to PEM if interoperability with
non-OpenSSH software is required, as it may use a less insecure
key derivation function than PEM's.
- Additional changes from 8.0p1 release:
* scp(1): Add "-T" flag to disable client-side filtering of
server file list.
* sshd(8): Remove support for obsolete "host/port" syntax.
* ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in
PKCS#11 tokens.
* ssh(1), sshd(8): Add experimental quantum-computing resistant
key exchange method, based on a combination of Streamlined NTRU
Prime 4591^761 and X25519.
* ssh-keygen(1): Increase the default RSA key size to 3072 bits,
following NIST Special Publication 800-57's guidance for a
128-bit equivalent symmetric security level.
* ssh(1): Allow "PKCS11Provider=none" to override later instances of
the PKCS11Provider directive in ssh_config,
* sshd(8): Add a log message for situations where a connection is
dropped for attempting to run a command but a sshd_config
ForceCommand=internal-sftp restriction is in effect.
* ssh(1): When prompting whether to record a new host key, accept
the key fingerprint as a synonym for "yes". This allows the user
to paste a fingerprint obtained out of band at the prompt and
have the client do the comparison for you.
* ssh-keygen(1): When signing multiple certificates on a single
command-line invocation, allow automatically incrementing the
certificate serial number.
* scp(1), sftp(1): Accept -J option as an alias to ProxyJump on
the scp and sftp command-lines.
* ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v"
command-line flags to increase the verbosity of output; pass
verbose flags though to subprocesses, such as ssh-pkcs11-helper
started from ssh-agent.
* ssh-add(1): Add a "-T" option to allowing testing whether keys in
an agent are usable by performing a signature and a verification.
* sftp-server(8): Add a "lsetstat@openssh.com" protocol extension
that replicates the functionality of the existing SSH2_FXP_SETSTAT
operation but does not follow symlinks.
* sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request
they do not follow symlinks.
* sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes
the connection 4-tuple available to PAM modules that wish to use
it in decision-making.
* sshd(8): Add a ssh_config "Match final" predicate Matches in same
pass as "Match canonical" but doesn't require hostname
canonicalisation be enabled.
* sftp(1): Support a prefix of '@' to suppress echo of sftp batch
commands.
* ssh-keygen(1): When printing certificate contents using
"ssh-keygen -Lf /path/certificate", include the algorithm that
the CA used to sign the cert.
- Rebased patches:
* openssh-7.7p1-IPv6_X_forwarding.patch
* openssh-7.7p1-X_forward_with_disabled_ipv6.patch
* openssh-7.7p1-cavstest-ctr.patch
* openssh-7.7p1-cavstest-kdf.patch
* openssh-7.7p1-disable_openssl_abi_check.patch
* openssh-7.7p1-fips.patch
* openssh-7.7p1-fips_checks.patch
* openssh-7.7p1-hostname_changes_when_forwarding_X.patch
* openssh-7.7p1-ldap.patch
* openssh-7.7p1-seed-prng.patch
* openssh-7.7p1-sftp_force_permissions.patch
* openssh-7.7p1-sftp_print_diagnostic_messages.patch
* openssh-8.0p1-gssapi-keyex.patch (formerly
openssh-7.7p1-gssapi_key_exchange.patch)
* openssh-8.1p1-audit.patch (formerly openssh-7.7p1-audit.patch)
- Removed patches (integrated upstream):
* 0001-upstream-Fix-two-race-conditions-in-sshd-relating-to.patch
* openssh-7.7p1-seccomp_ioctl_s390_EP11.patch
* openssh-7.9p1-CVE-2018-20685.patch
* openssh-7.9p1-brace-expansion.patch
* openssh-CVE-2019-6109-force-progressmeter-update.patch
* openssh-CVE-2019-6109-sanitize-scp-filenames.patch
* openssh-CVE-2019-6111-scp-client-wildcard.patch
- Removed patches (obsolete):
* openssh-openssl-1_0_0-compatibility.patch
==== slirp4netns ====
Version update (0.4.1 -> 0.4.2)
- Update to 0.4.2
* Do not propagate mounts to the parent ns in sandbox
==== talloc ====
- Add two patches making build compatible with Python 3.8.0:
- waf_upgrade.patch
- waf_use_native_waf_timer.patch
==== texinfo ====
- Delete info-dir as not required anymore
- Mark /usr/share/info/dir as %ghost
- Add a rpmlintrc file to silent useless warnings
==== vim ====
Subpackages: vim-data-common
- Add python38-config.patch to make vim buildable with new Python 3.8.
(gh#vim/vim#4080)
==== zlib ====
- Add SUSE specific patch to fix bsc#1138793, we simply don't want
to test if the app was linked with exactly same version of zlib
like the one that is present on the runtime:
* zlib-no-version-check.patch