Packages changed:
  ca-certificates-mozilla
  ceph (15.1.0.1521+gcdf35413a0 -> 15.2.0.108+g8cf4f02b08)
  cloud-init
  conmon (2.0.14 -> 2.0.15)
  cpio
  cri-tools (1.17.0 -> 1.18.0)
  cryptsetup (2.3.0 -> 2.3.1)
  elfutils (0.178 -> 0.179)
  haproxy (2.1.3+git0.5c020bbdd -> 2.1.4+git0.3cfc2f1d9)
  k9s (0.15.2 -> 0.18.1)
  kdump
  kexec-tools
  krb5
  kubernetes
  mozilla-nss (3.50 -> 3.51)
  nano (4.9 -> 4.9.1)
  ncurses
  open-iscsi
  openSUSE-build-key
  podman
  rook (1.2.6+git0.g99024013 -> 1.2.7+git0.g1acfd182)
  setools (4.2.2 -> 4.3.0)
  wpa_supplicant
  yast2 (4.2.78 -> 4.2.80)

=== Details ===

==== ca-certificates-mozilla ====

- also run update-ca-certificates in %posttrans

==== ceph ====
Version update (15.1.0.1521+gcdf35413a0 -> 15.2.0.108+g8cf4f02b08)
Subpackages: ceph-common libcephfs2 librados2 libradosstriper1 librbd1 librgw2 python3-ceph-argparse python3-ceph-common python3-cephfs python3-rados python3-rbd python3-rgw

- Update to 15.2.0-108-g8cf4f02b08:
  + rebase on tip of upstream "octopus" branch, SHA1 9267cc03e1b1612109dd57cc6ce74c34ed1f1d00
  * cephadm: Fix truncated output of "ceph mgr dump"
- Update to 15.2.0-29-g274f7bc2e7:
  + rebase on tip of upstream "octopus" branch, SHA1 a8062613c81ad08815edcdf06e668fcc77270a03
  * upstream 15.2.0 (first Octopus stable) release
    https://ceph.io/releases/v15-2-0-octopus-released/
- Update to 15.1.1-220-g0f87374dc1:
  + rebase on tip of upstream "octopus" branch, SHA1 243cbd6224921f7f5c2463705c75cb9eafd0db5c
  * upstream 15.1.1 (Octopus release candidate) release
    https://github.com/ceph/ceph/releases/tag/v15.1.1
  + cephadm: read everything when calling "ceph mgr dump"
- Update to 15.1.0-2160-g310e512e18:
  + rebase on tip of upstream "octopus" branch, SHA1 465f3855623e30f3b4694f3090adbe27c8cd49c3
- Update to 15.1.0-1766-g3d31471523:
  + rebase on tip of upstream master, SHA1 25b8ecc216b02e848f9719ced8c84670de656e78

==== cloud-init ====

- Update cloud-init-write-routes.patch
  + In cases where the config contains 2 or more default gateway
    specifications for an interface only write the first default route,
    log warning message about skipped routes
  + Avoid writing invalid route specification if neither the network
    nor destination is specified in the route configuration
- Update cloud-init-write-routes.patch
  + Still need to consider the "network" configuration option
    for the v1 config implementation. Fixes regression
    introduced with update from Wed Feb 12 19:30:42
- Update cloud-init-write-routes.patch (bsc#1165296)
  + Add the default gateway to the ifroute config file when specified
    as part of the subnet configuration
  + Fix typo to properly extract provided netmask data (bsc#1163178)

==== conmon ====
Version update (2.0.14 -> 2.0.15)

- Enable support for journald logging (bsc#1162432)
- Update to v2.0.15
  - store status while waiting for pid

==== cpio ====

- starting with GCC 10, the default of '-fcommon' option will
  change to '-fno-common'. Because cpio build fails with
  'fno-common', add '-fcommon' option to optflags as a temporary
  workaround for this problem till it's properly fixed [bsc#1160870]

==== cri-tools ====
Version update (1.17.0 -> 1.18.0)

- Update to v1.18.0:
  * Main Changes
  * Update Kubernetes to v1.18.0
  * Switch to urfave/cli/v2
  * CRI CLI (crictl)
  * Use ContextDialer to fix build
  * Add go-template option for inspect commands
  * Fix invalid log_path in docs
  * CRI validation testing (critest)
  * Make apparmor failure test more flexible
  * Start container before fetching metrics
  * Cleanup container create test to reduce duplication
  * Add container stats test

==== cryptsetup ====
Version update (2.3.0 -> 2.3.1)
Subpackages: libcryptsetup12

- Split translations to -lang package
- New version to 2.3.1
  * Support VeraCrypt 128 bytes passwords.
    VeraCrypt now allows passwords of maximal length 128 bytes
    (compared to legacy TrueCrypt where it was limited by 64 bytes).
  * Strip extra newline from BitLocker recovery keys
    There might be a trailing newline added by the text editor when
    the recovery passphrase was passed using the --key-file option.
  * Detect separate libiconv library.
    It should fix compilation issues on distributions with iconv
    implemented in a separate library.
  * Various fixes and workarounds to build on old Linux distributions.
  * Split lines with hexadecimal digest printing for large key-sizes.
  * Do not wipe the device with no integrity profile.
    With --integrity none we performed useless full device wipe.
  * Workaround for dm-integrity kernel table bug.
    Some kernels show an invalid dm-integrity mapping table
    if superblock contains the "recalculate" bit. This causes
    integritysetup to not recognize the dm-integrity device.
    Integritysetup now specifies kernel options in such a way that
    even on unpatched kernels the mapping table is correct.
  * Print error message if LUKS1 keyslot cannot be processed.
    If the crypto backend is missing support for hash algorithms
    used in PBKDF2, the error message was not visible.
  * Properly align LUKS2 keyslots area on conversion.
    If the LUKS1 payload offset (data offset) is not aligned
    to 4 KiB boundary, new LUKS2 keyslots area is now aligned properly.
  * Validate LUKS2 earlier on conversion to not corrupt the device
    if binary keyslots areas metadata are not correct.

==== elfutils ====
Version update (0.178 -> 0.179)
Subpackages: libasm1 libdw1 libelf1

- Update to version 0.179:
  debuginfod-client: When DEBUGINFOD_PROGRESS is set and the program doesn't
    install its own debuginfod_progressfn_t show download
    progress on stderr.
    DEBUGINFOD_TIMEOUT is now defined as seconds to get at
    least 100K, defaults to 90 seconds.
    Default to $XDG_CACHE_HOME/debuginfod_client.
    New functions debuginfod_set_user_data,
    debuginfod_get_user_data, debuginfod_get_url and
    debuginfod_add_http_header.
    Support for file:// URLs.
  debuginfod: Uses libarchive directly for reading rpm archives.
    Support for indexing .deb/.ddeb archives through dpkg-deb
    or bsdtar.
    Generic archive support through -Z EXT[=CMD]. Which can be
    used for example for arch-linux pacman files by using
    -Z '.tar.zst=zstdcat'.
    Better logging using User-Agent and X-Forwarded-For headers.
    More prometheus metrics.
    Support for eliding dots or extraneous slashes in path names.
  debuginfod-find: Accept /path/names in place of buildid hex.
  libelf: Handle PN_XNUM in elf_getphdrnum before shdr 0 is cached
    Ensure zlib resource cleanup on failure.
  libdwfl: dwfl_linux_kernel_find_elf and dwfl_linux_kernel_report_offline
    now find and handle a compressed vmlinuz image.
  readelf, elflint: Handle PT_GNU_PROPERTY.
  translations: Updated Ukrainian translation.

==== haproxy ====
Version update (2.1.3+git0.5c020bbdd -> 2.1.4+git0.3cfc2f1d9)

- Update to version 2.1.4+git0.3cfc2f1d9: (boo#1168023) CVE-2020-11100
  - SCRIPTS: make announce-release executable again
  - BUG/MINOR: namespace: avoid closing fd when socket failed in
    my_socketat
  - BUG/MEDIUM: muxes: Use the right argument when calling the
    destroy method.
  - BUG/MINOR: mux-fcgi: Forbid special characters when matching
    PATH_INFO param
  - MINOR: mux-fcgi: Make the capture of the path-info optional in
    pathinfo regex
  - SCRIPTS: announce-release: use mutt -H instead of -i to include
    the draft
  - MINOR: http-htx: Add a function to retrieve the headers size of
    an HTX message
  - MINOR: filters: Forward data only if the last filter forwards
    something
  - BUG/MINOR: filters: Count HTTP headers as filtered data but
    don't forward them
  - BUG/MINOR: http-htx: Don't return error if authority is updated
    without changes
  - BUG/MINOR: http-ana: Matching on monitor-uri should be
    case-sensitive
  - MINOR: http-ana: Match on the path if the monitor-uri starts by
    a /
  - BUG/MAJOR: http-ana: Always abort the request when a tarpit is
    triggered
  - MINOR: ist: add an iststop() function
  - BUG/MINOR: http: http-request replace-path duplicates the query
    string
  - BUG/MEDIUM: shctx: make sure to keep all blocks aligned
  - MINOR: compiler: move CPU capabilities definition from config.h
    and complete them
  - BUG/MEDIUM: ebtree: don't set attribute packed without
    unaligned access support
  - BUILD: fix recent build failure on unaligned archs
  - CLEANUP: cfgparse: Fix type of second calloc() parameter
  - BUG/MINOR: sample: fix the json converter's endian-sensitivity
  - BUG/MEDIUM: ssl: fix several bad pointer aliases in a few
    sample fetch functions
  - BUG/MINOR: connection: make sure to correctly tag local PROXY
    connections
  - MINOR: compiler: add new alignment macros
  - BUILD: ebtree: improve architecture-specific alignment
  - BUG/MINOR: h2: reject again empty :path pseudo-headers
  - BUG/MINOR: sample: Make sure to return stable IDs in the
    unique-id fetch
  - BUG/MINOR: dns: ignore trailing dot
  - BUG/MINOR: http-htx: Do case-insensitive comparisons on Host
    header name
  - MINOR: contrib/prometheus-exporter: Add healthcheck status/code
    in server metrics
  - MINOR: contrib/prometheus-exporter: Add the last healthcheck
    duration metric
  - BUG/MEDIUM: random: initialize the random pool a bit better
  - MINOR: tools: add 64-bit rotate operators
  - BUG/MEDIUM: random: implement a thread-safe and process-safe
    PRNG
  - MINOR: backend: use a single call to ha_random32() for the
    random LB algo
  - BUG/MINOR: checks/threads: use ha_random() and not rand()
  - BUG/MAJOR: list: fix invalid element address calculation
  - MINOR: debug: report the task handler's pointer relative to
    main
  - BUG/MEDIUM: debug: make the debug_handler check for the thread
    in threads_to_dump
  - MINOR: haproxy: export main to ease access from debugger
  - BUILD: tools: remove obsolete and conflicting trace() from
    standard.c
  - BUG/MINOR: wdt: do not return an error when the watchdog
    couldn't be enabled
  - DOC: fix incorrect indentation of http_auth_*
  - OPTIM: startup: fast unique_id allocation for acl.
  - BUG/MINOR: pattern: Do not pass len = 0 to calloc()
  - DOC: configuration.txt: fix various typos
  - DOC: assorted typo fixes in the documentation and Makefile
  - BUG/MINOR: init: make the automatic maxconn consider the max of
    soft/hard limits
  - BUG/MAJOR: proxy_protocol: Properly validate TLV lengths
  - REGTEST: make the PROXY TLV validation depend on version 2.2
  - BUG/MINOR: filters: Use filter offset to deduce the amount of
    forwarded data
  - BUG/MINOR: filters: Forward everything if no data filters are
    called
  - MINOR: htx: Add a function to return a block at a specific
    offset
  - BUG/MEDIUM: cache/filters: Fix loop on HTX blocks caching the
    response payload
  - BUG/MEDIUM: compression/filters: Fix loop on HTX blocks
    compressing the payload
  - BUG/MINOR: http-ana: Reset request analysers on a response side
    error
  - BUG/MINOR: lua: Ignore the reserve to know if a channel is full
    or not
  - BUG/MINOR: http-rules: Preserve FLT_END analyzers on reject
    action
  - BUG/MINOR: http-rules: Fix a typo in the reject action function
  - BUG/MINOR: rules: Preserve FLT_END analyzers on silent-drop
    action
  - BUG/MINOR: rules: Increment be_counters if backend is assigned
    for a silent-drop
  - DOC: fix typo about no-tls-tickets
  - DOC: improve description of no-tls-tickets
  - DOC: assorted typo fixes in the documentation
  - DOC: ssl: clarify security implications of TLS tickets
  - BUILD: wdt: only test for SI_TKILL when compiled with thread
    support
  - BUG/MEDIUM: mt_lists: Make sure we set the deleted element to
    NULL;
  - MINOR: mt_lists: Appease gcc.
  - BUG/MEDIUM: random: align the state on 2*64 bits for ARM64
  - BUG/MEDIUM: pools: Always update free_list in pool_gc().
  - BUG/MINOR: haproxy: always initialize sleeping_thread_mask
  - BUG/MINOR: listener/mq: do not dispatch connections to remote
    threads when stopping
  - BUG/MINOR: haproxy/threads: try to make all threads leave
    together
  - DOC: proxy_protocol: Reserve TLV type 0x05 as
    PP2_TYPE_UNIQUE_ID
  - DOC: correct typo in alert message about rspirep
  - BUILD: on ARM, must be linked to libatomic.
  - BUILD: makefile: fix regex syntax in ARM platform detection
  - BUILD: makefile: fix expression again to detect ARM platform
  - BUG/MEDIUM: peers: resync ended with RESYNC_PARTIAL in wrong
    cases.
  - DOC: assorted typo fixes in the documentation
  - MINOR: wdt: Move the definitions of WDTSIG and DEBUGSIG into
    types/signal.h.
  - BUG/MEDIUM: wdt: Don't ignore WDTSIG and DEBUGSIG in
    __signal_process_queue().
  - MINOR: memory: Change the flush_lock to a spinlock, and don't
    get it in alloc.
  - BUG/MINOR: connections: Make sure we free the connection on
    failure.
  - REGTESTS: use "command -v" instead of "which"
  - REGTEST: increase timeouts on the seamless-reload test
  - BUG/MINOR: haproxy/threads: close a possible race in soft-stop
    detection
  - BUG/MINOR: peers: init bind_proc to 1 if it wasn't initialized
  - BUG/MINOR: peers: avoid an infinite loop with peers_fe is NULL
  - BUG/MINOR: peers: Use after free of "peers" section.
  - MINOR: listener: add so_name sample fetch
  - BUILD: ssl: only pass unsigned chars to isspace()
  - BUG/MINOR: stats: Fix color of draining servers on stats page
  - DOC: internals: Fix spelling errors in filters.txt
  - MINOR: http-rules: Add a flag on redirect rules to know the
    rule direction
  - BUG/MINOR: http_ana: make sure redirect flags don't have
    overlapping bits
  - MINOR: http-rules: Handle the rule direction when a redirect is
    evaluated
  - BUG/MINOR: http-ana: Reset request analysers on error when
    waiting for response
  - BUG/CRITICAL: hpack: never index a header into the headroom
    after wrapping

==== k9s ====
Version update (0.15.2 -> 0.18.1)

- Update to version 0.18.1
  - Many bug fixes
  - Many new features (auto suggestions, revisited logs, k9 plugins)
  - see https://github.com/derailed/k9s/releases/

==== kdump ====

- kdump-make-sure-that-the-udev-runtime-directory-exists.patch:
  Make sure that the udev runtime directory exists (bsc#1164713).

==== kexec-tools ====

- kexec-tools-Remove-duplicated-variable-declarations.patch:
  Remove duplicated variable declarations (boo#1160399).
- kexec-tools-s390-Reset-kernel-command-line-on-syscal.patch: s390:
  Reset kernel command line on syscall fallback (bsc#1167868).

==== krb5 ====

- Fix segfault in k5_primary_domain; (bsc#1167620);
- Added patches:
  * 0009-Fix-null-dereference-qualifying-short-hostnames.patch

==== kubernetes ====
Subpackages: kubernetes-client kubernetes-kubeadm kubernetes-kubelet-common kubernetes-kubelet1.17 kubernetes-kubelet1.18

- Rename /usr/lib/sysctl.d/50-kubeadm.conf to 90-kubeadm.conf [boo#1163328]
- Dropping all old CaaSP legacy configuration

==== mozilla-nss ====
Version update (3.50 -> 3.51)

- Update previous patch nss-kremlin-ppc64le.patch
  slightly modified to support also ppc64 (BE) versus initial
  https://github.com/FStarLang/kremlin/issues/166
- Add patch nss-kremlin-ppc64le.patch to fix ppc and s390x builds
- update to NSS 3.51
  * Updated DTLS 1.3 implementation to Draft-34. (bmo#1608892)
  * Correct swapped PKCS11 values of CKM_AES_CMAC and
    CKM_AES_CMAC_GENERAL (bmo#1611209)
  * Complete integration of Wycheproof ECDH test cases (bmo#1612259)
  * Check if PPC __has_include(<sys/auxv.h>) (bmo#1614183)
  * Fix a compilation error for 'getFIPSEnv' "defined but not used"
    (bmo#1614786)
  * Send DTLS version numbers in DTLS 1.3 supported_versions extension
    to avoid an incompatibility. (bmo#1615208)
  * SECU_ReadDERFromFile calls strstr on a string that isn't guaranteed
    to be null-terminated (bmo#1538980)
  * Correct a warning for comparison of integers of different signs:
    'int' and 'unsigned long' in security/nss/lib/freebl/ecl/ecp_25519.c:88
    (bmo#1561337)
  * Add test for mp_int clamping (bmo#1609751)
  * Don't attempt to read the fips_enabled flag on the machine unless
    NSS was built with FIPS enabled (bmo#1582169)
  * Fix a null pointer dereference in BLAKE2B_Update (bmo#1431940)
  * Fix compiler warning in secsign.c (bmo#1617387)
  * Fix an OpenBSD/arm64 compilation error: unused variable 'getauxval'
    (bmo#1618400)
  * Fix a crash on unaligned CMACContext.aes.keySchedule when using
    AES-NI intrinsics (bmo#1610687)

==== nano ====
Version update (4.9 -> 4.9.1)

- GNU nano 4.9.1
  * fix cursor getting misplaced when undoing line cuts
  * fix filtering of the whole buffer to a new buffer

==== ncurses ====
Subpackages: libncurses6 ncurses-utils terminfo terminfo-base

- Add ncurses patch 20200321
  + improve configure-checks to reduce warnings about unused variables.
  + improve description of error-returns in waddch and waddnstr manual
    pages (prompted by patch by Benno Schulenberg).
  + add test/move_field.c to demonstrate move_field(), and a stub for
    a corresponding demo of dup_field().
- Add ncurses patch 20200314
  + add history note to curs_scanw.3x for <stdarg.h> and <varargs.h>
  + add history note to curs_printw.3x for <stdarg.h> and <varargs.h>
  + add portability note to ncurses.3x regarding <stdarg.h>

==== open-iscsi ====
Subpackages: iscsiuio libopeniscsiusr0_2_0

- Update with two upstream commits:
  * Fix issue where "iscsi-iname -p" core dumps. (found upstream)
  * Fix iscsi.service so it handles restarts better (bsc#1163499)
  * Add Wants=remote-fs-pre.target for sequencing. (bsc#1158536)
  updating:
  * open-iscsi-SUSE-latest.diff.bz2

==== openSUSE-build-key ====

- mark the opensuse-container-key and the suse-container-key
  for openSUSE:Containers and SUSE:Containers space.
  (same as the build keys for SLE15 and openSUSE respectively.)
- Replace the old security@suse.de email comm key by the new, move
  the old one to the oldkey. (bsc#1166334)

==== podman ====
Subpackages: podman-cni-config

- Add "systemd" BUILDFLAGS to build with support for journald
  logging (bsc#1162432)

==== rook ====
Version update (1.2.6+git0.g99024013 -> 1.2.7+git0.g1acfd182)

- Update to v1.2.7 (bsc#1168160):
  * Apply the expected lower PG count for rgw metadata pools (#5091)
  * Reject devices smaller than 5GiB for OSDs (#5089)
  * Add extra check for filesystem to skip boot volumes for OSD configuration (#5022)
  * Avoid duplication of mon pod anti-affinity (#4998)
  * Update service monitor definition during upgrade (#5078)
  * Resizer container fix due to misinterpretation of the cephcsi version (#5073-1)
  * Set ResourceVersion for Prometheus rules (#4528)
  * Upgrade doc clarification for RBAC related to the helm chart (#5054)

==== setools ====
Version update (4.2.2 -> 4.3.0)

- Update to the upstream version 4.3.0:
  * Revised sediff method for TE rules. This drastically reduced memory
    and run time.
  * Added infiniband context support to seinfo, sediff, and apol.
  * Added apol configuration for location of Qt assistant.
  * Fixed sediff issue where properties header would display when not
    requested.
  * Fixed sediff issue with type_transition file name comparison.
  * Fixed permission map socket sendto information flow direction.
  * Added methods to TypeAttribute class to make it a complete Python
    collection.
  * Genfscon now will look up classes rather than using fixed values
    which were dropped from libsepol
- Dropped python3.8-compat.patch

==== wpa_supplicant ====

- With v2.9 fi.epitest.hostap.WPASupplicant.service is obsolete (bsc#1167331)
- Change wpa_supplicant.service to ensure wpa_supplicant gets started before
  network. Fix WLAN config on boot with wicked. (boo#1166933)

==== yast2 ====
Version update (4.2.78 -> 4.2.80)

- Modify the way YaST detects whether systemd is running or not
  (bsc#1168307)
- 4.2.80
- Reread network interfaces configuration after writing it, avoiding
  wrong values when reopening the network configuration dialog during
  an installation (bsc#1166778)
- 4.2.79