Removed rpms ============ - openssl Added rpms ========== - alsa-firmware - libblogger2 - libebtc0 - libnftables1 - python3-nftables Package Source Changes ====================== ImageMagick +- security update +- added patches + fix CVE-2021-20241 [bsc#1182335], Division by zero in WriteJP2Image() in coders/jp2.c + + ImageMagick-CVE-2021-20241.patch + fix CVE-2021-20243 [bsc#1182336], Division by zero in GetResizeFilterWeight in MagickCore/resize.c + + ImageMagick-CVE-2021-20243.patch + fix CVE-2021-20244 [bsc#1182325], Division by zero in ImplodeImage in MagickCore/visual-effects.c + + ImageMagick-CVE-2021-20244.patch + fix CVE-2021-20246 [bsc#1182337], Division by zero in ScaleResampleFilter in MagickCore/resample.c + + ImageMagick-CVE-2021-20246.patch + MozillaFirefox +- Firefox Extended Support Release 78.9.0 ESR + * Fixed: Various stability, functionality, and security fixes + MFSA 2021-11 (bsc#1183942) + * CVE-2021-23981 (bmo#1692832) + Texture upload into an unbound backing buffer resulted in an + out-of-bound read + * CVE-2021-23982 (bmo#1677046) + Internal network hosts could have been probed by a malicious + webpage + * CVE-2021-23984 (bmo#1693664) + Malicious extensions could have spoofed popup information + * CVE-2021-23987 (bmo#1513519, bmo#1683439, bmo#1690169, + bmo#1690718) + Memory safety bugs fixed in Firefox 87 and Firefox ESR 78.9 + +- Firefox Extended Support Release 78.8.0 ESR + * Fixed: Various stability, functionality, and security fixes + MFSA 2021-08 (bsc#1182614) + * CVE-2021-23969 (bmo#1542194) + Content Security Policy violation report could have contained + the destination of a redirect + * CVE-2021-23968 (bmo#1687342) + Content Security Policy violation report could have contained + the destination of a redirect + * CVE-2021-23973 (bmo#1690976) + MediaError message property could have leaked information + about cross-origin resources + * CVE-2021-23978 (bmo#1682928, bmo#1687391, bmo#1687597, + bmo#786797) + Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8 +- Update create-tar.sh to use https instead of http (bsc#1182357) + MozillaThunderbird +- Mozilla Thunderbird 78.9.1 + * new: Support recipient aliases for OpenPGP encryption. + Documentation can be found https://wiki.mozilla.org/ + Thunderbird:OpenPGP:Aliases. + * fixed: The key and signature parts of the message security + popup on a received message could not be selected for + copy/paste. + * fixed: Various UX and theme improvements + MFSA 2021-13 (bsc#1184536) + * CVE-2021-23991 (bmo#1673240) + An attacker may use Thunderbird's OpenPGP key refresh + mechanism to poison an existing key + * MOZ-2021-23992 (bmo#1666236) + A crafted OpenPGP key with an invalid user ID could be used + to confuse the user + * CVE-2021-23993 (bmo#1666360) + Inability to send encrypted OpenPGP email after importing a + crafted OpenPGP key + +- Mozilla Thunderbird 78.9 + * fixed: New mail notification displayed old messages that were + unread + * fixed: Spaces following soft line breaks in messages using + quoted-printable and format=flowed were incorrectly encoded; + existing messages which were previously incorrectly encoded + may now display with some words not separated by a space + * fixed: Some fields were unreadable in the Dark theme in the + General preferences panel + * fixed: Sending a message containing an anchor tag with an + invalid data URI failed + * fixed: When switching tabs, input focus was not moved to the + new tab + * fixed: Address Book: Syncing a read-only Google address book + via CardDAV failed + * fixed: Address Book: Importing VCards with non-ascii + characters would fail + * fixed: Address Book: Some values may not have been parsed + when syncing from Google address books. + * fixed: Add-ons Manager did not show if an addon used + experiment APIs + * fixed: Calendar: Removing a recurring task was not possible + * fixed: Various security fixes + MFSA 2021-12 (bsc#1183942) + * CVE-2021-23981 (bmo#1692832) + Texture upload into an unbound backing buffer resulted in an + out-of-bound read + * MOZ-2021-0002 (bmo#1691547) + Angle graphics library out of date + * CVE-2021-23982 (bmo#1677046) + Internal network hosts could have been probed by a malicious + webpage + * CVE-2021-23984 (bmo#1693664) + Malicious extensions could have spoofed popup information + * CVE-2021-23987 (bmo#1513519, bmo#1683439, bmo#1690169, + bmo#1690718) + Memory safety bugs fixed in Thunderbird 78.9 +- cleaned up and fixed mozilla.sh.in for wayland (boo#1177542) + PackageKit +- Add PackageKit-zypp-initialize-pool.patch: zypp: Make sure pool + is initialized at the beginning of some methods + (gh#hughsie/PackageKit/commit#3efa0c524, bsc#1180597). + alsa-oss +- Add upstream patch to fix build with current glibc: + * alsa-drop-libio.patch + -- updated to version 1.0.17: - * just a version bump - autoyast2 +- Do not crash while sorting the list of modules to be processed + during the 2nd stage (bsc#1184316). +- Prevent AutoYaST UI from crashing when trying to apply a module + changes (bsc#1184429). +- 4.3.77 + +- Use 'module' instead of 'listentry' when exporting pre-modules + and post-modules lists (bsc#1184342). + +- Show the only once during autoinstallation + (bsc#1184317). + +- Add the 'mkfs_options' element to the schema (bsc#1184268). + +- Fix crash during using autoyast UI (bsc#1184216) +- 4.3.76 + avahi +- Update avahi-daemon-check-dns.sh from Debian. Our previous + version relied on ifconfig, route, and init.d. +- Rebase avahi-daemon-check-dns-suse.patch, and drop privileges + when invoking avahi-daemon-check-dns.sh (boo#1180827 + CVE-2021-26720). +- Add sudo to requires: used to drop privileges. + blog +- Fix package split done for shared library packaging guideline (bsc#1184479). + +- Update to version 2.20 + * Silent some gcc warnings, also avoid common variable (boo#1160385) + * Include for makedev + * sort input files (boo#1041090) + * libconsole: never return empty list from getconsoles() + * libconsole: Really allow to use /dev/console as a fallback in showconsole + * libconsole: Add console into the list only when successfully allocated + * libconsole: Correctly ignore early consoles +- Remove obsolate patch blog-Remove-unused-header.patch + +- Add blog-Remove-unused-header.patch: Fix build with new glibc + (gh#bitstreamout/showconsole#3). + +- Implement shared library packaging guideline. + +- Update to version 2.19 which integrates the patches now removed: + * sysmacros.patch + * libconsole-Really-allow-to-use-dev-console-as-a-fall.patch + * libconsole-never-return-empty-list-from-getconsoles.patch + * showconsole-2.18.tar.gz + * libconsole-Add-console-into-the-list-only-when-succe.patch + * libconsole-Correctly-ignore-early-consoles.patch + as well as the changes + * Correct wants directory for systemd-ask-password-blog.service + * Sort input files for reproducible builds + +- sysmacros.patch: Include for makedev + btrfsprogs +- Correct check_running_fs_exclop() return value (bsc#1184481) + btrfs-progs-Correct-check_running_fs_exclop-return-v.patch + ca-certificates +- openssl is no longer required but coreutils and findutils are + (boo#1183680). Keep openssl(cli) at runtime for now nevertheless as this + package might be the only one pulling it in. + cups +- cups-2.2.7-web-ui-kerberos-authentication.patch (bsc#1175960) + Fix web UI kerberos authentication + curl +- Security fix: [bsc#1183934, CVE-2021-22890] + * When using a HTTPS proxy and TLS 1.3, libcurl can confuse + session tickets arriving from the HTTPS proxy but work as + if they arrived from the remote server and then wrongly + "short-cut" the host handshake. +- Add curl-CVE-2021-22890.patch + +- Security fix: [bsc#1183933, CVE-2021-22876] + * The automatic referer leaks credentials +- Add curl-CVE-2021-22876.patch + dracut +- Update to version 049.1+suse.186.g320cc3d1: + * network-legacy: fix route parsing issues in ifup (bsc#1182688) + * 90kernel-modules: arm/arm64: Add reset controllers + * Prevent creating unexpected files on the host when running dracut + * As of v246 of systemd "syslog" and "syslog-console" switches have been deprecated + +- Update to version 049.1+suse.185.g9324648a: + * 90kernel-modules: arm/arm64: Add reset controllers (bsc#1180336) + * Prevent creating unexpected files on the host when running dracut (bsc#1176171) + ebtables +- Have the source .service file hold a placeholder for LIBEXECDIR, + which we replace during build/install phase, allowing the package + to be used no matter what value %{_libexecdir} has. + +- replace /usr/lib with /usr/libexec in .service files to follow + %_libexecdir macro changes + +- Revert last /bin/bash -> /bin/sh change + +- Use /bin/sh for ebtables.systemd +- Don't hard require systemd, we don't need that in a container + +- rename /usr/lib/ebtables helper file to /usr/lib/ebtables-helper + otherwise it conflicts with /usr/lib/ebtables library directory + on 32-bit systems [bsc#1159769] + +- add ebtables.keyring as a Source + +- Update to release 2.0.11 + * Add --noflush command line support for ebtables-restore + * Do not print IPv6 mask if it is all ones + * Allow RETURN target rules in user defined chains + * ebt_ip: add support for matching ICMP type and code + * ebt_ip: add support for matching IGMP type + * extensions: Add string filter to ebtables + * Print IPv6 prefixes in CIDR notation + * extensions: Add AUDIT target + * Fix incorrect IPv6 prefix formatting +- Drop ebtables-v2.0.8-makefile.diff (no longer needed) +- Drop ebtables-v2.0.8-initscript.diff, include-linux-if.patch + (not applicable) +- Drop ebtables-v2.0.10-4-audit.patch, + 0001-fix-compilation-warning.patch, + 0001-Use-flock-for-concurrent-option.patch, + 0002-Fix-locking-if-LOCKDIR-does-not-exist.patch (merged) + filesystem +- Remove duplicate line due to merge error + +- add /etc/skel/.cache with perm 0700 (bsc#1181011) + +- Set correct permissions when creating /proc and /sys + +- Ignore postfix user (pulled in from buildsystem) + +- /proc and /sys should be %ghost to allow filesystem package updates in + rootless container environments (rh#1548403) (bsc#1146705) + +- Split /var/tmp out of fs-var.conf, new file is fs-var-tmp.conf. + Allows to override config to add cleanup options of /var/tmp + [bsc#1078466] +- Create fs-tmp.conf to cleanup /tmp regular (required with tmpfs) + [bsc#1175519] +- Fix bug about missing group in tmpfiles.d files +- Generic cleanup: + - Remove /usr/local/games + -- add /usr/share/appdata (bnc#893441) - -- drop /media directory (bnc#890198) - -- make /run/lock %ghost to fix build failure - -- make /var/run and /var/lock just ghost entries and create them - if they do not exist at all and rely on dracut hooks to - actually replace directories with symlinks there (bnc#874748) - -- add vscan user to ignore home list - -- change /etc/cups to mode 0755 (bnc#871640) for new cups version - -- change /sys to mode 0555 (bnc#871640) - -- make /var/lock a symlink to /run/lock (bnc#867873) - -- use lazy umount - -- use os.execute("umount ...") instead of posix.umount("...") - bnc#866964 - -- change pre to pretrans for directory/symlink conversion - -- drop /var/lib/pam_devperm (bnc#866234) - -- replace /var/run by symlink to /run -- try to handle case where /var/run is a bind-mount -- extend lua script in preinstall to handle this transition -- bnc#865893 - -- bump version to 13.2 - -- Drop /usr/X11R6, /usr/X11R6/bin, /usr/X11R6/lib, /var/X11R6 - -- add ppc64le definition - -- Drop /lib/systemd and /lib/systemd/system, everything is now in - /usr/lib/systemd... - -- do not put dir modifiers on symlinks - -- change license to MIT as GPL doesn't make sense for a package that - only contains directories. Also include a LICENSE.txt with the - sources (bnc#822602). - -- bump version to 13.1 - -- Add systemd %_unitdir - -- move sysctl directories here - -- Add directory.list64 for aarch64 - -- Revert /var/run and /var/lock being symlinks for now. - -- remove get_version_number.sh, it's unused since ages - -- Revert last change since aaa_base removed /usr/lib/tmpfiles.d. - -- own /usr/lib/tmpfiles.d - -- Remove also /sbin/conf.d/ (SuSEconfig directory). - -- replace /var/run and /var/lock directories with symlinks to - /run and /run/lock (respectively). - -- Remove SuSEconfig directories [FATE#100011] - -- move directories for man page translations from man package to - filesystem - -- remove /var/run/vi.recover (bnc#765288) -- remove /media/floppy and /media/cdrom ghost entries, they are not - used anywhere since years either - -- remove /var/cache/fonts (bnc#764885) - -- Also create /usr/share/help/$LOCALE for each LOCALE defined in - the languages file. This will allow our packages to have - translations for the XDG help system. - -- bump version to 12.2 - -- digged through logs to find more languages that have >45000 strings - -- remove world writeable /var/crash again (bnc#438041) - -- Apply packaging guidelines (remove redundant/obsolete - tags/sections from specfile, etc.) - -- Add /usr/share/help and /usr/share/help/C: this is the directory - used by the XDG help system specification, and the subdirectory - for the english docs there. - -- remove dirs that are clearly aaa_base specific - -- remove /var/lock/subsys as /var/lock is on tmpfs now - -- Really add language zh. - -- Add languages ga, ia, kk, km, kn, mai, nds, wa (from kde4-l10n) and - zh (from cups). - -- add /etc/skel/{.local,.config} to make sure they have correct - permissions for new users (bnc#676468) - -- Bump version number. -- Remove /etc/skel/.mozilla, it's not needed to have this by default. - -- Increase version number to 12.1. -- Add missing directories from aaa_base: /usr/share/doc/packages/aaa_base, - /lib/aaa_base - -- add /run directory (mode 0755,root,root) - -- reset list of languages to only contain what's translated with - more than 45.000. we might add big ones later if they become popular - to translate - -- bump version to 11.5 - -- fix build whitelisting /lib/udev/devices - -- add new locales (bnc#659001) - -- Add the new locale for "Congo", kg (iso 639-1). - -- add an locale for "Aragonese Spanish" - -- add /lib/systemd and /lib/systemd/system to avoid systemd - dependencies in lots of packages that merely install a text file - there. - -- add /etc/tmpfiles.d - -- add ghost.list with directories only listed in this package - as ghost files, move /tmp/.X11-unix, /tmp/.ICE-unix - and /var/tmp/vi.recover to that list -- also move /media/cdrom and /media/floppy to that list - they were done manually as ghosts in the specfile before -- add /etc/tmpdirs.d (see aaa_base) - -- Set version number to 11.3 - -- change group of /var/lock to 'lock' (bnc#552095, FATE#308360) - -- added ms_my (bnc#561174) - -- Add /usr/$march directories for SPARC. Will be packaging both - sparc-suse-linux and sparc64-suse-linux because the compiler - suite is usually configured with the latter on this arch. - -- minor change for sparc in specfile (bnc#558343) - -- added en@shaw (bnc#559206) - -- add arm gnueabi folders - -- added /selinux (fate#305557) - -- added fil (filipino) to the list of languages (bnc#513962) - -- add bem (Bemba) (fix bnc#501080) - -- fix build (ignore /lib/mkinitrd/scripts for now) - -- add hne (Chhattisgarhi) - -- added jbo (bnc#485455) - firewalld -- Update to 0.7.5 (jsc#SLE-12281) +- Remove dependency on firewalld from firewall-macros (bsc#1183404) + +- Disable FlushAllOnReload option to not retain interface to zone + assignments and direct rules when using --reload option. + * 0002-Disable-FlushAllOnReload-option.patch + +- Update to 0.9.3 (jsc#SLE-17336): + * docs(dbus): fix invalid method names + * fix(forward): iptables: ipset used as zone source + * fix(rich): non-printable characters removed from rich rules + * docs(firewall-cmd): small description grammar fix + * fix(rich): limit table to strip non-printables to C0 and C1 + * fix(zone): add source with mac address + +- Add dependency for firewall-offline-cmd (bsc#1180883) + +- Remove the patch which enforces usage of iptables instead of + nftables (jsc#SLE-16300): + * 0001-firewall-backend-Switch-default-backend-to-iptables.patch +- Add firewalld zone for the docker0 interface. This is the + workaround for lack of nftables support in docker. Without that + additional zone, containers have no Internet connectivity. + (rhbz#1817022, jsc#SLE-16300) +- Update to 0.9.1: + * Bugfixes: + * docs(firewall-cmd): clarify lockdown whitelist command paths + * fix(dbus): getActivePolicies shouldn't return a policy if a zone is not active + * fix(policy): zone interface/source changes should affect all using zone + +- Make use of %service_del_postun_without_restart + And stop using DISABLE_RESTART_ON_UPDATE as this interface is + obsolete. + +- Add python3-nftables as a requirement. + +- update to 0.9.0: + * New major features + * prevention of Zone Drifting + * Intra Zone Forwarding + * Policy Objects + * For a full list of changes, see + https://github.com/firewalld/firewalld/compare/v0.8.0...v0.9.0 + +- update to 0.8.3: + * nftables: convert to libnftables JSON interface + * service: new “helper” element to replace “module” More accurately represents the conntrack helper. Deprecates “module”. + * allow custom helpers using standard helper modules (rhbz 1733066) + * testsuite is now shipped in the dist tarball + * Typo in firewall-config(1) + * Fix typo in TFTP service description + * doc: README: add note about language translations + * fix: rich: source/dest only matching with mark action + * feat: AllowZoneDrifting config option + * feat: nftables: support AllowZoneDrifting=yes + * feat: ipXtables: support AllowZoneDrifting=yes + * fix: firewall-offline-cmd: Don’t print warning about AllowZoneDrifting + * fix: add logrotate policy + * doc: direct: add CAVEATS section + * fix: checkIP6: strip leading/trailing square brackets + * fix: nftables: remove square brackets from IPv6 addresses + * fix: ipXtables: remove square brackets from IPv6 addresses + * fix: nftables: ipset types using “port” + * fix: nftables: zone dispatch with multidimensional ipsets + * fix: ipset: destroy runtime sets on reload/stop + * fix: port: support querying sub ranges + * fix: source_port: support querying sub ranges + * doc: specify accepted characters for object names + * fix: doc: address copy/paste mistakes in short/description + * fix: configure: atlocal: quote variable values + * fix: nftables: allow set intervals with concatenations + * doc: clarify –set-target values “default” vs “reject” + * fix: update dynamic DCE RPC ports in freeipa-trust service + * fix: nftables: ipset: port ranges for non-default protocols + * fix(systemd): Conflict with nftables.service + * fix(direct): rule in a zone chain + * fix(client): addService needs to reduce tuple size + * fix(doc): dbus: signatures for zone tuple based APIs + * fix(config): bool values in dict based import/export + * fix(dbus): service: don’t cleanup config for old set APIs + * fix(ipset): flush the set if IndividiualCalls=yes + * fix(firewall-offline-cmd): remove instances of “[P]” in help text + * fix(rich): source mac with nftables backend + * docs: replace occurrences of the term blacklist with denylist + * fix: core: rich: Catch ValueError on non-numeric priority values + * docs(README): add libxslt for doc generation + * fix(cli): add –zone is an invalid option with –direct + * fix(cli): add ipset type hash:mac is incompatible with the family parameter + +- Update to version 0.7.5 (jsc#SLE-12281): -- Switch firewall backend fallback to 'iptables' (bsc#1102761) - This ensures that existing configuration files will keep working - even if FirewallBackend option is missing. + +- Update to 0.7.4 + This is a bug fix only release. + However, it does reintroduce the zone drifting bug as a feature. See #258 and #441. This behavior is disabled by default. + * improvement: build: add an option to disable building documentation + * Typo in firewall-config(1) + * Fix typo in TFTP service description + * doc: README: add note about language translations + * fix: rich: source/dest only matching with mark action + * feat: AllowZoneDrifting config option + * feat: nftables: support AllowZoneDrifting=yes + * feat: ipXtables: support AllowZoneDrifting=yes + * fix: firewall-offline-cmd: Don't print warning about AllowZoneDrifting + * fix: add logrotate policy + * fix: tests: regenerate testsuite if .../{cli,python}/*.at changes + * doc: direct: add CAVEATS section + * fix: checkIP6: strip leading/trailing square brackets + * fix: nftables: remove square brackets from IPv6 addresses + * fix: ipXtables: remove square brackets from IPv6 addresses + * fix: nftables: zone dispatch with multidimensional ipsets + * fix: ipset: destroy runtime sets on reload/stop + * fix: port: support querying sub ranges + * fix: source_port: support querying sub ranges + * doc: specify accepted characters for object names + * fix: doc: address copy/paste mistakes in short/description + * fix: configure: atlocal: quote variable values + * fix: nftables: allow set intervals with concatenations + * doc: clarify --set-target values "default" vs "reject" + +- Update to version 0.7.3: + * release: v0.7.3 + * chore: update translations + * doc: README: add note about integration tests + * test: check-container: also run check-integration + * test: integration: NM zone overrides interface on reload + * test: build: support integration tests + * test: functions: add macro NMCLI_CHECK + * test: functions: new macros for starting/stopping NetworkManager + * fix: test: leave "cleanup" for tests cases + * test: check-container: add support for fedora rawhide + * test: check-container: add support for debian sid + * test: build: add support for running in containers + * fix: test/functions: FWD_END_TEST: improve grep for errors/warnings + * fix: test: direct passthrough: no need to check for dummy module + * fix: test: CHECK_NAT_COEXISTENCE: only check for kernel version + * fix: reload: let NM interface assignments override permanent config + * chore: tests: rename IF_IPV6_SUPPORTED to IF_HOST_SUPPORTS_IPV6_RULES + * fix: tests: convert host ipv6 checks to runtime + * fix: tests: convert ip6tables checks to runtime + * fix: tests: convert probe of nft numeric args to runtime + * fix: tests: convert nftables fib checks to runtime + * fix: build: distribute testsuite + * fix: don't probe for available kernel modules + * fix: failure to load modules no longer fatal + * fix: tests/functions: canonicalize XML output + * chore: doc: update authors + * fix: test: use debug output based on autotest variable + * fix: src/tests/Makefile: distclean should clean atconfig + +- No longer recommend -lang: supplements are in use. + +- Replace incorrect usage of %_libexecdir with %_prefix/lib + +- rebased the original patch from revision 19 + +- Added a patch to make iptables the default again on openSUSE + +- Update to version 0.7.2: + This is a bug fix only release. + * fix: direct: removeRules() was mistakenly removing all rules + * fix: guarantee zone source dispatch is sorted by zone name + * fix: nftables: fix zone dispatch using ipset sources in nat chains + * doc: add --default-config and --system-config + * fix: --add-masquerade should only affect ipv4 + * fix: nftables: --forward-ports should only affect IPv4 + * fix: direct: removeRules() not removing all rules in chain + * dbus: service: fix service includes individual APIs + * fix: allow custom helpers using standard helper modules + * fix: service: usage of helpers with '-' in name + * fix: Revert "ebtables: drop support for broute table" + * fix: ebtables: don't use tables that aren't available + * fix: fw: initialize _rfc3964_ipv4 + +- Update to version 0.7.1: + * Rich Rule Priorities + * Service Definition Includes - Service definitions can now + include lines like: which will + include all the ports, etc from the https service. + * RFC3964 IPv4 filtering - A new option RFC3964_IPv4 in + firewalld.conf is available. It does filtering based on RFC3964 + in regards to IPv4 addresses. This functionality was + traditionally in network-scripts. + * FlushAllOnReload - A new option FlushAllOnReload in + firewalld.conf is available. Older release retained some + settings (direct rules, interface to zone assignments) during a + - -reload. With the introduction of this configuration option + that is no longer the case. Old behavior can be restored by + setting FlushAllOnReload=no. + * 15 new service definitions + * fix: firewall-offline-cmd: service: use dict based APIs + * fix: client: service: use dict based dbus APIs + * test: dbus: coverage for new service APIs + * fix: dbus: new dict based APIs for services + * test: dbus: service API coverage + * test: functions: add macro DBUS_INTROSPECT + * test: functions: add CHOMP macro for shell output + * fix: tests/functions: use gdbus instead of dbus-send + * fix: dbus: add missing APIs for service includes +- Remove patch for using iptables instead of nftables - we should + finally switch to nftables and fix its issues properly if they + occur again: -- Disable FlushAllOnReload option to not retain interface to zone - assignments and direct rules when using --reload option. - * 0002-Disable-FlushAllOnReload-option.patch -- Remove patches which were included upstream or are not needed - anymore: - * firewalld-add-additional-services.patch +- Remove patch which was released upstream: + * 0002-Add-FlushAllOnReload-config-option.patch + +- Update to version 0.6.4: + * chore: update translations + * treewide: fix over indentation (flake8 E117) + * test: travis: add another test matrix for omitting ip6tables + * chore: travis: split test matrix by keywords + * chore: tests: add AT_KEYWORDS for firewall-offline-cmd + * improvement: tests: Use AT_KEYWORDS for backends + * fix: tests: guard occurrences of IPv6 + * fix: tests/functions: ignore warnings about missing ip6tables + * test: add macro IF_IPV6_SUPPORTED + +- Move RPM macros to %_rpmmacrodir. + +- Revert last change: the macros DO reference firewall-cmd, but as + they are expanded during build time of the package, not at + runtime, the point in time is wrong to require firewalld. The + consumer of the macro is responsible to ask for the right + commands to be present at runtime of the scripts + (boo#1125775#c9). + +- Add dependency between firewall-macros and firewalld. + (boo#1125775) + +- Fix --with-ifcfgdir configure parameter. (boo#1124212) + +- Add upstream patch to make --reload/--complete-reload forget the + runtime configuration and always load the permanent one + (bsc#1121277) + * 0002-Add-FlushAllOnReload-config-option.patch + +- Update to 0.6.3. Some of the changes are: + * update translations + * nftables: fix reject statement in "block" zone + * shell-completion: bash: don't check firewalld state + * firewalld: fix --runtime-to-permanent if NM not in use. + * firewall-cmd: sort --list-protocols output + * firewall-cmd: sort --list-services output + * command: sort services/protocols in --list-all output + * services: add audit + * nftables: fix rich rule log/audit being added to wrong chain + * nftables: fix destination checks not allowing masks + * firewall/core/io/*.py: Let SAX handle the encoding of XML files (gh#firewalld/firewalld#395)(bsc#1083361) + * fw_zone: expose _ipset_match_flags() + * tests/firewall-cmd: exercise multiple interfaces and zones + * fw_transaction: On clear zone transaction, must clear fw and other zones + * Fix translating labels (gh#firewalld/firewalld#392) +- Remove patches which have made it upstream: - * 0001-fw_nm-Make-nm_get_zone_of_connection-only-check-perm.patch - * 0002-firewall-cmd-On-getZoneOfInterface-only-ask-NM-for-p.patch - * 0003-firewall-cmd-For-non-permanent-interface-changes-don.patch - * 0004-fw_nm-New-function-to-get-all-interfaces-from-NM.patch - * 0005-fw_nm-Add-nm_get_interfaces_in_zone.patch - * 0006-firewall-cmd-Ask-NM-when-listing-permanent-interface.patch - * 0007-firewall-cmd-Allow-passing-extra-interfaces-to-print.patch - * 0001-ifcfg-Modify-ZONE-on-permanent-config-changes.patch - * 0001-firewall-core-Always-reload-the-permanent-configurat.patch - * 0001-firewall-core-fw_nm-nm_get_zone_of_connection-should.patch - * 0001-firewalld-fix-runtime-to-permanent-if-NM-not-in-use.patch - -- Add upstream patch to fix the error in --runtime-to-permanent - option about 'settings' variable being referenced before - assignment. This error occurs only when NetworkManager is not - used. (bsc#1122151) - * 0001-firewalld-fix-runtime-to-permanent-if-NM-not-in-use.patch - -- Import SUSE translations (boo#1108832) - * added firewalld-0.5.5-po-20181105.tar.xz - -- Add upstream patch to fix a python stacktrace when getting the - zone for a NetworkManager connection (bsc#1106319) - * 0001-firewall-core-fw_nm-nm_get_zone_of_connection-should.patch - -- Add adapted upstream patch to make --reload/--complete-reload - forget the runtime configuration and always load the permanent - one (bsc#1112008) - * 0001-firewall-core-Always-reload-the-permanent-configurat.patch + * 0002-firewalld-0.6.x-rich-rule-with-ipset-regression.patch -- Add upstream patch to mark more strings as translatable (bsc#1096542) +- Add upstream patch to mark more strings as translatable which is + required by firewall UI when creating rich rules (bsc#1096542) -- Add upstream patches to fix NetworkManager integration (bsc#1109074) - * 0001-fw_nm-Make-nm_get_zone_of_connection-only-check-perm.patch - * 0002-firewall-cmd-On-getZoneOfInterface-only-ask-NM-for-p.patch - * 0003-firewall-cmd-For-non-permanent-interface-changes-don.patch - * 0004-fw_nm-New-function-to-get-all-interfaces-from-NM.patch - * 0005-fw_nm-Add-nm_get_interfaces_in_zone.patch - * 0006-firewall-cmd-Ask-NM-when-listing-permanent-interface.patch - * 0007-firewall-cmd-Allow-passing-extra-interfaces-to-print.patch -- Add upstream patch to fix ifcfg ZONE attribute on permanent firewall - changes (bsc#1109153) - * 0001-ifcfg-Modify-ZONE-on-permanent-config-changes.patch -- Update to 0.5.5 (bsc#1108420) +- Add upstream patch to fix rich rules that uses ipset (bsc#1104990) + * 00002-firewalld-0.6.x-rich-rule-with-ipset-regression.patch + +- Update to 0.6.2. Some of the changes are: - * firewall/core/fw_nm: nm_get_zone_of_connection should return None or empty string instead of False + * nftables: fix log-denied with values other than "all" or "off" + * fw_ipset: raise FirewallError if backend command fails + * ipset: only use "-exist" on restore + * fw_ipset: fix duplicate add of ipset entries + * *tables: For opened ports/protocols/etc match ct state new,untracked (bsc#1105821) + * ipXtables: increase wait lock to 10s + * nftables: fix rich rules ports/protocols/source ports not considering ct state + * ports: allow querying a single added by range + * fw_zone: do not change rich rule errors into warnings + * fw_zone: fix services with multiple destination IP versions (bsc#1105899) + * fw_zone: consider destination for protocols + * firewall/core/fw_nm: nm_get_zone_of_connection should return None or empty string instead of False (boo#1106319) -- spec-cleaner fixes - -- Update to 0.5.4 (bsc#1105170) - * update translations + * nftables: fix rich rule audit log + * ebtables: replace RETURN policy with explicit RETURN at end of chain + * direct backends: allow build_chain() to build multiple rules + * fw: on restart set policy from same function + * ebtables: drop support for broute table +- Remove upstream patches + * 0001-nftables-fix-rich-rules-ports-protocols-source-ports.patch + * 0001-fw_zone-consider-destination-for-protocols.patch + * 0002-fw_zone-fix-services-with-multiple-destination-IP-ve.patch + * firewalld-fix-firewalld-config-crash.patch + +- Add upstream patch to fix Neighbor Discovery filtering for IPv6 (bsc#1105821) + * 0001-nftables-fix-rich-rules-ports-protocols-source-ports.patch +- Add upstream patch to fix building rules for multiple IP families (bsc#1105899) + * 0001-fw_zone-consider-destination-for-protocols.patch + * 0002-fw_zone-fix-services-with-multiple-destination-IP-ve.patch + +- Add firewalld-fix-firewalld-config-crash.patch: set + nm_get_zone_of_connection to return 'None' instead of 'False' for + automatically generated connections to avoid firewall-config + crashes. Patch provided by upstream (boo#1106319, + gh#firewalld/firewalld#370). + +- Also switch firewall backend fallback to 'iptables' (bsc#1102761) + This ensures that existing configuration files will keep working + even if FirewallBackend option is missing. + * 0001-firewall-backend-Switch-default-backend-to-iptables.patch + +- Update to 0.6.1. Some of the changes are: + * Correct source/destination in rich rule masquerade + * Only modify ifcfg files for permanent configuration changes + * Fix a backtrace when calling common_reverse_rule() + * man firewalld.conf: Show nftables is the default FirewallBackend + * firewall-config: fix some untranslated strings that caused a UI + bug causing rich rules to not be modify-able (bsc#1096542) - * firewall-config: fix some untranslated strings - * Rich Rule Masquerade inverted source-destination in Forward Chain - * don't forward interface to zone requests to NM for generated interfaces + * fixed many issues if iptables is actually iptables-nft + * Use preferred location for AppData files + * ipXtables: fix ICMP block inversion with set-log-denied + * fixes ICMP block inversion with set-log-denied with + IndividualCalls=yes + * nftables: fix set-log-denied if target is not ACCEPT + * fw_direct: strip _direct chain suffix if using nftables + * NetworkManager integration bugfixes. + +- Switch back to 'iptables' backend as default (bsc#1102761) + +- Update to 0.6.0. Some of the changes are: + * update translations + * firewall-config: Add ipv6-icmp to the protocol dropdown box (#348, bsc#1099698) + * core: logger: Remove world-readable bit from logfile (#349, bsc#1098986) + * IPv6 rpfilter: explicitly allow neighbor solicitation + * nftables backend (default) + * Added loads of new services - * ipset: check type when parsing ipset definition - * firewall-config: Add ipv6-icmp to the protocol dropdown box - * core: logger: Remove world-readable bit from logfile - * IPv6 rpfilter: explicitly allow neighbor solicitation -- Remove patches that have made it upstream: - * 0001-firewall-config-fix-some-untranslated-strings.patch - * 0001-firewall-config-Add-ipv6-icmp-to-the-protocol-dropdo.patch - * 0001-core-logger-Remove-world-readable-bit-from-logfile-3.patch - * firewalld-0.5.3-po-20180417.tar.xz - -- Mark more strings as translatable when creating rich rules (bsc#1096542) - * 0001-firewall-config-fix-some-untranslated-strings.patch - -- Backport the following upstream fixes: - * Add missig ipv6-icmp protocol to UI drop-down list (bsc#1099698) - - 0001-firewall-config-Add-ipv6-icmp-to-the-protocol-dropdo.patch - * Drop global read permissions from the log file (bsc#1098986) - - 0001-core-logger-Remove-world-readable-bit-from-logfile-3.patch - -- Merge SUSE translations to version 0.5.3, fix typos (boo#1094051, - add firewalld-0.5.3-po-20180417.tar.xz, - remove firewalld-po-20180417.tar.xz). + * firewallctl: completely remove all code and references + * dbus: expose FirewallBackend + * dbus: fix erroneous fallback for AutomaticHelpers +- Remove patches which have made it upstream + * firewalld-add-additional-services.patch +- spec-cleaner fixes -- Translations update to version 20180417 (bsc#1081623): - * Minor fixes of ar, ko, nl. - - * firewall-config: Break infinite loop when firewalld is not - running (bsc#1082470, bsc#1085205) + * firewall-config: Break infinite loop when firewalld is not running -- Remove obsolete patches which are now upstream - * 0001-src-firewall-config-Fix-default-value-for-dialog-but.patch - * 0002-src-firewall-config-Break-infinite-loop-when-firewal.patch -- Update to 0.5.1 (bsc#1084026) +- Remove high-availability service. SUSE HA uses the cluster service + provided by the yast2-cluster package (bsc#1078223) + +- Update to 0.5.1 + +- Update to 0.5.0 -- Add upstream patches to fix endless loop in firewall-config when - firewalld is not running (bsc#1082470) - * 0001-src-firewall-config-Fix-default-value-for-dialog-but.patch - * 0002-src-firewall-config-Break-infinite-loop-when-firewal.patch - -- Remove high-availability service. SUSE HA uses the cluster service - provided by the yast2-cluster package (bsc#1078223) - gcc7 +- Remove include-fixed/pthread.h +- Change GCC exception licenses to SPDX format + +- add gcc7-pr81942.patch [bsc#1181618] + glib2 +- Add glib2-CVE-2021-27218.patch: g_byte_array_new_take takes a + gsize as length but stores in a guint, this patch will refuse if + the length is larger than guint. (bsc#1182328, + glgo#GNOME/glib!1944) + +- Add glib2-CVE-2021-27219-add-g_memdup2.patch: g_memdup takes a + guint as parameter and sometimes leads into an integer overflow, + so add a g_memdup2 function which uses gsize to replace it. + (bsc#1182362, glgo#GNOME/glib!1927, glgo#GNOME/glib!1933, + glgo#GNOME/glib!1943) + glibc +- s390-memmove-ifunc-selector-arch13.patch: S390: Also check vector + support in memmove ifunc-selector (bsc#1184035, BZ #27511) + gnutls +- Security fix: [bsc#1183456, CVE-2021-20232] + * A use after free issue in client_send_params + in lib/ext/pre_shared_key.c may lead to memory + corruption and other potential consequences. +- Add gnutls-CVE-2021-20232.patch + +- Security fix: [bsc#1183457, CVE-2021-20231] + * A use after free issue in client sending key_share extension + may lead to memory corruption and other consequences. +- Add gnutls-CVE-2021-20231.patch + gzip +- gzip.spec: move %patch10 from the ifarch condition (mistake) + +- add gzip-1.10-fix_count_of_lines_to_skip.patch to fix count + of lines to skip [bsc#1180713] + hwdata +- Update to version 0.345: + + Updated pci, usb and vendor ids. + + Resolves boo#1182482 jsc#SLE-13791 bnc#1170160 + +- Update to version 0.344: + + Updated pci, usb and vendor ids. + iptables +- Update to release 1.8.7 + * iptables-nft: + * Improved performance when matching on IP/MAC address prefixes + if the prefix is byte-aligned. In ideal cases, this doubles + packet processing performance. + * Dump user-defined chains in lexical order. This way ruleset + dumps become stable and easily comparable. + * Avoid pointless table/chain creation. For instance, + `iptables-nft -L` no longer creates missing base-chains. + +- Update to release 1.8.6 + * iptables-nft had pointlessly added "bitwise" expressions to + each IP address match, needlessly slowing down run-time + performance (by 50% in worst cases). + * iptables-nft-restore: Support basechain policy value of "-" + (indicating to not change the chain's policy). + * nft-translte: Fix translation of ICMP type "any" match. + +- Update to release 1.8.5 + * IDLETIMER: Add alarm timer option + * nft: CT: add translation for NOTRACK +- Drop iptables-apply-mktemp-fix.patch (seemingly applied) + +- Update to release 1.8.4 + * Fix for wrong counter format in `ebtables-nft-save -c` output. + * Print typical iptables-save comments in arptables- and + ebtables-save, too. + * xt_owner: add --suppl-groups option + * Remove support for /etc/xtables.conf + * Restore support for "-4" and "-6" options in rule lines. + kernel-default +- vfio-ccw: Wire in the request callback (bsc#1183225). +- vfio-mdev: Wire in a request handler for mdev parent + (bsc#1183225). +- commit 1a8b567 + +- Update config files. (bsc#1181284) +- commit 09b2083 + +- KVM: SVM: Periodically schedule when unregistering regions on + destroy (bsc#1184511 CVE-2020-36311). +- commit fad3809 + +- crypto: essiv - fix AEAD capitalization and preposition use + in help text (bsc#1184134 ltc#192244). +- commit ba310cd + +- crypto: essiv - create wrapper template for ESSIV generation + (bsc#1184134 ltc#192244). + Update config files. + supported.conf: Add crypto/essiv +- commit 07e8de6 + +- Refresh + patches.suse/powerpc-pseries-mobility-handle-premature-return-fro.patch. +- Refresh + patches.suse/powerpc-pseries-mobility-use-struct-for-shared-state.patch. + Update metadata +- commit 61adb77 + +- xen-blkback: don't leak persistent grants from xen_blkbk_map() + (bsc#1183646, CVE-2021-28688, XSA-371). +- commit d927391 + +- Refresh + patches.suse/netsec-restore-phy-power-state-after-controller-rese.patch. +- commit ea9970d + +- thunderbolt: Add support for Intel Tiger Lake-H (bsc#1184129). +- commit a872918 + +- thunderbolt: Introduce tb_switch_is_tiger_lake() (bsc#1184129). +- commit cb3c283 + +- mm/mremap_pages: fix static key devmap_managed_key updates + (bsc#1181787). +- commit e836b25 + +- iwlwifi: Fix MODULE_FIRMWARE() ucode definitions for SLE15-SP3 + (bsc#1183860). +- commit 8e0bc83 + +- scsi: ibmvfc: Make ibmvfc_wait_for_ops() MQ aware (bsc#1184111 + ltc#192232). +- scsi: ibmvfc: Fix potential race in ibmvfc_wait_for_ops() + (bsc#1184111 ltc#192232). +- commit ecee0a9 + +- arm64/crash_core: Export TCR_EL1.T1SZ in vmcoreinfo + (bsc#1179863). +- crash_core, vmcoreinfo: Append 'MAX_PHYSMEM_BITS' to vmcoreinfo + (bsc#1179863). +- commit 3277e15 + +- s390/vtime: fix increased steal time accounting (bsc#1183859). +- commit 5026f60 + +- Refresh patch metadata. +- Refresh patches.suse/PCI-rpadlpar-Fix-potential-drc_name-corruption-in-st.patch. +- Refresh patches.suse/powerpc-pseries-mobility-handle-premature-return-fro.patch. +- Refresh patches.suse/powerpc-pseries-mobility-use-struct-for-shared-state.patch. +- Refresh patches.suse/scsi-ibmvfc-Free-channel_setup_buf-during-device-tea.patch. +- commit 815f258 + +- Refresh + patches.suse/net-mlx5e-Fix-CQ-params-of-ICOSQ-and-async-ICOSQ.patch. + Fixed backport (bsc#1183773) +- commit 9959a4b + +- net: core: introduce __netdev_notify_peers (bsc#1183871 + ltc#192139). +- commit 658d714 + +- ibmvnic: prefer strscpy over strlcpy (bsc#1183871 ltc#192139). +- ibmvnic: remove unused spinlock_t stats_lock definition + (bsc#1183871 ltc#192139). +- ibmvnic: add comments for spinlock_t definitions (bsc#1183871 + ltc#192139). +- Refresh patches.suse/ibmvnic-serialize-access-to-work-queue-on-remove.patch +- Refresh patches.suse/net-re-solve-some-conflicts-after-net-net-next-merge.patch +- ibmvnic: fix miscellaneous checks (bsc#1183871 ltc#192139). +- ibmvnic: avoid multiple line dereference (bsc#1183871 + ltc#192139). +- ibmvnic: fix braces (bsc#1183871 ltc#192139). +- ibmvnic: fix block comments (bsc#1183871 ltc#192139). +- Refresh patches.suse/ibmvnic-fix-a-race-between-open-and-reset.patch. +- Refresh patches.suse/ibmvnic-serialize-access-to-work-queue-on-remove.patch. +- Refresh patches.suse/net-re-solve-some-conflicts-after-net-net-next-merge.patch. +- ibmvnic: prefer 'unsigned long' over 'unsigned long int' + (bsc#1183871 ltc#192139). +- ibmvnic: remove unnecessary rmb() inside ibmvnic_poll + (bsc#1183871 ltc#192139). +- ibmvnic: rework to ensure SCRQ entry reads are properly ordered + (bsc#1183871 ltc#192139). +- net: ethernet: ibm: ibmvnic: Fix some kernel-doc misdemeanours + (bsc#1183871 ltc#192139). +- ibmvnic: merge do_change_param_reset into do_reset (bsc#1183871 + ltc#192139). +- Refresh patches.suse/ibmvnic-fix-a-race-between-open-and-reset.patch +- use __netdev_notify_peers in ibmvnic (bsc#1183871 ltc#192139). +- commit efd07e6 + +- squashfs: fix xattr id and id lookup sanity checks (bsc#1183850). +- commit b1827ac + +- squashfs: fix inode lookup sanity checks (bsc#1183850). +- commit 9b5c651 + +- net: make __dev_alloc_name consider all name nodes when looking + for (bsc#1180103). +- commit 3400412 + +- Update + patches.suse/s390-lock-down-kernel-in-secure-boot-mode.patch + (bsc#1183746 jsc#SLE-7741). +- commit e9dda35 + +- netsec: restore phy power state after controller reset + (bsc#1183756). +- commit 45d0550 + +- powerpc/pseries/mobility: handle premature return from H_JOIN + (bsc#1183662 ltc#191922). +- powerpc/pseries/mobility: use struct for shared state + (bsc#1183662 ltc#191922). +- commit 36f1612 + +- padata: upgrade smp_mb__after_atomic to smp_mb in + padata_do_serial (bsc#1178648). +- commit f3ee3cb + +- ALSA: usb-audio: fix use after free in usb_audio_disconnect + (bsc#1182552 bsc#1183598). +- ALSA: usb-audio: fix NULL ptr dereference in usb_audio_probe + (bsc#1182552 bsc#1183598). +- commit 8173e6a + +- Move upstreamed sound fixes into sorted section +- commit 4b54f4c + +- Refresh sorted section. +- commit c4b4430 + +- rpadlpar: fix potential drc_name corruption in store functions + (bsc#1183416 ltc#191079). +- commit 9661ab7 + +- Refresh patches.suse/x86-sev-es-add-a-runtime-vc-exception-handler. +- Refresh patches.suse/x86-sev-es-handle-db-events. + Remove lockdep_assert_irqs_disabled() from + patches.suse/x86-sev-es-add-a-runtime-vc-exception-handler. + It can't possibly work correctly on a 5.3 kernel because + there is no NMI-safe hardirq state tracking yet. +- commit 1234b14 + +- blacklist.conf: Add 62441a1fb532 x86/sev-es: Correctly track IRQ states in runtime #VC handler +- commit 1b48e04 + +- x86/sev-es: Use __copy_from_user_inatomic() (bsc#1183553). +- x86/sev-es: Check regs->sp is trusted before adjusting #VC + IST stack (bsc#1183551). +- x86/sev-es: Introduce ip_within_syscall_gap() helper + (bsc#1183552). +- commit 8bcc6e7 + +- ibmvfc: free channel_setup_buf during device tear down + (bsc#1183440 ltc#191464). +- commit b86b88e + +- s390: lock down kernel in secure boot mode (jsc#SLE-7741). +- Update config files. +- commit 1499b7b + +- iommu/amd: Fix sleeping in atomic in increase_address_space() + (bsc#1183310). +- commit f8bf292 + +- Refresh ibmvfc patches to upstream version. +- commit e1a83f9 + ldb +- Release ldb 2.2.1 + + CVE-2020-27840: Unauthenticated remote heap corruption via bad DNs; + (bso#14595); (bsc#1183572); + + CVE-2021-20277: out of bounds read in ldb_handler_fold; (bso#14655); + (bsc#1183574); + libX11 +- U_0001-_XIOError-dpy-will-never-return-so-remore-dead.patch + U_0002-remove-empty-line.patch + U_0003-poll_for_response-Call-poll_for_event-again-if-xcb_p.patch + U_0004-poll_for_event-Allow-using-xcb_poll_for_queued_event.patch + U_0005-Prepare-for-_XIOError-possibly-returning.patch + U_0006-Fix-poll_for_response-race-condition.patch + * fixes a race condition in libX11 that causes various + applications to crash randomly (boo#1181963) +- refreshed U_0001-Fix-an-integer-overflow-in-init_om.patch + libcap +- Update to libcap 2.26 for supporting the ambient capabilities + (jsc#SLE-17092, jsc#ECO-3460) +- Use "or" in the license tag to avoid confusion (bsc#1180073) + -- updated to libcap-2.19 - * more stuff in capsh.c - * sys/capability.h header clean up and fixes. - -- fixed build on ppc64 (needs to get linux/types.h included first). - -- use %_smp_mflags - -- fix deps for fdupes - -- add baselibs.conf as a source - -- fix a typo in the previous patch (__le64) (bnc#487453) -- don't define __u32 & co if _LINUX_TYPES_H is defined (bnc#487453) - -- fix build error on i386 due to missing __u64 definition in - sys/capability.h - libgnomesu +- Update to version 2.0.6: + * Updated translations. + +- Update to version 2.0.5: + * Gracefully exit on SIGTERM to avoid leaving behind xauth + temporary files due to skipped pam cleanup on shutdown + (bsc#1176514). + +- Use %{_libexecdir} where appropriate (instead of %{_prefix}/lib). + libnftnl -- libnftnl version bump [jsc#SLE-7497] - * iptables 1.8.3 needs libnftnl >= 1.1.3 +- Update to release 1.1.9 + * Improve formatting of registers in bitwise dumps. + +- Update to release 1.1.8 + * libnftnl: export nftnl_set_elem_fprintf + * examples: add support for NF_PROTO_INET family + * table: add userdata support + * object: add userdata and comment support + * chain: add userdata and comment support + * src: add support for chain ID attribute + +- Update to release 1.1.7 + * udata: add NFTNL_UDATA_SET_DATA_INTERVAL + +- Update to release 1.1.6 + * add slave device matching + * support for NFTNL_SET_EXPR + +- Update to release 1.1.5 + * flowtable: add support for handle attribute + * obj/ct_timeout: Avoid array overrun in timeout_parse_attr_data() libstorage-ng +- Translated using Weblate (Spanish) (bsc#1149754) +- 4.3.105 + +- merge gh#openSUSE/libstorage-ng#801 +- allow diagnostics partition id for GPT (bsc#1184073) +- 4.3.104 + +- Translated using Weblate (French) (bsc#1149754) +- 4.3.103 + +- Translated using Weblate (German) (bsc#1149754) +- 4.3.102 + +- Translated using Weblate (Italian) (bsc#1149754) +- 4.3.101 + +- Translated using Weblate (Italian) (bsc#1149754) +- 4.3.100 + +- Translated using Weblate (Indonesian) (bsc#1149754) +- 4.3.99 + +- Translated using Weblate (Spanish) (bsc#1149754) +- 4.3.98 + +- Translated using Weblate (Chinese (Taiwan)) (bsc#1149754) +- 4.3.97 + +- Translated using Weblate (Chinese (China)) (bsc#1149754) +- 4.3.96 + libunistring +- version update to 0.9.10 [bsc#1183794] + * The functions + u8_casing_prefix_context, u8_casing_prefixes_context, + u8_casing_suffix_context, u8_casing_suffixes_context, + u16_casing_prefix_context, u16_casing_prefixes_context, + u16_casing_suffix_context, u16_casing_suffixes_context, + u32_casing_prefix_context, u32_casing_prefixes_context, + u32_casing_suffix_context, u32_casing_suffixes_context, + that are documented since version 0.9.1, are now actually + implemented. + * bump gnulib version + -- libunistring-gnulib-ppc64le.patch: Fix imported gnulib long double - math tests for little-endian PowerPC. - -- license update: LGPL-3.0+ and GPL-3.0+ - Numerous files in tests/ and woedll are GPL-3.0+ licensed. Either put - them in a separate GPL-3.0+ labelled subpackage or use this label for the - main License: line - -- Nuke unnecessary libunistring binary package: move documentation - files to devel subpackage - -- Remove redundant tags/sections per specfile guideline suggestions -- Parallel building using %_smp_mflags - -- Workaround qemu-arm bugs. - -- updated to version 0.9.3: - * Bug fixes in unistr.h functions: - - The functions u16_to_u32, u16_to_u8, u8_to_u32, u8_to_u16 now fail when - the argument is not valid. Previously, they returned a converted string - where invalid parts were each replaced with U+FFFD. - - The function u8_mbsnlen now counts an incomplete character at the end - of the argument string as 1 character. Previously, it could count as 2 - or 3 characters. - - The return value of the u8_stpncpy, u16_stpncpy, u32_stpncpy functions - was incorrect. - - The u8_strcoll, u16_strcoll, u32_strcoll now try harder to give a non-zero - return value. - -- updated to version 0.9.2.1: - * The function uc_locale_language now uses the locale of the - current thread, if a thread-specific locale has been set. - -- initial version of package 0.9.1.1 -- spec file taken from - http://www.pixelbeat.org/patches/libunistring - (PĂĄdraig Brady options.extension was allocated before + checking async_context + * CONC-517: C/C looks for plugins in wrong location on Windows + mdadm +- cluster-md/mdadm : avoid useless re-sync (bsc#1181341) + 0114-super1-fix-Floating-point-exception.patch + 0115-super1.c-avoid-useless-sync-when-bitmap-switches-fro.patch + multipath-tools +- Update to version 0.8.5+30+suse.633836e: + * multipathd: give up "add missing path" after multiple failures + (bsc#1183963) + netpbm +- skip failing tests for armv7hl (bsc#1181571) + nftables +- Update to release 0.9.8 + * Complete support for matching ICMP header content fields. + * Added raw tcp option match support. + * Added ability to check for the presence of any tcp option. + * Support for rejecting traffic from the ingress chain. + +- Update to release 0.9.7 + * Support for implicit chains + * Support for ingress inet chains + * Support for reject from prerouting chain + * Support for --terse option in json + * Support for the reset command with json + +- Update to release 0.9.6 + * Fix two ASAN runtime errors + +- Update to release 0.9.5 + * Support for set counters. + * Support for restoring set element counters via nft -f. + * Counter support for flowtables. + * typeof concatenations support for sets. + * Support for concatenated ranges in anonymous sets. + * Allow to reject packets with 802.1q from the bridge family. + * Support for matching on the conntrack ID. +- Drop anonset-crashfix.patch (upstream solved differently) + +- Add anonset-crashfix.patch [boo#1171321] + +- Update to release 0.9.4 + * Add a helper for concat expression handling. + * Add "typeof" build/parse/print support. + +- Add json, python [boo#1158723] + +- Update to release 0.9.3 + * meta: Introduce new conditions "time", "day" and "hour". + * src: add ability to set/get secmarks to/from connection. + * flowtable: add support for named flowtable listing. + * flowtable: add support for delete command by handle. + * json: add support for element deletion. + * Add `-T` as the short option for `--numeric-time`. + * meta: add ibrpvid and ibrvproto support + +- Update to new upstream release 0.9.2 + * Transport header port matching, e.g. "th dport 53" + * Support for matching on IPv4 options + * Support for synproxy + +- Remove unused dblatex BuildRequires, only needed for the optional + and disabled PDF generation (same contents as shipped manpage). + +- Update to new upstream release 0.9.0 + * Support to check if packet matches an existing socket. + * Support to limit number of active connections by arbitrary + criteria, such as ip addresses, networks, conntrack zones or + any combination thereof. + * Added support for "audit" logging. + +- Update to new upstream release 0.8.5 + * support to add/insert a rule at a given index position + * meter statement now supports a configureable upper max size + * timeouts for sets can now be specified in milliseconds + * re-add iptables-like empty skeleton rulesets + +- Update to new upstream release 0.8.4 + * Support to match IPv6 segment routing headers. + * New "meta ibrname" and "meta obrname" arguments to match the + name of the logical bridge a packet is passing through. + These new names replace the old (misnamed) "ibriport"/"obriport". + * `nft -a` will now show handle identifier for all objects, + including tables and chains. + * nft can now delete objects by their handle number. + * Support to update maps from the ruleset (packet path). + * the "--echo" option now prints handle id for tables and + object too. + * `nft -f -` will now read from standard input + * Support for flow tables, cf. man page or + https://lwn.net/Articles/738214/ . + +- Update to new upstream release 0.8.3 + * raw payload support to match headers that do not yet have + received a mnemonic. + -- Update to new upstream release 0.3 - * More compact syntax for the queue action - * Match input and output bridge interface name through "meta - ibriport" and "meta obriport" - * netlink event monitor, to monitor ruleset events, set changes, etc. - * New transaction infrastructure - fully atomic updates for all - object available in the upcoming 3.16. - -- Initial package for build.opensuse.org - nghttp2 +- security update +- added patches + fix CVE-2020-11080 [bsc#1181358], HTTP/2 Large Settings Frame DoS + + nghttp2-CVE-2020-11080.patch + open-iscsi +- Updated to latest upstream 2.1.4 as 2.1.4-suse, which contains + these changes not already present: + * Enable iscsi.service asynchronous logins, cleanup services + (bsc#1183421) + * libopeniscsiusr: dont error loudly if a session isn't found when + working through iscsi_sessions_get() + * libopeniscsiusr: skip over removed sessions + * libopeniscsiusr: fix error messages + * Avoid hardcoding pkg-config to fix cross build + * Fix iscsistart login issue when target is delayed. + openldap2 +- bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the + X.509 DN parsing in decode.c ber_next_element, resulting in denial + of service. + * 0220-ITS-9423-ldap_X509dn2bv-check-for-invalid-BER-after-.patch +- bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN + parsing in ad_keystring, resulting in denial of service. + * 0222-ITS-9425-add-more-checks-to-ldap_X509dn2bv.patch +- bsc#1182412 CVE-2020-36228 - integer underflow leading to crash + in the Certificate List Exact Assertion processing, resulting in + denial of service. + * 0223-ITS-9427-fix-issuerAndThisUpdateCheck.patch +- bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the + cancel_extop Cancel operation, resulting in denial of service. + * 0224-ITS-9428-fix-cancel-exop.patch +- bsc#1182416 CVE-2020-36225 - double free and slapd crash in the + saslAuthzTo processing, resulting in denial of service. + * 0218-ITS-9412-fix-AVA_Sort-on-invalid-RDN.patch +- bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash + in the saslAuthzTo processing, resulting in denial of service. + * 0217-ITS-9409-saslauthz-use-slap_sl_free-in-prev-commit.patch + * 0216-ITS-9409-saslauthz-use-ch_free-on-normalized-DN.patch +- bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd + crash in the saslAuthzTo processing, resulting in denial of service. + * 0219-ITS-9413-fix-slap_parse_user.patch +- bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the + saslAuthzTo validation, resulting in denial of service. + * 0213-ITS-9406-9407-remove-saslauthz-asserts.patch + * 0214-ITS-9406-fix-debug-msg.patch +- bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact + Assertion processing, resulting in denial of service (schema_init.c + serialNumberAndIssuerCheck). + * 0212-ITS-9404-fix-serialNumberAndIssuerCheck.patch + * 0221-ITS-9424-fix-serialNumberAndIssuerSerialCheck.patch +- bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter + control handling, resulting in denial of service (double free and + out-of-bounds read). + * 0215-ITS-9408-fix-vrfilter-double-free.patch + +- bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur + in the issuerAndThisUpdateCheck function via a crafted packet, + resulting in a denial of service (daemon exit) via a short timestamp. + This is related to schema_init.c and checkTime. + * patch: 0211-ITS-9454-fix-issuerAndThisUpdateCheck.patch + openssl-1_1 +- Fix NULL pointer deref in signature_algorithms + * CVE-2021-3449 + * bsc#1183852 + * Add openssl-1_1-CVE-2021-3449-NULL_pointer_deref_in_signature_algorithms.patch + +- Security fixes: + * Integer overflow in CipherUpdate: Incorrect SSLv2 rollback + protection [bsc#1182333, CVE-2021-23840] + * Null pointer deref in X509_issuer_and_serial_hash() + [bsc#1182331, CVE-2021-23841] +- Add openssl-CVE-2021-23840.patch openssl-CVE-2021-23841.patch + +- Fix unresolved error codes [bsc#1182959] +- Update openssl-1.1.1-fips.patch + parted +- Direct file system manipulation support was removed in 2011. + - Removed build dependencies on libreiserfs-devel and + e2fsprogs-devel. + perl-Bootloader +- merge gh#openSUSE/perl-bootloader#134 +- install with --removable if efivars are not writable + (bsc#1182749, bsc#1174111, bsc#1184160) +- fix whitespace +- 0.934 + plymouth +- Disable plymouth-systemd-KillMode-mixed.patch: Temporary disable + it, because aarch64 and ppc64le system could not booting in + release period, and this is only a enhancement with no harm to + rollback (bnc#1177082, bnc#1182145, bnc#1184087). + +- Add plymouth-systemd-KillMode-mixed.patch: Backport from upstream + change plymouth systemd plymouth-start.service KillMode=mixed, + the old method is unsafe and deprecated (bnc#1177082, + bnc#1182145). + poppler +- Add 0001-Fix-opening-files-by-some-generators-that-are-a-bit-.patch: + Some PDF generators generate PDF with some wrong numbers in entry + table, but the content is still valid, this patch ignores those + problems. (bsc#1181551) + postgresql13 +- Upgrade to version 13.2: + * https://www.postgresql.org/docs/13/release-13-2.html + * Updating stored views and reindexing might be needed after + applying this update. + * CVE-2021-3393, bsc#1182040: Fix information leakage in + constraint-violation error messages. + * CVE-2021-20229, bsc#1182039: Fix failure to check per-column + SELECT privileges in some join queries. + * Obsoletes postgresql-icu68.patch. + +- Add postgresql-icu68.patch: fix build with ICU 68 + +- boo#1179765: BuildRequire libpq5 and libecpg6 when not building + them to avoid dangling symlinks in the devel package. protobuf +- Fix Requires for python3 to python3-six. + +- Add missing dependency of python subpackages on python-six + (bsc#1177127). + psmisc +- Change patch 0001-Use-mountinfo-to-be-able-to-use-the-mount-identity.patch + * Fix bsc#1178407: fuser does not show open kvm storage image files + such as qcow2 files. Patch from Ali Abdallah + python3 +Update to 3.6.13, final release of 3.6 branch: + * Security + - bpo#42967 (bsc#1182379, CVE-2021-23336): Fix web cache + poisoning vulnerability by defaulting the query args + separator to &, and allowing the user to choose a custom + separator. + - bpo#42938 (bsc#1181126, CVE-2021-3177): Avoid static + buffers when computing the repr of ctypes.c_double and + ctypes.c_longdouble values. + - bpo#42103: Prevented potential DoS attack via CPU and RAM + exhaustion when processing malformed Apple Property List + files in binary format. + - bpo#42051: The plistlib module no longer accepts entity + declarations in XML plist files to avoid XML + vulnerabilities. This should not affect users as entity + declarations are not used in regular plist files. + - bpo#40791: Add volatile to the accumulator variable in + hmac.compare_digest, making constant-time-defeating + optimizations less likely. + * Core and Builtins + - bpo#35560: Fix an assertion error in format() in debug + build for floating point formatting with “n” format, zero + padding and small width. Release build is not impacted. + Patch by Karthikeyan Singaravelan. + * Library + - bpo#42103: InvalidFileException and RecursionError are now + the only errors caused by loading malformed binary Plist + file (previously ValueError and TypeError could be raised + in some specific cases). + * Tests + - bpo#42794: Update test_nntplib to use offical group name of + news.aioe.org for testing. Patch by Dong-hee Na. + - bpo#41944: Tests for CJK codecs no longer call eval() on + content received via HTTP. +- Patches removed, because they were included in the upstream + tarball: + - CVE-2020-27619-no-eval-http-content.patch + - CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch + +- Resync with python36 Factory package. +- Make this %primary_interpreter + +- Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing + bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in + _ctypes/callproc.c, which may lead to remote code execution. + +- Provide the newest setuptools wheel (bsc#1176262, + CVE-2019-20916) in their correct form (bsc#1180686). + -- Change setuptools and pip version numbers according to new wheels +- Change setuptools and pip version numbers according to new + wheels (bsc#1179756). ruby2 +- Update suse.patch: (boo#1177125) + Backport fix CVE-2020-25613: Potential HTTP Request Smuggling + Vulnerability in WEBrick + +- replace all patches with suse.patch (v2_5_8..2.5-suse) + (we keep remove-unneeded-files.patch as it can not be done in our + backports branch) +- backport patch to enable optimizations also on ARM64 + (boo#1177222) + +- make sure that update-alternative weight for the default + distribution is always greater than our normal weight + +- make the update-alternative weight based on the ruby version + s390-tools +- Added s390-tools-sles15sp3-dasd-change-DASD-udev-rule-to-set-none-scheduler.patch + dasd: change default scheduler to reduce CPU consumption (bsc#1183810) +- Modified s390-tools-sles12-create-filesystem-links.patch to fit after + applying s390-tools-sles15sp3-dasd-change-DASD-udev-rule-to-set-none-scheduler.patch +- Removed 59-dasd.rules-wait_for.patch obsoleted by bsc#1183810. + sed +- Build fix for the new glibc-2.31 (bsc#1183797, + sed-tests-build-fix.patch). + -- keep binary in /usr tree (UsrMerge project) - -- license update: GPL-3.0+ - There are no "GPL-3.0 only" licenses in sed - -- add automake as buildrequire to avoid implicit dependency - -- Update to version 4.2.1: - + fix parsing of s/[[[[[[[[[]// - + security contexts are preserved by -i too under SELinux - + temporary files for sed -i are not made group/world-readable - until they are complete -- Changes from version 4.2: - + now released under GPLv3 - + added a new extension `z` to clear pattern space even in the - presence of invalid multibyte sequences - + a preexisting GNU gettext installation is needed in order to - compile GNU sed with NLS support - + new option --follow-symlinks, available when editing a file - in-place. - + hold-space is reset between different files in -i and -s modes. - + multibyte processing fixed - + fixed bug in 'i\' giving a segmentation violation if given - alone. - + much improved portability - + much faster in UTF-8 locales - + will correctly replace ACLs when using -i - + will now accept NUL bytes for `.' -- Drop upstream included [atches: - + sed-follow_symlinks.patch - + sed-4.1.5-fix_warnings.patch -- Remove --enable-html from configure: the option is no longer - supported and sed.html no longer created. - -- use %_smp_mflags - -- enable parallel building - smartmontools +- Remove obsolete service parameter (bsc#1183699, + smartmontools-smartd-service.patch). + snapper +- fixed creating root config (root prefix handling) + (gh#openSUSE/snapper#627) + squashfs +- enabled ZSTD compression support for openSUSE >= 15.1 + +- Add -fcommon in order to fix boo#1160294. + +- Version 4.4 - 2019-08-29: + * Reproducible builds, new compressors, + CVE fixes, security hardening and new options + for Mksquashfs/Unsquashfs. +- Overall improvements: + * Mksquashfs now generates reproducible images by default. + * Mkfs time and file timestamps can also be specified. + * Support for the Zstandard (ZSTD) compression algorithm. + * CVE-2015-4645 and CVE-2015-4646 have been fixed. +- Mksquashfs improvements and major bug fixes: + * Pseudo files now support symbolic links. + * New -mkfs-time option. + * New -all-time option. + * New -root-mode option. + * New -quiet option. + * New -noId option. + * New -offset option. + * Update lz4 wrapper to use new functions introduced + in 1.7.0. + * Bug fix, don't allow "/" pseudo filenames. + * Bug fix, allow quoting of pseudo files, to + better handle filenames with spaces. + * Fix compilation with glibc 2.25+. +- Unsquashfs improvements and major bug fixes: + * CVE-2015-4645 and CVE-2015-4646 have been fixed. + * Unsquashfs has been further hardened against corrupted + filestems. + * Unsquashfs is now more strict about error handling. + * New -ignore-errors option. + * New -strict-errors option. + * New -lln[umeric] option. + * New -lc option. + * New -llc option. + * New -mkfs-time option. + * New -UTC option. + * New -offset option. + * New -quiet option. + * Update lz4 wrapper to use new functions introduced + in 1.7.0. + * Bug fix, fatal and non-fatal errors now set the exit + code to 1. + * Bug fix, fix time setting for symlinks. + * Bug fix, try to set sticky-bit when running as a + user process. + * Fix compilation with glibc 2.25+. +- build changes: + * re-created patches to fit squashfs 4.4 + * removed 0001-mksquashfs-fix-rare-race-in-fragment-waiting-in-file.patch + (new version includes this change) + * removed 0002-Fix-2GB-limit-of-the-is_fragment-.-function.patch + (new version includes this change) + * removed 0003-Add-offset-function-to-skip-n-bytes.patch + (new version includes this change) + * removed sysmacros.patch + (new version includes this change) + +- Add -offset function to skip n bytes at the beginning of the squashfs… + https://github.com/plougher/squashfs-tools/commit/5a498ad24dcfeac9f3d747e894f22901f3ac10 + (0003-Add-offset-function-to-skip-n-bytes.patch) + +- Disable LTO (boo#1133284). + +- Use | instead of / that can be part of -L or -I options. + +- Use / as sed command delimiter. Comma can actually show up in + optflags (think -Wl,…), which then breaks the sed command line + parsing. + +- sysmacros.patch: Include for major/minor/makedev + -- Since version 4.3, squasfs does not require attr-devel - but uses glibc instead. - -- update to 4.3: - - unsquashfs: add checks for corrupted data in opendir functions - - unsquashfs: completely empty filesystems incorrectly generate an error - - unsquashfs: fix open file limit - - mksquashfs: Use linked list to store directory entries rather - - mksquashfs: Remove qsort and add a bottom up linked list merge sort - - mksquashfs: optimise lookup_inode2() for dirs - - pseudo: fix handling of modify pseudo files - - pseudo: fix handling of directory pseudo files - - xattr: Fix ERROR() so that it is synchronised with the progress bar - - mksquashfs/sort: Fix INFO() so that it is synced with the progress bar - - mksquashfs: Add -progress to force progress bar when using -info - - error.h: consolidate the various error macros into one header file - - mksquashfs: fix stack overflow in write_fragment_table() - - mksquashfs: move list allocation from off the stack - - unsquashfs: fix oversight in directory permission setting - - mksquashfs: dynamically allocate recovery_file - - mksquashfs: dynamically allocate buffer in subpathname() - - mksquashfs: dynamically allocate buffer in pathname() - - unsquashfs: fix CVE-2012-4024 - - unsquashfs: fix CVE-2012-4025 - - mksquashfs: fix potential stack overflow in get_component() - - mksquashfs: add parse_number() helper for numeric command line options - - mksquasfs: check return value of fstat() in reader_read_file() - - mksquashfs: dynamically allocate filename in old_add_exclude() - - unsquashfs: dynamically allocate pathname in dir_scan() - - unsquashfs: dynamically allocate pathname in pre_scan() - - sort: dynamically allocate filename in add_sort_list() - - mksquashfs: fix dir_scan() exit if lstat of source directory fails - - pseudo: fix memory leak in read_pseudo_def() if exec_file() fails - - pseudo: dynamically allocate path in dump_pseudo() - - mksquashfs: dynamically allocate path in display_path2() - - mksquashfs: dynamically allocate b_buffer in getbase() - - pseudo: fix potential stack overflow in get_component() - - pseudo: avoid buffer overflow in read_pseudo_def() using sscanf() - - pseudo: dynamically allocate filename in exec_file() - - pseudo: avoid buffer overflow in read_sort_file() using fscanf() - - sort: tighten up sort file parsing - - unsquashfs: fix name under-allocation in process_extract_files() - - unsquashfs: avoid buffer overflow in print_filename() using sprintf() - - Fix some limits in the file parsing routines - - pseudo: Rewrite pseudo file processing - - read_fs: fix small memory leaks in read_filesystem() - - mksquashfs: fix fclose leak in reader_read_file() on I/O error - - mksquashfs: fix frag struct leak in write_file_{process|blocks|frag} - - unsquashfs_xattr: fix memory leak in write_xattr() - - read_xattrs: fix xattr free in get_xattr() in error path - - unsquashfs: add -user-xattrs option to only extract user.xxx xattrs - - unsquashfs: add code to only print "not superuser" error message once - - unsquashfs: check for integer overflow in user input - - mksquashfs: check for integer overflow in user input - - mksquashfs: fix "new" variable leak in dir_scan1() - - read_fs: prevent buffer {over|under}flow in read_block() with - corrupted filesystems - - read_fs: check metadata blocks are expected size in scan_inode_table() - - read_fs: check the root inode block is found in scan_inode_table() - - read_fs: Further harden scan_inode_table() against corrupted - filesystems - - unsquashfs: prevent buffer {over|under}flow in read_block() with - corrupted filesystems - - read_xattrs: harden xattr data reading against corrupted filesystems - - unsquash-[23]: harden frag table reading against corrupted filesystems - - unsquash-4.c: harden uid/gid & frag table reading against corruption - - unsquashfs: harden inode/directory table reading against corruption - - mksquashfs: improve out of space in output filesystem handling - - mksquashfs: flag lseek error in writer as probable out of space - - mksquashfs: flag lseek error in write_destination as probable out of - space - - mksquashfs: print file being squashed when ^\ (SIGQUIT) typed - - mksquashfs: make EXIT_MKSQUASHFS() etc restore via new restore thread - - mksquashfs: fix recursive restore failure check - - info: dump queue and cache status if ^\ hit twice within one second - - mksquashfs: fix rare race condition in "locked fragment" queueing - - lz4: add experimental support for lz4 compression - - lz4: add support for lz4 "high compression" - - lzo_wrapper: new implementation with compression options - - gzip_wrapper: add compression options - - mksquashfs: redo -comp parsing - - mksquashfs: display compressor options when -X option isn't recognised - - mksquashfs: add -Xhelp option - - mksquashfs/unsquashfs: fix mtime signedness - - Mksquashfs: optimise duplicate checking when appending - - Mksquashfs: introduce additional per CPU fragment process threads - - Mksquashfs: significantly optimise fragment duplicate checking - - read_fs: scan_inode_table(), fix memory leak on filesystem corruption - - pseudo: add_pseudo(), fix use of freed variable - - mksquashfs/unsquashfs: exclude/extract/pseudo files, fix handling of - leaf name - - mksquashfs: rewrite default queue size so it's based on physical mem - - mksquashfs: add a new -mem option - - mksquashfs: fix limit on the number of dynamic pseudo files - - mksquashfs: make -mem take a normal byte value, optionally with a - K, M or G - -- Remove redundant tags/sections from specfile -- Parallel build with %_smp_mflags - -- enable support for xz and lzo (kernel has support already) - -- The ppc64 kernel uses a page size of 64kB but mksquashfs only - pads to a 4kB boundary. When we loopback mount a squashfs file - that isn't 64kB aligned and access the last sector of the - associated loopback device we see a stream of errors. - Disk partitioning tools seem to like accessing the last 512 - bytes of partitions. - This should fix warnings seen during starting installation on - ppc64 and IA64 - -- Update to version 4.2: - + Filesystem improvements: - - Added XZ compression - - Added compression options support - + Miscellaneous improvements/bug fixes: - - Add missing NO_XATTR filesystem flag to indicate no-xattrs - option was specified and no xattrs should be stored when - appending. - - Add suppport in Unquashfs -stat option for displaying - NO_XATTR flag. - - Remove checkdata entry from Unsquashfs -stat option if a 4.0 - filesystem - checkdata is no longer supported. - - Fix appending bug when appending to an empty filesystem - - this would be incorrectly treated as an error. - - Use glibc sys/xattr.h include rather than using attr/xattr.h - which isn't present by default on some distributions. - - Unsquashfs, fix block calculation error with regular files - when file size is between 2^32-block_size+1 and 2^32-1. - - Unsquashfs, fix sparse file writing when holes are larger - than 2^31-1. - - Add external CFLAGS and LDFLAGS support to Makefile, and - allow build options to be specified on command line. - Also don't over-write passed in CFLAGS definition. - -- update to 4.1 - - support for lzo (>= 2.6.36) and lzma (not yet mainline) - - xattr support - - misc fixes for the tools - -- removed obsolete source file - -- update to squashfs 4.0 (unsquashfs actually works) - systemd +- Fix 1001-udev-use-lock-when-selecting-the-highest-priority-de.patch (bsc#1184254) + When a symlink is removed because there's no more references to it + make sure to remove the parent dir of the symlink as well. Also add + some logging when something goes wrong during the removal. + +- systemd.spec: clean some of the build deps up: + - libpcre is redundant with libpcre2 (only required by the full + build) and the mini variant needs none of them. Hence drop the ref + to libpcre. + - normally libidn2 is needed by some optional features in + systemd-network (only). But it's implicitly pulled in by libgnutls + (required by the main package). Let's make sure the related + features won't be disabled inadvertently in the future by making + the dep explicit. + +- Fix fd leak in 1001-udev-use-lock-when-selecting-the-highest-priority-de.patch (bsc#1184238) + +- Import commit 480a6d14725509307a0f3edefef3876c107ee7f1 (merge of v246.13) + 423b1e759c Revert "resolved: gracefully handle with packets with too large RR count" (bsc#1183745) + 4723778738 meson.build: make xinitrcdir configurable (bsc#1183408) + [...] + For a complete list of changes, visit: + https://github.com/openSUSE/systemd/compare/8baed1c6f82798c2374bdbfdd440dd065d09fb99...480a6d14725509307a0f3edefef3876c107ee7f1 + -- Update 1004-udev-don-t-create-by-partlabel-primary-and-.-logical.patch +- Update 1004-udev-don-t-create-by-partlabel-primary-and-.-logical.patch (bsc#1183702) systemd-presets-common-SUSE +- Enable user service pipewire-media-session.service (used with + pipewire >= 0.3.23). + +- Enable user services pipewire.socket and pipewire-pulse.socket + (boo#1183012). + +- Enable btrfsmaintenance-refresh.path and disable + btrfsmaintenance-refresh.service to avoid needless refresh on boot + (boo#1165780) + +- Enable dnf-makecache.timer + +- BuildRequire pkgconfig(systemd) instead of systemd: allow OBS to + shortcut the build queues by allowing usage of systemd-mini + +- Enable ignition-firstboot-complete.service + +- Enable logwatch.timer (bsc#1112500). + +- Recent versions of mlocate don't use updatedb.timer any more. + Instead, the unit is called mlocate.timer. [boo#1115408] + +- Add default user preset: currently containing only the new + pulseaudio.socket (bsc#1083473) + sysvinit +- (re)add also support for SLE-15-SP3 + +- Update to sysvinit 2.99: + * Mostly typo and just better documentation and easier to read + code comments + +- prepare usrmerge (boo#1029961) + +- Update to sysvinit 2.98: + * Fixed time parsing in shutdown when there is a + in front of a 0 time offset. + Commands with a postiive time offset (+1) would work but +0 fails. + This has been corrected by Arkadiusz Miskiewicz. + +- Drop /bin/pidof and /sbin/pidof, including corresponding man + page: let's switch to pidof as provided by procps-ng. + +- Update to sysvinit 2.97: + * Check $(ROOT) filesystem for libcrypt instead of a hardcoded + path to /usr. + * Code clean-up and making sure we avoid freeing unused memory. + * Added shell script which converts systemd unit files into + init.d style scripts. + * Allow init to load configuration data from files stored in + /etc/inittab.d/ + * Allow shutdown time to be specified in the format +hh:mm. This + is in addition to the existing formats such as hh:mm, +m, and + "now". + * Fixed typos in manual pages. +- Update startpar to 0.65: + + Make sure startpar testsuite can find insserv executable in + /usr/sbin or /sbin. + + Added PREFIX variable to Makefile and testsuite to make + location of startpar and insserv more flexible. +- Rebase sysvinit-2.90.dif. +- Drop SCVER defines: not used in any place. +- Drop startpar-sysmacros.patch: fixed upstream. + +- Update to sysvinit 2.96 + * Added -z command line paramter to pidof which tells pidof to + try to find processes in uninterruptable (D) or zombie (Z) states. + This can cause pidof to hang, but produces a more complete process + list. + * Reformatted init code to make if/while logic more clear. + * Make sure src/Makefile cleans up all executable files + when parent Makefile calls "make clean". + +- Update to killproc 2.23 + * killproc has its upstream at https://github.com/bitstreamout/killproc + * Use new system call statx(2) to replace old stat(2)/lstat(2) +- Remove patches now upstream: + * killproc-2.18-open_flags.dif + * killproc-2.21.dif + * killproc-sysmacros.patch + * killproc-mntinf-optional.patch + +- Remove logsave as well as the manual page as those as part of + package e2fsprogs already + +- Update to sysvinit 2.95 + * new logsave helper +- Update to startpar-0.63 + * move startpar from /sbin to /bin +- Port our patches + * startpar-0.58.dif + * sysvinit-2.88dsf-suse.patch + * sysvinit-2.90-no-kill.patch + * sysvinit-2.90.dif + +- Add patch killproc-mntinf-optional.patch to handle various optional + fields of /proc//mountinfo on the entry/ies before the hypen + (bsc#1131982) + +- Update to sysvinit 2.90 +- Remove now upstream patches + * sysvinit-2.88+dsf-dostat.patch + * sysvinit-2.88+dsf-sulogin.diff + * sysvinit-2.88+dsf.tar.bz2 + * sysvinit-2.88dsf-scripts2.patch +- Port our patches + sysvinit-2.88dsf-no-kill.patch becomes sysvinit-2.90-no-kill.patch + sysvinit-2.88+dsf.dif becomes sysvinit-2.90.dif + +- killproc-sysmacros.patch, startpar-sysmacros.patch: Include + for makedev + +- Use %license instead of %doc [bsc#1082318] + -- For systemd distributions and products do not build the package - sysvinit anymore - -- use systemd-rpm-macros instead of systemd-devel to avoid build - dependency on systemd and it's deps in turn -- don't install mkinitrd stuff on > 131 anymore - -- The former entry adds the patch killproc-2.18-open_flags.dif (bnc#863518) - -- open("/dev/tty", ...) should use O_RDWR, not O_WRONLY. Otherwise, - after dup2(fd, 0);, a process cannot read from stdin. [bnc#863518] - -- Add patch sysvinit-2.88+dsf-xen.patch to enable sulogin to find - suitable console device even if first is not usable (bnc#862078) - -- Add patch sysvinit-2.88+dsf-sulogin.diff from upstream to handle - e.g. strange names of executables in killall5 - -- Split off powerd from sysvinit -- Make powerd work together with systemd -- Modify patch powerd-2.0.2.dif to remove sysvinit features -- Adding the systemd unit file powerd.service - -- Remove usage of absolute paths -- List all needed binaries in programs tag - -- Skip binaries now part of util-linux - -- Add sanity check for /etc/inittab to avoid reload on systemd - systems (bnc#813510) - -- move mkinitrd scripts of blogs to sysvinit-init, it's breaking - systemd/plymouth (bnc#804458) - -- Added patch from Roger Leigh to correct the manual page of startpar - -- Increase daemon detection time in startproc to give started - process the time to daemonize (bnc#757643) - -- Add fix/workaround in blogd for new glibc internal pthread API to - avoid an glibc nptl assert report in bnc#772055 - -- fix deadlock in blogd that happens on shutdown (bnc#730193) - -- Fix parameter turner in fscanf to really detect the file system - type in startproc/checkproc/killproc (bnc#762489) - -- Add two patch from upstream - + Avoid crash for exported environment for processes init spawns -- Fix typo as the script for powerd (bnc#758920) - -- add mingetty to Requires - * remove it as dependency from aaa_base ad it's needed for sysvinit only - -- Add two patch from upstream - + Handle deleted binaries in pidof (was upstream bug #34992) - + Allow init to delte extra environment variables (was upstream - bug #35858) - + Avoid that init double environment variables for its childs - (was upstream bug #35855) - -- Work around dully check script of obs - -- Avoid useless check for runlevel as access(2) now works on - kernel 3.0 and above, this fixes bnc#744538 - -- New killproc-2.21 which includes the last bug fixes as well as - new features like support for ionice with startproc -- New showconsole-1.16 which includes the last bug fixes -- New startpar-0.58 which includes the last bug fixes as well as - the patches from Debian -- Make rpmlint happy - -- Avoid trouble with indirect console names (bnc#731563) -- Unmount proc file system if initial not mounted (bnc#718385) - -- Use pipe to synch parent with child in startproc (bnc#713342) - -- Add option -x to be able to identify scripts overwriting their - command line (bnc#723708) - -- There was never a version 1.16 for showconsole -- Add some code to be able to detect programs even as user with - kernel 3.0 and above (bnc#723072) - -- do not telinit u if /sbin/init is not sysvinit - -- split out the symlink /sbin/init into a special subpackage, - which does _NOT_ do a split provide. systemd-sysvinit will - provide this, so you need to do extra work if you want to stay - on sysvinit - -- remove unused files - -- cross-build fix: use %__cc, %configure macros - -- update to showconsole-1.16 (manual page syntax) - -- Update to killproc-2.20 -- Update to showconsole-1.15 -- Clean spec file - -- added documentation (including mandatory COPYING) -- corrected errors in manual pages -- incorporated showconsole-1.14.dif into showconsole-1.15 - -- libblogger: check for SIGPIPE and block SIGPIPE during write, this - also does help startpar not to die on SIGPIPE (bnc#679671) -- blogd: add a further check for nsigsys in writelog() (bnc#679671) - -- Add workaround for blowfish signedness bug (CVE-2011-2483) - -- Sulogin: respect byte order that is do not mix chars and ints - (bnc#707724) - -- Sulogin: enforce reconnection of stdin/stdout/stderr if a device - was specified. -- Sulogin: if zero is read at reading the passwd guess it's done. - -- Fix build without libcrypt.a (without static glibc), added - patch sysvinit-2.88+dsf-crypt.patch. - -- use /run for utmp as that's already mounted by the initrd - -- Add latest change for sulogin multiple console devices support - -- Aoid possible trouble due raw pts/ptmx terminal line in both - blogd and startpar -- Block SIGTTOU during tcsetattr(3) library call in both blogd - and startpar -- Replace select(2) with pselect(2) in blogd and ensure that - the timeout structure will be reseted after a timeout - -- Correct shutdown messages of startpar send via blogd - -- Avoid possible races which can be happen if blogd sees a signal - and will exit then (related to bnc#642289) - -- Fix exit code of checkproc in case of an existing pid file - without running process (bnc#687547) - -- Fix bug in killproc that is do not stop searching for a match if - a mountpoint does not match, reported by Friedrich Haubensak. - -- Let sulogin respect device on the command line as well as the - standard input -- Let sulogin initialize serial terminals - -- Remove debug code from showconsole/blogd -- Make serial console tc init work even with blogd -- sulogin: add support for multiple console devices - -- New showconsole verion 1.14 - * Use sysfs file as fallback if possible - * Add more sanity checks to avoid looping on tty0 - -- Fix triggered endless loop in blogd (bnc#642289) - * Writing on tty0 caused blogd to re-read its own messages - * The usage of ttyname(3) on /dev/console can fail - -- Update to current SVN version of sysvinit 2.88dsf: - * Fix counting message lines in wall. Patch from Petr Lautrbach. - * Fix bad printf conversion specifier in wall. Patch from Sébastien Luttringer. - * Add patches from Openwall project. Thanks goes to Solar Designer. - * Add code to detect the system consoles with the help of the - new /proc/consoles files of linux kernel 2.6.38+ - * Try to make utmpdump IPv6 valid, change based on suggestion from - Navdeep Bhatia (see local bug #32429) - * Fix signal and alarm handling based on the patch from Florent Viard. - (was local bug #32304) - * Add fix for Redhat bug #573346: last incorrectly displays IPv6 - addresses (was local bug #29497) - * Correct fix for Debian bug #547073: use IUTF8 flag if defined - and if already set to make sure the utf-8 flag is not cleared - from the tty. Patch from Samuel Thibault. - * Include limits.h in killall.c to enforce definition of PATH_MAX - * Fix sysvinit bug #29758 Linker invocation should not contain - headers. Change based on patch from Elias Pipping. - * Add fix for Debian bug #580272: use return value 1 of - is_selinux_enabled() to determine if SELinux is enabled, - otherwise initialize SELinux and load the policy. Patch from - Petter Reinholdtsen. - * Make quotes visible in example of the manual page of fstab-decode - * Add #ifdef in bootlogd.c to avoid gcc warnings about unused - variable on non-linux platforms. - * Only set the VSWTC field for termios in init if it is available, - to get the source building on FreeBSD. - -- startpar: fix location of consoles under /proc -- startpar: ignore errors from system console not being a tty - -- Make blogd work together with kernel from 11.4 even on a - serial system console (bnc#672450) - -- Make option -k for killproc utilities work for normal users even - if the exe link of an own process remains to root (bnc#664941) - -- New killproc version 2.19: bug fix update - -- Support the socket forwarding of systemd (bnc#656104) - -- Make real device comparision in killproc/checkproc to fix bnc#644171 -- Also make ignore mode in checkproc work -- Enhance mkill to work on root fs and ignore kernel threads - -- New killproc version 2.18 - -- Killproc: - * Add new program rvmtab to write out the current content of - /proc/mounts in the reverse mount order determined with the - help of /proc/self/mountinfo - * Use faster pointer list implementation - -- Killproc: Sort mount info pointers in the reverse order of the - directory depth to become the string compare of the readed link - name of the exe link more safely. - -- Killproc: Do not be fooled if a device is mounted several times - -- Change showconsole to use newest /proc/tty/consoles API - -- Add newline after blogger message - -- Fix cast&past error in killproc/checkproc - -- New killproc version 2.17 - * Use /proc/self/mountinfo to avoid system call stat(2) on - running binaries not located on the mount point of the - current handled program - * Avoid to be detect sub (shadow) mounts on NFS mounts -- New showconsole 1.13 -- Correct position of string pointer in NFS struct used in - killall5/pidof - -- libblogger: set O_CLOEXEC for named FIFO /dev/blog (bnc#645793) - -- Add exit code exception for checkproc for the case of a not - installed program, use exit code 4 (bnc#643433) - -- blogd: correct order of setting back termios and termios locks -- startpar: avoid EIO in do_forward if do_forward becomes a - background process -- Make sure that after installation of /sbin/init the init - process does re-execute that is split %post into one for - the tools sub package and one of the main package - -- New showconsole version 1.12 - * Use /proc/tty/consoles if ioctl TIOCGDEV does not exist - * Make pseudo terminal raw as it is not show anything -- New startpar 0.57 - * Set raw pseudo terminals only once - * Set SIGTTIN to default before executing child - * Ignore error on reading termios - -- New showconsole version 1.11 - * Handle more than two console devices - * Speed up used pts/tty pair by enabling raw mode - * Implement termios locking scheme but disable it as it may - interfere with sulogin and others using the old console -- Enabling full raw mode for pty/tty pairs of startpar - -- New startpar version 0.56 - * Handle processes within signal handler - * Make first process loop more readable - * Use pselect(2) to wait on SIGCHLD without using a pipe - -- Fix typo that is use "cmdline" instead of "cmd" (bnc#623766) - -- Enforce killproc to wait even if the SIGTERM has been specified - on the command line. This should avoid the in most cases that - the daemon has not finished its response on SIGTERM, see bug - bnc#623460 and bug bnc#595796. - -- Newer killproc sends only SIGTERM as required by LSB if -TERM is - specified on the command line. Use the default which is SIGTERM - followed by SIGKILL if the timeout of 5 seconds is reached. - -- prereq does not fix bnc#610628, the real problem is the cycle - of sysvinit->sysvinit-tools->mkinitrd <--, which is broken up by - simply ignoring one requirement. If this requirement is the one - between sysvinit->sysvinit-tools, we get in deep trouble. Way - deeper trouble than missing mkinitrd_setup in sysvinit-tools's - %post - -- Use Prereq instead of normal Requires to force an early installation - of sysvinit-tools (bnc#610628) - -- Implemenation of a workaround of missing console messages in - blogd (bnc#593957) - -- Avoid crash due changed common-session-pc (bnc#605681) - -- Add patch from Thomas for moving powerd from using gethostbyname() - to getaddrinfo() -- Add upstream patch for correct using SELinux API - -- Apply sysvinit-2.88dsf-utf8.dif without -p2. -- Fix sysvinit-2.88dsf-utf8.dif (Changelog patch didn't apply). - -- Add URL of upstream location - -- Do not overwrite UTF8 input terminal setting as this may cause - trouble on system consoles forwarded to a foreign serial console - -- Add patch to make last(1) knowing latest IPv6 specs - -- Be LSB compliant with killproc (bnc#595796, bnc#578246) - -- Correct Pre-Requires to reflect package split -- Update to sysvinit (2.88dsf) world; urgency=low - * Mention new home on Savannah in README. - * Revert change from Fedora/RedHat where the now obsolete command - INIT_CMD_CHANGECONS was introduced. Based on feedback and patch - from Bill Nottingham. - * Adjust makefile to make sure the install directories are created - before files are copied into them. - * Simplify build rules, based on patch from Mike Frysinger and Gentoo. - * Fix minor bug in optimizing of argument parsing. Based on - report from jakemus on freshmeat. - * Add casts to get rid of compiler warning about signed/unsigned issues. - * Change tty handling in init to make sure the UTF-8 flag is not cleared - on boot. Patch from Samuel Thibault. - * Add Makefile in toplevel directory. - * Print usage information when shutdown is used by non-root user. - Patch from Mike Frysinger and Gentoo. - * Sync shutdown manual page and usage information. Patch from Mike - Frysinger and Gentoo. - * Fix race condition in utmp writing. Patch from Gil Kloepfer via - Mike Frysinger and Gentoo. - * Rewrite findtty() in bootlogd to recursively search /dev/ for the - correct device, to handle terminal devices for example in /dev/pty/. - Patch from Debian. - * Make sure bootlogd findpty() returns an error value when it fails to - find a usable pty. Patch from Rob Leslie via Debian. - * Make sure bootlogd fflush() every line, even if asked not to flush - to disk using fdatasync(). Patch from Scott Gifford via Debian. - * Add compatibility code to handle old path "/etc/powerstatus" for a - while. - * Incude definition for MNT_DETACH which is missing in older GNU libc - headers. - * Do not strip binaries before installing them, to make it easier to - get binaries with debug information installed. - * Add the comment from Andrea Arcangeli about the correct - place of setting the default childhandler within spawn(). - * Make sure that newline is printed out for last(1) even - if an utmp record entry is truncated. - * Check if utmp not only exists but also is writable and delay - writing out of the utmp runlevel record if utmp is not writable. - * Be able to find libcrypt also on 64 bit based architectures. - * Add option -w to the last command to display the full user and - domain names in the output. Patch from Petr Lautrbach. - * Add a manual page for utmpdump as this tool is sometimes - very useful even if not intended for normal use. - * Use paths.h macros for wall - * Change path "/etc/powerstatus" to "/var/run/powerstatus" - * Detected also removable block devices at halt/reboot to be able - to flush data and send them the ATA standby command. This should - avoid data loss on USB sticks and other removable block devices. - * Flush block devices on halt/reboot if not done by the kernel. - * Set SHELL to /bin/sh in the environmant of shutdown. - * Retry to write out shutdown messages if interrupted. - * pidof/killall5 - make omit pid list a dynamic one. - * pidof - provide '-n' to skip stat(2) syscall on network based FS. - * init - avoid compiler warnings - * init - initialize console by using the macros from ttydefaults.h - * init - add the possiblity to ignore further interrupts from keyboard - * init - add the possiblity to set sane terminal line settings - * sulogin - add the possibility to reset the terminal io - * Fix some minor problems - * init - enable is_selinux_enabled() to detect selinuxfs - * Add fix for Debian bug #536574 -- Can be enabled by -DACCTON_OFF - * Add helper program fstab-decode to make it easier to handle - /etc/mtab content. Patch by Miloslav Trmac and Fedora. - * Add fix for Debian bug #335023 - Make sure TERM is set on FreeBSD. - * Add fix for Debian bug #374038 - Make it clear that shutdown -c can - only cancel a waiting shutdown, not an active one. - * Add note to pidof manual page about the use of readlink(2). Patch by - Bill Nottingham and Fedora. - * Add PAM patch contrib/notify-pam-dead.patch based on Debian bug - [#68621], which will add PAM support for programs spawned by init on - the console like sulogin. Based on patch by Topi Miettinen. This - patch is not applied by default yet while we review its - usefullness. It is only helpful for session handling, as sulogin - do not use and will not use a PAM conv() function. The current - sulogin is able to handle DES as well as MD5, SHA, and Blowfish - encrypted passwords due using getpwnam(3). - * Move utmp/wtmp before the execvp() in spawn() to be sure to - use the correct pid even on a controlling tty - * Remaining problem is that the pid of the second fork() for - getting a controlling tty isn't that reported by spawn() - * Re-enable writting utmp/wtmp for boot scripts - * Extend sulogin to support additional encryption algorithms - * Re-enable maintenance message of sulogin - * Enable the sulogin fallback password check to handle MD5, SHA, and - Blowfish encrypted passwords in case of getpwnam(3) fails. - * sulogin picking the SELinux context was broken. Patch by Daniel Walsh - -- Start the service sshd as early as possible (bnc#594223) - -- Test out sysvinit (2.88dsf) UNRELEASED; urgency=low -- Update to sysvinit (2.87dsf) world; urgency=low - * Document -e and -t options for telinit in init(8). - * Document in halt(8) that -n might not disable all syncing. - Patch by Bill Nottingham and Fedora - * Adjust output from "last -x". In reboot lines, print endpoint - of uptime too. In shutdown lines print downtimes rather than - the time between downs. Fix typo in string compare in last.c. - Patch by Thomas Hood. - * Improve handling of IPv6 addresses in last. Patch from Fedora. - * Add new option -F to last, to output full date string instead - of the short form provided by default. Patch from Olaf Dabrunz - and SuSe. - * Fix utmp/wtmp updating on 64-bit platforms. Patch by Bill - Nottingham and Fedora. - * Avoid unchecked return value from malloc() in utmpdump. - Patch from Christian 'Dr. Disk' Hechelmann and Fedora. - * Make sure to use execle and no execl when passing environment to - the new process. Patch from RedHat. - * Correct init to make sure the waiting status is preserved across - re-exec. Patch from RedHat. - * Correct init to avoid race condition when starting programs during - boot. Patch from SuSe. - * Allow 'telinit u' in runlevels 0 and 6. Patch from Thomas Hood. - * Improve error message from init if fork() fail. Patch found in Suse. - * Add support for SE Linux capability handling. Patch from Manoj - Srivastava, adjusted to avoid aborting if SE policy was loaded in - the initrd with patch from Bill Nottingham and Fedora. - * Add -c option to pidof for only matching processes with the same - process root. Ignore -c when not running as root. Patch from - Thomas Woerner and Fedora. - * Add usleep in killall5 after killing processes, to force the kernel - to reschedule. Patch from SuSe. - * Modify pidof to not print empty line if no pid was found. - * Modify init and sulogin to fix emergency mode's tty, making sure ^C - and ^Z work when booting with 'emergency' kernel option. Patch from - Samuel Thibault. - * Modify init to allow some time for failed opens to resolve themselves. - Patch from Bill Nottingham and Fedora. - * Modify init to shut down IDE, SCSI and SATA disks properly. Patches - from Sebastian Reichelt, Werner Fink and SuSe. - * Modify wall to use UT_LINESIZE from instead of hardcoded - string lengths. Patch from SuSe. - * Change wall to make halt include hostname in output. - * Change killall to avoid killing init by mistake. Patch from SuSe. - * Change killall5 to use the exit value to report if it found any - processes to kill. Patch from Debian. - * Add option -o opmitpid to killall5, to make it possible to skip - some pids during shutdown. Based on patch from Colin Watson and - Ubuntu. - * Modify killall to work better with user space file system, by - changing cwd to /proc when stopping and killing processes, and - avoiding stat() when the value isn't used. Also, lock process - pages in memory to avoid paging when user processes are stopped. - Patch from Debian and Goswin von Brederlow with changes by Kel - Modderman. - * Change shutdown to only accept flags -H and -P with the -h flag, - and document this requirement in the manual page. - * Change reboot/halt to work properly when used as a login shell. - Patch by Dale R. Worley and Fedora. - * Let sulogin fall back to the staticly linked /bin/sash if both roots - shell and /bin/sh fail to execute. - -- provide sbin_init (so external packages can require either sysvinit - or upstart) - -- Split out tools not specific to System V into a tool subpackage - to support alternative init implementations (fate#305690) - -- Add a manual page for utmpdump (bnc#576967) - -- Remove start-stop-daemon binary (bnc#568950) - -- Write pid file if /var is mounted rw (bnc#565620) - -- enable parallel building - -- The same procedure for killproc.c its self (caused by bnc#559534) - -- Add missed line to startproc.c and also make manual page more - clear how startproc works (caused by bnc#559534) - -- refresh all patches with fuzz=0 - -- fixed killproc-2.16.dif. - -- killall5: do not kill /sbin/mdmon (fate#306823). - -- Avoid message on terminated process during reading its /proc files - -- Make killproc utils more stable in case that during read(2) a proc - file the corresponding process has already terminated (bnc#542717) - -- Make a new showconsole version 1.10 - * Add time stamps to blogger API (fate #305596) - * Add newline before writing out blogger fifo content -- Make a new startpar version 0.52 - * Use blogd API (fate #305596) -- Make a new killproc version 2.16 - -- Do not loop around in the forwarder of startpar - -- Add patch from Olaf Kirch to avoid using mutex locking for every - character (from Moblin:Factory) - -- Start boot scripts with their symlinks name - -- Increase hash size for runtime linker of often used tools - -- Make it build - -- Reorder last patch in spec file - -- link /sbin/init dynamically, tested in 11.1, also - all other distros work just fine this way. - -- Blogd: shorten minimal timeout at the end and hold all pages - in physical RAM - -- For usleep(8) use nanosleep(2) instead of obsolete usleep(3) - -- mkill: Do not remove all pid's from list for one fuse process - -- Disable blogd on fastboot or quiet boot - -- Make initrd script for blogd depend on initrd script clock - -- Update to killproc 2.15 - * New option -w for making startproc waiting on daemons parent - process (bnc#489473, bnc#482096 comment#21 ff) - * New option -W for making startproc waiting on files created - by the daemon (bnc#482096 comment#24 ff) -- Merge changes for preload code of startpar into one patch -- nfs4pidof: avoid nfs code for process which are on shadow mounts - points of NFS mounts - -- exec one more time so that the preload part does not appear - under the name of the init script in bootcharts - -- fix the preload functionality in telling the parent process through - SIGUSR1 and SIGUSR2 about preload's presence - -- mkill: avoid signaling process which are on shadow mounts points - that is e.g. processes on /dev/pts while running mkill on /dev - -- Do not overwrite SUSE define - -- startpar: fix file descriptor leak (bnc#485112) - -- nfs4pidof: make sure not to stumble on short named mount points - to avoid to terminate processes on wrong mount points - -- mkill: make sure not to stumble on short named mount points to - avoid to terminate processes on wrong mount points (bnc#466484) - -- Add patch from Debian people to startpar and mode to version 0.53 - -- Update to killproc 2.14 to include most of our patches and to - use openat(2), readlinkat(2), and opendirat(2) system calls. -- Remove /dev/initctl from file list, do not create blogd pipe - /dev/blogd (bnc#475580) - tar +- security update +- added patches + fix CVE-2021-20193 [bsc#1181131], Memory leak in read_header() in list.c + + tar-CVE-2021-20193.patch + -- Improve on RPM group classification - -- GNU tar 1.28: - * New --checkpoint-action=totals - * Extended checkpoint format specification - * New option --one-top-level - * New option --sort - * New exclusion options: - - -exclude-ignore=FILE - - -exclude-ignore-recursive=FILE - - -exclude-vcs-ignores - * refuses to read input from and write output to a tty -- packaging changes: - * adjust patch for context change: add_readme-tests.patch - * remove patch applied upstream: - tar-fix_eternal_loop_in_handle_option.patch - -- don't print lone zero blocks warning (bnc#881863) - * there are many tar implementations around that create invalid - archives with a zero block in the middle - * https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=235820 - * added tar-ignore_lone_zero_blocks.patch from Fedora - -- fix an infinite loop in handle_option (bnc#867919 and bnc#870422) - * added tar-fix_eternal_loop_in_handle_option.patch - -- add tests subpackage. - * It is the same testsuite that is run during make check. - * It is now possible to run it in real system to verify that - nothing is broken by incompatible libraries, etc. -- add add_readme-tests.patch: README for testsuite - -- update to 1.27.1 - * Fix unquoting of file names obtained via the -T option. - * Fix GNU long link header timestamp (backward compatibility). - * Fix extracting sparse members from star archives. - -- update to 1.27 -- bug fixes: - * PAX-format sparse archive files no longer restricted to 8 GiB. - * adjust diagnostics and output to GNU coding -- new features: - * The --owner and --group options now accept numeric IDs - * restore traditional functionality of --keep-old-files and - - -skip-old-files, treat existing file as errors for the former - * --warning=existing-file gives verbose notice for this - * Support for POSIX ACLs, extended attributes and SELinux context - - -xattrs, --acls and --selinux and their `--no-' counterparts - - -xattrs-include and --xattrs-exclude allows selective control - * Any option taking a command name as its argument now accepts a - full command line as well: - - -checkpoint-action=exec - - I, --use-compress-program - - F, --info-script - - -to-command - * environment variables supplied to such commands can now be used - in the command line itself - * New warning control option --warning=[no-]record-size controls - display of actual record size, if it differs from the default - * New command line option --keep-directory-symlink to disable - default behaviour that unlinks exising symbolic link for an - extracted directory of the corresponding name -- packaging changes: - * drop tar-1.26-stdio.in.patch, committed upstream - * drop config-guess-sub-update.patch, newer version in upstream - * verify source signature - -- added fix for paxutils rtapelib which is bundled with tar. - the very same fix was added to cpio too (bnc#658031) - * paxutils-rtapelib_mtget.patch - -- Add Source URL, see https://en.opensuse.org/SourceUrls - -- Add config-guess-sub-update.patch: - Update config.guess/sub for aarch64 - -- Fix build failure with undefined gets (glibc 2.16). - -- avoid automake dependency - -- disable 'runtime checks' in m4/*.m4 that override - system calls with custom implementations to workaround - very old kernel/libc bugs (dating 2003-2009) - we do not ship those buggy components nowdays. - -- Switch to default archive type to POSIX.1-2001, which is ten years - old and has no limits on filesize,filename length etc. - -- tar-1.26-remove_O_NONBLOCK.patch: - don't use O_NONBLOCK as a flag for read, - when file is offline, read with O_NONBLOCK returns EAGAIN, - but tar doesn't handle it - (bnc#737331) - -- disable testsuite on qemu build - -- minor portability fixes - -- spec cleaner, avoid some deprecated macros -- fix non-utf8-spec-file -- fix macro-in-comment -- enable make check -- remove upstream-fixed/obsolete patches (fortifysourcessigabrt, - disable-listed02-test, disable_languages) -- call help2man inside specfile instead of paching tar's build chain - -- update to tar-1.26 - * Fix the --verify option, which broke in version 1.24. - * Fix storing long sparse file names in PAX archives. - * Fix correctness of --atime-preserve=replace - * tar --atime-preserve=replace no longer tries to restore atime of - zero-sized files. - * Fix bug with --one-file-system --listed-incremental - -- fix tar-backup-scripts (bnc#654199) -- add tar-backup-spec-fix-paths.patch -- cleanup spec - -- update to tar-1.25 - * Fix extraction of empty directories with the -C option in effect. - * Fix extraction of device nodes. - * Make sure name matching occurs before eventual name transformation. - * Fix the behavior of tar -x --overwrite on hosts lacking O_NOFOLLOW. - * Support alternative decompression programs. -- update to tar-1.24 - * The new --full-time option instructs tar to output file - time stamps to the full resolution. - * More reliable directory traversal when creating archives - * When extracting symbolic links, tar now restores attributes - such as last-modified time and link permissions, if the - operating system supports this. - * The --dereference (-h) option now applies to files that are - copied into or out of archives, independently of other options. - * When receiving SIGPIPE, tar would exit with error status and - "write error" diagnostics. -- disable-silent-rules -- updated tar-fortifysourcessigabrt.patch - -- use %_smp_mflags - -- updated to version 1.23 - * Improved record size autodetection - * Use of lseek on seekable archives - * New command line option --warning - * New command line option --level - * Improved behavior if some files were removed during incremental dumps - * Modification times of PAX extended headers - * Time references in the --pax-option argument - * Augmented environment of the --to-command script - * Fix handling of hard link targets by -c --transform - * Fix hard links recognition with -c --remove-files - * Fix restoring files from backup (debian bug #508199) - * Correctly restore modes and permissions on existing directories - * The --remove-files option removes files only if they were succesfully stored in the archive - * Fix storing and listing of the volume labels in POSIX format - * Improve algorithm for splitting long file names (ustar format) - * Fix possible memory overflow in the rmt client code (CVE-2010-0624) -- deprecated heap_overflow_in_rtapelib.patch - -- added heap_overflow_in_rtapelib.patch fix possible heap overflow in - rtapelib.c (bnc#579475) - -- updated to version 1.22 - * Support for xz compression (--xz option) - * Short option -J is reassigned as a shortcut for --xz - * The option -I is a shortcut for --use-compress-program - * The --no-recursive option works with --incremental -- deprecated recognize_xz.patch -- created tar-backup-scripts subpackage (bnc#574688) - -- enable parallel building - -- fixed FORTIFY_SOURCE=2 issue with gcc 4.5. - -- recommend not require language subpackage - -- Recognize .xz as lzma archive. - tcl +- bsc#1181840: Same fix as for tclConfig.sh is needed for tcl.pc. + tk +- bsc#1181840: Same fix as for tkConfig.sh is needed for tk.pc. + -- tkcon requires xhost (bnc#846953) - util-linux +- ipcs: Avoid overflows (bsc#1178236, + util-linux-ipcs-shmall-overflow-1.patch, + util-linux-ipcs-shmall-overflow-2.patch). + util-linux-systemd +- ipcs: Avoid overflows (bsc#1178236, + util-linux-ipcs-shmall-overflow-1.patch, + util-linux-ipcs-shmall-overflow-2.patch). + vim +- install suse vimrc in /usr (boo#1182324, vim-8.0.1568-globalvimrc.patch) + +- source correct suse.vimrc file (boo#1182324) + - doesn't leave not owned directories (boo#1173256) + doesn't leave not owned directories (boo#1173256). - build against Tumbleweed repo + build against Tumbleweed repo. webkit2gtk3 +- Update to version 2.30.5 (boo#1182286): + + Bring back the WebKitPluginProcess installation that was + removed by mistake. + + Fix RunLoop objects leaked in worker threads. + + Fix aarch64 llint build with JIT disabled. + + Use Internet Explorer quirk for Google Docs. + + Security fixes: CVE-2020-13558. +- Drop gir-multilib.patch: fixed upstream. + +- Add gir-multilib.patch: Fix multilib conflict in gir files. +- Disable gold linker for ppc64le + +- Add webkit-font-scaling.patch: Fix system font scaling not + applied to 'font-size: XXXpt'; patch taken from upstream and + rebased to apply cleanly + (https://bugs.webkit.org/show_bug.cgi?id=218450). +- Pass `-q` to setup to disable printing long list of files + extracted from source tarball. + +- Update to version 2.30.4: + + Fix text data sent with WebSockets when using libsoup < 2.68. + + Fix the rendering on Raspberry Pi 3 using the proprietary video + driver. + + Fix clipping of descedant layers of a mask layer. + + Fix the build with ICU 68.1. +- Drop upstream merged patch: + + 0001-ICU-68.1-no-longer-exposes-FALSE-and-TRUE-macros-by-.patch + wicked +- dhcp4: discover on reboot timeout after start-delay (bsc#1181812) + [+ 0001-dhcp4-discover-on-reboot-timeout-after-start-delay.1181812.patch] +- dhcp6: request nis options on sle15 by default (bsc#1181812) + [+ 0002-dhcp6-request-nis-options-on-sle15-by-default.1181812.patch] + wpa_supplicant +- Add CVE-2021-27803.patch -- P2P provision discovery processing vulnerability + (bsc#1182805) + xdm +- display-manager.service: fixed path of PIDFile (bsc#1183698) + -- Use the option (--)enable-ssh-support of the gpg-agent if the - user has configured this (boo#899647) - -- sysconfig.displaymanager/DM list: added lightdm,sddm; removed - kdm3,kdm4 (bnc#898876) - -- replaced 'Also=' by 'Alias=' in display-manager.service - (bnc#890413) -- make sure not to restart DM on package update; remove confusing - comment about no longer existing %%stop_on_removal, - %restart_on_update macros from specfile (bnc#886641) - -- udpate to release 1.1.11 -- refreshed xdm-tolerant-hostname-changes.diff, xdm-consolekit.diff -- supersedes the following patches: - U_xdm_config-AC_LIBTOOL_DLOPEN-is-required-for-dynamic-lin.patch, - U_xdm_Fix-missing-linking-dependency-on-ldl.patch, - U_xdm_config-use-libtool-export-dynamic-option-for-reverse.patch - -- Use KillMode=process for systemd service, this ensures Xorg won't - receive SIGKILL while switching to runlevel 3 [bnc#871808]. -- Add "Also=xdm.service" to display-manager.service to better - handle migration. - -- added necessary macros for systemd files - -- Don't run dbus-launch if the socket /run/user//bus exists, since - this means that dbus is already handled by systemd - -- just don't "package" pid file. It's called xdm.pid, so it's pretty - obvious what package it is from -- take the pid file out of the xdm.tar - -- DISPLAYMANAGER_STARTS_XSERVER needs to be set to "no" on s390x - and ppc64le (bnc#869267) - -- Move forward to systemd, that is use a real service unit file (bnc#869260) - -- Add support for in-line environment variable settings - Handling case like: - Exec=env GNOME_SHELL_SESSION_MODE=classic gnome --session gnome-classic - For now, this is only needed to fix session management issue as in bnc#863709. - -- fix two array iteration bug in etc/X11/xdm/Xsession (xdm.tar.bz2) - 1. "${#argv[@]}" is just the size of the array instead of all the elements, - i.e. "${argv[@]}", no sharp "#" sign. - 2. index of array starting from 0, so "argc" should be increased at the end - of iteration loop. (bnc#866874) - -- /etc/X11/xdm/keytable: make use of systemd's localectl to - generate Xserver's configuration snippet for keyboard layout; - rely on systemd's kbd --> X keyboard mapping; the old mapping - table originating from SaX2 is no longer being used (bnc#861819) - -- Change the default /etc/X11/xdm/Xsession, (fate#316129) - don't save standard output information to ~/.xsession-errors - Modify the xdm.tar.bz2 - -- /etc/X11/xdm/RunChooser calls pidof, so require it - -- don't set twm as hardcoded default if DEFAULT_WM is empty, rely on - the detection in xinitrc.common instead - -- removed u_xdm-sig11-bug-598422.diff - * problem has been resolved differently - -- Added support for qiv in /etc/X11/xdm/Xsetup - -- fixed typo in /etc/X11/xdm/Xsetup - -- fixed loading of .xkb files (bnc#840408) - -- adjusted u_xdm-sig11-bug-598422.diff for openSUSE 12.2 build - (which still applies xdm-consolekit.diff) - -- u_xdm-sig11-bug-598422.diff - * fix Sig11 in xdm when pressing Ctr-c (bnc#598422, bnc#831870) - -- Add some GNOME specifiv magics to Xsession to allow that ~/.i18n - is always sourced (bnc#567324) - -- Some shells do not know about HOSTNAME variable and print error - messages therefore export this variable -- Make check for dbus smart, that is check if threre is already - an active session and use this if possible -- Be aware that one user may use several X sessions in parallel - on the same system as well as on several systems with HOME on - an NFS based share. That is do not override ~/.xsession-errors - -- do not use '-k' option for checkproc for ssh-agent since - /proc//exe link is apparently not readable by the user - used for that program (bnc#812783) - -- Add systemd-user-sessions to xdm initscript X-Should-Start, to - ensure user login is available when xdm is started. - -- /etc/X11/xdm/SuSEconfig.xdm: copied required function from old - /lib/YaST/SuSEconfig.functions, which no longer exists since - openSUSE 12.3 (bnc#806738) - -- /etc/X11/xdm/Keyboard.map: - * added missing mac-dvorak entry (bnc#796170) - -- Be aware the mktemp(1) without XXXXXX will do exactly nothing, - therefore use mv(1) which uses rename(2) on the same file system - to use the files created by mktemp(1) to the log output file - -- Add display-manager as provides to xdm initscript, to comply with - systemd defaults. - -- Added a switch to enable building against systemd-logind and - to remove the dependency on ConsoleKit -- Enabled the systemd switch already for Factory - -- Make failsafe work after a failed exec bash builtin -- Add dbus-launch and ck-launch-session to final session command - line for case of using xdm - -- add dependency on xtrans, otherwise TCP is not supported for - xdmcp (bnc#780122) - -- separate *.fallback displaymanager files from xdm.tar.bz2 into - xdm-fallbacks.tar.bz2 and build only suse version < 1210. - (bnc#714003) - -- /etc/init.d/xdm: add plymouth_quit function, use it in xdm - displaymanager file (bnc#775548) - -- /etc/init.d/xdm: overwrite displaymanager's PIDFILE symlink if - neccessary (bnc#774555) - -- avoid plymouth quit for kdm and gdm (bnc#762909) - -- remove --retain-splash option from plymouth quit (bnc#769209) - -- /etc/init.d/xdm - * quit plymouth properly before starting displaymanager - (bnc#769209) - -- Skip LANG argument from command line of session managers (bnc#661946) - -- /etc/pam.d/xdm-np: add session require to pam_loginuid.so in - order to fix running commands via sudo (bnc #746704) - -- Split xdm from xorg-x11. Initial version: 1.1.10. - xorg-x11-server +- U_modesetting-Fix-broken-manpage-in-autoconf-build.patch + * modesetting: Fix broken manpage in autoconf build (boo#1182510) + +- add U_hw_do-not-include-sys-io-with-glibc.patch (bsc#1182884) + yast2 +- Add a AbstractWidget#displayed? to determine whether + a widget is in the UI (bsc#1184115). +- 4.3.60 + yast2-firewall +- Do not display "No widget..." error messages when opening + a firewall zone widget (bsc#1184115). +- 4.3.11 + yast2-firstboot +- Revert adding starting YaST2 Control Center after first boot as + it does not have production quality and just confuse users + (bsc#1180266) +- 4.3.11 + yast2-installation +- Expert console: fixed "shell" command + - Run X terminal in GUI instead of "dash" (related to the previous + fix for job control error messages bsc#1183648) + - Override TERM to "vt100" when running in fbiterm, + a workaround for frozen vim (bsc#1183652) +- 4.3.36 + yast2-network +- Write DNS servers to NetworkManager connection files when using + a static configuration (bsc#1181701). +- 4.3.64 + +- Use the ESSID to name the NetworkManager configuration files + for wireless networks (bsc#1183733). +- 4.3.63 + +- AutoYaST: Write NetworkManager configuration according to the + profile (bsc#1181701) +- 4.3.62 + yast2-packager +- Revert copying the libzypp cache to the target system and + replacing it by a symlink, it is not safe and it can + cause crash (segfault) in some cases (bsc#1183711) +- 4.3.21 + +- Do not create zypp cache symlink when running in installed + system, it would create /var/cache/zypp -> /var/cache/zypp + loop (bsc#1183683) +- Remove the "Software Repositories" button from the YaST console, + users can easily break the installer with it. Added + "configure_repositories" command to the command line interface + for experts (bsc#1183687) +- 4.3.20 + yast2-schema +- Add the 'mkfs_options' element to the 'partition' section + (bsc#1184268). +- 4.3.22 + yast2-storage-ng +- Avoid to call private methods over self because it raises an + exception with ruby < 2.7 (related to bsc#1180723). +- 4.3.50 + +- Round-down the number of physical extends according to the + stripes of the logical volume (bsc#1180723). +- Add extra validations when creating a striped volume and when + editing the physical volumes. +- 4.3.49 + yast2-trans -- Update to version 84.87.20210314.90853260a8: - * Translated using Weblate (Slovak) - * Translated using Weblate (Slovak) - * Translated using Weblate (Italian) - * Translated using Weblate (Slovak) - * Translated using Weblate (Slovak) - * Translated using Weblate (Dutch) - * Translated using Weblate (Dutch) - * Translated using Weblate (Dutch) - * Translated using Weblate (Dutch) - * Translated using Weblate (Dutch) - * Translated using Weblate (Dutch) - * Translated using Weblate (Dutch) - * New POT for text domain 'network'. - * New POT for text domain 'add-on'. - * Translated using Weblate (Slovak) - * Translated using Weblate (Slovak) - * Translated using Weblate (Slovak) - * Translated using Weblate (Dutch) - * Translated using Weblate (Czech) - * Translated using Weblate (Czech) - * Translated using Weblate (Catalan) - * Translated using Weblate (Catalan) - * Translated using Weblate (Catalan) - * Translated using Weblate (Catalan) - * Translated using Weblate (Catalan) - * Translated using Weblate (Catalan) - * Translated using Weblate (Catalan) - * Translated using Weblate (Czech) - * Translated using Weblate (Czech) - * Translated using Weblate (Czech) - * Translated using Weblate (Catalan) - * Translated using Weblate (Catalan) - * Translated using Weblate (Catalan) - * Translated using Weblate (Catalan) - * Translated using Weblate (Catalan) - * Translated using Weblate (Catalan) - * Translated using Weblate (Catalan) - * Translated using Weblate (Catalan) - * Translated using Weblate (Japanese) - * Translated using Weblate (Czech) - * Translated using Weblate (Czech) - * Translated using Weblate (Czech) - * Translated using Weblate (Czech) - * Translated using Weblate (Czech) - * Translated using Weblate (Czech) - * Translated using Weblate (Czech) - * Translated using Weblate (Czech) - * Translated using Weblate (Czech) - * Translated using Weblate (Czech) - * Translated using Weblate (Czech) - * Translated using Weblate (Japanese) - * Translated using Weblate (Japanese) - * Translated using Weblate (Japanese) - * Translated using Weblate (Japanese) - * Translated using Weblate (Japanese) - * Translated using Weblate (Japanese) - * Translated using Weblate (Japanese) - * Translated using Weblate (Japanese) - * Translated using Weblate (Japanese) - * Translated using Weblate (Japanese) - * Translated using Weblate (Japanese) - * Translated using Weblate (Japanese) - * Translated using Weblate (Japanese) - * Translated using Weblate (Japanese) - * Translated using Weblate (Japanese) - * Translated using Weblate (Japanese) - * Translated using Weblate (Japanese) +- Update to version 84.87.20210411.9a07deafea: + * Translated using Weblate (French) + * New POT for text domain 'installation'. + * New POT for text domain 'autoinst'. + * Translated using Weblate (Portuguese) + * Translated using Weblate (Hindi) + * New POT for text domain 'autoinst'. + * New POT for text domain 'network'. + * New POT for text domain 'users'. + +- Update to version 84.87.20210402.ed8ff6d0a2: + * New POT for text domain 'users'. + * New POT for text domain 'samba-client'. + * New POT for text domain 'autoinst'. - * Translated using Weblate (Slovak) - * Translated using Weblate (Slovak) - * Translated using Weblate (Slovak) - * Translated using Weblate (Slovak) - * Translated using Weblate (Slovak) - * Translated using Weblate (Slovak) - * Translated using Weblate (Dutch) - * Translated using Weblate (Dutch) - * Translated using Weblate (Portuguese (Brazil)) - * Translated using Weblate (Portuguese (Brazil)) - * Translated using Weblate (Portuguese (Brazil)) - * Translated using Weblate (Portuguese (Brazil)) - * Translated using Weblate (Portuguese (Brazil)) - * Translated using Weblate (Portuguese (Brazil)) - * Translated using Weblate (Portuguese (Brazil)) - * Translated using Weblate (Portuguese (Brazil)) - * Translated using Weblate (Portuguese (Brazil)) - * Translated using Weblate (Portuguese (Brazil)) - * Translated using Weblate (Portuguese (Brazil)) - * Translated using Weblate (Portuguese (Brazil)) - * Translated using Weblate (Portuguese (Brazil)) - * Translated using Weblate (Portuguese (Brazil)) - * Translated using Weblate (Portuguese (Brazil)) - * Translated using Weblate (Dutch) - * Translated using Weblate (Dutch) - * Translated using Weblate (Dutch) - * Translated using Weblate (Dutch) - * New POT for text domain 'storage'. - * New POT for text domain 'country'. - * New POT for text domain 'bootloader'. - * Translated using Weblate (Spanish) - * Translated using Weblate (Japanese) + * Translated using Weblate (German) + * Translated using Weblate (Italian) + * Translated using Weblate (Italian) + * Translated using Weblate (Italian) - * Translated using Weblate (Finnish) - * Translated using Weblate (Croatian) - * Translated using Weblate (Chinese (Taiwan)) - * Translated using Weblate (Chinese (Taiwan)) - * Translated using Weblate (Chinese (Taiwan)) - * Translated using Weblate (Chinese (Taiwan)) - * Translated using Weblate (Chinese (Taiwan)) - * Translated using Weblate (Chinese (China)) - * New POT for text domain 'packager'. - * New POT for text domain 'base'. - * New POT for text domain 'packager'. - * New POT for text domain 'base'. + * Translated using Weblate (Dutch) + * Translated using Weblate (Catalan) + * Translated using Weblate (Slovak) + * Translated using Weblate (Spanish) + * Translated using Weblate (Spanish) + * Translated using Weblate (Spanish) + * Translated using Weblate (Spanish) + * Translated using Weblate (Spanish) + * Translated using Weblate (Spanish) - * Translated using Weblate (Hindi) - * Translated using Weblate (Chinese (China)) - * Translated using Weblate (German) - * Translated using Weblate (German) - * Translated using Weblate (Italian) - * Translated using Weblate (Italian) - * Translated using Weblate (Chinese (Taiwan)) - * Translated using Weblate (German) - * Translated using Weblate (Chinese (China)) - * Translated using Weblate (Portuguese) - * Translated using Weblate (Chinese (Taiwan)) - * Translated using Weblate (Chinese (Taiwan)) - * Translated using Weblate (German) - * Translated using Weblate (French) - * Translated using Weblate (Chinese (China)) - * Translated using Weblate (Chinese (Taiwan)) - * Translated using Weblate (Chinese (China)) - * Translated using Weblate (Chinese (Taiwan)) - * Translated using Weblate (German) - * Translated using Weblate (Chinese (China)) - * Translated using Weblate (German) - * Translated using Weblate (German) - * Translated using Weblate (Chinese (Taiwan)) - * Translated using Weblate (Chinese (China)) + * Translated using Weblate (Spanish) + * Translated using Weblate (Spanish) + * Translated using Weblate (Spanish) + * Translated using Weblate (Spanish) + * Translated using Weblate (Spanish) + * Translated using Weblate (Japanese) + * New POT for text domain 'storage'. + * New POT for text domain 'firstboot'. + * Translated using Weblate (Italian) - * Translated using Weblate (Chinese (Taiwan)) - * Translated using Weblate (Chinese (China)) - * Translated using Weblate (German) - * Translated using Weblate (Spanish) + * Translated using Weblate (Chinese (Taiwan)) - * Translated using Weblate (Spanish) - * Translated using Weblate (Spanish) - * Translated using Weblate (Finnish) - * Translated using Weblate (Portuguese (Portugal)) - * Translated using Weblate (Italian) - * Translated using Weblate (Chinese (Taiwan)) + * Translated using Weblate (Russian) + * Translated using Weblate (Russian) - * Translated using Weblate (Spanish) - * Translated using Weblate (Chinese (China)) - * Translated using Weblate (Italian) - * Translated using Weblate (Chinese (Taiwan)) + * Fixed string interpolations + +- Update to version 84.87.20210327.c94c0a6cbe: + * Translated using Weblate (Slovak) + * Translated using Weblate (Dutch) + * Translated using Weblate (Catalan) + * Translated using Weblate (Japanese) + * New POT for text domain 'network'. + * New POT for text domain 'control'. + * Translated using Weblate (Portuguese) + * Translated using Weblate (Portuguese) + * Translated using Weblate (Portuguese) + * Translated using Weblate (Portuguese) + * Translated using Weblate (Portuguese) + * Translated using Weblate (Portuguese) + * Translated using Weblate (Portuguese) + * Translated using Weblate (Portuguese) + * Translated using Weblate (Portuguese) + * Translated using Weblate (French) + * Translated using Weblate (French) + * Translated using Weblate (French) + * Translated using Weblate (French) + * Translated using Weblate (French) + * Translated using Weblate (French) + * Translated using Weblate (French) + * Translated using Weblate (German) + * Translated using Weblate (German) + * Translated using Weblate (German) - * Translated using Weblate (Italian) - * Translated using Weblate (Chinese (Taiwan)) - * Translated using Weblate (Spanish) - * Translated using Weblate (Chinese (Taiwan)) - * Translated using Weblate (Chinese (China)) - * Translated using Weblate (Spanish) - * Translated using Weblate (Chinese (Taiwan)) - * Translated using Weblate (Galician) - * Translated using Weblate (Chinese (Taiwan)) - * Translated using Weblate (Portuguese) - * Translated using Weblate (German) - * Translated using Weblate (Chinese (Taiwan)) + * Translated using Weblate (French) + * Translated using Weblate (French) + * Translated using Weblate (French) - * Translated using Weblate (Spanish) + * Translated using Weblate (Portuguese) + * Translated using Weblate (Portuguese) + * Translated using Weblate (Portuguese) + * Translated using Weblate (Portuguese) + * Translated using Weblate (Portuguese) + * Translated using Weblate (German) + * Translated using Weblate (German) + * Translated using Weblate (German) + * Translated using Weblate (German) + * Translated using Weblate (German) + * Translated using Weblate (German) + * Translated using Weblate (German) + * Translated using Weblate (German) + * Translated using Weblate (German) - * Translated using Weblate (Chinese (China)) - * Translated using Weblate (Chinese (Taiwan)) - * Translated using Weblate (Turkish) - * Translated using Weblate (Spanish) - * Translated using Weblate (Chinese (China)) - * Translated using Weblate (Chinese (China)) - * Translated using Weblate (Italian) - * Translated using Weblate (Chinese (Taiwan)) + * Translated using Weblate (French) + * Translated using Weblate (French) + * Translated using Weblate (Italian) + * Translated using Weblate (Italian) + * Translated using Weblate (Italian) + * Translated using Weblate (Italian) + * Translated using Weblate (Italian) + * Translated using Weblate (Italian) + * Translated using Weblate (Italian) + * Translated using Weblate (Italian) + * Translated using Weblate (Italian) + * Translated using Weblate (Italian) + * Translated using Weblate (Italian) + * Translated using Weblate (Italian) + * Translated using Weblate (Italian) + * Translated using Weblate (Italian) + * Translated using Weblate (German) + * Translated using Weblate (German) + * Translated using Weblate (Spanish) + * Translated using Weblate (Portuguese) + * Translated using Weblate (Portuguese) + * Translated using Weblate (Finnish) + * Translated using Weblate (Spanish) + * Translated using Weblate (Spanish) + * Translated using Weblate (Spanish) + * Translated using Weblate (Spanish) + * Translated using Weblate (Spanish) + * Translated using Weblate (Spanish) + * Translated using Weblate (Spanish) + * Translated using Weblate (Spanish) + * Translated using Weblate (Italian) + * Translated using Weblate (Italian) + * Translated using Weblate (Italian) + * Translated using Weblate (Italian) + * Translated using Weblate (Italian) + * Translated using Weblate (Italian) + * Translated using Weblate (Italian) + * Translated using Weblate (Italian) + * Translated using Weblate (Italian) + * Translated using Weblate (German) + * Translated using Weblate (German) + * Translated using Weblate (Italian) + * Translated using Weblate (Italian) + * Translated using Weblate (Italian) + * Translated using Weblate (Italian) + * Translated using Weblate (Italian) + * Translated using Weblate (Italian) + * Translated using Weblate (Italian) + * Translated using Weblate (Italian) + * Translated using Weblate (Italian) + * Translated using Weblate (Italian) + * Translated using Weblate (Spanish) + * Translated using Weblate (Spanish) + * Translated using Weblate (Spanish) + * Translated using Weblate (Spanish) + * Translated using Weblate (Spanish) + * Translated using Weblate (Spanish) + * Translated using Weblate (Spanish) + * Translated using Weblate (Spanish) + * Translated using Weblate (Spanish) + * Translated using Weblate (Portuguese) + * Translated using Weblate (Portuguese) + * Translated using Weblate (Catalan) + * Translated using Weblate (Slovak) + * Translated using Weblate (Slovak) + +- Update to version 84.87.20210321.8a6c5507f2: + * Translated using Weblate (Portuguese) + * Translated using Weblate (Portuguese) + * Translated using Weblate (Portuguese) - * Translated using Weblate (German) - * Translated using Weblate (Spanish) - * Translated using Weblate (French) - * Added translation using Weblate (Sinhala) - * Added translation using Weblate (Sinhala) - * Added translation using Weblate (Sinhala) - * Added translation using Weblate (Sinhala) - * Added translation using Weblate (Sinhala) - * Added translation using Weblate (Sinhala) - * Added translation using Weblate (Sinhala) - * Added translation using Weblate (Sinhala) - * Added translation using Weblate (Sinhala) - * Added translation using Weblate (Sinhala) - * Added translation using Weblate (Sinhala) + * Translated using Weblate (Chinese (Taiwan)) + * Translated using Weblate (Chinese (Taiwan)) + * Translated using Weblate (Chinese (Taiwan)) + * Translated using Weblate (Chinese (Taiwan)) + * Translated using Weblate (Chinese (Taiwan)) + * Translated using Weblate (Chinese (Taiwan)) + * Translated using Weblate (Chinese (Taiwan)) + * Translated using Weblate (Chinese (Taiwan)) + * Translated using Weblate (Chinese (Taiwan)) + * Translated using Weblate (Chinese (Taiwan)) + * Translated using Weblate (Chinese (Taiwan)) + * New POT for text domain 'packager'. - * Translated using Weblate (Italian) + * Translated using Weblate (Chinese (China)) + * Translated using Weblate (Chinese (China)) + * Translated using Weblate (Chinese (China)) + * Translated using Weblate (Chinese (China)) + * Translated using Weblate (Chinese (China)) + * Translated using Weblate (Chinese (China)) + * Translated using Weblate (Chinese (China)) + * Translated using Weblate (Chinese (China)) + * Translated using Weblate (Chinese (China)) + * Translated using Weblate (Chinese (China)) + * Translated using Weblate (Chinese (China)) + * Translated using Weblate (Chinese (China)) + * Translated using Weblate (Chinese (China)) + * Translated using Weblate (Chinese (China)) + * Translated using Weblate (Chinese (China)) + * New POT for text domain 'security'. - * Translated using Weblate (Russian) - * Translated using Weblate (Finnish) + * Translated using Weblate (Portuguese) + * Translated using Weblate (Portuguese) + * Translated using Weblate (Italian) + * New POT for text domain 'network'. + * New POT for text domain 'installation'. + * New POT for text domain 'autoinst'. + * Translated using Weblate (Slovak) + +- Update to version 84.87.20210314.90853260a8: + * New POT for text domain 'add-on'. + * New POT for text domain 'base'. + * New POT for text domain 'bootloader'. + * New POT for text domain 'country'. + * New POT for text domain 'installation'. + * New POT for text domain 'network'. + * New POT for text domain 'packager'. + * New POT for text domain 'storage'. + * Added translation using Weblate (Sinhala) + * Translated using Weblate (Catalan) + * Translated using Weblate (Chinese (China)) + * Translated using Weblate (Chinese (Taiwan)) + * Translated using Weblate (Croatian) + * Translated using Weblate (Czech) + * Translated using Weblate (Dutch) + * Translated using Weblate (Finnish) + * Translated using Weblate (French) + * Translated using Weblate (Galician) + * Translated using Weblate (German) + * Translated using Weblate (Hindi) + * Translated using Weblate (Italian) + * Translated using Weblate (Japanese) + * Translated using Weblate (Portuguese (Brazil)) + * Translated using Weblate (Portuguese (Portugal)) + * Translated using Weblate (Portuguese) + * Translated using Weblate (Russian) + * Translated using Weblate (Slovak) + * Translated using Weblate (Spanish) + * Translated using Weblate (Turkish) zlib +- Fix hw compression on z15 bsc#1176201 +- Add zlib-s390x-z15-fix-hw-compression.patch + zstd +- Add 0001-PATCH-Use-umask-to-Constrain-Created-File-Permission.patch + fixing (CVE-2021-24031, bsc#1183371) and (CVE-2021-24032, bsc#1183370). + Use umask() to constrain created file permission. +