Packages changed:
  ceph (14.1.0.559+gf1a72cff25 -> 14.2.0.300+gacd2f2b9e1)
  checkpolicy (2.8 -> 2.9)
  cronie
  exim (4.91 -> 4.92)
  fftw3 (3.3.6 -> 3.3.8)
  fuse
  google-noto-fonts
  gpg2 (2.2.13 -> 2.2.14)
  grub2
  kernel-source (5.0.2 -> 5.0.3)
  libglvnd (1.1.0 -> 1.1.1)
  libgpg-error (1.35 -> 1.36)
  libselinux (2.8 -> 2.9)
  libselinux-bindings (2.8 -> 2.9)
  libsemanage (2.8 -> 2.9)
  libsepol (2.8 -> 2.9)
  libssh2_org (1.8.0 -> 1.8.1)
  patterns-xfce
  perl-Text-CSV_XS (1.37 -> 1.39)
  policycoreutils (2.8 -> 2.9)
  python-semanage (2.8 -> 2.9)
  strace (4.26 -> 5.0)
  suse-module-tools (15.1.11 -> 15.1.13)
  vlc
  webkit2gtk3

=== Details ===

==== ceph ====
Version update (14.1.0.559+gf1a72cff25 -> 14.2.0.300+gacd2f2b9e1)
Subpackages: librados2 librbd1

- Update to 14.2.0-300-gacd2f2b9e1:
  + spec/ceph-mgr: drop "Recommends: ceph-mgr-ssh"
  + cmake: empty INSTALL_RPATH for libceph_crypto_openssl.so (boo#1129921)
- Update to 14.2.0-296-g063d979413:
  + rebase on top of upstream nautilus branch, SHA1 3a54b2b6d167d4a2a19e003a705696d4fe619afc
    * upstream Nautilus 14.2.0 (stable) release
      release notes: http://docs.ceph.com/docs/master/releases/nautilus/
  + rpm: fix "rhel <= 7" conditional (bsc#1129595)
  + rpm: refrain from building ceph-resource-agents on SLE (bsc#1129597)
- Update to 14.1.1-457-g1411dbed54:
  + rebase on top of upstream nautilus branch, SHA1 98653b3db92f69023cb62526791d4d9aa5d6ec23
    * upstream Nautilus 14.1.1 (RC2) release
    * mgr: Fix broken get_localized_module_option function (bsc#1127342)
    * spec: ceph-osd gets new runtime dependency, libstoragemgmt
  + dashboard: Update downstream branding (bsc#1129224)
  + spec: build ceph-test package on x86_64 arch only (bsc#1129274)

==== checkpolicy ====
Version update (2.8 -> 2.9)

- Update to version 2.9
  * Add option to sort contexts when creating a binary policy
  * Update manpage
  * check the result value of hashtable_search
  * destroy the class datum if it fails to initialize
  * remove extraneous policy build noise

==== cronie ====
Subpackages: cron

- update to 1.5.3
  * Fix CVE-2019-9704 [bnc#1128937] and CVE-2019-9705 [bnc#1128935] to avoid local DoS of the crond
  * crontab: Make crontab without arguments fail
  * crond: In PAM configuration include system-auth instead of password-auth
  * crond: In the systemd service file restart crond if it fails
  * crond: Use the role from the crond context for system job contexts
  * Multiple small cleanups and fixes.
- refresh cronie-nheader_lines.diff and cronie-pam_config.diff

==== exim ====
Version update (4.91 -> 4.92)

- update to exim 4.92
  * ${l_header:} expansion
  * ${readsocket} now supports TLS
  * "utf8_downconvert" option (if built with SUPPORT_I18N)
  * "pipelining" log_selector
  * JSON variants for ${extract } expansion
  * "noutf8" debug option
  * TCP Fast Open support on MacOS
- add workaround patch for compile time error on missing printf format annotation (gnu_printf.patch)

==== fftw3 ====
Version update (3.3.6 -> 3.3.8)
Subpackages: libfftw3-3 libfftw3_threads3

- Update to 3.3.8:
  * Fixed AVX, AVX2 for gcc-8.
- Release notes for 3.3.7:
  * Experimental support for CMake.
  * Fixes for armv7a cycle counter.
  * Official support for aarch64, now that we have hardware to test it.
  * Tweak usage of FMA instructions in a way that favors newer processors (Skylake and Ryzen) over older processors (Haswell).
  * tests/bench: use 64-bit precision to compute mflops.

==== fuse ====
Subpackages: libfuse2

- Use %make_build in order to provide verbose output.

==== google-noto-fonts ====
Subpackages: google-noto-fonts-doc noto-coloremoji-fonts noto-sans-fonts

- Changed dependency status of doc sub-package from Required to Recommended because fonts load just fine without it.

==== gpg2 ====
Version update (2.2.13 -> 2.2.14)
Subpackages: gpg2-lang

- Update to 2.2.14:
  * gpg: Allow import of PGP desktop exported secret keys. Also avoid importing secret keys if the secret keyblock is not valid.
  * gpg: Do not error out on version 5 keys in the local keyring.
  * gpg: Make invalid primary key algo obvious in key listings.
  * sm: Do not mark a certificate in a key listing as de-vs compliant if its use for a signature will not be possible.
  * sm: Fix certificate creation with key on card.
  * sm: Create rsa3072 bit certificates by default.
  * sm: Print Yubikey attestation extensions with --dump-cert.
  * agent: Fix cancellation handling for scdaemon.
  * agent: Support --mode=ssh option for CLEAR_PASSPHRASE.
  * scd: Fix flushing of the CA-FPR DOs in app-openpgp.
  * scd: Avoid a conflict error with the "undefined" app.
  * dirmngr: Add CSRF protection exception for protonmail.
  * dirmngr: Fix build problems with gcc 9 in libdns.
  * gpgconf: New option --show-socket for use with --launch.
  * gpgtar: Make option -C work for archive creation.
- Removed patches that are included upstream by now:
  - 0001-libdns-Avoid-using-compound-literals.patch
  - 0002-libdns-Avoid-using-compound-literals-2.patch
  - 0003-libdns-Avoid-using-compound-literals-3.patch
  - 0004-libdns-Avoid-using-compound-literals-4.patch
  - 0005-libdns-Avoid-using-compound-literals-5.patch
  - 0006-libdns-Avoid-using-compound-literals-6.patch
  - 0007-libdns-Avoid-using-compound-literals-7.patch
  - 0008-libdns-Avoid-using-compound-literals-8.patch

==== grub2 ====
Subpackages: grub2-i386-pc grub2-snapper-plugin grub2-systemd-sleep-plugin grub2-x86_64-efi grub2-x86_64-xen

- Use %doc for older products for compatibility, or may end up with unsuccessful build result
  * grub2.spec
- Revert grub2-ieee1275-open-raw-mode.patch for regression of crashing lvm on multipath SAN (bsc#1113702)
  * deleted grub2-ieee1275-open-raw-mode.patch
- Add exception handling to FCP lun enumeration (bsc#1113702)
  * grub2-ieee1275-FCP-methods-for-WWPN-and-LUNs.patch

==== kernel-source ====
Version update (5.0.2 -> 5.0.3)
Subpackages: kernel-default kernel-default-devel kernel-devel kernel-docs kernel-macros kernel-syms kernel-vanilla

- Do not provide kernel-default-srchash from kernel-default-base.
- commit d6c71ce
- rpm/kernel-subpackage-build: handle arm kernel zImage.
- commit 81a63c3
- config: disable IMA_ARCH_POLICY for now
  When IMA_ARCH_POLICY was enabled during the 5.0-rc* stage, IMA causes kdump load to fail:
    kexec_file_load failed: Permission denied
    ima: impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.
  We have to fix kexec tooling before enabling IMA for everyone.
  BTW IMA_APPRAISE_BOOTPARAM was disabled by IMA_ARCH_POLICY=y. So restore the original state (and functionality).
- commit 3fe0cfc
- rpm/kernel-source.changes.old: Really drop old changelogs (bsc#1098995)
- commit 9e463cf
- config: disable BPFILTER_UMH on arm (bsc#1127188).
- commit a705565
- Linux 5.0.3 (bnc#1012628).
- drm: Block fb changes for async plane updates (bnc#1012628).
- It's wrong to add len to sector_nr in raid10 reshape twice (bnc#1012628).
- perf/x86/intel: Make dev_attr_allow_tsx_force_abort static (bnc#1012628).
- perf/x86/intel: Fix memory corruption (bnc#1012628).
- ALSA: hda/realtek: Enable headset MIC of Acer TravelMate X514-51T with ALC255 (bnc#1012628).
- ALSA: hda/realtek - Reduce click noise on Dell Precision 5820 headphone (bnc#1012628).
- ALSA: hda/realtek: Enable audio jacks of ASUS UX362FA with ALC294 (bnc#1012628).
- ALSA: hda - add more quirks for HP Z2 G4 and HP Z240 (bnc#1012628).
- ALSA: hda: Extend i915 component bind timeout (bnc#1012628).
- ALSA: firewire-motu: fix construction of PCM frame for capture direction (bnc#1012628).
- ALSA: bebob: use more identical mod_alias for Saffire Pro 10 I/O against Liquid Saffire 56 (bnc#1012628).
- perf/x86: Fixup typo in stub functions (bnc#1012628).
- f2fs: wait on atomic writes to count F2FS_CP_WB_DATA (bnc#1012628).
- net: sched: flower: insert new filter to idr after setting its mask (bnc#1012628).
- vsock/virtio: fix kernel panic from virtio_transport_reset_no_sock (bnc#1012628).
- net: hns3: fix to stop multiple HNS reset due to the AER changes (bnc#1012628).
- net: dsa: mv88e6xxx: Set correct interface mode for CPU/DSA ports (bnc#1012628).
- net/mlx4_core: Fix qp mtt size calculation (bnc#1012628).
- net/mlx4_core: Fix locking in SRIOV mode when switching between events and polling (bnc#1012628).
- net/mlx4_core: Fix reset flow when in command polling mode (bnc#1012628).
- vxlan: test dev->flags & IFF_UP before calling gro_cells_receive() (bnc#1012628).
- vxlan: Fix GRO cells race condition between receive and link delete (bnc#1012628).
- tcp: handle inet_csk_reqsk_queue_add() failures (bnc#1012628).
- tcp: Don't access TCP_SKB_CB before initializing it (bnc#1012628).
- tcp: do not report TCP_CM_INQ of 0 for closed connections (bnc#1012628).
- sctp: remove sched init from sctp_stream_init (bnc#1012628).
- rxrpc: Fix client call queueing, waiting for channel (bnc#1012628).
- route: set the deleted fnhe fnhe_daddr to 0 in ip_del_fnhe to fix a race (bnc#1012628).
- ravb: Decrease TxFIFO depth of Q3 and Q2 to one (bnc#1012628).
- pptp: dst_release sk_dst_cache in pptp_sock_destruct (bnc#1012628).
- net/x25: reset state in x25_connect() (bnc#1012628).
- net/x25: fix use-after-free in x25_device_event() (bnc#1012628).
- net: sit: fix UBSAN Undefined behaviour in check_6rd (bnc#1012628).
- net/hsr: fix possible crash in add_timer() (bnc#1012628).
- net: hsr: fix memory leak in hsr_dev_finalize() (bnc#1012628).
- net: hns3: add dma_rmb() for rx description (bnc#1012628).
- lan743x: Fix TX Stall Issue (bnc#1012628).
- lan743x: Fix RX Kernel Panic (bnc#1012628).
- l2tp: fix infoleak in l2tp_ip6_recvmsg() (bnc#1012628).
- ipv4/route: fail early when inet dev is missing (bnc#1012628).
- gro_cells: make sure device is up in gro_cells_receive() (bnc#1012628).
- fou, fou6: avoid uninit-value in gue_err() and gue6_err() (bnc#1012628).
- connector: fix unsafe usage of ->real_parent (bnc#1012628).
- commit 843d1cc
- config: armv6hl: Update to v5.0.2
- commit a2d3030
- config: armv7hl: Update to v5.0.2
- commit 70aaed6
- Trim build dependencies of sample subpackage spec file (FATE#326579, jsc#SLE-4117, jsc#SLE-3853, bsc#1128910).
- commit 2eae420
- cifs: Fix NULL pointer dereference of devname (bnc#1129519).
- commit 018878b
- config: enable RANDOM_TRUST_CPU
  The outcome from mailing list discussion when this config option appeared was that it makes more sense to enable it by default and let those who do not trust their CPU override it on command line; but then I forgot to actually change the value.
- commit 138b5df
- Update config files: disable CONFIG_FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER (bsc#1127552)
  The deferred fbcon takeover makes little sense with the current openSUSE boot setup, and it's harmful (more glitches, etc). Disable it for now.
- commit 14fa903
- Remove the previous subpackage infrastructure.
  This partially reverts commit 9b3ca32c11854156b2f950ff5e26131377d8445e ("Add kernel-subpackage-build.spec (FATE#326579).")
- commit a5ee24e
- Add sample kernel-default-base spec file (FATE#326579, jsc#SLE-4117, jsc#SLE-3853, bsc#1128910).
- commit 35c4a52

==== libglvnd ====
Version update (1.1.0 -> 1.1.1)
Subpackages: libglvnd-32bit

- Update to release 1.1.1
  * Fixed a potential race condition with entrypoint patching
  * Fixed the TSD dispatch stubs for PPC64LE
  * Fixed a segfault when generating GLX dispatch stubs for AARCH64

==== libgpg-error ====
Version update (1.35 -> 1.36)
Subpackages: libgpg-error0 libgpg-error0-32bit

- Update to 1.36:
  * Two new error codes to better support PIV cards
  * Support armv7a-unknown-linux-gnueabihf

==== libselinux ====
Version update (2.8 -> 2.9)
Subpackages: libselinux1 libselinux1-32bit selinux-tools

- Update to version 2.9
  * Add security_reject_unknown(3) man page
  * Change matchpathcon usage to match with matchpathcon manpage
  * Do not define gettid() if glibc >= 2.30 is used
  * Fix RESOURCE_LEAK defects reported by coverity scan
  * Fix line wrapping in selabel_file.5
  * Do not dereference symlink with statfs in selinux_restorecon
  * Fix overly strict validation of file_contexts.bin
  * Fix selinux_restorecon() on non-SELinux hosts
  * Fix the whatis line for the selinux_boolean_sub.3 manpage
  * Fix printf format string specifier for uint64_t
  * Fix handling of unknown classes/perms
  * Set an appropriate errno in booleans.c
- Dropped python3.patch, is now upstream

==== libselinux-bindings ====
Version update (2.8 -> 2.9)

- Update to version 2.9
  * Add security_reject_unknown(3) man page
  * Change matchpathcon usage to match with matchpathcon manpage
  * Do not define gettid() if glibc >= 2.30 is used
  * Fix RESOURCE_LEAK defects reported by coverity scan
  * Fix line wrapping in selabel_file.5
  * Do not dereference symlink with statfs in selinux_restorecon
  * Fix overly strict validation of file_contexts.bin
  * Fix selinux_restorecon() on non-SELinux hosts
  * Fix the whatis line for the selinux_boolean_sub.3 manpage
  * Fix printf format string specifier for uint64_t
  * Fix handling of unknown classes/perms
  * Set an appropriate errno in booleans.c
- Dropped python3.patch, is now upstream

==== libsemanage ====
Version update (2.8 -> 2.9)
Subpackages: libsemanage-migrate-store libsemanage1

- Update to version 2.9
  * Always set errno to 0 before calling getpwent()
  * Include user name in ROLE_REMOVE audit events
  * genhomedircon - improve handling large groups
  * improve semanage_migrate_store import failure
  * reset umask before creating directories
  * set selinux policy root around calls to selinux_boolean_sub
  * use previous seuser when getting the previous name

==== libsepol ====
Version update (2.8 -> 2.9)

- Update to version 2.9
  * Add two new Xen initial SIDs
  * Check that initial sid indexes are within the valid range
  * Create policydb_sort_ocontexts()
  * Eliminate initial sid string definitions in module_to_cil.c
  * Rename kernel_to_common.c stack functions
  * add missing ibendport port validity check
  * destroy the copied va_list
  * do not call malloc with 0 byte
  * do not leak memory if list_prepend fails
  * do not use uninitialized value for low_value
  * fix endianity in ibpkey range checks
  * ibpkeys.c: fix printf format string specifiers for subnet_prefix
  * mark permissive types when loading a binary policy

==== libssh2_org ====
Version update (1.8.0 -> 1.8.1)

- Version update to 1.8.1:
  Bug Fixes:
  * [bsc#1128471, CVE-2019-3855] Integer overflow when reading a specially crafted packet
  * [bsc#1128493, CVE-2019-3863] Integer overflow in userauth_keyboard_interactive with a number of extremely long prompt strings
  * [bsc#1128472, CVE-2019-3856] Integer overflow if the server sent an extremely large number of keyboard prompts
  * [bsc#1128490, CVE-2019-3861] Out of bounds read when processing a specially crafted packet
  * [bsc#1128474, CVE-2019-3857] Integer overflow when receiving a specially crafted exit signal message channel packet
  * [bsc#1128492, CVE-2019-3862] Out of bounds read when receiving a specially crafted exit status message channel packet
  * [bsc#1128476, CVE-2019-3858] Zero byte allocation when reading a specially crafted SFTP packet
  * [bsc#1128481, CVE-2019-3860] Out of bounds reads when processing specially crafted SFTP packets
  * [bsc#1128480, CVE-2019-3859] Out of bounds reads in _libssh2_packet_require(v)

==== patterns-xfce ====
Subpackages: patterns-xfce-xfce patterns-xfce-xfce_basis patterns-xfce-xfce_laptop patterns-xfce-xfce_office

- recommend gcr-ssh-askpass (bnc#1108381)

==== perl-Text-CSV_XS ====
Version update (1.37 -> 1.39)

- update to 1.39
  1.39 - 2019-03-15, H.Merijn Brand
    * It's 2019
    * Fix tests to skip on Encode failing (PR#17 charsbar + klapperl)
    * Tested on Z/OS (s390x - Hercules) :)
    * Test with new Module::CPANTS::Analyse
    * Add options -w/-b/-Z to csvdiff
    * Fix strict on streaming EOF
    * Now also tested with cperl
  1.38 - 2018-12-30, H.Merijn Brand
    * Name the duplicate headers on error 1013
    * Add missing attributes to default list (doc only, David H. Gutteridge)
    * Add support for combined keys
    * Look at $NO_COLOR for csvdiff
    * Add support for key-value pair

==== policycoreutils ====
Version update (2.8 -> 2.9)
Subpackages: policycoreutils-lang python3-policycoreutils

- Update to version 2.9
  * secon: free scon_trans before returning
  * audit2allow/sepolgen-ifgen: show errors on stderr
  * audit2allow: allow using audit2why as non-root user
  * chcat: use check_call instead of getstatusoutput
  * restorecon: add force option
  * semanage module: Fix handling of -a/-e/-d/-r options
  * semanage/seobject: Fix listing boolean values
  * semanage: Drop python shebang from seobject.py
  * semanage: Fix logger class definition
  * semanage: Include MCS/MLS range when exporting local customizations
  * semanage: Load a store policy and set the store SELinux policy root
  * semanage: Start exporting "ibendport" and "ibpkey" entries
  * semanage: Stop logging loginRecords changes
  * semanage: Stop rejecting aliases in semanage commands
  * semanage: Use standard argparse.error() method in handlePermissive
  * semanage: do not show "None" levels when using a non-MLS policy
  * semanage: import sepolicy only when it's needed
  * semanage: move valid_types initialisations to class constructors
  * sepolgen: close /etc/selinux/sepolgen.conf after parsing it
  * sepolgen: fix access vector initialization
  * sepolgen: fix refpolicy parsing of "permissive"
  * sepolgen: print all AV rules correctly
  * sepolgen: refpolicy installs its Makefile in include/Makefile
  * sepolgen: return NotImplemented instead of raising it
  * sepolgen: silence linter warning about has_key
  * sepolgen: use self when accessing members in FilesystemUse
  * sepolicy: Add sepolicy.load_store_policy(store)
  * sepolicy: Make policy files sorting more robust
  * sepolicy: Stop rejecting aliases in sepolicy commands
  * sepolicy: Update to work with setools-4.2.0
  * sepolicy: add missing % in network tab help text
  * sepolicy: initialize mislabeled_files in __init__()
  * sepolicy: search() also for dontaudit rules
  * add xperms support to audit2allow
  * replace aliases with corresponding type names
- Dropped python3.patch, upstream now

==== python-semanage ====
Version update (2.8 -> 2.9)

- Update to version 2.9
  * Always set errno to 0 before calling getpwent()
  * Include user name in ROLE_REMOVE audit events
  * genhomedircon - improve handling large groups
  * improve semanage_migrate_store import failure
  * reset umask before creating directories
  * set selinux policy root around calls to selinux_boolean_sub
  * use previous seuser when getting the previous name

==== strace ====
Version update (4.26 -> 5.0)

- Update to strace 5.0
  * Changes in behavior
    * -D option now implies -I4
    * Diagnostic message is no longer printed if an attempt to restart a process has failed with ESRCH.
    * ASCII dump no longer tries to read the whole buffer at once.
  * Improvements
    * Changed the way tracees are handled: all pending tracees are now waited for before further processing, this improves fairness of tracee processing.
    * Enhanced xlat styles support configured by -X option.
    * Enhanced decoding of bpf syscall.
    * Enhanced pid formatting in strace-log-merge output.
    * Wired up kexec_file_load and rseq syscalls on aarch64, arc, metag, nios2, or1k, riscv, and tile architectures.
    * Updated lists of BPF_*, BTRFS_*, FAN_*, IFLA_*, KERN_*, KVM_CAP_*, NDA_*, NETNSA_*, NT_*, PR_*, REL_*, SECCOMP_*, SCTP_*, UDP_*, V4L2_*, and *_MAGIC constants.
    * Updated lists of ioctl commands from Linux 5.0.
  * Bug fixes
    * Fixed ordering of sockaddr_in6 fields.
    * Fixed strace-k test on alpha.
    * Fixed build on mips o32.
    * Fixed build on NOMMU architectures.
    * Fixed build in --with-libiberty=yes mode.
    * Fixed potential NULL dereference during printing of line continuation for syscalls that haven't been decoded.
    * Fixed strace-log-merge error diagnostics.

==== suse-module-tools ====
Version update (15.1.11 -> 15.1.13)

- Update to version 15.1.13:
  * spec file: add conflicts for dracut < 44.2 (bsc#1127891)
- Update to version 15.1.12 (git 1ab0b84):
  * modprobe.conf.common: add csiostor->cxgb4 dependency (bsc#1100989)
  * Load fbcon together with virtio_gpu on s390 (bsc#1121996, fate#327159)

==== vlc ====
Subpackages: libvlc5 libvlccore9 vlc-codec-gstreamer vlc-lang vlc-noX vlc-qt vlc-vdpau

- Add vlc-libssh2-ECDSA-version.patch: sftp: fix version for ECDSA known hosts (fixes vlc#22060).
- Add conditional pkgconfig(dav1d) BuildRequires: build av1 decoding via dav1d decoder.

==== webkit2gtk3 ====
Subpackages: libjavascriptcoregtk-4_0-18 libwebkit2gtk-4_0-37 libwebkit2gtk3-lang typelib-1_0-JavaScriptCore-4_0 typelib-1_0-WebKit2-4_0 webkit2gtk-4_0-injected-bundles

- Disable openjpeg on SLE 12. Our version isn't new enough.