Packages changed:
  btrfsprogs
  c-ares (1.17.0 -> 1.17.1)
  conmon (2.0.21 -> 2.0.22)
  dosfstools (4.1 -> 4.1+git.1610658652.9443732)
  gpg2 (2.2.25 -> 2.2.27)
  iptables (1.8.6 -> 1.8.7)
  kustomize (3.9.1 -> 3.9.2)
  libcontainers-common (20200727 -> 20210112)
  libnftnl (1.1.8 -> 1.1.9)
  libusb-1_0
  openssh (8.3p1 -> 8.4p1)
  python-jsonschema

=== Details ===

==== btrfsprogs ====
Subpackages: btrfsprogs-udev-rules libbtrfs0

- prepare usrmerge (boo#1029961)
- Update to 5.9:
  * mkfs:
  * switch default to single profile for multi-device filesystem, up to now it was raid0 that may not be simple to convert to some other profile as raid0 needs a workspace on all devices for that
  * new option -R for run-time options (eg. mount time enabled), now understands free-space-tree
  * subvolume delete:
  * refuse to delete the default subvolume (kernel will not allow that but the error reason is not obvious)
  * warn on EPERM, eg. if send is in progress on the subvolume
  * convert:
  * fix 32bit overflows on large filesystems
  * improved error handling and error messages
  * check free space taking fragmentation into account
  * check:
  * detect and repair wrong inode generation
  * minor improvement in error reporting on roots
  * libbtrfsutils: follow main package versioning (5.9)
  * add pkg-config file definitions
  * python-btrfsutil: follow main package versioning (5.9)
  * inspect tree-stats: print node counts for each level, fanout
  * other:
  * docs:
  * remove obsolete mount options (alloc_start, subvolrootid)
  * deleting default subvolume is not permitted
  * updated or fixed tests
  * .editorconfig updates
  * move files to kernel-shared/
  * CI:
  * updated to use zstd 1.4.5
  * fix reiserfs build
  * more builds with asan, ubsan
  * sb-mod updates
  * build:
  * print .so versions of libraries in configure summary
- Update to 5.7:
  * mkfs:
  * new option to enable features otherwise enabled at runtime, now implemented for quotas, 'mkfs.btrfs -R quota'
  * fix space accounting for small image, DUP and --rootdir
  * option -A removed
  * check:
    detect ranges with overlapping csum items
  * fi usage: report correct numbers when plain RAID56 profiles are used
  * convert: ensure the data chunks size never exceed device size
  * libbtrfsutil: update documentation regarding subvolume deletion
  * build: support libkcapi as implementation backend for cryptographic primitives
  * core: global options for verbosity (-v, -q), subcommands -v or -q are aliases and will continue to work but are considered deprecated, current command output is preserved to keep scripts working
  * other:
  * build warning fixes
  * btrfs-debugfs ported to python 3
- Update to 5.6.1:
  * print warning when multiple block group profiles exist, update 'fi usage' summary, add docs to manual page explaining the situation
  * build: optional support for libgcrypt or libsodium, providing hash implementations
  * updated docs
- Fix content of _dracutmodulesdir variable: this definitively does not belong to libexecdir.
- Update to 5.6:
  * inspect logical-resolve: support LOGICAL_INO_V2 as new option '-o', helps advanced dedupe tools
  * inspect: use larger buffer (64K) for results
  * subvol delete: support deletion by id (requires kernel 5.7+)
  * dump-tree: new option --hide-names, replace any names (file, directory, subvolume, xattr) in the output with stubs
  * various fixes
- Update to 5.4.1
  * build: fix docbook5 build
  * check: do extra verification of extent items, inode items and chunks
  * qgroup: return ENOTCONN if quotas not running (needs updated kernel)
  * other: various test fixups
- BuildRequire pkgconfig(udev) instead of udev: Allow OBS to shortcut through the -mini flavor.
- Use pkg-config --modversion udev to identify the current udev version. This is more portable and supports the -mini flavors.
- Update to 5.4
  * support new hash algorithms (kernel 5.5):
  * mkfs.btrfs and btrfs-convert with --csum, crc32c, xxhash, sha256, blake2
  * mkfs: support new raid1c3 and raid1c4 block group profiles (kernel 5.5)
  * check:
  * --repair delays start with a warning, can be skipped using --force
  * enhanced detection of inode types from partial data, more options for repair
  * receive: fix quiet option
  * image: speed up chunk loading
  * fi usage:
  * sort devices by id
  * print ratio of used/total per block group type
  * rescue zero-log: reset the log pointers directly, avoid reading some other potentially damaged structures
  * new make target install-static to install only static binaries/libraries
  * other
  * docs updates
  * new tests
  * cleanups and refactoring
- Update to 5.3.1:
  * libbtrfs: fix link breakage due to missing symbols
- Update to 5.3:
  * mkfs:
  * new option to specify checksum algorithm (only crc32c)
  * fix xattr enumeration
  * dump-tree: BFS (breadth-first) traversal now default
  * libbtrfsutil: remove stale BTRFS_DEV_REPLACE_ITEM_STATE_x defines
  * ci: add support for gitlab
  * other:
  * preparatory work for more checksum algorithms
  * docs update
  * switch to docbook5 backend for asciidoc
  * fix build on uClibc due to missing backtrace()
  * lots of printf format fixups
- Enable build of python-bindings for libbtrfsutil
- Update to 5.2.2:
  * check:
  * fix false report of wrong byte count for orphan inodes
  * option -E was not handled correctly
  * new check and repair for root item generation
  * balance: check for full-balance before background fork
  * mkfs: check that total device size does not overflow 16EiB
  * dump-tree: print DEV_STATS key type
  * other:
  * new and updated tests
  * doc fixups and updates
- update to 5.2.1
  * scrub status: fix ETA calculation after resume
  * check: fix crash when using -Q
  * restore: fix symlink owner restoration
  * mkfs: fix regression with mixed block groups
  * core: fix commit to process all delayed refs
  * other:
  * minor cleanups
  * test updates
- update to
  5.2
  * subvol show: print qgroup information when available
  * scrub:
  * status: show ETA, revamp the whole output
  * fix reading/writing of last position on resume/cancel, potentially skipping part of the filesystem on next resume
  * dump-tree: add new option --noscan to use only devices given on the commandline
  * all-in-one binary (busybox style) with mkfs.btrfs, btrfs-image, btrfs-convert, btrfstune
  * image: fix hang when there are more than 32 cpus online and compression is requested
  * convert: fix some false ENOSPC errors when --rootdir is used
  * build: fix gcc9 warnings
  * core changes
  * command handling cleanups
  * dead code removal
  * cmds-* files moved to cmds/
  * other shared userspace files moved to common/
  * utils.c split into more files
  * preparatory work for more output formats
  * libbtrfsutil: fix unaligned access
  * other
  * new and updated tests
  * fix tests so CI passes again
  * sb-mod can modify more superblock items
- update to version 5.1
  * repair: flush/FUA support to avoid breaking metadata COW
  * file extents repair no longer relies on data in extent tree
  * lowmem: fix false error reports about gaps between extents
  * add inode mode check and repair for various objects
  * add check for invalid combination of nocow/compressed extents
  * device scan option to forget scanned devices [new]
  * mkfs: use same chunk size as kernel for initial creation
  * dev-replace: better report when other exclusive operation runs
  * help for syntax errors on command lines, print relevant msgs
  * defrag: able to open files in RO mode
  * dump-tree: --block can be specified multiple times
- update to version 4.20.2
  * dump-super: minor output fixup
  * revert fix for prefix detection of receive path, this is temporary and unbreaks existing user setups
- Use correct path for dracut-fsck-help.txt in module-setup.sh (bsc#1122539)
  * Remove module-setup.sh
  * Add module-setup.sh.in
- Advise user of fs recovery options when we fail to mount (fate#320443, bsc#1122539)
  * Add dracut-fsck-help.txt
  * Add
    module-setup.sh
- update to version 4.20.1
  * libbtrfs: fix build of external tools due to missing symbols
  * ci: enable library test
- update to version 4.20
  * new feature: metadata uuid
  * lightweight change of UUID without rewriting all metadata (incompatible change)
  * done by btrfstune -m/-M, needs kernel support, 5.0+
  * image:
  * fix block groups when restoring from multi-device image
  * only enlarge result image if it's a regular file
  * check
  * more device extent checks and fixes
  * can repair dir item with mismatched hash
  * mkfs: uuid tree created with proper contents
  * fix mount point detection due to partial prefix match
  * other:
  * new tests, build fixes, doc updates
  * libbtrfsutil: fix tests if kernel lacks support for new subvolume ioctls
- partial cleanup with spec-cleaner
- drop 0001-btrfs-progs-Add-support-for-metadata_uuid-field.patch
- drop 0002-btrfs-progs-btrfstune-Add-support-for-changing-the-u.patch
- drop 0003-btrfs-progs-Remove-fsid-metdata_uuid-fields-from-fs_.patch
- drop 0004-btrfs-progs-Remove-btrfs_fs_info-new_fsid.patch
- drop 0005-btrfs-progs-Directly-pass-root-to-change_devices_uui.patch
- Use %license instead of %doc [bsc#1082318]
- Implement fate#325871
  * Added 0001-btrfs-progs-Add-support-for-metadata_uuid-field.patch
  * Added 0002-btrfs-progs-btrfstune-Add-support-for-changing-the-u.patch
  * Added 0003-btrfs-progs-Remove-fsid-metdata_uuid-fields-from-fs_.patch
  * Added 0004-btrfs-progs-Remove-btrfs_fs_info-new_fsid.patch
  * Added 0005-btrfs-progs-Directly-pass-root-to-change_devices_uui.patch
- update to version 4.19.1
  * check
  * many lowmem mode improvements
  * properly report qgroup mismatch errors
  * check symlinks with append/immutable flags
  * fi usage
  * correctly calculate allocated/unallocated for raid10
  * minor output updates
  * mkfs
  * detect ENOSPC on thinly provisioned devices
  * fix spurious EEXIST during directory traversal
  * restore: fix relative path for restore target
  * dump-tree: print symbolic tree names for backrefs
  * send: fix
    regression preventing send -p with subvolumes mounted on "/"
  * corrupt-tree: refactoring and command line updates
  * build
  * make it work with e2fsprogs < 1.42 again
  * restore support for autoconf 2.63
  * detect if -std=gnu90 is supported
  * other
  * new tests
  * cleanups
- update to version 4.19
  * check: support repair of fs with free-space-tree feature
  * core:
  * port delayed ref infrastructure from kernel
  * support write to free space tree
  * dump-tree: new options for BFS and DFS enumeration of b-trees
  * quota: rescan is now done automatically after 'assign'
  * btrfstune: incomplete fix to uuid change
  * subvol: fix 255 char limit checks
  * completion: complete block devices and now regular files too
  * docs:
  * ship uncompressed manual pages
  * btrfsck uses a manual page link instead of symlink
  * other
  * improved error handling
  * docs
  * new tests
- update to version 4.17.1
  * check:
  * add ability to fix wrong ram_bytes for compressed inline files
  * beautify progress output
  * btrfstune: allow to continue uuid change after unclean interruption
  * several fuzz fixes:
  * detect overlapping chunks
  * chunk loading error handling
  * don't crash with unexpected root refs to extents
  * relax option parsing again to allow mixing options and non-options arguments
  * fix qgroup rescan status reporting
  * build:
  * drop obsolete dir-test
  * new configure option to disable building of tools
  * add compatibility options --disable-static and --disable-shared
  * other:
  * cleanups and preparatory work
  * new test images
- spec cleanup
- update to version 4.17
  * check
  * many lowmem mode improvements
  * properly report qgroup mismatch errors
  * check symlinks with append/immutable flags
  * fi usage
  * correctly calculate allocated/unallocated for raid10
  * minor output updates
  * mkfs
  * detect ENOSPC on thinly provisioned devices
  * fix spurious EEXIST during directory traversal
  * restore: fix relative path for restore target
  * dump-tree: print symbolic tree names for backrefs
  * send: fix regression preventing
    send -p with subvolumes mounted on "/"
  * corrupt-tree: refactoring and command line updates
  * build
  * make it work with e2fsprogs < 1.42 again
  * restore support for autoconf 2.63
  * detect if -std=gnu90 is supported
- Removed patches (upstreamed):
  * 0001-btrfs-progs-convert-fix-support-for-e2fsprogs-1.42.patch
  * 0002-btrfs-progs-build-autoconf-2.63-compatibility.patch
  * 0003-btrfs-progs-build-detect-whether-std-gnu90-is-suppor.patch
- Don't require libzstd-devel-static on builds that don't use it.
- fix installation of btrfs.5.gz
- Fix building on SLE11:
  * btrfs-progs: convert: fix support for e2fsprogs < 1.42
  * btrfs-progs: build: detect whether -std=gnu90 is supported
  * btrfs-progs: build: autoconf 2.63 compatibility
  * Fixed mismerged addition of libbtrfsutil1 package description
- Added patches:
  * 0001-btrfs-progs-convert-fix-support-for-e2fsprogs-1.42.patch
  * 0002-btrfs-progs-build-autoconf-2.63-compatibility.patch
  * 0003-btrfs-progs-build-detect-whether-std-gnu90-is-suppor.patch
- update to version 4.16.1
  * remove obsolete tools: btrfs-debug-tree, btrfs-zero-log, btrfs-show-super, btrfs-calc-size
  * sb-mod: new debugging tool to edit superblock items
  * mkfs: detect if thin-provisioned device does not have enough space
  * check: don't try to verify checksums on metadata dump images
  * build: fail documentation build if xmlto is not found
  * build: fix build of btrfs.static
- Remove patch: 0001-btrfs-progs-build-fix-static-build.patch (upstream)
- Update initrd script
- update to version 4.16
  * libbtrfsutil - new LGPL library to wrap userspace functionality
  * several 'btrfs' commands converted to use it:
  * properties
  * filesystem sync
  * subvolume set-default/get-default/delete/show/sync
  * python bindings, tests
  * build
  * use configured pkg-config path
  * CI: add python, musl/clang, built dependencies caching
  * convert: build fix for e2fsprogs 1.44+
  * don't install library links with wrong permissions
  * fixes
  * prevent incorrect use of subvol_strip_mountpoint
  * dump-super: don't verify csum for unknown type
  * convert: fix inline extent creation condition
  * check:
  * lowmem: fix false alert for 'data extent backref lost for snapshot'
  * lowmem: fix false alert for orphan inode
  * lowmem: fix false alert for shared prealloc extents
  * mkfs:
  * add UUID and otime to root of FS_TREE - with the uuid, snapshots will be now linked to the toplevel subvol by the parent UUID
  * don't follow symlinks when calculating size
  * pre-create the UUID tree
  * fix --rootdir with selinux enabled
  * dump-tree: add option to print only children nodes of a given block
  * image: handle missing device for RAID1
  * other
  * new tests
  * test script cleanups (quoting, helpers)
  * tool to edit superblocks
  * updated docs
- Add patch: 0001-btrfs-progs-build-fix-static-build.patch
- Add new library packages: libbtrfsutil
- use documentation shipped by upstream tar, reduce dependencies
- enable static build again, zstd now has static version
- update to version 4.15
  * mkfs --rootdir reworked, does not minimize the final image but can be still done using a new option --shrink
  * fix allocation of system chunk, don't allocate from the reserved area
  * other
  * new and updated tests
  * cleanups, refactoring
  * doc updates
- spec: fix distro version condition
- update to version 4.14.1
  * dump-tree: print times of root items
  * check: fix several lowmem mode bugs
  * convert: fix rollback after balance
  * other
  * new and updated tests, enabled lowmem mode in CI
  * docs updates
  * fix travis CI build
  * build fixes
  * cleanups
- update to version 4.14
  * build: libzstd now required by default
  * check: more lowmem mode repair enhancements
  * subvol set-default: also accept path
  * prop set: compression accepts no/none, same as ""
  * filesystem usage: enable for filesystem on top of a seed device
  * rescue: new command fix-device-size
  * other
  * new tests
  * cleanups and refactoring
  * doc updates
- Removed patches:
  - rollback-regression-fix.patch - upstreamed
- spec: disable static build,
  missing libzstd-devel-static
- spec: disable zstd support for non-Tumbleweed distros

==== c-ares ====
Version update (1.17.0 -> 1.17.1)

- update to 1.17.1:
  Travis: add iOS target built with CMake (#378)
  Issue #377 suggested that CMake builds for iOS with c-ares were broken. This PR adds an automatic Travis build for iOS CMake.
- fix build
  External projects were using non-public header ares_dns.h, make public again (#376)
  It appears some outside projects were relying on macros in ares_dns.h, even though it doesn't appear that header was ever meant to be public. That said, we don't want to break external integrators so we should distribute this header again.
- note that so versioning has moved to configure.ac
- note about 1.17.1
- fix sed gone wrong
  autotools cleanup (#372)
  * buildconf: remove custom logic with autoreconf
- remove missing_header.patch (upstream)

==== conmon ====
Version update (2.0.21 -> 2.0.22)

- Update to version 2.0.22:
  * added man page
  * attach: always chdir
  * conn_sock: Explicitly free a heap-allocated string
  * refactor I/O and add SD_NOTIFY proxy support

==== dosfstools ====
Version update (4.1 -> 4.1+git.1610658652.9443732)

- Update to version 4.1+git.1610658652.9443732 (bsc#1172863):
  * testsuite: Add mkfs test for 600MB large 4K disk
  * mkfs.fat: Do not show verbose messages not relevant to selected FAT size
  * mkfs.fat: Fix text of verbose messages
  * mkfs.fat: Fix limits for number of clusters
  * mkfs.fat: Fix calculation of FAT32 cluster size on non 512 bytes sector disks
  * mkfs.fat: Fix printing number of sectors
  * mkfs.fat: Align total number of sectors to be multiple of sectors per track
  * testsuite: Add referenceFAT32mbr test data to dist_check_DATA
  * manpages: Escape dot in fsck.fat manpage at the beginning of the line
  * fsck.fat: properly check for valid "." and ".."
    entries

==== gpg2 ====
Version update (2.2.25 -> 2.2.27)

- GnuPG 2.2.27:
  * gpgconf: Fix case with neither local nor global gpg.conf
  * gpgconf: Fix description of two new options
- includes changes from 2.2.26:
  * gpg: New AKL method "ntds"
  * gpg: Fix --trusted-key with fingerprint arg
  * scd: Fix writing of ECC keys to an OpenPGP card
  * scd: Make an USB error fix specific to SPR532 readers
  * dirmngr: With new LDAP keyservers store the new attributes. Never store the useless pgpSignerID. Fix a long standing bug storing some keys on an ldap server.
  * dirmngr: Support the new Active Directory LDAP schema for keyservers
  * dirmngr: Allow LDAP OpenPGP searches via fingerprint
  * dirmngr: Do not block other threads during keyserver LDAP calls
  * Support global configuration files
  * Fix the iconv fallback handling to UTF-8

==== iptables ====
Version update (1.8.6 -> 1.8.7)
Subpackages: libip4tc2 libip6tc2 libxtables12 xtables-plugins

- Update to release 1.8.7
  * iptables-nft:
  * Improved performance when matching on IP/MAC address prefixes if the prefix is byte-aligned. In ideal cases, this doubles packet processing performance.
  * Dump user-defined chains in lexical order. This way ruleset dumps become stable and easily comparable.
  * Avoid pointless table/chain creation. For instance, `iptables-nft -L` no longer creates missing base-chains.

==== kustomize ====
Version update (3.9.1 -> 3.9.2)

- Update to version 3.9.2
- Pin to api v0.7.2
- Pin to cmd/config v0.8.8
- Pin to kyaml v0.10.6 and cli-utils v0.22.4
- Move plugin lister to avoid import cycle.
- Unpin kyaml, cmd/config, api
- Refresh vendor.tar.xz

==== libcontainers-common ====
Version update (20200727 -> 20210112)

- Update common to 0.33.0
- Update image to 5.9.0
- Update podman to 2.2.1
- Update storage to 1.24.5
- Switch to seccomp profile provided by common instead of podman
- Update containers.conf to match latest version

==== libnftnl ====
Version update (1.1.8 -> 1.1.9)

- Update to release 1.1.9
  * Improve formatting of registers in bitwise dumps.

==== libusb-1_0 ====

- Add 0001-fix-descriptor-parsing.patch to fix detection of some devices.

==== openssh ====
Version update (8.3p1 -> 8.4p1)
Subpackages: openssh-clients openssh-common openssh-server

- update to 8.4p1:

  Security
  ========
  * ssh-agent(1): restrict ssh-agent from signing web challenges for FIDO/U2F keys.
  * ssh-keygen(1): Enable FIDO 2.1 credProtect extension when generating a FIDO resident key.
  * ssh(1), ssh-keygen(1): support for FIDO keys that require a PIN for each use. These keys may be generated using ssh-keygen using a new "verify-required" option. When a PIN-required key is used, the user will be prompted for a PIN to complete the signature operation.

  New Features
  ------------
  * sshd(8): authorized_keys now supports a new "verify-required" option to require FIDO signatures assert that the token verified that the user was present before making the signature. The FIDO protocol supports multiple methods for user-verification, but currently OpenSSH only supports PIN verification.
  * sshd(8), ssh-keygen(1): add support for verifying FIDO webauthn signatures. Webauthn is a standard for using FIDO keys in web browsers. These signatures are a slightly different format to plain FIDO signatures and thus require explicit support.
  * ssh(1): allow some keywords to expand shell-style ${ENV} environment variables. The supported keywords are CertificateFile, ControlPath, IdentityAgent and IdentityFile, plus LocalForward and RemoteForward when used for Unix domain socket paths.
    bz#3140
  * ssh(1), ssh-agent(1): allow some additional control over the use of ssh-askpass via a new $SSH_ASKPASS_REQUIRE environment variable, including forcibly enabling and disabling its use. bz#69
  * ssh(1): allow ssh_config(5)'s AddKeysToAgent keyword accept a time limit for keys in addition to its current flag options. Time-limited keys will automatically be removed from ssh-agent after their expiry time has passed.
  * scp(1), sftp(1): allow the -A flag to explicitly enable agent forwarding in scp and sftp. The default remains to not forward an agent, even when ssh_config enables it.
  * ssh(1): add a '%k' TOKEN that expands to the effective HostKey of the destination. This allows, e.g., keeping host keys in individual files using "UserKnownHostsFile ~/.ssh/known_hosts.d/%k". bz#1654
  * ssh(1): add %-TOKEN, environment variable and tilde expansion to the UserKnownHostsFile directive, allowing the path to be completed by the configuration (e.g. bz#1654)
  * ssh-keygen(1): allow "ssh-add -d -" to read keys to be deleted from stdin. bz#3180
  * sshd(8): improve logging for MaxStartups connection throttling. sshd will now log when it starts and stops throttling and periodically while in this state. bz#3055

  Bugfixes
  --------
  * ssh(1), ssh-keygen(1): better support for multiple attached FIDO tokens. In cases where OpenSSH cannot unambiguously determine which token to direct a request to, the user is now required to select a token by touching it. In cases of operations that require a PIN to be verified, this avoids sending the wrong PIN to the wrong token and incrementing the token's PIN failure counter (tokens effectively erase their keys after too many PIN failures).
  * sshd(8): fix Include before Match in sshd_config; bz#3122
  * ssh(1): close stdin/out/error when forking after authentication completes ("ssh -f ...") bz#3137
  * ssh(1), sshd(8): limit the amount of channel input data buffered, avoiding peers that advertise large windows but are slow to read from causing high memory consumption.
  * ssh-agent(1): handle multiple requests sent in a single write() to the agent.
  * sshd(8): allow sshd_config longer than 256k
  * sshd(8): avoid spurious "Unable to load host key" message when sshd loads a private key but no public counterpart
  * ssh(1): prefer the default hostkey algorithm list whenever we have a hostkey that matches its best-preference algorithm.
  * sshd(1): when ordering the hostkey algorithms to request from a server, prefer certificate types if the known_hosts files contain a key marked as a @cert-authority; bz#3157
  * ssh(1): perform host key fingerprint comparisons for the "Are you sure you want to continue connecting (yes/no/[fingerprint])?" prompt with case sensitivity.
  * sshd(8): ensure that address/masklen mismatches in sshd_config yield fatal errors at daemon start time rather than later when they are evaluated.
  * ssh-keygen(1): ensure that certificate extensions are lexically sorted. Previously if the user specified a custom extension then everything would be in order except the custom ones. bz#3198
  * ssh(1): also compare username when checking for JumpHost loops. bz#3057
  * ssh-keygen(1): preserve group/world read permission on known_hosts files across runs of "ssh-keygen -Rf /path". The old behaviour was to remove all rights for group/other. bz#3146
  * ssh-keygen(1): Mention the [-a rounds] flag in the ssh-keygen manual page and usage().
  * sshd(8): explicitly construct path to ~/.ssh/rc rather than relying on it being relative to the current directory, so that it can still be found if the shell startup changes its directory.
    bz#3185
  * sshd(8): when redirecting sshd's log output to a file, undo this redirection after the session child process is forked(). Fixes missing log messages when using this feature under some circumstances.
  * sshd(8): start ClientAliveInterval bookkeeping before first pass through select() loop; fixed theoretical case where busy sshd may ignore timeouts from client.
  * ssh(1): only reset the ServerAliveInterval check when we receive traffic from the server and ignore traffic from a port forwarding client, preventing a client from keeping a connection alive when it should be terminated. bz#2265
  * ssh-keygen(1): avoid spurious error message when ssh-keygen creates files outside ~/.ssh
  * sftp-client(1): fix off-by-one error that caused sftp downloads to make one more concurrent request than desired. This prevented using sftp(1) in unpipelined request/response mode, which is useful when debugging. bz#3054
  * ssh(1), sshd(8): handle EINTR in waitfd() and timeout_connect() helpers. bz#3071
  * ssh(1), ssh-keygen(1): defer creation of ~/.ssh until we attempt to write to it so we don't leave an empty .ssh directory when it's not needed. bz#3156
  * ssh(1), sshd(8): fix multiplier when parsing time specifications when handling seconds after other units. bz#3171

==== python-jsonschema ====

- Disable python2 build as indirect build dependencies to python2-cffi are not resolvable anymore