Packages changed:
  amavisd-new
  bcm43xx-firmware
  fetchmail (6.4.15 -> 6.4.16)
  gnutls (3.6.15 -> 3.7.0)
  kernel-source (5.10.16 -> 5.11.2)
  libsoup
  libvirt (7.0.0 -> 7.1.0)
  libwps (0.4.11 -> 0.4.12)
  mousepad (0.5.2 -> 0.5.3)
  ntp
  openssl (1.1.1h -> 1.1.1j)
  openssl-1_1 (1.1.1h -> 1.1.1j)
  pavucontrol
  pentobi (18.4 -> 18.5)
  perl-Date-Manip (6.83 -> 6.85)
  perl-IO-Socket-SSL (2.068 -> 2.070)
  perl-URI (5.07 -> 5.08)
  python
  python-base
  python-importlib-metadata (3.4.0 -> 3.7.0)
  python-libvirt-python (7.0.0 -> 7.1.0)
  python-qt5 (5.15.2 -> 5.15.3)
  rubygem-lightbox2 (2.11.1.1 -> 2.11.3)
  rubygem-rails-6.0
  xfce4-panel (4.16.1 -> 4.16.2)
  xfce4-pulseaudio-plugin
  yast2-hardware-detection (4.1.1 -> 4.1.2)
  yast2-installation (4.3.29 -> 4.3.30)
  yast2-security (4.3.11 -> 4.3.14)

=== Details ===

==== amavisd-new ====
Subpackages: amavisd-new-docs

- Package amavisd-milter in a separate package
- Add perl(Convert::BinHex) to required packages
- Disable BerkeleyDB in configuration
  + amavisd-new-no-berkeleydb.patch

==== bcm43xx-firmware ====

- Cater for old and new ways of configuring bluetooth on RPi. Users of 'hciattach' expect the firmware in '/lib/firmware' while users of the serdev configured bluetooth setups will expect it in '/lib/firmware/brcm' (bsc#1177189).

==== fetchmail ====
Version update (6.4.15 -> 6.4.16)
Subpackages: fetchmailconf

- update to 6.4.16:
  * fetchmail's --configdump, and fetchmailconf, lacked support for the sslcertfile option.
  * fetchmail --version [fetchmail -V] now queries and prints the SSL/TLS library's "SSL default trusted certificate" file or directory (mind the word "default"), where the OpenSSL-compatible TLS implementation will look for trusted root, meaning certification authority (CA), certificates.
  * fetchmail --version now prints version of the OpenSSL library that it was compiled against, and that it is using at runtime, and also the OPENSSL_DIR and OPENSSL_ENGINES_DIR (if available).

==== gnutls ====
Version update (3.6.15 -> 3.7.0)
Subpackages: libgnutls-dane0 libgnutls30 libgnutls30-32bit libgnutls30-hmac

- Fix the test suite for tests/gnutls-cli-debug.sh [bsc#1171565]
  * Don't unset system priority settings in gnutls-cli-debug.sh
  * Upstream: gitlab.com/gnutls/gnutls/merge_requests/1387
- Add gnutls-gnutls-cli-debug.patch
- Fix: Test certificates in tests/testpkcs11-certs have expired
  * Upstream bug: gitlab.com/gnutls/gnutls/issues/1135
- Add gnutls-test-fixes.patch
- gnutls_x509_trust_list_verify_crt2: ignore duplicate certificates
  * Upstream bug: https://gitlab.com/gnutls/gnutls/issues/1131
- Add gnutls-ignore-duplicate-certificates.patch
- Update to 3.7.0
  * Depend on nettle 3.6
  * Added a new API that provides a callback function to retrieve missing certificates from incomplete certificate chains
  * Added a new API that provides a callback function to output the complete path to the trusted root during certificate chain verification
  * OIDs exposed as gnutls_datum_t no longer account for the terminating null bytes, while the data field is null terminated.
    The affected API functions are: gnutls_ocsp_req_get_extension, gnutls_ocsp_resp_get_response, and gnutls_ocsp_resp_get_extension
  * Added a new set of API to enable QUIC implementation
  * The crypto implementation override APIs deprecated in 3.6.9 are now no-op
  * Added MAGMA/KUZNYECHIK CTR-ACPKM and CMAC support
  * Support for padlock has been fixed to make it work with Zhaoxin CPU
  * The maximum PIN length for PKCS #11 has been increased from 31 bytes to 255 bytes
- Remove patch fixed upstream:
  * gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch
- Add version guards for the crypto-policies package
- Fix threading bug in libgnutls [bsc#1173434]
  * Upstream bug: gitlab.com/gnutls/gnutls/issues/1044
- Require the crypto-policies package [bsc#1180051]
- Use the centralized crypto policy profile (jsc#SLE-15832)
- FIPS: Use 2048 bit prime in DH selftest (bsc#1176086)
  * add gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch
- FIPS: Add TLS KDF selftest (bsc#1176671)
  * add gnutls-FIPS-TLS_KDF_selftest.patch

==== kernel-source ====
Version update (5.10.16 -> 5.11.2)
Subpackages: kernel-default kernel-docs

- Linux 5.11.2 (bsc#1012628).
- KVM: Use kvm_pfn_t for local PFN variable in hva_to_pfn_remapped() (bsc#1012628).
- mm: provide a saner PTE walking API for modules (bsc#1012628).
- KVM: do not assume PTE is writable after follow_pfn (bsc#1012628).
- KVM: x86: Zap the oldest MMU pages, not the newest (bsc#1012628).
- hwmon: (dell-smm) Add XPS 15 L502X to fan control blacklist (bsc#1012628).
- arm64: tegra: Add power-domain for Tegra210 HDA (bsc#1012628).
- Bluetooth: btusb: Some Qualcomm Bluetooth adapters stop working (bsc#1012628).
- ntfs: check for valid standard information attribute (bsc#1012628).
- usb: quirks: add quirk to start video capture on ELMO L-12F document camera reliable (bsc#1012628).
- USB: quirks: sort quirk entries (bsc#1012628).
- HID: make arrays usage and value to be the same (bsc#1012628).
- bpf: Fix truncation handling for mod32 dst reg wrt zero (bsc#1012628).
- commit 6fd6105
- config: refresh
- fix misspelled USB gadget debugging options
- commit 20be8e3
- Update config files. Update config files. Enable USB_GADGET(jsc#SLE-14042)
- supported.conf: After discussion what the feature request implied, it was decided that gadget mode is also needed on x86_64
- commit 4adcbc0
- macros.kernel-source: Use spec_install_pre for certificate installation (boo#1182672).
  Since rpm 4.16 files installed during build phase are lost.
- commit d0b887e
- update mainline references
- update mainline references:
  patches.suse/drm-bail-out-of-nouveau_channel_new-if-channel-init-.patch
  patches.suse/floppy-reintroduce-O_NDELAY-fix.patch
  patches.suse/media-uvcvideo-Accept-invalid-bFormatIndex-and-bFram.patch
- commit 4eacbc9
- Linux 5.11.1 (bsc#1012628).
- Xen/x86: don't bail early from clear_foreign_p2m_mapping() (bsc#1012628).
- Xen/x86: also check kernel mapping in set_foreign_p2m_mapping() (bsc#1012628).
- Xen/gntdev: correct dev_bus_addr handling in gntdev_map_grant_pages() (bsc#1012628).
- Xen/gntdev: correct error checking in gntdev_map_grant_pages() (bsc#1012628).
- xen/arm: don't ignore return errors from set_phys_to_machine (bsc#1012628).
- xen-blkback: don't "handle" error by BUG() (bsc#1012628).
- xen-netback: don't "handle" error by BUG() (bsc#1012628).
- xen-scsiback: don't "handle" error by BUG() (bsc#1012628).
- xen-blkback: fix error handling in xen_blkbk_map() (bsc#1012628).
- tty: protect tty_write from odd low-level tty disciplines (bsc#1012628).
- Bluetooth: btusb: Always fallback to alt 1 for WBS (bsc#1012628).
- commit 3652ea1
- arm: Update config files.
  Set CONFIG_WATCHDOG_SYSFS to true (bsc#1182560)
- commit 702d1a3
- rpm/kernel-subpackage-build: Workaround broken bot (https://github.com/openSUSE/openSUSE-release-tools/issues/2439)
- commit b74d860
- Update config files: Set reset-raspberrypi as builtin (bsc#1180336)
  This driver is needed in order to boot through USB. Ideally the kernel module should be selected by dracut, but it's not. So make it builtin until the relevant dracut fixes are available.
- commit 8186eab
- series.conf: cleanup
- move patches on the way to mainline into respective section
  patches.suse/drm-bail-out-of-nouveau_channel_new-if-channel-init-.patch
  patches.suse/media-uvcvideo-Accept-invalid-bFormatIndex-and-bFram.patch
  patches.suse/media-dvb-usb-Fix-memory-leak-at-error-in-dvb_usb_de.patch
  patches.suse/media-dvb-usb-Fix-use-after-free-access.patch
  patches.suse/media-pwc-Use-correct-device-for-DMA.patch
- commit 8309a4e
- kernel-binary.spec: Add back initrd and image symlink ghosts to filelist (bsc#1182140).
  Fixes: 76a9256314c3 ("rpm/kernel-{source,binary}.spec: do not include ghost symlinks (boo#1179082).")
- commit 606c9d1
- rpm/post.sh: Avoid purge-kernel for the first installed kernel (bsc#1180058)
- commit c29e77d
- Refresh patches.suse/drm-bail-out-of-nouveau_channel_new-if-channel-init-.patch.
- Refresh patches.suse/media-uvcvideo-Accept-invalid-bFormatIndex-and-bFram.patch.
  Update upstream status.
- commit 1916d9d
- Update to 5.11 final
- refresh configs
- commit 253d8c6

==== libsoup ====
Subpackages: libsoup-2_4-1 libsoup-lang typelib-1_0-Soup-2_4

- Run the regression tests using GnuTLS NORMAL priority
- Disable tls_interaction-test until resolved upstream
  * See https://gitlab.gnome.org/GNOME/libsoup/issues/120
- Add libsoup-skip-tls_interaction-test.patch
- Fix tests: fix SSL test with glib-networking >= 2.65.90
  * See https://gitlab.gnome.org/GNOME/libsoup/issues/201
- Add libsoup-fix-SSL-test.patch
- Remove patches:
  * libsoup-disable-ssl-tests.patch
  * libsoup-disable-hsts-tests.patch

==== libvirt ====
Version update (7.0.0 -> 7.1.0)
Subpackages: libvirt-bash-completion libvirt-client libvirt-daemon libvirt-daemon-driver-interface libvirt-daemon-driver-libxl libvirt-daemon-driver-lxc libvirt-daemon-driver-network libvirt-daemon-driver-nodedev libvirt-daemon-driver-nwfilter libvirt-daemon-driver-qemu libvirt-daemon-driver-secret libvirt-daemon-driver-storage libvirt-daemon-driver-storage-core libvirt-daemon-driver-storage-disk libvirt-daemon-driver-storage-iscsi libvirt-daemon-driver-storage-iscsi-direct libvirt-daemon-driver-storage-logical libvirt-daemon-driver-storage-mpath libvirt-daemon-driver-storage-rbd libvirt-daemon-driver-storage-scsi libvirt-daemon-lxc libvirt-daemon-qemu libvirt-daemon-xen libvirt-libs

- libxl: Fix node device detach when driver unspecified
  libxl-default-pcistub-name.patch
  boo#1182885
- spec: Bump minimum glib version to 2.56
- Update to libvirt 7.1.0
- Many incremental improvements and bug fixes, see https://libvirt.org/news.html
- bsc#1182367, bsc#1182515
- Dropped patches:
  32c5e432-revert-f035f53b.patch,
  e3d60f76-fix-socket-file-gen.patch,
  7cf60006-qemu-swtpm-aarch64.patch,
  afb823fc-qemu-validate-swtpm.patch,
  8a4b8996-conf-move-virDomainCheckVirtioOptions.patch,
  c05f0066-conf-drop-empty-virDomainNetDefPostParse.patch,
  19d4e467-conf-improve-virDomainVirtioOptionsCheckABIStability.patch,
  bd112c9e-qemu-virtio-options-vsock.patch
- Remove old initscript patching of libvirt-guests.sh
  Modified suse-libvirt-guests-service.patch
  boo#1182494

==== libwps ====
Version update (0.4.11 -> 0.4.12)

- update to 0.4.12:
- add a minimalist parser for Pocket Word .psw and .pwi files

==== mousepad ====
Version update (0.5.2 -> 0.5.3)
Subpackages: mousepad-lang

- Update to version 0.5.3
  * Use old style menu alignment (gxo#apps/mousepad#97, gxo#apps/mousepad!77)
  * Add a keybinding to reset font size
  * Fix inverted return value of scroll event handler
  * Various small improvements regarding accels
  * Block the right signal handler for tooltip updates
  * A clarification about action groups
  * Translation Updates

==== ntp ====

- Disown /var/lib/ntp, it is now part of the sysuser-ntp package.

==== openssl ====
Version update (1.1.1h -> 1.1.1j)

- Update to 1.1.1j release
- Update to 1.1.1i release

==== openssl-1_1 ====
Version update (1.1.1h -> 1.1.1j)
Subpackages: libopenssl1_1 libopenssl1_1-32bit libopenssl1_1-hmac

- Update to 1.1.1j
  * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841]
  * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks.
  * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840]
  * Fixed SRP_Calc_client_key so that it runs in constant time.
    The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned.
- Rebase patches:
  * openssl-1.1.1-fips.patch
  * openssl-1.1.0-issuer-hash.patch
  * openssl-1.1.1-evp-kdf.patch
- Removed patch because it was causing problems with other servers.
  * openssl-zero-pad-DHE-public-key.patch
  * bsc#1181796
- Zero pad the DHE public key in ClientKeyExchange for interoperability with Windows Server 2019.
  * openssl-zero-pad-DHE-public-key.patch
  * bsc#1181796
  * sourced from https://github.com/openssl/openssl/pull/12331/files
- Add version guards for the crypto-policies
- Disable test_srp subsection from 90-test_sslapi.t test
- Use SECLEVEL 2 in 80-test_ssl_new.t
- Add patches:
  * openssl-1_1-use-seclevel2-in-tests.patch
  * openssl-1_1-disable-test_srp-sslapi.patch
- Allow SHA1 in SECLEVEL 2 in non-FIPS mode
- Add openssl-1_1-seclevel.patch
- Require the crypto-policies package [bsc#1180051]
- Update to 1.1.1i (bsc#1179491)
  * Fixed NULL pointer deref in GENERAL_NAME_cmp (CVE-2020-1971)
- Refresh openssl-1.1.1-fips-post-rand.patch

==== pavucontrol ====
Subpackages: pavucontrol-lang

- Require the pulseaudio-daemon capability instead of the pulseaudio package, so alternative implementations can be used (boo#1182730).

==== pentobi ====
Version update (18.4 -> 18.5)

- Update to version 18.5
  * Require GNU gettext >=0.19.6, which has built-in support for AppData, such that the appstream package is no longer needed for compilation.
  * Added missing include that broke the compilation with GCC 11
  * Complete Russian translation of the manual.

==== perl-Date-Manip ====
Version update (6.83 -> 6.85)

- updated to 6.85
  see /usr/share/doc/packages/perl-Date-Manip/Changes

  6.85 2021-03-01
  - Test fixes
    Missed some tests that were failing.
  6.84 2021-03-01
  - Time zone fixes
    Newest zoneinfo data (tzdata 2021a).
  - Language fixes
    Corrections and additions to Italian. Patch supplied by Leo Cacciari (GitHub #33)

==== perl-IO-Socket-SSL ====
Version update (2.068 -> 2.070)

- updated to 2.070
  see /usr/share/doc/packages/perl-IO-Socket-SSL/Changes

  2.070 2021/02/26
  - changed bugtracker in Makefile.PL to github, away from obsolete rt.cpan.org

  2.069 2021/01/22
  - IO::Socket::Utils CERT_asHash and CERT_create now support subject and issuer with multiple same parts (like multiple OU). In this case an array ref instead of a scalar is used as hash value.
    https://github.com/noxxi/p5-io-socket-ssl/issues/95

==== perl-URI ====
Version update (5.07 -> 5.08)

- updated to 5.08
  see /usr/share/doc/packages/perl-URI/Changes

  5.08 2021-02-28 18:08:32Z
  - added URI::nntps (GH#82)

==== python ====

- Add CVE-2021-23336-only-amp-as-query-sep.patch which forbids use of semicolon as a query string separator (bpo#42967, bsc#1182379, CVE-2021-23336).

==== python-base ====
Subpackages: libpython2_7-1_0 python-xml

- Add CVE-2021-23336-only-amp-as-query-sep.patch which forbids use of semicolon as a query string separator (bpo#42967, bsc#1182379, CVE-2021-23336).

==== python-importlib-metadata ====
Version update (3.4.0 -> 3.7.0)

- update to 3.7.0:
  * #131: Added ``packages_distributions`` to conveniently resolve a top-level package or module to its distribution(s).
  * #284: Introduces new ``EntryPoints`` object, a tuple of ``EntryPoint`` objects but with convenience properties for selecting and inspecting the results:
    - ``.select()`` accepts ``group`` or ``name`` keyword parameters and returns a new ``EntryPoints`` tuple with only those that match the selection.
    - ``.groups`` property presents all of the group names.
    - ``.names`` property presents the names of the entry points.
    - Item access (e.g. ``eps[name]``) retrieves a single entry point by name.
    ``entry_points`` now accepts "selection parameters", same as ``EntryPoint.select()``.
    ``entry_points()`` now provides a future-compatible ``SelectableGroups`` object that supplies the above interface but remains a dict for compatibility.
    In the future, ``entry_points()`` will return an ``EntryPoints`` object, but provide for backward compatibility with a deprecated ``__getitem__`` accessor by group and a ``get()`` method.
    If passing selection parameters to ``entry_points``, the future behavior is invoked and an ``EntryPoints`` is the result.
    Construction of entry points using ``dict([EntryPoint, ...])`` is now deprecated and raises an appropriate DeprecationWarning and will be removed in a future version.
  * #280: ``entry_points`` now only returns entry points for unique distributions (by name).

==== python-libvirt-python ====
Version update (7.0.0 -> 7.1.0)

- Update to 7.1.0
- Add all new APIs and constants in libvirt 7.1.0

==== python-qt5 ====
Version update (5.15.2 -> 5.15.3)

- Update to version 5.15.3
  * Added the missing QImage.setAlphaChannel().
  * Support for the QtNetworkAuth library has been moved to a separate PyQtNetworkAuth package.
  * Bug fixes.
- Disable the build for SIPv4 and Python2. It does not build anymore. According to upstream, the change was not intentional, albeit SIP v4 is not officially supported anymore. We use this opportunity to ditch the old cruft. Moves the SLE/Leap builds to SIP v5.
- Remove unused QtWebEngine libraries from build system. Those are handled in the python-qtwebengine-qt5 package.
- Remove the unnecessary strict binary compatibility requirement for PyQt5.sip: python-sip[56]-devel will not runtime require any PyQt[56].sip module anymore and the %requires_eq would do nothing because the package is not installed.
- Some rpmlint runs were complaining that the PyQt5 dir was not also owned by the nonring extra packages

==== rubygem-lightbox2 ====
Version update (2.11.1.1 -> 2.11.3)

- updated to version 2.11.3
  * Updated lightbox2 to upstream version 2.11.3 ([Upstream changelog](https://github.com/lokesh/lightbox2/releases/tag/v2.11.3))

==== rubygem-rails-6.0 ====

- Fixed recommended dependencies (boo#1177517)

==== xfce4-panel ====
Version update (4.16.1 -> 4.16.2)
Subpackages: libxfce4panel-2_0-4 xfce4-panel-lang xfce4-panel-restore-defaults

- Update to 4.16.2
  * Add icons to help and about items in panel menu
  * Modernize documentation (developer.xfce.org)
  * Translation Updates

==== xfce4-pulseaudio-plugin ====
Subpackages: xfce4-pulseaudio-plugin-lang

- Require the pulseaudio-daemon capability instead of the pulseaudio package, so alternative implementations can be used (boo#1182730).

==== yast2-hardware-detection ====
Version update (4.1.1 -> 4.1.2)

- Fixed pointer check to compile with GCC 11 (bsc#1181916)
- 4.1.2

==== yast2-installation ====
Version update (4.3.29 -> 4.3.30)

- Do not write selinux and polkit default rules during upgrade (bsc#1182894)
- 4.3.30

==== yast2-security ====
Version update (4.3.11 -> 4.3.14)

- Ensure defined SELinux patterns are set (bsc#1182543).
- 4.3.14
- Do not write bootloader in insts-sys (bsc#1182894).
- 4.3.13