Removed rpms ============ - libabsl2308_0_0 Added rpms ========== - NetworkManager-applet-openconnect - NetworkManager-applet-pptp - alts - dolphin-part-lang - libabsl2401_0_0 - libalternatives1 - libnfsidmap1 Package Source Changes ====================== NetworkManager-openconnect +- Add missing supplements(bsc#1220391): + + NMA subpackage: Main package and gnome-control-center + +- Rename gnome subpackage to NetworkManager-applet-openconnect + to more accurately reflect its usage +- Add missing supplements: + - NM and openconnect + - NMA subpackage: Main package and NMA + NetworkManager-openvpn +- Add missing supplements(bsc#1220391): + + NMA subpackage: Main package and gnome-control-center + NetworkManager-pptp +- Add missing supplements(bsc#1220391): + + NMA subpackage: Main package and gnome-control-center + +- Rename gnome subpackage to NetworkManager-applet-pptp + to more accurately reflect its usage +- Add missing supplements: + - NM and pptp + - NMA subpackage: Main package and NMA + abseil-cpp +- SLE-only: import upstream patch to fix build with gcc7 in C++17 + mode: hash-fix-gcc7-cpp17-build.patch (bsc#1222261) + + Upstream commit bb83aceacb554e79e7cd2404856f0be30bd00303 + +- update to 20240116.1: + * Add absl::NoDestructor<T> to simplify defining static types + that do not need to be destructed upon program exit. + * Add configurable verbose logging (also known as VLOG). + * Added absl::Overload(), which returns a functor that provides + overloads based on the functors passed to it. Note that this + functionality requires C++17 or newer. + * Breaking Change: AbslHashValue() no longer accepts C-style + arrays as a parameter, caller need to wrap C-string literals in + absl::string_view. + * Breaking Change: absl::weak_equality and absl::strong_equality + have been removed. The corresponding std types were removed + before C++20 was finalized + adwaita-xfce-icon-theme +- Update to version 0.0.4+git0.b33d65a + * Remove superfluous /apps directory from index.theme + branding-openSUSE +- Use png for wallpapers for Leap 15.6 +- SLES seems to be using png +- Using a compat symlink wallpapers/openSUSEdefault-> wallpapers/SLEdefault + allows running certain apps without rebuild. Such as cockpit. +- Use optipng -o5 to compress files (has to be reflected in spec) +- Bump date + c-ares +- CVE-2024-25629.patch: fix out of bounds read in ares__read_line() + (bsc#1220279, CVE-2024-25629) + curl +- Security fix: [bsc#1221666, CVE-2024-2379] + * curl: QUIC certificate check bypass with wolfSSL + * Add curl-CVE-2024-2379.patch + +- Security fix: [bsc#1221668, CVE-2024-2466] + * curl: TLS certificate check bypass with mbedTLS + * Add curl-CVE-2024-2466.patch + +- Security fix: [bsc#1221665, CVE-2024-2004] + * Usage of disabled protocol + * Add curl-CVE-2024-2004.patch + +- Security fix: [bsc#1221667, CVE-2024-2398] + * curl: HTTP/2 push headers memory-leak + * Add curl-CVE-2024-2398.patch + distribution-logos-openSUSE +- Update to version 20240404: + * Turn apple-touch-icon into round square ones + * SLES Compatability supply apple-touch-icon for Leap, LeapMicro, TW + * Delete dist/package directory + * fix source mismatch with package name + +- Add handling for Leap Micro 6.X and Leap 16.X + dolphin +- Add an unconditional supplements in dolphin-part-lang, automatic + locale provides are missing in 15.x (boo#1222694) + expat +- Security fix (boo#1221289, CVE-2024-28757): XML Entity Expansion + attack when there is isolated use of external parsers. + * Added expat-CVE-2024-28757.patch + +- Security fix: + * (CVE-2023-52425, bsc#1219559) denial of service (resource + consumption) caused by processing large tokens. + - Added patch expat-CVE-2023-52425-1.patch + - Added patch expat-CVE-2023-52425-2.patch + - Added patch expat-CVE-2023-52425-backport-parser-changes.patch + - Added patch expat-CVE-2023-52425-fix-tests.patch + gcc13 +- Add gcc13-pr111731.patch to fix unwinding for JIT code. + [bsc#1221239] + +- Revert libgccjit dependency change. [boo#1220724] + +- Fix libgccjit-devel dependency, a newer shared library is OK. +- Fix libgccjit dependency, the corresponding compiler isn't required. + +- Use %patch -P N instead of %patchN. + +- Add gcc13-sanitizer-remove-crypt-interception.patch to remove + crypt and crypt_r interceptors. The crypt API change in SLE15 SP3 + breaks them. [bsc#1219520] + +- Update to gcc-13 branch head, 67ac78caf31f7cb3202177e642, git8285 +- Add gcc13-pr88345-min-func-alignment.diff to add support for + - fmin-function-alignment. [bsc#1214934] + +- Use %{_target_cpu} to determine host and build. + +- Update to gcc-13 branch head, fc7d87e0ffadca49bec29b2107, git8250 + * Includes fix for building TVM. [boo#1218492] + +- Add cross-X-newlib-devel requires to newlib cross compilers. + [boo#1219031] + +- Package m2rte.so plugin in the gcc13-m2 sub-package rather than + in gcc13-devel. [boo#1210959] +- Require libstdc++6-devel-gcc13 from gcc13-m2 as m2 programs + are linked against libstdc++6. + +- Update to gcc-13 branch head, 36ddb5230f56a30317630a928, git8205 + +- Update to gcc-13 branch head, 741743c028dc00f27b9c8b1d5, git8109 + * Includes fix for building mariadb on i686. [bsc#1217667] + * Remove pr111411.patch contained in the update. + +- Avoid update-alternatives dependency for accelerator crosses. +- Package tool links to llvm in cross-amdgcn-gcc13 rather than in + cross-amdgcn-newlib13-devel since that also has the dependence. +- Depend on llvmVER instead of llvm with VER equal to + %product_libs_llvm_ver where available and adjust tool discovery + accordingly. This should also properly trigger re-builds when + the patchlevel version of llvmVER changes, possibly changing + the binary names we link to. [bsc#1217450] + glibc +- Add workaround for invalid use of libc_nonshared.a with non-SUSE libc + (bsc#1221482) + gnome-control-center +- Add gnome-control-center-datetime-Avoid-emitting-the-time-changed-signal.patch: + Avoid emitting the time-changed signal + (bsc#1222149, bsc#1221799, glgo#GNOME/gnome-control-center#2943). + gnutls +- Security fix: [bsc#1221747, CVE-2024-28835] + * gnutls: certtool crash when verifying a certificate chain + * Add gnutls-CVE-2024-28835.patch + +- Security fix: [bsc#1221746, CVE-2024-28834] + * gnutls: side-channel in the deterministic ECDSA + * Add gnutls-CVE-2024-28834.patch + +- jitterentropy: Release the memory of the entropy collector when + using jitterentropy with phtreads as there is also a + pre-intitization done in the main thread. [bsc#1221242] + * Add gnutls-FIPS-jitterentropy-deinit-threads.patch + grub2 +- Fix os name is used for root file system mount (bsc#1220949) + * 0001-10_linux-Ensure-persistence-of-root-file-system-moun.patch + hwdata +- update to 0.380: + * Update pci, usb and vendor ids + +- update to 0.379: + * Update pci, usb and vendor ids + icewm-theme-branding:openSUSE +- Do not substitute png to jpg for default wallpaper + Details at https://github.com/openSUSE/branding/pull/149 +- Keep openSUSEDefault although SLEDefault compat symlink exist + +- Make sure flavor is never defined without content, but at least + has %nil. +- Use an invalid arch for "" flavor (do-not-build): %nil is not + actually supported and worked by accident. + +- Use %autosetup macro. Allows to eliminate the usage of deprecated + %patchN + +- Add fix-web-browser-icon.patch: + The Adwaita theme does not provide much legacy apps icon now, + redirect icewm web-browser icon to the right place. See: + https://gitlab.gnome.org/GNOME/adwaita-icon-theme/-/issues/163 + https://gitlab.gnome.org/GNOME/adwaita-icon-theme/-/merge_requests/34/ + +- Add pass-env-var-to-systemd-user-session.patch instead of changing + the tar ball to fix the bsc#1179237. +- Update the tar ball to sync with upstream. + kdump +- upgrade to version 2.0.3+git10.gfdb71b2 + * add a note to README.txt about the flattened format (bsc#1221374) + * use the same persistent device links as dracut (bsc#1222009, bsc#1219471) + * remove dracut parse-root.sh hook (bsc#1221288) + kernel-64kb +- selinux: saner handling of policy reloads (bsc#1222230). +- commit 35fdf2d + +- Move upstreamed patches into sorted section +- commit ebe113d + +- blacklist.conf: fbdev: flush deferred IO before closing (bsc#1221814) +- commit 6339fe4 + +- netfilter: nf_tables: skip set commit for deleted/destroyed sets + (CVE-2024-0193 bsc#1218495). +- commit e7bf1c3 + +- README.BRANCH: Remove copy of branch name +- commit fc25aed + +- scsi: lpfc: Copyright updates for 14.4.0.1 patches + (bsc#1221777). +- scsi: lpfc: Update lpfc version to 14.4.0.1 (bsc#1221777). +- scsi: lpfc: Define types in a union for generic void *context3 + ptr (bsc#1221777). +- scsi: lpfc: Define lpfc_dmabuf type for ctx_buf ptr + (bsc#1221777). +- scsi: lpfc: Define lpfc_nodelist type for ctx_ndlp ptr + (bsc#1221777). +- scsi: lpfc: Use a dedicated lock for ras_fwlog state + (bsc#1221777). +- scsi: lpfc: Release hbalock before calling lpfc_worker_wake_up() + (bsc#1221777). +- scsi: lpfc: Replace hbalock with ndlp lock in + lpfc_nvme_unregister_port() (bsc#1221777). +- scsi: lpfc: Update lpfc_ramp_down_queue_handler() logic + (bsc#1221777). +- scsi: lpfc: Remove IRQF_ONESHOT flag from threaded IRQ handling + (bsc#1221777 bsc#1217958). +- scsi: lpfc: Move NPIV's transport unregistration to after + resource clean up (bsc#1221777). +- scsi: lpfc: Remove unnecessary log message in queuecommand path + (bsc#1221777). +- scsi: lpfc: Correct size for cmdwqe/rspwqe for memset() + (bsc#1221777). +- scsi: lpfc: Correct size for wqe for memset() (bsc#1221777). +- commit 561883a + +- scsi: qla2xxx: Update version to 10.02.09.200-k (bsc#1221816). +- scsi: qla2xxx: Delay I/O Abort on PCI error (bsc#1221816). +- scsi: qla2xxx: Change debug message during driver unload + (bsc#1221816). +- scsi: qla2xxx: Fix double free of fcport (bsc#1221816). +- scsi: qla2xxx: Fix double free of the ha->vp_map pointer + (bsc#1221816). +- scsi: qla2xxx: Fix command flush on cable pull (bsc#1221816). +- scsi: qla2xxx: NVME|FCP prefer flag not being honored + (bsc#1221816). +- scsi: qla2xxx: Update manufacturer detail (bsc#1221816). +- scsi: qla2xxx: Split FCE|EFT trace control (bsc#1221816). +- scsi: qla2xxx: Fix N2N stuck connection (bsc#1221816). +- scsi: qla2xxx: Prevent command send on chip reset (bsc#1221816). +- commit 5c3d977 + +- net/bnx2x: Prevent access to a freed page in page_pool + (bsc#1215322). +- commit c9d3937 + +- Revert "fbdev: flush deferred IO before closing (git-fixes)." (bsc#1221814) + This reverts commit 81476d7e609a6d383f3d404542eebc93cebd0a4d. + This fixes bsc#1221814 +- commit a7a9087 + kernel-default +- selinux: saner handling of policy reloads (bsc#1222230). +- commit 35fdf2d + +- Move upstreamed patches into sorted section +- commit ebe113d + +- blacklist.conf: fbdev: flush deferred IO before closing (bsc#1221814) +- commit 6339fe4 + +- netfilter: nf_tables: skip set commit for deleted/destroyed sets + (CVE-2024-0193 bsc#1218495). +- commit e7bf1c3 + +- README.BRANCH: Remove copy of branch name +- commit fc25aed + +- scsi: lpfc: Copyright updates for 14.4.0.1 patches + (bsc#1221777). +- scsi: lpfc: Update lpfc version to 14.4.0.1 (bsc#1221777). +- scsi: lpfc: Define types in a union for generic void *context3 + ptr (bsc#1221777). +- scsi: lpfc: Define lpfc_dmabuf type for ctx_buf ptr + (bsc#1221777). +- scsi: lpfc: Define lpfc_nodelist type for ctx_ndlp ptr + (bsc#1221777). +- scsi: lpfc: Use a dedicated lock for ras_fwlog state + (bsc#1221777). +- scsi: lpfc: Release hbalock before calling lpfc_worker_wake_up() + (bsc#1221777). +- scsi: lpfc: Replace hbalock with ndlp lock in + lpfc_nvme_unregister_port() (bsc#1221777). +- scsi: lpfc: Update lpfc_ramp_down_queue_handler() logic + (bsc#1221777). +- scsi: lpfc: Remove IRQF_ONESHOT flag from threaded IRQ handling + (bsc#1221777 bsc#1217958). +- scsi: lpfc: Move NPIV's transport unregistration to after + resource clean up (bsc#1221777). +- scsi: lpfc: Remove unnecessary log message in queuecommand path + (bsc#1221777). +- scsi: lpfc: Correct size for cmdwqe/rspwqe for memset() + (bsc#1221777). +- scsi: lpfc: Correct size for wqe for memset() (bsc#1221777). +- commit 561883a + +- scsi: qla2xxx: Update version to 10.02.09.200-k (bsc#1221816). +- scsi: qla2xxx: Delay I/O Abort on PCI error (bsc#1221816). +- scsi: qla2xxx: Change debug message during driver unload + (bsc#1221816). +- scsi: qla2xxx: Fix double free of fcport (bsc#1221816). +- scsi: qla2xxx: Fix double free of the ha->vp_map pointer + (bsc#1221816). +- scsi: qla2xxx: Fix command flush on cable pull (bsc#1221816). +- scsi: qla2xxx: NVME|FCP prefer flag not being honored + (bsc#1221816). +- scsi: qla2xxx: Update manufacturer detail (bsc#1221816). +- scsi: qla2xxx: Split FCE|EFT trace control (bsc#1221816). +- scsi: qla2xxx: Fix N2N stuck connection (bsc#1221816). +- scsi: qla2xxx: Prevent command send on chip reset (bsc#1221816). +- commit 5c3d977 + +- net/bnx2x: Prevent access to a freed page in page_pool + (bsc#1215322). +- commit c9d3937 + +- Revert "fbdev: flush deferred IO before closing (git-fixes)." (bsc#1221814) + This reverts commit 81476d7e609a6d383f3d404542eebc93cebd0a4d. + This fixes bsc#1221814 +- commit a7a9087 + kexec-tools +- fix kexec-bootloader path in kexec-load.service (bsc#1222245) + libnvme +- Update to version 1.8+8.g8c9685f: (bsc#1222026) + * nbft: Whitespace fixes + * tests: Add complex NBFT table from Dell R660 + * tests: Adapt to added NBFT SSNS flags + * nbft: Add SSNS 'discovered' flag + * nbft: Add SSNS 'unavailable' flag + * doc: Document the NBFT API + * log: Respect DEFAULT_LOGLEVEL on uninitialized logging + * log: Introduce nvme_get_logging_level() + libssh +- Fix regression parsing IPv6 addresses provided as hostname (bsc#1220385) + * Added libssh-fix-ipv6-hostname-regression.patch + libssh2_org +- Fix an issue with Encrypt-then-MAC family. [bsc#1221622] + * Test the ETM feature in the remote end's configuration when + receiving data. Upstream issue: #1331. + * Add libssh2_org-ETM-remote.patch + libvirt +- security: Ensure file exists before attempting to restore label + bsc#1220714 + +- qemu: Fix migration from libvirt older than 9.10.0 when vmx is enabled + bsc#1221879 + lightdm-gtk-greeter-branding-openSUSE +- Use 1600x1200.png now when we've changed backgrounds to png + Details in https://github.com/openSUSE/branding/pull/149 + +- Fix default theme entry because Greybird-Geeko-Light renamed to + Greybird-geeko + ncurses +- Add patch ncurses-6.1-bsc1220061.patch (bsc#1220061, CVE-2023-45918) + * Backport from ncurses-6.4-20230615.patch + improve checks in convert_string() for corrupt terminfo entry + + (bsc#1218014) nfs-utils +- Update to 2.6.4, to get many improvements, particularly + got NFS-over-TLS support + (bsc#1220075) + Patches removed because that have been included upstream: + nsm-headers.patch + 0001-conffile-ignore-empty-environment-variables.patch + 0002-mount-call-setgroups-before-setuid.patch + 0003-nfs-server-generator-handle-noauto-mounts-correctly.patch + 0002-Let-systemd-know-when-rpc.statd-is-needed.patch + 0003-systemd-run-statd-notify-even-when-nfs-client-isn-t-.patch + 0007-statd-user-from-sm + 0008-gssd-replace-non-thread-safe-strtok-with-strsep.patch + 0009-Convert-remaining-python-scripts-to-python3.patch + 0010-gssd-Fix-locking-for-machine-principal-list.patch + 0011-manpage-Add-a-description-of-the-nconnect-mount-opti.patch + 0012-mountd-reject-unknown-client-IP-when-use_ipaddr.patch + 0013-mountd-Don-t-proactively-add-export-info-when-fh-inf.patch + 0014-mountd-update-man-page.patch + 0015-mountd-add-logging-for-authentication-results-for-ac.patch + 0016-mountd-add-cache-use-ipaddr-option-to-force-use_ipad.patch + 0017-mountd-make-default-ttl-settable-by-option.patch + 0018-Replace-all-var-run-with-run.patch + 0019-gssd-use-mutex-to-protect-decrement-of-refcount.patch + 0020-mountd-Initialize-logging-early.patch + 0021-mount.nfs-insert-sloppy-at-beginning-of-the-options.patch + 0022-mount.nfs-Fix-the-sloppy-option-processing.patch + 0023-cache.c-removed-a-couple-warning.patch + 0024-systemd-Apply-all-sysctl-settings-when-NFS-related-m.patch + 0025-nfsdcltrack-getopt_long-fails-on-a-non-x86_64-archs.patch + 0026-modprobe-avoid-error-messages-if-sbin-sysctl-fail.patch + 0027-nfsd-allow-server-scope-to-be-set-with-config-or-com.patch + 0028-mount.nfs-always-include-mountpoint-or-spec-if-error.patch + 0029-nfsd.man-fix-typo-in-section-on-scope.patch + 0030-systemd-use-correct-modprobe-d-directory + 0031-mountd-don-t-advertise-krb5-for-v4root-when-not-conf.patch + 0032-exportfs-Ingnore-export-failures-in-nfs-server.seriv.patch + Patches added from upstream, or to fix build errors: + 0001-exportfs-remove-warning-if-neither-subtree_check-or-.patch + 0002-conffile-don-t-report-error-from-conf_init_file.patch + 0003-conffile-allow-usr-etc-to-provide-any-config-files-e.patch + 0004-fsidd-call-anonymous-sockets-by-their-name-only-don-.patch + buildfix.patch + nghttp2 + fix CVE-2024-28182 [bsc#1221399], HTTP/2 CONTINUATION frames can be utilized for DoS attacks + + nghttp2-CVE-2024-28182-1.patch + fix CVE-2024-28182-2 [bsc#1221399], HTTP/2 CONTINUATION frames can be utilized for DoS attacks + + nghttp2-CVE-2024-28182-2.patch + +- security update +- added patches nvme-cli +- Update to version 2.8+12.g34d799c: + * sed: update SED password when initalizing (bsc#1222168) + * nbft: Include SSNS index in error messages (bsc#1222026) + * nbft: Pause logging for expected connection failures (bsc#1222026) + * nbft: Silence connection failures for unavailable SSNS (bsc#1222026) + * nbft: Fix 'verbose' argument type (bsc#1222026) + * logging: track log level globally + * logging: move logging code to a new file + * nvme: update include for libnvme + * nvme-netapp: add nspath tlv handling (bsc#1220971) + openssh +- Update to openssh 9.6p1: + = Security + * ssh(1), sshd(8): implement protocol extensions to thwart the + so-called "Terrapin attack" discovered by Fabian Bäumer, Marcus + Brinkmann and Jörg Schwenk. This attack allows a MITM to effect a + limited break of the integrity of the early encrypted SSH transport + protocol by sending extra messages prior to the commencement of + encryption, and deleting an equal number of consecutive messages + immediately after encryption starts. A peer SSH client/server + would not be able to detect that messages were deleted + (bsc#1217950, CVE-2023-48795). + * ssh-agent(1): when adding PKCS#11-hosted private keys while + specifying destination constraints, if the PKCS#11 token returned + multiple keys then only the first key had the constraints applied. + Use of regular private keys, FIDO tokens and unconstrained keys + are unaffected. + * ssh(1): if an invalid user or hostname that contained shell + metacharacters was passed to ssh(1), and a ProxyCommand, + LocalCommand directive or "match exec" predicate referenced the + user or hostname via %u, %h or similar expansion token, then + an attacker who could supply arbitrary user/hostnames to ssh(1) + could potentially perform command injection depending on what + quoting was present in the user-supplied ssh_config(5) directive. + = Potentially incompatible changes + * ssh(1), sshd(8): the RFC4254 connection/channels protocol provides + a TCP-like window mechanism that limits the amount of data that + can be sent without acceptance from the peer. In cases where this + limit was exceeded by a non-conforming peer SSH implementation, + ssh(1)/sshd(8) previously discarded the extra data. From OpenSSH + 9.6, ssh(1)/sshd(8) will now terminate the connection if a peer + exceeds the window limit by more than a small grace factor. This + change should have no effect of SSH implementations that follow + the specification. + = New features + * ssh(1): add a %j token that expands to the configured ProxyJump + hostname (or the empty string if this option is not being used) + that can be used in a number of ssh_config(5) keywords. bz3610 + * ssh(1): add ChannelTimeout support to the client, mirroring the + same option in the server and allowing ssh(1) to terminate + quiescent channels. + * ssh(1), sshd(8), ssh-add(1), ssh-keygen(1): add support for + reading ED25519 private keys in PEM PKCS8 format. Previously + only the OpenSSH private key format was supported. + * ssh(1), sshd(8): introduce a protocol extension to allow + renegotiation of acceptable signature algorithms for public key + authentication after the server has learned the username being + used for authentication. This allows varying sshd_config(5) + PubkeyAcceptedAlgorithms in a "Match user" block. + * ssh-add(1), ssh-agent(1): add an agent protocol extension to allow + specifying certificates when loading PKCS#11 keys. This allows the + use of certificates backed by PKCS#11 private keys in all OpenSSH + tools that support ssh-agent(1). Previously only ssh(1) supported + this use-case. + = Bugfixes + * ssh(1): when deciding whether to enable the keystroke timing + obfuscation, enable it only if a channel with a TTY is active. + * ssh(1): switch mainloop from poll(3) to ppoll(3) and mask signals + before checking flags set in signal handler. Avoids potential + race condition between signaling ssh to exit and polling. bz3531 + * ssh(1): when connecting to a destination with both the + AddressFamily and CanonicalizeHostname directives in use, + the AddressFamily directive could be ignored. bz5326 + * sftp(1): correct handling of the limits@openssh.com option when + the server returned an unexpected message. + * A number of fixes to the PuTTY and Dropbear regress/integration + tests. + * ssh(1): release GSS OIDs only at end of authentication, avoiding + unnecessary init/cleanup cycles. bz2982 + * ssh_config(5): mention "none" is a valid argument to IdentityFile + in the manual. bz3080 + * scp(1): improved debugging for paths from the server rejected for + not matching the client's glob(3) pattern in old SCP/RCP protocol + mode. + * ssh-agent(1): refuse signing operations on destination-constrained + keys if a previous session-bind operation has failed. This may + prevent a fail-open situation in future if a user uses a mismatched + ssh(1) client and ssh-agent(1) where the client supports a key type + that the agent does not support. +- Update to openssh 9.5p1: + = Potentially incompatible changes + * ssh-keygen(1): generate Ed25519 keys by default. Ed25519 public keys + are very convenient due to their small size. Ed25519 keys are + specified in RFC 8709 and OpenSSH has supported them since version 6.5 + (January 2014). + * sshd(8): the Subsystem directive now accurately preserves quoting of + subsystem commands and arguments. This may change behaviour for exotic + configurations, but the most common subsystem configuration + (sftp-server) is unlikely to be affected. + = New features + * ssh(1): add keystroke timing obfuscation to the client. This attempts + to hide inter-keystroke timings by sending interactive traffic at + fixed intervals (default: every 20ms) when there is only a small + amount of data being sent. It also sends fake "chaff" keystrokes for + a random interval after the last real keystroke. These are + controlled by a new ssh_config ObscureKeystrokeTiming keyword. + * ssh(1), sshd(8): Introduce a transport-level ping facility. This adds + a pair of SSH transport protocol messages SSH2_MSG_PING/PONG to + implement a ping capability. These messages use numbers in the "local + extensions" number space and are advertised using a "ping@openssh.com" + ext-info message with a string version number of "0". + * sshd(8): allow override of Subsystem directives in sshd Match blocks. + = Bugfixes + * scp(1): fix scp in SFTP mode recursive upload and download of + directories that contain symlinks to other directories. In scp mode, + the links would be followed, but in SFTP mode they were not. bz3611 + * ssh-keygen(1): handle cr+lf (instead of just cr) line endings in + sshsig signature files. + * ssh(1): interactive mode for ControlPersist sessions if they + originally requested a tty. + * sshd(8): make PerSourceMaxStartups first-match-wins + * sshd(8): limit artificial login delay to a reasonable maximum (5s) + and don't delay at all for the "none" authentication mechanism. + bz3602 + * sshd(8): Log errors in kex_exchange_identification() with level + verbose instead of error to reduce preauth log spam. All of those + get logged with a more generic error message by sshpkt_fatal(). + * sshd(8): correct math for ClientAliveInterval that caused the probes + to be sent less frequently than configured. + * ssh(1): fix regression in OpenSSH 9.4 (mux.c r1.99) that caused + multiplexed sessions to ignore SIGINT under some circumstances. +- Update to openssh 9.4p1: + = Potentially incompatible changes + * This release removes support for older versions of libcrypto. + OpenSSH now requires LibreSSL >= 3.1.0 or OpenSSL >= 1.1.1. + Note that these versions are already deprecated by their upstream + vendors. + * ssh-agent(1): PKCS#11 modules must now be specified by their full + paths. Previously dlopen(3) could search for them in system + library directories. + = New features + * ssh(1): allow forwarding Unix Domain sockets via ssh -W. + * ssh(1): add support for configuration tags to ssh(1). + This adds a ssh_config(5) "Tag" directive and corresponding + "Match tag" predicate that may be used to select blocks of + configuration similar to the pf.conf(5) keywords of the same + name. + * ssh(1): add a "match localnetwork" predicate. This allows matching + on the addresses of available network interfaces and may be used to + vary the effective client configuration based on network location. + * ssh(1), sshd(8), ssh-keygen(1): infrastructure support for KRL + extensions. This defines wire formats for optional KRL extensions + and implements parsing of the new submessages. No actual extensions + are supported at this point. + * sshd(8): AuthorizedPrincipalsCommand and AuthorizedKeysCommand now + accept two additional %-expansion sequences: %D which expands to + the routing domain of the connected session and %C which expands + to the addresses and port numbers for the source and destination + of the connection. + * ssh-keygen(1): increase the default work factor (rounds) for the + bcrypt KDF used to derive symmetric encryption keys for passphrase + protected key files by 50%. + = Bugfixes + * ssh-agent(1): improve isolation between loaded PKCS#11 modules + by running separate ssh-pkcs11-helpers for each loaded provider. + * ssh(1): make -f (fork after authentication) work correctly with + multiplexed connections, including ControlPersist. bz3589 bz3589 + * ssh(1): make ConnectTimeout apply to multiplexing sockets and not + just to network connections. + * ssh-agent(1), ssh(1): improve defences against invalid PKCS#11 + modules being loaded by checking that the requested module + contains the required symbol before loading it. + * sshd(8): fix AuthorizedPrincipalsCommand when AuthorizedKeysCommand + appears before it in sshd_config. Since OpenSSH 8.7 the + AuthorizedPrincipalsCommand directive was incorrectly ignored in + this situation. bz3574 + * sshd(8), ssh(1), ssh-keygen(1): remove vestigal support for KRL + signatures When the KRL format was originally defined, it included + support for signing of KRL objects. However, the code to sign KRLs + and verify KRL signatues was never completed in OpenSSH. This + release removes the partially-implemented code to verify KRLs. + All OpenSSH tools now ignore KRL_SECTION_SIGNATURE sections in + KRL files. + * All: fix a number of memory leaks and unreachable/harmless integer + overflows. + * ssh-agent(1), ssh(1): don't truncate strings logged from PKCS#11 + modules; GHPR406 + * sshd(8), ssh(1): better validate CASignatureAlgorithms in + ssh_config and sshd_config. Previously this directive would accept + certificate algorithm names, but these were unusable in practice as + OpenSSH does not support CA chains. bz3577 + * ssh(1): make `ssh -Q CASignatureAlgorithms` only list signature + algorithms that are valid for CA signing. Previous behaviour was + to list all signing algorithms, including certificate algorithms. + * ssh-keyscan(1): gracefully handle systems where rlimits or the + maximum number of open files is larger than INT_MAX; bz3581 + * ssh-keygen(1): fix "no comment" not showing on when running + `ssh-keygen -l` on multiple keys where one has a comment and other + following keys do not. bz3580 + * scp(1), sftp(1): adjust ftruncate() logic to handle servers that + reorder requests. Previously, if the server reordered requests then + the resultant file would be erroneously truncated. + * ssh(1): don't incorrectly disable hostname canonicalization when + CanonicalizeHostname=yes and ProxyJump was expicitly set to + "none". bz3567 + * scp(1): when copying local->remote, check that the source file + exists before opening an SFTP connection to the server. Based on + GHPR#370 +- Dropped patches: + * cb4ed12f.patch - implemented upstream. +- Rebased patches: + * openssh-7.7p1-fips.patch + * openssh-7.8p1-role-mls.patch + * openssh-8.0p1-gssapi-keyex.patch +- Add patches from obs: + * Mon Mar 4 09:57:06 UTC 2024 - Pedro Monreal <pmonreal@suse.com> +- Add crypto-policies support [bsc#1211301] + * Add patches: + - openssh-9.6p1-crypto-policies.patch + - openssh-9.6p1-crypto-policies-man.patch + +- Rebase openssh-7.7p1-fips.patch (bsc#1221928) + Remove OPENSSL_HAVE_EVPGCM-ifdef, which is no longer supported by upstream + +- Use %config(noreplace) for sshd_config . In any case, it's + recommended to drop a file in sshd_config.d instead of editing + sshd_config (bsc#1221063) +- Add patches from obs package that were also in SP3/SP4/SP5: + * Fri Nov 3 10:44:14 UTC 2023 - Johannes Segitz <jsegitz@suse.com> + - Enhanced SELinux functionality. Added + * openssh-7.8p1-role-mls.patch + Proper handling of MLS systems and basis for other SELinux + improvements + * openssh-6.6p1-privsep-selinux.patch + Properly set contexts during privilege separation + * openssh-6.6p1-keycat.patch + Add ssh-keycat command to allow retrival of authorized_keys + on MLS setups with polyinstantiation + * openssh-6.6.1p1-selinux-contexts.patch + Additional changes to set the proper context during privilege + separation + * openssh-7.6p1-cleanup-selinux.patch + Various changes and putting the pieces together + For now we don't ship the ssh-keycat command, but we need the patch + for the other SELinux infrastructure + This change fixes issues like bsc#1214788, where the ssh daemon + needs to act on behalf of a user and needs a proper context for this + openssh-askpass-gnome +- Update to openssh 9.6p1: + * No changes for askpass, see main package changelog for + details. + plasma5-openSUSE +- Set also defaultFileSuffix in metadata.desktop to the right + wallpaper file extension (boo#1223125) + +- Remove unneeded echo and double whitespace + +- Remove patches used as sources and replace them with direct + ln -s and sed commands: + * lookandfeel.diff, sddmtheme.diff, lookandfeel_jpg.diff, + sddmtheme_jpg.diff +- Use %require_ge for wallpaper-branding-openSUSE + +- Use lookandfeel_jpg.diff and sddmtheme_jpg.diff on Leap <=15.5 + TW and Leap 15.6+ use png for the default wallpaper + +- Modify lookandfeel.diff and sddmtheme.diff to support + branding-openSUSE 84.87.20240405 which replaces jpg wallpapers + with png ones. +- Require at least wallpaper-branding-openSUSE 84.87.20240405 + to make sure the png wallpapers exist. + python3 +- Add bpo38361-syslog-no-slash-ident.patch (bsc#1222109, + gh#python/cpython!16557) fixes syslog making default "ident" + from sys.argv[0]. + rpm +- backport signature reserved space handling from upstream + * new patch: sigreserved.diff + +- turn on imaevm file signature support and move the imaevm code + that needs the libimaevm library into a plugin. Put this + plugin into a new "rpm-imaevmsign" subpackage. [jsc#PED-7246] + * new patch: imaevmsignplugin.diff + systemd +- Update 1010-sysv-generator-add-back-support-for-SysV-scripts-for.patch (bsc#1221479) + Really skip redundant dependencies specified the LSB description that + references the file name of the service itself for early boot scripts. + Note that the dropped code was incorrect as it didn't freed the original + allocated pointer 'filename' but 'filename+5'. + +- Add 1018-man-Restore-systemd.unified_cgroup_hierarchy-0-cmdli.patch (jsc#PED-5849) + +- Import commit 0dfcbead8caf4cac7db6d03e7b52b7516e5842fb (merge of v254.10) + For a complete list of changes, visit: + https://github.com/openSUSE/systemd/compare/8baddb9037b88fec2b700226914fa2eac2c04a13...0dfcbead8caf4cac7db6d03e7b52b7516e5842fb + tecla-keyboard-layout-viewer +- Add tecla-return-NULL-if-no-xkb_keymap.patch: + Backporting d6760195 from upstream, Fix tecla crash in Czech(QWERTY) + keyboard in SLE. avoid to return NULL if no xkb_keymap could be + created due to does not know about the given name/variant. + (bsc#1220208) + +- Add tecla-handle-TeclaModel-constructor-returning-NULL.patch: + Backporting 931112ae from upstream, Fix tecla crash in Czech(QWERTY) + keyboard in SLE. This might be the case if an unknown keymap name + is passed as a commandline argument. We ATM just show a window with + empty keys. + (bsc#1220208) + transmission +- Build with gcc13 on Leap 15 + +- Fix build with recent cmake macro change (DOCDIR): do not install + the documentation using cmake, as we already do so using %doc. + Change if(INSTALL_DOC) to if(FALSE) in CMakeLists.txt. The more + obvious option of passing -DINSTALL_DOC=OFF is ot viable, as that + also disables installing the man pages. + +- Migrate from update-alternatives to libalternatives (bsc#1219107). + +- Add correct creation of the transmission user/group (needed by the + latest RPM 4.19). +- Remove now useless Provides in the daemon subpackage. + +- Have transmission-daemon provide user(transmission) and + group(transmission): the user/group are generated in the pre + scriptlet using useradd/groupadd. + +- Update to version 4.0.5: + + Fixed 4.0.0 bug where the IP address field in UDP announces were + not encoded in network byte order. + + Fixed a bug that incorrectly escaped JSON strings in some locales. + + Fixed 4.0.4 decreased download speeds for people who set a low + upload bandwidth limit. + + Fixed bug that prevented editing trackers on magnet links. + + Fixed HTTP tracker announces and scrapes sometimes failing after + adding a torrent file by HTTPS URL. + + In RPC responses, change the default sort order of torrents + to match Transmission 3.00. + + Fixed tr_sys_path_copy() behavior on some Synology Devices. + + Fix: only append .added suffix to watchdir files. + + Fixed crash when opening torrent file from "Recently used" + section in GTK 4. + +- Update to version 4.0.4: + + Fixed bug in sending torrent metadata to peers. + + Avoid unnecessary heap memory allocations. + + Fixed filename collision edge case when renaming files. + + Fixed locale errors that broke number rounding when displaying + statistics, e.g. upload / download ratios. + + Always use a fixed-length key query in tracker announces. This + isn't required by the spec, but some trackers rely on that + fixed length because it's common practice by other BitTorrent + clients. + + Fixed potential Windows crash when getstdhandle() returns NULL. + + Fixed 4.0.0 bug where the port numbers in LDP announces are + sometimes malformed. + + Fixed a bug that prevented editing the query part of a tracker + URL. + + Fixed a bug where Transmission may not announce LPD on its + listening interface. + + Made small performance improvements in libtransmission. + + Qt Client: + - Fixed torrent name rendering when showing magnet links in + compact view. + - Fixed bug that broke the "Move torrent file to trash" + setting. + - Fixed Qt 6.4 deprecation warning. + - Fixed poor resolution of Qt application icon. + + GTK Client: Fixed missing 'Remove torrent' tooltip. + + Web Client: + - Don't show null as a tier name in the inspector's tier list. + - Fixed truncated play / pause icons. + - Fixed overflow when rendering peer lists and made speed + indicators honor prefers-color-scheme media queries. + - Made the main menu accessible even on smaller displays. + + transmission-cli: + - Fixed "no such file or directory" warning when adding a + magnet link. + - Fixed bug that caused the wrong decimal separator to be used + in some locales. + + transmission-remote: Fixed display bug that failed to show some + torrent labels. + + Everything Else: + - Ran all PNG files through lossless compressors to make them + smaller. + - Fixed potential build issue when compiling on macOS with gcc. + wicked +- client: do not convert sec to msec twice (bsc#1222105) + [+ 0005-client-do-to-not-convert-sec-to-msec-twice-bsc-1222105.patch] + wireplumber +- Update to version 0.5.1: + * Highlights: + - Added a guide documenting how to migrate configuration from + 0.4 to 0.5, also available online at: + https://pipewire.pages.freedesktop.org/wireplumber/daemon/configuration/migration.html + If you are packaging WirePlumber for a distribution, please + consider informing users about this. Installing the + wireplumber-doc subpackage, this file can be read by running: + xdg-open /usr/share/doc/wireplumber/html/daemon/configuration/migration.html + * Fixes: + - Fixed an odd issue where microphones would stop being usable + when a Bluetooth headset was connected in the HSP/HFP profile + (#598, !620) + - Fixed an issue where it was not possible to store the + volume/mute state of system notifications (#604) + - Fixed a rare crash that could occur when a node was destroyed + while the 'select-target' event was still being processed + (!621) + - Fixed deleting all the persistent settings via + wpctl --delete (!622) + - Fixed using Bluetooth autoswitch with A2DP profiles that have + an input route (!624) + - Fixed sending an error to clients when linking fails due to a + format mismatch (!625) + * Additions: + - Added a check that prints a verbose warning when old-style + 0.4.x Lua configuration files are found in the system. (#611) + - The "policy-dsp" script, used in Asahi Linux to provide a + software DSP for Apple Sillicon devices, has now been ported + to 0.5 properly and documented (#619, !627) +- Remove patch already included upstream: + * 0001-filter-utils-fix-handling-of-targetless-smart-filters.patch +- Enable documentation generation and create new doc subpackage + including the documentation that can be read by running: + xdg-open /usr/share/doc/wireplumber/html/index.html + xfce4-branding-openSUSE +- Update to version 4.18.0+git4.79f6d44: + * Fix wallpaper folder structure + * Better split tumbleweed and leap wallpapers + * Added old wallpaper symlinks still needed by leap + +- Update to version 4.18.0+git1.8b02118: + * Tumbleweed now uses png for default.wallpaper + xorg-x11-server +- U_render-Avoid-possible-double-free-in-ProcRenderAddGl.patch + * fixes regression for security fix for CVE-2024-31083 (bsc#1222312, + boo#1222442, gitlab xserver issue #1659) + +- U_CVE-2024-31080-Xi-ProcXIGetSelectedEvents-needs-to-use-unswapped-le.patch + * Xi: ProcXIGetSelectedEvents needs to use unswapped length + (CVE-2024-31080, bsc#1222309) +- U_CVE-2024-31081-Xi-ProcXIPassiveGrabDevice-needs-to-use-unswapped-le.patch + * Xi: ProcXIPassiveGrabDevice needs to use unswapped length to send reply + (CVE-2024-31081, bsc#1222310) +- U_CVE-2024-31082-Xquartz-ProcAppleDRICreatePixmap-needs-to-use-unswap.patch + * Xquartz: ProcAppleDRICreatePixmap needs to use unswapped length to send reply + (CVE-2024-31082, bsc#1222311) +- U_CVE-2024-31083-render-fix-refcounting-of-glyphs-during-ProcRenderAd.patch + * render: fix refcounting of glyphs during ProcRenderAddGlyphs + (CVE-2024-31083, bsc#1222312) + xterm +- xterm-reset-parsing-state.patch: A bug in the parser for several + escape sequences causes the first character following the + sequence to be ignored (bsc#1220585). Patch backported from + version 335n. + xwayland +- U_render-Avoid-possible-double-free-in-ProcRenderAddGl.patch + * fixes regression for security fix for CVE-2024-31083 (bsc#1222312, + boo#1222442, gitlab xserver issue #1659) + +- U_CVE-2024-31080-Xi-ProcXIGetSelectedEvents-needs-to-use-unswapped-le.patch + * Xi: ProcXIGetSelectedEvents needs to use unswapped length + (CVE-2024-31080, bsc#1222309) +- U_CVE-2024-31081-Xi-ProcXIPassiveGrabDevice-needs-to-use-unswapped-le.patch + * Xi: ProcXIPassiveGrabDevice needs to use unswapped length to send reply + (CVE-2024-31081, bsc#1222310) +- U_CVE-2024-31083-render-fix-refcounting-of-glyphs-during-ProcRenderAd.patch + * render: fix refcounting of glyphs during ProcRenderAddGlyphs + (CVE-2024-31083, bsc#1222312) + xz -- Build static library on SLE - -- update to 5.4.6: - * Fixed a bug involving internal function pointers in liblzma - not being initialized to NULL. The bug can only be - triggered if lzma_filters_update() is called on a LZMA1 - encoder, so it does not affect xz or any application known - to us that uses liblzma. - * Fixed a regression introduced in 5.4.2 that caused - encoding in the raw format to unnecessarily fail if --suffix - was not used. For instance, the following command no longer - reports that --suffix must be used: - echo foo | xz --format=raw --lzma2 | wc -c - * Fixed an issue on MinGW-w64 builds that prevented - reading from or writing to non-terminal character devices - like NUL. - * Added a new test. +- revert to 5.4.1, last release from Lasse Collin -- Update to version 5.4.5: - * liblzma: - - Fixed an assertion failure that could be triggered by a large - unpadded_size argument. It was verified that there was no - other bug than the assertion failure. - - Fixed a bug that prevented building with Windows Vista - threading when __attribute__((__constructor__)) is not - supported. - * xz now properly handles special files such as "con" or "nul" on - Windows. Before this fix, the following wrote "foo" to the - console and deleted the input file "con_xz": - echo foo | xz > con_xz - xz --suffix=_xz --decompress con_xz - * Small fixes and improvements to the tests. - * Updated translations: Chinese (simplified) and Esperanto. +- Build static library on SLE -- Update to version 5.4.4: - * liblzma and xzdec can now build against WASI SDK when threading - support is disabled. xz and tests don't build yet. - * documentation update - * translations update - -- Update to version 5.4.3: - * Build system fixes - * Translation updates: Croatian -- update signing key - -- Update to version 5.4.2: - * All fixes from 5.2.11 that were not included in 5.4.1. - * If xz is built with support for the Capsicum sandbox but running - in an environment that doesn't support Capsicum, xz now runs - normally without sandboxing instead of exiting with an error. - * liblzma: - - Documentation was updated to improve the style, consistency, - and completeness of the liblzma API headers. - - The Doxygen-generated HTML documentation for the liblzma API - header files is now included in the source release and is - installed as part of "make install". All JavaScript is - removed to simplify license compliance and to reduce the - install size. - - Fixed a minor bug in lzma_str_from_filters() that produced - too many filters in the output string instead of reporting - an error if the input array had more than four filters. This - bug did not affect xz. - * Build systems: - - autogen.sh now invokes the doxygen tool via the new wrapper - script doxygen/update-doxygen, unless the command line option - - -no-doxygen is used. - - Added microlzma_encoder.c and microlzma_decoder.c to the - VS project files for Windows and to the CMake build. These - should have been included in 5.3.2alpha. - * Tests: - - Added a test to the CMake build that was forgotten in the - previous release. - - Added and refactored a few tests. - * Translations: - - Updated the Brazilian Portuguese translation. - - Added Brazilian Portuguese man page translation. - yast2-bootloader +- Follow up of previous change to use even more precise wording + (bsc#1219989,bsc#1222353) +- 4.6.7 + yast2-installation +- Adapted call for connecting all discovered NVMe-over-Fabrics + subsystems (bsc#1222246). +- 4.6.12 + yast2-storage-ng +- Fix unlimited-sized fake device graphs (bsc#1221222) +- 4.6.17 +