Packages changed:
  ca-certificates-mozilla
  ceph (15.1.0.1521+gcdf35413a0 -> 15.2.0.108+g8cf4f02b08)
  cloud-init
  conmon (2.0.14 -> 2.0.15)
  cpio
  cri-tools (1.17.0 -> 1.18.0)
  cryptsetup (2.3.0 -> 2.3.1)
  elfutils (0.178 -> 0.179)
  haproxy (2.1.3+git0.5c020bbdd -> 2.1.4+git0.3cfc2f1d9)
  k9s (0.15.2 -> 0.18.1)
  kdump
  kexec-tools
  krb5
  kubernetes
  mozilla-nss (3.50 -> 3.51)
  nano (4.9 -> 4.9.1)
  ncurses
  open-iscsi
  openSUSE-build-key
  podman
  rook (1.2.6+git0.g99024013 -> 1.2.7+git0.g1acfd182)
  setools (4.2.2 -> 4.3.0)
  wpa_supplicant
  yast2 (4.2.78 -> 4.2.80)

=== Details ===

==== ca-certificates-mozilla ====

- also run update-ca-certificates in %posttrans

==== ceph ====
Version update (15.1.0.1521+gcdf35413a0 -> 15.2.0.108+g8cf4f02b08)
Subpackages: ceph-common libcephfs2 librados2 libradosstriper1 librbd1 librgw2 python3-ceph-argparse python3-ceph-common python3-cephfs python3-rados python3-rbd python3-rgw

- Update to 15.2.0-108-g8cf4f02b08:
  + rebase on tip of upstream "octopus" branch, SHA1 9267cc03e1b1612109dd57cc6ce74c34ed1f1d00
    * cephadm: Fix truncated output of "ceph mgr dump"
- Update to 15.2.0-29-g274f7bc2e7:
  + rebase on tip of upstream "octopus" branch, SHA1 a8062613c81ad08815edcdf06e668fcc77270a03
    * upstream 15.2.0 (first Octopus stable) release
      https://ceph.io/releases/v15-2-0-octopus-released/
- Update to 15.1.1-220-g0f87374dc1:
  + rebase on tip of upstream "octopus" branch, SHA1 243cbd6224921f7f5c2463705c75cb9eafd0db5c
    * upstream 15.1.1 (Octopus release candidate) release
      https://github.com/ceph/ceph/releases/tag/v15.1.1
  + cephadm: read everything when calling "ceph mgr dump"
- Update to 15.1.0-2160-g310e512e18:
  + rebase on tip of upstream "octopus" branch, SHA1 465f3855623e30f3b4694f3090adbe27c8cd49c3
- Update to 15.1.0-1766-g3d31471523:
  + rebase on tip of upstream master, SHA1 25b8ecc216b02e848f9719ced8c84670de656e78

==== cloud-init ====

- Update cloud-init-write-routes.patch
  + In cases where the config contains 2 or more default gateway specifications for an interface only write the first default route, log warning message about skipped routes
  + Avoid writing invalid route specification if neither the network nor destination is specified in the route configuration
- Update cloud-init-write-routes.patch
  + Still need to consider the "network" configuration option for the v1 config implementation. Fixes regression introduced with update from Wed Feb 12 19:30:42
- Update cloud-init-write-routes.patch (bsc#1165296)
  + Add the default gateway to the ifroute config file when specified as part of the subnet configuration
  + Fix typo to properly extract provided netmask data (bsc#1163178)

==== conmon ====
Version update (2.0.14 -> 2.0.15)

- Enable support for journald logging (bsc#1162432)
- Update to v2.0.15
  - store status while waiting for pid

==== cpio ====

- starting with GCC 10, the default of '-fcommon' option will change to '-fno-common'. Because cpio build fails with 'fno-common', add '-fcommon' option to optflags as a temporary workaround for this problem till it's properly fixed [bsc#1160870]

==== cri-tools ====
Version update (1.17.0 -> 1.18.0)

- Update to v1.18.0:
  * Main Changes
    * Update Kubernetes to v1.18.0
    * Switch to urfave/cli/v2
  * CRI CLI (crictl)
    * Use ContextDialer to fix build
    * Add go-template option for inspect commands
    * Fix invalid log_path in docs
  * CRI validation testing (critest)
    * Make apparmor failure test more flexible
    * Start container before fetching metrics
    * Cleanup container create test to reduce duplication
    * Add container stats test

==== cryptsetup ====
Version update (2.3.0 -> 2.3.1)
Subpackages: libcryptsetup12

- Split translations to -lang package
- New version to 2.3.1
  * Support VeraCrypt 128 bytes passwords. VeraCrypt now allows passwords of maximal length 128 bytes (compared to legacy TrueCrypt where it was limited by 64 bytes).
  * Strip extra newline from BitLocker recovery keys. There might be a trailing newline added by the text editor when the recovery passphrase was passed using the --key-file option.
  * Detect separate libiconv library. It should fix compilation issues on distributions with iconv implemented in a separate library.
  * Various fixes and workarounds to build on old Linux distributions.
  * Split lines with hexadecimal digest printing for large key-sizes.
  * Do not wipe the device with no integrity profile. With --integrity none we performed useless full device wipe.
  * Workaround for dm-integrity kernel table bug. Some kernels show an invalid dm-integrity mapping table if superblock contains the "recalculate" bit. This causes integritysetup to not recognize the dm-integrity device. Integritysetup now specifies kernel options such a way that even on unpatched kernels mapping table is correct.
  * Print error message if LUKS1 keyslot cannot be processed. If the crypto backend is missing support for hash algorithms used in PBKDF2, the error message was not visible.
  * Properly align LUKS2 keyslots area on conversion. If the LUKS1 payload offset (data offset) is not aligned to 4 KiB boundary, new LUKS2 keyslots area is now aligned properly.
  * Validate LUKS2 earlier on conversion to not corrupt the device if binary keyslots areas metadata are not correct.

==== elfutils ====
Version update (0.178 -> 0.179)
Subpackages: libasm1 libdw1 libelf1

- Update to version 0.179:
  debuginfod-client:
    When DEBUGINFOD_PROGRESS is set and the program doesn't install its own debuginfod_progressfn_t show download progress on stderr.
    DEBUGINFOD_TIMEOUT is now defined as seconds to get at least 100K, defaults to 90 seconds.
    Default to $XDG_CACHE_HOME/debuginfod_client.
    New functions debuginfod_set_user_data, debuginfod_get_user_data, debuginfod_get_url and debuginfod_add_http_header.
    Support for file:// URLs.
  debuginfod:
    Uses libarchive directly for reading rpm archives.
    Support for indexing .deb/.ddeb archives through dpkg-deb or bsdtar.
    Generic archive support through -Z EXT[=CMD]. Which can be used for example for arch-linux pacman files by using -Z '.tar.zst=zstdcat'.
    Better logging using User-Agent and X-Forwarded-For headers.
    More prometheus metrics.
    Support for eliding dots or extraneous slashes in path names.
  debuginfod-find:
    Accept /path/names in place of buildid hex.
  libelf:
    Handle PN_XNUM in elf_getphdrnum before shdr 0 is cached
    Ensure zlib resource cleanup on failure.
  libdwfl:
    dwfl_linux_kernel_find_elf and dwfl_linux_kernel_report_offline now find and handle a compressed vmlinuz image.
  readelf, elflint:
    Handle PT_GNU_PROPERTY.
  translations:
    Updated Ukrainian translation.

==== haproxy ====
Version update (2.1.3+git0.5c020bbdd -> 2.1.4+git0.3cfc2f1d9)

- Update to version 2.1.4+git0.3cfc2f1d9: (boo#1168023) CVE-2020-11100
  - SCRIPTS: make announce-release executable again
  - BUG/MINOR: namespace: avoid closing fd when socket failed in my_socketat
  - BUG/MEDIUM: muxes: Use the right argument when calling the destroy method.
  - BUG/MINOR: mux-fcgi: Forbid special characters when matching PATH_INFO param
  - MINOR: mux-fcgi: Make the capture of the path-info optional in pathinfo regex
  - SCRIPTS: announce-release: use mutt -H instead of -i to include the draft
  - MINOR: http-htx: Add a function to retrieve the headers size of an HTX message
  - MINOR: filters: Forward data only if the last filter forwards something
  - BUG/MINOR: filters: Count HTTP headers as filtered data but don't forward them
  - BUG/MINOR: http-htx: Don't return error if authority is updated without changes
  - BUG/MINOR: http-ana: Matching on monitor-uri should be case-sensitive
  - MINOR: http-ana: Match on the path if the monitor-uri starts by a /
  - BUG/MAJOR: http-ana: Always abort the request when a tarpit is triggered
  - MINOR: ist: add an iststop() function
  - BUG/MINOR: http: http-request replace-path duplicates the query string
  - BUG/MEDIUM: shctx: make sure to keep all blocks aligned
  - MINOR: compiler: move CPU capabilities definition from config.h and complete them
  - BUG/MEDIUM: ebtree: don't set attribute packed without unaligned access support
  - BUILD: fix recent build failure on unaligned archs
  - CLEANUP: cfgparse: Fix type of second calloc() parameter
  - BUG/MINOR: sample: fix the json converter's endian-sensitivity
  - BUG/MEDIUM: ssl: fix several bad pointer aliases in a few sample fetch functions
  - BUG/MINOR: connection: make sure to correctly tag local PROXY connections
  - MINOR: compiler: add new alignment macros
  - BUILD: ebtree: improve architecture-specific alignment
  - BUG/MINOR: h2: reject again empty :path pseudo-headers
  - BUG/MINOR: sample: Make sure to return stable IDs in the unique-id fetch
  - BUG/MINOR: dns: ignore trailing dot
  - BUG/MINOR: http-htx: Do case-insensive comparisons on Host header name
  - MINOR: contrib/prometheus-exporter: Add heathcheck status/code in server metrics
  - MINOR: contrib/prometheus-exporter: Add the last heathcheck duration metric
  - BUG/MEDIUM: random: initialize the random pool a bit better
  - MINOR: tools: add 64-bit rotate operators
  - BUG/MEDIUM: random: implement a thread-safe and process-safe PRNG
  - MINOR: backend: use a single call to ha_random32() for the random LB algo
  - BUG/MINOR: checks/threads: use ha_random() and not rand()
  - BUG/MAJOR: list: fix invalid element address calculation
  - MINOR: debug: report the task handler's pointer relative to main
  - BUG/MEDIUM: debug: make the debug_handler check for the thread in threads_to_dump
  - MINOR: haproxy: export main to ease access from debugger
  - BUILD: tools: remove obsolete and conflicting trace() from standard.c
  - BUG/MINOR: wdt: do not return an error when the watchdog couldn't be enabled
  - DOC: fix incorrect indentation of http_auth_*
  - OPTIM: startup: fast unique_id allocation for acl.
  - BUG/MINOR: pattern: Do not pass len = 0 to calloc()
  - DOC: configuration.txt: fix various typos
  - DOC: assorted typo fixes in the documentation and Makefile
  - BUG/MINOR: init: make the automatic maxconn consider the max of soft/hard limits
  - BUG/MAJOR: proxy_protocol: Properly validate TLV lengths
  - REGTEST: make the PROXY TLV validation depend on version 2.2
  - BUG/MINOR: filters: Use filter offset to decude the amount of forwarded data
  - BUG/MINOR: filters: Forward everything if no data filters are called
  - MINOR: htx: Add a function to return a block at a specific offset
  - BUG/MEDIUM: cache/filters: Fix loop on HTX blocks caching the response payload
  - BUG/MEDIUM: compression/filters: Fix loop on HTX blocks compressing the payload
  - BUG/MINOR: http-ana: Reset request analysers on a response side error
  - BUG/MINOR: lua: Ignore the reserve to know if a channel is full or not
  - BUG/MINOR: http-rules: Preserve FLT_END analyzers on reject action
  - BUG/MINOR: http-rules: Fix a typo in the reject action function
  - BUG/MINOR: rules: Preserve FLT_END analyzers on silent-drop action
  - BUG/MINOR: rules: Increment be_counters if backend is assigned for a silent-drop
  - DOC: fix typo about no-tls-tickets
  - DOC: improve description of no-tls-tickets
  - DOC: assorted typo fixes in the documentation
  - DOC: ssl: clarify security implications of TLS tickets
  - BUILD: wdt: only test for SI_TKILL when compiled with thread support
  - BUG/MEDIUM: mt_lists: Make sure we set the deleted element to NULL;
  - MINOR: mt_lists: Appease gcc.
  - BUG/MEDIUM: random: align the state on 2*64 bits for ARM64
  - BUG/MEDIUM: pools: Always update free_list in pool_gc().
  - BUG/MINOR: haproxy: always initialize sleeping_thread_mask
  - BUG/MINOR: listener/mq: do not dispatch connections to remote threads when stopping
  - BUG/MINOR: haproxy/threads: try to make all threads leave together
  - DOC: proxy_protocol: Reserve TLV type 0x05 as PP2_TYPE_UNIQUE_ID
  - DOC: correct typo in alert message about rspirep
  - BUILD: on ARM, must be linked to libatomic.
  - BUILD: makefile: fix regex syntax in ARM platform detection
  - BUILD: makefile: fix expression again to detect ARM platform
  - BUG/MEDIUM: peers: resync ended with RESYNC_PARTIAL in wrong cases.
  - DOC: assorted typo fixes in the documentation
  - MINOR: wdt: Move the definitions of WDTSIG and DEBUGSIG into types/signal.h.
  - BUG/MEDIUM: wdt: Don't ignore WDTSIG and DEBUGSIG in __signal_process_queue().
  - MINOR: memory: Change the flush_lock to a spinlock, and don't get it in alloc.
  - BUG/MINOR: connections: Make sure we free the connection on failure.
  - REGTESTS: use "command -v" instead of "which"
  - REGTEST: increase timeouts on the seamless-reload test
  - BUG/MINOR: haproxy/threads: close a possible race in soft-stop detection
  - BUG/MINOR: peers: init bind_proc to 1 if it wasn't initialized
  - BUG/MINOR: peers: avoid an infinite loop with peers_fe is NULL
  - BUG/MINOR: peers: Use after free of "peers" section.
  - MINOR: listener: add so_name sample fetch
  - BUILD: ssl: only pass unsigned chars to isspace()
  - BUG/MINOR: stats: Fix color of draining servers on stats page
  - DOC: internals: Fix spelling errors in filters.txt
  - MINOR: http-rules: Add a flag on redirect rules to know the rule direction
  - BUG/MINOR: http_ana: make sure redirect flags don't have overlapping bits
  - MINOR: http-rules: Handle the rule direction when a redirect is evaluated
  - BUG/MINOR: http-ana: Reset request analysers on error when waiting for response
  - BUG/CRITICAL: hpack: never index a header into the headroom after wrapping

==== k9s ====
Version update (0.15.2 -> 0.18.1)

- Update to version 0.18.1
  - Many bug fixes
  - Many new features (auto suggestions, revisited logs, k9 plugins)
  - see https://github.com/derailed/k9s/releases/

==== kdump ====

- kdump-make-sure-that-the-udev-runtime-directory-exists.patch: Make sure that the udev runtime directory exists (bsc#1164713).

==== kexec-tools ====

- kexec-tools-Remove-duplicated-variable-declarations.patch: Remove duplicated variable declarations (boo#1160399).
- kexec-tools-s390-Reset-kernel-command-line-on-syscal.patch: s390: Reset kernel command line on syscall fallback (bsc#1167868).

==== krb5 ====

- Fix segfault in k5_primary_domain; (bsc#1167620);
  - Added patches:
    * 0009-Fix-null-dereference-qualifying-short-hostnames.patch

==== kubernetes ====
Subpackages: kubernetes-client kubernetes-kubeadm kubernetes-kubelet-common kubernetes-kubelet1.17 kubernetes-kubelet1.18

- Rename /usr/lib/sysctl.d/50-kubeadm.conf to 90-kubeadm.conf [boo#1163328]
- Dropping all old CaaSP legacy configuration

==== mozilla-nss ====
Version update (3.50 -> 3.51)

- Update previous patch nss-kremlin-ppc64le.patch slightly modified to support also ppc64 (BE) versus initial https://github.com/FStarLang/kremlin/issues/166
- Add patch nss-kremlin-ppc64le.patch to fix ppc and s390x builds
- update to NSS 3.51
  * Updated DTLS 1.3 implementation to Draft-34. (bmo#1608892)
  * Correct swapped PKCS11 values of CKM_AES_CMAC and CKM_AES_CMAC_GENERAL (bmo#1611209)
  * Complete integration of Wycheproof ECDH test cases (bmo#1612259)
  * Check if PPC __has_include() (bmo#1614183)
  * Fix a compilation error for 'getFIPSEnv' "defined but not used" (bmo#1614786)
  * Send DTLS version numbers in DTLS 1.3 supported_versions extension to avoid an incompatibility. (bmo#1615208)
  * SECU_ReadDERFromFile calls strstr on a string that isn't guaranteed to be null-terminated (bmo#1538980)
  * Correct a warning for comparison of integers of different signs: 'int' and 'unsigned long' in security/nss/lib/freebl/ecl/ecp_25519.c:88 (bmo#1561337)
  * Add test for mp_int clamping (bmo#1609751)
  * Don't attempt to read the fips_enabled flag on the machine unless NSS was built with FIPS enabled (bmo#1582169)
  * Fix a null pointer dereference in BLAKE2B_Update (bmo#1431940)
  * Fix compiler warning in secsign.c (bmo#1617387)
  * Fix a OpenBSD/arm64 compilation error: unused variable 'getauxval' (bmo#1618400)
  * Fix a crash on unaligned CMACContext.aes.keySchedule when using AES-NI intrinsics (bmo#1610687)

==== nano ====
Version update (4.9 -> 4.9.1)

- GNU nano 4.9.1
  * fix cursor getting misplaced when undoing line cuts
  * fix filtering of the whole buffer to a new buffer

==== ncurses ====
Subpackages: libncurses6 ncurses-utils terminfo terminfo-base

- Add ncurses patch 20200321
  + improve configure-checks to reduce warnings about unused variables.
  + improve description of error-returns in waddch and waddnstr manual pages (prompted by patch by Benno Schulenberg).
  + add test/move_field.c to demonstrate move_field(), and a stub for a corresponding demo of dup_field().
- Add ncurses patch 20200314
  + add history note to curs_scanw.3x for and
  + add history note to curs_printw.3x for and
  + add portability note to ncurses.3x regarding

==== open-iscsi ====
Subpackages: iscsiuio libopeniscsiusr0_2_0

- Update with two upstream commits:
  * Fix issue where "iscsi-iname -p" core dumps. (found upstream)
  * Fix iscsi.service so it handles restarts better (bsc#1163499)
  * Add Wants=remote-fs-pre.target for sequencing. (bsc#1158536)
  updating:
  * open-iscsi-SUSE-latest.diff.bz2

==== openSUSE-build-key ====

- mark the opensuse-container-key and the suse-container-key for openSUSE:Containers and SUSE:Containers space. (same as the build keys for SLE15 and openSUSE respectively.)
- Replace the old security@suse.de email comm key by the new, move the old one to the oldkey. (bsc#1166334)

==== podman ====
Subpackages: podman-cni-config

- Add "systemd" BUILDFLAGS to build with support for journald logging (bsc#1162432)

==== rook ====
Version update (1.2.6+git0.g99024013 -> 1.2.7+git0.g1acfd182)

- Update to v1.2.7 (bsc#1168160):
  * Apply the expected lower PG count for rgw metadata pools (#5091)
  * Reject devices smaller than 5GiB for OSDs (#5089)
  * Add extra check for filesystem to skip boot volumes for OSD configuration (#5022)
  * Avoid duplication of mon pod anti-affinity (#4998)
  * Update service monitor definition during upgrade (#5078)
  * Resizer container fix due to misinterpretation of the cephcsi version (#5073-1)
  * Set ResourceVersion for Prometheus rules (#4528)
  * Upgrade doc clarification for RBAC related to the helm chart (#5054)

==== setools ====
Version update (4.2.2 -> 4.3.0)

- Update to the upstream version 4.3.0:
  * Revised sediff method for TE rules. This drastically reduced memory and run time.
  * Added infiniband context support to seinfo, sediff, and apol.
  * Added apol configuration for location of Qt assistant.
  * Fixed sediff issue where properties header would display when not requested.
  * Fixed sediff issue with type_transition file name comparison.
  * Fixed permission map socket sendto information flow direction.
  * Added methods to TypeAttribute class to make it a complete Python collection.
  * Genfscon now will look up classes rather than using fixed values which were dropped from libsepol
- Dropped python3.8-compat.patch

==== wpa_supplicant ====

- With v2.9 fi.epitest.hostap.WPASupplicant.service is obsolete (bsc#1167331)
- Change wpa_supplicant.service to ensure wpa_supplicant gets started before network. Fix WLAN config on boot with wicked. (boo#1166933)

==== yast2 ====
Version update (4.2.78 -> 4.2.80)

- Modify the way YaST detects whether systemd is running or not (bsc#1168307)
- 4.2.80
- Reread network interfaces configuration after writing it avoiding wrong values when reopen network configuration dialog during an installation (bsc#1166778)
- 4.2.79