Packages changed: Mesa-drivers bash-completion codec2 gcr (3.40.0 -> 3.41.0) glibc hwdata (0.351 -> 0.352) hwinfo (21.76 -> 21.77) libx86emu (3.2 -> 3.3) libzypp (17.28.4 -> 17.28.5) mdadm open-iscsi openssh (8.4p1 -> 8.8p1) patterns-gnome patterns-microos polkit-default-privs (1550+20210818.b0c41fd -> 1550+20211008.9751669) pulseaudio xwayland === Details === ==== Mesa-drivers ==== Subpackages: Mesa-dri Mesa-gallium - Fix build with LLVM 13: * U_gallivm-add-new-wrapper-around-Module.patch * U_gallivm-fix-FTBFS-on-i386-with-LLVM-13.patch ==== bash-completion ==== - Add patch boo1190929-9af4afd0.patch for boo#1190929 add support for compeletion modinfo completion recognize .ko.zst as well as .ko.bz2 ==== codec2 ==== - Added a patch moved-freedv_callback_rx_sym-into-internal-header.patch to fix building gnuradio (patch taken from upstream) - Drop handcrafted generation of the pkgconfig file - Remove "-Wno-dev" ==== gcr ==== Version update (3.40.0 -> 3.41.0) Subpackages: gcr-data gcr-prompter gcr-ssh-askpass libgck-1-0 libgcr-3-1 typelib-1_0-Gck-1 typelib-1_0-Gcr-3 - Update to version 3.41.0: + Port ssh-agent from gnome-keyring. + build: Fix parallel build failure due to missing marshal dependency. + Fix warnings by dropping `volatile` for g_once_init_inter locations. + tests: More robust against GTask unref race condition. + Updated translations. - Add pkgconfig(libsecret-1), pkgconfig(libsystemd), pkgconfig(systemd) and openssh-clients BuildRequires: Build new standalone ssh-agent, and split it out in own sub-package. ==== glibc ==== Subpackages: glibc-locale glibc-locale-base - ld-show-auxv-colon.patch: elf: Fix missing colon in LD_SHOW_AUXV output (BZ #282539 - x86-string-control-test.patch: x86-64: Use testl to check __x86_string_control - pthread-kill-fail-after-exit.patch: nptl: pthread_kill, pthread_cancel should not fail after exit (BZ #19193) - pthread-kill-race-thread-exit.patch: nptl: Fix race between pthread_kill and thread exit (BZ #12889) - getcwd-attribute-access.patch: posix: Fix attribute access mode on getcwd (BZ #27476) - pthread-kill-return-esrch.patch: nptl: pthread_kill needs to return ESRCH for old programs (BZ #19193) - pthread-mutexattr-getrobust-np-type.patch: nptl: Fix type of pthread_mutexattr_getrobust_np, pthread_mutexattr_setrobust_np (BZ [#28036]) - setxid-deadlock-blocked-signals.patch: nptl: Avoid setxid deadlock with blocked signals in thread exit (BZ #28361) - pthread-kill-send-specific-thread.patch: nptl: pthread_kill must send signals to a specific thread (BZ #28407) - sysconf-nprocessors-affinity.patch: linux: Revert the use of sched_getaffinity on get_nproc (BZ #28310) - iconv-charmap-close-output.patch: renamed from icon-charmap-close-output.patch ==== hwdata ==== Version update (0.351 -> 0.352) - Update to version 0.352 (bsc#1191375: + Updated pci, usb and vendor ids. ==== hwinfo ==== Version update (21.76 -> 21.77) - merge gh#openSUSE/hwinfo#105 - Use license file from gnu.org - Fix spelling - Add missing final newline - Trim excess whitespace - Simple maintenance improvements - 21.77 ==== libx86emu ==== Version update (3.2 -> 3.3) - merge gh#wfeldt/libx86emu#34 - Migrate CI to GitHub Actions - 3.3 ==== libzypp ==== Version update (17.28.4 -> 17.28.5) - Downloader does not respect checkExistsOnly flag (bsc#1190712) A missing check causes zyppng::Downloader to always download full files even if the checkExistsOnly flag is set. This patch adds the missing logic. - Fix kernel-*-livepatch removal in purge-kernels (bsc#1190815) The kernel-*-livepatch packages are supposed to serve as a stable handle for the ephemeral kernel livepatch packages. See FATE#320268 for details. As part of the kernel live patching ecosystem, kernel-*-livepatch packages should not block the purge-kernels step. - version 17.28.5 (22) ==== mdadm ==== - Install mdadm in _sbindir rather than /sbin. This is more appropriate now that we have a merged-/usr. (bsc#1191076) ==== open-iscsi ==== Subpackages: iscsiuio libopeniscsiusr0_2_0 - Fix possible systemd cycle by adding an "obsoletes" for the old libopeniscsiusr for older versions. ==== openssh ==== Version update (8.4p1 -> 8.8p1) Subpackages: openssh-clients openssh-common openssh-server - Version update to 8.8p1: = Security * sshd(8) from OpenSSH 6.2 through 8.7 failed to correctly initialise supplemental groups when executing an AuthorizedKeysCommand or AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser directive has been set to run the command as a different user. Instead these commands would inherit the groups that sshd(8) was started with. Depending on system configuration, inherited groups may allow AuthorizedKeysCommand/AuthorizedPrincipalsCommand helper programs to gain unintended privilege. Neither AuthorizedKeysCommand nor AuthorizedPrincipalsCommand are enabled by default in sshd_config(5). = Potentially-incompatible changes * This release disables RSA signatures using the SHA-1 hash algorithm by default. This change has been made as the SHA-1 hash algorithm is cryptographically broken, and it is possible to create chosen-prefix hash collisions for argv conversion. Multiple backslashes were not being dequoted correctly and quoted space in the middle of a string was being incorrectly split. GHPR223 * ssh(1): return non-zero exit status when killed by signal; bz#3281 * sftp-server(8): increase maximum SSH2_FXP_READ to match the maximum packet size. Also handle zero-length reads that are not explicitly banned by the spec. - Additional changes from 8.5p1 release: = Security * ssh-agent(1): fixed a double-free memory corruption that was introduced in OpenSSH 8.2 . We treat all such memory faults as potentially exploitable. This bug could be reached by an attacker with access to the agent socket. = Potentially-incompatible changes * ssh(1), sshd(8): this release changes the first-preference signature algorithm from ECDSA to ED25519. * ssh(1), sshd(8): set the TOS/DSCP specified in the configuration for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive and often explicitly interactive. The ultimate interactive/bulk TOS/DSCP will be set after authentication completes. * ssh(1), sshd(8): remove the pre-standardization cipher rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc before it was standardized in RFC4253 (2006), has been deprecated and disabled by default since OpenSSH 7.2 (2016) and was only briefly documented in ssh.1 in 2001. * ssh(1), sshd(8): update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime coupled with X25519. The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. * ssh(1): disable CheckHostIP by default. It provides insignificant benefits while making key rotation significantly more difficult, especially for hosts behind IP-based load-balancers. = New features * ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions: - The key was matched in the UserKnownHostsFile (and not in the GlobalKnownHostsFile). - The same key does not exist under another name. - A certificate host key is not in use. - known_hosts contains no matching wildcard hostname pattern. - VerifyHostKeyDNS is not enabled. - The default UserKnownHostsFile is in use. * ssh(1), sshd(8): add a new LogVerbose configuration directive for that allows forcing maximum debug logging by file/function/line pattern-lists. * ssh(1): when prompting the user to accept a new hostkey, display any other host names/addresses already associated with the key. * ssh(1): allow UserKnownHostsFile=none to indicate that no known_hosts file should be used to identify host keys. * ssh(1): add a ssh_config KnownHostsCommand option that allows the client to obtain known_hosts data from a command in addition to the usual files. * ssh(1): add a ssh_config PermitRemoteOpen option that allows the client to restrict the destination when RemoteForward is used with SOCKS. * ssh(1): for FIDO keys, if a signature operation fails with a "incorrect PIN" reason and no PIN was initially requested from the user, then request a PIN and retry the operation. This supports some biometric devices that fall back to requiring PIN when reading of the biometric failed, and devices that require PINs for all hosted credentials. * sshd(8): implement client address-based rate-limiting via new sshd_config(5) PerSourceMaxStartups and PerSourceNetBlockSize directives that provide more fine-grained control on a per-origin address basis than the global MaxStartups limit. = Bugfixes * ssh(1): Prefix keyboard interactive prompts with "(user@host)" to make it easier to determine which connection they are associated with in cases like scp -3, ProxyJump, etc. bz#3224 * sshd(8): fix sshd_config SetEnv directives located inside Match blocks. GHPR201 * ssh(1): when requesting a FIDO token touch on stderr, inform the user once the touch has been recorded. * ssh(1): prevent integer overflow when ridiculously large ConnectTimeout values are specified, capping the effective value (for most platforms) at 24 days. bz#3229 * ssh(1): consider the ECDSA key subtype when ordering host key algorithms in the client. * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. The previous name incorrectly suggested that it control allowed key algorithms, when this option actually specifies the signature algorithms that are accepted. The previous name remains available as an alias. bz#3253 * ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms. * sftp-server(8): add missing lsetstat@openssh.com documentation and advertisement in the server's SSH2_FXP_VERSION hello packet. * ssh(1), sshd(8): more strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078). * sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit platforms instead of being limited by LONG_MAX. bz#3206 * Minor man page fixes (capitalization, commas, etc.) bz#3223 * sftp(1): when doing an sftp recursive upload or download of a read-only directory, ensure that the directory is created with write and execute permissions in the interim so that the transfer can actually complete, then set the directory permission as the final step. bz#3222 * ssh-keygen(1): document the -Z, check the validity of its argument earlier and provide a better error message if it's not correct. bz#2879 * ssh(1): ignore comments at the end of config lines in ssh_config, similar to what we already do for sshd_config. bz#2320 * sshd_config(5): mention that DisableForwarding is valid in a sshd_config Match block. bz3239 * sftp(1): fix incorrect sorting of "ls -ltr" under some circumstances. bz3248. * ssh(1), sshd(8): fix potential integer truncation of (unlikely) timeout values. bz#3250 * ssh(1): make hostbased authentication send the signature algorithm in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type. This make HostbasedAcceptedAlgorithms do what it is supposed to - filter on signature algorithm and not key type. - Rebased patches: * openssh-7.7p1-IPv6_X_forwarding.patch * openssh-7.7p1-X11_trusted_forwarding.patch * openssh-7.7p1-X_forward_with_disabled_ipv6.patch * openssh-7.7p1-cavstest-ctr.patch * openssh-7.7p1-cavstest-kdf.patch * openssh-7.7p1-disable_openssl_abi_check.patch * openssh-7.7p1-eal3.patch * openssh-7.7p1-enable_PAM_by_default.patch * openssh-7.7p1-fips.patch * openssh-7.7p1-fips_checks.patch * openssh-7.7p1-host_ident.patch * openssh-7.7p1-hostname_changes_when_forwarding_X.patch * openssh-7.7p1-ldap.patch * openssh-7.7p1-no_fork-no_pid_file.patch * openssh-7.7p1-pam_check_locks.patch * openssh-7.7p1-pts_names_formatting.patch * openssh-7.7p1-remove_xauth_cookies_on_exit.patch * openssh-7.7p1-seccomp_ipc_flock.patch * openssh-7.7p1-seccomp_stat.patch * openssh-7.7p1-send_locale.patch * openssh-7.7p1-sftp_force_permissions.patch * openssh-7.7p1-sftp_print_diagnostic_messages.patch * openssh-7.7p1-systemd-notify.patch * openssh-7.9p1-keygen-preserve-perms.patch * openssh-7.9p1-revert-new-qos-defaults.patch * openssh-8.0p1-gssapi-keyex.patch * openssh-8.1p1-audit.patch * openssh-8.1p1-seccomp-clock_gettime64.patch * openssh-8.1p1-seccomp-clock_nanosleep.patch * openssh-8.1p1-seccomp-clock_nanosleep_time64.patch * openssh-8.1p1-use-openssl-kdf.patch * openssh-8.4p1-vendordir.patch * openssh-fips-ensure-approved-moduli.patch * openssh-link-with-sk.patch * openssh-reenable-dh-group14-sha1-default.patch * openssh-whitelist-syscalls.patch - Removed openssh-fix-ssh-copy-id.patch (fixed upstream). - openssh.keyring: rotated to new key from https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc - sshd-gen-keys-start: - only source sysconfig file if it exists. - create /etc/ssh if it does not exists. Required for image based installation/updates. ==== patterns-gnome ==== Subpackages: patterns-gnome-gnome_basic patterns-gnome-gnome_basis - Drop gnome-power-manager Recommends: Package is dormant upstream and on its way to be replaced by new features inside of gnome-control-center. ==== patterns-microos ==== Subpackages: patterns-microos-alt_onlyDVD patterns-microos-apparmor patterns-microos-base patterns-microos-base-microdnf patterns-microos-base-packagekit patterns-microos-base-zypper patterns-microos-basesystem patterns-microos-cloud patterns-microos-cockpit patterns-microos-defaults patterns-microos-desktop-common patterns-microos-desktop-gnome patterns-microos-desktop-kde patterns-microos-hardware patterns-microos-ima_evm patterns-microos-onlyDVD patterns-microos-ra_agent patterns-microos-ra_verifier patterns-microos-selinux patterns-microos-sssd_ldap - Add xdg-desktop-portal-gnome to gnome pattern - Drop gnome-power-manager Requires: Package is dormant upstream and on it's way to be replaced by new features inside of gnome-control-center. ==== polkit-default-privs ==== Version update (1550+20210818.b0c41fd -> 1550+20211008.9751669) - drop backward compatibility symlink in /etc/polkit-default-privs.standard. rpmlint 2.0 is now in Factory and the check there directly uses the profile in /usr/etc/polkit-default-privs/profiles/standard. - drop polkit-whitelisting sub-package. This is now handled in rpmlint 2.0 internally. - Update to version 1550+20211008.9751669: * whitelist power-profiles-daemon actions (bsc#1189900) * cleanup: remove polkit-rules-whitelist.json ==== pulseaudio ==== Subpackages: libpulse-mainloop-glib0 libpulse0 - Make system-user-pulse noarch - Split sysusers.d file to separate package as needed by brltty (bsc#1191465) ==== xwayland ==== - Specfile cleanup