Packages changed: brotli (1.0.3 -> 1.0.5) checkmedia (3.8 -> 4.0) efivar (31 -> 36) ffmpeg (4.0 -> 4.0.1) fwupdate (9+git21.gcd8f7d7 -> 11) glibc glibc grub2 libiscsi libqt5-qtwebengine linux-glibc-devel (4.16 -> 4.17) lz4 (1.8.1.2 -> 1.8.2) mariadb-connector-c opal openldap2 p11-kit (0.23.2 -> 0.23.12) python-pytz (2018.3 -> 2018.5) rdma-core (16.4 -> 18.1) spec-cleaner (1.0.9 -> 1.1.0) sqlite3 srt sssd (1.16.1 -> 1.16.2) xen (4.10.1_02 -> 4.10.1_08) === Details === ==== brotli ==== Version update (1.0.3 -> 1.0.5) Subpackages: libbrotlicommon1 libbrotlidec1 libbrotlienc1 - Update to version 1.0.5: * improve q=1 compression on small files * inverse Bazel workspace tree * add rolling-composite-hasher for large-window mode * add tools to download and transform static dictionary data - Changes for version 1.0.4: * fix unaligned access for aarch64-cross-armhf build * fix aarch64 target detection * allow CLI to compress with enabled "large window" feature * add NPOSTFIX / NDIRECT encoder parameters * automatic NDIRECT/NPOSTFIX tuning (better compression) * fix "memory leak" in python tests * fix bug in durchschlag * fix source file lists (add params.h) * fix Bazel/MSVC compilator options * fix "fall though" warnings ==== checkmedia ==== Version update (3.8 -> 4.0) - merge gh#openSUSE/checkmedia#6 - change tagmedia to also store checksum over partition (bsc#1000947) - update Makefile - update documentation - rewrite checkmedia to use new mediacheck library - digestdemo: add simple demo tool for libmediacheck usage - mediacheck library header file - mediacheck library code - add test tool for mediachecks - test data - enhance code - fix typo in tagmedia - 4.0 ==== efivar ==== Version update (31 -> 36) - Update to version 36 - adjust libefiboot-export-disk_get_partition_info.patch to fit new version ==== ffmpeg ==== Version update (4.0 -> 4.0.1) Subpackages: libavcodec58 libavdevice58 libavfilter7 libavformat58 libavresample4 libavutil56 libpostproc55 libswresample3 libswscale5 - Enable ffnvcodec when building with NVIDIA support - Add pkgconfig(srt) BuildRequires and pass --enable-libsrt to configure, enable srt support. - Refresh patches with quilt: * cve-2017-17555.diff * ffmpeg-codec-choice.diff * ffmpeg-libcdio_cdda-pkgconfig.patch * ffmpeg-new-coder-errors.diff - Enable libxml2 (used by MPEG DASH demuxer) - Update to new upstream release 4.0.1 * Fixed some integer overflows, undefined shifts, negative shifts, division by 0, and a null pointer deref. - Enable pkgconfig(vidstab) BuildRequires unconditionally, now available in openSUSE. ==== fwupdate ==== Version update (9+git21.gcd8f7d7 -> 11) - Correct the requirement of efivar-devel version - Update to version 11 + lots of fixes from cov-scan and clang analyzer + support for Lenovo machines + experimental support for UI Capsules + Dell WMI support + lots of bugfixes + configurable EFI ESP location by setting ESPMOUNTPOINT or the git config property fwupdate.espmountdir during the build. + Lots of coverity work + ABI compatibility checking during the release process + Make subdirectory builds work - removed fwupdate-list-firmware-types.patch ==== glibc ==== Subpackages: glibc-32bit glibc-locale-32bit - Use python3-pexpect instead of python-pexpect - riscv-kernel-sigaction.patch: fix struct kernel_sigaction to match the kernel version (BZ #23069) - glibc-2.3.90-langpackdir.diff: No longer search in /usr/share/locale-bundle ==== glibc ==== Subpackages: glibc-devel glibc-extra glibc-info glibc-locale nscd - Use python3-pexpect instead of python-pexpect - riscv-kernel-sigaction.patch: fix struct kernel_sigaction to match the kernel version (BZ #23069) - glibc-2.3.90-langpackdir.diff: No longer search in /usr/share/locale-bundle ==== grub2 ==== Subpackages: grub2-i386-pc grub2-snapper-plugin grub2-systemd-sleep-plugin grub2-x86_64-efi grub2-x86_64-xen - Replace "GRUB_DISABLE_LINUX_RECOVERY" by "GRUB_DISABLE_RECOVERY" in /etc/default/grub and remove test from s390x install section in upec file. [bsc#1042433, grub.default, grub2.spec] ==== libiscsi ==== - Fix building of recent rdma (boo#1098749): * libiscsi-rdma.patch ==== libqt5-qtwebengine ==== - Enable building against the system ICU again - Add physicalmemory >= 5GiB to _constraints in the hope to speed up builds ==== linux-glibc-devel ==== Version update (4.16 -> 4.17) - Update to kernel headers 4.17 ==== lz4 ==== Version update (1.8.1.2 -> 1.8.2) Subpackages: liblz4-1 liblz4-1-32bit - lz4 1.8.2: * speed inprovemtns for compression and decompression * fix compression compatible with low memory addresses * fix decompression segfault when provided with NULL input * cli: new command --favor-decSpeed * cli: benchmark mode more accurate for small inputs ==== mariadb-connector-c ==== - Drop libmysqlclient_r Provides from the -devel package. (bsc#1097938) ==== opal ==== - Pass --disable-ixj to configure instead of --enable-ixj: Linux 4.17 no longer brings the public telephony headers and future versions of opal (starting with 3.14) would not support xJACK neither (addresses boo#1098764). ==== openldap2 ==== Subpackages: libldap-2_4-2 libldap-2_4-2-32bit libldap-data openldap2-client openldap2-devel - fixed shee-bang in openldap_update_modules_path.sh (bsc#1099705) ==== p11-kit ==== Version update (0.23.2 -> 0.23.12) Subpackages: libp11-kit0 libp11-kit0-32bit p11-kit-tools - New version 0.23.12 * Fix compile error when PKCS#11 GNU calling convention enabled - Changelog from version 0.23.11 * trust: Add extractor for edk2/cacerts.bin * modules: Add option to control module visibility from proxy * trust: Prevent trust module being loaded by proxy module * library: Use dedicated locale object for printing error * Treat CKR_CRYPTOKI_ALREADY_INITIALIZED correctly * Improve const correctness for P11KitUri * PKCS#11 URI scheme comparison is now case insensitive - Drop p11-kit-biarch.patch: Obsolete since 0.23.10 - New version 0.23.10 * New p11-kit server command * The trust policy module now recognizes CKA_NSS_MOZILLA_CA_POLICY attribute * New trust dump command * New envvar P11_KIT_NO_USER_CONFIG to stop looking at user configurations * trust: Respect anyExtendedKeyUsage in CA certificates * Support x-init-reserved argument of C_Initialize() in remote modules * install private executables in libexecdir, obsoletes p11-kit-biarch.patch - new server subpackage - change keyring to new maintainer Daiki Ueno ==== python-pytz ==== Version update (2018.3 -> 2018.5) - update to 2018.5: * various python compatibility fixes - fix upstream signing key ==== rdma-core ==== Version update (16.4 -> 18.1) Subpackages: libibverbs libibverbs1 libmlx4-1 libmlx5-1 librdmacm1 - Remove pandoc BuildRequires * Add prebuilt-pandoc.sh to pre-generate the man pages * Add prebuilt-pandoc.tgz containing pre-generated man pages * Extract man pages in the appropriate directory during build - Update to rdma-core v18.1 * Fix compilation issue with recent glibc - Drop Remove-the-obsolete-libibcm-library.patch and umad-Do-not-check-for-umad-sysfs-files-in-umad_init.patch as they were fixed upstream. - Update to rdma-core v16.5 * Backport fixes: * buildilb: Fix -msse breakage on ARM builds * buildlib: Use -msse if the compiler does not support target(sse) (bsc#1086910) * suse: do not call %service rules on a template file (bsc#1093170) * mlx5: Convert ah_attr static rate to mlx5 static rate * ccan: Add array_size.h file * iwpmd: Initialize address of sockaddr * mlx5: Fix need_uuar_lock when there are no medium bfregs * verbs: Fix wrong clean up flow in ibv_rc_pingpong * Match kernel ABI to for 4.17 for 32 bit * librdmacm: Set errno correctly if status is positive * verbs: Remove bogus cq_fd * verbs: Fix typo in copying IBV_FLOW_SPEC_UDP/TCP 'val' ==== spec-cleaner ==== Version update (1.0.9 -> 1.1.0) - Version update to 1.1.0 bsc#1099674: * Fix issue with previous release not finding datadirs ==== sqlite3 ==== Subpackages: libsqlite3-0 libsqlite3-0-32bit - Run tests during build ==== srt ==== - Add baselibs.conf: build 32bit support libs. - Update Summary and Descriptions fields. ==== sssd ==== Version update (1.16.1 -> 1.16.2) Subpackages: libnfsidmap-sss libsss_certmap0 libsss_idmap0 libsss_nss_idmap0 libsss_simpleifp0 sssd-32bit sssd-krb5-common sssd-ldap - Fixed patch name. - Introduce patches: * Create sockets with right permissions: 0001-SUDO-Create-the-socket-with-stricter-permissions.patch (bsc#1098377, CVE-2018-10852) * Fix for sssd upstream integration tests 0002-intg-Do-not-hardcode-nsslibdir.patch (bsc#1098163) - Update to new minor upstream release 1.16.2 New Features: * The smart card authentication, or in more general certificate authentication code now supports OpenSSL in addition to previously supported NSS (#3489). In addition, the SSH responder can now return public SSH keys derived from the public keys stored in a X.509 certificate. Please refer to the ssh_use_certificate_keys option in the man pages. * The files provider now supports mirroring multiple passwd or group files. This enhancement can be used to use the SSSD files provider instead of the nss_altfiles module Bugfixes: * A memory handling issue in the nss_ex interface was fixed. This bug would manifest in IPA environments with a trusted AD domain as a crash of the ns-slapd process, because a ns-slapd plugin loads the nss_ex interface (#3715) * Several fixes for the KCM deamon were merged (see #3687, #3671, #3633) * The ad_site override is now honored in GPO code as well (#3646) * Several potential crashes in the NSS responder?s netgroup code were fixed (#3679, #3731) * A potential crash in the autofs responder?s code was fixed (#3752) * The LDAP provider now supports group renaming (#2653) * The GPO access control code no longer returns an error if one of the relevant GPO rules contained no SIDs at all (#3680) * A memory leak in the IPA provider related to resolving external AD groups was fixed (#3719) * Setups that used multiple domains where one of the domains had its ID space limited using the min_id/max_id options did not resolve requests by ID properly (#3728) * Overriding IDs or names did not work correctly when the domain resolution order was set as well (#3595) * A version mismatch between certain newer Samba versions (e.g. those shipped in RHEL-7.5) and the Winbind interface provided by SSSD was fixed. To further prevent issues like this in the future, the correct interface is now detected at build time (#3741) * The files provider no longer returns a qualified name in case domain resolution order is used (#3743) * A race condition between evaluating IPA group memberships and AD group memberships in setups with IPA-AD trusts that would have manifested as randomly losing IPA group memberships assigned to an AD user was fixed (#3744) * Setting an SELinux login label was broken in setups where the domain resolution order was used (#3740) * SSSD start up issue on systems that use the libldb library with version 1.4.0 or newer was fixed. Introduce a patch: * Fix build of sssd of 1.16.2 version: 0003-Fix-build-for-1-16-2-version.patch (back then called fix-build.patch) ==== xen ==== Version update (4.10.1_02 -> 4.10.1_08) Subpackages: xen-doc-html xen-libs xen-tools xen-tools-domU - Upstream patches from Jan (bsc#1027519) 5b02c786-x86-AMD-mitigations-for-GPZ-SP4.patch (Replaces Spectre-v4-1.patch) 5b02c786-x86-Intel-mitigations-for-GPZ-SP4.patch (Replaces Spectre-v4-2.patch) 5b02c786-x86-msr-virtualise-SPEC_CTRL-SSBD.patch (Replaces Spectre-v4-3.patch) 5b0bc9da-x86-XPTI-fix-S3-resume.patch 5b0d2286-libxc-x86-PV-dont-hand-through-CPUID-leaf-0x80000008.patch 5b0d2d91-x86-suppress-sync-when-XPTI-off.patch 5b0d2dbc-x86-correct-default_xen_spec_ctrl.patch 5b0d2ddc-x86-CPUID-dont-override-tool-stack-hidden-STIBP.patch 5b150ef9-x86-fix-error-handling-of-pv-dr7-shadow.patch 5b21825d-1-x86-support-fully-eager-FPU-context-switching.patch (Replaces xsa267-1.patch) 5b21825d-2-x86-spec-ctrl-mitigations-for-LazyFPU.patch (Replaces xsa267-2.patch) 5b238b92-x86-HVM-account-for-fully-eager-FPU.patch 5b2b7172-x86-EFI-fix-FPU-state-handling-around-runtime-calls.patch 5b31e004-x86-HVM-emul-attempts-FPU-set-fpu_initialised.patch 5b323e3c-x86-EFI-fix-FPU-state-handling-around-runtime-calls.patch 5b34882d-x86-mm-dont-bypass-preemption-checks.patch (Replaces xsa264.patch) 5b348874-x86-refine-checks-in-DB-handler.patch (Replaces xsa265.patch) 5b348897-libxl-qemu_disk_scsi_drive_string-break-out-common.patch (Replaces xsa266-1-<>.patch) 5b3488a2-libxl-restore-passing-ro-to-qemu-for-SCSI-disks.patch (Replaces xsa266-2-<>.patch) 5b34891a-x86-HVM-dont-cause-NM-to-be-raised.patch 5b348954-x86-guard-against-NM.patch - Fix more build gcc8 related failures with xen.fuzz-_FORTIFY_SOURCE.patch - bsc#1098403 - fix regression introduced by changes for bsc#1079730 a PV domU without qcow2 and/or vfb has no qemu attached. Ignore QMP errors for PV domUs to handle PV domUs with and without an attached qemu-xen. xen.bug1079730.patch - bsc#1097521 - VUL-0: CVE-2018-12891: xen: preemption checks bypassed in x86 PV MM handling (XSA-264) xsa264.patch - bsc#1097522 - VUL-0: CVE-2018-12893: xen: x86: #DB exception safety check can be triggered by a guest (XSA-265) xsa265.patch - bsc#1097523 - VUL-0: CVE-2018-12892: xen: libxl fails to honour readonly flag on HVM emulated SCSI disks (XSA-266) xsa266-1-libxl-qemu_disk_scsi_drive_string-Break-out-common-p.patch xsa266-2-libxl-restore-passing-readonly-to-qemu-for-SCSI-disk.patch - bsc#1095242 - VUL-0: CVE-2018-3665: xen: Lazy FP Save/Restore (XSA-267) xsa267-1.patch xsa267-2.patch