Removed rpms
============
- alsa-plugins-pulse-32bit
- dhcp
- dhcp-client
- glibc-locale-base-32bit
- alsa-oss-32bit
- cyrus-sasl-gssapi-32bit
- fontconfig-32bit
- glibc-locale-32bit
- libXau6-32bit
- libattr1-32bit
- libblkid1-32bit
- libbrotlidec1-32bit
- libcurl4-32bit
- libdw1-32bit
- libffi7-32bit
- libfreetype6-32bit
- libgdbm4-32bit
- libgobject-2_0-0-32bit
- liblz4-1-32bit
- libmount1-32bit
- libpulse0-32bit
- libtextstyle0-32bit
- libxml2-2-32bit
- nss-mdns-32bit
- pam_pwquality-32bit
- perl-base-32bit
- rpm-32bit
- krb5-32bit
- libLLVM11
- libacl1-32bit
- libaudit1-32bit
- libcrypt1-32bit
- libexiv2-26
- libexpat1-32bit
- libfontconfig1-32bit
- libgmodule-2_0-0-32bit
- libgnutls30-32bit
- libidn2-0-32bit
- libigdgmm11
- libkeyutils1-32bit
- libldb2-32bit
- liblzma5-32bit
- libmagic1-32bit
- libnettle8-32bit
- libnss_usrfiles2-32bit
- libparted0-32bit
- libpci3-32bit
- libpcre1-32bit
- libpopt0-32bit
- libselinux1-32bit
- libstdc++6-pp-gcc11
- libstdc++6-pp-gcc11-32bit
- libteamdctl0
- libtirpc3-32bit
- libudev1-32bit
- libunistring2-32bit
- libuuid1-32bit
- libvdpau_r300
- libvdpau_r600
- libvdpau_radeonsi
- libvorbis0-32bit
- libvorbisenc2-32bit
- libxcb1-32bit
- libz1-32bit
- p11-kit-nss-trust
- pam-32bit
- qemu-seabios
- rp-pppoe
- xf86-video-glint
- xf86-video-tga
- xf86-video-trident

Added rpms
==========
- NetworkManager-bluetooth
- NetworkManager-tui
- NetworkManager-wwan
- alsa-oss-32bit
- busybox-ed
- cyrus-sasl-gssapi-32bit
- fontconfig-32bit
- glibc-locale-32bit
- alsa-plugins-pulse-32bit
- glibc-locale-base-32bit
- krb5-32bit
- libacl1-32bit
- libaudit1-32bit
- libcrypt1-32bit
- libexpat1-32bit
- libfontconfig1-32bit
- libgmodule-2_0-0-32bit
- libgnutls30-32bit
- libidn2-0-32bit
- libkeyutils1-32bit
- libldb2-32bit
- liblzma5-32bit
- libmagic1-32bit
- libnettle8-32bit
- libnss_usrfiles2-32bit
- libparted0-32bit
- libpci3-32bit
- libpcre1-32bit
- libpopt0-32bit
- libselinux1-32bit
- libtirpc3-32bit
- libudev1-32bit
- libunistring2-32bit
- libuuid1-32bit
- libvorbis0-32bit
- libvorbisenc2-32bit
- libxcb1-32bit
- libz1-32bit
- pam-32bit
- qemu-seabios
- kguiaddons
- libKF5Archive5-lang
- libLLVM15
- libXau6-32bit
- libattr1-32bit
- libblkid1-32bit
- libbrotlidec1-32bit
- libcurl4-32bit
- libdw1-32bit
- libffi7-32bit
- libfprint-2-tod1
- libfreetype6-32bit
- libgdbm4-32bit
- libgobject-2_0-0-32bit
- libigdgmm12
- liblz4-1-32bit
- libmount1-32bit
- libnvme-mi1
- libpulse0-32bit
- libqrtr-glib0
- libsnmp40
- libstdc++6-pp
- libstdc++6-pp-32bit
- libtextstyle0-32bit
- libxcvt0
- libxml2-2-32bit
- mozilla-nss-certs
- nss-mdns-32bit
- pam_pwquality-32bit
- perl-base-32bit
- rpm-32bit
- xorg-x11-server-Xvfb

Package Source Changes
======================
Mesa
-- changing default driver from 'iris' to 'i965' for Intel Gen8-11 - hardware again, but this time the correct way; "-Dprefer-iris=false" - needs to be set for both builds - Mesa-drivers *and* Mesa - (boo#1202850, comment#29) - -- revert previous change, since it resulted in Xorg and Mesa no - longer being able to load "i965" driver at all! This affects many - if not almost all Intel GPU users. I can't tell why this happens, - but I'm afraid we need to act immediately (boo#1202850); reopened - boo#1200965 for now ... 
- -- change default driver from 'iris' back to 'i965' for Intel - Gen8-11 hardware; that way we also use the same driver used by X - and Mesa (boo#1200965); related bugs: boo#1197045, boo#1197046 +- update to 22.2.4: + * clover: windows: library filename has \`-1` suffix and a \`lib` prefix + when built with mingw + * radv, dxvk: Rendering errors in World of Tanks after "Switch to dynamic + rendering only" + * gen9 gt3e/gt4e skus fail dEQP-VK.pipeline.multisample.sample_locations_ext.* + * v3d: Wrong colors (pink) in videos in Firefox (likely YUV->RGB shader issue) + * panfrost t860 glmark-es2 regression + * radv: Flickering in Spider-Man Remastered (Regression) (Bisected) + * radv: Hitman 2 using Direct3D 12 has discolored squares on RDNA2 with DCC + enabled + * panfrost/midgard - on Duckstation PSX emulator: segfault on GLES 3.0 and + bad shader compilations on 3.3 + +- try to fix build on ppc64le due to running OOM (boo#1205441) + * let's request 20G of physical memory via _constraints file + +- third bugfix release + * some regressions in CI worked out + * a bit of everything, and nothing too crazy +- supersedes u_0001-gallivm-Fix-LLVM-optimization-with-the-new-pass-mana.patch +- supersedes u_nouveau-corrupted-colors-boo1203949.patch +- get rid of Mesa-libVulkan-devel(-32bit) package, which is no + longer needed at all by providing/obsoleting it by + libvulkan_intel + +- Release 22.2.2 covers bugfixes for bsc#1197045,bsc#1197046,bsc#1200965,bsc#1202850 + +- build against llvm15/clang15 on sle15-sp5/Leap 15.5 + +- u_nouveau-corrupted-colors-boo1203949.patch + * fixes corrupted colors in videos on nouveau with Kepler in + Firefox (boo#1203949, issue#7416) + +- moved drirc.d config snippets from Mesa to Mea-dri package; + radv driver specific conf was missing completely (boo#1204866) + +- Add patch to fix LLVM optimization to avoid failure on armv7 + (https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/19217, + boo#1204267): + * 
u_0001-gallivm-Fix-LLVM-optimization-with-the-new-pass-mana.patch + +- update to 22.2.2 + * This is the second bug fix release, back on the regular + schedule. There's a lot here: nir, panfrost, gallium video, + freedreno, nouveau, turnip, r300, gallium core, r600, virgl, + core vulkan, anv, clover, d3d12, utils, radv, and plenty of + zink. + +- update to 22.2.1 + * lots of stuff here: llvmpipe, lavapipe, freedreno, aco, mesa, + turnip, virgl, r600, zink, radv, core gallium, and nir. All in + all, lots of good fixes all over the tree. + +- Add build_orig conditional switch for video codecs define. + +- re-disable video codecs + https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/15258 + +- Pass -Dvideo-codecs=h264dec,h264enc,h265dec,h265enc,vc1dec to + meson, keep support for hardware codecs inside vaapi, vdpau and + vulkan. These were previously enabled automatically. +- enabled "swrast" and "amd" Vulkan drivers on riscv64, which is + upstream default anyway ... + +- update to 22.2.0 + * AMD RDNA3 Prep, Intel Arc Graphics, Many Vulkan Improvements; + more details on Phoronix: + https://www.phoronix.com/news/Mesa-22.2-Released +- supersedes llvm15.patch +- refreshed n_no-sse2-on-ix86-except-for-intel-drivers.patch + +- llvm15.patch: backport of commits 2037c34f245, 301bcbac0e5, 6983c8580a2 + to support LLVM 15 + +- update to 22.1.7: + * fixes and cleanups all over the tree + * most of the fixes are for zink + * nice batch of fixes for the gallium dx9 frontend + * some other fixes across the board + +- update to 22.1.6: + * llvmpipe: make last_fence a screen/rast object not a context one. llvmpipe: + keep context list and use to track resource usage. 
+ * Revert "pan/bi: Require ATEST coverage mask input in R60" + * intel/dev: drop warning for unhandled hwconfig keys + * anv: Use sampleLocationsEnable for sample locations + +- Enable zink driver build on x86_64 + +- update to 22.1.5: + * radv: dynamic vertex input failure + * anv: KHR-GL46.tessellation_shader.single.xfb_captures_data_from_correct_stage fails on TGL + * anv: GTF-GL46.gtf32.GL3Tests.packed_pixels.packed_pixels_pbo failure + * anv: ICL hiz issue + * Error compiling gallium-nine on i686 using musl libc + * dEQP-VK.memory.mapping.dedicated_alloc failing on bsw and gen9atom + +- update to 22.1.4: + * anv: disable non uniform indexing of UBOs + * anv: use the right helper to invalidate memory + * intel/fs: ray query fix for global address + * isl: add new helper for format component compatibility + * radeonsi: fix random PS wave size + * r300: Keep rc_rename_regs() from overflowing + * aco/ra: update register file when updating phi definition + * radv: Fix vkCmdCopyQueryResults -> vkCmdResetPool hazard + +- let Mesa ignore Mesa-dri as dep to resolve a build cycle + (related to boo#1201474 + +- Update to 22.1.3 + * a lot of zink fixes + * There's a bit of everything else here, including some + performance fixes for wsi/x11. + +- Update to 22.1.2 + " There's a lot of zink here, thanks to Mike for help with manually + backporting parts of it! We've als got a bunch of fixes for panfrost, + and some for intel, radeon, llvmpip, dzn, broadcom, nir, core gallium, + the va state tracker, and freedren." 
+ +- let Mesa-libGL-devel require libX11-devel via pkgconfig(x11) + (boo#1200559) + +- removed libkms BuildRequires, since it has been dropped from + libdrm + +- Update to 22.1.1 + * first bugfix release +- supersedes U_llvmpipe-flush-resources-for-kms-swrast-path.patch + +- Add patch to fix glitches with KMS (boo#1199885): + * U_llvmpipe-flush-resources-for-kms-swrast-path.patch + +- buildrequire DirectX-Headers only on %{ix86} x86_64, since it's + only relevant on these platforms + +- Calling patch with '-p1' (as the others are) so 'git show' + .patch output works. + +- Generating 'n_stop-iris-flicker.patch' from 'git format-patch' vs. + a standard diff. + +- Fixing up 'stop-iris-flicker.patch' patch name to follow standards. + +- Update to 22.1.0 + * lot of great featurres, including (since rc5) additional + kopper backports for zink, and support for Intel's Alchemist + DG2 platform. + +- autoselect libvdpau_r300/libvdpau_r600/libvdpau_radeonsi packages + via hardware supplements on AMD GPUs + +- Update to 22.0.3 + * bugfix release with fixes for most of the major drivers +- Switching out 'directx-headers' for 'DirectX-Headers'. + +- Update to 22.0.2 + * bugfix release with almost all nominated patches + +- Adding changes I need for iris to not flicker and have d3d12 + available for use in WSL. + +- use _multibuild + +- Update to 22.0.1 + * fixes in lavapipe and zink, maintainer scripts and panfrost +- supersedes U_meson-restore-private-requires-to-libdrm-in-dri.pc-f.patch + +- get rid of Mesa-libVulkan-devel(-32bit) package, which no longer + makes sense since Mesa 21.1.0 + * https://gitlab.freedesktop.org/mesa/mesa/-/commit/5e6db1916860ec217eac60903e0a9d10189d1c53 + +- U_meson-restore-private-requires-to-libdrm-in-dri.pc-f.patch + * Due to a typo the private requires to libdrm were lost in dri.pc. + Fixed another typo (only comment). 
+ +- enabled "i915" Gallium-based Intel Gen3 driver + +- fixed llvm/clang buildrequires for sle15-sp4/Leap 15.4 + +- no longer try to build classic non-Gallium OpenGL drivers + i915, i965, nouveau, r100 and r200, which have been dropped with + Mesa 22.0.0; see also some documentation on Phoronix + https://www.phoronix.com/scan.php?page=news_item&px=Mesa-Classic-Retired + +- update to 22.0.0 + * lavapipe,radv,anv KHR_dynamic_rendering + * radv EXT_image_view_min_lod + * VK_KHR_synchronization2 on RADV. + * OpenSWR has been moved to the Amber branch + * radeonsi, zink ARB_sparse_texture + * d3d12 GLES3.1 (shader storage buffers, images, compute, indirect draw, draw params, + ARB_framebuffer_no_attachments, ARB_sample_shading, and GLSL400) + * radeonsi, zink ARB_sparse_texture2 + * zink EXT_memory_object, EXT_memory_object_fd, EXT_semaphore, EXT_semaphore_fd + * anv VK_VALVE_mutable_descriptor_type + * Vulkan 1.3 on RADV,Anv. + * radeonsi, zink ARB_sparse_texture_clamp + +- raise memory limit to 1024 in the hope of avoiding OOM on ppc64 + (boo#1196640) + +- update to 21.3.7 + * sixth bugfix release + +- update to 21.3.6 + * sixth bugfix release + +- update to 21.3.5 + * bugfix release: mostly Zink fixes + +- using memory-constraints on ppc64 for trying to avoid OOM during + build (boo#1194739) + +- update to 21.3.4 + * bugfix release + +- rename n_no-sse2-on-ix86.patch to + n_no-sse2-on-ix86-except-for-intel-drivers.patch + * no longer disable sse2 support for intel drivers, since this + breaks build, which is probably unresolvable (boo1190409) + +- Adding 'stop-iris-flicker.patch'. + +- n_no-sse2-on-ix86.patch + * disabled sse2 support on %ix86 (boo#1190409) + +- update to 21.3.3 + * Bug fixes + * Assassin’s Creed Syndicate crashes with Mesa 21.3.0+ ACO + * [21.3 regression] swr: Build failure with MSVC + * anv: dEQP-VK.graphicsfuzz.spv-stable-pillars-volatile-nontemporal-store fails + +- update to 21.3.1 + * mostly AMD, Intel & Zink fixes. 
+ +- n_buildfix-21.3.0.patch + * fixes Mesa-drivers build + +- update to 21.3.0 + * Panfrost is now officially GLES 3.1 conformant + * RADV has (experimental) ray tracing support + * Iris gained threaded shader compilation + * Zink has seen an enormous amount of work, and now supports GLES 3.2 + * Lavapipe has a bunch of new extensions, and now supports Vulkan 1.2 + * LLVMpipe got 2-3 times faster for 2D workloads, and gained support for + the compatibility profile on GL 4.5 + * VA-API gained support for AV1 videos + * EGL now works on Windows + * Wayland got a workaround for games making bad assumption (alpha means + transparency? who could have known) + * VK_EXT_color_write_enable on lavapipe + * GL_ARB_texture_filter_anisotropic in llvmpipe + * Anisotropic texture filtering in lavapipe + * VK_EXT_shader_atomic_float2 on Intel and RADV. + * VK_EXT_vertex_input_dynamic_state on RADV. + * VK_KHR_timeline_semaphore on lavapipe + * VK_EXT_external_memory_host on lavapipe + * GL_AMD_pinned_memory on llvmpipe + * GL 4.5 compatibility on llvmpipe + * VK_EXT_primitive_topology_list_restart on RADV and lavapipe. + * ES 3.2 on zink + * VK_KHR_depth_stencil_resolve on lavapipe + * VK_KHR_shader_integer_dot_product on RADV. + * OpenGL FP16 support on llvmpipe + * VK_KHR_shader_float16_int8 on lavapipe + * VK_KHR_shader_subgroup_extended_types on lavapipe + * VK_KHR_spirv_1_4 on lavapipe + * Experimental raytracing support on RADV + * VK_KHR_synchronization2 on Intel + * NGG shader based culling is now enabled by default on GFX10.3 on RADV. + * VK_KHR_maintenance4 on RADV + * VK_KHR_format_feature_flags2 on RADV. + * EGL_EXT_present_opaque on wayland + +- update to 21.2.5 + * bit of everything: general vulkan, panfrost, and zink are the + biggest changes. + ModemManager +- Update to version 1.18.10: + + Build: Require libqmi 1.30.8. + + FCC unlock: Updated SDX55 unlock script to handle the new + method introduced in the latest firmware releases. 
+ + Modem interface: + - Set signal quality to 0% on shutdown. + - Set signal quality as recent on init. + + MBIM: + - Fix task completion when peeking device fails. + - Fix several GError double-frees. + + mmcli: Don't print signal quality until modem is enabled. + + Plugins: foxconn: remove carrier mapping table for T99W175. + + Several other minor improvements and fixes. +- Changes from version 1.18.8: + + A new connection status dispatcher setup is provided, where + users can provide custom scripts that will be called on bearer + connect/disconnect events. This dispatcher will make the netifd + integration in openwrt work much better, as we'll be able to + report network-initiated disconnections cleanly to netifd. + There are no default connection status dispatcher scripts + installed, but it's suggested distributions make sure the + following directories exist: + - ${sysconfdir}/ModemManager/connection.d/ + - ${libdir}/ModemManager/connection.d/ + + API: Add missing Simple interface definitions in + ModemManager-names.h. + + Build: + - meson: + . fix daemon enums dependencies. + . fix port enums includes. + . fix 'export_packages' in GIR setup. + . fix simtech plugin module name. + - systemd: don't run ModemManager in containers. + + Core: + - serial: ensure the port object is valid after BUFFER_FULL + handling. + - netlink: + . use unaligned netlink attribute length. + . only change IFF_UP flag. + - bearer: match unknown auth to chap in loose comparisons. + - charsets: return error if UTF-8 validation fails. + - fcc-unlock: make scripts POSIX shell compatible. + - modem-helpers: + . consider minimum ID when choosing best profile. + . fix reading given in COPS=? responses. + - sms: prevent crash if date is out of range. + - profile-manager: fix copy-paste error on tags for quarks. + + QMI: + - Ignore slot status indications until initial status is known. + - Return error when loading capabilities if none is found. 
+ + MBIM: + - Default initial EPS bearer's auth to chap when unknown. + - Update default error when network error is out of range. + + mmcli: Fix key length when printing list of items. + + Plugins: + - linktop: new port type hints. + - cinterion: add support for PLSx3w modems. + - huawei: disable +CPOL based features in Huawei E226. + + Several other minor improvements and fixes. + +- Enable QRTR support + * Add BR pkgconfig(qrtr-glib) + +- Update to version 1.18.6: + + The ModemManager.service file for systemd integration provided + in the sources is updated as follows: + ++ 'CAP_NET_ADMIN' is now required in the + 'CapabilityBoundingSet' field. + ++ 'AF_NETLINK' and 'AF_QIPCRTR' are now required in the + 'RestrictAddressFamilies' field. + + The LEGACY and PARANOID filter types that were allowed + options in the '--filter-policy' option in the ModemManager + daemon were deprecated in version 1.16.0 and have now been + completely removed, along with the vid:pid blacklist of + devices and the vid:pid greylist of RS232<->USB adapters. + + The ModemManager daemon can run now in a 'quick suspend/resume' + mode, in which no explicit data disconnection is triggered on + suspend, and no explicit device re-probing from scratch is + launched on resume. Instead, the daemon will try to refresh + the state of all interfaces upon suspend, e.g. to see if the + module keeps registered to the same operator, to see if it is + still connected, and so on. + + core: added support for the new 'WWAN' subsystem in Linux kernel + 5.13, enabling PCIe-only modules. + + core: The charset conversion methods rework, including the + avoiding of the iconv() + + qmi: the logic managing allowed/preferred modes was fixed for + multimode devices like the MC7304, making sure the acquisition + order preference always had the same items. + + serial: when modem is connected with AT+PPP, ignore forced + disconnections, so that we don't take ownership of the PPP + port before pppd has released it. 
+ + foxconn: added support for the T99W175 (SDX55) module, + including built-in FCC unlock procedure. + + foxconn: added new MBIM QDU firmware update method. +- Move the dbus-1 system.d file to /usr (bsc#1196170) +- Use source verification +- Update Supplements to new format +- Add BRs needed for new tests: + * python3-gobject-Gdk + * python3-dbus-python + MozillaFirefox -- Firefox 102.4.0esr ESR - Placeholder changelog-entry (bsc#1204421) +- Firefox Extended Support Release 102.5.0 ESR + Placeholder changelog-entry (bsc#1205270) + +- Firefox Extended Support Release 102.4.0 ESR + * Fixed: Various stability, functionality, and security fixes. + MFSA 2022-45 (bsc#1204421) + * CVE-2022-42927 (bmo#1789128) + Same-origin policy violation could have leaked cross-origin + URLs + * CVE-2022-42928 (bmo#1791520) + Memory Corruption in JS Engine + * CVE-2022-42929 (bmo#1789439) + Denial of Service via window.print + * CVE-2022-42932 (bmo#1789729, bmo#1791363, bmo#1792041) + Memory safety bugs fixed in Firefox 106 and Firefox ESR 102.4 MozillaThunderbird +- Mozilla Thunderbird 102.5 + * changed: `Ctrl+N` shortcut to create new contacts from + address book restored (bmo#1751288) + * fixed: Account Settings UI did not update to reflect default + identity changes (bmo#1782646) + * fixed: New POP mail notifications were incorrectly shown for + messages marked by filters as read or junk (bmo#1787531) + * fixed: Connecting to an IMAP server configured to use + `PREAUTH` caused Thunderbird to hang (bmo#1798161) + * fixed: Error responses received in greeting header from NNTP + servers did not display error message (bmo#1792281) + * fixed: News messages sent using "Send Later" failed to send + after going back online (bmo#1794997) + * fixed: "Download/Sync Now..." 
did not completely sync all + newsgroups before going offline (bmo#1795547) + * fixed: Username was missing from error dialog on failed login + to news server (bmo#1796964) + * fixed: Thunderbird can now fetch RSS channel feeds with + incomplete channel URL (bmo#1794775) + * fixed: Add-on "Contribute" button in Add-ons Manager did not + work (bmo#1795751) + * fixed: Help text for `/part` Matrix command was incorrect + (bmo#1795578) + * fixed: Invite Attendees dialog did not fetch free/busy info + for attendees with encoded characters in their name + (bmo#1797927) + * fixed: Various security fixes + MFSA 2022-49 (bsc#1205270) + * CVE-2022-45403 (bmo#1762078) + Service Workers might have learned size of cross-origin media + files + * CVE-2022-45404 (bmo#1790815) + Fullscreen notification bypass + * CVE-2022-45405 (bmo#1791314) + Use-after-free in InputStream implementation + * CVE-2022-45406 (bmo#1791975) + Use-after-free of a JavaScript Realm + * CVE-2022-45408 (bmo#1793829) + Fullscreen notification bypass via windowName + * CVE-2022-45409 (bmo#1796901) + Use-after-free in Garbage Collection + * CVE-2022-45410 (bmo#1658869) + ServiceWorker-intercepted requests bypassed SameSite cookie + policy + * CVE-2022-45411 (bmo#1790311) + Cross-Site Tracing was possible via non-standard override + headers + * CVE-2022-45412 (bmo#1791029) + Symlinks may resolve to partially uninitialized buffers + * CVE-2022-45416 (bmo#1793676) + Keystroke Side-Channel Leakage + * CVE-2022-45418 (bmo#1795815) + Custom mouse cursor could have been drawn over browser UI + * CVE-2022-45420 (bmo#1792643) + Iframe contents could be rendered outside the iframe + * CVE-2022-45421 (bmo#1767920, bmo#1789808, bmo#1794061) + Memory safety bugs fixed in Thunderbird 102.5 + +- Mozilla Thunderbird 102.4.2 + * changed: "Address Book" button in Account Central will now + create a CardDAV address book instead of a local address book + (bmo#1793903) + * fixed: Messages fetched from POP server in `Fetch headers 
+ only` mode disappeared when moved to different folder by + filter action (bmo#1793374) + * fixed: Thunderbird re-downloaded locally deleted messages + from a POP server when "Leave messages on server" and "Until + I delete them" were enabled (bmo#1796903) + * fixed: Multiple password prompts for the same POP account + could be displayed (bmo#1786920) + * fixed: IMAP authentication failed on next startup if ImapMail + folder was deleted by user (bmo#1793599) + * fixed: Retrieving passwords for authenticated NNTP accounts + could fail due to obsolete preferences in a users profile on + every startup (bmo#1770594) + * fixed: `Get Next n Messages` did not consistently fetch all + messages requested from NNTP server (bmo#1794185) + * fixed: `Get Messages` button unable to fetch messages from + NNTP server if root folder not selected (bmo#1792362) + * fixed: Thunderbird text branding did not always match locale + of localized build (bmo#1786199) + * fixed: Thunderbird installer and Thunderbird updater created + Windows shortcuts with different names (bmo#1787264) + * fixed: LDAP search filters unable to work with non-ASCII + characters (bmo#1794306) + * fixed: "Today" highlighting in Calendar Month view did not + update after date change at midnight (bmo#1795176) + +- Mozilla Thunderbird 102.4.1 + * new: Thunderbird will now catch and report errors parsing + vCards that contain incorrectly formatted dates (bmo#1793415) + * fixed: Dynamic language switching did not update interface + when switched to right-to-left languages (bmo#1794289) + * fixed: Custom header data was discarded after messages were + saved as draft and reopened (bmo#195716) + * fixed: `-remote` command line argument did not work, + affecting integration with various applications such as + LibreOffice (bmo#1793323) + * fixed: Messages received via some SMS-to-email services could + not display images (bmo#1774805) + * fixed: VCards with nickname field set could not be edited + (bmo#1793877) + * fixed: 
Some recurring events were missing from Agenda on + first load (bmo#1771168) + * fixed: Download requests for remote ICS calendars incorrectly + set "Accept" header to text/xml (bmo#1793757) + * fixed: Monthly events created on the 31st of a month with <30 + days placed first occurrence 1-2 days after the beginning of + the following month (bmo#1266797) + * fixed: Various visual and UX improvements + (bmo#1781437,bmo#1785314,bmo#1794139,bmo#1794155,bmo#1794399) + - Placeholder changelog-entry (bsc#1204421) + * changed: Thunderbird will automatically detect and repair + OpenPGP key storage corruption caused by using the profile + import tool in Thunderbird 102 (bmo#1790610) + * fixed: POP message download into a large folder (~13000 + messages) caused Thunderbird to temporarily freeze + (bmo#1792675) + * fixed: Forwarding messages with special characters in Subject + failed on Windows (bmo#1782173) + * fixed: Links for FileLink attachments were not added when + attachment filename contained Unicode characters + (bmo#1789589) + * fixed: Address Book display pane continued to show contacts + after deletion (bmo#1777808) + * fixed: Printing address book did not include all contact + details (bmo#1782076) + * fixed: CardDAV contacts without a Name property did not save + to Google Contacts (bmo#1792101) + * fixed: "Publish Calendar" did not work (bmo#1794471) + * fixed: Calendar database storage improvements (bmo#1792124) + * fixed: Incorrectly handled error responses from CalDAV + servers sometimes caused events to disappear from calendar + (bmo#1792923) + * fixed: Various visual and UX improvements (bmo#1776093,bmo#17 + 80040,bmo#1780425,bmo#1792876,bmo#1792872,bmo#1793466,bmo#179 + 3543) + * fixed: Various security fixes + MFSA 2022-46 (bsc#1204421) + * CVE-2022-42927 (bmo#1789128) + Same-origin policy violation could have leaked cross-origin + URLs + * CVE-2022-42928 (bmo#1791520) + Memory Corruption in JS Engine + * CVE-2022-42929 (bmo#1789439) + Denial of Service 
via window.print + * CVE-2022-42932 (bmo#1789729, bmo#1791363, bmo#1792041) + Memory safety bugs fixed in Thunderbird 102.4 NetworkManager +- Bring back /sbin/netconfig as build option since the netconfig + in SLE is not ready for usrmerge. + +- Update to version 1.38.2: + + Fix race condition with pppd that caused failures when + activating PPPoE connections. + + Unbreak DHCPv6 over PPP. + + Don't ignore IPv6 DNS servers received from PPP. + + Fix crash while checking WEP capability of Wi-Fi interfaces. + + Ensure DHCP is restarted every time the link goes up. + + Fix struct alignment issues seen on some architectures. + + Various other bugfixes and improvements. + +- Fold NetworkManager-wifi back into the main package: The dep + chain is not really different and it causes too many problems for + users having that split. Not worth the pain (boo#1199710, + boo#1199706). +- As a consequence, also drop the recommends fro the main package + to -wifi. + +- Update to version 1.38.0: + + Add support for route type "throw". + + Fix bug setting priority for IP addresses. + + Static IPv6 addresses from "ipv6.addresses" are now preferred + over addresses from DHCPv6, which are preferred over addresses + from autoconf. This affects IPv6 source address selection, if + the rules from RFC 6724, section 5 don't give a exhaustive + match. + + Static IPv6 addresses from "ipv6.addresses" are now interpreted + with first address being preferred. Their order got inverted. + This is now consistent with IPv4. + + Wi-Fi hotspots will use a (stable) random channel number unless + one is chosen manually. + + Don't use unsupported SAE/WPA3 mode for AP mode. + + NetworkManager will no longer advertise frequencies as + supported when they're disallowed in configured regulatory + domain. + + Attempt to connect to WEP-encrypted Wi-Fi network will now fail + gracefully with a recent version of wpa_supplicant when built + without WEP support. 
As long as wpa_supplicant supports WEP, + NetworkManager will continue to work. + + Disable WPA3 transition mode for wifi.key-mgmt=wpa-psk if the + NIC does not support PMF. This is known to cause problems in + some setups. It is still possible to explicitly configure + wifi.key-mgmt=sae for WPA3. + + Add new dummy crypto backend "null" that does nothing. + NetworkManager uses the crypto library when handling + certificates for 802.1x profiles. + + Veth devices with name "eth*" are now managed by default via + the udev rule. This is to support managing the network in LXD + containers. + + The hostname received from DHCP is now shortened to the first + dot (or to 64 characters, whatever comes first) if it's too + long. + + As the insecure WEP encryption for Wi-Fi network is phased out, + nmcli now discourages its use when activating or modifying a + profile. + + Fix connectivity checks in case the check endpoint address + resolves to multiple addresses. + + Workaround libcurl blocking NetworkManager while resolving DNS + names. + + nmcli: indicate missing Wi-Fi hardware when showing rfkill + setting. + + nmcli: add connection migrate command to move a profile to a + specified settings plugin. This allows to convert profiles in + the deprecated ifcfg-rh format to keyfile. + + Set "src" attribute for routes from DHCPv4 to the leased + address. This helps with source address selection. + + Various bugfixes and internal improvements. + + Updated translations. +- Recommend NetworkNanager-wifi from the main package: after the + split, there is currently nothing pulling in NM-wifi. Preferably + this would happen based on wifi chips prsence, but that is not + yet done (boo#1199550). + +- Modify NetworkManager.spec: Split into a few small subpackages + (bsc#1198128). 
+ +- Install nfs dispatcher script in /usr/lib/NetworkManager, not /etc + +- Update to version 1.36.4: + + The internal DHCPv4 client now discards NAKs packets coming + from servers different from the one that sent the offer. + + Fix activation of PPPoE connections with "pppoe.parent" unset. + + Fix potential libnm crash when the client object initialization + gets canceled. + + Other various fixes and improvements. + +- Do not requires dhcp-client, NM is using its internal client + by default for a long time now. +- Convert iproute2 and iputils requires to recommends, they + should not be hard requires. + +- Update to version 1.36.2: + + When the list of plugins is not specified via "main.plugins" in + NetworkManager.conf and no build-time default is set with + "--with-config-plugins-default" configure argument, now all + known plugins found in the plugin directory are loaded (and the + built-in "keyfile" plugin is preferred over others). + + Preserve external ports during checkpoint rollback. + + Fix removal of ovsdb entry when an OVS interface goes away. + + Fix DNS configuration for WWAN connections. + +- Update to version 1.36.0: + + The handling of Layer 3 configurations has been substantially + reworked. While this is mostly internal change, it results in + more robust behavior when addressing information from multiple + sources (DHCP, manually configured, VPN) need to be applied + simultaneously. Overall performance and memory use have also + slightly improved. + + Manually configured addresses can no longer expire even if the + same addresses are also obtained dynamically. + + Code for systemd-based DHCP and DHCPv6 clients has been updated + from upstream. + + NTP servers obtained via DHCPv6 are now exposed on the DBus + API, visible in nmcli and available for use by dispatcher + scripts. + + 5G NR (New Radio) modems are now supported. + + The "rd.znet_ifnames" kernel command line option is now honored + on network bootups on an IBM s390 platform. 
+ + Wi-Fi P2P support does now work with the IWD backend, in + addition to wpa_supplicant backend. + + Support for special route types have been added: "prohibit", + "blackhole" and "unreachable". + + Routes managed by routing daemons are now ignored. This is done + to address a performance bottleneck on specialized routers. + + Handling of IP addressing and routing information is now + slightly more efficient and uses less memory. This is apparent + on systems with large amount of IP configuration information. + + It is now possible to start NetworkManager without root user + privileges. This is experimental doesn't necessarily result in + a working daemon. NetworkManager service already drops many of + capabilities available to the root user. + + WPA3 Wi-FI network security have been improved by enabling new + H2E (hash to element) method for generating SAE password + element. + + It is now possible to select the default Wi-Fi backend + (wpa_supplicant or IWD) at build-time. + + Replies from broken DHCP servers that send duplicate address or + mask options are now handled gracefully. + + Bridge support has gained the possibility of turning off MAC + ageing. + + "configure-and-quit" mode and nm-iface-helper have been + removed. + + A number of bugs that could cause NetworkManager to crash in + rare conditions have been fixed. +- Drop pkgconfig(libteam) BuildRequires and stop passing + teamdctl=true to meson: No longer build teamdctl support. +- Drop patches fixed upstream: + + 4685651e7671e064b911a3a05f096908e5ef0580.patch + + 471e987add98b36520ece72ee493176fc7bc863c.patch + + 6329f1db5ac75ee3b7d2f7ce062e951a598625fe.patch + + 634e023e72d4729788a022ea1fae665af28d1b0f.patch + + aadf0fb64f491f94b2771058621dc140c562b62b.patch +- Drop nm-dhcp-use-valid-lease-on-timeout.patch: Patch was rejected + upstream. +- Rebase patches with quilt. 
+ +- Add upstream bug fix patches: + + 4685651e7671e064b911a3a05f096908e5ef0580.patch: glib-aux: fix + nm_ref_string_equal_str() Fix comparison with a NULL string + + 6329f1db5ac75ee3b7d2f7ce062e951a598625fe.patch: libnm/tests: + fix maybe-uninitialized warning in "test-setting" + + aadf0fb64f491f94b2771058621dc140c562b62b.patch: libnm/tests: + fix maybe-uninitialized warning in "test-libnmc-setting" + + 471e987add98b36520ece72ee493176fc7bc863c.patch: device: + initialize nm_auto variable in _ethtool_features_reset() + + 634e023e72d4729788a022ea1fae665af28d1b0f.patch: glib-aux: + workaround maybe-uninitialized warning with LTO in + nm_uuid_generate_from_string_str() + +- Use meson LTO setup as NM makes changes to CFLAGS + +- Packaging additions with Autotools replacement: + + Add Meson build requirement and replace Automake macros with + Meson equivalent ones as autotools will be deprecated in the + future. + + Options passed to Meson to mimmic our default preferences: + systemdsystemunitdir=%{_unitdir}, udev_dir=%{_udevdir}, + dbus_conf_dir=%{_dbusconfdir}, iptables=%{_sbindir}/iptables, + dnsmasq=%{_sbindir}/dnsmasq, dnssec_trigger=%{_libexecdir}\ + /dnssec-trigger-script, dist_version=%{version}, + polkit_agent_helper_1=%{_libexecdir}/polkit-1\ + /polkit-agent-helper-1, hostname_persist=suse, switchable + libaudit=%{libaudit_meson_opt}, iwd=true, pppd=%{_sbindir}\ + /pppd, pppd_plugin_dir=%{_pppddir}, nm_cloud_setup=true, + bluez5_dun=true, netconfig=%{_sbindir}/netconfig, + dhclient=%{_sbindir}/dhclient, docs=true, switchable + tests=%{tests_meson_opt}, more_asserts=0, more_logging=false, + qt=false, and switchable teamdctl=true (teamctl is about to be + deprecated). + + Add conditionalized audit pkgconfig module build requirement to + allow easier feature testing, and pass + 'yes-disabled-by-default' to 'libaudit' Meson option. As an + observation: Meson defaults passing 'yes' to this feature. 
+ + Add explicit c++_compiler build requirement to avoid build + abortion. + + Add explicit libselinux pkgconfig module build requirement + checked by Meson and was already being pulled in by some other + package. + + Add polkit-gobject-1 pkgconfig module build requirement checked + by Meson and needed for user auth-polkit support. + + Add mobile-broadband-provider-info pkgconfig module build + requirement checked by Meson and needed for ModemManager1 + interface support. + + Add sed command to fix server.conf config file location from + defaultdocdir/NetworkManager/examples to + defaultdocdir/NetworkManager. + + Add useful %{_pppddir} and %{_dbusconfdir} macros to spec file, + while dropping no longed needed pppddir shell variable + definition and 'test -n "$pppddir" || exit 1' construct. + + Add "< 1.21" version to libnm-glib-vpn1, libnm-glib4, and + libnm-util2 < 1.21 to main package's Obsoletes tags, following + packaging good practices to avoid future unwated behavior + regarding versioning schemes. + + Replace %version macro with hardcoded "0.9.1" version to the + devel subpackage's %name-doc Obsoletes tag following packaging + good practices to avoid future unwanted behaviors regarding + versioning schemes (the doc subpackage was merged with the + devel one in the 0.9.0 release). + + Pass "%{?no_lang_C}" to %find_lang macro to avoid stripping + any English translations (the default language) from main + package. +- Packaging deletions with Autotools replacement: + + Remove data/server.conf from %doc macro in files section as it + no longer works with Meson. + + Remove "rm" command on server.conf file following sed command + addition to fix the right location of the file. + + Remove no longer useful conditional build abortion depending + whether or not netconfig support was found + 'grep "with_netconfig='no'" config.log' since this file isn't + generated by Meson. + + Remove no longer needed "find" command for GNU Libtool LA files + deletion. 
+ + Drop no longer needed libtool build requirement as Meson does + not use it. + + Drop redundant sysconfig-netconfig build requirement as it does + not add anything to the build anymore. + + Drop comment about suse-release build requirement not being + needed anymore, it's been deprecated for almost a decade now. + + Drop setBadness for 'dbus-file-unauthorized' in the rpmlintrc: + the new dbus file has been whitelisted already (bsc#1194799). + +- Split out NetworkManager-pppoe, needed to configure regular PPPoE + connections (Not very common, as most users have PPPoE routers + for the DSL connections). + +- Update to version 1.34.0: + + initrd: wait for both IPv4 and IPv6 with "ip=dhcp,dhcp6" + + core: better handle sd-resolved errors when resolving hostnames + + nmcli: fix import WireGuard profile with DNS domain and address + family disabled + + ndisc: send router solicitations before expiry + + policy: send earlier the ip configs to the DNS manager + + core: support linking with LLD 13 + + wireguard: importing wg-quick configuration files with nmcli + no longer sets a negative, exclusive "dns-priority". This plays + better with common split DNS setups that use systemd-resolved. + Adjust the "dns-priority" to your liking after import yourself. + + NetworkManager no longer listens for netlink events for traffic + control objects (qdiscs and filters). + + core: add internal nm-priv-helper service for separating + privileges and have a way to drop capabilities from + NetworkManager daemon. + + bond: add support for setting queue-id of bond port. + + dns: support configuring DNS over TLS (DoT) with + systemd-resolved. + + nmtui: add support for WireGuard profiles. + + nmcli: add aliases `nmcli device up|down` beside + connect|disconnect. + + conscious language: Deprecate 'Device.Slaves' D-Bus property in + favor of new 'Device.Ports' property. Depracate + 'nm_device_*_get_slaves()' in favor of 'nm_device_get_ports()' + in libnm. 
+ + nmcli: invoking nmcli command without arguments will now show + 'default' instead of null address in route4 or route6 section. +- Refresh patches with quilt. +- Replace addFilter("suse-branding-unversioned-requires*") from + rpmlintrc, with the current branding-requires-unversioned. +- Update our Supplements to current standard. +- Add the new internal nm-priv-helper.service to pre(un)/post(un) + handling. + PackageKit +- Add PackageKit-zypp-dont-remove-locked-packages.patch: zypp: + Check if packages are locked before removing + (gh#PackageKit/PackageKit/commit/8649a07bc, bsc#1199895). +- Add PackageKit-zypp-add-repo-in-packageid.patch: zypp: add + repository data in package id + (gh#PackageKit/PackageKit/commit/8eb2ef0ae, bsc#1202585). +- Remove PackageKit-zypp-locked-packages.patch: reverted upstream + (gh#PackageKit/PackageKit/commit/ed3e38043). + +- Add PackageKit-zypp-dont-refresh-before-searching.patch: + zypp: Don't refresh repos before searching + (gh#PackageKit/PackageKit/commit/58c7c0285, bsc#1199895). + +- Modified PackageKit.spec: bump libzypp dependency version to + 17.31.0. +- Add PackageKit-zypp-avoid-statuReset.patch: zypp: Avoid + statuReset() on locked packages + (gh#PackageKit/PackageKit/commit/dd1964255, bsc#1199895). +- Add PackageKit-zypp-disable-upgrade-system-in-sle.patch: zypp: + Disable upgrade-system support in SLE + (gh#PackageKit/PackageKit/commit/0fcd820c2). +- Add PackageKit-zypp-restore-pool-status-after-simulating-update.patch: + zypp: restore pool status after simulating an update + (gh#PackageKit/PackageKit/commit/2b61a6649, bsc#1199895). +- Add PackageKit-zypp-fix-is-tumbleweed-check.patch: zypp: build + the pool before calling is_tumbleweed() + (gh#PackageKit/PackageKit/commit/146890153). +- Add PackageKit-zypp-update-libzypp-dependency-version.patch: + zypp: update libzypp dependency version + (gh#PackageKit/PackageKit/commit/58c7c0285, bsc#1199895). 
+ +- Add PackageKit-zypp-add-upgrade-system.patch: implement + upgrade-system method(gh#hughsie/PackageKit/commit/930dd201b). + abseil-cpp +- Add options-old.patch + * Make the headers always tell the truth about the ABI to fix + linker error when using new compilers (boo#1203378) +- Add Fix-maes-msse41-leaking-into-pkgconfig.patch + * Do not make programs compiled with abseil require new-ish CPUs (boo#1203379) + acl -- test: Add helper library to fake passwd/group files -- quote: escape literal backslashes (bsc#953659). -- Added patch: - * 0001-test-Add-helper-library-to-fake-passwd-group-files.patch - * 0002-quote-escape-literal-backslashes.patch - -- refresh acl-2.2.52-tests.patch to work with perl 5.26 - -- BuildRequires gettext-tools-mini instead of gettext-tools: as - acl is part of the bootstrap, we want to try to keep the dep - chain as small as possible. - -- Remove --with-pic that's just for static libraries. -- Replace %__-type macro indirections. - Replace old $RPM_ by their macro equivalents for consistency. - Make the macro style consistent across the file again. - -- reenable full Larg File Support for i586 - -- Make it possible to disable tests (for Ring0) -- Add BuildRequires: system-user-daemon for the testsuite - -- Add BuildRequires for system user bin needed by test suite - -- Update to git snapshot dated 21 Sep 2015. 
- - Added: - * 0001-Install-the-libraries-to-the-appropriate-directory.patch - * 0002-setfacl.1-fix-typo-inclu-de-include.patch - * 0003-test-fix-insufficient-quoting-of.patch - * 0004-Makefile-rename-configure.in-to-configure.ac.patch - * 0005-Bad-markup-in-acl.5-page.patch - * 0006-.gitignore-ignore-and-config.h.in.patch - * 0007-Use-autoreconf-rather-than-autoconf-to-regenerate-th.patch - * 0008-libacl-Make-sure-that-acl_from_text-always-sets-errn.patch - * 0009-libacl-fix-SIGSEGV-of-getfacl-e-on-overly-long-group.patch - * 0010-punt-debian-rpm-packaging-logic.patch - * 0011-move-gettext-logic-into-misc.h.patch - * 0012-test-make-running-parallel-out-of-tree-safe.patch - * 0013-modernize-build-system.patch - * 0014-po-regenerate-files-after-move.patch - * 0015-build-drop-aclincludedir-use-pkgincludedir.patch - * 0016-build-make-use-of-an-aux-dir-to-stow-away-helper-scr.patch - * 0017-build-ship-a-pkgconfig-file-for-libacl.patch - * 0018-read_acl_-comments-seq-rename-line-to-lineno.patch - * 0019-read_acl_-comments-seq-switch-to-next_line.patch - * 0020-telldir-return-value-and-seekdir-second-parameters-a.patch - * 0021-mark-libmisc-funcs-as-hidden-so-they-are-not-exporte.patch - * 0022-add-__acl_-prefixes-to-internal-symbols.patch - * 0023-cp.test-Check-permissions-of-the-right-file.patch - * 0024-libacl-acl_set_file-Remove-unnecesary-racy-check.patch - * 0025-fix-compilation-with-latest-xattr-git.patch - * 0026-getfacl-Fix-memory-leak.patch - * 0027-Fix-the-display-block-nesting-in-acl.5.patch - * 0028-setfacl-man-page-Minor-wording-improvements.patch - * 0029-getfacl-Fix-minor-resource-leak.patch - * 0030-Do-not-export-symbols-that-are-not-supposed-to-be-ex.patch - * 0031-walk_tree-mark-internal-variables-as-static.patch - * 0032-ignore-configure.lineno.patch -- Signficant spec file restructuring due to 0013-modernize-build-system.patch -- removed builddefs.in.diff - -- Reduce size of filelist by using wildcards; - remove %doc (some locations are always %doc), 
- remove %attr (files already have proper permissions) - -- add acl-2.2.52-tests.patch and enable tests, check section taken - from Fedora package - -- remove gpg-offline calls from bootstrap package - -- Update to new upstream release 2.2.52 - * This release fixes a few build system issues that were found and - merges in a tree walking bug fix. -- Remove acl-fiximplicit.patch (merged upstream), - config-guess-sub-update.diff (no longer applies) -- Sync baselibs.conf with in-.spec obsoletes/provides. - -- add gpg checking - -- use source url - -- Add config-guess-sub-update.diff: - update config.guess/sub to latest state for AArch64 - -- Use OS byteswapping routines, application already Includes - "endian.h" but then goes ahead defining ad-hoc equivalent - functionality (0001-Use-OS-byteswapping-macros.patch) - -- remove useless automake deps - -- patch license to follow spdx.org standard - -- license update: GPL-2.0+;LGPL-2.1+ - SPDX format - -- add automake as buildrequire to avoid implicit dependency - -- Fix provides/Obsoletes - -- Implement shlib package (libacl1) -- Enable libacl-devel on all baselib arches - -- upgrade to 2.2.51 - - Test fixes - -- upgrade to 2.2.50 - - OPTIONS in man pages should be a section heading, not a subsection heading - - Fix a typo in the setfacl man page - - setfacl: Clarify that removing a non-existent acl entry is not an error - - Prevent setfacl --restore from SIGSEGV on malformed restore file - - setfacl: make sure that -R only calls stat(2) on symlinks when it needs to - - libacl: fix potential null pointer dereference - - setfacl: fix restore crash on malformed input - - setfacl: print useful error from read_acl_comments - - setfacl: changing owner and when S_ISUID should be set --restore fix - -- use %_smp_mflags - -- add baselibs.conf as a source -- adjust baselibs.conf for SPARC - -- readded incorrectly removed libattr-devel requires in -devel - -- fixed implicit strchr() usage. 
- -- do not package static libraries -- fix -devel package dependencies - -- Version bump to 2.2.48 - - Document the new flags comments - - Include the S_ISUID, S_ISGID, S_ISVTX flags in the getfacl output, and restore them with "setfacl --restore=file". - - Make sure that getfacl -R only calls stat(2) on symlinks when it needs to - - Stop quoting nonprintable characters in the getfacl output - - Avoid unnecessary but destructive chown calls - - Clarify license notice - alsa-oss +- use https for urls + +- Drop the superfluous buildreq alsa-topology-devel again; + it's no longer mandatory + +- Fix build breakage by the new alsa update; now it requires + alsa-topology-devel + +- Avoid repetition of name in summary. Update description. + +- Update to alsa-oss 1.1.8 (bsc#1181571): + Fix the build with the recent glibc +- Remove obsoleted patch: + remove-libio.patch: + +- remove-libio.patch: don't use obsolete + +- Remove old kludges +- Run spec-cleaner + +- Update to alsa-oss 1.1.6: + * Change FSF address (Franklin Street) +- Use %license file tag + +- Updated to alsa-oss 1.0.28: + All pervious fix patches are obsoleted: + 0002-Add-AM_MAINTAINER_MODE-enable-to-configure.in.patch + 0003-Fix-the-argument-passed-to-snd_pcm_dump_setup.patch + 0004-Workaround-for-aoss-dmix-with-unaligned-rates.patch + +- Fix for dmix with unaligned sample rate: + 0003-Fix-the-argument-passed-to-snd_pcm_dump_setup.patch + 0004-Workaround-for-aoss-dmix-with-unaligned-rates.patch + amarok +- Update to version 2.9.75git.20221114T020258~457db492b4: + * Use VERSION_LESS to compare versions, not STRLESS + * remove test for ecm version which breaks on 5.100 and just + depend on newer ecm version + * Install translations + * Added mandatory AppStream metadata + * Remove CTest/CDash config again + * KDE CI: fix phonon reference + * Use non-deprecated KDEInstallDirs variables + * Complete port away from QTEST_KDEMAIN + * Use more nullptr + * Mark include directories for libraries as SYSTEM + * Port 
away from deprecated KMessageBox::sorry + * Change org.kde.amarok.desktop in order to use "true" instead of + "True" + apparmor +- add profiles-permit-php-fpm-pid-files-directly-under-run.patch + https://gitlab.com/apparmor/apparmor/-/merge_requests/914 (bsc#1202344) + attica-qt5 +- Update to 5.100.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.100.0 +- No code change since 5.99.0 + +- Update to 5.99.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.99.0 +- Changes since 5.98.0: + * Add Qt6 windows CI support + * .gitlab-ci.yml: enable static builds + +- Update to 5.98.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.98.0 +- Changes since 5.97.0: + * Remove CTestConfig.cmake, the repo isn't using my.cdash.org + * Add FreeBSD Qt6 CI support + +- Update to 5.97.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.97.0 +- Changes since 5.96.0: + * Pass the HTTP status code as the MetaData status code + * Properly detect failed jobs + +- Update to 5.96.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.96.0 +- No code change since 5.95.0 + +- Update to 5.95.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.95.0 +- No code change since 5.94.0 + +- Update to 5.94.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.94.0 +- Changes since 5.93.0: + * Require unittests to pass for CI jobs to pass + * Add windows CI + +- Update to 5.93.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.93.0 +- No code change since 5.92.0 + +- Update to 5.92.0 + * New feature release + * For more details please see: + * 
https://kde.org/announcements/frameworks/5/5.92.0 +- Changes since 5.91.0: + * Add Qt6 Android CI + +- Update to 5.91.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.91.0 +- Changes since 5.90.0: + * Add CI qt6 support + autoyast2 +- Fix hash vs keyword arguments in RSpec expectations (bsc#1204871) +- 4.5.10 + +- Add needed packages for kdump even when kdump section is not + defined if product enable kdump by default (bsc#1204180) +- 4.5.9 + +- Add support for security policies validation (jsc#SLE-24764). + binutils +- Add binutils-maxpagesize.diff for a problem on old code + streams, where we would generate too large binaries. + +- s390-pic-dso.diff: use %pB instead of %B + +- SLE toolchain update of binutils. Update to 2.39 from 2.37, + which means obsoleting and hence removing these patches: + binutils-add-efi-aarch64-1.diff, binutils-add-efi-aarch64-2.diff, + binutils-add-efi-aarch64-3.diff, binutils-fix-keepdebug.diff, + binutils-add-z16-name.diff. + Implements [jsc#SLE-25046, jsc#PED-2029, jsc#PED-2035, jsc#PED-2033, + jsc#PED-2030, jsc#PED-2038, jsc#PED-2032, jsc#PED-2034, jsc#PED-2031, + jsc#SLE-25047] +- This fixes these CVEs relative to 2.37: + [bsc#1188374, bsc#1185597] aka (GCC) PR99935 aka CVE-2021-3648 + [bsc#1193929] aka PR28694 aka CVE-2021-45078 + [bsc#1194783] aka (GCC) PR98886 aka CVE-2021-46195 + [bsc#1197592] aka (GCC) PR105039 aka CVE-2022-27943 + [bsc#1202966] aka PR29289 aka CVE-2022-38126 + [bsc#1202967] aka PR29290 aka CVE-2022-38127 + [bsc#1202969] aka CVE-2021-3826 + +- Add binutils-pr29482.diff for PR29482, aka CVE-2022-38533 + [bsc#1202816] + +- Rebase binutils-2.39-branch.diff.gz that contains fix for PR29451. + +- Add binutils-2.39-branch.diff.gz. +- Explicitly enable --enable-warn-execstack=yes and --enable-warn-rwx-segments=yes. +- Add gprofng subpackage. + +- Update to binutils 2.39: + * The ELF linker will now generate a warning message if the stack is made + executable. 
Similarly it will warn if the output binary contains a + segment with all three of the read, write and execute permission + bits set. These warnings are intended to help developers identify + programs which might be vulnerable to attack via these executable + memory regions. + The warnings are enabled by default but can be disabled via a command + line option. It is also possible to build a linker with the warnings + disabled, should that be necessary. + * The ELF linker now supports a --package-metadata option that allows + embedding a JSON payload in accordance to the Package Metadata + specification. + * In linker scripts it is now possible to use TYPE= in an output + section description to set the section type value. + * The objdump program now supports coloured/colored syntax + highlighting of its disassembler output for some architectures. + (Currently: AVR, RiscV, s390, x86, x86_64). + * The nm program now supports a --no-weak/-W option to make it ignore + weak symbols. + * The readelf and objdump programs now support a -wE option to prevent + them from attempting to access debuginfod servers when following + links. + * The objcopy program's --weaken, --weaken-symbol, and + - -weaken-symbols options now works with unique symbols as well. +- Rebase binutils-compat-old-behaviour.diff, binutils-revert-hlasm-insns.diff, + binutils-revert-plt32-in-branches.diff and remove binutils-2.38-branch.diff.gz. +- For now use --disable-gprofng. +- Includes fixes for these CVEs: + bnc#1142579 aka CVE-2019-1010204 aka PR23765 + +(Fake entry from SLE for tracking purposes:) +- Use https for variosu links. + +- Update binutils-2.38-branch.diff.gz (to 93054037f1e304e) + in order to include PR29087. + +- Enable multitarget build on riscv64 +- On SLE15 and later, use make -Oline to synchronize configure output by + lines + +(Fake entry from SLE for tracking purposes:) +- Renumber Sources. + +- Fix ExcludeArch for ppc. + +- Make multibuild utilize only the main binutils.spec file. 
+- Remove not needed README.First-for.SUSE.packagers, pre_checkin.sh. + +- Start using _multibuild for cross binutils. + + (forward port from SLE) +- Update binutils-2.38-branch.diff.gz (to c210342d7f5) to include + recognition of 'z16' name for 'arch14' on s390. [bsc#1198237] + +(Fake entry from SLE for tracking purposes:) +- Add usage of a SUSE_ZNOW environment variable which allows switching + on "-z now" by default using "export SUSE_ZNOW=1", similar to + the SUSE_ASNEEDED variable. Adds binutils-znow.patch. + +- Update binutils-skip-rpaths.patch: add back fix for boo#1191473, + which got lost in the update to 2.38. + +- Update binutils-2.38-branch.diff.gz in order to include PR28879. + +- From Stefan Brüns : + * Install symlinks for all target specific tools on + arm-eabi-none [bsc#1185712] + +- Do not re-generate ld/ldlex.c, ld/ldgram.c, ld/ldgram.h and verify + that corresponding flex/bison files are not modified by a patch. + +- Use verbose mode for make for cross compilers. + +- Make it build on SLE-11 again. + +- Use verbose mode for make. + +- Update to binutils 2.38: + * elfedit: Add --output-abiversion option to update ABIVERSION. + * Add support for the LoongArch instruction set. + * Tools which display symbols or strings (readelf, strings, nm, objdump) + have a new command line option which controls how unicode characters are + handled. By default they are treated as normal for the tool. Using + - -unicode=locale will display them according to the current locale. + Using --unicode=hex will display them as hex byte values, whilst + - -unicode=escape will display them as escape sequences. In addition + using --unicode=highlight will display them as unicode escape sequences + highlighted in red (if supported by the output device). + * readelf -r dumps RELR relative relocations now. + * Support for efi-app-aarch64, efi-rtdrv-aarch64 and efi-bsdrv-aarch64 has been + added to objcopy in order to enable UEFI development using binutils. 
+ * ar: Add --thin for creating thin archives. -T is a deprecated alias without + diagnostics. In many ar implementations -T has a different meaning, as + specified by X/Open System Interface. + * Add support for AArch64 system registers that were missing in previous + releases. + * Add support for the LoongArch instruction set. + * Add a command-line option, -muse-unaligned-vector-move, for x86 target + to encode aligned vector move as unaligned vector move. + * Add support for Cortex-R52+ for Arm. + * Add support for Cortex-A510, Cortex-A710, Cortex-X2 for AArch64. + * Add support for Cortex-A710 for Arm. + * Add support for Scalable Matrix Extension (SME) for AArch64. + * The --multibyte-handling=[allow|warn|warn-sym-only] option tells the + assembler what to when it encoutners multibyte characters in the input. The + default is to allow them. Setting the option to "warn" will generate a + warning message whenever any multibyte character is encountered. Using the + option to "warn-sym-only" will make the assembler generate a warning whenever a + symbol is defined containing multibyte characters. (References to undefined + symbols will not generate warnings). + * Outputs of .ds.x directive and .tfloat directive with hex input from + x86 assembler have been reduced from 12 bytes to 10 bytes to match the + output of .tfloat directive. + * Add support for 'armv8.8-a', 'armv9-a', 'armv9.1-a', 'armv9.2-a' and + 'armv9.3-a' for -march in AArch64 GAS. + * Add support for 'armv8.7-a', 'armv8.8-a', 'armv9-a', 'armv9.1-a', + 'armv9.2-a' and 'armv9.3-a' for -march in Arm GAS. + * Add support for Intel AVX512_FP16 instructions. + * Add -z pack-relative-relocs/-z no pack-relative-relocs to x86 ELF + linker to pack relative relocations in the DT_RELR section. + * Add support for the LoongArch architecture. + * Add -z indirect-extern-access/-z noindirect-extern-access to x86 ELF + linker to control canonical function pointers and copy relocation. 
+ * Add --max-cache-size=SIZE to set the the maximum cache size to SIZE + bytes. +- Add binutils-2.38-branch.diff.gz. +- Removed deletion of man pages as they should be properly packages + in tarball. +- Rebased patches: aarch64-common-pagesize.patch, add-ulp-section.diff, + binutils-bfd_h.patch, binutils-revert-nm-symversion.diff, + binutils-revert-plt32-in-branches.diff, binutils-skip-rpaths.patch + and binutils-compat-old-behaviour.diff. + +- Enable PRU architecture for AM335x CPU (Beagle Bone Black board) + +- use fdupes on datadir +- remove RPM_BUILD_ROOT usage and other cleanups + +- Rebase binutils-2.37-branch.diff: fixes PR28494. + busybox +- Fix build under SLE-12 + +- Annotate CVEs already fixed in upstream, but not mentioned in .changes: + * CVE-2014-9645 (bsc#914660): strips of / in module names that can lead to loading unwanted modules + +- prepare spec file for rpmbuild --build-in-place --noprep +- use bcond for static and ww3 subpackages +- fix verbose flag + +- Enable switch_root + With this change virtme --force-initramfs works as expected. + +- Enable udhcpc + +- BuildRequire hostname: the test suite wants to compare the output + of 'hostname' against 'busybox hostname'. We should not rely + hostname to be present in the build environment. + +- Update to 1.35.0 + - awk: fix printf %%, fix read beyond end of buffer + - chrt: silence analyzer warning + - libarchive: remove duplicate forward declaration + - mount: "mount -o rw ...." 
should not fall back to RO mount + - ps: fix -o pid=PID,args interpreting entire "PID,args" as header + - tar: prevent malicious archives with long name sizes causing OOM + - udhcpc6: fix udhcp_find_option to actually find DHCP6 options + - xxd: fix -p -r + - support for new optoins added to basename, cpio, date, find, + mktemp, wget and others +- Adjust busybox.config for new features in find, date and cpio + +- Annotate CVEs already fixed in upstream, but not mentioned in .changes: + * CVE-2017-16544 (bsc#1069412): Insufficient sanitization of filenames when autocompleting + * CVE-2015-9261 (bsc#1102912): huft_build misuses a pointer, causing segfaults + * CVE-2016-2147 (bsc#970663): out of bounds write (heap) due to integer underflow in udhcpc + * CVE-2016-2148 (bsc#970662): heap-based buffer overflow in OPTION_6RD parsing + * CVE-2016-6301 (bsc#991940): NTP server denial of service flaw + * CVE-2017-15873 (bsc#1064976): The get_next_block function in archival/libarchive/decompress_bunzip2.c has an Integer Overflow + * CVE-2017-15874 (bsc#1064978): archival/libarchive/decompress_unlzma.c has an Integer Underflow + * CVE-2019-5747 (bsc#1121428): out of bounds read in udhcp components + * CVE-2021-42373, CVE-2021-42374, CVE-2021-42375, CVE-2021-42376, + CVE-2021-42377, CVE-2021-42378, CVE-2021-42379, CVE-2021-42380, + CVE-2021-42381, CVE-2021-42382, CVE-2021-42383, CVE-2021-42384, + CVE-2021-42385, CVE-2021-42386 (bsc#1192869) : v1.34.0 bugfixes + - CVE-2021-28831 (bsc#1184522): invalid free or segmentation fault via malformed gzip data + - CVE-2018-20679 (bsc#1121426): out of bounds read in udhcp + - CVE-2018-1000517 (bsc#1099260): Heap-based buffer overflow in the retrieve_file_data() + - CVE-2011-5325 (bsc#951562): tar directory traversal + - CVE-2018-1000500 (bsc#1099263): wget: Missing SSL certificate validation + chromium +- Chromium 107.0.5304.121 (boo#1205736) + * CVE-2022-4135: Heap buffer overflow in GPU + +- Build with llvm15 on 
openSUSE:Backports:SLE-15-SP5 and up + cpupower +- Update to latest intel-speed-select package version from 1.10 to 1.13 + (jsc#PED-2137): + 1.13: + * Fix build failure when using gcc options -Wl,--as-needed + * Fix warning for perf_cap.cpu may be uninitialized + * Fix off by one check for MAX_DIE_PER_PACKAGE + * Fix issue with use of get_physical_die_id instead of + get_physical_die_id + * Warn if turbo is disabled and SST turbo-freq feature is requested + 1.12: + * Allows out of band SST support, where some remote agent + changes SST profiles via some Board Management Controller. + * HFI support to process config level changes in oob mode + 1.11: + * Update max performance when BIOS disabled turbo + - jsc#PED-394 + jsc#PED-1028 - jsc#PED-393 + jsc#PED-1027 - jsc#PED-391 + jsc#PED-1029 + Add RPL-S platform to Turbostat + jsc#PED-1026 - jsc#PED-2065 + jsc#PED-2066 dconf +- Bring back 0001-gvdb-Restore-permissions-on-changed-files.patch + since the useful fix was never merged to upstream (bsc#971074 + bgo#758066 bsc#1203344). + digikam +- Explicitly use FFmpeg 4 to build Digikam for the moment + duktape +- duktape-link-m.patch: link against libm for sin() and related functions, + in case the compiler with -Os creates external references. 
bsc#1205805 + emacs +- Add upstream commit as patch d48bb487.patch (bsc#1205822, CVE-2022-45939) + * shell command injection via source code files when using ctags + expat -- Security fix: - * (CVE-2022-43680, bsc#1204708) use-after free caused by overeager - destruction of a shared DTD in XML_ExternalEntityParserCreate in - out-of-memory situations - - Added patch expat-CVE-2022-43680.patch - -- Security fix: - * (CVE-2022-40674, bsc#1203438) use-after-free in the doContent - function in xmlparse.c - - Added patch expat-CVE-2022-40674.patch - -- Security fixes: - * (CVE-2022-25236, bsc#1196784) [>=2.4.5] Fix to CVE-2022-25236 - breaks biboumi, ClairMeta, jxmlease, libwbxml, - openleadr-python, rnv, xmltodict - - Added expat-CVE-2022-25236-relax-fix.patch - -- Security fixes: - * (CVE-2022-25236, bsc#1196025) Expat before 2.4.5 allows - attackers to insert namespace-separator characters into - namespace URIs - - Added expat-CVE-2022-25236.patch - * (CVE-2022-25235, bsc#1196026) xmltok_impl.c in Expat before - 2.4.5 does not check whether a UTF-8 character is valid in a - certain context. - - Added expat-CVE-2022-25235.patch - * (CVE-2022-25313, bsc#1196168) Stack exhaustion in - build_model() via uncontrolled recursion - - Added expat-CVE-2022-25313.patch - - The fix upstream introduced a regression that was later - amended in 2.4.6 version - + Added expat-CVE-2022-25313-fix-regression.patch - * (CVE-2022-25314, bsc#1196169) Integer overflow in copyString - - Added expat-CVE-2022-25314.patch - * (CVE-2022-25315, bsc#1196171) Integer overflow in storeRawNames - - Added expat-CVE-2022-25315.patch - -- Update to latest version 2.4.4 in SLE-15-SP4 [jsc#SLE-21253] - -- update to 2.4.4 (bsc#1195217, bsc#1195054): - * Security fixes: - - CVE-2022-23852 -- Fix signed integer overflow - (undefined behavior) in function XML_GetBuffer - that is also called by function XML_Parse internally) - for when XML_CONTEXT_BYTES is defined to >0 (which is both - common and default). 
- Impact is denial of service or more. - - CVE-2022-23990 -- Fix unsigned integer overflow in function - doProlog triggered by large content in element type - declarations when there is an element declaration handler - present (from a prior call to XML_SetElementDeclHandler). - Impact is denial of service or more. - * Bug fixes: - - xmlwf: Fix a memory leak on output file opening error - * Other changes: - - Version info bumped from 9:3:8 to 9:4:8; - see https://verbump.de/ for what these numbers do - * Drop unused file valid-xhtml10.png - -- update to 2.4.3 (bsc#1194251, bsc#1194362, bsc#1194474, - bsc#1194476, bsc#1194477, bsc#1194478, bsc#1194479, bsc#1194480): - * CVE-2021-45960 -- Fix issues with left shifts by >=29 places - resulting in - a) realloc acting as free - b) realloc allocating too few bytes - c) undefined behavior - depending on architecture and precise value - for XML documents with >=2^27+1 prefixed attributes - on a single XML tag a la - "" - where XML_ParserCreateNS is used to create the parser - (which needs argument "-n" when running xmlwf). - Impact is denial of service, or more. - * CVE-2021-46143 (ZDI-CAN-16157) -- Fix integer overflow - on variable m_groupSize in function doProlog leading - to realloc acting as free. - Impact is denial of service or more. - * CVE-2022-22822 to CVE-2022-22827 -- Prevent integer overflows - near memory allocation at multiple places. Mitre assigned - a dedicated CVE for each involved internal C function: - - CVE-2022-22822 for function addBinding - - CVE-2022-22823 for function build_model - - CVE-2022-22824 for function defineAttribute - - CVE-2022-22825 for function lookup - - CVE-2022-22826 for function nextScaffoldPart - - CVE-2022-22827 for function storeAtts - Impact is denial of service or more. 
- -- update to 2.4.2: - * Link againgst libm for function "isnan" - * Include expat_config.h as early as possible - * Autotools: Include files with release archives: - - buildconf.sh - - fuzz/*.c - * Autotools: Sync CMake templates - * docs: Document that function XML_GetBuffer may return NULL - when asking for a buffer of 0 (zero) bytes size - * docs: Fix return value docs for both - XML_SetBillionLaughsAttackProtection* functions - * Version info bumped from 9:1:8 to 9:2:8 - -- Update to 2.4.1 in SLE-15-SP4 [jsc#SLE-21253] - * Remove expat-CVE-2018-20843.patch upstream - -- Update to 2.4.1: - * Bug fixes: - - Autotools: Fix installed header expat_config.h for multilib - systems; regression introduced in 2.4.0 by pull request #486 - * Other changes: - - Version info bumped from 9:0:8 to 9:1:8; see - https://verbump.de/ for what these numbers do - -- Update to 2.4.0: [CVE-2013-0340 "Billion Laughs"] - * Security fixes: - - CVE-2013-0340/CWE-776 -- Protect against billion laughs attacks - (denial-of-service; flavors targeting CPU time or RAM or both, - leveraging general entities or parameter entities or both) - by tracking and limiting the input amplification factor - ( := ( + ) / ). - By conservative default, amplification up to a factor of 100.0 - is tolerated and rejection only starts after 8 MiB of output bytes - (= + ) have been processed. - The fix adds the following to the API: - - A new error code XML_ERROR_AMPLIFICATION_LIMIT_BREACH to - signals this specific condition. - - Two new API functions .. - - XML_SetBillionLaughsAttackProtectionMaximumAmplification and - - XML_SetBillionLaughsAttackProtectionActivationThreshold - .. to further tighten billion laughs protection parameters - when desired. Please see file "doc/reference.html" for details. - If you ever need to increase the defaults for non-attack XML - payload, please file a bug report with libexpat. - - Two new XML_FEATURE_* constants .. 
- - that can be queried using the XML_GetFeatureList function, and - - that are shown in "xmlwf -v" output. - - Two new environment variable switches .. - - EXPAT_ACCOUNTING_DEBUG=(0|1|2|3) and - - EXPAT_ENTITY_DEBUG=(0|1) - .. for runtime debugging of accounting and entity processing. - Specific behavior of these values may change in the future. - - Two new command line arguments "-a FACTOR" and "-b BYTES" - for xmlwf to further tighten billion laughs protection - parameters when desired. - If you ever need to increase the defaults for non-attack XML - payload, please file a bug report with libexpat. - * Bug fixes: - - For (non-default) compilation with -DEXPAT_MIN_SIZE=ON (CMake) - or CPPFLAGS=-DXML_MIN_SIZE (GNU Autotools): Fix segfault - for UTF-16 payloads containing CDATA sections. - - Autotools: Fix generated CMake files for non-64bit and - non-Linux platforms (e.g. macOS and MinGW in particular) - that were introduced with release 2.3.0 - * Other changes: - - xmlwf: Improve help output and the xmlwf man page - - xmlwf: Improve maintainability through some refactoring - - xmlwf: Fix man page DocBook validity - - CMake: Support absolute paths for both CMAKE_INSTALL_LIBDIR - and CMAKE_INSTALL_INCLUDEDIR - - CMake: Add support for standard variable BUILD_SHARED_LIBS - - Unexpose symbol _INTERNAL_trim_to_complete_utf8_characters - - Resolve macro HAVE_EXPAT_CONFIG_H - - Delete unused legacy helper file "conftools/PrintPath" - - doc/reference.html: Fix XHTML validity - - doc/reference.html: Replace the 90s look by OK.css - - Version info bumped from 8:0:7 to 9:0:8 due to addition of - new symbols and error codes; see https://verbump.de/ for - what these numbers do - -- Do not BuildRequire cmake: expat is part of the distro bootstrap - cycle and any additional dependency makes the ring larger. In - this case here, cmake was even only used to own a directory. 
- -- update to 2.3.0: - * When calling XML_ParseBuffer without a prior successful call to - XML_GetBuffer as a user, no longer trigger undefined behavior - (by adding an integer to a NULL pointer) but rather return - XML_STATUS_ERROR and set the error code to (new) code - XML_ERROR_NO_BUFFER. Found by UBSan (UndefinedBehaviorSanitizer) - of Clang 11 (but not Clang 9). - * xmlwf: Exit status 2 was used for both: - - malformed input files (documented) and - - invalid command-line arguments (undocumented). - case of invalid command-line arguments now - has its own exit status 4, resolving the ambiguity. - * Other changes - -- Update to 2.2.10: - * Bug fixes: - - Fix undefined behavior during parsing caused by pointer - arithmetic with NULL pointers - - Fix reading uninitialized variable during parsing - - xmlwf: Add missing check for malloc NULL return - * Other changes: - - xmlwf: Document exit codes in xmlwf manpage and exit with code 3 - (rather than code 1) for output errors when used with "-d DIRECTORY" - - Autotools: Use -Werror while configure tests the compiler for - supported compile flags to avoid false positives - - Autotools: Improve handling of user (C|CPP|CXX|LD)FLAGS, e.g. - ensure that they have the last word over flags added while - running ./configure - - CMake: Create libexpatw.{dll,so} and expatw.pc (with emphasis - on suffix "w") with -DEXPAT_CHAR_TYPE=(ushort|wchar_t) - - CMake: Detect and deny unsupported build combinations - involving -DEXPAT_CHAR_TYPE=(ushort|wchar_t) - - CMake: Install pre-compiled shipped xmlwf.1 manpage in case - of -DEXPAT_BUILD_DOCS=OFF - - CMake: Fix use of Expat by means of add_subdirectory - - CMake: Keep expat target name constant at "expat" (i.e. 
refrain - from using the target name to control build artifact filenames) - - CMake: Expose man page compilation as target "xmlwf-manpage" - - CMake: Introduce option EXPAT_BUILD_PKGCONFIG to control - generation of pkg-config file "expat.pc" - - CMake: Add minimalistic support for building binary packages - with CMake target "package"; based on CPack - - CMake: Add option -DEXPAT_OSSFUZZ_BUILD=(ON|OFF) with default - OFF to build fuzzer code against OSS-Fuzz and related - environment variable LIB_FUZZING_ENGINE - - Fix testsuite for -DEXPAT_DTD=OFF and -DEXPAT_NS=OFF - - Address compiler warnings - - Address pngcheck warnings with doc/*.png images: Version info - bumped from 7:11:6 to 7:12:6 - -- Version update to 2.2.9 - * Other changes: - - examples: Drop executable bits from elements.c - [#349] Windows: Change the name of the Windows DLLs from expat*.dll - to libexpat*.dll once more (regression from 2.2.8, first - fixed in 1.95.3, issue #61 on SourceForge today, - was issue #432456 back then); needs a fix due - case-insensitive file systems on Windows and the fact that - Perl's XML::Parser::Expat compiles into Expat.dll. - [#347] Windows: Only define _CRT_RAND_S if not defined - Version info bumped from 7:10:6 to 7:11:6 - -- Version update to 2.2.8 - * Security fixes: (CVE-2019-15903, bsc#1149429) - - CVE-2019-15903 -- Fix heap overflow triggered by XML_GetCurrentLineNumber - (or XML_GetCurrentColumnNumber), and deny internal entities closing the doctype; - * Bug fixes: - - Fix cases where XML_StopParser did not have any effect - when called from inside of an end element handler - - xmlwf: Fix exit code for operation without "-d DIRECTORY"; - previously, only "-d DIRECTORY" would give you a proper exit code: - Now both cases return exit code 2. 
- * Other changes: - - examples: Improve elements.c - - Autotools: Add argument --enable-xml-attr-info - - Autotools: Add arguments --with-getrandom --without-getrandom --with-sys-getrandom --without-sys-getrandom - - Autotools: Fix linking issues with "./configure LD=clang" - - Autotools: Fix "make run-xmltest" for out-of-source builds - - CMake: Pull all options from Expat <=2.2.7 into namespace - - CMake: Add argument -DEXPAT_ATTR_INFO=(ON|OFF), default OFF - - CMake: Add argument -DEXPAT_LARGE_SIZE=(ON|OFF), default OFF - - CMake: Add argument -DEXPAT_MIN_SIZE=(ON|OFF), default OFF - - CMake: Add arguments -DEXPAT_WITH_GETRANDOM=(ON|OFF|AUTO), default AUTO - - CMake: Add arguments -DEXPAT_WITH_SYS_GETRANDOM=(ON|OFF|AUTO), default AUTO - - CMake: Install expat_config.h to include directory - - CMake: Generate and install configuration files for future find_package(expat [..] CONFIG [..]) - - CMake: Now produces a summary of applied configuration - - CMake: Require C++ compiler only when tests are enabled - - CMake: Fix compilation for 16bit character types, i.e. 
ex -DXML_UNICODE=ON (and ex -DXML_UNICODE_WCHAR_T=ON) - - CMake: Port "make run-xmltest" from GNU Autotools to CMake - - CMake: Integrate OSS-Fuzz fuzzers, option -DEXPAT_BUILD_FUZZERS=(ON|OFF), default OFF -- Removed patches fixed in the update: - * expat-CVE-2019-15903.patch - * expat-CVE-2019-15903-tests.patch - -- Security fix (CVE-2019-15903, bsc#1149429) - * Crafted XML input results in heap-based buffer over-read by fooling - the parser into changing from DTD parsing to document parsing - * Added patches: - - expat-CVE-2019-15903.patch - - expat-CVE-2019-15903-tests.patch - -- Version update to 2.2.7 (CVE-2018-20843, bsc#1139937) - * Security fixes: - - CVE-2018-20843 - Fix extraction of namespace prefixes from - XML names; XML names with multiple colons could end up in - the wrong namespace, and take a high amount of RAM and CPU - resources while processing, opening the door to use for - denial-of-service attacks - * Other changes: - - Autotools/CMake: Utilize -fvisibility=hidden to stop - exporting non-API symbols - - Autotools: Add --without-examples and --without-tests - - Autotools: Modernize configure.ac - - Autotools: Fix check for -fvisibility=hidden for Clang - - Autotools: Fix compilation for lack of docbook2x-man - - CMake: Make libdir of pkgconfig expat.pc support multilib - - CMake: Build man page in PROJECT_BINARY_DIR not _SOURCE_DIR - - Remove fallback to bcopy, assume that memmove(3) exists -- Removed expat-2.2.6-fix-make-clean.patch - -- Add expat-2.2.6-fix-make-clean.patch -- Allow profile guided optimization again - -- Drop docbook2x dependency, the manpages are generated in - the upstream archive and this way we break buildcycle - -- Version update to 2.2.6 Sun August 12 2018 - * Bug fixes: - - Avoid doing arithmetic with NULL pointers in XML_GetBuffer - - Fix 2.2.5 regression with suspend-resume while parsing - a document like '' - * Other changes: - - Autotools: Fix docbook-related configure syntax error - - Autotools: Avoid grep option 
`-q` for Solaris - - Autotools: Support - ./configure DOCBOOK_TO_MAN="xmlto man --skip-validation" - - Autotools: Support DOCBOOK_TO_MAN command which produces - xmlwf.1 rather than XMLWF.1; also covers case insensitive - file systems - - Autotools: Drop -rpath option passed to libtool - - Autotools: Detect and deny SGML docbook2man as ours is XML - - Autotools/CMake: Support command db2x_docbook2man as well - - CMake: Introduce option WARNINGS_AS_ERRORS, defaults to OFF - - CMake: Introduce option MSVC_USE_STATIC_CRT, defaults to OFF - - CMake: Introduce option XML_UNICODE and XML_UNICODE_WCHAR_T, - both defaulting to OFF - - CMake: Prefer check_symbol_exists over check_function_exists - - CMake: Create the same pkg-config file as with GNU Autotools - - CMake: Use GNUInstallDirs module to set proper defaults for - install directories - - CMake: Utilize expat_config.h.cmake for XML_DEV_URANDOM - - Address compiler warnings - - Fix miscellaneous typos - -- Expand description of expat-devel. - -- Do not generate manpages from docbook -- Temporarily disable profiling due to bug in build system - -- Version update to 2.2.5 Tue October 31 2017 - * Bug fixes: - - If the parser runs out of memory, make sure its internal - state reflects the memory it actually has, not the memory - it wanted to have. - - The default handler wasn't being called when it should for - a SYSTEM or PUBLIC doctype if an entity declaration handler - was registered. 
- - Fix a case of mistakenly reported parsing success where - XML_StopParser was called from an element handler - - Function XML_ErrorString was returning NULL rather than - a message for code XML_ERROR_INVALID_ARGUMENT - introduced with release 2.2.1 - * Other changes: - - Add argument -N adding notation declarations - - various compiler-specific fixes - - Improve docbook2x-man detection -- drop expat-docbook.patch - * fixed in 0f5186c7b8e503c669e332d944712de010b265f3 -- switch to github for release tarballs and website - -- Version update to 2.2.4 Sat August 19 2017 - * Bug fixes: - [#115] Fix copying of partial characters for UTF-8 input - * Other changes: - [#109] Fix "make check" for non-x86 architectures that default - to unsigned type char (-128..127 rather than 0..255) - [#109] coverage.sh: Cover -funsigned-char - Autotools: Introduce --without-xmlwf argument - [#65] Autotools: Replace handwritten Makefile with GNU Automake - [#43] CMake: Auto-detect high quality entropy extractors, add new - option USE_libbsd=ON to use arc4random_buf of libbsd - [#74] CMake: Add -fno-strict-aliasing only where supported - [#114] CMake: Always honor manually set BUILD_* options - [#114] CMake: Compile man page if docbook2x-man is available, only - [#117] Include file tests/xmltest.log.expected in source tarball - (required for "make run-xmltest") - [#111] Fix some typos in documentation - Version info bumped from 7:5:6 to 7:6:6 -- Release 2.2.3 Wed August 2 2017 - * Bug fixes: - [#85] Fix a dangling pointer issue related to realloc - * Other changes: - [#91] Linux: Allow getrandom to fail if nonblocking pool has not - yet been initialized and read /dev/urandom then, instead. - This is in line with what recent Python does. 
- [#86] Check that a UTF-16 encoding in an XML declaration has the - right endianness - [#4] #5 #7 Recover correctly when some reallocations fail - Repair "./configure && make" for systems without any - provider of high quality entropy - and try reading /dev/urandom on those - Ensure that user-defined character encodings have converter - functions when they are needed - Fix mis-leading description of argument -c in xmlwf.1 - Rely on macro HAVE_ARC4RANDOM_BUF (rather than __CloudABI__) - for CloudABI - [#100] Fix use of SIPHASH_MAIN in siphash.h - [#23] Test suite: Fix memory leaks - Version info bumped from 7:4:6 to 7:5:6 -- Release 2.2.2 Wed July 12 2017 - * Security fixes: - [#43] Protect against compilation without any source of high - quality entropy enabled, e.g. with CMake build system; - * [MOX-006] Fix non-NULL parser parameter validation in XML_Parse; - resulted in NULL dereference, previously; - * Bug fixes: - [#69] Fix improper use of unsigned long long integer literals - * Other changes: - [#73] Start requiring a C99 compiler - [#49] Fix "==" Bashism in configure script - [#58] Address compile warnings - [#68] Fix "./buildconf.sh && ./configure" for some versions - of Dash for /bin/sh - [#72] CMake: Ease use of Expat in context of a parent project - with multiple CMakeLists.txt files - [#72] CMake: Resolve mistaken executable permissions - [#76] Address compile warning with -DNDEBUG (not recommended!) 
- [#77] Address compile warning about macro redefinition - * Added patch expat-docbook.patch to compile the man pages with - docbook-to-man - * Cleaned spec file with spec-cleaner - -- Allow building when do_profiling is undefined - -- Build with profiling when possible - -- Version update to 2.2.1 Sat June 17 2017 - - Security fixes: - CVE-2017-9233 / bsc#1047236 -- External entity infinite loop DoS - Details: https://libexpat.github.io/doc/cve-2017-9233/ - Commit c4bf96bb51dd2a1b0e185374362ee136fe2c9d7f - - [MOX-002] CVE-2016-9063 / bsc#1047240 -- Detect integer overflow; - (Fixed version of existing downstream patches!) - - (SF.net) #539 Fix regression from fix to CVE-2016-0718 cutting off - longer tag names; - [#25] More integer overflow detection (function poolGrow); - - [MOX-002] Detect overflow from len=INT_MAX call to XML_Parse; - - [MOX-005] #30 Use high quality entropy for hash initialization: - * arc4random_buf on BSD, systems with libbsd - (when configured with --with-libbsd), CloudABI - * RtlGenRandom on Windows XP / Server 2003 and later - * getrandom on Linux 3.17+ - In a way, that's still part of CVE-2016-5300. - https://github.com/libexpat/libexpat/pull/30/commits - - [MOX-005] For the low quality entropy extraction fallback code, - the parser instance address can no longer leak, - - [MOX-003] Prevent use of uninitialised variable; commit - - [MOX-004] a4dc944f37b664a3ca7199c624a98ee37babdb4b - Add missing parameter validation to public API functions - and dedicated error code XML_ERROR_INVALID_ARGUMENT: - - [MOX-006] * NULL checks; commits - * Negative length (XML_Parse); commit - - [MOX-002] 70db8d2538a10f4c022655d6895e4c3e78692e7f - - [MOX-001] #35 Change hash algorithm to William Ahern's version of SipHash - to go further with fixing CVE-2012-0876. 
- https://github.com/libexpat/libexpat/pull/39/commits - - Bug fixes: - [#32] Fix sharing of hash salt across parsers; - relevant where XML_ExternalEntityParserCreate is called - prior to XML_Parse, in particular (e.g. FBReader) - [#28] xmlwf: Auto-disable use of memory-mapping (and parsing - as a single chunk) for files larger than ~1 GB (2^30 bytes) - rather than failing with error "out of memory" - [#3] Fix double free after malloc failure in DTD code; commit - 7ae9c3d3af433cd4defe95234eae7dc8ed15637f - [#17] Fix memory leak on parser error for unbound XML attribute - prefix with new namespaces defined in the same tag; - found by Google's OSS-Fuzz; commits - xmlwf on Windows: Add missing calls to CloseHandle - - New features: - [#30] Introduced environment switch EXPAT_ENTROPY_DEBUG=1 - for runtime debugging of entropy extraction - Bump version info from 7:2:6 to 7:3:6 - -- Remove pointless --with-pic (for static only) - -- Version update to 2.2.0: - * Fixes bnc#983215 CVE-2012-6702 - * Fixes bnc#983216 CVE-2016-5300 - * Various cmake and autotools script updates - * Fix detection of utf8 character boundaries -- Remove all patches merged upstream: - * expat-2.1.1-avoid_relying_on_undef_behaviour.patch - * expat-2.1.1-parser_crashes_on_malformed_input.patch - * expat-alloc-size.patch - * expat-visibility.patch - -- add expat-2.1.1-avoid_relying_on_undef_behaviour.patch to avoid - relying on undefined behavior in the original CVE-2015-1283 fix - [bnc#980391], [bnc#983985], [CVE-2016-4472] -- add expat-2.1.1-parser_crashes_on_malformed_input.patch to fix - Expat XML parser that mishandles certain kinds of malformed input - documents [bnc#979441], [CVE-2016-0718] -- use spec-cleaner to clean specfile - -- After simplification of expat-visibility.patch, it became - uneffective as no symbols are getting hidden. add - - fvisibility=hidden to CFLAGS again. 
-- expat-alloc-size.patch: fix braino, realloc()-like functions - should not take __attribute__(malloc) - -- Update to version 2.1.1 - * Fixes CVE-2015-1283 — Multiple integer overflows in the - XML_GetBuffer function - * Fix potential null pointer dereference - * Symbol XML_SetHashSalt was not exported - * Output of xmlwf -h was incomplete - * Document behavior of calling XML_SetHashSalt with salt 0 - * Minor improvements to man page xmlwf(1) -- Simplify expat-visibility.patch, refresh expat-alloc-size.patch -- Drop config-guess-sub-update.patch, fixed upstream. - -- Cleanup spec file with spec-cleaner -- Remove old ppc obsoletes/provides - ffmpeg-4 +- Add ffmpeg-CVE-2022-3964.patch: Backport from upstream to fix + out of bounds read in update_block_in_prev_frame() (bsc#1205388). + freerdp +- Add freerdp-CVE-2022-39318.patch (bsc#1205563) + * Fixed division by zero in urbdrc +- Add freerdp-CVE-2022-39319.patch (bsc#1205564) + * Fixed missing input buffer length check in urbdrc + +- Add freerdp-CVE-2022-39282.patch (bsc#1204258) + * Fix to init data read by `/parallel` command line switch +- Add freerdp-CVE-2022-39283.patch (bsc#1204257) + * Fix to prevent video channel from reading uninitialized data + freetype2 +- disable brotli linkage / WOFF2 support for now to keep dependencies + as before. + +- Added patches: + * CVE-2022-27404.patch + + fixes bsc#1198830, CVE-2022-27404: Buffer Overflow + * CVE-2022-27405.patch + + fixes bsc#1198832, CVE-2022-27405: Segmentation Fault + * CVE-2022-27406.patch + + fixes bsc#1198823, CVE-2022-27406: Segmentation violation + +- Update to version 2.10.4 + * Fix a heap buffer overflow has been found in the handling of + embedded PNG bitmaps, introduced in FreeType version 2.6 + (CVE-2020-15999 bsc#1177914) + * Minor improvements to the B/W rasterizer. + * Auto-hinter support for Medefaidrin script. + * Fix various memory leaks (mainly for CFF) and other issues that + might cause crashes in rare circumstances. 
+ +- Update to version 2.10.2 + * Support for WOFF2 fonts, add BR on pkgconfig(libbrotlidec) + * Function `FT_Get_Var_Axis_Flags' returned random data for Type 1 + MM fonts. + * Type 1 fonts with non-integer metrics are now supported by the new + (CFF) engine introduced in FreeType 2.9. + * Drop support for Python 2 in Freetype's API reference generator + * Auto-hinter support for Hanifi Rohingya + * Document the `FT2_KEEP_ALIVE' debugging environment variable. + +- Use the compiler default C std, since 2012 gcc defaults + have changed, we now only need to get rid of ANSIFLAGS, override + that variable instead. + +- Update to version 2.10.1 + * The bytecode hinting of OpenType variation fonts was flawed, since + the data in the `CVAR' table wasn't correctly applied. + * Auto-hinter support for Mongolian. + * The handling of the default character in PCF fonts as introduced + in version 2.10.0 was partially broken, causing premature abortion + of charmap iteration for many fonts. + * If `FT_Set_Named_Instance' was called with the same arguments + twice in a row, the function returned an incorrect error code the + second time. + * Direct rendering using FT_RASTER_FLAG_DIRECT crashed (bug + introduced in version 2.10.0). + * Increased precision while computing OpenType font variation + instances. + * The flattening algorithm of cubic Bezier curves was slightly + changed to make it faster. This can cause very subtle rendering + changes, which aren't noticeable by the eye, however. + * The auto-hinter now disables hinting if there are blue zones + defined for a `style' (i.e., a certain combination of a script and + its related typographic features) but the font doesn't contain any + characters needed to set up at least one blue zone. +- Add tarball signatures and freetype2.keyring + +- Update to version 2.10.0 + * A bunch of new functions has been added to access and process + COLR/CPAL data of OpenType fonts with color-layered glyphs. 
+ * As a GSoC 2018 project, Nikhil Ramakrishnan completely + overhauled and modernized the API reference. + * The logic for computing the global ascender, descender, and + height of OpenType fonts has been slightly adjusted for + consistency. + * `TT_Set_MM_Blend' could fail if called repeatedly with the same + arguments. + * The precision of handling deltas in Variation Fonts has been + increased.The problem did only show up with multidimensional + designspaces. + * New function `FT_Library_SetLcdGeometry' to set up the geometry + of LCD subpixels. + * FreeType now uses the `defaultChar' property of PCF fonts to set + the glyph for the undefined character at glyph index 0 (as + FreeType already does for all other supported font formats). As + a consequence, the order of glyphs of a PCF font if accessed + with FreeType can be different now compared to previous + versions. + This change doesn't affect PCF font access with cmaps. + * `FT_Select_Charmap' has been changed to allow parameter value + `FT_ENCODING_NONE', which is valid for BDF, PCF, and Windows FNT + formats to access built-in cmaps that don't have a predefined + `FT_Encoding' value. + * A previously reserved field in the `FT_GlyphSlotRec' structure + now holds the glyph index. + * The usual round of fuzzer bug fixes to better reject malformed + fonts. + * `FT_Outline_New_Internal' and `FT_Outline_Done_Internal' have + been removed.These two functions were public by oversight only + and were never documented. + * A new function `FT_Error_String' returns descriptions of error + codes if configuration macro FT_CONFIG_OPTION_ERROR_STRINGS is + defined. + * `FT_Set_MM_WeightVector' and `FT_Get_MM_WeightVector' are new + functions limited to Adobe MultiMaster fonts to directly set and + get the weight vector. 
+ +- Remove old ppc64 parts in spec file +- Refresh patches: + + bugzilla-308961-cmex-workaround.patch + + don-t-mark-libpng-as-required-library.patch + + enable-long-family-names-by-default.patch +- Enable subpixel rendering with infinality config: + + enable-subpixel-rendering.patch + + enable-infinality-subpixel-hinting.patch + +- Re-enable freetype-config, there is just too many fallouts. + +- Update to version 2.9.1 + * Type 1 fonts containing flex features were not rendered + correctly (bug introduced in version 2.9). + * CVE-2018-6942: Older FreeType versions can crash with certain + malformed variation fonts. + * Bug fix: Multiple calls to `FT_Get_MM_Var' returned garbage. + * Emboldening of bitmaps didn't work correctly sometimes, showing + various artifacts (bug introduced in version 2.8.1). + * The auto-hinter script ranges have been updated for Unicode 11. + No support for new scripts have been added, however, with the + exception of Georgian Mtavruli. +- freetype-config is now deprecated by upstream and not enabled + by default. +- Drop upstreamed patches: + * bnc1079600.patch + * psaux-flex.patch + * 0001-src-truetype-ttinterp.c-Ins_GETVARIATION-Avoid-NULL-.patch + * 0001-truetype-Better-protection-against-invalid-VF-data.patch + +- Add bnc1079600.patch: Fix several integer overflow issues in + truetype/ttinterp.c (bsc#1079600) + +- Refresh spec-file via spec-cleaner. +- Add shell script freetype2.sh in separate package + freetype2-profile-tti35 in order to be able to set TrueType + interpreter version 35 (boo#1084085). 
+ +- Added patch: + * enable-long-family-names-by-default.patch + + Define PCF_CONFIG_OPTION_LONG_FAMILY_NAMES to obtain 2.7.1 + behaviour + +- Added patches: + * 0001-src-truetype-ttinterp.c-Ins_GETVARIATION-Avoid-NULL-.patch + + Upstream fix for bsc#1079603: Avoid NULL reference in + src/truetype/ttinterp.c + * 0001-truetype-Better-protection-against-invalid-VF-data.patch + + Upstream fix for bsc#1079601: Protection against invalid VF + data + +- Add psaux-flex.patch to fix a regression in Type1 rendering + +- Update to version 2.9 + * Advance width values of variation fonts were often wrong. + * More fixes for variation font support; you should update to + this version if you want to support them. + * As a GSoC project, Ewald Hew extended the new (Adobe) CFF + engine to handle Type 1 fonts also, thus greatly improving + the rendering of this format. This is the new default. + * A new function, `FT_Set_Named_Instance', can be used to set + or change the current named instance. + * Starting with this FreeType version, resetting variation + coordinates will return to the currently selected named + instance. Previously, FreeType returned to the base font + (i.e., no instance set). + * Some fuzzer fixes to better reject malformed fonts. + +- Update to version 2.8.1 + * B/W hinting of TrueType fonts didn't work properly if + interpreter version 38 or 40 was selected. + * Some severe problems within the handling of TrueType Variation + Fonts were found and fixed. + * Function `FT_Set_Var_Design_Coordinates' didn't correctly handle + the case with less input coordinates than axes. + * By default, FreeType now offers high quality LCD-optimized + output without resorting to ClearType techniques of resolution + tripling and filtering. In this method, called Harmony, each + color channel is generated separately after shifting the glyph + outline, capitalizing on the fact that the color grids on LCD + panels are shifted by a third of a pixel. 
This output is + indistinguishable from ClearType with a light 3-tap filter. + * Using the new function `FT_Get_Var_Axis_Flags', an application + can access the `flags' field of a variation axis (introduced in + OpenType version 1.8.2) + * FreeType now synthesizes a missing Unicode cmap for (older) + TrueType fonts also if glyph names are available. + * The warping option has moved from `light' to `normal' hinting + where it replaces the original hinting algorithm. The `light' + mode is now always void of any hinting in x-direction. + +- Update to version 2.8 + * Support for OpenType Variation Fonts is now complete. The last + missing part was handling the `VVAR' and `MVAR' tables, which is + available with this release. + * A new function `FT_Face_Properties' allows the control of some + module and library properties per font. Currently, the + following properties can be handled: stem darkening, LCD filter + weights, and the random seed for the `random' CFF operator. + * The PCF change to show more `colourful' family names (introduced + in version 2.7.1) was too radical; it can now be configured with + PCF_CONFIG_OPTION_LONG_FAMILY_NAMES at compile time. If + activated, it can be switched off at run time with the new pcf + property `no-long-family-names'. If the `FREETYPE_PROPERTIES' + environment variable is available, you can say + FREETYPE_PROPERTIES=pcf:no-long-family-names=1 + * Support for the following scripts has been added to the + auto-hinter. + Adlam, Avestan, Bamum, Buhid, Carian, Chakma, Coptic, Cypriot, + Deseret, Glagolitic, Gothic, Kayah, Lisu, N'Ko, Ol Chiki, Old + Turkic, Osage, Osmanya, Saurashtra, Shavian, Sundanese, Tai + Viet, Tifinagh, Unified Canadian Syllabics, Vai + * `Light' auto-hinting mode no longer uses TrueType metrics for + TrueType fonts. This bug was introduced in version 2.4.6, + causing horizontal scaling also. 
Almost all GNU/Linux + distributions (with Fedora as a notable exception) disabled the + corresponding patch for good reasons; chances are thus high that + you won't notice a difference. + * If a TrueType font gets loaded with FT_LOAD_NO_HINTING, FreeType + now scales the font linearly again (bug introduced in version + 2.4.6). + * Fixed CVE-2017-8105, CVE-2017-8287: Older FreeType versions + have out-of-bounds writes caused by heap-based buffer overflows + related to Type 1 fonts. (boo#1035807, boo#1036457) +- See https://sourceforge.net/projects/freetype/files/freetype2/2.8/ for + the complete changelog. + +- Update to version 2.7.1: + * IMPORTANT CHANGES + + Support for the new CFF2 font format as introduced with + OpenType 1.8 has been contributed by Dave Arnolds from Adobe. + + Preliminary support for variation fonts as specified in + OpenType 1.8 (in addition to the already existing support for + Adobe's MM and Apple's GX formats). Dave Arnolds contributed + handling of advance width change variation; more will come in + the next version. + * IMPORTANT BUG FIXES + + Handling of raw CID fonts was partially broken (bug introduced + in 2.6.4). + * MISCELLANEOUS + + Some limits for TrueType bytecode execution have been tightened + to speed up FreeType's handling of malformed fonts, in + particular to quickly abort endless loops. + + The number of twilight points can no longer be set to an + arbitrarily large value. + + The total number of jump opcode instructions (like JMPR) with + negative arguments is dynamically restricted; the same holds + for the total number of iterations in LOOPCALL opcodes. + + The dynamic limits are based on the number of points in a glyph + and the number of CVT entries. Please report if you encounter a + font where the selected values are not adequate. + + PCF family names are made more `colourful'; they now include the + foundry and information whether they contain wide characters. 
+ For example, you no longer get `Fixed' but rather `Sony Fixed' + or `Misc Fixed Wide'. + + A new function `FT_Get_Var_Blend_Coordinates' (with its alias + name `FT_Get_MM_Blend_Coordinates') to retrieve the normalized + blend coordinates of the currently selected variation instance + has been added to the Multiple Masters interface. + + A new function `FT_Get_Var_Design_Coordinates' to retrieve the + design coordinates of the currently selected variation instance + has been added to the Multiple Masters interface. + + A new load flag `FT_LOAD_BITMAP_METRICS_ONLY' to retrieve bitmap + information without loading the (embedded) bitmap itself. + + Retrieving advance widths from bitmap strikes (using + `FT_Get_Advance' and `FT_Get_Advances') have been sped up. + + The usual round of fuzzer fixes to better reject malformed + fonts. +- Drop freetype2-bitmap-foundry.patch, merged upstream. + +- update to version 2.7: + * IMPORTANT CHANGES + + As announced earlier, the 2.7.x series now uses the new subpixel + hinting mode as the default, emulating a modern version of + ClearType. + This change inevitably leads to different rendering results, and + you might change the `TT_CONFIG_OPTION_SUBPIXEL_HINTING' + configuration option to adapt it to your taste (or use the new + `FREETYPE_PROPERTIES' environment variable). See the + corresponding entry below for version 2.6.4, which gives more + information. + + A new option `FT_CONFIG_OPTION_ENVIRONMENT_PROPERTIES' has been + introduced. If set (which is the default), an environment + variable `FREETYPE_PROPERTIES' can be used to control driver + properties. Example: + FREETYPE_PROPERTIES=truetype:interpreter-version=35 \ + cff:no-stem-darkening=1 \ + autofitter:warping=1 + This allows to select, say, the subpixel hinting mode at runtime + for a given application. See file `ftoption.h' for more. 
+ * IMPORTANT BUG FIXES + + After loading a named instance of a GX variation font, the + `face_index' value in the returned `FT_Face' structure now + correctly holds the named instance index in the upper 16bits as + documented. + * MISCELLANEOUS + + A new macro `FT_IS_NAMED_INSTANCE' to test whether a given face + is a named instance. + + More fixes to GX font handling. + + Apple's `GETVARIATION' bytecode operator (needed for GX + variation font support) has been implemented. + + Another round of fuzzer fixes, mainly to reject invalid fonts + faster. + + Handling of raw CID fonts was broken (bug introduced in version + 2.6.4). + + The smooth rasterizer has been streamlined to make it faster by + approx. 20%. + + The `ftgrid' demo program now understands command line option + `-d' to give start-up design coordinates. + + The `ftdump' demo program has a new command line option `-p' to + dump TrueType bytecode instructions. +- removed freetype2-subpixel.patch in favor of above + FREETYPE_PROPERTIES environment variable + +- Update to version 2.6.5: + + Compilation works again on Mac OS X (bug introduced in version + 2.6.4). + + The new subpixel hinting mode is now disabled by default; it + will be enabled by default in the forthcoming 2.7.x series. + Main reason for reverting this feature is the principle of least + surprise: a sudden change in appearance of all fonts (even if + the rendering improves for almost all recent fonts) should not + be expected in a new micro version of a series. +- Rebase freetype2-subpixel.patch. + +- Upadte to version 2.6.4: + * A new subpixel hinting mode, which is now the default rendering + mode for TrueType fonts. It implements (almost everything of) + version 40 of the bytecode engine. The existing code base in + FreeType (the `Infinality code') was stripped to the bare + minimum and all configurability removed in the name of speed + and simplicity. 
The configurability was mainly aimed at legacy + fonts like Arial, Times New Roman, or Courier. [Legacy fonts + are fonts that modify vertical stems to achieve clean + black-and-white bitmaps.] The new mode focuses on applying a + minimal set of rules to all fonts indiscriminately so that + modern and web fonts render well while legacy fonts render + okay. Activation of the subpixel hinting support can be + controlled with the `TT_CONFIG_OPTION_SUBPIXEL_HINTING' + configuration option at compile time: If set to value 1, you + get the old Infinality mode (which was never the default due to + its slowness). Value 2 activates the new subpixel hinting mode, + and value 3 activates both. The default is value 2. At run + time, you can select the subpixel hinting mode with the + `interpreter-version' property (provided you have compiled in + the corresponding hinting mode); see `ftttdrv.h' for more. + * Support for the following scripts has been added to the + auto-hinter: Armenian, Cherokee, Ethiopic, Georgian, Gujarati, + Gurmukhi, Malayalam, Sinhala, Tamil. +- Rebase freetype2-subpixel.patch. + +- Update to version 2.6.3 + * IMPORTANT CHANGES + - Khmer, Myanmar, Bengali, and Kannada script support has been + added to the auto-hinter. + * MISCELLANEOUS + - Better support of Indic scripts like Devanagari by using a + top-to-bottom hinting flow. + - All FreeType macros starting with two underscores have been + renamed to avoid a violation of both the C and C++ standards. + Example: Header macros of the form `__FOO_H__' are now called + `FOO_H_'. In most cases, this should be completely transparent + to the user. The exception to this is `__FTERRORS_H__', which + must be sometimes undefined by the user to get FreeType error + strings: Both this form and the new `FTERRORS_H_' macro are + accepted for backwards compatibility. + - Minor improvements mainly to the Type 1 driver. + - The new CFF engine now supports all Type 2 operators except + `random'. 
+ - The macro `_STANDALONE_', used for compiling the B/W and smooth + rasterizers as stand-alone modules, has been renamed to + `STANDALONE_', since macro names starting with an underscore and + followed by an uppercase letter are reserved in both C and C++. + - Function `FT_Library_SetLcdFilterWeights' now also activates + custom LCD filter weights (instead of just adjusting them). + - Support for `unpatented hinting' has been completely removed: + Consequently, the two functions `FT_Face_CheckTrueTypePatents' + and `FT_Face_SetUnpatentedHinting' now return always false, + doing nothing. + +- Update to version 2.6.2 + * IMPORTANT CHANGES + - The auto-hinter now supports stem darkening, to be controlled by + the new `no-stem-darkening' and `darkening-parameters' + properties. This is an experimental feature contributed by + Nikolaus Waxweiler, and the interface might change in a future + release. + - By default, stem darkening is now switched off (for both the CFF + engine and the auto-hinter). The main reason is that you need + linear alpha blending and gamma correction to get correct + rendering results, and the latter is not yet available in most + freely available rendering stacks like X11. Applying stem + darkening without proper gamma correction leads to far too dark + rendering results. + - The meaning of `FT_RENDER_MODE_LIGHT' has been slightly + modified. It now essentially means `no hinting along the + horizontal axis'; in particular, no change of glyph advance + widths. Consequently, the auto-hinter is used for all scalable + font formats except for CFF. It is planned that other + font-specific rendering engines (TrueType, Type 1) will follow. + * MISCELLANEOUS + - The default LCD filter has been changed to be normalized and + color-balanced. + - For better compatibility with FontConfig, function + `FT_Library_SetLcdFilter' accepts a new enumeration value + `FT_LCD_FILTER_LEGACY1' (which has the same meaning as + `FT_LCD_FILTER_LEGACY'). 
+ - A large number of bugs have been detected by using the libFuzzer + framework, which should further improve handling of invalid + fonts. Thanks again to Kostya Serebryany and Bungeman! + - `TT_CONFIG_OPTION_MAX_RUNNABLE_OPCODES', a new configuration + option, controls the maximum number of executed opcodes within a + bytecode program. You don't want to change this except for very + special situations (e.g., making a library fuzzer spend less + time to handle broken fonts). + - The smooth renderer has been made faster. + +- Update to version 2.6.1 + * IMPORTANT BUG FIXES + - It turned out that for CFFs only the advance widths should be + taken from the `htmx' table, not the side bearings. This bug, + introduced in version 2.6.0, makes it necessary to upgrade if + you are using CFFs; otherwise, you get cropped glyphs with GUI + interfaces like GTK or Qt. + - Accessing Type 42 fonts returned incorrect results if the glyph + order of the embedded TrueType font differs from the glyph order + of the Type 42 charstrings table. + * IMPORTANT CHANGES + - The header file layout has been changed (again), moving all + header files except `ft2build.h' into a subdirectory tree. + Doing so reduces the possibility of header file name clashes + (e.g., FTGL's `FTGlyph.h' with FreeType's `ftglyph.h') on case + insensitive file systems like Mac OS X or Windows. + Applications that use (a) the `freetype-config' script or + FreeType's `freetype2.pc' file for pkg-config to get the include + directory for the compiler, and (b) the documented way for + header inclusion like + [#]include + [#]include FT_FREETYPE_H + ... + don't need any change to the source code. + - Simple access to named instances in GX variation fonts is now + available (in addition to the previous method via FreeType's MM + interface). 
In the `FT_Face' structure, bits 16-30 of the + `face_index' field hold the current named instance index for the + given face index, and bits 16-30 of `style_flags' contain the + number of instances for the given face index. `FT_Open_Face' + and friends also understand the extended bits of the face index + parameter. + You need to enable TT_CONFIG_OPTION_GX_VAR_SUPPORT for this new + feature. Otherwise, bits 16-30 of the two fields are zero (or + are ignored). + - Lao script support has been added to the auto-hinter. + * MISCELLANEOUS + - The auto-hinter's Arabic script support has been enhanced. + - Superscript-like and subscript-like glyphs as used by various + phonetic alphabets like the IPA are now better supported by the + auto-hinter. + - The TrueType bytecode interpreter now runs slightly faster. + - Improved support for builds with cmake. + - The function `FT_CeilFix' now always rounds towards plus + infinity. + - The function `FT_FloorFix' now always rounds towards minus + infinity. + - A new load flag `FT_LOAD_COMPUTE_METRICS' has been added; it + makes FreeType ignore pre-computed metrics, as needed by font + validating or font editing programs. Right now, only the + TrueType module supports it to ignore data from the `hdmx' + table. + - Another round of bug fixes to better handle broken fonts, found + by Kostya Serebryany . +- Dropping upstreamed patch Dont-use-hmtx-table-for-LSB.patch. + +- Add Dont-use-hmtx-table-for-LSB.patch: Fixes gnu#45520, cut off + fonts in gtk and qt. Taken from upstream git. + +- Update to version 2.6 + * Thread safety improvements + * Thai script support has been added to the auto-hinter. + * Arabic script support has been added to the auto-hinter. + * Following OpenType version 1.7, advance widths and side bearing + values in CFFs (wrapped in an SFNT structure) are now always + taken from the `hmtx' table. 
+ * Following OpenType version 1.7, the PostScript font name of a + CFF font (wrapped in an SFNT structure) is now always taken from + the `name' table. This is also true for OpenType Collections + (i.e., TTCs using CFFs subfonts instead of TTFs), where it may + have a significant difference. + * Fonts natively hinted for ClearType are now supported, properly + handling selector index 3 of the INSTCTRL bytecode instruction. + * Major improvements to the GX TrueType variation font handling. + +- Merge with the version 2.5.5 from openSUSE:Factory +- Removed patches: + * CVE-2014-9656.patch + * CVE-2014-9657.patch + * CVE-2014-9658.patch + * CVE-2014-9659.patch + * CVE-2014-9660.patch + * CVE-2014-9661.patch + * CVE-2014-9662.patch + * CVE-2014-9663.patch + * CVE-2014-9664.patch + * CVE-2014-9665.patch + * CVE-2014-9666.patch + * CVE-2014-9667.patch + * CVE-2014-9668.patch + * CVE-2014-9669.patch + * CVE-2014-9670.patch + * CVE-2014-9671.patch + * CVE-2014-9672.patch + * CVE-2014-9673.patch + * CVE-2014-9674.patch + * CVE-2014-9675.patch + - Integrated in the 2.5.5 release +- Modified patches: + * don-t-mark-libpng-as-required-library.patch + * bugzilla-308961-cmex-workaround.patch + * freetype2-subpixel.patch + * freetype2-bitmap-foundry.patch + * overflow.patch + - Adapt to the new version of sources + +- Modified patch: + * CVE-2014-9671.patch + - Adapt the code to correspond to the current git master of + freetype2 (fixes bsc#933247) + +- Enable the bz2 compression in freetype2 +- Remove patch overflow.patch from freetype2.spec where it is not + applied. +- Run spec-cleaner on the spec file. 
+ +- fixed vulnerabilities (bnc#916847, bnc#916856, bnc#916857, + bnc#916858, bnc#916859, bnc#916860, bnc#916861, bnc#916862, + bnc#916863, bnc#916864, bnc#916865, bnc#916867, bnc#916868, + bnc#916870, bnc#916871, bnc#916872, bnc#916873, bnc#916874, + bnc#916879, bnc#916881) + - CVE-2014-9656.patch + - CVE-2014-9657.patch + - CVE-2014-9658.patch + - CVE-2014-9659.patch + - CVE-2014-9660.patch + - CVE-2014-9661.patch + - CVE-2014-9662.patch + - CVE-2014-9663.patch + - CVE-2014-9664.patch + - CVE-2014-9665.patch + - CVE-2014-9666.patch + - CVE-2014-9667.patch + - CVE-2014-9668.patch + - CVE-2014-9669.patch + - CVE-2014-9670.patch + - CVE-2014-9671.patch + - CVE-2014-9672.patch + - CVE-2014-9673.patch + - CVE-2014-9674.patch + - CVE-2014-9675.patch + +- Update to version 2.5.5 + * IMPORTANT BUG FIXES + - Handling of uncompressed PCF files works again (bug + introduced in version 2.5.4). +- Drop freetype2-2.5.3-fix-pcf.patch, merged upstream + +- Update to version 2.5.4 + * IMPORTANT BUG FIXES + - A variant of vulnerability CVE-2014-2240 was identified + (cf. http://savannah.nongnu.org/bugs/?43661) and fixed + in the new CFF driver. All users should upgrade. + - The new auto-hinter code using HarfBuzz crashed for some + invalid fonts. + - Many fixes to better protect against malformed input. + * IMPORTANT CHANGES + - Full auto-hinter support of the Devanagari script. + - Experimental auto-hinter support of the Telugu script. + - CFF stem darkening behaviour can now be controlled at + build time using the eight macros + CFF_CONFIG_OPTION_DARKENING_PARAMETER_{X,Y}{1,2,3,4} . + - Some fields in the `FT_Bitmap' structure have been changed + from signed to unsigned type, which better reflects + the actual usage. It is also an additional means to + protect against malformed input. This change doesn't break + the ABI; however, it might cause compiler warnings. + * MISCELLANEOUS + - Improvements to the auto-hinter's algorithm to recognize + stems and local extrema. 
+ - Function `FT_Get_SubGlyph_Info' always returned an error + even in case of success. + - Version 2.5.1 introduced major bugs in the cjk part of + the auto-hinter, which are now fixed. + - The `FT_Sfnt_Tag' enumeration values have been changed to + uppercase, e.g. `FT_SFNT_HEAD'. The lowercase variants + are deprecated. This is for orthogonality with all other + enumeration (and enumeration-like) values in FreeType. + - `cmake' now supports builds of FreeType as an OS X framework + and for iOS. + - Improved project files for vc2010, + introducing a property file + - The documentation generator for the API reference has been + updated to produce better HTML code (with proper CSS). + At the same time, the documentation got a better structure. + - The FT_LOAD_BITMAP_CROP flag is obsolete; it is not used + by any driver. + - The TrueType DELTAP[123] bytecode instructions now work in + subpixel hinting mode as described in the ClearType + whitepaper (i.e., for touched points in the + non-subpixel direction). + - Many small improvements to the internal arithmetic routines. +- Rebase don-t-mark-libpng-as-required-library.patch, + bugzilla-308961-cmex-workaround.patch, freetype2-subpixel.patch, + freetype2-bitmap-foundry.patch and overflow.patch +- Add freetype2-2.5.3-fix-pcf.patch from upstream to resolve + http://savannah.nongnu.org/bugs/?43774, "Freetype 2.5.4 does not + load ungzipped PCF fonts" + gmmlib +- needed for jira#PED-1174 (Video decoding/encoding support + (VA-API, ...) 
for Intel GPUs is outside of Mesa) + +- Update to version 22.3.0: + * Support for default build types + * Add ATS-M Device Ids + * Adding more dg2 device Ids + * Fixing XE_HPC macro usage for Cache Policy settings + * Fix QPtich calculations for CCS + * PVC PAT table implementations + * Initialize NumPATRegisters + * Add PVC Device IDs + * Fix GetPrivatePATEntry API + * Introducing MTL Support + +- No code changes +- Update to version 22.1.4 was part of Intel oneVPL GPU Runtime + 2022Q2 Release 22.4.4 + +- Update to version 22.1.4: + * No upstream changelog available + +- Update to version 22.1.2: + * No upstream changelog available + +- Update to version 22.0.1: + * No upstream changelog available. +- Bump somajor define to 12 and in baselibs.conf following upstream + so bump. +- Replace gcc-c++ with generic c++_compiler BuildRequires. + +- Update to version 21.3.3: + * No upstream changelog available. + gnutls -- Fix AVX CPU feature detection for OSXSAVE [bsc#1203299] - * Fixes a SIGILL termination at the verzoupper instruction when - trying to run GnuTLS on a Linux kernel with the noxsave command - line parameter set. Relevant mostly for virutal systems. - * Upstream bug: https://gitlab.com/gnutls/gnutls/issues/1282 - * Add gnutls-clear-AVX-bits-if-it-cannot-be-queried-XSAVE.patch - -- FIPS: Set error state when jent init failed in FIPS mode [bsc#1202146] - * Add patch gnutls-FIPS-Set-error-state-when-jent-init-failed.patch - -- FIPS: Make XTS key check failure not fatal [bsc#1203779] - * Add gnutls-Make-XTS-key-check-failure-not-fatal.patch - -- FIPS: Zeroize the calculated hmac and new_hmac in the - check_binary_integrity() function. [bsc#1191021] - * Add gnutls-FIPS-Zeroize-check_binary_integrity.patch - -- FIPS: Additional modifications to the SLI. [bsc#1190698] - * Mark CMAC and GMAC and non-approved in gnutls_pbkfd2(). - * Mark HMAC keylength less than 112 bits as non-approved in - gnutls_pbkfd2(). 
- * Adapt the pbkdf2 selftest and the regression tests accordingly. - * Add gnutls-FIPS-SLI-pbkdf2-verify-keylengths-only-SHA.patch - -- FIPS: Port GnuTLS to use jitterentropy [bsc#1202146, jsc#SLE-24941] - * Add new dependency on jitterentropy - * Add gnutls-FIPS-jitterentropy.patch - -- Security fix: [bsc#1202020, CVE-2022-2509] - * Fixed double free during verification of pkcs7 signatures - * Add gnutls-CVE-2022-2509.patch - -- FIPS: - * Modify gnutls-FIPS-force-self-test.patch [bsc#1198979] - - gnutls_fips140_run_self_tests now properly releases fips_context - -- FIPS: - * Add gnutls_ECDSA_signing.patch [bsc#1190698] - - Check minimum keylength for symmetric key generation - - Only allows ECDSA signature with valid set of hashes - (SHA2 and SHA3) - * Add gnutls-FIPS-force-self-test.patch [bsc#1198979] - - Provides interface for running library self tests on-demand - - Upstream: https://gitlab.com/gnutls/gnutls/-/merge_requests/1598 - -- FIPS: Make sure zeroization is performed in all API functions - * Add gnutls-zeroization-API-functions.patch [bsc#1191021] - * Upsream: https://gitlab.com/gnutls/gnutls/-/merge_requests/1573 - -- FIPS: Add missing requirements for the SLI [bsc#1190698] - * Remove 3DES from FIPS approved algorithms: - - gnutls-Remove-3DES-from-FIPS-approved-algos.patch - - Upstream: https://gitlab.com/gnutls/gnutls/-/merge_requests/1570 - * DRBG service (gnutls_rnd) should be considered approved: - - gnutls-Add-missing-FIPS-service-indicator-transitions.patch - - gnutls-Add-missing-FIPS-service-indicator-transitions-tests.patch - - gnutls-pkcs12-tighten-algorithm-checks-under-FIPS.patch - - Upstream: https://gitlab.com/gnutls/gnutls/-/merge_requests/1569 - -- FIPS: Mark AES-GCM as approved in the TLS context [bsc#1194907] - * Add gnutls-FIPS-Mark-HKDF-and-AES-GCM-as-approved-when-used-in-TLS.patch - * Upstream issue: https://gitlab.com/gnutls/gnutls/issues/1311 - -- FIPS: Additional PBKDF2 requirements for KAT [bsc#1184669] - * The IG 10.3.A and 
SP800-132 require some minimum parameters for - the salt length, password length and iteration count. These - parameters should be also used in the KAT. - * Add gnutls-FIPS-PBKDF2-KAT-requirements.patch - * Upstream: https://gitlab.com/gnutls/gnutls/merge_requests/1561 -- Enable to run the regression tests also in FIPS mode. - -- Update to 3.7.3: [bsc#1190698, bsc#1190796] - * libgnutls: The allowlisting configuration mode has been added - to the system-wide settings. In this mode, all the algorithms - are initially marked as insecure or disabled, while the - applications can re-enable them either through the [overrides] - section of the configuration file or the new API (#1172). - * The build infrastructure no longer depends on GNU AutoGen for - generating command-line option handling, template file parsing - in certtool, and documentation generation (#773, #774). This - change also removes run-time or bundled dependency on the - libopts library, and requires Python 3.6 or later to regenerate - the distribution tarball. Note that this brings in known backward - incompatibility in command-line tools, such as long options are - now case sensitive, while previously they were treated in a case - insensitive manner: for example --RSA is no longer a valid option - of certtool. The existing scripts using GnuTLS tools may need - adjustment for this change. - * libgnutls: The tpm2-tss-engine compatible private blobs can be loaded - and used as a gnutls_privkey_t (#594). The code was originally written - for the OpenConnect VPN project by David Woodhouse. To generate such - blobs, use the tpm2tss-genkey tool from tpm2-tss-engine: - https://github.com/tpm2-software/tpm2-tss-engine/#rsa-operations - or the tpm2_encodeobject tool from unreleased tpm2-tools. - * libgnutls: The library now transparently enables Linux KTLS (kernel - TLS) when the feature is compiled in with --enable-ktls configuration - option (#1113). 
If the KTLS initialization fails it automatically falls - back to the user space implementation. - * certtool: The certtool command can now read the Certificate Transparency - (RFC 6962) SCT extension (#232). New API functions are also provided to - access and manipulate the extension values. - * certtool: The certtool command can now generate, manipulate, and evaluate - x25519 and x448 public keys, private keys, and certificates. - * libgnutls: Disabling a hashing algorithm through "insecure-hash" - configuration directive now also disables TLS ciphersuites that use it - as a PRF algorithm. - * libgnutls: PKCS#12 files are now created with modern algorithms by default - (!1499). Previously certtool used PKCS12-3DES-SHA1 for key derivation and - HMAC-SHA1 as an integity measure in PKCS#12. Now it uses AES-128-CBC with - PBKDF2 and SHA-256 for both key derivation and MAC algorithms, and the - default PBKDF2 iteration count has been increased to 600000. - * libgnutls: PKCS#12 keys derived using GOST algorithm now uses - HMAC_GOSTR3411_2012_512 instead of HMAC_GOSTR3411_2012_256 for integrity, - to conform with the latest TC-26 requirements (#1225). - * libgnutls: The library now provides a means to report the status - of approved cryptographic operations (!1465). To adhere to the - FIPS140-3 IG 2.4.C., this complements the existing mechanism to - prohibit the use of unapproved algorithms by making the library - unusable state. - * gnutls-cli: The gnutls-cli command now provides a --list-config - option to print the library configuration (!1508). - * libgnutls: Fixed possible race condition in - gnutls_x509_trust_list_verify_crt2 when a single trust list object - is shared among multiple threads (#1277). 
[GNUTLS-SA-2022-01-17, - CVSS: low] - * API and ABI modifications: - GNUTLS_PRIVKEY_FLAG_RSA_PSS_FIXED_SALT_LENGTH: new flag in - gnutls_privkey_flags_t - GNUTLS_VERIFY_RSA_PSS_FIXED_SALT_LENGTH: new flag in - gnutls_certificate_verify_flags - gnutls_ecc_curve_set_enabled: Added. - gnutls_sign_set_secure: Added. - gnutls_sign_set_secure_for_certs: Added. - gnutls_digest_set_secure: Added. - gnutls_protocol_set_enabled: Added. - gnutls_fips140_context_init: New function - gnutls_fips140_context_deinit: New function - gnutls_fips140_push_context: New function - gnutls_fips140_pop_context: New function - gnutls_fips140_get_operation_state: New function - gnutls_fips140_operation_state_t: New enum - gnutls_transport_is_ktls_enabled: New function - gnutls_get_library_configuration: New function - * Remove patches fixed in the update: - - gnutls-FIPS-module-version.patch - - gnutls-FIPS-service-indicator.patch - - gnutls-FIPS-service-indicator-public-key.patch - - gnutls-FIPS-service-indicator-symmetric-key.patch - - gnutls-FIPS-RSA-PSS-flags.patch - - gnutls-FIPS-RSA-mod-sizes.patch - -- FIPS: Fix regression tests in fips and non-fips mode [bsc#1194468] - * Add gnutls-FIPS-disable-failing-tests.patch - * Remove patches: - - gnutls-temporarily_disable_broken_guile_reauth_test.patch - - gnutls-3.6.0-disable-flaky-dtls_resume-test.patch - - disable-psk-file-test.patch - -- FIPS: Provide module identifier and version [bsc#1190796] - * Add configurable options to output the module name/identifier - (--with-fips140-module-name) and the module version - (--with-fips140-module-version). - * Add the CLI option list-config that reports the configuration - of the library. 
- * Add gnutls-FIPS-module-version.patch - -- FIPS: Provide a service-level indicator [bsc#1190698] - * Add support for a "service indicator" as required in - the FIPS140-3 Implementation Guidance in section 2.4.C - * Add patches: - - gnutls-FIPS-service-indicator.patch - - gnutls-FIPS-service-indicator-public-key.patch - - gnutls-FIPS-service-indicator-symmetric-key.patch - - gnutls-FIPS-RSA-PSS-flags.patch - -- FIPS: RSA KeyGen/SigGen fail with 4096 bit key sizes [bsc#1192008] - * fips: allow more RSA modulus sizes - * Add gnutls-FIPS-RSA-mod-sizes.patch - * Delete gnutls-3.6.7-fips-rsa-4096.patch - -- Drop bogus condition "> 1550": that would mean 'more recent than - Tumbleweed' which is technically impossible, as Tumbleweed is the - leading project (and the condition causes issues as Tumbleweed - needs to move away from 1550 due to CODE 15 SP5 plans). - -- Add crypto-policies support in SLE-15-SP4 [jsc#SLE-20287] - -- Account for the libnettle soname bump [jsc#SLE-19765] - -- Update to 3.7.2 in SLE-15-SP4: [jsc#SLE-19765, jsc#SLE-18139] - - Add gnutls-temporarily_disable_broken_guile_reauth_test.patch - - Rebased patches: - * disable-psk-file-test.patch - * gnutls-3.6.0-disable-flaky-dtls_resume-test.patch - * gnutls-fips_mode_enabled.patch - - Remove patches merged upstream: - * gnutls-CVE-2020-11501.patch - * gnutls-CVE-2020-13777.patch - * gnutls-CVE-2020-24659.patch - * gnutls-CVE-2021-20231.patch - * gnutls-CVE-2021-20232.patch - * gnutls-3.6.7-fips-backport_dont_truncate_output_IV.patch - * gnutls-fips_XTS_key_check.patch - * 0001-_gnutls_verify_crt_status-apply-algorithm-checks-to-.patch - * 0002-_gnutls_pkcs11_verify_crt_status-check-validity-agai.patch - * 0003-x509-trigger-fallback-verification-path-when-cert-is.patch - * 0004-tests-add-test-case-for-certificate-chain-supersedin.patch - * 0001-Add-Full-Public-Key-Check-for-DH.patch - * 0001-Add-test-to-ensure-DH-exchange-behaves-correctly.patch - * 
0002-Add-test-to-ensure-ECDH-exchange-behaves-correctly.patch - * 0003-Add-plumbing-to-handle-Q-parameter-in-DH-exchanges.patch - * 0004-Always-pass-in-and-check-Q-in-TLS-1.3.patch - * 0005-Check-Q-for-FFDHE-primes-in-prime-check.patch - * 0006-Pass-down-Q-for-FFDHE-in-al-pre-TLS1.3-as-well.patch - * 0001-dh-primes-add-MODP-primes-from-RFC-3526.patch - * 0002-dhe-check-if-DH-params-in-SKE-match-the-FIPS-approve.patch - * 0001-dh-check-validity-of-Z-before-export.patch - * 0002-ecdh-check-validity-of-P-before-export.patch - * 0003-dh-primes-make-the-FIPS-approved-check-return-Q-valu.patch - * 0004-dh-perform-SP800-56A-rev3-full-pubkey-validation-on-.patch - * 0005-ecdh-perform-SP800-56A-rev3-full-pubkey-validation-o.patch - * 0001-Vendor-in-XTS-functionality-from-Nettle.patch - * 0001-pubkey-avoid-spurious-audit-messages-from-_gnutls_pu.patch - * gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch - * gnutls-3.6.7-fix-FTBFS-2024.patch - * gnutls-3.6.7-reproducible-date.patch - -- Update to version 3.7.2 - * Added Linux kernel AF_ALG based acceleration - * Fixed timing of early data exchange - * The priority string option DISABLE_TLS13_COMPAT_MODE was added - to disable TLS 1.3 middlebox compatibility mode - * The GNUTLS_NO_EXPLICIT_INIT envvar has been renamed to - GNUTLS_NO_IMPLICIT_INIT to reflect the purpose - * certtool: - * When signing a CSR, CRL distribution point (CDP) is no - longer copied from the signing CA by default - * When producing certificates and certificate requests, subject - DN components that are provided individually will now be - ordered by assumed scale - -- Add gnutls-3.6.7-fix-FTBFS-2024.patch to let tests pass after 2024 (boo#1186579) -- Add gnutls-3.6.7-reproducible-date.patch to override build date (boo#1047218) - -- Security fix: [bsc#1183456, CVE-2021-20232] - * A use after free issue in client_send_params - in lib/ext/pre_shared_key.c may lead to memory - corruption and other potential consequences. 
-- Add gnutls-CVE-2021-20232.patch - -- Security fix: [bsc#1183457, CVE-2021-20231] - * A use after free issue in client sending key_share extension - may lead to memory corruption and other consequences. -- Add gnutls-CVE-2021-20231.patch - -- Update to 3.7.1: - [bsc#1183456, CVE-2021-20232] [bsc#1183457, CVE-2021-20231] - * Fixed potential use-after-free in sending "key_share" and - "pre_shared_key" extensions. - * Fixed a regression in handling duplicated certs in a chain. - * Fixed sending of session ID in TLS 1.3 middlebox compatibility - mode. In that mode the client shall always send a non-zero - session ID to make the handshake resemble the TLS 1.2 - resumption; this was not true in the previous versions. - * Removed dependency on the external 'fipscheck' package, - when compiled with --enable-fips140-mode. - * Added padlock acceleration for AES-192-CBC. -- Remove patches upstream: - * gnutls-gnutls-cli-debug.patch - * gnutls-ignore-duplicate-certificates.patch - * gnutls-test-fixes.patch - -- Fix the test suite for tests/gnutls-cli-debug.sh [bsc#1171565] - * Don't unset system priority settings in gnutls-cli-debug.sh - * Upstream: gitlab.com/gnutls/gnutls/merge_requests/1387 -- Add gnutls-gnutls-cli-debug.patch - -- Fix: Test certificates in tests/testpkcs11-certs have expired - * Upstream bug: gitlab.com/gnutls/gnutls/issues/1135 -- Add gnutls-test-fixes.patch - -- gnutls_x509_trust_list_verify_crt2: ignore duplicate certificates - * Upstream bug: https://gitlab.com/gnutls/gnutls/issues/1131 -- Add gnutls-ignore-duplicate-certificates.patch - -- Update to 3.7.0 - * Depend on nettle 3.6 - * Added a new API that provides a callback function to retrieve - missing certificates from incomplete certificate chains - * Added a new API that provides a callback function to output the - complete path to the trusted root during certificate chain - verification - * OIDs exposed as gnutls_datum_t no longer account for the - terminating null bytes, while the data field 
is null terminated. - The affected API functions are: gnutls_ocsp_req_get_extension, - gnutls_ocsp_resp_get_response, and gnutls_ocsp_resp_get_extension - * Added a new set of API to enable QUIC implementation - * The crypto implementation override APIs deprecated in 3.6.9 are - now no-op - * Added MAGMA/KUZNYECHIK CTR-ACPKM and CMAC support - * Support for padlock has been fixed to make it work with Zhaoxin CPU - * The maximum PIN length for PKCS #11 has been increased from 31 - bytes to 255 bytes -- Remove patch fixed upstream: - * gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch -- Fix threading bug in libgnutls [bsc#1173434] - * Upstream bug: gitlab.com/gnutls/gnutls/issues/1044 - -- Avoid spurious audit messages about incompatible signature algorithms - (bsc#1172695) - * add 0001-pubkey-avoid-spurious-audit-messages-from-_gnutls_pu.patch - -- FIPS: Use 2048 bit prime in DH selftest (bsc#1176086) - * add gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch -- FIPS: Add TLS KDF selftest (bsc#1176671) - * add gnutls-FIPS-TLS_KDF_selftest.patch - -- Escape rpm command %%expand when used in comment. 
- -- FIPS: Use 2048 bit prime in DH selftest (bsc#1176086) - * add gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch - -- FIPS: Add TLS KDF selftest (bsc#1176671) - * add gnutls-FIPS-TLS_KDF_selftest.patch - -- Fix heap buffer overflow in handshake with no_renegotiation alert sent - * CVE-2020-24659 (bsc#1176181) -- add gnutls-CVE-2020-24659.patch - -- FIPS: Implement (EC)DH requirements from SP800-56Arev3 (bsc#1176086) -- add patches - * 0001-Add-Full-Public-Key-Check-for-DH.patch - * 0001-Add-test-to-ensure-DH-exchange-behaves-correctly.patch - * 0002-Add-test-to-ensure-ECDH-exchange-behaves-correctly.patch - * 0003-Add-plumbing-to-handle-Q-parameter-in-DH-exchanges.patch - * 0004-Always-pass-in-and-check-Q-in-TLS-1.3.patch - * 0005-Check-Q-for-FFDHE-primes-in-prime-check.patch - * 0006-Pass-down-Q-for-FFDHE-in-al-pre-TLS1.3-as-well.patch - * 0001-dh-primes-add-MODP-primes-from-RFC-3526.patch - * 0002-dhe-check-if-DH-params-in-SKE-match-the-FIPS-approve.patch - * 0001-dh-check-validity-of-Z-before-export.patch - * 0002-ecdh-check-validity-of-P-before-export.patch - * 0003-dh-primes-make-the-FIPS-approved-check-return-Q-valu.patch - * 0004-dh-perform-SP800-56A-rev3-full-pubkey-validation-on-.patch - * 0005-ecdh-perform-SP800-56A-rev3-full-pubkey-validation-o.patch -- drop obsolete gnutls-3.6.7-fips_DH_ECDH_key_tests.patch - -- Update to 3.6.15 - * libgnutls: Fixed "no_renegotiation" alert handling at incorrect timing. - [GNUTLS-SA-2020-09-04, CVSS: medium] - * libgnutls: If FIPS self-tests are failed, gnutls_fips140_mode_enabled() now - indicates that with a false return value (!1306). - * libgnutls: Under FIPS mode, the generated ECDH/DH public keys are checked - accordingly to SP800-56A rev 3 (!1295, !1299). - * libgnutls: gnutls_x509_crt_export2() now returns 0 upon success, rather than - the size of the internal base64 blob (#1025). 
- * libgnutls: Certificate verification failure due to OCSP must-stapling is not - honored is now correctly marked with the GNUTLS_CERT_INVALID flag - * libgnutls: The audit log message for weak hashes is no longer printed twice - * libgnutls: Fixed version negotiation when TLS 1.3 is enabled and TLS 1.2 is - disabled in the priority string. Previously, even when TLS 1.2 is explicitly - disabled with "-VERS-TLS1.2", the server still offered TLS 1.2 if TLS 1.3 is - enabled (#1054). -- drop upstreamed patches: - * gnutls-detect_nettle_so.patch - * 0001-crypto-api-always-allocate-memory-when-serializing-i.patch - -- Correctly detect gmp, nettle, and hogweed libraries (bsc#1172666) - * add gnutls-detect_nettle_so.patch - -- Fix a memory leak that could lead to a DoS attack against Samba - servers (bsc#1172663) - * add 0001-crypto-api-always-allocate-memory-when-serializing-i.patch -- Temporarily disable broken guile reauth test (bsc#1171565) - * add gnutls-temporarily_disable_broken_guile_reauth_test.patch - -- GNUTLS-SA-2020-06-03 (Fixed insecure session ticket key construction) - The TLS server would not bind the session ticket encryption key with a - value supplied by the application until the initial key rotation, allowing - attacker to bypass authentication in TLS 1.3 and recover previous - conversations in TLS 1.2 (#1011). (bsc#1172506, CVE-2020-13777) - * add patches: - + gnutls-CVE-2020-13777.patch -- Fixed handling of certificate chain with cross-signed intermediate - CA certificates (#1008). (bsc#1172461) - * add patches: - + 0001-_gnutls_verify_crt_status-apply-algorithm-checks-to-.patch - + 0002-_gnutls_pkcs11_verify_crt_status-check-validity-agai.patch - + 0003-x509-trigger-fallback-verification-path-when-cert-is.patch - + 0004-tests-add-test-case-for-certificate-chain-supersedin.patch - -- Update to 3.6.14 - * libgnutls: Fixed insecure session ticket key construction, since 3.6.4. 
- The TLS server would not bind the session ticket encryption key with a - value supplied by the application until the initial key rotation, allowing - attacker to bypass authentication in TLS 1.3 and recover previous - conversations in TLS 1.2 (#1011). (bsc#1172506, CVE-2020-13777) - [GNUTLS-SA-2020-06-03, CVSS: high] - * libgnutls: Fixed handling of certificate chain with cross-signed - intermediate CA certificates (#1008). (bsc#1172461) - * libgnutls: Fixed reception of empty session ticket under TLS 1.2 (#997). - * libgnutls: gnutls_x509_crt_print() is enhanced to recognize commonName - (2.5.4.3), decodes certificate policy OIDs (!1245), and prints Authority - Key Identifier (AKI) properly (#989, #991). - * certtool: PKCS #7 attributes are now printed with symbolic names (!1246). - * libgnutls: Use accelerated AES-XTS implementation if possible (!1244). - Also both accelerated and non-accelerated implementations check key block - according to FIPS-140-2 IG A.9 (!1233). - * libgnutls: Added support for AES-SIV ciphers (#463). - * libgnutls: Added support for 192-bit AES-GCM cipher (!1267). 
- * libgnutls: No longer use internal symbols exported from Nettle (!1235) - * API and ABI modifications: - GNUTLS_CIPHER_AES_128_SIV: Added - GNUTLS_CIPHER_AES_256_SIV: Added - GNUTLS_CIPHER_AES_192_GCM: Added - gnutls_pkcs7_print_signature_info: Added -- Add key D605848ED7E69871: public key "Daiki Ueno " to - the keyring -- Drop gnutls-fips_correct_nettle_soversion.patch (upstream) - -- Add RSA 4096 key generation support in FIPS mode (bsc#1171422) - * add gnutls-3.6.7-fips-rsa-4096.patch - -- Don't check for /etc/system-fips which we don't have (bsc#1169992) - * add gnutls-fips_mode_enabled.patch - -- Backport AES XTS support (bsc#1168835) - * add 0001-Vendor-in-XTS-functionality-from-Nettle.patch - * add gnutls-fips_XTS_key_check.patch - -- Use correct nettle .so version when looking for a FIPS checksum - (bsc#1166635) - * add gnutls-fips_correct_nettle_soversion.patch - -- Update to 3.6.13 - * libgnutls: Fix a DTLS-protocol regression (caused by TLS1.3 support) - The DTLS client would not contribute any randomness to the DTLS negotiation, - breaking the security guarantees of the DTLS protocol (#960) - [GNUTLS-SA-2020-03-31, CVSS: high] (bsc#1168345) - * libgnutls: Added new APIs to access KDF algorithms (#813). - * libgnutls: Added new callback gnutls_keylog_func that enables a custom - logging functionality. - * libgnutls: Added support for non-null terminated usernames in PSK - negotiation (#586). - * gnutls-cli-debug: Improved support for old servers that only support - SSL 3.0. - -- Fix zero random value in DTLS client hello - (CVE-2020-11501, bsc#1168345) - * add gnutls-CVE-2020-11501.patch - -- Split off FIPS checksums into a separate libgnutls30-hmac - subpackage (bsc#1152692) - * update baselibs.conf - -- bsc#1166881 - FIPS: gnutls: cfb8 decryption issue - * No longer truncate output IV if input is shorter than block size. 
- * Added gnutls-3.6.7-fips-backport_dont_truncate_output_IV.patch - -- bsc#1155327 jira#SLE-9518 - FIPS: add DH key test - * Added Diffie Hellman public key verification test. - * gnutls-3.6.7-fips_DH_ECDH_key_tests.patch - -- gnutls 3.6.12 - * libgnutls: Introduced TLS session flag (gnutls_session_get_flags()) - to identify sessions that client request OCSP status request (#829). - * libgnutls: Added support for X448 key exchange (RFC 7748) and Ed448 - signature algorithm (RFC 8032) under TLS (#86). - * libgnutls: Added the default-priority-string option to system configuration; - it allows overriding the compiled-in default-priority-string. - * libgnutls: Added support for GOST CNT_IMIT ciphersuite (as defined by - draft-smyshlyaev-tls12-gost-suites-07). - By default this ciphersuite is disabled. It can be enabled by adding - +GOST to priority string. In the future this priority string may enable - other GOST ciphersuites as well. Note, that server will fail to negotiate - GOST ciphersuites if TLS 1.3 is enabled both on a server and a client. It - is recommended for now to disable TLS 1.3 in setups where GOST ciphersuites - are enabled on GnuTLS-based servers. - * libgnutls: added priority shortcuts for different GOST categories like - CIPHER-GOST-ALL, MAC-GOST-ALL, KX-GOST-ALL, SIGN-GOST-ALL, GROUP-GOST-ALL. - * libgnutls: Reject certificates with invalid time fields. That is we reject - certificates with invalid characters in Time fields, or invalid time formatting - To continue accepting the invalid form compile with --disable-strict-der-time - * libgnutls: Reject certificates which contain duplicate extensions. We were - previously printing warnings when printing such a certificate, but that is - not always sufficient to flag such certificates as invalid. Instead we now - refuse to import them (#887). 
- * libgnutls: If a CA is found in the trusted list, check in addition to - time validity, whether the algorithms comply to the expected level prior - to accepting it. This addresses the problem of accepting CAs which would - have been marked as insecure otherwise (#877). - * libgnutls: The min-verification-profile from system configuration applies - for all certificate verifications, not only under TLS. The configuration can - be overridden using the GNUTLS_SYSTEM_PRIORITY_FILE environment variable. - * libgnutls: The stapled OCSP certificate verification adheres to the convention - used throughout the library of setting the 'GNUTLS_CERT_INVALID' flag. - * libgnutls: On client side only send OCSP staples if they have been requested - by the server, and on server side always advertise that we support OCSP stapling - * libgnutls: Introduced the gnutls_ocsp_req_const_t which is compatible - with gnutls_ocsp_req_t but const. - * certtool: Added the --verify-profile option to set a certificate - verification profile. Use '--verify-profile low' for certificate verification - to apply the 'NORMAL' verification profile. - * certtool: The add_extension template option is considered even when generating - a certificate from a certificate request. - -- gnutls 3.6.11.1: - * libgnutls: Corrected issue with TLS 1.2 session ticket - handling as client during resumption - * libgnutls: gnutls_base64_decode2() succeeds decoding the empty - string to the empty string. This is a behavioral change of the - API but it conforms to the RFC4648 expectations - * libgnutls: Fixed AES-CFB8 implementation, when input is shorter - than the block size. Fix backported from nettle. - * certtool: CRL distribution points will be set in CA - certificates even when non self-signed - * gnutls-cli/serv: added raw public-key handling capabilities - (RFC7250). Key material can be set via the --rawpkkeyfile and - --rawpkfile flags. 
- -- gnutls 3.6.10: - * Add support for deterministic ECDSA/DSA (RFC6979) - * Add functions for in-place encryption/decryption of data buffers - * server now selects the highest TLS protocol version, if TLS 1.3 - is enabled and the client advertises an older protocol version - first - * Add support for GOST 28147-89 cipher in CNT (GOST counter) mode - and MAC generation based on GOST 28147-89 (IMIT) - * certtool: when outputting an encrypted private key do not - insert the textual description of it - -- Install checksums for binary integrity verification which are - required when running in FIPS mode (bsc#1152692, jsc#SLE-9518) - -- gnutls 3.6.9: - * add support for copying digest or MAC contexts - * Mark the crypto implementation override APIs as deprecated - * Add support for AES-GMAC, as a separate to GCM, MAC algorithm - * Add support for Generalname registeredID - * The priority configuration was enhanced to allow more elaborate - system-wide configuration of the library -- includes changes from 3.6.8: - * Add support for AES-XTS cipher - * Fix calculation of Streebog digests - * During Diffie-Hellman operations in TLS, verify that the peer's - public key is on the right subgroup (y^q=1 mod p), when q is - available (under TLS 1.3 and under earlier versions when RFC7919 - parameters are used). - * Apply STD3 ASCII rules in gnutls_idna_map() to prevent - hostname/domain crafting via IDNA conversion - * certtool: allow the digital signature key usage flag in CA - certificates - * gnutls-cli/serv: add the --keymatexport and --keymatexportsize - options. 
These allow testing the RFC5705 using these tools -- drop patches to re-enable tests: - * disable-psk-file-test.patch - * gnutls-3.6.0-disable-flaky-dtls_resume-test.patch - -- Explicitly require libnettle 3.4.1 (bsc#1134856) - * The RSA decryption code was rewritten in GnuTLS 3.6.5 in order - to fix CVE-2018-16868, the new implementation makes use of a new - rsa_sec_decrypt() function introduced in libnettle 3.4.1 - * libnettle was recently updated to the 3.4.1 version but we need - to add explicit dependency on it to prevent missing symbol errors - with the older versions - -- Restored autoreconf in build. -- Removed gnutls-3.6.6-SUSE_SLE15_congruent_version_requirements.patch - since the version requirements of required libraries are once again - automatically determined. -- Added gnutls-3.6.7-SUSE_SLE15_guile_site_directory.patch because it is a - better patch name for handling the '--with-guile-site-dir=' problem in - 3.6.7. - -- Trim useless %if..%endif guards that do not affect the build. -- Fix language errors in description again. - -- Update gnutls to 3.6.7 - * * libgnutls, gnutls tools: Every gnutls_free() will automatically set - the free'd pointer to NULL. This prevents possible use-after-free and - double free issues. Use-after-free will be turned into NULL dereference. - The counter-measure does not extend to applications using gnutls_free(). - * * libgnutls: Fixed a memory corruption (double free) vulnerability in the - certificate verification API. Reported by Tavis Ormandy; addressed with - the change above. [GNUTLS-SA-2019-03-27, #694] [bsc#1130681] (CVE-2019-3829) - * * libgnutls: Fixed an invalid pointer access via malformed TLS1.3 async messages; - Found using tlsfuzzer. [GNUTLS-SA-2019-03-27, #704] [bsc#1130682] (CVE-2019-3836) - * * libgnutls: enforce key usage limitations on certificates more actively. - Previously we would enforce it for TLS1.2 protocol, now we enforce it - even when TLS1.3 is negotiated, or on client certificates as well. 
When - an inappropriate for TLS1.3 certificate is seen on the credentials structure - GnuTLS will disable TLS1.3 support for that session (#690). - * * libgnutls: the default number of tickets sent under TLS 1.3 was increased to - two. This makes it easier for clients which perform multiple connections - to the server to use the tickets sent by a default server. - * * libgnutls: enforce the equality of the two signature parameters fields in - a certificate. We were already enforcing the signature algorithm, but there - was a bug in parameter checking code. - * * libgnutls: fixed issue preventing sending and receiving from different - threads when false start was enabled (#713). - * * libgnutls: the flag GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO now implies a writable - session, as non-writeable security officer sessions are undefined in PKCS#11 - (#721). - * * libgnutls: no longer send downgrade sentinel in TLS 1.3. - Previously the sentinel value was embedded too early in version - negotiation and was sent even on TLS 1.3. It is now sent only when - TLS 1.2 or earlier is negotiated (#689). - * * gnutls-cli: Added option --logfile to redirect informational messages output. -- Disabled dane support since dane is not shipped with SLE-15 -- Changed configure script to hardwire guile site directory since command-line - option '--with-guile-site-dir=' was removed from the configure script in 3.6.7. - * * Modified gnutls-3.6.6-SUSE_SLE15_congruent_version_requirements.patch -- Modified gnutls-3.6.0-disable-flaky-dtls_resume-test.patch to fix - compilation issues on PPC -- Fixed Bleichenbacher-like side channel leakage in PKCS#1 v1.5 verification - and padding oracle verification (in 3.6.5) [bsc#1118087] (CVE-2018-16868) - -- FATE#327114 - Update gnutls to 3.6.6 to support TLS 1.3 - * * libgnutls: gnutls_pubkey_import_ecc_raw() was fixed to set the number bits - on the public key (#640). - * * libgnutls: Added support for raw public-key authentication as defined in RFC7250. 
- Raw public-keys can be negotiated by enabling the corresponding certificate - types via the priority strings. The raw public-key mechanism must be explicitly - enabled via the GNUTLS_ENABLE_RAWPK init flag (#26, #280). - * * libgnutls: When on server or client side we are sending no extensions we do - not set an empty extensions field but we rather remove that field completely. - This solves a regression since 3.5.x and improves compatibility of the server - side with certain clients. - * * libgnutls: We no longer mark RSA keys in PKCS#11 tokens as RSA-PSS capable if - the CKA_SIGN is not set (#667). - * * libgnutls: The priority string option %NO_EXTENSIONS was improved to completely - disable extensions at all cases, while providing a functional session. This - also implies that when specified, TLS1.3 is disabled. - * * libgnutls: GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION was marked as deprecated. - The previous definition was non-functional (#609). - * Removed patches: - 0001-dummy_wait-correctly-account-the-length-field-in-SHA.patch - 0002-dummy_wait-always-hash-the-same-amount-of-blocks-tha.patch - 0003-cbc_mac_verify-require-minimum-padding-under-SSL3.0.patch - 0004-hmac-sha384-and-sha256-ciphersuites-were-removed-fro.patch - * Added Patches: - * * disable failing psk-file test (race condition): - disable-psk-file-test.patch - * * Patch configure script to accept specific versions of autotools and guile - that are present in SUSE-SLE15. (A bug prevents configure from accepting - a range of compatible versions. Upstream's solution is to hardwire for - the most current versions.) 
- gnutls-3.6.6-SUSE_SLE15_congruent_version_requirements.patch - * Modified: - * * gnutls-3.6.0-disable-flaky-dtls_resume-test.patch -- drop no longer needed gnutls-enbale-guile-2.2.patch -- refresh disable-psk-file-test.patch - -- Update to 3.6.5 - * * libgnutls: Provide the option of transparent re-handshake/reauthentication - when the GNUTLS_AUTO_REAUTH flag is specified in gnutls_init() (#571). - * * libgnutls: Added support for TLS 1.3 zero round-trip (0-RTT) mode (#127) - * * libgnutls: The priority functions will ignore and not enable TLS1.3 if - requested with legacy TLS versions enabled but not TLS1.2. That is because - if such a priority string is used in the client side (e.g., TLS1.3+TLS1.0 enabled) - servers which do not support TLS1.3 will negotiate TLS1.2 which will be - rejected by the client as disabled (#621). - * * libgnutls: Change RSA decryption to use a new side-channel silent function. - This addresses a security issue where memory access patterns as well as timing - on the underlying Nettle rsa-decrypt function could lead to new Bleichenbacher - attacks. Side-channel resistant code is slower due to the need to mask - access and timings. When used in TLS the new functions cause RSA based - handshakes to be between 13% and 28% slower on average (Numbers are indicative, - the tests were performed on a relatively modern Intel CPU, results vary - depending on the CPU and architecture used). This change makes nettle 3.4.1 - the minimum requirement of gnutls (#630). [CVSS: medium] - * * libgnutls: gnutls_priority_init() and friends, allow the CTYPE-OPENPGP keyword - in the priority string. It is only accepted as legacy option and is ignored. 
- * * libgnutls: Added support for EdDSA under PKCS#11 (#417) - * * libgnutls: Added support for AES-CFB8 cipher (#357) - * * libgnutls: Added support for AES-CMAC MAC (#351) - * * libgnutls: In two previous versions GNUTLS_CIPHER_GOST28147_CPB/CPC/CPD_CFB ciphers - have incorrectly used CryptoPro-A S-BOX instead of proper (CryptoPro-B/-C/-D - S-BOXes). They are fixed now. - * * libgnutls: Added support for GOST key unmasking and unwrapped GOST private - keys parsing, as specified in R 50.1.112-2016. - * * gnutls-serv: It applies the default settings when no --priority option is given, - using gnutls_set_default_priority(). - * * p11tool: Fix initialization of security officer's PIN with the --initialize-so-pin - option (#561) - * * certtool: Add parameter --no-text that prevents certtool from outputting - text before PEM-encoded private key, public key, certificate, CRL or CSR. -- minimum required libnettle is now 3.4.1 -- refresh - * disable-psk-file-test.patch - * gnutls-3.6.0-disable-flaky-dtls_resume-test.patch - -- search for guile-2.2 during configure, part of boo#1117121 - add patches: - * gnutls-enbale-guile-2.2.patch: search for guile-2.2 - refresh patches: - * disable-psk-file-test.patch: disable psk-file in Makefile.am - -- Temporarily disable failing psk-file test (race condition) - * add disable-psk-file-test.patch - -- Version update to 3.6.4 (bsc#1111757): - * * libgnutls: Added the final (RFC8446) version numbering of the TLS1.3 protocol. - * * libgnutls: Corrected regression since 3.6.3 in the callbacks set with - gnutls_certificate_set_retrieve_function() which could not handle the case where - no certificates were returned, or the callbacks were set to NULL (see #528). - * * libgnutls: gnutls_handshake() on server returns early on handshake when no - certificate is presented by client and the gnutls_init() flag GNUTLS_ENABLE_EARLY_START - is specified. - * * libgnutls: Added session ticket key rotation on server side with TOTP. 
- The key set with gnutls_session_ticket_enable_server() is used as a - master key to generate time-based keys for tickets. The rotation - relates to the gnutls_db_set_cache_expiration() period. - * * libgnutls: The 'record size limit' extension is added and preferred to the - 'max record size' extension when possible. - * * libgnutls: Provide a more flexible PKCS#11 search of trust store certificates. - This addresses the problem where the CA certificate doesn't have a subject key - identifier whereas the end certificates have an authority key identifier (#569) - * * libgnutls: gnutls_privkey_export_gost_raw2(), gnutls_privkey_import_gost_raw(), - gnutls_pubkey_export_gost_raw2(), gnutls_pubkey_import_gost_raw() import - and export GOST parameters in the "native" little endian format used for these - curves. This is an intentional incompatible change with 3.6.3. - * * libgnutls: Added support for separately negotiating client and server certificate types - as defined in RFC7250. This mechanism must be explicitly enabled via the - GNUTLS_ENABLE_CERT_TYPE_NEG flag in gnutls_init(). 
-- Drop upstreamed patch: - * gnutls-3.6.3-backport-upstream-fixes.patch - -- gnutls-3.6.0-disable-flaky-dtls_resume-test.patch: refresh to also patch - test/Makefile.in as autoreconf does not work - -- Backport of upstream fixes (boo#1108450) - * gnutls-3.6.3-backport-upstream-fixes.patch - Fixes taken from upstream commits: - * * 3df5b7bc8a64 ("cert-cred: fix possible segfault when resetting cert retrieval function") - * * 42945a7aab6d ("allow no certificates to be reported by the gnutls_certificate_retrieve_function callbacks") - * * 10f83e36ed92 ("hello_ext_parse: apply the test for pre-shared key ext being last on client hello") - The patch was taken from https://github.com/weechat/weechat/issues/1231 - -- Security update - Improve mitigations against Lucky 13 class of attacks - * "Just in Time" PRIME + PROBE cache-based side channel attack - can lead to plaintext recovery (CVE-2018-10846, bsc#1105460) - * HMAC-SHA-384 vulnerable to Lucky thirteen attack due to use of - wrong constant (CVE-2018-10845, bsc#1105459) - * HMAC-SHA-256 vulnerable to Lucky thirteen attack due to not - enough dummy function calls (CVE-2018-10844, bsc#1105437) - * add patches: - 0001-dummy_wait-correctly-account-the-length-field-in-SHA.patch - 0002-dummy_wait-always-hash-the-same-amount-of-blocks-tha.patch - 0003-cbc_mac_verify-require-minimum-padding-under-SSL3.0.patch - 0004-hmac-sha384-and-sha256-ciphersuites-were-removed-fro.patch - -- Update to 3.6.3 - Fixes security issues: - CVE-2018-10846, CVE-2018-10845, CVE-2018-10844, CVE-2017-10790 - (bsc#1105437, bsc#1105460, bsc#1105459, bsc#1047002) - Other Changes: - * * libgnutls: Introduced support for draft-ietf-tls-tls13-28 - * * libgnutls: Apply compatibility settings for existing applications running with TLS1.2 or - earlier and TLS 1.3. - * * Added support for Russian Public Key Infrastructure according to RFCs 4491/4357/7836. 
- * * Provide a uniform cipher list across supported TLS protocols - * * The SSL 3.0 protocol is disabled on compile-time by default. - * * libgnutls: Introduced function to switch the current FIPS140-2 operational - mode - * * libgnutls: Introduced low-level function to assist applications attempting client - hello extension parsing, prior to GnuTLS' parsing of the message. - * * libgnutls: When exporting an X.509 certificate avoid re-encoding if there are no - modifications to the certificate. - * * libgnutls: on group exchange honor the %SERVER_PRECEDENCE and select the groups - which are preferred by the server. - * * Improved counter-measures for TLS CBC record padding. - * * Introduced the %FORCE_ETM priority string option. This option prevents the negotiation - of legacy CBC ciphersuites unless encrypt-then-mac is negotiated. - * * libgnutls: gnutls_privkey_import_ext4() was enhanced with the - GNUTLS_PRIVKEY_INFO_PK_ALGO_BITS flag. - * * libgnutls: gnutls_pkcs11_copy_secret_key, gnutls_pkcs11_copy_x509_privkey2, - gnutls_pkcs11_privkey_generate3 will mark objects as sensitive by default - unless GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE is specified. This is an API - change for these functions which make them err towards safety. - * * libgnutls: improved aarch64 cpu features detection by using getauxval(). - * * certtool: It is now possible to specify certificate and serial CRL numbers greater - than 2**63-2 as a hex-encoded string both when prompted and in a template file. - Default certificate serial numbers are now fully random. -- don't run autoreconf to avoid pulling in gtk-doc - -- Require pkgconfig(autoopts) for building - -- Simplify the DANE support %ifdef condition - * build with DANE on openSUSE only - -- Adjust RPM groups. Drop %if..%endif guards that are idempotent. 
- -- build without DANE support on SLE-15, as it doesn't have unbound - (bsc#1086428) - -- add back refreshed gnutls-3.6.0-disable-flaky-dtls_resume-test.patch - the dtls-resume test still keeps randomly failing on PPC - -- remove gnutls-3.6.0-disable-flaky-dtls_resume-test.patch - patch does not apply any more and apparently the build - succeeds even if the formerly flaky testcase is run (bsc#1086579) - -- gnutls.keyring: Nikos key refreshed to be unexpired - -- GnuTLS 3.6.2: - * libgnutls: When verifying against a self signed certificate ignore issuer. - That is, ignore issuer when checking the issuer's parameters strength, - resolving issue #347 which caused self signed certificates to be - additionally marked as of insufficient security level. - * libgnutls: Corrected MTU calculation for the CBC ciphersuites. The data - MTU calculation now, it correctly accounts for the fixed overhead due to - padding (as 1 byte), while at the same time considers the rest of the - padding as part of data MTU. - * libgnutls: Address issue of loading of all PKCS#11 modules on startup - on systems with a PKCS#11 trust store (as opposed to a file trust store). - Introduced a multi-stage initialization which loads the trust modules, and - other modules are deferred for the first pure PKCS#11 request. - * libgnutls: The SRP authentication will reject any parameters outside - RFC5054. This protects any client from potential MitM due to insecure - parameters. That also brings SRP in par with the RFC7919 changes to - Diffie-Hellman. - * libgnutls: Added the 8192-bit parameters of SRP to the accepted parameters - for SRP authentication. - * libgnutls: Addressed issue in the accelerated code affecting - interoperability with versions of nettle >= 3.4. - * libgnutls: Addressed issue in the AES-GCM acceleration under aarch64. - * libgnutls: Addressed issue in the AES-CBC acceleration under ssse3 (patch by - Vitezslav Cizek). 
- * srptool: the --create-conf option no longer includes 1024-bit parameters. - * p11tool: Fixed the deletion of objects in batch mode. -- Dropped gnutls-check_aes_keysize.patch as it is included upstream now. - -- Use %license (boo#1082318) - -- Sanity check key size in SSSE3 AES cipher implementation (bsc#1074303) - * add gnutls-check_aes_keysize.patch - -- GnuTLS 3.6.1: - * Fix interoperability issue with openssl when safe renegotiation - was used - * gnutls_x509_crl_sign, gnutls_x509_crt_sign, - gnutls_x509_crq_sign, were modified to sign with a better - algorithm than SHA1. They will now sign with an algorithm that - corresponds to the security level of the signer's key. - * gnutls_x509_*_sign2() functions and gnutls_x509_*_privkey_sign() - accept GNUTLS_DIG_UNKNOWN (0) as a hash function option. That - will signal the function to auto-detect an appropriate hash - algorithm to use. - * Remove support for signature algorithms using SHA2-224 in TLS. - TLS 1.3 no longer uses SHA2-224 and it was never a widespread - algorithm in TLS 1.2 - * Refuse to use client certificates containing disallowed - algorithms for a session, reverting a change on 3.5.5 - * Refuse to resume a session which had a different SNI advertised - That improves RFC6066 support in server side. - * p11tool: Mark all generated objects as sensitive by default. - * p11tool: added options --sign-params and --hash. This allows - testing signature with multiple algorithms, including RSA-PSS. - -- Disable flaky dtls_resume test on Power - * add gnutls-3.6.0-disable-flaky-dtls_resume-test.patch - -- GnuTLS 3.6.0: - * Introduce a lock-free random generator which operates per- - thread and eliminates random-generator related bottlenecks in - multi-threaded operation. - * Replace the Salsa20 random generator with one based on CHACHA. - The goal is to reduce code needed in cache (CHACHA is also - used for TLS), and the number of primitives used by the - library. 
That does not affect the AES-DRBG random generator - used in FIPS140-2 mode. - * Add support for RSA-PSS key type as well as signatures in - certificates, and TLS key exchange - * Add support for Ed25519 signing in certificates and TLS key - exchange following draft-ietf-tls-rfc4492bis-17 - * Enable X25519 key exchange by default, following - draft-ietf-tls-rfc4492bis-17. - * Add support for Diffie-Hellman group negotiation following - RFC7919. - * Introduce various sanity checks on certificate import - * Introduce gnutls_x509_crt_set_flags(). This function can set - flags in the crt structure. The only flag supported at the - moment is GNUTLS_X509_CRT_FLAG_IGNORE_SANITY which skips the - certificate sanity checks on import. - * PKIX certificates with unknown critical extensions are rejected - on verification with status GNUTLS_CERT_UNKNOWN_CRIT_EXTENSIONS - * Refuse to generate a certificate with an illegal version, or an - illegal serial number. That is, gnutls_x509_crt_set_version() - and gnutls_x509_crt_set_serial(), will fail on input considered - to be invalid in RFC5280. - * Call to gnutls_record_send() and gnutls_record_recv() prior to - handshake being complete are now refused - * Add support for PKCS#12 files with no salt (zero length) in - their password encoding, and PKCS#12 files using SHA384 and - SHA512 as MAC. - * libgnutls: Exported functions to encode and decode DSA and ECDSA - r,s values. - * Add new callback setting function to gnutls_privkey_t for - external keys. The new function (gnutls_privkey_import_ext4), - allows signing in addition to previous algorithms (RSA PKCS#1 - 1.5, DSA, ECDSA), with RSA-PSS and Ed25519 keys. - * Introduce the %VERIFY_ALLOW_BROKEN and - %VERIFY_ALLOW_SIGN_WITH_SHA1 priority string options. These - allows enabling all broken and SHA1-based signature algorithms - in certificate verification, respectively. - * 3DES-CBC is no longer included in the default priorities list. 
- It has to be explicitly enabled, e.g., with a string like - "NORMAL:+3DES-CBC". - * SHA1 was marked as insecure for signing certificates. - Verification of certificates signed with SHA1 is now considered - insecure and will fail, unless flags intended to enable broken - algorithms are set. Other uses of SHA1 are still allowed. - * RIPEMD160 was marked as insecure for certificate signatures. - Verification of certificates signed with RIPEMD160 hash - algorithm is now considered insecure and will fail, unless - flags intended to enable broken algorithms are set. - * No longer enable SECP192R1 and SECP224R1 by default on TLS - handshakes. These curves were rarely used for that purpose, - provide no advantage over x25519 and were deprecated by TLS 1.3. - * Remove support for DEFLATE, or any other compression method. - * OpenPGP authentication was removed; the resulting library is ABI - compatible, with the openpgp related functions being stubs that - fail on invocation. - Drop gnutls-broken-openpgp-tests.patch, no longer required. - * Remove support for libidn (i.e., IDNA2003); gnutls can now be - compiled only with libidn2 which provides IDNA2008. - * certtool: The option '--load-ca-certificate' can now accept - PKCS#11 URLs in addition to files. - * certtool: The option '--load-crl' can now be used when - generating PKCS#12 files (i.e., in conjunction with '--to-p12' option). - * certtool: Keys with provable RSA and DSA parameters are now - only read and exported from PKCS#8 form, following - draft-mavrogiannopoulos-pkcs8-validated-parameters-00.txt. - This removes support for the previous a non-standard key format. - * certtool: Added support for generating, printing and handling - RSA-PSS and Ed25519 keys and certificates. - * certtool: the parameters --rsa, --dsa and --ecdsa to - - -generate-privkey are now deprecated, replaced by the - - -key-type option. 
- * p11tool: The --generate-rsa, --generate-ecc and --generate-dsa - options were replaced by the --generate-privkey option. - * psktool: Generate 256-bit keys by default. - * gnutls-server: Increase request buffer size to 16kb, and added - the --alpn and --alpn-fatal options, allowing testing of ALPN - negotiation. - * Enables FIPS 140-2 mode during build - -- Buildrequire iproute2: the test suite calls /usr/bin/ss and as - such we have to ensure to pull it in. - -- GnuTLS 3.5.15: - * libgnutls: Disable hardware acceleration on aarch64/ilp32 mode - * certtool: Keys with provable RSA and DSA parameters are now - only exported in PKCS#8 form - -- RPM group fix. Diversification of summaries. -- Avoid aims and future plans in description. Say what it does now. - -- Drop the deprecated openssl compat ; discussed and suggested by - vcizek -- Cleanup a bit with spec-cleaner - -- GnuTLS 3.5.14: - * Handle specially HSMs which request explicit authentication - * The GNUTLS_PKCS11_OBJ_FLAG_LOGIN will force a login on HSMs - * do not set leading zeros when copying integers on HSMs - * Fix issue discovering certain OCSP signers, and improved the - discovery of OCSP signer in the case where the Subject Public - Key identifier field matches - * ensure OCSP responses are saved with --save-ocsp even if - certificate verification fails. - -- GnuTLS 3.5.13: - * libgnutls: fixed issue with AES-GCM in-place encryption and - decryption in aarch64 - * libgnutls: no longer parse the ResponseID field of the status - response TLS extension. The field is not used by GnuTLS nor is - made available to calling applications. That addresses a null - pointer dereference on server side caused by packets containing - the ResponseID field. GNUTLS-SA-2017-4, bsc#1043398 - * libgnutls: tolerate certificates which do not have strict DER - time encoding. It is possible using 3rd party tools to generate - certificates with time fields that do not conform to DER - requirements.
Since 3.4.x these certificates were rejected and - cannot be used with GnuTLS, however that caused problems with - existing private certificate infrastructures, which were - relying on such certificates. Tolerate reading and using these - certificates. - * minitasn1: updated to libtasn1 4.11. - * certtool: allow multiple certificates to be used in --p7-sign - with the --load-certificate option - -- GnuTLS 3.5.12: - * libgnutls: gnutls_x509_crt_check_hostname2() no longer matches - IP addresses against DNS fields of certificate (CN or DNSname). - The previous behavior was to tolerate some misconfigured - servers, but that was non-standard and skipped any IP - constraints present in higher level certificates. - * libgnutls: when converting to IDNA2008, fallback to IDNA2003 - (i.e., transitional encoding) if the domain cannot be converted. - That provides maximum compatibility with browsers like firefox - that perform the same conversion. - * libgnutls: fix issue in RSA-PSK client callback which resulted - in no username being sent to the peer - * libgnutls: fix regression causing stapled extensions in trust - modules not to be considered. - * certtool: introduced the email_protection_key option. This - option was introduced in documentation for certtool without an - implementation of it. It is a shortcut for option - 'key_purpose_oid = 1.3.6.1.5.5.7.3.4'. - * certtool: made printing of key ID and key PIN consistent - between certificates, public keys, and private keys. That is - the private key printing now uses the same format as the rest. - * gnutls-cli: introduced the --sni-hostname option. This allows - overriding the hostname advertised to the peer. - -- skip trust-store tests to avoid build cycle with - ca-certificates-mozilla, add gnutls-3.5.11-skip-trust-store-tests.patch - -- GnuTLS 3.5.11: - * gnutls.pc: do not include libtool options into Libs.private. 
- * libgnutls: Fixed issue when rehandshaking without a client certificate in - a session which initially used one - * libgnutls: Addressed read of 4 bytes past the end of buffer in OpenPGP - certificate parsing (bsc#1038337) - * libgnutls: Introduced locks in gnutls_pkcs11_privkey_t structure access. - That allows PKCS#11 operations such as signing to be performed with the - same object from multiple threads. - * libgnutls: when disabling OpenPGP authentication, the resulting library - is ABI compatible (with openpgp related functions being stubs that fail - on invocation). - -- call gzip -n to make build fully reproducible - -- update to 3.5.10 - * addresses GNUTLS-SA-2017-3 CVE-2017-7869 bsc#1034173 - * gnutls.pc: do not include libidn2 in Requires.private - * libgnutls: optimized access to subject alternative names (SANs) in parsed - certificates - * libgnutls: Print the key PIN value used by the HPKP protocol as per RFC7469 - when printing certificate information. - * libgnutls: gnutls_ocsp_resp_verify_direct() and gnutls_ocsp_resp_verify() - flags can be set from the gnutls_certificate_verify_flags enumeration. - This allows the functions to pass the same flags available for certificates - to the verification function (e.g., GNUTLS_VERIFY_DISABLE_TIME_CHECKS or - GNUTLS_VERIFY_ALLOW_BROKEN). - * libgnutls: gnutls_store_commitment() can accept flag - GNUTLS_SCOMMIT_FLAG_ALLOW_BROKEN. This is to allow the function to operate - in applications which use SHA1 for example, after SHA1 is deprecated. - * certtool: No longer ignore the 'add_critical_extension' template option if - the 'add_extension' option is not present.
- * gnutls-cli: Added LMTP, POP3, NNTP, Sieve and PostgreSQL support to the - starttls-proto command -- drop gnutls-3.5.9-pkgconfig.patch (upstream) -- remove unknown --disable-srp flag (bsc#901857) - -- disable the deprecated OpenPGP authentication support - * see https://gitlab.com/gnutls/gnutls/issues/102 -- add gnutls-broken-openpgp-tests.patch - -- GnuTLS 3.5.9: - * libgnutls: OpenPGP references removed, functionality deprecated - * libgnutls: Improve detection of AVX support - * libgnutls: Add support for IDNA2008 with libidn2 FATE#321897 - * p11tool: re-use ID from corresponding objects when writing - certificates. - * API and ABI modifications: - gnutls_idna_map: Added - gnutls_idna_reverse_map: Added -- prevent pkgconfig issues due to libidn2 when building with GnuTLS - add gnutls-3.5.9-pkgconfig.patch - -- Version 3.5.8 (released 2016-01-09) - * libgnutls: Ensure that multiple calls to the gnutls_set_priority_* - functions will not leave the verification profiles field to an - undefined state. The last call will take precedence. - * libgnutls: Ensure that GNUTLS_E_DECRYPTION_FAIL will be returned - by PKCS#8 decryption functions when an invalid key is provided. This - addresses regression on decrypting certain PKCS#8 keys. - * libgnutls: Introduced option to override the default priority string - used by the library. The intention is to allow support of system-wide - priority strings (as set with --with-system-priority-file). The - configure option is --with-default-priority-string. - * libgnutls: Require a valid IV size on all ciphers for PKCS#8 decryption. - This prevents crashes when decrypting malformed PKCS#8 keys. - * libgnutls: Fix crash on the loading of malformed private keys with certain - parameters set to zero. - * libgnutls: Fix double free in certificate information printing.
If the PKIX - extension proxy was set with a policy language set but no policy specified, - that could lead to a double free. - * libgnutls: Addressed memory leaks in client and server side error paths - (issues found using oss-fuzz project) - * libgnutls: Addressed memory leaks in X.509 certificate printing error paths - (issues found using oss-fuzz project) - * libgnutls: Addressed memory leaks and an infinite loop in OpenPGP certificate - parsing. Fixes by Alex Gaynor. (issues found using oss-fuzz project) - * libgnutls: Addressed invalid memory accesses in OpenPGP certificate parsing. - (issues found using oss-fuzz project) -- security issues fixed: GNUTLS-SA-2017-1 GNUTLS-SA-2017-2 - -- GnuTLS 3.5.7, the next stable branch, with the following - highlights: - * SHA3 as a certificate signature algorithm - * X25519 (formerly curve25519) for ephemeral EC diffie-hellman - key exchange - * TLS false start - * New APIs to access the Shawe-Taylor-based provable RSA and DSA - parameter generation - * Prevent the change of identity on rehandshakes by default - -- GnuTLS 3.4.17: - * libgnutls: Introduced time and constraints checks in the end - certificate in the gnutls_x509_crt_verify_data2() and - gnutls_pkcs7_verify_direct() functions. - * libgnutls: Set limits on the maximum number of alerts handled. - That is, applications using gnutls could be tricked into a - busy loop if the peer sends continuously alert messages. - Applications which set a maximum handshake time (via - gnutls_handshake_set_timeout) will eventually recover but - others may remain in a busy loop indefinitely. This is related - but not identical to CVE-2016-8610, due to the difference in - alert handling of the libraries (gnutls delegates that handling - to applications). boo#1005879 - * libgnutls: Enhanced the PKCS#7 parser to allow decoding old - (pre-rfc5652) structures with arbitrary encapsulated content.
- * libgnutls: Backported cipher priorities order from 3.5.x branch - That adds CHACHA20-POLY1305 ciphersuite to SECURE priority - strings. - * certtool: When exporting a CRQ in DER format ensure no text data - are intermixed. - * API and ABI modifications: - gnutls_pkcs7_get_embedded_data_oid: Added -- includes changes from 3.4.16: - * libgnutls: Ensure proper cleanups on - gnutls_certificate_set_*key() failures due to key mismatch. - This prevents leaks or double freeing on such failures. - * libgnutls: Increased the maximum size of the handshake message - hash. This will allow the library to cope better with larger - packets, as the ones offered by current TLS 1.3 drafts. - * libgnutls: Allow to use client certificates despite them - containing disallowed algorithms for a session. That allows for - example a client to use DSA-SHA1 due to his old DSA - certificate, without requiring him to enable DSA-SHA1 (and thus - make it acceptable for the server's certificate). - * guile: Backported all improvements from 3.5.x branch. - * guile: Update code to the I/O port API of Guile >= 2.1.4 - This makes sure the GnuTLS bindings will work with the - forthcoming 2.2 stable series of Guile, of which 2.1 is a - preview. - -- GnuTLS 3.4.15: - * libgnutls: Corrected the comparison of the serial size in OCSP - response. Previously the OCSP certificate check wouldn't verify - the serial length and could succeed in cases it shouldn't - (GNUTLS-SA-2016-3). - * libgnutls: Fixes in gnutls_x509_crt_list_import2, which was - ignoring flags if all certificates in the list fit within the - initially allocated memory. - * libgnutls: Corrected issue which made - gnutls_certificate_get_x509_crt() to return invalid pointers - when returned more than a single certificate. - * libgnutls: Fix gnutls_pkcs12_simple_parse to always extract the - complete chain. - * libgnutls: Added support for decrypting PKCS#8 files which use - the HMAC-SHA256 as PRF. 
- * libgnutls: Addressed issue with PKCS#11 signature generation on - ECDSA keys. The signature is now written as unsigned integers - into the DSASignatureValue structure. Previously signed - integers could be written depending on what the underlying - module would produce. Addresses #122. -- fix build error for 13.2, 42.1 and 42.2 - -- GnuTLS 3.4.14: - * libgnutls: Address issue when utilizing the p11-kit trust store - for certificate verification (GNUTLS-SA-2016-2, boo#988276) - * libgnutls: Fixed DTLS handshake packet reconstruction. - * libgnutls: Fixed issues with PKCS#11 reading of sensitive - objects from SafeNet Network HSM - * libgnutls: Corrected the writing of PKCS#11 CKA_SERIAL_NUMBER -- drop upstreamed - 0001-tests-use-datefudge-in-name-constraints-test.patch - -- Fix a problem with expired test certificate by using datefudge - (boo#987139) - * add 0001-tests-use-datefudge-in-name-constraints-test.patch - -- Version 3.4.13 (released 2016-06-06) - * libgnutls: Consider the SSLKEYLOGFILE environment to be compatible with - NSS instead of using a separate variable; in addition append any keys to - the file instead of overwriting it. - * libgnutls: use secure_getenv() where available to obtain environment - variables. Addresses GNUTLS-SA-2016-1. -- Version 3.4.12 (released 2016-05-20) - * libgnutls: The CHACHA20-POLY1305 ciphersuite is enabled by default. This - cipher is prioritized after AES-GCM. - * libgnutls: Fixes in gnutls_privkey_import_ecc_raw(). - * libgnutls: Fixed gnutls_pkcs11_get_raw_issuer() usage with the - GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT flag. Previously that - operation could fail on certain PKCS#11 modules. - * libgnutls: gnutls_pkcs11_obj_import_url() and gnutls_x509_crt_import_url() - can accept the GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT flag. - * libgnutls: gnutls_certificate_set_key() was enhanced to import the DNS - name of the certificates if the provided names are NULL. 
- * libgnutls: when receiving SNI names, only save and expose to application - the supported DNS names. - * libgnutls: when importing the certificate names at the - gnutls_certificate_set* functions, only consider the CN as a fallback - if DNS names are provided via the alternative name extension. - * gnutls-cli: on OCSP verification do not fail if we have a single valid - reply. Report and reproducer by Thomas Klute. - * libgnutls: The GNUTLS_KEYLOGFILE environment variable can be used to - log session keys in client side. These session keys are compatible with - the NSS Key Log Format and can be used to decrypt the session for - debugging using wireshark. - -- enabled guile support -- removed duplicates - -- Updated to 3.4.11 - * Version 3.4.11 (released 2016-04-11) - * * libgnutls: Fixes in gnutls_record_get/set_state() with DTLS. - Reported by Fridolin Pokorny. - * * libgnutls: Fixes in DSA key generation under PKCS #11. Report and - patches by Jan Vcelak. - * * libgnutls: Corrected behavior of ALPN extension parsing during - session resumption. Report and patches by Yuriy M. Kaminskiy. - * * libgnutls: Corrected regression (since 3.4.0) in - gnutls_server_name_set() which caused it not to accept non-null- - terminated hostnames. Reported by Tim Ruehsen. - * * libgnutls: Corrected printing of the IP Address name constraints. - * * ocsptool: use HTTP/1.0 for requests. This avoids issue with servers - serving chunk encoding which ocsptool doesn't support. Reported by - Thomas Klute. - * * certtool: do not require a CA for OCSP signing tag. This follows the - recommendations in RFC6960 in 4.2.2.2 which allow a CA to delegate - OCSP signing to another certificate without requiring it to be a CA. - Reported by Thomas Klute. - * Version 3.4.10 (released 2016-03-03) - * * libgnutls: Eliminated issues preventing buffers more than 2^32 bytes - to be used with hashing functions. - * * libgnutls: Corrected leaks and other issues in - gnutls_x509_crt_list_import().
- * * libgnutls: Fixes in DSA key handling for PKCS #11. Report and - patches by Jan Vcelak. - * * libgnutls: Several fixes to prevent relying on undefined behavior - of C (found with libubsan). - * Version 3.4.9 (released 2016-02-03) - * * libgnutls: Corrected ALPN protocol negotiation. Before GnuTLS would - negotiate the last commonly supported protocol, rather than the - first. Reported by Remi Denis-Courmont (#63). - * * libgnutls: Tolerate empty DN fields in informational output - functions. - * * libgnutls: Corrected regression caused by incorrect fix in - gnutls_x509_ext_export_key_usage() at 3.4.8 release. - -- follow the work in the unbound package and use the - libunbound-devel symbol for the buildrequires. we override it for - the distro build with libunbound-devel-mini to avoid build loops. - -- reenable dane support, require unbound-devel bsc#964346 -- split out libgnutls-dane-devel to try to avoid build cycle. - -- Update to 3.4.8 - All changes since 3.4.4: - * libgnutls: Corrected memory leak in gnutls_pubkey_import_privkey() - when used with PKCS #11 keys. - * libgnutls: For DSA and ECDSA keys in PKCS #11 objects, import - their public keys from either a public key object or a certificate. - That is, because private keys do not contain all the required - parameters for a direct import. - * libgnutls: Fixed issue when writing ECDSA private keys in PKCS #11 - tokens. - * libgnutls: Fixed out-of-bounds read in - gnutls_x509_ext_export_key_usage() - * libgnutls: The CHACHA20-POLY1305 ciphersuites were updated to - conform to draft-ietf-tls-chacha20-poly1305-02. - * libgnutls: Several fixes in PKCS #7 signing which improve - compatibility with the MacOSX tools. - * libgnutls: The max-record extension not negotiated on DTLS. This - resolves issue with the max-record being negotiated but ignored. - * certtool: Added the --p7-include-cert and --p7-show-data options. - * libgnutls: Properly require TLS 1.2 in all CBC-SHA256 and CBC-SHA384 - ciphersuites.
This solves an interoperability issue with openssl. - * libgnutls: Corrected the setting of salt size in - gnutls_pkcs12_mac_info(). - * libgnutls: On a rehandshake allow switching from anonymous to ECDHE - and DHE ciphersuites. - * libgnutls: Corrected regression from 3.3.x which prevented - ARCFOUR128 from using arbitrary key sizes. - * libgnutls: Added GNUTLS_SKIP_GLOBAL_INIT macro to allow programs - skipping the implicit global initialization. - * gnutls.pc: Don't include libtool specific options to link flags. - * tools: Better support for FTP AUTH TLS negotiation - * libgnutls: Added new simple verification functions. That avoids the - need to install a callback to perform certificate verification. See - doc/examples/ex-client-x509.c for usage. - * libgnutls: Introduced the security parameter 'future' which is at - the 256-bit level of security, and 'ultra' was aligned to its - documented size at 192-bits. - * libgnutls: When writing a certificate into a PKCS #11 token, ensure - that CKA_SERIAL_NUMBER and CKA_ISSUER are written. - * libgnutls: Allow the presence of legacy ciphers and key exchanges in - priority strings and consider them a no-op. - * libgnutls: Handle the extended master secret as a mandatory - extension. That fixes incompatibility issues with Chromium (#45). - * libgnutls: Added the ability to copy a public key into a PKCS #11 - token. - * tools: Added support for LDAP and XMPP negotiation for STARTTLS. - * p11tool: Allow writing a public key into a PKCS #11 token. - * certtool: Key generation security level was switched to HIGH. That - is, by default the tool generates 3072 bit keys for RSA and DSA. - * libgnutls: When re-importing CRLs to a trust list ensure that there - are no duplicate entries. - * certtool: Removed any arbitrary limits imposed on input file sizes - and maximum number of certificates imported. - * certtool: Allow specifying fixed dates on CRL generation.
- * gnutls-cli-debug: Added check for inappropriate fallback support - (RFC7507). - -- Update to 3.4.4 - This update contains a fix for a denial of service vulnerability: - * Allow the parsing of very long DNs. Also fixes double free - in DN decoding [GNUTLS-SA-2015-3]. boo#941794 CVE-2015-6251 - Other changes: - * Add high level API (gnutls_prf_rfc5705) to access the PRF as - specified by RFC5705. - * Link to trousers (TPM library) dynamically when this - functionality is requested. (disabled in SUSE package) - * Fix issue with server side sending the status request extension - even when not requested. - * Add support for RFC7507 by introducing the %FALLBACK_SCSV - priority string option. - * gnutls_pkcs11_privkey_generate2() will store the generated - public key, unless the GNUTLS_PKCS11_OBJ_FLAG_NO_STORE_PUBKEY - flag is specified. - * Correct regression from 3.4.3 in loading PKCS #8 keys as fallback. - * API and ABI modifications: - gnutls_prf_rfc5705: Added - gnutls_hex_encode2: Added - gnutls_hex_decode2: Added -- build with autogen for libopts compatibility -- fix failures in test suite, add upstream commits - 0001-certtool-lifted-limits-on-file-size-to-load.patch - 0002-certtool-eliminated-memory-leaks-due-to-new-cert-loa.patch - -- update to 3.4.3 - * * libgnutls: Follow closely RFC5280 recommendations and use UTCTime for - dates prior to 2050. - * * libgnutls: Force 16-byte alignment to all input to ciphers (previously it - was done only when cryptodev was enabled). - * * libgnutls: Removed support for pthread_atfork() as it has undefined - semantics when used with dlopen(), and may lead to a crash. - * * libgnutls: corrected failure when importing plain files - with gnutls_x509_privkey_import2(), and a password was provided. - * * libgnutls: Don't reject certificates if a CA has the URI or IP address - name constraints, and the end certificate doesn't have an IP address - name or a URI set. 
- * * libgnutls: set and read the hint in DHE-PSK and ECDHE-PSK ciphersuites. - * * p11tool: Added --list-token-urls option, and print the token module name - in list-tokens. - * * libgnutls: DTLS blocking API is more robust against infinite blocking, - and will notify of more possible timeouts. - * * libgnutls: corrected regression with Camellia-256-GCM cipher. Reported - by Manuel Pegourie-Gonnard. - * * libgnutls: Introduced the GNUTLS_NO_SIGNAL flag to gnutls_init(). That - allows to disable SIGPIPE for writes done within gnutls. - * * libgnutls: Enhanced the PKCS #7 API to allow signing and verification - of structures. API moved to gnutls/pkcs7.h header. - * * certtool: Added options to generate PKCS #7 bundles and signed - structures. -- includes changes from 3.4.2: - * DTLS blocking API is more robust against infinite blocking, - and will notify of more possible timeouts. - * Correct regression with Camellia-256-GCM cipher. - * Introduce the GNUTLS_NO_SIGNAL flag to gnutls_init(). That - allows to disable SIGPIPE for writes done within gnutls. - * Enhance the PKCS #7 API to allow signing and verification - of structures. Move API to gnutls/pkcs7.h header. - * certtool: Added options to generate PKCS #7 bundles and signed - structures. - -- disable testsuite run against valgrind on aarch64 - -- Updated to 3.4.1 (released 2015-05-03) - * * libgnutls: gnutls_certificate_get_ours: will return the certificate even - if a callback was used to send it. - * * libgnutls: Check for invalid length in the X.509 version field. Without - the check certificates with invalid length would be detected as having an - arbitrary version. Reported by Hanno Böck. - * * libgnutls: Handle DNS name constraints with a leading dot. Patch by - Fotis Loukos. - * * libgnutls: Updated system-keys support for windows to compile in more - versions of mingw. Patch by Tim Kosse. - * * libgnutls: Fix for MD5 downgrade in TLS 1.2 signatures. 
Reported by - Karthikeyan Bhargavan [GNUTLS-SA-2015-2]. bsc#929690 - * * libgnutls: Reverted: The gnutls_handshake() process will enforce a timeout - by default. That caused issues with non-blocking programs. - * * certtool: It can generate SHA256 key IDs. - * * gnutls-cli: fixed crash in --benchmark-ciphers. Reported by James Cloos. - * * API and ABI modifications: gnutls_x509_crt_get_pk_ecc_raw: Added -- gnutls-fix-double-mans.patch: fixed upstream - -- Disable buggy valgrind on armv7l - -- updated to 3.4.0 (released 2015-04-08) - * * libgnutls: Added support for AES-CCM and AES-CCM-8 (RFC6655 and RFC7251) - ciphersuites. The former are enabled by default, the latter need to be - explicitly enabled, since they reduce the overall security level. - * * libgnutls: Added support for Chacha20-Poly1305 ciphersuites following - draft-mavrogiannopoulos-chacha-tls-05 and draft-irtf-cfrg-chacha20-poly1305-10. - That is currently provided as technology preview and is not enabled by - default, since there are no assigned ciphersuite points by IETF and there - is no guarantee of compatibility between draft versions. The ciphersuite - priority string to enable it is "+CHACHA20-POLY1305". - * * libgnutls: Added support for encrypt-then-authenticate in CBC - ciphersuites (RFC7366 -taking into account its errata text). This is - enabled by default and can be disabled using the %NO_ETM priority - string. - * * libgnutls: Added support for the extended master secret - (triple-handshake fix) following draft-ietf-tls-session-hash-02. - * * libgnutls: Added a new simple and hard to misuse AEAD API (crypto.h). - * * libgnutls: SSL 3.0 is no longer included in the default priorities - list. It has to be explicitly enabled, e.g., with a string like - "NORMAL:+VERS-SSL3.0". - * * libgnutls: ARCFOUR (RC4) is no longer included in the default priorities - list. It has to be explicitly enabled, e.g., with a string like - "NORMAL:+ARCFOUR-128".
- * * libgnutls: DSA signatures and DHE-DSS are no longer included in the - default priorities list. They have to be explicitly enabled, e.g., with - a string like "NORMAL:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1". The - DSA ciphersuites were dropped because they had no deployment at all - on the internet, to justify their inclusion. - * * libgnutls: The priority string EXPORT was completely removed. The string - was already defunct as support for the EXPORT ciphersuites was removed in - GnuTLS 3.2.0. - * * libgnutls: Added API to utilize system specific private keys in - "gnutls/system-keys.h". It is currently provided as technology preview - and is restricted to windows CNG keys. - * * libgnutls: gnutls_x509_crt_check_hostname() and friends will use - RFC6125 comparison of hostnames. That introduces a dependency on libidn. - * * libgnutls: Depend on p11-kit 0.23.1 to comply with the final - PKCS #11 URLs draft (draft-pechanec-pkcs11uri-21). - * * libgnutls: Depend on nettle 3.1. - * * libgnutls: Use getrandom() or getentropy() when available. That - avoids the complexity of file descriptor handling and issues with - applications closing all open file descriptors on startup. - * * libgnutls: Use pthread_atfork() to detect fork when available. - * * libgnutls: The gnutls_handshake() process will enforce a timeout by - default. - * * libgnutls: If a key purpose (extended key usage) is specified for verification, - it is applied into intermediate certificates. The verification result - GNUTLS_CERT_PURPOSE_MISMATCH is also introduced. - * * libgnutls: When gnutls_certificate_set_x509_key_file2() is used in - combination with PKCS #11, or TPM URLs, it will utilize the provided - password as PIN if required. That removes the requirement for the - application to set a callback for PINs in that case.
- * * libgnutls: priority strings VERS-TLS-ALL and VERS-DTLS-ALL are - restricted to the corresponding protocols only, and the VERS-ALL - string is introduced to catch all possible protocols. - * * libgnutls: Added helper functions to obtain information on PKCS #8 - structures. - * * libgnutls: Certificate chains which are provided to gnutls_certificate_credentials_t - will automatically be sorted instead of failing with GNUTLS_E_CERTIFICATE_LIST_UNSORTED. - * * libgnutls: Added functions to export and set the record state. That - allows for gnutls_record_send() and recv() to be offloaded (to kernel, - hardware or any other subsystem). - * * libgnutls: Added the ability to register application specific URL - types, which express certificates and keys using gnutls_register_custom_url(). - * * libgnutls: Added API to override existing ciphers, digests and MACs, e.g., - to override AES-GCM using a system-specific accelerator. That is, (crypto.h) - gnutls_crypto_register_cipher(), gnutls_crypto_register_aead_cipher(), - gnutls_crypto_register_mac(), and gnutls_crypto_register_digest(). - * * libgnutls: Added gnutls_ext_register() to register custom extensions. - Contributed by Thierry Quemerais. - * * libgnutls: Added gnutls_supplemental_register() to register custom - supplemental data handshake messages. Contributed by Thierry Quemerais. - * * libgnutls-openssl: it is no longer built by default. - * * certtool: Added --p8-info option, which will print PKCS #8 information - even if the password is not available. - * * certtool: --key-info option will print PKCS #8 encryption information - when available. - * * certtool: Added the --key-id and --fingerprint options. - * * certtool: Added the --verify-hostname, --verify-email and --verify-purpose - options to be used in certificate chain verification, to simulate verification - for specific hostname and key purpose (extended key usage). 
- * * certtool: --p12-info option will print PKCS #12 MAC and cipher information - when available. - * * certtool: it will print the A-label (ACE) names in addition to UTF-8. - * * p11tool: added options --set-id and --set-label. - * * gnutls-cli: added options --priority-list and --save-cert. - * * guile: Deprecated priority API has been removed. The old priority API, - which had been deprecated for some time, is now gone; use 'set-session-priorities!' - instead. - * * guile: Remove RSA parameters and related procedures. This API had been - deprecated. - * * guile: Fix compilation on MinGW. Previously only the static version of the - 'guile-gnutls-v-2' library would be built, preventing dynamic loading from Guile. - -- updated to 3.3.13 (released 2015-03-30) - * * libgnutls: When retrieving OCTET STRINGS from PKCS #12 ContentInfo - structures use BER to decode them (requires libtasn1 4.3). That allows - to decode some more complex structures. - * * libgnutls: When an end-certificate with no name is present and there - are CA name constraints, don't reject the certificate. This follows RFC5280 - advice closely. Reported by Fotis Loukos. - * * libgnutls: Fixed handling of supplemental data with types > 255. - Patch by Thierry Quemerais. - * * libgnutls: Fixed double free in the parsing of CRL distribution points certificate - extension. Reported by Robert Święcki. - * * libgnutls: Fixed a two-byte stack overflow in DTLS 0.9 protocol. That - protocol is not enabled by default (used by openconnect VPN). - * * libgnutls: The maximum user data send size is set to be the same for - block and non-block ciphersuites. This addresses a regression with wine: - https://bugs.winehq.org/show_bug.cgi?id=37500 - * * libgnutls: When generating PKCS #11 keys, set CKA_ID, CKA_SIGN, - and CKA_DECRYPT when needed. - * * libgnutls: Allow names with zero size to be set using - gnutls_server_name_set(). That will disable the Server Name Indication. 
- Resolves issue with wine: https://gitlab.com/gnutls/gnutls/issues/2 -- new main library major version .so.30 -- requires new libnettle >= 3.1, p11-kit-devel >= 0.23.1 -- Now need to configure --enable-openssl-compatibility (might go away) -- added gnutls-fix-double-mans.patch: avoid double installing manpages -- dropped gnutls-3.0.26-skip-test-fwrite.patch: does not seem to be needed - anymore -- install_info_delete moved from %postun to %preun - -- for DANE support, use bcond_with -- for tpm support, same -- note p11-kit >= 0.20.7 requirement -- note libtasn1 3.9 requirement (built-in lib used otherwise) - -- disable trousers and unbound again for now, as it causes too long - build cycles. - -- added unbound-devel (for DANE) and trousers-devel (for TPM support) -- removed now upstreamed gnutls-implement-trust-store-dir-3.2.8.diff -- libgnutls-dane0 new library added -- updated to 3.3.13 (released 2015-02-25) - * * libgnutls: Enable AESNI in GCM on x86 - * * libgnutls: Fixes in DTLS message handling - * * libgnutls: Check certificate algorithm consistency, i.e., - check whether the signatureAlgorithm field matches the signature - field inside TBSCertificate. - * * gnutls-cli: Fixes in OCSP verification. -- Version 3.3.12 (released 2015-01-17) - * * libgnutls: When negotiating TLS use the lowest enabled version in - the client hello, rather than the lowest supported. In addition, do - not use SSL 3.0 as a version in the TLS record layer, unless SSL 3.0 - is the only protocol supported. That addresses issues with servers that - immediately drop the connection when they encounter SSL 3.0 as the record - version number. See: - http://lists.gnutls.org/pipermail/gnutls-help/2014-November/003673.html - * * libgnutls: Corrected encoding and decoding of ANSI X9.62 parameters. - * * libgnutls: Handle zero length plaintext for VIA PadLock functions. - This solves a potential crash on AES encryption for small size plaintext. - Patch by Matthias-Christian Ott.
- * * libgnutls: In DTLS don't combine multiple packets which exceed MTU. - Reported by Andreas Schultz. https://savannah.gnu.org/support/?108715 - * * libgnutls: In DTLS decode all handshake packets present in a record - packet, in a single pass. Reported by Andreas Schultz. - https://savannah.gnu.org/support/?108712 - * * libgnutls: When importing a CA file with a PKCS #11 URL, simply - import the certificates, if the URL specifies objects, rather than - treating it as trust module. - * * libgnutls: When importing a PKCS #11 URL and we know the type of - object we are importing, don't require the object type in the URL. - * * libgnutls: fixed openpgp authentication when gnutls_certificate_set_retrieve_function2 - was used by the server. - * * certtool: --pubkey-info will also attempt to load a public key from stdin. - * * gnutls-cli: Added --starttls-proto option. That allows to specify a - protocol for starttls negotiation. -- Version 3.3.11 (released 2014-12-11) - * * libgnutls: Corrected regression introduced in 3.3.9 related to - session renegotiation. Reported by Dan Winship. - * * libgnutls: Corrected parsing issue with OCSP responses. -- Version 3.3.10 (released 2014-11-10) - * * libgnutls: Refuse to import v1 or v2 certificates that contain - extensions. - * * libgnutls: Fixes in usage of PKCS #11 token callback - * * libgnutls: Fixed bug in gnutls_x509_trust_list_get_issuer() when used - with a PKCS #11 trust module and without the GNUTLS_TL_GET_COPY flag. - Reported by David Woodhouse. - * * libgnutls: Removed superfluous random generator refresh on every call - of gnutls_deinit(). That reduces load and usage of /dev/urandom. - * * libgnutls: Corrected issue in export of ECC parameters to X9.63 format. - Reported by Sean Burford [GNUTLS-SA-2014-5]. - * * libgnutls: When gnutls_global_init() is called for a second time, it - will check whether the /dev/urandom fd kept is still open and matches - the original one. 
That behavior works around issues with servers that - close all file descriptors. - * * libgnutls: Corrected behavior with PKCS #11 objects that are marked - as CKA_ALWAYS_AUTHENTICATE. - * * certtool: The default cipher for PKCS #12 structures is 3des-pkcs12. - That option is more compatible than AES or RC4. -- Version 3.3.9 (released 2014-10-13) - * * libgnutls: Fixes in the transparent import of PKCS #11 certificates. - Reported by Joseph Peruski. - * * libgnutls: Fixed issue with unexpected non-fatal errors resetting the - handshake's hash buffer, in applications using the heartbeat extension - or DTLS. Reported by Joeri de Ruiter. - * * libgnutls: When both a trust module and additional CAs are present - account the latter as well; reported by David Woodhouse. - * * libgnutls: added GNUTLS_TL_GET_COPY flag for - gnutls_x509_trust_list_get_issuer(). That allows the function to be used - in a thread safe way when PKCS #11 trust modules are in use. - * * libgnutls: fix issue in DTLS retransmission when session tickets - were in use; reported by Manuel Pégourié-Gonnard. - * * libgnutls-dane: Do not require the CA on a ca match to be direct CA. - * * libgnutls: Prevent abort() in library if getrusage() fails. Try to - detect instead which of RUSAGE_THREAD and RUSAGE_SELF would work. - * * guile: new 'set-session-server-name!' procedure; see the manual for - details. - * * certtool: The authority key identifier will be set in a certificate only - if the CA's subject key identifier is set. -- Version 3.3.8 (released 2014-09-18) - * * libgnutls: Updates in the name constraints checks. No name constraints - will be checked for intermediate certificates. As our support for name - constraints is limited to e-mail addresses in DNS names, it is pointless - to check them on intermediate certificates. - * * libgnutls: Fixed issues in PKCS #11 object listing. Previously multiple - object listing would fail completely if a single object could not be exported. 
- * * libgnutls: Improved the performance of PKCS #11 object listing/retrieving, - by retrieving them in large batches. Report and suggestion by David - Woodhouse. - * * libgnutls: Fixed issue with certificates being sanitized by gnutls prior - to signature verification. That resulted to certain non-DER compliant modifications - of valid certificates, being corrected by libtasn1's parser and restructured as - the original. Issue found and reported by Antti Karjalainen and Matti Kamunen from - Codenomicon. - * * libgnutls: Fixes in gnutls_x509_crt_set_dn() and friends to properly handle - strings with embedded spaces and escaped commas. - * * libgnutls: when comparing a CA certificate with the trusted list compare - the name and key only instead of the whole certificate. That is to handle - cases where a CA certificate was superseded by a different one with the same - name and the same key. - * * libgnutls: when verifying a certificate against a p11-kit trusted - module, use the attached extensions in the module to override the CA's - extensions (that requires p11-kit 0.20.7). - * * libgnutls: In DTLS prevent sending zero-size fragments in certain cases - of MTU split. Reported by Manuel Pégourié-Gonnard. - * * libgnutls: Added gnutls_x509_trust_list_verify_crt2() which allows - verifying using a hostname and a purpose (extended key usage). That - enhances PKCS #11 trust module verification, as it can now check the purpose - when this function is used. - * * libgnutls: Corrected gnutls_x509_crl_verify() which would always report - a CRL signature as invalid. Reported by Armin Burgmeier. - * * libgnutls: added option --disable-padlock to allow disabling the padlock - CPU acceleration. - * * p11tool: when listing tokens, list their type as well. - * * p11tool: when listing objects from a trust module print any attached - extensions on certificates.
-- Version 3.3.7 (released 2014-08-24) - * * libgnutls: Added function to export the public key of a PKCS #11 - private key. Contributed by Wolfgang Meyer zu Bergsten. - * * libgnutls: Explicitly set the exponent in PKCS #11 key generation. - That improves compatibility with certain PKCS #11 modules. Contributed by - Wolfgang Meyer zu Bergsten. - * * libgnutls: When generating a PKCS #11 private key allow setting - the WRAP/UNWRAP flags. Contributed by Wolfgang Meyer zu Bergsten. - * * libgnutls: gnutls_pkcs11_privkey_t will always hold an open session - to the key. - * * libgnutls: bundle replacements of inet_pton and inet_aton if not - available. - * * libgnutls: initialize parameters variable on PKCS #8 decryption. - * * libgnutls: gnutls_pkcs12_verify_mac() will not fail in other than SHA1 - algorithms. - * * libgnutls: gnutls_x509_crt_check_hostname() will follow the RFC6125 - requirement of checking the Common Name (CN) part of DN only if there is - a single CN present in the certificate. - * * libgnutls: The environment variable GNUTLS_FORCE_FIPS_MODE can be used - to force the FIPS mode, when set to 1. - * * libgnutls: In DTLS ignore only errors that relate to unexpected packets - and decryption failures. - * * p11tool: Added --info parameter. - * * certtool: Added --mark-wrap parameter. - * * danetool: --check will attempt to retrieve the server's certificate - chain and verify against it. - * * danetool/gnutls-cli-debug: Added --app-proto parameters which can - be used to enforce starttls (currently only SMTP and IMAP) on the connection. - * * danetool: Added openssl linking exception, to allow linking - with libunbound. -- Version 3.3.6 (released 2014-07-23) - * * libgnutls: Use inet_ntop to print IP addresses when available - * * libgnutls: gnutls_x509_crt_check_hostname and friends will also check - IP addresses, and match documented behavior. Reported by David Woodhouse. 
- * * libgnutls: DSA key generation in FIPS140-2 mode doesn't allow 1024 - bit parameters. - * * libgnutls: fixed issue in gnutls_pkcs11_reinit() which prevented tokens - being usable after a reinitialization. - * * libgnutls: fixed PKCS #11 private key operations after a fork. - * * libgnutls: fixed PKCS #11 ECDSA key generation. - * * libgnutls: The GNUTLS_CPUID_OVERRIDE environment variable can be used to - explicitly enable/disable the use of certain CPU capabilities. Note that CPU - detection cannot be overridden, i.e., VIA options cannot be enabled on an Intel - CPU. The currently available options are: - 0x1: Disable all run-time detected optimizations - 0x2: Enable AES-NI - 0x4: Enable SSSE3 - 0x8: Enable PCLMUL - 0x100000: Enable VIA padlock - 0x200000: Enable VIA PHE - 0x400000: Enable VIA PHE SHA512 - * * libdane: added dane_query_to_raw_tlsa(); patch by Simon Arlott. - * * p11tool: use GNUTLS_SO_PIN to read the security officer's PIN if set. - * * p11tool: ask for label when one isn't provided. - * * p11tool: added --batch parameter to disable any interactivity. - * * p11tool: will not implicitly enable so-login for certain types of - objects. That avoids issues with tokens that require different login - types. - * * certtool/p11tool: Added the --curve parameter which allows to explicitly - specify the curve to use. -- Version 3.3.5 (released 2014-06-26) - * * libgnutls: Added gnutls_record_recv_packet() and gnutls_packet_deinit(). - These functions provide a variant of gnutls_record_recv() that avoids - the final memcpy of data. - * * libgnutls: gnutls_x509_crl_iter_crt_serial() was added as a - faster variant of gnutls_x509_crl_get_crt_serial() when coping with - very large structures. - * * libgnutls: When the decoding of a printable DN element fails, then treat - it as unknown and print its hex value rather than failing. That works around - an issue in a TURKTRST root certificate which improperly encodes the - X520countryName element.
- * * libgnutls: gnutls_x509_trust_list_add_trust_file() will return the number - of certificates present in a PKCS #11 token when loading it. - * * libgnutls: Allow the post client hello callback to put the handshake on - hold, by returning GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED. - * * certtool: option --to-p12 will now consider --load-ca-certificate - * * certtool: Added option to specify the PKCS #12 friendly name on command line. - * * p11tool: Allow marking a certificate copied to a token as a CA. -- Version 3.3.4 (released 2014-05-31) - * * libgnutls: Updated Andy Polyakov's assembly code. That prevents a - crash on certain CPUs. -- Version 3.3.3 (released 2014-05-30) - * * libgnutls: Eliminated memory corruption issue in Server Hello parsing. - Issue reported by Joonas Kuorilehto of Codenomicon. - * * libgnutls: gnutls_global_set_mutex() was modified to operate with the - new initialization process. - * * libgnutls: Increased the maximum certificate size buffer - in the PKCS #11 subsystem. - * * libgnutls: Check the return code of getpwuid_r() instead of relying - on the result value. That avoids issue in certain systems, when using - tofu authentication and the home path cannot be determined. Issue reported - by Viktor Dukhovni. - * * libgnutls-dane: Improved dane_verify_session_crt(), which now attempts to - create a full chain. This addresses points from https://savannah.gnu.org/support/index.php?108552 - * * gnutls-cli: --dane will only check the end certificate if PKIX validation - has been disabled. - * * gnutls-cli: --benchmark-soft-ciphers has been removed. That option cannot - be emulated with the implicit initialization of gnutls. - * * certtool: Allow multiple organizations and organizational unit names to - be specified in a template. - * * certtool: Warn when invalid configuration options are set to a template. - * * ocsptool: Include path in ocsp request.
This resolves #108582 - (https://savannah.gnu.org/support/?108582), reported by Matt McCutchen. -- Version 3.3.2 (released 2014-05-06) - * * libgnutls: Added the 'very weak' certificate verification profile - that corresponds to 64-bit security level. - * * libgnutls: Corrected file descriptor leak on random generator - initialization. - * * libgnutls: Corrected file descriptor leak on PSK password file - reading. Issue identified using the Codenomicon TLS test suite. - * * libgnutls: Avoid deinitialization if initialization has failed. - * * libgnutls: null-terminate othername alternative names. - * * libgnutls: gnutls_x509_trust_list_get_issuer() will operate correctly - on a PKCS #11 trust list. - * * libgnutls: Several small bug fixes identified using valgrind and - the Codenomicon TLS test suite. - * * libgnutls-dane: Accept a certificate using DANE if there is at least one - entry that matches the certificate. Patch by simon [at] arlott.org. - * * libgnutls-guile: Fixed compilation issue. - * * certtool: Allow exporting a CRL on DER format. - * * certtool: The ECDSA keys generated by default use the SECP256R1 curve - which is supported more widely than the previously used SECP224R1. -- Version 3.3.1 (released 2014-04-19) - * * libgnutls: Enforce more strict checks to heartbeat messages - concerning padding and payload. Suggested by Peter Dettman. - * * libgnutls: Allow decoding PKCS #8 files with ECC parameters - from openssl. - * * libgnutls: Several small bug fixes found by coverity. - * * libgnutls: The conditionally available self-test functions - were moved to self-test.h. - * * libgnutls: Fixed issue with the check of incoming data when two - different recv and send pointers have been specified. Reported and - investigated by JMRecio. - * * libgnutls: Fixed issue in the RSA-PSK key exchange, which would - result to illegal memory access if a server hint was provided. Reported - by André Klitzing. 
- * * libgnutls: Fixed client memory leak in the PSK key exchange, if a - server hint was provided. - * * libgnutls: Corrected the *get_*_othername_oid() functions. -- Version 3.3.0 (released 2014-04-10) - * * libgnutls: The initialization of the library was moved to a - constructor. That is, gnutls_global_init() is no longer required - unless linking with a static library or a system that does not - support library constructors. - * * libgnutls: static libraries are not built by default. - * * libgnutls: PKCS #11 initialization is delayed to first usage. - That avoids long delays in gnutls initialization due to broken PKCS #11 - modules. - * * libgnutls: The PKCS #11 subsystem is re-initialized "automatically" - on the first PKCS #11 API call after a fork. - * * libgnutls: certificate verification profiles were introduced - that can be specified as flags to verification functions. They - are enumerations in gnutls_certificate_verification_profiles_t - and can be converted to flags for use in a verification function - using GNUTLS_PROFILE_TO_VFLAGS(). - * * libgnutls: Added the ability to read system-specific initial - keywords, if they are prefixed with '@'. That allows a compile-time - specified configuration file to be used to read pre-configured priority - strings from. That can be used to impose system specific policies. - * * libgnutls: Increased the default security level of priority - strings (NORMAL and PFS strings require at minimum a 1008 DH prime), - and set a verification profile by default. The LEGACY keyword is - introduced to set the old defaults. - * * libgnutls: Added support for the name constraints PKIX extension. - Currently only DNS names and e-mails are supported (no URIs, IPs - or DNs). - * * libgnutls: Security parameter SEC_PARAM_NORMAL was renamed to - SEC_PARAM_MEDIUM to avoid confusion with the priority string NORMAL. - * * libgnutls: Added new API in x509-ext.h to handle X.509 extensions. 
- This API handles the X.509 extensions in isolation, allowing to parse - similarly formatted extensions stored in other structures. - * * libgnutls: When generating DSA keys the macro GNUTLS_SUBGROUP_TO_BITS - can be used to specify a particular subgroup as the number of bits in - gnutls_privkey_generate; e.g., GNUTLS_SUBGROUP_TO_BITS(2048, 256). - * * libgnutls: DH parameter generation is now delegated to nettle. - That unfortunately has the side-effect that DH parameters longer than - 3072 bits, cannot be generated (not without a nettle update). - * * libgnutls: Separated nonce RNG from the main RNG. The nonce - random number generator is based on salsa20/12. - * * libgnutls: The buffer alignment provided to crypto backend is - enforced to be 16-byte aligned, when compiled with cryptodev - support. That allows certain cryptodev drivers to operate more - efficiently. - * * libgnutls: Return error when a public/private key pair that doesn't - match is set into a credentials structure. - * * libgnutls: Depend on p11-kit 0.20.0 or later. - * * libgnutls: The new padding (%NEW_PADDING) experimental TLS extension has - been removed. It was not approved by IETF. - * * libgnutls: The experimental xssl library is removed from the gnutls - distribution. - * * libgnutls: Reduced the number of gnulib modules used in the main library. - * * libgnutls: Added priority string %DISABLE_WILDCARDS. - * * libgnutls: Added the more extensible verification function - gnutls_certificate_verify_peers(), that allows checking, in addition - to a peer's DNS hostname, for the key purpose of the end certificate - (via PKIX extended key usage). - * * certtool: Timestamps for serial numbers were increased to 8 bytes, - and in batch mode to 12 (appended with 4 random bytes). - * * certtool: When no CRL number is provided (or value set to -1), then - a time-based number will be used, similarly to the serial generation - number in certificates. 
- * * certtool: Print the SHA256 fingerprint of a certificate in addition - to SHA1. - * * libgnutls: Added --enable-fips140-mode configuration option (unsupported). - That option enables (when running on FIPS140-enabled system): - o RSA, DSA and DH key generation as in FIPS-186-4 (using provable primes) - o The DRBG-CTR-AES256 deterministic random generator from SP800-90A. - o Self-tests on initialization on ciphers/MACs, public key algorithms - and the random generator. - o HMAC-SHA256 verification of the library on load. - o MD5 is included for TLS purposes but cannot be used by the high level - hashing functions. - o All ciphers except AES are disabled. - o All MACs and hashes except GCM and SHA are disabled (e.g., HMAC-MD5). - o All keys (temporal and long term) are zeroized after use. - o Security levels are adjusted to the FIPS140-2 recommendations (rather - than ECRYPT). - -- build with PIE for commandline tools - -- Updated to 3.2.21 (released 2014-12-11) - - libgnutls: Corrected regression introduced in 3.2.19 related to - session renegotiation. Reported by Dan Winship. - - libgnutls: Corrected parsing issue with OCSP responses. - -- Updated to 3.2.20 (released 2014-11-10) - * * libgnutls: Removed superfluous random generator refresh on every - call of gnutls_deinit(). That reduces load and usage of /dev/urandom. - * * libgnutls: Corrected issue in export of ECC parameters to X9.63 - format. Reported by Sean Burford [GNUTLS-SA-2014-5]. - (CVE-2014-8564 bnc#904603) -- Updated to 3.2.19 (released 2014-10-13) - * * libgnutls: Fixes in the transparent import of PKCS #11 certificates. - Reported by Joseph Peruski. - * * libgnutls: Fixed issue with unexpected non-fatal errors resetting the - handshake's hash buffer, in applications using the heartbeat extension - or DTLS. Reported by Joeri de Ruiter. - * * libgnutls: fix issue in DTLS retransmission when session tickets were - in use; reported by Manuel Pégourié-Gonnard. 
- * * libgnutls: Prevent abort() in library if getrusage() fails. Try to - detect instead which of RUSAGE_THREAD and RUSAGE_SELF would work. - * * guile: new 'set-session-server-name!' procedure; see the manual - for details. - grub2 +- Support grub2-install on LUKS2 encrypted device + * 0001-devmapper-getroot-Have-devmapper-recognize-LUKS2.patch + * 0002-devmapper-getroot-Set-up-cheated-LUKS2-cryptodisk-mo.patch + * 0003-disk-cryptodisk-When-cheatmounting-use-the-sector-in.patch + +- Security fixes and hardenings + * 0001-font-Reject-glyphs-exceeds-font-max_glyph_width-or-f.patch + * 0002-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch +- Fix CVE-2022-2601 (bsc#1205178) + * 0003-font-Fix-several-integer-overflows-in-grub_font_cons.patch + * 0004-font-Remove-grub_font_dup_glyph.patch + * 0005-font-Fix-integer-overflow-in-ensure_comb_space.patch + * 0006-font-Fix-integer-overflow-in-BMP-index.patch + * 0007-font-Fix-integer-underflow-in-binary-search-of-char-.patch + * 0008-fbutil-Fix-integer-overflow.patch +- Fix CVE-2022-3775 (bsc#1205182) + * 0009-font-Fix-an-integer-underflow-in-blit_comb.patch + * 0010-font-Harden-grub_font_blit_glyph-and-grub_font_blit_.patch + * 0011-font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch + * 0012-normal-charset-Fix-an-integer-overflow-in-grub_unico.patch +- Bump upstream SBAT generation to 3 + hugin +- Add xdg-data.patch: fixes bsc#1204546 + +- fixed on flann side by Stefan Brüns +- deleted patches + - hugin-flann-lz4.patch (not needed) + +- require liblz4-devel temporarily for build, it should be required + by flann-devel +- added patches + workaround, lz4 is not returned by pkg_check_modules(), hardcode it now + + hugin-flann-lz4.patch + +- switch source url to https + hwdata +- update to 0.363: + + Updated pci, usb and vendor ids. + +- update to 0.362: + + Updated pci, usb and vendor ids. + +- update to 0.361: + + Updated pci, usb and vendor ids. 
+ intel-media-driver +- needed for jira#PED-1174 (Video decoding/encoding support + (VA-API, ...) for Intel GPUs is outside of Mesa) + +- Update to version 2.6.1 + * Revert "[Decode] Legacy MI interface removal" +- specfile cleanup +- updated Supplements + +- Update to version 2.6.0: + * Revert "[Decode] Virtual Node Assign Policy Optimization" +- Code changes from version 2.5.4: + * Enabled Memory Decompression for ADLS and ADLN. + * Fixed MPEG2 decode crash issue. + * Fixed AV1 decode film grain hang issue. + * Fixed color fill corruption issue. + * Fixed first VPP operation color artifacts. + * Enhanced I420 and UYVY format support in creating surface and derive image. + * Fixed aux table l2 page fault +- Remove u_libva-2.16.0.patch + +- adding _constraints in the hope to reserve enough disk space; + trying with 7GB for now ... + +- u_libva-2.16.0.patch + * fixes build against libva 2.16.0 + * culprit: https://github.com/intel/libva/commit/8682f9e30f2fabf2ccc6f7609db035ed1af44703 + +- No code changes +- Update to version 22.4.4 was part of Intel oneVPL GPU Runtime + 2022Q2 Release 22.4.4 + +- updated supplements.inc + +- Update to version 22.4.4: + * Enabled HDR10 and HVS support + * Added RPL-P platform enabling + * Added HDR10 capability report + +- disabling Werror from build no longer needed; therefore commented + out this sed line for now ... 
+ +- Update to version 22.4.2: + * [Encode] AVC RC mode - Implement abs QP map (MBQP) and CQP QP + - Enable abs QP map mode caps + - Implement programming for abs QP map mode +- removed no longer needed Werror-initialize-in-right-order.patch + +- Update to version 22.1.1: + * New Features and Enhancement: + - Enabled Alchemist/ATS-M platform decoding and video + processing features + - Added ADL-N platform support + - Enhanced AV1 decoding robustness for error clips handling + - Added vaCopy caps reporting + - Enabled GPU copy for small resolution in vaMap/unMap + - Optimized GetImage perf for NV12 format + - Added HEVC sub-features caps reporting + - Improved compatibility by disabling compression when creating + surface + - Improved debuggability by enabling OCA support + * Bugs fixed: + - Fixed multiple layer composition corruption issue + - Fixed OCA stability issue in multi-thread scenario + - Fixed render copy mem leak + +- Update to version 21.3.5: + * Enabled vaCopy by GPU HW + * Added 0YUV decode output format support + irqbalance +- add irqbalance-systemd-netlink.patch (related to bsc#1205308) + +- update to 1.9.2: + * avoid coredump on build_one_dev_entry() + * avoid double free on deinit_thermal() + * change the log level in thermal.c + * fix a minor typo +- drop Avoid-double-free-on-deinit_thermal.patch, uninitialized.patch: (upstream) + issue-generator +- Update to version 1.13 + - SELinux: Do not call agetty --reload [bsc#1186178] + +- Update to version 1.12 + - Update manual page + - Use python3 instead of python 2.x + +- Update to version 1.11 + - Don't display issue.d/*.issue files, agetty will do that [bsc#1177891] + - Ignore /run/issue.d in issue-generator.path, else issue-generator will + be called too fast too often [bsc#1177865] + - Ignore *.bak, *~ and *.rpm* files [bsc#1118862] + +- Handle the .path unit in scriptlets as well + +- Update to version 1.10 + - Display wlan interfaces [bsc#1169070] + +- Update to version 1.9 + - Fix path for 
systemd files + +- Update to version 1.8 + - Handle network interface renames + java-11-openjdk +- Update to upstream tag jdk-11.0.17+8 (October 2022 CPU) + * Security fixes: + + JDK-8289366, bsc#1204480, CVE-2022-39399: Improve HTTP/2 + client usage + + JDK-8288508: Enhance ECDSA usage + + JDK-8286918, bsc#1204472, CVE-2022-21628: Better HttpServer + service + + JDK-8287446, bsc#1204475, CVE-2022-21624: Enhance icon + presentations + + JDK-8286910: Improve JNDI lookups + + JDK-8286511: Improve macro allocation + + JDK-8286526, bsc#1204473, CVE-2022-21619: Improve NTLM support + + JDK-8286533, bsc#1204471, CVE-2022-21626: Key X509 usages + + JDK-8286077, bsc#1204468, CVE-2022-21618: Wider MultiByte + conversions + + JDK-8286519: Better memory handling + + JDK-8285662: Better permission resolution + + JDK-8282252: Improve BigInteger/Decimal validation + + JDK-8289853: Update HarfBuzz to 4.4.1 + + JDK-8290334: Update FreeType to 2.12.1 + + JDK-8293429: [11u] minor update in attribute style + * Other fixes: + + JDK-6606767: resexhausted00[34] fail + assert(!thread->owns_locks(), "must release all locks when + leaving VM") + + JDK-6854300: [TEST_BUG] java/awt/event/MouseEvent/ + /SpuriousExitEnter/SpuriousExitEnter_3.java fails in jdk6u14 + & jdk7 + + JDK-7131823: bug in GIFImageReader + + JDK-8017175: [TESTBUG] javax/swing/JPopupMenu/4634626/ + /bug4634626.java sometimes failed on mac + + JDK-8028265: Add legacy tz tests to OpenJDK + + JDK-8069343: Improve gc/g1/TestHumongousCodeCacheRoots.java + to use jtreg @requires + + JDK-8139348: Deprecate 3DES and RC4 in Kerberos + + JDK-8159694: HiDPI, Unity, + java/awt/dnd/DropTargetEnterExitTest/MissedDragExitTest.java + + JDK-8164804: sun/security/ssl/SSLSocketImpl/CloseSocket.java + makes not reliable time assumption + + JDK-8169468: NoResizeEventOnDMChangeTest.java fails because + FS Window didn't receive all resizes! 
+ + JDK-8172065: javax/swing/JTree/4908142/bug4908142.java The + selected index should be "aad" + + JDK-8183372: Refactor java/lang/Class shell tests to java + + JDK-8186143: keytool -ext option doesn't accept wildcards for + DNS subject alternative names + + JDK-8193462: Fix Filer handling of package-info initial + elements + + JDK-8203277: preflow visitor used during lambda attribution + shouldn't visit class definitions inside the lambda body + + JDK-8208471: nsk/jdb/unwatch/unwatch002/unwatch002.java fails + with "Prompt is not received during 300200 milliseconds" + + JDK-8209052: Low contrast in docs/api/constant-values.html + + JDK-8209736: runtime/RedefineTests/ModifyAnonymous.java fails + with NullPointerException when running in CDS mode + + JDK-8210107: vmTestbase/nsk/stress/network tests fail with + Cannot assign requested address (Bind failed) + + JDK-8210722: JAXP Tests: CatalogSupport2 and CatalogSupport3 + generate incorrect messages upon failure + + JDK-8210960: Allow --with-boot-jdk-jvmargs to work during + configure + + JDK-8212904: JTextArea line wrapping incorrect when using UI + scale + + JDK-8213695: gc/TestAllocateHeapAtMultiple.java is slow in + some configs + + JDK-8214078: (fs) SecureDirectoryStream not supported on arm32 + + JDK-8214427: probable bug in logic of + ConcurrentHashMap.addCount() + + JDK-8215291: Broken links when generating from project + without modules + + JDK-8217170: gc/arguments/TestUseCompressedOopsErgo.java + timed out + + JDK-8217332: JTREG: Clean up, use generics instead of raw + types + + JDK-8218128: vmTestbase/nsk/jvmti/ResourceExhausted/ + /resexhausted003 and 004 use wrong path to test classes + + JDK-8218413: make reconfigure ignores configure-time AUTOCONF + environment variable + + JDK-8219074: [TESTBUG] runtime/containers/docker/ + /TestCPUAwareness.java typo of printing parameters (period + should be shares) + + JDK-8219149: ProcessTools.ProcessBuilder should print timing + info for subprocesses + + 
JDK-8220744: [TESTBUG] Move RedefineTests from runtime to + serviceability + + JDK-8221871: javadoc should not set role=region on
+ elements + + JDK-8221907: make reconfigure breaks when configured with + relative paths + + JDK-8223543: [TESTBUG] Regression test java/awt/Graphics2D/ + /DrawString/LCDTextSrcEa.java has issues + + JDK-8223575: add subspace transitions to gc+metaspace=info + log lines + + JDK-8225122: Test AncestorResized.java fails when Windows + desktop is scaled. + + JDK-8226976: SessionTimeOutTests uses == operator for String + value check + + JDK-8230708: Hotspot fails to build on linux-sparc with gcc-9 + + JDK-8233712: Limit default tests jobs based on ulimit -u + setting + + JDK-8235870: C2 crashes in + IdealLoopTree::est_loop_flow_merge_sz() + + JDK-8236490: Compiler bug relating to @NonNull annotation + + JDK-8236823: Ensure that API documentation uses minified + libraries + + JDK-8238203: Return value of GetUserDefaultUILanguage() + should be handled as LANGID + + JDK-8238268: Many SA tests are not running on OSX because + they do not attempt to use sudo when available + + JDK-8238196: tests that use SA Attach should not be allowed + to run against signed binaries on Mac OS X 10.14.5 and later + + JDK-8238586: [TESTBUG] vmTestbase/jit/tiered/Test.java failed + when TieredCompilation is disabled + + JDK-8239265: JFR: Test cleanup of jdk.jfr.api.consumer package + + JDK-8239379: ProblemList + serviceability/sa/sadebugd/DebugdConnectTest.java on OSX + + JDK-8271512: ProblemList serviceability/sa/sadebugd/ + /DebugdConnectTest.java due to 8270326 + + JDK-8239423: jdk/jfr/jvm/TestJFRIntrinsic.java failed with + - XX:-TieredCompilation + + JDK-8239902: [macos] Remove direct usage of JSlider, + JProgressBar classes in CAccessible class + + JDK-8240903: Add test to check that jmod hashes are + reproducible + + JDK-8242188: error in jtreg test jdk/jfr/api/consumer/ + /TestRecordedFrame.java on linux-aarch64 + + JDK-8247546: Pattern matching does not skip correctly over + supplementary characters + + JDK-8247907: XMLDsig logging does not work + + JDK-8247964: All log0() in + 
com/sun/org/slf4j/internal/Logger.java should be private + + JDK-8249623: test @ignore-d due to 7013634 should be returned + back to execution + + JDK-8251152: ARM32: jtreg c2 Test8202414 test crash + + JDK-8251551: Use .md filename extension for README + + JDK-8252145: Unify Info.plist files with correct version + strings + + JDK-8253829: Wrong length compared in SSPI bridge + + JDK-8253916: ResourceExhausted/resexhausted001 crashes on + Linux-x64 + + JDK-8254178: Remove .hgignore + + JDK-8254318: Remove .hgtags + + JDK-8255724: [XRender] the BlitRotateClippedArea test fails + on Linux in the XR pipeline + + JDK-8255729: com.sun.tools.javac.processing.JavacFiler + .FilerOutputStream is inefficient + + JDK-8257623: vmTestbase/nsk/jvmti/ResourceExhausted/ + /resexhausted001/TestDescription.java shouldn't use timeout + + JDK-8258946: Fix optimization-unstable code involving signed + integer overflow + + JDK-8261160: Add a deserialization JFR event + + JDK-8262085: Hovering Metal HTML Tooltips in different + windows cause IllegalArgExc on Linux + + JDK-8264400: (fs) WindowsFileStore equality depends on how + the FileStore was constructed + + JDK-8264792: The NumberFormat for locale sq_XK formats price + incorrectly. 
+ + JDK-8265100: (fs) WindowsFileStore.hashCode() should read + cached hash code once + + JDK-8265531: doc/building.md should mention homebrew install + freetype + + JDK-8266250: WebSocketTest and WebSocketProxyTest call + assertEquals(List, List) + + JDK-8266254: Update to use jtreg 6 8265020: tests must be + updated for new TestNG module name + + JDK-8266460: java.io tests fail on null stream with upgraded + jtreg/TestNG + + JDK-8266461: tools/jmod/hashes/HashesTest.java fails: static + @Test methods 8267180: Typo in copyright header for + HashesTest + + JDK-8266490: Extend the OSContainer API to support the pids + controller of cgroups + + JDK-8266675: Optimize IntHashTable for encapsulation and ease + of use + + JDK-8266774: System property values for stdout/err on Windows + UTF-8 + + JDK-8266881: Enable debug log for + SSLEngineExplorerMatchedSNI.java + + JDK-8267271: Fix gc/arguments/TestNewRatioFlag.java + expectedNewSize calculation + + JDK-8267880: Upgrade the default PKCS12 MAC algorithm + + JDK-8268185: Update GitHub Actions for jtreg 6 + + JDK-8269039: Disable SHA-1 Signed JARs + + JDK-8269517: compiler/loopopts/ + /TestPartialPeelingSinkNodes.java crashes with + - XX:+VerifyGraphEdges + + JDK-8270090: C2: LCM may prioritize CheckCastPP nodes over + projections + + JDK-8270312: Error: Not a test or directory containing tests: + java/awt/print/PrinterJob/XparColor.java + + JDK-8271010: vmTestbase/gc/lock/malloc/malloclock04/ + /TestDescription.java crashes intermittently + + JDK-8271078: jdk/incubator/vector/Float128VectorTests.java + failed a subtest + + JDK-8272352: Java launcher can not parse Chinese character + when system locale is set to UTF-8 + + JDK-8272398: Update DockerTestUtils.buildJdkDockerImage() + + JDK-8273526: Extend the OSContainer API pids controller with + pids.current + + JDK-8274506: TestPids.java and TestPidsLimit.java fail with + podman run as root + + JDK-8274517: java/util/DoubleStreamSums/CompensatedSums.java + fails with 
expected [true] but found [false] + + JDK-8274687: JDWP deadlocks if some Java thread reaches wait + in blockOnDebuggerSuspend + + JDK-8275008: gtest build failure due to stringop-overflow + warning with gcc11 + + JDK-8275689: [TESTBUG] Use color tolerance only for XRender + in BlitRotateClippedArea test + + JDK-8275887: jarsigner prints invalid digest/signature + algorithm warnings if keysize is weak/disabled + + JDK-8277893: Arraycopy stress tests + + JDK-8278067: Make HttpURLConnection default keep alive + timeout configurable + + JDK-8278344: sun/security/pkcs12/ + /KeytoolOpensslInteropTest.java test fails because of + different openssl output + + JDK-8278519: serviceability/jvmti/FieldAccessWatch/ + /FieldAccessWatch.java failed "assert(handle != __null) + failed: JNI handle should not be null" + + JDK-8279032: compiler/loopopts/ + /TestSkeletonPredicateNegation.java times out with + - XX:TieredStopAtLevel < 4 + + JDK-8279385: [test] Adjust sun/security/pkcs12/ + /KeytoolOpensslInteropTest.java after 8278344 + + JDK-8279622: C2: miscompilation of map pattern as a vector + reduction + + JDK-8280913: Create a regression test for + JRootPane.setDefaultButton() method + + JDK-8281181: Do not use CPU Shares to compute active + processor count + + JDK-8281535: Create a regression test for JDK-4670051 + + JDK-8281569: Create tests for Frame.setMinimumSize() method + + JDK-8281628: KeyAgreement : generateSecret intermittently not + resetting + + JDK-8281738: Create a regression test for checking the + 'Space' key activation of focused Button + + JDK-8281745: Create a regression test for JDK-4514331 + + JDK-8281988: Create a regression test for JDK-4618767 + + JDK-8282214: Upgrade JQuery to version 3.6.0 + + JDK-8282234: Create a regression test for JDK-4532513 + + JDK-8282280: Update Xerces to Version 2.12.2 + + JDK-8282343: Create a regression test for JDK-4518432 + + JDK-8282538: PKCS11 tests fail on CentOS Stream 9 + + JDK-8282548: Create a regression test for 
JDK-4330998 + + JDK-8282555: Missing memory edge when spilling MoveF2I, + MoveD2L etc + + JDK-8282789: Create a regression test for the JTree usecase + of JDK-4618767 + + JDK-8282860: Write a regression test for JDK-4164779 + + JDK-8282933: Create a test for JDK-4529616 + + JDK-8282947: JFR: Dump on shutdown live-locks in some + conditions + + JDK-8283015: Create a test for JDK-4715496 + + JDK-8283017: GHA: Workflows break with update release versions + + JDK-8283087: Create a test or JDK-4715503 + + JDK-8283245: Create a test for JDK-4670319 + + JDK-8283277: ISO 4217 Amendment 171 Update + + JDK-8283441: C2: segmentation fault in + ciMethodBlocks::make_block_at(int) + + JDK-8283493: Create an automated regression test for RFE + 4231298 + + JDK-8283507: Create a regression test for RFE 4287690 + + JDK-8283621: Write a regression test for CCC4400728 + + JDK-8283623: Create an automated regression test for + JDK-4525475 + + JDK-8283624: Create an automated regression test for + RFE-4390885 + + JDK-8283803: Remove jtreg tag manual=yesno for + java/awt/print/PrinterJob/PrintGlyphVectorTest.java and fix + test + + JDK-8284898: Enhance PassFailJFrame + + JDK-8283849: AsyncGetCallTrace may crash JVM on guarantee + + JDK-8283903: GetContainerCpuLoad does not return the correct + result in share mode + + JDK-8284077: Create an automated test for JDK-4170173 + + JDK-8284367: JQuery UI upgrade from 1.12.1 to 1.13.1 + + JDK-8284535: Fix PrintLatinCJKTest.java test that is failing + with Parse Exception + + JDK-8283712: Create a manual test framework class + + JDK-8284680: sun.font.FontConfigManager.getFontConfig() leaks + charset + + JDK-8284694: Avoid evaluating SSLAlgorithmConstraints twice + + JDK-8284754: print more interesting env variables in hs_err + and VM.info + + JDK-8284758: [linux] improve print_container_info + + JDK-8284882: SIGSEGV in Node::verify_edges due to compilation + bailout + + JDK-8284944: assert(cnt++ < 40) failed: infinite cycle in + loop optimization 
+ + JDK-8284950: CgroupV1 detection code should consider + memory.swappiness + + JDK-8284956: Potential leak awtImageData/color_data when + initializes X11GraphicsEnvironment + + JDK-8285081: Improve XPath operators count accuracy + + JDK-8285097: Duplicate XML keys in XPATHErrorResources.java + and XSLTErrorResources.java + + JDK-8285380: Fix typos in security + + JDK-8285398: Cache the results of constraint checks + + JDK-8285693: Create an automated test for JDK-4702199 + + JDK-8285696: AlgorithmConstraints:permits not throwing + IllegalArgumentException when 'alg' is null + + JDK-8285728: Alpine Linux build fails with busybox tar + + JDK-8285820: C2: LCM prioritizes locally dependent CreateEx + nodes over projections after 8270090 + + JDK-8286114: [test] show real exception in bomb call in + sun/rmi/runtime/Log/checkLogging/CheckLogging.java + + JDK-8286177: C2: "failed: non-reduction loop contains + reduction nodes" assert failure + + JDK-8286211: Update PCSC-Lite for Suse Linux to 1.9.5 + + JDK-8286314: Trampoline not created for far runtime targets + outside small CodeCache + + JDK-8286582: Build fails on macos aarch64 when using + - -with-zlib=bundled + + JDK-8287017: Bump update version for OpenJDK: jdk-11.0.17 + + JDK-8287073: NPE from CgroupV2Subsystem.getInstance() + + JDK-8287107: CgroupSubsystemFactory.setCgroupV2Path asserts + with freezer controller + + JDK-8287202: GHA: Add macOS aarch64 to the list of default + platforms for workflow_dispatch event + + JDK-8287223: C1: Inlining attempt through MH::invokeBasic() + with null receiver + + JDK-8287336: GHA: Workflows break on patch versions + + JDK-8287366: Improve test failure reporting in GHA + + JDK-8287432: C2: assert(tn->in(0) != __null) failed: must + have live top node + + JDK-8287463: JFR: Disable TestDevNull.java on Windows + + JDK-8287663: Add a regression test for JDK-8287073 + + JDK-8287672: jtreg test com/sun/jndi/ldap/ + /LdapPoolTimeoutTest.java fails intermittently in nightly run + + 
JDK-8287741: Fix of JDK-8287107 (unused cgv1 freezer + controller) was incomplete + + JDK-8288360: CI: ciInstanceKlass::implementor() is not + consistent for well-known classes + + JDK-8288467: remove memory_operand assert for spilled + instructions + + JDK-8288754: GCC 12 fails to build zReferenceProcessor.cpp + + JDK-8288763: Pack200 extraction failure with invalid size + + JDK-8288781: C1: LIR_OpVisitState::maxNumberOfOperands too + small + + JDK-8288865: [aarch64] LDR instructions must use legitimized + addresses + + JDK-8288928: Incorrect GPL header in pnglibconf.h (backport + of JDK-8185041) + + JDK-8289471: Issue in Initialization of keys in ErrorMsg.java + and XPATHErrorResources.java + + JDK-8289477: Memory corruption with CPU_ALLOC, CPU_FREE on + muslc + + JDK-8289486: Improve XSLT XPath operators count efficiency + + JDK-8289549: ISO 4217 Amendment 172 Update + + JDK-8289569: [test] java/lang/ProcessBuilder/Basic.java fails + on Alpine/musl + + JDK-8289799: Build warning in methodData.cpp memset + zero-length parameter + + JDK-8289856: [PPC64] SIGSEGV in C2Compiler::init_c2_runtime() + after JDK-8289060 + + JDK-8290000: Bump macOS GitHub actions to macOS 11 + + JDK-8290004: [PPC64] JfrGetCallTrace: assert(_pc != nullptr) + failed: must have PC + + JDK-8290198: Shenandoah: a few Shenandoah tests failure after + JDK-8214799 11u backport + + JDK-8290246: test fails "assert(init != __null) failed: + initialization not found" + + JDK-8290813: jdk/nashorn/api/scripting/test/ + /ScriptObjectMirrorTest.java fails: assertEquals is ambiguous + + JDK-8290886: [11u]: Backport of JDK-8266250 introduced test + failures + + JDK-8291570: [TESTBUG] Part of JDK-8250984 absent from 11u + + JDK-8291713: assert(!phase->exceeding_node_budget()) failed: + sanity after JDK-8223389 + + JDK-8291794: [11u] Corrections after backport of JDK-8212028 + + JDK-8292255: Bump update version for OpenJDK: jdk-11.0.16.1 + + JDK-8292260: [BACKOUT] JDK-8279219: [REDO] C2 crash when + 
allocating array of size too large (bsc#1204523) + + JDK-8292579: (tz) Update Timezone Data to 2022c + + JDK-8292852: [11u] TestMemoryWithCgroupV1 fails after + JDK-8292768 + + JDK-8295057: [11u] Remove designator + DEFAULT_PROMOTED_VERSION_PRE=ea for release 11.0.17 +- Modified patch: + * fips.patch + + sync with newest RedHat version + +- Package the JAVA_HOME/release files in *-headless package + * fixes boo#1203476 + karchive +- Update to 5.100.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.100.0 +- Changes since 5.99.0: + * Make error messages translatable + +- Update to 5.99.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.99.0 +- Changes since 5.98.0: + * Add Qt6 windows CI support + * .gitlab-ci.yml: enable static builds + +- Update to 5.98.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.98.0 +- Changes since 5.97.0: + * Add FreeBSD Qt6 CI support + * ktar fix underflow + +- Update to 5.97.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.97.0 +- Changes since 5.96.0: + * k7zip: Merge two functions to the constructor + +- Update to 5.96.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.96.0 +- No code change since 5.95.0 + +- Update to 5.95.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.95.0 +- Changes since 5.94.0: + * KArchive::addLocalDirectory: preserve empty directories + * Fix zstd KCompressionDevice not compressing as much as it could (kde#451816) + * Always delete device if we created it (kde#432726) + * port to standard C++ smart pointers where possible + +- Update to 5.94.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.94.0 +- Changes 
since 5.93.0: + * add Windows CI + +- Update to 5.93.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.93.0 +- Changes since 5.92.0: + * Require unittests to pass for CI pipelines to pass + +- Update to 5.92.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.92.0 +- Changes since 5.91.0: + * Add Qt6 Android CI + +- Update to 5.91.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.91.0 +- Changes since 5.90.0: + * Utilize ECMDeprecationSettings to manage deprecate Qt API + * Add CI qt6 support + kauth +- Update to 5.100.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.100.0 +- Changes since 5.99.0: + * Config.cmake.in: declare static dependencies + * Fix the translation folder name + +- Update to 5.99.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.99.0 +- Changes since 5.98.0: + * .gitlab-ci.yml: enable static builds + +- Update to 5.98.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.98.0 +- Changes since 5.97.0: + * Fix polkit-qt-1 dependency + * Add FreeBSD Qt6 CI support + +- Update to 5.97.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.97.0 +- No code change since 5.96.0 + +- Update to 5.96.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.96.0 +- No code change since 5.95.0 + +- Update to 5.95.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.95.0 +- No code change since 5.94.0 + +- Update to 5.94.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.94.0 +- Changes since 5.93.0: + * Add 
INSTALL_BROKEN_KAUTH_POLICY_FILES cmake option + +- Update to 5.93.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.93.0 +- Changes since 5.92.0: + * add chrono overload for setTimeout + * Require unittests to pass for CI pipelines to pass + +- Update to 5.92.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.92.0 +- Changes since 5.91.0: + * Remove broken Python bindings generation + * Normalize header names and include path layout to KF standards + * Prepare KF6 KAuthWidgets library, with an interface lib for KF5 + +- Replace %_libdir/libexec with %_libexecdir (boo#1174075) + +- Update to 5.91.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.91.0 +- Changes since 5.90.0: + * Make code more compact (idea from Samir) + * Use kf6/ for qt6 or old path for keeping compatibility + * Move plugins in kf directory + * Add CI qt6 support + * Seems my text editor munched the syntax, fix + * Correct the dependencies specified for KAuth. 
+ * Bump minimum required version of Polkit-Qt-1 to 0.112.0 + * Remove Polkit-Qt build support, Polkit-Qt-1 replaced it a long time ago + * Adjust CMake code to find PolkitQt{5,6}-1 + kbookmarks +- Update to 5.100.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.100.0 +- Changes since 5.99.0: + * Don't use KXmlGui when building without deprecated stuff + * Add Qt6 windows CI support + * Fix the translation folder name + +- Update to 5.99.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.99.0 +- No code change since 5.98.0 + +- Update to 5.98.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.98.0 +- Changes since 5.97.0: + * Add FreeBSD Qt6 CI support + +- Update to 5.97.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.97.0 +- No code change since 5.96.0 + +- Update to 5.96.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.96.0 +- Changes since 5.95.0: + * Bump deprecation KF version in ecm_set_disabled_deprecation_versions + +- Update to 5.95.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.95.0 +- Changes since 5.94.0: + * port to standard C++ smart pointers where possible + +- Update to 5.94.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.94.0 +- Changes since 5.93.0: + * Add windows CI + +- Update to 5.93.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.93.0 +- Changes since 5.92.0: + * Require unittests to pass for CI pipelines to pass + * Add Android to supported platforms in repo metadata + +- Update to 5.92.0 + * New feature release + * For more details please see: + * 
https://kde.org/announcements/frameworks/5/5.92.0 +- Changes since 5.91.0: + * Add Qt6 Android CI + * Check executables exist in PATH before passing them to QProcess + +- Update to 5.91.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.91.0 +- Changes since 5.90.0: + * Utilize ECMDeprecationSettings to manage deprecate Qt/KF API + * Add CI qt6 support + kcodecs +- Update to 5.100.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.100.0 +- Changes since 5.99.0: + * Prepare for 5.15.7: adapt test + * Fix the translation folder name + +- Update to 5.99.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.99.0 +- Changes since 5.98.0: + * Add Qt6 windows CI support + * .gitlab-ci.yml: enable static builds + +- Update to 5.98.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.98.0 +- Changes since 5.97.0: + * Add FreeBSD Qt6 CI support + +- Update to 5.97.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.97.0 +- No code change since 5.96.0 + +- Update to 5.96.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.96.0 +- No code change since 5.95.0 + +- Update to 5.95.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.95.0 +- Changes since 5.94.0: + * port to standard C++ smart pointers where possible + +- Update to 5.94.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.94.0 +- Changes since 5.93.0: + * Add windows CI + +- Update to 5.93.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.93.0 +- Changes since 5.92.0: + * Require unittests to pass for CI jobs to pass + 
+- Update to 5.92.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.92.0 +- Changes since 5.91.0: + * Add Qt6 Android CI + * Remove broken Python bindings generation + +- Update to 5.91.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.91.0 +- Changes since 5.90.0: + * Add CI qt6 support + kcompletion +- Update to 5.100.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.100.0 +- Changes since 5.99.0: + * Add Qt 6 Windows CI + * Fix the translation folder name + +- Update to 5.99.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.99.0 +- Changes since 5.98.0: + * Show header in qtc6 + +- Update to 5.98.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.98.0 +- Changes since 5.97.0: + * Add FreeBSD Qt6 CI support + +- Update to 5.97.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.97.0 +- Changes since 5.96.0: + * KCompletion: clean-up private class + * KCompletion*: general clean-up + +- Update to 5.96.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.96.0 +- No code change since 5.95.0 + +- Update to 5.95.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.95.0 +- No code change since 5.94.0 + +- Update to 5.94.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.94.0 +- Changes since 5.93.0: + * Add windows CI + +- Update to 5.93.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.93.0 +- Changes since 5.92.0: + * Require unittests to pass for CI jobs to pass + +- Update to 5.92.0 + * New feature release 
+ * For more details please see: + * https://kde.org/announcements/frameworks/5/5.92.0 +- Changes since 5.91.0: + * Add Qt6 Android CI + * Remove broken Python bindings generation + * Make the BUILD_DESIGNERPLUGIN option dependent on not cross-compiling + +- Update to 5.91.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.91.0 +- Changes since 5.90.0: + * Add CI qt6 support + kconfig +- Update to 5.100.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.100.0 +- Changes since 5.99.0: + * kconfig_compiler: switch away from bit mask for signal enum values + * kconfig_compiler: fix generation of bit masks enum items for signals + * kconfig_compiler: perform signals count check earlier + * .gitlab-ci.yml: enable static builds + * Fix KConfigGui initialization in case of static builds (kde#459337) + * Fix the translation folder name + +- Update to 5.99.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.99.0 +- Changes since 5.98.0: + * Only warn about a file being inaccessible if we know which file it is + * Add Qt6 windows CI support + * Fix size and position restoration on multimonitor setups (kde#427875) + * Warn when accessing an inaccessible config file + * Fix minValue/maxValue for KConfigCompilerSignallingItem + +- Update to 5.98.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.98.0 +- Changes since 5.97.0: + * Add FreeBSD Qt6 CI support + * Add KServiceAction as a friend of KConfigGroup + * KConfigWatcher: initialize d->m_config in constructor + +- Update to 5.97.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.97.0 +- Changes since 5.96.0: + * Add explicit option to disable QML support + * Don't inherit from containers + +- Update to 5.96.0 + * New feature release + * For more 
details please see: + * https://kde.org/announcements/frameworks/5/5.96.0 +- No code change since 5.95.0 + +- Update to 5.95.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.95.0 +- Changes since 5.94.0: + * Change "Actual Size" shortcut's text to "Zoom to Actual Size" + * remove unused includes + * Fix enum doc: close tags + +- Update to 5.94.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.94.0 +- Changes since 5.93.0: + * KConfigGroup: fix writePathEntry/readPathEntry roundtrip for symlinks + * autotests: skip KStandardShortcutWatcherTest on Windows + * Support storing QUuid + * Add windows CI + +- Update to 5.93.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.93.0 +- Changes since 5.92.0: + * Require unittests to pass for CI jobs to pass + * Disable DBus support on Windows by default + * Make KConfig::mainConfigName() public. 
+ * kconf_update: Fix checking for changes of update files + +- Update to 5.92.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.92.0 +- Changes since 5.91.0: + * Remove broken Python bindings generation + * Add KWindowStateSaver + * Remove warning from kauthorized.h + * KConfigCompiler: support ItemAccessors=true with signalling items + * Add Qt6 Android CI + * Use our deprecation macros rather than Q_DECL_DEPRECATED directly + * KConfigPropertyMap: Clean up internal leftovers of autosave feature + * QMake pri files: fix missing new path to version header + * Support build without Qt session manager + * Add KConfig GUI logging category + +- Update to 5.91.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.91.0 +- Changes since 5.90.0: + * Fix build on Windows + * Don't use saveShortcut for setting up tests + * Fix build on Windows + * Introduce StandardShortcutWatcher to watch for runtime changes + * Make singleton teardown work with Qt6 as well + * Utilize ECMDeprecationSettings to manage deprecate Qt/KF API + * Add CI qt6 support + * Add Samir variable fix too + * Use KDE_INSTALL_FULL_LIBEXECDIR_KF + * Extract isNonDeletedKey() helper function + * Look for entries with common group prefix in entryMap's subrange + * Improve the documentation of KConfigPrivate::allSubGroups() + * KConfigPrivate::copyGroup: remove redundant entryMap lookup + * groupList: convert each group name from UTF-8 once + * Exclude deleted groups from groupList() (kde#384039) + * groupList: don't copy unnecessarily; add const + kconfigwidgets +- Update to 5.100.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.100.0 +- Changes since 5.99.0: + * avoid stating files during restore of recent files (kde#460868) + * Ensure icon is always set for recent files actions + * Add file icons to open recent menu + * Replace custom 
color preference code with KColorSchemeWatcher + * Intialize default decoration colors + * [KCommandBar] Fix shortcut background + * Add Qt6 windows CI support + * Adapt native event filter code to Qt 6 + +- Update to 5.99.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.99.0 +- Changes since 5.98.0: + * Remove unused includes + * Show headers in qtc6 + * add KHamburgerMenu::insertIntoMenuBefore() method + +- Update to 5.98.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.98.0 +- Changes since 5.97.0: + * Deduplicate color loading code + * refresh git-blame-ignore-revs for latest clang-format run + * automatic clang-format run (clang 14) + * Fix build after cmakedefine01-related changes + * Add FreeBSD Qt6 CI support + * [KCommandBar] Add action to clear command history + +- Update to 5.97.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.97.0 +- Changes since 5.96.0: + * [KCommandBar] Improve position and size + * follow symlinks during search for help + * Avoid tracking dangling KConfigDialogManager + +- Update to 5.96.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.96.0 +- Changes since 5.95.0: + * Add edit-clear-list icon to the Clear List action + * Bump deprecation KF version in ecm_set_disabled_deprecation_versions + +- Update to 5.95.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.95.0 +- Changes since 5.94.0: + * Change "Actual Size" Action's text to "Zoom to Actual Size" + * KRecentFilesAction: remove the corresponding element in m_recentActions when calling removeAction(action) + * KRecentFilesAction: refactor some code related to removing an action + * KRecentFilesAction: do not reuse removed actions and adding an URL that is already in the menu + * Allow 
specifying a Qt::ConnectionType in KStandardAction::create + +- Update to 5.94.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.94.0 +- Changes since 5.93.0: + * KCommandBar: remove installed event filter in destructor (kde#452527) + * [kcolorschememanager] Rework and improve auto theme switching (kde#452091) + * [kcolorschememanager] Pass explicit role to data() + * [kcolorschememanager] Use bespoke role names instead of generic Qt ones + * [kcolorschememanager] Rename method call that was missed before + * [kcolorschememanager] Rename method for clarity + * [kcolorschememanager] Don't save colors on application start + * fix: KRecentFilesAction saveEntries and loadEntries use the correct group when no group is passed + * Move kstatefulbrush implementation to its own file + * More conventional memory managment for KStatefulBrushPrivate + * Add windows CI + * Fix copy and paste mistake + * Fix finding data for KLanguageNameTest on Windows + * Add move constructor and assignment operator for KColorScheme + * Default copy constructor, assignment operator and destructor + * Make it clear that KStandardAction::name gives you ascii + +- Update to 5.93.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.93.0 +- Changes since 5.92.0: + * Merge KColorSchemePrivate::init and constructor + * Unify both KColorSchemePrivate constructors + * Add a test for reading colorscheme data + * Default to light mode, where AppsUseLightTheme isn't set + (notably Windows 8.1) + * Require unittests to pass for CI jobs to pass + * Move KStatefulBrush to its own dedicated header + * KColorScheme::contrast(F) match code to documentation + * Deprecate KColorScheme::contrast + * Fix automatic color scheme on Windows + * khamburgermenu: Ensure menu is polished before creating window + * autotests: skip test for changing standard shortcuts on Windows + * Fix blame ignore list + * 
[kcolorschememanager] Initialize selected scheme from config + * Add Android to supported platforms in the repo metadata. + +- Update to 5.92.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.92.0 +- Changes since 5.91.0: + * Add Qt6 Android CI + * Remove broken Python bindings generation + * KHamburgerMenu: Avoid null receiver warning upon showing menubar + * Port away from deprecated KAuth includes + * Add @since 5.92 in KColorScheme::operator== API docs + * Add a KColorScheme::operator== + * Make the BUILD_DESIGNERPLUGIN option dependent on not cross-compiling + * Add explicit CMake option HAVE_KAUTH + * KHambugerMenu: Fix crash on windows when showing the window menubar + from the KHamburgerMenu (kde#449806) + +- Update to 5.91.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.91.0 +- Changes since 5.90.0: + * KLanguageButton: Don't insert duplicates + * KLanguageButton: Adapt to new .desktop filenames + * Change shortcuts of standard actions if standard shortcut changes (kde#426656) + * Use BUILD* deprecation wrapper for virtual method (kde#448680) + * Improve naming a little bit + * Simplify + use reserve + * Remove unnecessary QBrush->QColor conversions + * Fix iconWidth calculation + * Utilize ECMDeprecationSettings to manage deprecate Qt/KF API + * Simplify KHamburgerMenu menu items + * Add CI qt6 support + * Only require KAuth on Linux/FreeBSD + * Don't use KAuth on Windows +- Drop 0001-Use-BUILD-deprecation-wrapper-for-virtual-method.patch + Merged upstream + kcoreaddons +- Update to 5.100.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.100.0 +- Changes since 5.99.0: + * Add missing . 
in error string + * KPluginMetaData: Check applicationDirPath first when resolving plugin + paths (kde#459830) + * Fix static build of downstream consumers + * Fix the translation folder name + * KFileSystem: add Fuse Type; use libudev to probe underlying fuseblk type + +- Update to 5.99.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.99.0 +- Changes since 5.98.0: + * Remove unused includes + * Show all headers in qtc6 + * Cache portal urls + * Add new bugReportUrl standard metadata property + * KSignalHandler: Fix documentation + * Add Qt 6 Windows CI + * .gitlab-ci.yml: enable static builds + * Add support for static builds + * Fix moc configuration of K_PLUGIN_CLASS macro + * Use a non-deprecated notify signal for the KJob::percent property + +- Update to 5.98.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.98.0 +- Changes since 5.97.0: + * kcoreaddons_add_plugin: Add cmake option to skip plugin installation in autotests + * Remove extra semi colon + * Add FreeBSD Qt 6 CI + * kfuzzymatchertest replace "QStringLiteral("")" with "QString("")" + * Fix KUrlMimeData::exportUrlsToPortal for mixed files-and-directories URIs + +- Update to 5.97.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.97.0 +- Changes since 5.96.0: + * Deprecate KMessage system + * KUserGroup: fix data race by porting from getgrgid to getgrgid_r + * KUserGroup: centralize calls to getgrgid(), at least for constructors + * KUser: fix data race by porting to getpwuid_r and getpwnam_r + * KUser: use member initialization, call getpwuid in a single place + * fix up the kpluingmetadata::value doc + * Add KRuntimePlatform as alternative for KDeclarative::runtimePlatform + * Fix klibexectest when build dir path contains symlink + * Fix unit tests in kpluginfactorytest + * Bump shared-mime-info to 1.8 + * make kprocess a more 
proper qprocess + * new ksandbox function to start processes + * refresh git-blame-ignore-revs for latest clang-format run + * automatic clang-format run (clang 14) + * Adapt libexec paths for KF6 + +- Update to 5.96.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.96.0 +- Changes since 5.95.0: + * Remove duplicate header between cpp/h files + * Add missing errno header + * xdg drag and drop portal support + * Install KMemoryInfo headers + +- Update to 5.95.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.95.0 +- Changes since 5.94.0: + * KPluginFactory: Create un-deprecated overload to register CreateInstanceWithMetaDataFunction + * KSignalHandler: add error warnings when reading or writing signal + * Use the versionless KDE_INSTALL_FULL_KSERVICETYPESDIR variant + * port to standard C++ smart pointers where possible + * kmemoryinfo class + * KPluginFactory: Provide better context in error message if instance could not be created + * KJob: add method to check if job was started with exec() + * Add autotest for KStringHandler::lsqueeze/csqueeze/rsqueeze + * new util ksandbox + * KDirWatch: handle IN_Q_OVERFLOW events + * KProcess: wrap Qt5-only QProcess API also with Qt version check + * KListOpenFilesJob: check lsof executable exist in PATH before starting it with QProcess + * KProcess: replace an assert with a check for empty + * KAboutData: improve the API docs for LicenseKey enum + * Install KMemoryInfo headers + +- Update to 5.94.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.94.0 +- Changes since 5.93.0: + * Fix kprocesstest for Qt6 + * autotests: fix kdelibs4configmigratortest for Windows + * autotests: skip KNetworkMountsTestCanonical::testCanonicalSymlinkPath on Windows + * autotests: skip KFileUtilsTest::testfindAllUniqueFiles on Windows + * KNetworkMounts: fix some warnings + * 
KPluginMetaData: Fix setting of MetaDataOption when building without deprecations + * KPluginMetaData: Delegate to other constructors where possible + * KPluginMetaData: Always initialize d-ptr + * API dox: typofix, name of header to include + * API dox: typofix, match @p with the actual params of expandMacro() + * autotests: check for ZFS and expect failure then + * autotests: make the FreeBSD test pass + * processlist: don't call procstat_getpathname() at all + * ListOpenFilesJob: avoid creating the processlist on FreeBSD multiple times + +- Update to 5.93.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.93.0 +- Changes since 5.92.0: + * Add default argument for KPluginFactory::create where no keyword + and args have to be specified + * CI: require tests to pass on Linux + * Also wrap Kdelibs4ConfigMigrator in a QT_VERSION check for Qt6 + * Optimize KPluginMetaData::findPluginById by using QPluginLoader directly + * Remove *.doc pattern for text/plain + * KPluginMetaData: find plugins in the directory of the executable, too + +- Update to 5.92.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.92.0 +- Changes since 5.91.0: + * Add Qt6 Android CI + * Deprecate KPluginMetaData::fromDesktopFile + * KPluginMetaDataTest: Explicitly call dedicated constructors + * KPluginMetaData: Emit runtime deprecation warnings for deprecated code path + * KPluginMetaData: Add note for deprecated code paths to constructor + * KPluginMetaData: Use QFileInfo::completeBaseName for deriving plugin id + * Remove broken Python bindings generation + * Downgrade mismatched host tool version to WARNING + * Add a way to indicate to not show a notification on finished + * Allow to create valid KPluginMetaData for plugins without embedded JSON metadata + * Add an OUTPUT_FILE argument to kcoreaddons_desktop_to_json() + * KSignalHandler: attempt to fix Windows build + * Add 
KSignalHandler + * Build benchmarks of kdirwatch test as separate lib + * Build benchmarks of ktexttohtml as separate executable + +- Update to 5.91.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.91.0 +- Changes since 5.90.0: + * Search in kf plugin + * kcoreaddons_target_static_plugins: Use private linking for plugin registration file + * Fix kprocesslist in Windows + * Fix kformattest on Windows + * Fix krandomtest on Windows + * klibexec helper to resolve libexec path relative + * Set timezone to what the test expects + * KPluginMetaDataTest: Fix check for service type querying error essage + * Fix KPluginMetaDataTest::testPathIsAbsolute + * desktopfileparser: Avoid a run-time string concatenation + * KF5CoreAddonsConfig: check desktoptojson version when cross-compiling + * KPluginMetaData: Fix a typo in a comment + * desktoptojson: Further improvements to cross-compilation mode + * Fix kcoreaddons_desktop_to_json when cross-compiling + * Fix compiler warnings in posix_fallocate_mac.h + * Add KPluginMetaData::fromJsonFile() + * KPluginMetadata: store all paths as absolute ones + * KPluginMetaData::metaDataFileName: Fix broken check if we have the metaDataFileName value set + * Use directly kf${QT_MAJOR_VERSION} (Volker idea) + * Use QT_STRINGIFY(QT_VERSION_MAJOR) Instead of the if stuff + * Use kf6 for installing licenses + * Utilize ECMDeprecationSettings to manage deprecate Qt API + * kcoreaddons_add_plugin: Throw error when we have unparsed args + * Add CI qt6 support + * Port deprecated enum in qt6 + * Need to build static lib + * Improve formatRelativeDateTime + * KProcessList: Remove dead Q_OS_FREEBSD branches + * Improve error message for KPluginFactory::loadFactory + * Add missing copying of error text in KPluginFactory::instantiatePlugin + kcrash +- Update to 5.100.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.100.0 +- Changes since 
5.99.0: + * Add Qt 6 Windows CI + +- Update to 5.99.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.99.0 +- No code change since 5.98.0 + +- Update to 5.98.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.98.0 +- Changes since 5.97.0: + * Add FreeBSD Qt6 CI support + +- Update to 5.97.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.97.0 +- No code change since 5.96.0 + +- Update to 5.96.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.96.0 +- Changes since 5.95.0: + * Bump deprecation KF version in ecm_set_disabled_deprecation_versions + * Use cmakedefine01 + +- Update to 5.95.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.95.0 +- No code change since 5.94.0 + +- Update to 5.94.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.94.0 +- Changes since 5.93.0: + * Port away from QX11Info + * Remove Android CI + * Add windows CI + +- Update to 5.93.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.93.0 +- Changes since 5.92.0: + * Require unittests to pass for CI jobs to pass + * autotests: fix on non-linux (e.g. 
FreeBSD) + * metainfo.yaml - add macOS as a supported platform + +- Update to 5.92.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.92.0 +- Changes since 5.91.0: + * Add Qt6 Android CI + +- Update to 5.91.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.91.0 +- Changes since 5.90.0: + * Add CI qt6 support + * Utilize ECMDeprecationSettings to manage deprecate Qt/KF API + kdbusaddons +- Update to 5.100.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.100.0 +- Changes since 5.99.0: + * Fix the translation folder name + +- Update to 5.99.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.99.0 +- Changes since 5.98.0: + * Add Qt6 windows CI support + * Don't assume we have X11 on Windows with Qt 6 + * Remove obsolete KDBusConnectionPool from the Qt 6 build + * .gitlab-ci.yml: enable static builds + * Fix static compilation on non-X11 systems + +- Update to 5.98.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.98.0 +- Changes since 5.97.0: + * Add FreeBSD Qt6 CI support + +- Update to 5.97.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.97.0 +- No code change since 5.96.0 + +- Update to 5.96.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.96.0 +- Changes since 5.95.0: + * Require unit tests to pass for the CI to pass + +- Update to 5.95.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.95.0 +- Changes since 5.94.0: + * Rename UpdateLaunchEnvironmentJob's private class to UpdateLaunchEnvironmentJobPrivate + * Add Windows CI + +- Update to 5.94.0 + * New feature release + * For more details please see: + * 
https://kde.org/announcements/frameworks/5/5.94.0 +- No code change since 5.93.0 + +- Update to 5.93.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.93.0 +- No code change since 5.92.0 + +- Update to 5.92.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.92.0 +- Changes since 5.91.0: + * Remove broken Python bindings generation + +- Update to 5.91.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.91.0 +- Changes since 5.90.0: + * Add CI qt6 support + kded +- Update to 5.100.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.100.0 +- No code change since 5.99.0 + +- Update to 5.99.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.99.0 +- No code change since 5.98.0 + +- Update to 5.98.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.98.0 +- Changes since 5.97.0: + * Add FreeBSD Qt6 CI support + * Don't install service type definition when building against Qt6 + +- Update to 5.97.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.97.0 +- Changes since 5.96.0: + * README.md remove trailing space + +- Update to 5.96.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.96.0 +- Changes since 5.95.0: + * Shorten KSycoca update delay + * Bump deprecation KF version in ecm_set_disabled_deprecation_versions + +- Dropped patches, reimplemented upstream: + * 0001-Decrease-the-delay-between-change-notification-and-s.patch + +- Update to 5.95.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.95.0 +- No code change since 5.94.0 + +- Update to 5.94.0 + * New feature 
release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.94.0 +- Changes since 5.93.0: + * Add missing include and link + +- Update to 5.93.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.93.0 +- Changes since 5.92.0: + * Require unittests to pass for CI jobs to pass + +- Update to 5.92.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.92.0 +- No code change since 5.91.0 + +- Update to 5.91.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.91.0 +- Changes since 5.90.0: + * install plugins in kf + * Add Linux Qt6 CI + * Utilize ECMDeprecationSettings to manage deprecate Qt/KF API + * Set order of kded launching with systemd boot + * kded supports building on Windows, make sure we have our dependencies available + * General code cleanup + kdoctools +- Update to 5.100.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.100.0 +- No code change since 5.99.0 + +- Update to 5.99.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.99.0 +- Changes since 5.98.0: + * Add Qt6 windows CI support + * .gitlab-ci.yml: enable static builds + * Spelling: sync the Valencian language with the latest changes into GUI + +- Update to 5.98.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.98.0 +- Changes since 5.97.0: + * Add FreeBSD Qt6 CI support + +- Update to 5.97.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.97.0 +- Changes since 5.96.0: + * Add Han Young to the contributors list + +- Update to 5.96.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.96.0 +- Changes since 5.95.0: + * catalog: 
Avoid needlessly copying a list to be returned. + * meinproc: Simplify loop building param list for libxml. + * meinproc: Fix usage of QString reference to temporary. + * meinproc: Remove old comment from porting. + * meinproc: Remove dead entry parsing code. + * allow build with nix package manager + +- Update to 5.95.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.95.0 +- Changes since 5.94.0: + * update French user.entities + +- Update to 5.94.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.94.0 +- Changes since 5.93.0: + * add Windows CI + +- Update to 5.93.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.93.0 +- Changes since 5.92.0: + * Require unittests to pass for CI jobs to pass + +- Update to 5.92.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.92.0 +- Changes since 5.91.0: + * [ca@valencia] Add Catalan (Valencian) Language + +- Update to 5.91.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.91.0 +- Changes since 5.90.0: + * Check executables exist in PATH before passing them to QProcess + * Fix install test with Qt6 + * Don't hardcode "kf5" for the catalog search path + * Add CI qt6 support + keyutils -- Add /etc/keys/ and /usr/etc/keys/ directory (bsc#1187654) - -- adjust the library license to be LPGL-2.1+ only (the tools are GPL2+, - the library is just LGPL-2.1+) (bsc#1180603) - -- update to 1.6.3: - * Revert the change notifications that were using /dev/watch_queue. - * Apply the change notifications that use pipe2(O_NOTIFICATION_PIPE). - * Allow "keyctl supports" to retrieve raw capability data. - * Allow "keyctl id" to turn a symbolic key ID into a numeric ID. - * Allow "keyctl new_session" to name the keyring. - * Allow "keyctl add/padd/etc." 
to take hex-encoded data. - * Add "keyctl watch*" to expose kernel change notifications on keys. - * Add caps for namespacing and notifications. - * Set a default TTL on keys that upcall for name resolution. - * Explicitly clear memory after it's held sensitive information. - * Various manual page fixes. - * Fix C++-related errors. - * Add support for keyctl_move(). - * Add support for keyctl_capabilities(). - * Make key=val list optional for various public-key ops. - * Fix system call signature for KEYCTL_PKEY_QUERY. - * Fix 'keyctl pkey_query' argument passing. - * Use keyctl_read_alloc() in dump_key_tree_aux(). - * Various manual page fixes. -- spec-cleaner run (fixup failing homepage url) - -- prepare usrmerge (boo#1029961) - -- updated to 1.6 - - Apply various specfile cleanups from Fedora. - - request-key: Provide a command line option to suppress helper execution. - - request-key: Find least-wildcard match rather than first match. - - Remove the dependency on MIT Kerberos. - - Fix some error messages - - keyctl_dh_compute.3: Suggest /proc/crypto for list of available hashes. - - Fix doc and comment typos. - - Add public key ops for encrypt, decrypt, sign and verify (needs linux-4.20). - - Add pkg-config support for finding libkeyutils. -- upstream isn't offering PGP signatures for the source tarballs anymore - -- Replace krb5-devel BuildRequires with pkgconfig(krb5): Allow OBS - to shortcut the ring0 bootstrap cycle by also using krb5-mini. - -- add upstream signing key and verify source signature - -- updated to 1.5.11 (bsc#1113013) - - Add keyring restriction support. - - Add KDF support to the Diffie-Helman function. - - DNS: Add support for AFS config files and SRV records - -- Use %license (boo#1082318) - -- add keyutils-devel for baselibs, to allow biarch LTP builds. 
- (bsc#1061591) - -- updated to 1.5.10 - - added "dh_compute" callback - - manpage improvements - -- move binaries from /bin to /usr/bin (bsc#1029969) -- keyutils-usr-move.patch: also adjust the request-key.conf file - -- keyutils-nodate.patch: avoid including the timestamp. bsc#916180 - kglobalaccel +- Update to 5.100.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.100.0 +- Changes since 5.99.0: + * Fix the translation folder name + +- Update to 5.99.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.99.0 +- Changes since 5.98.0: + * Remove misplaced comment + +- Update to 5.98.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.98.0 +- Changes since 5.97.0: + * Only build kglobalshortcuttest with BUILD_RUNTIME=TRUE + * Add FreeBSD Qt6 CI support + * GlobalShortcutsRegistry: use std::unique_ptr to manage Components + * Let GlobalShortcutsRegistry manage all components + * Use KFileUtils::findAllUniqueFiles for listing desktop files + * GlobalShortcutsRegistry: add two methods providing info about components + * Set QGuiApplication::desktopSettingsAware to false + * Treat key sequence string as PortableText when parsing + * Avoid iterating a container while it's being mutated + * Don't set NoDisplay when cleaning up service components (kde#454396) + * Don't pass Exec arguments to kstart when launching via desktop entry name (kde#440507) +- Drop patch, fixed upstream: + * 0001-Avoid-iterating-a-container-while-it-s-being-mutated.patch + +- Add patch to fix crashes (kde#437364): + 0001-Avoid-iterating-a-container-while-it-s-being-mutated.patch + +- Update to 5.97.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.97.0 +- Changes since 5.96.0: + * Add a clang-format commit to blame ignore file + * Minor code optimisation + * 
GlobalShortcutsRegistry: don't use a QHash for a couple of elements + * General code cleanup + +- Update to 5.96.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.96.0 +- Changes since 5.95.0: + * Launch app in terminal when Terminal=true (kde#455117) + * Don't duplicate headers between cpp/.h files + * Bump deprecation KF version in ecm_set_disabled_deprecation_versions + * Fix D-Bus de/marshalling KGlobalAccel::MatchType (kde#454704) + +- Update to 5.95.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.95.0 +- Changes since 5.94.0: + * Encapsulate duplicate code in a local function + * Expose enum to QObject + * Remove unused method + * Properly create lists of items + * Remove weird comments + * Use KWindowSystem to request activation tokens if necessary (kde#453748) + +- Update to 5.94.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.94.0 +- Changes since 5.93.0: + * Add BUILD_RUNTIME option (default ON) + * x11: Implement deactivation + * Add KGlobalAccel::globalShortcutActiveChanged + * Create test app + +- Update to 5.93.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.93.0 +- Changes since 5.92.0: + * Add macOS to supported platforms list + * Require unittests to pass for CI jobs to pass + +- Update to 5.92.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.92.0 +- No code change since 5.91.0 + +- Update to 5.91.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.91.0 +- Changes since 5.90.0: + * Fix action registration and unregistration order (kde#448369) + * Check executables exist in PATH before passing them to QProcess + * Add Linux Qt6 CI + * Utilize ECMDeprecationSettings to manage deprecate Qt/KF API + 
kguiaddons -- Fix a clipboard memory leak on Wayland (kde#454590) - * 0001-WaylandClipboard-DataControlSource-delete-m_mimeData.patch +- Update to 5.100.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.100.0 +- Changes since 5.99.0: + * Add misisng find_dependency's for static builds + * systemclipboard: Don't signals data source cancellation (kde#460248) + * Guard the global was actually intialised + * Implement destuctor for keystate protocol implementation + * kcolorschemewatcher: make changing colour schemes work as expected on macOS + * [kcolorschemewatcher] Default to light mode, where AppsUseLightTheme isn't + set (notably Windows 8.1) + * enable automatic dark-mode switching on macOS + * Add API for system color preference reading + +- Update to 5.99.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.99.0 +- Changes since 5.98.0: + * Show all headers in qtc6 + * KeySequenceRecorder: Do not emit gotKeySequence when cancelling + * Add Qt6 windows CI support + * .gitlab-ci.yml: enable static builds + * recorder: Allow setting the initial value of currentKeySequence + * recorder: Fix workaround in KDeclarative + * recorder: Do not keep two sequences at the same time (kde#458795) + * recorder: Never request inhibition twice for the same surface or seat + +- Update to 5.98.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.98.0 +- Changes since 5.97.0: + * Make QtX11Extras required when building with X11 support (kde#458290) + * Add FreeBSD Qt6 CI support + * Add missing license file + +- Update to 5.97.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.97.0 +- Changes since 5.96.0: + * QtWaylandClient is required when building with Wayland support + +- Update to 5.96.0 + * New feature release + * For more details please see: + * 
https://kde.org/announcements/frameworks/5/5.96.0 +- Changes since 5.95.0: + * Remove extra ';' + +- Update to 5.95.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.95.0 +- Changes since 5.94.0: + * WaylandClipboard: DataControlSource: delete m_mimeData in dtor (kde#454590) + * keysequence: Fix race between recording and currentKeySequence + * keysequence: Fix warning message about sequence size to be more precise + * keysequence: Replace magic number 4 with enum constant + +- Update to 5.94.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.94.0 +- Changes since 5.93.0: + * Remove outdated comment about qt11extras_p.h + * Un-pluginify modifierkeyinfo + * Add plugin for wayland keystates + * Add windows CI + +- Update to 5.93.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.93.0 +- Changes since 5.92.0: + * CI: require tests to pass + * Gracefully ignore SIGPIPE + * Use nativeInterface to access the x11 display + +- Update to 5.92.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.92.0 +- Changes since 5.91.0: + * Add Qt6 Android CI + * Remove broken Python bindings generation + * [KOverlayIconEngine] Implement ScaledPixmapHook for high-dpi support + +- Update to 5.91.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.91.0 +- Changes since 5.90.0: + * Add Google Maps Geo URI handler + * Add Qwant Maps to CMakeLists + * Add Qwant Maps Geo URI handler + * Add a fallback handler for the geo: URI scheme + * Install plugins in kf + * Add CI qt6 support ki18n +- Update to 5.100.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.100.0 +- Changes since 5.99.0: + * Try fixing build on Windows mingw + * Add missing include + +- Update 
to 5.99.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.99.0 +- Changes since 5.98.0: + * Add useful info to warning + * Really support :usagetip cue (kde#459283) + * Add Qt6 windows CI support + * .gitlab-ci.yml: enable static builds + * Warn if the domain is empty + * Mark codeLanguage as const + * KCatalog: make setting LANGUAGE env var more robust + +- Update to 5.98.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.98.0 +- Changes since 5.97.0: + * Fix typo ki18ndc -> kxi18ndc / ki18ndp -> kxi18ndp + * Add FreeBSD Qt6 CI support + +- Update to 5.97.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.97.0 +- No code change since 5.96.0 + +- Update to 5.96.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.96.0 +- Changes since 5.95.0: + * Accept null strings from QML (kde#451807) + * Don't print debug message in double quotes + * Don't duplicate headers between cpp/.h files + * Use a struct instead of pair + +- Update to 5.95.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.95.0 +- Changes since 5.94.0: + * Directly load catalogs from Android assets + * Port to ECMQmlModule + +- Update to 5.94.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.94.0 +- Changes since 5.93.0: + * add Windows CI + +- Update to 5.93.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.93.0 +- Changes since 5.92.0: + * Require unittests to pass for CI jobs to pass + * autotests: Require minimum cmake version for ki18n_install + * KF5I18nConfig: Add missing find_dependency call + +- Update to 5.92.0 + * New feature release + * For more details please see: + * 
https://kde.org/announcements/frameworks/5/5.92.0 +- Changes since 5.91.0: + * Add Qt6 Android CI + * Remove broken Python bindings generation + +- Update to 5.91.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.91.0 +- Changes since 5.90.0: + * Default initialize QVariants as such, not as a QString + * install plugins in kf + * Fix warning info + * Add CI qt6 support + * KuitSetup: fix setting classification of tags + kiconthemes +- Update to 5.100.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.100.0 +- Changes since 5.99.0: + * Add Qt6 windows CI support + +- Update to 5.99.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.99.0 +- Changes since 5.98.0: + * KIconEngine: Use QFileInfo::completeBaseName + * KIconEngine: Return actual icon name of loaded icon (kde#432293) + * Add dedicated kiconloader_p.h header for KIconLoaderPrivate + +- Update to 5.98.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.98.0 +- Changes since 5.97.0: + * Remove unused KItemViews dependency + * Import KIconProvider from KDeclarative + * Add FreeBSD Qt6 CI support + * KIconTheme: fix if condition + * KIconLoader: remove unneeded calls to d->initIconThemes() + * KIconLoader: call methods in Private class constructor + * KIconButton: Add tooltip + +- Update to 5.97.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.97.0 +- Changes since 5.96.0: + * Do not use QIcon::setThemeName to set system theme + +- Update to 5.96.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.96.0 +- Changes since 5.95.0: + * Use entryInfo list + * Use range for loop + * Improve warning messages a bit + +- Update to 5.95.0 + * New feature release + * For more details 
please see: + * https://kde.org/announcements/frameworks/5/5.95.0 +- Changes since 5.94.0: + * Make testfailures CI failures + * port to standard C++ smart pointers where possible + +- Update to 5.94.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.94.0 +- Changes since 5.93.0: + * Add context to debug + * Mark as supported on Android + * Add windows CI + +- Update to 5.93.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.93.0 +- No code change since 5.92.0 + +- Update to 5.92.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.92.0 +- Changes since 5.91.0: + * Add Qt6 Android CI + * Make the BUILD_DESIGNERPLUGIN option dependent on not cross-compiling + * Fix pixelated icons in item views (kde#450336) + * [KIconEngine] Create high-dpi pixmap in paint + * Read the reference icon already scaled + +- Update to 5.91.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.91.0 +- Changes since 5.90.0: + * Check executables exist in PATH before passing them to QProcess + * Add Linux Qt6 CI + * Don't create a new KColorScheme for each KIconColors + kio +- Update to 5.100.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.100.0 +- Too many changes since 5.99.0, only listing bugfixes: + * AskUserActionInterface: add DeleteInsteadOfTrash deletion type (kde#431351) +- Drop patch, merged upstream: + * kio-mr1008-fix-webdav.diff + +- Add kio-mr1008-fix-webdav.diff + * Fixes WebDAV upload (kde#460717) + * https://invent.kde.org/frameworks/kio/-/merge_requests/1008 + +- Update to 5.99.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.99.0 +- Changes since 5.98.0: + * DesktopExecParser: Fix parsing of TerminalApplication when it contains args 
(kde#459408) + * KPropertiesDialog: Split single command entry box into separate exec and args + * allow hiding permissions tab + * port http to workerbase + * Worker template: fix install location + * kcms/webshortcuts: hide from System Settings' main navigation + * disable state validation + * UserNotificationHandler: fix messagebox type mismatches + * Fix missing details in message dialogs from worker + +- Update to 5.98.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.98.0 +- Changes since 5.97.0: + * Install WidgetsAskUserActionHandler header + * file_unix: optimize copy (kde#458001) + * Add FreeBSD Qt6 CI support + * KFilePlacesItem: Remove unused enum + * KFilePlacesModel: Don't show error message on UserCanceled + * Add overloads for Utils::concatPaths() + * Use AskUserActionInterface (async) in UserNotificationHandler (kde#451834) + * Ensure iconForStandardPath() returns user-home for QStandardPaths::HomeLocation (kde#447238) + * trash:/ set the UDS_LOCAL_PATH (kde#368104) + * KUrlNavigator: check if typed text matches a relative dir first (kde#353883) + * FileUndoManager: for copyjob only add undo if it copied something (kde#454226) + * Use Functors with QMetaObject::invokeMethod() + * DesktopExecParser: don't kioexec if there is a handler for scheme (kde#442721) + * force admin worker to run in a thread + * install workerfactory header + * introduce RealWorkerFactory + * revise jobuidelegate factorization + * [kfileitemactions] Show desktop file actions more prominently (kde#417012) + * clear state after timeout'd special call + * make loading UDSEntries from streams thread safe + * Remove ServiceType from KDED metadata + * Drop obsolete X11 dependency, introduce WITH_X11 option instead + * KProcessRunner: fix OpenUrlJob and CommandLauncherJob unittests + * Don't install service type definition for properties plugins when building without deprecated things + * Remove service type definition for 
DnD plugins + * Sync QT_MIN_VERSION with KF's REQUIRED_QT_VERSION + * disable state validation + +- Update to 5.97.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.97.0 +- Too many changes since 5.96.0, only listing bugfixes: + * KRecentDocument: better prevent duplicate bookmark for same href (kde#456046) + * FileUndoManager: fix job description when undoing a batch-renaming (kde#437510) + * Fix crash in DropJob (kde#454747) + * Fix thumbnailer result for parent mime types being overwritten (kde#453480) + * KImageFilePreview: if no current preview, don't show last one on resize (kde#434912) + +- Update to 5.96.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.96.0 +- Changes since 5.95.0: + * Remove calls to no-op KNewFileMenu::setViewShowsHiddenFiles + * rename ioslave_defaults to ioworker_defaults + * Don't treat KJob::UserDefinedError as unknown error + * move global enum to worker nomenclature + * [webrunner] Add debian as new keyword for webrunner + * [knewfilemenu] Don't forcibly change file extension (kde#456091) + * [knewfilemenu] Write Name when creating Link files + * Pass JobUiDelegate's window to created dialogs + * [knewfilemenu] Always add .desktop suffix when creating link file + * Deprecated global file class code in KFileWidget + * KRecentDirs: Deprecate reading/writing to global file + * [kfileplacesmodel] Cache device display name + * PreviewJob: Add note about plugins being cached internally + * KRecentDocuments: Improve indentation in recentlyused.xbel (kde#456046) + * Add template for empty file (kde#297003) + * We need it when we build with strict compile + * Don't duplicate headers between cpp/.h files + * Don't leak the slave's worker thread + * filewidgets: update location text after selected files are renamed (kde#455327) + * Add "Get more Apps in Discover" button to kopenwithdialog + * new worker API + * Bump deprecation 
KF version in ecm_set_disabled_deprecation_versions + * KPropertiesDialog: fix saving changes when editing a .desktop file symlink (kde#450727) + +- Update to 5.95.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.95.0 +- Changes since 5.94.0: + * KCoreUrlNavigator: add urlSelectionRequested signal (kde#453289) + * kio_file: fix data race on static user cache (kde#454619) + * file_unix: use thread id rather than pid for filehelper socket + * [KDirOperator] Add option to show hidden files last + * [KFileItemDelegate] Add a semi-transparent effect to the labels of hidden files + * PreviewJob: Resolve parent mime types before checking wildcards (kde#453480) + * [kemailclientlauncherjob] Allow setting BCC + * TrashSizeCache: fix parsing of directory cachesize file and improve code + * DirectorySizeJob: use targetUrl as url + * KFileItem: GetStatusBarInfo: Improve display for urls + * KDirModel: don't nuke query and fragment in URLs + * [KFilePlacesView] Show inline eject button only for removable drives (kde#453890) + * [KFilePlacesView] Don't show capacity bar for network shares + * kpasswdserver: fix mistake + * port to standard C++ smart pointers where possible + * rfc search provider: Fix URL + * Skip generation of KCM symlinks on windows + * KCMs: Define plugin id to match the desktop file name + * Embed json metadata in KCMs, port to new systemsettings namespaces + * quickfix crash if element not found, we want to use the range erase here + * Add env var KIO_ENABLE_WORKER_THREADS in case of trouble. + * Initialize std::atomic variables. 
+ * SlaveBase: skip sighandlers when run in thread + * kio_file: remove use of QDir::setCurrent() + * Implement running KIO workers in-process using a thread + * [StatJob] Set total amount to 1 Item + * KSambashare: handle "Weak crypto is allowed" error message + * dropjob: don't create PasteJob when `m_hasArkFormat` is true + * KFileWidget: initialize KFilePlaceModel before KUrlNavigator + * [previewjob] Deduplicate legacy plugins based on desktop file name instead of pluginId + +- Update to 5.94.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.94.0 +- Too many changes since 5.93.0, only listing bugfixes: + * KFileWidget: allow icon sizes to go up to 512 (kde#452139) + * dropjob: Extract Ark data in ctor (kde#453390) + * Don't put job/ioworker on hold after getting the mimetype (kde#452729) + * [KUrlNavigatorPlacesSelector] Do storage setup also when requesting a new tab (kde#452923) + * KFilePlacesView: use animations only if QStyle::SH_Widget_Animation_Duration > 0 (kde#448802) + * KUrlNavigator: offer open in new window action too (kde#451809) + +- Update to 5.93.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.93.0 +- Changes since 5.92.0: + * Fix KRecentDocumentTest + * fix reading wrong integer type from config (kde#452048) + * Add Yandex search keywords + * [KFilePlacesView] Don't append "(hidden)" to disappearing groups + * Don't use KCrash on Android, currently not used there + * KOpenWithDialog: alternative fix for the sort filter model regex + * Introduce KCoreUrlNavigator + * filewidgets: Auto-select filename before extension in filename dialog + * Add support in krecentdocument to add to recently-used.xbel + * [KFilePlacesView] Drop now unused placeEntered/Left handling + * [KFilePlacesView] Show free space as permanent thin line + * include QStandardPaths + * autotests: port kdirmodeltest to QSignalSpy::wait + * KRecentDocuments: 
don't save history for hidden files by default + * KUrlNavigator: don't force LtR + * [KPropertiesDialog] Use PlainText format for most labels + * autotests: use temp dir to avoid issues with parallel tests + * KFileItem: protect againt ' ' passed mimeType + * KFileItem: use passed mimeType to determine isDir + * KOpenWithDialog: Include arguments in name when writing a new desktop file + * Add Android to the list of supported platforms + * [KPropertiesDialog] Make read-only filename label selectable by mouse + * [KFilePlacesModel] Improve outcome of dropped places + * Add autotest for KDirLister::setMimeFilter + * [ftp] Simplify code + +- Update to 5.92.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.92.0 +- Too many changes since 5.91.0, only listing bugfixes: + * KFilePlacesView: Fix crash when dragging over topmost section header (kde#450813) + * Hide mount point labels if mount point can't be found (kde#449791) + * Fix trash KCM not having any icon on wayland (kde#449859) + * Fix potential crash in pastejob (kde#439948) + * [KFilePlacesView] Mount place when dropping onto it (kde#206629) + * [knewfilemenu] Bind stat job connection lifetime to dialog, not the whole menu (kde#433347) + +- Force PIE when building with gcc-10 (boo#1195628) + +- Update to 5.91.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.91.0 +- Too many changes since 5.90.0, only listing bugfixes: + * Consider slow files as remote files in previewjob (kde#349161) + * [desktopexecparser] Consider associations from mimeapps.list to + determine whether an app supports a scheme (kde#440062) + * [kopenwithdialog] Fix filtering (kde#449330) + * kdirmodel: Allow using full path for Icon in .desktop file (kde#448116) + * file_unix: Do not try to preserve ownership when permission is -1 (kde#447779) + * KPropertiesDialog: use the KFileItem when checkig if the url is local (kde#444624) 
+ kitemviews +- Update to 5.100.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.100.0 +- Changes since 5.99.0: + * KCategoryDrawer: Update design to match Kirigami list categories + * Fix the translation folder name + +- Update to 5.99.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.99.0 +- Changes since 5.98.0: + * Add Qt6 windows CI support + * .gitlab-ci.yml: enable static builds + +- Update to 5.98.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.98.0 +- Changes since 5.97.0: + * Add FreeBSD Qt6 CI support + +- Update to 5.97.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.97.0 +- No code change since 5.96.0 + +- Update to 5.96.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.96.0 +- Changes since 5.95.0: + * Require tests to pass for the CI to pass + * Add two KF6 TODO notes for API improvements + +- Update to 5.95.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.95.0 +- No code change since 5.94.0 + +- Update to 5.94.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.94.0 +- Changes since 5.93.0: + * Add windows CI + +- Update to 5.93.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.93.0 +- Changes since 5.92.0: + * KExtendableItemDelegate: Fix HiDPI positioning of indicator arrows + +- Update to 5.92.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.92.0 +- Changes since 5.91.0: + * Remove broken Python bindings generation + * Add Android Qt6 CI + * Make the BUILD_DESIGNERPLUGIN option dependent on not cross-compiling + +- Update to 
5.91.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.91.0 +- Changes since 5.90.0: + * Add CI qt6 support + kjobwidgets +- Update to 5.100.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.100.0 +- Changes since 5.99.0: + * Add Qt6 windows CI support + * Fix the translation folder name + +- Update to 5.99.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.99.0 +- Changes since 5.98.0: + * .gitlab-ci.yml: enable static builds + +- Update to 5.98.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.98.0 +- Changes since 5.97.0: + * Add FreeBSD Qt6 CI support + * kuiserverv2jobtracker: Don't terminate a null JobView + +- Update to 5.97.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.97.0 +- Changes since 5.96.0: + * Fix some Clazy and switch handling warnings. + * ui-server: Fix crash by only re-registering live KJobs. 
(kde#450325) + +- Update to 5.96.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.96.0 +- No code change since 5.95.0 + +- Update to 5.95.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.95.0 +- No code change since 5.94.0 + +- Update to 5.94.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.94.0 +- Changes since 5.93.0: + * Add windows CI + +- Update to 5.93.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.93.0 +- Changes since 5.92.0: + * Require unittests to pass for CI jobs to pass + +- Update to 5.92.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.92.0 +- Changes since 5.91.0: + * Add Qt6 Android CI + * Remove broken Python bindings generation + +- Update to 5.91.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.91.0 +- Changes since 5.90.0: + * Check executables exist in PATH before passing them to QProcess + * Add CI qt6 support + knotifications +- Update to 5.100.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.100.0 +- Changes since 5.99.0: + * Port TTS support to Qt 6 + * Fix the translation folder name + * Add Qt6 windows CI support + * Port from QStringRef to QStringView + +- Update to 5.99.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.99.0 +- Changes since 5.98.0: + * Add CMake option to build WITHOUT_X11 + +- Update to 5.98.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.98.0 +- Changes since 5.97.0: + * Add FreeBSD Qt6 CI support + +- Update to 5.97.0 + * New feature release + * For more details please see: + * 
https://kde.org/announcements/frameworks/5/5.97.0 +- Changes since 5.96.0: + * Remove notificationplugin service type + * Drop lib prefix when building for Windows (MinGW) + * use ksandbox instead of hardcoding sandbox detection + +- Update to 5.96.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.96.0 +- Changes since 5.95.0: + * Remove extra ';' + +- Update to 5.95.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.95.0 +- No code change since 5.94.0 + +- Update to 5.94.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.94.0 +- Changes since 5.93.0: + * Add missing endif + * Remove outdated comment about qt11extras_p.h + * Don't send alpha channel if pixmap has none + * Add windows CI + +- Update to 5.93.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.93.0 +- Changes since 5.92.0: + * Port away from QX11Info + +- Update to 5.92.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.92.0 +- Changes since 5.91.0: + * Add Qt6 Android CI + * Allow to build the Java parts with Gradle from both Qt5 and Qt6 + * Fix compilation on Android with Qt6 + +- Update to 5.91.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.91.0 +- Changes since 5.90.0: + * Add CI for Qt6 + * Remove Phonon from Linux CI + * Add KStatusNotifierItem::hideAssociatedWidget() + * KStatusNotifierItem: use actions instead of Yes/No in Quit confirm dialog + krb5 -- Update to 1.19.2 - * Fix a denial of service attack against the KDC encrypted challenge - code; (CVE-2021-36222); - * Fix a memory leak when gss_inquire_cred() is called without a - credential handle. -- Changes from 1.19.1 - * Fix a linking issue with Samba. 
- * Better support multiple pkinit_identities values by checking whether - certificates can be loaded for each value. -- Changes from 1.19 - Administrator experience - * When a client keytab is present, the GSSAPI krb5 mech will refresh - credentials even if the current credentials were acquired manually. - * It is now harder to accidentally delete the K/M entry from a KDB. - Developer experience - * gss_acquire_cred_from() now supports the "password" and "verify" - options, allowing credentials to be acquired via password and - verified using a keytab key. - * When an application accepts a GSS security context, the new - GSS_C_CHANNEL_BOUND_FLAG will be set if the initiator and acceptor - both provided matching channel bindings. - * Added the GSS_KRB5_NT_X509_CERT name type, allowing S4U2Self requests - to identify the desired client principal by certificate. - * PKINIT certauth modules can now cause the hw-authent flag to be set - in issued tickets. - * The krb5_init_creds_step() API will now issue the same password - expiration warnings as krb5_get_init_creds_password(). - Protocol evolution - * Added client and KDC support for Microsoft's Resource-Based Constrained - Delegation, which allows cross-realm S4U2Proxy requests. A third-party - database module is required for KDC support. - * kadmin/admin is now the preferred server principal name for kadmin - connections, and the host-based form is no longer created by default. - The client will still try the host-based form as a fallback. - * Added client and server support for Microsoft's KERB_AP_OPTIONS_CBT - extension, which causes channel bindings to be required for the - initiator if the acceptor provided them. The client will send this - option if the client_aware_gss_bindings profile option is set. - User experience - * kinit will now issue a warning if the des3-cbc-sha1 encryption type is - used in the reply. This encryption type will be deprecated and removed - in future releases. 
- * Added kvno flags --out-cache, --no-store, and --cached-only - (inspired by Heimdal's kgetcred). -- Changes from 1.18.3 - * Fix a denial of service vulnerability when decoding Kerberos - protocol messages. - * Fix a locking issue with the LMDB KDB module which could cause - KDC and kadmind processes to lose access to the database. - * Fix an assertion failure when libgssapi_krb5 is repeatedly loaded - and unloaded while libkrb5support remains loaded. -- Changes from 1.18.2 - * Fix a SPNEGO regression where an acceptor using the default credential - would improperly filter mechanisms, causing a negotiation failure. - * Fix a bug where the KDC would fail to issue tickets if the local krbtgt - principal's first key has a single-DES enctype. - * Add stub functions to allow old versions of OpenSSL libcrypto to link - against libkrb5. - * Fix a NegoEx bug where the client name and delegated credential might - not be reported. -- Changes from 1.18.1 - * Fix a crash when qualifying short hostnames when the system has - no primary DNS domain. - * Fix a regression when an application imports "service@" as a GSS - host-based name for its acceptor credential handle. - * Fix KDC enforcement of auth indicators when they are modified by - the KDB module. - * Fix removal of require_auth string attributes when the LDAP KDB - module is used. - * Fix a compile error when building with musl libc on Linux. - * Fix a compile error when building with gcc 4.x. - * Change the KDC constrained delegation precedence order for consistency - with Windows KDCs. -- Changes from 1.18 - Administrator experience: - * Remove support for single-DES encryption types. - * Change the replay cache format to be more efficient and robust. - Replay cache filenames using the new format end with ".rcache2" - by default. - * setuid programs will automatically ignore environment variables - that normally affect krb5 API functions, even if the caller does - not use krb5_init_secure_context(). 
- * Add an "enforce_ok_as_delegate" krb5.conf relation to disable - credential forwarding during GSSAPI authentication unless the KDC - sets the ok-as-delegate bit in the service ticket. - * Use the permitted_enctypes krb5.conf setting as the default value - for default_tkt_enctypes and default_tgs_enctypes. - Developer experience: - * Implement krb5_cc_remove_cred() for all credential cache types. - * Add the krb5_pac_get_client_info() API to get the client account - name from a PAC. - Protocol evolution: - * Add KDC support for S4U2Self requests where the user is identified - by X.509 certificate. (Requires support for certificate lookup from - a third-party KDB module.) - * Remove support for an old ("draft 9") variant of PKINIT. - * Add support for Microsoft NegoEx. (Requires one or more third-party - GSS modules implementing NegoEx mechanisms.) - User experience: - * Add support for "dns_canonicalize_hostname=fallback", causing - host-based principal names to be tried first without DNS - canonicalization, and again with DNS canonicalization if the - un-canonicalized server is not found. - * Expand single-component hostnames in host-based principal names - when DNS canonicalization is not used, adding the system's first DNS - search path as a suffix. Add a "qualify_shortname" krb5.conf relation - to override this suffix or disable expansion. - * Honor the transited-policy-checked ticket flag on application servers, - eliminating the requirement to configure capaths on servers in some - scenarios. - Code quality: - * The libkrb5 serialization code (used to export and import krb5 GSS - security contexts) has been simplified and made type-safe. - * The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED - messages has been revised to conform to current coding practices. - * The test suite has been modified to work with macOS System Integrity - Protection enabled. 
- * The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support - can always be tested. -- Changes from 1.17.1 - * Fix a bug preventing "addprinc -randkey -kvno" from working in kadmin. - * Fix a bug preventing time skew correction from working when a KCM - credential cache is used. -- Changes from 1.17: - Administrator experience: - * A new Kerberos database module using the Lightning Memory-Mapped - Database library (LMDB) has been added. The LMDB KDB module should - be more performant and more robust than the DB2 module, and may - become the default module for new databases in a future release. - * "kdb5_util dump" will no longer dump policy entries when specific - principal names are requested. - Developer experience: - * The new krb5_get_etype_info() API can be used to retrieve enctype, - salt, and string-to-key parameters from the KDC for a client - principal. - * The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise - principal names to be used with GSS-API functions. - * KDC and kadmind modules which call com_err() will now write to the - log file in a format more consistent with other log messages. - * Programs which use large numbers of memory credential caches should - perform better. - Protocol evolution: - * The SPAKE pre-authentication mechanism is now supported. This - mechanism protects against password dictionary attacks without - requiring any additional infrastructure such as certificates. SPAKE - is enabled by default on clients, but must be manually enabled on - the KDC for this release. - * PKINIT freshness tokens are now supported. Freshness tokens can - protect against scenarios where an attacker uses temporary access to - a smart card to generate authentication requests for the future. - * Password change operations now prefer TCP over UDP, to avoid - spurious error messages about replays when a response packet is - dropped. 
- * The KDC now supports cross-realm S4U2Self requests when used with a - third-party KDB module such as Samba's. The client code for - cross-realm S4U2Self requests is also now more robust. - User experience: - * The new ktutil addent -f flag can be used to fetch salt information - from the KDC for password-based keys. - * The new kdestroy -p option can be used to destroy a credential cache - within a collection by client principal name. - * The Kerberos man page has been restored, and documents the - environment variables that affect programs using the Kerberos - library. - Code quality: - * Python test scripts now use Python 3. - * Python test scripts now display markers in verbose output, making it - easier to find where a failure occurred within the scripts. - * The Windows build system has been simplified and updated to work - with more recent versions of Visual Studio. A large volume of - unused Windows-specific code has been removed. Visual Studio 2013 - or later is now required. -- Replace old $RPM_* shell vars -- Removal of SuSEfirewall2 service since SuSEfirewall2 has been replaced - by firewalld -- Remove cruft to support distributions older than SLE 12 -- Use macros where applicable -- Switch to pkgconfig style dependencies -- Use %_tmpfilesdir instead of the wrong %_libexecdir/tmpfiles.d - notation: libexecdir is likely changing away from /usr/lib to - /usr/libexec -- Build with full Cyrus SASL support. Negotiating SASL credentials with - an EXTERNAL bind mechanism requires interaction. Kerberos provides its - own interaction function that skips all interaction, thus preventing the - mechanism from working. 
-- Removed patches: - * 0007-krb5-1.12-ksu-path.patch - * 0010-Add-recursion-limit-for-ASN.1-indefinite-lengths.patch - * 0011-Fix-KDC-null-deref-on-bad-encrypted-challenge.patch -- Renamed patches: - * 0001-krb5-1.12-pam.patch => 0001-ksu-pam-integration.patch - * 0003-krb5-1.12-buildconf.patch => 0003-Adjust-build-configuration.patch - * 0008-krb5-1.12-selinux-label.patch => 0007-SELinux-integration.patch - * 0009-krb5-1.9-debuginfo.patch => 0008-krb5-1.9-debuginfo.patch - * 0012-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch => - 0009-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch - -- Fix KDC null pointer dereference via a FAST inner body that - lacks a server field; (CVE-2021-37750); (bsc#1189929); -- Added patches: - * 0012-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch - -- Fix KDC null deref on bad encrypted challenge; (CVE-2021-36222); - (bsc#1188571); -- Added patches: - * 0011-Fix-KDC-null-deref-on-bad-encrypted-challenge.patch - -- Use /run instead of /var/run for daemon PID files; (bsc#1185163); - -- Add recursion limit for ASN.1 indefinite lengths; (CVE-2020-28196); - (bsc#1178512); -- Added patches: - * 0010-Add-recursion-limit-for-ASN.1-indefinite-lengths.patch - -- Fix prefix reported by krb5-config, libraries and headers are not - installed under /usr/lib/mit prefix. (bsc#1174079) - -- Update logrotate script, call systemd to reload the services - instead of init-scripts. (boo#1169357) - -- Integrate pam_keyinit pam module, ksu-pam.d; (bsc#1081947); - (bsc#1144047); - -- Move LDAP schema files from /usr/share/doc/packages/krb5 to - /usr/share/kerberos/ldap; (bsc#1134217); - -- Upgrade to 1.16.3 - * Fix a regression in the MEMORY credential cache type which could cause - client programs to crash. - * MEMORY credential caches will not be listed in the global collection, - with the exception of the default credential cache if it is of type MEMORY. 
- * Remove an incorrect assertion in the KDC which could be used to cause - a crash [CVE-2018-20217]. - * Fix bugs with concurrent use of MEMORY ccache handles. - * Fix a KDC crash when falling back between multiple OTP tokens configured - for a principal entry. - * Fix memory bugs when gss_add_cred() is used to create a new credential, - and fix a bug where it ignores the desired_name. - * Fix the behavior of gss_inquire_cred_by_mech() when the credential does - not contain an element of the requested mechanism. - * Make cross-realm S4U2Self requests work on the client when no - default_realm is configured. - * Add a kerberos(7) man page containing documentation of the environment - variables that affect Kerberos programs. -- Use systemd-tmpfiles to create files under /var/lib/kerberos, required - by transactional updates; (bsc#1100126); -- Rename patches: - * krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch - * krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch - * krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch - * krb5-1.6.3-gssapi_improve_errormessages.dif to - 0004-krb5-1.6.3-gssapi_improve_errormessages.patch - * krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch - * krb5-1.12-api.patch => 0006-krb5-1.12-api.patch - * krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch - * krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch - * krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch - -- Upgrade to 1.16.1 - * kdc client cert matching on client principal entry - * Allow ktutil addent command to ignore key version and use - non-default salt string. - * add kpropd pidfile support - * enable "encrypted_challenge_indicator" realm option on tickets - obtained using FAST encrypted challenge pre-authentication. 
- * dates through 2106 accepted - * KDC support for trivially renewable tickets - * stop caching referral and alternate cross-realm TGTs to prevent - duplicate credential cache entries - -- BSC#1021402 move %{_libdir}/krb5/plugins/tls/k5tls.so to krb5 package - so it is avaiable for krb5-client as well. - -- Upgrade to 1.15.3 - * Fix flaws in LDAP DN checking, including a null dereference KDC - crash which could be triggered by kadmin clients with administrative - privileges [CVE-2018-5729, CVE-2018-5730]. - * Fix a KDC PKINIT memory leak. - * Fix a small KDC memory leak on transited or authdata errors when - processing TGS requests. - * Fix a null dereference when the KDC sends a large TGS reply. - * Fix "kdestroy -A" with the KCM credential cache type. - * Fix the handling of capaths "." values. - * Fix handling of repeated subsection specifications in profile files - (such as when multiple included files specify relations in the same - subsection). - -- Added support for /etc/krb5.conf.d/ for configuration snippets - -- Replace references to /var/adm/fillup-templates with new - %_fillupdir macro (boo#1069468) - -- Remove build dependency doxygen, python-Cheetah, python-Sphinx, - python-libxml2, python-lxml, most of which are python 2 programs. - Consequently remove -doc subpackage. Users are encouraged to use - online documentation. (bsc#1066461) - -- Update package descriptions. 
- -- Upgrade to 1.15.2 - * Fix a KDC denial of service vulnerability caused by unset status - strings [CVE-2017-11368] - * Preserve GSS contexts on init/accept failure [CVE-2017-11462] - * Fix kadm5 setkey operation with LDAP KDB module - * Use a ten-second timeout after successful connection for HTTPS KDC - requests, as we do for TCP requests - * Fix client null dereference when KDC offers encrypted challenge - without FAST - * Ignore dotfiles when processing profile includedir directive - * Improve documentation - -- Set "rdns" and "dns_canonicalize_hostname" to false in krb5.conf - in order to improve client security in handling service principle - names. (bsc#1054028) - -- Prevent kadmind.service startup failure caused by absence of - LDAP service. (bsc#903543) - -- There is no change made about the package itself, this is only - copying over some changelog texts from SLE package: -- bug#918595 owned by varkoly@suse.com: VUL-0: CVE-2014-5355 - krb5: denial of service in krb5_read_message -- bug#912002 owned by varkoly@suse.com: VUL-0 - CVE-2014-5352, CVE-2014-9421, CVE-2014-9422, CVE-2014-9423: - krb5: Vulnerabilities in kadmind, libgssrpc, gss_process_context_token -- bug#910458 owned by varkoly@suse.com: VUL-1 - CVE-2014-5354: krb5: NULL pointer dereference when using keyless entries -- bug#928978 owned by varkoly@suse.com: VUL-0 - CVE-2015-2694: krb5: issues in OTP and PKINIT kdcpreauth modules leading - to requires_preauth bypass -- bug#910457 owned by varkoly@suse.com: VUL-1 - CVE-2014-5353: krb5: NULL pointer dereference when using a ticket policy - name as a password policy name -- bug#991088 owned by hguo@suse.com: VUL-1 - CVE-2016-3120: krb5: S4U2Self KDC crash when anon is restricted -- bug#992853 owned by hguo@suse.com: krb5: bogus prerequires -- [fate#320326](https://fate.suse.com/320326) -- bug#982313 owned by pgajdos@suse.com: Doxygen unable to resolve reference - from \cite - -- Remove wrong PreRequires from krb5 - -- use HTTPS project and source 
URLs - -- use source urls. -- krb5.keyring: Added Greg Hudson - -- removed obsolete krb5-1.15-fix_kdb_free_principal_e_data.patch -- Upgrade to 1.15.1 - * Allow KDB modules to determine how the e_data field of principal - fields is freed - * Fix udp_preference_limit when the KDC location is configured with - SRV records - * Fix KDC and kadmind startup on some IPv4-only systems - * Fix the processing of PKINIT certificate matching rules which have - two components and no explicit relation - * Improve documentation - -- remove useless environment.pickle to make build-compare happy - -- Introduce patch - krb5-1.15-fix_kdb_free_principal_e_data.patch - to fix freeing of e_data in the kdb principal - -- Upgrade to 1.15 -- obsoleted Patch7 (krb5-1.7-doublelog.patch) fixed in 1.12.2 -- obsoleted patch to src/util/gss-kernel-lib/Makefile.in since - file is not available in upstream source anymore -- obsoleted Patch15 (krb5-fix_interposer.patch) fixed in 1.15 -- Upgrade from 1.14.4 to 1.15 - major changes: - Administrator experience: - * Add support to kadmin for remote extraction of current keys without - changing them (requires a special kadmin permission that is excluded - from the wildcard permission), with the exception of highly - protected keys. - * Add a lockdown_keys principal attribute to prevent retrieval of the - principal's keys (old or new) via the kadmin protocol. In newly - created databases, this attribute is set on the krbtgt and kadmin - principals. - * Restore recursive dump capability for DB2 back end, so sites can - more easily recover from database corruption resulting from power - failure events. - * Add DNS auto-discovery of KDC and kpasswd servers from URI records, - in addition to SRV records. URI records can convey TCP and UDP - servers and master KDC status in a single DNS lookup, and can also - point to HTTPS proxy servers. - * Add support for password history to the LDAP back end. - * Add support for principal renaming to the LDAP back end. 
- * Use the getrandom system call on supported Linux kernels to avoid - blocking problems when getting entropy from the operating system. - * In the PKINIT client, use the correct DigestInfo encoding for PKCS - [#1] signatures, so that some especially strict smart cards will work. - Code quality: - * Clean up numerous compilation warnings. - * Remove various infrequently built modules, including some preauth - modules that were not built by default. - Developer experience: - * Add support for building with OpenSSL 1.1. - * Use SHA-256 instead of MD5 for (non-cryptographic) hashing of - authenticators in the replay cache. This helps sites that must - build with FIPS 140 conformant libraries that lack MD5. - Protocol evolution: - * Add support for the AES-SHA2 enctypes, which allows sites to conform - to Suite B crypto requirements. -- Upgrade from 1.14.3 to 1.14.4 - major changes: - * Fix some rare btree data corruption bugs - * Fix numerous minor memory leaks - * Improve portability (Linux-ppc64el, FreeBSD) - * Improve some error messages - * Improve documentation - -- add pam configuration file required for ksu - just use a copy of "su" one from Tumbleweed - -- Upgrade from 1.14.2 to 1.14.3: - * Improve some error messages - * Improve documentation - * Allow a principal with nonexistent policy to bypass the minimum - password lifetime check, consistent with other aspects of - nonexistent policies - * Fix a rare KDC denial of service vulnerability when anonymous client - principals are restricted to obtaining TGTs only [CVE-2016-3120] - -- Remove comments breaking post scripts. - -- Do no use systemd_requires macros in main package, it adds - unneeded dependencies which pulls systemd into minimal chroot. -- Only call %insserv_prereq when building for pre-systemd - distributions. -- Optimise some %post/%postun when only /sbin/ldconfig is called. - -- Remove source file ccapi/common/win/OldCC/autolock.hxx - that is not needed and does not carry an acceptable license. 
- (bsc#968111) - -- removed obsolete patches: - * 0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch - * krb5-mechglue_inqure_attrs.patch -- Upgrade from 1.14.1 to 1.14.2: - * Fix a moderate-severity vulnerability in the LDAP KDC back end that - could be exploited by a privileged kadmin user [CVE-2016-3119] - * Improve documentation - * Fix some interactions with GSSAPI interposer mechanisms - -- Upgrade from 1.14 to 1.14.1: - * Remove expired patches: - 0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch - 0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch - 0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch - krbdev.mit.edu-8301.patch - * Replace source archives: - krb5-1.14.tar.gz -> - krb5-1.14.1.tar.gz - krb5-1.14.tar.gz.asc -> - krb5-1.14.1.tar.gz.asc - * Adjust line numbers in: - krb5-fix_interposer.patch - -- Introduce patch - 0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch - to fix CVE-2016-3119 (bsc#971942) - -- Remove krb5-mini pieces from spec file. - Hence remove pre_checkin.sh -- Remove expired macros and other minor clean-ups in spec file. 
- -- Fix CVE-2015-8629: krb5: xdr_nullstring() doesn't check for terminating null character - with patch 0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch - (bsc#963968) -- Fix CVE-2015-8631: krb5: Memory leak caused by supplying a null principal name in request - with patch 0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch - (bsc#963975) -- Fix CVE-2015-8630: krb5: krb5 doesn't check for null policy when KADM5_POLICY is set in the mask - with patch 0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch - (bsc#963964) - -- Add two patches from Fedora, fixing two crashes: - * krb5-fix_interposer.patch - * krb5-mechglue_inqure_attrs.patch - -- Update to 1.14 -- dropped krb5-kvno-230379.patch -- added krbdev.mit.edu-8301.patch fixing wrong function call - Major changes in 1.14 (2015-11-20) - Administrator experience: - * Add a new kdb5_util tabdump command to provide reporting-friendly - tabular dump formats (tab-separated or CSV) for the KDC database. - Unlike the normal dump format, each output table has a fixed number - of fields. Some tables include human-readable forms of data that - are opaque in ordinary dump files. This format is also suitable for - importing into relational databases for complex queries. - * Add support to kadmin and kadmin.local for specifying a single - command line following any global options, where the command - arguments are split by the shell--for example, "kadmin getprinc - principalname". Commands issued this way do not prompt for - confirmation or display warning messages, and exit with non-zero - status if the operation fails. - * Accept the same principal flag names in kadmin as we do for the - default_principal_flags kdc.conf variable, and vice versa. Also - accept flag specifiers in the form that kadmin prints, as well as - hexadecimal numbers. 
- * Remove the triple-DES and RC4 encryption types from the default - value of supported_enctypes, which determines the default key and - salt types for new password-derived keys. By default, keys will - only created only for AES128 and AES256. This mitigates some types - of password guessing attacks. - * Add support for directory names in the KRB5_CONFIG and - KRB5_KDC_PROFILE environment variables. - * Add support for authentication indicators, which are ticket - annotations to indicate the strength of the initial authentication. - Add support for the "require_auth" string attribute, which can be - set on server principal entries to require an indicator when - authenticating to the server. - * Add support for key version numbers larger than 255 in keytab files, - and for version numbers up to 65535 in KDC databases. - * Transmit only one ETYPE-INFO and/or ETYPE-INFO2 entry from the KDC - during pre-authentication, corresponding to the client's most - preferred encryption type. - * Add support for server name identification (SNI) when proxying KDC - requests over HTTPS. - * Add support for the err_fmt profile parameter, which can be used to - generate custom-formatted error messages. - Code quality: - * Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that - could cause server crashes. [CVE-2015-2695] [CVE-2015-2696] - [CVE-2015-2698] - * Fix build_principal memory bug that could cause a KDC - crash. [CVE-2015-2697] - Developer experience: - * Change gss_acquire_cred_with_password() to acquire credentials into - a private memory credential cache. Applications can use - gss_store_cred() to make the resulting credentials visible to other - processes. - * Change gss_acquire_cred() and SPNEGO not to acquire credentials for - IAKERB or for non-standard variants of the krb5 mechanism OID unless - explicitly requested. (SPNEGO will still accept the Microsoft - variant of the krb5 mechanism OID during negotiation.) 
- * Change gss_accept_sec_context() not to accept tokens for IAKERB or - for non-standard variants of the krb5 mechanism OID unless an - acceptor credential is acquired for those mechanisms. - * Change gss_acquire_cred() to immediately resolve credentials if the - time_rec parameter is not NULL, so that a correct expiration time - can be returned. Normally credential resolution is delayed until - the target name is known. - * Add krb5_prepend_error_message() and krb5_wrap_error_message() APIs, - which can be used by plugin modules or applications to add prefixes - to existing detailed error messages. - * Add krb5_c_prfplus() and krb5_c_derive_prfplus() APIs, which - implement the RFC 6113 PRF+ operation and key derivation using PRF+. - * Add support for pre-authentication mechanisms which use multiple - round trips, using the the KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error - code. Add get_cookie() and set_cookie() callbacks to the kdcpreauth - interface; these callbacks can be used to save marshalled state - information in an encrypted cookie for the next request. - * Add a client_key() callback to the kdcpreauth interface to retrieve - the chosen client key, corresponding to the ETYPE-INFO2 entry sent - by the KDC. - * Add an add_auth_indicator() callback to the kdcpreauth interface, - allowing pre-authentication modules to assert authentication - indicators. - * Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to - suppress sending the confidentiality and integrity flags in GSS - initiator tokens unless they are requested by the caller. These - flags control the negotiated SASL security layer for the Microsoft - GSS-SPNEGO SASL mechanism. - * Make the FILE credential cache implementation less prone to - corruption issues in multi-threaded programs, especially on - platforms with support for open file description locks. 
- Performance: - * On slave KDCs, poll the master KDC immediately after processing a - full resync, and do not require two full resyncs after the master - KDC's log file is reset. - User experience: - * Make gss_accept_sec_context() accept tickets near their expiration - but within clock skew tolerances, rather than rejecting them - immediately after the server's view of the ticket expiration time. - -- Update to 1.13.3 -- removed patches for security fixes now in upstream source: - 0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch - 0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch - 0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch - 0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch - Major changes in 1.13.3 (2015-12-04) - This is a bug fix release. The krb5-1.13 release series is in - maintenance, and for new deployments, installers should prefer the - krb5-1.14 release series or later. - * Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that - could cause server crashes. [CVE-2015-2695] [CVE-2015-2696] - [CVE-2015-2698] - * Fix build_principal memory bug that could cause a KDC - crash. [CVE-2015-2697] - * Allow an iprop slave to receive full resyncs from KDCs running - krb5-1.10 or earlier. - -- Apply patch 0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch - to fix a memory corruption regression introduced by resolution of - CVE-2015-2698. bsc#954204 - -- Make kadmin.local man page available without having to install krb5-client. bsc#948011 -- Apply patch 0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch - to fix build_principal memory bug [CVE-2015-2697] bsc#952190 -- Apply patch 0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch - to fix IAKERB context aliasing bugs [CVE-2015-2696] bsc#952189 -- Apply patch 0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch - to fix SPNEGO context aliasing bugs [CVE-2015-2695] bsc#952188 - -- Let server depend on libev (module of libverto). 
This was the - preferred implementation before the seperation of libverto from krb. - -- Drop libverto and libverto-libev Requires from the -server - package: those package names don't exist and the shared libs - are pulled in automatically. - -- Unconditionally buildrequire libverto-devel: krb5-mini also - depends on it. - -- pre_checkin.sh aligned changes between krb5/krb5-mini -- added krb5.keyring - -- update to krb5 1.13.2 -- DES transition - ============== - The Data Encryption Standard (DES) is widely recognized as weak. The - krb5-1.7 release contains measures to encourage sites to migrate away -- From using single-DES cryptosystems. Among these is a configuration - variable that enables "weak" enctypes, which defaults to "false" - beginning with krb5-1.8. - Major changes in 1.13.2 (2015-05-08) - This is a bug fix release. - * Fix a minor vulnerability in krb5_read_message, which is primarily - used in the BSD-derived kcmd suite of applications. [CVE-2014-5355] - * Fix a bypass of requires_preauth in KDCs that have PKINIT enabled. - [CVE-2015-2694] - * Fix some issues with the LDAP KDC database back end. - * Fix an iteration-related memory leak in the DB2 KDC database back - end. - * Fix issues with some less-used kadm5.acl functionality. - * Improve documentation. - -- Use externally built libverto - -- update to krb5 1.13.1 - Major changes in 1.13.1 (2015-02-11) - This is a bug fix release. - * Fix multiple vulnerabilities in the LDAP KDC back end. - [CVE-2014-5354] [CVE-2014-5353] - * Fix multiple kadmind vulnerabilities, some of which are based in the - gssrpc library. [CVE-2014-5352 CVE-2014-5352 CVE-2014-9421 - CVE-2014-9422 CVE-2014-9423] - -- Update to krb5 1.13 - * Add support for accessing KDCs via an HTTPS proxy server using the - MS-KKDCP protocol. - * Add support for hierarchical incremental propagation, where slaves - can act as intermediates between an upstream master and other downstream - slaves. 
- * Add support for configuring GSS mechanisms using /etc/gss/mech.d/*.conf - files in addition to /etc/gss/mech. - * Add support to the LDAP KDB module for binding to the LDAP server using - SASL. - * The KDC listens for TCP connections by default. - * Fix a minor key disclosure vulnerability where using the "keepold" option - to the kadmin randkey operation could return the old keys. [CVE-2014-5351] - * Add client support for the Kerberos Cache Manager protocol. If the host - is running a Heimdal kcm daemon, caches served by the daemon can be - accessed with the KCM: cache type. - * When built on OS X 10.7 and higher, use "KCM:" as the default cache type, - unless overridden by command-line options or krb5-config values. - * Add support for doing unlocked database dumps for the DB2 KDC back end, - which would allow the KDC and kadmind to continue accessing the database - during lengthy database dumps. -- Removed patches, useless or upstreamed - * krb5-1.9-kprop-mktemp.patch - * krb5-1.10-ksu-access.patch - * krb5-1.12-doxygen.patch - * bnc#897874-CVE-2014-5351.diff - * krb5-1.13-work-around-replay-cache-creation-race.patch - * krb5-1.10-kpasswd_tcp.patch -- Refreshed patches - * krb5-1.12-pam.patch - * krb5-1.12-selinux-label.patch - * krb5-1.7-doublelog.patch - kservice +- Update to 5.100.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.100.0 +- Changes since 5.99.0: + * Do not warn if KService("") is instantiated + * .kde-ci.yml: enable static CI builds + * Add Qt 6 Windows CI + +- Update to 5.99.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.99.0 +- No code change since 5.98.0 + +- Update to 5.98.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.98.0 +- Changes since 5.97.0: + * Add FreeBSD Qt6 CI support + +- Update to 5.97.0 + * New feature release + * For more details please see: + 
* https://kde.org/announcements/frameworks/5/5.97.0 +- Changes since 5.96.0: + * Add property def for X-Flatpak key + * Define HAVE_MMAP to 0 instead of undefining it (kde#456780) + * KSycocaDict: don't inherit from containers + * use ksandbox to determine if we are inside a flatpak + +- Update to 5.96.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.96.0 +- Changes since 5.95.0: + * General code clean up + * Bump deprecation KF version in ecm_set_disabled_deprecation_versions + * add aliasfor custom property + * refresh git-blame-ignore-revs for latest clang-format run + * automatic clang-format run (clang 14) + +- Update to 5.95.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.95.0 +- Changes since 5.94.0: + * kbuildsycoca: Ignore last modified time when set to UNIX Epoch (kde#442011) + +- Update to 5.94.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.94.0 +- Changes since 5.93.0: + * Add missing KCoreAddons and KConfig to tests + * Add windows CI + * KService: Do not link KCoreAddons and KConfig publicly when building without deprecations + * kservice.h: Wrap public KCoreAddons includes in deprecation macros + * Add Android to supported platforms in repo metadata + +- Update to 5.93.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.93.0 +- Changes since 5.92.0: + * Add Android to supported platforms in repo metadata + +- Update to 5.92.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.92.0 +- Changes since 5.91.0: + * Use :/kservicetypes5 instead of :/kf/kservicetypes5 + * Add Qt6 Android CI + * Explicitely call KPluginMetaData::fromDesktopFile instead of + KPluginMetaData(QString fileName) constructor + +- Update to 5.91.0 + * New feature release + * For more details 
please see: + * https://kde.org/announcements/frameworks/5/5.91.0 +- Changes since 5.90.0: + * Fix warning (qt6 warning) + * Utilize ECMDeprecationSettings to manage deprecate Qt/KF API + * Install kservice_version.h in KService include prefix + * Add CI qt6 support + * Make parseLayoutNode function const + * Make "missing merge tag" error actionable + * Silence deprecation warnings for implementation of deprecated API & their autotests + ktextwidgets +- Update to 5.100.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.100.0 +- Changes since 5.99.0: + * Add Qt6 windows CI support + +- Update to 5.99.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.99.0 +- No code change since 5.98.0 + +- Update to 5.98.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.98.0 +- Changes since 5.97.0: + * Add FreeBSD Qt6 CI support + +- Update to 5.97.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.97.0 +- Changes since 5.96.0: + * Fix heading level line break handling with Qt 6.3 + * Adapt tests to Qt 6.3 HTML generation changes + +- Update to 5.96.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.96.0 +- No code change since 5.95.0 + +- Update to 5.95.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.95.0 +- No code change since 5.94.0 + +- Update to 5.94.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.94.0 +- Changes since 5.93.0: + * Mark Android as supported + * Add windows CI + +- Update to 5.93.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.93.0 +- Changes since 5.92.0: + * Require unittests to pass for CI jobs to 
pass + +- Update to 5.92.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.92.0 +- Changes since 5.91.0: + * Add Qt6 Android CI + * Make the BUILD_DESIGNERPLUGIN option dependent on not cross-compiling + +- Update to 5.91.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.91.0 +- Changes since 5.90.0: + * Add CI qt6 support + kwallet +- Update to 5.100.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.100.0 +- Changes since 5.99.0: + * mark some binaries as non-gui + * Add support for plain transfer algorithm to Secret Service API (kde#458341) + * Change naming and order of FreedesktopSecret members to match the spec + * Add Qt6 windows CI support + +- Update to 5.99.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.99.0 +- No code change since 5.98.0 + +- Update to 5.98.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.98.0 +- Changes since 5.97.0: + * Don't register dummy org.freedesktop.secrets service when api is disabled (kde#458069) + * Add FreeBSD Qt6 CI support + * Only build kwallet-query's manpage if it's enabled + * Don't build blowfishtest with -DBUILD_KWALLET=FALSE + * Add missing cerrno header + * backendpersisthandler parentheses around assignment used as truth value + +- Update to 5.97.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.97.0 +- Changes since 5.96.0: + * Remove duplicate header between cpp/h + * Do not try to rename label twice in entryRenamed() + * Do not create EntryLocation with empty key + * Introduce Secret Service API + +- Update to 5.96.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.96.0 +- Changes since 5.95.0: + * 
KNewWalletDialogGpg: code cleanup + * Use cmakedefine01 + +- Update to 5.95.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.95.0 +- No code change since 5.94.0 + +- Update to 5.94.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.94.0 +- Changes since 5.93.0: + * Add windows CI + +- Update to 5.93.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.93.0 +- Changes since 5.92.0: + * Require unittests to pass for CI jobs to pass + +- Update to 5.92.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.92.0 +- No code change since 5.91.0 + +- Update to 5.91.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.91.0 +- Changes since 5.90.0: + * Add CI qt6 support + * Fix install headers + * Change the build system to enable building with Qt6 + * Port away from KToolInvocation::startServiceByDesktopName() + kwidgetsaddons +- Update to 5.100.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.100.0 +- Changes since 5.99.0: + * avoid stating files during restore of recent files (kde#460868) + * Add a method to remove all actions in one go + * KTitleWidget: Constraint the frame size so it properly aligns (kde#460542) + * KPageDialog: Collapse margins also for flat list + * KToolBarPopupAction: Apply popupMode to existing widgets + * Deprecate KStandardGuiItem::yes() KStandardGuiItem::no() + * KMessageDialog: add API using "action" terms instead of "Yes" & "No" + * KMessageBox: add API using "action" terms instead of "Yes" & "No" + * Fix potential crash in fix for 458335 + * Fix the translation folder name + +- Update to 5.99.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.99.0 +- 
Changes since 5.98.0: + * Add Qt6 windows CI support + * .gitlab-ci.yml: enable static builds + +- Update to 5.98.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.98.0 +- Changes since 5.97.0: + * Fix KMessageBoxes buttons not having the contents they should the first time (kde#458335) + * Improve code quality + * Disable test for accepting short date format on Windows + * Support dates in ISO format + * Avoid usage of ambiguous two-digit year in date picker + * Share helper returning 4-digit date format with other classes + * Add FreeBSD Qt6 CI support + * only remove ... not & + * Paint frame before contents + * Add manual test for kgradientselector + * ensure consistent ... removal in iconText (kde#428372) + * KMessageWidget: Ensure correct tab order of action buttons + +- Update to 5.97.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.97.0 +- Changes since 5.96.0: + * [KMessageDialog] Emit notification sound just like KMessageBox + * Make OK button configurable in KMessageBox::error/detailedError + * Deprecate KMessage*::sorry + * Remove declaration of unimplemented sorryWId(buttonOk) overload + * Deprecate unsupported & unused KMessageBox::PlainCaption flag + * Deprecate KMessageBox::about() + * Add edit-clear-history icon to the Clear List action + +- Update to 5.96.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.96.0 +- Changes since 5.95.0: + * avoid margin if we have no text set + +- Update to 5.95.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.95.0 +- Changes since 5.94.0: + * Update kcharselect-data to Unicode 14.0 + * port to standard C++ smart pointers where possible + * KMessageDialog: handle the dialog getting closed without using the buttonBox + +- Update to 5.94.0 + * New feature release + * For more details 
please see: + * https://kde.org/announcements/frameworks/5/5.94.0 +- Changes since 5.93.0: + * KDateComboBox: Add test for date picker integration + * KDateComboBox: Add a test app for KDateComboBox + * Use KDatePickerPopup in KDateComboBox + * Add support for custom date word maps, as done in KDateComboBox + * Share date range support between KDateComboBox and KDatePickerPopup + * KDateComboBoxPrivate does not need a virtual dtor + * Allow to change KDatePickerPopup modes at runtime + * Implement date word actions as done in KDateCombobox + * Build the date picker menu dynamically on demand + * Add KDatePickerPopup + * Add windows CI + * KPageDialog: Add a new face type with a flat list of small icons + +- Update to 5.93.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.93.0 +- Changes since 5.92.0: + * Align buttons (and icon) on top, also when word wrap is off, but text is + pre-formatted to span multiple lines. + * avoid quadratic search of children widgets + +- Update to 5.92.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.92.0 +- Changes since 5.91.0: + * KCharSelect: connect to the appropriate QFontComboBox signal (kde#445477) + * Remove broken Python bindings generation + * Check executables exist in PATH before passing them to QProcess + * Add Android Qt6 CI + * Make the BUILD_DESIGNERPLUGIN option dependent on not cross-compiling + * Make KSqueezedTextLabel more robust wrt QFontMetrics + +- Update to 5.91.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.91.0 +- Changes since 5.90.0: + * Use kf + * Add CI qt6 support + kwindowsystem +- Update to 5.100.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.100.0 +- Changes since 5.99.0: + * Fix the translation folder name + +- Update to 5.99.0 + * New feature release + * For more 
details please see: + * https://kde.org/announcements/frameworks/5/5.99.0 +- Changes since 5.98.0: + * Add Qt6 windows CI support + * Port QtWinExtra uses for Qt 6 + * Remove QWindow::isExposed() check in activateWindow() (kde#458983) + +- Update to 5.98.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.98.0 +- Changes since 5.97.0: + * Remove extra ';' + * Add FreeBSD Qt6 CI support + +- Update to 5.97.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.97.0 +- Changes since 5.96.0: + * Doc: Update WM spec URL + +- Update to 5.96.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.96.0 +- Changes since 5.95.0: + * Make enum Q_ENUM + * Implement _GTK_SHOW_WINDOW_MENU. + +- Update to 5.95.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.95.0 +- Changes since 5.94.0: + * port to standard C++ smart pointers where possible + * Add a new window type named AppletPopup. 
+ * Fix API docs for requestXdgActivationToken + +- Update to 5.94.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.94.0 +- Changes since 5.93.0: + * autotests: improve test-reporting, comment-typo + * Require passing tests + * Fix skipping wayland test when weston is not found + * Mark as supported on Android + * Add windows CI + +- Update to 5.93.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.93.0 +- No code change since 5.92.0 + +- Update to 5.92.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.92.0 +- Changes since 5.91.0: + * Add Qt6 Android CI + * Ensure that xdgActivationTokenArrived is always emitted asynchronously (kde#450342) + +- Update to 5.91.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.91.0 +- Changes since 5.90.0: + * Check executables exist in PATH before passing them to QProcess + * fix typo + * install plugins in kf + * Fix doxygen docs for requestXdgActivationToken + * Add CI qt6 support + * Avoid XKeycodeToKeysym in KKeyServer::initializeMods (kde#426684) + * Remove placeholder wayland platform plugin + * [kwindowinfo] Add support for reading _GTK_APPLICATION_ID + * Add KWindowSystem::updateStartupId(QWindow *window) + kxmlgui +- Update to 5.100.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.100.0 +- Changes since 5.99.0: + * Add Qt6 windows CI support + +- Update to 5.99.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.99.0 +- Changes since 5.98.0: + * use same config for position restoration as for position saving + +- Update to 5.98.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.98.0 +- Changes since 5.97.0: + * Fix crash in 
addActionToSchemesMoreButton() introduced by merge mistake + * Add FreeBSD Qt6 CI support + +- Update to 5.97.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.97.0 +- Changes since 5.96.0: + * [KShortcutsDialog] Make it possible to reload shortcut schemes + * [KShortcutsDialog] Make it possible to add a custom edit action + * [KShortcutSchemesEditor] Fix bug introduced by refactoring in commit de0790fe + * Fix crash of KMix in Legacy Tray + * [KShortcutsDialog] Add icons for actions + * KKeySequenceWidget: don't use a QHash to hold a few elements + +- Update to 5.96.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.96.0 +- Changes since 5.95.0: + * Fix QWhatsThis links not being clickable + * Allow to load rc file in kf6 + * Fix typo in local variable name + +- Update to 5.95.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.95.0 +- Changes since 5.94.0: + * KShortcutsDialog: hide Global columns when there are no Global shortcuts (kde#427129) + * Silence UBSan false positive in KActionCollection + * port to standard C++ smart pointers where possible + +- Update to 5.94.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.94.0 +- Changes since 5.93.0: + * autotests: skip kde-global settings changes on Windows (no DBus) + * ui_standards.rc: add tag so kate can insert a menu between Edit and View + * Add autotests for autosaving in combination with separate state config + * Fix saving of state config if one has autosave enabled (kde#451725) + * Add windows CI + * Port away from QObject::sender() + * KToolBar: code refactoring + * Replace OS-specific system information code with QSysInfo (kde#450862) + +- Update to 5.93.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.93.0 +- Changes 
since 5.92.0: + * Require unittests to pass for CI jobs to pass + * KShortcutsEditorDelegate: Fix HiDPI rendering of indicator arrows (kde#414904) + * Tests: Enable HiDPI pixmap rendering + * Add Android to supported platforms in repo metadata + * Fix broken "Add to Toolbar" action + +- Update to 5.92.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.92.0 +- Changes since 5.91.0: + * Remove outdated readme file + * Add Qt6 Android CI + * Add an old formatting commit to git blame ignore file + * Make the BUILD_DESIGNERPLUGIN option dependent on not cross-compiling + * Support build without Qt session manager + * Add an action in help menu for command bar + * Update translation context of two strings + +- Update to 5.91.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.91.0 +- Changes since 5.90.0: + * Check executables exist in PATH before passing them to QProcess + * Use uppercase includes + * Allow KToolBar to be in other places than MainWindow's ToolBarArea + * Fix i18n comment not being properly extracted + * Add CI qt6 support + libX11 +- U_fix-a-memory-leak-in-XRegisterIMInstantiateCallback.patch + * security update for CVE-2022-3554 (bsc#1204422) +- U_Fix-two-memory-leaks-in-_XFreeX11XCBStructure.patch + * security update for CVE-2022-3555 (bsc#1204425) + libapparmor +- add profiles-permit-php-fpm-pid-files-directly-under-run.patch + https://gitlab.com/apparmor/apparmor/-/merge_requests/914 (bsc#1202344) + libarchive +- Fix CVE-2022-36227, Handle a calloc returning NULL + (CVE-2022-36227, bsc#1205629) + * CVE-2022-36227.patch + libdb-4_8 +- Security fix: [bsc#1174414, CVE-2019-2708] + * libdb: Data store execution leads to partial DoS + * Backport the upsteam commits: + - Fixed several possible crashes when running db_verify + on a corrupted database. [#27864] + - Fixed several possible hangs when running db_verify + on a corrupted database. 
[#27864] + - Added a warning message when attempting to verify a queue + database which has many extent files. Verification will take + a long time if there are many extent files. [#27864] + * Add libdb-4_8-CVE-2019-2708.patch + -- Explicit add a conflict to other providers of /usr/lib/libdb.so - and /usr/lib/libdb-4.so - libdrm +- Apply n_libdrm-drop-valgrind-dep-generic.patch and + n_libdrm-drop-valgrind-dep-intel.patch only when the build uses + meson < 0.64. With meson 0.64, we don't get the dependency on + valgraind added. + +- split n_libdrm-drop-valgrind-dep.patch into + n_libdrm-drop-valgrind-dep-generic.patch and + n_libdrm-drop-valgrind-dep-intel.patch to fix build on s390 and + armv7l + +- Only apply libdrm-drop-valgrind-dep.patch if valgrnid_support is + enabled (fix build on e.g. aarch64). + +- renamed libdrm-drop-valgrind-dep.patch to + n_libdrm-drop-valgrind-dep.patch in order to mark it as 'never + to be upstreamed' + +- Add libdrm-drop-valgrind-dep.patch (as source): drop dependency + on valgrind on generated pkgconfig files. The .pc files are + auto-generated by meson and are 'technically' correct, but we do + not want to inject valgrind here (we can get away with this hack + as it's only relevant when using pkg-config --static, and we + do not provide static libs anyway). 
+ +- Update to 2.4.114 + * amdgpu.ids: use consistent formatting for RID + * amdgpu.ids: sort the file + * amdgpu.ids: update to the latest marketing name + * amdgpu_ids: add MI marketing names + * amdgpu: Add a default marketing name if none is found + * meson: fast-fail on unsupported OSes + * include/drm/drm_fourcc.h: Update from Linux v6.0-rc7 + * include/drm/i915_drm.h: Update from Linux v6.0-rc7 + * tests/util: add imx-lcdif driver + * intel: move declarations to top in drm_intel_gem_bo_unreference() + * build: automatically disable Intel if pciaccess is not found + * xf86drm: handle DRM_FORMAT_BIG_ENDIAN in drmGetFormatName() + * amdgpu: silence uninitialized variable warning + * xf86drmMode: add helpers for dumb buffers + * modetest: drop unused offset field in struct bo + * modetest: use sized integers in struct bo + * modetest: use dumb buffer helpers + +- disabled intel driver on s390x + +- update to 2.4.113: + * amdgpu: update marketing names + * sync i915_pciids with kernel + * atomic: fix atomic_add_unless() fallback's return value + * intel: Avoid aliasing violation + * intel: Hook up new platforms IDs + * meson: auto-enable etnaviv on arm, arc, mips and loongarch architectures + * modetest: use drmGetFormatName() + * lots of testsuite and CI improvements +- enable intel support everywhere as there are now discrete intel GPUs +- enable vc4 support on armv7/aarch64 +- simplify valgrind support ifdefery + +- update to 2.4.112: + * xf86drmMode: introduce drmModeConnectorGetPossibleCrtcs + * xf86drmMode: introduce drmModeGetConnectorTypeName + * xf86drmMode: constify drmModeAtomicReq functions + * gen_table_fourcc: strip _MODIFIER suffix for INVALID + * testsuite fixes + +- update to 2.4.111 + * bugfixes + * drops libkms +- added tegra-* tools on aarch64 to spefile + +- update to 2.4.110: + * build system updates + * amdgpu: implement new CTX OP to set/get stable pstates + * amdgpu: update_drm for new CTX OP to set/get stable pstates + * intel: Add 
support for ADL-N + * intel: Add support for RPLS platform + * intel: sync pciids with Linux kernel + * update to tests + +- update to 2.4.109: + * amdgpu: add new function to get fd + * radeon: remove duplicate struct declaration + * xf86drm: fix compiler warnings + * ci fixes + +- update to 2.4.108: + * amdgpu: add amdgpu_stress utility v2 + * amdgpu: add marketing names from 21.30 + * amdgpu: add new marketing name + * amdgpu: Make marketing names consistent + * amdgpu: use drmCloseBufferHandle + * build: bump version to 2.4.108 + * drm_fourcc: sync drm_fourcc with latest drm-next kernel + * etnaviv: use drmCloseBufferHandle + * exynos: use drmCloseBufferHandle + * Fix -Werror=format build errors on FreeBSD + * freedreno: use drmCloseBufferHandle + * headers: drm: Sync with drm-next + * intel: Do not assert on unknown chips in drm_intel_decode_context_alloc + * intel: Drop legacy execbuffer support + * intel: sync ADL-S PCI IDs with kernel + * intel: Sync pci ids + * intel: use drmCloseBufferHandle + * man: refer to drmCloseBufferHandle instead of DRM_IOCTL_GEM_CLOSE + * meson: Build libdrm.so as an unversioned lib on Android. + * meson: Don't build libkms for Android. 
+ * nouveau: print bo address in the GPU/CPU vm and its size + * nouveau: use drmCloseBufferHandle + * omap: use drmCloseBufferHandle + * radeon: use drmCloseBufferHandle + * tegra: use drmCloseBufferHandle + * test/amdgpu: Bob to Alice copy should be TMZ in secure bounce test + * tests/amdgpu: Fix TMZ secure bounce test + * xf86drm: add GEM_CLOSE ioctl wrapper + * xf86drm: add iterator API for DRM/KMS IN_FORMATS blobs + * xf86drm: fix mem leak in drm_usb_dev_path() + * xf86drmMode: make drm_property_type_is arg const + * xf86drmMode: simplify drm_property_type_is + * xf86drmMode: switch to standard inline qualifier + * xf86drm: Update drmGetFormatModifierNameFromArm to handle AFRC + libeconf +- Update to version 0.4.6+git20220427.3016f4e: + * econftool: + * * Parsing error: Reporting file and line nr. + * * --delimeters=spaces Taking all kind of spaces for delimiter + * libeconf: + Fixed bsc#1198165: Parsing files correctly which have space characters + AND none space characters as delimiters. + +- Update to version 0.4.5+git20220406.c9658f2: + * econftool: + * * New call "syntax" for checking the configuration files only. + Returns an error string with line number if an error occurs. + * * New options "--comment" and "--delimeters" + * * Parsing one file only if needed. + libepoxy +- needed by jira#PED-1174 (Mesa needs sync with Xserver, which + then needs updated libepoxy) + +- Update to version 1.5.10: + + Fix for building with MSVC on non-English locale. + + Fix build on Android. + + Add the right include paths for EGL and X11 headers. +- Upstream tarball url changed, probably by mistake, so leave old + url in place, but disabled. + libfprint +- Move to libfprint-tod fork: + This fork allows loading of external modules (typically non-free) + located in /usr/lib64/libfprint-2/tod-1/. This is neccessary for + fingerprint sensors that do on-device verifaction. + These non-free modules shall be included in Packman repositories. 
+ libglvnd +- update to 1.5.0: + * Add BTI landing pads for aarch64 + * Set current thread state to NULL in teardown + * Moving setspecific to before DestroyThreadState + * Fix a memory leak in libGLdispatch + * Use assembly stubs on armv6 +- drop libglvnd-add-bti.patch (upstream) + +- let libglvnd require Mesa-dri so GL drivers are available on + Wayland-only desktop installations (boo#1201474) + +- Update libglvnd-add-bti.patch from latest upstream submission + +- Re-enable asm on aarch64 +- Add patch to fix run with BTI enabled on aarch64: + * libglvnd-add-bti.patch - boo#1188928 + +- update to 1.4.0: + * tests cleanups + * Update bin/symbols-check.py from mesa/mesa@6f854145 + * Remove extra paragraph from license text. + * Add one more missing dep_x11_headers + * Update uthash to v2.3.0 + * EGL: Add support for eglQueryDisplayAttribKHR and NV. + libidn2 -- The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later, - match factory licenses (bsc#1180138) - -- Update to version 2.2.0 CVE-2019-12290 bsc#1154884: - * Perform A-Label roundtrip for lookup functions by default - * Stricter check of input to punycode decoder - * Fix punycode decoding with no ASCII chars but given delimiter - * Fix 'idn2 --no-tr64' (was a no-op) - * Allow _ as a basic code point in domain labels - * Fail building documentation if 'ronn' isn't installed - * git tag changed to reflect https://semver.org/ - -- update to 2.1.1 CVE-2019-18224 bsc#1154887: - * Revert SONAME bump from release 2.1.0 - * Fix NULL dereference in idn2_register_u8() and - idn2_register_ul() - * Fix free of random value in idn2_to_ascii_4i() - * Improved fuzzer (which found the above issues) - * Check for valid unicode input in punycode encoder - * Avoid excessive CPU usage in punycode encoding with - large inputs - * Deprecate idn2_to_ascii_4i() in favor of idn2_to_ascii_4i2() - * Restrict output length of idn2_to_ascii_4i() to 63 bytes - -- update to 2.1.0: - * Two internal functions are no 
longer exposed, soname bump - * Fix label length check for idn2_register_u8() - * Add missing error messages to idn2_strerror_name() - -- update to 2.0.5: - * Switch the default library behavior to IDNA2008 as amended by - TR#46 (non-transitional). That default behavior is enabled when - no flags are specified to function calls. Applications can - utilize the %IDN2_NO_TR46 flag to switch to the unamended - IDNA2008. This is done in the interest of interoperability - based on the fact that this is what application writers care - about rather than strict compliance with a particular protocol - * Fixed memory leak in idn2_to_unicode_8zlz() - * Return error (IDN2_ICONV_FAIL) on charset conversion errors - * Fixed issue with STD3 rules applying in non-transitional TR46 - mode - * idn2: added option --usestd3asciirules -- put translations into libidn2-lang -- correct location of install_info_prereq macro to be on tools - -- update to 2.0.4: - * Fix integer overflow in bidi.c/_isBidi() bsc#1056451 - * Fix integer overflow in puny_decode.c/decode_digit() - bsc#1056450 - * Fix idna_free() to idn_free() -- enable documentation again - -- update to 2.0.3: - * %IDN2_USE_STD3_ASCII_RULES disabled by default. - Previously libidn2 was eliminating non-STD3 characters from - domain strings such as _443._tcp.example.com, or IPs such as - 1.2.3.4/24 provided to libidn2 functions. That was an - unexpected regression for applications switching from libidn - and thus it is no longer applied by default. - Use %IDN2_USE_STD3_ASCII_RULES to enable that behavior again. 
-- disable documentation, does not build correctly - -- update to 2.0.2: - * Fix TR46 transitional mode - * Fix several documentation issues - -- Sources updated from http://alpha.gnu.org to https://ftp.gnu.org - -- Update to version 2.0.1 -- Version 2.0.1 (released 2017-04-22) - * idn2 utility now using IDNA2008 + TR46 by default -- Version 2.0.0 (released 2017-03-29) [alpha] - * Version numbering scheme changed - * Added to ASCII conversion functions corresponding to libidn1 - functions: - - idn2_to_ascii_4i - idn2_to_ascii_4z - - idn2_to_ascii_8z - idn2_to_ascii_lz - * Added to unicode conversion functions corresponding to libidn1 - functions: - - idn2_to_unicode_8z4z - idn2_to_unicode_4z4z - - idn2_to_unicode_44i - idn2_to_unicode_8z8z - - idn2_to_unicode_8zlz - idn2_to_unicode_lzlz - * Including idn2.h will provide libidn1 compatibility functions - unless IDN2_SKIP_LIBIDN_COMPAT is defined. That allows converting - applications from libidn1 (which offers IDNA2003) to libidn2 (which - offers IDNA2008) by replacing idna.h to idn2.h in the applications' - source. -- Dropped patch not needed after revision - * libidn2-no-examples-build.patch - -- Update to version 0.16 - * build: Fix idn2_cmd.h build rule. - * API and ABI is backwards compatible with the previous version. -- Update to version 0.15 (released 2017-01-14) - * Fix out-of-bounds read. - * Fix NFC input conversion (regression). - * Shrink TR46 static mapping data. - * API and ABI is backwards compatible with the previous version. -- Update to version 0.14 (released 2016-12-30) - * build: Fix gentr46map build. - * API and ABI is backwards compatible with the previous version. -- Update to version 0.13: - * build: Doesn't download external files during build. - * doc: Clarify license. - * build: Generate ChangeLog file properly. - * doc: API documentation related to TR46 flags. - * API and ABI is backwards compatible with the previous version. -- Update to version 0.12: - * Builds/links with libunistring. 
- * Fix two possible crashes with unchecked NULL pointers. - * Memleak fix. - * Binary search for codepoints in tables. - * Do not taint output variable on error in idn2_register_u8(). - * Do not taint output variable on error in idn2_lookup_u8(). - * Update to Unicode 6.3.0 IDNA tables. - * Add TR46 / UTS#46 support to API and idn2 utility. - * Add NFC quick check. - * Add make target 'check-coverage' for test coverage report. - * Add tests to increase test code coverage. - * API and ABI is backwards compatible with the previous version. - -- update to 0.11: - * Fix stack underflow in 'idn2' command line tool. [boo#1014473] - * Fix gdoc script to fix texinfo syntax error. - * API and ABI is backwards compatible with the previous version. - -- Convert to libidn2 package started to being used, namely by curl -- Alternative implementation based on new specification from 2008 - + completely different codebase with no ties to libidn - -- libidn 1.33: - * bnc#990189 CVE-2015-8948 CVE-2016-6262 - * bnc#990190 CVE-2016-6261 - * bnc#990191 CVE-2016-6263 - * libidn: Fix out-of-bounds stack read in idna_to_ascii_4i. - * idn: Solve out-of-bounds-read when reading one zero byte as input. - * libidn: stringprep_utf8_nfkc_normalize reject invalid UTF-8. - -- Update to 1.32 - * libidn: Fix crash in idna_to_unicode_8z8z and - idna_to_unicode_8zlz. This problem was introduced in 1.31. - * API and ABI is backwards compatible with the previous version. -- Update gpg keyring - -- Add Apache-2.0 license to the license line. Under this is the - java code, but we don't build it -> just the sources license - -- Version bump to 1.31: - * Fixes bnc#923241 CVE-2015-2059 out-of-bounds read with stringprep on - invalid UTF-8 - * Few other triv changes - -- Version bump to 1.30: - * punycode.{c,h} files were reimported -- Cleanup with spec-cleaner - -- update version 1.29: - * libidn: Mark internal variable "g_utf8_skip" as static. 
- * idn: Flush stdout to simplify for tools that buffer too heavily. - * i18n: Added Brazilian Portuguese translation. - * Update gnulib files. - * API and ABI is backwards compatible with the previous version. - libinput -- Update to version 1.19.4 (boo#1198111): - * This release includes a fix for CVE-2022-1215, a format string - vulnerability in the evdev device handling. +- Update to release 1.21 + * This version includes a new configuration option that, + similarly to its touchpad counterpart, allows disabling the + trackpoint while typing. + * The flat acceleration profile has been improved in this + version. + +- Enable building libinput-replay [boo#1190065] + +- Update to release 1.20.1 + * Format string issue resolved [CVE-2022-1215 bsc#1198111] + +- Update to release 1.20.0 + * High-resolution scroll is more reliable thanks to the + inclusion of new heuristics. + * Better handling of BTN_TOOL_PEN on top of BTN_TOOL_RUBBER on + graphics tablets that trigger a kernel bug. + * libinput does not handle joysticks and gamepads. The + detection algorithm has been improved to avoid tagging some + of those devices as keyboards. + * Improved clickpad detection + * New quirks and bug fixing libmfx +- needed for jira#PED-1174 (Video decoding/encoding support + (VA-API, ...) for Intel GPUs is outside of Mesa) + +- Update to version 22.6.1 + * latest bugfix release + +- No code changes +- Update to version 22.4.4 was part of Intel oneVPL GPU Runtime + 2022Q2 Release 22.4.4 + +- Update to version 22.4.4 + * Decode + + Fix VC1 Decode assertion failure when frame type is NONE_PICTURE + * Software requirements + + Libdrm 2.4.84 or later + + Kernel 4.14 or later (5.4 recommended, consult kernel support matrix + wiki page for details) + * Known issues + + Kernel 5.0 have known issue with endurance on Skylake see + https://bugs.freedesktop.org/show_bug.cgi?id=110285 for details. 
+ * Windows support + + Samples and dispatcher API 1.35 supported by Windows Intel(r) graphics + driver since 27.20.100.8935 version. + * Limited support on certain platforms: + + MPEG-2 encode is not supported on Apollo Lake + + H.264 Flexible Encode Infrastructure only supported on Broadwell and + Skylake + + Multi Frame Encode (MFE), HEVC Flexible Encode Infrastructure only + supported on Skylake + + VP9 decoder is supported starting from Kabylake platform + + VP9 encoder is supported starting from Icelake platform + + SW fallback is unsupported for all components but MJPEG + + Keem Bay requires a VPU runtime library + + The following features are supported by Keem Bay runtime and are not + supported by Gen graphics runtime: + * mfxExtInsertHeaders + * mfxExtEncoderIPCMArea + +- Update to version 21.3.5: + * single change: Updates release notes for 21.3.4 release + * New features: + + VP9 Encode: Added WebRTC mode. + + Samples: + . Added "VuiTC" option to set VUI TransferCharacteristics in + sample_multi_transcode. + . Added the verification of input params before used in Init + for sample_encode + + Misc: + . Added support of DRM_FORMAT_NV12 for console mode + rendering. + . Added runtimes support matrix for Media SDK and oneVPL GPU + Runtime. + + Software requirements: + . Libdrm 2.4.84 or later + . Kernel 4.14 or later (5.4 recommended, consult kernel + support matrix wiki page for details) + + Known issues: Kernel 5.0 have known issue with endurance on + Skylake see + https://bugs.freedesktop.org/show_bug.cgi?id=110285 for + details. 
+ * Limited support on certain platforms: + + MPEG-2 encode is not supported on Apollo Lake + + H.264 Flexible Encode Infrastructure only supported on + Broadwell and Skylake + + Multi Frame Encode (MFE), HEVC Flexible Encode Infrastructure + only supported on Skylake + + VP9 decoder is supported starting from Kabylake platform + + VP9 encoder is supported starting from Icelake platform + + SW fallback is unsupported for all components but MJPEG + + Keem Bay requires a VPU runtime library + + The following features are supported by Keem Bay runtime and + are not supported by Gen graphics runtime: + . mfxExtInsertHeaders + . mfxExtEncoderIPCMArea + libnvme +- Update to version 1.2 (jsc#PED-553): + * 64-bit Reference Tags and TP-4068 changes + * Add more details for return code of MI admin cmds + * Fix poll.h includes + * Parse dhchap_host_key on controller level + * Regenerate all documentation + * Update json config schema for missing dhchap host key + * build: Add support to build against LibreSSL + * build: Drop -nostdinc for LibreSSL header checks + * fabrics: Add new TP8010 definitions + * fabrics: Add nvmf_get_discovery_wargs() + * fabrics: Duplicate strings when merging configs + * fabrics: Filter out empty strings in add_argument() + * fabrics: Fix build_options() return values + * fabrics: Use fallthrough statement + * fabrics: sanitize dump-config output + * ioctl: Honor rae in nvme_get_nsid_log + * ioctl: Set log page offset for nvme_get_log_telemetry_host + * json-schema: add dhchap_key details to host section + * json: Enforce correctly formatted JSON config files + * json: Verify JSON config file starts with an array + * json: fixup dhchap_ctrl_key definitions + * libnvme-mi: Introduce NVMe Managament Interface library + * mi-mctp: Add timeout support to MCTP transport + * mi: Add Get Log Page helpers + * mi: Add Identify function for secondary controller list + * mi: Add Identify helper for ns-descs and primary-ctrl-caps + * mi: Add endpoint get/set 
timeout API + * mi: Add firmware download and commit commands + * mi: Add identify helper for nsid-capable Controller List + * mi: Add identify helpers for namespace lists + * mi: Add identify helpers for namespaces + * mi: Add maximum More Processing Required limit API + * mi: Allow Admin-message sized More Processing Required responses + * mi: Distinguish MI status from NVMe (CDW3) status + * mi: Fix C++ compiler errors + * mi: Implement Format NVM command + * mi: Implement Get & Set Features Admin commands + * mi: Implement NS attach command and helpers + * mi: Implement Namespace Management command and create/delete helpers + * mi: Implement Sanitize command + * mi: Init ctrl_id within xfer + * mi: Introduce a helper for response status, unify values with ioctls + * mi: Set log page offset for nvme_get_log_telemetry_host + * mi: add nvme_mi_status_to_string() + * mi: fix a memory leak in nvme_mi_open_mctp() + * mi: fix get_log_page chunked offset check + * mi: unify MI Get Log Page function with ioctl API + * nvme-tree: avoid segfault if auth keys are unavailable + * python: Use nvmf_get_discovery_wargs() + * python: add missing ctrl attrs to Python bindings + * rpmbuild: Enable 'make rpm' to build rpm pkgs #408 + * tree: rename controller 'dhchap_key' to 'dhchap_ctrl_key' + * types: Move enum nvme_data_tfr to types + * update/cleanup of documentation + * util: Add LINE_MAX define + * util: Add get feature length 2 API to support direction parameter + * util: Add simple UUID type + * util: Do not expose fallthrough defines + * various build fixes + * various fixes reported by coverity +- Drop upstream patches + * remove 0001-fabrics-Lower-log-level-in-__nvmf_add_ctrl.patch + * remove 0002-fabrics-Remove-double-connection-error-logging.patch + * remove 0003-fabrics-Introduce-connection-connect-error-mapping.patch + * remove 0004-libnvme-Export-nvme_ctrl_get_config.patch + * remove 0005-tree-Factor-lookup-code-for-controller.patch + * remove 
0006-fabrics-Consider-config-from-file-when-adding-new-co.patch + * remove 0007-python-add-missing-ctrl-attrs-to-Python-bindings.patch + * remove 0008-libnvme-accessors-for-dhchap_key-variables.patch + * remove 0009-fabrics-Update-controller-authentication-in-nvmf_add.patch + * remove 0010-json-fixup-dhchap_ctrl_key-definitions.patch + * remove 0011-tree-rename-controller-dhchap_key-to-dhchap_ctrl_key.patch + * remove 0012-Parse-dhchap_host_key-on-controller-level.patch + * remove 0013-json-schema-add-dhchap_key-details-to-host-section.patch + * remove 0014-nvme-tree-avoid-segfault-if-auth-keys-are-unavailabl.patch + * remove 0015-fabrics-restructrure-nvmf_get_discovery_log.patch + * remove 0016-tree-simplifiy-nvme_subsystem_lookup_namespace.patch + * remove 0017-tree-make-nvme_subsystem_scan_namespace-idempotent.patch + * remove 0018-tree-make-nvme_ctrl_scan_namespace-idempotent.patch + * remove 0019-Fix-llx-lx-build-warnings-on-powerpc.patch + * remove 0020-fabrics-sanitize-dump-config-output.patch + * remove 0021-fabrics-Fix-build_options-return-values.patch +- Make man page build conditiional. Install man page location has been + fixed upstream. 
+- Mark the Python directory own by the libnvme3-python package +- Use fixed manpage build date (boo#1047218) +- Fix installation of manual pages to make them accessible + +- Fixes for controller authentication (bsc#1201501 bsc#1201700 bsc#1201701 bsc#1201717) + * add 0007-python-add-missing-ctrl-attrs-to-Python-bindings.patch + * add 0008-libnvme-accessors-for-dhchap_key-variables.patch + * add 0009-fabrics-Update-controller-authentication-in-nvmf_add.patch + * add 0010-json-fixup-dhchap_ctrl_key-definitions.patch + * add 0011-tree-rename-controller-dhchap_key-to-dhchap_ctrl_key.patch + * add 0012-Parse-dhchap_host_key-on-controller-level.patch + * add 0013-json-schema-add-dhchap_key-details-to-host-section.patch + * add 0014-nvme-tree-avoid-segfault-if-auth-keys-are-unavailabl.patch + * add 0015-fabrics-restructrure-nvmf_get_discovery_log.patch +- Subsystem scanning logic fixes + * add 0016-tree-simplifiy-nvme_subsystem_lookup_namespace.patch + * add 0017-tree-make-nvme_subsystem_scan_namespace-idempotent.patch + * add 0018-tree-make-nvme_ctrl_scan_namespace-idempotent.patch +- Fix PowerPC build warnings + * add 0019-Fix-llx-lx-build-warnings-on-powerpc.patch +- Fabrics fixes + * add 0020-fabrics-sanitize-dump-config-output.patch + * add 0021-fabrics-Fix-build_options-return-values.patch + libqmi +- update to 1.30.8: + * dms: new 'Foxconn FCC authentication v2' request/response. + +- Enable QRTR support + +- Update to 1.30.6 + * meson: fix 'export_packages' in GIR setup. + * net-port-manager: use unaligned netlink attribute length. +- Drop the unneeded rpmlintrc file + +- update to 1.30.4: + * * meson: switch to use the new python module in meson. + * * meson: added a new boolean 'man' option in the meson setup to explicitly + enable or disable building the man pages. + * * meson: removed the option to detect if rmnet is supported. + * * meson: multiple updates to use newer meson features like install_dir(), + install_mode() or summary(). 
+ * * meson: options 'mbim_qmux' and 'qrtr' are enabled by default and must be + explicitly disabled if they're not needed, there is no attempt to + autodetect whether they can be enabled or not. + * qmi-proxy: + * * Remove assert when attempting to close ghost device. + * qmi-firmware-update: + * * Use defaults if FLASH variables not reported, enabling support to flash + the new Sierra Wireless EM9190 and EM9191 modules. + * Several other minor improvements and fixes. + libslirp -- security update - fix CVE-2021-3593 [bsc#1187365], invalid pointer initialization may lead to information disclosure (udp6) - + libslirp-CVE-2021-3593.patch + fix https://gitlab.freedesktop.org/slirp/libslirp/-/issues/64 + + libslirp-semicolon.patch -- Add patch to fix the version header (bsc#1201551): - * 0001-meson-remove-meson-dist-script.patch +- Update to version 4.7.0+44 (current git master): + * Fix vmstate regression + * msvc: use char* for pointer arithmetic + * Align outgoing packets + * Bump incoming packet alignment to 8 bytes + * msvc: fix some gcc-specific pragma warnings + * msvc: enable vmstate code on !gnuc + * vmstate: only enable when building under GNU C + * ncsitest: Fix build with msvc + * Avoid running git-version-gen when building with MS VC + * windows: export symbols + * win32: replace strcasecmp with g_ascii_strcasecmp + * Drop spurious inline + * Avoid returning void + * Fix arithmetic on void * + * Avoid using ##__VA_ARGS__ gcc extension + * Fix bitfields order for MSVC + * Separate out SLIRP_PACKED to SLIRP_PACKED_BEGIN/END + * Do not use ssize_t on Windows + * Do not include unistd.h on windows, it does not have it + * Accept build-aux/git-version-gen failing to run + * container_of: avoid using __extension__ + * ncsi: Add Mellanox Get Mac Address handler + * slirp: Add out-of-band ethernet address + * ncsi: Add OEM command handler + * ncsi: Add basic test for Get Version ID response + * ncsi: Use response header for payload length + * ncsi: Pass command 
header to response handlers + * src/slirp.h: Bump the minimum Windows version to Windows 7 + * ncsi: Add Get Version ID command + * ncsi: Pass Slirp structure to response handlers + * slirp: Add manufacturer's ID + * Add support for Haiku to meson.build + * meson: add extra warnings + * win32: declare some local functions as static + * Include and for AF_INET6 and inet_pton + * Release v4.7.0 + * bump ABI version and age + * slirp: invoke client callback before creating timers + * pingtest: port to timer_new_opaque + * introduce timer_new_opaque callback + * introduce slirp_timer_new wrapper + * icmp6: make ndp_send_ra static + * Add sanitizers CI runs + * socket: Handle ECONNABORTED from recv + * bootp: fix g_str_has_prefix warning/critical + * slirp: Don't duplicate packet in tcp_reass + * Rename insque/remque -> slirp_[ins|rem]que + * mbuf: Use SLIRP_DEBUG to enable mbuf debugging instead of DEBUG + * Replace inet_ntoa() with safer inet_ntop() + * Add VMS_END marker + * bootp: add support for UEFI HTTP boot + * IPv6 DNS proxying support + * Add missing scope_id in caching + * Drop fixed TODO + * socket: Move closesocket(so->s_aux) to sofree + * socket: Check so_type instead of so_tcpcb for Unix-to-inet translation + * socket: Add s_aux field to struct socket for storing auxilliary socket + * socket: Initialize so_type in socreate + * socket: Allocate Unix-to-TCP hostfwd port from OS by binding to port 0 + * Allow to disable internal DHCP server + * slirp_pollfds_fill: Explain why dividing so_snd.sb_datalen by two + * CI: run integration tests with slirp4netns + * socket: Check address family for Unix-to-inet accept translation + * socket: Add debug args for tcpx_listen (inet and Unix sockets) + * socket: Restore original definition of fhost + * socket: Move include to socket.h + * Support Unix sockets in hostfwd + * resolv: fix IPv6 resolution on Darwin + * Use the exact sockaddr size in getnameinfo call + * Initialize sin6_scope_id to zero + * 
slirp_socketpair_with_oob: Connect pair through 127.0.0.1 + * resolv: fix memory leak when using libresolv + * pingtest: Add a trivial ping test + * icmp: Support falling back on trying a SOCK_RAW socket -- Fix a dhcp regression [bsc#1198773] - +libslirp-fix-dhcp-1.patch - +libslirp-fix-dhcp-2.patch +- Update to version 4.6.1+7: + * Haiku: proper path to resolv.conf for DNS server + * Fix for Haiku + * dhcp: Always send DHCP_OPT_LEN bytes in options +- Commit _servicedata to fix changelogs +- Don't include .git in source archive, not needed +- Run set_version together with obs_scm -- security update -- added patches - fix CVE-2021-3592 [bsc#1187364], invalid pointer initialization may lead to information disclosure (bootp) - + libslirp-CVE-2021-3592.patch - fix CVE-2021-3594 [bsc#1187367], invalid pointer initialization may lead to information disclosure (udp) - + libslirp-CVE-2021-3594.patch - fix CVE-2021-3595 [bsc#1187366], invalid pointer initialization may lead to information disclosure (tftp) - + libslirp-CVE-2021-3595.patch +- Update to version 4.6.1: + * Release v4.6.1 + * Fix "DHCP broken in libslirp v4.6.0" +- fixes [bsc#1198773] + +- Update to version 4.6.0: + * build-sys: forgot to bump version to 4.6.0 + * changelog: post-release + * Release v4.6.0 + * udp: check upd_input buffer size + * tftp: introduce a header structure + * tftp: check tftp_input buffer size + * upd6: check udp6_input buffer size + * bootp: check bootp_input buffer size + * bootp: limit vendor-specific area to input packet memory buffer + * Revert "Set macOS deployment target to macOS 10.4" +- fixes CVE-2021-3592 [bsc#1187364], CVE-2021-3593 [bsc#1187365], + CVE-2021-3594 [bsc#1187367],CVE-2021-3595[bsc#1187366] + +- Update to version 4.4.0: + * Release v4.4.0 + * socket: consume empty packets + * slirp: check pkt_len before reading protocol header + * Remove the QEMU-special make build-system + * Add DNS resolving for iOS + * meson: support compiling as subproject + * meson: remove 
meson-dist script + * Add G_GNUC_PRINTF to local function slirp_vsnprintf + * sosendoob: better document what urgc is used for + * .gitlab-ci: add a Coverity stage + * TCPIPHDR_DELTA: Fix potential negative value + * udp, udp6, icmp, icmp6: Enable forwarding errors on Linux + * icmp, icmp6: Add icmp_forward_error and icmp6_forward_error + * udp, udp6, icmp: handle TTL value + * ip_stripoptions use memmove + * changelog: post-release +- fixes [bsc#1201551] libstorage-ng +- merge gh#openSUSE/libstorage-ng#905 +- read filters for udev links from config file +- limit allowed by-id links for NVMEs (bsc#1205352) +- make integration-tests subpackage noarch +- cleanup +- 4.5.53 + +- Translated using Weblate (Macedonian) (bsc#1149754) +- 4.5.52 + +- merge gh#openSUSE/libstorage-ng#904 +- added examples +- 4.5.51 + +- merge gh#openSUSE/libstorage-ng#903 +- fixed typo +- 4.5.50 + +- merge gh#openSUSE/libstorage-ng#902 +- ignore chunk size for RAID1 (bsc#1205172) +- 4.5.49 + libtirpc -- fix CVE-2021-46828: libtirpc: DoS vulnerability with lots of - connections (bsc#1201680) - - add 0001-Fix-DoS-vulnerability-in-libtirpc.patch - --exclude ipv6 addresses in client protocol 2 code (bsc#1200800) - - update 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch - -- fix memory leak in params.r_addr assignement (bsc#1198752) - - add 0001-fix-parms.r_addr-memory-leak.patch - -- check for nullpointer in check_address (bsc#1198176) - update 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch - -- add option to enforce connection via protocol version 2 first - (bsc#1196647) - add 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch - -- Update to libtirpc 1.2.6 - - Drop patches all patches backported from this release - (0001-Add-authdes_seccreate-stub.patch, - 0001-Avoid-multiple-definiton-with-gcc-fno-common.patch) - -- Backport upstream fix daed7ee ("Avoid multiple-definiton with gcc -fno-common") - to fix build error with gcc flag -fno-common (bsc#1160875). 
- Tested on gcc-9 and gcc-10. - 0001-Avoid-multiple-definiton-with-gcc-fno-common.patch - -- Skip unneeded autogen.sh run (configure is up-to-date), drop - dependencies: libtool, autoconf -- Replace krb5-mini-devel/krb5-devel with pkgconfig(krb5) - -- Update to libtirpc 1.2.5 - - A number resource leaks and other issues were fix which were identified - by a Coverity Scan. - - The AUTH_DES authentication has been deprecated. If any of those routines - are called, they will fail immediately. - - numerous bug fixes -- Package changes: - - Build without AUTH_DES authentication - - Add patch from next release 0001-Add-authdes_seccreate-stub.patch - (a86b4ff Add authdes_seccreate() stub) - - Drop rc patches (libtirpc-1-1-5-rc1.patch, libtirpc-1-1-5-rc2.patch) - - Drop patches all patches backported from this release - (0001-Makefile.am-Use-LIBADD-instead-of-LDFLAGS-to-link-ag.patch, - 0002-man-rpc_secure.3t-Fix-typo-in-manpage.patch, - 0003-xdr-add-a-defensive-mask-in-xdr_int64_t-and-xdr_u_in.patch) - -- Fix previous version: - - actually delete - 0001-xdrstdio_create-buffers-do-not-output-encoded-values.patch - - use 0001-Makefile.am-Use-LIBADD-instead-of-LDFLAGS-to-link-ag.patch - - use 0002-man-rpc_secure.3t-Fix-typo-in-manpage.patch (renamed from - 0003-man-rpc_secure.3t-Fix-typo-in-manpage.patch) - - use 0003-xdr-add-a-defensive-mask-in-xdr_int64_t-and-xdr_u_in.patch - (renamed from - 0004-xdr-add-a-defensive-mask-in-xdr_int64_t-and-xdr_u_in.patch) - -- Updated to libtirpc 1.1.5 rc2 (this includes changes in 1.1.4 release) - - add libtirpc-1-1-5-rc1.patch and libtirpc-1-1-5-rc2.patch to reflect - upstream changes after 1.1.4 release - - remove /etc/bindresvport.blacklist as it's still supported by glibc - although it's not compiled with --enable-obsolete-rpc -- Drop patches accepted in previous releases or not needed - - 000-bindresvport_blacklist.patch (accepted in 5b037cc9, libtirpc 1.1.4) - - 001-new-rpcbindsock-path.patch (not needed, rpcbind now uses /var/run 
directory) - - 002-revert-binddynport.patch (fixed in 2802259, libtirpc-1-0-4-rc1) - - 0001-Fix-regression-introduced-by-change-rpc-version-orde.patch - (backport of 25d38d7, libtirpc-1-0-4-rc1) - - 0001-xdrstdio_create-buffers-do-not-output-encoded-values.patch - (backport of 145272c, libtirpc-1-0-4-rc2) -- Add fixes from upcomming release - - 0001-Makefile.am-Use-LIBADD-instead-of-LDFLAGS-to-link-ag.patch - - 0003-man-rpc_secure.3t-Fix-typo-in-manpage.patch - - 0004-xdr-add-a-defensive-mask-in-xdr_int64_t-and-xdr_u_in.patch - -- Fix SLES 15 - yp_bind_client_create_v3: RPC: Unknown host (bsc#1126096). - - Add upstream patch - 0001-xdrstdio_create-buffers-do-not-output-encoded-values.patch - -- fix socket leak introduced by change-rpc-protocol-version-order patch - (bsc#1087925) - - add 0001-Fix-regression-introduced-by-change-rpc-version-orde.patch - -- Revert binddynport changes as they break backward compatibility - [brc#1562169]. - - add 002-revert-binddynport.patch - -- Remove ineffective --with-pic. - -- Update to libtirpc 1.0.3 - - clnt_dg_call: Fix a buffer overflow (CVE-2016-4429) - - Avoid choosing reserved ports in legacy RPC APIs - - rpcinfo: change order of version to be tried to 4, 3, 2 - - includes 003-rpc-types.patch - - includes 004-replace-bzero-with-memset.patch - - includes 005-missing-includes.patch - - includes 011-Fix-typo-in-src-libtirpc.map-which-prevents-that-key.patch - - includes decls.patch -- Drop COPYING.GPLv2, GPLv2 code was removed from library - -- Adjust include directory [bsc#1083902] - -- Use %license (boo#1082318) - -- Move /usr/include/tirpc to /usr/include - -- Add COPYING.GPLv2 and install Licenses for GPLv2 code. - -- 005-missing-includes.patch: add missing includes to make headers - compatible to sunrpc. 
- -- Update to version 1.0.2 - - 002-old-automake.patch: not needed anymore - - 005-libtirpc-1.0.2-rc1.patch: dropped - - 006-Remove-old-meanwhile-wrong-comment-about-FD_SETSIZE-.patch: - removed, merged upstream - - 007-Change-rtime-function-to-use-poll-instead-of-select.patch: - removed, merged upstream - - 008-Add-parameters-to-local-prototypes-to-fix-compiler-w.patch: - removed, merged upstream - - 009-makefd_xprt-checks-that-the-filedesriptor-is-lower-t.patch: - removed, merged upstream - - 010-The-goto-again-statement-was-an-left-over-from-the-p.patch: - removed, merged upstream - - 012-libtirpc-needs-rpcsvc-nis.h-for-compiling-but-does-n.patch: - removed, merged upstream - - 013-If-we-don-t-compile-in-YP-support-don-t-include-YP-h.patch: - removed, merged upstream - - 014-Add-des_crypt.c-and-des_impl.c-to-become-independent.patch: - removed, merged upstream - - 015-Fix-includes-to-compile-without-deprecated-glibc-fun.patch: - removed, merged upstream - - patch6_7.diff: obsolete - - Replace explicit_bzero.patch with - 004-replace-bzero-with-memset.patch from git - - Rename libtirpc-new-path-rpcbindsock.patch to - 001-new-rpcbindsock-path.patch - -- 003-rpc-types.patch: Add some typedefs to rpc/types.h to allow - applications be compiled with -std=iso9899:1990 - -- Rectify RPM groups and summaries, - and update old macro/variable constructs. - -- decls.patch: fix missing declarations -- explicit_bzero.patch: use explicit_bzero if available - -- Add some patches to get libtirpc compiled without needing glibc - deprecated functions: - - 015-Fix-includes-to-compile-without-deprecated-glibc-fun.patch - - 014-Add-des_crypt.c-and-des_impl.c-to-become-independent.patch - - 013-If-we-don-t-compile-in-YP-support-don-t-include-YP-h.patch -- Add 012-libtirpc-needs-rpcsvc-nis.h-for-compiling-but-does-n.patch - to allow bootstrapping of libtirpc without glibc sunrpc code or - libnsl NIS+ code. 
- -- Add 011-Fix-typo-in-src-libtirpc.map-which-prevents-that-key.patch - (fix export of key_secretkey_is_set) - -- Add the following patches to fix some bugs from the poll() - port and an endless loop: - - 006-Remove-old-meanwhile-wrong-comment-about-FD_SETSIZE-.patch - - 007-Change-rtime-function-to-use-poll-instead-of-select.patch - - 008-Add-parameters-to-local-prototypes-to-fix-compiler-w.patch - - 009-makefd_xprt-checks-that-the-filedesriptor-is-lower-t.patch - - 010-The-goto-again-statement-was-an-left-over-from-the-p.patch - -- Remove 004-netconfig-prefer-IPv6.patch for SLES12. -- Remove libtirpc-getnetconfig-races.patch (was backport). - [FATE#320393] - -- Split the netconfig configuration file and manual page off into - an own RPM. Else it is not possible to install the old and new - libtirpc libraries in parallel. - -- Update to libtirpc-1.0.1 - - new major soname - - Adjust auth code to match other RPC implementations - - Implement more gss auth stuff - - use poll() instead of select() in svc_run() - - Add more sunrpc compat functions - - Sync compat headers with real functions -- Drop 005-missing-symvers.patch (upstream) -- Drop 006-memleak1.patch (upstream) -- Drop 007-memleak2.patch (upstream) -- Drop 008-fix-undef-ref.patch (upstream) -- Drop 009-authdes_pk_create.patch (upstream) -- Drop 010-xdr_sizeof.patch (upstream) -- Drop 011-authdes_create.patch (upstream) -- Drop 012-xp_sock.patch (upstream) -- Drop 099-poll.patch (upstream) -- Drop libtirpc-xdr-header.patch (was backport) -- Add 005-libtirpc-1.0.2-rc1.patch (fixes deadlock) - -- Fix public xdr.h header - xdr_rpcvers() were broken (bsc#902439) - Added: libtirpc-xdr-header.patch - -- Update 099-poll.patch with newest version send upstream. - -- Add 099-poll.patch: change svc_run from select() to poll(). 
- -- Add 012-xp_sock.patch: add sunrpc compatibility define - -- Update 009-authdes_pk_create.patch (fix syncaddr handling) -- Add 011-authdes_create.patch (fix syncaddr handling) - -- Add 010-xdr_sizeof.patch (enable xdr_sizeof) - -- Add 009-authdes_pk_create.patch (missing SunRPC compat function) - -- Add 008-fix-undef-ref.patch to fix a undefined reference bug - -- Update to version 0.3.2 (bring authdes back) -- Remove 005-no_IPv6_for_old_code.patch (accepted upstream) -- Remove 001-tirpc-features.patch (obsolete) -- Add 005-missing-symvers.patch (fix missing, new symbols) -- Add 006-memleak1.patch (fix memory leak) -- Add 007-memleak2.patch (fix memory leak) - -- Remove krb5-devel from -devel requires, not needed anymore - -- Update to libtirpc 0.3.1, which incorporates the following - patches: - - 011-gssapi-update1.patch - - 012-gssapi-update2.patch - - 013-gssapi-update3.patch - - 014-gssapi-update4.patch - - 015-gssapi-update5.patch - - 016-gssapi-update6.patch - - 017-gssapi-update7.patch - - 018-gssapi-update8.patch - Not needed anymore: - - 007-fix-tirpc_map.patch - Adjusted: - - 001-tirpc-features.patch, merged with 006-rework-features.diff - - 002-old-automake.patch - -- 007-fix-tirpc_map.patch: fix symbol version for new global names - -- 006-rework-features.diff: Adjust for set of gssapi patches -- 003-fix-gssapi.patch replaced by 011-gssapi-update1.patch -- 012-gssapi-update2.patch: fix krb5-config usage -- 013-gssapi-update3.patch: check for gssapi.h -- 014-gssapi-update4.patch: don't include rpcsec_gss.h -- 015-gssapi-update5.patch: don't install GSSAPI files if disabled -- 016-gssapi-update6.patch: fix rpc_gss_seccreate -- 017-gssapi-update7.patch: officialy export two internal functions -- 018-gssapi-update8.patch: don't use glibc special header files - -- 003-fix-gssapi.patch: Correct fix for GSS ABI breakage -- 005-no_IPv6_for_old_code.patch: Update comment -- 006-rework-features.diff: Rework tirpc-features.h - -- 003-fix-gssapi.patch: Update, 
one chunk did go lost - -- 001-tirpc-features.patch: update with official git version -- 002-old-automake.patch: re-add for SLES11 -- 003-fix-gssapi.patch: try to fix the disable-gssapi option correct - -- Fix HAVE_AUTHDES/HAVE_GSSAPI in public header files - (001-tirpc-features.patch) - -- Update to official release 0.3.0. authdes was disabled by default - upstream. -- Following patches were merged: - - 001-symbol-versions-v5.patch - - 003-add-des_crypt.diff -- Remove 002-old-automake.patch, not needed anymore - -- Update 001-symbol-versions-v4.patch with - 001-symbol-versions-v5.patch: Add --disable-symvers option - -- Update 003-add-des_crypt.diff, fix unresolved des functions - -- Update to git -- Add 003-add-des_crypt.diff to fix unresolved *_crypt() functions - -- Disable gssapi for SLE11, kerberos version is too old - -- rpc/rpc.h requires now indirectly gssapi.h from krb5-devel - -- Update to current git. -- The following patches were accepted upstream: - - 003-xdr_h-fix.patch - - 005-disable-rpcent.patch - - 006-no-libnsl.patch - - patch1_7.diff - - patch2_7.diff - - patch3_7.diff -- patch7_7.diff: removed, rejected upstream -- 001-symbol-versions-v3.patch: replace with 001-symbol-versions-v4.patch - -- Add the following patches from the libtirpc-devel mailing list: - - patch1_7.diff (remove wrong config.h.in) - - patch2_7.diff (fix function name of yp_check) - - patch3_7.diff (make sure config.h is included) - - patch6_7.diff (use getaddrinfo in getrpcport) - - patch7_7.diff (remove prototypes from headers we don't supply) - -- Add following patches: - - 003-xdr_h-fix.patch (fix wrong defines using xdr_u_int32) - - 005-disable-rpcent.patch (use rpcent functions from glibc) - - 006-no-libnsl.patch (don't link against libnsl) - -- Update to 0.2.5.git from 20150423 - - following patches are accepted upstream: - - 003-rpc_broadcast_misformed_replies.patch - - libtirpc-misc-segfaults.patch - - replace 001-symbol-versions-v2.patch with - 
001-symbol-versions-v3.patch - - enable symbol versioning patch - -- Fix race conditions in getnetconfig (bsc#899576, bsc#882973) - Added: libtirpc-getnetconfig-races.patch - -- 004-netconfig-prefer-IPv6.patch: Prever IPv6 over IPv4 (configured - in /etc/netconfig) - -- 002-old-automake.patch: make buildable on old systems - -- Update to 0.2.5.git from 20141217 - - following patches are accepted upstream: - - 002-clnt_broadcast_fix.patch - - 004-getpmaphandle.patch - - libtirpc-clntunix_create.patch - - libtirpc-getbroadifs-crash.patch - - libtirpc-taddr2uaddr-local.patch - -- Update to upstream 0.2.5 release -- Add symbol versioning to fix symbol conflicts - (001-symbol-versions-v2.patch), but disable until commited upstream -- Adjust libtirpc-clnt_broadcast_fix.patch and rename to - 002-clnt_broadcast_fix.patch -- Adjust libtirpc-rpc_broadcast_misformed_replies.patch and rename - to 003-rpc_broadcast_misformed_replies.patch -- Rename libtirpc-getpmaphandle.patch to 004-getpmaphandle.patch -- Adjust libtirpc-bindresvport_blacklist.patch and rename to - 000-bindresvport_blacklist.patch -- Drop libtirpc-pmap-setunset.patch, not needed anymore -- Apply libtirpc-new-path-rpcbindsock.patch only on openSUSE 13.1 - and later - libusb-1_0 +- Added 0002-gracefully-handle-buggy-config0-devices.patch + * Fix regression where some buggy devices no longer work + if they have a configuration value of 0. + * [bsc#1201590] + libuv +- Remove epoll syscall wrappers; (bsc#1199062); Add + * 0001-linux-remove-epoll-syscall-wrappers.patch + * 0002-linux-drop-code-path-for-epoll_pwait-less-kernels.patch + -- update to v0.11.29 - -- update to v0.11.28 - -- update to 0.11.24 -- install pkg-config file - -- Update to version 0.11.23 - * bug fixes - -- update to v0.11.21 - -- initial packaging of v0.11.19 - libva +- needed for jira#PED-1174 (Video decoding/encoding support + (VA-API, ...) 
for Intel GPUs is outside of Mesa) + +- update to 2.16.0: + * add: Add HierarchicalFlag & hierarchical_level_plus1 for AV1e. + * dep: Update README.md to remove badge links + * dep: Removed waffle-io badge from README to fix broken link + * dep: Drop mailing list, IRC and Slack + * autotools: use wayland-scanner private-code + * autotools: use the wayland-scanner.pc to locate the prog + * meson: use wayland-scanner private-code + * meson: request native wayland-scanner + * meson: use the wayland-scanner.pc to locate the prog + * meson: set HAVE_VA_X11 when applicable + * style:Correct slight coding style in several new commits + * trace: add Linux ftrace mode for va trace + * trace: Add missing pthread_mutex_destroy + * drm: remove no-longer needed X == X mappings + * drm: fallback to drm driver name == va driver name + * drm: simplify the mapping table + * x11: simplify the mapping table + +- No code changes +- Update to version 2.15.0 was part of Intel oneVPL GPU Runtime + 2022Q2 Release 22.4.4 + +- Update to 2.15.0: + * Add: new display HW attribute to report PCI ID + * Add: sample depth related parameters for AV1e + * Add: refresh_frame_flags for AV1e + * Add: missing fields in va_TraceVAEncSequenceParameterBufferHEVC. + * Add: nvidia-drm to the drm driver map + * Add: type and buffer for delta qp per block + * Deprecation: remove the va_fool support + * Fix:Correct the version of meson build on master branch + * Fix:X11 DRI2: check if device is a render node + * Build:Use also strong stack protection if supported + * Trace:print the string for profile/entrypoint/configattrib + +- Update to 2.14.0: + * add: Add av1 encode interfaces + * add: VA/X11 VAAPI driver mapping for crocus DRI driver + * doc: Add description of the fd management for surface importing + * ci: fix freebsd build + * meson: Copy public headers to build directory to support subproject + libva-gl +- needed for jira#PED-1174 (Video decoding/encoding support + (VA-API, ...) 
for Intel GPUs is outside of Mesa) + +- update to 2.16.0: + * add: Add HierarchicalFlag & hierarchical_level_plus1 for AV1e. + * dep: Update README.md to remove badge links + * dep: Removed waffle-io badge from README to fix broken link + * dep: Drop mailing list, IRC and Slack + * autotools: use wayland-scanner private-code + * autotools: use the wayland-scanner.pc to locate the prog + * meson: use wayland-scanner private-code + * meson: request native wayland-scanner + * meson: use the wayland-scanner.pc to locate the prog + * meson: set HAVE_VA_X11 when applicable + * style:Correct slight coding style in several new commits + * trace: add Linux ftrace mode for va trace + * trace: Add missing pthread_mutex_destroy + * drm: remove no-longer needed X == X mappings + * drm: fallback to drm driver name == va driver name + * drm: simplify the mapping table + * x11: simplify the mapping table + +- No code changes +- Update to version 2.15.0 was part of Intel oneVPL GPU Runtime + 2022Q2 Release 22.4.4 + +- Update to 2.15.0: + * Add: new display HW attribute to report PCI ID + * Add: sample depth related parameters for AV1e + * Add: refresh_frame_flags for AV1e + * Add: missing fields in va_TraceVAEncSequenceParameterBufferHEVC. 
+ * Add: nvidia-drm to the drm driver map + * Add: type and buffer for delta qp per block + * Deprecation: remove the va_fool support + * Fix:Correct the version of meson build on master branch + * Fix:X11 DRI2: check if device is a render node + * Build:Use also strong stack protection if supported + * Trace:print the string for profile/entrypoint/configattrib + +- Update to 2.14.0: + * add: Add av1 encode interfaces + * add: VA/X11 VAAPI driver mapping for crocus DRI driver + * doc: Add description of the fd management for surface importing + * ci: fix freebsd build + * meson: Copy public headers to build directory to support subproject + libvirt +- tests: Fix libxlxml2domconfigtest + f81ee7b5-tests-Fix-libxlxml2domconfigtest.patch + bsc#1205204 + +- Update to libvirt 8.9.0 + - jsc#PED-620, jsc#PED-1540 + - Add support for modular daemons to the supportconfig plugin + - New subpackage libvirt-client-qemu providing client utilities + to interact with QEMU-specific features of libvirt + - Many incremental improvements and bug fixes, see + https://libvirt.org/news.html#v8-9-0-2022-11-01 + +- Update to libvirt 8.8.0 + - jsc#PED-620, jsc#PED-1540 + - Many incremental improvements and bug fixes, see + https://libvirt.org/news.html#v8-8-0-2022-10-03 +- spec: Switch from monolithic to modular daemons for Factory + libxcb -- u_don-t-flag-extra-reply-in-xcb_take_socket.patch - * Fix IO errors with KWin in combination with NVIDIA driver. - (bnc#1101560) - -- Update to version 1.13 - * As with xcb-proto, this release mainly enables multi-planar buffers in - DRI3 v1.2 via support for variable-sized lists of FDs, and enables - sending GenericEvents to other clients. Present v1.2 and RandR v1.6 - did not require any specific library changes. 
-- supersedes U_add-support-for-eventstruct.patch, - u_build_python3.patch - -- Really conditionalize the python3 option to allow us building - without any python2 present - * u_build_python3.patch -- Convert to pkgconfig style deps -- Format bit with spec-cleaner - -- Enable xinput extension. (bnc#1074249) -- U_add-support-for-eventstruct.patch - * Update xinput to the state when it was enabled by default - upstream. - -- n_If-auth-with-credentials-for-hostname-fails-retry-with-XAUTHLOCALHOSTNAME.patch - * Prevent infinite loop also in case DISPLAY is non-local. - -- Use spaces instead of tabs in the patches (as does the original - source code) to avoid confusion. -- n_If-auth-with-credentials-for-hostname-fails-retry-with-XAUTHLOCALHOSTNAME.patch - * If authentication (with *stage == 0) failed and the variable - XAUTHLOCALHOSTNAME wasn't set, we were never getting to stage 2 - in the original patch, causing calls to xcb_connect_to_display - to be stuck in an infinite loop. - Now we also go to stage 2 if the variable isn't set. - -- fixes build against python3 (package rename of - python-xcb-proto-devel to python3-xcb-proto-devel) - -- n_If-auth-with-credentials-for-hostname-fails-retry-with-XAUTHLOCALHOSTNAME.patch - * Modify this patch to do what it say - retry not only if the current hostname is - not found in the xauthority file, but also when it is rejected by X server. - (bnc#1043221) - -- Update to version 1.12 - * here is a new version of libxcb for you to enjoy. The - highlights are the same as for the new xcb-proto release: - xinput support, RandR 1.5 and an automatic alignment checker. -- removed libxcb-xevie0/libxcb-xprint0 subpackages - -- n_If-auth-with-credentials-for-hostname-fails-retry-with-XAUTHLOCALHOSTNAME.patch: - If auth with credentials for hostname fails retry with XAUTHLOCALHOSTNAME - (boo#906622). 
- -- Update to version 1.11.1: - This fixes some threading-related bugs with - xcb_wait_for_special_event() and adds 64-bit versions of - functions that work with sequence numbers. - libxml2 +- Add W3C conformance tests to the testsuite (bsc#1204585): + * Added file xmlts20080827.tar.gz + libxml2:python +- Add W3C conformance tests to the testsuite (bsc#1204585): + * Added file xmlts20080827.tar.gz + lvm2 +- killed lvmlockd doesn't clear/adopt locks leading to inability to start volume group (bsc#1203216) + - bug-1203216_lvmlockd-purge-the-lock-resources-left-in-previous-l.patch + lvm2:devicemapper +- killed lvmlockd doesn't clear/adopt locks leading to inability to start volume group (bsc#1203216) + - bug-1203216_lvmlockd-purge-the-lock-resources-left-in-previous-l.patch + mdadm +- mdadm.spec: add EXTRAVERSION string to make command line + (jsc#SLE-24761, bsc#1193566) + mozilla-nss +- Require libjitter only for SLE15-SP4 and greater + +- update to NSS 3.79.2 (bsc#1204729) + * bmo#1785846 - Bump minimum NSPR version to 4.34.1. + * bmo#1777672 - Gracefully handle null nickname in CERT_GetCertNicknameWithValidity. + +- Add nss-allow-slow-tests.patch, which allows a timed test to run + longer than 1s. This avoids turning slow builds into broken + builds. + +- Update nss-fips-approved-crypto-non-ec.patch to allow the use of + DSA keys (verification only) (bsc#1201298). +- Update nss-fips-constructor-self-tests.patch to add + sftk_FIPSRepeatIntegrityCheck() to softoken's .def file + (bsc#1198980). + +- Update nss-fips-approved-crypto-non-ec.patch to allow the use of + longer symmetric keys via the service level indicator + (bsc#1191546). +- Update nss-fips-constructor-self-tests.patch to hopefully export + sftk_FIPSRepeatIntegrityCheck() correctly (bsc#1198980). + +- Update nss-fips-approved-crypto-non-ec.patch to prevent sessions + from getting flagged as non-FIPS (bsc#1191546). +- Mark DSA keygen unapproved (bsc#1191546, bsc#1201298). 
+- Enable nss-fips-drbg-libjitter.patch now that we have a patched + libjitter to build with (bsc#1202870). + +- Update nss-fips-approved-crypto-non-ec.patch to prevent keys + from getting flagged as non-FIPS and add remaining TLS mechanisms. +- Add nss-fips-drbg-libjitter.patch to use libjitterentropy for + entropy. This is disabled until we can avoid the inline assembler + in the latter's header file that relies on GNU extensions. +- Update nss-fips-constructor-self-tests.patch to fix an abort() + when both NSS_FIPS and /proc FIPS mode are enabled. + nano +- update to 7.0: + * String binds may contain bindable function names between braces + * Unicode codes can be entered (via M-V) without leading zeroes, + by finishing short codes with or + * Word completion (^]) looks for candidates in all open buffers + * No regular expression matches the final empty line any more + net-snmp +- update to 5.9.3 (bsc#1201103, jsc#SLE-11203): + - security: + - These two CVEs can be exploited by a user with read-only credentials: + - CVE-2022-24805 A buffer overflow in the handling of the INDEX of + NET-SNMP-VACM-MIB can cause an out-of-bounds memory access. + - CVE-2022-24809 A malformed OID in a GET-NEXT to the nsVacmAccessTable + can cause a NULL pointer dereference. + - These CVEs can be exploited by a user with read-write credentials: + - CVE-2022-24806 Improper Input Validation when SETing malformed + OIDs in master agent and subagent simultaneously + - CVE-2022-24807 A malformed OID in a SET request to + SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable can cause an + out-of-bounds memory access. + - CVE-2022-24808 A malformed OID in a SET request to + NET-SNMP-AGENT-MIB::nsLogTable can cause a NULL pointer dereference + - CVE-2022-24810 A malformed OID in a SET to the nsVacmAccessTable + can cause a NULL pointer dereference. + - Fixed library versioning bug found in 5.9.2. + - Library version change to libsnmp40. 
+- Moved logrotate files from user specific directory /etc/logrotate.d + to vendor specific directory /usr/etc/logrotate.d. +- Fixed python2 backward compability. + add: + * net-snmp-5.9.3-fixed-python2-bindings.patch +- Migration to /usr/etc: Saving user changed configuration files + in /etc and restoring them while an RPM update. +- Change to use systemd service files directly from net-snmp package. + add: + * net-snmp-5.9.1-suse-systemd-service-files.patch + * net-snmp-5.9.1-harden_snmpd.service.patch + * net-snmp-5.9.1-harden_snmptrapd.service.patch + remove: + * snmpd.service + * snmptrapd.service + * harden_snmpd.service.patch + * harden_snmptrapd.service.patch +- Refactor and remove obsolete patches to work with version number 5.9.3: + add: + * net-snmp-5.9.3-pie.patch + * net-snmp-5.9.3-fix-create-v3-user-outfile.patch + * net-snmp-5.9.1-add-lustre-fs-support.patch + * net-snmp-5.9.1-fix-Makefile.PL.patch + * net-snmp-5.9.1-modern-rpm-api.patch + * net-snmp-5.9.1-net-snmp-config-headercheck.patch + * net-snmp-5.9.1-perl-tk-warning.patch + * net-snmp-5.9.1-snmpstatus-suppress-output.patch + * net-snmp-5.9.1-socket-path.patch + * net-snmp-5.9.1-subagent-set-response.patch + * net-snmp-5.9.1-testing-empty-arptable.patch + * net-snmp-5.9.1-velocity-mib.patch + remove: + * net-snmp-5.9.1-pie.patch + * net-snmp-5.9.1-fix-create-v3-user-outfile.patch + * net-snmp-5.7.3-add-lustre-fs-support.patch + * net-snmp-5.7.3-Fix-Makefile.PL.patch + * net-snmp-5.7.3-modern-rpm-api.patch + * net-snmp-5.7.3-net-snmp-config-headercheck.patch + * net-snmp-5.7.3-perl-tk-warning.patch + * net-snmp-5.7.3-snmpstatus-suppress-output.patch + * net-snmp-5.7.3-socket-path.patch + * net-snmp-5.7.3-subagent-set-response.patch + * net-snmp-5.7.3-testing-empty-arptable.patch + * net-snmp-5.7.3-velocity-mib.patch + * net-snmp-5.7.3-fix-create-v3-user-outfile.patch + * net-snmp-5.7.3-pie.patch + * net-snmp-4.7.2-systemd.patch + * net-snmp-5.7.3-build-with-openssl-1.1.patch + * 
net-snmp-5.7.3-fix-agentx-freezing-on-timeout.patch + * net-snmp-5.7.3-fix-missing-mib-hrStorage-indexes.patch + * net-snmp-5.7.3-fix-snmpd-crashing-when-an-agentx-disconnects.patch + * net-snmp-5.7.3-fix-snmp_pdu_parse-incomplete.patch + * net-snmp-5.7.3-fix-subagent-data-corruption.patch + * net-snmp-5.7.3-helpers-table-skip-if-next-handler-called.patch + * net-snmp-5.7.3-host-mib-skip-autofs-entries.patch + * net-snmp-5.7.3-make-extended-mib-read-only.patch + * net-snmp-5.7.3-netgroups.patch + * net-snmp-5.7.3-Remove-U64-typedef.patch + * net-snmp-5.7.3-snmptrapd-add-forwarder-info.patch + * net-snmp-5.7.3-swintst_rpm-Protect-against-unspecified-Group-name.patch + * net-snmp-5.7.3-ucd-snmp-mib-add-64-bit-mem-obj.patch + * net-snmp-python3.patch + nfs-utils +- add 0025-nfsdcltrack-getopt_long-fails-on-a-non-x86_64-archs.patch + Fix nfsdcltrack bug that affected non-x86 archs. + (bsc#1202627) + +- 0024-systemd-Apply-all-sysctl-settings-when-NFS-related-m.patch + Ensure sysctl setting work (bsc#1199856) + nfsidmap +- 0001-Removed-some-unused-and-set-but-not-used-warnings.patch + 0002-Handle-NULL-names-better.patch + 0003-Strip-newlines-out-of-IDMAP_LOG-messages.patch + 0004-onf_parse_line-Ignore-whitespace-at-the-beginning-of.patch + 0005-nss.c-wrong-check-of-return-value.patch + 0006-Fixed-a-memory-leak-nss_name_to_gid.patch + Various bugfixes and improvemes from upstream + In particular, 0001 fixes a crash that can happen when + a 'static' mapping is configured. + (bnc#1200901) + -- add libtool as buildrequire to avoid implicit dependency - -- libnfsidmap-0.24 - * Added autogen.sh which runs all the autoconfig scripts - * Added nfs4_owner interfaces which are used by the - new nfsidmap program - -- include manpage again bnc#689009 - -- revert the last change that exported only public symbols - breaks loadable modules. - -- libnfsidmap: export only public symbols nfs4_*, in particular - this avoids exporting strlcpy to calling applications.. 
-- openldap2-devel is not required in -devel package - -- use %_smp_mflags - -- disable the idmapd.conf manpage inclusion, it is in nfs-utils. - -- also remove .la files from the libnfsidmap subdir -- fixed missing ctype.h header include - -- updated to 0.23 - * Allows mappings to be correct "right out of the box" when DNS is - set up correctly and stops idmapper from dying when there is - no domain name set. - * Move the default processing for the "Local-Realm" config option - into the main config file processing function and adds missing - documentation for the previously added configuration option. - * Print a debug log message "when the krb5 realm can not be used since - it does not match the DNS domain name or the 'Local-Realm' variable - defined in /etc/idmad.conf" - * Move the idmapd.conf manpage from nfs-utils and update it to match - the current functionality. - * Changes to install, and look for, the plugin libraries in a separate - libnfsidmap directory. - -- move plugins .so files to main package, to make it work again - bnc#495665, bnc#497209 -- disable versioning of those plugin libs - -- remove static libraries and "la" files - -- upgraded to 0.21 - - The main library has been changed to load "plugin" libraries to - perform the mappings. This decouples the main library from any ldap - (and sasl, etc.) dependencies. - - Several translation methods (plugins) may now be specified in the - idmapd.conf file. While a plugin returns -ENOENT, the next is called - until a mapping is found, or there are no more plugins to try. - - A "static" mapping plugin from David Härdeman has - been added. - - A "gums" mapping plugin from Olga Kornievskaia - has been added. - nvme-cli +- Update to version 2.2.1 (jsc#PED-553): + * Added parsing for Solidigm telemetry observable data. 
+ * Revert "udev: re-read the discovery log page when a discovery controller reconnected" + * add item ddr_ecc_err_cnt in smart-log-add + * build and install fixes/improvements + * build: Add minimum build requirement on libnvme + * build: Drop dependency on libuuid + * build: Extend release script to support micro version releases + * build: Fix endian check for cross build + * build: Remove unused uuid.wrap file + * build: Remove unusned uuid.h include + * build: Update release version rules + * build: Update version before regenerating docs + * completions: Add show-topology tab completion + * documentation fixes + * fabrics: Avoid nvme_scan_ctrl when disconnecting + * fabrics: Honor JSON config file in connect-all command + * fabrics: Remove dhchap-ctrl-secret from discover/connect-all + * fabrics: Trigger auto connect if config.json exists + * fabrics: fix 'persistent' handling during connect-all with JSON file + * fabrics: nvme config --modify depends on -n and -t argument + * fabrics: re-read the discovery log page when a discovery controller reconnected + * json: Support uint64 types serialization for older json-c versions + * meson: we don't need a c++ compiler + * new solidigm plugin + * nvme, plugins: fix __u64 -> unsigned long long assumptions + * nvme-print: Add missing values in id-ctrl for JSON output + * nvme-print: Handle NULL hostid in JSON output + * nvme-print: Output 128bit values as uint128 type instead of double + * nvme-print: Print fguid as a UUID + * nvme-print: Use uint128 JSON function for media_units_written + * nvme-print: decode MI status values + * nvme-print: decode status types + * nvme-print: fix wrong json key + * nvme-print: sanitize the get-feature async event config output + * nvme: Add helper function to parse 16-bit comma separated list + * nvme: Add nvme_cmd wrapper for get_features + * nvme: Add show-topology command + * nvme: Add wrapper for Format NVM + * nvme: Add wrapper for Sanitize NVM + * nvme: Add wrappers for Get 
Log page helpers + * nvme: Add wrappers for Identify controller lists + * nvme: Add wrappers for NS attach/detach + * nvme: Add wrappers for NS management functions + * nvme: Add wrappers for basic NS identify + * nvme: Add wrappers for firmware commands + * nvme: Do not print error message in collect_effects_log helper + * nvme: Fix set feature command to get feature identifier 0Dh length as zero + * nvme: Introduce a union in struct nvme_dev for different transport types + * nvme: Introduce nvme_cli_ wrappers, wrap identify and identify_ctrl + * nvme: Make static nvme_dev private to open_dev(), use locals elsewhere + * nvme: Masks SSTAT in sanize-log output + * nvme: Remove static nvme_dev, allocate on open instead + * nvme: Set default rae value for nvme_get_nsid_log users + * nvme: Simplify ns list identify + * nvme: Use correct print format specifier for sizeof arguments + * nvme: Use local struct nvme_dev for show_registers & map_registers + * nvme: check if cfg.metadata is NULL before passing it to strlen() + * nvme: use helpers for checking status types + * plugins/innogrit: Include timer.h + * plugins/innogrit: add smart items for smart-log-add + * plugins/micron-nvme: Use correct print format specifier for sizeof arguments + * plugins/ocp: Include timer.h + * plugins/ocp: Output 128bit values as uint128 type instead of double + * plugins/ocp: drop unused fd argument + * plugins/ocp: pass struct nvme_dev to internal functions + * plugins/seagate: Add support for OCP + * plugins/solidigm: fix return value on format parse failure + * plugins/toshiba: pass struct nvme_dev rather than fd + name + * plugins/virtium: Output 128bit values as uint128 type instead of double + * plugins/wdc: Add support for SN660 drive + * plugins/wdc: Add type case for feature id + * plugins/wdc: Output 128bit values as uint128 type instead of double + * plugins/wdc: fix memset() on the address of a pointer + * plugins/wdc: pass a struct nvme_dev around rather than a fd + * 
plugins/wdc: pass struct nvme_dev rather than using global nvme_dev + * plugins/wdc: prevent duplicate close on NVMe device + * plugins/wdc: remove fd argument from print functions + * plugins/ytmc: pass struct nvme_dev rather than fd + name + * plugins: Use PRIu64 format specifier for 64bit types + * print: Add Controller Ready Timeout Exceeded HW error code + * print: Fix nvme_id_uuid_list + * solidgm: fix initialization warning + * solidigm: Added parsing for telemetry customer screenable data + * solidigm: Fix printf format for size_t variable + * solidigm: Updated Telemetry parsing code to MIT license. + * subprojects/libnvme: update for MI admin command coverage + * tests: Update license to GPL-2.0-or-later + * tree: Add NVMe-MI support + * tree: Add dev_fd() helper + * tree: Change nvme_dev from global to static + * tree: Combine NVMe file descriptor into struct nvme_dev + * tree: Move global device info to a single struct + * tree: fail on non-negative return values from parse_and_open + * udev: Add HOST_IFACE to udev rule + * util/json.h: Add json_object_get_uint64 fallback implementation + * util/json: Add 128 bit JSON helpers + * util/types: Add 128 bit conversion helpers + * util: Fix le128_to_cpu on big-endian + * util: Fix le128_to_cpu on little-endian + * util: Move common type conversion helpers into util section + * utils/json: Add json_object_new_uint64 for json-c < 0.14 + * utils: Fix uint128_t usage + * various fixes reported by coverity + * version reporting includes library version + * wdc: OCP Log page updates and fixes + * wrapper: Add weak nvme_init_copy_range_f1 symbol + * wrapper: Call library version of nvme_init_copy_range_f1 + * wrapper: Update SPDIX license + * zns.c: report zones should be started after retrieved zone +- Drop upsreamp patches + * remove 0001-fabrics-Already-connected-uses-a-different-error-cod.patch + * remove 0002-fabrics-skip-connect-if-the-transport-types-don-t-ma.patch + * remove 
0003-nvme-print-Show-paths-from-the-first-namespace-only.patch + * remove 0004-nvme-print-Show-ANA-state-only-for-one-namespace.patch + * remove 0005-fabrics-Honor-config-file-for-connect-all.patch + * remove 0006-fabrics-Remove-dhchap-ctrl-secret-from-discover-conn.patch + * remove 0007-fabrics-error-message-for-nvme-discover-connect-all-.patch + * remove 0008-fabrics-avoid-segfault-when-nvme-discover-fails-with.patch + * remove 0009-fabrics-avoid-segfault-if-transport-type-is-omitted.patch + * remove 0010-nvme-Return-status-error-code-for-effects-log-comman.patch + * remove 0011-nvme-fix-nvme-get-feature-with-H-option.patch + * remove 0012-fabrics-Avoid-nvme_scan_ctrl-when-disconnecting.patch + * remove 0013-nvme-Do-not-print-error-message-in-collect_effects_l.patch + * remove 0014-nvme-print-Handle-NULL-hostid-in-JSON-output.patch + * remove 0015-nvme-print-sanitize-the-get-feature-async-event-conf.patch +- Handle suse-missing-rclink lint warnings by providing the symlinks +- Support auto discovery, add %systemd_ordering to spec file (bsc#1186399) +- Mark no binaries rpms as noarch + +- Support auto discovery, add %systemd_ordering to spec file (bsc#1186399) +- fabrics: Remove dhchap-ctrl-secret from discover/connect-all (bsc#1201701) + * add 0006-fabrics-Remove-dhchap-ctrl-secret-from-discover-conn.patch +- Fabrics related bug fixes + * add 0007-fabrics-error-message-for-nvme-discover-connect-all-.patch + * add 0008-fabrics-avoid-segfault-when-nvme-discover-fails-with.patch + * add 0009-fabrics-avoid-segfault-if-transport-type-is-omitted.patch + * add 0010-nvme-Return-status-error-code-for-effects-log-comman.patch + * add 0011-nvme-fix-nvme-get-feature-with-H-option.patch + * add 0012-fabrics-Avoid-nvme_scan_ctrl-when-disconnecting.patch + * add 0013-nvme-Do-not-print-error-message-in-collect_effects_l.patch + * add 0014-nvme-print-Handle-NULL-hostid-in-JSON-output.patch + * add 0015-nvme-print-sanitize-the-get-feature-async-event-conf.patch + openjpeg + 
openjpeg-CVE-2018-20846.patch (CVE-2018-20846, bsc#1140205), + openjpeg-CVE-2018-21010.patch (CVE-2018-21010, bsc#1149789), + openjpeg-CVE-2020-27824.patch (CVE-2020-27824, bsc#1179821), + openjpeg-CVE-2020-27842.patch (CVE-2020-27842, bsc#1180043), + openjpeg-CVE-2020-27843.patch (CVE-2020-27843, bsc#1180044), + openjpeg-CVE-2020-27845.patch (CVE-2020-27845, bsc#1180046). + +- Add security fixes: -- fix fedora build - openssl-1_1 +- FIPS: Service-level indicator [bsc#1190651] + * Mark PBKDF2 with key shorter than 112 bits as non-approved + * Add openssl-1_1-ossl-sli-007-pbkdf2-keylen.patch + +- FIPS: Service-level indicator [bsc#1190651] + * Consider RSA siggen/sigver with PKCS1 padding also approved + * Add openssl-1_1-ossl-sli-006-rsa_pkcs1_padding.patch + +- FIPS: Service-level indicator [bsc#1190651] + * Return the correct indicator for a given EC group order bits + * Add openssl-1_1-ossl-sli-005-EC_group_order_bits.patch + ovmf +- Change the size of ovmf-x86_64 back to 2MB, and remove EFI shell to + reduce the fv image size. + - Originally the reason of changing the size of ovmf-x86_64 to 4MB is for + preventing OBS exposes the following error: + [ 266s] GenFv: ERROR 3000: Invalid + [ 266s] the required fv image size 0x1afed8 exceeds the set fv image size 0x1ac000 + The fv image size is too big. But we found that change ovmf-x86_64 to 4MB causes + live migration problem on qemu. (bsc#1204220) + - So let's change the size of ovmf_x86_64 back to 2MB and remove EFI shell + to reduce the fv image size. If user wants to use EFI shell, they should move to + ovmf-x86_64-4m image. So we add the "-D EXCLUDE_SHELL" build option to ovmf-x86_64 + flavor in ovmf.spec. (bsc#1204220) + pam -- Update pam_motd to the most current version. This fixes various issues - and adds support for mot.d directories [jsc#PED-1712]. - * Added: pam-ped1712-pam_motd-directory-feature.patch - -- Do not include obsolete libselinux header files flask.h and - av_permissions.h. 
- [bsc#1197794, pam-bsc1197794-do-not-include-obsolete-header-files.patch] - -- Between allocating the variable "ai" and free'ing them, there are - two "return NO" were we don't free this variable. This patch - inserts freaddrinfo() calls before the "return NO;"s. - [bsc#1197024, pam-bsc1197024-free-addrinfo-before-return.patch] - -- Define _pam_vendordir as "/%{_sysconfdir}/pam.d" - The variable is needed by systemd and others. - [bsc#1196093, macros.pam] - -- Corrected a bad directive file which resulted in - the "securetty" file to be installed as "macros.pam". - [pam.spec] - -- Added tmpfiles for pam to set up directory for pam_faillock. - [pam.conf] - -- Corrected macros.pam entry for %_pam_moduledir - Cleanup in pam.spec: - * Replaced all references to ${_lib}/security in pam.spec by - %{_pam_moduledir} - * Removed definition of (unused) "amdir". - -- Added new file macros.pam on request of systemd. - [bsc#1190052, macros.pam] - -- Added pam_faillock to the set of modules. - [jsc#sle-20638, pam-sle20638-add-pam_faillock.patch] - -- In the 32-bit compatibility package for 64-bit architectures, - require "systemd-32bit" to be also installed as it contains - pam_systemd.so for 32 bit applications. - [bsc#1185562, baselibs.conf] - -- If "LOCAL" is configured in access.conf, and a login attempt from - a remote host is made, pam_access tries to resolve "LOCAL" as - a hostname and logs a failure. - Checking explicitly for "LOCAL" and rejecting access in this case - resolves this issue. - [bsc#1184358, bsc1184358-prevent-LOCAL-from-being-resolved.patch] - -- pam_limits: "unlimited" is not a legitimate value for "nofile" - (see setrlimit(2)). So, when "nofile" is set to one of the - "unlimited" values, it is set to the contents of - "/proc/sys/fs/nr_open" instead. - Also changed the manpage of pam_limits to express this. 
- [bsc#1181443, pam-bsc1181443-make-nofile-unlimited-mean-nr_open.patch] - -- Add a definition for pamdir to pam.spec - So that a proper contents of macros.pam can be constructed. - [pam.spec] - -- Create macros.pam with definition of %_pamdir so packages which - are commonly shared between Factory and SLE can use this macro - [pam.spec] - -- pam_cracklib: added code to check whether the password contains - a substring of of the user's name of at least characters length - in some form. - This is enabled by the new parameter "usersubstr=" - See https://github.com/libpwquality/libpwquality/commit/bfef79dbe6aa525e9557bf4b0a61e6dde12749c4 - [jsc#SLE-16719, jsc#SLE-16720, pam-pam_cracklib-add-usersubstr.patch] - -- pam_xauth.c: do not free() a string which has been (successfully) - passed to putenv(). - [bsc#1177858, pam-bsc1177858-dont-free-environment-string.patch] - -- Initialize pam_unix pam_sm_acct_mgmt() local variable "daysleft" - to avoid spurious (and misleading) - Warning: your password will expire in ... days. - fixed upstream with commit db6b293046a - [bsc#1178727, pam-bsc1178727-initialize-daysleft.patch] - -- /usr/bin/xauth chokes on the old user's $HOME being on an NFS - file system. Run /usr/bin/xauth using the old user's uid/gid - Patch courtesy of Dr. Werner Fink. - [bsc#1174593, pam-xauth_ownership.patch] - -- Moved pam_userdb to a separate package pam-extra. - [bsc#1166510, pam.spec] - -- disable libdb usage and pam_userdb again, as this causes some license - conflicts. (bsc#1166510) - -- Add libdb as build-time dependency to enable pam_userdb module. - Enable pam_userdb.so - [jsc#sle-7258, bsc#1164562, pam.spec] - -- When comparing an incoming IP address with an entry in - access.conf that only specified a single host (ie no netmask), - the incoming IP address was used rather than the IP address from - access.conf, effectively comparing the incoming address with - itself. 
(Also fixed a small typo while I was at it) - [bsc#1115640, use-correct-IP-address.patch, CVE-2018-17953] - -- Remove limits for nproc from /etc/security/limits.conf - ie remove pam-limit-nproc.patch - [bsc#1110700, pam-limit-nproc.patch] - -- pam_umask.8 needed to be patched as well. - [bsc#1089884, pam-fix-config-order-in-manpage.patch] - -- Changed order of configuration files to reflect actual code. - [bsc#1089884, pam-fix-config-order-in-manpage.patch] - -- Use %license (boo#1082318) - -- Prerequire group(shadow), user(root) - -- Allow symbolic hostnames in access.conf file. - [pam-hostnames-in-access_conf.patch, boo#1019866] - -- Increased nproc limits for non-privileged users to 4069/16384. - Removed limits for "root". - [pam-limit-nproc.patch, bsc#1012494, bsc#1013706] - -- pam-limit-nproc.patch: increased process limit to help - Chrome/Chromuim users with really lots of tabs. New limit gets - closer to UserTasksMax parameter in logind.conf - -- Add doc directory to filelist. - -- Remove obsolete README.pam_tally [bsc#977973] - -- Update Linux-PAM to version 1.3.0 -- Rediff encryption_method_nis.diff -- Link pam_unix against libtirpc and external libnsl to enable - IPv6 support. 
- -- Add /sbin/unix2_chkpwd (moved from pam-modules) - -- Remove (since accepted upstream): - - 0001-Remove-YP-dependencies-from-pam_access-they-were-nev.patch - - 0002-Remove-enable-static-modules-option-and-support-from.patch - - 0003-fix-nis-checks.patch - - 0004-PAM_EXTERN-isn-t-needed-anymore-but-don-t-remove-it-.patch - - 0005-Use-TI-RPC-functions-if-we-compile-and-link-against-.patch - -- Add 0005-Use-TI-RPC-functions-if-we-compile-and-link-against-.patch - - Replace IPv4 only functions - -- Fix typo in common-account.pamd [bnc#959439] - -- Add 0004-PAM_EXTERN-isn-t-needed-anymore-but-don-t-remove-it-.patch - - readd PAM_EXTERN for external PAM modules - -- Add 0001-Remove-YP-dependencies-from-pam_access-they-were-nev.patch -- Add 0002-Remove-enable-static-modules-option-and-support-from.patch -- Add 0003-fix-nis-checks.patch - -- Add folder /etc/security/limits.d as mentioned in 'man pam_limits' - -- Update to version 1.2.1 - - security update for CVE-2015-3238 - -- Update to version 1.2.0 - - obsoletes Linux-PAM-git-20150109.diff - -- Re-add lost patch encryption_method_nis.diff [bnc#906660] - -- Update to current git: - - Linux-PAM-git-20150109.diff replaces Linux-PAM-git-20140127.diff - - obsoletes pam_loginuid-log_write_errors.diff - - obsoletes pam_xauth-sigpipe.diff - - obsoletes bug-870433_pam_timestamp-fix-directory-traversal.patch - -- increase process limit to 1200 to help chromium users with many tabs - perl-Cpanel-JSON-XS +- updated to 4.32 + see /usr/share/doc/packages/perl-Cpanel-JSON-XS/Changes + 4.32 2022-08-13 (rurban) + - fix new JSON::PP::Boolean overload redefinition warnings. GH #200 + 4.31 2022-08-10 (rurban) + - adjust t/20_unknown.t pp bool tests for native bool when supported. + GH #198 PR by Graham Knop. + +- updated to 4.30 + see /usr/share/doc/packages/perl-Cpanel-JSON-XS/Changes + 4.30 2022-06-14 (rurban) + - Fix perl 5.37 utf8n_to_uvuni deprecation. 
GH #196 + +- updated to 4.29 + see /usr/share/doc/packages/perl-Cpanel-JSON-XS/Changes + 4.29 2022-05-27 (rurban) + - Hack: Revert native bool (unblessed) overloads via JSON::PP 4.08. + JSON::PP ignores unblessed bools for now. GH #194 + +- updated to 4.28 + see /usr/share/doc/packages/perl-Cpanel-JSON-XS/Changes + 4.28 2022-05-05 (rurban) + - Validate the JSON struct which might get corrupted by wrong FREEZE/THAW + methods, or other serializers, or corrupting our magic object. (GH #192) + - Improve our DESTROY and END methods to avoid NULL dereferences. + Fixes perl-compiler/#438 + - Fix 3 tests in t/20_unknown.t with the latest 5.35.10 bool enhancements + and JSON::PP (GH #194) + - Fix t/118_type.t with Windows ivtype long long. (GH #178) + - Added github actions + +- updated to 4.27 + see /usr/share/doc/packages/perl-Cpanel-JSON-XS/Changes + 4.27 2021-10-13 (rurban) + - Only add -Werror=declaration-after-statement for 5.035004 and earlier (PR #186 nwc) + - Fix 125_shared_boolean.t for threads (PR #184 Sinan Unur) + perl-Image-ExifTool +- Update to 12.50: + * Added a new XMP-GCreations tag + * Added a few new Sony lenses (thanks Jos Roost) + * Added new SonyModelID and Olympus CameraType values (thanks LibRaw and Herb) + * Added a couple of new XMP tags (thanks Jose Oliver-Didier) + * Added a new Nikon Z lens (thanks LibRaw) + * Added a new Canon LensType and CanonModelID (thanks Norbert Wasser and + LibRaw) + * Added some new Pentax lenses (thanks LibRaw) + * Added experimental support for timed GPS in TS videos from Jomise T860S-GM + dashcam (more samples are needed for this to be finalized) + * Decode information written in "skip" atom of 70mai Pro Plus+ MP4 videos + * Decode timed accelerometer data from Kenwood dashcam MP4 videos + * Decode a few new Nikon Z9 tags (thanks Stefan Grussen) + * Decode ColorData for some newer Canon models (thanks LibRaw) + * Decode a number of new tags for the Sony ILCE-7RM5 (thanks Jos Roost) + * Updated IPTC XMP tags to 
correspond with new Photo Metadata 2022.1 standard + * Extract JPEG previews from FujiFilm HIF images + * Changed -if option so multiple -if options are evaluated at the lowest + specified -fast level + * Changed MIMEType for ICO and CUR files + * Enhanced -fast2 so it stops processing QuickTime files at mdat atom + * Enhanced -listx output so -f also indicates the ID of the parent structure + for Flattened tags + * Improved conversion of IPTC date-only and time-only tags to allow formatting + with the -d option + * Improved Canon and Nikon TimeZone tags to accept a wider variety of input + formats when writing + * Disabled extraction of Nikon Z9 MenuSettings for firmware 3.0 until they can + be properly decoded (thanks Warren Hatch) + * Fixed decoding of AF points for some newer Nikon models + * Fixed inconsistent year and time zone for Kenwood dashcam timed GPS in MP4 + videos + php7 +- version update to 7.4.33 [bsc#1204577][bsc#1204979] + 03 Nov 2022 + GD: + Fixed bug #81739: OOB read due to insufficient input validation in imageloadfont(). (CVE-2022-31630) + Hash: + Fixed bug #81738: buffer overflow in hash_update() on long parameter. (CVE-2022-37454) + +- version update to 7.4.32 [jsc#SLE-23639] + Version 7.4.32 + 29 Sep 2022 + Core: + Fixed bug #81726: phar wrapper: DOS when using quine gzip file. (CVE-2022-31628) + Fixed bug #81727: Don't mangle HTTP variable names that clash with ones that have a specific semantic meaning. (CVE-2022-31629) + Version 7.4.30 + 09 Jun 2022 + mysqlnd: + Fixed bug #81719: mysqlnd/pdo password buffer overflow. (CVE-2022-31626) + pgsql: + Fixed bug #81720: Uninitialized array in pg_query_params(). (CVE-2022-31625) + Version 7.4.29 + 14 Apr 2022 + Core: + No source changes to this release. This update allows for re-building the Windows binaries against upgraded dependencies which have received security updates. + Date: + Updated to latest IANA timezone database (2022a). 
+ Version 7.4.28 + 17 Feb 2022 + Filter: + Fix #81708: UAF due to php_filter_float() failing for ints (CVE-2021-21708) + Version 7.4.27 + 16 Dec 2021 + Core: + Fixed bug #81626 (Error on use static:: in __сallStatic() wrapped to Closure::fromCallable()). + FPM: + Fixed bug #81513 (Future possibility for heap overflow in FPM zlog). + GD: + Fixed bug #71316 (libpng warning from imagecreatefromstring). + OpenSSL: + Fixed bug #75725 (./configure: detecting RAND_egd). + PCRE: + Fixed bug #74604 (Out of bounds in php_pcre_replace_impl). + Standard: + Fixed bug #81618 (dns_get_record fails on FreeBSD for missing type). + Fixed bug #81659 (stream_get_contents() may unnecessarily overallocate). + Version 7.4.26 + 18 Nov 2021 + Core: + Fixed bug #81518 (Header injection via default_mimetype / default_charset). + Date: + Fixed bug #81500 (Interval serialization regression since 7.3.14 / 7.4.2). + MBString: + Fixed bug #76167 (mbstring may use pointer from some previous request). + MySQLi: + Fixed bug #81494 (Stopped unbuffered query does not throw error). + PCRE: + Fixed bug #81424 (PCRE2 10.35 JIT performance regression). + Streams: + Fixed bug #54340 (Memory corruption with user_filter). + XML: + Fixed bug #79971 (special character is breaking the path in xml function). (CVE-2021-21707) +- fixes [bsc#1203867] and [bsc#1203870] +- deleted patches + - php7-CVE-2021-21707.patch (upstreamed) + - php7-CVE-2021-21708.patch (upstreamed) + - php7-CVE-2022-31625.patch (upstreamed) + - php7-CVE-2022-31626.patch (upstreamed) + pixman +- Add pixman-CVE-2022-44638.patch: avoid an integer overflow + (boo#1205033 CVE-2022-44638). + plymouth +- Update plymouth-install-label-library-and-font-file-to-initrd.patch: + avoid invalid script commands failure(bsc#1203147). 
+ -- Do not own /usr/share/locale (owned by filesystem): +- Update plymouth.spec: Do not own /usr/share/locale (owned by filesystem): postfix +- use correct source signature file (gpg2) + +- update to 3.7.2 + https://de.postfix.org/ftpmirror/official/postfix-3.7.2.RELEASE_NOTES +- rebase patches + * pointer_to_literals.patch + * postfix-linux45.patch + * postfix-main.cf.patch + * postfix-master.cf.patch + * postfix-no-md5.patch + * postfix-ssl-release-buffers.patch + * postfix-vda-v14-3.0.3.patch + * set-default-db-type.patch +- build against libpcre2 + +- remove *.swp from postfix-SUSE.tar.gz + +- fix config.postfix 'hash' leftover with relay_recipients +- update postfix-main.cf.patch about + * smtp_tls_security_level (obsoletes smtp_use_tls, smtp_enforce_tls) + * smtpd_tls_security_level (obsoletes smtpd_use_tls, smtpd_enforce_tls) +- rebase/refresh patches + * harden_postfix.service.patch + * postfix-avoid-infinit-loop-if-no-permission.patch + * postfix-master.cf.patch + * postfix-vda-v14-3.0.3.patch + * set-default-db-type.patch + +- Change ed requires to /usr/bin/ed: allow busybox-ed to be used + inside containers. + +- add missing requires for config.postfix and the postfix + postinstall script: perl and ed + +- update to 3.6.6 + * (problem introduced: Postfix 2.7) The milter_header_checks maps + are now opened before the cleanup(8) server enters the chroot + jail. + * In an internal client module, "host or service not found" was + a fatal error, causing the milter_default_action setting to be + ignored. It is now a non-fatal error, just like a failure to + connect. + * The proxy_read_maps default value was missing up to 27 parameter + names. The corresponding lookup tables were not automatically + authorized for use with the proxymap(8) service. The parameter + names were ending in _checks, _reply_footer, _reply_filter, + _command_filter, and _delivery_status_filter. 
+ * (problem introduced: Postfix 3.0) With dynamic map loading + enabled, an attempt to create a map with "postmap regexp:path" + would result in a bogus error message "Is the postfix-regexp + package installed?" instead of "unsupported map type for this + operation". This happened with all non-dynamic map types (static, + cidr, etc.) that have no 'bulk create' support. + +- config.postfix fails to set smtp_tls_security_level + (bsc#1192314) + +- Refreshed spec-file via spec-cleaner and manual optimizated. + * Added -p flag to all install commands. + * Removed -f flag from all ln commands. +- Changed file harden_postfix.service.patch (boo#1191988). + +- update to 3.6.5 + * Glibc 2.34 implements closefrom(). This was causing a conflict + with Postfix's implementation for systems that have no closefrom() + implementation. + * Support for Berkeley DB version 18. +- removed obsolete postfix-3.6.2-glibc-234-build-fix.patch + +- Postfix on start don't run postalias /etc/postfix/aliases + (error open database /etc/postfix/aliases.lmdb). (bsc#1197041) + Apply proposed patch + +- config.postfix can't handle symlink'd /etc/resolv.cof + (bsc#1195019) + Adapt proposed change: using "cp -afL" by copying. + +- Update to 3.6.4 + * Bug introduced in bugfix 20210708: duplicate bounce_notice_recipient + entries in postconf output. This was caused by an incomplete + fix to send SMTP session transcripts to $bounce_notice_recipient. + * Bug introduced in Postfix 3.0: the proxymap daemon did not + automatically authorize proxied maps inside pipemap (example: + pipemap:{proxy:maptype:mapname, ...}) or inside unionmap. + * Bug introduced in Postfix 2.5: off-by-one error while writing + a string terminator. This code passed all memory corruption + tests, presumably because it wrote over an alignment padding + byte, or over an adjacent character byte that was never read. 
+ * The proxymap daemon did not automatically authorize map features + added after Postfix 3.3, caused by missing *_maps parameter + names in the proxy_read_maps default value. Found during code + maintenance. + +- Update to 3.6.3 + * (problem introduced in Postfix 2.4, released in 2007): queue + file corruption after a Milter (for example, MIMEDefang) made + a request to replace the message body with a copy of that message + body plus additional text (for example, a SpamAssassin report). + * (problem introduced in Postfix 2.10, released in 2012): The + postconf "-x" option could produce incorrect output, because + multiple functions were implicitly sharing a buffer for + intermediate results. Problem report by raf, root cause analysis + by Viktor Dukhovni. + * (problem introduced in Postfix 2.11, released in 2013): The + check_ccert_access feature worked as expected, but produced a + spurious warning when Postfix was built without SASL support. + Fix by Brad Barden. + * Fix for a compiler warning due to a missing 'const' qualifier + when compiling Postfix with OpenSSL 3. Depending on compiler + settings this could cause the build to fail. + * The known_tcp_ports settings had no effect. It also wasn't fully + implemented. Problem report by Peter. + * Fix for missing space between a hostname and warning text. + +- Ensure postfix can write to home directory or server side + filtering wont work (sieve) + +- Ensure service can write to /etc/postfix + +- Added hardening to systemd service (bsc#1181400). Added + harden_postfix.service.patch + +- postfix fails with glibc 2.34 + Define HAS_CLOSEFROM + (bsc#1189101) + add patch + - postfix-3.6.2-glibc-234-build-fix.patch + +- fix config.postfix (follow up of bsc#1188477) + +- Syntax error in config.postfix + (bsc#1188477) + +- Update to 3.6.2 + * In Postfix 3.6, fixed a false "Result too large" (ERANGE) fatal + error in the compatibility_level parser, because there was no + 'errno = 0' statement before an strtol() call. 
+ * (problem introduced in Postfix 3.3) "Null pointer read" error + in the cleanup daemon when "header_from_format = standard" (the + default as of Postfix 3.3), and email was submitted with + /usr/sbin/sendmail without From: header, and an all-space full + name was specified in 1) the password file, 2) with "sendmail + - F", or 3) with the NAME environment variable. Found by Renaud + Metrich. + * (problem introduced in Postfix 2.4) False "too many reverse + jump" warnings in the showq daemon, because loop detection code + was comparing memory addresses instead of queue file names. + Reported by Mehmet Avcioglu. + * (problem introduced in 1999) The Postfix SMTP server was sending + all session transcripts to the error_notice_recipient (default: + postmaster), instead of sending transcripts of bounced mail to + the bounce_notice_recipient (default: postmaster). Reported by + Hans van Zijst. + * The texthash: map implementation broke tls_server_sni_maps, + because it did not support multi-file inputs. Reported by + Christopher Gurnee, who also found an instance of the missing + code in the "postmap -F" source code. File: util/dict_thash.c. 
+ +- spamd wants to start before mail-transfer-agent.target, but that target doesn't exist + (bsc#1066854) + +- postfix-SUSE + * rework sysconfig.postfix, add + - POSTFIX_WITH_DKIM + - POSTFIX_DKIM_CONN + * rework config.postfix for main.cf + - with_dkim +- update postfix-main.cf.patch + * add OpenDKIM settings + +- postfix-mysql + * add mysql_relay_recipient_maps.cf +- postfix-SUSE + * rework sysconfig.postfix, add + - POSTFIX_RELAY_RECIPIENTS + - POSTFIX_BACKUPMX + * add relay_recipients + * rework config.postfix for main.cf + - is_backupmx + - relay_recipient_maps + +- Add now working CONFIG parameter to sysusers generator +- Remove unnecessary group line from postfix-vmail-user.conf + +- Update to 3.6.1 + * Bugfix (introduced: Postfix 2.11): the command "postmap + lmdb:/file/name" (create LMDB database from textfile) handled + duplicate input keys ungracefully, discarding entries stored + up to and including the duplicate key, and causing a double + free() call with lmdb versions 0.9.17 and later. Reported by + Adi Prasaja; double free() root cause analysis by Howard Chu. + * Typo (introduced: Postfix 3.4): silent_discard should be + silent-discard in BDAT_README. + +- fix postfix-master.cf.patch + * set correct indentation (again) for options of + - submission (needs 3 spaces) + - smtps (needs 4 spaces) + to make config.postfix work nicely again + +- Update to 3.6.0 + - Major changes - internal protocol identification + Internal protocols have changed. You need to "postfix stop" + before updating, or before backing out to an earlier release, + otherwise long-running daemons (pickup, qmgr, verify, tlsproxy, + postscreen) may fail to communicate with the rest of Postfix, + causing mail delivery delays until Postfix is restarted. 
+ For more see /usr/share/doc/packages/postfix/RELEASE_NOTES +- refreshed patches to apply cleanly again: + fix-postfix-script.patch + ipv6_disabled.patch + pointer_to_literals.patch + postfix-linux45.patch + postfix-main.cf.patch + postfix-master.cf.patch + postfix-no-md5.patch + postfix-ssl-release-buffers.patch + postfix-vda-v14-3.0.3.patch + set-default-db-type.patch + +- Update to 3.5.10 with security fixes: + * Missing null pointer checks (introduced in Postfix 3.4) after + an internal I/O error during the smtp(8) to tlsproxy(8) handshake. + Found by Coverity, reported by Jaroslav Skarvada. Based on a + fix by Viktor Dukhovni. + * Null pointer bug (introduced in Postfix 3.0) and memory leak + (introduced in Postfix 3.4) after an inline: table syntax error + in main.cf or master.cf. Found by Coverity, reported by Jaroslav + Skarvada. Based on a fix by Viktor Dukhovni. + * Incomplete null pointer check (introduced: Postfix 2.10) after + truncated HaProxy version 1 handshake message. Found by Coverity, + reported by Jaroslav Skarvada. Fix by Viktor Dukhovni. + * Missing null pointer check (introduced: Postfix alpha) after + null argv[0] value. 
+ publicsuffix +- Update to version 20220903: + * util: gTLD data autopull updates for 2022-09-03T15:15:24 UTC (#1606) + * Update public_suffix_list.dat (#1594) + * Add streamlitapp.com (#1591) + * Update public_suffix_list.dat (#1573) + * Add Framer Sites domains to PSL (#1570) + * new TLD .ישראל and SLDs for Israel by ISOC-IL (#1595) + +- Update to version 20220805: + * Updates to NIXI `.in` subspace in ICANN section of PSL (#1588) + * util: gTLD data autopull updates for 2022-07-28T15:14:54 UTC (#1592) + * util: gTLD data autopull updates for 2022-07-03T15:13:52 UTC (#1587) + * Add messerli.app (#1535) + * Add iservschule.de, schulplattform.de, update IServ GmbH contact information (#1580) + * Add `lolipopmc.jp` (#1555) + * Add ibxos.it and iliadboxos.it domains (#1549) + * Simplify the instance and endpoint domains using wildcard syntax (#1584) + * util: gTLD data autopull updates for 2022-06-14T15:15:19 UTC (#1581) + * doc (.in): update ref uri to registry policies (#1577) + * util: gTLD data autopull updates for 2022-06-02T15:16:31 UTC (#1579) + +- Update to version 20220518: + * util: gTLD data autopull updates for 2022-05-18T15:16:02 UTC (#1567) + * fixed wordwrap; added # of users q + * Add builder.code.com, stg-builder.code.com, and dev-builder.code.com (#1566) + * UPDATE HOSTBIP RECORDS (`name.pm` `sch.tf` `biz.wf` `sch.wf` `org.yt`) (#1473) + * Fix comments delete space and deprecation of io/ioutil (#1557) + +- Update to version 20220510: + * Cleaned up the wording and formatting + * Clarified 3rd party workaround stuff; fixed #1559 + * Add gov.nl (#1558) + * util: gTLD data autopull updates for 2022-04-30T15:14:45 UTC (#1564) + +- Update to version 20220415: + * util: gTLD data autopull updates for 2022-04-14T15:15:34 UTC (#1554) + * Add `1.azurestaticapps.net` DNS suffix (#1514) + * add support for scaleway subdomains (#1507) + python-libvirt-python +- Update to 8.9.0 + - Add all new APIs and constants in libvirt 8.9.0 + - jsc#PED-620, jsc#PED-1540 + 
+- Update to 8.8.0 + - Add all new APIs and constants in libvirt 8.8.0 + - jsc#PED-620, jsc#PED-1540 + python3 +- Add bsc1188607-pythreadstate_clear-decref.patch to fix crash in + the garbage collection (bsc#1188607). + +- Add CVE-2022-37454-sha3-buffer-overflow.patch to fix + bsc#1204577 (CVE-2022-37454, gh#python/cpython#98517) buffer + overflow in hashlib.sha3_* implementations (originally from the + XKCP library). + +- Add CVE-2020-10735-DoS-no-limit-int-size.patch to fix + CVE-2020-10735 (bsc#1203125) to limit amount of digits + converting text to int and vice vera (potential for DoS). + Originally by Victor Stinner of Red Hat. + -- Remove merged patch CVE-2020-8492-urllib-ReDoS.patch and - CRLF_injection_via_host_part.patch. +- Remove merged patch CVE-2020-8492-urllib-ReDoS.patch, + CRLF_injection_via_host_part.patch, and + CVE-2019-18348-CRLF_injection_via_host_part.patch. qca:qt5 +- BR ca-certificates-mozilla for the testsuite +- Have the devel package require the library +- Drop qca-2.3.0-fixDSA.patch, that was fixed in 2014 already by + just disabling DSA +- Add upstream change: + * 0001-hashunittest-run-sha384longtest-only-for-providers-t.patch + +- Update to 2.3.5 + * find dependencies of Qca when the cmake package is used by a + project + * Handle openssl without case5 support + * Update rootcerts.pem + * SafeSocketNotifier: fix socket FD type and remove signal + argument +- Drop patch, merged upstream: + * 0001-Make-filewatchunittest-much-quicker.patch + rpm +- Strip critical bit in signature subpackage parsing + * modified patch: pgpharden.diff +- Add workaround to make newer dnf versions no longer deadlock + after it imported a pubkey [bnc#1202750] + * new patch: keyimportdeadlock.diff + rubygem-nokogiri +- add 003-CVE-2022-24836.patch (CVE-2022-24836, bsc#1198408) + fixes possibility to DoS because of inefficient RE in HTML encoding +- add 004_CVE-2022-29181.patch (CVE-2022-29181, bsc#1199782) + fixes Improper Handling of Unexpected Data Types + 
solid +- Update to 5.100.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.100.0 +- Changes since 5.99.0: + * Fix the translation folder name + +- Update to 5.99.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.99.0 +- Changes since 5.98.0: + * Add Windows Qt 6 CI + * Disambiguate expression for MSVC + * .gitlab-ci.yml: enable static builds + * FstabStorageAccess: Trim output from (u)mount + * udisks2: Handle NotAuthorizedCanObtain and NotAuthorizedDismissed + +- Update to 5.98.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.98.0 +- Changes since 5.97.0: + * Add FreeBSD Qt6 CI support + * Add explanation for enum value 'Smb3'. + * Improve SMB3 filesystem integration. + * Add Samba's SMB3 filesystem to Solid. + +- Update to 5.97.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.97.0 +- Changes since 5.96.0: + * [UDisksDeviceBackend] Port introspect to QXmlStreamReader + * [UDisksDeviceBackend] Remove pointless QDBusInterface + * udev/cpuinfo_arm: add more Apple part IDs + * udev/cpuinfo_arm: change Apple part formatting + * Drop lib prefix when building for Windows (MinGW) + +- Update to 5.96.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.96.0 +- Changes since 5.95.0: + * Require passing tests for the CI to pass + * avoid segfault if qobject_cast fails + * upower: Allow displaying Apple Magic Trackpad charge level + * skip non-FileSystem StorageVolumes in storageAccessFromPath + +- Update to 5.95.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.95.0 +- No code change since 5.94.0 + +- Update to 5.94.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.94.0 +- 
Changes since 5.93.0: + * udev/cpuinfo_arm: Add missing CPU ID + * Mark as supported on Android + * Add windows CI + +- Update to 5.93.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.93.0 +- Changes since 5.92.0: + * Recognize fuse.gocryptfs mounts as devices like we do for cryfs + and encfs (kde#452070) + * Add git blame ignore file + +- Update to 5.92.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.92.0 +- Changes since 5.91.0: + * Use enum in switch instead of raw int + * Add Qt6 Android CI + * udisks backend: Add UD2_DBUS_PATH_BLOCKDEVICES and use more constants + * udev: Do not ignore joysticks + * Check executables exist in PATH before passing them to QProcess + +- Update to 5.91.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.91.0 +- Changes since 5.90.0: + * Convert some connect to new signature style + * [UDisks2 Backend] Don't do media check for loop devices + * Fix enum predicate comparison with Qt6 + * [upower] Properly round up battery's capacity (kde#448372) + * Add CI qt6 support + * [UPower Backend] Check for Bluez for any unknown battery type + * [UDisks2] Ignore file systems mounted with x-gdu.hide option + sonnet +- Update to 5.100.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.100.0 +- Changes since 5.99.0: + * Add Windows Qt 6 CI + * Fix the translation folder name + +- Update to 5.99.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.99.0 +- Changes since 5.98.0: + * .gitlab-ci.yml: enable static builds + +- Update to 5.98.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.98.0 +- Changes since 5.97.0: + * Add FreeBSD Qt6 CI support + +- Update to 5.97.0 + * New feature release + * For more 
details please see: + * https://kde.org/announcements/frameworks/5/5.97.0 +- Changes since 5.96.0: + * Port to ECMQmlModule + * Drop lib prefix when building for Windows (MinGW) + * improve documentation + * fix obsolete string + * fix typo + * add new test + +- Update to 5.96.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.96.0 +- Changes since 5.95.0: + * Require passing unit tests for the CI to pass + +- Update to 5.95.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.95.0 +- Changes since 5.94.0: + * Fix unused parameter warning + * Try to load en_US for LANG=C (kde#410113) + * Fix bookkeeping about loaded plugins + * Don't load already loaded plugin + * Don't warn, just debug about not loadable plugin + * Unload skipped/already loaded plugin + +- Update to 5.94.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.94.0 +- Changes since 5.93.0: + * Fix license identifier + * Add windows CI + +- Update to 5.93.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.93.0 +- Changes since 5.92.0: + * Enable Windows spellchecker with mingw + * Add Android to supported platforms in repo metadata + * hunspell: resolve symlinks with canonicalFilePath() + +- Update to 5.92.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.92.0 +- Changes since 5.91.0: + * settings: Emit `autodetectLanguageChanged` + * Add Qt6 Android CI + * Make the BUILD_DESIGNERPLUGIN option dependent on not cross-compiling + * QMake pri files: fix missing new path to version header + +- Update to 5.91.0 + * New feature release + * For more details please see: + * https://kde.org/announcements/frameworks/5/5.91.0 +- Changes since 5.90.0: + * Missing "/" + * Allow to install plugin in kf5 or kf6 directory + * Add CI qt6 
support + * Support building hspelldict backend with Qt6 + systemd +- Import commit 0cd50eedcc0692c1f907b24424215f8db7d3b428 + ae2067b062 time-util: fix buffer-over-run (bsc#1204968 CVE-2022-3821) + 0469b9f2bc pstore: do not try to load all known pstore modules + ad05f54439 pstore: Run after modules are loaded + ccad817445 core: Add trigger limit for path units + 281d818fe3 core/mount: also add default before dependency for automount mount units + ffe5b4afa8 logind: fix crash in logind on user-specified message string + +- Add 1012-man-describe-the-net-naming-schemes-specific-to-SLE.patch (bsc#1204179) +- Make "sle15-sp3" net naming scheme still available for backward compatibility + reason + tar +- Fix unexpected inconsistency when making directory, bsc#1203600 + * tar-avoid-overflow-in-symlinks-tests.patch + * tar-fix-extract-unlink.patch +- Update race condition fix, bsc#1200657 + * tar-fix-race-condition.patch +- Refresh bsc1200657.patch + tiff + * CVE-2022-3597 [bsc#1204641] + * CVE-2022-3626 [bsc#1204644] + * CVE-2022-3627 [bsc#1204645] + + tiff-CVE-2022-3597,CVE-2022-3626,CVE-2022-3627.patch + * CVE-2022-3599 [bsc#1204643] + + tiff-CVE-2022-3599.patch + * CVE-2022-3970 [bsc#1205392] + + tiff-CVE-2022-3970.patch + +- security update: tigervnc -- U_Handle-pending-data-in-TLS-buffers.patch - * Vncclient wasn't refreshing screen correctly due to an issue on - TLS stream buffers. - * bsc#1199477 - -- U_0003-Update-Surface_X11.cxx.patch - * Fix to render properly considering endianness. 
- * bsc#1197119 +- Release 1.12.0 covers bugfixes for bsc#1197119,bsc#1199477 + +- Release 1.12.0 supersedes the following patches still used with + tigervnc 1.10.1 on sle15-sp4/Leap 15.4: + * U_0003-Update-Surface_X11.cxx.patch + * U_Handle-pending-data-in-TLS-buffers.patch + +- Use %_pam_vendordir + +- fix homepage url +- move license to licensedir +- a few of the trivial spec-cleaner cleanups + +- nasm is not needed for build, remove from buildrequires +- Remove patch: tigervnc-clean-pressed-key-on-exit.patch + * fixed bsc#670448 wich can no longer be reproduced + * removing the patch fixes bsc#1196214 + * related: https://github.com/TigerVNC/tigervnc/pull/14 + +- n_vncserver.patch + * fix location of Xsession script +- vncserver usage has radically changed; please check this: + https://github.com/TigerVNC/tigervnc/blob/master/unix/vncserver/HOWTO.md + +- Update to tigervnc 1.12.0 + * The native viewer now supports full screen over a subset of monitors (e.g. 2 out of 3), and reacts properly to monitors being added or removed + * Recent server history in the native viewer + * The native viewer now has an option to reconnect if the connection is dropped + * Translations are now enabled on Windows and macOS for the native viewer + * The native viewer now respects the system security policy + * Better handling of accented keys in the Java viewer + * The Unix servers can now listen to both a Unix socket and a TCP port at the same time + * The network code in both the servers and the native viewer has been restructured to give a more responsive experience + * The vncserver service now correctly handles settings set to "0" + * Fixed the clipboard Unicode handling in both the native viewer and the servers + * Support for pointer "warping" in Xvnc and the native viewer, enabling e.g. 
FPS games +- Update to tigervnc 1.11.0 + * A security issue has been fixed in how the viewers handle TLS certificate exceptions + * vncserver has gotten a major redesign to be compatible with modern distributions + * The native viewer now has touch gestures to handle certain mouse actions (e.g. scroll wheel) + * Middle mouse button emulation in the native viewer, for devices with only two mouse buttons + * The Java viewer now supports Java 9+, but also now requires Java 8+ + * Support for alpha cursors in the Java viewer (a feature already supported in the native viewer) + * The password and username can now be specified via the environment for the native viewer + * Support for building Xvnc/libvnc.so with Xorg 1.20.7+ and deprecate support for Xorg older than 1.16 + * The official builds have been fixed to work on the upcoming macOS 11 + * The Windows server (WinVNC) is now packaged separately as it is unmaintained and buggy +- Removed patches (included in 1.12.0): + * U_viewer-reset-ctrl-alt-to-menu-state-on-focus.patch + * tigervnc-fix-saving-of-bad-server-certs.patch + * u_xorg-server-1.20.7-ddxInputThreadInit.patch + * U_0001-Properly-store-certificate-exceptions.patch + * U_0002-Properly-store-certificate-exceptions-in-Java-viewer.patch + * tigervnc-FIPS-use-RFC7919.patch + * u_Fix-non-functional-MaxDisconnectionTime.patch +- Removed patches (no longer needed): + * u_tigervnc-cve-2014-8240.patch (https://github.com/TigerVNC/tigervnc/pull/1258) + * u_tigervnc_update_default_vncxstartup.patch +- Refreshed patches: + * n_correct_path_in_desktop_file.patch + * n_tigervnc-date-time.patch + * n_utilize-system-crypto-policies.patch + * tigervnc-clean-pressed-key-on-exit.patch + * tigervnc-newfbsize.patch + * u_build_libXvnc_as_separate_library.patch + * u_change-button-layout-in-ServerDialog.patch + * u_tigervnc-add-autoaccept-parameter.patch + * u_tigervnc-211.patch + +- buildrequire xorg-x11-server-sdk/xorg-x11-server-source >= 21.1.0 + +- Change to 
systemd-sysusers + +- u_tigervnc-211.patch, xserver211.patch + * fixes build against xorg-server 21.1 sources + timezone +- timezone update 2022f (bsc#1177460): + * Mexico will no longer observe DST except near the US border + * Chihuahua moves to year-round -06 on 2022-10-30 + * Fiji no longer observes DST + * Move links to 'backward' + * In vanguard form, GMT is now a Zone and Etc/GMT a link + * zic now supports links to links, and vanguard form uses this + * Simplify four Ontario zones + * Fix a Y2438 bug when reading TZif data + * Enable 64-bit time_t on 32-bit glibc platforms + * Omit large-file support when no longer needed + * In C code, use some C23 features if available + * Remove no-longer-needed workaround for Qt bug 53071 +- Refreshed patches: + * fat.patch + * tzdata-china.diff + +- timezone update 2022e (bsc#1177460): + * Jordan and Syria switch from +02/+03 with DST to year-round +03 +- timezone update 2022d: + * Palestine transitions are now Saturdays at 02:00 + * Simplify three Ukraine zones into one +- timezone update 2022c: + * Work around awk bug + * Improve tzselect on intercontinental Zones +- timezone update 2022b: + * Chile's DST is delayed by a week in September 2022 boo#1202324 + * Iran no longer observes DST after 2022 + * Rename Europe/Kiev to Europe/Kyiv + * New zic -R option + * Vanguard form now uses %z + * Finish moving duplicate-since-1970 zones to 'backzone' +- Refresh tzdata-china.diff +- Remove upstreamed bsc1202310.patch + timezone-java +- timezone update 2022f (bsc#1177460): + * Mexico will no longer observe DST except near the US border + * Chihuahua moves to year-round -06 on 2022-10-30 + * Fiji no longer observes DST + * Move links to 'backward' + * In vanguard form, GMT is now a Zone and Etc/GMT a link + * zic now supports links to links, and vanguard form uses this + * Simplify four Ontario zones + * Fix a Y2438 bug when reading TZif data + * Enable 64-bit time_t on 32-bit glibc platforms + * Omit large-file support when 
no longer needed + * In C code, use some C23 features if available + * Remove no-longer-needed workaround for Qt bug 53071 +- Refreshed patches: + * fat.patch + * tzdata-china.diff + +- timezone update 2022e (bsc#1177460): + * Jordan and Syria switch from +02/+03 with DST to year-round +03 +- timezone update 2022d: + * Palestine transitions are now Saturdays at 02:00 + * Simplify three Ukraine zones into one +- timezone update 2022c: + * Work around awk bug + * Improve tzselect on intercontinental Zones +- timezone update 2022b: + * Chile's DST is delayed by a week in September 2022 boo#1202324 + * Iran no longer observes DST after 2022 + * Rename Europe/Kiev to Europe/Kyiv + * New zic -R option + * Vanguard form now uses %z + * Finish moving duplicate-since-1970 zones to 'backzone' +- Refresh tzdata-china.diff +- Remove upstreamed bsc1202310.patch + vim +- Updated to version 9.0 with patch level 0814, fixes the following problems + * Fixing bsc#1192478 VUL-1: CVE-2021-3928: vim: vim is vulnerable to Stack-based Buffer Overflow + * Fixing bsc#1203508 VUL-0: CVE-2022-3234: vim: Heap-based Buffer Overflow prior to 9.0.0483. + * Fixing bsc#1203509 VUL-1: CVE-2022-3235: vim: Use After Free in GitHub prior to 9.0.0490. + * Fixing bsc#1203820 VUL-0: CVE-2022-3324: vim: Stack-based Buffer Overflow in prior to 9.0.0598. 
+ * Fixing bsc#1204779 VUL-0: CVE-2022-3705: vim: use after free in function qf_update_buffer of the file quickfix.c + * Fixing bsc#1203152 VUL-1: CVE-2022-2982: vim: use after free in qf_fill_buffer() + * Fixing bsc#1203796 VUL-1: CVE-2022-3296: vim: stack out of bounds read in ex_finally() in ex_eval.c + * Fixing bsc#1203797 VUL-1: CVE-2022-3297: vim: use-after-free in process_next_cpt_value() at insexpand.c + * Fixing bsc#1203110 VUL-1: CVE-2022-3099: vim: Use After Free in ex_docmd.c + * Fixing bsc#1203194 VUL-1: CVE-2022-3134: vim: use after free in do_tag() + * Fixing bsc#1203272 VUL-1: CVE-2022-3153: vim: NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0404. + * Fixing bsc#1203799 VUL-1: CVE-2022-3278: vim: NULL pointer dereference in eval_next_non_blank() in eval.c + * Fixing bsc#1203924 VUL-1: CVE-2022-3352: vim: vim: use after free + * Fixing bsc#1203155 VUL-1: CVE-2022-2980: vim: null pointer dereference in do_mouse() + * Fixing bsc#1202962 VUL-1: CVE-2022-3037: vim: Use After Free in vim prior to 9.0.0321 +- ignore-flaky-test-failure.patch: Ignore failure of flaky tests +- disable-unreliable-tests-arch.patch: Removed +- for the complete list of changes see + https://github.com/vim/vim/compare/v9.0.0313...v9.0.0814 + virt-v2v +- bsc#1201064 - Libguestfs: Buffer overflow in get_keys leads + to DOS - CVE-2022-2211 + CVE-2022-2211-options-fix-buffer-overflow-in-get_keys.patch + virtualbox +Removed file "fixes_for_leap15.4.patch" - fixed upstream. + Added file "fix_kmp_build.patch' +- VirtualBox 7.0.4 (released November 18 2022) + This is a maintenance release. 
The following items were fixed and/or added: + VMM: Added nested paging support for nested virtualization (Intel hosts only) + VMM: Fixed rare guru meditations with certain guests on macOS 10.15 (Catalina) (bug #21237) + VMM: Fixed possible VM process crash on Windows hosts when Hyper-V is used with certain guests (bug #21174) + VMM: Fixed Windows XP guest hang or BSOD on AMD CPUs under certain circumstances (bug #21256) + GUI: Various bugfixes for the Guest Control file manager + GUI: Added more informative file operations in the Guest Control file manager + GUI: Added an option to the global settings (the display page) to resize user interface font + GUI: Fixed a regression in new vm wizard. Selected virtual disks are no longer deleted when the wizard is cancelled (bug #21244) + GUI: Added a new menu item to the devices menu to optionally upgrade the guest additions. + VirtioSCSI: Fixed recognition of the virtio SCSI controller by the EFI firmware (bug #21200) + VirtioSCSI: Fixed hang when shutting down the VM if the virtio SCSI controller is used (bug #21144) + virtio-net: Workaround a bug in the virtio-net driver included in FreeBSD version up to 12.3 which renders the device non functional (bug #21201) + Storage: Fixed I/O errors with the VirtioSCSI controller when the host I/O cache is enabled (bug #19717) + VBoxManage: Fixed regression when 'createmedium disk --variant RawDisk' command resulted in invalid .vmdk file (bug #21125) + Main: Restored input pointing device behavior in multi-monitor VM configuration (bug #21137) + Main: Fixed progress indication during automatic Linux Guest Additions installation + Guest Control: Fixed path handling issues (bug #21095) + 3D: Fixed VM process crash on macOS with 3D enabled (bug #21232) + Linux Host and Guest: General improvements in startup scripts + Linux Guest Additions: Introduced initial support for RHEL 8.7 and 9.2 kernels (bug #21272, #21258) + Linux Guest Additions: Introduced initial support for SLES 15.4 
kernels + Linux Guest Additions: Fixed kernel modules rebuild behavior on system shutdown + +added file "set_noexec_stack.patch" to remove executable stack in yasm-compiled routines + added file "fix_v7_build.patch" + added file "fixes_for_leap15.4.patch" + added file "VBoxDDR0.r0" + deleted file "/vb-6.1.16-modal-dialog-parent.patch" + VirtualBox 7.0.2 (released October 20 2022) + This is a maintenance release. The following items were fixed and/or added: + Known issue: VMs having more than one vCPU configured will not work properly on macOS Catalina due to an unknown memory corruption issue. Either lower the number of vCPUs to 1 or upgrade to BigSur or later where the issue does not occur + Main: Fixed issue when VBoxSVC could become unresponsive if Extension Pack was not installed (bug #21167) + Linux Guest Additions: Introduced initial support for kernel 6.1 + Linux Guest Additions: Fixed issue when VBoxClient seamless service caused a crash of some X11 applications (bug #21132) + GUI: Fixed a glitch in the log viewer which was causing wrong log file to be saved (bug #21156) + VirtualBox 7.0.0 (released October 10 2022) + This is a major update. The following major new features were added: + Virtual machines can be fully encrypted now, including the VM config logs and saved states (CLI only for now) + OCI: Cloud virtual machines can be added to Virtual Machine Manager and controlled as local VMs + OCI: Cloud networks can now be configured via Network Manager tool same way as it is done for Host-only and NAT networks + GUI: Added a new utility similar to "top" or "resource monitor" which lists peformance statistics (CPU usage, RAM usage, disk I/O rate, etc.) 
of running guests + GUI: Reworked the new vm wizard to integrate the unattended guest OS installation and to have a more streamlined work flow + GUI: Added a new help viewer widget which enables the user manual to be navigated and searched + GUI: Adding new notification center unifying most of running progresses and error reporting around the GUI + GUI: Improved theme support on all platforms. Linux and macOS use native engine while for Windows host it is separately implemented. + GUI: Large icon update. + Audio recording: Now using Vorbis as the default audio format for WebM containers. Opus is no longer being used. + Audio: Added "default" host driver type to make it possible to move VMs (appliances) between different platforms without the need of changing the audio driver explicitly. When the "default" driver is selected, the best audio backend option for a platform will be used. This is the default for newly created VMs. + Guest Control: Implemented initial support for automatic updating of Guest Additions for Linux guests + Guest Control: Implemented ability to wait for and/or reboot the guest when updating Guest Additions via VBoxManage + VBoxManage: Added Guest Control "waitrunlevel" sub-command to make it possible to wait for a guest to reach a certain run level + Linux Guest Additions: Reworked guest screen re-size functionality, added basic integration with some of guest Desktop Environments + Devices: Implemented new 3D support based on DirectX 11 (and DXVK on non Windows hosts) + Devices: Added virtual IOMMU devices (Intel and AMD variant) + Devices: Added virtual TPM 1.2 and 2.0 devices + Devices: The EHCI and XHCI USB controller devices are now part of the open source base package + EFI: Added support for Secure Boot + Debugging: Added experimental support for guest debugging through GDB and highly experimental support for guest debugging through KD/WinDbg + In addition, the following items were fixed and/or added: + OCI: Cloud networking 
functionality is enhanced for local VMs, now local VMs could be connected to cloud networking + GUI: Improved behavior of the virtual machine list and various VM related tools in case multiple items are selected + GUI: On available platforms, added a new option to disable the host's screensaver + GUI: Reworked global preferences, machine settings and the wizards to improve stability and usability + GUI: Improving mouse handling in multi-monitor case on X11 platform + GUI: Medium enumeration engine was reworked to improve permormance + GUI: NAT Network stuff was moved from global preferences to global Network Manager tool + GUI: Extension Pack Manager was moved from global preferences to global tools + GUI: Improved overall accessibility + GUI: Migrating to recent Qt versions. + +This is a maintenance release. The following items were fixed and/or added: + GUI: Fixed missed machine-items state translation on language change + USB: Fixed possible crash when the device got detached while the controller is resetting the port + Main: Provide guest's absolute pointing mouse device with buttons state when mouse integration is ON + Linux Host and Guest Additions: Prevented build failure on 5.8+ 32-bit kernels + Linux Host and Guest Additions: Introduced additional fixes for kernel 6.0 + Linux Host and Guest Additions: Introduced additional fixes for Debian specific kernels + Solaris and Linux Guest Additions: Added better handling of negative screen sizes which some X11 desktop environments are reporting + Windows Guest Additions: Added fixes related to VBoxTray IPC +- Fix boo#1204233 boo#1204331 boo#1202851 +- Remove file fix_error_in_USB_header.patch - fixed upstream + +- Fix build breakage with kernel 6.0 due to variable-length array in middle of a struct. boo#1204151 + File "fix_error_in_USB_header.patch" is added. + +- Fix boo#1204019 VBoxClient: VbglR3InitUser failed: VERR_ACCESS_DENIED + +- Add a "Provides: virtualbox-guest-x11" to virtualbox-guest-tools. 
boo#1203735 + virtualbox:kmp +Removed file "fixes_for_leap15.4.patch" - fixed upstream. + Added file "fix_kmp_build.patch' +- VirtualBox 7.0.4 (released November 18 2022) + This is a maintenance release. The following items were fixed and/or added: + VMM: Added nested paging support for nested virtualization (Intel hosts only) + VMM: Fixed rare guru meditations with certain guests on macOS 10.15 (Catalina) (bug #21237) + VMM: Fixed possible VM process crash on Windows hosts when Hyper-V is used with certain guests (bug #21174) + VMM: Fixed Windows XP guest hang or BSOD on AMD CPUs under certain circumstances (bug #21256) + GUI: Various bugfixes for the Guest Control file manager + GUI: Added more informative file operations in the Guest Control file manager + GUI: Added an option to the global settings (the display page) to resize user interface font + GUI: Fixed a regression in new vm wizard. Selected virtual disks are no longer deleted when the wizard is cancelled (bug #21244) + GUI: Added a new menu item to the devices menu to optionally upgrade the guest additions. 
+ VirtioSCSI: Fixed recognition of the virtio SCSI controller by the EFI firmware (bug #21200) + VirtioSCSI: Fixed hang when shutting down the VM if the virtio SCSI controller is used (bug #21144) + virtio-net: Workaround a bug in the virtio-net driver included in FreeBSD version up to 12.3 which renders the device non functional (bug #21201) + Storage: Fixed I/O errors with the VirtioSCSI controller when the host I/O cache is enabled (bug #19717) + VBoxManage: Fixed regression when 'createmedium disk --variant RawDisk' command resulted in invalid .vmdk file (bug #21125) + Main: Restored input pointing device behavior in multi-monitor VM configuration (bug #21137) + Main: Fixed progress indication during automatic Linux Guest Additions installation + Guest Control: Fixed path handling issues (bug #21095) + 3D: Fixed VM process crash on macOS with 3D enabled (bug #21232) + Linux Host and Guest: General improvements in startup scripts + Linux Guest Additions: Introduced initial support for RHEL 8.7 and 9.2 kernels (bug #21272, #21258) + Linux Guest Additions: Introduced initial support for SLES 15.4 kernels + Linux Guest Additions: Fixed kernel modules rebuild behavior on system shutdown + +added file "set_noexec_stack.patch" to remove executable stack in yasm-compiled routines + added file "fix_v7_build.patch" + added file "fixes_for_leap15.4.patch" + added file "VBoxDDR0.r0" + deleted file "/vb-6.1.16-modal-dialog-parent.patch" + VirtualBox 7.0.2 (released October 20 2022) + This is a maintenance release. The following items were fixed and/or added: + Known issue: VMs having more than one vCPU configured will not work properly on macOS Catalina due to an unknown memory corruption issue. 
Either lower the number of vCPUs to 1 or upgrade to BigSur or later where the issue does not occur + Main: Fixed issue when VBoxSVC could become unresponsive if Extension Pack was not installed (bug #21167) + Linux Guest Additions: Introduced initial support for kernel 6.1 + Linux Guest Additions: Fixed issue when VBoxClient seamless service caused a crash of some X11 applications (bug #21132) + GUI: Fixed a glitch in the log viewer which was causing wrong log file to be saved (bug #21156) + VirtualBox 7.0.0 (released October 10 2022) + This is a major update. The following major new features were added: + Virtual machines can be fully encrypted now, including the VM config logs and saved states (CLI only for now) + OCI: Cloud virtual machines can be added to Virtual Machine Manager and controlled as local VMs + OCI: Cloud networks can now be configured via Network Manager tool same way as it is done for Host-only and NAT networks + GUI: Added a new utility similar to "top" or "resource monitor" which lists peformance statistics (CPU usage, RAM usage, disk I/O rate, etc.) of running guests + GUI: Reworked the new vm wizard to integrate the unattended guest OS installation and to have a more streamlined work flow + GUI: Added a new help viewer widget which enables the user manual to be navigated and searched + GUI: Adding new notification center unifying most of running progresses and error reporting around the GUI + GUI: Improved theme support on all platforms. Linux and macOS use native engine while for Windows host it is separately implemented. + GUI: Large icon update. + Audio recording: Now using Vorbis as the default audio format for WebM containers. Opus is no longer being used. + Audio: Added "default" host driver type to make it possible to move VMs (appliances) between different platforms without the need of changing the audio driver explicitly. When the "default" driver is selected, the best audio backend option for a platform will be used. 
This is the default for newly created VMs. + Guest Control: Implemented initial support for automatic updating of Guest Additions for Linux guests + Guest Control: Implemented ability to wait for and/or reboot the guest when updating Guest Additions via VBoxManage + VBoxManage: Added Guest Control "waitrunlevel" sub-command to make it possible to wait for a guest to reach a certain run level + Linux Guest Additions: Reworked guest screen re-size functionality, added basic integration with some of guest Desktop Environments + Devices: Implemented new 3D support based on DirectX 11 (and DXVK on non Windows hosts) + Devices: Added virtual IOMMU devices (Intel and AMD variant) + Devices: Added virtual TPM 1.2 and 2.0 devices + Devices: The EHCI and XHCI USB controller devices are now part of the open source base package + EFI: Added support for Secure Boot + Debugging: Added experimental support for guest debugging through GDB and highly experimental support for guest debugging through KD/WinDbg + In addition, the following items were fixed and/or added: + OCI: Cloud networking functionality is enhanced for local VMs, now local VMs could be connected to cloud networking + GUI: Improved behavior of the virtual machine list and various VM related tools in case multiple items are selected + GUI: On available platforms, added a new option to disable the host's screensaver + GUI: Reworked global preferences, machine settings and the wizards to improve stability and usability + GUI: Improving mouse handling in multi-monitor case on X11 platform + GUI: Medium enumeration engine was reworked to improve permormance + GUI: NAT Network stuff was moved from global preferences to global Network Manager tool + GUI: Extension Pack Manager was moved from global preferences to global tools + GUI: Improved overall accessibility + GUI: Migrating to recent Qt versions. + +This is a maintenance release. 
The following items were fixed and/or added: + GUI: Fixed missed machine-items state translation on language change + USB: Fixed possible crash when the device got detached while the controller is resetting the port + Main: Provide guest's absolute pointing mouse device with buttons state when mouse integration is ON + Linux Host and Guest Additions: Prevented build failure on 5.8+ 32-bit kernels + Linux Host and Guest Additions: Introduced additional fixes for kernel 6.0 + Linux Host and Guest Additions: Introduced additional fixes for Debian specific kernels + Solaris and Linux Guest Additions: Added better handling of negative screen sizes which some X11 desktop environments are reporting + Windows Guest Additions: Added fixes related to VBoxTray IPC +- Fix boo#1204233 boo#1204331 boo#1202851 +- Remove file fix_error_in_USB_header.patch - fixed upstream + +- Fix build breakage with kernel 6.0 due to variable-length array in middle of a struct. boo#1204151 + File "fix_error_in_USB_header.patch" is added. + +- Fix boo#1204019 VBoxClient: VbglR3InitUser failed: VERR_ACCESS_DENIED + +- Add a "Provides: virtualbox-guest-x11" to virtualbox-guest-tools. boo#1203735 + webkit2gtk3 +- Update to version 2.38.2 (boo#1205120 boo#1205123 boo#1205124): + + Fix scrolling issues in some sites having fixed background. + + Fix prolonged buffering during progressive live playback. + + Fix the build with accessibility disabled. + + Fix several crashes and rendering issues. + + Security fixes: CVE-2022-42799, CVE-2022-42823, CVE-2022-42824. +- Update no-forced-sse.patch with quilt. +- Pass -DENABLE_DOCUMENTATION=OFF to configure, we did not build + the API docs in the past, and I see no reason to start now. +- Drop pkgconfig(libnotify) BuildRequires: No longer needed, nor + used if available. +- Pass -DUSE_SYSTEM_MALLOC=ON on all architectures, to work + around webkit#243535. 
+ +- Update to version 2.38.1: + + Make xdg-dbus-proxy work if host session bus address is an + abstract socket. + + Use a single xdg-dbus-proxy process when sandbox is enabled. + + Fix high resolution video playback due to unimplemented + changeType operation. + + Ensure GSubprocess uses posix_spawn() again and inherit file + descriptors. + + Fix player stucking in buffering (paused) state for progressive + streaming. + + Do not try to preconnect on link click when link preconnect + setting is disabled. + + Fix close status code returned when the client closes a + WebSocket in some cases. + + Fix media player duration calculation. + + Fix several crashes and rendering issues. + +- Update to version 2.38.0 boo#1205121 boo#1205122): + + New media controls UI style. + + Add new API to set WebView’s Content-Security-Policy for web + extensions support. + + Make it possible to use the remote inspector from other + browsers using WEBKIT_INSPECTOR_HTTP_SERVER env var. + + MediaSession is enabled by default, allowing remote media + control using MPRIS. + + Add support for PDF documents using PDF.js. + + Security fixes: CVE-2022-32888, CVE-2022-32923. 
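Review bot: in the webkit2gtk3 entry, the header "Update to version 2.38.0 boo#1205121 boo#1205122):" is missing its opening parenthesis; write it as "(boo#1205121 boo#1205122)" to match the 2.38.2 header. Both the 2.38.0 and 2.38.2 items list their CVE ids and boo# references separately; pairing each CVE with its bug number would let a reader confirm which fix closes which report.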
+ wget +- Update 0001-possibly-truncate-pathname-components.patch + * Truncate file name even if no directory structure + * [bsc#1204720] + wicked +- version 0.6.70 +- build: Link as Position Independent Executable (bsc#1184124) +- dhcp4: Fix issues in reuse of last lease (bsc#1187655) +- dhcp6: Add option to refresh lease (jsc#SLE-9492,jsc#SLE-24307) +- dhcp6: Remove address before release (USGv6 DHCPv6_1_2_07b) +- dhcp6: Ignore lease release status (USGv6 DHCPv6_1_2_07e,1_3_03) +- dhcp6: Consider ppp interfaces supported (gh#openSUSE/wicked#924) +- team: Fix to configure port priority in teamd (bsc#1200505) +- firewall-ext: No config change on ifdown (bsc#1201053,bsc#118950) +- wireless: Fix SEGV on supplicant restart (gh#openSUSE/wicked#931) +- wireless: Add support for WPA3 and PMF (bsc#1198894) +- wireless: Remove libiw dependencies (gh#openSUSE/wicked#910) +- client: Fix SEGV on empty xpath results (gh#openSUSE/wicked#919) +- client: Add release options to ifdown/ifreload (jsc#SLE-10249) +- dbus: Clear string array before append (gh#openSUSE/wicked#913) +- socket: Fix SEGV on heavy socket restart errors (bsc#1192508) +- systemd: Remove systemd-udev-settle dependency (bsc#1186787) + -- dbus: cleanup the dbus-service.h file and unused property makros +- dbus: cleanup the dbus-service.h file and unused property macros - e.g. tso has been splitted into several features and the + e.g. tso has been split into several features and the -- cleanup: add mising/explicit designated field initializers +- cleanup: add missing/explicit designated field initializers -- dhcp: suport to define and request custom options (bsc#988954), +- dhcp: support to define and request custom options (bsc#988954), -- utils: fixed last byte formating in ni_format_hex +- utils: fixed last byte formatting in ni_format_hex -- ifconfig: readd broadcast calculation (bcs#971629). +- ifconfig: re-add broadcast calculation (bcs#971629). 
-- vesion 0.6.27 +- version 0.6.27 wireplumber +- Work around the bug in systemd scripts that didn't set the + default enable state for the wireplumber user service when + installing wireplumber. The bug (boo#1200485) was fixed but + that's only for new installations while this workaround will + fix current installations (boo#1202008). + xen +- bsc#1193923 - VUL-1: xen: Frontends vulnerable to backends + (XSA-376) + 61dd5f64-limit-support-statement-for-Linux-and-Windows-frontends.patch + +- bsc#1203806 - VUL-0: CVE-2022-33746: xen: P2M pool freeing may + take excessively long (XSA-410) + 63455f82-Arm-P2M-prevent-adding-mapping-when-dying.patch + 63455fa8-Arm-P2M-preempt-when-freeing-intermediate.patch + 63455fc3-x86-p2m_teardown-allow-skip-root-pt-removal.patch + 63455fe4-x86-HAP-monitor-table-error-handling.patch + 63456000-x86-tolerate-sh_set_toplevel_shadow-failure.patch + 6345601d-x86-tolerate-shadow_prealloc-failure.patch + 6345603a-x86-P2M-refuse-new-alloc-for-dying.patch + 63456057-x86-P2M-truly-free-paging-pool-for-dying.patch + 63456075-x86-P2M-free-paging-pool-preemptively.patch + 63456090-x86-p2m_teardown-preemption.patch +- bcs#1203804 - VUL-0: CVE-2022-33747: xen: unbounded memory consumption + for 2nd-level page tables on ARM systems (XSA-409) + 63456175-libxl-per-arch-extra-default-paging-memory.patch + 63456177-Arm-construct-P2M-pool-for-guests.patch + 6345617a-Arm-XEN_DOMCTL_shadow_op.patch + 6345617c-Arm-take-P2M-pages-P2M-pool.patch +- bsc#1203807 - VUL-0: CVE-2022-33748: xen: lock order inversion in + transitive grant copy handling (XSA-411) + 634561aa-gnttab-locking-on-transitive-copy-error-path.patch +- Upstream bug fixes (bsc#1027519) + 6306185f-x86-XSTATE-CPUID-subleaf-1-EBX.patch + 631b5ba6-gnttab-acquire-resource-vaddrs.patch + 634561f1-x86emul-respect-NSCB.patch + 6346e404-VMX-correct-error-handling-in-vmx_create_vmcs.patch + 6351095c-Arm-rework-p2m_init.patch + 6351096a-Arm-P2M-populate-pages-for-GICv2-mapping.patch + 
635274c0-EFI-dont-convert-runtime-mem-to-RAM.patch + 635665fb-sched-fix-restore_vcpu_affinity.patch + 63569723-x86-shadow-replace-bogus-assertions.patch +- Drop patches replaced by upstream versions: + xsa410-01.patch + xsa410-02.patch + xsa410-03.patch + xsa410-04.patch + xsa410-05.patch + xsa410-06.patch + xsa410-07.patch + xsa410-08.patch + xsa410-09.patch + xsa410-10.patch + xsa411.patch + +- bsc#1204482 - VUL-0: CVE-2022-42311, CVE-2022-42312, + CVE-2022-42313, CVE-2022-42314, CVE-2022-42315, CVE-2022-42316, + CVE-2022-42317, CVE-2022-42318: xen: Xenstore: Guests can let + xenstored run out of memory (XSA-326) + xsa326-01.patch + xsa326-02.patch + xsa326-03.patch + xsa326-04.patch + xsa326-05.patch + xsa326-06.patch + xsa326-07.patch + xsa326-08.patch + xsa326-09.patch + xsa326-10.patch + xsa326-11.patch + xsa326-12.patch + xsa326-13.patch + xsa326-14.patch + xsa326-15.patch + xsa326-16.patch +- bsc#1204485 - VUL-0: CVE-2022-42309: xen: Xenstore: Guests can + crash xenstored (XSA-414) + xsa414.patch +- bsc#1204487 - VUL-0: CVE-2022-42310: xen: Xenstore: Guests can + create orphaned Xenstore nodes (XSA-415) + xsa415.patch +- bsc#1204488 - VUL-0: CVE-2022-42319: xen: Xenstore: Guests can + cause Xenstore to not free temporary memory (XSA-416) + xsa416.patch +- bsc#1204489 - VUL-0: CVE-2022-42320: xen: Xenstore: Guests can + get access to Xenstore nodes of deleted domains (XSA-417) + xsa417.patch +- bsc#1204490 - VUL-0: CVE-2022-42321: xen: Xenstore: Guests can + crash xenstored via exhausting the stack (XSA-418) + xsa418-01.patch + xsa418-02.patch + xsa418-03.patch + xsa418-04.patch + xsa418-05.patch + xsa418-06.patch + xsa418-07.patch +- bsc#1204494 - VUL-0: CVE-2022-42322,CVE-2022-42323: xen: + Xenstore: cooperating guests can create arbitrary numbers of + nodes (XSA-419) + xsa419-01.patch + xsa419-02.patch + xsa419-03.patch +- bsc#1204496 - VUL-0: CVE-2022-42325,CVE-2022-42326: xen: + Xenstore: Guests can create arbitray number of nodes via + transactions 
(XSA-421) + xsa421-01.patch + xsa421-02.patch + +- bsc#1204483 - VUL-0: CVE-2022-42327: xen: x86: unintended memory + sharing between guests (XSA-412) + xsa412.patch + xf86-input-evdev +- refresh spec file (move licenes) + +- move all xorg.conf.d snippets from /etc/X11/xorg.conf.d to + /usr/share/X11/xorg.conf.d (boo#1139692) + xf86-input-libinput +- Enable tarball sig url too, verify tarball via keyring. + +- Update to version 1.2.1 + * few typos and misc minor fixes + * property added to turn off new high-resolution wheel scrolling + API + +- reverted previous change; the issue was broken ckb-next, not + the usage of libinput v120 API (boo#1190646) + +- switch to libinput v120 API broke the driver, so disable it for + now via patching config.h in specfile after running configure + (boo#1190646) + +- Update to version 1.2.0 + * This release introduces support for touchpad gestures that will + be available as part of X server 21.1. Additionally high-resolution + scrolling data is now acquired from libinput if available and sent + downstream to X server. The default scroll distance has been bumped + to 120 in the process, but this should not affect correctly written + clients. + +- Update to version 1.1.0 + * This release adds a new driver-specific option: + ScrollPixelDistance. This option converts movement "pixels" + from libinput into the server's "scroll unit" definition and + can thus help speeding up or slowing down two-finger/edge scrolling. + +- Update to version 1.0.1 + * Only one fix, the code to set the tap button mapping property + didn't correctly check for a valid device, causing memory + corruption and a crash if called after a device was disabled. + Or, in more user-friendly terms: if your X session crashed + after calling `xinput disable $touchpad-device`, this release + has the fix for it. + +- Update to version 1.0.0 + * The biggest change here is the license change to MIT. 
Due to an unfortunate + copy/paste error, the actual license text used was the Historical Permission + Notice and Disclaimer license. With the ack of the various contributors, the + driver is now using the MIT license text as intended. The actual impact is + low, the HPND is virtually identical to the MIT license anyway (ianal, + consult your legal dept if you have one). + * The only other notable change: cancelled touch points are now lifted + correctly. Where libinput cancels a touch, e.g. in response to a palm being + detected, the touch point previously got stuck in the down state. This is + fixed now. + +- refresh spec file (move licenses to licensedir) + +- Update to version 0.30.0 + * Only one noticeable change: the scroll button lock + configuration option available in recent libinput versions + is now exposed as the usual set of properties by this driver. + +- Update to version 0.29.0 + * Only one real fix: we now check for the tool type as well as + the serial when we create subdevices for tablet tools. + Previously there were some cases where the eraser device + wasn't created correctly. + +- move xorg.conf.d snippet from /etc/X11/xorg.conf.d to + /usr/share/X11/xorg.conf.d (boo#1139692) + +- Update to version 0.28.2 + * This release contains a bugfix that will likely trigger in future releases + of libinput. The driver assumed wrongly that any wheel event has a nonzero + discrete event and used the discrete as a divisor. Which is obviously a bad + idea, mathematically speaking, because you never know what the future will + bring. Hint: it will bring wheel events with a discrete of zero. + xf86-input-wacom +- Added hardening to systemd service(s) (bsc#1181400). 
Added patch(es): + * harden_wacom-inputattach@.service.patch + +- Update to version 0.40.0: + * Add support for "Wacom One Pen Display 13" + * Recognize pad devices which only have softkeys + * Support the keycodes sent by the hardware buttons + * Support new Cintiqs for older kernels + * Stop pointer movement when panscrolling in relative mode + * Better explanation of the "ToolSerials" option + * Minor other improvements + +- reenabled + * %{?systemd_ordering} + * %{x11_abi_xinput_req} + which has mistakely been disabled by the previous update ... + +- update to version 0.39.0: + * Recognize new MobileStudio Pro PID + * Ignore ABS_MISC as a source of device type information for AES pens + * tools: Fix potential buffer overflow when reading from serial tablet + * Handle multitouch mode up at the very start wcmGestureFilter + * Perform a few cleanups in wcmTouchFilter.c + * Change default gesture mode: touchpad=on, touchscreen=off + * Support new MobileStudio Pro for older kernels + * Trigger scroll and zoom gestures immediately after they are detected + * Revert "Reset wcmGestureState to current device state upon gesture start" + * Do not start scroll gesture if fingers are moving opposite directions + * Minor cleanups for wcmFingerScroll and wcmFingerZoom + * Use wcmScrollDistance as scroll threshold; recognize scrolling more consistently + * Overhaul calculation of default scroll, zoom, and spread distances + * Prevent spurious right-clicks at the end of very short scroll and zoom gestures + * Do not wait wcmTapTime to enter scroll or zoom mode + * Use a proxout height of 30 for all stylus devices + * Allow CursorProximity to take effect even if distance == 0 on tablet surface + * Allow use of proxout feature for any relative tablet tool (stylus, eraser, cursor) + * Change wcmCursorProxoutDist from a common to a private property + * Add support for Surface Go and Nuvision Solo 10 Draw + * Fix panscroll when using non-default tablet area +- remove 
U_Change-default-gesture-mode-touchpad-on-touchscreen-.patch (upstream) + +- n_disable-touchscreen.patch + * don't use wacom driver for various touchscreens; let it fall + back to libinput driver instead (boo#1172669) + +- U_Change-default-gesture-mode-touchpad-on-touchscreen-.patch + * disable gesture mode on Touchscreens by default (boo#1172669) + +- Version update to 0.37.0 (boo#1146181) + * bug fixes and performance improvements +- adjusted n_01-Add-option-to-enable-logging.patch +- refreshed n_02-Log-PROXIMITY-LOW-LEVEL-events.patch, + n_03-Log-PRESSURE-low-level-events.patch, + n_04-Log-BUTTON-HIGH-LEVEL-events.patch + +- move xorg.conf.d snippet from /etc/X11/xorg.conf.d to + /usr/share/X11/xorg.conf.d (boo#1139692) + +- Remove FIRST_ARG logic (following systemd-rpm-macros rev 28). +- Avoid em dashes in summary. +- Add %systemd_ordering as there are service files to process. + -- readd isdv4-serial-inputattach and isdv4-serial-debugger - (bnc#895547) - -- remove 65-xorg-wacom.rules wacom-inputattach@.service: - package now ships udev rules and systemd files - -- Udate to xf86-input-wacom-0.24.0.tar.bz2 -- Remove old set of patches (partly upstreamed) - * u_01-Fix-message-if-the-detected-pressure-falls-below-the-initially-detected-pressure.patch - * u_02-Log-when-the-pen-device-appears-to-be-too-worn-out.patch - * u_03-Add-more-detailed-messaging-in-code-that-handles-abnormal-situations.patch - * u_04-Avoid-division-by-zero-in-xf86ScaleAxis.patch - * u_05-Improve-usbInitToolType-tool-type-detection.patch - * u_06-Add-an-option-to-disable-pressure-recalibration.patch - * u_07-Add-option-to-enable-logging.patch - * u_08-Log-PROXIMITY-events.patch - * u_09-Log-PRESSURE-events.patch - * u_10-Log-BUTTON-events.patch -- Add upstream patches: - * U_01-Remove-unused-code.patch - * U_02-Zero-is-not-a-valid-device-ID-don-t-derive-a-type-from-it.patch - * U_03-Fix-initial-device-type-detection.patch - * 
U_04-Store-the-last-used-channel-rather-than-blindly-taking-channel-0.patch - * U_05-Remove-duplicate-tool-type-detection.patch - * U_06-Attempt-to-derive-the-tool-type-from-a-known-button-key-event.patch -- Add logging patches: - * n_01-Add-option-to-enable-logging.patch - * n_02-Log-PROXIMITY-LOW-LEVEL-events.patch - * n_03-Log-PRESSURE-low-level-events.patch - * n_04-Log-BUTTON-HIGH-LEVEL-events.patch - -- fix udev checking to also work if build service throws udev-mini - at the build - -- u_07-Add-option-to-enable-logging.patch: - updated patch. - -- Add patches to improve logging: - * u_01-Fix-message-if-the-detected-pressure-falls-below-the-initially-detected-pressure.patch - * u_02-Log-when-the-pen-device-appears-to-be-too-worn-out.patch - * u_03-Add-more-detailed-messaging-in-code-that-handles-abnormal-situations.patch - * u_05-Improve-usbInitToolType-tool-type-detection.patch - * u_07-Add-option-to-enable-logging.patch - * u_08-Log-PROXIMITY-events.patch - * u_09-Log-PRESSURE-events.patch - * u_10-Log-BUTTON-events.patch -- Fix division-by-zero error message: - u_04-Avoid-division-by-zero-in-xf86ScaleAxis.patch -- Allow user to disable pressure recalibration - u_06-Add-an-option-to-disable-pressure-recalibration.patch - -- Resync udev rules with Fedora one, add wacom-inputattach@.service - to attach tablet when plugged (additional dependency on - input-utils package for inputattach tool). -- Add systemd-rpm-macros (or systemd on old openSUSE release) to - BuildRequires for systemd service path macro. -- Notify udev to reload its rules on package install/upgrade. - -- Update to version 0.23.0: - + Correct return value of special_map_button. - + Fix buffer overflows in 'special_map_*'. - + Add support for Intuos Pro series. - + strdup the option key/values in our input_option_new. - + Print list of supported models on wcmPlug. - -- Update to version 0.22.1: - + Fix build on ABI < 16 - touch_mask isn't defined. 
-- Changes from version 0.22.0: - + Unify wcmFingerMultitouch and wcmSendTouchEvent. - + Transform touch events just like all other events. - + Add support for 0xEC. -- Changes from version 0.21.99.1: - + Add xf86OptionListFree for distcheck. - + Don't emulate a mouse when multitouch is enabled. - + Add support for Cintiq 22HDT and 13HD, DTK2241 and DTH2242. - + Don't init abswheel2 valuator (7th val) if we don't have one. - + Free the device name after reassigning. - + Free the touch mask on shutdown. - + Free input attribute's product. - + Free duplicated option list after conversion to InputOption. - + Plug memory leaks left by xf86SetStrOption. - + Purge TILT_REQUEST_FLAG - + man: clarify how to configure keys on higher shift levels in - xsetwacom. - + xsetwacom: - - Map a bunch of special symbols. - - If we fail to map a string, try as special key or warn. - - Add special mappings for Home, End, Delete. - -- Update to version 0.21.0: - + Handle DEVICE_ABORT on input ABI 19.1 - + Add support for touchscreens direct touch devices - + Add support for Fujitsu Lifebook T902 -- Remove U_Consolidate-calls-to-wcmEvent-into-one-statement.patch - and U_Consolidate-calls-to-wcmEvent-into-one-statement.patch - (merged). -- Simplify wacom udev rules (based on Fedora) - -- update to release 0.20.0 -- U_Resume-button-events-for-pucks.patch - * Resume button events for pucks (bnc#809182) -- U_Consolidate-calls-to-wcmEvent-into-one-statement.patch - * required for previous patch - -- xf86-input-wacom 0.19.0 - A new year, a new release of xf86-input-wacom. The RC for 0.19.0 - went quite smoothly, with only one additional bug popping up on - the radar. - * Properly map 2nd abswheel of Cintiq 24HD touch - -- Fix build with new udev rules directory location. 
- -- Update to version 0.17.0: - + Add support for Cintiq 22HD - + Log debug messages in signal-safe manner - + Use signal-safe logging patches where necessary - + Set WCM_LCD on the Cintiq 24HD - + release.sh: support other modules (i.e. libwacom and - input-wacom) - + Don't init the rotation property on the pad -- Changes since version 0.15.0: - + Find mouse buttons on pad devices if no generic buttons found. - + Re-enable relative wheel scrolling from pad devices - + Fix a bunch of warnings - + Add Intuos4 WL (PTK-540WL) to fdi file - -- Update to version 0.15.0: - + No changes compared to 0.14.99.1. - -- license update: GPL-2.0+ - src/xf86Wacom.c and other files are GPL-2.0+ licensed - -- Update to version 0.14.99.1: - + Add support for the Intuos5 and DTI-520. - + Don't share names of action atoms across properties to prevent - accidental aliasing. - + Fix configuration to only match Waltop event devices classified - as tablets. - + Several small bug fixes. - -- Update to version 0.14.0: - + wcmXCommand: Fix invalid array size for serial values. - + Build system fixes - + Other bugs fixed: fdo#43221, fdo#45557. -- Use %x11_abi_xinput_req instead of statio ABI Requires. - -- Split xf86-input-wacom from xorg-x11-driver-input. - Initial version: 0.12.0. - xf86-video-amdgpu +- remove hardware supplements for AMD GPUs; i.e. 
no longer install + by default on AMD hardware; instead use "modeset" driver + +- set SUSE_ZNOW to 0 +- very tarball gpg signature + +- Update to version 22.0.0 + * "AsyncFlipSecondaries" To Deal With Crappy Multi-Monitor Experience + * Glamor Fixes + +- Update to version 21.0.0 + * bugfixes and minor improvements +- supersedes u_fno-common.patch + +- modernize spec file (move license to licensedir) + +- N_amdgpu-present-Check-tiling-for-newer-versions-too.patch: + * fix crash with external HDMI and DPMS change (bsc#1169222) + +- u_fno-common.patch + * fix build with gcc's -fno-common option (boo#1160421) + +- Update to version 19.1.0 + * bugfixes and minor improvements + +- move xorg.conf.d snippet from /etc/X11/xorg.conf.d to + /usr/share/X11/xorg.conf.d (boo#1139692) + +- Update to version 19.0.1 + * Add support for RandR output tile properties, allowing + monitors using DisplayPort Multi Stream Transport tiling + to work better out of the box. + +- Update to version 19.0.0 + * Support for FreeSync variable refresh rate (this also requires the + amdgpu driver from kernel 5.0 or newer, and radeonsi from Mesa 19.0 or + newer). + * Various TearFree related fixes and robustness improvements. + * Support for scanout buffers using DCC colour compression. + * Up to six independent instances per GPU are now supported in "Zaphod" + style multi-head configurations. + * Other improvements and fixes + xf86-video-ati +- remove hardware supplements for AMD GPUs; i.e. no longer install + by default on AMD hardware; instead use "modeset" driver + +- set SUSE_ZNOW to 0 (boo#1197994) + +- Added patch u_kscreen-rotation-fix.patch (boo#1193145). 
+ +- U_ati-cleanup-terminology-to-use-primary-secondary.patch + * fixes build aginst xorg-server 21.1 + +- modernize spec (move license to licensedir) + +- u_fno-common.patch + * fix build with gcc's -fno-common option (boo#1160422) + +- Update to release 19.1.0 + * bug fixes and minor improvements + +- Update to release 19.0.1 + * Fixes for two regressions which crept into the 19.0.0 release. + * Add support for RandR output tile properties, allowing monitors + using DisplayPort Multi Stream Transport tiling to work better + out of the box. (Note that DP MST support in the radeon kernel + driver is still experimental and disabled by default) + +- Update to release 19.0.0 + * Various TearFree related fixes and robustness improvements. + * Up to six independent instances per GPU are now supported in + "Zaphod" style multi-head configurations. + * Other improvements and fixes + xf86-video-intel +- set SUSE_ZNOW to 0 (boo#1197994) + +- no longer require libXfont(1) + +- Update to 2.99.917.916_g31486f40 + * latest fixes from git +- supersedes U_i810-multidef-fix.patch, n_fix-build-on-i686.patch + +- Add U_i810-multidef-fix.patch in order to fix boo#1169744. + +- Guard valgrind BuildRequires with a bcond, defaulting to disabled + (upstream default), and actually enable it when requested. + +- Disable LTO (boo#1133292). 
+ xf86-video-nouveau +- set SUSE_ZNOW to 0 (boo#1197994) + +- U_nouveau-fixup-driver-for-new-X-server-ABI.patch + * fixes build aginst xorg-server 21.1 + +- no longer autoinstall the package depending on PCI ID; we have + modesetting driver for X since a long time now (boo#1186721) + +- no longer set CFLAGS, because "%optflags" is already included in + %configure macro + +- update to 1.0.17: + * present: fix handling of drmWaitVBlank failures + * drmmode: make event handler leave a note that there are stuck events + * present: don't enable if there's no acceleration + * drmmode: fix screen resize without acceleration + * make error when failing to allocate surface more descriptive + * dri2,present: move in pixmap before getting addresses + * nv4/exa: tiling is unsupported pre-nv10, reduce alignment requirements + * Don't advertise any PRIME offloading capabilities without acceleration +- spec-cleaner cleanups + +- Update to version 1.0.16: + * Many updates since 1.0.15 in 2017 + xf86-video-qxl +- remove "hardware" supplements; modeset is used now with KMS driver + +- u_fix-build-against-xserver-21_1.patch + * fixes build aginst xorg-server 21.1; reson: + commit 454b3a826edb5fc6d0fea3a9cfd1a5e8fc568747 + Author: Adam Jackson + Date: Mon Jul 22 13:51:06 2019 -0400 + hw: Rename boolean config value field from bool to boolean + +- Remove unneeded Requires on python >= 2.6 +- Add Xspice-python3.patch: + * Add support for Python 3, and run it under Python 3. 
+ +- no longer ship xorg.conf sample file in /etc/X11; it's available + as %doc (boo#1173058) + -- fix the use of build conditionals - -- n_disable-surfaces-on-kms.patch - Disable the broken offscreen surfaces on KMS (bnc#894022) - xf86-video-vmware +- set SUSE_ZNOW to 0 (boo#1197994) + +- Update to version 13.3.0+12: + * vmwgfx: + - Change header inclusion order to avoid xorg headers catching + stdbool.h + - Unify style in scanout_update and present functions + - Limit the number of cliprects in a drm present_readback + command v3 + - Limit the number of cliprects in a drm present command v3 + - Limit the number of cliprects in a drm dirtyfb command v3 + - Don't exceed the device command size limit v3 + - Fix invalid memory accesses in CloseScreen + - Use libdrm to obtain the drm device node name v2 + - Fix a memory leak + - Fix XVideo memory leaks + * saa: Make sure damage destruction happens at the correct + location + * Remove obsolete B16 & B32 tags in struct definitions +- Switch to git checkout via source service. +- Add u_Fix-build-gcc-12.patch: Still needs a patch to build with + gcc 12. +- Modernize spec, add libtool BuildRequires and bootstrap build. + -- U_0001-vmwgfx-update-for-XA-API-changes.patch -- U_0002-vmwgfx-Avoid-HW-operations-when-not-master.patch - * Note that for DRI2, a dri2_copy_region becomes a NOP when not master. - Additionally, all dri2 operations that lead to a potential kernel - access will return FALSE. -- U_0003-vmwgfx-Implement-textured-video-completely-on-top-of.patch - * Remove device-specific hacks. This may increase resource usage a little - on old hardware revisions, but we don't need separate code paths on - different hardware revisions. -- U_0004-vmwgfx-Get-rid-of-device-specific-DMA-code.patch - * It's rarely used and things seem to work well enough on top of XA. -- U_0005-vmwgfx-handle-changes-of-DamageUnregister-API-in-1.1.patch - * Fix is inspired from the intel driver. 
- -- xf86-video-vmware 13.0.1 - * vmwgfx: Use myGlyphs to fix crashes (fdo#61780) - * Kill mibstore -- obsoletes U_mibstore.patch - xfce4-settings +- Update to version 4.16.4 + * Escape characters which do not belong into an URI/URL (gxo#xfce/xfce4-settings#390) + * Prefer full command when basic command is env (gxo#xfce/xfce4-settings#358) + xorg-x11-server +- Release 21.1 covers bugfixes and JIRA tickets for bsc#1176015,bsc#1182510,bsc#1182884,bsc#1184072,bsc#1184543,bsc#1184906,bsc#1186092,bsc#1188970,bsc#1194159,bsc#1196577,bsc#1197046,bsc#1197269,bsc#1200076,fdo#574,jsc#SLE-18653,jsc#SLE-8470 + +- Release 21.1 supersedes the following patches still used with + xorg-x11-server 1.20.3 on sle15-sp4/Leap 15.4: + * U_0002-DRI2-Add-another-Coffeelake-PCI-ID.patch + * U_0002-Fix-crash-on-XkbSetMap.patch + * U_0003-Fix-crash-on-XkbSetMap.patch + * U_0003-dri2-Sync-i965_pci_ids.h-from-mesa.patch + * U_0004-dri2-Set-fallback-driver-names-for-Intel-and-AMD-chi.patch + * U_0005-dri2-Sync-i965_pci_ids.h-from-mesa-iris_pci_ids.h.patch + * U_build-glx-Lower-gl-version-to-work-with-libglvnd.patch + * U_glamor-Make-pixmap-exportable-from-gbm_bo_from_pixma.patch + * U_hw_do-not-include-sys-io-with-glibc.patch + * U_meson-Fix-another-reference-to-gl-9.2.0.patch + * U_modesetting-Fix-broken-manpage-in-autoconf-build.patch + * U_present-wnmd-Fix-use-after-free-on-CRTC-removal.patch + * U_present-wnmd-Relax-assertion-on-CRTC-on-abort_vblank.patch + * U_xfree86-Change-displays-array-to-pointers-array-to-f.patch + * U_xfree86-Fix-NULL-pointer-dereference-crash.patch + * U_xkbsetdeviceinfo.patch + * u_sync-pci-ids-with-Mesa-21.2.4.patch + * u_xf86-Accept-devices-with-the-simpledrm-driver.patch + * u_xichangehierarchy-CVE-2020-14346.patch + * u_xkb-CVE-2020-14345.patch + * u_xkb-CVE-2020-14360.patch + +- removed N_Disable-HW-Cursor-for-cirrus-and-mgag200-kernel-modules.patch + * meanwhile cirrus and mgag200 Kernel drivers have been rewritten + multiple times and no longer have (broken) 
hardware cursor + +- u_xf86-Accept-devices-with-the-kernels-ofdrm-driver.patch + * Add workaround to support ofdrm + +- rename u_sync-pci-ids-with-Mesa-22.0.0.patch to + u_sync-pci-ids-with-Mesa.patch (currently synced with Mesa 22.1.3) + +- u_sync-pci-ids-with-Mesa-22.0.0.patch + * synced with Mesa 22.1.3; just adding a PCI ID for vmware was + needed + +- Update to version 21.1 + * This release fixes 2 recently reported security vulnerabilities + in xkb, several regressions since 1.20.x and a number of + miscellaneous bugs. +- supersedes the following security patches + * U_boo1194181-001-xkb-swap-XkbSetDeviceInfo-and-XkbSetDeviceInfoCheck.patch + * U_boo1194179-001-xkb-rename-xkb_h-to-xkb-procs_h.patch + * U_boo1194179-002-xkb-add-request-length-validation-for-XkbSetGeometry.patch +- supersedes U_Fix-build-with-gcc-12.patch + -- U_0002-Fix-crash-on-XkbSetMap.patch - U_0003-Fix-crash-on-XkbSetMap.patch - * fixes Xserver crash on keyboard remapping (boo#1200076, fdo#574) - -- U_glamor-Make-pixmap-exportable-from-gbm_bo_from_pixma.patch - * avoid consequently failing page flip (boo#1197269) - -- u_sync-pci-ids-with-Mesa-21.2.4.patch - * sync pci ids with Mesa 21.2.4 (related to boo#1197046) - -- U_0002-DRI2-Add-another-Coffeelake-PCI-ID.patch - U_0003-dri2-Sync-i965_pci_ids.h-from-mesa.patch - U_0004-dri2-Set-fallback-driver-names-for-Intel-and-AMD-chi.patch - U_0005-dri2-Sync-i965_pci_ids.h-from-mesa-iris_pci_ids.h.patch - * sync GL driver PCI IDs with Mesa (boo#1197046) - -- U_xfree86-Fix-NULL-pointer-dereference-crash.patch - * Fix a regression in - u_xfree86-Change-displays-array-to-pointers-array-to-f.patch - (boo#1196577) - * Credits go to Simon Lees for finding the fix! 
-- renamed u_xfree86-Change-displays-array-to-pointers-array-to-f.patch - to U_xfree86-Change-displays-array-to-pointers-array-to-f.patch - since it's a backport from an upstream patch - -- u_xfree86-Change-displays-array-to-pointers-array-to-f.patch - Fix segmentation fault during terminal switches with multiple attached - displays (bsc#1188970) +- add n_raise_default_clients.patch -- Fix typo in %post: xbb.conf -> xkb.conf (boo#1194159) +- disable -z now linking for now, as there are some missing symbol + issues. (boo#1197994) -- u_xf86-Accept-devices-with-the-simpledrm-driver.patch - * Add workaround to support simpledrm kernel driver -- u_xf86-Accept-devices-with-the-hyperv_drm-driver.patch - * Add workaround to support hyperv_drm kernel driver +- u_sync-pci-ids-with-Mesa-22.0.0.patch + * sync pci ids with Mesa 22.0.0 + +- U_Fix-build-with-gcc-12.patch + * render: Fix build with gcc 12 (glfdo#xorg/xserver!853). + +- U_xephyr-Don-t-check-for-SeatId-anymore.patch + * fix mouse/keyboard focus in Xephyr (boo#1194658, + github issue#1289) + +- fix bashisms in pre_checkins.sh (bsc#1195391) + +- u_xfree86-activate-GPU-screens-on-autobind.patch + * Part of the original patch by Dave Airlie has landed + 078277e4d92f05a90c4715d61b89b9d9d38d68ea, this contains the + remainder of what was in SUSE before Xorg 21.1. + (github issue#1254, boo#1192751) + +- Update to version 21.1.3 + * This release fixes several regressions since 1.20.x and 21.1.1 + + glx/dri: Filter out fbconfigs that don't have a supported pixmap format + + xf86/logind: Fix compilation error when built without logind/platform bus + + xf86/logind: fix missing call to vtenter if the platform device is not paused + + Convert more funcs to use InternalEvent. + + os: Try to discover the current seat with the XDG_SEAT var first + +- Update to version 21.1.2 + * This release fixes 4 recently reported security vulnerabilities and + several regressions. 
+ * In particular, the real physical dimensions are no longer reported + by the X server anymore as it was deemed to be a too disruptive + change. X server will continue to report DPI as 96. +- supersedes U_hw-xfree86-Propagate-physical-dimensions-from-DRM-co.patch +- supersedes U_rendercompositeglyphs.patch +- supersedes U_xfixes-Fix-out-of-bounds-access-in-ProcXFixesCreateP.patch +- supersedes U_Xext-Fix-out-of-bounds-access-in-SProcScreenSaverSus.patch +- supersedes U_record-Fix-out-of-bounds-access-in-SwapCreateRegiste.patch -- u_Support-configuration-files-under-run-X11-xorg.conf..patch -- u_Add-udev-scripts-for-configuration-of-platform-devic.patch -- u_Add-udev-rule-for-HyperV-devices.patch - * Remove udev-based configuration again (not working) -- u_pci-primary-Fix-up-primary-PCI-device-detection-for-the-platfrom-bus.patch - * Fix possible SEGFAULT when parsing busid +- u_Support-configuration-files-under-run-X11-xorg.conf..patch +- u_Add-udev-scripts-for-configuration-of-platform-devic.patch +- u_Add-udev-rule-for-HyperV-devices.patch + * Remove udev-based configuration +- u_Revert-xf86-Accept-devices-with-the-simpledrm-driver.patch + * Restore simpledrm workaround +- u_xf86-Accept-devices-with-the-hyperv_drm-driver.patch + * Add workaround to support hyperv_drm +- u_pci-primary-Fix-up-primary-PCI-device-detection-for-the-platfrom-bus.patch + * Fix SEGFAULT when parsing bus IDs of NULL (boo#1193250) - * Support configuration files under /run + * Support configuration files under /run. Required for generating + configuration files via udev. 
(boo#1193250) - * Add udev rules for configuration of platform (e.g., - simple-framebuffer) devices + * Generate configuration files for platform devices (boo#1193250) +- u_Revert-xf86-Accept-devices-with-the-simpledrm-driver.patch + * Code has been obsoleted by udev patchset (boo#1193250) - * Add udev rules for configuration of HyperV graphics devices + * Same as for platform devices, but on HyperV (boo#1193250) -- disable build of Xwayland, which is now being built in separate - xwayland package with more recent sources (jira#SLE/SLE-18653, - boo#1182677) -- no longer needed patches: - * U_xwayland-Avoid-a-crash-on-pointer-enter-with-a-grab.patch - * U_xwayland-Check-status-in-GBM-pixmap-creation.patch - * U_xwayland-Do-not-free-a-NULL-GBM-bo.patch - * U_xwayland-Update-screen-pixmap-on-output-resize.patch - * U_xwayland-Do-not-crash-if-gbm_bo_create-fails.patch - * U_xwayland-glamor-gbm-Handle-DRM_FORMAT_MOD_INVALID-gracefully.patch +- U_hw-xfree86-Propagate-physical-dimensions-from-DRM-co.patch + * reverse apply this one to go back to fixed 96 dpi (gitlab + fdo/xserver issue#1241) +- N_fix-dpi-values.diff + * back to version for xserver < 21.1.0 + +- Update to version 21.1.1 + * s/__/@/ in inputtestdrv manpage + * Make xf86CompatOutput() return NULL when there are no privates + * Makefile.am: Add missing meson build files to release tarball + +- Update to version 21.1.0 + * The meson support is now fully mature. While autotools support + will still be kept for this release series, it will be dropped + afterwards. + * Glamor support for Xvfb. + * Variable refresh rate support in the modesetting driver. + * XInput 2.4 support which adds touchpad gestures. + * DMX DDX has been removed. + * X server now correctly reports display DPI in more cases. This + may affect rendering of client applications that have their own + workarounds for hi-DPI screens. + * A large number of small features and various bug fixes. 
+- updated xorg-server-provides +- supersedes patches + * U_Fix-segfault-on-probing-a-non-PCI-platform-device-on.patch + * U_dix-window-Use-ConfigureWindow-instead-of-MoveWindow.patch + * U_glamor_egl-Reject-OpenGL-2.1-early-on.patch + * u_render-Cast-color-masks-to-unsigned-long-before-shifting-them.patch +- refreshed patches + * N_fix-dpi-values.diff + * N_zap_warning_xserver.diff + * u_modesetting-Fix-dirty-updates-for-sw-rotation.patch + * u_randr-Do-not-crash-if-slave-screen-does-not-have-pro.patch + * u_vesa-Add-VBEDPMSGetCapabilities-VBEDPMSGet.patch +- disabled n_xserver-optimus-autoconfig-hack.patch, which I believe is + superseded by: + commit 078277e4d92f05a90c4715d61b89b9d9d38d68ea + Author: Dave Airlie + Date: Fri Aug 17 09:49:24 2012 +1000 + xf86: autobind GPUs to the screen +- added pkgconfig(libxcvt) +- cvt binary moved to libxcvt0 package + +- Update to version 1.20.13 + * bugfix release +- supersedes U_present-get_crtc-should-not-return-crtc-when-its-scr.patch, + U_modesetting-unflip-not-possible-when-glamor-is-not-s.patch + +- U_modesetting-unflip-not-possible-when-glamor-is-not-s.patch + * this should fixes crashes of xfce when running under qemu + (boo#1188559) + +- add U_present-get_crtc-should-not-return-crtc-when-its-scr.patch (bsc#1188559) + https://gitlab.freedesktop.org/xorg/xserver/-/issues/1195 + +- Update to version 1.20.12 + * bugfix release + +- Drop U_xwayland-Allow-passing-a-fd.patch: We build xwayland in a + separate package now, so no need to keep this patch here. 
+ +- Fix typo in %post: xbb.conf -> xkb.conf -- U_xwayland-glamor-gbm-Handle-DRM_FORMAT_MOD_INVALID-gracefully.patch - * xwayland: Fix invisible window produced by Xwayland - (boo#1186092, boo#1184906) - -- U_build-glx-Lower-gl-version-to-work-with-libglvnd.patch, - U_meson-Fix-another-reference-to-gl-9.2.0.patch - * fix build on sle15-sp3 with updated libglvnd/Mesa and their - new pkgconfig files - (https://gitlab.freedesktop.org/xorg/xserver/-/issues/893) +- disable build of Xwayland, which is now being built in separate + xwayland package with more recent sources (boo#1182677) -- U_xwayland-Do-not-crash-if-gbm_bo_create-fails.patch - * xwayland: Do not crash if gbm_bo_create() fails (boo#1184072) (boo#1184543) +- Update to version 1.20.11 + * bugfix release +- supersedes U_Fix-XChangeFeedbackControl-request-underflow.patch, + U_xkb-Fix-heap-overflow-caused-by-optimized-away-min.patch -- U_modesetting-Fix-broken-manpage-in-autoconf-build.patch - * modesetting: Fix broken manpage in autoconf build (boo#1182510) - -- add U_hw_do-not-include-sys-io-with-glibc.patch (bsc#1182884) +- reenabled LTO (boo#1133294) + * u_no-lto-for-tests.patch + disables LTO in test/ subtree, since "-Wl,-wrap" is not supported by LTO + * added "%global _lto_cflags %{?_lto_cflags} -ffat-lto-objects" + +- Update to version 1.20.10: + * Check SetMap request length carefully. 
+ * Fix XkbSetDeviceInfo() and SetDeviceIndicators() heap overflows + * present/wnmd: Translate update region to screen space + * modesetting: keep going if a modeset fails on EnterVT + * modesetting: check the kms state on EnterVT + * configure: Build hashtable for Xres and glvnd + * xwayland: Create an xwl_window for toplevel only + * xwayland: non-rootless requires the wl_shell protocol + * glamor: Update pixmap's devKind when making it exportable + * os: Fix instruction pointer written in xorg_backtrace + * present/wnmd: Execute copies at target_msc-1 already + * present/wnmd: Move up present_wnmd_queue_vblank + * present: Add present_vblank::exec_msc field + * present: Move flip target_msc adjustment out of present_vblank_create + * xwayland: Remove pending stream reference when freeing + * xwayland: use drmGetNodeTypeFromFd for checking if a node is a render one + * xwayland: Do not discard frame callbacks on allow commits + * present/wnmd: Remove dead check from present_wnmd_check_flip + * xwayland: Check window pixmap in xwl_present_check_flip2 + * present/wnmd: Can't use page flipping for windows clipped by children + * xfree86: Take second reference for SavedCursor in xf86CursorSetCursor + * glamor: Fix glamor_poly_fill_rect_gl xRectangle::width/height handling + * include: Increase the number of max. input devices to 256. 
+ * Revert "linux: Make platform device probe less fragile" + * Revert "linux: Fix platform device PCI detection for complex bus topologies" + * Revert "linux: Fix platform device probe for DT-based PCI" +- Remove included pachtes + * U_xfree86_take_second_ref_for_xcursor.patch + * U_Revert-linux-Fix-platform-device-probe-for-DT-based-.patch + * U_Revert-linux-Fix-platform-device-PCI-detection-for-c.patch + * U_Revert-linux-Make-platform-device-probe-less-fragile.patch + * U_Fix-XkbSetDeviceInfo-and-SetDeviceIndicators-heap-ov.patch + * U_Check-SetMap-request-length-carefully.patch + +- remove unneeded python2 script 'fdi2iclass.py' from + xorg-x11-server-sources subpackage (boo#1179591) + +- U_Check-SetMap-request-length-carefully.patch + * XkbSetMap Out-Of-Bounds Access: Insufficient checks on the + lengths of the XkbSetMap request can lead to out of bounds + memory accesses in the X server. (ZDI-CAN 11572, + CVE-2020-14360, bsc#1174908) +- U_Fix-XkbSetDeviceInfo-and-SetDeviceIndicators-heap-ov.patch + * XkbSetDeviceInfo Heap-based Buffer Overflow: Insufficient + checks on input of the XkbSetDeviceInfo request can lead to a + buffer overflow on the head in the X server. (ZDI-CAN 11389, + CVE-2020-25712, bsc#1177596) + +- n_xorg-wrapper-anybody.patch + * replace default config /etc/X11/Xwrapper, which allows + anybody to use the wrapper, by a patch for the code, i.e. + [#] rootonly, console, anybody + allowed_users=anybody + [#] yes, no, auto + needs_root_rights=auto + is now the default without any Xwrapper config + (needs_root_rights=auto was already the default before) + +- u_xorg-wrapper-Xserver-Options-Whitelist-Filter.patch + * replaced by improved version written by Matthias Gerstner of + our security team + + simplified the option parsing code a bit + + changed the "ignore forbidden argument" logic into an "abort + on forbidden argument" logic. 
This is safer and avoids + surprises on the user's end that could occur if the desired + command line arguments aren't effective but the Xorg server is + still started. + + tried to adjust to the coding style present in the file + (mostly the function name) + + added some logic to apply the option filtering only to + non-root users when Xorg is actually started as root. This + should allow for full flexibility if root calls the wrapper or + if the Xorg server only runs with user privileges. + +- U_Fix-segfault-on-probing-a-non-PCI-platform-device-on.patch, + U_Revert-linux-Fix-platform-device-PCI-detection-for-c.patch, + U_Revert-linux-Fix-platform-device-probe-for-DT-based-.patch, + U_Revert-linux-Make-platform-device-probe-less-fragile.patch + * fix Xserver startup on Raspberry Pi 3 (boo#1176203) + +- n_xorg-wrapper-rename-Xorg.patch + * moved Xorg to Xorg.bin and Xorg.sh to Xorg (boo#1175867) +- change default for needs_root_rights to auto in Xwrapper.config + (boo#1175867) + +- reenabled SUID wrapper for TW (boo#1175867) +- u_xorg-wrapper-Xserver-Options-Whitelist-Filter.patch + * Xserver option whitelist filter (boo#1175867) -- u_xkb-CVE-2020-14360.patch - * Avoid out of bounds memory accesses on too short request - (ZDI-CAN-11572/CVE-2020-14360, bsc#1174908) - -- update U_xkbsetdeviceinfo.patch - * fixed broken patch (bsc#1177596, comment#18, ZDI-CAN-11839/CVE-2020-25712) - -- U_xkbsetdeviceinfo.patch (bsc#1177596, ZDI-CAN-11839/CVE-2020-25712) - * fix for Heap-based Buffer Overflow Privilege Escalation - Vulnerability - -- U_present-wnmd-Fix-use-after-free-on-CRTC-removal.patch - * fix crash in XWayland when undocking laptop (bsc#1176015) -- U_present-wnmd-Relax-assertion-on-CRTC-on-abort_vblank.patch - * fix for Xwayland abort in Present code (bsc#1176015) -- U_xwayland-Avoid-a-crash-on-pointer-enter-with-a-grab.patch, - U_xwayland-Check-status-in-GBM-pixmap-creation.patch, - U_xwayland-Do-not-free-a-NULL-GBM-bo.patch, - 
U_xwayland-Update-screen-pixmap-on-output-resize.patch - * various xwayland crashes fixes from 1.20 branch (bsc#1176015) +-Add U_xfree86_take_second_ref_for_xcursor.patch: fix + use-after-free when switching VTs. +- Update to version 1.20.9: + * Fix XRecordRegisterClients() Integer underflow + * Fix XkbSelectEvents() integer underflow + * Fix XIChangeHierarchy() integer underflow + * Correct bounds checking in XkbSetNames() + * linux: Fix platform device probe for DT-based PCI + * linux: Fix platform device PCI detection for complex bus topologies + * linux: Make platform device probe less fragile + * fix for ZDI-11426 + * xfree86: add drm modes on non-GTF panels + * present: Check valid region in window mode flips + * xwayland: Handle NULL xwl_seat in xwl_seat_can_emulate_pointer_warp + * xwayland: Propagate damage x1/y1 coordinates in xwl_present_flip + * doc: Update URLs in Xserver-DTrace.xml + * xwayland: Use a fixed DPI value for core protocol + * xwayland: only use linux-dmabuf if format/modifier was advertised + * hw/xfree86: Avoid cursor use after free + * Update URL's in man pages + * xwayland: Disable the MIT-SCREEN-SAVER extension when rootless + * xwayland: Hold a pixmap reference in struct xwl_present_event + * randr: Check rrPrivKey in RRHasScanoutPixmap() + * modesetting: Fix front_bo leak at drmmode_xf86crtc_resize on XRandR rotation + * xwayland: Store xwl_tablet_pad in its own private key + * xwayland: Initialise values in xwlVidModeGetGamma() + * xwayland: Fix crashes when there is no pointer + * xwayland: Clear private on device removal + * xwayland: Free all remaining events in xwl_present_cleanup + * xwayland: Always use xwl_present_free_event for freeing Present events + * present/wnmd: Free flip_queue entries in present_wnmd_clear_window_flip + * present/wnmd: Keep pixmap pointer in present_wnmd_clear_window_flip + * xwayland: import DMA-BUFs with GBM_BO_USE_RENDERING only + * xwayland: Fix infinite loop at startup + * modesetting: Disable 
pageflipping when using a swcursor + * dix: do not send focus event when grab actually does not change +- Drop patches fixed upstream: + * U_0001-Correct-bounds-checking-in-XkbSetNames.patch + * U_0002-Fix-XIChangeHierarchy-integer-underflow.patch + * U_0003-Fix-XkbSelectEvents-integer-underflow.patch + * U_0004-Fix-XRecordRegisterClients-Integer-underflow.patch + * U_FixForZDI-11426.patch + +- U_0001-Correct-bounds-checking-in-XkbSetNames.patch + * Correct bounds checking in XkbSetNames() + [CVE-2020-14345 / ZDI 11428, boo#1174635] +- U_0002-Fix-XIChangeHierarchy-integer-underflow.patch + * Fix XIChangeHierarchy() integer underflow + [CVE-2020-14346 / ZDI-CAN-11429, boo#1174638] -- u_xkb-CVE-2020-14345.patch: - * Fix XKB out-of-bounds access privilege escalation vulnerability - (CVE-2020-14345, bsc#1174635, ZDI-CAN-11428) -- u_xichangehierarchy-CVE-2020-14346.patch: - * Fix XIChangeHierarchy integer underflow privilege escalation - vulnerability (CVE-2020-14346, bsc#1174638, ZDI-CAN-11429) - +- move xorg_pci_ids dir from /etc/X11 to /usr/share/X11 and + xorg-x11-server.macros from /etc/rpm to /usr/lib/rpm/macros.d; + no longer package /etc/X11/xorg.conf.d (boo#1173056) + +- U_glamor_egl-Reject-OpenGL-2.1-early-on.patch + * GLAMOR: no longer bail out for OpenGL drivers < 2.1 (boo#1172321) + +- Update to version 1.20.8+0: + * Revert "dri2: Don't make reference to noClientException" + * dix: Check for NULL spriteInfo in GetPairedDevice + * os: Ignore dying client in ResetCurrentRequest + * modesetting: remove unnecessary error message, fix zaphod leases + * Fix building with `-fno-common` + * xwayland: clear pixmaps after creation in rootless mode + * glamor: Fix a compiler warning since the recent OOM fixes. 
+ * Restrict 1x1 pixmap filling optimization to GXcopy + * Add xf86OSInputThreadInit to stub os-support as well + * Fix old-style definition warning for xf86OSInputThreadInit() + * xwayland/glamor-gbm: Handle DRM_FORMAT_MOD_INVALID gracefully + * configure: Define GLAMOR_HAS_EGL_QUERY_DRIVER when available + * modesetting: Disable atomic support by default + * modesetting: Explicitly #include "mi.h" + * xfree86/modes: Bail from xf86RotateRedisplay if pScreen->root is NULL + * xwayland: Split up xwl_screen_post_damage into two phases + * xwayland: Call glamor_block_handler from xwl_screen_post_damage + * xwayland: Add xwl_window_create_frame_callback helper + * xwayland: Use single frame callback for Present flips and normal updates + * xwayland: Use frame callbacks for Present vblank events + * xwayland: Delete all frame_callback_list nodes in xwl_unrealize_window + * glamor: Propagate FBO allocation failure for picture to texture upload + * glamor: Error out on out-of-memory when allocating PBO for FBO access + * glamor: Propagate glamor_prepare_access failures in copy helpers + * glamor: Fallback to system memory for RW PBO buffer allocation +- supersedes u_fno-common.patch + +- u_fno-common.patch + * fix build with gcc's -fno-common option (boo#1160423) + +- Update to version 1.20.7+0: + * xserver 1.20.7 + * ospoll: Fix Solaris ports implementation to build on Solaris 11.4 + * os-support/solaris: Set IOPL for input thread too + * Add xf86OSInputThreadInit call from common layer into os-support layer + * Add ddxInputThread call from os layer into ddx layer + * os-support/solaris: Drop ExtendedEnabled global variable + * glamor: Only use dual blending with GLSL >= 1.30 + * modesetting: Check whether RandR was initialized before calling rrGetScrPriv + * Xi: return AlreadyGrabbed for key grabs > 255 + * xwayland: Do flush GPU work in xwl_present_flush + * modesetting: Clear new screen pixmap storage on RandR resize + * xfree86/modes: Call xf86RotateRedisplay from 
xf86CrtcRotate + * modesetting: Call glamor_finish from drmmode_crtc_set_mode + * modesetting: Use EGL_MESA_query_driver to select DRI driver if possible + * glamor: Add a function to get the driver name via EGL_MESA_query_driver + +- Update to version 1.20.6+0: + * xfree86: Test presence of isastream() + * present/wnmd: Relax assertion on CRTC on abort_vblank() + * os: Don't crash in AttendClient if the client is gone + * dix: Call SourceValidate before GetImage + * mi: Add a default no-op miSourceValidate + * compiler.h: Do not include sys/io.h on ARM with glibc + * xfree86: Call ScreenInit for protocol screens before GPU + screens + * modesetting: + - Implement ms_covering_randr_crtc() for ms_present_get_crtc() + - Fix ms_covering_crtc() segfault with non-xf86Crtc slave + +- Update to version 1.20.5+24: + * Fix crash on XkbSetMap +- Drop unneeded obsinfo file and tweak _service. + +- Update to version 1.20.5+22: + * miext/sync: + - Make struct _SyncObject::initialized fully ABI compatible + - Fix needless ABI change + * xf86: Disable unused crtc functions when a lease is revoked + * xwayland: + - Handle the case of windows being realized before redirection + - Refactor surface creation into a separate function + - Separate DamagePtr into separate window data + - Do not free a NULL GBM bo + - Expand the RANDR screen size limits + - Update screen pixmap on output resize + - Reset scheduled frames after hiding tablet cursor + - Check status in GBM pixmap creation + - Avoid a crash on pointer enter with a grab + * GLX: + - Fix previous context validation in xorgGlxMakeCurrent + - Set GlxServerExports::{major,minor}Version + - Add a function to change a clients vendor list + - Use the sending client for looking up XID's + - Add a per-client vendor mapping + * xsync: Add resource inside of SyncCreate, export SyncCreate + * dri2: Sync i965_pci_ids.h from mesa + * Xi: Use current device active grab to deliver touch events if + any + * Revert "present/scmd: Check that 
the flip and screen pixmap + pitches match" + * glamor: Make pixmap exportable from `gbm_bo_from_pixmap()` +- Drop patches fixed upstream: + * U_xwayland-Separate-DamagePtr-into-separate-window-data.patch + * 0001-xsync-Add-resource-inside-of-SyncCreate-export-SyncC.patch + * 0002-GLX-Add-a-per-client-vendor-mapping.patch + * 0003-GLX-Use-the-sending-client-for-looking-up-XID-s.patch + * 0004-GLX-Add-a-function-to-change-a-clients-vendor-list.patch + * 0005-GLX-Set-GlxServerExports-major-minor-Version.patch +- Switch to gitcheckout via source service, use the stable released + branch but set explicit commit used in _service. + +- reintroduce Xvfb subpackage (boo#1151457) + +- Add U_xwayland-Separate-DamagePtr-into-separate-window-data.patch + and U_xwayland-Allow-passing-a-fd.patch: Needed for gnome 3.34 + new and experimental xwayland on demand feature. +- Rebase patches with quilt. + - which is available since release 435.xx (jira#SLE-8470) + which is available since release 435.xx: +- move xorg.conf.d snippets from /etc/X11/xorg.conf.d to + /usr/share/X11/xorg.conf.d (boo#1139692) + +- Update to version 1.20.5: + Minor bugfix release to fix some input, Xwayland, glamor, and Present issues. + Thanks to all who contributed fixes and testing. + +- Disable LTO (boo#1133294). + +- Add systemd-rpm-macros BuildRequire for %tmpfiles_*. + +- xorg-server 1.20.4 + * A variety of bugfixes across the board, but primarily in + Xwayland. Thanks to all who contributed with testing and + fixes! 
+ +- get rid of meta packages still requiring/recommending obsolete + drivers packages (boo#1121525) + xterm +- xterm-CVE-2022-24130.patch: Fixed buffer overflow in set_sixel + when Sixel support is enabled (bsc#1195387) + xwayland +- Update to version 22.1.5 + * This is a follow-up release to address a couple of regressions + which found their way into the recent xwayland-22.1.4 release, + namely: + + Double scroll wheel events with some Wayland compositors + https://gitlab.freedesktop.org/xorg/xserver/-/issues/1392 + + Key keeps repeating when a window is closed while a key is pressed + https://gitlab.freedesktop.org/xorg/xserver/-/issues/1395 +- supersedes U_Do-not-ignore-leave-events.patch + +- U_Do-not-ignore-leave-events.patch + * fixes xwayland issue#1397, issue#1395 + +- Update to version 22.1.4 + * xwayland: Aggregate scroll axis events to fix kinetic scrolling + * Forbid server grabs by non-WM on *rootless* XWayland + * xkb: Avoid length-check failure on empty strings. + * ci: remove redundant slash in libxcvt repository url + * dix: Skip more code in SetRootClip for ROOT_CLIP_INPUT_ONLY + * dix: Fix overzealous caching of ResourceClientBits() + * xwayland: Prevent Xserver grabs with rootless + * xwayland: Delay wl_surface destruction + * build: Bump wayland requirement to 1.18 + * xwayland: set tag on our surfaces + * xwayland: Clear the "xwl-window" tag on unrealize + * xwayland: correct the type for the discrete scroll events + * xkb: fix some possible memleaks in XkbGetKbdByName + * xkb: length-check XkbGetKbdByName before accessing the fields + * xkb: length-check XkbListComponents before accessing the fields + * xkb: proof GetCountedString against request length attacks +- supersedes security patches: + * U_xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch + * U_xkb-proof-GetCountedString-against-request-length-at.patch + +- Update to version 22.1.3 + * os: print if unw_is_signal_frame() + * os: print registers in the libunwind version of 
xorg_backtrace() + * xwayland/present: Do not send two idle notify events for flip pixmaps + * xwayland: Fix check logic in sprite_check_lost_focus() + * xwayland: Change randr_output status when call xwl_output_remove() + * xkb: switch to array index loops to moving pointers + * xkb: swap XkbSetDeviceInfo and XkbSetDeviceInfoCheck + * xkb: add request length validation for XkbSetGeometry + +- Update to version 22.1.2 + * randr: Add "RANDR Emulation" property + * xwayland/output: Set the "RANDR Emulation" property + * xwayland: Fix invalid pointer access in drm_lease_device_handle_released. + +- Update to version 22.1.1 + * xwayland: Clear timer_armed in xwl_present_unrealize_window + * xwayland: Always hook up frame_callback_list in xwl_present_queue_vblank + * Xwayland: Do not map the COW by default when rootless + * xwayland/present: Fix use-after-free in xwl_unrealize_window() + +- Update to version 22.1.0 + * xwayland: Fix cursor color + +- Update to version 22.0.99.902 + * render: Fix build with gcc 12 + +- Update to version 22.0.99.901 + * DRM lease support + * Enables sRGB fbconfigs in GLX + * Requires libxcvt + * Refactoring of the present code in Xwayland + * Implements support for touchpad gestures + * Support for xfixes's ClientDisconnectMode and optional + terminate delay +- Add pkgconfig(libxcvt) BuildRequires: New dependency. +- Add xwayland.keyring, use url for sources, validate sig. +- Move man pages from devel to main binary package. +- Enable LTO, no longer disable LTO via macro. 
+ yast2-country +- Update language cache when selecting new language to ensure that + always the correct language translations are used in the license + translations selection combo box on the next wizard page + (bsc#1204845, bsc#1193009) +- 4.5.3 + yast2-installation +- Fix hash vs keyword arguments in RSpec expectations (bsc#1204871) +- 4.5.10 + +- Fixed the help in the installation summary to include the texts + from the corresponding proposals (related to jsc#SLE-24764). +- 4.5.9 + +- Write config for ssg-apply script according to the enabled + security policy (part of jsc#SLE-24764). + Tue Nov 15 13:41:41 UTC 2022 - Knut Anderssen +- Fix copy of entropy pool during installation (bsc#1204559). + +- Do not use "xrdb" for setting the "Xft.dpi" value, use a specific + YaST tool from the yast2-x11 package (bsc#1201532) + (xrdb depends on the C pre-processor increasing the dependencies + about of 22MB) +- Install yast2-x11 only when GUI (libyui-qt) is installed, + avoid installing the dependent X libraries in minimal (text mode) + installation (bsc#1201966) + --4.5.3 +- 4.5.3 yast2-network +- Fix hash vs keyword arguments in RSpec expectations (bsc#1204871) +- 4.5.10 + yast2-ntp-client +- Fix the netconfig executable path using /sbin/netconfig instead + of /usr/sbin/netconfig which is not available in SLE-15-SP5 + (bsc#1205401) +- 4.5.2 + yast2-online-update +- bsc#1204907 + - Dropped old workaround from 2.13.15 with unconditional refresh + of all repositories. +- 4.5.2 + yast2-pkg-bindings +- Allow querying orphaned packages (related to bsc#1202007) +- 4.5.1 + yast2-schema-default +- Add support for security policies validation (jsc#SLE-24764). +- Synchronize SP4 and master branches (related to bsc#1199165). +- 4.5.6 + +- Add KDUMP_AUTO_RESIZE element in kdump section + (related to jsc#SLE-18441 and gh#yast/yast-kdump#123). 
+- 4.5.5 + -- 4.4.14 +- 4.5.4 -- 4.4.13 +- 4.5.3 + +- Fix up for the previous change (related to bsc#1183893) +- 4.5.2 + +- Remove dependency of YaST NIS packages from TW (bsc#1183893). +- 4.5.1 -- Fix rules validation when using a dialog (bsc#1199165). -- 4.4.12 +- Bump version to 4.5.0 (bsc#1198109) yast2-security +- Add support for DISA STIG security policy validation + (jsc#SLE-24764). +- Disable the ssg-apply service if the selected SCAP action is + "do nothing" (related to jsc#SLE-24764). +- 4.5.3 + yast2-storage-ng +- GuidedProposal: support for LUKS2 encryption with a configurable + PBKDF to be used by D-Installer (related to jsc#PED-2182). +- 4.5.14 + +- Validate security policies in both guided proposal and + partitioner (part of jsc#SLE-24764). +- 4.5.13 + +- New functionality for D-Installer: MinGuidedProposal and ability + to disable size adjustments (related to gh#yast/d-installer#264). +- 4.5.12 + yast2-update +- Display a warning in the upgrade summary when removing orphaned + 3rd party packages (bsc#1202007) +- 4.5.2 +
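Review bot: In the xorg-x11-server changes, the added entry for U_Fix-XkbSetDeviceInfo-and-SetDeviceIndicators-heap-ov.patch cites "ZDI-CAN 11389" for CVE-2020-25712 (bsc#1177596), while the removed U_xkbsetdeviceinfo.patch entries for the same CVE and bug cite "ZDI-CAN-11839". The digits are transposed in one of the two, so check the number against the advisory and correct whichever is wrong. The same added entry reads "buffer overflow on the head" although its own title says "Heap-based Buffer Overflow", so "head" should be "heap". The identifier spelling also drifts between entries ("ZDI-CAN 11572", "ZDI 11428", "ZDI-CAN-11429"); settle on one form so that a single search finds every security entry.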
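Review bot: In the yast2-installation changes, the added line "Tue Nov 15 13:41:41 UTC 2022 - Knut Anderssen" sits inside the entry text directly before "Fix copy of entropy pool during installation (bsc#1204559)", which suggests that this entry header was not recognised as a separator in the .changes file. Check the separator line above that header so the entropy-pool fix is listed as its own entry. Unlike the neighbouring entries, that entry also carries no version line.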