Packages changed:
  audit (3.0.3 -> 3.0.5)
  audit-secondary (3.0.3 -> 3.0.5)
  btrfsprogs (5.14 -> 5.14.1)
  crypto-policies (20210225.05203d2 -> 20210917.c9d86d1)
  diffutils
  dracut (055+suse.117.ge5fc2048 -> 055+suse.119.g6c4187af)
  fuse-overlayfs (1.4.0 -> 1.7.1)
  kernel-firmware (20210901 -> 20210928)
  libnss_usrfiles
  mozjs78 (78.13.0 -> 78.14.0)
  open-iscsi
  openSUSE-build-key
  salt (3002.2 -> 3003.3)
  selinux-policy
  systemd
  tdb (1.4.3 -> 1.4.4)
  tevent (0.10.2 -> 0.11.0)

=== Details ===

==== audit ====
Version update (3.0.3 -> 3.0.5)
Subpackages: libaudit1 libauparse0

- Update to version 3.0.5:
  * In auditd, flush uid/gid caches when user/group added/deleted/modified
  * Fixed various issues when dealing with corrupted logs
  * In auditd, check if log_file is valid before closing handle
- Include fixes from 3.0.4:
  * Apply performance speedups to auparse library
  * Optimize rule loading in auditctl
  * Fix an auparse memory leak caused by glibc-2.33 by replacing realpath
  * Update syscall table to the 5.14 kernel
  * Fixed various issues when dealing with corrupted logs

==== audit-secondary ====
Version update (3.0.3 -> 3.0.5)
Subpackages: audit python3-audit system-group-audit

- Fix hardened auditd.service (bsc#1181400)
  * add fix-hardened-service.patch
    Make /etc/audit read-write from the service.
    Remove PrivateDevices=true to expose /dev/* to auditd.service.
- Enable stop rules for audit.service (cf. bsc#1190227)
  * add enable-stop-rules.patch
- Change default log_format from ENRICHED to RAW (bsc#1190500):
  * add change-default-log_format.patch (SUSE-specific patch)
- Update to version 3.0.5:
  * In auditd, flush uid/gid caches when user/group added/deleted/modified
  * Fixed various issues when dealing with corrupted logs
  * In auditd, check if log_file is valid before closing handle
- Include fixes from 3.0.4:
  * Apply performance speedups to auparse library
  * Optimize rule loading in auditctl
  * Fix an auparse memory leak caused by glibc-2.33 by replacing realpath
  * Update syscall table to the 5.14 kernel
  * Fixed various issues when dealing with corrupted logs

==== btrfsprogs ====
Version update (5.14 -> 5.14.1)
Subpackages: btrfsprogs-udev-rules libbtrfs0

- Update to 5.14.1
  * fixes:
    * defrag: fix parsing of compression (option -c)
    * add workaround for old kernels when reading zone sizes
    * let only check and restore open the fs with transid failures, namely preventing btrfstune to do so
    * convert: --uuid copy does not fail on duplicate uuids

==== crypto-policies ====
Version update (20210225.05203d2 -> 20210917.c9d86d1)

- Remove the scripts and documentation regarding fips-finish-install and test-fips-setup
  * Add crypto-policies-FIPS.patch
- Update to version 20210917.c9d86d1:
  * openssl: fix disabling ChaCha20
  * pacify pylint 2.11: use format strings
  * pacify pylint 2.11: specify explicit encoding
  * fix minor things found by new pylint
  * update-crypto-policies: --check against regenerated
  * update-crypto-policies: fix --check's walking order
  * policygenerators/gnutls: revert disabling DTLS0.9...
  * policygenerators/java: add javasystem backend
  * LEGACY: bump 1023 key size to 1024
  * cryptopolicies: fix 'and' in deprecation warnings
  * *ssh: condition ecdh-sha2-nistp384 on SECP384R1
  * nss: hopefully the last fix for nss sigalgs check
  * cryptopolicies: Python 3.10 compatibility
  * nss: postponing check + testing at least something
  * Rename 'policy modules' to 'subpolicies'
  * validation.rules: fix a missing word in error
  * cryptopolicies: raise errors right after warnings
  * update-crypto-policies: capitalize warnings
  * cryptopolicies: syntax-precheck scope errors
  * .gitlab-ci.yml, Makefile: enable codespell
  * all: fix several typos
  * docs: don't leave zero TLS/DTLS protocols on
  * openssl: separate TLS/DTLS MinProtocol/MaxProtocol
  * alg_lists: order protocols new-to-old for consistency
  * alg_lists: max_{d,}tls_version
  * update-crypto-policies: fix pregenerated + local.d
  * openssh: allow validation with pre-8.5
  * .gitlab-ci.yml: run commit-range against upstream
  * openssh: Use the new name for PubkeyAcceptedKeyTypes
  * sha1_in_dnssec: deprecate
  * .gitlab-ci.yml: test commit ranges
  * FIPS:OSPP: sign = -*-SHA2-224
  * scoped policies: documentation update
  * scoped policies: use new features to the fullest...
  * scoped policies: rewrite + minimal policy changes
  * scoped policies: rewrite preparations
  * nss: postponing the version check again, to 3.64
- Remove patches fixed upstream: crypto-policies-typos.patch
- Rebase: crypto-policies-test_supported_modules_only.patch
- Merge crypto-policies-asciidoc.patch into crypto-policies-no-build-manpages.patch

==== diffutils ====

- Skip stack overflow tests under qemu emulation (bsc#1190046)

==== dracut ====
Version update (055+suse.117.ge5fc2048 -> 055+suse.119.g6c4187af)
Subpackages: dracut-ima dracut-mkinitrd-deprecated

- Update to version 055+suse.119.g6c4187af:
  * fix(suse-initrd): handle cases with zero modprobe.d files (bsc#1189895)

==== fuse-overlayfs ====
Version update (1.4.0 -> 1.7.1)

- Update to version 1.7.1
  * set FUSE_CAP_POSIX_ACL only when it is supported by FUSE.
  * treat statx failure with EINVAL as ENOSYS, so that the fallback is attempted.
- Update to version 1.7.0
  * fix read xattrs for device files
  * don't create whiteout files in opaque dirs.
  * fix reading files when running with euid != 0.
  * enable POSIX ACLs.
- Update to version 1.6.0
  * fix an invalid access when filtering internal xattrs that could lead to a segfault.
- Update to version 1.5.0
  * honor FUSE_OVERLAYFS_DISABLE_OVL_WHITEOUT also for renames
  * use strncpy instead of strcpy
  * fix renameat2(RENAME_NOREPLACE) on older kernels that lack device whiteouts for unprivileged users.
  * fix creating a symlink on top of a removed file.
  * fix copyup of xattrs longer than 256 bytes.

==== kernel-firmware ====
Version update (20210901 -> 20210928)
Subpackages: kernel-firmware-all kernel-firmware-amdgpu kernel-firmware-ath10k kernel-firmware-ath11k kernel-firmware-atheros kernel-firmware-bluetooth kernel-firmware-bnx2 kernel-firmware-brcm kernel-firmware-chelsio kernel-firmware-dpaa2 kernel-firmware-i915 kernel-firmware-intel kernel-firmware-iwlwifi kernel-firmware-liquidio kernel-firmware-marvell kernel-firmware-media kernel-firmware-mediatek kernel-firmware-mellanox kernel-firmware-mwifiex kernel-firmware-network kernel-firmware-nfp kernel-firmware-nvidia kernel-firmware-platform kernel-firmware-prestera kernel-firmware-qcom kernel-firmware-qlogic kernel-firmware-radeon kernel-firmware-realtek kernel-firmware-serial kernel-firmware-sound kernel-firmware-ti kernel-firmware-ueagle kernel-firmware-usb-network

- Update to version 20210928 (git commit 7a30050592e2):
  * brcm: Add 43455 based AP6255 NVRAM for the ACEPC T8 Mini PC
  * linux-firmware: Update firmware file for Intel Bluetooth 9462
  * amdgpu: update VCN firmware for dimgrey cavefish
  * amdgpu: update VCN firmware for navy flounder
  * amdgpu: update VCN firmware for sienna cichlid
  * amdgpu: update VCN firmware for vangogh
  * amdgpu: update VCN firmware for renoir
  * amdgpu: update VCN firmware for picasso
  * amdgpu: update VCN firmware for raven2
  * amdgpu: update VCN firmware for raven
  * amdgpu: Add initial firmware for Beige Goby
  * cxgb4: Update firmware to revision 1.26.2.0
  * linux-firmware: update firmware for mediatek bluetooth chip (MT7921)
  * linux-firmware: Update firmware file for Intel Bluetooth AX211
  * linux-firmware: Update firmware file for Intel Bluetooth AX201
  * linux-firmware: Update firmware file for Intel Bluetooth 9560
  * qed: Add firmware 8.59.1.0
  * linux-firmware: Update firmware file for Intel Bluetooth AX211
  * linux-firmware: Update firmware file for Intel Bluetooth AX210
  * linux-firmware: Update firmware file for Intel Bluetooth AX200
  * linux-firmware: Update firmware file for Intel Bluetooth AX201
  * linux-firmware: Update firmware file for Intel Bluetooth 9560
  * linux-firmware: Update firmware file for Intel Bluetooth 9260
  * linux-firmware: Update firmware file for Intel Bluetooth 8265
  * iwlwifi: add FWs for new So device types with multiple RF modules
  * amdgpu: add initial firmware for Yellow Carp
  * i915: Update ADLP DMC v2.12
  * linux-firmware: add firmware for mediatek bluetooth chip (MT7922)
  * linux-firmware: Update AMD SEV firmware (bsc#1186938)
  * Revert "iwlwifi: add FW for new So/Gf device type"
- Update aliases

==== libnss_usrfiles ====

- Install into _libdir [bsc#1191070]

==== mozjs78 ====
Version update (78.13.0 -> 78.14.0)

- Update to version 78.14.0esr.

==== open-iscsi ====
Subpackages: iscsiuio libopeniscsiusr0_2_0

- Update to latest from upstream, fixing:
  * Moving the executables from /sbin to /usr/sbin (bsc#1191054)
  * Remove default dependencies from iscsi-init.service (bsc#1187190)

==== openSUSE-build-key ====

- Only add openSUSE Backports key when building for a Leap system (sle_version > 0).
  Tumbleweed does not use Backports.

==== salt ====
Version update (3002.2 -> 3003.3)
Subpackages: python3-salt salt-master salt-minion salt-standalone-formulas-configuration salt-transactional-update

- Do not break master_tops for minion with version lower than 3003
- Added:
  * do-not-break-master_tops-for-minion-with-version-low.patch
- Support querying for JSON data in external sql pillar
- Added:
  * 3003.3-postgresql-json-support-in-pillar-423.patch
- Update to Salt release version 3003.3
- See release notes: https://docs.saltstack.com/en/latest/topics/releases/3003.3.html
- Added:
  * allow-vendor-change-option-with-zypper.patch
  * support-transactional-systems-microos.patch
  * virt-enhancements.patch
- Modified:
  * adds-explicit-type-cast-for-port.patch
  * use-adler32-algorithm-to-compute-string-checksums.patch
  * do-not-load-pip-state-if-there-is-no-3rd-party-depen.patch
  * fixes-56144-to-enable-hotadd-profile-support.patch
  * include-aliases-in-the-fqdns-grains.patch
  * implementation-of-held-unheld-functions-for-state-pk.patch
  * add-alibaba-cloud-linux-2-by-backporting-upstream-s-.patch
  * debian-info_installed-compatibility-50453.patch
  * fix-wrong-test_mod_del_repo_multiline_values-test-af.patch
  * update-target-fix-for-salt-ssh-to-process-targets-li.patch
  * x509-fixes-111.patch
  * prevent-logging-deadlock-on-salt-api-subprocesses-bs.patch
  * restore-default-behaviour-of-pkg-list-return.patch
  * adding-preliminary-support-for-rocky.-59682-391.patch
  * add-astra-linux-common-edition-to-the-os-family-list.patch
  * templates-move-the-globals-up-to-the-environment-jin.patch
  * fix-bsc-1065792.patch
  * add-migrated-state-and-gpg-key-management-functions-.patch
  * zypperpkg-ignore-retcode-104-for-search-bsc-1176697-.patch
  * improvements-on-ansiblegate-module-354.patch
  * add-custom-suse-capabilities-as-grains.patch
  * return-the-expected-powerpc-os-arch-bsc-1117995.patch
  * revert-fixing-a-use-case-when-multiple-inotify-beaco.patch
  * enhance-openscap-module-add-xccdf_eval-call-386.patch
  * implementation-of-suse_ip-execution-module-bsc-10999.patch
  * add-missing-aarch64-to-rpm-package-architectures-405.patch
  * async-batch-implementation.patch
  * temporary-fix-extend-the-whitelist-of-allowed-comman.patch
  * do-not-crash-when-unexpected-cmd-output-at-listing-p.patch
  * figure-out-python-interpreter-to-use-inside-containe.patch
  * better-handling-of-bad-public-keys-from-minions-bsc-.patch
  * early-feature-support-config.patch
  * do-not-monkey-patch-yaml-bsc-1177474.patch
- Removed:
  * fix-memory-leak-produced-by-batch-async-find_jobs-me.patch
  * fix-regression-on-cmd.run-when-passing-tuples-as-cmd.patch
  * fix-for-log-checking-in-x509-test.patch
  * do-not-make-ansiblegate-to-crash-on-python3-minions.patch
  * prevent-race-condition-on-sigterm-for-the-minion-bsc.patch
  * remove-msgpack-1.0.0-requirement-in-the-installed-me.patch
  * move-server_id-deprecation-warning-to-reduce-log-spa.patch
  * re-adding-function-to-test-for-root.patch
  * make-profiles-a-package.patch
  * handle-master-tops-data-when-states-are-applied-by-t.patch
  * fix-unit-tests-for-batch-async-after-refactor.patch
  * prevent-test_mod_del_repo_multiline_values-to-fail.patch
  * prevent-import-errors-when-running-test_btrfs-unit-t.patch
  * fix-failing-unit-tests-for-batch-async.patch
  * remove-unnecessary-yield-causing-badyielderror-bsc-1.patch
  * virt-use-dev-kvm-to-detect-kvm-383.patch
  * 3002.2-xen-spicevmc-dns-srv-records-backports-314.patch
  * add-docker-logout-237.patch
  * drop-wrong-mock-from-chroot-unit-test.patch
  * fix-async-batch-multiple-done-events.patch
  * fix-unit-test-for-grains-core.patch
  * remove-arch-from-name-when-pkg.list_pkgs-is-called-w.patch
  * pkgrepo-support-python-2.7-function-call-295.patch
  * opensuse-3000-virt-defined-states-222.patch
  * open-suse-3002.2-xen-grub-316.patch
  * add-patch-support-for-allow-vendor-change-option-wit.patch
  * fix-the-removed-six.itermitems-and-six.-_type-262.patch
  * fix-aptpkg-systemd-call-bsc-1143301.patch
  * add-almalinux-and-alibaba-cloud-linux-to-the-os-fami.patch
  * fix-cve-2020-25592-and-add-tests-bsc-1178319.patch
  * regression-fix-of-salt-ssh-on-processing-targets-353.patch
  * do-not-break-repo-files-with-multiple-line-values-on.patch
  * 3002-set-distro-requirement-to-oldest-supported-vers.patch
  * integration-of-msi-authentication-with-azurearm-clou.patch
  * zypperpkg-filter-patterns-that-start-with-dot-244.patch
  * fix-for-temp-folder-definition-in-loader-unit-test.patch
  * fix-novendorchange-option-284.patch
  * backport-virt-patches-from-3001-256.patch
  * allow-passing-kwargs-to-pkg.list_downloaded-bsc-1140.patch
  * path-replace-functools.wraps-with-six.wraps-bsc-1177.patch
  * virt-uefi-fix-backport-312.patch
  * add-all_versions-parameter-to-include-all-installed-.patch
  * add-pkg.services_need_restart-302.patch
  * add-batch_presence_ping_timeout-and-batch_presence_p.patch
  * allow-vendor-change-option-with-zypper-313.patch
  * avoid-traceback-when-http.query-request-cannot-be-pe.patch
  * changed-imports-to-vendored-tornado.patch
  * fix-issue-parsing-errors-in-ansiblegate-state-module.patch
  * sanitize-grains-loaded-from-roster_grains.json.patch
  * handle-volumes-on-stopped-pools-in-virt.vm_info-373.patch
  * add-multi-file-support-and-globbing-to-the-filetree-.patch
  * loosen-azure-sdk-dependencies-in-azurearm-cloud-driv.patch
  * backport-thread.is_alive-fix-390.patch
  * get-os_arch-also-without-rpm-package-installed.patch
  * python3.8-compatibility-pr-s-235.patch
  * fixed-bug-lvm-has-no-parttion-type.-the-scipt-later-.patch
  * ensure-virt.update-stop_on_reboot-is-updated-with-it.patch
  * xfs-do-not-fails-if-type-is-not-present.patch
  * grains-master-can-read-grains.patch
  * invalidate-file-list-cache-when-cache-file-modified-.patch
  * move-vendor-change-logic-to-zypper-class-355.patch
  * implement-network.fqdns-module-function-bsc-1134860-.patch
  * opensuse-3000.2-virt-backports-236-257.patch
  * prevent-ansiblegate-unit-tests-to-fail-on-ubuntu.patch
  * batch_async-avoid-using-fnmatch-to-match-event-217.patch
  * provide-the-missing-features-required-for-yomi-yet-o.patch
  * fix-__mount_device-wrapper-254.patch
  * fix-ipv6-scope-bsc-1108557.patch
  * fix-failing-unit-tests-for-systemd.patch
  * use-current-ioloop-for-the-localclient-instance-of-b.patch
  * revert-add-patch-support-for-allow-vendor-change-opt.patch
  * remove-deprecated-warning-that-breaks-miniion-execut.patch
  * prevent-systemd-run-description-issue-when-running-a.patch
  * fix-grains.test_core-unit-test-277.patch
  * prevent-command-injection-in-the-snapper-module-bsc-.patch
  * backport-of-upstream-pr59492-to-3002.2-404.patch
  * use-threadpool-from-multiprocessing.pool-to-avoid-le.patch
  * reintroducing-reverted-changes.patch
  * add-cpe_name-for-osversion-grain-parsing-u-49946.patch
  * add-hold-unhold-functions.patch
  * virt._get_domain-don-t-raise-an-exception-if-there-i.patch
  * fix-error-handling-in-openscap-module-bsc-1188647-40.patch
  * apply-patch-from-upstream-to-support-python-3.8.patch
  * remove-deprecated-usage-of-no_mock-and-no_mock_reaso.patch
  * add-supportconfig-module-for-remote-calls-and-saltss.patch
  * allow-extra_filerefs-as-sanitized-kwargs-for-ssh-cli.patch
  * fall-back-to-pymysql.patch
  * fixes-cve-2018-15750-cve-2018-15751.patch
  * do-not-crash-when-there-are-ipv6-established-connect.patch
  * improve-batch_async-to-release-consumed-memory-bsc-1.patch
  * support-config-non-root-permission-issues-fixes-u-50.patch
  * transactional_update-detect-recursion-in-the-executo.patch
  * open-suse-3002.2-virt-network-311.patch
  * option-to-en-disable-force-refresh-in-zypper-215.patch
  * do-noop-for-services-states-when-running-systemd-in-.patch
  * exclude-the-full-path-of-a-download-url-to-prevent-i.patch
  * fix-a-wrong-rebase-in-test_core.py-180.patch
  * add-new-custom-suse-capability-for-saltutil-state-mo.patch
  * opensuse-3000-libvirt-engine-fixes-251.patch
  * accumulated-changes-from-yomi-167.patch
  * fix-async-batch-race-conditions.patch
  * fix-onlyif-unless-when-multiple-conditions-bsc-11808.patch
  * loop-fix-variable-names-for-until_no_eval.patch
  * batch-async-catch-exceptions-and-safety-unregister-a.patch
  * grains.extra-support-old-non-intel-kernels-bsc-11806.patch
  * backport-a-few-virt-prs-272.patch
  * fix-git_pillar-merging-across-multiple-__env__-repos.patch
  * drop-wrong-virt-capabilities-code-after-rebasing-pat.patch
  * virt-adding-kernel-boot-parameters-to-libvirt-xml-55.patch
  * async-batch-implementation-fix-320.patch
  * support-for-btrfs-and-xfs-in-parted-and-mkfs.patch
  * support-transactional-systems-microos-271.patch
  * strip-trailing-from-repo.uri-when-comparing-repos-in.patch
  * opensuse-3000.3-spacewalk-runner-parse-command-250.patch
  * calculate-fqdns-in-parallel-to-avoid-blockings-bsc-1.patch
  * add-virt.all_capabilities.patch
  * ansiblegate-take-care-of-failed-skipped-and-unreacha.patch
  * virt-pass-emulator-when-getting-domain-capabilities-.patch
  * fixing-streamclosed-issue.patch
  * fix-for-some-cves-bsc1181550.patch
  * transactional_update-unify-with-chroot.call.patch
  * do-not-raise-streamclosederror-traceback-but-only-lo.patch
  * fix-batch_async-obsolete-test.patch
  * fix-zypper-pkg.list_pkgs-expectation-and-dpkg-mockin.patch
  * fix-zypper.list_pkgs-to-be-aligned-with-pkg-state.patch
  * accumulated-changes-required-for-yomi-165.patch
  * fix-virt.update-with-cpu-defined-263.patch
  * remove-vendored-backports-abc-from-requirements.patch
  * open-suse-3002.2-bigvm-310.patch
  * xen-disk-fixes-264.patch
  * virt.network_update-handle-missing-ipv4-netmask-attr.patch
  * add-saltssh-multi-version-support-across-python-inte.patch

==== selinux-policy ====
Subpackages: selinux-policy-targeted

- Fix auditd service start with systemd hardening directives (boo#1190918)
  * add fix_auditd.patch

==== systemd ====
Subpackages: libsystemd0 libudev1 systemd-sysvinit udev

- Work around rpmlint complaining about /var/log/journal shipped with setgid bit
  This setgid bit has been already reviewed in the past and wasn't a concern.
  However we want the mode/ownership adjusted by tmpfiles and avoid the
  duplication of this info in rpm.
- Don't ghost own any directories created dynamically by tmpfiles
  Again rpmlint complains but it doesn't seem to make sense to try to track all
  paths (including their perms, ownerships...) created dynamically. And 'rpm -V'
  is likely to report issues later with these paths anyway.
  This effectively partially reverts the two previous commits.
- Make sure the build process won't create /var/log/journal
- /var/log/journal/remote is owned by systemd-journal-remote
- systemd.spec: fix a bunch of rpmlint errors/warnings
- Drop systemd-logger
  This sub package was introduced in order to configure persistent journal and
  also to make sure that another syslog provider (such as rsyslog) couldn't be
  installed at the same time: each syslog provider conflicts with each other.
  However this mechanism didn't work since uninstalling systemd-logger wasn't
  magically turning off persistent logging because /var/log/journal is likely to
  be populated hence not removed.
  Moreover using a subpackage to configure the mode of journald was overkill and
  the usual ways (main conf file or drop-ins) should be preferred.
- Import commit 7a5801342fe2f53e5c2a8578d6db132c0eca2d97
  8d65ec4a66 test: wc is needed by test/units/testsuite-50.sh
  1527bcc5dd test: make the installation of the debug tools optional in the image
  f4e6bf0b37 journalctl: never fail at flushing when the flushed flag is set (bsc#1188588)
- Update the dependencies of the testsuite package
  The debug tools are optional thus no more required. OTOH strip(1) is needed
  when building the test image and nc(1) is needed by some tests.
- Drop git internal files from the testsuite sub-package
- Adjust pam macros

==== tdb ====
Version update (1.4.3 -> 1.4.4)

- Update to version 1.4.4
  + Fix a memory leak on error
  + python: remove all 'from __future__ import print_function'
  + Fix CID 1471761 String not null terminated
  + Use hex_byte() in parse_hex()
  + Use hex_byte() in read_data()
  + fix studio compiler build
  + Fix some signed/unsigned comparisons
  + also use __has_attribute macro to check for attribute support
  + Fix clang 9 missing-field-initializer warnings
  + pytdb tests: add test for storev()
  + pytdb: add python binding for storev()
  + tdbtorture: Use ARRAY_DEL_ELEMENT()
  + py3: Remove #define PyInt_FromLong PyLong_FromLong
  + py3: Remove #define PyInt_AsLong PyLong_AsLong
  + py3: Remove #define PyInt_Check PyLong_Check
  + tdb: Align integer types
- Drop obsolete patch ignore-tdb1-run-transaction-expand.diff
- Fix header file using undefined function visibility macro;
  Add patch 0001-tdb-Fix-invalid-syntax-in-tdb.h.patch; (bso#14762);

==== tevent ====
Version update (0.10.2 -> 0.11.0)

- Update to version 0.11.0
  + Other minor build fixes; (bso#14526);
  + Add custom tag to events
  + Add event trace api