Packages changed: curl (7.80.0 -> 7.81.0) dnf kernel-source (5.15.12 -> 5.16.0) keylime (6.2.0 -> 6.2.1) kuberlr (0.3.1 -> 0.4.1) logrotate (3.18.1 -> 3.19.0) python-attrs (21.2.0 -> 21.4.0) python-charset-normalizer (2.0.9 -> 2.0.10) python-msgpack (1.0.2 -> 1.0.3) python-psutil (5.8.0 -> 5.9.0) python-zipp (3.6.0 -> 3.7.0) systemd wpa_supplicant === Details === ==== curl ==== Version update (7.80.0 -> 7.81.0) Subpackages: libcurl4 - update to 7.81.0: * mime: use percent-escaping for multipart form field and file names * asyn-ares: ares_getaddrinfo needs no happy eyeballs timer * azure: make the "w/o HTTP/SMTP/IMAP" build disable SSL proper * BINDINGS: add cURL client for PostgreSQL * BINDINGS: add one from Everything curl and update a link * checksrc: detect more kinds of NULL comparisons we avoid * CI: build examples for additional code verification * CI: bump job to use mbedtls 3.1.0 * cmake: don't set _USRDLL on a static Windows build * cmake: prevent dev warning due to mismatched arg * cmake: private identifiers use CURL_ instead of CMAKE_ prefix * config.d: update documentation to match the path search * configure: add -lm to configure for rustls build. * configure: better diagnostics if hyper is built wrong * configure: don't enable TLS when --without-* flags are used * configure: fix runtime-lib detection on macOS * curl.1: require "see also" for every documented option * curl: improve error message for --head with -J * curl_easy_cleanup.3: remove from multi handle first * curl_easy_escape.3: call curl_easy_cleanup in example * curl_easy_unescape.3: call curl_easy_cleanup in example * curl_multi_init.3: fix EXAMPLE formatting * curl_multi_perform/socket_action.3: clarify what errors mean * curl_share_setopt.3: split out options into their own manpages * CURLOPT_STDERR.3: does not work with libcurl as a win32 DLL * digest: compute user:realm:pass digest w/o userhash * docs/checksrc: Add documentation for STRERROR * docs/cmdline-opts: do not say "protocols: all" * docs/examples: workaround broken -Wno-pedantic-ms-format * docs/HTTP3: describe how to setup a h3 reverse-proxy for testing * docs/INSTALL.md: typo fix : added missing "get" verb * docs/URL-SYNTAX.md: space is not fine in a given URL * docs: add known bugs list to HTTP3.md * docs: address proselint nits * docs: consistent manpage SYNOPSIS * docs: fix dead links, remove ECH.md * docs: fix typo in OpenSSL 3 build instructions * docs: Update the Reducing Size section * example/progressfunc: remove code for old libcurls * examples/multi-single.c: remove WAITMS() * FAQ: typo fix : "yout" ? "your" * ftp: disable warning 4706 in MSVC * gen.pl: improve example output format * github workflow: add wolfssl (removed from zuul) * github/workflows: add mbedtls and mbedtls-clang (removed from zuul) * gtls: check return code for gnutls_alpn_set_protocols * hash: lazy-alloc the table in Curl_hash_add() * http2:set_transfer_url() return early on OOM * HTTP3: update quiche build instructions * http: enable haproxy support for hyper backend * http: Fix CURLOPT_HTTP200ALIASES * http_proxy: don't close the socket (too early) * insecure.d: detail its use for SFTP and SCP as well * insecure.d: expand and clarify * libcurl-multi.3: "SOCKS proxy handshakes" are not blocking * libcurl-security.3: mention address and URL mitigations * libssh2: fix error message for sha256 mismatch * libtest: avoid "assignment within conditional expression" * lift: ignore is a deprecated config option, use ignoreRules * linkcheck.yml: add CI job that checks markdown links * m4/curl-compilers: tell clang -Wno-pointer-bool-conversion * Makefile.m32: rename -winssl option to -schannel and tidy up * mbedTLS: add support for CURLOPT_CAINFO_BLOB * mbedtls: fix CURLOPT_SSLCERT_BLOB * mbedtls: fix private member designations for v3.1.0 * misc: remove unused doh flags when CURL_DISABLE_DOH is defined * misc: s/e-mail/email * multi: cleanup the socket hash when destroying it * multi: handle errors returned from socket/timer callbacks * multi: shut down CONNECT in Curl_detach_connnection * netrc.d: edit the .netrc example to look nicer * ngtcp2: verify the server cert on connect (quictls) * ngtcp2: verify the server certificate for the gnutls case * nss:set_cipher don't clobber the cipher list * openldap: implement STARTTLS * openldap: process search query response messages one by one * openldap: several minor improvements * openldap: simplify ldif generation code * openssl: check the return value of BIO_new() * openssl: define HAVE_OPENSSL_VERSION for OpenSSL 1.1.0+ * openssl: remove `RSA_METHOD_FLAG_NO_CHECK` handling if unavailable * openssl: remove usage of deprecated `SSL_get_peer_certificate` * openssl: use non-deprecated API to read key parameters * page-footer: add a mention of how to report bugs to the man page * page-footer: document more environment variables * request.d: refer to 'method' rather than 'command' * retry-all-errors.d: make the example complete * runtests: make the SSH library a testable feature * rustls: read of zero bytes might be okay * rustls: remove comment about checking handshaking * rustls: remove incorrect EOF check * sha256/md5: return errors when init fails * socks5: use appropriate ATYP for numerical IP address host names * test1156: enable for hyper * test1156: fixup the stdout check for Windows * test1525: tweaked for hyper * test1526: enable for hyper * test1527: enable for hyper * test1528: enable for hyper * test1554: adjust for hyper * test1556: adjust for hyper * test302[12]: run only with the libssh2 backend * test661: enable for hyper * tests/CI.md: add more information on CI environments * tests/data/test302[12]: fix MSYS2 path conversion of hostpubsha256 * tftp: mark protocol as not possible to do over CONNECT * tool_findfile: updated search for a file in the homedir * tool_operate: only set SSH related libcurl options for SSH URLs * tool_operate: warn if too many output arguments were found * url.c: fix the SIGPIPE comment for Curl_close * url: check ssl_config when re-use proxy connection * url: reduce ssl backend count for CURL_DISABLE_PROXY builds * urlapi: accept port number zero * urlapi: if possible, shorten given numerical IPv6 addresses * urlapi: provide more detailed return codes * urlapi: reject short file URLs * version_win32: Check build number and platform id * vtls/rustls: adapt to the updated rustls_version proto * writeout: fix %{http_version} for HTTP/3 * x509asn1: return early on errors * zuul.d: update rustls-ffi to version 0.8.2 * zuul: fix quiche build pointing to wrong Cargo ==== dnf ==== - Add /etc/dnf/modules.d directory to -data subpackage (boo#1193706) ==== kernel-source ==== Version update (5.15.12 -> 5.16.0) - Refresh patches.suse/random-fix-crash-on-multiple-early-calls-to-add_bootloader_randomness.patch. * Update upstream status * Update to the latest (upstream) version * Move it within series to upstream-soon patches - commit c4ca5fd - Refresh patches.suse/rtw89-update-partition-size-of-firmware-header-on-sk.patch. Update upstream status. - commit a6f5d1b - Update to 5.16 final - refresh configs (headers only) - commit b8251b4 - Refresh BT workaround patch (bsc#1193124) Fix yet another broken device 8086:0aa7 - commit 163b552 - Linux 5.15.13 (bsc#1012628). - Input: i8042 - enable deferred probe quirk for ASUS UM325UA (bsc#1012628). - tomoyo: Check exceeded quota early in tomoyo_domain_quota_is_ok() (bsc#1012628). - tomoyo: use hwight16() in tomoyo_domain_quota_is_ok() (bsc#1012628). - net/sched: Extend qdisc control block with tc control block (bsc#1012628). - parisc: Clear stale IIR value on instruction access rights trap (bsc#1012628). - platform/mellanox: mlxbf-pmc: Fix an IS_ERR() vs NULL bug in mlxbf_pmc_map_counters (bsc#1012628). - platform/x86: apple-gmux: use resource_size() with res (bsc#1012628). - memblock: fix memblock_phys_alloc() section mismatch error (bsc#1012628). - ALSA: hda: intel-sdw-acpi: harden detection of controller (bsc#1012628). - ALSA: hda: intel-sdw-acpi: go through HDAS ACPI at max depth of 2 (bsc#1012628). - recordmcount.pl: fix typo in s390 mcount regex (bsc#1012628). - powerpc/ptdump: Fix DEBUG_WX since generic ptdump conversion (bsc#1012628). - efi: Move efifb_setup_from_dmi() prototype from arch headers (bsc#1012628). - selinux: initialize proto variable in selinux_ip_postroute_compat() (bsc#1012628). - scsi: lpfc: Terminate string in lpfc_debugfs_nvmeio_trc_write() (bsc#1012628). - net/mlx5: DR, Fix NULL vs IS_ERR checking in dr_domain_init_resources (bsc#1012628). - net/mlx5: Fix error print in case of IRQ request failed (bsc#1012628). - net/mlx5: Fix SF health recovery flow (bsc#1012628). - net/mlx5: Fix tc max supported prio for nic mode (bsc#1012628). - net/mlx5e: Wrap the tx reporter dump callback to extract the sq (bsc#1012628). - net/mlx5e: Fix interoperability between XSK and ICOSQ recovery flow (bsc#1012628). - net/mlx5e: Fix ICOSQ recovery flow for XSK (bsc#1012628). - net/mlx5e: Use tc sample stubs instead of ifdefs in source file (bsc#1012628). - net/mlx5e: Delete forward rule for ct or sample action (bsc#1012628). - udp: using datalen to cap ipv6 udp max gso segments (bsc#1012628). - selftests: Calculate udpgso segment count without header adjustment (bsc#1012628). - sctp: use call_rcu to free endpoint (bsc#1012628). - net/smc: fix using of uninitialized completions (bsc#1012628). - net: usb: pegasus: Do not drop long Ethernet frames (bsc#1012628). - net: ag71xx: Fix a potential double free in error handling paths (bsc#1012628). - net: lantiq_xrx200: fix statistics of received bytes (bsc#1012628). - NFC: st21nfca: Fix memory leak in device probe and remove (bsc#1012628). - net/smc: don't send CDC/LLC message if link not ready (bsc#1012628). - net/smc: fix kernel panic caused by race of smc_sock (bsc#1012628). - igc: Fix TX timestamp support for non-MSI-X platforms (bsc#1012628). - drm/amd/display: Send s0i2_rdy in stream_count == 0 optimization (bsc#1012628). - drm/amd/display: Set optimize_pwr_state for DCN31 (bsc#1012628). - ionic: Initialize the 'lif->dbid_inuse' bitmap (bsc#1012628). - net/mlx5e: Fix wrong features assignment in case of error (bsc#1012628). - net: bridge: mcast: add and enforce query interval minimum (bsc#1012628). - net: bridge: mcast: add and enforce startup query interval minimum (bsc#1012628). - selftests/net: udpgso_bench_tx: fix dst ip argument (bsc#1012628). - selftests: net: Fix a typo in udpgro_fwd.sh (bsc#1012628). - net: bridge: mcast: fix br_multicast_ctx_vlan_global_disabled helper (bsc#1012628). - net/ncsi: check for error return from call to nla_put_u32 (bsc#1012628). - selftests: net: using ping6 for IPv6 in udpgro_fwd.sh (bsc#1012628). - fsl/fman: Fix missing put_device() call in fman_port_probe (bsc#1012628). - i2c: validate user data in compat ioctl (bsc#1012628). - nfc: uapi: use kernel size_t to fix user-space builds (bsc#1012628). - uapi: fix linux/nfc.h userspace compilation errors (bsc#1012628). - drm/nouveau: wait for the exclusive fence after the shared ones v2 (bsc#1012628). - drm/amdgpu: When the VCN(1.0) block is suspended, powergating is explicitly enabled (bsc#1012628). - drm/amdgpu: add support for IP discovery gc_info table v2 (bsc#1012628). - drm/amd/display: Changed pipe split policy to allow for multi-display pipe split (bsc#1012628). - xhci: Fresco FL1100 controller should not have BROKEN_MSI quirk set (bsc#1012628). - usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear (bsc#1012628). - usb: mtu3: add memory barrier before set GPD's HWO (bsc#1012628). - usb: mtu3: fix list_head check warning (bsc#1012628). - usb: mtu3: set interval of FS intr and isoc endpoint (bsc#1012628). - nitro_enclaves: Use get_user_pages_unlocked() call to handle mmap assert (bsc#1012628). - binder: fix async_free_space accounting for empty parcels (bsc#1012628). - scsi: vmw_pvscsi: Set residual data length conditionally (bsc#1012628). - Input: appletouch - initialize work before device registration (bsc#1012628). - Input: spaceball - fix parsing of movement data packets (bsc#1012628). - mm/damon/dbgfs: fix 'struct pid' leaks in 'dbgfs_target_ids_write()' (bsc#1012628). - net: fix use-after-free in tw_timer_handler (bsc#1012628). - fs/mount_setattr: always cleanup mount_kattr (bsc#1012628). - perf intel-pt: Fix parsing of VM time correlation arguments (bsc#1012628). - perf script: Fix CPU filtering of a script's switch events (bsc#1012628). - perf scripts python: intel-pt-events.py: Fix printing of switch events (bsc#1012628). - commit 01786ae - Revert "config: disable BTRFS_ASSERT in default kernels" This was pushed without enough review, reverting. - commit e86c2a0 - Revert "config: disable BTRFS_ASSERT in default kernels" This was pushed without enough review, reverting. - commit 4fb1cfd - Revert "config: disable BTRFS_ASSERT in default kernels" This reverts commit 81985a674cf03fa1ef7c290050be04e57f8490dc. This is a change affecting correctness, trading it for some performance. This was done without prior discussion with btrfs people, so revert it to previous state. - commit 55f2c08 - media: Revert "media: uvcvideo: Set unique vdev name based in type" (bsc#1193255). - commit b3f1eb0 - Update to 5.16-rc8 - commit b59b474 - config: Enable CONFIG_CMA on riscv64 Non-default dependent config changes: - DMA_CMA=y - commit c0aa71e - igc: Do not enable crosstimestamping for i225-V models (bsc#1193039). - commit a77f415 ==== keylime ==== Version update (6.2.0 -> 6.2.1) Subpackages: keylime-agent keylime-config keylime-firewalld keylime-registrar keylime-tpm_cert_store keylime-verifier python38-keylime - Update to version v6.2.1: * Another addition to gitignore * Update .gitignore with more Keylime-specific files * json: add support for sqlalchemy.engine.row.Row in newer sqlalchemy * ima_ast: check if the PCR is the same as in the config * Fix permissions issue on volume mount in run_local.sh * Make run_local.sh use a local copy of the repo * Small updates to GOVERNANCE.md * Move cargo-tarpaulin install to separate command * config: drop registrar_* TLS options in [registrar] section * Fix missing && in Dockerfile * Remove simplejson from scripts and docs * Replace simplejson with built-in json module * Add rust-keylime container dependencies * config: fix getboolean with fallback * Clean up CI scripts and rewrite run_local.sh * ima: for ToMToU errors skip template content validation * ima: Use a set of entry numbers and file offsets to remember multiple positions * Rename CONTRIBUTORS.md to CONTRIBUTING.md * Update GOVERNANCE.md to match MAINTAINERS.md rename * Update MAINTAINERS * Update README: remove Gitter, Travis CI * ca: Use UTC when setting certificate validity * Tenant commands return json * scripts: Allow passing a base policy to create_policy tool * ima: Handle the case of ima-sig with a path with spaces in them * add length to string object * scripts: Implement create_policy to create the JSON allowlist from files * ima: Also add a sha256 default boot_aggregate hash with 64 '0's * ima: Use seek() to get to the last known last entry * ima: Extend allowlist to be able to handle generic ima-buf entries * ima: Extend JSON allowlist with 'ima' entry and 'ignored_keyrings' * ima: Populate verifier keyrings with keys taken from ima-buf log line * ima: Remove methods from ImaKeyring that are now in ImaKeyrings * ima: Start passing ima_keyrings through APIs replacing ima_keyring * Extend AgentAttestState with ima_keyrings field and use it * ima: Implement ImaKeyrings class to support multiple keyrings * verifier: Extend verifier DB to persist learned keyrings * Fix a couple of pylint errors * ima: Fix spurious attestation failures * ima: make ToMToU errors not a failure by default * Simple fix for tenant error message printout. * pylint: Fix errors related to R1714 * pylint: Suppress C0201, C0209 and W0602 newly reported errors * installer: do not install tpm2-abrmd * tpm: by default use /dev/tpmrm0 instead of tpm2-abrmd * verifier: add option to send revocation messages via webhook ==== kuberlr ==== Version update (0.3.1 -> 0.4.1) - Update to version 0.4.1: * Tag release 0.4.1 * Fixing issue of process holding on to file during rename - Update to version 0.4.0: * Release version 0.4.0 * Fix error reporting inside of downloader * Add `get` command * Update github.com/blang/semver dependency * Don't parse kubectl commandline with flag.Parse() - Update to version 0.3.2: * Tag version v0.3.2 * Act on linter directives * Copy the temp file to dest only if rename fails * style improvements - no functional change * download the hash before the document * ioutil.TempFile returns an open file object * Convert the sha mismatch error msg into a custom error * When downloading versions of kubectl, verify their contents against known SHA256 hashes * Remove vendored tree * Allow to override build date with SOURCE_DATE_EPOCH - BuildRequire go 1.16 or higher - major overhaul of the package to adhere to common go build commands - use 'buildmode=pie' - strip binary - do not use the Makefile, instead directly run the few commands ==== logrotate ==== Version update (3.18.1 -> 3.19.0) - update to 3.19.0: * continue on EINTR in compressLogFile() (#430) * enforce stricter parsing of configuration files (#427, #431) * avoid confusing error message in debug mode (#426) * fix full_write() on incomplete write (#415) * do not use alloca() any more (#412) * do not rotate hard links unless allowhardlink is used (#407) * change directory after dropping privileges (#397) * add defence in depth when dropping privileges (#400) * remove invalid configuration on error (#408) * do not open symbolic link log files by accident (#399) * do not write state if state file is /dev/null (#395) - rebased logrotate-3.13.0-systemd_add_home_env.patch and renamed to logrotate-3.19.0-systemd_add_home_env.patch - removed obsolete logrotate-dont_warn_on_size=_syntax.patch ==== python-attrs ==== Version update (21.2.0 -> 21.4.0) - update to 21.4.0: * Fixed the test suite on PyPy3.8 where ``cloudpickle`` does not work. * Fixed ``coverage report`` for projects that use ``attrs`` and don't set a ``--source``. * When using ``@define``, converters are now run by default when setting an attribute on an instance -- additionally to validators. * ``import attrs`` has finally landed! * ``attr.asdict(retain_collection_types=False)`` (default) dumps collection-esque keys as tuples. * ``__match_args__`` are now generated to support Python 3.10's * If the class-level *on_setattr* is set to ``attrs.setters.validate`` (default in ``@define`` and ``@mutable``) but no field defines a validator, pretend that it's not set. * The generated ``__repr__`` is significantly faster on Pythons with f-strings. * Attributes transformed via ``field_transformer`` are wrapped with ``AttrsClass`` again. * Generated source code is now cached more efficiently for identical classes. * Added ``attrs.converters.to_bool()``. * ``attrs.resolve_types()`` now resolves types of subclasses after the parents are resolved. * Added new validators: ``lt(val)`` (< val), ``le(va)`` (? val), ``ge(val)`` (? val), ``gt(val)`` (> val), and ``maxlen(n)``. * ``attrs`` classes are now fully compatible with cloudpickle * Added new context manager ``attrs.validators.disabled()`` and functions ``attrs.validators.(set|get)_disabled()``. They deprecate ``attrs.(set|get)_run_validators()``. All functions are interoperable and modify the same internal state. They are not ? and never were ? thread-safe, though. ==== python-charset-normalizer ==== Version update (2.0.9 -> 2.0.10) - update to 2.0.10: * Fallback match entries might lead to UnicodeDecodeError for large bytes sequence * Skipping the language-detection (CD) on ASCII ==== python-msgpack ==== Version update (1.0.2 -> 1.0.3) - update to 1.0.3: * add python 3.10 support * bugfixes ==== python-psutil ==== Version update (5.8.0 -> 5.9.0) - update to 5.9.0: * [Linux]: `cpu_freq()`_ is slow on systems with many CPUs. Read current frequency values for all CPUs from ``/proc/cpuinfo`` instead of opening many files in ``/sys`` fs. (patch by marxin) * `NoSuchProcess`_ message now specifies if the PID has been reused. * error classes (`NoSuchProcess`_, `AccessDenied`_, etc.) now have a better formatted and separated ``__repr__`` and ``__str__`` implementations. * [Linux]: `disk_partitions()`_: convert ``/dev/root`` device (an alias used on some Linux distros) to real root device path. * ``PSUTIL_DEBUG`` mode now prints file name and line number of the debug messages coming from C extension modules. * rewrite HISTORY.rst to use hyperlinks pointing to psutil API doc. * [Linux]: `wait_procs()`_ should catch ``subprocess.TimeoutExpired`` exception. * [Linux]: `sensors_battery()`_ can raise ``TypeError`` on PureOS. * [Linux]: psutil does not handle ``ENAMETOOLONG`` when accessing process file descriptors in procfs. (patch by Nikita Radchenko) * **[critical]**: ``memoize_when_activated`` decorator is not thread-safe. * **[critical]**: `process_iter()`_ is not thread safe and can raise ``TypeError`` if invoked from multiple threads. * [Linux]: `cpu_freq()`_ return order is wrong on systems with more than 9 CPUs. ==== python-zipp ==== Version update (3.6.0 -> 3.7.0) - update to 3.7.0: * Require Python 3.7 or later. - add python-rpm-macros buildrequires ==== systemd ==== Subpackages: libsystemd0 libudev1 systemd-sysvinit udev - Added patches to fix CVE-2021-3997 (bsc#1194178) 5000-shared-rm_rf-refactor-rm_rf_children_inner-to-shorte.patch 5001-shared-rm_rf-refactor-rm_rf-to-shorten-code-a-bit.patch 5002-shared-rm-rf-loop-over-nested-directories-instead-of.patch These patches will be dropped and cherry-picked from upstream once upstream will commit them in their main branch. - Import commit a54f80116ccf105dff11aef5d18dd110ebd3e8ee 30cbebc56f tmpfiles: 'st' may have been used uninitialized 5443654ec0 macro: add new helper RET_NERRNO() 8d90ecc435 rm-rf: optionally fsync() after removing directory tree 591344010d rm-rf: refactor rm_rf_children(), split out body of directory iteration loop 8c7762c4f1 Bump the max number of inodes for /dev to a million (bsc#1192858) dc9476c881 journal: don't remove the flushed flag when journald is stopped 29efc29efd TEST-10: don't attempt to write a byte to the socket 773fb785b6 Bump the max number of inodes for /dev to 128k (bsc#1192858) ==== wpa_supplicant ==== - Added hardening to systemd service(s) (bsc#1181400). Modified: * wpa_supplicant.service