Packages changed:
  cloud-init
  cockpit (307 -> 309)
  cockpit-podman (82 -> 83)
  cups (2.4.2 -> 2.4.7)
  curl (8.5.0 -> 8.6.0)
  fillup
  kexec-tools
  keylime (7.7.0 -> 7.9.0)
  libbs2b
  libssh (0.10.5 -> 0.10.6)
  patterns-base
  permissions
  python-jsonschema (4.20.0 -> 4.21.1)
  python-referencing (0.32.1 -> 0.33.0)
  rpm (4.18.0 -> 4.19.1)
  rust-keylime (0.2.3+git.1701075380.a5dc985 -> 0.2.4~0)
  suse-module-tools (16.0.42 -> 16.0.43)
  vala-panel-appmenu
  xz (5.4.5 -> 5.4.6)

=== Details ===

==== cloud-init ====

- Add cloud-init-skip-empty-conf.patch
  + Skip tests with empty config
- Add cloud-init-pckg-reboot.patch (boo#1198533, bsc#1218952, jsc#SMO-326)
  + Support reboot on package update/upgrade via the cloud-init config

==== cockpit ====
Version update (307 -> 309)
Subpackages: cockpit-bridge cockpit-packagekit cockpit-system

- new version 309:
  * storage redesign
  * initial btrfs support
  https://cockpit-project.org/blog/cockpit-309.html

==== cockpit-podman ====
Version update (82 -> 83)

- New version 83:
  * bug fixes and library updates

==== cups ====
Version update (2.4.2 -> 2.4.7)
Subpackages: cups-client cups-config libcups2 libcupsimage2

- Version upgrade to 2.4.7:
  See https://github.com/openprinting/cups/releases
  CUPS 2.4.7 is released to ship the fix for CVE-2023-4504 and several other changes, among them it is adding OpenSSL support for cupsHashData function and bug fixes.
  Detailed list:
  * CVE-2023-4504 - Fixed Heap-based buffer overflow when reading Postscript in PPD files
  * Added OpenSSL support for cupsHashData (Issue #762)
  * Fixed delays in lpd backend (Issue #741)
  * Fixed extensive logging in scheduler (Issue #604)
  * Fixed hanging of lpstat on IBM AIX (Issue #773)
  * Fixed hanging of lpstat on Solaris (Issue #156)
  * Fixed printing to stderr if we can't open cups-files.conf (Issue #777)
  * Fixed purging job files via cancel -x (Issue #742)
  * Fixed RFC 1179 port reserving behavior in LPD backend (Issue #743)
  * Fixed a bug in the PPD command interpretation code (Issue #768)
  Issues are those at https://github.com/OpenPrinting/cups/issues
- Version upgrade to 2.4.6:
  See https://github.com/openprinting/cups/releases
  CUPS 2.4.6 is released to ship the fix for CVE-2023-34241 and two other bug fixes.
  Detailed list:
  * Fix linking error on old MacOS (Issue #715)
  * Fix printing multiple files on specific printers (Issue #643)
  * Fix use-after-free when logging warnings in case of failures in cupsdAcceptClient() (fixes CVE-2023-34241)
  Issues are those at https://github.com/OpenPrinting/cups/issues
- Version upgrade to 2.4.5:
  See https://github.com/openprinting/cups/releases
  CUPS 2.4.5 is a hotfix release for a bug which corrupted locally saved certificates, which broke secured printing via TLS after the first print job.
- Version upgrade to 2.4.4:
  See https://github.com/openprinting/cups/releases
  CUPS 2.4.4 release is created as a hotfix for segfault in cupsGetNamedDest(), when caller tries to find the default destination and the default destination is not set on the machine.
- Version upgrade to 2.4.3:
  See https://github.com/openprinting/cups/releases
  CUPS 2.4.3 brings fix for CVE-2023-32324, several improvements and many bug fixes.
  CUPS now implements fallback for printers with broken firmware, which is not capable of answering to IPP request get-printer-attributes with all, media-col-database - this enables driverless support for bunch of printers which don't follow IPP Everywhere standard.
  Aside from the CVE fix the most important fixes are around color settings, printer application support fixes and OpenSSL support.
  Detailed list of changes:
  * Added a title with device uri for found network printers (Issues #402, #393)
  * Added new media sizes defined by IANA (Issues #501)
  * Added quirk for GoDEX label printers (Issue #440)
  * Fixed --enable-libtool-unsupported (Issue #394)
  * Fixed configuration on RISC-V machines (Issue #404)
  * Fixed the device_uri invalid pointer for driverless printers with .local hostname (Issue #419)
  * Fixed an OpenSSL crash bug (Issue #409)
  * Fixed a potential SNMP OID value overflow issue (Issue #431)
  * Fixed an OpenSSL certificate loading issue (Issue #465)
  * Fixed Brazilian Portuguese translations (Issue #288)
  * Fixed cupsd default keychain location when building with OpenSSL (Issue #529)
  * Fixed default color settings for CMYK printers as well (Issue #500)
  * Fixed duplicate PPD2IPP media-type names (Issue #688)
  * Fixed possible heap buffer overflow in _cups_strlcpy() (fixes CVE-2023-32324)
  * Fixed InputSlot heuristic for photo sizes smaller than 5x7" if there is no media-source in the request (Issue #569)
  * Fixed invalid memory access during generating IPP Everywhere queue (Issue #466)
  * Fixed lprm if no destination is provided (Issue #457)
  * Fixed memory leaks in create_local_bg_thread() (Issue #466)
  * Fixed media size tolerance in ippeveprinter (Issue #487)
  * Fixed passing command name without path into ippeveprinter (Issue #629)
  * Fixed saving strings file path in printers.conf (Issue #710)
  * Fixed TLS certificate generation bugs (Issue #652)
  * ippDeleteValues would not delete the last value (Issue #556)
  * Ignore some of IPP defaults if the application sends its PPD alternative (Issue #484)
  * Make Letter the default size in ippevepcl (Issue #543)
  * Now accessing Admin page in Web UI requires authentication (Issue #518)
  * Now look for default printer on network if needed (Issue #452)
  * Now we poll media-col-database separately if we fail at first (Issue #599)
  * Now report fax attributes and values as needed (Issue #459)
  * Now localize HTTP responses using the Content-Language value (Issue #426)
  * Raised file size limit for importing PPD via Web UI (Issue #433)
  * Raised maximum listen backlog size to INT MAX (Issue #626)
  * Update print-color-mode if the printer is modified
... changelog too long, skipping 14 lines ...
  see the above CUPS 2.4.3 changes

==== curl ====
Version update (8.5.0 -> 8.6.0)
Subpackages: libcurl4

- Update to 8.6.0: [bsc#1219149, CVE-2024-0853]
  * Security fixes:
    - CVE-2024-0853: OCSP verification bypass with TLS session reuse
  * Changes:
    - add CURLE_TOO_LARGE, CURLINFO_QUEUE_TIME_T
  * Bugfixes:
    - altsvc: free 'as' when returning error
    - asyn-ares: with modern c-ares, use its default timeout
    - cf-socket: show errno in tcpkeepalive error messages
    - cmdline-opts: update availability for the *-ca-native options
    - configure: when enabling QUIC, check that TLS supports QUIC
    - content_encoding: change return code to typedef'ed enum
    - curl: show ipfs and ipns as supported "protocols"
    - CURLINFO_REFERER.3: clarify that it is the *request* header
    - dist: add tests/errorcodes.pl to the tarball
    - gen.pl: support ## for doing .IP in table-like lists
    - GHA: bump ngtcp2, gnutls, mod_h2, quiche
    - hostip: return error immediately when Curl_ip2addr() fails
    - http3/quiche: fix result code on a stream reset
    - http3: initial support for OpenSSL 3.2 QUIC stack
    - http: check for "Host:" case insensitively
    - http: fix off-by-one error in request method length check
    - http: only act on 101 responses when they are HTTP/1.1
    - lib: add debug log outputs for CURLE_BAD_FUNCTION_ARGUMENT
    - lib: error out on multissl + http3
    - lib: fix variable undeclared error caused by `infof` changes
    - lib: rename Curl_strndup to Curl_memdup0 to avoid misunderstanding
    - lib: strndup/memdup instead of malloc, memcpy and null-terminate
    - libssh2: use `libssh2_session_callback_set2()` with v1.11.1
    - ngtcp2: put h3 at the front of alpn
    - openldap: fix an LDAP crash
    - openldap: fix STARTTLS
    - openssl: re-match LibreSSL deinit with init
    - rtsp: deal with borked server responses
    - sasl: make login option string override http auth
    - tool: prepend output_dir in header callback
    - tool_getparam: stop supporting `@filename` style for --cookie
    - transfer: fix upload rate limiting, add test cases
    - url: don't set default CA paths for Secure Transport backend
    - url: for disabled protocols, mention if found in redirect
    - vquic: extract TLS setup into own source
    - websockets: check for negative payload lengths
  * Remove patches fixed upstream:
    - curl-adjust-pollset-fix.patch
    - curl-tests-errorcodes.patch
  * Rebase dont-mess-with-rpmoptflags.patch

==== fillup ====

- remove bin symlink for non-suse distributions

==== kexec-tools ====

- add kexec-dont-use-kexec_file_load-on-xen.patch: kexec: don't use kexec_file_load on xen (bsc#1218590)

==== keylime ====
Version update (7.7.0 -> 7.9.0)
Subpackages: keylime-config keylime-firewalld keylime-logrotate keylime-registrar keylime-tenant keylime-tpm_cert_store keylime-verifier python311-keylime

- Update to version v7.9.0:
  * templates: Add version 2.2, with event log location options
  * Monthly release (7.9.0)
  * update roadmap for 2024
  * Extended the length of `verifier_ip` column to String(255)
  * mba/e/elchecking: add workaround for non spec compliant firmware
  * mba/e/example: ignore EV_CPU_MICROCODE, EV_EFI_HANDOFF_TABLES2 and MokListRT
  * mba/e/example: Allow db entries to be also hashes
  * mba/elchecking: load imports first
  * codestyle: Have pyright ignore ffi.NULL
  * codestyle: Use cast() to set type after splitlines()
  * codestyle: Replace _ with variable name in abstract method (pyright)
  * codestyle: Address some issues detected by pyright
  * codestyle: Remove a 'type: ignore' comment (mypy)
  * detect template changes - docs
  * detect template changes - mappings
  * Tests: Switch code coverage measurement to Fedora 39
  * Correcting paths in userguide documentation
  * docs: fix conf.py
  * Add build os and python version to readthedocs
  * Fix readthedocs config file location
  * docs: add additional reading section
- Update to version v7.8.0:
  * Monthly release (7.8.0)
  * address marcio and stefan comments
  * Add documentation for IAK and IDevID
  * templates/2.1: Fix enable_iak_idevid in agent template
  * support for user mode in run-test.sh
  * docs: fix small typo in threat model
  * ca_impl_openssl: support CRL distribution point from config
  * ca_util: add import functions for private keys
  * Enable test functional/iak-idevid-register-with-certificates
  * Replace mailing list address with Slack channel
  * docs: Add configuration documentation
  * tests: Add tests for exception cases in configuration update
  * tests: Add test for update mapping corner cases
  * convert_config: Add support for update mappings
  * convert_config: Do not require keylime modules
  * convert_config: Make the config upgrade less verbose
  * ima: Report an error if no quote forward-progress was made
  * codestyle: Modify list generator to avoid annotation issue (pyright)
  * codestyle: Remove unnecessary type check ignore statement (mypy)
  * codestyle: Add missing type parameter to generic type 'Pattern' (mypy)
  * Update packit plan with new tests
  * Fix typo in Secure Payloads docs
  * incorrect boolean expression causing ECs to be disallowed
  * codestyle: Create explicit sighandler with type annotation (pyright)
  * cert_utils: Ignore malformed certificate files
  * unit test for cert utils
  * Add certificates and certificate checking for IDevID and IAK keys

==== libbs2b ====

- Add libbs2b-clipping.patch to remove clipping of overloaded samples.
  Patch is taken from: https://github.com/alexmarsev/libbs2b
  For more details see: https://github.com/strawberrymusicplayer/strawberry/issues/1320

==== libssh ====
Version update (0.10.5 -> 0.10.6)
Subpackages: libssh-config libssh4

- Fix regression parsing IPv6 addresses provided as hostname
  * Added libssh-fix-ipv6-hostname-regression.patch
- Update to version 0.10.6
  https://www.libssh.org/2023/12/18/libssh-0-10-6-and-libssh-0-9-8-security-releases/
  - Fix CVE-2023-6004: ProxyCommand/ProxyJump features allow injection of malicious code through hostname (bsc#1218209)
  - Fix CVE-2023-48795: prefix truncation breaking ssh channel integrity (bsc#1218126)
  - Fix CVE-2023-6918: Added Missing checks for return values for digests (bsc#1218186)

==== patterns-base ====
Subpackages: patterns-base-base patterns-base-bootloader patterns-base-documentation patterns-base-enhanced_base patterns-base-minimal_base patterns-base-sw_management patterns-base-x11 patterns-base-x11_enhanced

- patterns-base-fips: Require openssl-fips-provider when libopenssl is installed (meta package and libopenssl3) (boo#1219384).

==== permissions ====
Subpackages: chkstat permissions-config

- Create directory /usr/share/permissions/permissions.d for packages to place their drop-ins.

==== python-jsonschema ====
Version update (4.20.0 -> 4.21.1)

- update to 4.21.1:
  * Slightly speed up the contains keyword by removing some unnecessary validator (re-)creation.
- update to 4.21.0:
  * Wrong behaviour for enum keyword by @otto-ifak in https://github.com/python-jsonschema/jsonschema/pull/1208

==== python-referencing ====
Version update (0.32.1 -> 0.33.0)

- Update to version 0.33.0:
  * Add a referencing.jsonschema.SchemaResource type alias to go along with the other JSON Schema specialized types.

==== rpm ====
Version update (4.18.0 -> 4.19.1)

- fix Source url to match what is listed on https://rpm.org/download.html
- disable sysusers handling for now
- update to rpm-4.19.1
  * new spec snippet support for dynamic spec generation
  * new sysusers.d integration for automated user and group handling
  * new CMake build system
  * removal of various deprecated and/or unused APIs
  * various internal code cleanups
- refreshed patches:
  * brp-compress-no-img.patch
  * brp.diff
  * brpcompress.diff
  * build.diff
  * enable-postin-scripts-error.diff
  * fileattrs.diff
  * findlang.diff
  * findsupplements.diff
  * langnoc.diff
  * macrosin.diff
  * platformin.diff
  * posttrans.diff
  * refreshtestarch.diff
  * rpm-findlang-inject-metainfo.patch
  * rpmqpack.diff
  * rpmrc.diff
  * selinux_transactional_update.patch
  * localetag.diff
  * weakdepscompat.diff
  * zstdpool.diff
- deleted patches:
  * cpuid_lzcnt.patch
  * libmagic-exceptions.patch
  * remove-awk-dependency.patch
  * whatrequires-doc.diff
  * x86_64-microarchitectures.patch
- new patches:
  * python_setup.diff
  * rpmsort_reverse.diff
  * canongnu.diff
- new file:
  * build-aux.tar.bz2 (taken from rpm-4.18)
- fix --runposttrans not working correctly with the --root option [bnc#1216091]

==== rust-keylime ====
Version update (0.2.3+git.1701075380.a5dc985 -> 0.2.4~0)
Subpackages: keylime-ima-policy

- Update to version 0.2.4+git.1706692574.a744517:
  * Bump version to 0.2.4
  * build(deps): bump uuid from 1.4.1 to 1.7.0
  * keylime-agent.conf: Allow setting event logs paths
  * Mutable log paths: allow IMA and MBA log paths to be overridden by keylime configuration.
  * workflows: Update checkout action to version 4
  * build(deps): bump serde from 1.0.188 to 1.0.195
  * build(deps): bump pest_derive from 2.7.0 to 2.7.6
  * build(deps): bump openssl from 0.10.62 to 0.10.63
  * build(deps): bump config from 0.13.3 to 0.13.4
  * build(deps): bump base64 from 0.21.4 to 0.21.7
  * build(deps): bump tempfile from 3.8.0 to 3.9.0
  * build(deps): bump pest from 2.7.0 to 2.7.6
  * build(deps): bump actix-web from 4.4.0 to 4.4.1
  * build(deps): bump reqwest from 0.11.22 to 0.11.23
  * build(deps): bump h2 from 0.3.17 to 0.3.24
  * build(deps): bump shlex from 1.1.0 to 1.3.0
  * cargo: Bump tss-esapi to version 7.4.0
  * workflows: Fix keylime-bot token usage
  * tpm: Add error context for every possible error
  * tpm: Add AlgorithmError to TpmError
  * detect idevid template from certificates
  * build(deps): bump wiremock from 0.5.18 to 0.5.22
  * build(deps): bump thiserror from 1.0.48 to 1.0.56
  * Make use of workspace dependencies
  * build(deps): bump openssl from 0.10.57 to 0.10.62
  * packit: Bump Fedora version used for code coverage

==== suse-module-tools ====
Version update (16.0.42 -> 16.0.43)
Subpackages: suse-module-tools-scriptlets

- Update to version 16.0.43:
  * macros.initrd: %regenerate_initrd_post: don't fail if mkdir is unavailable (boo#1217979)
  * Don't rebuild existing initramfs images if the environment variable SKIP_REGENERATE_ALL=1 is set (boo#1192014)
  * README: Update blacklist description (gh#openSUSE/suse-module-tools#71)

==== vala-panel-appmenu ====
Subpackages: appmenu-gtk-module-common appmenu-gtk2-module appmenu-gtk3-module libappmenu-gtk2-parser0 libappmenu-gtk3-parser0

- Fix CFLAGS and CXXFLAGS to use distro flags

==== xz ====
Version update (5.4.5 -> 5.4.6)
Subpackages: liblzma5

- Build static library on SLE
- update to 5.4.6:
  * Fixed a bug involving internal function pointers in liblzma not being initialized to NULL.
    The bug can only be triggered if lzma_filters_update() is called on a LZMA1 encoder, so it does not affect xz or any application known to us that uses liblzma.
  * Fixed a regression introduced in 5.4.2 that caused encoding in the raw format to unnecessarily fail if --suffix was not used. For instance, the following command no longer reports that --suffix must be used:
      echo foo | xz --format=raw --lzma2 | wc -c
  * Fixed an issue on MinGW-w64 builds that prevented reading from or writing to non-terminal character devices like NUL.
  * Added a new test.