Removed rpms
============
- SUSEConnect
- edict
- krb5-32bit
- libdevmapper1_03-32bit
- libf2fs1
- rollback-helper
- wqy-zenhei-fonts
- zypper-migration-plugin
- zypper-search-packages-plugin
Added rpms
==========
- krb5-32bit
- libdevmapper1_03-32bit
- libf2fs8
Package Source Changes
======================
autofs
+- Update pidfile path to /run from /var/run (bsc#1185155)
+
-- add autofs-debuginfo-fix.patch to fix building of debuginfo
- package
-
-- Do not depend on insserv if the system use systemd; it's useless
-- Update to version 5.1.0
- + fix mistake in assignment.
- + add amd map format parser.
- + check for non existent negative entries in lookup_ghost().
- + fix reset flex scan buffer on init.
- + fix fix negative status being reset on map read.
- + amd lookup update lookup ldap to handle amd keys.
- - inadvertantly dropped from initial series.
- + amd lookup update lookup hesiod to handle amd keys.
- - inadvertantly dropped from initial series.
- + fix wildcard key lookup.
- + fix out of order amd timestamp lookup.
- + fix ldap default schema config.
- + fix ldap default master map name config.
- + fix map format init in lookup_init().
- + fix incorrect max key length in defaults get_hash().
- + fix xfn sets incorrect lexer state.
- + fix old style key lookup.
- + fix expire when server not responding.
- + fix ldap_uri config update.
- + fix typo in conf_load_autofs_defaults().
- + fix hash on confg option add and delete.
- + add plus to path match pattern.
- + fix multi entry ldap option handling.
- + cleanup options in amd_parse.c
- + allow empty value for some map options.
- + allow empty value in macro selectors.
-- Adapt autofs-5.0.9-dbus-udisks-monitor.patch to upstream changes,
- rename to autofs-5.1.0-dbus-udisks-monitor.patch
-
-- autofs.init: drop when systemd is enabled (bnc#863970)
-
-- update to version 5.0.9:
- * fixes for samples/auto.master
- * fix variable substitution description
- * fix incorrect append options description in README.v5-release
-- rebase, refresh and rename all patches on top of 5.0.9
-- switch to .xz compressed tarball instead of bzip2
-- autofs-5.0.8-upstream-patches-20140324.bz2: remove
-
-- Avoid bad timings and timeouts if a shutdown was done by a remote
- user via su and with autofs based home directory
-
-- autofs-5.0.8-upstream-patches-20140324.bz2: update 5.0.8 upstream
- patches up to 2014-03-24, fixing the following bugs:
- * fix fix options compare
- * use open(2) instead of access(2) to trigger dependent mounts
- * fix fix map source with type lookup (bnc#869377)
-
-- autofs-5.0.8-upstream-patches-20140224.bz2: update 5.0.8 upstream
- patches up to 2014-02-24, fixing the following bugs:
- * fix ipv6 link local address handling
- * fix fix ipv6 libtirpc getport
- * get_nfs_info() should query portmapper if port is not given
- * fix rpc_portmap_getport() proto not set
- * fix protmap not trying proto v2
- * fix rpc_getport() when libtirpc is disabled
- * fix rpc_getrpcbport() when libtirpc is disabled
- * don't reset errno (former autofs-5.0.8-eaccess.patch)
- * extend fix for crash due to thread unsafe use of libldap (bnc#853469)
- * fix deadlock in init_ldap_connection (bnc#859969)
- * fix options compare
- * fix negative status being reset on map read
- * check for existing offset mount before mounting
- * fix max() declaration
- * fix symlink fail message in mount_bind.c
- * fix cache readlock not taken on lookup
- * pass map_source as function paramter where possible
- * check for bind onto self in mount_bind.c
- * fix symlink expire
- * dont clobber mapent for negative cache
- * fix macro_addvar() and move init to main thread
- * change walk_tree() to take ap
- * add negative cache lookup to hesiod lookup
- * fix external env configure
- * make autofs(5) consistent with auto.master(5)
- * fix map source with type lookup
- * fix lookup_nss_mount() map lookup
- * dont ignore null cache entries on multi mount umount
- * fix inconsistent error returns in handle_packet_missing_direct()
- * simple coverity fixes
-- autofs-5.0.8-eaccess.patch: removed (merged upstream)
-- autofs-5.0.8-dbus-udisks-monitor.patch: refresh
-
-- autofs-5.0.8-revert-fix-libtirpc-name-clash.patch: no longer
- needed after libtirpc was updated to 0.2.4-rc2, remove
-
-- autofs-5.0.8-upstream-patches-20131124.bz2: update 5.0.8 upstream
- patches up to 2013-11-24, fixing the following bugs:
- * fix undefined authtype_requires_creds err if ldap enabled but
- without sasl
- * fix master map type check
- * fix task manager not getting signaled
- * allow --with-systemd to take a path arg
- * fix WITH_LIBTIRPC function name
- * fix ipv6 libtirpc getport
-- autofs-5.0.8-dbus-udisks-monitor.patch: rebase on top of 5.0.8
-
-- update to version 5.0.8: no code changes as all patches were
- already present in autofs-5.0.7-upstream-patches-20131001.bz2
-- autofs-5.0.7-upstream-patches-20131001.bz2: removed
-
-- autofs-suse-build.patch: removed, no longer needed.
-
-- autofs-5.0.7-upstream-patches-20131001.bz2: update 5.0.7 upstream
- patches up to 2013-10-01, fixing many bugs:
- * fix add null check in parse_server_string()
- * check for protocol option
- * use ulimit max open files if greater than internal maximum
- * don't override LDFLAGS in make rules
- * fix a couple of compiler warnings
- * add after sssd dependency to unit file
- * dont start readmap unless ready
- * fix crash due to thread unsafe use of libldap (bnc#820585)
- * fix compile error with heimdal support enabled
- * fix typo forced-shutdown should be force-shutdown
- * fix hesiod check error and use correct $(LIBS) setting
- * fix dead LDAP symbolic link when LDAP support is disabled
- * add missing libtirpc lib to mount_nfs.so when TIRPC enabled
- * use compiler determined by configure instead of hard-coded ones
- * remove hard-coded STRIP variable
- * use LIBS for link libraries
- * unbundle NOTSTRIP from DEBUG so they dont depend on each other
- * fix occasional build error when enable parallel compiling
- * fix compilation of lookup_ldap.c without sasl
- * fix dumpmaps multi output
- * try and cleanup after dumpmaps
- * teach dumpmaps to output simple key value pairs
- * fix syncronize handle_mounts() shutdown
- * fix fix wildcard multi map regression
- * improve timeout option description
- * only probe specific nfs version when requested
- * fix bad mkdir permission on create
- * setup program map env from macro table
- * add short host name standard marco variable
- * allow use of hosts map in maps
- * fix get_nfs_info() probe
- * fix portmap lookup
- * add std vars to program map invocation
- * samples/auto.smb: add logic to obtain credentials
-
-- autofs-5.0.7-upstream-patches-20130619.bz2: update 5.0.7 upstream
- patches up to 2013-06-19, fixing some bugs:
- * make dump maps check for duplicate indirect mounts
- * document allowed map sources in auto.master
- * add enable sloppy mount option to configure
- * fix interface address null check
- * don't probe rdma mounts
- * fix master map mount options matching
- * fix master map bogus keywork match
- * fix fix map entry duplicate offset detection
- * probe each nfs version in turn for singleton mounts
- * fix probe each nfs version in turn for singleton mounts
- * misc man page fixes
-
-- Explicitly specify cyrus-sasl-devel and openssl-devel
- which were implicit before
-
-- autofs-5.0.7-upstream-patches-20130428.bz2: update 5.0.7 upstream
- patches up to 2013-04-28, fixing some bugs:
- * fix some automount(8) typos
- * syncronize handle_mounts() shutdown
- * fix submount tree not all expiring (bnc#801808)
-- remove patches that are now upstream:
- * autofs-5.0.7-fix-submount-tree-not-all-expiring.patch
-
-- autofs-5.0.7-fix-submount-tree-not-all-expiring.patch: expire
- multiple levels of recursive mounts correctly (bnc#801808)
-
-- autofs-5.0.7-upstream-patches-20130311.bz2: update 5.0.7 upstream
- patches to 20130311, fixing some bugs:
- * dont fail on master map self include (bnc#799873)
- * fix wildcard multi map regression
- * fix file descriptor leak when reloading the daemon (bnc#772698)
- * deprecate nosymlink pseudo option
- * add symlink pseudo option
- * document browse option in man page
-
-- autofs-5.0.6-invalid-ghost-dirs.patch: delete. the problem's
- root cause was fixed in the kernel
-
-- rpm spec: enable sssd support if available
-
-- autofs-5.0.7-upstream-patches-20130121.bz2: update 5.0.7 upstream
- patches to 20130121, fixing some bugs:
- * fix nobind man page description
- * fix submount offset delete
- * fix init script status return
- * fix use get_proximity() without libtirpc
- * don't use dirent d_type to filter out files in scandir()
- * don't schedule new alarms after readmap
- * use numeric protocol ids instead of protoent structs
- * lib/defaults.c: use WITH_LDAP conditional around LDAP types
- * make yellow pages support optional
- * modules/replicated.c: use sin6_addr.s6_addr32
- * workaround missing GNU versionsort extension
-- remove patches that are now upstream:
- * autofs-5.0.7-fix-scandir-filter.patch
- * autofs-5.0.7-use-protocol-id-instead-of-protoent.patch
- * autofs-5.0.7-dont-reschedule-alarm-after-signals.patch
-
-- fix build on older versions of the distribution, do not install
- org.freedesktop.AutoMount.conf
-
-- autofs-5.0.7-fix-scandir-filter.patch: fix lookup_dir when the
- included directory is on an XFS file system (bnc#798158)
-
-- autofs-5.0.7-upstream-patches-20121120.bz2: update 5.0.7 upstream
- patches to 20121120, fixing some bugs:
- * fix map entry duplicate offset detection
- * allow nsswitch.conf to not contain "automount:" lines
-
-- revert systemd initialization type from "simple" to "forking"
- and drop the patch that partially implemented "new style systemd"
- daemon (bnc#798162)
-- autofs-5.0.7-new-style-systemd-daemon.patch: delete
-
-- UDisks dbus module support: use private connection, do not refer
- to a reply if already handled, install dbus AutoMount.conf in
- direct way
-
-- autofs-5.0.7-use-protocol-id-instead-of-protoent.patch: use
- protocol id directly instead of calling the non-reentrant
- function getprotobyname() (bnc#787410)
-
-- autofs-5.0.7-dont-reschedule-alarm-after-signals.patch: don't
- schedule new alarms after handling SIGHUP and SIGUSR1 (bnc#783651)
-
-- autofs-5.0.7-new-style-systemd-daemon.patch: add new command
- line parameter --systemd, which instructs automount to skip
- daemonization completely, leaving the task to systemd
-- autofs.service: use new --systemd option when starting up
-
-- autofs.service: use service type simple with no forking
-
-- autofs-5.0.7-upstream-patches-20121018.bz2: update 5.0.7 upstream
- patches to 20121018, fixing some bugs:
- * fix recursive mount deadlock
- * increase file map read buffer size
- * handle new location of systemd
-- remove patches that are now upstream:
- * autofs-5.0.7-handle-new-location-of-systemd.patch
-
-- rpm spec: don't try to build with udisks support on old versions
- of the distribution
-
-- autofs-5.0.7-upstream-patches-20121016.bz2: update 5.0.7 upstream
- patches to 20121016, fixing some bugs:
- * add timeout option description to man page
- * fix null map entry order handling
- * make description of default MOUNT_WAIT setting clear
- * configure.in: allow cross compilation
- * README: update mailing list subscription info
-
-- autofs-systemd-path.patch: handle new location of systemd
-
-- Make it possible to use tmpfs based parents for autofs mount points
-
-- autofs-5.0.7-upstream-patches-20120911.bz2: update 5.0.7 upstream
- patches to 20120911, fixing some bugs:
- * fix nobind sun escaped map entries
- * fix use cache entry after free in lookup_prune_one_cache()
- * fix ipv6 proximity calculation
- * fix parse buffer initialization
- * fix typo in automount(8)
-- remove patches that are now upstream:
- * autofs-5.0.7-fix-parse-buffer-initialization.patch
- * autofs-5.0.7-fix-use-devid-after-free.patch
-
-- autofs-5.0.7-fix-use-devid-after-free.patch: fix use cache entry
- after free in lookup_prune_one_cache() (bnc#774241)
-
-- autofs-5.0.7-fix-parse-buffer-initialization.patch: fix parse
- buffer initialization to avoid corruption in the map file name
- string (bnc#777709)
-
-- Udisk: Check for unknown key word `eavesdrop' for dbus matching
- rules and if not supported retry without
-- Udisk: Do not crash if map file is not found
-
-- First initial udisks support, that is listen over dbus the udisks
- daemon and the events for USB and optical devices. Also ask at
- startup the udisks daemon for all devices and its properties as
- well as manage the removals and plugins of devices.
- TODO:
- + With parsing the map configuration file apply the rules
- to the map entry, like special options for file systems types
- and/or devices. Also make keys unique, that is compare with
- existing keys and add an counter or similar.
- + Also with parsing the map configuration file apply the rules
- to the key of map entry, like using more than one dict entry
- for the key.
- + Security management: who is allowed to access the devices?
- + How to trigger sync and unmount before any timeout?
- + What is about UTF-8 and Latin to UTF-8?
-
-- adjust the NetworkManager dispatcher script to check if the
- AutoFS service is enabled in SysV or systemd (bnc#773440)
-
-- update to version 5.0.7:
- * check negative cache much earlier
- * dont use pthread_rwlock_tryrdlock()
- * mount_nfs.so to honor explicit NFSv4 requests
- * mount_nfs.so fix port=0 option behavior v3
- * documentation fix some typos and misleading comments
-
-- add reload action to systemd service file (bnc#772487)
-
-- update 5.0.6 upstream patches to 20120716, fixing some bugs:
- * fix systemd argument passing
- * fix get_nfs_info() can incorrectly fail
- * fix offset directory removal
-
-- update 5.0.6 upstream patches to 20120629, fixing some bugs:
- * check if /etc/mtab is a link to /proc/self/mounts
- * fix nfs4 contacts portmap
- * fix sss map age not updated
- * fix remount deadlock (bnc#733479)
- * fix umount recovery of busy direct mount (bnc#734924)
- * fix offset mount point directory removal
- * remove move mount code and configure option
- * fix remount of multi mount
- * fix device ioctl alloc path check
- * refactor hosts lookup module
- * remove cache update from parse_mount()
- * add function to delete offset cache entry
- * allow update of multi mount offset entries
- * add hup signal handling to hosts map
-- remove patches that are now upstream:
- * autofs-5.0.6-fix-remount-deadlock.patch
- * autofs-5.0.6-fix-umount-recovery-of-busy-direct-mount.patch
-
-- fix umount recovery of busy direct mounts (bnc#734924)
-- fix remount deadlock that can happen on a restart when there are
- nested direct mounts busy (bnc#733479)
-
-- revert "fix libtirpc name clash": auth_put() is not yet available
- in our version of tirpc
-
-- update 5.0.6 upstream patches to 20120525, fixing some bugs:
- * fix sss wildcard match
- * fix dlopen() error handling in sss module
- * fix configure string length tests
- * report "map not read" when debug logging
- * duplicate parent options for included maps (bnc#753693)
- * update ->timeout() function to not return timeout
- * move timeout to map_source
- * fix kernel verion check of version components
- * dont retry ldap connect if not required
- * fix initialization in rpc create_client()
- * fix libtirpc name clash
-- remove patches that are now upstream:
- * autofs-5.0.6-duplicate-parent-options-for-included-maps.patch
-
-- duplicate parent options for included maps (bnc#753693)
-
-- update 5.0.6 upstream patches to 20120402, fixing some bugs:
- * use strtok_r() in linux_version_code()
- * improve UDP RPC timeout handling
- * allow MOUNT_WAIT to override probe
- * fix rework error return handling in rpc code
- * fix typo in libtirpc file name
- * fix function to check mount.nfs version
- * fix segmentation fault in get_query_dn() (bnc#752044)
-- remove patches that are now upstream:
- * autofs-5.0.6-fix-libtirpc-name-typo.patch
-
-- update 5.0.6 upstream patches to 20120228, fixing some bugs and
- implementing new features (bnc#749098):
- * fix improve mount location error reporting
- * fix fix wait for master source mutex
- * add sss lookup module
- * teach automount about sss source
- * fix init script usage message
- * ignore duplicate exports in auto.net
- * add kernel version check function
- * add function to check mount.nfs version
- * reinstate singleton mount probe
- * rework error return handling in rpc code
- * catch EHOSTUNREACH and bail out early
- * systemd support fixes
- * check scandir() return value (bnc#748588)
- * allow for kernel packet size change (in kernel 3.3.0+)
- * fix function to check mount.nfs version
-- get-upstream-patches: make it work again after kernel.org FTP
- server reorganization
-
-- fix segfault caused by an use after free in st_queue_handler()
- (bnc#727392)
-
-- comment out /etc/auto.master.d from the shipped auto.master file
-
-- configure with --disable-mount-move only when systemd is enabled
-
-- rpm spec: simplify some commands in the install section and
- use more rpm macros (from Cristian Rodriguez)
-
-- enable systemd support by default on openSUSE 12.2 (bnc#741879):
- * enable disable-mount-move and with-systemd configure options
- * install systemd service file
-
-- disable "--as-needed" to make sure automount will be linked
- against libtirpc (bnc#742846)
-
-- fix typo in libtirpc file name
-- rpm spec: use the %configure macro
-
-- update 5.0.6 upstream patches to 20111210, fixing some bugs and
- implementing new features (bnc#741878):
- * add systemd unit support (not enabled yet)
- * add disable move mount configure option
- * implement 'dir' map type
- * improve mount location error reporting
- * fix rpc build error
- * fix ipv6 configure check
- * fix ipv6 rpc calls
- * fix ipv6 name lookup check
- * fix map source check in file lookup
- * fix submount shutdown race
- * fix wait for master source mutex
- * fix not bind mounting local filesystem
- * fix LDAP result leaks on error paths
- * fix result null check in read_one_map()
- * fix dumpmaps not reading maps
- * fix paged query more results check
-
-- add autoconf as buildrequire to avoid implicit dependency
-
-- fix initialization of LDAP results (bnc#730245)
-
-- init script: remove SUSE-specific actions that systemd doesn't
- support (force-expire and force-stop) (bnc#725199)
-
-- rpm spec: remove redundant tags/sections
-- rpm spec: use %_smp_mflags for parallel build
-
-- fix LDAP result leaks on error paths
-- fix result null check in read_one_map() (bnc#707715)
-- fix paged query more results check
-
-- update 5.0.6 upstream patches to 20110703, removing one patch
- that is now upstream:
- * autofs-5.0.6-fix-ipv6-name-for-lookup-fix.patch
-
-- fix an error in the recent ipv6 name for lookup patch
-
-- update to version 5.0.6 (bnc#702791):
- * add nobind option
- * add base64 password encode
- * fix ipv6 name for lookup
- * fix libtirpc ipv6 check
- * dont bind nfs mount if nobind is set
-- remove patches that are now upstream:
- * autofs-5.0.5-fix-null-cache-deadlock.patch
-
-- rpm spec: install the rcautofs(8) man page as a symbolic link
- to autofs(8)
-- rpm spec: restart the automount daemon after updates
-- init script: update Free Software Foundation address
-
-- fix null cache deadlock (bnc#696596)
-
-- update 5.0.5 upstream patches to 20110613 (bnc#699767):
- * remove master_mutex_unlock() leftover
- * fix sanity checks for brackets in server name
- * fix lsb service name in init script
- * fix map source check in file lookup
- * fix simple bind without SASL support
- * fix sasl bind host name selection
-
-- build against libtirpc since glibc's rpc code is deprecated
-
-- modify the NetworkManager dispatcher script to prevent it from
- restarting AutoFS when the network goes down (bnc#693402)
-
-- init script: remove references to the obsolete autofs.ko (v3)
- kernel module (bnc#696708)
-- init script: don't wait one second if the misc device is already
- available (bnc#696708)
-
-- documentation: add the following (commented out) options to
- the default sysconfig file (bnc#695487, bnc#691617):
- * DEFAULT_NEGATIVE_TIMEOUT
- * DEFAULT_MOUNT_WAIT and DEFAULT_UMOUNT_WAIT
- * MOUNT_NFS_DEFAULT_PROTOCOL
- * LDAP_URI, LDAP_TIMEOUT, LDAP_NETWORK_TIMEOUT and SEARCH_BASE
-
-- update 5.0.5 upstream patches to 20110427 (bnc#692104):
- * fix paged ldap map read
- * fix next task list update
- * fix stale map read
- * fix null cache clean
- * automount(8) man page correction
- * fix out of order locking in readmap
- * include ip address in debug logging
- * mount using address for DNS round robin host names
- * reset negative status on cache prune
-- remove patches that are now upstream:
- * autofs-5.0.5-fix-next-task-list-update.patch
- * autofs-5.0.5-fix-stale-map-read.patch
- * autofs-5.0.5-fix-out-of-order-locking-in-readmap.patch
-
-- init script: use misc device (/dev/autofs) by default, unless it
- is explicitly disabled in sysconfig (bnc#684997)
-
-- fix out of order locking in readmap (bnc#667967)
-
-- add upstream fixes for the "non-expiring mounts" problem and
- put the "fix direct map not updating on reread" patch back in
- (bnc#677143)
-
-- ship init script as a source file and not as a patch against the
- upstream sample
-
-- update 5.0.5 upstream patches to 20110318, fixing one bug:
- * replace GPLv3 code (bnc#682268)
-
-- revert "fix direct map not updating on reread" due to expiration
- problems (bnc#677143)
-
-- update 5.0.5 upstream patches to 20110302 (bnc#676690):
- * use weight only for server selection
- * fix isspace() wild card substitution
- * auto adjust ldap page size
- * fix prune cache valid check
- * fix mountd vers retry
- * fix expire race
-
-- init script: remove "gssd" from Should-Start/Stop lists, there
- is no service with this name (bnc#626516)
-
-- when ghosting is enabled, don't create mount points for cached
- entries that don't have a valid mapent (bnc#658734)
-
-- update 5.0.5 upstream patches to 20101021 (bnc#650177):
- * remove ERR_remove_state() openssl call
- * always read file maps mount lookup map read fix
- * fix direct map not updating on reread
- * fix add simple bind auth
- * fix submount shutdown wait
- * add external bind method
- * add dump maps option
-
-- add MAP_HASH_TABLE_SIZE option to sysconfig
-
-- update 5.0.5 upstream patches to 20100810 (bnc#630736):
- * remove extra read master map call
- * fix "fix cache_init() on source re-read"
- * fix error handing in do_mount_indirect()
- * expire thread use pending mutex
- * link against krb5 library by default
- * make "verbose" mode a little less verbose (bnc#630719)
-- merge patches autofs-5.0.2-use_local_cflags.patch and
- autofs-5.0.5-as_needed.patch into autofs-suse-build.patch
-- remove autofs-5.0.4-link_kerberos.patch (now upstream)
-
-- update 5.0.5 upstream patches to 20100524 (bnc#608284):
- * add support to LDAP simple bind authentication
- * fix master map source server unavailable handling
- * add autofs_ldap_auth.conf man page
- * fix random selection for host on different network
- * don't hold lock for simple mounts
- * fix remount locking
- * fix wildcard map entry match (bnc#585201)
- * fix parse_sun() module init
- * don't check null cache on expire
- * fix null cache race
- * fix cache_init() on source re-read
- * mapent becomes negative during lookup
- * check each dc server
- * fix negative cache included map lookup
- * remove state machine timed wait
-
-- init script: improve stop routine to avoid problems on restart
- (bnc#604497)
-
-- update 5.0.5 upstream patches to 20100326:
- * fix reconnect get base dn
- * add missing sasl mutex callbacks
- * fix get query dn failure
- * fix ampersand escape in auto.smb
- * add locality as valid ldap master map attribute
- * add locality as valid ldap master map attribute fix
-
-- add "network-remotefs" to Should-Start: and Should-Stop: in the
- init script (bnc#522224)
-
-- remove configure to make sure it will be recreated by autoconf.
- fixes a build problem that sometimes prevented lookup_ldap.so to
- be linked against krb5 (bnc#572934, bnc#578655)
-
-- update 5.0.5 upstream patches to 20100201:
- * check for path mount location in generic module
- * don't fail mount on access fail
- * fix rpc fail on large export list
- * fix memory leak on reload
- * don't connect at ldap lookup module init
- * fix random selection option
- * fix disable timeout
- * fix strdup() return value check
-- include README file about active restart feature (bnc#565151)
-
-- fix build on releases that do not support ext4
-
-- add new sysconfig parameter USE_MISC_DEVICE and enable it by
- default (bnc#565151)
-- update initscript bringing it closer to what we have upstream:
- * remove the deprecated force-stop logic and handle it like a
- regular stop
- * remove force-reload from usage and handle it like a regular
- reload
-
-- update to version 5.0.5. lots of bug fixes including:
- * fix nested submount expire deadlock
- * fix negative caching for non-existent map keys
- * make hash table scale to thousands of entries
- * fix uri list locking (again)
- * add nfs mount protocol default configuration option
- * fix bad token declaration in master map parser
- * fix double free in expire_proc()
- * fix file map lookup when reading included or nsswitch sources
- * fix memory leak reading master map
- * fix st_remove_tasks() locking
- * dont umount existing direct mount on master re-read
- * fix incorrect shutdown introduced by library relaod fixes
- * fix not releasing resources when using submounts
- * fix double free in sasl_bind()
- * fix map type info parse error
- * fix an RPC fd leak
- * fix pthread push order in expire_proc_direct()
- * fix libxml2 non-thread-safe calls
- * fix direct map cache locking
- * fix dont umount existing direct mount on reread.
-- update 5.0.5 upstream patches to 20091124:
- * add mount wait parameter
- * don't use master_lex_destroy() to clear parse buffer
- * fix backwards #ifndef INET6
- * fix ext4 fsck at mount
- * fix included map read fail handling
- * fix libxml2 workaround configure
- * fix pidof init script usage
- * fix stale initialization for file map instance
- * fix timeout in connect_nb()
- * make documentation for set-log-priority clearer
- * refactor ldap sasl bind
- * special case cifs escapes.
-
-- fixed build with --as-needed
-
-- Add nfsserver to should start/stop in rc script (bnc#467906)
-
-- make sure that submounts are not busy anymore (bnc#467906)
-
chromium
+- Chromium 90.0.4430.212 (boo#1185908)
+ * CVE-2021-30506: Incorrect security UI in Web App Installs
+ * CVE-2021-30507: Inappropriate implementation in Offline
+ * CVE-2021-30508: Heap buffer overflow in Media Feeds
+ * CVE-2021-30509: Out of bounds write in Tab Strip
+ * CVE-2021-30510: Race in Aura
+ * CVE-2021-30511: Out of bounds read in Tab Group
+ * CVE-2021-30512: Use after free in Notifications
+ * CVE-2021-30513: Type Confusion in V8
+ * CVE-2021-30514: Use after free in Autofill
+ * CVE-2021-30515: Use after free in File API
+ * CVE-2021-30516: Heap buffer overflow in History
+ * CVE-2021-30517: Type Confusion in V8
+ * CVE-2021-30518: Heap buffer overflow in Reader Mode
+ * CVE-2021-30519: Use after free in Payments
+ * CVE-2021-30520: Use after free in Tab Strip
+- FTP support disabled at runtime by default since release 88.
+ Chromium 91 will remove support for ftp altogether
+ (boo#1185496)
+
+* Patch change *
+- Fix build with GCC 11 again (bsc#1185716)
+- Remove chromium-88-compiler.patch
+- Remove chromium-90-cstdint.patch
+- Remove chromium-90-gslang-linkage-fixup.patch
+- Added chromium-90-compiler.patch
+- Added chromium-90-angle-constexpr.patch
+- Added chromium-90-TokenizedOutput-include.patch
+- Added chromium-90-ruy-include.patch
+- Added chromium-90-CrossThreadCopier-qualification.patch
+- Added chromium-90-quantization_utils-include.patch
+
chrony
+- boo#1162964, clknetsim-glibc-2.31.patch:
+ Fix build with glibc-2.31
+- bsc#1184400, chrony-pidfile.patch:
+ Use /run instead of /var/run for PIDFile in chronyd.service.
+
dracut
+- Update to version 049.1+suse.188.gbf445638:
+ * 90kernel-modules-extra: don't resolve symlinks before instmod (bsc#1185277)
+
dtc
+- explicitly pass -pie in CFLAGS, since the build system explicitly passes
+ - fPIC, which breaks our gcc-PIE profile. This makes all packaged binaries
+ PIE-executables (bsc#1184122).
+
enblend-enfuse
+- Add enblend-enfuse-4.2-gcc-10.patch: Fix build with GCC 10
+ (picked from Gentoo, https://bugs.gentoo.org/723306).
+
+- Add reproducibledate.patch to override build date (boo#1047218)
+- Add reproducible.patch to override build hostname (boo#1084909)
+
+- Update RPM groups.
+
+- Switched to cmake build
+ * Removed patch for autotools: enblend-latex-optional.patch
+- Added enblend-enfuse-4.2-add-missing-cmakelists.patch
+- Enabled support for OpenMP
+- Enabled support for SSE2
+- Turn on optimizations again
+- Info pages are no longer available
+- Added PDF documentation for enblend and enfuse
+
-- Update to patchlevel 3 of version 4.1:
- + Bug Fixes:
- [Enblend only] Fix problem of multiple, almost-identical
- seamlines that produce inexplicable black areas in the output
- panorama.
- + LCMS 2.5 is now required to build.
-
-- update to patchlevel 2 of version 4.1:
- [Enblend and Enfuse] Fix a bug in the highlight-recovery that caused
- Enfuse to bail out with the uncaught exception
- "Minimizer1D::set_bracket: minimum not bracketed".
- This addresses LaunchPad Bug #1214004.
- [Enfuse] Clean up seemingly random, bright-colored pixels that
- sometimes show up when fusing images with high contrast and "large"
- color profiles.
- [Enblend only] Fix a race condition in the seam-line optimizer that
- can cause wrongly placed seams.
- [Enblend and Enfuse] Use a per-thread storage of all OpenMP
- Vigra-functors. This avoids data races.
- [Enblend and Enfuse] The Boost implementation of the `Mersenne
- Twister' random number generator caused segmentation faults when
- used in the OpenMP-enabled versions of Enblend and Enfuse. The new
- implementation is based on the GNU Scientific Library (GSL), which
- plays nicely with concurrent accesses.
- [Enblend only] Correct a mistake that causes overlapping images with
- multiple seams to be blended incorrectly.
- [Enblend only] Require the OpenGL extension
- `GL_ARB_texture_rectangle' for the `--gpu' option to work. This
- does away with a pesky warning of OpenGL drivers that do support
- this extension and avoids crashes with drivers that don't.
- The GPU performance improvement of Enblend via `--gpu' now is only
- available with drivers that feature `GL_ARB_texture_rectangle'
- (among many other required OpenGL extensions).
- The OpenGL warning about odd texture sizes is unaffected by this
- change.
- [Enblend and Enfuse] Fix a longstanding quirk, which allowed to load
- masks that were unsuitable for processing.
-- no more signed tar balls, droping gpg verification :/
-- modified patches:
- * use-default-gcc-inlining.diff
-
-- Added BuildRequire help2man to fix build with new automake
-
-- Update to version 4.1 (bnc#800803):
- * All deprecated options since version 4.0 have been removed.
- * New primary seam-line generator.
- * Default to perceptual model of the difference image.
- * Parallelize CIECAM02 color conversion.
- * Enblend and Enfuse integrate seamlessly in color-managed
- workflow.
- * Require LittleCMS Version 2.x Unbounded CMM feature.
- * Option to assign different profiles to profile-free input images.
- * New gray-scale projector called "anti-value".
- * Enblend and Enfuse stop after saving all generated masks to
- files, if option "--save-masks" is given, but option "--output"
- is not.
- * Enblend and Enfuse can write output JPEG files with arithmetic
- JPEG compression and TIFF files with JPEG compression.
- * Enblend and Enfuse warn on images that alternate between with
- color profile and without.
- * Several new Commandline options: "--primary-seam-generator",
- "--image-difference", "--ciecam" (for -c) and --no-ciecam",
- "--fallback-profile=PROFILE", "--exposure-cutoff",
- "--load-masks", "--layer-selector", "--levels=auto".
- * Deprecated: "--smooth-difference", user-(re)sizable image-cache.
- * External Vigra version 1.8 or later is required.
- * Enblend no longer relies on libXMI.
-- Verify GPG signature.
-
f2fs-tools
+- Remove /usr/sbin/sg_write_buffer. This file is already provided
+ by sg3_utils as /usr/bin/sg_write_buffer.
+
+- prepare usrmerge (boo#1029961)
+
+- Update to release 1.14
+ * f2fs_io: add copy command
+ * fsck: Check fsync data always for zoned block devices
+ * fsck: Check write pointer consistency of open zones
+ * fsck: Check write pointer consistency of non-open zones
+ * fsck.f2fs: Enable user-space cache
+ * f2fs-tools: support data compression
+ * dump.f2fs: print more info of inode layout
+ * resize.f2fs: add option for large_nat_bitmap feature
+ * f2fs-tools: Casefolded Encryption support
+ * mkfs.f2fs: allow setting volume UUID manually
+ * f2fs-tools: zns zone-capacity support
+ * mkfs.f2fs: add -T flag
+ * mkfs.f2fs: add -r (fake_seed) flag
+
+- Update to release 1.13
+ * introduce some preen mode in fsck.f2fs
+ * add f2fs_io tool
+ * add casefolding support
+
+- Update to new upstream release 1.12
+ * resize.f2fs: fix access out-of memory boundary
+ * mkfs.f2fs: support fsverity feature
+ * fsck.f2fs: fix stack overflow when reading out nat block
+ * mkfs.f2fs: avoid selinux denial for unnecessary sysfs node
+ * fsck.f2fs: allow -p without value
+ * mkfs.f2fs: support multiple features with one "-O"
+ * f2fs-tools: add -g to give default options
+
+- Update to version 1.10.0
+ * f2fs-tools: support inode creation time
+ * fsck.f2fs: add -y for generic fsck
+ * fsck.f2fs: support quota
+ * mkfs.f2fs: support quota option in mkfs
+ * f2fs-tools: support flexible inline xattr size
+ * add sparse support for f2fs
+ * f2fscrypt: add a tool for encryption management in f2fs
+
-- Replace 0001-build-provide-definitions-for-byteswapping-on-big-en.patch
- with official upstream version.
-
-- Update to new upstream release 1.4.0
- * fsck: add the -a option (auto-fix errors) [bnc#856645]
- * fsck: remove corrupted xattr blocks and corrupted orphan inodes;
- remove dentry if inode block is corrupted
-- Add 0001-build-provide-definitions-for-byteswapping-on-big-en.patch
-
-- Update to new snapshot 1.3.0.g22
- * add "f2fstat" program to print f2fs's status in sec
- * mkfs: support large directories
- * mkfs.f2fs, fsck.f2fs: large volume support
-
-- Update to new upstream release 1.2.0
- * f2fs-tools: add stat information into fibmap
- * fibmap.f2fs: change fibmap to fibmap.f2fs
- * fsck, lib: support inline xattr
- * fsck: skip to check block addresses in device files
- * fsck: fix to handle file types correctly
- * fsck: fix checking orphan inodes
-
-- Update to new snapshot v1.1.0-40-g6e8f2d5
- * Correct endianess conversions for CRC calculations, checkpoint
- flags and in f2fs_update_nat_root.
- * Fix the total_zones calculation in f2fs_prepare_super_block
- * Add the fsck.f2fs and dump.f2fs utilities
-
-- Update to new snapshot v1.1.0-24-gfef98eb
- * mkfs: add option to disable trim at format
- * mkfs: handle labels longer than 16 characters
-
gdm
+- Add gdm-Remove-deprecated-StandardOutput-syslog.patch: Remove
+ deprecated StandardOutput=syslog in gdm.service file
+ (bsc#1185146, glgo#GNOME/gdm!623).
+
java-11-openjdk
-- Update to upstream tag jdk-11.0.10-9 (January 2021 CPU,
+- Update to upstream tag jdk-11.0.11+9 (April 2021, CPU)
+ * Security fixes
+ + JDK-8244473: Contextualize registration for JNDI
+ + JDK-8244543: Enhanced handling of abstract classes
+ + JDK-8249906, CVE-2021-2163, bsc#1185055: Enhance opening JARs
+ + JDK-8250568, CVE-2021-2161, bsc#1185056: Less ambiguous
+ processing
+ + JDK-8253799: Make lists of normal filenames
+ + JDK-8257001: Improve Http Client Support
+ * Other changes
+ + JDK-7107012: sun.jvm.hotspot.code.CompressedReadStream
+ readDouble() conversion to long mishandled
+ + JDK-7146776: deadlock between URLStreamHandler.getHostAddress
+ and file.Handler.openconnection
+ + JDK-8086003: Test fails on OSX with java.lang.RuntimeException
+ 'Narrow klass base: 0x0000000000000000, Narrow klass shift: 3'
+ missing
+ + JDK-8168869: jdeps: localized messages don't use proper line
+ breaks
+ + JDK-8180837: SunPKCS11-NSS tests failing with
+ CKR_ATTRIBUTE_READ_ONLY and CKR_MECHANISM_PARAM_INVALID
+ + JDK-8202343: Disable TLS 1.0 and 1.1
+ + JDK-8205992: jhsdb cannot attach to Java processes running in
+ Docker containers
+ + JDK-8209193: Fix aarch64-linux compilation after -Wreorder
+ changes
+ + JDK-8210413: AArch64: Optimize div/rem by constant in C1
+ + JDK-8210578: AArch64: Invalid encoding for fmlsvs instruction
+ + JDK-8211051: jdeps usage of --dot-output doesn't provide
+ valid output for modular jar
+ + JDK-8211057: Gensrc step CompileProperties generates unstable
+ CompilerProperties output
+ + JDK-8211150: G1 Full GC not purging code root memory and
+ hence causing memory leak
+ + JDK-8211825: ModuleLayer.defineModulesWithXXX does not setup
+ delegation when module reads automatic module
+ + JDK-8212043: Add floating-point Math.min/max intrinsics
+ + JDK-8212218: [TESTBUG] runtime/ErrorHandling/
+ /TestHeapDumpOnOutOfMemoryErrorInMetaspace.java timed out
+ + JDK-8213116: javax/swing/JComboBox/WindowsComboBoxSize/
+ /WindowsComboBoxSizeTest.java fails in Windows
+ + JDK-8213909: jdeps --print-module-deps should report missing
+ dependences
+ + JDK-8214180: Need better granularity for sleeping
+ + JDK-8214223: tools/jdeps/listdeps/ListModuleDeps.java failed
+ due to missing Lib2 file
+ + JDK-8214230: Classes generated by SystemModulesPlugin.java
+ are not reproducable
+ + JDK-8214741: docs/index.html has no title or copyright
+ + JDK-8215687: [Graal] unit test CheckGraalIntrinsics failed
+ after 8212043
+ + JDK-8217848: [Graal] vmTestbase/nsk/jvmti/ResourceExhausted/
+ /resexhausted003/TestDescription.java fails
+ + JDK-8218482: sun/security/krb5/auto/ReplayCachePrecise.java
+ failed - no KrbException thrown
+ + JDK-8218550: Add test omitted from JDK-8212043
+ + JDK-8221584: SIGSEGV in os::PlatformEvent::unpark() in
+ JvmtiRawMonitor::raw_exit while posting method exit event
+ + JDK-8221995: AARCH64: problems with CAS instructions encoding
+ + JDK-8222518: Remove unnecessary caching of Parker object in
+ java.lang.Thread
+ + JDK-8222785: aarch64: add necessary masking for immediate
+ shift counts
+ + JDK-8223186: HotSpot compile warnings from GCC 9
+ + JDK-8225773: jdeps --check produces NPE if there are missing
+ module dependences
+ + JDK-8225805: Java Access Bridge does not close the logger
+ + JDK-8226810: Failed to launch JVM because of
+ NullPointerException occured on System.props
+ + JDK-8229396: jdeps ignores multi-release when
+ generate-module-info used on command line
+ + JDK-8229474: Shenandoah: Cleanup CM::update_roots()
+ + JDK-8232225: Rework the fix for JDK-8071483
+ + JDK-8232905: JFR fails with assertion:
+ assert(t->unflushed_size() == 0) failed: invariant
+ + JDK-8233164: C2 fails with assert(phase->C->get_alias_index(t)
+ == phase->C->get_alias_index(t_adr)) failed: correct memory
+ chain
+ + JDK-8233910: java/awt/ColorClass/AlphaColorTest.java is
+ failing intermittently in nightly lnux-x64 system
+ + JDK-8233912: aarch64: minor improvements of atomic operations
+ + JDK-8234508: VM_HeapWalkOperation::iterate_over_object reads
+ non-strong fields with an on-strong load barrier
+ + JDK-8234742: Improve handshake logging
+ + JDK-8234796: Refactor Handshake::execute to take a more
+ complex type than ThreadClosure
+ + JDK-8235324: Dying objects are published from users of
+ CollectedHeap::object_iterate
+ + JDK-8235351: Lookup::unreflect should bind with the original
+ caller independent of Method's accessible flag
+ + JDK-8237369: Shenandoah: failed vmTestbase/nsk/jvmti/
+ /AttachOnDemand/attach021/TestDescription.java test
+ + JDK-8237392: Shenandoah: Remove unreliable assertion
+ + JDK-8237483: AArch64 C1 OopMap inserted twice fatal error
+ + JDK-8237495: Java MIDI fails with a dereferenced memory error
+ when asked to send a raw 0xF7
+ + JDK-8239355: (dc) Initial value of SO_SNDBUF should allow
+ sending large datagrams (macOS)
+ + JDK-8240353: AArch64: missing support for
+ - XX:+ExtendedDTraceProbes in C1
+ + JDK-8240704: CheckHandles.java failed "AssertionError: Handle
+ use increased by more than 10 percent."
+ + JDK-8240751: Shenandoah: fold ShenandoahTracer definition
+ + JDK-8240795: [REDO] 8238384 CTW: C2 compilation fails with
+ "assert(store != load->find_exact_control(load->in(0)))
+ failed: dependence cycle found"
+ + JDK-8241598: Upgrade JLine to 3.14.0
+ + JDK-8241649: Optimize Character.toString
+ + JDK-8241770: Module xxxAnnotation() methods throw NCDFE if
+ module-info.class found as resource in unnamed module
+ + JDK-8241911: AArch64: Fix a potential register clash issue in
+ reduce_add2I
+ + JDK-8242030: Wrong package declarations in jline classes after
+ JDK-8241598
+ + JDK-8242565: Policy initialization issues when the denyAfter
+ constraint is enabled
+ + JDK-8243618: compiler/rtm/cli tests can be run w/o WhiteBox
+ + JDK-8243670: Unexpected test result caused by C2
+ MergeMemNode::Ideal
+ + JDK-8244088: [Regression] Switch of Gnome theme ends up in
+ deadlocked UI
+ + JDK-8244154: Update SunPKCS11 provider with PKCS11 v3.0 header
+ files
+ + JDK-8244340: Handshake processing thread lacks yielding
+ + JDK-8244573: java.lang.ArrayIndexOutOfBoundsException thrown
+ for malformed class file
+ + JDK-8244683: A TSA server used by tests
+ + JDK-8245005: javax/net/ssl/compatibility/BasicConnectTest.java
+ failed with No enum constant
+ + JDK-8245026: PsAdaptiveSizePolicy::_old_gen_policy_is_ready is
+ unused
+ + JDK-8245283: JFR: Can't handle constant dynamic used by Jacoco
+ agent
+ + JDK-8245512: CRC32 optimization using AVX512 instructions
+ + JDK-8245527: LDAP Channel Binding support for Java
+ GSS/Kerberos
+ + JDK-8246707: (sc) SocketChannel.read/write throws
+ AsynchronousCloseException on closed channel
+ + JDK-8246709: sun/security/tools/jarsigner/
+ /TsacertOptionTest.java compilation failed after JDK-8244683
+ + JDK-8247200: assert((unsigned)fpargs < 32)
+ + JDK-8247766: [aarch64] guarantee(val < (1U << nbits))
+ failed: Field too big for insn.
+ + JDK-8248336: AArch64: C2: offset overflow in
+ BoxLockNode::emit
+ + JDK-8248865: Document JNDI/LDAP timeout properties
+ + JDK-8248901: Signed immediate support in
+ .../share/assembler.hpp is broken.
+ + JDK-8249543: Force DirectBufferAllocTest to run with
+ - ExplicitGCInvokesConcurrent
+ + JDK-8249588: libwindowsaccessbridge issues on 64bit Windows
+ + JDK-8249749: modify a primitive array through a stream and a
+ for cycle causes jre crash
+ + JDK-8249787: Make TestGCLocker more resilient with concurrent
+ GCs
+ + JDK-8249867: xml declaration is not followed by a newline
+ + JDK-8250911: [windows] os::pd_map_memory() error detection
+ broken
+ + JDK-8251255: [linux] Add process-memory information to hs-err
+ and VM.info
+ + JDK-8251359: Shenandoah: filter null oops before calling
+ enqueue/SATB barrier
+ + JDK-8251925: C2: RenaissanceStressTest fails with
+ assert(!had_error): bad dominance
+ + JDK-8251944: Add Shenandoah test config to
+ compiler/gcbarriers/UnsafeIntrinsicsTest.java
+ + JDK-8251992: VM crashed running TestComplexAddrExpr.java test
+ with -XX:UseAVX=X
+ + JDK-8253220: Epsilon: clean up unused code/declarations
+ + JDK-8253274: The CycleDMImagetest brokes the system
+ + JDK-8253353: Crash in C2: guarantee(n != NULL) failed: No Node
+ + JDK-8253368: TLS connection always receives close_notify
+ exception
+ + JDK-8253404: C2: assert(C->live_nodes() <=
+ C->max_node_limit()) failed: Live Node limit exceeded limit
+ + JDK-8253409: Double-rounding possibility in float fma
+ + JDK-8253476: TestUseContainerSupport.java fails on some Linux
+ kernels w/o swap limit capabilities
+ + JDK-8253524: C2: Refactor code that clones predicates during
+ loop unswitching
+ + JDK-8253644: C2: assert(skeleton_predicate_has_opaque(iff))
+ failed: unexpected
+ + JDK-8253681: closed java/awt/dnd/MouseEventAfterStartDragTest/
+ /MouseEventAfterStartDragTest.html test failed
+ + JDK-8253702: BigSur version number reported as 10.16, should
+ be 11.nn
+ + JDK-8253756: C2 CompilerThread0 crash in Node::add_req(Node*)
+ + JDK-8254104: MethodCounters must exist before nmethod is
+ installed
+ + JDK-8254734: "dead loop detected" assert failure with patch
+ from 8223051
+ + JDK-8254748: Bad Copyright header format after JDK-8212218
+ + JDK-8254799: runtime/ErrorHandling/
+ /TestHeapDumpOnOutOfMemoryError.java fails with release VMs
+ + JDK-8255058: C1: assert(is_virtual()) failed: type check
+ + JDK-8255351: Add detection for Graviton 2 CPUs
+ + JDK-8255368: Math.exp() gives wrong result for large values on
+ x86 32-bit platforms
+ + JDK-8255387: Japanese characters were printed upside down on
+ AIX
+ + JDK-8255401: Shenandoah: Allow oldval and newval registers to
+ overlap in cmpxchg_oop()
+ + JDK-8255479: [aarch64] assert(src->section_index_of(target) ==
+ CodeBuffer::SECT_NONE) failed: sanity
+ + JDK-8255544: Create a checked cast
+ + JDK-8255559: Leak File Descriptors Because of
+ ResolverLocalFilesystem#engineResolveURI()
+ + JDK-8255681: print callstack in error case in
+ runAWTLoopWithApp
+ + JDK-8255734: VM should ignore SIGXFSZ on ppc64, s390 too
+ + JDK-8255742: PrintInlining as compiler directive doesn't print
+ virtual calls
+ + JDK-8255845: Memory leak in imageFile.cpp
+ + JDK-8255880: UI of Swing components is not redrawn after their
+ internal state changed
+ + JDK-8255908: ExceptionInInitializerError due to
+ UncheckedIOException while initializing cgroupv1 subsystem
+ + JDK-8256025: AArch64: MachCallRuntimeNode::ret_addr_offset()
+ is incorrect for stub calls
+ + JDK-8256056: Deoptimization stub doesn't save vector registers
+ on x86
+ + JDK-8256061: RegisterSaver::save_live_registers() omits upper
+ halves of ZMM0-15 registers
+ + JDK-8256187: [TEST_BUG] Automate bug4275046.java test
+ + JDK-8256220: C1: x86_32 fails with -XX:UseSSE=1 after
+ JDK-8210764 due to mishandled lir_neg
+ + JDK-8256258: some missing NULL checks or asserts after
+ CodeCache::find_blob_unsafe
+ + JDK-8256264: Printed GlyphVector outline with low DPI has bad
+ quality on Windows
+ + JDK-8256290: javac/lambda/T8031967.java fails with
+ StackOverflowError on x86_32
+ + JDK-8256359: AArch64: runtime/ReservedStack/
+ /ReservedStackTestCompiler.java fails
+ + JDK-8256387: Unexpected result if patching an entire
+ instruction on AArch64
+ + JDK-8256421: Add 2 HARICA roots to cacerts truststore
+ + JDK-8256488: [aarch64] Use ldpq/stpq instead of ld4/st4 for
+ small copies in StubGenerator::copy_memory
+ + JDK-8256489: Make gtest for long path names on Windows more
+ resilient in the presence of virus scanners
+ + JDK-8256501: libTestMainKeyWindow fails to build with Xcode
+ 12.2
+ + JDK-8256633: Fix product build on Windows+Arm64
+ + JDK-8256682: JDK-8202343 is incomplete
+ + JDK-8256751: Incremental rebuild with precompiled header fails
+ when touching a header file
+ + JDK-8256757: Incorrect MachCallRuntimeNode::ret_addr_offset()
+ for CallLeafNoFP on x86_32
+ + JDK-8256806: Shenandoah: optimize shenandoah/jni/
+ /TestPinnedGarbage.java test
+ + JDK-8256807: C2: Not marking stores correctly as mismatched
+ in string opts
+ + JDK-8256810: Incremental rebuild broken on Macosx
+ + JDK-8256818: SSLSocket that is never bound or connected leaks
+ socket resources
+ + JDK-8256888: Client manual test problem list update
+ + JDK-8257083: Security infra test failures caused by
+ JDK-8202343
+ + JDK-8257408: Bump update version for OpenJDK: jdk-11.0.11
+ + JDK-8257423: [PPC64] Support -XX:-UseInlineCaches
+ + JDK-8257436: [aarch64] Regressions in ArrayCopyUnalignedDst
+ .testByte/testChar for 65-78 bytes when UseSIMDForMemoryOps
+ is on
+ + JDK-8257513: C2: assert((constant_addr -
+ _masm.code()->consts()->start()) == con.offset())
+ + JDK-8257547: Handle multiple prereqs on the same line in deps
+ files
+ + JDK-8257561: Some code is not vectorized after 8251925 and
+ 8250607
+ + JDK-8257565: epsilonBarrierSet.hpp should not include
+ barrierSetAssembler
+ + JDK-8257575: C2: "failed: only phis" assert failure in loop
+ strip mining verification
+ + JDK-8257594: C2 compiled checkcast of non-null object triggers
+ endless deoptimization/recompilation cycle
+ + JDK-8257633: Missing -mmacosx-version-min=X flag when linking
+ libjvm
+ + JDK-8257670: sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java
+ reports leaks
+ + JDK-8257707: Fix incorrect format string in Http1HeaderParser
+ + JDK-8257746: Regression introduced with JDK-8250984 - memory
+ might be null in some machines
+ + JDK-8257798: [PPC64] undefined reference to
+ Klass::vtable_start_offset()
+ + JDK-8257884: Re-enable sun/security/ssl/SSLSocketImpl/
+ /SSLSocketLeak.java as automatic test
+ + JDK-8257910: [JVMCI] Set exception_seen accordingly in the
+ runtime.
+ + JDK-8257997: sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java
+ again reports leaks after JDK-8257884
+ + JDK-8257999: Parallel GC crash in gc/parallel/
+ /TestDynShrinkHeap.java: new region is not in covered_region
+ + JDK-8258077: Using -Xcheck:jni can lead to a double-free after
+ JDK-8193234
+ + JDK-8258247: Couple of issues in fix for JDK-8249906
+ + JDK-8258373: Update the text handling in the JPasswordField
+ + JDK-8258396: SIGILL in jdk.jfr.internal.PlatformRecorder
+ .rotateDisk()
+ + JDK-8258419: RSA cipher buffer cleanup
+ + JDK-8258471: "search codecache" clhsdb command does not work
+ + JDK-8258534: Epsilon: clean up unused includes
+ + JDK-8258805: Japanese characters not entered by mouse click
+ on Windows 10
+ + JDK-8258833: Cancel multi-part cipher operations in SunPKCS11
+ after failures
+ + JDK-8258836: JNI local refs exceed capacity
+ getDiagnosticCommandInfo
+ + JDK-8258884: [TEST_BUG] Convert applet-based test
+ open/test/jdk/javax/swing/JMenuItem/8031573/bug8031573.java
+ to a regular java test
+ + JDK-8259007: This test printed a blank page
+ + JDK-8259048: (tz) Upgrade time-zone data to tzdata2020f
+ + JDK-8259049: Uninitialized variable after JDK-8257513
+ + JDK-8259231: Epsilon: improve performance under contention
+ during virtual space expansion
+ + JDK-8259271: gc/parallel/TestDynShrinkHeap.java still fails
+ "assert(covered_region.contains(new_memregion)) failed: new
+ region is not in covered_region"
+ + JDK-8259312: VerifyCACerts.java fails as soneraclass2ca cert
+ will expire in 90 days
+ + JDK-8259319: Illegal package access when SunPKCS11 requires
+ SunJCE's classes
+ + JDK-8259339: AllocateUninitializedArray C2 intrinsic fails
+ with void.class input
+ + JDK-8259428: AlgorithmId.getEncodedParams() should return copy
+ + JDK-8259446: runtime/jni/checked/
+ /TestCheckedReleaseArrayElements.java fails with stderr not
+ empty
+ + JDK-8259451: Zero: skip serviceability/sa tests, set vm.hasSA
+ to false
+ + JDK-8259580: Shenandoah: uninitialized label in
+ VerifyThreadGCState
+ + JDK-8259619: C1: 3-arg StubAssembler::call_RT stack-use
+ condition is incorrect
+ + JDK-8259633: compiler/graalunit/CoreTest.java fails with NPE
+ after JDK-8244543
+ + JDK-8259706: C2 compilation fails with assert(vtable_index ==
+ Method::invalid_vtable_index) failed: correct sentinel value
+ + JDK-8259707: LDAP channel binding does not work with StartTLS
+ extension
+ + JDK-8259773: Incorrect encoding of AVX-512 kmovq instruction
+ + JDK-8259849: Shenandoah: Rename store-val to IU-barrier
+ + JDK-8259949: x86 32-bit build fails when -fcf-protection is
+ passed in the compiler flags
+ + JDK-8259954: gc/shenandoah/mxbeans tests fail with -Xcomp
+ + JDK-8260029: aarch64: fix typo in verify_oop_array
+ + JDK-8260308: Update LogCompilation junit to 4.13.1
+ + JDK-8260338: Some fields in HaltNode is not cloned
+ + JDK-8260349: Cannot programmatically retrieve Metaspace max
+ set via JAVA_TOOL_OPTIONS
+ + JDK-8260356: (tz) Upgrade time-zone data to tzdata2021a
+ + JDK-8260378: [TESTBUG] DcmdMBeanTestCheckJni.java reports
+ false positive
+ + JDK-8260497: Shenandoah: Improve SATB flushing
+ + JDK-8260502: [s390] NativeMovRegMem::verify() fails because
+ it's too strict
+ + JDK-8260632: Build failures after JDK-8253353
+ + JDK-8260704: ParallelGC: oldgen expansion needs release-store
+ for _end
+ + JDK-8261022: Fix incorrect result of Math.abs() with char type
+ + JDK-8261089: [TESTBUG] native library of test
+ TestCheckedReleaseCriticalArray.java fails to compile with
+ gcc 4.x
+ + JDK-8261183: Follow on to Make lists of normal filenames
+ + JDK-8261209: isStandalone property: remove dependency on
+ pretty-print
+ + JDK-8261231: Windows IME was disabled after DnD operation
+ + JDK-8261251: Shenandoah: Use object size for full GC
+ humongous compaction
+ + JDK-8261310: PPC64 Zero build fails with
+ 'VMError::controlled_crash(int)::FunctionDescriptor
+ functionDescriptor' has incomplete type and cannot be defined
+ + JDK-8261334: NMT: tuning statistic shows incorrect hash
+ distribution
+ + JDK-8261413: Shenandoah: Disable class-unloading in I-U mode
+ + JDK-8261522: [PPC64] AES intrinsics write beyond the
+ destination array
+ + JDK-8261534: Test sun/security/pkcs11/KeyAgreement/
+ /IllegalPackageAccess.java fails on platforms where no nsslib
+ artifacts are defined
+ + JDK-8261585: Restore HandleArea used in
+ Deoptimization::uncommon_trap
+ + JDK-8261753: Test java/lang/System/OsVersionTest.java still
+ failing on BigSur patch versions after JDK-8253702
+ + JDK-8261829: Exclude tools/jlink/JLinkReproducibleTest.java
+ in 11u
+ + JDK-8261912: Code IfNode::fold_compares_helper more
+ defensively
+ + JDK-8261920: [AIX] jshell command throws java.io.IOError on
+ non English locales
+ + JDK-8262018: Wrong format in SAP copyright header of
+ OsVersionTest
+ + JDK-8263069: Exclude some failing tests from
+ security/infra/java/security/cert/CertPathValidator
+
+- moved mozilla-nss dependency to java-11-openjdk-headless package
+ This is necessary to be able to do crypto with just
+ java-11-openjdk-headless installed. Fixes boo#1184606
+
+- Added patches:
+ * system-crypto-policy.patch
+ + Let OpenJDK use system crypto policies unless explicitely told
+ not to
+ * nss-security-provider.patch
+ + Add the NSS security provider with configuration in generated
+ nss.cfg file
+ * keytool-default-rsa.patch
+ + Make keytool generate RSA keys by default, since only the
+ LEGACY system crypto policy allows DSA
+
+- Update to upstream tag jdk-11.0.10+9 (January 2021 CPU,
krb5
+- Use /run instead of /var/run for daemon PID files; (bsc#1185163);
+
+- Add recursion limit for ASN.1 indefinite lengths; (CVE-2020-28196);
+ (bsc#1178512);
+- Added patches:
+ * 0010-Add-recursion-limit-for-ASN.1-indefinite-lengths.patch
+
+- Fix prefix reported by krb5-config, libraries and headers are not
+ installed under /usr/lib/mit prefix. (bsc#1174079)
+
+- Update logrotate script, call systemd to reload the services
+ instead of init-scripts. (boo#1169357)
+
+- Integrate pam_keyinit pam module, ksu-pam.d; (bsc#1081947);
+ (bsc#1144047);
+
+- Move LDAP schema files from /usr/share/doc/packages/krb5 to
+ /usr/share/kerberos/ldap; (bsc#1134217);
+
+- Upgrade to 1.16.3
+ * Fix a regression in the MEMORY credential cache type which could cause
+ client programs to crash.
+ * MEMORY credential caches will not be listed in the global collection,
+ with the exception of the default credential cache if it is of type MEMORY.
+ * Remove an incorrect assertion in the KDC which could be used to cause
+ a crash [CVE-2018-20217].
+ * Fix bugs with concurrent use of MEMORY ccache handles.
+ * Fix a KDC crash when falling back between multiple OTP tokens configured
+ for a principal entry.
+ * Fix memory bugs when gss_add_cred() is used to create a new credential,
+ and fix a bug where it ignores the desired_name.
+ * Fix the behavior of gss_inquire_cred_by_mech() when the credential does
+ not contain an element of the requested mechanism.
+ * Make cross-realm S4U2Self requests work on the client when no
+ default_realm is configured.
+ * Add a kerberos(7) man page containing documentation of the environment
+ variables that affect Kerberos programs.
+- Use systemd-tmpfiles to create files under /var/lib/kerberos, required
+ by transactional updates; (bsc#1100126);
+- Rename patches:
+ * krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch
+ * krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch
+ * krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch
+ * krb5-1.6.3-gssapi_improve_errormessages.dif to
+ 0004-krb5-1.6.3-gssapi_improve_errormessages.patch
+ * krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch
+ * krb5-1.12-api.patch => 0006-krb5-1.12-api.patch
+ * krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch
+ * krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch
+ * krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch
+
+- Upgrade to 1.16.1
+ * kdc client cert matching on client principal entry
+ * Allow ktutil addent command to ignore key version and use
+ non-default salt string.
+ * add kpropd pidfile support
+ * enable "encrypted_challenge_indicator" realm option on tickets
+ obtained using FAST encrypted challenge pre-authentication.
+ * dates through 2106 accepted
+ * KDC support for trivially renewable tickets
+ * stop caching referral and alternate cross-realm TGTs to prevent
+ duplicate credential cache entries
+
+- BSC#1021402 move %{_libdir}/krb5/plugins/tls/k5tls.so to krb5 package
+ so it is avaiable for krb5-client as well.
+
+- Upgrade to 1.15.3
+ * Fix flaws in LDAP DN checking, including a null dereference KDC
+ crash which could be triggered by kadmin clients with administrative
+ privileges [CVE-2018-5729, CVE-2018-5730].
+ * Fix a KDC PKINIT memory leak.
+ * Fix a small KDC memory leak on transited or authdata errors when
+ processing TGS requests.
+ * Fix a null dereference when the KDC sends a large TGS reply.
+ * Fix "kdestroy -A" with the KCM credential cache type.
+ * Fix the handling of capaths "." values.
+ * Fix handling of repeated subsection specifications in profile files
+ (such as when multiple included files specify relations in the same
+ subsection).
+
+- Added support for /etc/krb5.conf.d/ for configuration snippets
+
+- Replace references to /var/adm/fillup-templates with new
+ %_fillupdir macro (boo#1069468)
+
+- Remove build dependency doxygen, python-Cheetah, python-Sphinx,
+ python-libxml2, python-lxml, most of which are python 2 programs.
+ Consequently remove -doc subpackage. Users are encouraged to use
+ online documentation. (bsc#1066461)
+
+- Update package descriptions.
+
+- Upgrade to 1.15.2
+ * Fix a KDC denial of service vulnerability caused by unset status
+ strings [CVE-2017-11368]
+ * Preserve GSS contexts on init/accept failure [CVE-2017-11462]
+ * Fix kadm5 setkey operation with LDAP KDB module
+ * Use a ten-second timeout after successful connection for HTTPS KDC
+ requests, as we do for TCP requests
+ * Fix client null dereference when KDC offers encrypted challenge
+ without FAST
+ * Ignore dotfiles when processing profile includedir directive
+ * Improve documentation
+
+- Set "rdns" and "dns_canonicalize_hostname" to false in krb5.conf
+ in order to improve client security in handling service principle
+ names. (bsc#1054028)
+
+- Prevent kadmind.service startup failure caused by absence of
+ LDAP service. (bsc#903543)
+
+- There is no change made about the package itself, this is only
+ copying over some changelog texts from SLE package:
+- bug#918595 owned by varkoly@suse.com: VUL-0: CVE-2014-5355
+ krb5: denial of service in krb5_read_message
+- bug#912002 owned by varkoly@suse.com: VUL-0
+ CVE-2014-5352, CVE-2014-9421, CVE-2014-9422, CVE-2014-9423:
+ krb5: Vulnerabilities in kadmind, libgssrpc, gss_process_context_token
+- bug#910458 owned by varkoly@suse.com: VUL-1
+ CVE-2014-5354: krb5: NULL pointer dereference when using keyless entries
+- bug#928978 owned by varkoly@suse.com: VUL-0
+ CVE-2015-2694: krb5: issues in OTP and PKINIT kdcpreauth modules leading
+ to requires_preauth bypass
+- bug#910457 owned by varkoly@suse.com: VUL-1
+ CVE-2014-5353: krb5: NULL pointer dereference when using a ticket policy
+ name as a password policy name
+- bug#991088 owned by hguo@suse.com: VUL-1
+ CVE-2016-3120: krb5: S4U2Self KDC crash when anon is restricted
+- bug#992853 owned by hguo@suse.com: krb5: bogus prerequires
+- [fate#320326](https://fate.suse.com/320326)
+- bug#982313 owned by pgajdos@suse.com: Doxygen unable to resolve reference
+ from \cite
+
+- Remove wrong PreRequires from krb5
+
+- use HTTPS project and source URLs
+
+- use source urls.
+- krb5.keyring: Added Greg Hudson
+
+- removed obsolete krb5-1.15-fix_kdb_free_principal_e_data.patch
+- Upgrade to 1.15.1
+ * Allow KDB modules to determine how the e_data field of principal
+ fields is freed
+ * Fix udp_preference_limit when the KDC location is configured with
+ SRV records
+ * Fix KDC and kadmind startup on some IPv4-only systems
+ * Fix the processing of PKINIT certificate matching rules which have
+ two components and no explicit relation
+ * Improve documentation
+
+- remove useless environment.pickle to make build-compare happy
+
+- Introduce patch
+ krb5-1.15-fix_kdb_free_principal_e_data.patch
+ to fix freeing of e_data in the kdb principal
+
+- Upgrade to 1.15
+- obsoleted Patch7 (krb5-1.7-doublelog.patch) fixed in 1.12.2
+- obsoleted patch to src/util/gss-kernel-lib/Makefile.in since
+ file is not available in upstream source anymore
+- obsoleted Patch15 (krb5-fix_interposer.patch) fixed in 1.15
+- Upgrade from 1.14.4 to 1.15 - major changes:
+ Administrator experience:
+ * Add support to kadmin for remote extraction of current keys without
+ changing them (requires a special kadmin permission that is excluded
+ from the wildcard permission), with the exception of highly
+ protected keys.
+ * Add a lockdown_keys principal attribute to prevent retrieval of the
+ principal's keys (old or new) via the kadmin protocol. In newly
+ created databases, this attribute is set on the krbtgt and kadmin
+ principals.
+ * Restore recursive dump capability for DB2 back end, so sites can
+ more easily recover from database corruption resulting from power
+ failure events.
+ * Add DNS auto-discovery of KDC and kpasswd servers from URI records,
+ in addition to SRV records. URI records can convey TCP and UDP
+ servers and master KDC status in a single DNS lookup, and can also
+ point to HTTPS proxy servers.
+ * Add support for password history to the LDAP back end.
+ * Add support for principal renaming to the LDAP back end.
+ * Use the getrandom system call on supported Linux kernels to avoid
+ blocking problems when getting entropy from the operating system.
+ * In the PKINIT client, use the correct DigestInfo encoding for PKCS
+ [#1] signatures, so that some especially strict smart cards will work.
+ Code quality:
+ * Clean up numerous compilation warnings.
+ * Remove various infrequently built modules, including some preauth
+ modules that were not built by default.
+ Developer experience:
+ * Add support for building with OpenSSL 1.1.
+ * Use SHA-256 instead of MD5 for (non-cryptographic) hashing of
+ authenticators in the replay cache. This helps sites that must
+ build with FIPS 140 conformant libraries that lack MD5.
+ Protocol evolution:
+ * Add support for the AES-SHA2 enctypes, which allows sites to conform
+ to Suite B crypto requirements.
+- Upgrade from 1.14.3 to 1.14.4 - major changes:
+ * Fix some rare btree data corruption bugs
+ * Fix numerous minor memory leaks
+ * Improve portability (Linux-ppc64el, FreeBSD)
+ * Improve some error messages
+ * Improve documentation
+
+- add pam configuration file required for ksu
+ just use a copy of "su" one from Tumbleweed
+
+- Upgrade from 1.14.2 to 1.14.3:
+ * Improve some error messages
+ * Improve documentation
+ * Allow a principal with nonexistent policy to bypass the minimum
+ password lifetime check, consistent with other aspects of
+ nonexistent policies
+ * Fix a rare KDC denial of service vulnerability when anonymous client
+ principals are restricted to obtaining TGTs only [CVE-2016-3120]
+
+- Remove comments breaking post scripts.
+
+- Do no use systemd_requires macros in main package, it adds
+ unneeded dependencies which pulls systemd into minimal chroot.
+- Only call %insserv_prereq when building for pre-systemd
+ distributions.
+- Optimise some %post/%postun when only /sbin/ldconfig is called.
+
+- Remove source file ccapi/common/win/OldCC/autolock.hxx
+ that is not needed and does not carry an acceptable license.
+ (bsc#968111)
+
+- removed obsolete patches:
+ * 0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
+ * krb5-mechglue_inqure_attrs.patch
+- Upgrade from 1.14.1 to 1.14.2:
+ * Fix a moderate-severity vulnerability in the LDAP KDC back end that
+ could be exploited by a privileged kadmin user [CVE-2016-3119]
+ * Improve documentation
+ * Fix some interactions with GSSAPI interposer mechanisms
+
+- Upgrade from 1.14 to 1.14.1:
+ * Remove expired patches:
+ 0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch
+ 0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch
+ 0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch
+ krbdev.mit.edu-8301.patch
+ * Replace source archives:
+ krb5-1.14.tar.gz ->
+ krb5-1.14.1.tar.gz
+ krb5-1.14.tar.gz.asc ->
+ krb5-1.14.1.tar.gz.asc
+ * Adjust line numbers in:
+ krb5-fix_interposer.patch
+
+- Introduce patch
+ 0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
+ to fix CVE-2016-3119 (bsc#971942)
+
+- Remove krb5-mini pieces from spec file.
+ Hence remove pre_checkin.sh
+- Remove expired macros and other minor clean-ups in spec file.
+
+- Fix CVE-2015-8629: krb5: xdr_nullstring() doesn't check for terminating null character
+ with patch 0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch
+ (bsc#963968)
+- Fix CVE-2015-8631: krb5: Memory leak caused by supplying a null principal name in request
+ with patch 0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch
+ (bsc#963975)
+- Fix CVE-2015-8630: krb5: krb5 doesn't check for null policy when KADM5_POLICY is set in the mask
+ with patch 0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch
+ (bsc#963964)
+
+- Add two patches from Fedora, fixing two crashes:
+ * krb5-fix_interposer.patch
+ * krb5-mechglue_inqure_attrs.patch
+
+- Update to 1.14
+- dropped krb5-kvno-230379.patch
+- added krbdev.mit.edu-8301.patch fixing wrong function call
+ Major changes in 1.14 (2015-11-20)
+ Administrator experience:
+ * Add a new kdb5_util tabdump command to provide reporting-friendly
+ tabular dump formats (tab-separated or CSV) for the KDC database.
+ Unlike the normal dump format, each output table has a fixed number
+ of fields. Some tables include human-readable forms of data that
+ are opaque in ordinary dump files. This format is also suitable for
+ importing into relational databases for complex queries.
+ * Add support to kadmin and kadmin.local for specifying a single
+ command line following any global options, where the command
+ arguments are split by the shell--for example, "kadmin getprinc
+ principalname". Commands issued this way do not prompt for
+ confirmation or display warning messages, and exit with non-zero
+ status if the operation fails.
+ * Accept the same principal flag names in kadmin as we do for the
+ default_principal_flags kdc.conf variable, and vice versa. Also
+ accept flag specifiers in the form that kadmin prints, as well as
+ hexadecimal numbers.
+ * Remove the triple-DES and RC4 encryption types from the default
+ value of supported_enctypes, which determines the default key and
+ salt types for new password-derived keys. By default, keys will
+ only created only for AES128 and AES256. This mitigates some types
+ of password guessing attacks.
+ * Add support for directory names in the KRB5_CONFIG and
+ KRB5_KDC_PROFILE environment variables.
+ * Add support for authentication indicators, which are ticket
+ annotations to indicate the strength of the initial authentication.
+ Add support for the "require_auth" string attribute, which can be
+ set on server principal entries to require an indicator when
+ authenticating to the server.
+ * Add support for key version numbers larger than 255 in keytab files,
+ and for version numbers up to 65535 in KDC databases.
+ * Transmit only one ETYPE-INFO and/or ETYPE-INFO2 entry from the KDC
+ during pre-authentication, corresponding to the client's most
+ preferred encryption type.
+ * Add support for server name identification (SNI) when proxying KDC
+ requests over HTTPS.
+ * Add support for the err_fmt profile parameter, which can be used to
+ generate custom-formatted error messages.
+ Code quality:
+ * Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that
+ could cause server crashes. [CVE-2015-2695] [CVE-2015-2696]
+ [CVE-2015-2698]
+ * Fix build_principal memory bug that could cause a KDC
+ crash. [CVE-2015-2697]
+ Developer experience:
+ * Change gss_acquire_cred_with_password() to acquire credentials into
+ a private memory credential cache. Applications can use
+ gss_store_cred() to make the resulting credentials visible to other
+ processes.
+ * Change gss_acquire_cred() and SPNEGO not to acquire credentials for
+ IAKERB or for non-standard variants of the krb5 mechanism OID unless
+ explicitly requested. (SPNEGO will still accept the Microsoft
+ variant of the krb5 mechanism OID during negotiation.)
+ * Change gss_accept_sec_context() not to accept tokens for IAKERB or
+ for non-standard variants of the krb5 mechanism OID unless an
+ acceptor credential is acquired for those mechanisms.
+ * Change gss_acquire_cred() to immediately resolve credentials if the
+ time_rec parameter is not NULL, so that a correct expiration time
+ can be returned. Normally credential resolution is delayed until
+ the target name is known.
+ * Add krb5_prepend_error_message() and krb5_wrap_error_message() APIs,
+ which can be used by plugin modules or applications to add prefixes
+ to existing detailed error messages.
+ * Add krb5_c_prfplus() and krb5_c_derive_prfplus() APIs, which
+ implement the RFC 6113 PRF+ operation and key derivation using PRF+.
+ * Add support for pre-authentication mechanisms which use multiple
+ round trips, using the the KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error
+ code. Add get_cookie() and set_cookie() callbacks to the kdcpreauth
+ interface; these callbacks can be used to save marshalled state
+ information in an encrypted cookie for the next request.
+ * Add a client_key() callback to the kdcpreauth interface to retrieve
+ the chosen client key, corresponding to the ETYPE-INFO2 entry sent
+ by the KDC.
+ * Add an add_auth_indicator() callback to the kdcpreauth interface,
+ allowing pre-authentication modules to assert authentication
+ indicators.
+ * Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to
+ suppress sending the confidentiality and integrity flags in GSS
+ initiator tokens unless they are requested by the caller. These
+ flags control the negotiated SASL security layer for the Microsoft
+ GSS-SPNEGO SASL mechanism.
+ * Make the FILE credential cache implementation less prone to
+ corruption issues in multi-threaded programs, especially on
+ platforms with support for open file description locks.
+ Performance:
+ * On slave KDCs, poll the master KDC immediately after processing a
+ full resync, and do not require two full resyncs after the master
+ KDC's log file is reset.
+ User experience:
+ * Make gss_accept_sec_context() accept tickets near their expiration
+ but within clock skew tolerances, rather than rejecting them
+ immediately after the server's view of the ticket expiration time.
+
+- Update to 1.13.3
+- removed patches for security fixes now in upstream source:
+ 0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch
+ 0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
+ 0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch
+ 0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch
+ Major changes in 1.13.3 (2015-12-04)
+ This is a bug fix release. The krb5-1.13 release series is in
+ maintenance, and for new deployments, installers should prefer the
+ krb5-1.14 release series or later.
+ * Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that
+ could cause server crashes. [CVE-2015-2695] [CVE-2015-2696]
+ [CVE-2015-2698]
+ * Fix build_principal memory bug that could cause a KDC
+ crash. [CVE-2015-2697]
+ * Allow an iprop slave to receive full resyncs from KDCs running
+ krb5-1.10 or earlier.
+
+- Apply patch 0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch
+ to fix a memory corruption regression introduced by resolution of
+ CVE-2015-2698. bsc#954204
+
+- Make kadmin.local man page available without having to install krb5-client. bsc#948011
+- Apply patch 0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch
+ to fix build_principal memory bug [CVE-2015-2697] bsc#952190
+- Apply patch 0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
+ to fix IAKERB context aliasing bugs [CVE-2015-2696] bsc#952189
+- Apply patch 0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch
+ to fix SPNEGO context aliasing bugs [CVE-2015-2695] bsc#952188
+
+- Let server depend on libev (module of libverto). This was the
+ preferred implementation before the seperation of libverto from krb.
+
+- Drop libverto and libverto-libev Requires from the -server
+ package: those package names don't exist and the shared libs
+ are pulled in automatically.
+
+- Unconditionally buildrequire libverto-devel: krb5-mini also
+ depends on it.
+
+- pre_checkin.sh aligned changes between krb5/krb5-mini
+- added krb5.keyring
+
+- update to krb5 1.13.2
+- DES transition
+ ==============
+ The Data Encryption Standard (DES) is widely recognized as weak. The
+ krb5-1.7 release contains measures to encourage sites to migrate away
+- From using single-DES cryptosystems. Among these is a configuration
+ variable that enables "weak" enctypes, which defaults to "false"
+ beginning with krb5-1.8.
+ Major changes in 1.13.2 (2015-05-08)
+ This is a bug fix release.
+ * Fix a minor vulnerability in krb5_read_message, which is primarily
+ used in the BSD-derived kcmd suite of applications. [CVE-2014-5355]
+ * Fix a bypass of requires_preauth in KDCs that have PKINIT enabled.
+ [CVE-2015-2694]
+ * Fix some issues with the LDAP KDC database back end.
+ * Fix an iteration-related memory leak in the DB2 KDC database back
+ end.
+ * Fix issues with some less-used kadm5.acl functionality.
+ * Improve documentation.
+
+- Use externally built libverto
+
+- update to krb5 1.13.1
+ Major changes in 1.13.1 (2015-02-11)
+ This is a bug fix release.
+ * Fix multiple vulnerabilities in the LDAP KDC back end.
+ [CVE-2014-5354] [CVE-2014-5353]
+ * Fix multiple kadmind vulnerabilities, some of which are based in the
+ gssrpc library. [CVE-2014-5352 CVE-2014-5352 CVE-2014-9421
+ CVE-2014-9422 CVE-2014-9423]
+
+- Update to krb5 1.13
+ * Add support for accessing KDCs via an HTTPS proxy server using the
+ MS-KKDCP protocol.
+ * Add support for hierarchical incremental propagation, where slaves
+ can act as intermediates between an upstream master and other downstream
+ slaves.
+ * Add support for configuring GSS mechanisms using /etc/gss/mech.d/*.conf
+ files in addition to /etc/gss/mech.
+ * Add support to the LDAP KDB module for binding to the LDAP server using
+ SASL.
+ * The KDC listens for TCP connections by default.
+ * Fix a minor key disclosure vulnerability where using the "keepold" option
+ to the kadmin randkey operation could return the old keys. [CVE-2014-5351]
+ * Add client support for the Kerberos Cache Manager protocol. If the host
+ is running a Heimdal kcm daemon, caches served by the daemon can be
+ accessed with the KCM: cache type.
+ * When built on OS X 10.7 and higher, use "KCM:" as the default cache type,
+ unless overridden by command-line options or krb5-config values.
+ * Add support for doing unlocked database dumps for the DB2 KDC back end,
+ which would allow the KDC and kadmind to continue accessing the database
+ during lengthy database dumps.
+- Removed patches, useless or upstreamed
+ * krb5-1.9-kprop-mktemp.patch
+ * krb5-1.10-ksu-access.patch
+ * krb5-1.12-doxygen.patch
+ * bnc#897874-CVE-2014-5351.diff
+ * krb5-1.13-work-around-replay-cache-creation-race.patch
+ * krb5-1.10-kpasswd_tcp.patch
+- Refreshed patches
+ * krb5-1.12-pam.patch
+ * krb5-1.12-selinux-label.patch
+ * krb5-1.7-doublelog.patch
+
libqt5-qttools
+- Modify the %requires_eq of libqt5-qttools-doc to use libclang
+ instead of clang now that llvm7 moved the header files to libclang
+ in SLE-15-SP1:Update (boo#1184920, boo#1109367, QTBUG-70687)
+
libqt5-qtwebengine
-- Do not with build system_vpx on 15.3
+- Update to version 5.15.3:
+ * Fix spelling and coding style
+ * Fix new view request handling (QTBUG-87378)
+ * Fix getDefaultScreenId on X11
+ * Fix flaky tst_QWebEngineView::textSelectionOutOfInputField test
+ * Move touch input tests to separate testcase
+ * Add touch input tests for scrolling and pinch zooming
+ * Fix rare duplicate ids forming in touch point id's mapping
+ * Use the module's version number for QtWebEngineProcess
+ * Touch handling: provide id mapping without modifying TouchPoint instance
+ (QTBUG-88001)
+ * Touch handling: fix mapped ids cleanup for TouchCancel event
+ * et custom headers from QWebEngineUrlRequestInfo before triggering redirect
+ (QTBUG-88861)
+ * Forward modifier flags for lock keys (QTBUG-89001)
+ * Fix handling of more than one finger for touch event (QTBUG-86389)
+ * Stabilize load signals emitting (QTBUG-65223, QTBUG-87089)
+ * Fix building against 5.12 on most CIs
+ * Update minimum HarfBuzz version to 2.4.0 (QTBUG-88976)
+ * Fix building against Qt 5.14
+ * Migrate user script IPC to mojo
+ * Fix crashes in user resource controller when single process
+ * Minor. Fix namespace for user resource controller
+ * Minor. RenderThreadObserverQt is really a RenderConfiguration
+ * Remove RenderViewObserverHelper from UserResourceController
+ * Cache mojo interface bindings to UserResourceControllerRenderFrame
+ * Cache mojo interface bindings for WebChannelIPCTransport
+ * Migrate render_view_observer_qt to mojo
+ * Fix crash on linkedin.com (QTBUG-89740)
+ * Suppress error pages also for http errors if they are disabled
+ * Fix leak in QQuickWebEngineViewPrivate::contextMenuRequested
+ * Register PerformanceNode early enough
+ * Quiet log on webrtc usage
+ * Remove configure option that doesn't work
+ * Remove Java build dependency
+ * Fix blank popups in qml (QTBUG-86034)
+ * Fix position of popup on qml (QTBUG-86034, QTBUG-89358)
+ * Enable hangout services extension (QTBUG-85731)
+ * Allow to fallback to default locale for non existent data packs (QTBUG-90490)
+ * Support devtools close button
+ * Do not extract download file names from certain url schemes (QTBUG-90355)
+ * Leave room for the null-termination byte when checking remote drive path
+ (QTBUG-90347)
+ * Do not set open files limit for linking if not necessary
+ * Remove even more remains of non network service code
+ * Add back prefers-color-scheme support (QTBUG-89753)
+ * Start supporting chrome.resourcesPrivate API (QTBUG-90035)
+ * Enable chrome://user-actions WebUI
+ * Remove remains of chrome://flash
+ * Fix loadFinished signal if page has content but server sends HTTP error
+ (QTBUG-90517)
+ * Fix devtools page resource loading as raw data instead of html string
+ * Remove frame metadata observer (RenderWidgetHostViewQt) on destroy
+ * Resolve installed interceptors right before interception point (QTBUG-86286)
+ * Update searches faster
+ * Remove more leftovers of the old compositor
+ * Enable webrtc logging and the corresponding WebUI
+ * Support mips64el platform CPU(loongson 3A4000)
+ * Add tracing UI resources
+ * Fix crash on meet.google.com
+ * Fix mad popup qquickwindows on wayland
+ * Fix crashes on BrowserContext destruction
+ * Fix crash on exit in quicknanobrowser when popup
+ * Remove QtPdf dependency on nss at build-time
+ * Avoid accessing profileAdapter when profile is shutting down (QTBUG-91187)
+ * Do not flush messages form profile destructor
+ * Ignore QQuickWebEngineNewViewRequest if it is unhandled
+ * Fix ScopedGLContextChecker with QTWEBENGINE_DISABLE_GPU_THREAD=1
+ * Don't send duplicate load progress values
+ * Fix neon support in libpng
+ * Do not call deprecated profile interceptor on ui thread (QTBUG-86267)
+ * Add certificate error message for ERR_SSL_OBSOLETE_VERSION
+ * Fix assert in WebContentsAdapter::devToolsFrontendDestroyed
+ * Avoid to reject a certificate error twice in Quick
+ * Fix PDF viewer plugin
+ * FIXUP: Fix swap condition in DisplayGLOutputSurface::updatePaintNode
+ (QTBUG-86599)
+ * Fix favicon engine under device pixel scaling
+ * Do not pass a native keycode matching the menu key when it is remapped
+ (QTBUG-86672)
+ * Optimize WebEngineSettings::testAttribute
+ * Warn about QtWebengineProcess launching from network share (QTBUG-84632)
+ * Handle non-ascii names for pulseaudio (QTBUG-85363)
+ * Do not set audio device for desktop capture if audio loopback is unsupported
+ * Fix new view request handling (QTBUG-87378)
+ * Fix getDefaultScreenId on X11
+ * Touch handling: provide id mapping without modifying TouchPoint instance
+ (QTBUG-88001)
+ * Set custom headers from QWebEngineUrlRequestInfo before triggering redirect
+ (QTBUG-88861)
+ * Stabilize load signals emitting (QTBUG-65223)
+- CVE fixes backported in chromium updates:
+ * CVE-2020-16044: Use after free in WebRTC
+ * CVE-2021-21118: Heap buffer overflow in Blink
+ * CVE-2021-21119: Use after free in Media
+ * CVE-2021-21120: Use after free in WebSQL
+ * CVE-2021-21121: Use after free in Omnibox
+ * CVE-2021-21122: Use after free in Blink
+ * CVE-2021-21123: Insufficient data validation in File System API
+ * CVE-2021-21125: Insufficient policy enforcement in File System API
+ * CVE-2021-21126: Insufficient policy enforcement in extensions
+ * CVE-2021-21127: Insufficient policy enforcement in extensions
+ * CVE-2021-21128: Heap buffer overflow in Blink
+ * CVE-2021-21129: Insufficient policy enforcement in File System API
+ * CVE-2021-21130: Insufficient policy enforcement in File System API
+ * CVE-2021-21131: Insufficient policy enforcement in File System API
+ * CVE-2021-21132: Inappropriate implementation in DevTools
+ * CVE-2021-21135: Inappropriate implementation in Performance API
+ * CVE-2021-21137: Inappropriate implementation in DevTools
+ * CVE-2021-21140: Uninitialized Use in USB
+ * CVE-2021-21141: Insufficient policy enforcement in File System API
+ * CVE-2021-21145: Use after free in Fonts
+ * CVE-2021-21146: Use after free in Navigation
+ * CVE-2021-21147: Inappropriate implementation in Skia
+ * CVE-2021-21148: Heap buffer overflow in V8
+ * CVE-2021-21149: Stack overflow in Data Transfer
+ * CVE-2021-21150: Use after free in Downloads
+ * CVE-2021-21152: Heap buffer overflow in Media
+ * CVE-2021-21153: Stack overflow in GPU Process
+ * CVE-2021-21156: Heap buffer overflow in V8
+ * CVE-2021-21157: Use after free in Web Sockets
+- Drop obsolete patches:
+ * icu-68.patch
+ * icu-68-2.patch
+- Rebase patches:
+ * fix1163766.patch
+ * sandbox-statx-futex_time64.patch
+ * rtc-dont-use-h264.patch
+ * chromium-glibc-2.33.patch
+- Add patch to fix crash with certain locales:
+ * 0001-Fix-normalization-of-app-locales.patch
+- Clean the spec file a bit
+
+- Can't use system_vpx on Leap 15.3
+
+- Add patch to fix sandbox with glibc 2.33 on 32bit:
+ * sandbox-statx-futex_time64.patch
+
+- Relax constraints for armv6 and armv7
+
+- Add patch to fix sandbox with glibc 2.33 (boo#1182233):
+ * chromium-glibc-2.33.patch
+
+- Bump _constraints and %limit_build, hopefully avoid occasional
+ OOM and make the build quicker
+- Drop obsolete conditions
+
+- Drop baselibs.conf, not needed after libksysguard5 got adjusted
+
+- Fix build with ICU 68:
+ * Added icu-68.patch
+ * Added icu-68-2.patch
+
+- Update to 5.15.2:
+ * New bugfix release
+ * For more details please see:
+ http://code.qt.io/cgit/qt/qtwebengine.git/plain/dist/changes-5.15.2/?h=5.15.2
+
+- Update to 5.15.1:
+ * New bugfix release
+ * For more details please see:
+ http://code.qt.io/cgit/qt/qtwebengine.git/plain/dist/changes-5.15.1/?h=5.15.1
+- Drop patches, now upstream:
+ * icu-v67.patch
+ * 0001-fix-build-after-y2038-changes-in-glibc.patch
+- Refresh disable-gpu-when-using-nouveau-boo-1005323.diff
+- Update rtc-dont-use-h264.patch
+
+- Add patch to not require openh264 and don't build the bundled version:
+ * rtc-dont-use-h264.patch
+
+- Can't use system VPX on Leap 15.2
+
+- Update to version 5.15.0:
+ * No changelog available
+
+- Update to version 5.15.0-rc2:
+ * No changelog available
+ * Removed some-more-includes-gcc10.patch: contained in upstream
+
+- Update to 5.15.0-rc:
+ * New bugfix release
+ * For the changes between 5.14.2 and 5.15.0 please see:
+ http://code.qt.io/cgit/qt/qtwebengine.git/plain/dist/changes-5.15.0/?h=5.15.0
+- Drop patches, now upstream:
+ * QTBUG-82186.patch
+
+- Add icu-v67.patch to fix compilation with icu v67, this is a backport
+ of https://github.com/v8/v8/commit/3f8dc4b2e5baf77b463334c769af85b79d8c1463
+- Rebase icu-v67.patch on 5.15.0-beta4
+
+- Update to 5.15.0-beta4:
+ * New bugfix release
+ * No changelog available
+- Refresh QTBUG-82186.patch
+
+- Update to 5.15.0-beta3:
+ * New bugfix release
+ * No changelog available
+- Refresh fix1163766.patch
+
+- Add fix1163766.patch to fix opensuse-welcome on i686 (boo#1163766)
+
+- Add patch to fix build with GCC 10 (boo#1158516):
+ * some-more-includes-gcc10.patch
+
+- Update to 5.15.0-beta2:
+ * New bugfix release
+ * No changelog available
+
+- Update to 5.15.0-beta1:
+ * New bugfix release
+ * No changelog available
+- Drop patches, now upstream:
+ * fix-missing-designerplugin.patch
+ * QTBUG-81574.patch
+
+- Fix a deadlock causing audio/video playback to fail (boo#1163744):
+ * QTBUG-82186.patch
-- Update to 5.12.7:
+- Update to 5.15.0-alpha:
+ * New feature release
+ * For more details please see:
+ https://wiki.qt.io/New_Features_in_Qt_5.15
+- Add patch to fix building the designer plugin:
+ * fix-missing-designerplugin.patch
+- Move designer plugin into -devel subpackage
+- Add packages for new Qt PDF module (which is technically separate
+ from WebEngine, but shares the source tarball)
+
+- Update to 5.14.1:
- http://code.qt.io/cgit/qt/qtwebengine.git/plain/dist/changes-5.12.7/?h=v5.12.7
-- Refresh chromium-non-void-return.patch
+ http://code.qt.io/cgit/qt/qtwebengine.git/plain/dist/changes-5.14.1/?h=v5.14.1
-- Update to 5.12.6:
+- Disable valgrind on %arm due to boo#1130395
+
+- Update to 5.14.0:
+ * New bugfix release
+ * For the changes between 5.13.2 and 5.14.0 please see:
+ https://code.qt.io/cgit/qt/qtwebengine.git/tree/dist/changes-5.14.0?h=v5.14.0
+ * For the changes between 5.13.1 and 5.13.2 please see:
+ https://code.qt.io/cgit/qt/qtwebengine.git/tree/dist/changes-5.13.2?h=v5.14.0
+
+- Update to 5.14.0-rc:
+ * No changelog available
- * http://code.qt.io/cgit/qt/qtwebengine.git/plain/dist/changes-5.12.6/?h=v5.12.6
+ * For more details about Qt 5.14 please see:
+ https://wiki.qt.io/New_Features_in_Qt_5.14
-- Use bundled libvpx on Leap 15.2 (for now) as well
+- Update to 5.14.0-beta3:
+ * New bugfix release
+ * No changelog available
+- Remove patches, now upstream:
+ * fix-system-icu.patch
+
+- Update to 5.14.0-beta2:
+ * New bugfix release
+ * No changelog available
+- Drop patch, not necessary anymore:
+ * harmony-fix.diff
+
+- Update to 5.14.0-beta1:
+ * New bugfix release
+ * No changelog available
+
+- Update to 5.14.0-alpha:
+ * New feature release
+ * No changelog available
+ * For more details about Qt 5.14 please see:
+ https://wiki.qt.io/New_Features_in_Qt_5.14
+- Drop chromium-non-void-return.patch, with newer post-build-checks
+ this is not necessary anymore
+- Add patch to fix build with system ICU (QTBUG-78911):
+ * fix-system-icu.patch
+- Enable kerberos support
-- Update to 5.12.5:
+- Update to 5.13.1:
- * http://code.qt.io/cgit/qt/qtwebengine.git/plain/dist/changes-5.12.5/?h=5.12.5
+ * http://code.qt.io/cgit/qt/qtwebengine.git/plain/dist/changes-5.13.1/?h=v5.13.1
+
+- Increase disk constraints to 12G, TW needs 11.7G currently
+
+- Increase assumed per-job memory use to 2.5GB
-- Update to 5.12.4:
+- add 0001-fix-build-after-y2038-changes-in-glibc.patch
+
+- Update to 5.13.0:
- * For more details please see:
- * http://code.qt.io/cgit/qt/qtwebengine.git/plain/dist/changes-5.12.4/?h=5.12.4
+ * No changelog available
+ * For more details about Qt 5.13 please see:
+ * http://code.qt.io/cgit/qt/qtwebengine.git/plain/dist/changes-5.13.0/?h=5.13
+
+- Replace open coded macro for parallel build limit by the one from the
+ memory-constraints package
+- Update to 5.13.0-rc:
+ * New bugfix release
+ * No changelog available
+
+- Fix system_vpx bcond
+
+- Update to 5.13.0-beta2:
+ * New bugfix release
+ * No changelog available
+- Refresh patches:
+ * harmony-fix.diff
+ * chromium-non-void-return.patch (sigh, again)
+- Disable using the system ICU on Leap < 16, too old
+- Update to 5.13.0-beta1:
+ * New feature release
+ * For more details about Qt 5.13 please see:
+ * http://code.qt.io/cgit/qt/qtwebengine.git/plain/dist/changes-5.13.0/?h=5.13
+- Refresh patches:
+ * disable-gpu-when-using-nouveau-boo-1005323.diff
+ * harmony-fix.diff
+ * chromium-non-void-return.patch (sigh)
+- Remote patches, now upstream:
+ * reproducible.patch
+
lvm2
+- Honor lvm.conf event_activation=0 on "pvscan --cache -aay" (bsc#1185190)
+ + bug-1185190_01-pvscan-support-disabled-event_activation.patch
+ + bug-1185190_02-config-improve-description-for-event_activation.patch
+
+- LVM cannot be disabled on boot (bsc#1184687)
+ + bug-1184687_Add-nolvm-for-kernel-cmdline.patch
+- Update patch for avoiding apply warning message
+ + bug-1012973_simplify-special-case-for-md-in-69-dm-lvm-metadata.patch
+
openSUSE-build-key
+- Refresh the SLE15 build@suse.de key
+ * Updated gpg-pubkey-39db7c82-5847eb1f.asc
+
-- updated keys:
- - 307E3D54 build@suse.de "SuSE Package Signing Key" (2014-05-03)
- - 7E2E3B05 novell-provo-build@novell.com "Novell Provo Build"
- (2014-05-06)
- - 9C800ACA build@suse.de "SuSE Package Signing Key" (2014-05-03)
- - 56B4177A openSUSE:Factory@build.opensuse.org
- "openSUSE:Factory OBS Project" (2014-05-04)
- - 3DBDC284 opensuse@opensuse.org "openSUSE Project Signing Key"
- (2014-05-04)
-
openvpn
+- bsc#1185279, CVE-2020-15078, openvpn-CVE-2020-15078.patch:
+ Authentication bypass with deferred authentication.
+- bsc#1169925, CVE-2020-11810, openvpn-CVE-2020-11810.patch:
+ race condition between allocating peer-id and initializing data
+ channel key
+- bsc#1085803, CVE-2018-7544, openvpn-CVE-2018-7544.patch:
+ Cross-protocol scripting issue was discovered in the management
+ interface
+
-- Update to version 2.3.4
- * Add support for client-cert-not-required for PolarSSL.
- * Introduce safety check for http proxy options.
-
-- Build with large file support in 32 bit systems.
-
-- use %_rundir for %ghost directory - leaving /var/run everywhere
- else
-
-- Updated README.SUSE, documented also the rcopenvpn compatibility
- wrapper script (bnc#848070).
-
-- openvpn-fips140-2.3.2.patch: Allow usage of SHA1 instead of MD5 in
- some internal checking routines. This allows operation in FIPS 140-2
- mode.
-
-- Readded rcopenvpn helper script under systemd (bnc#848070)
-
-- Fixed invalid mode in exec bit removal call from doc files
-
-- Add a section about how to control all or a named configuration with the
- help of systemctl to the README.SUSE file.
-
-- Update to 2.3.2
- +Fixes since 2.3.0
-- Remove dead code path and putenv functionality
-- Remove unused function xor
-- Move static prototype definition from header into c file
-- Remove unused function no_tap_ifconfig
-- fix build with automake 1.13(.1)
-- Fix corner case in NTLM authentication (trac #172)
-- Update README.IPv6 to match what is in 2.3.0
-- Repair "tcp server queue overflow" brokenness, more <stdbool.h> fallout.
-- Permit pool size of /64.../112 for ifconfig-ipv6-pool
-- Add MIN() compatibility macro
-- Fix directly connected routes for "topology subnet" on Solaris.
-- close more file descriptors on exec
-- Ignore UTF-8 byte order mark
-- reintroduce --no-name-remapping option
-- make --tls-remote compatible with pre 2.3 configs
-- add new option for X.509 name verification
-- add man page patch for missing options
-- Fix parameter listing in non-debug builds at verb 4
-- (updated) [PATCH] Warn when using verb levels >=7 without debug
-- Enable TCP_NODELAY configuration on FreeBSD.
-- Updated README
-- Cleaned up and updated INSTALL
-- PolarSSL-1.2 support
-- Improve PolarSSL key_state_read_{cipher, plain}text messages
-- Improve verify_callback messages
-- Config compatibility patch. Added translate_cipher_name.
-- Switch to IANA names for TLS ciphers.
-- Fixed autoconf script to properly detect missing pkcs11 with polarssl.
-- Use constant time memcmp when comparing HMACs in openvpn_decrypt.
-
-- Try to migrate openvpn.service autostart to openvpn@<CONF>.service
- instance enablement.
-
-- Fixed to enable systemd support in configure
-- Fixed openvpn-tmpfile.conf to use GID root, there is no openvpn group.
-- Added openvpn.target file allowing to handle all instances at once.
-- Fixed to install the service template correctly as openvpn@.service.
- Use "systemctl enable openvpn@foo.service" to enable instance using
- /etc/openvpn/foo.conf.
-- Disabled systemd variant of restart on update rpm macro, adopted other
- macros to use openvpn.target to e.g. stop all instances on uninstall.
-
-- Remove _unitdir definition, it is provided by systemd.
-- Install service file without x permissions
-
-Update to version 2.3.0:
- * Full IPv6 support
- * SSL layer modularised, enabling easier implementation for other SSL libraries
- * PolarSSL support as a drop-in replacement for OpenSSL
- * New plug-in API providing direct certificate access, improved logging API
- and easier to extend in the future
- * Added 'dev_type' environment variable to scripts and plug-ins - which is
- set to 'TUN' or 'TAP'
- * New feature: --management-external-key - to provide access to the encryption
- keys via the management interface
- * New feature: --x509-track option, more fine grained access to X.509 fields
- in scripts and plug-ins
- * New feature: --client-nat support
- * New feature: --mark which can mark encrypted packets from the tunnel, suitable
- for more advanced routing and firewalling
- * New feature: --management-query-proxy - manage proxy settings via the management
- interface (supercedes --http-proxy-fallback)
- * New feature: --stale-routes-check, which cleans up the internal routing table
- * New feature: --x509-username-field, where other X.509v3 fields can be used for
- the authentication instead of Common Name
- * Improved client-kill management interface command
- * Improved UTF-8 support - and added --compat-names to provide backwards compatibility
- with older scripts/plug-ins
- * Improved auth-pam with COMMONNAME support, passing the certificate's common
- name in the PAM conversation
- * More options can now be used inside <connection> blocks
- * Completely new build system, enabling easier cross-compilation and Windows builds
- * Much of the code has been better documented
- * Many documentation updates
- * Plenty of bug fixes and other code clean-ups
-- Add systemd native support for OpenSUSE > 12.1
-- Adapt patchs to upstream release:
- * openvpn-2.1-plugin-man.dif > openvpn-2.3-plugin-man.dif
- * openvpn-2.1.0-man-dot.diff > openvpn-2.3.0-man-dot.diff
-- Remove obsolete patchs; fixed or merged on upstream release:
- * 0001-Use-SSL_MODE_RELEASE_BUFFERS-if-available.patch
- * openvpn-2.1-plugin-build.dif
- * openvpn-2.1-systemd-passwd.patch
-- Rebase specfile to upstream changes:
- * easy-rsa is not provided anymore with main package
- * remove %clean section
- * autoreconf -fi is no needed
-- Update openvpn.keyring file for upstream release asc key
-
-- Join openvpn.service systemd cgroup in start when needed, e.g.
- when starting with further parameters. (bnc#781106)
-
-- Verify GPG signature.
-
-- fix ciaran's previous license entry. the license has a SUSE prefix
-
-- Fixed openvpn init script to not map reopen to reload so the
- reopen code is without any effect (bnc#781106).
-- Added requested OPENVPN_AUTOSTART variable allowing to provide
- an optional list of config names started by default (bnc#692440).
-
-- license update: GPL-2.0-with-openssl-exception and LGPL-2.1
- openssl has an openssl exception (also, it is GPL-2.0 only)
-
-- Fixed SLES build readding Group tags to sub-packages in spec,
- not require libselinux-devel on SLE-10 and datadir/doc cleanup.
-
-- Updated to openvpn-2.2.2:
- - Warn once, that IPv6 in tun mode is not supported in OpenVPN 2.2
- - Pkcs11 support built into the Windows version
- - Fixed a bug in the Windows TAP-driver
-
-- Fix source URLs.
-
-- add automake as buildrequire to avoid implicit dependency
-
-- Marked /var/run/openvpn as ghost (bnc#710270), man page and
- other rpmlint warning fixes
-
-- BuildRequires libselinux-devel
-- Use SSL_MODE_RELEASE_BUFFERS to keep memory usage low, sent
- upstream as https://community.openvpn.net/openvpn/ticket/157
-
-- Add openvpn-2.1-systemd-passwd.patch / modify openvpn.init to
- support systemd password query (bnc#675406)
-
-- Updated to openvpn-2.2.1, a new version series providing several
- new features. This version fixes build issues and provides
- updated easy-rsa for OpenSSL 1.0.0 (fixes Trac ticket #125),
-- Adopted spec file, enabled saving password in a file and to
- specify an alternative username in x509 cert.
-- Removed X-Interactive from init script again, as systemd isn't
- able to use it correctly [any more?] (bnc#675406). We will
- address it later and probably use /bin/systemd-ask-password.
-
-- KVPNC is unable to parse openvpn version [bnc#679153]
-
-- Added X-Interactive: true LSB tag to the init script.
-
-- Updated to openvpn 2.1.4, providing several bug fixes and
- improvements, such as:
- * Fix of a problem with special case route targets
- * Try to ensure, that the tun/tap interface gets closed on
- non-graceful aborts.
- * Several AUTH_FAILED reporting fixes causing the connection
- to fail without any error indication.
- * Enable exponential backoff in reliability layer retransmits.
- * Proxy improvements
- Please review the ChangeLog file for a complete and exact list.
-
-- Do not include build date in binaries
-
-- Improved netconfig based client up and down sample scripts.
-
-- Added netconfig based client up and down scripts to samples.
-
-- Updated to openvpn 2.1.1; linux related changes since 2.1_rc20:
- * Fixed a couple issues in sample plugins auth-pam.c and
- down-root.c.
- (1) Fail gracefully rather than segfault if calloc returns NULL.
- (2) The openvpn_plugin_abort_v1 function can potentially be
- called with handle == NULL. Add code to detect this case,
- and if so, avoid dereferencing pointers derived from handle
- (Thanks to David Sommerseth for finding this bug).
- * Documented "multihome" option in the man page.
- * Added a hard failure when peer provides a certificate chain
- with depth > 16. Previously, a warning was issued.
- * Added additional session renegotiation hardening. OpenVPN has
- always required that mid-session renegotiations build up a new
- SSL/TLS session from scratch. While the client certificate
- common name is already locked against changes in mid-session
- TLS renegotiations, we now extend this locking to the
- auth-user-pass username as well as all certificate content in
- the full client certificate chain.
-- Improved openvpn init script adding messages giving a hint about
- pid write failure and to look into the log messages (bnc#559041).
-- Added -fno-strict-aliasing to compile flags in the spec file.
-
-- Updated to openvpn 2.1 2.1_rc20, fixing problems in route and
- option handling provided by the from server (bnc#552440).
- For complete list of changes, see ChangeLog file, here just
- the IMO most important:
- * Fixed a bug introduced in 2.1_rc17 (svn r4436) where using
- the redirect-gateway option by itself, without any extra
- parameters, would cause the option to be ignored.
- * Optimized PUSH_REQUEST handshake sequence to shave several
- seconds off of a typical client connection initiation.
- * The maximum number of "route" directives (specified in the
- config file or pulled from a server) can now be configured
- via the new "max-routes" directive.
- * Eliminated the limitation on the number of options that can
- be pushed to clients, including routes. Previously, all
- pushed options needed to fit within a 1024 byte options
- string.
- * Added --server-poll-timeout option : when polling possible
- remote servers to connect to in a round-robin fashion,
- spend no more than n seconds waiting for a response before
- trying the next server.
- * Added the ability for the server to provide a custom reason
- string when an AUTH_FAILED message is returned to the client.
- This string can be set by the server-side managment interface
- and read by the client-side management interface.
- * client-kill management interface command, when issued on server,
- will now send a RESTART message to client. This feature is
- intended to make UDP clients respond the same as TCP clients
- in the case where the server issues a RESTART message in order
- to force the client to reconnect and pull a new options/route
- list.
-
-- Added network-remotefs to init script dependencies (bnc#522279).
-
-- Updated to openvpn 2.1 [2.1_rc18] series (fate#305289).
-- Enabled pkcs11-helper for openSUSE > 10.3 (bnc#487558).
-- Adopted spec file and patches, improved init script.
-- Disabled installation of easy-rsa for Windows.
-
patterns-base
+- Do not recommending SUSEConnect and rollback-helper for openSUSE
+
procps
+- Add upstream patch procps-vmstat-1b9ea611.patch for bsc#1185417
+ * Support up to 2048 CPU as well
+
python3
+- Add CVE-2021-3426-inf-disclosure-pydoc-getfile.patch to remove
+ getfile feature from pydoc, which is a security nightmare
+ (among other things, CVE-2021-3426, allows disclosure of any
+ file on the system; bsc#1183374, bpo#42988).
+
sensors
+- change-pidfile-path-from-var-run-to-run.patch: Change PIDFile
+ path from /var/run to /run (bsc#1185183).
+- var-run-deprecated.patch: /var/run is deprecated (bsc#1185183).
+