Packages changed: automake bash binutils bluez (5.43 -> 5.44) dbus-1 (1.10.12 -> 1.10.16) dbus-1-x11 (1.10.12 -> 1.10.16) diffutils (3.5 -> 3.5.15) ed (1.14 -> 1.14.2) filesystem geoclue2 google-noto-fonts (20151215 -> 20161025) gpsd grep (2.28 -> 3.0) grub2 installation-images (14.302 -> 14.304) kdelibs4 libX11 (1.6.4 -> 1.6.5) libpcap (1.7.3 -> 1.8.1) ncurses openssh os-prober patterns-openSUSE python-cairo python-gobject2 sed (4.3 -> 4.4) sessreg (1.1.0 -> 1.1.1) shadow systemd-presets-branding-openSUSE tcl tcpdump (4.7.4 -> 4.9.0) yast2-vm (3.1.30 -> 3.2.0) === Details === ==== automake ==== - use vendor suse instead of IBM on s390x ==== bash ==== Subpackages: bash-doc libreadline7 readline-devel readline-doc - Remove bash-4.0-async-bnc523667.dif as this one is fixed (and was disabled and nobody had reported trouble) ==== binutils ==== Subpackages: binutils-devel - Add binutils-bso21193.diff to fix section alignment on .gnu_debuglink. [bso#21193] ==== bluez ==== Version update (5.43 -> 5.44) Subpackages: bluez-cups bluez-devel libbluetooth3 - make testsuite run non-parallel (obs seems to have problems with parallel checks) and quiet - update to version 5.44: Most fixes are LE (specifically GATT) related, however some other areas are affected as well. Feature-wise, there?s a new MIDI plugin and support for using single-mode (LE-only) controllers that lack a public address. E.g. any nRF5x controller running a MyNewt or Zephyr based firmware falls into this category. - packaging: add "--enable-midi", "--enable-deprecated" TODO: package deprecated tools into separate package to prepare removal some time in the future - rebase bluez-cups-libexec.patch - Set the cupsdir directly with patch instead of mv and seds: * bluez-cups-libexec.patch - Replace requirements by the pkgconfig counterparts * this should solve out the problem with builcycle on Factory - Ran over with spec-cleaner ==== dbus-1 ==== Version update (1.10.12 -> 1.10.16) Subpackages: dbus-1-devel libdbus-1-3 libdbus-1-3-32bit - Update to 1.10.16 Fixes: * Prevent symlink attacks in the nonce-tcp transport on Unix that could allow an attacker to overwrite a file named "nonce", in a directory that the user running dbus-daemon can write, with a random value known only to the user running dbus-daemon. This is unlikely to be exploitable in practice, particularly since the nonce-tcp transport is really only useful on Windows. (fd.o #99828, Simon McVittie) (bsc#1025950) * Avoid symlink attacks in the "embedded tests", which are not enabled by default and should never be enabled in production builds of dbus. (fd.o #99828, Simon McVittie) (bsc#1025951) * Work around an undesired effect of the fix for CVE-2014-3637 (fd.o #80559), in which processes that frequently send fds, such as logind during a flood of new PAM sessions, can get disconnected for continuously having at least one fd "in flight" for too long; dbus-daemon interprets that as a potential denial of service attack. The workaround is to disable that check for uid 0 process such as logind, with a message in the system log. The bug remains open while we look for a more general solution. (fd.o #95263, LP#1591411; Simon McVittie) * Don't run the test test-dbus-launch-x11.sh if X11 autolaunching was disabled at compile time. That test is not expected to work in that configuration. (fd.o #98665, Simon McVittie) Enhancements: * Do the Travis-CI build in Docker containers for Ubuntu LTS, Debian stable and Debian testing in addition to the older Ubuntu that is the default (fd.o #98889, Simon McVittie) ==== dbus-1-x11 ==== Version update (1.10.12 -> 1.10.16) - Update to 1.10.16 Fixes: * Prevent symlink attacks in the nonce-tcp transport on Unix that could allow an attacker to overwrite a file named "nonce", in a directory that the user running dbus-daemon can write, with a random value known only to the user running dbus-daemon. This is unlikely to be exploitable in practice, particularly since the nonce-tcp transport is really only useful on Windows. (fd.o #99828, Simon McVittie) (bsc#1025950) * Avoid symlink attacks in the "embedded tests", which are not enabled by default and should never be enabled in production builds of dbus. (fd.o #99828, Simon McVittie) (bsc#1025951) * Work around an undesired effect of the fix for CVE-2014-3637 (fd.o #80559), in which processes that frequently send fds, such as logind during a flood of new PAM sessions, can get disconnected for continuously having at least one fd "in flight" for too long; dbus-daemon interprets that as a potential denial of service attack. The workaround is to disable that check for uid 0 process such as logind, with a message in the system log. The bug remains open while we look for a more general solution. (fd.o #95263, LP#1591411; Simon McVittie) * Don't run the test test-dbus-launch-x11.sh if X11 autolaunching was disabled at compile time. That test is not expected to work in that configuration. (fd.o #98665, Simon McVittie) Enhancements: * Do the Travis-CI build in Docker containers for Ubuntu LTS, Debian stable and Debian testing in addition to the older Ubuntu that is the default (fd.o #98889, Simon McVittie) ==== diffutils ==== Version update (3.5 -> 3.5.15) - Update to a pre-release version (3.5.15): * remove big-file-performance.patch and gnulib-diffseq.patch * comment signature source as the release is not officially signed yet ==== ed ==== Version update (1.14 -> 1.14.2) - Update to version 1.14.2: * main.c (show_strerror) Revert to using '!scripted' instead of 'verbose' to suppress diagnostics. * Print counts, messages, '?' and '!' to stdout instead of stderr. * buffer.c (append_lines): Fixed current address after empty 'i'. * regex.c (set_subst_regex): Treat missing delimiters consistently. (extract_replacement): Don't replace 'a' with '%' in 's/a/%'. Fixed infinite loop with EOF in the middle of a replacement. Don't accept newlines in replacement in a global command. Last delimiter can't be omitted if not last in command list. (search_and_replace): Set current address to last line modified. * main_loop.c (extract_addresses): Fixed address offsets; '3 ---- 2' was calculated as -2 instead of 1. Accept ranges with the first address omitted. (exec_command): Fixed current address after empty replacement text in 'c' command. Don't clear the modified status after writing the buffer to a shell command. (Reported by Jérôme Frgacic). (get_command_suffix): Don't allow repeated print suffixes. (command_s): Accept suffixes in any order. Don't allow multiple count suffixes. 'sp' now toggles all print suffixes. (main_loop): Make EOF on stdin behave as a 'q' command. * ed.texi: Fixed the description of commands 'acegijkmqrsuw'. Documented that ed allows any combination of print suffixes. * testsuite: Improved most tests. Simplified bug reporting. * configure: Avoid warning on some shells when testing for gcc. * Makefile.in: Detect the existence of install-info. ==== filesystem ==== - Remove /usr/games (finally everything is moved to /usr/bin) ==== geoclue2 ==== Subpackages: typelib-1_0-Geoclue-2_0 - Add geoclue2-permit-Night-Light.patch: Add "Night Light" functionality to the whitelist (bgo#779343, fdo#100008). ==== google-noto-fonts ==== Version update (20151215 -> 20161025) Subpackages: google-noto-fonts-doc noto-sans-cjk-fonts noto-sans-fonts - update to version 20161025 - new: Mono Font - new: Naskh Arabic Font - new: Bengali Sans Serif Font - new: Devanagari Sans Serif Font - new: Gujarati Sans Serif Font - new: Gurmukhi Sans Serif Font - new: Kannada Sans Serif Font - new: Khmer Sans Serif Font - new: Lao Sans Serif Font - new: Malayalam Sans Serif Font - new: Myanmar Sans Serif Font - new: Oriya Sans Serif Font - new: Tamil Sans Serif Font - new: Telugu Sans Serif Font - new: Thai Sans Serif Font - new: Sans UI Font - new: Bengali Font - new: Devanagari Font - new: Gujarati Font - new: Kannada Font - new: Malayalam Font - new: Tamil Font - new: Telugu Font - fix generate-specfile.sh: - handle UI fonts, that do not start with Sans ot Serif - fix description of fonts, that do not start with Sans ot Serif - flag sans fonts only, that really deserve it ==== gpsd ==== - Cleanup build/spec file: * Use .desktop files and PNG icon from tarball * correct flag to disable stripping (nostrip=True) ==== grep ==== Version update (2.28 -> 3.0) - Update to version 3.0: * grep without -F no longer goes awry when given two or more patterns that contain no special characters other than '\' and also contain a subpattern like '\.' that escapes a character to make it ordinary. * grep no longer fails to build on PCRE versions before 8.20. - Cleanup spec file: * Drop support for old distributions * Create lang subpackage * Use fdupes to replace duplicate files with symlinks ==== grub2 ==== Subpackages: grub2-i386-pc grub2-snapper-plugin grub2-systemd-sleep-plugin grub2-x86_64-efi grub2-x86_64-xen - Fix for openQA UEFI USB Boot failure with upstream patch (bsc#1026344) * added 0001-efi-strip-off-final-NULL-from-File-Path-in-grub_efi_.patch * removed 0001-Revert-efi-properly-terminate-filepath-with-NULL-in-.patch ==== installation-images ==== Version update (14.302 -> 14.304) - copy the correct modprobe blacklist files to rescue system (bsc#1023023) - 14.304 - ensure lvm config files are writable - 14.303 - change tftpboot-installation subpackages to contain product in package name ==== kdelibs4 ==== Subpackages: kdelibs4-core libkde4 libkdecore4 libksuseinstall1 - Add upstream patch to fix kio security issue (boo#1027520) * kio-sanitize-url-for-proxy.patch ==== libX11 ==== Version update (1.6.4 -> 1.6.5) Subpackages: libX11-6 libX11-6-32bit libX11-data libX11-devel libX11-xcb1 libX11-xcb1-32bit - Update to version 1.6.5: + Revert "Compose sequences for rouble sign" + specs/libX11: More synopsis fixes + specs/libX11: Fix paramdef entries listing multiple parameters + specs/libX11: Make paramdef spacing more consistent + specs/libX11: Add missing parameter types for XGetWindowProperty() + specs/libX11: Fix broken synopsis for Data/Data16/Data32 + specs/libX11: Update Portability Considerations for the 21st century + autogen.sh: use quoted string variables + Plug a memory leak + Fix wrong Xfree in XListFonts failure path + Typos in "Xlib - C Language X Interface" document - Chapter 02 + autogen: add default patch prefix + Compose sequences for rouble sign + autogen.sh: use exec instead of waiting for configure to finish + Revert cs_CZ.UTF-8 XLC_LOCALE to en_US.UTF-8 - supersedes u_nls-fix-handling-of-cs_CZ.UTF8_locale.patch ==== libpcap ==== Version update (1.7.3 -> 1.8.1) Subpackages: libpcap1 libpcap1-32bit - Dropped patches not required after review * libpcap-1.0.0-pcap-bpf.patch * libpcap-1.5.2-filter-fix.patch - Reference of the pull request for the rest of the patches * https://github.com/the-tcpdump-group/libpcap/issues/196 - Changed libpcap-1.0.0-s390.patch to the git formatted one - Formatted the specs file using spec-cleaner. - Allow bluetooth monitoring support unconditionally. - update to 1.8.1 * Clean up the name-to-DLT mapping table. * Add some newer DLT_ values: IPMI_HPM_2,ZWAVE_R1_R2,ZWAVE_R3,WATTSTOPPER_DLM,ISO_14443,RDS * Fix handling of packet count in the TPACKET_V3 inner loop: GitHub issue [#493]. * Filter out duplicate looped back CAN frames. * Fix the handling of loopback filters for IPv6 packets. * Add a link-layer header type for RDS (IEC 62106) groups. * On Linux, handle all CAN captures with pcap-linux.c, in cooked mode. * Removes the need for the "host-endian" link-layer header type. * Compile with '-Wused-but-marked-unused' in devel mode if supported * Have separate DLTs for big-endian and host-endian SocketCAN headers. * Require that version.h be generated: all build procedures we support generate version.h (autoconf, CMake, MSVC)! * Properly check for sock_recv() errors. * Re-impose some of Winsock's limitations on sock_recv(). * Replace sprintf() with pcap_snprintf(). * Fix signature of pcap_stats_ex_remote(). * Have rpcap_remoteact_getsock() return a SOCKET and supply an "is active" flag. * Clean up {DAG, Septel, Myricom SNF}-only builds. * pcap_create_interface() needs the interface name on Linux. * Clean up hardware time stamp support: the "any" device does not support any time stamp types. * Recognize 802.1ad nested VLAN tag in vlan filter. - dropped libpcap-ocloexec.patch, never upstreamed. - refreshed libpcap-1.0.0-ppp.patch ==== ncurses ==== Subpackages: libncurses6 libncurses6-32bit ncurses-devel ncurses-utils tack terminfo terminfo-base - Add ncurses patch 20170218 + fix several formatting issues with manual pages. + correct read of terminfo entry in which all strings are absent or explicitly cancelled. Before this fix, the result was that all were treated as only absent. + modify infocmp to suppress mixture of absent/cancelled capabilities that would only show as "NULL, NULL", unless the -q option is used, e.g., to show "-, @" or "@, -". - Add ncurses patch 20170212 + build-fixes for PGI compilers (report by Adam J. Stewart) + accept whitespace in sed expression for generating expanded.c + modify configure check that g++ compiler warnings are not used. + add configure check for -fPIC option needed for shared libraries. + let configure --disable-ext-funcs override the default for the - -enable-sp-funcs option. + mark some structs in form/menu/panel libraries as potentially opaque without modifying API/ABI. + add configure option --enable-opaque-curses for ncurses library and similar options for the other libraries. - Add ncurses patch 20170204 + trim newlines, tabs and escaped newlines from terminfo "paths" passed to db-iterator. + ignore zero-length files in db-iterator; these are useful for instance to suppress "$HOME/.terminfo" when not wanted. + amended "b64:" encoder to work with the terminfo reader. + modify terminfo reader to accept "b64:" format using RFC-3548 in as well as RFC-4648 url/filename-safe format. + modify terminfo reader to accept "hex:" format as generated by "infocmp -0qQ1" (cf: 20150905). + adjust authors comment to reflect drop below 1% for SV. ==== openssh ==== Subpackages: openssh-helpers - sshd.service: Set TasksMax=infinity, as there should be no limit on the amount of tasks sshd can run. ==== os-prober ==== - Fix btrfs 1.74 regression in detection btrfs, the do_unmount has to be skipped for btrfs as it removes tmp mount point of which btrfs is making use (bsc#1024196) * modify os-prober-btrfs-absolute-subvol.patch * rediff os-prober-btrfs-always-detect-default.patch ==== patterns-openSUSE ==== Subpackages: patterns-openSUSE-apparmor patterns-openSUSE-apparmor_opt patterns-openSUSE-base patterns-openSUSE-books patterns-openSUSE-console patterns-openSUSE-devel_C_C++ patterns-openSUSE-devel_basis patterns-openSUSE-devel_ide patterns-openSUSE-devel_kde patterns-openSUSE-devel_kde_frameworks patterns-openSUSE-devel_kernel patterns-openSUSE-devel_osc_build patterns-openSUSE-devel_perl patterns-openSUSE-devel_python patterns-openSUSE-devel_qt5 patterns-openSUSE-devel_rpm_build patterns-openSUSE-devel_ruby patterns-openSUSE-devel_web patterns-openSUSE-dhcp_dns_server patterns-openSUSE-directory_server patterns-openSUSE-enhanced_base patterns-openSUSE-enhanced_base_opt patterns-openSUSE-file_server patterns-openSUSE-fonts patterns-openSUSE-fonts_opt patterns-openSUSE-games patterns-openSUSE-gateway_server patterns-openSUSE-generic_server patterns-openSUSE-gnome patterns-openSUSE-gnome_admin patterns-openSUSE-gnome_basis patterns-openSUSE-gnome_basis_opt patterns-openSUSE-gnome_games patterns-openSUSE-gnome_ide patterns-openSUSE-gnome_imaging patterns-openSUSE-gnome_imaging_opt patterns-openSUSE-gnome_internet patterns-openSUSE-gnome_laptop patterns-openSUSE-gnome_multimedia patterns-openSUSE-gnome_multimedia_opt patterns-openSUSE-gnome_office patterns-openSUSE-gnome_office_opt patterns-openSUSE-gnome_utilities patterns-openSUSE-gnome_yast patterns-openSUSE-imaging patterns-openSUSE-imaging_opt patterns-openSUSE-kde patterns-openSUSE-kde_edutainment patterns-openSUSE-kde_games patterns-openSUSE-kde_ide patterns-openSUSE-kde_imaging patterns-openSUSE-kde_internet patterns-openSUSE-kde_multimedia patterns-openSUSE-kde_office patterns-openSUSE-kde_plasma patterns-openSUSE-kde_telepathy patterns-openSUSE-kde_utilities patterns-openSUSE-kde_utilities_opt patterns-openSUSE-kde_yast patterns-openSUSE-kvm_server patterns-openSUSE-lamp_server patterns-openSUSE-laptop patterns-openSUSE-lxde patterns-openSUSE-lxde_laptop patterns-openSUSE-lxde_office patterns-openSUSE-mail_server patterns-openSUSE-minimal_base patterns-openSUSE-minimal_base-conflicts patterns-openSUSE-misc_server patterns-openSUSE-multimedia patterns-openSUSE-multimedia_opt patterns-openSUSE-network_admin patterns-openSUSE-non_oss patterns-openSUSE-non_oss_opt patterns-openSUSE-office patterns-openSUSE-office_opt patterns-openSUSE-print_server patterns-openSUSE-remote_desktop patterns-openSUSE-rest_dvd patterns-openSUSE-sw_management patterns-openSUSE-sw_management_gnome patterns-openSUSE-sw_management_kde patterns-openSUSE-tabletpc patterns-openSUSE-technical_writing patterns-openSUSE-x11 patterns-openSUSE-x11_opt patterns-openSUSE-x11_yast patterns-openSUSE-xen_server patterns-openSUSE-xfce patterns-openSUSE-xfce_basis patterns-openSUSE-xfce_laptop patterns-openSUSE-xfce_office patterns-openSUSE-yast2_basis patterns-openSUSE-yast2_install_wf - Replace kwrite with kate - Replace mozilla-kde4-integration with kmozillahelper ==== python-cairo ==== Subpackages: python-cairo-devel - Add python2-cairo and python2-cairo-devel provides for compatibility with the new multipython spec file macros. ==== python-gobject2 ==== Subpackages: python-gobject2-devel - Add python2-gobject2 and python2-gobject2-devel provides for compatibility with multipython packages. ==== sed ==== Version update (4.3 -> 4.4) - Update to version 4.4: * sed could segfault when invoked with specific combination of newlines in the input and regex pattern. ==== sessreg ==== Version update (1.1.0 -> 1.1.1) - Update to version 1.1.1: + Use off_t instead of long to make largefile support work + autogen.sh: use quoted string variables + autogen: add default patch prefix + autogen.sh: use exec instead of waiting for configure to finish + Pass -P to the preprocessor when generating filenames for the manpage. - supersedes patches: + U_Pass-P-to-the-preprocessor-when-generating-filenames.patch + u_use-off_t-instead-of-long-to-make-largefile-support-work.patch ==== shadow ==== - useradd: call external program "/sbin/pam_tally2" to reset failed login counter in "/var/log/tallylog" (bsc#980486, useradd-clear-tallylog.patch) ==== systemd-presets-branding-openSUSE ==== - Enable socket/service(s) for lvm2 (bsc#1011053) ==== tcl ==== - Reenable testsuite on %arm - Disable check for s390x for now ==== tcpdump ==== Version update (4.7.4 -> 4.9.0) - version update to 4.9.0 bsc#1020940 * CVE-2016-7922 The AH parser in tcpdump before 4.9.0 has a buffer overflow in print-ah.c:ah_print(). * CVE-2016-7923 The ARP parser in tcpdump before 4.9.0 has a buffer overflow in print-arp.c:arp_print(). * CVE-2016-7924 The ATM parser in tcpdump before 4.9.0 has a buffer overflow in print-atm.c:oam_print(). * CVE-2016-7925 The compressed SLIP parser in tcpdump before 4.9.0 has a buffer overflow in print-sl.c:sl_if_print(). * CVE-2016-7926 The Ethernet parser in tcpdump before 4.9.0 has a buffer overflow in print-ether.c:ethertype_print(). * CVE-2016-7927 The IEEE 802.11 parser in tcpdump before 4.9.0 has a buffer overflow in print-802_11.c:ieee802_11_radio_print(). * CVE-2016-7928 The IPComp parser in tcpdump before 4.9.0 has a buffer overflow in print-ipcomp.c:ipcomp_print(). * CVE-2016-7929 The Juniper PPPoE ATM parser in tcpdump before 4.9.0 has a buffer overflow in print-juniper.c:juniper_parse_header(). * CVE-2016-7930 The LLC parser in tcpdump before 4.9.0 has a buffer overflow in print-llc.c:llc_print(). * CVE-2016-7931 The MPLS parser in tcpdump before 4.9.0 has a buffer overflow in print-mpls.c:mpls_print(). * CVE-2016-7932 The PIM parser in tcpdump before 4.9.0 has a buffer overflow in print-pim.c:pimv2_check_checksum(). * CVE-2016-7933 The PPP parser in tcpdump before 4.9.0 has a buffer overflow in print-ppp.c:ppp_hdlc_if_print(). * CVE-2016-7934 The RTCP parser in tcpdump before 4.9.0 has a buffer overflow in print-udp.c:rtcp_print(). * CVE-2016-7935 The RTP parser in tcpdump before 4.9.0 has a buffer overflow in print-udp.c:rtp_print(). * CVE-2016-7936 The UDP parser in tcpdump before 4.9.0 has a buffer overflow in print-udp.c:udp_print(). * CVE-2016-7937 The VAT parser in tcpdump before 4.9.0 has a buffer overflow in print-udp.c:vat_print(). * CVE-2016-7938 The ZeroMQ parser in tcpdump before 4.9.0 has an integer overflow in print-zeromq.c:zmtp1_print_frame(). * CVE-2016-7939 The GRE parser in tcpdump before 4.9.0 has a buffer overflow in print-gre.c, multiple functions. * CVE-2016-7940 The STP parser in tcpdump before 4.9.0 has a buffer overflow in print-stp.c, multiple functions. * CVE-2016-7973 The AppleTalk parser in tcpdump before 4.9.0 has a buffer overflow in print-atalk.c, multiple functions. * CVE-2016-7974 The IP parser in tcpdump before 4.9.0 has a buffer overflow in print-ip.c, multiple functions. * CVE-2016-7975 The TCP parser in tcpdump before 4.9.0 has a buffer overflow in print-tcp.c:tcp_print(). * CVE-2016-7983 The BOOTP parser in tcpdump before 4.9.0 has a buffer overflow in print-bootp.c:bootp_print(). * CVE-2016-7984 The TFTP parser in tcpdump before 4.9.0 has a buffer overflow in print-tftp.c:tftp_print(). * CVE-2016-7985 The CALM FAST parser in tcpdump before 4.9.0 has a buffer overflow in print-calm-fast.c:calm_fast_print(). * CVE-2016-7986 The GeoNetworking parser in tcpdump before 4.9.0 has a buffer overflow in print-geonet.c, multiple functions. * CVE-2016-7992 The Classical IP over ATM parser in tcpdump before 4.9.0 has a buffer overflow in print-cip.c:cip_if_print(). * CVE-2016-7993 A bug in util-print.c:relts_print() could cause a buffer overflow in multiple protocol parsers (DNS, DVMRP, HSRP, IGMP, lightweight resolver protocol, PIM). * CVE-2016-8574 The FRF.15 parser in tcpdump before 4.9.0 has a buffer overflow in print-fr.c:frf15_print(). * CVE-2016-8575 The Q.933 parser in tcpdump before 4.9.0 has a buffer overflow in print-fr.c:q933_print(). * CVE-2017-5202 The ISO CLNS parser in tcpdump before 4.9.0 has a buffer overflow in print-isoclns.c:clnp_print(). * CVE-2017-5203 The BOOTP parser in tcpdump before 4.9.0 has a buffer overflow in print-bootp.c:bootp_print(). * CVE-2017-5204 The IPv6 parser in tcpdump before 4.9.0 has a buffer overflow in print-ip6.c:ip6_print(). * CVE-2017-5205 The ISAKMP parser in tcpdump before 4.9.0 has a buffer overflow in print-isakmp.c:ikev2_e_print(). * CVE-2017-5341 The OTV parser in tcpdump before 4.9.0 has a buffer overflow in print-otv.c:otv_print(). * CVE-2017-5342 In tcpdump before 4.9.0 a bug in multiple protocol parsers (Geneve, GRE, NSH, OTV, VXLAN and VXLAN GPE) could cause a buffer overflow in print-ether.c:ether_print(). * CVE-2017-5482 The Q.933 parser in tcpdump before 4.9.0 has a buffer overflow in print-fr.c:q933_print(). * CVE-2017-5483 The SNMP parser in tcpdump before 4.9.0 has a buffer overflow in print-snmp.c:asn1_parse(). * CVE-2017-5484 The ATM parser in tcpdump before 4.9.0 has a buffer overflow in print-atm.c:sig_print(). * CVE-2017-5485 The ISO CLNS parser in tcpdump before 4.9.0 has a buffer overflow in addrtoname.c:lookup_nsap(). * CVE-2017-5486 The ISO CLNS parser in tcpdump before 4.9.0 has a buffer overflow in print-isoclns.c:clnp_print(). - fix filelist to fix build on s390/s390x - correctly reference SOURCE1 during installation for s390x - tcpdump 4.7.4: * PPKI to Router Protocol: Fix Segmentation Faults and other problems * RPKI to Router Protocol: print strings with fn_printn() * wb: fix some bounds checks (previously patched in, removed CVE-2015-3138.patch) - fix a DoS vulnerability in print-wb.c CVE-2015-3138 [boo#927637] adding CVE-2015-3138.patch - update to 4.7.3 - fixes four security bugs: * CVE-2015-0261 - IPv6 mobility printer (bnc#922220) * CVE-2015-2153 - tcp printer (bnc#922221) * CVE-2015-2154 - ethernet printer (bnc#922222) * CVE-2015-2155 - force printer (bnc#922223) - drop patches with security fixes (upstream): * tcpdump-CVE-2014-8767.patch * tcpdump-CVE-2014-8768.patch * tcpdump-CVE-2014-8769.patch * 0001-Clean-up-error-message-printing.patch - fix CVE-2014-8767 (bnc#905870) * denial of service in verbose mode using malformed OLSR payload * added tcpdump-CVE-2014-8767.patch - fix CVE-2014-8768 (bnc#905871) * denial of service in verbose mode using malformed Geonet payload * added tcpdump-CVE-2014-8768.patch - fix CVE-2014-8769 (bnc#905872) * unreliable output using malformed AOVD payload * added tcpdump-CVE-2014-8769.patch * added 0001-Clean-up-error-message-printing.patch - tcpdump 4.6.2: * fix out-of-source-tree builds: find libpcap that is out of source * better configure check for libsmi - tcpdump 4.6.1: * add a short option '#', same as long option '--number' - includes changes from 4.6.0: * all of tcpdump is now using the new "NDO" code base * nflog, mobile, forces, pptp, AODV, AHCP, IPv6, OSPFv4, RPL, DHCPv6 enhancements/fixes * M3UA decode added. * many new test cases: 82 in 4.5.1 to 133 in 4.6.0 * cleaned up some unnecessary header files * Added bittok2str(). * a number of unaligned access faults fixed * -A flag does not consider CR to be printable anymore * fx.lebail took over coverity baby sitting * default snapshot size increased to 256K for accomodate USB captures - includes changes from 4.5.2: * man page fix - add build and runtime libpcap minimum version - remove old patches, thus making package patchless: tcpdump-4.0.0-prototypes.patch tcpdump-4.0.0-aliasing.patch - run spec cleaner on spec file - remove gpg-offline, now part of source validator - remove versioned binary - run regression tests - update to 4.5.1 Version 4.5.0 revised for non-code related edits - some NFSv4 fixes for printing - fix printing of unknown TCP options, and tcp fast-open - fixes for syslog parser - some gcc-version-specific flag tuning - improvements to babel printing - add OpenFlow 1.0 (no SSL) and test cases - GeoNet printer. - added STBC Rx support - improvements to DHCPv6 decoder - clarify which autoconf is needed - Point users to the the-tcpdump-group repository on GitHub rather than the mcr repository - Add MSDP printer. - Fixed IPv6 check on Solaris and other OSes requiring extra networking libraries. - Add support for VXLAN (draft-mahalingam-dutt-dcops-vxlan-03), and add "vxlan" as an option for -T. - Add support for OTV (draft-hasmit-otv-04). fixes for DLT_IEEE802_11_RADIO datalink types - added MPTCP decoder - verify source signature - update to 4.4.0 - RPKI-RTR (RFC6810) is now official (TCP Port 323) - Fix detection of OpenSSL libcrypto. - Add DNSSL (RFC6106) support. - Add "radius" as an option for -T. - Update Action codes for handle_action function according to 802.11s amendment. - Decode DHCPv6 AFTR-Name option (RFC6334). - Updates for Babel. - Fix printing of infinite lifetime in ICMPv6. - Added support for SPB, SPBM Service Identifier, and Unicast Address sub-TLV in ISIS. - Decode RIPv2 authentication up to RFC4822. - Fix RIP Request/full table decoding issues. - On Linux systems with cap-ng.h, drop root privileges using Linux Capabilities. - Add support for reading multiple files. - remove tcpdump-4.0.0-uninitialized.patch, it's solved differently - update to 4.3.0 - fixes for forces: SPARSE data (per RFC 5810) - some more test cases added - updates to documentation on -l, -U and -w flags. - Fix printing of BGP optional headers. - Tried to include DLT_PFSYNC support, failed due to headers required. - added TIPC support. - Fix LLDP Network Policy bit definitions. - fixes for IGMPv3's Max Response Time: it is in units of 0.1 second. - SIGUSR1 can be used rather than SIGINFO for stats - permit -n flag to affect print-ip for protocol numbers - ND_OPT_ADVINTERVAL is in milliseconds, not seconds - Teach PPPoE parser about RFC 4638 - update to 4.2.1 - Only build the Babel printer if IPv6 is enabled. - Support Babel on port 6696 as well as 6697. - Include ppi.h in release tarball. - Include all the test files in the release tarball, and don't "include" test files that no longer exist. - Don't assume we have - check for it. - Support "-T carp" as a way of dissecting IP protocol 112 as CARP rather than VRRP. - Support Hilscher NetAnalyzer link-layer header format. - Constify some pointers and fix compiler warnings. - Get rid of never-true test. - Fix an unintended fall-through in a case statement in the ARP printer. - Fix several cases where sizeof(sizeof(XXX)) was used when just sizeof(XXX) was intended. - Make stricter sanity checks in the ES-IS printer. - Get rid of some GCCisms that caused builds to fail with compilers that don't support them. - Fix typo in man page. - Added length checks to Babel printer. - drop tcpdump-4.2.0-ppi.patch (upstream) - update to 4.2.0 * patch that adds missing ppi.h * Summary for 4.2.0 - merged 802.15.4 decoder from Dmitry Eremin-Solenikov - updates to forces for new port numbers - Use "-H", not "-h", for the 802.11s option. (-h always help) - Better ICMPv6 checksum handling. - add support for the RPKI/Router Protocol, per -ietf-sidr-rpki-rtr-12 - get rid of uuencoded pcap test files, git can do binary. - sFlow changes for 64-bit counters. - fixes for PPI packet header handling and printing. - Add DCB Exchange protocol (DCBX) version 1.01. - Babel dissector, from Juliusz Chroboczek and Grégoire Henry. - improvements to radiotap for rate values > 127. - Many improvements to ForCES decode, including fix SCTP TML port - updated RPL type code to RPL-17 draft - Improve printout of DHCPv6 options. - added support and test case for QinQ (802.1q VLAN) packets - Handle DLT_IEEE802_15_4_NOFCS like DLT_IEEE802_15_4. - Build fixes for Sparc and other machines with alignment restrictions. - Merged changes from Debian package. - PGM: Add ACK decoding and add PGMCC DATA and FEEDBACK options. - Build fixes for OSX (Snow Leopard and others) - Add support for IEEE 802.15.4 packets * Summary for 4.1.2 tcpdump release - If -U is specified, flush the file after creating it, so it's not zero-length - Fix TCP flags output description, and some typoes, in the man page - Add a -h flag, and only attempt to recognize 802.11s mesh headers if it's set - When printing the link-layer type list, send *all* output to stderr - Include the CFLAGS setting when configure was run in the compiler flags - update to tcpdump-4.1.1 * Don't blow up if a zero-length link-layer address is passed to linkaddr_string() * Fix printing of MAC addresses for VLAN frames with a length field * Add some additional bounds checks and use the EXTRACT_ macros more * Add a -b flag to print the AS number in BGP packets in ASDOT notation rather than ASPLAIN notation * Add ICMPv6 RFC 5006 support * Decode the access flags in NFS access requests * Handle the new DLT_ for memory-mapped USB captures on Linux * Make the default snapshot (-s) the maximum * Print name of device (when -L is used) * Print new TCP flags * Add support for RPL DIO * Add support for TCP User Timeout (UTO) * Add support for non-standard Ethertypes used by 3com PPPoE gear * Add support for 802.11n and 802.11s * Add support for Transparent Ethernet Bridge ethertype in GRE * Add 4 byte AS support for BGP printer * Add support for the MDT SAFI 66 BG printer * Add basic IPv6 support to print-olsr * Add USB printer * Add printer for ForCES * Handle frames with an FCS * Handle 802.11n Control Wrapper, Block Acq Req and Block Ack frames * Fix TCP sequence number printing * Report 802.2 packets as 802.2 instead of 802.3 - drop tcpdump-4.0.0-autoconf.patch (not needed with new autoconf) - compile with -fno-strict-aliasing ==== yast2-vm ==== Version update (3.1.30 -> 3.2.0) - bsc#978225 - yast virtualization menu not updated after install KVM and KVM tools - 3.2.0