Packages changed:
  bash
  chrony (3.4 -> 3.5)
  cloud-init
  dhcp
  file
  ncurses
  openssh (7.9p1 -> 8.1p1)
  slirp4netns (0.4.1 -> 0.4.2)
  talloc
  texinfo
  vim
  zlib

=== Details ===

==== bash ====

- Remove the PILOTPORT and PILOTRATE environment variables from the default
  ~/.bashrc (/etc/skel/.bashrc) (bsc#1123510)
- Move definitions of environment variables from ~/.bashrc to ~/.profile
  (/etc/skel/.profile)

==== chrony ====
Version update (3.4 -> 3.5)

- Fix asciidoc in Tumbleweed
- Revert clknetsim to version 58c5e8b
- Fix incorrect download link for package signature
- Temporarily disable signature usage as it's expired
- Update clknetsim to version ac3c832
- fix chrony-service-helper.patch
- Update to 3.5:
  + Add support for more accurate reading of PHC on Linux 5.0
  + Add support for hardware timestamping on interfaces with read-only
    timestamping configuration
  + Add support for memory locking and real-time priority on FreeBSD, NetBSD,
    Solaris
  + Update seccomp filter to work on more architectures
  + Validate refclock driver options
  + Fix bindaddress directive on FreeBSD
  + Fix transposition of hardware RX timestamp on Linux 4.13 and later
  + Fix building on non-glibc systems

==== cloud-init ====

- Add cloud-init-renderer-detect.patch (bsc#1154092, boo#1142988)
  + Short circuit the conditional for identifying the sysconfig renderer. If we
    find ifup/ifdown, accept the renderer as available.
- Add cloud-init-break-resolv-symlink.patch (bsc#1151488)
  + If /etc/resolv.conf is a symlink, break it. This avoids netconfig
    clobbering the changes cloud-init applied.

==== dhcp ====
Subpackages: dhcp-client

- bsc#1134078, CVE-2019-6470, dhcp-CVE-2019-6470.patch: DHCPv6 server crashes
  regularly.
- Add compile option --enable-secs-byteorder to avoid duplicate lease warnings
  [bsc#1089524].
- Make systemd a weak dependency as we don't want that in a container
- bsc#1136572: Use IPv6 when called as dhclient6, dhcpd6, and dhcrelay6
  (0021-dhcp-ip-family-symlinks.patch).

==== file ====
Subpackages: file-magic libmagic1

- Add temporary patch CVE-2019-18218-46a8443f.patch from upstream to fix
  bsc#1154661 -- heap-based buffer overflow in cdf_read_property_info in cdf.c
- Let python-magic build with latest rpm

==== ncurses ====
Subpackages: libncurses6 ncurses-utils terminfo terminfo-base

- Add ncurses patch 20191019
  + modify make_hash to not require --disable-leaks, to simplify building with
    address-sanitizer.
  + modify tic to exit if it cannot remove a conflicting name, because treating
    that as a partial success can cause an infinite loop in use-resolution
    (report/testcase by Hongxu Chen, cf: 20111001).
- Add ncurses patch 20191015
  + improve buffer-checks in captoinfo.c, for some cases when the input string
    is shorter than expected.
  > fix two errata in tic (report/testcases by Hongxu Chen):
    + check for missing character after backslash in write_it
    + check for missing characters after "%>" when converting from termcap
      syntax (cf: 980530).
- Avoid recursion trouble in spec file caused by undefined _lto_cflags
- Add ncurses patch 20191012
  + amend recent changes to ncurses*-config and pc-files to filter out Debian
    linker-flags (report by Sven Joachim, cf: 20150516).
  + clarify relationship between tic, infocmp and captoinfo in manpage.
  + check for invalid hashcode in _nc_find_type_entry and _nc_find_name_entry.
  > fix several errata in tic (reports/testcases by "zjuchenyuan"):
    + check for invalid hashcode in _nc_find_entry.
    + check for missing character after backslash in fmt_entry
    + check for acsc with odd length in dump_entry in check for one-one mapping
      (cf: 20060415);
    + check length when converting from old AIX box_chars_1 capability,
      overlooked in changes to eliminate strcpy (cf: 20001007).
- Add ncurses patch 20191005
  + modify the ncurses*-config and pc-files to more closely match for the -I
    and -l options.

==== openssh ====
Version update (7.9p1 -> 8.1p1)

- Add openssh-7.9p1-keygen-preserve-perms.patch (bsc#1150574).
  This attempts to preserve the permissions of any existing known_hosts file
  when modified by ssh-keygen (for instance, with -R).
- Add patch from upstream openssh-7.9p1-revert-new-qos-defaults.patch
- Run 'ssh-keygen -A' on startup only if SSHD_AUTO_KEYGEN="yes" in
  /etc/sysconfig/ssh. This is set to "yes" by default, but can be changed by
  the system administrator (bsc#1139089).
- Add openssh-7.9p1-keygen-preserve-perms.patch (bsc#1150574).
  This attempts to preserve the permissions of any existing known_hosts file
  when modified by ssh-keygen (for instance, with -R).
- Version update to 8.1p1:
  * ssh-keygen(1): when acting as a CA and signing certificates with an RSA
    key, default to using the rsa-sha2-512 signature algorithm. Certificates
    signed by RSA keys will therefore be incompatible with OpenSSH versions
    prior to 7.2 unless the default is overridden (using
    "ssh-keygen -t ssh-rsa -s ...").
  * ssh(1): Allow %n to be expanded in ProxyCommand strings
  * ssh(1), sshd(8): Allow prepending a list of algorithms to the default set
    by starting the list with the '^' character, e.g.
    "HostKeyAlgorithms ^ssh-ed25519"
  * ssh-keygen(1): add an experimental lightweight signature and verification
    ability. Signatures may be made using regular ssh keys held on disk or
    stored in a ssh-agent and verified against an authorized_keys-like list
    of allowed keys. Signatures embed a namespace that prevents confusion and
    attacks between different usage domains (e.g. files vs email).
  * ssh-keygen(1): print key comment when extracting public key from a
    private key.
  * ssh-keygen(1): accept the verbose flag when searching for host keys in
    known hosts (i.e. "ssh-keygen -vF host") to print the matching host's
    random-art signature too.
  * All: support PKCS8 as an optional format for storage of private keys to
    disk. The OpenSSH native key format remains the default, but PKCS8 is a
    superior format to PEM if interoperability with non-OpenSSH software is
    required, as it may use a less insecure key derivation function than
    PEM's.
- Additional changes from 8.0p1 release:
  * scp(1): Add "-T" flag to disable client-side filtering of server file
    list.
  * sshd(8): Remove support for obsolete "host/port" syntax.
  * ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in PKCS#11
    tokens.
  * ssh(1), sshd(8): Add experimental quantum-computing resistant key exchange
    method, based on a combination of Streamlined NTRU Prime 4591^761 and
    X25519.
  * ssh-keygen(1): Increase the default RSA key size to 3072 bits, following
    NIST Special Publication 800-57's guidance for a 128-bit equivalent
    symmetric security level.
  * ssh(1): Allow "PKCS11Provider=none" to override later instances of the
    PKCS11Provider directive in ssh_config.
  * sshd(8): Add a log message for situations where a connection is dropped
    for attempting to run a command but a sshd_config
    ForceCommand=internal-sftp restriction is in effect.
  * ssh(1): When prompting whether to record a new host key, accept the key
    fingerprint as a synonym for "yes". This allows the user to paste a
    fingerprint obtained out of band at the prompt and have the client do the
    comparison for you.
  * ssh-keygen(1): When signing multiple certificates on a single command-line
    invocation, allow automatically incrementing the certificate serial
    number.
  * scp(1), sftp(1): Accept -J option as an alias to ProxyJump on the scp and
    sftp command-lines.
  * ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v" command-line
    flags to increase the verbosity of output; pass verbose flags through to
    subprocesses, such as ssh-pkcs11-helper started from ssh-agent.
  * ssh-add(1): Add a "-T" option to allow testing whether keys in an agent
    are usable by performing a signature and a verification.
  * sftp-server(8): Add a "lsetstat@openssh.com" protocol extension that
    replicates the functionality of the existing SSH2_FXP_SETSTAT operation
    but does not follow symlinks.
  * sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request they do
    not follow symlinks.
  * sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes the
    connection 4-tuple available to PAM modules that wish to use it in
    decision-making.
  * sshd(8): Add a ssh_config "Match final" predicate. Matches in the same
    pass as "Match canonical" but doesn't require hostname canonicalisation
    to be enabled.
  * sftp(1): Support a prefix of '@' to suppress echo of sftp batch commands.
  * ssh-keygen(1): When printing certificate contents using
    "ssh-keygen -Lf /path/certificate", include the algorithm that the CA
    used to sign the cert.
- Rebased patches:
  * openssh-7.7p1-IPv6_X_forwarding.patch
  * openssh-7.7p1-X_forward_with_disabled_ipv6.patch
  * openssh-7.7p1-cavstest-ctr.patch
  * openssh-7.7p1-cavstest-kdf.patch
  * openssh-7.7p1-disable_openssl_abi_check.patch
  * openssh-7.7p1-fips.patch
  * openssh-7.7p1-fips_checks.patch
  * openssh-7.7p1-hostname_changes_when_forwarding_X.patch
  * openssh-7.7p1-ldap.patch
  * openssh-7.7p1-seed-prng.patch
  * openssh-7.7p1-sftp_force_permissions.patch
  * openssh-7.7p1-sftp_print_diagnostic_messages.patch
  * openssh-8.0p1-gssapi-keyex.patch
    (formerly openssh-7.7p1-gssapi_key_exchange.patch)
  * openssh-8.1p1-audit.patch (formerly openssh-7.7p1-audit.patch)
- Removed patches (integrated upstream):
  * 0001-upstream-Fix-two-race-conditions-in-sshd-relating-to.patch
  * openssh-7.7p1-seccomp_ioctl_s390_EP11.patch
  * openssh-7.9p1-CVE-2018-20685.patch
  * openssh-7.9p1-brace-expansion.patch
  * openssh-CVE-2019-6109-force-progressmeter-update.patch
  * openssh-CVE-2019-6109-sanitize-scp-filenames.patch
  * openssh-CVE-2019-6111-scp-client-wildcard.patch
- Removed patches (obsolete):
  * openssh-openssl-1_0_0-compatibility.patch

==== slirp4netns ====
Version update (0.4.1 -> 0.4.2)

- Update to 0.4.2
  * Do not propagate mounts to the parent ns in sandbox

==== talloc ====

- Add two patches making build compatible with Python 3.8.0:
  - waf_upgrade.patch
  - waf_use_native_waf_timer.patch

==== texinfo ====

- Delete info-dir as not required anymore
- Mark /usr/share/info/dir as %ghost
- Add a rpmlintrc file to silence useless warnings

==== vim ====
Subpackages: vim-data-common

- Add python38-config.patch to make vim buildable with new Python 3.8.
  (gh#vim/vim#4080)

==== zlib ====

- Add SUSE specific patch to fix bsc#1138793; we simply don't want to test
  whether the app was linked with exactly the same version of zlib as the one
  present at runtime:
  * zlib-no-version-check.patch