Packages changed:
  gnutls (3.6.15 -> 3.7.0)
  kernel-default-base (5.10.16 -> 5.11.2)
  kernel-source (5.10.16 -> 5.11.2)
  openssl (1.1.1h -> 1.1.1j)
  openssl-1_1 (1.1.1h -> 1.1.1j)
  python-importlib-metadata (3.4.0 -> 3.7.0)

=== Details ===

==== gnutls ====
Version update (3.6.15 -> 3.7.0)

- Fix the test suite for tests/gnutls-cli-debug.sh [bsc#1171565]
  * Don't unset system priority settings in gnutls-cli-debug.sh
  * Upstream: gitlab.com/gnutls/gnutls/merge_requests/1387
- Add gnutls-gnutls-cli-debug.patch
- Fix: Test certificates in tests/testpkcs11-certs have expired
  * Upstream bug: gitlab.com/gnutls/gnutls/issues/1135
- Add gnutls-test-fixes.patch
- gnutls_x509_trust_list_verify_crt2: ignore duplicate certificates
  * Upstream bug: https://gitlab.com/gnutls/gnutls/issues/1131
- Add gnutls-ignore-duplicate-certificates.patch
- Update to 3.7.0
  * Depend on nettle 3.6
  * Added a new API that provides a callback function to retrieve missing
    certificates from incomplete certificate chains
  * Added a new API that provides a callback function to output the complete
    path to the trusted root during certificate chain verification
  * OIDs exposed as gnutls_datum_t no longer account for the terminating null
    bytes, while the data field is null terminated. The affected API
    functions are: gnutls_ocsp_req_get_extension,
    gnutls_ocsp_resp_get_response, and gnutls_ocsp_resp_get_extension
  * Added a new set of API to enable QUIC implementation
  * The crypto implementation override APIs deprecated in 3.6.9 are now no-op
  * Added MAGMA/KUZNYECHIK CTR-ACPKM and CMAC support
  * Support for padlock has been fixed to make it work with Zhaoxin CPU
  * The maximum PIN length for PKCS #11 has been increased from 31 bytes to
    255 bytes
- Remove patch fixed upstream:
  * gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch
- Add version guards for the crypto-policies package
- Fix threading bug in libgnutls [bsc#1173434]
  * Upstream bug: gitlab.com/gnutls/gnutls/issues/1044
- Require the crypto-policies package [bsc#1180051]
- Use the centralized crypto policy profile (jsc#SLE-15832)
- FIPS: Use 2048 bit prime in DH selftest (bsc#1176086)
  * add gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch
- FIPS: Add TLS KDF selftest (bsc#1176671)
  * add gnutls-FIPS-TLS_KDF_selftest.patch

==== kernel-default-base ====
Version update (5.10.16 -> 5.11.2)

- Add squashfs for kiwi installiso support (bsc#1182341)
- Add fuse (boo#1182507)

==== kernel-source ====
Version update (5.10.16 -> 5.11.2)

- Linux 5.11.2 (bsc#1012628).
- KVM: Use kvm_pfn_t for local PFN variable in hva_to_pfn_remapped()
  (bsc#1012628).
- mm: provide a saner PTE walking API for modules (bsc#1012628).
- KVM: do not assume PTE is writable after follow_pfn (bsc#1012628).
- KVM: x86: Zap the oldest MMU pages, not the newest (bsc#1012628).
- hwmon: (dell-smm) Add XPS 15 L502X to fan control blacklist (bsc#1012628).
- arm64: tegra: Add power-domain for Tegra210 HDA (bsc#1012628).
- Bluetooth: btusb: Some Qualcomm Bluetooth adapters stop working
  (bsc#1012628).
- ntfs: check for valid standard information attribute (bsc#1012628).
- usb: quirks: add quirk to start video capture on ELMO L-12F document
  camera reliable (bsc#1012628).
- USB: quirks: sort quirk entries (bsc#1012628).
- HID: make arrays usage and value to be the same (bsc#1012628).
- bpf: Fix truncation handling for mod32 dst reg wrt zero (bsc#1012628).
- commit 6fd6105
- config: refresh - fix misspelled USB gadget debugging options
- commit 20be8e3
- Update config files. Enable USB_GADGET (jsc#SLE-14042)
- supported.conf: After discussion what the feature request implied, it was
  decided that gadget mode is also needed on x86_64
- commit 4adcbc0
- macros.kernel-source: Use spec_install_pre for certificate installation
  (boo#1182672). Since rpm 4.16 files installed during build phase are lost.
- commit d0b887e
- update mainline references:
  patches.suse/drm-bail-out-of-nouveau_channel_new-if-channel-init-.patch
  patches.suse/floppy-reintroduce-O_NDELAY-fix.patch
  patches.suse/media-uvcvideo-Accept-invalid-bFormatIndex-and-bFram.patch
- commit 4eacbc9
- Linux 5.11.1 (bsc#1012628).
- Xen/x86: don't bail early from clear_foreign_p2m_mapping() (bsc#1012628).
- Xen/x86: also check kernel mapping in set_foreign_p2m_mapping()
  (bsc#1012628).
- Xen/gntdev: correct dev_bus_addr handling in gntdev_map_grant_pages()
  (bsc#1012628).
- Xen/gntdev: correct error checking in gntdev_map_grant_pages()
  (bsc#1012628).
- xen/arm: don't ignore return errors from set_phys_to_machine (bsc#1012628).
- xen-blkback: don't "handle" error by BUG() (bsc#1012628).
- xen-netback: don't "handle" error by BUG() (bsc#1012628).
- xen-scsiback: don't "handle" error by BUG() (bsc#1012628).
- xen-blkback: fix error handling in xen_blkbk_map() (bsc#1012628).
- tty: protect tty_write from odd low-level tty disciplines (bsc#1012628).
- Bluetooth: btusb: Always fallback to alt 1 for WBS (bsc#1012628).
- commit 3652ea1
- arm: Update config files. Set CONFIG_WATCHDOG_SYSFS to true (bsc#1182560)
- commit 702d1a3
- rpm/kernel-subpackage-build: Workaround broken bot
  (https://github.com/openSUSE/openSUSE-release-tools/issues/2439)
- commit b74d860
- Update config files: Set reset-raspberrypi as builtin (bsc#1180336)
  This driver is needed in order to boot through USB. Ideally the kernel
  module should be selected by dracut, but it's not. So make it builtin until
  the relevant dracut fixes are available.
- commit 8186eab
- series.conf: cleanup - move patches on the way to mainline into respective
  section:
  patches.suse/drm-bail-out-of-nouveau_channel_new-if-channel-init-.patch
  patches.suse/media-uvcvideo-Accept-invalid-bFormatIndex-and-bFram.patch
  patches.suse/media-dvb-usb-Fix-memory-leak-at-error-in-dvb_usb_de.patch
  patches.suse/media-dvb-usb-Fix-use-after-free-access.patch
  patches.suse/media-pwc-Use-correct-device-for-DMA.patch
- commit 8309a4e
- kernel-binary.spec: Add back initrd and image symlink ghosts to filelist
  (bsc#1182140).
  Fixes: 76a9256314c3 ("rpm/kernel-{source,binary}.spec: do not include
  ghost symlinks (boo#1179082).")
- commit 606c9d1
- rpm/post.sh: Avoid purge-kernel for the first installed kernel
  (bsc#1180058)
- commit c29e77d
- Refresh
  patches.suse/drm-bail-out-of-nouveau_channel_new-if-channel-init-.patch.
- Refresh
  patches.suse/media-uvcvideo-Accept-invalid-bFormatIndex-and-bFram.patch.
  Update upstream status.
- commit 1916d9d
- Update to 5.11 final
- refresh configs
- commit 253d8c6

==== openssl ====
Version update (1.1.1h -> 1.1.1j)

- Update to 1.1.1j release
- Update to 1.1.1i release

==== openssl-1_1 ====
Version update (1.1.1h -> 1.1.1j)
Subpackages: libopenssl1_1

- Update to 1.1.1j
  * Fixed the X509_issuer_and_serial_hash() function. It attempts to create
    a unique hash value based on the issuer and serial number data contained
    within an X509 certificate. However it was failing to correctly handle
    any errors that may occur while parsing the issuer field
    [bsc#1182331, CVE-2021-23841]
  * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING
    padding mode to correctly check for rollback attacks.
  * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate
    functions. Previously they could overflow the output length argument in
    some cases where the input length is close to the maximum permissible
    length for an integer on the platform. In such cases the return value
    from the function call would be 1 (indicating success), but the output
    length value would be negative. This could cause applications to behave
    incorrectly or crash. [bsc#1182333, CVE-2021-23840]
  * Fixed SRP_Calc_client_key so that it runs in constant time. The previous
    implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This
    could be exploited in a side channel attack to recover the password.
    Since the attack is local host only this is outside of the current
    OpenSSL threat model and therefore no CVE is assigned.
- Rebase patches:
  * openssl-1.1.1-fips.patch
  * openssl-1.1.0-issuer-hash.patch
  * openssl-1.1.1-evp-kdf.patch
- Removed patch because it was causing problems with other servers.
  * openssl-zero-pad-DHE-public-key.patch
  * bsc#1181796
- Zero pad the DHE public key in ClientKeyExchange for interoperability with
  Windows Server 2019.
  * openssl-zero-pad-DHE-public-key.patch
  * bsc#1181796
  * sourced from https://github.com/openssl/openssl/pull/12331/files
- Add version guards for the crypto-policies
- Disable test_srp subsection from 90-test_sslapi.t test
- Use SECLEVEL 2 in 80-test_ssl_new.t
- Add patches:
  * openssl-1_1-use-seclevel2-in-tests.patch
  * openssl-1_1-disable-test_srp-sslapi.patch
- Allow SHA1 in SECLEVEL 2 in non-FIPS mode
- Add openssl-1_1-seclevel.patch
- Require the crypto-policies package [bsc#1180051]
- Update to 1.1.1i (bsc#1179491)
  * Fixed NULL pointer deref in GENERAL_NAME_cmp (CVE-2020-1971)
- Refresh openssl-1.1.1-fips-post-rand.patch

==== python-importlib-metadata ====
Version update (3.4.0 -> 3.7.0)

- update to 3.7.0:
  * #131: Added ``packages_distributions`` to conveniently resolve a
    top-level package or module to its distribution(s).
  * #284: Introduces new ``EntryPoints`` object, a tuple of ``EntryPoint``
    objects but with convenience properties for selecting and inspecting the
    results:
    - ``.select()`` accepts ``group`` or ``name`` keyword parameters and
      returns a new ``EntryPoints`` tuple with only those that match the
      selection.
    - ``.groups`` property presents all of the group names.
    - ``.names`` property presents the names of the entry points.
    - Item access (e.g. ``eps[name]``) retrieves a single entry point by
      name.
    ``entry_points`` now accepts "selection parameters", same as
    ``EntryPoint.select()``.
    ``entry_points()`` now provides a future-compatible ``SelectableGroups``
    object that supplies the above interface but remains a dict for
    compatibility.
    In the future, ``entry_points()`` will return an ``EntryPoints`` object,
    but provide for backward compatibility with a deprecated ``__getitem__``
    accessor by group and a ``get()`` method.
    If passing selection parameters to ``entry_points``, the future behavior
    is invoked and an ``EntryPoints`` is the result.
    Construction of entry points using ``dict([EntryPoint, ...])`` is now
    deprecated and raises an appropriate DeprecationWarning and will be
    removed in a future version.
  * #280: ``entry_points`` now only returns entry points for unique
    distributions (by name).