Packages changed: autofs btrfsprogs (5.13.1 -> 5.14) catatonit (0.1.5 -> 0.1.6) curl (7.78.0 -> 7.79.0) ethtool (5.13 -> 5.14) glibc (2.33 -> 2.34) helm (3.6.2 -> 3.6.3) kbd kernel-source (5.14.2 -> 5.14.5) keylime (6.1.1 -> 6.2.0) kmod kubernetes (1.22.1 -> 1.22.2) kubernetes1.21 (1.21.4 -> 1.21.5) kubernetes1.22 (1.22.1 -> 1.22.2) kubic-control (0.12 -> 0.12.1) less libgudev (234 -> 237) libhugetlbfs ncurses (6.2.20210814 -> 6.2.20210911) pam (1.5.1 -> 1.5.2) pmdk (1.9 -> 1.11.0) salt suse-module-tools (16.0.9 -> 16.0.10+7) vim (8.2.3360 -> 8.2.3408) yast2 (4.4.17 -> 4.4.20) === Details === ==== autofs ==== - autofs-5.1.7-use-default-stack-size-for-threads.patch: Use default stack size for threads (bsc#1189199) ==== btrfsprogs ==== Version update (5.13.1 -> 5.14) Subpackages: btrfsprogs-udev-rules libbtrfs0 - Update to 5.14 * convert: * new option --uuid to copy, generate or set a given uuid * improve output * mkfs: * allow to create degenerate raid0 (on 1 device) and raid10 (on 2 devices) * image: * improved error messages * fix some alignment of restored image * subvol delete: allow to delete by id when path is not resolvable * check: * require alignment of nodesize for 64k page systems * detect and fix invalid block groups * libbtrfs (deprecated): * remove most exported symbols, leave only a few that are used by snapper * no version change (still 0.1) * remove btrfs-list.h, btrfsck.h * fixes: * reset generation of space v1 if v2 is used * fi us: don't wrongly report missing device size when partition is not readable * other: * build: experimental features * build: better detection of 64bit timestamp support for ext4 * corrupt-block: block group items * new and updated tests * refactoring * experimental features: * new image dump format, with data ==== catatonit ==== Version update (0.1.5 -> 0.1.6) - Update to catatonit v0.1.6, which fixes a few bugs -- mainly ones related to socket activation or features somewhat adjacent to socket activation (such as passing file descriptors). - Update catatonit-rpmlintrc in order to cover that static binaries are now an error not a warning. ==== curl ==== Version update (7.78.0 -> 7.79.0) Subpackages: libcurl4 - Temporarily disable flaky test 1184 * See https://github.com/curl/curl/issues/7725 - Update to 7.79.0: [bsc#1190213, CVE-2021-22945] [bsc#1190373, CVE-2021-22946] [bsc#1190374, CVE-2021-22947] * Changes: - bearssl: support CURLOPT_CAINFO_BLOB - http: consider cookies over localhost to be secure - secure transport: support CURLINFO_CERTINFO * Bugfixes: - CVE-2021-22945: clear the leftovers pointer when sending succeeds - CVE-2021-22946: do not ignore --ssl-reqd - CVE-2021-22947: reject STARTTLS server response pipelining - auth: do not append zero-terminator to authorisation id in kerberos - auth: properly handle byte order in kerberos security message - auth: use sasl authzid option in kerberos - auth: we do not support a security layer after kerberos authentication - c-hyper: deal with Expect: 100-continue combined with POSTFIELDS - c-hyper: handle HTTP/1.1 => HTTP/1.0 downgrade on reused connection - c-hyper: initial step for 100-continue support - c-hyper: initial support for "dumping" 1xx HTTP responses - curl-openssl.m4: show correct output for OpenSSL v3 - docs/MQTT: update state of username/password support - docs: the security list is reached at security at curl.se now - getparameter: fix the --local-port number parser - hostip: Make Curl_ipv6works function independent of getaddrinfo - http_proxy: fix the User-Agent inclusion in CONNECT - http_proxy: fix user-agent and custom headers for CONNECT with hyper - http_proxy: only wait for writable socket while sending request - mailing lists: move from cool.haxx.se to lists.haxx.se - mbedtls: avoid using a large buffer on the stack - mbedTLS: initial 3.0.0 support - ngtcp2: remove the acked_crypto_offset struct field init - ngtcp2: replace deprecated functions with nghttp3_conn_shutdown_stream_read - ngtcp2: reset the oustanding send buffer again when drained - ngtcp2: rework the return value handling of ngtcp2_conn_writev_stream - ngtcp2: stop buffering crypto data - ngtcp2: utilize crypto API functions to simplify - openssl: when creating a new context, there cannot be an old one - scripts: invoke interpreters through /usr/bin/env - tests/runtests.pl: cleanup copy&paste mistakes and unused code - tests: be explicit about using 'python3' instead of 'python' - tool/tests: fix potential year 2038 issues - tool_operate: Fix --fail-early with parallel transfers - x509asn1: fix heap over-read when parsing x509 certificates * Rebase libcurl-ocloexec.patch ==== ethtool ==== Version update (5.13 -> 5.14) - update to new upstream release 5.14 * Feature: do not silently ignore --json if unsupported * Feature: support new message types in pretty print ==== glibc ==== Version update (2.33 -> 2.34) Subpackages: glibc-locale-base - Don't create separate debuginfo packages for cross packages - ldconfig-leak-empty-paths.patch: ldconfig: avoid leak on empty paths in config file - gconv-parseconfdir-memory-leak.patch: gconv_parseconfdir: Fix memory leak - gaiconf-init-double-free.patch: gaiconf_init: Avoid double-free in label and precedence lists - copy-and-spawn-sgid-double-close.patch: copy_and_spawn_sgid: Avoid double calls to close() - icon-charmap-close-output.patch: iconv_charmap: Close output file when done - fcntl-time-bits-64-redirect.patch: Linux: Fix fcntl, ioctl, prctl redirects for _TIME_BITS=64 (BZ #28182) - librt-null-pointer.patch: librt: fix NULL pointer dereference (BZ [#28213]) - Add cross development packages for aarch64 and riscv64. - Update to glibc 2.34 Major new features: * When _DYNAMIC_STACK_SIZE_SOURCE or _GNU_SOURCE are defined, PTHREAD_STACK_MIN is no longer constant and is redefined to sysconf(_SC_THREAD_STACK_MIN) * Add _SC_MINSIGSTKSZ and _SC_SIGSTKSZ * The dynamic linker implements the --list-diagnostics option, printing a dump of information related to IFUNC resolver operation and glibc-hwcaps subdirectory selection * On Linux, the function execveat has been added * The ISO C2X function timespec_getres has been added * The feature test macro __STDC_WANT_IEC_60559_EXT__, from draft ISO C2X, is supported to enable declarations of functions defined in Annex F of C2X * Add support for 64-bit time_t on configurations like x86 where time_t is traditionally 32-bit * The main gconv-modules file in glibc now contains only a small set of essential converter modules and the rest have been moved into a supplementary configuration file gconv-modules-extra.conf in the gconv-modules.d directory in the same GCONV_PATH * On Linux, a new tunable, glibc.pthread.stack_cache_size, can be used to configure the size of the thread stack cache * The function _Fork has been added as an async-signal-safe fork replacement since Austin Group issue 62 droped the async-signal-safe requirement for fork (and it will be included in the future POSIX standard) * On Linux, the close_range function has been added * The function closefrom has been added * The posix_spawn_file_actions_closefrom_np function has been added, enabling posix_spawn and posix_spawnp to close all file descriptors great than or equal to a giver integer Deprecated and removed features, and other changes affecting compatibility: * The function pthread_mutex_consistent_np has been deprecated * The function pthread_mutexattr_getrobust_np has been deprecated * The function pthread_mutexattr_setrobust_np has been deprecated * The function pthread_yield has been deprecated * The function inet_neta declared in has been deprecated * Various rarely-used functions declared in and have been deprecated * The pthread cancellation handler is now installed with SA_RESTART and pthread_cancel will always send the internal SIGCANCEL on a cancellation request * The symbols mallwatch and tr_break are now deprecated and no longer used in mtrace * The __morecore and __after_morecore_hook malloc hooks and the default implementation __default_morecore have been removed from the API * Debugging features in malloc such as the MALLOC_CHECK_ environment variable (or the glibc.malloc.check tunable), mtrace() and mcheck() have now been disabled by default in the main C library * The deprecated functions malloc_get_state and malloc_set_state have been moved from the core C library into libc_malloc_debug.so * The deprecated memory allocation hooks __malloc_hook, __realloc_hook, __memalign_hook and __free_hook are now removed from the API Changes to build and runtime requirements: * On Linux, the shm_open, sem_open, and related functions now expect the file shared memory file system to be mounted at /dev/shm Security related changes: CVE-2021-27645: The nameserver caching daemon (nscd), when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system CVE-2021-33574: The mq_notify function has a potential use-after-free issue when using a notification type of SIGEV_THREAD and a thread attribute with a non-default affinity mask - nss-database-check-reload.patch, nss-load-chroot.patch, x86-isa-level.patch, nscd-netgroupcache.patch, nss-database-lookup.patch, select-modify-timeout.patch, nptl-db-libpthread-load-order.patch, rawmemchr-warning.patch, tst-cpu-features-amx.patch, mq-notify-use-after-free.patch: Removed ==== helm ==== Version update (3.6.2 -> 3.6.3) - Update to version 3.6.3: * Ensure RawPath match Path when resolving reference * Set Helm as manager for managedFields * fix(dep update): helm dep update is not respecting the "version" stipulated in the requirements * fix(doc): fix kube client interface doc. (#9882) * use TLS client information from repo config when downloading a chart * Adding test for user/pass without repo on Helm install * Fix the url being set by WithURL on the getters * tweak basic handling * keep existing behavior of returning ErrReleaseNotFound when release(s) failed to decode * fix(sql storage): Query() should return ErrReleaseNotFound immediately when no records are found * Add Test cases for repository-config without file extension * Correctly determine repository-config lockfile path * Fixed Test * Added test for lint mode * Fail message is now the same as the required message. Fixed #8973 Helm function 'fail' should not fail when doing 'helm lint' * fix helm dep build/update doesn't inherit --insecure-skip-tls-verify from helm repo add ==== kbd ==== Subpackages: kbd-legacy - Only run kbdsettings.service if /etc/sysconfig/keyboard exists. Necessary for image based installations without admin made changes. ==== kernel-source ==== Version update (5.14.2 -> 5.14.5) - Linux 5.14.5 (bsc#1012628). - Revert "posix-cpu-timers: Force next expiration recalc after itimer reset" (bsc#1012628). - Revert "time: Handle negative seconds correctly in timespec64_to_ns()" (bsc#1012628). - Delete patches.suse/posix-cpu-timers-Fix-spuriously-armed-0-value-itimer.patch. - commit 048e6c0 - crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd() (bsc#1189884 CVE-2021-3744 bsc#1190534 CVE-2021-3764). - commit e7a1776 - posix-cpu-timers: Fix spuriously armed 0-value itimer (timer breakage). - commit c8203f6 - Revert "rpm: Abolish scritplet templating (bsc#1189841)." This reverts commit e98096d5cf85dbe90f74a930eb1f0e3fe4a70c7f. "nothing provides suse-kernel-rpm-scriptlets". This is provided by suse-module-tools which are not in TW quite yet. See: https://build.opensuse.org/request/show/919012 So revert this temporarily. - commit f924054 - Linux 5.14.4 (bsc#1012628). - locking/mutex: Fix HANDOFF condition (bsc#1012628). - regmap: fix the offset of register error log (bsc#1012628). - regulator: tps65910: Silence deferred probe error (bsc#1012628). - crypto: mxs-dcp - Check for DMA mapping errors (bsc#1012628). - sched/deadline: Fix reset_on_fork reporting of DL tasks (bsc#1012628). - power: supply: axp288_fuel_gauge: Report register-address on readb / writeb errors (bsc#1012628). - crypto: omap-sham - clear dma flags only after omap_sham_update_dma_stop() (bsc#1012628). - sched/deadline: Fix missing clock update in migrate_task_rq_dl() (bsc#1012628). - rcu/tree: Handle VM stoppage in stall detection (bsc#1012628). - EDAC/mce_amd: Do not load edac_mce_amd module on guests (bsc#1012628). - posix-cpu-timers: Force next expiration recalc after itimer reset (bsc#1012628). - hrtimer: Avoid double reprogramming in __hrtimer_start_range_ns() (bsc#1012628). - hrtimer: Ensure timerfd notification for HIGHRES=n (bsc#1012628). - udf: Check LVID earlier (bsc#1012628). - udf: Fix iocharset=utf8 mount option (bsc#1012628). - isofs: joliet: Fix iocharset=utf8 mount option (bsc#1012628). - bcache: add proper error unwinding in bcache_device_init (bsc#1012628). - nbd: add the check to prevent overflow in __nbd_ioctl() (bsc#1012628). - blk-throtl: optimize IOPS throttle for large IO scenarios (bsc#1012628). - nvme-tcp: don't update queue count when failing to set io queues (bsc#1012628). - nvme-rdma: don't update queue count when failing to set io queues (bsc#1012628). - nvmet: pass back cntlid on successful completion (bsc#1012628). - power: supply: smb347-charger: Add missing pin control activation (bsc#1012628). - power: supply: max17042_battery: fix typo in MAx17042_TOFF (bsc#1012628). - s390/cio: add dev_busid sysfs entry for each subchannel (bsc#1012628). - s390/zcrypt: fix wrong offset index for APKA master key valid state (bsc#1012628). - libata: fix ata_host_start() (bsc#1012628). - sched/topology: Skip updating masks for non-online nodes (bsc#1012628). - crypto: omap - Fix inconsistent locking of device lists (bsc#1012628). - crypto: qat - do not ignore errors from enable_vf2pf_comms() (bsc#1012628). - crypto: qat - handle both source of interrupt in VF ISR (bsc#1012628). - crypto: qat - fix reuse of completion variable (bsc#1012628). - crypto: qat - fix naming for init/shutdown VF to PF notifications (bsc#1012628). - crypto: qat - do not export adf_iov_putmsg() (bsc#1012628). - crypto: hisilicon/sec - fix the abnormal exiting process (bsc#1012628). - crypto: hisilicon/sec - modify the hardware endian configuration (bsc#1012628). - crypto: tcrypt - Fix missing return value check (bsc#1012628). - fcntl: fix potential deadlocks for &fown_struct.lock (bsc#1012628). - fcntl: fix potential deadlock for &fasync_struct.fa_lock (bsc#1012628). - udf_get_extendedattr() had no boundary checks (bsc#1012628). - io-wq: remove GFP_ATOMIC allocation off schedule out path (bsc#1012628). - s390/kasan: fix large PMD pages address alignment check (bsc#1012628). - s390/pci: fix misleading rc in clp_set_pci_fn() (bsc#1012628). - s390/debug: keep debug data on resize (bsc#1012628). - s390/debug: fix debug area life cycle (bsc#1012628). - s390/ap: fix state machine hang after failure to enable irq (bsc#1012628). - s390/smp: enable DAT before CPU restart callback is called (bsc#1012628). - sched/debug: Don't update sched_domain debug directories before sched_debug_init() (bsc#1012628). - power: supply: cw2015: use dev_err_probe to allow deferred probe (bsc#1012628). - m68k: emu: Fix invalid free in nfeth_cleanup() (bsc#1012628). - crypto: x86/aes-ni - add missing error checks in XTS code (bsc#1012628). - sched/numa: Fix is_core_idle() (bsc#1012628). - sched: Fix UCLAMP_FLAG_IDLE setting (bsc#1012628). - rcu: Fix to include first blocked task in stall warning (bsc#1012628). - rcu: Fix stall-warning deadlock due to non-release of rcu_node - >lock (bsc#1012628). - m68k: Fix invalid RMW_INSNS on CPUs that lack CAS (bsc#1012628). - block: return ELEVATOR_DISCARD_MERGE if possible (bsc#1012628). - spi: spi-fsl-dspi: Fix issue with uninitialized dma_slave_config (bsc#1012628). - spi: spi-pic32: Fix issue with uninitialized dma_slave_config (bsc#1012628). - genirq/timings: Fix error return code in irq_timings_test_irqs() (bsc#1012628). - irqchip/loongson-pch-pic: Improve edge triggered interrupt support (bsc#1012628). - lib/mpi: use kcalloc in mpi_resize (bsc#1012628). - clocksource/drivers/sh_cmt: Fix wrong setting if don't request IRQ for clock source channel (bsc#1012628). - nbd: do del_gendisk() asynchronously for NBD_DESTROY_ON_DISCONNECT (bsc#1012628). - block: nbd: add sanity check for first_minor (bsc#1012628). - spi: coldfire-qspi: Use clk_disable_unprepare in the remove function (bsc#1012628). - irqchip/apple-aic: Fix irq_disable from within irq handlers (bsc#1012628). - irqchip/gic-v3: Fix priority comparison when non-secure priorities are used (bsc#1012628). - crypto: qat - use proper type for vf_mask (bsc#1012628). - m68k: Fix asm register constraints for atomic ops (bsc#1012628). - certs: Trigger creation of RSA module signing key if it's not an RSA key (bsc#1012628). - tpm: ibmvtpm: Avoid error message when process gets signal while waiting (bsc#1012628). - EDAC/i10nm: Fix NVDIMM detection (bsc#1012628). - x86/mce: Defer processing of early errors (bsc#1012628). - spi: davinci: invoke chipselect callback (bsc#1012628). - blk-crypto: fix check for too-large dun_bytes (bsc#1012628). - regulator: vctrl: Use locked regulator_get_voltage in probe path (bsc#1012628). - regulator: vctrl: Avoid lockdep warning in enable/disable ops (bsc#1012628). - spi: sprd: Fix the wrong WDG_LOAD_VAL (bsc#1012628). - spi: spi-zynq-qspi: use wait_for_completion_timeout to make zynq_qspi_exec_mem_op not interruptible (bsc#1012628). - drm/panfrost: Fix missing clk_disable_unprepare() on error in panfrost_clk_init() (bsc#1012628). - drm/gma500: Fix end of loop tests for list_for_each_entry (bsc#1012628). - ASoC: mediatek: mt8192:Fix Unbalanced pm_runtime_enable in mt8192_afe_pcm_dev_probe (bsc#1012628). - ASoC: mediatek: mt8183: Fix Unbalanced pm_runtime_enable in mt8183_afe_pcm_dev_probe (bsc#1012628). - ASoC: tlv320aic32x4: Fix TAS2505/TAS2521 channel count (bsc#1012628). - media: atmel: atmel-sama5d2-isc: fix YUYV format (bsc#1012628). - media: TDA1997x: enable EDID support (bsc#1012628). - leds: is31fl32xx: Fix missing error code in is31fl32xx_parse_dt() (bsc#1012628). - soc: rockchip: ROCKCHIP_GRF should not default to y, unconditionally (bsc#1012628). - media: cxd2880-spi: Fix an error handling path (bsc#1012628). - drm/of: free the right object (bsc#1012628). - bpf: Fix a typo of reuseport map in bpf.h (bsc#1012628). - bpf: Fix potential memleak and UAF in the verifier (bsc#1012628). - drm/of: free the iterator object on failure (bsc#1012628). - gve: fix the wrong AdminQ buffer overflow check (bsc#1012628). - libbpf: Fix the possible memory leak on error (bsc#1012628). - ARM: dts: aspeed-g6: Fix HVI3C function-group in pinctrl dtsi (bsc#1012628). - ARM: dts: everest: Add phase corrections for eMMC (bsc#1012628). - arm64: dts: renesas: r8a77995: draak: Remove bogus adv7511w properties (bsc#1012628). - i40e: improve locking of mac_filter_hash (bsc#1012628). - arm64: dts: qcom: sc7180: Set adau wakeup delay to 80 ms (bsc#1012628). - soc: qcom: rpmhpd: Use corner in power_off (bsc#1012628). - libbpf: Fix removal of inner map in bpf_object__create_map (bsc#1012628). - gfs2: Fix memory leak of object lsi on error return path (bsc#1012628). - arm64: dts: qcom: sm8250: fix usb2 qmp phy node (bsc#1012628). - bpf, selftests: Fix test_maps now that sockmap supports UDP (bsc#1012628). - firmware: fix theoretical UAF race with firmware cache and resume (bsc#1012628). - driver core: Fix error return code in really_probe() (bsc#1012628). - ionic: cleanly release devlink instance (bsc#1012628). - media: dvb-usb: fix uninit-value in dvb_usb_adapter_dvb_init (bsc#1012628). - media: dvb-usb: fix uninit-value in vp702x_read_mac_addr (bsc#1012628). - media: dvb-usb: Fix error handling in dvb_usb_i2c_init (bsc#1012628). - net: usb: asix: ax88772: add missing stop (bsc#1012628). - media: go7007: fix memory leak in go7007_usb_probe (bsc#1012628). - media: go7007: remove redundant initialization (bsc#1012628). - media: v4l2-subdev: fix some NULL vs IS_ERR() checks (bsc#1012628). - media: rockchip/rga: fix error handling in probe (bsc#1012628). - media: coda: fix frame_mem_ctrl for YUV420 and YVU420 formats (bsc#1012628). - media: atomisp: fix the uninitialized use and rename "retvalue" (bsc#1012628). - Bluetooth: sco: prevent information leak in sco_conn_defer_accept() (bsc#1012628). - Bluetooth: btusb: Fix a unspported condition to set available debug features (bsc#1012628). - 6lowpan: iphc: Fix an off-by-one check of array index (bsc#1012628). - drm/amdgpu/acp: Make PM domain really work (bsc#1012628). - drm/amd/pm: Fix a bug communicating with the SMU (v5) (bsc#1012628). - tcp: seq_file: Avoid skipping sk during tcp_seek_last_pos (bsc#1012628). - ARM: dts: meson8: Use a higher default GPU clock frequency (bsc#1012628). - ARM: dts: meson8b: odroidc1: Fix the pwm regulator supply properties (bsc#1012628). - ARM: dts: meson8b: mxq: Fix the pwm regulator supply properties (bsc#1012628). - ARM: dts: meson8b: ec100: Fix the pwm regulator supply properties (bsc#1012628). - net/mlx5e: Prohibit inner indir TIRs in IPoIB (bsc#1012628). - net/mlx5e: Block LRO if firmware asks for tunneled LRO (bsc#1012628). - cgroup/cpuset: Fix a partition bug with hotplug (bsc#1012628). - drm: mxsfb: Enable recovery on underflow (bsc#1012628). - drm: mxsfb: Increase number of outstanding requests on V4 and newer HW (bsc#1012628). - drm: mxsfb: Clear FIFO_CLEAR bit (bsc#1012628). - net: cipso: fix warnings in netlbl_cipsov4_add_std (bsc#1012628). - net: ti: am65-cpsw-nuss: fix wrong devlink release order (bsc#1012628). - drm: rcar-du: Don't put reference to drm_device in rcar_du_remove() (bsc#1012628). - Bluetooth: mgmt: Fix wrong opcode in the response for add_adv cmd (bsc#1012628). - drm/amd/pm: Fix a bug in semaphore double-lock (bsc#1012628). - lib/test_scanf: Handle n_bits == 0 in random tests (bsc#1012628). - libbpf: Return non-null error on failures in libbpf_find_prog_btf_id() (bsc#1012628). - tools: Free BTF objects at various locations (bsc#1012628). - arm64: dts: renesas: hihope-rzg2-ex: Add EtherAVB internal rx delay (bsc#1012628). - net/mlx5: Fix missing return value in mlx5_devlink_eswitch_inline_mode_set() (bsc#1012628). - i2c: highlander: add IRQ check (bsc#1012628). - leds: lgm-sso: Put fwnode in any case during ->probe() (bsc#1012628). - leds: lgm-sso: Don't spam logs when probe is deferred (bsc#1012628). - leds: lt3593: Put fwnode in any case during ->probe() (bsc#1012628). - leds: rt8515: Put fwnode in any case during ->probe() (bsc#1012628). - leds: trigger: audio: Add an activate callback to ensure the initial brightness is set (bsc#1012628). - media: em28xx-input: fix refcount bug in em28xx_usb_disconnect (bsc#1012628). - media: omap3isp: Fix missing unlock in isp_subdev_notifier_complete() (bsc#1012628). - media: venus: hfi: fix return value check in sys_get_prop_image_version() (bsc#1012628). - media: venus: venc: Fix potential null pointer dereference on pointer fmt (bsc#1012628). - media: venus: helper: do not set constrained parameters for UBWC (bsc#1012628). - soc: mmsys: mediatek: add mask to mmsys routes (bsc#1012628). - PCI: PM: Avoid forcing PCI_D0 for wakeup reasons inconsistently (bsc#1012628). - PCI: PM: Enable PME if it can be signaled from D3cold (bsc#1012628). - bpf, samples: Add missing mprog-disable to xdp_redirect_cpu's optstring (bsc#1012628). - soc: qcom: smsm: Fix missed interrupts if state changes while masked (bsc#1012628). - net: dsa: build tag_8021q.c as part of DSA core (bsc#1012628). - net: dsa: tag_sja1105: optionally build as module when switch driver is module if PTP is enabled (bsc#1012628). - debugfs: Return error during {full/open}_proxy_open() on rmmod (bsc#1012628). - Bluetooth: increase BTNAMSIZ to 21 chars to fix potential buffer overflow (bsc#1012628). - arm64: dts: qcom: sc7280: Fixup the cpufreq node (bsc#1012628). - arm64: dts: qcom: sm8350: fix IPA interconnects (bsc#1012628). - drm: bridge: it66121: Check drm_bridge_attach retval (bsc#1012628). - net: ti: am65-cpsw-nuss: fix RX IRQ state after .ndo_stop() (bsc#1012628). - net: dsa: stop syncing the bridge mcast_router attribute at join time (bsc#1012628). - net: dsa: mt7530: remove the .port_set_mrouter implementation (bsc#1012628). - net: dsa: don't disable multicast flooding to the CPU even without an IGMP querier (bsc#1012628). - PM: EM: Increase energy calculation precision (bsc#1012628). - selftests/bpf: Fix bpf-iter-tcp4 test to print correctly the dest IP (bsc#1012628). - leds: lgm-sso: Propagate error codes from callee to caller (bsc#1012628). - drm/msm: Fix error return code in msm_drm_init() (bsc#1012628). - drm/msm/mdp4: refactor HW revision detection into read_mdp_hw_revision (bsc#1012628). - drm/msm/mdp4: move HW revision detection to earlier phase (bsc#1012628). - drm/msm/dp: update is_connected status base on sink count at dp_pm_resume() (bsc#1012628). - drm/msm/dpu: make dpu_hw_ctl_clear_all_blendstages clear necessary LMs (bsc#1012628). - arm64: dts: exynos: correct GIC CPU interfaces address range on Exynos7 (bsc#1012628). - counter: 104-quad-8: Return error when invalid mode during ceiling_write (bsc#1012628). - cgroup/cpuset: Miscellaneous code cleanup (bsc#1012628). - cgroup/cpuset: Fix violation of cpuset locking rule (bsc#1012628). - ASoC: Intel: Fix platform ID matching (bsc#1012628). - Bluetooth: fix repeated calls to sco_sock_kill (bsc#1012628). - drm/msm/dsi: Fix some reference counted resource leaks (bsc#1012628). - drm/msm/dp: replug event is converted into an unplug followed by an plug events (bsc#1012628). - net/mlx5: Fix unpublish devlink parameters (bsc#1012628). - ASoC: rt5682: Properly turn off regulators if wrong device ID (bsc#1012628). - usb: dwc3: meson-g12a: add IRQ check (bsc#1012628). - usb: dwc3: qcom: add IRQ check (bsc#1012628). - usb: gadget: udc: at91: add IRQ check (bsc#1012628). - usb: gadget: udc: s3c2410: add IRQ check (bsc#1012628). - mac80211: remove unnecessary NULL check in ieee80211_register_hw() (bsc#1012628). - usb: misc: brcmstb-usb-pinmap: add IRQ check (bsc#1012628). - usb: phy: fsl-usb: add IRQ check (bsc#1012628). - usb: phy: twl6030: add IRQ checks (bsc#1012628). - usb: gadget: udc: renesas_usb3: Fix soc_device_match() abuse (bsc#1012628). - selftests/bpf: Fix test_core_autosize on big-endian machines (bsc#1012628). - devlink: Clear whole devlink_flash_notify struct (bsc#1012628). - samples: pktgen: add missing IPv6 option to pktgen scripts (bsc#1012628). - net: stmmac: fix INTR TBU status affecting irq count statistic (bsc#1012628). - PM: cpu: Make notifier chain use a raw_spinlock_t (bsc#1012628). - usb: host: ohci-tmio: add IRQ check (bsc#1012628). - usb: phy: tahvo: add IRQ check (bsc#1012628). - libbpf: Re-build libbpf.so when libbpf.map changes (bsc#1012628). - mac80211: Fix insufficient headroom issue for AMSDU (bsc#1012628). - locking/local_lock: Add missing owner initialization (bsc#1012628). - lockd: Fix invalid lockowner cast after vfs_test_lock (bsc#1012628). - SUNRPC: Fix a NULL pointer deref in trace_svc_stats_latency() (bsc#1012628). - nfsd4: Fix forced-expiry locking (bsc#1012628). - arm64: dts: marvell: armada-37xx: Extend PCIe MEM space (bsc#1012628). - clk: staging: correct reference to config IOMEM to config HAS_IOMEM (bsc#1012628). - i2c: synquacer: fix deferred probing (bsc#1012628). - hwmon: (pmbus/bpa-rs600) Don't use rated limits as warn limits (bsc#1012628). - hwmon: remove amd_energy driver in Makefile (bsc#1012628). - ASoC: fsl_rpmsg: Check -EPROBE_DEFER for getting clocks (bsc#1012628). - firmware: raspberrypi: Fix a leak in 'rpi_firmware_get()' (bsc#1012628). - usb: gadget: mv_u3d: request_irq() after initializing UDC (bsc#1012628). - mm/swap: consider max pages in iomap_swapfile_add_extent (bsc#1012628). - lkdtm: replace SCSI_DISPATCH_CMD with SCSI_QUEUE_RQ (bsc#1012628). - Bluetooth: add timeout sanity check to hci_inquiry (bsc#1012628). - i2c: iop3xx: fix deferred probing (bsc#1012628). - i2c: s3c2410: fix IRQ check (bsc#1012628). - i2c: hix5hd2: fix IRQ check (bsc#1012628). - gfs2: init system threads before freeze lock (bsc#1012628). - drm/exynos: g2d: fix missing unlock on error in g2d_runqueue_worker() (bsc#1012628). - rsi: fix error code in rsi_load_9116_firmware() (bsc#1012628). - rsi: fix an error code in rsi_probe() (bsc#1012628). - octeontx2-af: cn10k: Fix SDP base channel number (bsc#1012628). - octeontx2-pf: send correct vlan priority mask to npc_install_flow_req (bsc#1012628). - octeontx2-af: Check capability flag while freeing ipolicer memory (bsc#1012628). - octeontx2-pf: Don't install VLAN offload rule if netdev is down (bsc#1012628). - octeontx2-pf: Fix algorithm index in MCAM rules with RSS action (bsc#1012628). - octeontx2-af: cn10k: Use FLIT0 register instead of FLIT1 (bsc#1012628). - m68k: coldfire: return success for clk_enable(NULL) (bsc#1012628). - ASoC: Intel: kbl_da7219_max98927: Fix format selection for max98373 (bsc#1012628). - ASoC: Intel: Skylake: Leave data as is when invoking TLV IPCs (bsc#1012628). - ASoC: Intel: Skylake: Fix module resource and format selection (bsc#1012628). - mmc: sdhci: Fix issue with uninitialized dma_slave_config (bsc#1012628). - mmc: dw_mmc: Fix issue with uninitialized dma_slave_config (bsc#1012628). - mmc: moxart: Fix issue with uninitialized dma_slave_config (bsc#1012628). - ASoC: wm_adsp: Put debugfs_remove_recursive back in (bsc#1012628). - bpf: Fix possible out of bound write in narrow load handling (bsc#1012628). - hv_utils: Set the maximum packet size for VSS driver to the length of the receive buffer (bsc#1012628). - CIFS: Fix a potencially linear read overflow (bsc#1012628). - i2c: mt65xx: fix IRQ check (bsc#1012628). - i2c: xlp9xx: fix main IRQ check (bsc#1012628). - octeontx2-pf: cn10k: Fix error return code in otx2_set_flowkey_cfg() (bsc#1012628). - usb: ehci-orion: Handle errors of clk_prepare_enable() in probe (bsc#1012628). - usb: bdc: Fix an error handling path in 'bdc_probe()' when no suitable DMA config is available (bsc#1012628). - usb: bdc: Fix a resource leak in the error handling path of 'bdc_probe()' (bsc#1012628). - tty: serial: fsl_lpuart: fix the wrong mapbase value (bsc#1012628). - ASoC: wcd9335: Fix a double irq free in the remove function (bsc#1012628). - ASoC: wcd9335: Fix a memory leak in the error handling path of the probe function (bsc#1012628). - ASoC: wcd9335: Disable irq on slave ports in the remove function (bsc#1012628). - iwlwifi: skip first element in the WTAS ACPI table (bsc#1012628). - net/mlx5: Lag, fix multipath lag activation (bsc#1012628). - net/mlx5: Remove all auxiliary devices at the unregister event (bsc#1012628). - net/mlx5e: Fix possible use-after-free deleting fdb rule (bsc#1012628). - net/mlx5: E-Switch, Set vhca id valid flag when creating indir fwd group (bsc#1012628). - net/mlx5e: Use correct eswitch for stack devices with lag (bsc#1012628). - misc/pvpanic: fix set driver data (bsc#1012628). - ice: fix Tx queue iteration for Tx timestamp enablement (bsc#1012628). - ice: add lock around Tx timestamp tracker flush (bsc#1012628). - ice: restart periodic outputs around time changes (bsc#1012628). - ice: Only lock to update netdev dev_addr (bsc#1012628). - net: phy: marvell10g: fix broken PHY interrupts for anyone after us in the driver probe list (bsc#1012628). - ath6kl: wmi: fix an error code in ath6kl_wmi_sync_point() (bsc#1012628). - ALSA: usb-audio: Add lowlatency module option (bsc#1012628). - atlantic: Fix driver resume flow (bsc#1012628). - bcma: Fix memory leak for internally-handled cores (bsc#1012628). - brcmfmac: pcie: fix oops on failure to resume and reprobe (bsc#1012628). - ipv6: make exception cache less predictible (bsc#1012628). - ipv4: make exception cache less predictible (bsc#1012628). - net: qrtr: make checks in qrtr_endpoint_post() stricter (bsc#1012628). - sch_htb: Fix inconsistency when leaf qdisc creation fails (bsc#1012628). - net: sched: Fix qdisc_rate_table refcount leak when get tcf_block failed (bsc#1012628). - net: qualcomm: fix QCA7000 checksum handling (bsc#1012628). - octeontx2-af: Fix loop in free and unmap counter (bsc#1012628). - octeontx2-af: Fix mailbox errors in nix_rss_flowkey_cfg (bsc#1012628). - octeontx2-af: Fix static code analyzer reported issues (bsc#1012628). - octeontx2-af: Set proper errorcode for IPv4 checksum errors (bsc#1012628). - ipv4: fix endianness issue in inet_rtm_getroute_build_skb() (bsc#1012628). - ASoC: rt5682: Remove unused variable in rt5682_i2c_remove() (bsc#1012628). - iwlwifi Add support for ax201 in Samsung Galaxy Book Flex2 Alpha (bsc#1012628). - f2fs: guarantee to write dirty data when enabling checkpoint back (bsc#1012628). - time: Handle negative seconds correctly in timespec64_to_ns() (bsc#1012628). - auxdisplay: hd44780: Fix oops on module unloading (bsc#1012628). - io_uring: limit fixed table size by RLIMIT_NOFILE (bsc#1012628). - io_uring: IORING_OP_WRITE needs hash_reg_file set (bsc#1012628). - io_uring: io_uring_complete() trace should take an integer (bsc#1012628). - io_uring: fail links of cancelled timeouts (bsc#1012628). - bio: fix page leak bio_add_hw_page failure (bsc#1012628). - raid1: ensure write behind bio has less than BIO_MAX_VECS sectors (bsc#1012628). - cifs: Do not leak EDEADLK to dgetents64 for STATUS_USER_SESSION_DELETED (bsc#1012628). - smb3: fix posix extensions mount option (bsc#1012628). - tty: Fix data race between tiocsti() and flush_to_ldisc() (bsc#1012628). - perf/x86/intel/uncore: Fix IIO cleanup mapping procedure for SNR/ICX (bsc#1012628). - Revert "KVM: x86: mmu: Add guest physical address check in translate_gpa()" (bsc#1012628). - KVM: s390: index kvm->arch.idle_mask by vcpu_idx (bsc#1012628). - KVM: x86: Update vCPU's hv_clock before back to guest when tsc_offset is adjusted (bsc#1012628). - KVM: x86: clamp host mapping level to max_level in kvm_mmu_max_mapping_level (bsc#1012628). - KVM: x86/mmu: Avoid collision with !PRESENT SPTEs in TDP MMU lpage stats (bsc#1012628). - KVM: VMX: avoid running vmx_handle_exit_irqoff in case of emulation (bsc#1012628). - KVM: nVMX: Unconditionally clear nested.pi_pending on nested VM-Enter (bsc#1012628). - KVM: arm64: Unregister HYP sections from kmemleak in protected mode (bsc#1012628). - KVM: arm64: vgic: Resample HW pending state on deactivation (bsc#1012628). - ARM: dts: at91: add pinctrl-{names, 0} for all gpios (bsc#1012628). - io-wq: check max_worker limits if a worker transitions bound state (bsc#1012628). - md/raid10: Remove unnecessary rcu_dereference in raid10_handle_discard (bsc#1012628). - char: tpm: Kconfig: remove bad i2c cr50 select (bsc#1012628). - fuse: truncate pagecache on atomic_o_trunc (bsc#1012628). - fuse: flush extending writes (bsc#1012628). - fuse: wait for writepages in syncfs (bsc#1012628). - IMA: remove -Wmissing-prototypes warning (bsc#1012628). - IMA: remove the dependency on CRYPTO_MD5 (bsc#1012628). - fbmem: don't allow too huge resolutions (bsc#1012628). - ACPI: PRM: Find PRMT table before parsing it (bsc#1012628). - RDMA/mlx5: Fix number of allocated XLT entries (bsc#1012628). - bootconfig: Fix missing return check of xbc_node_compose_key function (bsc#1012628). - backlight: pwm_bl: Improve bootloader/kernel device handover (bsc#1012628). - parisc: Fix unaligned-access crash in bootloader (bsc#1012628). - clk: kirkwood: Fix a clocking boot regression (bsc#1012628). - devlink: Break parameter notification sequence to be before/after unload/load driver (bsc#1012628). - Refresh patches.suse/Bluetooth-schedule-SCO-timeouts-with-delayed_work.patch. - Refresh patches.suse/Bluetooth-switch-to-lock_sock-in-SCO.patch. - Update config files. - commit 8706151 - Bluetooth: Move shutdown callback before flushing tx and rx queue (bsc#1190424). - commit 40ccc64 - fixup "rpm: support gz and zst compression methods" once more (bsc#1190428, bsc#1190358) Fixes: 3b8c4d9bcc24 ("rpm: support gz and zst compression methods") Fixes: 23510fce36ec ("fixup "rpm: support gz and zst compression methods"") - commit 165378a - Linux 5.14.3 (bsc#1012628). - cxl/acpi: Do not add DSDT disabled ACPI0016 host bridge ports (bsc#1012628). - cxl/pci: Fix lockdown level (bsc#1012628). - cxl/pci: Fix debug message in cxl_probe_regs() (bsc#1012628). - PCI: Call Max Payload Size-related fixup quirks early (bsc#1012628). - x86/reboot: Limit Dell Optiplex 990 quirk to early BIOS versions (bsc#1012628). - staging: mt7621-pci: fix hang when nothing is connected to pcie ports (bsc#1012628). - xhci: Fix failure to give back some cached cancelled URBs (bsc#1012628). - xhci: fix unsafe memory usage in xhci tracing (bsc#1012628). - xhci: fix even more unsafe memory usage in xhci tracing (bsc#1012628). - usb: mtu3: fix the wrong HS mult value (bsc#1012628). - usb: mtu3: use @mult for HS isoc or intr (bsc#1012628). - usb: mtu3: restore HS function when set SS/SSP (bsc#1012628). - usb: gadget: tegra-xudc: fix the wrong mult value for HS isoc or intr (bsc#1012628). - usb: cdnsp: fix the wrong mult value for HS isoc or intr (bsc#1012628). - usb: xhci-mtk: fix issue of out-of-bounds array access (bsc#1012628). - usb: host: xhci-rcar: Don't reload firmware after the completion (bsc#1012628). - Bluetooth: btusb: Make the CSR clone chip force-suspend workaround more generic (bsc#1012628). - Bluetooth: Add additional Bluetooth part for Realtek 8852AE (bsc#1012628). - ALSA: usb-audio: Add registration quirk for JBL Quantum 800 (bsc#1012628). - Revert "r8169: avoid link-up interrupt issue on RTL8106e if user enables ASPM" (bsc#1012628). - igmp: Add ip_mc_list lock in ip_check_mc_rcu (bsc#1012628). - can: c_can: fix null-ptr-deref on ioctl() (bsc#1012628). - firmware: dmi: Move product_sku info to the end of the modalias (bsc#1012628). - commit 87c3051 - fixup "rpm: support gz and zst compression methods" once more Fixes: 3b8c4d9bcc24 ("rpm: support gz and zst compression methods") Fixes: 23510fce36ec ("fixup "rpm: support gz and zst compression methods"") - commit 34e68f4 - Avoid double printing SUSE specific flags in mod->taint (bsc#1190413). - commit 3b944fc - fixup "rpm: support gz and zst compression methods" Fixes: 3b8c4d9bcc24 ("rpm: support gz and zst compression methods") - commit 23510fc - kernel-cert-subpackage: Fix certificate location in scriptlets (bsc#1189841). Fixes: d9a1357edd73 ("rpm: Define $certs as rpm macro (bsc#1189841).") - commit 8684de8 - kernel-binary.spec.in Stop templating the scriptlets for subpackages (bsc#1190358). The script part for base package case is completely separate from the part for subpackages. Remove the part for subpackages from the base package script and use the KMP scripts for subpackages instead. - commit 5d1f677 - kernel-binary.spec: Do not fail silently when KMP is empty (bsc#1190358). Copy the code from kernel-module-subpackage that deals with empty KMPs. - commit d7d2e6e - Document suse-hv-guest-os-id.patch (bsc#814005, bsc#1189965). - commit 6205661 ==== keylime ==== Version update (6.1.1 -> 6.2.0) Subpackages: keylime-agent keylime-config keylime-firewalld keylime-registrar keylime-tpm_cert_store keylime-verifier python38-keylime - Update to version 6.2.0: * Fix bug #757 where revoc cert was treated as text * Code improvement: removal of extra dependencies in measured boot attestation (#755) * Sanitize the exclude list while it is ingested at `tenant` by removing comments (^#) and empty lines. * tenant: show severity level and last event id in status * verifier: move to new failure architecture * pcr validation: move to new failure architecture * measured boot: move to new failure architecture * ima: move to new failure architecture * failure: add infrastructure to tag and collect revocation events in Keylime * Simulating use of SSLContext.minimum_version on ssl v3.6 * verifier: fix minor typos * Add tests for ca_impl_cfssl and ca_util * Replace M2Crypto with python-cryptography * tenant: status now shows if a agent was added to the registrar * tenant: open file to send utf-8 encoded * Correct some comments about and remove vestige in MB policy * fixing a small bug that resulted in malformed refstates not failing MBA * agent: ensure that EK is in PEM format when used as uuid * Solves #703 by adding a "non-trivial" example of a "measured boot policy" (#734) * ci: build and publish container images * codestyle: fix W0612 and R1735 pylint errors * codestyle: fix W1514 pylint error * systemd: Add KillSignal=SIGINT to keylime_agent.service * One-liner to set the minimum version of TLS to v1.2 * pylint fix * Typo fix: return list order confusion between measured_boot.py and tpm_abstract.py * Refactor keylime_logging module * ima: Implement ima-buf validator and validate keys on keyrings (#725) * Remove Python 2 leftovers * Additional fix for the processing of "tpm_policy" * ima: Return an empty allowlist rather than a plain empty list * verifier: convert (v)tpm_policy in DB from string to JSONPickleType * verifier: Create AgentAttestState objects from entries in the db * verifier: Persist the IMA attestation state after running the log verification * db: Add DB migration file for boottime, ima_pcrs, pcr10, and next_ima_ml_entries * verifier: Skip attestation one time if agent's boottime changed * test: Add test case simulating iterative attestation * verifier: Delete an AgentAttestState when deleting an agent * ima: Remember the number of lines successfully processed and last IMA PCR value(s) * ima: Reset the attestation if processing the measurement list fails * debug: Show line number when PCR match occurs * verifier: Extend AgentAttestState with state of the IMA PCR * Consult the AgentAttestState for the next measurement list entry * Introduce an AgentAttestState class for passing state through the APIs * verifier: Request IMA log at entry 0 for now * agent: Get boottime and transfer to verifier * agent: Add support for optional IMA log offset parameter * tests: Add a unit test for the IMA function and run it * agent: Move IMA measurement list reading function to ima.py * Add default verifier-check value * Use tox for pylint * Use Fedora 34 as base image for CI container * Run ci jobs only when needed * config: merge convert and list_convert into the same function * Versioned APIs * Refacator of check_pcrs to parse then validate (#716) * Automatically calculates the boot_aggregate from the measured boot log. (#713) * Set default UUID as lowercase (#699) * tenant: do_cvdelete wait until 404 * Ensures the output of `bulkinfo` command in `keylime_tenant` is JSON * ima: Convert pcrval to bytes to increase efficiency * tests: extend ima tests for signature validation and exclude lists * Allow agents to specify a contact ip address and port for the tenant and CV (#690) * verifer: Fix signature and allowlist evaluation bahavior change * ima: Fix runtime error due to wrong datatype * tenant: add the option to specify the registrar ip and port * measured_boot: drop process_refstate * check_pcrs: match PCR if no mb_refstate is provided * ci: make run_local.sh work with newer docker versions * Fixing pylint errors (#698) * tests: add IMA test where validation should be ignored * ima: Use ima_ast for parsing and validation * tests: Add test for ima AST parser * ima: Introducing a AST for parsing and validation * Make stalebot a bit nicer * enable tenant to fetch all (or verifier specific) agents info in a single call from the verifier * Flush all sessions from TPM device (#682) * multiple named verifiers sharing a single database * webapp: fix tls certs paths (#659) * Corrects markdown to have proper rendering (#673) * ima_file_signatures: Extract keyidv2 from x509 certs * installer: Add '-r' option to cp to copy directory (issue #671) * config: Add optional fallback parameter to get() * agent: Fix the usage of dmidecode during the agent startup (issue #664) * agent: Rename allowlist to ima_allowlist in keylime.conf * Fix decoding error in user_data_encrypt * agent: Fix issue #667 by testing for an empty ima_sign_verification_keys list * Addresses issue #660 (database path while running local tests) (#665) * ima: Return 'None' when ImaKeyring.from_string() called with emtpy string * tests: Move unittests into files with suffix _test.py * Fixes and improvements for database configuration (#654) * Add signature verification support for local and remote IMA signature verification keys (#597) * install: Remove TPM 1.2 support from installer and bundeling scripts * CI/CD: Remove tpm1.2 testing support * Remove duplicated calls to verifier * Remove adding entropy to system rng * Cleanup and fix error case in encryptAIK (#648) * Move measured boot related code into functions to make check_pcrs readable (#642) * Move code related to tpm2_checkquote into its own function (#639) * scripts: Cleanup shell script formatting * installer.sh: Do not delete the local copy of the certificates. * Fix user_data_encrypt to UTF8 decode before print * tpm_abstract: Fix adding of entropy * codestyle: Ignore R1732 implemented by pylint >=2.8.0 * a fix for letting JSON encoding bytes correctly * Adding back reglist to the list of commands that don't need a -t argument * Invoke tpm2_evictcontrol for 4.0 and 4.2 tools if aik_handle exists (#624) * Addresses #436 (#611) * Fixes #620 * Include PCR16 in the quote only when needed * Close leaking file descriptors (#622) * installer.sh: Add missing spaces when efivar is added * More ima_emulator_adapter cleanups (#616) * installer: Add json-c-devel/json-c-dev to BUILD_TOOLS for tpm2-tss build * Remove more commented code in ca_util.py * installer: Only install efi library on x86_64 systems * Create allowlist table and basic API support * installer: Add libuuid-devel/uuid-dev to BUILD_TOOLS for tpm2_tools build * WIP: Some cleanups (#612) * Remove _cLime.c * config: Document the measured boot PCRs and what is using them * Very simple fix for the agent (re: measured boot) The agent code does not need to import "measured boot policies" * ima_emulator_adapater: Remove unnecessary global statement * webapp: Fix private key and certificate path (issue #604) * Add support for keylime_webapp service to read intervals from keylime.conf ==== kmod ==== Subpackages: libkmod2 - Use docbook 4 rather than docbook 5 for building man pages (bsc#1190190). * Refres no-stylesheet-download.patch ==== kubernetes ==== Version update (1.22.1 -> 1.22.2) Subpackages: kubernetes-client kubernetes-kubeadm kubernetes-kubelet - Bump kubernetes-* to 1.22.2 and *-minus1 to 1.21.5 ==== kubernetes1.21 ==== Version update (1.21.4 -> 1.21.5) - Update to version 1.21.5: * Update to go1.16.8 * legacy-cloud-providers: aws: Add support for consuming web identity credentials * e2e iperf2 change threshold to 10MBps = 80 Mbps * Fix NodeAuthenticator tests in dual stack * Fix the key missing issue for structured log * Fix a small regression in Service updates * Service: Fix semantics for Update wrt allocations * Don't prematurely close reflectors in case of slow initialization in watch based manager * Fix storage class setup in regional_pd.go * backport 104410 to release-1.21 * pkg/kubelet/cm: use SkipFreezeOnSet * vendor: bump runc to 1.0.2 * Switch to non-deprecated timestamppb.Now() * Fix buckets initialization * fix: ensure InstanceShutdownByProviderID return false for creating Azure VMs * fix: skip case sensitivity when checking Azure NSG rules * Keep MakeMountArgSensitive and add a new signature that receives flags * Update the unit tests to handle mountFlags * Add missing interface method in mount_unsupported.go * Pass additional flags to subpath mount to avoid flakes in certain conditions * Update CHANGELOG/CHANGELOG-1.21.md for v1.21.4 * Copy golang license to staging copies * delete stale UDP conntrack entries for loadbalancer IPs * Set idle and readheader timeouts ==== kubernetes1.22 ==== Version update (1.22.1 -> 1.22.2) Subpackages: kubernetes1.22-client kubernetes1.22-client-common kubernetes1.22-kubeadm kubernetes1.22-kubelet kubernetes1.22-kubelet-common - Update to version 1.22.2: * [go1.16] Update to go1.16.8 * Fix Job tracking with finalizers for more than 500 pods * e2e iperf2 change threshold to 10MBps = 80 Mbps * legacy-cloud-providers: aws: Add support for consuming web identity credentials * Fix the key missing issue for structured log * add a test for jsonpath template parsing to prevent regressions * revert "fix wrong output when using jsonpath" * Fix a small regression in Service updates * kubelet: Admission must exclude completed pods and avoid races * Don't prematurely close reflectors in case of slow initialization in watch based manager * backport 104410 to release-1.22 * Fix storage class setup in regional_pd.go * pkg/kubelet/cm: use SkipFreezeOnSet * vendor: bump runc to 1.0.2 * vendor: bump k8s.io/util to get fix for LRU cache * Update CHANGELOG/CHANGELOG-1.22.md for v1.22.1 * fix: ensure InstanceShutdownByProviderID return false for creating Azure VMs * fix: skip case sensitivity when checking Azure NSG rules * Copy golang license to staging copies ==== kubic-control ==== Version update (0.12 -> 0.12.1) Subpackages: kubic-haproxycfg kubicctl kubicd - Update to version 0.12.1 - Fix cluster upgrade ==== less ==== - Add missing runtime dependency on which, which it is used by lessopen.sh. Fix bsc#1190552. ==== libgudev ==== Version update (234 -> 237) - Update to version 237: + Fix reading double precision floats from sysfs attributes in locales that use comma as a separator + Fix compilation warning + Fix headers to help with build reproducibility + Clarify licensing information - Changes from version 236: + Fix meson project name to match autotools. - Changes from version 235: + Port build system to meson and remove autotools + Fix conversion of sysfs attributes to boolean. - Add meson BuildRequires and macros following upstreams port. - Enable pkgconfig(umockdev-1.0) BuildRequires and test macro. - Update Licence tag to LGPL-2.1-or-later. ==== libhugetlbfs ==== - Add glibc-2.34-fix.patch as a fix for upstream issue gh#52: https://github.com/libhugetlbfs/libhugetlbfs/pull/63/commits (boo#1189094). - Update to version 2.23.0.g6b126a4: * Update NEWS for 2.23 release * Wait child with os.wait() * Makefile: add MANDIR variable * Makefile: skip LIB resolve check if NATIVEONLY * Introduce basic riscv64 support * ld.hugetlbfs: fix -Ttext-segment argument on AArch64 * tests: add explicit permissions to open() call * Update NEWS for 2.22 release * Convert setup script to python3 * Clean up error checking in dump_proc_pid_maps() ==== ncurses ==== Version update (6.2.20210814 -> 6.2.20210911) Subpackages: libncurses6 ncurses-utils terminfo-base - Add ncurses patch 20210911 + adjust ifdef in test_opaque.c to fix build with ncurses 5.7 + add testing note for xterm-{hp|sco|sun} -TD + corrected description for ansi.sys-old -TD + add xterm+nopcfkeys, to fill in keys for xterm-hp, xterm-sun -TD + use hp+arrows in a few places -TD + use hp+pfk-cr in a few places -TD - Correct offsets of patch ncurses-6.2.dif - Add ncurses patch 20210905 + correct logic in filtering of redefinitions (report by Sven Joachim, cf: 20210828). - Add ncurses patch 20210904 + modify linux3.0 entry to reflect default mapping of shift-tab by kbd 1.14 (report by Jan Engelhardt) -TD + add historical note to tput, curses-terminfo and curses-color manpages based on source-code for SVr2, SVr3 and SVr4. + minor grammatical fixes for "it's" vs "its" (report by Nick Black). + amend fix for --disable-root-environ (report by Arnav Singh). + build-fix for compiling link_test + drop symbols GCC_PRINTF and GCC_SCANF from curses.h.in, to simplify use (Debian #993179). - Add ncurses patch 20210828 + correct reversed check for --disable-root-environ (report/analysis by Arnav Singh, cf: 20210626). + apply gcc format attribute to prototypes which use a va_list parameter rather than a "..." variable-length parameter list (prompted by discussion in a tmux pull-request). + modify configure scripts to filter out redefinitions of _XOPEN_SOURCE, e.g., for NetBSD which generally supports 500, but 600 is needed for ncursesw. + improve documentation for tparm and static/dynamic variables. + improve typography in terminfo.5 (patch by Branden Robinson). - Add ncurses patch 20210821 + improve tparm implementation of %P and %g, more closely matching SVr4 terminfo. + move internals of TERMINAL structure to new header term.priv.h + add "check" rule for ncurses/Makefile + corrected tsl capability for terminator -TD + add check in tic to report instances where tparm would detect an error in an expression (cf: 20201010). + correct a few places where SP->_pair_limit was used rather than SP->_pair_alloc (cf: 20170812). + fix missing "%d" for setaf/setab code 8-15 in xterm+direct16 (report by Florian Weimer) -TD + fix some documentation errata from OpenBSD changes. + update config.sub - Correct offsets and dates of patch ncurses-6.2.dif ==== pam ==== Version update (1.5.1 -> 1.5.2) Subpackages: pam_unix - Rename motd.tmpfiles to pam.tmpfiles - Add /run/faillock directory - pam-login_defs-check.sh: adjust for new login.defs variable usages - Update to 1.5.2 Noteworthy changes in Linux-PAM 1.5.2: * pam_exec: implemented quiet_log option. * pam_mkhomedir: added support of HOME_MODE and UMASK from /etc/login.defs. * pam_timestamp: changed hmac algorithm to call openssl instead of the bundled sha1 implementation if selected, added option to select the hash algorithm to use with HMAC. * Added pkgconfig files for provided libraries. * Added --with-systemdunitdir configure option to specify systemd unit directory. * Added --with-misc-conv-bufsize configure option to specify the buffer size in libpam_misc's misc_conv() function, raised the default value for this parameter from 512 to 4096. * Multiple minor bug fixes, portability fixes, documentation improvements, and translation updates. pam_tally2 has been removed upstream, remove pam_tally2-removal.patch pam_cracklib has been removed from the upstream sources. This obsoletes pam-pam_cracklib-add-usersubstr.patch and pam_cracklib-removal.patch. The following patches have been accepted upstream and, so, are obsolete: - pam-bsc1181443-make-nofile-unlimited-mean-nr_open.patch - pam_securetty-don-t-complain-about-missing-config.patch - bsc1184358-prevent-LOCAL-from-being-resolved.patch - revert-check_shadow_expiry.diff [Linux-PAM-1.5.2-docs.tar.xz, Linux-PAM-1.5.2-docs.tar.xz.asc, Linux-PAM-1.5.2.tar.xz, Linux-PAM-1.5.2.tar.xz.asc, pam-pam_cracklib-add-usersubstr.patch, pam_cracklib-removal.patch, pam-bsc1181443-make-nofile-unlimited-mean-nr_open.patch, pam_securetty-don-t-complain-about-missing-config.patch, bsc1184358-prevent-LOCAL-from-being-resolved.patch, revert-check_shadow_expiry.diff] ==== pmdk ==== Version update (1.9 -> 1.11.0) Subpackages: libpmem1 libpmemobj1 - Renamed libpmem2-1-devel to libpmem2-devel - Update to PMDK 1.11.0 * Version 1.11.0 - Adds new APIs for libpmem2, most notably there are new functions to shrink and extend an existing reservation and a new iterator API for mappings contained within an existing reservation. There's also a new function to retrieve a numa node for a source. - Makes the pmemobj_open() and pmemobj_close() functions from libpmemobj thread-safe. It's now easier to correctly manage persistent memory pools in a parallel environment. - Introduces a new API in libpmemobj to globally change the method of assigning arenas to threads. The default is to rely on a OS per-thread key to store arena information. This release introduces an option to avoid the use of thread-local keys by simply using one global arena for all threads in a pool. - pmem2: don't force smaller alignment for fsdax mappings - rpmem: various fixes for powerpc64le - doc: fix documentation of pmem_is_pmem() - common: fix various minor problems found by static analysis - pmem2: arm64: fix possible data loss on ARMv8.2+ (improper flushing) This release introduces no changes to the on-media layout and is fully compatible with the previous version of PMDK. * Version 1.10 - This release introduces a new stable PMDK library, libpmem2, which is the next major release of libpmem. This library has an entirely new, but familiar, API that addresses many shortcomings of the previous version, while retaining all of its functionality. To learn more, see https://pmem.io/pmdk/libpmem2/ or libpmem2(7). The old library, libpmem, is still going to be maintained for the foreseeable future, but we'd like to encourage any new applications to leverage libpmem2. - Update to PMDK 1.9.2 * Version 1.9.2 - This release reverts an incorrect change in SDS handling "pool: disable SDS check if not supported", and introduces a proper fix for the issues that patch attempted to correct. * Version 1.9.1 - common: fix LIBFABRIC flags - common: Add runtime SDS check and disable - pool: disable SDS check if not supported - obj: fix failure atomicity bug in huge allocs - obj: add missing drain after ulog processing - Drop common-fix-LIBFABRIC-flags.patch (now in upstream) - Add a comment to gen-doc.sh ==== salt ==== Subpackages: python3-salt salt-master salt-minion salt-standalone-formulas-configuration - Exclude the full path of a download URL to prevent injection of malicious code (bsc#1190265) (CVE-2021-21996) - Added: * exclude-the-full-path-of-a-download-url-to-prevent-i.patch - Fix wrong relative paths resolution with Jinja renderer when importing subdirectories - Added: * templates-move-the-globals-up-to-the-environment-jin.patch - Don't pass shell="/sbin/nologin" to onlyif/unless checks (bsc#1188259) - Add missing aarch64 to rpm package architectures - Backport of upstream PR#59492 - Added: * backport-of-upstream-pr59492-to-3002.2-404.patch * don-t-use-shell-sbin-nologin-in-requisites.patch * add-missing-aarch64-to-rpm-package-architectures-405.patch - Fix failing unit test for systemd - Fix error handling in openscap module (bsc#1188647) - Better handling of bad public keys from minions (bsc#1189040) - Added: * better-handling-of-bad-public-keys-from-minions-bsc-.patch * fix-error-handling-in-openscap-module-bsc-1188647-40.patch * fix-failing-unit-tests-for-systemd.patch - Define license macro as doc in spec file if not existing - Add standalone formulas configuration for salt minion and remove salt-master requirement (bsc#1168327) - Do noop for services states when running systemd in offline mode (bsc#1187787) - transactional_updates: do not execute states in parallel but use a queue (bsc#1188170) - Added: * do-noop-for-services-states-when-running-systemd-in-.patch - Handle "master tops" data when states are applied by "transactional_update" (bsc#1187787) - Enhance openscap module: add "xccdf_eval" call - Added: * enhance-openscap-module-add-xccdf_eval-call-386.patch * handle-master-tops-data-when-states-are-applied-by-t.patch - virt: pass emulator when getting domain capabilities from libvirt - Adding preliminary support for Rocky Linux - Implementation of held/unheld functions for state pkg (bsc#1187813) - Added: * implementation-of-held-unheld-functions-for-state-pk.patch * adding-preliminary-support-for-rocky.-59682-391.patch * virt-pass-emulator-when-getting-domain-capabilities-.patch - Replace deprecated Thread.isAlive() with Thread.is_alive() - Added: * backport-thread.is_alive-fix-390.patch - Fix exception in yumpkg.remove for not installed package - Fix save for iptables state module (bsc#1185131) - Added: * fix-exception-in-yumpkg.remove-for-not-installed-pac.patch * fix-save-for-iptables-state-module-bsc-1185131-372.patch - virt: use /dev/kvm to detect KVM - Added: * virt-use-dev-kvm-to-detect-kvm-383.patch - zypperpkg: improve logic for handling vendorchange flags - Added: * move-vendor-change-logic-to-zypper-class-355.patch - Add bundled provides for tornado to the spec file - Enhance logging when inotify beacon is missing pyinotify (bsc#1186310) - Add "python3-pyinotify" as a recommended package for Salt in SUSE/OpenSUSE distros - Added: * enhance-logging-when-inotify-beacon-is-missing-pyino.patch - Fix tmpfiles.d configuration for salt to not use legacy paths (bsc#1173103) - Check if dpkgnotify is executable (bsc#1186674) - Added: * check-if-dpkgnotify-is-executable-bsc-1186674-376.patch - Detect Python version to use inside container (bsc#1167586) (bsc#1164192) - Handle volumes on stopped pools in virt.vm_info (bsc#1186287) - Drop support for Python2. Obsoletes "python2-salt" package - Added: * handle-volumes-on-stopped-pools-in-virt.vm_info-373.patch * figure-out-python-interpreter-to-use-inside-containe.patch - grains.extra: support old non-intel kernels (bsc#1180650) - Fix missing minion returns in batch mode (bsc#1184659) - Added: * fix-missing-minion-returns-in-batch-mode-360.patch * grains.extra-support-old-non-intel-kernels-bsc-11806.patch - Parsing Epoch out of version provided during pkg remove (bsc#1173692) - Added: * parsing-epoch-out-of-version-provided-during-pkg-rem.patch - Fix issue parsing errors in ansiblegate state module - Added: * fix-issue-parsing-errors-in-ansiblegate-state-module.patch - Prevent command injection in the snapper module (bsc#1185281) (CVE-2021-31607) - transactional_update: detect recursion in the executor - Add subpackage salt-transactional-update (jsc#SLE-18028) - Remove duplicate directories from specfile - Added: * transactional_update-detect-recursion-in-the-executo.patch * prevent-command-injection-in-the-snapper-module-bsc-.patch ==== suse-module-tools ==== Version update (16.0.9 -> 16.0.10+7) - Update to version 16.0.10+7: * rpm-script: link config also into /boot (boo#1189879) * weak-modules2: accept modules under /usr/lib/modules on stdin (for support of usr-merged KMPs) * fix scriptlet path (bsc#1189441) - Update to version 16.0.10: * Import kernel scriptlets from kernel-source (bsc#1189441) * README.md: document environment variables for weak-modules2 ==== vim ==== Version update (8.2.3360 -> 8.2.3408) Subpackages: vim-data-common vim-small - Changed used terminal description in %check scriptlet from "linux" to "xterm" as the former does not map to [Z found by a fix in terminfo database of ncurses 6.2 patch 20210904 - Updated to version 8.2.3408, fixes the following problems * User function completion fails with dict function. * Vim9: crash with nested :while. * Buffer overflow when completing long tag name. * When :edit reuses the current buffer the alternate file is set to the same buffer. * Vim9: crash when :for is skipped. * Vim9: cannot use option for all operations. * Vim9: debugging elseif does not stop before condition. * Vim9: :@r executing a register is inconsistent. * Not all Racket files are recognized. * Auto formatting after "cw" leaves cursor in wrong spot. * Vim9: no check for white space before type in declaration. (Naohiro Ono) * Vim9: :$ENV cannot be followed by ->func() in next line. * line2byte() value wrong when adding a text property. (Yuto Kimura) * text property test fails on MS-Windows. * Pyret files are not recognized. * Using uninitialized memory. * Vim9: no warning that "@r" does not do anything. * Vim9: :disass completion does not understand "s:". * Crash when using NULL job. * Crash when using NULL string for funcref(). * Crash when using NULL list with sign functions. * Crash when getting the type of a NULL partial. * Vim9: completion for :disassemble adds parenthesis. * Cannot disable modeline for an individual file. * Escaping for fish shell does not work properly. * Using uninitialized memory. * Compiler warning for non-static function. * fnamemodify('path/..', ':p') differs from using 'path/../'. * Cannot stop insert mode completion without side effects. * Included xdiff code is outdated. * Crash with combination of 'linebreak' and other options. * augroup completion escapes regexp pattern characters. * Escaping for fish shell is skipping some characters. * Filler lines are wrong when changing text in diff mode. * Vim9: expression breakpoint not checked in :def function. * When libcall() fails invalid pointer may be used. * No test for what 8.2.3391 fixes. * Html text objects are not fully tested. * Octave files are not recognized. * ":z!" is not supported. * Vim9: cannot use a negative count with finddir() and findfile(). * Invalid memory access when using :retab with large value. * Memory leak for :retab with invalid argument. * Vim9: no error for white space before "(". * Cannot have a comment line in a {} block of a user command. * On some systems tests fail without _REENTRANT. (Elimar Riesebieter) * Using uninitialized memory with "let g:['bar'] = 2". * Can delete a numbered function. (Naohiro Ono) ==== yast2 ==== Version update (4.4.17 -> 4.4.20) - Fixed losing the current product and package selection during installation, caused by unnecessary reloading of repositories (bsc#1190228) - 4.4.20 - Added infrastructure for installing missing UI extension plug-ins (jsc#SLE-20346, jsc#SLE-20462) - 4.4.19 - Add Y2Issues::WithIssues mixin to make easier to work with a list of issues (needed for jsc#SLE-20563). - 4.4.18