Packages changed:
  Mesa
  Mesa-drivers
  apparmor
  hwinfo (21.80 -> 21.81)
  icu (70.1 -> 71.1)
  installation-images-MicroOS (17.47 -> 17.48)
  kexec-tools
  keylime (6.3.1 -> 6.3.2)
  libapparmor
  libusb-1_0 (1.0.25 -> 1.0.26)
  osinfo-db
  patterns-microos
  perl-HTML-Parser (3.77 -> 3.78)
  perl-libwww-perl (6.61 -> 6.62)
  samba (4.16.0+git.224.70319beb8f8 -> 4.16.0+git.227.931848a12ab)
  vim (8.2.4602 -> 8.2.4745)
  wicked (0.6.68 -> 0.6.69)
  xen (4.16.0_08 -> 4.16.1_02)
  zchunk (1.1.16 -> 1.2.1)

=== Details ===

==== Mesa ====
Subpackages: Mesa-libEGL1 Mesa-libGL1 Mesa-libglapi0 libgbm1

- use _multibuild

==== Mesa-drivers ====
Subpackages: Mesa-dri Mesa-gallium

- use _multibuild

==== apparmor ====
Subpackages: apparmor-abstractions apparmor-parser apparmor-profiles apparmor-utils python3-apparmor

- Add samba-new-dcerpcd.patch, samba-4.16 has a new dcerpcd daemon
  which now will spawn new additional services on demand. We need to
  modify the existing smbd/winbind profiles and additionally add
  a new set of profiles to cater for the new functionality;
  (bnc#1198309);
- Add samba_deny_net_admin.patch to add new rule to deny noisy
  setsockopt calls from systemd; (bnc#1196850).

==== hwinfo ====
Version update (21.80 -> 21.81)

- merge gh#openSUSE/hwinfo#112
- fix bug in determining serial console device name (bsc#1198043)
- 21.81

==== icu ====
Version update (70.1 -> 71.1)

- update to 71.1:
  * updates to CLDR 41 locale data with various additions and
    corrections.
  * phrase-based line breaking for Japanese. Existing line breaking
    methods follow standards and conventions for body text but do not
    work well for short Japanese text, such as in titles and headings.
    This new feature is optimized for these use cases.
  * support for Hindi written in Latin letters (hi_Latn). The CLDR
    data for this increasingly popular locale has been significantly
    revised and expanded. Note that based on user expectations,
    hi_Latn incorporates a large amount of English, and can also be
    referred to as "Hinglish".
  * time zone data updated to version 2022a. Note that pre-1970 data
    for a number of time zones has been removed, as has been the case
    in the upstream tzdata release since 2021b.
- drop fix-ucptrietest-golden-diff.patch (upstream)

==== installation-images-MicroOS ====
Version update (17.47 -> 17.48)

- merge gh#openSUSE/installation-images#586
- add xrdb to inst-sys (bsc#1198294)
- 17.48

==== kexec-tools ====

- kexec-tools-print-error-if-kexec_file_load-fails.patch: print error
  if kexec_file_load fails (bsc#1197176).

==== keylime ====
Version update (6.3.1 -> 6.3.2)
Subpackages: keylime-agent keylime-config keylime-firewalld keylime-registrar keylime-tpm_cert_store keylime-verifier python38-keylime

- Update to version v6.3.2:
  * general: bump Keylime version to 6.3.2
  * tpm_main: flush transient objects
  * pypi: add notice that the Python API is unstable
  * installer: use OpenSSL by default
  * Avoid mounting secdir while unmounting it
  * remove TPM, VTPM and IMA stubbing support
  * archive: remove all archive files
  * Change GH reviewers to be from developer group
  * added suse / opensuse support with zypper
  * Fix tpm import in test_tpm.py
  * Fix cfssl configuration in run_tests.sh
  * tpm_emulator: improve TPM emulator installation
  * config: Add option to enable DB debugging via DEBUG_DB env var
  * Enable SQL query cache for JSONPickleType
  * tpm_emulator: move everything into systemd services
  * Implement broader key support for Keylime's signing mechanisms
  * tenant: Use exponential backoff on key verification retries
  * tenant: Move JSON parsing to capture possible exceptions
  * tenant: Move verifier stop from do_quote to do_verify
  * pylint: Fix issues related to W0602 global-variable-not-assigned
  * tenant: Handle 404 error from registrar gracefully
  * pylint: Fix remaining code with issue R1732 consider-using-with
  * pylint: Fix R1732 consider-using-with
  * pylint: Fix issue detected by pylint-2.13.0
  * pylint: Fix issue detected by pylint-2.13.0
  * tenant: verify agent quote before adding to verifier
  * README: remove tpm2-abrmd and OSX sections
  * pylint: Fix issues related to W0102 dangerous-default-value
  * pylint: Fix R0201 no-self-use
  * pylint: remove W1203 logging-format-interpolation from ignore list
  * pylint: remove R1729 use-a-generator from ignore list
  * pylint: remove E1120 no-value-for-parameter from ignore list
  * pylint: remove W1201 logging-not-lazy from ignore list
  * pylint: fix C0209 consider-using-f-string
  * pylint: fix C0201 consider-iterating-dictionary
  * pylint: fix W1509 subprocess-popen-preexec-fn
  * keylime_tenant non-zero exit code on error
  * Fix prepare step adjustments in packit-ci.fmf plan
  * failure: fix Pattern type hint
  * mypy: add initial Mypy configuration
  * ima_ast: add type hints
  * failure: add type hints
  * logging, config: add type hints for logging module
  * algorithms: add type hints
  * json: add type hints and add JSONType as custom type
  * Full allowlist processing when not adding host
  * provider, vTPM: remove vTPM manager and provider code
  * tpm: fix that the set of missing PCRs is not serializable in failure
  * Restores the option to use keylime agents without mTLS
  * services: make the services run as keylime user instead of root
  * State in --help that SHA-256 is used for --allowlist-checksum
  * config: change cacert.pem to cacert.crt
  * registrar_client: validate connections against registrar ca certificate
  * tenant: validate connections against verifier ca certificate
  * request_client: only add custom adapter if TLS is enabled
  * setup: add static assets for webapp
  * Add TESTING.md describing testing details
  * Fix some remaining log format strings
  * Fix for database_url parameter with sqlite
  * Enable test basic-attestation-with-unpriviledged-agent in Packit CI
  * Use lazy string formatting when logging (#535)
  * Make Packit CI plan more resource-saving
  * keylime.conf: Document setting ownership in WORK_DIR (/var/lib/keylime)
  * agent: Make sure tmpfs is empty even if not mounted or cannot unmount
  * agent: Drop privileges by switching to normal user and group
  * agent: Move mounting of tmpfs towards beginning of main()
  * agent: Read measured boot log near process start
  * agent: Open file for IMA log file near process start
  * ima: Refactor read_measurement_list() to take file as argument
  * Add the policy name to failure event
  * tpm_main: Check if tpm_cert_store exists (#553)
  * Remove tag input from container build workflow
  * Push container images to quay.io/keylime org
  * Enable code coverage measurement for e2e tests in Packit CI
  * config: fix config search order
  * Add defaults for ephemeral keys for agent records
  * Update outdated greetings Github messages
  * services: add keylime_agent_secure.mount service
  * installer.sh: updated tpm2-{tools, tss}, use system packages if possible
  * revocation_notifier: convert the data to str in the notifiers
  * revocation_notifier: mark webhook threads as daemon and add timeout
  * Fix Packit CI test plan Summary
  * Enable Packit CI testing on CentOS Stream 8
  * Enable Packit CI testing on Fedora Rawhide
  * Remove last trace of TPM 1.2 (hopefully)
  * verifier: remove start_tornado() function
  * verifier: wait for connections to be closed before stopping ioloop
  * revocation_notifier: kill ZeroMQ broker if it blocks more than 5s
  * Add more e2e tests to Packit CI
  * Enable EPEL repo on CentOS Stream in packit.yaml
- Drop already merged patches
  * drop_privileges_of_agent_process_after_startup.patch
  * config_fix_config_search_order.patch
  * services_add_keylime_agent_secure_mount_service.patch

==== libapparmor ====

- Add samba-new-dcerpcd.patch, samba-4.16 has a new dcerpcd daemon
  which now will spawn new additional services on demand. We need to
  modify the existing smbd/winbind profiles and additionally add
  a new set of profiles to cater for the new functionality;
  (bnc#1198309);
- Add samba_deny_net_admin.patch to add new rule to deny noisy
  setsockopt calls from systemd; (bnc#1196850).

==== libusb-1_0 ====
Version update (1.0.25 -> 1.0.26)

- Update to version 1.0.26
  * Fix regression with transfer free's after closing device
  * Fix regression with destroyed context if API is misused
  * Workaround for applications using missing default context
  * Fix hotplug enumeration regression
  * Build fixes for various platforms and configurations
  * Add interface bound checking for broken devices
  * Add umockdev tests on Linux

==== osinfo-db ====

- bsc#1197958 - request support for SLE15-SP4 in the osinfo database
- Add support for SUSE Linux Enterprise Micro 5.2
  add-slem5.2-support.patch

==== patterns-microos ====
Subpackages: patterns-microos-alt_onlyDVD patterns-microos-apparmor patterns-microos-base patterns-microos-base-microdnf patterns-microos-base-packagekit patterns-microos-base-zypper patterns-microos-basesystem patterns-microos-cloud patterns-microos-cockpit patterns-microos-defaults patterns-microos-desktop-common patterns-microos-desktop-gnome patterns-microos-desktop-kde patterns-microos-hardware patterns-microos-ima_evm patterns-microos-onlyDVD patterns-microos-ra_agent patterns-microos-ra_verifier patterns-microos-selinux patterns-microos-sssd_ldap

- Revert "Remove requirement of pattern-bootloader".
  Containers should not be using pattern-microos-base.
  MicroOS needs pattern for having a branded bootloader
- Ensure bluez-auto-enable-devices is required for GNOME desktop
  (glgo#GNOME/gnome-bluetooth#110).

==== perl-HTML-Parser ====
Version update (3.77 -> 3.78)

- updated to 3.78
  see /usr/share/doc/packages/perl-HTML-Parser/Changes
  3.78      2022-03-28
  * Remove unused variable (GH#26) (Michal Josef Špaček)

==== perl-libwww-perl ====
Version update (6.61 -> 6.62)

- updated to 6.62
  see /usr/share/doc/packages/perl-libwww-perl/Changes
  6.62      2022-04-05 01:04:17Z
  - Allow downloading to a filehandle (GH#400) (Andrew Fresh)

==== samba ====
Version update (4.16.0+git.224.70319beb8f8 -> 4.16.0+git.227.931848a12ab)
Subpackages: samba-client samba-client-libs samba-libs

- Fix update-apparmor-samba-profile script, sed doesn't like
  multibyte separators; (bsc#1198309).

==== vim ====
Version update (8.2.4602 -> 8.2.4745)
Subpackages: vim-data-common vim-small

- Updated to version 8.2.4745, fixes the following problems
  * Vim9: not enough test coverage for executing :def function.
  * Sourcing buffer lines is too complicated.
  * Error for redefining a script item may be confusing.
  * Error for arguments of remote_expr() even when the +clientserver feature is not included.
  * Test fails because of changed error message.
  * Sourcing buffer lines may lead to errors for conflicts.
  * getcompletion() does not work properly when 'wildoptions' contains "fuzzy".
  * :unhide does not check for failing to close a window.
  * Some conditions are always true.
  * Typos in tests; one lua line not covered by test.
  * Vim9: cannot use a recursive call in a nested function. (Sergey Vlasov)
  * Return type of swapfile_unchanged() is wrong.
  * Redrawing too much when 'cursorline' is set and jumping around.
  * Mapping with escaped bar does not work in :def function. (Sergey Vlasov)
  * Vim9: Declarations in a {} block of a user command do not use Vim9 rules if defined in a legacy script. (Yegappan Lakshmanan)
  * No completion for :scriptnames.
  * Command line completion does not recognize single letter commands.
  * Mapping is cancelled when mouse moves and popup is visible.
  * Two letter substitute commands don't work. (Yegappan Lakshmanan)
  * Crash when using the tabline right-click menu.
  * Vim9: Crash with :execute and :finish. (Sergey Vlasov)
  * Coverity warns for using uninitialized field.
  * Old Coverity warning for resource leak.
  * Old Coverity warning for resource leak.
  * Visual area not fully updated when removing sign in Visual mode while scrolling.
  * flatten() does not use maxdepth correctly.
  * Not enough testing for 2/3 letter substitute commands.
  * flattennew() makes a deep copy unnecessarily.
  * 'cursorline' not always updated with 'cursorlineopt' is "screenline".
  * Crash when switching window in BufWipeout autocommand.
  * Using freed memory in flatten().
  * Visual range does not work before command modifiers.
  * Vim9: cannot initialize a variable to null_list.
  * Tests using null list or dict fail.
  * Not using Visual range.
  * Warning for using uninitialized variable. (Tony Mechelynck)
  * Superfluous check if a redraw is needed for 'cursorline'.
  * Not sufficient parenthesis in preprocessor macros.
  * Some boolean options use "long" instead of "int".
  * May mark the wrong window for redrawing.
  * Vim9: in :def function script var cannot be null.
  * Vim9: variable may be locked unintentionally.
  * Redrawing too often when 'relativenumber' is set.
  * 'shortmess' changed when session does not store options.
  * Using buffer line after it has been freed in old regexp engine.
  * "source" can read past end of copied line.
  * Handling LSP messages is a bit slow.
  * Various formatting problems.
  * "import autoload" only works with using 'runtimepath'.
  * Test fails because path differs.
  * Leaking memory if assignment fails.
  * "import autoload" does not check the file name.
  * Missing changes for import check.
  * Command line completion popup menu positioned wrong when using a terminal window.
  * Vim9: can't use items from "import autoload" with autoload directory name.
  * Errors for functions are sometimes hard to read.
  * Org-mode files are not recognized.
  * Invalid memory access when using printable function name.
  * Cursorcolumn is sometimes not correct.
  * Coverity warning for using uninitialized variable.
  * No error for using out of range list index.
  * Occasional crash when running the GUI tests.
  * Elvish files are not recognized.
  * Popup with "minwidth" and scrollbar not updated properly.
  * Vim9: assignment not recognized in skipped block.
  * expandcmd() fails on an error.
  * Buffer allocation failures insufficiently tested.
  * In compiled code len('string') is not inlined.
  * Memory allocation failures for new tab page not tested.
  * 'wildignorecase' is sometimes not used for glob().
  * Using :normal with Ex mode may make :substitute hang.
  * Redrawing a vertically split window is slow when using CTRL-F and CTRL-B.
  * Cannot force getting MouseMove events.
  * No error for missing expression after :elseif. (Ernie Rael)
  * Test fails with different error.
  * Vim9: not all code is tested.
  * Cannot have expandcmd() give an error message for mistakes.
  * Build failure without +postscript.
  * Build fails with a combination of features.
  * Vim9: can use :unlockvar for const variable. (Ernie Rael)
  * Verbose check with dict_find() to see if a key is present.
  * Cannot open a channel on a Unix domain socket.
  * When a swap file is found for a popup there is no dialog and the buffer is loaded anyway.
  * Configure doesn't find the Motif library with Cygwin.
  * "vimgrep /\%v/ *" may cause a crash.
  * New regexp engine does not give an error for "\%v".
  * Using in a mapping does not work for mouse keys in Insert mode. (Sergey Vlasov)
  * Channel tests fail on MS-Windows.
  * Solution for in a mapping causes trouble.
  * No test for what 8.2.4691 fixes.
  * new regexp does not accept pattern "\%>0v".
  * Avoidance of #elif causes more preproc nesting.
  * JSON encoding could be faster.
  * delete() with "rf" argument does not report a failure.
  * Vim9: crash when adding a duplicate key to a dictionary.
  * Vim9: script variable has no flag that it was set.
  * Hard to reproduce hang when reading from a channel.
  * Buffer remains active if a WinClosed event throws an exception.
  * Kuka Robot Language files not recognized.
  * C++ scope labels are hard-coded.
  * Memory leak in handling 'cinscopedecls'.
  * Using "else" after return or break increases indent.
  * Jump list marker disappears.
  * Buffer remains active if a WinClosed event throws an exception when there are multiple tabpages.
  * Redrawing could be a bit more efficient.
  * PHP test files are not recognized.
  * After :redraw the statusline highlight might be used.
  * Smart indenting does not work after completion.
  * When 'insertmode' is set :edit from mapping misbehaves.
  * Only get profiling information after exiting.
  * Plugins cannot track text scrolling.
  * Using g:filetype_dat and g:filetype_src not tested.
  * Vagrantfile not recognized.
  * Memory allocation failure not tested when defining a function.
  * For TextYankPost v:event does not contain information about the operation being inclusive or not.
  * @@@ in the last line sometimes drawn in the wrong place.
  * ">" marker sometimes not displayed in the jumplist.
  * ABB Rapid files are not recognized properly.
  * Cooklang files are not recognized.
  * When a recording is ended with a mapped key that key is also recorded.
  * The ModeChanged autocmd event is inefficient.
  * Current instance of last search pattern not easily spotted.
  * Unused variable in tiny build.
  * Cannot use expand() to get the script name.
  * Unused code.
  * No test that v:event cannot be modified.
  * HEEx and Surface templates do not need a separate filetype.
  * The changelist index is not remembered per buffer.
  * Duplicate code to free fuzzy matches.
  * HEEx and Surface do need a separate filetype.
  * getcharpos() may change a mark position.
  * Quickfix tests can be a bit hard to read.
  * Build problem for Cygwin with Motif.
  * // in JavaScript string recognized as comment.
  * Esc on commandline executes command instead of abandoning it.
  * Accessing freed memory after WinScrolled autocmd event.
  * When expand() fails there is no error message.
  * Startup test fails.
  * There is no way to start logging very early in startup.
  * A terminal window can't use the bell.
  * Using wrong flag for using bell in the terminal.

==== wicked ====
Version update (0.6.68 -> 0.6.69)
Subpackages: wicked-service

- version 0.6.69
- redfish: decode smbios and setup host interface
  Add initial support to decode the SMBIOS Management Controller Host
  Interface (Type 42) structure and expose it as wicked `firmware:redfish`
  configuration to setup a Host Network Interface (to the BMC) using the
  `Redfish over IP` protocol allowing access to the Redfish Service (via
  redfish-localhost in /etc/hosts) used to manage the computer system.
  Tech Preview (jsc#SLE-17762).
- buffer: fix size_t length downcast to uint, add guards to init functions
- wireless: fix to not expect colons in 64byte long wpa-psk hex hash string
- xml-schema: reference counting fix to not crash at exit on schema errors
- compat-suse: match sysctl.d /etc vs. /run read order with systemd-sysctl,
  remove obsolete (sle11/sysconfig) lines about ifup-sysctl from ifsysctl.5.
- compat-suse: fix reading of sysctl addr_gen_mode to wrong variable
- auto6: fix to apply DNS from RA rdnss after ifdown/ifup (bsc#1181429)
- removed obsolete patch included in the master sources (bsc#1194392)
  [- 0001-fsm-fix-device-rename-via-yast-bsc-1194392.patch]

==== xen ====
Version update (4.16.0_08 -> 4.16.1_02)

- Update to Xen 4.16.1 bug fix release (bsc#1027519)
  xen-4.16.1-testing-src.tar.bz2
- Drop patches contained in new tarball
  61b31d5c-x86-restrict-all-but-self-IPI.patch
  61b88e78-x86-CPUID-TSXLDTRK-definition.patch
  61bc429f-revert-hvmloader-PA-range-should-be-UC.patch
  61d5687a-x86-spec-ctrl-opt_srb_lock-default.patch
  61d6ea2d-VT-d-split-domid-map-cleanup-check-into-a-function.patch
  61d6ea7b-VT-d-dont-leak-domid-mapping-on-error-path.patch
  61e0296a-x86-time-calibration-relative-counts.patch
  61e029c8-x86-time-TSC-freq-calibration-accuracy.patch
  61e02a1c-libxl-PCI-PV-hotplug-stubdom-coldplug.patch
  61e98e88-x86-introduce-get-set-reg-infra.patch
  61e98e89-x86-MSR-split-SPEC_CTRL-handling.patch
  61e98e8a-x86-spec-ctrl-drop-ENTRY-EXIT-HVM.patch
  61e98e8b-VT-x-SPEC_CTRL-NMI-race-condition.patch
  61eaaa23-x86-get-set-reg-infra-build.patch
  61efec1d-Arm-P2M-always-clear-entry-on-mapping-removal.patch
  61efec4d-gnttab-only-decrement-refcounter-on-final-unmap.patch
  61efec96-IOMMU-x86-stop-pirq-iteration-immediately-on-error.patch
  61f2d886-x86-CPUID-disentangle-new-leaves-logic.patch
  61f2d887-x86-CPUID-leaf-7-1-EBX-infra.patch
  61f2dd76-x86-SPEC_CTRL-migration-compatibility.patch
  61f7b2af-libxl-dont-touch-nr_vcpus_out-if-listing.patch
  61f933a4-x86-cpuid-advertise-SSB_NO.patch
  61f933a5-x86-drop-use_spec_ctrl-boolean.patch
  61f933a6-x86-new-has_spec_ctrl-boolean.patch
  61f933a7-x86-dont-use-spec_ctrl-enter-exit-for-S3.patch
  61f933a8-x86-SPEC_CTRL-record-last-write.patch
  61f933a9-x86-SPEC_CTRL-use-common-logic-for-AMD.patch
  61f933aa-SVM-SPEC_CTRL-entry-exit-logic.patch
  61f933ab-x86-AMD-SPEC_CTRL-infra.patch
  61f933ac-SVM-enable-MSR_SPEC_CTRL-for-guests.patch
  61f946a2-VMX-drop-SPEC_CTRL-load-on-VMEntry.patch
  6202afa3-x86-clean-up-MSR_MCU_OPT_CTRL-handling.patch
  6202afa4-x86-TSX-move-has_rtm_always_abort.patch
  6202afa5-x86-TSX-cope-with-deprecation-on-WHL-R-CFL-R.patch
  6202afa7-x86-CPUID-leaf-7-2-EDX-infra.patch
  6202afa8-x86-Intel-PSFD-for-guests.patch
  62278667-Arm-introduce-new-processors.patch
  62278668-Arm-move-errata-CSV2-check-earlier.patch
  62278669-Arm-add-ECBHB-and-CLEARBHB-ID-fields.patch
  6227866a-Arm-Spectre-BHB-handling.patch
  6227866b-Arm-allow-SMCCC_ARCH_WORKAROUND_3-use.patch
  6227866c-x86-AMD-cease-using-thunk-lfence.patch
  6229ba46-VT-d-drop-undue-address-of-from-check_cleanup_domid_map.patch
  624ebcef-VT-d-dont-needlessly-look-up-DID.patch
  624ebd3b-VT-d-avoid-NULL-deref-on-dcmo-error-paths.patch
  624ebd74-VT-d-avoid-infinite-recursion-on-dcmo-error-path.patch
  xsa397.patch
  xsa399.patch
  xsa400-01.patch
  xsa400-02.patch
  xsa400-03.patch
  xsa400-04.patch
  xsa400-05.patch
  xsa400-06.patch
  xsa400-07.patch
  xsa400-08.patch
  xsa400-09.patch
  xsa400-10.patch
  xsa400-11.patch
  xsa400-12.patch
- bsc#1197426 - VUL-0: CVE-2022-26358,CVE-2022-26359,
  CVE-2022-26360,CVE-2022-26361: xen: IOMMU: RMRR (VT-d) and unity
  map (AMD-Vi) handling issues (XSA-400)
  624ebcef-VT-d-dont-needlessly-look-up-DID.patch
  624ebd3b-VT-d-avoid-NULL-deref-on-dcmo-error-paths.patch
  624ebd74-VT-d-avoid-infinite-recursion-on-dcmo-error-path.patch

==== zchunk ====
Version update (1.1.16 -> 1.2.1)

- Update to version 1.2.1
  * Better error detection
  * Add support for specifying compression-format in zck
  * zck: add option to select chunk hash
  * Fix testsuite: Add expected sha256sums for zstd 1.5.1+
  * Fix memory leaks
  * Various bug fixes
- Drop upstream merged zstd-1.5.1.patch