Packages changed:
  NetworkManager
  gnome-keyring (40.0 -> 42.1)
  keylime (6.3.2 -> 6.4.0)
  mobile-broadband-provider-info (20220315 -> 20220511)
  polkit-default-privs (1550+20220404.7b4bea2 -> 1550+20220524.0345bd9)
  python-cryptography (36.0.2 -> 37.0.2)
  yast2 (4.5.3 -> 4.5.4)

=== Details ===

==== NetworkManager ====
Subpackages: NetworkManager-wwan libnm0 typelib-1_0-NM-1_0

- Fold NetworkManager-wifi back into the main package: The dep
  chain is not really different and it causes too many problems
  for users having that split. Not worth the pain (boo#1199710,
  boo#1199706).
- As a consequence, also drop the recommends from the main package
  to -wifi.

==== gnome-keyring ====
Version update (40.0 -> 42.1)
Subpackages: gnome-keyring-pam libgck-modules-gnome-keyring

- Update to version 42.1:
  + daemon: Add files to EXTRA_DIST to fix distcheck.
- Changes from version 42.0:
  + secret-portal: Properly check the default keyring.
  + Build fixes.
  + ssh-agent: Fix crash by uninitialized GMutex.
  + fix looping off the end of the operations array.
  + readme: Mention libsecret instead of deprecated
    libgnome-keyring.
  + daemon: Make it systemd-activatable through the control
    socket.
  + Updated translations.
- Add pkgconfig(systemd) and pkgconfig(libsystemd) BuildRequires:
  new dependencies.

==== keylime ====
Version update (6.3.2 -> 6.4.0)
Subpackages: keylime-agent keylime-config keylime-firewalld keylime-registrar keylime-tpm_cert_store keylime-verifier python38-keylime

- Update to version v6.4.0 (CVE-2022-1053, boo#1199253):
  * general: bump Keylime version to 6.4.0
  * tests: adjust tests to reflect latest API changes
  * api: bump version to 2.1
  * config: remove unused registrar mTLS options in cloud_verifier
    section
  * tenant, verifier: let the tenant provide the AK and mTLS
    certificate
  * Fix exit call in scripts/download_packit_coverage.sh
  * Added codecov.io description to TESTING.md
  * ci: only run CodeQL on the keylime directory and disable it
    for the webapp
  * Enable GitHub workflow integrating codecov.io
  * README: Fix and cleanup the install instructions
  * ima: add backport for dataclasses support for Python 3.6
  * ima: add info that device mapper validation is still
    experimental
  * add lark as a dependency
  * ima: integrate dm validator into general IMA validation
  * agentstates: add the option to load and store dm validator
    state
  * ima: add parser and validator for device mapper entries
  * ima_file_signatures: rename to file_signatures
  * ima_ast: rename to ast
  * ima: move IMA components into their own module
  * failure: add function to get current event ids
  * config: add more details for tpm_cert_store option
  * Deprecate API version 1.0
  * config, webapp: remove tls_check_hostnames option
  * ci: add CodeQL analysis
  * agent, tpm: remove is_vtpm() check
  * tests: update to reflect vTPM removal
  * remove vTPM related helper files and documentation
  * config: remove vTPM related options
  * tenant: remove vtpm_policy
  * verifier: remove vtpm_policy
  * remove REQUIRE_ROOT environment option
  * Remove Testing farm tag-repository
  * Bump required packaging module version to 20.0
  * Remove last traces of M2Crypto
  * Workaround for mock_open not supporting iteration in
    Python 3.6
- Fix "run_as" configuration parameter and set it to keylime:tss
- Improve downgrade user
  migration during package update

==== mobile-broadband-provider-info ====
Version update (20220315 -> 20220511)

- Update to version 20220511:
  * us: update verizon MCCMNC
  * us: Verizon Wireless had been awarded 301 012
  * us: Verizon Wireless MMS settings
  * us: declare AT&T MCC MNC
  * at: declare lyca mobile MMS config
  * al: add AMC internet APN config
  * af: add MMS settings for AWCC
  * ad: add andorra telecom MMS settings
  * za: mtn mms
  * za: cell-c MMS setting
  * es: Add Euskaltel MMS settings
  * il: youphone mms (same APN for data and mms)
  * il: cellcom balance test
  * il: Rami Levi MMS settings
  * serviceproviders: fix indentation
  * il: Partner (previously known as Orange) MMS config

==== polkit-default-privs ====
Version update (1550+20220404.7b4bea2 -> 1550+20220524.0345bd9)

- Update to version 1550+20220524.0345bd9:
  * Add kinfocenter5 whitelisting (bsc#1199735).
  * gconf: cleanup rules used by dropped gconf2 package

==== python-cryptography ====
Version update (36.0.2 -> 37.0.2)

- update to 37.0.2:
  * Fixed an issue where parsing an encrypted private key with the
    public loader functions would hang waiting for console input
    on OpenSSL 3.0.x rather than raising an error.
  * Restored some legacy symbols for older ``pyOpenSSL`` users.
    These will be removed again in the future, so ``pyOpenSSL``
    users should still upgrade to the latest version of that
    package when they upgrade ``cryptography``.
  * Updated Windows, macOS, and Linux wheels to be compiled with
    OpenSSL 3.0.2.
  * **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL 2.9.x
    and 3.0.x. The new minimum LibreSSL version is 3.1+.
  * **BACKWARDS INCOMPATIBLE:** Removed ``signer`` and ``verifier``
    methods from the public key and private key classes. These
    methods were originally deprecated in version 2.0, but had an
    extended deprecation timeline due to usage. Any remaining
    users should transition to ``sign`` and ``verify``.
  * Deprecated OpenSSL 1.1.0 support. OpenSSL 1.1.0 is no longer
    supported by the OpenSSL project.
    The next release of ``cryptography`` will be the last to
    support compiling with OpenSSL 1.1.0.
  * Deprecated Python 3.6 support. Python 3.6 is no longer
    supported by the Python core team. Support for Python 3.6 will
    be removed in a future ``cryptography`` release.
  * Deprecated the current minimum supported Rust version (MSRV)
    of 1.41.0. In the next release we will raise MSRV to 1.48.0.
    Users with the latest ``pip`` will typically get a wheel and
    not need Rust installed, but check :doc:`/installation` for
    documentation on installing a newer ``rustc`` if required.
  * Deprecated
    :class:`~cryptography.hazmat.primitives.ciphers.algorithms.CAST5`,
    :class:`~cryptography.hazmat.primitives.ciphers.algorithms.SEED`,
    :class:`~cryptography.hazmat.primitives.ciphers.algorithms.IDEA`,
    and
    :class:`~cryptography.hazmat.primitives.ciphers.algorithms.Blowfish`
    because they are legacy algorithms with extremely low usage.
    These will be removed in a future version of ``cryptography``.
  * Added limited support for distinguished names containing a bit
    string.
  * We now ship ``universal2`` wheels on macOS, which contain both
    ``arm64`` and ``x86_64`` architectures. Users on macOS should
    upgrade to the latest ``pip`` to ensure they can use this
    wheel, although we will continue to ship ``x86_64`` specific
    wheels for now to ease the transition.
  * This will be the final release for which we ship
    ``manylinux2010`` wheels. Going forward the minimum supported
    ``manylinux`` ABI for our wheels will be ``manylinux2014``.
    The vast majority of users will continue to receive
    ``manylinux`` wheels provided they have an up to date ``pip``.
    For PyPy wheels this release already requires
    ``manylinux2014`` for compatibility with binaries distributed
    by upstream.
  * Added support for multiple
    :class:`~cryptography.x509.ocsp.OCSPSingleResponse` in a
    :class:`~cryptography.x509.ocsp.OCSPResponse`.
  * Restored support for signing certificates and other structures
    in :doc:`/x509/index` with SHA3 hash algorithms.
  * :class:`~cryptography.hazmat.primitives.ciphers.algorithms.TripleDES`
    is disabled in FIPS mode.
  * Added support for serialization of PKCS#12 CA friendly
    names/aliases in
    :func:`~cryptography.hazmat.primitives.serialization.pkcs12.serialize_key_and_certificates`
  * Added support for 12-15 byte (96 to 120 bit) nonces to
    :class:`~cryptography.hazmat.primitives.ciphers.aead.AESOCB3`.
    This class previously supported only 12 byte (96 bit).
  * Added support for
    :class:`~cryptography.hazmat.primitives.ciphers.aead.AESSIV`
    when using OpenSSL 3.0.0+.
  * Added support for serializing PKCS7 structures from a list of
    certificates with
    :class:`~cryptography.hazmat.primitives.serialization.pkcs7.serialize_certificates`.
  * Added support for parsing :rfc:`4514` strings with
    :meth:`~cryptography.x509.Name.from_rfc4514_string`.
  * Added
    :attr:`~cryptography.hazmat.primitives.asymmetric.padding.PSS.AUTO`
    to
    :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`.
    This can be used to verify a signature where the salt length
    is not already known.
  * Added
    :attr:`~cryptography.hazmat.primitives.asymmetric.padding.PSS.DIGEST_LENGTH`
    to
    :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`.
    This constant will set the salt length to the same length as
    the ``PSS`` hash algorithm.
  * Added support for loading RSA-PSS key types with
    :func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key`
    and
    :func:`~cryptography.hazmat.primitives.serialization.load_der_private_key`.
    This functionality is limited to OpenSSL 1.1.1e+ and loads the
    key as a normal RSA private key, discarding the PSS constraint
    information.

==== yast2 ====
Version update (4.5.3 -> 4.5.4)

- Added experimental infrastructure for managing system in a
  chroot (bsc#1199840)
- 4.5.4