o Updated 389-ds (security/bugfix/feature)

- bsc#1205996 - prevent segfault in cl5configtrim
- Update to version 2.2.4~git25.c81ee34:
  * Issue 5593 - CLI - dsidm account subtree-status fails with TypeError
  * Issue 5591 - BUG - Segfault in cl5configtrim with invalid confi (#5592)
  * Fix latest npm audit failures
  * Issue 5599 - CI - webui tests randomly fail
  * Issue 5348 - RFE - CLI - add functionality to do bulk updates to entries
- bsc#1206563 - improve pam_saslauthd migration handling from openldap
- Update to version 2.2.4~git20.7eba9b9:
  * Issue 5526 - RFE - Improve saslauthd migration options (#5528)
  * Issue 5588 - Fix CI tests
  * Issue 5585 - lib389 password policy DN handling is incorrect (#5587)
  * Issue 5521 - UI - Update plugins for new split PAM and LDAP pass thru auth
  * Bump version to 2.2.5
  * Issue 5236 - UI add specialized group edit modal
  * Issue 5278 - CLI - dsidm asks for the old password on password reset
  * Issue 5531 - CI - use universal_lines in capture_output
  * Issue 5505 - Fix compiler warning (#5506)
  * Issue 3615 - CLI - prevent virtual attribute indexing
  * Issue 5413 - Allow multiple MemberOf fixup tasks with different bases/filters
  * Issue 5561 - Nightly tests are failing
- bsc#1205974 - support pam_saslauthd for authentication pass through requirements. See also jsc#PED-2701
- Update to version 2.2.4~git8.8a6e7be:
  * Issue 5521 - RFE - split pass through auth cli
  * Issue 5521 - BUG - Pam PTA multiple issues
  * Issue 5544 - Increase default task TTL
- Update to version 2.2.4~git5.d25f9eb:
  * Issue 5541 - Fix typo in `lib389.cli_conf.backend._get_backend` (#5542)
  * Issue 5539 - Make logger's parameter name unified (#5540)
  * Issue 3729 - (cont) RFE Extend log of operations statistics in access log (#5538)
  * Issue 5534 - Fix a rebase typo (#5537)
  * Issue 5534 - Add copyright text to the repository files
  * Bump version to 2.2.4
  * Issue 5532 - Make db compaction TOD day more robust.
  * Issue 3729 - RFE Extend log of operations statistics in access log (#5508)
  * Issue 5529 - UI - Fix npm vulnerability in loader-utils
  * Issue 3555 - UI - fix audit issue with npm loader-utils (#5514)
  * Issue 5162 - Fix dsctl tls ca-certfiicate add-cert arg requirement
  * Issue 5510 - remove twalk_r dependency to build on RHEL8 (#5516)
  * Issue 5162 - RFE - CLI allow adding CA certificate bundles
  * Issue 5440 - memberof is slow on update/fixup if there are several 'groupattr' (#5455)
  * Issue 5512 - BUG - skip pwdPolicyChecker OC in migration (#5513)
  * Issue 5429 - healthcheck - add checks for MemberOf group attrs being indexed
  * Issue 5502 - RFE - Add option to display entry attributes in audit log
  * Issue 5495 - BUG - Minor fix to dds skip, inconsistent attrs caused errors (#5501)
  * Issue 5367 - RFE - store full DN in database record
- Update to version 2.2.3~git20.b1ed566:
  * Issue 5495 - RFE - skip dds during migration. (#5496)
  * Issue 5491 - UI - Add rework and finish jpegPhoto functionality (#5492)
  * Issue 5368 - Retro Changelog trimming does not work (#5486)
  * Issue 5487 - Fix various issues with logconv.pl
  * Issue 5482 - lib389 - Can not enable replication with a mixed case suffix
  * Issue 5478 - Random crash in connection code during server shutdown (#5479)
  * Issue 3061 - RFE - Add password policy debug log level
  * Issue 4324 - Revert recursive pthread mutex usage in factory.c
  * Issue 5262 - high contention in find_entry_internal_dn on mixed load (#5264)
  * Issue 4324 - Revert recursive pthread mutex change (#5463)
- bsc#1204493 - Improve reliability of migrations from openldap when dynamic directory services is configured.
- Update to version 2.0.16~git52.76ecbe1:
  * Issue 5495 - RFE - skip dds during migration.
    (#5496)
  * Issue 5491 - UI - Add rework and finish jpegPhoto functionality (#5492)
  * Issue 5368 - Retro Changelog trimming does not work (#5486)
  * Issue 5487 - Fix various issues with logconv.pl
  * Issue 5482 - lib389 - Can not enable replication with a mixed case suffix
  * Issue 4776 - Fix entryuuid fixup task (#5483)
  * Issue 5356 - Update Cargo.lock and bootstrap PBKDF2-SHA512 (#5480)
  * Issue 3061 - RFE - Add password policy debug log level
  * Issue 5462 - RFE - add missing default indexes (#5464)
  * Issue 4324 - Revert recursive pthread mutex usage in factory.c
- bsc#1194119 - CVE-2021-45710 - tokio data race with memory corruption
- Update to version 2.0.16~git37.9a47b3d2:
  * Revert "Issue 5446 - Fix some covscan issues (#5451)"
  * Issue 5254 - dscreate create-template regression due to 5a3bdc336 (#5255)
  * Issue 5271 - Serialization of pam_passthrough causing high etimes (#5272)
  * Issue 5453 - UI/CLI - Changing Root DN breaks UI
  * Issue 5446 - Fix some covscan issues (#5451)
  * Issue 5294: Report Portal 5 is not processing an XML file with (#5358)
  * Issue 4588 - Gost yescrypt may fail to build on some older versions of glibc
  * Issue 4308 - checking if an entry is a referral is expensive
  * Issue 5447 - UI - add NDN max cache size to UI
  * Issue 5443 - UI - disable save button while saving
  * Issue 5077 - UI - Add retrocl exclude attribute functionality (#5078)
- bsc#1202470 - CVE-2022-2850 - Resolve sync repl crash during invalid cookie handling
- Update to version 2.0.16~git20.219f047ae:
  * Issue #5423 - Fix missing 'not' in description
  * Issue 5421 - CI - makes replication/acceptance_test.py::test_modify_entry more robust (#5422)
  * Issue 3903 - fix repl keep alive event interval
  * Issue 5418 - Sync_repl may crash while managing invalid cookie (#5420)
  * Issue 5415 - Hostname when set to localhost causing failures in other tests
  * Issue 5412 - lib389 - do not set backend name to lowercase
  * Issue 3903 - keep alive update event starts too soon
  * Issue 5397 - Fix various
    memory leaks
  * Issue 5399 - UI - LDAP Editor is not updated when we switch instances (#5400)
  * Issue 3903 - Supplier should do periodic updates
- bsc#1197998 - Update sudoers schema to support UTF-8
- Update to version 2.0.16~git9.e2a858a86:
  * Issue 5386 - BUG - Update sudoers schema to correctly support UTF-8 (#5387)
  * Issue 5383 - UI - Various fixes and RFE's for UI
  * Issue 4656 - Remove problematic language from source code
  * Issue 5380 - Separate cleanAllRUV code into new file
  * Issue 5322 - optime & wtime on rejected connections is not properly set
  * Issue 5375 - CI - disable TLS hostname checking
  * Issue 5373 - dsidm user get_dn fails with search_ext() argument 1 must be str, not function
  * Issue 5371 - Update npm and cargo packages
  * Issue 3069 - Support ECDSA private keys for TLS (#5365)
  * Bump version to 2.0.16
- Changelog fix
- bsc#1195324 - CVE-2021-4091 - double free in psearch
- bsc#1199889 - CVE-2022-1949 - full access control bypass with simple crafted query, resolved by Issue 5170.
- Update to version 2.0.15~git26.1ea6a6803:
  * Issue 5302 - Release tarballs don't contain cockpit webapp
  * Issue 5237 - audit-ci: Cannot convert undefined or null to object
  * Issue 5170 - BUG - ldapsubentries were incorrectly returned (#5285)
  * Issue 4970 - Add support for recursively deleting subentries
  * Issue 5284 - Replication broken after password change (#5286)
  * Issue 5291 - Harden ReplicationManager.wait_for_replication (#5292)
  * Issue 5279 - dscontainer: TypeError: unsupported operand type(s) for /: 'str' and 'int'
  * Issue 5170 - RFE - Filter optimiser (#5171)
  * Issue 5276 - CLI - improve task handling
  * Issue 5273 - CLI - add arg completer for instance name
-----------------------------------------------------------------------------
o Updated aaa_base (security/bugfix/feature)

- Add patch git-46-78b2a0b29381c16bec6b2a8fc7eabaa9925782d7.patch
  * The wrapper rootsh is not a restricted shell (bsc#1199492)
-----------------------------------------------------------------------------
o Added abseil-cpp (feature) [x86_64]

## WARNING - the following diff is a head -20 proposal
* Tue Sep 13 2022 brunopitrus@hotmail.com
- Add options-old.patch
  * Make the headers always tell the truth about the ABI to fix linker error when using new compilers (boo#1203378)
- Add Fix-maes-msse41-leaking-into-pkgconfig.patch
  * Do not make programs compiled with abseil require new-ish CPUs (boo#1203379)
* Fri Mar 04 2022 danilo.spinella@suse.com
- Fix build on SLE-12-SP5
* Tue Jan 04 2022 dmueller@suse.com
- update to 20211102.0:
  * absl::Cord is now implemented as a b-tree. The new implementation offers improved performance in most workloads.
  * absl::SimpleHexAtoi() has been added to strings library for parsing hexadecimal strings
-----------------------------------------------------------------------------
o Updated accel-config (security/bugfix/feature) [x86_64]

- Update to version 3.4.7:
  * No relevant changes
- Update to version 3.4.6.5:
  * Add Zcompress32, Zdecompress32, Compress and Decompress test
  * Add Zcompress16 and Zdecompress16 to IAA test
  * Add operation CRC64 into IAA test
  * Bug fixes
- Update to version 3.4.6.4:
  * Init IAA test and add No-op operation
  * Separate common codes from DSA source code file
  * Bug fixes
- Update to version 3.4.6.3:
  * Allow use of config files with driver_name attr with older drivers
- Update to version 3.4.6.2:
  * Allow driver_name to be configured in guest
  * Disable mdev tests
  * Update driver_name in unit test configs
  * Improve error message in config attr failures
- Update to version 3.4.6.1:
  * Bug fix in wq driver name configuration
  * Test configs add driver name attr
- Update to version 3.4.6:
  * Support new "read_buffer" attributes that replace "token" attributes
  * Deprecate attributes with "token" names
  * Add support for driver_name attr to get wq driver name
  * Fix a read buffer length related bug
  * Add opcode operation support
- Build exclusively on x86_64, as kernel module idxd.ko cannot be found on i586
- Update to version 3.4.4:
  * Add -e/--enable and -f/--force features to load-config command
  * Add more sample configuration files for different usages
  * Add multi-descriptor support
- Update to version 3.4.3:
  * Remove redundant dependencies (kmod and udev)
  * Bug fixes and code cleanup
  * DSA test adds device and wq selection
  * DSA test adds no opcode operation support
-----------------------------------------------------------------------------
o Updated acpica (security/bugfix/feature) [x86_64,aarch64]

- This version includes CEDT table support as requested in feature (SLE 15 SP5): jsc#PED-201
- Update bundled wmidump to latest upstream 2021-10-11:
  * Add
    support for '//' comments
  * Print object_id or notify_id based on ACPI_WMI_EVENT flag
    object_id and notify_id member are in one union. It depends on ACPI_WMI_EVENT flag which member is stored in this union. So print only one member based on ACPI_WMI_EVENT flag.
- Add comment about origin of the wmidump sources
- update to 20220331:
  For the ASL Sleep() operator, issue a warning if the sleep value is greater than 10 Milliseconds. Quick boottime is important, so warn about sleeps greater than 10 ms. Distribution Linux kernels reach initrd in 350 ms, so excessive delays should be called out. 10 ms is chosen randomly, but three of such delays would already make up ten percent of the boottime.
  Namespace: Avoid attempting to walk the Namespace if the Namespace does not exist.
  AML interpreter/iASL compiler: Add new Acpi 6.4 semantics for the LoadTable and Load operators. DDB_HANDLE is gone, now loadtable returns a pass/fail integer. Now load returns a pass/fail integer, as well as storing the return value in an optional 2nd argument.
  Headers: Use uintptr_t and offsetof() in Linux kernel builds. To avoid "performing pointer subtraction with a null pointer has undefined behavior" compiler warnings, use uintptr_t and offsetof() that are always available during Linux kernel builds to define ACPI_UINTPTR_T and the ACPI_TO_INTEGER() and ACPI_OFFSET() macros when building the ACPICA code in the Linux kernel.
  Added support for the Windows 11 _OSI string ("Windows 2021"). Submitted by superm1.
  executer/exsystem: Inform users about ACPI spec violation for the Stall() operator. Values greater than 100 microseconds violate the ACPI specification, so warn users about it. From the ACPI Specification version 6.2 Errata A, 19.6.128 *Stall (Stall for a Short Time)*: The implementation of Stall is OS-specific, but must not relinquish control of the processor. Because of this, delays longer than 100 microseconds must use Sleep instead of Stall.
  Data Table Compiler/Disassembler: Add support for the APMT table - ARM Performance Monitoring Unit table. Submitted by @bwicaksononv.
  Data Table Compiler/Disassembler: For MADT, add support for the OEM-defined subtables (Types 0x80-0x7F).
  Data Table Compiler: Fixed a problem with support for the SDEV table, where a subtable Length was not computed correctly.
  Data Table Compiler/Disassembler: Add/fix the CFMWS subtable to the CEDT Acpi table support.
  Data Table Compiler/Disassembler: Fix a compile issue with the CEDT and add template. Submitted by MasterDrogo.
  Data Table Compiler/Disassembler: NHLT Changes provided by Piotr Maziarz:
  iASL/NHLT: Rename linux specific structures to DeviceInfo to improve readability of the code.
  iASL/NHLT: Fix parsing undocumented bytes at the end of Endpoint. Undocumented bytes at the end of Endpoint Descriptor can be present independently of Linux-specific structures. Their size can also vary.
  iASL/NHLT: Treat TableTerminator as SpecificConfig. SpecificConfig has 4 bytes of size and then an amount of bytes specified by size. All of the terminators that I've seen had a size equal to 4, but theoretically it can vary.
  iASL/AcpiExec: Use _exit instead of exit in signal handlers (ctrl-C).
  iASL: Remove a remark due to excessive output. Removed a remark for duplicate Offset() operators, due to a user complaint.
- The package builds fine on arches different than x86 and ARM. Drop the ExclusiveArch.
- Update to version 20210930
  * ACPICA kernel-resident subsystem:
    * Avoid evaluating methods too early during system resume.
    * Added a new _OSI string, "Windows 2020".
  * iASL Compiler/Disassembler and ACPICA tools:
    * iASL compiler: Updated the check for usage of _CRS, _DIS, _PRS, and _SRS objects
    * iASL table disassembler: Added disassembly support for the NHLT ACPI table.
    * Added a new subtable type for ACPI 6.4 SRAT Generic Port Affinity
    * Added the flag for online capable in the MADT, introduced in ACPI 6.3.
- Update to version 20210730:
  * iASL Compiler/Disassembler and ACPICA tools:
    * iasl: Check usage of _CRS, _DIS, _PRS, and _SRS objects
    * iASL Table Disassembler/Table compiler: Fix for WPBT table with no command-line arguments.
    * Handle the case where the Command-line Arguments table field does not exist (zero).
    * Headers: Add new DBG2 Serial Port Subtypes
    * iASL: Add full support for the AEST table (data compiler)
    * Add PRMT module header to facilitate parsing.
    * Table disassembler: Add missing strings to decode subtable types.
- Update to version 20210604:
  * ACPICA kernel-resident subsystem
    * Cleaned up (delete) the context mutex during local address handler object deletion.
    * Fixed a memory leak caused by the _CID repair function.
    * Add support for PlatformRtMechanism OperationRegion handler.
    * Add a new utility function, AcpiUtConvertUuidToString.
  * iASL Compiler/Disassembler and ACPICA tools:
    * Added full support for the PRMT ACPI table
    * Added full support for the BDAT ACPI table.
    * Added full support for the RGRT ACPI table.
    * Added full support for the SVKL ACPI table.
    * Completed full support for the IVRS ACPI table.
    * Added compiler support for IVRS, updated disassembler support
    * Added a new utility, UtIsIdInteger, to determine if a HID/CID is an integer or a string.
    * Headers: Added more structs to the CEDT table
    * ACPI 6.4: MADT: added Multiprocessor Wakeup Mailbox Structure.
- Update to version 20210331
  * ACPI 6.4 is now supported!
  ACPICA kernel-resident subsystem:
  * Always create namespace nodes.
  * Fixed a race condition in generic serial bus operation region handler.
  iASL Compiler/Disassembler and ACPICA tools:
  * Add disassembly support for the IVRS table.
  * Fixed a potential infinite loop due to type mismatch.
  iASL/TableCompiler:
  * update it with IORT table E.b revision changes.
  * Add compilation support for the VIOT table.
  * Add compilation support for CEDT table.
  * Update of the CEDT template.
- Update to version 20210105
  ACPICA kernel-resident subsystem:
  * Updated all copyrights to 2021. This affects all ACPICA source code modules.
  iASL Compiler/Disassembler and ACPICA tools:
  * ASL test suite (ASLTS): Updated all copyrights to 2021.
  * Tools and utilities: Updated all signon copyrights to 2021.
  * iASL Table Compiler: Removed support for obsolete ACPI tables: VRTC, MTMR. Al Stone.
- Update to version 20200717
  ACPICA kernel-resident subsystem:
  * Do not increment OperationRegion reference counts for field units. Recent server firmware has revealed that this reference count can overflow on large servers that declare many field units (thousands) under the same OperationRegion. This occurs because each field unit declaration will add a reference count to the source OperationRegion. This release solves the reference count overflow for OperationRegion objects by preventing fieldUnits from incrementing their parent OperationRegion's reference count.
  * Replaced one-element arrays with flexible-arrays, which were introduced in C99.
  * Restored the readme file containing the directions for generation of ACPICA from source on MSVC 2017. Updated the file for MSVC 2017. File is located at: generate/msvc2017/readme.txt
  iASL Compiler/Disassembler and ACPICA tools:
  * iASL: Fixed a regression found in version 20200214. Prevent iASL from emitting an extra byte of garbage data when control methods declared a single parameter type without using braces. This extra byte is known to cause a blue screen on the Windows AML interpreter.
  * iASL: Made a change to allow external declarations to specify the type of a named object even when some name segments are not defined. This change allows the following ASL code to compile (When DEV0 is not defined or not defined yet):
      External (\_SB.DEV0.OBJ1, IntObj)
      External (\_SB.DEV0, DeviceObj)
  * iASL: Fixed a problem where method names in "Alias ()" statement could be misinterpreted. They are now interpreted correctly as method invocations.
  * iASL: capture a method parameter count (Within the Method info segment, as well as the argument node) when using parameter type lists.
- Update to version 20200528
  ACPICA kernel-resident subsystem:
  Removed old/obsolete Visual Studio files which were used to build the Windows versions of the ACPICA tools. Since we have moved to Visual Studio 2017, we are no longer supporting Visual Studio 2006 and 2009 project files. The new subdirectory and solution file are located at: acpica/generate/msvc2017/AcpiComponents.sln
  iASL Compiler/Disassembler and ACPICA tools:
  * iASL: added support for a new OperationRegion Address Space (subtype): PlatformRtMechanism. Support for this new keyword is being released for early prototyping. It will appear in the next release of the ACPI specification.
  * iASL: do not optimize the NameString parameter of the CondRefOf operator. In the previous iASL compiler release, the NameString parameter of the CondRefOf was optimized. There is evidence that some implementations of the AML interpreter do not perform the recursive search-to-parent search during the execution of the CondRefOf operator. Therefore, the CondRefOf operator behaves differently when the NameString parameter is a single name segment (a NameSeg) as opposed to a full NamePath (starting at the root scope) or a NameString containing parent prefixes.
  * iASL: Prevent an inadvertent remark message. This change prevents a remark if within a control method the following exist: 1) An Operation Region is defined, and 2) A Field operator is defined that refers to the region. This happens because at the top level, the Field operator does not actually create a new named object, it simply references the operation region.
  * Removed support for the acpinames utility. The acpinames was a simple utility used to populate and display the ACPI namespace without executing any AML code. However, ACPICA now supports executable opcodes outside of control methods.
    This means that executable AML opcodes such as If and Store opcodes need to be executed during table load. Therefore, acpinames would need to be updated to match the same behavior as the acpiexec utility and since acpiexec can already dump the entire namespace (via the 'namespace' command), we no longer have the need to maintain acpinames.
  * In order to dump the contents of the ACPI namespace using acpiexec, execute the following command from the command line:
      acpiexec -b "n" [aml files]
- Refresh patches
- Enable -fcommon in CFLAGS and CXXFLAGS in order to fix boo#1160383.
- Add -fcommon as there are a lot re-definitions which lead to errors and compile failures with gcc10 which enables -fno-common by default
  bsc#1160383 - acpica fails with -fno-common
- Update to version 20200110
- Use noun phrase in summary
- Update to version 20190509
  Includes a fix that breaks VirtualBox https://github.com/acpica/acpica/issues/462
- Update to version 20190405
  iASL: Implemented an enhanced multiple file compilation that combines named objects from all input files to a single namespace. With this feature, any unresolved external declarations as well as duplicate named object declarations can be detected during compilation rather than generating errors much later at runtime. The following commands are examples that utilize this feature:
      iasl dsdt.asl ssdt.asl
      iasl dsdt.asl ssdt1.asl ssdt2.asl
      iasl dsdt.asl ssdt*.asl
- Adjusted patch: M acpica-no-compiletime.patch
- Update to version 20190215
  Support for ACPI specification version 6.3:
  * Add PCC operation region support for the AML interpreter. This adds PCC operation region support in the AML interpreter and a default handler for acpiexec. The change also renames the PCC region address space keyword to PlatformCommChannel.
  * Support for new predefined methods _NBS, _NCH, _NIC, _NIH, and _NIG. These methods provide OSPM with health information and device boot status.
  * PDTT: Add TriggerOrder to the PCC Identifier structure.
    The field value defines if the trigger needs to be invoked by OSPM before or at the end of kernel crash dump processing/handling operation.
  * SRAT: Add Generic Affinity Structure subtable. This subtable in the SRAT is used for describing devices such as heterogeneous processors, accelerators, GPUs, and IO devices with integrated compute or DMA engines.
  * MADT: Add support for statistical profiling in GICC. Statistical profiling extension (SPE) is an architecture-specific feature for ARM.
  * MADT: Add online capable flag. If this bit is set, system hardware supports enabling this processor during OS runtime.
  * New Error Disconnect Recover Notification value. There are a number of scenarios where system Firmware in collaboration with hardware may disconnect one or more devices from the rest of the system for purposes of error containment. Firmware can use this new notification value to alert OSPM of such a removal.
  * PPTT: New additional fields in Processor Structure Flags. These flags provide more information about processor topology.
  * NFIT/Disassembler: Change a field name from "Address Range" to "Region Type".
  * HMAT updates: make several existing fields to be reserved as well as rename subtable 0 to "memory proximity domain attributes".
  * GTDT: Add support for new GTDT Revision 3. This revision adds information for the EL2 timer.
  * iASL: Update the HMAT example template for new fields.
  * iASL: Add support for the new revision of the GTDT (Rev 3).
  ACPICA kernel-resident subsystem:
  * AML Parser: fix the main AML parse loop to correctly skip erroneous extended opcodes. AML opcodes come in two lengths: 1-byte opcodes and 2-byte extended opcodes. If an error occurs during an AML table load, the AML parser will continue loading the table by skipping the offending opcode. This implements a "load table at any cost" philosophy.
  iASL Compiler/Disassembler and Tools:
  * iASL: Add checks for illegal object references, such as a reference outside of method to an object within a method. Such an object is only temporary.
  * iASL: Emit error for creation of a zero-length operation region. Such a region is rather pointless. If encountered, a runtime error is also implemented in the interpreter.
  * Debugger: Fix a possible fault with the "test objects" command.
  * iASL: Makefile: support parent directory filenames containing embedded spaces.
  * iASL: Update the TPM2 template to revision 4.
  * iASL: Add the ability to report specific warnings or remarks as errors.
  * Disassembler: Disassemble OEMx tables as actual AML byte code. Previously, these tables were treated as "unknown table".
  * iASL: Add definition and disassembly for TPM2 revision 3.
  * iASL: Add support for TPM2 rev 3 compilation.
- Refresh patches
- Run spec-cleaner
- Update to 20180629
  Added changelog from mainline, installed into documentation path
- Update to version 20180508
  ACPICA kernel-resident subsystem:
  * Completed the new (recently deployed) package resolution mechanism for the Load and LoadTable ASL/AML operators. This fixes a regression that was introduced in version 20180209 that could result in an AE_AML_INTERNAL exception during the loading of a dynamic ACPI/AML table (SSDT) that contains package objects.
  iASL Compiler/Disassembler and Tools:
  * AcpiDump and AcpiXtract: Implemented support for ACPI tables larger than 1 MB. This change allows for table offsets within the acpidump file to be up to 8 characters. These changes are backwards compatible with existing acpidump files.
  version 20180427
  ACPICA kernel-resident subsystem:
  * Debugger: Added support for Package objects in the "Test Objects" command. This command walks the entire namespace and evaluates all named data objects (Integers, Strings, Buffers, and now Packages).
  * Improved error messages for the namespace root node.
    Originally, the root was referred to by the confusing string "\___". This has been replaced by "Namespace Root" for clarification.
  * Fixed a potential infinite loop in the AcpiRsDumpByteList function. Colin Ian King.
  iASL Compiler/Disassembler and Tools:
  * iASL: Implemented support to detect and flag illegal forward references. For compatibility with other ACPI implementations, these references are now illegal at the root level of the DSDT or SSDTs. Forward references have always been illegal within control methods. This change should not affect existing ASL/AML code because of the fact that these references have always been illegal in the other ACPI implementation.
  * iASL: Added error messages for the case where a table OEM ID and OEM TABLE ID strings are longer than the ACPI-defined length. Previously, these strings were simply silently truncated.
  * iASL: Enhanced the -tc option (which creates an AML hex file in C, suitable for import into a firmware project):
    1) Create a unique name for the table, to simplify use of multiple SSDTs.
    2) Add a protection #ifdef in the file, similar to a .h header file.
    With assistance from Sami Mujawar, sami.mujawar@arm.com and Evan Lloyd, evan.lloyd@arm.com
  * AcpiExec: Added a new option, -df, to disable the local fault handler. This is useful during debugging, where it may be desired to drop into a debugger on a fault.
- Upgrade to latest version 20180313
- Update patches:
  * acpica-no-compiletime.patch
  * do_not_use_build_date_and_time.patch
-----------------------------------------------------------------------------
o Updated adcli (security/bugfix/feature)

- Remove errx() calls on error conditions to execute the cleanup function and delete the krb5 snippets created in /tmp; (bsc#1202647);
  * Add 0038-Remove-errx-from-tools.patch
- Set umask before calling mkdtemp; (bsc#1202647);
  * Add 0039-Set-umask-before-calling-mkdtemp.patch
-----------------------------------------------------------------------------
o Added adwaita-qt6-src (feature)

## WARNING - the following diff is a head -20 proposal
* Thu Mar 02 2023 alarrosa@suse.com
- Use the qt6 %cmake macros when building the qt6 flavor which uses the right compiler in SLE/Leap instead of gcc7 (which fails to build since it doesn't support C++17 headers used by Qt6).
* Tue Sep 27 2022 luc14n0@opensuse.org
- Update to version 1.4.2:
  + Fixed plugin path for Qt6.
  + Switch between dark/light variant on runtime on QEvent::PaletteChange.
  + Qt5X11Extras is an optional dependency.
  + UI: QMenu improvements.
  + Fixed placeholder text color for Qt6.
* Thu Feb 24 2022 bjorn.lie@gmail.com
- Add hard cmake(Qt6Core) and cmake(Qt6Widgets) Requires to libadwaita-qt6-devel sub-package.
-----------------------------------------------------------------------------
o Removed adwaita-qt (XXX)
-----------------------------------------------------------------------------
o Updated alsa-plugins (security/bugfix/feature)

- Add keyring
- Fix dependency of pulse plugin; now pulseaudio-daemon is required (bsc#1201409)
- Update to version 1.2.7.1 (jsc#PED-850): jack plugin fix/enhancement
-----------------------------------------------------------------------------
o Updated alsa (security/bugfix/feature)

- Update to version 1.2.8 (jsc#PED-850): add FreeBSD/NetBSD/OpenBSD build support, fixes in control namehint, various PCM plugins and UCM.
  For details, see: https://www.alsa-project.org/wiki/Changes_v1.2.7.2_v1.2.8
- Add keyring
- Update to version 1.2.7.2: minor updates, including fixes for PCM share plugin, rawmidi and UCM
- Update to version 1.2.7.1: minor bug fixes, including the previous patches.
  For details, see https://www.alsa-project.org/wiki/Changes_v1.2.7_v1.2.7.1#alsa-lib
- Drop obsoleted patches:
  0001-conf-Use-ino64_t-to-save-and-compare-inode-numbers.patch
  0002-control-eld-fix-the-decoding-for-older-hw.patch
- Backport upstream fixes for 32bit inode and ELD parsing:
  0001-conf-Use-ino64_t-to-save-and-compare-inode-numbers.patch
  0002-control-eld-fix-the-decoding-for-older-hw.patch
- Update to version 1.2.7: more extended UCM API, PCM rate,multi,direct plugin fixes and enhancements, compilation fixes, etc.
  For details see: https://www.alsa-project.org/wiki/Changes_v1.2.6.3_v1.2.7#alsa-lib
-----------------------------------------------------------------------------
o Updated alsa-ucm-conf (security/bugfix/feature)

- Update to version 1.2.8 (jsc#PED-850): lots of new profiles for USB-audio, SOF and others:
  https://www.alsa-project.org/wiki/Changes_v1.2.7.2_v1.2.8
- Add keyring
- Update to version 1.2.7.2: updates of various device-specific profiles.
  For details, see https://www.alsa-project.org/wiki/Changes_v1.2.7.1_v1.2.7.2#alsa-ucm-conf
- Update to version 1.2.7.1: updates of various device-specific profiles.
  For details, see https://www.alsa-project.org/wiki/Changes_v1.2.7_v1.2.7.1#alsa-ucm-conf
- Drop obsoleted patches:
  0001-Steinberg-UR44-fix-the-Line2-channel-mapping.patch
  0002-Steinberg-UR44-fix-the-Line2-channel-mapping-2nd.patch
  0003-Steinberg-UR44-fix-the-direction-for-steinberg_ur44_.patch
- Backport upstream fixes for Steinberg UR44:
  0001-Steinberg-UR44-fix-the-Line2-channel-mapping.patch
  0002-Steinberg-UR44-fix-the-Line2-channel-mapping-2nd.patch
  0003-Steinberg-UR44-fix-the-direction-for-steinberg_ur44_.patch
- Update to version 1.2.7: Various profile updates for USB-audio, HD-audio, etc.
  For details, see: https://www.alsa-project.org/wiki/Changes_v1.2.6.3_v1.2.7#alsa-ucm-conf
- Drop obsoleted patches:
  0001-HDA-DualCodecs-fix-typo-in-Speaker-condition.patch
  0002-HDA-acp-avoid-to-create-Mic-ACP-LED-control-for-the-.patch
-----------------------------------------------------------------------------
o Updated alsa-utils (security/bugfix/feature)

- Update to alsa-utils 1.2.8 (jsc#PED-850): automake update, minor alsactl, amixer and aplay fixes.
  https://www.alsa-project.org/wiki/Changes_v1.2.7.2_v1.2.8
- Add keyring
- Update to alsa-utils 1.2.7: Enhancement and fixes of alsactl, speaker-test cleanup, alsatplg enhancements, arecord ghost data fix, etc.
  For details see: https://www.alsa-project.org/wiki/Changes_v1.2.6.3_v1.2.7#alsa-utils
- Drop obsoleted patches:
  0001-alsamixer-Fix-regression-in-color-setup.patch
  0002-alsamixer-Revert-has_mouse-check.patch
- Fix the broken mouse support on alsamixer:
  0002-alsamixer-Revert-has_mouse-check.patch
-----------------------------------------------------------------------------
o Added amavisd-milter (feature)

## WARNING - the following diff is a head -20 proposal
* Tue Jan 04 2022 suse+build@de-korte.org
- Update to version 1.7.2
  * The SMTP_AUTH* attributes are missing in policy_bank.
* Wed Jul 28 2021 jsegitz@suse.com
- Added hardening to systemd service(s).
  Modified:
  * amavisd-milter.service
* Wed Feb 24 2021 suse+build@de-korte.org
- Initial release of amavisd-milter (unbundled from amavisd-new)
- Update to version 1.7.1
  * An empty sender must always be enclosed in angle brackets.
- Update to version 1.7.0
  * Fork after initializing milter socket.
  * Use client_name if available instead of hostname passed to xxfi_connect.
  * Generate amamvisd-milter.8 from AMAVISD-MILTER.md.
  * Fixed compiler warnings.

-----------------------------------------------------------------------------
o Updated apache2-mod_auth_openidc (security/bugfix/feature)

- Fix CVE-2022-23527, Open Redirect in oidc_validate_redirect_url() using tab character (CVE-2022-23527, bsc#1206441)
  * fix-CVE-2022-23527-0.patch
  * fix-CVE-2022-23527-1.patch
  * fix-CVE-2022-23527-3.patch
  * fix-CVE-2022-23527-2.patch
- Harden oidc_handle_refresh_token_request function
  * harden-refresh-token-request.patch
- Fixes bsc#1199868, mod_auth_openidc not loading
- Fix CVE-2021-39191 open redirect issue in target_link_uri parameter (CVE-2021-39191, bsc#1190223)
  * fix-CVE-2021-39191.patch

-----------------------------------------------------------------------------
o Updated apache2-mod_php7 (security/bugfix/feature)

- security update
- added patches
  fix CVE-2023-0568 [bsc#1208366], NULL byte off-by-one in php_check_specific_open_basedir
  + php7-CVE-2023-0568.patch
  fix CVE-2023-0662 [bsc#1208367], DoS vulnerability when parsing multipart request body
  + php7-CVE-2023-0662.patch
  https://github.com/php/php-src/commit/a92acbad873a05470af1a47cb785a18eadd827b5, relates to CVE-2023-0567 [bsc#1208388]
  + php7-crypt-possible-buffer-overread.patch
- security update
- added patches
  fix CVE-2022-31631 [bsc#1206958], Due to an integer overflow PDO:quote() may return unquoted string
  + php7-CVE-2022-31631.patch
- version update to 7.4.33 [bsc#1204577][bsc#1204979]
  03 Nov 2022
  GD:
    Fixed bug #81739: OOB read due to insufficient input validation in imageloadfont().
    (CVE-2022-31630)
  Hash:
    Fixed bug #81738: buffer overflow in hash_update() on long parameter. (CVE-2022-37454)
- version update to 7.4.32 [jsc#SLE-23639]
  Version 7.4.32
  29 Sep 2022
  Core:
    Fixed bug #81726: phar wrapper: DOS when using quine gzip file. (CVE-2022-31628)
    Fixed bug #81727: Don't mangle HTTP variable names that clash with ones that have a specific semantic meaning. (CVE-2022-31629)
  Version 7.4.30
  09 Jun 2022
  mysqlnd:
    Fixed bug #81719: mysqlnd/pdo password buffer overflow. (CVE-2022-31626)
  pgsql:
    Fixed bug #81720: Uninitialized array in pg_query_params(). (CVE-2022-31625)
  Version 7.4.29
  14 Apr 2022
  Core:
    No source changes to this release. This update allows for re-building the Windows binaries against upgraded dependencies which have received security updates.
  Date:
    Updated to latest IANA timezone database (2022a).
  Version 7.4.28
  17 Feb 2022
  Filter:
    Fix #81708: UAF due to php_filter_float() failing for ints (CVE-2021-21708)
  Version 7.4.27
  16 Dec 2021
  Core:
    Fixed bug #81626 (Error on use static:: in __сallStatic() wrapped to Closure::fromCallable()).
  FPM:
    Fixed bug #81513 (Future possibility for heap overflow in FPM zlog).
  GD:
    Fixed bug #71316 (libpng warning from imagecreatefromstring).
  OpenSSL:
    Fixed bug #75725 (./configure: detecting RAND_egd).
  PCRE:
    Fixed bug #74604 (Out of bounds in php_pcre_replace_impl).
  Standard:
    Fixed bug #81618 (dns_get_record fails on FreeBSD for missing type).
    Fixed bug #81659 (stream_get_contents() may unnecessarily overallocate).
  Version 7.4.26
  18 Nov 2021
  Core:
    Fixed bug #81518 (Header injection via default_mimetype / default_charset).
  Date:
    Fixed bug #81500 (Interval serialization regression since 7.3.14 / 7.4.2).
  MBString:
    Fixed bug #76167 (mbstring may use pointer from some previous request).
  MySQLi:
    Fixed bug #81494 (Stopped unbuffered query does not throw error).
  PCRE:
    Fixed bug #81424 (PCRE2 10.35 JIT performance regression).
  Streams:
    Fixed bug #54340 (Memory corruption with user_filter).
  XML:
    Fixed bug #79971 (special character is breaking the path in xml function). (CVE-2021-21707)
- fixes [bsc#1203867] and [bsc#1203870]
- deleted patches
  - php7-CVE-2021-21707.patch (upstreamed)
  - php7-CVE-2021-21708.patch (upstreamed)
  - php7-CVE-2022-31625.patch (upstreamed)
  - php7-CVE-2022-31626.patch (upstreamed)
- security update
- added patches
  fix CVE-2022-31625 [bsc#1200645], uninitialized pointers free in Postgres extension
  + php7-CVE-2022-31625.patch
- security update
- added patches
  fix CVE-2022-31626 [bsc#1200628], buffer overflow via user-supplied password when using pdo_mysql extension with mysqlnd driver
  + php7-CVE-2022-31626.patch
- security update
- added patches
  fix CVE-2021-21707 [bsc#1193041], special character breaks path in xml parsing
  + php7-CVE-2021-21707.patch
- security update [bsc#1197644]
- added patches
  fix https://github.com/php/php-src/commit/771dbdb319fa7f90584f6b2cc2c54ccff570492d
  + php7-signedness-php_filter_validate_domain.patch

-----------------------------------------------------------------------------
o Updated apache2-mod_php8 (security/bugfix/feature)

- version update to 8.0.28
  14 Feb 2023
  Core:
    Fixed bug #81744 (Password_verify() always return true with some hash).
    Fixed bug #81746 (1-byte array overrun in common path resolve code).
  SAPI:
    Fixed bug GHSA-54hq-v5wp-fqgv (DOS vulnerability when parsing multipart request body). (CVE-2023-0662)
  This is a security release that addresses CVE-2023-0567, CVE-2023-0568, and CVE-2023-0662.
- We are not affected by CVE-2023-0567 (https://github.com/php/php-src/security/advisories/GHSA-7fj2-8x79-rjf4) as we build against system libcrypt.
- See [bsc#1208388], [bsc#1208366], [bsc#1208367].
- version update to 8.0.27 [bsc#1206958]
  05 Jan 2023
  PDO/SQLite:
    Fixed bug #81740 (PDO::quote() may return unquoted string). (CVE-2022-31631)
- version update to 8.0.26
  24 Nov 2022
  CLI:
    Fixed bug GH-9709 (Null pointer dereference with -w/-s options).
  Core:
    Fixed bug GH-9752 (Generator crashes when interrupted during argument evaluation with extra named params).
    Fixed bug GH-9801 (Generator crashes when memory limit is exceeded during initialization).
    Fixed potential NULL pointer dereference in Windows shm*() functions.
    Fixed bug GH-9750 (Generator memory leak when interrupted during argument evaluation.
  Date:
    Fixed bug GH-9763 (DateTimeZone ctr mishandles input and adds null byte if the argument is an offset larger than 100*60 minutes).
  FPM:
    Fixed bug GH-9754 (SaltStack (using Python subprocess) hangs when running php-fpm 8.1.11).
  mysqli:
    Fixed bug GH-9841 (mysqli_query throws warning despite using silenced error mode).
  OpenSSL:
    Fixed bug GH-8430 (OpenSSL compiled with no-md2, no-md4 or no-rmd160 does not build).
  SOAP:
    Fixed GH-9720 (Null pointer dereference while serializing the response).
- amend %preun to fix [bsc#1205782]
- version update to 8.0.25 [bsc#1204577][bsc#1204979]
  27 Oct 2022
  GD:
    Fixed bug #81739: OOB read due to insufficient input validation in imageloadfont(). (CVE-2022-31630)
  Hash:
    Fixed bug #81738: buffer overflow in hash_update() on long parameter. (CVE-2022-37454)
  Session:
    Fixed bug GH-9583 (session_create_id() fails with user defined save handler that doesn't have a validateId() method).
  Streams:
    Fixed bug GH-9590 (stream_select does not abort upon exception or empty valid fd set).
- version update to 8.0.24
  29 Sep 2022
  Core:
    Fixed bug #81726: phar wrapper: DOS when using quine gzip file. (CVE-2022-31628)
    Fixed bug #81727: Don't mangle HTTP variable names that clash with ones that have a specific semantic meaning. (CVE-2022-31629)
    Fixed bug GH-9323 (Crash in ZEND_RETURN/GC/zend_call_function) (Tim Starling)
    Fixed bug GH-9361 (Segmentation fault on script exit #9379).
    Fixed bug GH-9447 (Invalid class FQN emitted by AST dump for new and class constants in constant expressions).
  DOM:
    Fixed bug #79451 (DOMDocument->replaceChild on doctype causes double free).
  FPM:
    Fixed bug GH-8885 (FPM access.log with stderr begins to write logs to error_log after daemon reload).
    Fixed bug #77780 ("Headers already sent..." when previous connection was aborted).
  GMP:
    Fixed bug GH-9308 (GMP throws the wrong error when a GMP object is passed to gmp_init()).
  Intl:
    Fixed bug GH-9421 (Incorrect argument number for ValueError in NumberFormatter).
  PCRE:
    Fixed pcre.jit on Apple Silicon.
  PDO_PGSQL:
    Fixed bug GH-9411 (PgSQL large object resource is incorrectly closed).
  Reflection:
    Fixed bug GH-8932 (ReflectionFunction provides no way to get the called class of a Closure).
  Streams:
    Fixed bug GH-9316 ($http_response_header is wrong for long status line).
- fixes [bsc#1203867] and [bsc#1203870]
- version update to 8.0.23 [jsc#SLE-23639]
  Version 8.0.23
  01 Sep 2022
  Core:
    Fixed incorrect double to long casting in latest clang.
  DBA:
    Fixed LMDB driver memory leak on DB creation failure.
    Fixed bug GH-9155 (dba_open("non-existing", "c-", "flatfile") segfaults).
  Intl:
    Fixed IntlDateFormatter::formatObject() parameter type.
  OPcache:
    Fixed bug GH-9033 (Loading blacklist file can fail due to negative length).
  PDO_SQLite:
    Fixed bug GH-9032 (SQLite3 authorizer crashes on NULL values).
  SQLite3:
    Fixed bug GH-9032 (SQLite3 authorizer crashes on NULL values).
  Standard:
    Fixed bug GH-9017 (php_stream_sock_open_from_socket could return NULL).
  Streams:
    Fixed bug GH-8472 (The resource returned by stream_socket_accept may have incorrect metadata).
    Fixed bug GH-8409 (SSL handshake timeout leaves persistent connections hanging).
  Version 8.0.22
  04 Aug 2022
  CLI:
    Fixed potential overflow for the builtin server via the PHP_CLI_SERVER_WORKERS environment variable.
  Core:
    Fixed bug GH-8923 (error_log on Windows can hold the file write lock).
    Fixed bug GH-8995 (WeakMap object reference offset causing TypeError).
  Date:
    Fixed bug #80047 (DatePeriod doesn't warn with custom DateTimeImmutable).
  DBA:
    Fixed LMDB driver hanging when attempting to delete a non-existing key.
  FPM:
    Fixed zlog message prepend, free on incorrect address.
    Fixed possible double free on configuration loading failure.
  GD:
    Fixed bug GH-8848 (imagecopyresized() error refers to the wrong argument).
  Intl:
    Fixed build for ICU 69.x and onwards.
  OPcache:
    Fixed bug GH-8847 (PHP hanging infinitly at 100% cpu when check php syntaxe of a valid file).
  Standard:
    Fixed the crypt_sha256/512 api build with clang > 12.
    Uses CCRandomGenerateBytes instead of arc4random_buf on macOs.
  Version 8.0.21
  07 Jul 2022
  Core:
    Fixed potential use after free in php_binary_init().
  CLI:
    Fixed GH-8827 (Intentionally closing std handles no longer possible).
  COM:
    Fixed bug GH-8778 (Integer arithmethic with large number variants fails).
  Curl:
    Fixed CURLOPT_TLSAUTH_TYPE is not treated as a string option.
  Date:
    Fixed bug #74671 (DST timezone abbreviation has incorrect offset).
    Fixed bug #77243 (Weekdays are calculated incorrectly for negative years).
    Fixed bug #78139 (timezone_open accepts invalid timezone string argument).
  FPM:
    Fixed bug #67764 (fpm: syslog.ident don't work).
  MBString:
    Fixed bug GH-8685 (pcre not ready at mbstring startup).
  ODBC:
    Fixed handling of single-key connection strings.
  OpenSSL:
    Fixed bug #50293 (Several openssl functions ignore the VCWD).
    Fixed bug #81713 (NULL byte injection in several OpenSSL functions working with certificates).
  PDO_ODBC:
    Fixed errorInfo() result on successful PDOStatement->execute().
    Fixed handling of single-key connection strings.
  Zip:
    Fixed bug GH-8781 (ZipArchive::close deletes zip file without updating stat cache).
  Version 8.0.20
  09 Jun 2022
  CLI:
    Fixed bug GH-8575 (CLI closes standard streams too early).
  Core:
    Fixed Haiku ZTS builds.
  Date:
    Fixed bug GH-8471 (Segmentation fault when converting immutable and mutable DateTime instances created using reflection).
  FPM:
    Fixed ACL build check on MacOS.
    Fixed bug #72185: php-fpm writes empty fcgi record causing nginx 502.
  Mysqlnd:
    Fixed bug #81719: mysqlnd/pdo password buffer overflow.
    (CVE-2022-31626)
  OPcache:
    Fixed bug GH-8466 (ini_get() is optimized out when the option does not exist).
  Pcntl:
    Fixed Haiku build.
  Pgsql:
    Fixed bug #81720: Uninitialized array in pg_query_params(). (CVE-2022-31625)
  Soap:
    Fixed bug GH-8578 (Error on wrong parameter on SoapHeader constructor).
    Fixed bug GH-8538 (SoapClient may strip parts of nmtokens).
  SPL:
    Fixed bug GH-8235 (iterator_count() may run indefinitely).
  Zip:
    Fixed type for index in ZipArchive::replaceFile.
  Version 8.0.19
  12 May 2022
  Core:
    Fixed bug GH-8289 (Exceptions thrown within a yielded from iterator are not rethrown into the generator).
  Date:
    Fixed bug GH-7979 (DatePeriod iterator advances when checking if valid).
  FFI:
    Fixed bug GH-8433 (Assigning function pointers to structs in FFI leaks).
  FPM:
    Fixed bug #76003 (FPM /status reports wrong number of active processe).
    Fixed bug #77023 (FPM cannot shutdown processes).
    Fixed comment in kqueue remove callback log message.
  Iconv:
    Fixed bug GH-8218 (ob_end_clean does not reset Content-Encoding header).
  Intl:
    Fixed bug GH-8364 (msgfmt_format $values may not support references).
  MySQLi:
    Fixed bug GH-8267 (MySQLi uses unsupported format specifier on Windows).
  SPL:
    Fixed bug GH-8366 (ArrayIterator may leak when calling __construct()).
    Fixed bug GH-8273 (SplFileObject: key() returns wrong value).
  Streams:
    Fixed php://temp does not preserve file-position when switched to temporary file.
  zlib:
    Fixed bug GH-8218 (ob_end_clean does not reset Content-Encoding header).
  Version 8.0.18
  14 Apr 2022
  Core:
    Fixed freeing of internal attribute arguments.
    Fixed bug GH-8070 (memory leak of internal function attribute hash).
    Fixed bug GH-8160 (ZTS support on Alpine is broken).
  Filter:
    Fixed signedness confusion in php_filter_validate_domain().
  Intl:
    Fixed bug GH-8142 (Compilation error on cygwin).
  MBString:
    Fixed bug GH-8208 (mb_encode_mimeheader: $indent functionality broken).
  MySQLi:
    Fixed bug GH-8068 (mysqli_fetch_object creates inaccessible properties).
  Pcntl:
    Fixed bug GH-8142 (Compilation error on cygwin).
  PgSQL:
    Fixed result_type related stack corruption on LLP64 architectures.
    Fixed bug GH-8253 (pg_insert() fails for references).
  Sockets:
    Fixed Solaris builds.
  SPL:
    Fixed bug GH-8121 (SplFileObject - seek and key with csv file inconsistent).
  Standard:
    Fixed bug GH-8048 (Force macOS to use statfs).
  Version 8.0.17
  17 Mar 2022
  Core:
    Fixed Haiku ZTS build.
  GD:
    Fixed libpng warning when loading interlaced images.
  FPM:
    Fixed bug #76109 (Unsafe access to fpm scoreboard).
  Iconv:
    Fixed bug GH-7953 (ob_clean() only does not set Content-Encoding).
    Fixed bug GH-7980 (Unexpected result for iconv_mime_decode).
  MySQLnd:
    Fixed bug GH-8058 (NULL pointer dereference in mysqlnd package).
  OPcache:
    Fixed bug GH-8074 (Wrong type inference of range() result).
  Reflection:
    Fixed bug GH-8080 (ReflectionClass::getConstants() depends on def. order).
  Zlib:
    Fixed bug GH-7953 (ob_clean() only does not set Content-Encoding).
  Version 8.0.16
  17 Feb 2022
  Core:
    Fixed bug #81430 (Attribute instantiation leaves dangling pointer).
    Fixed bug GH-7896 (Environment vars may be mangled on Windows).
  FFI:
    Fixed bug GH-7867 (FFI::cast() from pointer to array is broken).
  Filter:
    Fix #81708: UAF due to php_filter_float() failing for ints. (CVE-2021-21708)
  FPM:
    Fixed memory leak on invalid port.
  MBString:
    Fixed bug GH-7902 (mb_send_mail may delimit headers with LF only).
  MySQLnd:
    Fixed bug GH-7972 (MariaDB version prefix 5.5.5- is not stripped).
  Sockets:
    Fixed ext/sockets build on Haiku.
    Fixed bug GH-7978 (sockets extension compilation errors).
  Standard:
    Fixed bug GH-7875 (mails are sent even if failure to log throws exception).
  Version 8.0.15
  20 Jan 2022
  Core:
    Fixed bug #81656 (GCC-11 silently ignores -R).
    Fixed bug #81585 (cached_chunks are not counted to real_size on shutdown).
  Filter:
    Fixed FILTER_FLAG_NO_RES_RANGE flag.
  Hash:
    Fixed bug GH-7759 (Incorrect return types for hash() and hash_hmac()).
    Fixed bug GH-7826 (Inconsistent argument name in hash_hmac_file and hash_file).
  MySQLnd:
    Fixed bug where large bigints may be truncated.
  OCI8:
    Fixed bug GH-7765 (php_oci_cleanup_global_handles segfaults at second call).
  OPcache:
    Fixed bug #81679 (Tracing JIT crashes on reattaching).
  PDO_PGSQL:
    Fixed error message allocation of PDO PgSQL.
  Sockets:
    Avoid void* arithmetic in sockets/multicast.c on NetBSD.
  Spl:
    Fixed bug #75917 (SplFileObject::seek broken with CSV flags).
  Version 8.0.14
  16 Dec 2021
  Core:
    Fixed bug #81582 (Stringable not implicitly declared if __toString() came from a trait).
    Fixed bug #81591 (Fatal Error not properly logged in particular cases).
    Fixed bug #81626 (Error on use static:: in __сallStatic() wrapped to Closure::fromCallable()).
    Fixed bug #81631 (::class with dynamic class name may yield wrong line number).
  FPM:
    Fixed bug #81513 (Future possibility for heap overflow in FPM zlog).
  GD:
    Fixed bug #71316 (libpng warning from imagecreatefromstring).
  IMAP:
    Fixed bug #81649 (imap_(un)delete accept sequences, not single numbers).
  OpenSSL:
    Fixed bug #75725 (./configure: detecting RAND_egd).
  PCRE:
    Fixed bug #74604 (Out of bounds in php_pcre_replace_impl).
  SPL:
    Fixed bug #81587 (MultipleIterator Segmentation fault w/ SimpleXMLElement attached).
  Standard:
    Fixed bug #81618 (dns_get_record fails on FreeBSD for missing type).
    Fixed bug #81659 (stream_get_contents() may unnecessarily overallocate).
  Version 8.0.13
  18 Nov 2021
  Core:
    Fixed bug #81518 (Header injection via default_mimetype / default_charset).
  Date:
    Fixed bug #81500 (Interval serialization regression since 7.3.14 / 7.4.2).
  DBA:
    Fixed bug #81588 (TokyoCabinet driver leaks memory).
  MBString:
    Fixed bug #76167 (mbstring may use pointer from some previous request).
  Opcache:
    Fixed bug #81512 (Unexpected behavior with arrays and JIT).
  PCRE:
    Fixed bug #81424 (PCRE2 10.35 JIT performance regression).
  XML:
    Fixed bug #79971 (special character is breaking the path in xml function).
    (CVE-2021-21707)
  XMLReader:
    Fixed bug #81521 (XMLReader::getParserProperty may throw with a valid property).
  Version 8.0.12
  21 Oct 2021
  CLI:
    Fixed bug #81496 (Server logs incorrect request method).
  Core:
    Fixed bug #81435 (Observer current_observed_frame may point to an old (overwritten) frame).
    Fixed bug #81380 (Observer may not be initialized properly).
  DOM:
    Fixed bug #81433 (DOMElement::setIdAttribute() called twice may remove ID).
  FFI:
    Fixed bug #79576 ("TYPE *" shows unhelpful message when type is not defined).
  FPM:
    Fixed bug #81026 (PHP-FPM oob R/W in root process leading to privilege escalation) (CVE-2021-21703, bsc#1192050).
  Fileinfo:
    Fixed bug #78987 (High memory usage during encoding detection).
  Filter:
    Fixed bug #61700 (FILTER_FLAG_IPV6/FILTER_FLAG_NO_PRIV|RES_RANGE failing).
  Opcache:
    Fixed bug #81472 (Cannot support large linux major/minor device number when read /proc/self/maps).
  Reflection:
    ReflectionAttribute is no longer final.
  SPL:
    Fixed bug #80663 (Recursive SplFixedArray::setSize() may cause double-free).
    Fixed bug #81477 (LimitIterator + SplFileObject regression in 8.0.1).
  Standard:
    Fixed bug #69751 (Change Error message of sprintf/printf for missing/typo position specifier).
  Streams:
    Fixed bug #81475 (stream_isatty emits warning with attached stream wrapper).
  XML:
    Fixed bug #70962 (XML_OPTION_SKIP_WHITE strips embedded whitespace).
  Zip:
    Fixed bug #81490 (ZipArchive::extractTo() may leak memory).
    Fixed bug #77978 (Dirname ending in colon unzips to wrong dir).
  Version 8.0.11
  23 Sep 2021
  Core:
    Fixed bug #81302 (Stream position after stream filter removed).
    Fixed bug #81346 (Non-seekable streams don't update position after write).
    Fixed bug #73122 (Integer Overflow when concatenating strings).
  GD:
    Fixed bug #53580 (During resize gdImageCopyResampled cause colors change).
  Opcache:
    Fixed bug #81353 (segfault with preloading and statically bound closure).
  Shmop:
    Fixed bug #81407 (shmop_open won't attach and causes php to crash).
  Standard:
    Fixed bug #71542 (disk_total_space does not work with relative paths).
    Fixed bug #81400 (Unterminated string in dns_get_record() results).
  SysVMsg:
    Fixed bug #78819 (Heap Overflow in msg_send).
  XML:
    Fixed bug #81351 (xml_parse may fail, but has no error code).
  Zip:
    Fixed bug #80833 (ZipArchive::getStream doesn't use setPassword).
    Fixed bug #81420 (ZipArchive::extractTo extracts outside of destination).
- deleted patches
  - php8-CVE-2021-21707.patch (upstreamed)
  - php8-CVE-2021-21708.patch (upstreamed)
  - php8-CVE-2022-31625.patch (upstreamed)
  - php8-CVE-2022-31626.patch (upstreamed)
- devel package requires pear and pecl extensions [jsc#SLE-24723] [bsc#1200772]
- security update
- added patches
  fix CVE-2022-31625 [bsc#1200645], uninitialized pointers free in Postgres extension
  + php8-CVE-2022-31625.patch
- security update
- added patches
  fix CVE-2022-31626 [bsc#1200628], buffer overflow via user-supplied password when using pdo_mysql extension with mysqlnd driver
  + php8-CVE-2022-31626.patch
- security update
- added patches
  fix CVE-2021-21707 [bsc#1193041], special character breaks path in xml parsing
  + php8-CVE-2021-21707.patch
- security update [bsc#1197644]
- added patches
  fix https://github.com/php/php-src/commit/771dbdb319fa7f90584f6b2cc2c54ccff570492d
  + php8-signedness-php_filter_validate_domain.patch

-----------------------------------------------------------------------------
o Updated apache2-mod_security2 (security/bugfix/feature)

- Fix CVE-2023-24021, FILES_TMP_CONTENT sometimes lacked the complete content (CVE-2023-24021, bsc#1207379)
  * fix-CVE-2023-24021.patch
- Fix CVE-2022-48279, HTTP multipart requests were incorrectly parsed and could bypass the Web Application Firewall (CVE-2022-48279, bsc#1207378)
  * fix-CVE-2022-48279.patch

-----------------------------------------------------------------------------
o Updated apache2-mod_wsgi-python3 (security/bugfix/feature)

- Add CVE-2022-2255.patch (bsc#1201634)
-----------------------------------------------------------------------------
o Updated apache2-mod_wsgi (security/bugfix/feature)

- Add CVE-2022-2255.patch (bsc#1201634)

-----------------------------------------------------------------------------
o Updated apache2 (security/bugfix/feature)

- security update
- added patches:
  fix CVE-2022-37436 [bsc#1207251], mod_proxy backend HTTP response splitting
  + apache2-CVE-2022-37436.patch
  fix CVE-2022-36760 [bsc#1207250], mod_proxy_ajp Possible request smuggling
  + apache2-CVE-2022-36760.patch
  fix CVE-2006-20001 [bsc#1207247], mod_dav out of bounds read, or write of zero byte
  + apache2-CVE-2006-20001.patch
- security update
- added patches:
  fix CVE-2022-26377 [bsc#1200338], possible request smuggling in mod_proxy_ajp
  + apache2-CVE-2022-26377.patch
  fix CVE-2022-28614 [bsc#1200340], read beyond bounds via ap_rwrite()
  + apache2-CVE-2022-28614.patch
  fix CVE-2022-28615 [bsc#1200341], read beyond bounds in ap_strcmp_match()
  + apache2-CVE-2022-28615.patch
  fix CVE-2022-29404 [bsc#1200345], denial of service in mod_lua r:parsebody
  + apache2-CVE-2022-29404.patch
  fix CVE-2022-30556 [bsc#1200350], information disclosure in mod_lua with websockets
  + apache2-CVE-2022-30556.patch
  fix CVE-2022-30522 [bsc#1200352], mod_sed denial of service
  + apache2-CVE-2022-30522.patch
  fix CVE-2022-31813 [bsc#1200348], mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism
  + apache2-CVE-2022-31813.patch
- fix gensslcert to generate dhparams certificate using a valid FIPS method [bsc#1198913]
- apply correctly patches for CVE-2021-44790 [bsc#1193942] and CVE-2021-44224 [bsc#1193943]

-----------------------------------------------------------------------------
o Updated apparmor (security/bugfix/feature)

- Add samba-4-17.patch to update the samba profiles for samba version 4.17 (bsc#1206626);
- add profiles-permit-php-fpm-pid-files-directly-under-run.patch
  https://gitlab.com/apparmor/apparmor/-/merge_requests/914 (bsc#1202344)
-----------------------------------------------------------------------------
o Updated AppStream (security/bugfix/feature)

- Update to version 0.15.6:
  * Features:
    + qt: Add API for ContentRating descriptions and ratingIds
    + Add some coccinelle semantic patches for common style issues
    + compose: Allow building without SVG support (for bootstrap only)
    + validator:
      - Check for nodes that are text nodes even though they shouldn't be
      - Extend validation for custom tag
      - Improve Screenshot validation
  * Specification:
    + docs: Fix typos in documentation
  * Bugfixes:
    + validator:
      - internat: Don't allow bandwidth_mbitps when value is offline-only
      - Fix timestamp validation
      - Allow release descriptions to start with punctuation
    + compose:
      - Only add no-metainfo tag if component isn't already ignored
      - Show better error in AscImage if compose was build without rsvg
    + Add a hack to clarify proper PtrArray element ownership for language bindings
    + qt:
      - Port away from deprecated QDateTime API
      - Deprecate Component::requires
      - Fix warning
      - Fix stringListToCharArray and Pool::componentsByCategories
      - Port away from deprecated foreach
    + as-review:
      - Add a typedef for property enums
      - Install properties at once rather than individually
      - Specify G_PARAM_STATIC_STRINGS for properties
      - Emit GObject::notify on property value changes
      - Add missing property for as_review_{get,set}_priority()
    + ascli: fix NULL pointer dereference
  * Miscellaneous:
    + docs: Split releases specification into its own section
    + style: Make code easier to read by using helper macros in all places
    + Make some compiler warnings fatal unconditionally
- Add patch to support meson 0.59 which is the only version available in SLE 15 SP5:
  * support-meson0.59.patch
- Don't use %ldconfig_scriptlets. Leap 15.3 doesn't understand it.
- Update to version 0.15.5:
  * Features:
    + validator:
      - Allow severity downgrade of releases-not-in-order for GNOME
      - Perform stricter integer validation
      - Check for url redefinitions
      - Validate the "internet" relation item
      - Add validation for memory relation
    + Implement the "replaces" tag
    + Add convenience function that check if component is free by license and origin
    + qt: Add wrappers for AsComponent isFree/supports/replaces
    + Always add untranslated component names to the search index
    + Implement internet relation item
  * Specification:
    + spec:
      - Specify a proper "replaces" tag
      - Add an kind to requires/recommends/supports
  * Bugfixes:
    + validator:
      - Don't permit overriding the unknown root tag issue
      - Distinguish translatable from not-translatable tags in duplicate checks
    + compose:
      - Don't crash if metainfo file contains an invalid stock icon
      - Don't synthesize components for desktop files of settings apps
    + spdx: Fix possible crash when NULL is passed to is_free_license
    + Return the correct values in as_display_length_kind_from_px()
  * Miscellaneous:
    + Silence static analyzer false-positives based on GCC version
    + data: use lxml to get the XDG categories
- Package doc sub-package as noarch.
- Use ldconfig_scriptlets macro for post(un) handling.
- AppStream 0.15.4:
  * validator: Check timestamp validity
  * validator: Allow (limited) overriding of issue tag severities
  * validator: Add strict mode
  * ascli: validate: Allow simple overriding of issue tags
  * validator: Check for exact relation item redefinitions
  * Add vcs-browser URL to metainfo.xml
  * compose: Improve media-baseurl sanity checks for icon/screenshot policies
  * compose: Don't create bad data when localized screenshots exist
  * compose: Sanitize prefix value and verify all units for results
  * compose: Fail and not just warn if we couldn't open a unit
  * compose: Make no-result detection a bit more robust
  * compose: Properly handle localized screenshots
  * compose: Ignore current locale when analyzing screencasts
- Update to version 0.15.3
  * qt: Include enums for VcsBrowser and Contribute
  * Add vcs-browser and contribute URL type
  * validate: Improve validation of desktop files alongside metainfo data
  * its: Mark deprecated rules as deprecated
  * Implement l10n support for metainfo keyword tags
  * validator: Perform basic validation of keywords in metainfo data
  * compose: Prefer metainfo keywords over desktop-entry keywords
  * Specification:
  * docs: Document keywords for metainfo files as well
  * docs: Spell it metainfo, not meta-info if referencing metainfo.xml files
  * spec: Document how keywords in metainfo files should be translated
  * Multiple Bugfixes
- Update to version 0.15.2
  * Relicense remaining GPL-2.0 code to LGPL-2.1+
  * compose: Allow setting a custom CAInfo file
  * qt: Always use C library for enum-to-string conversions
  * compose: Allow any amount of release entries for OS components
  * compose: Implement more flexible icon policy
  * validator: Ensure component-ID has no punctuation prefix
  * validator: Check existence of version and date release properties
  * Implement component-wide end-of-life date attribute
  * compose: Build API documentation
  * Support the new swcatalog catalog metadata location and add app-info fallback
  * When finding components
    by ID, use provided IDs if no exact matches were found
  * ascli: Fix install/remove commands, add Flatpak support
  * Implement XML & YAML read/write of the "branding" tag group
  * Handle embedded lists in YAML release info paragraphs
  * Specification:
  * spec: Specify a "date_eol" property for the component itself
  * spec: Specify the new "branding" tag
  * docs: Update links to API reference pages
  * spec: Require that branding colours start with a hash symbol
  * docs: Clarify license and ship license copies
  * docs: Document media_baseurl property of components
  * Multiple bugfixes
- Add Appstream Requires to Appstream-devel package, a devel package should require it's own binary and config.
- Don't refresh the system cache in %post. The user metadata cache works much better, rely on that instead.

-----------------------------------------------------------------------------
o Updated apr-util (security/bugfix/feature)

- security fix CVE-2022-25147, bsc#1207866: buffer overflow possible with specially crafted input
  + added patch apr-util-CVE-2022-25147.patch

-----------------------------------------------------------------------------
o Updated atkmm1_6 (security/bugfix/feature)

- Update to version 2.28.3:
  + Build:
    - Support building with Visual Studio 2022 (Chun-wei Fan)
    - Meson build: Specify 'check' option in run_command() Will be necessary with future versions of Meson.
    - Meson build: Perl is not required by new versions of mm-common
    - Meson build: Avoid unnecessary configuration warnings
    - Meson build: Require meson >= 0.55.0 (Kjell Ahlstedt)
    - Require atk >= 2.12.0 Not a new requirement, but previously it was not specified in configure.ac and meson.build.
      (Kjell Ahlstedt)
    - Rename README to README.md

-----------------------------------------------------------------------------
o Updated audit-secondary (security/bugfix/feature)

- Fix rules not loaded when restarting auditd.service(bsc#1204844)
- Update audit-secondary.spec: create symbolic link from /sbin/audisp-syslog to /usr/sbin/audisp-syslog (bsc#1201519).

-----------------------------------------------------------------------------
o Updated augeas (security/bugfix/feature)

- add augeas-sysctl_parsing.patch (bsc#1197443)
  * backport original patch and rebase

-----------------------------------------------------------------------------
o Updated autoyast2 (security/bugfix/feature)

- Added XSLT transformation for easy conversion of the data types in the AutoYaST XML profiles between the old and the new format. This allows to convert a new profile to the format accepted in SLE15-SP2 or older (bsc#1206597)
- 4.5.12
- Avoid a potential crash when autoinst.ycp file is empty or missing (bsc#1205732).
- 4.5.11
- Fix hash vs keyword arguments in RSpec expectations (bsc#1204871)
- 4.5.10
- Add needed packages for kdump even when kdump section is not defined if product enable kdump by default (bsc#1204180)
- 4.5.9
- Add support for security policies validation (jsc#SLE-24764).
- Log the profile/rules/classes file SHA1 sum so we can later verify that a particular file was or was not used by YaST (related to bsc#1204175)
- 4.5.8
- Allow empty values in ask/default, ask/selection/label and ask/selection/value elements (bsc#1204448).
- 4.5.7
- fix profile location parsing and add 'repo' URL scheme (jsc#SLE-22578, jsc#SLE-24584)
- 4.5.6
- Add needed packages for the selected network backend in order to prevent it is not declared in the software section (bsc#1201235, bsc#1201435)
- 4.5.5
- bsc#1203227
  - Replaced egrep with grep -E.
- 4.5.4 - Revert the modification done in version 4.3.97 running the initscripts before systemd-user-sessions service again once systemd fixed logind (bsc#1195059, bsc#1200780) - 4.5.3 - Run the registration step early only on the Online installation medium which does not provide any packages. On the other media run the registration step later. Fixes crash in the SLE Micro when the AutoYaST profile enables the registration step. (bsc#1200803) - 4.5.2 - Fix detection disk serial and size in the "disks" ERB helper (bsc#1199000). - Fix rules validation when using a dialog (bsc#1199165). - 4.5.1 - Bump version to 4.5.0 (bsc#1198109) ----------------------------------------------------------------------------- o Updated aws-cli (security/bugfix/feature) - Update to version 1.24.4 (bsc#1199716) + For detailed changes see https://github.com/aws/aws-cli/blob/1.24.4/CHANGELOG.rst - Update Requires in spec file from setup.py - Update to version 1.24.1 + For detailed changes see https://github.com/aws/aws-cli/blob/1.24.1/CHANGELOG.rst - Update Requires in spec file from setup.py - Update to version 1.23.11 + For detailed changes see https://github.com/aws/aws-cli/blob/1.23.11/CHANGELOG.rst - Update Requires in spec file from setup.py - Update to version 1.23.1 + For detailed changes see https://github.com/aws/aws-cli/blob/1.23.1/CHANGELOG.rst - Update Requires in spec file from setup.py - Update to version 1.22.87 + For detailed changes see https://github.com/aws/aws-cli/blob/1.22.87/CHANGELOG.rst - Update Requires in spec file from setup.py - Update to version 1.22.65 + For detailed changes see https://github.com/aws/aws-cli/blob/1.22.65/CHANGELOG.rst - Update Requires in spec file from setup.py - Update to version 1.22.46 + For detailed changes see https://github.com/aws/aws-cli/blob/1.22.46/CHANGELOG.rst - Add missing python-rpm-macros to BuildRequires - Update Requires in spec file from setup.py - Update to version 1.22.35 + For detailed changes see
https://github.com/aws/aws-cli/blob/1.22.35/CHANGELOG.rst - Update Requires in spec file from setup.py - Update to version 1.22.28 + For detailed changes see https://github.com/aws/aws-cli/blob/1.22.28/CHANGELOG.rst - Update Requires in spec file from setup.py - Update to version 1.22.24 + For detailed changes see https://github.com/aws/aws-cli/blob/1.22.24/CHANGELOG.rst - Update Requires in spec file from setup.py - Update to version 1.21.6 + For detailed changes see https://github.com/aws/aws-cli/blob/1.21.6/CHANGELOG.rst - Relax upper version dependency for python-docutils in Requires - Update Requires in spec file from setup.py - Update to version 1.20.32 + For detailed changes see https://github.com/aws/aws-cli/blob/1.20.32/CHANGELOG.rst - Fix rpmlint warnings + use defattr for default permissions + mark zsh completion file as a config file - Use github download url as a Source0 - Update Requires in spec file from setup.py - Update to version 1.20.7 + For detailed changes see https://github.com/aws/aws-cli/blob/1.20.7/CHANGELOG.rst - Update Requires in spec file from setup.py ----------------------------------------------------------------------------- o Updated aws-efs-utils (security/bugfix/feature) - Update to version 1.34.5 * Handle invalid entries in /proc/mounts * Detect invalid private key - Update to version 1.34.4 * Fix potential tlsport selection collision by using state file as tlsport lock file (bsc#1206737, CVE-2022-46174) - Use RPM macros for directory paths (bsc#1191055) - Update to version 1.34.3 * Fix stunnel constantly restart issue when upgrading from 1.32.1 and before version to latest version * Fix race in stunnel port selection * Disable journal entry fetch from systemctl call - from version 1.34.2 * Fix potential issue on AL2 when watchdog trying to restart stunnel for the TLS mounts that existing before upgrade - from version 1.34.1 * Update Amazon Linux 2 platform to use namespaced stunnel5 - python-six is not required for build 
https://trello.com/c/MO53MocR/143-remove-python3-six - Update to version 1.33.4 (bsc#1203170) * Fix the issue where watchdog sending signal to incorrect processes and add FIPS mode support * Apply additional check on awscredsuri option - from version 1.33.3 * Fix the potential stunnel hanging issue caused by full subprocess PIPE filled by stunnel log * Specify FIPS mode in configuration * Add separate env_path for macOS; Add comments * Update get-pip.py download url in README - from version 1.33.2 * Fix the incorrect path to generate read_ahead_kb config file and Bump the default tls port range from 400 to 1000 - Add patch to use unittest.mock instead of mock in testsuite * use_mock_from_unittest.patch - Use relative URL in Source field - version update to 1.33.1 * Enable mount process to retry on failed or timed out mount.nfs command * use unittest.mock instead of mock - version update to 1.32.1 * Enable watchdog to check stunnel health periodically and restart hanging stunnel process when necessary. - do not require python-mock for build https://trello.com/c/S6eADbii/64-remove-python-mock - Update in SLE-15 (bsc#1195916, bsc#1196696, jsc#PM-3356, jsc#SLE-23972) - Remove redundant python3 dependency from Requires - Update regular expression to fix python shebang - Update to version 1.31.3 (bsc#1195916) + Add skip-styletest.patch - Style is enforced upstream and triggers unnecessary build version requirements + Allow specifying fs_id in cloudwatch log group name + Includes fix for stunnel path - Added hardening to systemd service(s). 
Added patch(es): * harden_amazon-efs-mount-watchdog.service.patch - Update to version 1.31.2 + Handle HTTPError and other unknown exception when fetching IMDS token + Support Oracle Enterprise Linux 8 - from version 1.31.1 + Support fallback to mount with mount target ip address when DNS resolution fails + Bump py from 1.8.0 to 1.10.0 - from version 1.30.2 + Add helper message when config file on instance is not latest + Fix the throughput regression due to read_ahead configuration change on Linux distribution with kernel version 5.4.x and above - from version 1.30.1 + Support mounting to specific AZ mount target + Revert "Support mounting to specific AZ mount target" + Support mounting to specific AZ mount target + Use regional AWS STS endpoints instead of the global endpoint to reduce latency - from version 1.29.1-mac + Fix issue where state files are removed after mount on EC2 instances running on MacOS Big Sur + Add support for EC2 Mac instances running macOS Big Sur - from version 1.29.1 + Update the python dependency to python3 + Fix typo - from version 1.28.2 + Fix the issue that mounting with IAM authorization with iam role does not work with IMDSv2 - from version 1.28.1 + Support publishing mount success/failure notification via CloudWatch log + filename of .deb-package now includes architecture - from version 1.27.1 + Merge PR #60 on GitHub. Adds support for AssumeRoleWithWebIdentity. 
+ Add support for AssumeRoleWithWebIdentity - from version 1.26.3 + Fix an issue where watchdog crashed during restart because stunnel was killed and pid key was removed from state file - from version 1.26.2 + Fixes an issue with watchdog where it sometimes fails to restart stunnels in efs-csi-driver container * Fixes an issue where fs cannot be mounted with tls using systemd.automount-units due to mountpoint check + Revert "Fixes an issue with watchdog where it sometimes fails to restart stunnels in efs-csi-driver container" + Fixes an issue with watchdog where it sometimes fails to restart stunnels in efs-csi-driver container + Remove non-ascii character in dist/efs-utils.conf - from version 1.25-3 + Check if mountpoint is already mounted beforehand for tls mount + Bug fix and enhancement, support fedora - from version 1.25-2 + Fix python3 IAM role name encoded format, add optional override for stunnel log + Encode IAM role name to UTF-8 - from version 1.25-1 + Create self-signed certificate for tls-only mount + add CentOS 8 support - from version 1.24 + Fix the malformed certificate info + bump the release id to 3 + Use IMDSv1 by default, and use IMDSv2 where required + Revert "Use IMDSv1 by default, and fall back to IMDSv2 if necessary" + Use IMDSv1 by default, and fall back to IMDSv2 if necessary + Modify rhel8-support.sh to handle Fedora as well, and rename it + Remove which from DEB package dependency + List which as dependency to search command exec path + Enable region sourcing from efs-utils configuration file and fix stunnel exec path issue in openSUSE + Update rpm changelog for v1.23-2, fix circleCI build issue - from version 1.23 + Add support for Amazon Elastic Container Service - from version 1.22 + Improvements to metadata retrieval and IAM authentication - from version 1.21 + Improvements to auth and access point support - from version 1.20 + Fixes the mount issue with full DNS name in the AWS China Regions; Upgrades unit test coverage version 
dependency to enable accurate python3.8 coverage test - from version 1.19 + Added region localization, Integrate repository with CircleCI to enable package build visualization, Unit tests bug fixes for python3.5 - from version 1.18 + Support IAM authentication and access points. - Add patch to disable mount_efs_test which requires networking + disable_mount_efs_test.patch - Add openssl to BuildRequires, required for testsuite - Update Requires from requirements.txt - Drop '-f' option with %service_del_preun/%service_del_postun With %service_del_preun, the option is already ignored with as support for DISABLE_STOP_ON_REMOVAL has been dropped. With %service_del_postun, this option shouldn't be needed besides very few special cases. But this package doesn't seem to belong to this category. - BuildRequire pkgconfig(systemd) instead of systemd: allow OBS to shortcut through the -mini flavors. - Update to version 1.17 + Added support for Python 3 - Enable testsuite which now passes on Python 3 - Update BuildRequires from requirements.txt - Update to version 1.16 + Support Python 3 for tests - from version 1.15 + Properly support Python3 - from version 1.14 + Tolerate EFS state directory existing during mount - from version 1.13 + Change watchdog configuration so it stops after all file systems are unmounted - from version 1.12 + Update stunnel idle timeout * The default stunnel idle timeout is many hours. By setting it to a value based on the NFS lease length we can recover from network partitions sooner. - from version 1.11 + Add support for RHEL8 * Fixes Python shebangs to work on systems without a default "python" version. * Fixes watchdog process not being properly started on systemd systems. - from version 1.10 + Update to default configuration that disables OCSP * To use OCSP, the client accessing EFS must be able to reach the Amazon Certificate Authority (CA). 
To maximize file system availability in the event that the CA is not reachable from your VPC, the EFS mount helper no longer enables OCSP by default. - Don't enable testsuite as it is currently failing + https://github.com/aws/efs-utils/issues/24 - Drop patches merged upstream + efs-switchparser.patch - Update BuildRequires from requirements.txt ----------------------------------------------------------------------------- o Updated aws-iam-authenticator (security/bugfix/feature) - Add patch to fix AccessKeyID validation bypass (bsc#1201395, CVE-2022-2385) * 0001-Add-query-parameter-validation-for-multiple-parameters.patch - Update in SLE-15 (bsc#1197703) - Update to version 0.5.3 * Bump Go to 1.15 in Travis (#361) * Update aws sdk go v1.37.1 (#360) * (arn): validate partition against all partitions returned by the aws sdk (#348) * Document AccessKeyId from UserInfo (#332) * Support IPv6 listen address (#352) * Added user agent to AWS SDK (#359) * Remove Chris Hein from OWNERS (#351) * Add instructions for the release process (#346) - from version 0.5.2 * Added partition flag (#341) * Update link to Kops docs site (#338) * Security Improvements on the example yaml (#335) * Fix RBAC on example file: service account requires get to ConfigMap (#334) * Add AccessKeyID as variable for username (#337) * Added server side AWS account ID log redaction (#327) - from version 0.5.1 * Update examples/README (#317) * Changelog gen (#318) * Fix CRD mapper blocking all others because caches never sync and revamp backend-mode flag (#303) * Update aws-sdk-go to version v1.30.0 (#306) * Bump k8s.io/ dependencies to 1.16.8 (#305) * chown aws-iam-authenticator to avoid permission denied (#302) * Indentation and unit test improvements (#298) * Adding Rate limiting ec2:DescribeInstances API along with Batching for high TPS (#292) * Restrict ClusterRole to readonly IAMIdentityMapping access (#287) * added selector to spec and changed from extenstions to apps/v1 (#291) * Add AWS 
AccessKeyID as an extra field in UserInfo (#286) * Allow server port customization (#278) - from version 0.5.0 * Remove DNS-1123 validation of usernames and groups (#260) * switch to use regional sts endpoint & imdsV2 (#283) * Add AWS Access Key ID to log (#282) * Require to pass in interface instead of the concrete type (#279) * Refactor to allow configurable backends (configmap, eks configmap, crd) (#269) * Update go version (#255) * Adding session name parameter to TokenGenerator (#272) * Rename prometheus metrics to match new project name (#249) * Remove inactive approvers, add wongma7 (#266) * Update aws-sdk-go to v1.23.11 (257) * Added go module download check (#259) * Updating goreleaser yaml to fix deprecated options (#252) * Remove deprecated language from README (#244) * Lowercase ARN inside doMapping and log about it (#239) * IAMIdentityMapping CRD Implementation (#116) * Adding micahhausler as approver (#237) * add support for passing externalID to assume role (#228) * Update README.md (#231) * Using sigs.k8s.io domain instead of github.com (#223) * Refactored EC2 API calls to be testable (#226) * Include aws request ID when logging errors (#178) - Remove global Go project variables - Set GO111MODULE=off to force use of vendored modules - Update Go build paths ----------------------------------------------------------------------------- o Updated azure-cli-core (security/bugfix/feature) - Update in SLE-15 (bsc#1189411, bsc#1191482) - Fix regression in patch to disable update check (bsc#1192671) + acc_disable-update-check.patch - New upstream release + Version 2.17.1 + For detailed information about changes see the HISTORY.rst file provided with this package ----------------------------------------------------------------------------- o Updated azure-cli (security/bugfix/feature) - Update in SLE-15 (bsc#1189411, bsc#1191482) - Add missing python-rpm-macros to BuildRequires - New upstream release + Version 2.17.1 + For detailed information about changes 
see the HISTORY.rst file provided with this package - Update Requires from setup.py ----------------------------------------------------------------------------- o Updated barrel (security/bugfix/feature) - support arrays on stack and use of arrays when creating volume groups and file systems - version 0.1.7 - allow to create multi-device btrfs - version 0.1.6 - show btrfs profiles - version 0.1.5 - support activation of LUKS and BitLocker - version 0.1.4 - added nilfs2 support - version 0.1.3 - added logging - version 0.1.2 - added aliases exfat and vfat - version 0.1.1 ----------------------------------------------------------------------------- o Updated bash-completion (security/bugfix/feature) - Add patch fix-curl-help-completion-bsc1200791.patch (bsc#1200791) * List all options for `curl --` - Add patch bsc1199724-modules.patch (bsc#1199724) * Enable upstream commit to list ko.zst modules as well ----------------------------------------------------------------------------- o Updated bcc (security/bugfix/feature) - Force specific versioning of LLVM in preparation of Leap 15.5/SLES 15-SP5 + Remove now duplicate dependency llvm-clang-devel, having clang-devel is enough - Update to version 0.26.0: + Support for kernel up to 6.1 + bcc tool updates for biosnoop, opensnoop, biopattern, killsnoop, runqslower, offcputime, wakeuptime, etc. + libbpf-tools updates for klockstat, sigsnoop, hardirqs, softirqs, opensnoop, statsnoop, offcputime, tcplife, cpufreq, cpudist, etc. + new libbpf-tools: tcptop, tcpstates, biotop, capable + doc update, bug fixes and other tools improvement - Update to version 0.25.0: + Support for kernel up to 5.19 + bcc tool updates for oomkill.py, biolatpcts.py, sslsniff.py, tcpaccept.py, etc. + libbpf tool updates for klockstat, opensnoop, tcpconnect, etc. 
+ new bcc tools: tcpcong + new libbpf tools: tcpsynbl, mdflush, oomkill, sigsnoop + usdt: support xmm registers as args for x64 + bpftool as a submodule now + remove uses of libbpf deprecated APIs + use new llvm pass manager + support cgroup filtering libbpf tools + fix shared lib module offset <-> global addr conversion + riscv support + LoongArch support + doc update, bug fixes and other tools improvement - Update to version 0.24.0: + Support for kernel up to 5.16 + bcc tools: update for trace.py, sslsniff.py, tcptop.py, hardirqs.py, etc. + new libbpf tools: bashreadline + allow specify wakeup_events for perf buffer + support BPF_MAP_TYPE_{INODE, TASK}_STORAGE maps + remove all deprecated libbpf function usage + remove P4/B language support + major test infra change, using github actions now + doc update, bug fixes and other tools improvement - Changes from version 0.23.0: + Support for kernel up to 5.15 + bcc tools: update for kvmexit.py, tcpv4connect.py, cachetop.py, cachestat.py, etc. + libbpf tools: update for mountsnoop, ksnoop, gethostlatency, etc. + fix renaming of task_struct->state + get pid namespace properly for a number of tools + initial work for more libbpf utilization (less section names) + doc update, bug fixes and other tools improvement - Drop Do-not-export-USDT-function-when-ENABLE_USDT-is-OFF.patch: fixed upstream. - Move kernel{,-devel} requirements to libbcc0 for deduplication. - Require additionally kernel-$variant-devel for libbcc0. - Declare python3-bcc, bcc-examples and bcc-docs as noarch.
----------------------------------------------------------------------------- o Updated bcel (security/bugfix/feature) - Security fix: [bsc#1205125, CVE-2022-42920] * Apache Commons BCEL prior to 6.6.0 allows producing arbitrary bytecode via out-of-bounds writing * Add bcel-CVE-2022-42920.patch ----------------------------------------------------------------------------- o Updated bind (security/bugfix/feature) - Security Fix: * An UPDATE message flood could cause named to exhaust all available memory. This flaw was addressed by adding a new update-quota option that controls the maximum number of outstanding DNS UPDATE messages that named can hold in a queue at any given time (default: 100). [bsc#1207471, CVE-2022-3094, bind-CVE-2022-3094.patch] - Add systemd drop-in directory for named service [bsc#1201689, bind.spec] - Security Fixes: * Previously, there was no limit to the number of database lookups performed while processing large delegations, which could be abused to severely impact the performance of named running as a recursive resolver. This has been fixed. [bsc#1203614, CVE-2022-2795, bind-CVE-2022-2795.patch] * A memory leak was fixed that could be externally triggered in the DNSSEC verification code for the ECDSA algorithm. [bsc#1203619, CVE-2022-38177, bind-CVE-2022-38177.patch] * Memory leaks were fixed that could be externally triggered in the DNSSEC verification code for the EdDSA algorithm. [bsc#1203620, CVE-2022-38178, bind-CVE-2022-38178.patch] - Changed ownership of /var/lib/named/master from named:named to root:root. [bsc#1201247, bind.conf] ----------------------------------------------------------------------------- o Updated binutils (security/bugfix/feature) - Add binutils-maxpagesize.diff for a problem on old code streams, where we would generate too large binaries. - s390-pic-dso.diff: use %pB instead of %B - SLE toolchain update of binutils. 
Update to 2.39 from 2.37, which means obsoleting and hence removing these patches: binutils-add-efi-aarch64-1.diff, binutils-add-efi-aarch64-2.diff, binutils-add-efi-aarch64-3.diff, binutils-fix-keepdebug.diff, binutils-add-z16-name.diff. Implements [jsc#SLE-25046, jsc#PED-2029, jsc#PED-2035, jsc#PED-2033, jsc#PED-2030, jsc#PED-2038, jsc#PED-2032, jsc#PED-2034, jsc#PED-2031, jsc#SLE-25047] - This fixes these CVEs relative to 2.37: [bsc#1188374, bsc#1185597] aka (GCC) PR99935 aka CVE-2021-3648 [bsc#1193929] aka PR28694 aka CVE-2021-45078 [bsc#1194783] aka (GCC) PR98886 aka CVE-2021-46195 [bsc#1197592] aka (GCC) PR105039 aka CVE-2022-27943 [bsc#1202966] aka PR29289 aka CVE-2022-38126 [bsc#1202967] aka PR29290 aka CVE-2022-38127 [bsc#1202969] aka CVE-2021-3826 - Add binutils-pr29482.diff for PR29482, aka CVE-2022-38533 [bsc#1202816] - Rebase binutils-2.39-branch.diff.gz that contains fix for PR29451. - Add binutils-2.39-branch.diff.gz. - Explicitly enable --enable-warn-execstack=yes and --enable-warn-rwx-segments=yes. - Add gprofng subpackage. - Update to binutils 2.39: * The ELF linker will now generate a warning message if the stack is made executable. Similarly it will warn if the output binary contains a segment with all three of the read, write and execute permission bits set. These warnings are intended to help developers identify programs which might be vulnerable to attack via these executable memory regions. The warnings are enabled by default but can be disabled via a command line option. It is also possible to build a linker with the warnings disabled, should that be necessary. * The ELF linker now supports a --package-metadata option that allows embedding a JSON payload in accordance to the Package Metadata specification. * In linker scripts it is now possible to use TYPE= in an output section description to set the section type value. * The objdump program now supports coloured/colored syntax highlighting of its disassembler output for some architectures. 
(Currently: AVR, RiscV, s390, x86, x86_64). * The nm program now supports a --no-weak/-W option to make it ignore weak symbols. * The readelf and objdump programs now support a -wE option to prevent them from attempting to access debuginfod servers when following links. * The objcopy program's --weaken, --weaken-symbol, and --weaken-symbols options now work with unique symbols as well. - Rebase binutils-compat-old-behaviour.diff, binutils-revert-hlasm-insns.diff, binutils-revert-plt32-in-branches.diff and remove binutils-2.38-branch.diff.gz. - For now use --disable-gprofng. - Includes fixes for these CVEs: bnc#1142579 aka CVE-2019-1010204 aka PR23765 (Fake entry from SLE for tracking purposes:) - For building shim 15.6~rc1 (and later versions) aarch64 image, objcopy needs to support efi-app-aarch64 target. (bsc#1198458) Adds binutils-add-efi-aarch64-1.diff, binutils-add-efi-aarch64-2.diff, binutils-add-efi-aarch64-3.diff . - Use https for various links. - Update binutils-2.38-branch.diff.gz (to 93054037f1e304e) in order to include PR29087. - Enable multitarget build on riscv64 - On SLE15 and later, use make -Oline to synchronize configure output by lines (Fake entry from SLE for tracking purposes:) - Add binutils-fix-keepdebug.diff for fix bsc#1191908, a problem in crash not accepting some of our .ko.debug files. - Renumber Sources. - Fix ExcludeArch for ppc. - Make multibuild utilize only the main binutils.spec file. - Remove not needed README.First-for.SUSE.packagers, pre_checkin.sh. - Start using _multibuild for cross binutils. - Add binutils-revert-rela.diff to revert back to old behaviour of not ignoring the in-section content of to be relocated fields on x86-64, even though that's a RELA architecture. Compatibility with buggy object files generated by old tools. [bsc#1198422] (forward port from SLE) - Update binutils-2.38-branch.diff.gz (to c210342d7f5) to include recognition of 'z16' name for 'arch14' on s390.
[bsc#1198237] (Fake entry from SLE for tracking purposes:) - Add usage of a SUSE_ZNOW environment variable which allows switching on "-z now" by default using "export SUSE_ZNOW=1", similar to the SUSE_ASNEEDED variable. Adds binutils-znow.patch. - Update binutils-skip-rpaths.patch: add back fix for boo#1191473, which got lost in the update to 2.38. - Update binutils-2.38-branch.diff.gz in order to include PR28879. - From Stefan Brüns : * Install symlinks for all target specific tools on arm-eabi-none [bsc#1185712] - Do not re-generate ld/ldlex.c, ld/ldgram.c, ld/ldgram.h and verify that corresponding flex/bison files are not modified by a patch. - Use verbose mode for make for cross compilers. - Make it build on SLE-11 again. - Use verbose mode for make. - Update to binutils 2.38: * elfedit: Add --output-abiversion option to update ABIVERSION. * Add support for the LoongArch instruction set. * Tools which display symbols or strings (readelf, strings, nm, objdump) have a new command line option which controls how unicode characters are handled. By default they are treated as normal for the tool. Using --unicode=locale will display them according to the current locale. Using --unicode=hex will display them as hex byte values, whilst --unicode=escape will display them as escape sequences. In addition using --unicode=highlight will display them as unicode escape sequences highlighted in red (if supported by the output device). * readelf -r dumps RELR relative relocations now. * Support for efi-app-aarch64, efi-rtdrv-aarch64 and efi-bsdrv-aarch64 has been added to objcopy in order to enable UEFI development using binutils. * ar: Add --thin for creating thin archives. -T is a deprecated alias without diagnostics. In many ar implementations -T has a different meaning, as specified by X/Open System Interface. * Add support for AArch64 system registers that were missing in previous releases. * Add support for the LoongArch instruction set.
* Add a command-line option, -muse-unaligned-vector-move, for x86 target to encode aligned vector move as unaligned vector move. * Add support for Cortex-R52+ for Arm. * Add support for Cortex-A510, Cortex-A710, Cortex-X2 for AArch64. * Add support for Cortex-A710 for Arm. * Add support for Scalable Matrix Extension (SME) for AArch64. * The --multibyte-handling=[allow|warn|warn-sym-only] option tells the assembler what to do when it encounters multibyte characters in the input. The default is to allow them. Setting the option to "warn" will generate a warning message whenever any multibyte character is encountered. Using the option to "warn-sym-only" will make the assembler generate a warning whenever a symbol is defined containing multibyte characters. (References to undefined symbols will not generate warnings). * Outputs of .ds.x directive and .tfloat directive with hex input from x86 assembler have been reduced from 12 bytes to 10 bytes to match the output of .tfloat directive. * Add support for 'armv8.8-a', 'armv9-a', 'armv9.1-a', 'armv9.2-a' and 'armv9.3-a' for -march in AArch64 GAS. * Add support for 'armv8.7-a', 'armv8.8-a', 'armv9-a', 'armv9.1-a', 'armv9.2-a' and 'armv9.3-a' for -march in Arm GAS. * Add support for Intel AVX512_FP16 instructions. * Add -z pack-relative-relocs/-z no pack-relative-relocs to x86 ELF linker to pack relative relocations in the DT_RELR section. * Add support for the LoongArch architecture. * Add -z indirect-extern-access/-z noindirect-extern-access to x86 ELF linker to control canonical function pointers and copy relocation. * Add --max-cache-size=SIZE to set the maximum cache size to SIZE bytes. - Add binutils-2.38-branch.diff.gz. - Removed deletion of man pages as they should be properly packaged in tarball.
- Rebased patches: aarch64-common-pagesize.patch, add-ulp-section.diff, binutils-bfd_h.patch, binutils-revert-nm-symversion.diff, binutils-revert-plt32-in-branches.diff, binutils-skip-rpaths.patch and binutils-compat-old-behaviour.diff. - Enable PRU architecture for AM335x CPU (Beagle Bone Black board) - use fdupes on datadir - remove RPM_BUILD_ROOT usage and other cleanups - Rebase binutils-2.37-branch.diff: fixes PR28494. ----------------------------------------------------------------------------- o Updated bluez (security/bugfix/feature) - For pushing bluez 5.65 to 15-SP5 (bluez-5.62), sync more change log: (jsc#PED-1407) - The hcidump-Fix-set_ext_ctrl-global-buffer-overflow.patch be merged to bluez-5.51 in 2018. (bsc#1013732)(CVE-2016-9801) - The following btmon patches are merged to bluez-5.51 and later: 0001-btmon-fix-segfault-caused-by-buffer-over-read.patch 0002-btmon-fix-segfault-caused-by-buffer-over-read.patch 0003-btmon-fix-segfault-caused-by-buffer-over-read.patch 0004-btmon-Fix-crash-caused-by-integer-underflow.patch 0005-btmon-fix-stack-buffer-overflow.patch 0006-btmon-fix-multiple-segfaults.patch 0007-btmon-fix-segfault-caused-by-integer-underflow.patch 0008-btmon-fix-segfault-caused-by-integer-undeflow.patch 0009-btmon-fix-segfault-caused-by-buffer-over-read.patch 0010-btmon-fix-segfault-caused-by-buffer-overflow.patch 0011-btmon-fix-segfault-caused-by-integer-underflow.patch 0012-btmon-fix-segfault-caused-by-buffer-over-read.patch (bsc#1015173)(CVE-2016-9918)(bsc#1013893)(CVE-2016-9802) - The shared-gatt-server-Fix-not-properly-checking-for-sec.patch be merged to bluez-5.57 in 2021. (bsc#1186463 CVE-2021-0129 CVE-2020-26558) - The gatt-Fix-potential-buffer-out-of-bound.patch be merged to bluez-5.56 in 2021. (bsc#1187165 CVE-2021-3588) - The shared-gatt-db-Introduce-gatt_db_attribute_set_fixed.patch be merged to bluez-5.56 in 2021. 
(bsc#1187165 CVE-2021-3588) - The gatt-Make-use-of-gatt_db_attribute_set_fixed_length.patch be merged to bluez-5.56 in 2021. (bsc#1187165 CVE-2021-3588) - Add JIRA-SLE-18497 number to 5.60, 5.61 and 5.62 update log to sync with bluez.changes in SLE15-SP5. - Install modprobe.conf files to %_modprobedir This change already in bluez.spec in openSUSE:Factory/bluez. Sync the change log here. (bsc#1196275, jsc#SLE-20639) - For pushing bluez 5.65 to 15-SP5 (bluez-5.62), sync the spec file and log: (jsc#PED-1407) - SLE15-SP5 will direct use bluez.changes for openSUSE TW. So keep the contents of SLE bluez.changes to bluez.changes.sle file. - Put to /usr/share/doc/packages/bluez/bluez.changes.sle in package. - For pushing bluez 5.65 to 15-SP5 (bluez-5.62), sync the spec file and log: (jsc#PED-1407) - SLE15-SP5 will use the bluez.spec from openSUSE TW. The following are changes in bluez.spec of SLE15-SP5: - Obsoletes: bluez-utils <= 3.36 to Obsoletes: bluez-utils < 3.36 - Obsoletes: bluez-audio <= 3.36 to Obsoletes: bluez-audio < 3.36 - In %package -n libbluetooth3: Obsoletes: bluez-libs <= 3.36 to Obsoletes: bluez-libs < 3.36 - In %package cups, add the following statements Requires: %{name} Requires: cups Supplements: (%{name} and cups) - In %package test Requires: python3-gobject2 to Requires: python3-gobject - In %package auto-enable-devices package, add Requires(post): systemd - Add %package obexd and %package zsh-completion and their %description - In %prep - Removed %setup -q - Removed [#] FIXME: Change the dbus service to be a real service, not systemd launched sed -i "s:Exec=/bin/false:Exec=%{_libexecdir}/bluetooth/obexd:g" obexd/src/org.bluez.obex.service sed -i "/SystemdService=.*/d" obexd/src/org.bluez.obex.service [#] END FIXME - In %build, add --with-dbusconfdir=%{_datadir} \ - In %install - Removed [#] FIXME: Do not delete the systemd service once we support systemd user/session services rm %{buildroot}%{_userunitdir}/obex.service [#] end FIXME -
org.bluez.mesh.service to %{_sysconfdir}/dbus-1/system-services/, to org.bluez.mesh.service to %{_datadir}/dbus-1/system-services/, - In %files - Add %{_bindir}/isotest %{_libexecdir}/bluetooth/obexd %{_mandir}/man1/isotest.1%{?ext_man} - %config %{_sysconfdir}/dbus-1/system.d/bluetooth.conf to %{_datadir}/dbus-1/system.d/bluetooth.conf - Removed %{_datadir}/dbus-1/services/org.bluez.obex.service - Removed %{_datadir}/zsh/site-functions/_bluetoothctl - Add %files zsh-completion - SLE15-SP5 will direct use bluez.changes for openSUSE TW. So keep the contents of SLE bluez.changes to bluez.changes.sle file. - Removed shared-gatt-server-Fix-heap-overflow-when-appending-.patch in SLE15-SP5 bluez because 5.65 bluez already includes it. - The code shall check if the prepare writes would append more than the allowed maximum attribute length. (bsc#1194704 CVE-2022-0204) - For pushing bluez 5.65 to 15-SP5 (bluez-5.62), sync the patches and log: (jsc#PED-1407) - hcidump-fixed-hci-frame-dump-stack-buffer-overflow.patch patch be merged to 5.51 mainline. So 5.65 bluez already includes it. (PATCH-FIX-UPSTREAM)(bsc#1013721)(CVE-2016-9800) - Add the following patches from the bluez-5.62 of 15-SP5: - disable_some_obex_tests.patch - disable tests for bypass boo#1078285 - hcidump-Add-assoc-dump-function-assoc-date-length-ch.patch - bsc#1013708 CVE-2016-9797 - Al Cho has sent it to upstream but it not be merged: https://lore.kernel.org/all/20181031081508.25927-1-acho@suse.com/T/ - hcidump-Fix-memory-leak-with-malformed-packet.patch - bsc#1015171 CVE-2016-9917 - Al Cho has sent it to upstream but it not be merged: https://www.spinics.net/lists/linux-bluetooth/msg79852.html - hcidump-Fixed-malformed-segment-frame-length.patch - bsc#1013712 CVE-2016-9798 - Did not send to upstream.
- 0001-rpi3-bcm43xx-The-UART-speed-must-be-reset-after-the-firmw.patch - Move 43xx firmware path for RPi3 bluetooth support bsc#1140688 bsc#995059 bsc#1094902 - From https://www.yoctoproject.org/pipermail/yocto/2016-April/029424.html - Respin the following patches - bluez-test-2to3.diff - Removed some parts of patch because that code is included in a1939bd51e0faba9a8550eea2590d99cb63a33c1 since 5.65. - The following patches are the same between SLE15-SP5 and openSUSE TW: - bluez-5.45-disable-broken-tests.diff in 15-SP5 matches bluez-disable-broken-tests.diff in openSUSE TW. - 0002-rpi3-Move-the-43xx-firmware-into-lib-firmware.patch in 15-SP5 matches RPi-Move-the-43xx-firmware-into-lib-firmware.patch in openSUSE TW. (bsc#995059)(bsc#1094902) - update to 5.65: * Fix issue with A2DP cache invalidation handling. * Fix issue with A2DP and not initialized SEP codec. * Fix issue with A2DP and multiple SetConfiguration to same SEP * Fix issue with AVRCP and not properly initialized volume. * Fix issue with SDP records when operating in LE only mode. * Fix issue with HoG and not reading report map of instances. * Fix issue with GATT server crashing while disconnecting. * Fix issue with not removing connected devices. * Fix issue with enabling wake support without RPA Resolution. * Fix issue with pairing failed due to the error of Already Paired. * Add support for CONFIGURATION_DIRECTORY environment variable. * Add support for STATE_DIRECTORY environment variable. * Add support for "Bonded" property with Device API. * Add experimental support for ISO socket. - drop bluez-test-2to3.diff (obsolete/upstream) - Upgrade bluez-test requirement of PyGObject from ancient version 2 to current version. 
(bluez/test is at least able to use it since 2014) - Move the dbus-1 system.d file to /usr (bsc#1199207) - Fix self-obsoletion issues - Add supplements to cups subpackage - Split zsh completion into subpackage - Don't tell the user to write to /usr (in README-mesh.SUSE) - add Requires(post): systemd for bluez-auto-enable-devices * fixes boo#1198906 - update to version 5.64: This is another release mostly with bug fixes on HOG, GATT, A2DP, Media, AVDTP, AVRCP, and scanning failure. This release includes a fix for building with old glibc (< 2.25) and other minor issues found with the static code analyzing tool. ISO packet support is added to the emulator as a part of LE Audio development. - removed obsoleted 0002-Use-g_memdup2-everywhere.patch - Add code to restore user modifications for modprobe.d %config files after moving the files to %_modprobedir - Use %_modprobedir (jsc#SLE-20639) - update to version 5.63: * Fix issue with storing IRK causing invalid read access. * Fix issue with disconnecting due to GattCharacteristic1.MTU. * Add support for Device{Found,Lost} of advertising monitoring. - Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075) - Stop nuking the obex service, we support user systemd services just fine now. Following this, no longer hack the dbus service, leave it as a systemd service as upstream intended. - Split out obex in own package with its needed enablement as a systemd user service. - Add 0001-obex-Use-GLib-helper-function-to-manipulate-paths.patch: obex: Use GLib helper function to manipulate paths. Instead of trying to do it by hand. This also makes sure that relative paths aren't used by the agent. Patch from fedora. 
- drop obsoleted patch 0005-media-rename-local-function-conflicting-with-pause-2.patch - add fedora's patches 0002-Use-g_memdup2-everywhere.patch and 0005-media-rename-local-function-conflicting-with-pause-2.patch to fix compatibility problems with newer glib and glibc I'm not going to remove it, and another maintainer can still restart the removal process :-) - remove bluez-5.59-0388794dc5fdb73a4ea.diff (included upstream) - add bluez-5.59-0388794dc5fdb73a4ea.diff, fixes a2dp on newly paired devices, https://github.com/bluez/bluez/issues/157 - new tool: mesh-cfgtest - new manpages: btmon.1, bluetooth-meshd.8 - rebased bluez-test-2to3.diff - remove upstreamed bluez-avdtp-Fix-removing-all-remote-SEPs-when-loading-from.patch - add bluez-avdtp-Fix-removing-all-remote-SEPs-when-loading-from.patch Fix Bluetooth headphones disconnect periodically(bsc#1183821) - add bluez-test-2to3.diff to get rid of python2 dependency - Packaging: remove _service and accompanying README.md, maintenance in git did not work out as well as intended. - remove input-hog-Attempt-to-set-security-level-if-not-bonde.patch, input-Add-LEAutoSecurity-setting-to-input.conf.patch: upstream - use autopatch, spec-cleaner - Add --enable-external-ell to actually make use of pkgconfig(ell). - Pull in python3 packages, the tests are py3 based so it does not make sense to pull in py2 packages. - bluez-5.53: - remove obsolete upstreamed patches: * HOGP-must-only-accept-data-from-bonded-devices.patch * HID-accepts-bonded-device-connections-only.patch - refresh other patches - Add HOGP-must-only-accept-data-from-bonded-devices.patch HOGP 1.0 Section 6.1 establishes that the HOGP must require bonding.(bsc#1166751)(CVE-2020-0556) HID-accepts-bonded-device-connections-only.patch This change adds a configuration for platforms to choose a more secure posture for the HID profile.(bsc#1166751)(CVE-2020-0556) input-hog-Attempt-to-set-security-level-if-not-bonde.patch Attempt to set security level if not bonded. 
(bsc#1166751)(CVE-2020-0556) input-Add-LEAutoSecurity-setting-to-input.conf.patch Add LEAutoSecurity setting to input.conf. (bsc#1166751)(CVE-2020-0556) - Fix path to systemctl in %post script - add NoSource tag for omitting README.md from src.rpm - move all deprecated tools into bluez-deprecated package which can be disabled by prjconf in OBS. - bluez-deprecated will go away before end of 2020 in Tumbleweed! - BuildIgnore shared-mime-info, pulled in by libgio-2_0-0, not required for building, but causes a build loop. - Add bcond for mesh, also enable mesh on Leap 15.2/SLE15SP2. - Properly conditionalize all files which are only built with enabled mesh functionality, fixes build on Leap 15.1 and earlier. - fix udev directory from %_libexecdir to %_prefix/lib - remove obsolete 0001-mesh-Fix-segmentation-fault-on-Join-call.patch - disable one more segfaulting patch - add 0001-mesh-Fix-segmentation-fault-on-Join-call.patch (boo#1152672) - add _service to use github.com/seifes-obs-packages/bluez.git as source for the package - Combine multiple %service_* to reduce generated boilerplate. - disable mesh service due to security concerns, see boo#1151518 - add README-mesh.SUSE to explain the issue - remove no longer necessary temporary-rpmlintrc - removed obsoleted patches: * 0001-obexd-use-AM_LDFLAGS-for-linking.patch * 0001-policy-Add-logic-to-connect-a-Sink.patch * 0001-tools-Fix-build-after-y2038-changes-in-glibc.patch (bsc#1156544) * bluez-5.50-a2dp-backports.patch * bluez-5.50-gcc9.patch * disable_some_obex_tests.patch * bluez-5.45-disable-broken-tests.diff - add bluez-disable-broken-tests.diff - add temporary rpmlintrc until security team approves - Fix build with GCC 9 (boo#1121404, bko#202213): * Add bluez-5.50-gcc9.patch. 
- Fix 43xx firmware path for RPi3 bluetooth support (bsc#1140688) - Add RPi-Move-the-43xx-firmware-into-lib-firmware.patch - Add 0001-tools-Fix-build-after-y2038-changes-in-glibc.patch: Fix build after y2038 changes in glibc (bsc#1156544) - Add avinfo to bluez-test, useful for debugging. - Only BuildRequires pkgconfig(ell) on Tumbleweed. - Add bluez-5.50-a2dp-backports.patch: A2DP fixes for newer codecs (upstream backport). - Connect Sink profile which HSP profile connects (boo#1131772). - Add 0001-policy-Add-logic-to-connect-a-Sink.patch - install bluetoothd sample config file as %doc for reference - use gcc8 for now to work around boo#1121404 - add btmgmt to bluez-test - add btgatt-client to bluez-test - remove 0001-Don-t-refresh-adv_manager-for-non-LE-devices.patch, fixed upstream - Add CVE-2016-9800-tool-hcidump-Fix-memory-leak-with-malformed-packet.patch * Fix hcidump memory leak in pin_code_reply_dump(). (bsc#1013721)(CVE-2016-9800) CVE-2016-9804-tool-hcidump-Fix-memory-leak-with-malformed-packet.patch * Fix hcidump buffer overflow in commands_dump(). 
(bsc#1013877)(CVE-2016-9804) - add 0001-Don-t-refresh-adv_manager-for-non-LE-devices.patch (boo#1086731) - remove 0001-core-Fixes-order-InterfaceAdded.patch (upstream) - add 0001-core-Fixes-order-InterfaceAdded.patch (boo#1076898)(boo#1101119) - fix python shebang rpmlint warning for bluez-test ----------------------------------------------------------------------------- o Updated booth (security/bugfix/feature) - Update to version 1.0+20220815.f40c2d5: * configure: Modernize configure.ac a bit - spec: BuildRequires firewall-macros (bsc#1202959) - spec: optionally BuildRequires cluster-glue-devel instead of libglue-devel - Update to version 1.0+20220724.dce51f9: * ticket: Fix compiler warning * rpm: use new package name for pacemaker devel on opensuse * Revert "Refactor: main: substitute is_auth_req macro" * doc: Describe debug config file option * handler: Use only signal-safe functions * main: Use only signal-safe functions * fix bashisms (use printf instead of echo) - fixes CVE-2022-2553 [bsc#1201946] ----------------------------------------------------------------------------- o Updated bpftrace (security/bugfix/feature) - Add Vendor-BPF_F_KPROBE_MULTI_RETURN-definition.patch to fix build on SLE15-SP5 - Set USE_SYSTEM_BPF_BCC to ON so system libraries are used - Update to 0.17.0 + Support opaque pointer (boo#1207295) + Support 32-bit ARM systems + Support BTF in kernel modules + Add %rh option to print buffer as hex without \x + Add stdbool.h to built-in headers + Raise minimum versions for libbpf and bcc and vendor them for local builds + Support comparison for integer arrays + Drop Ubuntu 19.10 lockdown detection + Fix pointer/register loads on 32-bit architectures + Fix kprobe multi-attachment + Fix attaching to multiple USDT probes using the same wildcard + Fix pointer arithmetics codegen + Fix segfault for invalid AssignVarStatement visit + Better handling of missing function trace support files + Fix unroll ID reset + Support profile and interval probes 
in probe matcher + Fix BTF detection macro in tools/old/mdflush.bt - Bump LLVM major version to 15 in preparation for Leap 15.5/SLES 15-SP5 - Drop Detect-new-BTF-api-btf_dump__new-btf_dump__new_v0_6_0.patch, which is incorporated since 0.16.0 - Update to 0.16.0 + Add builtin: numaid + Add helper verifier error handling + Add builtin: pton + Add builtin: debugf + Add builtin: strerror + Move from BCC to libbpf (although BCC is still a dependency) + Add non-uprobe based BEGIN/END implementation + Helper errors (-k, -kk options) are now emitted to text or json output + kprobe offset verification is now optional, without requiring --unsafe + Disallow different lhist bounds in a single map + Serialize empty histogram as an empty JSON array + Handle enum values in tracepoint format defs + Fix compound assignments with non-unary expr + Fix invalid LLVM IR in join builtin + Fix lexer buffer size check + Fix invalid LLVM IR as detected by tests + Fix builds against libbfd(binutils) >=2.39 + Fix access to ctx + Add sslsnoop and ssllatency tools + Add undump tool. 
- Update to 0.15.0 + Add option for unconditional hex output + Add builtin function: cgroup_path + Limit number of generated BPF programs + Support the octal format specifier (%o) in printf + Improve include paths resolution + Automatic type resolution from DWARF + Add builtin function: bswap + Print all maps to stdout on SIGUSR1 + Use auto-resolution of library paths for tools + Improve handling empty attach points + Fix precedence of multiplicative operations + Fix probe matching for uprobes with absolute address + Fix tools to work on new kernel versions + Fix uprobe target resolution + Fix using wildcards in kfunc + Improve handling of format strings + Fix codegen for buf + Update biosnoop.bt for kernel >=5.17 - do not link against the shared BFD libraries [bsc#1200630] - Update to 0.14.1 + Fix precedence of multiplicative operations - Add Detect-new-BTF-api-btf_dump__new-btf_dump__new_v0_6_0.patch to fix compilation error when building with libbpf v0.6 ----------------------------------------------------------------------------- o Updated branding-SLE (security/bugfix/feature) - Support %posttrans with macros provided by update-bootloader-rpm-macros package (bsc#997317) (bsc#1199818) ----------------------------------------------------------------------------- o Updated btrfsprogs (security/bugfix/feature) - Upstream behavior of btrfs compression=none (JSC#PED-1711) * btrfs-progs_props_dont_translate_value_of_compression_none.patch ----------------------------------------------------------------------------- o Updated bubblewrap (security/bugfix/feature) - update to v0.7.0: * --size option controls the size of a subsequent --tmpfs (#509) * Better error messages if a mount operation fails (#472) * Better error message if creating the new user namespace fails with ENOSPC (#487) * When building as a Meson subproject, a RUNPATH can be set on the executable to make it easier to bundle its libcap dependency * Fix test failures when running as uid 0 but with limited 
capabilities (#510) * Use POSIX command -v in preference to non-standard which (#527) * Fix a copy/paste error in --help (#531) - Update to version 0.6.2: + New features in Meson build: - Auto-detect whether the man page can be generated. - -Dbwrapdir=... changes the installation directory (useful when being used as a subproject). - -Dtests=false disables unit tests. + Bug fixes: - Add --add-seccomp-fd to shell completions - Document --add-seccomp-fd, --json-status-fd and --share-net in the man page - Add attributes to silence various compiler warnings - Allow compilation of tests with musl on mips architectures - Allow compilation with older glibc - Disable sanitizers for a test helper whose seccomp profile breaks the instrumentation - Disable AddressSanitizer leak detection where it interferes with unit testing - Update to 0.6.1: - Add a release checklist - completions: Make zsh completion non-executable The Autotools build system installed it with 0644 permissions because it's listed as DATA, but the Meson build system installs executable files as executable by default. zsh completions don't need to be executable to work, and this one doesn't have the `#!` marker that should start an executable script. - update to 0.6.0: - meson: Improve compatibility with Meson 0.49 That version doesn't allow more than two arguments for define_variable. - Disable test-specifying-pidns.sh under 'meson dist' while I investigate This test is hanging when run under 'meson dist' for some reason, but not when run under 'meson test', and not locally, only in the Github Workflow-based CI. Disable it for now. 
- meson: Actually build and run the tests - tests: Fix compiler warnings for unused arguments - meson: Run test scripts from $srcdir - meson: Make G_TEST_SRCDIR, G_TEST_BUILDDIR match Autotools - meson: Run the Python test script with Python, not bash The python build option can be used to swap to a different interpreter, for environments like the Steam Runtime where the python3 executable in the PATH is extremely old but there is a better interpreter available. This is treated as non-optional, because Meson is written in Python, so the situation where there is no Python interpreter at build-time shouldn't arise. - meson: Build the try-syscall helper - meson: Build tests with equivalent of -I$(top_srcdir) -I$(top_builddir) - meson.build: Remove unnecessary check for sh - Add a Meson build system This allows bwrap to be built as a subproject in larger Meson projects. When built as a subproject, we install into the --libexecdir and require a program prefix to be specified: for example, Flatpak would use program_prefix=flatpak- to get /usr/libexec/flatpak-bwrap. Verified to be backwards-compatible as far as Meson 0.49.0 (Debian 9 backports). Loosely based on previous work by Jussi Pakkanen (see #133). Differences between the Autotools and Meson builds: The Meson build requires a version of libcap that has pkg-config metadata (introduced in libcap 2.23, in 2013). The Meson build has no equivalent of --with-priv-mode=setuid. On distributions like Debian <= 10 and RHEL <= 7 that require a setuid bwrap executable, the sysadmin or distribution packaging will need to set the correct permissions on the bwrap executable; Debian already did this via packaging rather than the upstream build system. The Meson build supports being used as a subproject, and there is CI for this. 
It automatically disables shell completions and man pages, moves the bubblewrap executable to ${libexecdir}, and renames the bubblewrap executable according to a program_prefix option that the caller must specify (for example, Flatpak would use -Dprogram_prefix=flatpak- to get /usr/libexec/flatpak-bwrap). See the tests/use-as-subproject/ directory for an example. - Use HEAD to refer to other projects' default branches in documentation This makes the URL independent of the name they have chosen for their default branches. - workflows: Update for rename of default branch to main - tests: Exercise seccomp filters - Allow loading more than one seccomp program This will allow Flatpak to combine an allow-list (default-deny) of known system calls with a deny-list (default-allow) of system calls that are undesired. Resolves: https://github.com/containers/bubblewrap/issues/453 - Generalize linked lists of LockFile and SetupOp I'm about to add a third linked list, for seccomp programs, which would seem like too much duplication. - Handle argc == 0 better Unfortunately it's possible for argc to be 0, so error out pretty early on in that case. I don't think this is a security issue in this case. - Fix typo - Remove trailing whitespace - Fix spelling - bash: Fix shellcheck warnings - bash: Invoke bash using /usr/bin/env - bubblewrap: Avoid a -Wjump-misses-init false-positive When building with -Wjump-misses-init as part of a larger project, gcc reports that we jump past initialization of cover_proc_dirs. This is technically true, but we only use this variable in the case where it's initialized, so that's harmless. However, we can avoid this altogether by making the array static and constant, which allows it to be moved from initialized data to read-only data. - bind-mount: Be more const-correct When compiled with -Wwrite-strings as part of a larger project, gcc and clang both warn that we're assigning a string constant to a mutable struct member. 
There's actually no reason why it should be mutable, so make it const. - die_with_error: Save errno sooner We need to save errno immediately, otherwise it could be overwritten by a failing library call somewhere in the implementation of fprintf. - main: Warn when non-repeatable options are repeated A user might reasonably expect that `bwrap --seccomp 3 --seccomp 4 ...` would load seccomp programs from both fds 3 and 4, but in fact it only loads the program from fd 4. Helps: https://github.com/containers/bubblewrap/issues/453 Resolves: https://github.com/containers/bubblewrap/issues/454 - utils: Add warn() - Add SPDX-License-Identifier for files that already specify license This is a step towards REUSE compliance. Third-party files that we do not otherwise edit (git.mk, m4/attributes.m4) are excluded here. - tests: Use preferred spelling for SPDX license identifiers - Remove obsolete .travis.yml We no longer use Travis-CI. - Remove obsolete papr CI We no longer use this. - Update to version 0.5.0: + New features: - --chmod changes permissions - --clearenv unsets every environment variable (except PWD) - --perms sets permissions for one subsequent --bind-data, --dir, --file, --ro-bind-data or --tmpfs + Other enhancements: - Better diagnostics when a --bind or other bind-mount fails - zsh tab-completion - Better test coverage + Bug fixes: - Use Python 3 for tests and examples - Mount points for non-directories are created with permissions -r--r--r-- instead of -rw-rw-rw- - Don't remount items in /proc read-only if already EROFS, required to run under Docker - Allow mounting a non-directory over an existing non-directory, e.g. 
--bind "$XDG_RUNTIME_DIR/my-log-socket" /dev/log - Silence kernel messages for our bind-mounts - Make sure pkg-config is checked for, regardless of build options - Improve ability to bind-mount directories on case-insensitive filesystems - Fix -Wshadow warnings - Fix deprecation warnings with newer SELinux - Add new subpackage bubblewrap-zsh-completion ----------------------------------------------------------------------------- o Updated buildah (security/bugfix/feature) - Update to version 1.28.2: * version: bump to 1.28.2 * Stop using ubi8 * Define and use a safe, reliable test image - Update to version 1.28.1: * version: bump to v1.28.1 * copier.Put(): clear up os/syscall mode bit confusion * retrofit, test: ubi8 changed architecture string - Only build targets that we install - Update to version 1.28.0: * Bump to v1.28.0 * No longer modify buildah.spec * Update for https://github.com/klauspost/pgzip/pull/50 * Update vendor containers/(common,image) * [CI:DOCS] Add quay-description update reminder * vendor: bump c/common to v0.49.2-0.20220929111928-2d1b45ae2423 * build(deps): bump github.com/opencontainers/selinux * Vendor in latest containers/storage * Changing shell list operators from `;` to `&&` * Fix buildahimage container.conf permissions regression * Set sysctls from containers.conf * refactor: stop using Normalize directly from containerd package * config,builder: process variant while populating image spec * Proof of concept: nightly dependency treadmill * Run codespell on code * Check for unset build args after TARGET args * pkg/cli: improve completion test * vendor in latest containers/(common,storage,image) * copier: work around freebsd bug for "mkdir /" * vendor: update c/image * test: run in the host cgroup namespace * vendor: update c/storage * vendor: update c/common * cmd: check for user UID instead of privileges * run,build: conflict --isolation=chroot and --network * Fix broken dns test (from merge collision) * Fix stutters * Fix broken 
command completion * buildah bud --network=none should have no network * build: support --skip-unused-stages for multi-stage builds * Prevent use of --dns* options with --net=none * buildah: make --cache-ttl=0s equivalent to --no-cache * parse: make processing flags in --mount order agnostic * Minor test fix for podman-remote * build: honor .containerignore as ignore file * Update install.md: Debian 11 (Bullseye) is stable * build(deps): bump github.com/docker/docker * Use constants from containers/common for finding seccomp.json * Don't call os.Exit(1) from manifest exist * manifest: add support for buildah manifest exists * Buildah should ignore /etc/crio/seccomp.json * chroot: Fix cross build break * chroot: Move isDevNull to run_common.go * chroot: Fix setRlimit build on FreeBSD * chroot: Move parseRLimits and setRlimits to run_common.go * chroot: Fix runUsingChrootExecMain on FreeBSD * chroot: Move runUsingChrootExecMain to run_common.go * chroot: Factor out Linux-specific unshare options from runUsingChroot * chroot: Move runUsingChroot to run_common.go * chroot: Move RunUsingChroot and runUsingChrootMain to run_common.go * chroot: Factor out /dev/ptmx pty implementation * chroot: Add FreeBSD support for run with chroot isolation * build(deps): bump github.com/docker/go-units from 0.4.0 to 0.5.0 * Replace k8s.gcr.io/pause in tests with registry.k8s.io/pause * build(deps): bump github.com/onsi/gomega from 1.20.0 to 1.20.1 * Cirrus: use image with fewer downloaded dependencies * build(deps): bump github.com/opencontainers/runc from 1.1.3 to 1.1.4 * run: add container gid to additional groups (CVE-2022-2990 / bsc#1202812) * buildah: support for --retry and --retry-delay for push/pull failures * Makefile: always call $(GO) instead of `go` * build(deps): bump github.com/fsouza/go-dockerclient from 1.8.2 to 1.8.3 * test: use `T.TempDir` to create temporary test directory * mount,cache: enable SElinux shared content label option by default * commit: use race-free 
RemoveNames instead of SetNames * Drop util/util.Cause() * cmd/buildah: add "manifest create --amend" * build(deps): bump github.com/fsouza/go-dockerclient from 1.8.1 to 1.8.2 * docs: specify git protocol is not supported for github hosted repo * Scrub user and group names from layer diffs * build(deps): bump github.com/containerd/containerd from 1.6.6 to 1.6.8 * version: bump to 1.28.0-dev - Update to version 1.27.2: * tag v1.27.2 * Fix broken command completion * build: support --skip-unused-stages for multi-stage builds - Update to version 1.27.1: * release: bump to v1.27.1 * run: add container gid to additional groups - Drop add-container-gid-to-additional-groups.patch (merged upstream) - Add fix for CVE-2022-2990 / bsc#1202812 add: add-container-gid-to-additional-groups.patch - Update to version 1.27.0: * release: tag v1.27.0 * make,cross: ignore loong64 from target list * Allow chflags operations inside the container * Don't try to call runLabelStdioPipes if spec.Linux is not set * build(deps): bump github.com/golangci/golangci-lint in /tests/tools * build: support filtering cache by duration using --cache-ttl * build: support building from commit when using git repo as build context * build: clean up git repos correctly when using subdirs * integration tests: quote "?" 
in shell scripts * Fix a copy/paste error * build(deps): bump github.com/golangci/golangci-lint in /tests/tools * vendor c/common@v0.49.1 * test: manifest inspect should have OCIv1 annotation * vendor: bump to c/common@87fab4b7019a * Failure to determine a file or directory should print an error * build(deps): bump github.com/containernetworking/cni from 1.1.1 to 1.1.2 * refactor: remove unused CommitOptions from generateBuildOutput * stage_executor: generate output for cases with no commit * stage_executor, commit: output only if last stage in build * Use errors.Is() instead of os.Is{Not,}Exist * Minor test tweak for podman-remote compatibility * Cirrus: Use the latest imgts container * imagebuildah: complain about the right Dockerfile * tests: don't try to wrap `nil` errors * cmd/buildah.commitCmd: don't shadow "err" * cmd/buildah.pullCmd: complain about DecryptConfig/EncryptConfig * Fix a copy/paste error message * Fix a typo in an error message * build,cache: support pulling/pushing cache layers to/from remote sources * Update vendor of containers/(common, storage, image) * Rename chroot/run.go to chroot/run_linux.go * Don't bother telling codespell to skip files that don't exist * Set user namespace defaults correctly for the library * imagebuildah: optimize cache hits for COPY and ADD instructions * Cirrus: Update VM images w/ updated bats * build(deps): bump github.com/onsi/gomega from 1.19.0 to 1.20.0 * docs, run: show SELinux label flag for cache and bind mounts * build(deps): bump github.com/sirupsen/logrus from 1.8.1 to 1.9.0 * imagebuildah, build: remove undefined concurrent writes * bump github.com/opencontainers/runtime-tools * Add FreeBSD support for 'buildah info' * Vendor in latest containers/(storage, common, image) * Add freebsd cross build targets * Make the jail package build on 32bit platforms * Cirrus: Ensure the build-push VM image is labeled * GHA: Fix dynamic script filename * Vendor in containers/(common, storage, image) * Run codespell * 
Remove import of github.com/pkg/errors * Avoid using cgo in pkg/jail * Rename footypes to fooTypes for naming consistency * Move cleanupTempVolumes and cleanupRunMounts to run_common.go * Make the various run mounts work for FreeBSD * Move get{Bind,Tmpfs,Secret,SSH}Mount to run_common.go * Move runSetupRunMounts to run_common.go * Move cleanableDestinationListFromMounts to run_common.go * Make setupMounts and runSetupBuiltinVolumes work on FreeBSD * Move setupMounts and runSetupBuiltinVolumes to run_common.go * Tidy up - runMakeStdioPipe can't be shared with linux * Move runAcceptTerminal to run_common.go * Move stdio copying utilities to run_common.go * Move runUsingRuntime and runCollectOutput to run_common.go * Move fileCloser, waitForSync and contains to run_common.go * Move checkAndOverrideIsolationOptions to run_common.go * Move DefaultNamespaceOptions to run_common.go * Move getNetworkInterface to run_common.go * Move configureEnvironment to run_common.go * Don't crash in configureUIDGID if Process.Capabilities is nil * Move configureUIDGID to run_common.go * Move runLookupPath to run_common.go * Move setupTerminal to run_common.go * Move etc file generation utilities to run_common.go * Add run support for FreeBSD * Add a simple FreeBSD jail library * Add FreeBSD support to pkg/chrootuser * Sync call signature for RunUsingChroot with chroot/run.go * test: verify feature to resolve basename with args * vendor: bump openshift/imagebuilder to master@4151e43 * GHA: Remove required reserved-name use * buildah: set XDG_RUNTIME_DIR before setting default runroot * imagebuildah: honor build output even if build container is not commited * chroot: honor DefaultErrnoRet * [CI:DOCS] improve pull-policy documentation * tests: retrofit test since --file does not supports dir * Switch to golang native error wrapping * BuildDockerfiles: error out if path to containerfile is a directory * define.downloadToDirectory: fail early if bad HTTP response * GHA: Allow re-use of 
Cirrus-Cron fail-mail workflow * add: fail on bad http response instead of writing to container * build(deps): bump github.com/stretchr/testify from 1.7.5 to 1.8.0 * [CI:DOCS] Update buildahimage comment * lint: inspectable is never nil * vendor: c/common to common@7e1563b * build: support OCI hooks for ephemeral build containers * [CI:BUILD] Install latest buildah instead of compiling * Add subid support with BuildRequires and BUILDTAG [NO NEW TESTS NEEDED] * build(deps): bump github.com/stretchr/testify from 1.7.2 to 1.7.5 * Make sure cpp is installed in buildah images * demo: use unshare for rootless invocations * buildah.spec.rpkg: initial addition * build: fix test for subid 4 * build(deps): bump github.com/spf13/cobra from 1.4.0 to 1.5.0 * build, userns: add support for --userns=auto * Fix building upstream buildah image * Remove redundant buildahimages-are-sane validation * Docs: Update multi-arch buildah images readme * Cirrus: Migrate multiarch build off github actions * retrofit-tests: we skip unused stages so use stages * stage_executor: dont rely on stage while looking for additional-context * buildkit, multistage: skip computing unwanted stages * More test cleanup * copier: work around freebsd bug for "mkdir /" * Replace $BUILDAH_BINARY with buildah() function * Fix up buildah images * Make util and copier build on FreeBSD * Vendor in latest github.com/sirupsen/logrus * build(deps): bump github.com/opencontainers/runc from 1.1.2 to 1.1.3 * Makefile: allow building without .git * run_unix: don't return an error from getNetworkInterface * run_unix: return a valid DefaultNamespaceOptions * Update vendor of containers/storage * chroot: use ActKillThread instead of ActKill * use resolvconf package from c/common/libnetwork * update c/common to latest main * copier: add `NoOverwriteNonDirDir` option * Sort buildoptions and move cli/build functions to internal * build(deps): bump github.com/fsouza/go-dockerclient from 1.8.0 to 1.8.1 * build(deps): bump 
github.com/docker/docker * build(deps): bump github.com/stretchr/testify from 1.7.1 to 1.7.2 * build(deps): bump github.com/containerd/containerd from 1.6.5 to 1.6.6 * Fix TODO: de-spaghettify run mounts * Move options parsing out of build.go and into pkg/cli * [CI:DOCS] Tutorial 04 - Include Debian/Ubuntu deps * build, multiarch: support splitting build logs for --platform * build(deps): bump github.com/containerd/containerd from 1.6.4 to 1.6.5 * [CI:BUILD] WIP Cleanup Image Dockerfiles * build(deps): bump github.com/fsouza/go-dockerclient from 1.7.11 to 1.8.0 * cli remove stutter * docker-parity: ignore sanity check if baseImage history is null * build, commit: allow disabling image history with --omit-history * Fix use generic/ambiguous DEBUG name * build(deps): bump github.com/containernetworking/cni from 1.1.0 to 1.1.1 * Cirrus: use Ubuntu 22.04 LTS * Fix codespell errors * Remove util.StringInSlice because it is defined in containers/common * buildah: add support for renaming a device in rootless setups * squash: never use build cache when computing last step of last stage * Update vendor of containers/(common, storage, image) * build(deps): bump github.com/golangci/golangci-lint in /tests/tools * buildkit: supports additionalBuildContext in builds via --build-context * test cleanup * buildah source pull/push: show progress bar * run: allow reusing secret twice in different RUN steps * test helpers: default to being rootless-aware * Add --cpp-flag flag to buildah build * build(deps): bump github.com/golangci/golangci-lint in /tests/tools * build: accept branch and subdirectory when context is git repo * build(deps): bump github.com/docker/docker * Vendor in latest containers/common * build(deps): bump github.com/opencontainers/runc from 1.1.1 to 1.1.2 * vendor: update c/storage and c/image * build(deps): bump github.com/golangci/golangci-lint in /tests/tools * Fix gentoo install docs * build(deps): bump github.com/docker/docker * copier: move NSS load to new
process * Add test for prevention of reusing encrypted layers * Make `buildah build --label foo` create an empty "foo" label again * Bump to v1.27.0-dev - Update to version 1.26.4: * tag v1.26.4 * build, multiarch: support splitting build logs for --platform * copier: add `NoOverwriteNonDirDir` option * docker-parity: ignore sanity check if baseImage history is null * build, commit: allow disabling image history with --omit-history * buildkit: supports additionalBuildContext in builds via --build-context * Add --cpp-flag flag to buildah build - Update to version 1.26.3: * release: bump to v1.26.3 * define.downloadToDirectory: fail early if bad HTTP response * add: fail on bad http response instead of writing to container * squash: never use build cache when computing last step of last stage * run: allow reusing secret twice in different RUN steps * integration tests: update expected error messages * integration tests: quote "?" in shell scripts * Use errors.Is() to check for storage errors * lint: inspectable is never nil * chroot: use ActKillThread instead of ActKill * chroot: honor DefaultErrnoRet * Bump dependencies * Set user namespace defaults correctly for the library * contrib/rpm/buildah.spec: fix `rpm` parser warnings - Drop requires on apparmor pattern, should be moved elsewhere for systems which want AppArmor instead of SELinux. - Drop binutils-gold workaround, no longer needed. - Update BuildRequires to libassuan-devel >= 2.5.2, pkgconfig file is required to build.
- Update to version 1.26.2: * Bump to v1.26.2 * Bump github.com/containers/storage from v1.40.2 to v1.40.3 * buildah: add support for renaming a device in rootless setups - Update to version 1.26.1: * Bump to v1.26.1 * Make `buildah build --label foo` create an empty "foo" label again * Bump to v1.26.0 * build(deps): bump github.com/containerd/containerd from 1.6.3 to 1.6.4 * imagebuildah,build: move deepcopy of args before we spawn goroutine * Vendor in containers/storage v1.40.2 * buildah.BuilderOptions.DefaultEnv is ignored, so mark it as deprecated * help output: get more consistent about option usage text * Handle OS version and features flags * buildah build: --annotation and --label should remove values * buildah build: add a --env * buildah: deep copy options.Args before performing concurrent build/stage * test: inline platform and builtinargs behaviour * vendor: bump imagebuilder to master/009dbc6 * build: automatically set correct TARGETPLATFORM where expected * build(deps): bump github.com/fsouza/go-dockerclient * Vendor in containers/(common, storage, image) * imagebuildah, executor: process arg variables while populating baseMap * buildkit: add support for custom build output with --output * Cirrus: Update CI VMs to F36 * fix staticcheck linter warning for deprecated function * Fix docs build on FreeBSD * build(deps): bump github.com/containernetworking/cni from 1.0.1 to 1.1.0 * copier.unwrapError(): update for Go 1.16 * copier.PutOptions: add StripSetuidBit/StripSetgidBit/StripStickyBit * copier.Put(): write to read-only directories * build(deps): bump github.com/cpuguy83/go-md2man/v2 in /tests/tools * Rename $TESTSDIR (the plural one), step 4 of 3 * Rename $TESTSDIR (the plural one), step 3 of 3 * Rename $TESTSDIR (the plural one), step 2 of 3 * Rename $TESTSDIR (the plural one), step 1 of 3 * build(deps): bump github.com/containerd/containerd from 1.6.2 to 1.6.3 * Ed's periodic test cleanup * using consistent lowercase 'invalid' word in returned err 
msg * Update vendor of containers/(common,storage,image) * use etchosts package from c/common * run: set actual hostname in /etc/hostname to match docker parity * update c/common to latest main * Update vendor of containers/(common,storage,image) * Stop littering * manifest-create: allow creating manifest list from local image * Update vendor of storage,common,image * Bump golang.org/x/crypto to 7b82a4e * Initialize network backend before first pull * oci spec: change special mount points for namespaces * tests/helpers.bash: assert handle corner cases correctly * buildah: actually use containers.conf settings * integration tests: learn to start a dummy registry * Fix error check to work on Podman * buildah build should accept at most one arg * tests: reduce concurrency for flaky bud-multiple-platform-no-run * vendor in latest containers/common,image,storage * manifest-add: allow override arch,variant while adding image * Remove a stray `\` from .containerenv * Vendor in latest opencontainers/selinux v1.10.1 * build, commit: allow removing default identity labels * Create shorter names for containers based on image IDs * test: skip rootless on cgroupv2 in root env * fix hang when oci runtime fails * Set permissions for GitHub actions * copier test: use correct UID/GID in test archives * run: set parent-death signals and forward SIGHUP/SIGINT/SIGTERM * Bump back to v1.26.0-dev * build(deps): bump github.com/opencontainers/runc from 1.1.0 to 1.1.1 * Included the URL to check the SHA - remove obsolete check for TW, SLE 15 & Leap 15 - add workaround for https://bugzilla.opensuse.org/show_bug.cgi?id=1183043 - Update to version 1.25.1: * Bump to v1.25.1 * buildah: create WORKDIR with USER permissions * vendor: update github.com/openshift/imagebuilder * copier: attempt to open the dir before adding it * Updated dependabot to get updates for GitHub actions. 
* Switch most calls to filepath.Walk to filepath.WalkDir * build: allow --no-cache and --layers so build cache can be overridden * build(deps): bump github.com/onsi/gomega from 1.18.1 to 1.19.0 * Bump to v1.26.0-dev * build(deps): bump github.com/golangci/golangci-lint in /tests/tools - fixes bsc#1197870 - Update to version 1.25.0: * Bump to v1.25.0 * install: drop RHEL/CentOS 7 doc * build(deps): bump github.com/containers/common from 0.47.4 to 0.47.5 * Bump c/storage to v1.39.0 in main * Add a test for CVE-2022-27651 * build(deps): bump github.com/docker/docker * Bump github.com/prometheus/client_golang to v1.11.1 * [CI:DOCS] man pages: sort flags, and keep them that way * build(deps): bump github.com/containerd/containerd from 1.6.1 to 1.6.2 * Don't pollute * network setup: increase timeout to 4 minutes * do not set the inheritable capabilities * build(deps): bump github.com/golangci/golangci-lint in /tests/tools * build(deps): bump github.com/containers/ocicrypt from 1.1.2 to 1.1.3 * parse: convert exposed GetVolumes to internal only * buildkit: mount=type=cache support locking external cache store * .in support: improve error message when cpp is not installed * buildah image: install cpp * build(deps): bump github.com/stretchr/testify from 1.7.0 to 1.7.1 * build(deps): bump github.com/spf13/cobra from 1.3.0 to 1.4.0 * build(deps): bump github.com/docker/docker * Add --no-hosts flag to eliminate use of /etc/hosts within containers * test: remove skips for rootless users * test: unshare mount/umount if test is_rootless * tests/copy: read correct containers.conf * build(deps): bump github.com/docker/distribution * cirrus: add separate task and matrix for rootless * tests: skip tests for rootless which need unshare * buildah: test rootless integration * vendor: bump c/storage to main/93ce26691863 * build(deps): bump github.com/fsouza/go-dockerclient from 1.7.9 to 1.7.10 * tests/copy: initialize the network, too * [CI:DOCS] remove references to Kubic for CentOS and
Ubuntu * build(deps): bump github.com/containerd/containerd from 1.6.0 to 1.6.1 * use c/image/pkg/blobcache * vendor c/image/v5@v5.20.0 * add: ensure the context directory is an absolute path * executor: docker builds must inherit healthconfig from base if any * docs: Remove Containerfile and containeringore * build(deps): bump github.com/fsouza/go-dockerclient from 1.7.8 to 1.7.9 * helpers.bash: Use correct syntax * speed up combination-namespaces test * build(deps): bump github.com/golangci/golangci-lint in /tests/tools * Bump back to 1.25.0-dev * build(deps): bump github.com/containerd/containerd from 1.5.9 to 1.6.0 - Update to version 1.24.2: * Bump to v1.24.2 * Increase subuid/subgid to 65535 * history: only add proxy vars to history if specified * run_linux: use --systemd-cgroup * buildah: new global option --cgroup-manager * Makefile: build with systemd when available * build(deps): bump github.com/fsouza/go-dockerclient from 1.7.7 to 1.7.8 * Bump c/common to v0.47.4 * Cirrus: Use updated VM images * conformance: add a few "replace-directory-with-symlink" tests * Bump back to v1.25.0-dev - Update to version 1.24.1: * overlay: always honor mountProgram by @giuseppe in https://github.com/containers/buildah/pull/3750 * build(deps): bump github.com/onsi/gomega from 1.18.0 to 1.18.1 by @dependabot in https://github.com/containers/buildah/pull/3754 * imagebuildah.BuildDockerfiles(): create the jobs semaphore by @nalind in https://github.com/containers/buildah/pull/3753 * build(deps): bump github.com/containers/storage from 1.38.1 to 1.38.2 by @dependabot in https://github.com/containers/buildah/pull/3760 * System tests: fix accidental vandalism of source dir by @edsantiago in https://github.com/containers/buildah/pull/3761 * Update vendor of containers/storage and containers/common by @rhatdan in https://github.com/containers/buildah/pull/3759 * Bump version of containers/image and containers/common by @rhatdan in https://github.com/containers/buildah/pull/3764 * 
Update vendor of openshift/imagebuilder by @rhatdan in https://github.com/containers/buildah/pull/3765 * caps: fix buildah run --cap-add=all by @rhatdan in https://github.com/containers/buildah/pull/3766 * stage_executor: Add support for inline `FROM --platform=` within Containerfile/Dockerfile by @flouthoc in https://github.com/containers/buildah/pull/3757 * Full Changelog: https://github.com/containers/buildah/compare/v1.24.0...v1.24.1 - Update to version 1.24.0: * Bump to v1.24.0 * Update vendor of containers/common * build(deps): bump github.com/golangci/golangci-lint in /tests/tools * Github-workflow: Report both failures and errors. * build(deps): bump github.com/containers/image/v5 from 5.18.0 to 5.19.0 * Update docs/buildah-build.1.md * [CI:DOCS] Fix typos and improve language * buildah bud --network add support for custom networks * Make pull commands be consistent * docs/buildah-build.1.md: don't imply that -v isn't just a RUN thing * build(deps): bump github.com/onsi/gomega from 1.17.0 to 1.18.0 * Vendor in latest containers/image * Run codespell on code * .github/dependabot.yml: add tests/tools go.mod * CI: rm git-validation, add GHA job to validate PRs * tests/tools: bump go-md2man to v2.0.1 * tests/tools/Makefile: simplify * tests/tools: bump onsi/ginkgo to v1.16.5 * vendor: bump c/common and others * mount: add support for custom upper and workdir with overlay mounts * linux: fix lookup for runtime * overlay: add MountWithOptions to API which extends support for advanced overlay * Allow processing of SystemContext from FlagSet * .golangci.yml: enable unparam linter * util/resolveName: rm bool return * tests/tools: bump golangci-lint * .gitignore: fixups * all: fix capabilities.NewPid deprecation warnings * bind/mount.go: fix linter comment * all: fix gosimple warning S1039 * tests/e2e/buildah_suite_test.go: fix gosimple warnings * imagebuildah/executor.go: fix gosimple warning * util.go: fix gosimple warning * build(deps): bump
github.com/opencontainers/runc from 1.0.3 to 1.1.0 * Enable git-daemon tests * Allow processing of id options from FlagSet * Cirrus: Re-order tasks for more parallelism * Cirrus: Freshen VM images * Fix platform handling for empty os/arch values * Allow processing of network options from FlagSet * Fix permissions on secrets directory * Update containers/image and containers/common * bud.bats: use a local git daemon for the git protocol test * Allow processing of common options from FlagSet * Cirrus: Run int. tests in parallel with unit * vendor c/common * Fix default CNI paths * build(deps): bump github.com/fsouza/go-dockerclient from 1.7.6 to 1.7.7 * multi-stage: enable mounting stages across each other with selinux enabled * executor: Share selinux label of first stage with other stages in a build * buildkit: add from field to bind and cache mounts so images can be used as source * Use config.ProxyEnv from containers/common * use libnetwork from c/common for networking * setup the netns in the buildah parent process * build(deps): bump github.com/containerd/containerd from 1.5.8 to 1.5.9 * build(deps): bump github.com/fsouza/go-dockerclient from 1.7.4 to 1.7.6 * build: fix libsubid test * Allow callers to replace the ContainerSuffix * parse: allow parsing anomaly non-human value for memory control group * .cirrus: remove static_build from ci * stage_executor: re-use all possible layers from cache for squashed builds * build(deps): bump github.com/spf13/cobra from 1.2.1 to 1.3.0 * Allow rootless buildah to set resource limits on cgroup V2 * build(deps): bump github.com/docker/docker * tests: move buildkit mount tests files from TESTSDIR to TESTDIR before modification * build(deps): bump github.com/opencontainers/runc from 1.0.2 to 1.0.3 * Wire logger through to config * copier.Put: check for is-not-a-directory using lstat, not stat * Turn on rootless cgroupv2 tests * Grab all of the containers.conf settings for namespaces. 
* image: set MediaType in OCI manifests * copier: RemoveAll possibly-directories * Simple README fix * images: accept multiple filter with logical AND * build(deps): bump github.com/containernetworking/cni from 0.8.1 to 1.0.1 * Update vendor of container/storage * build(deps): bump github.com/onsi/gomega from 1.16.0 to 1.17.0 * build(deps): bump github.com/containers/image/v5 from 5.16.1 to 5.17.0 * Make LocalIP public function so Podman can use it * Fix UnsetEnv for buildah bud * Tests should rely only on static/unchanging images * run: ensure that stdio pipes are labeled correctly * build(deps): bump github.com/docker/docker * Cirrus: Bump up to Fedora 35 & Ubuntu 21.10 * chroot: don't use the generate default seccomp filter for unit tests * build(deps): bump github.com/containerd/containerd from 1.5.7 to 1.5.8 * ssh-agent: Increase timeout before we explicitly close connection * docs/tutorials: update * Clarify that manifest defaults to localhost as the registry name * "config": remove a stray bit of debug output * "commit": fix a flag typo * Fix an error message: unlocking vs locking * Expand the godoc for CommonBuildOptions.Secrets * chroot: accept an "rw" option * Add --unsetenv option to buildah commit and build * define.TempDirForURL(): show CombinedOutput when a command fails * config: support the variant field * rootless: do not bind mount /sys if not needed * Fix tutorial to specify command on buildah run line * build: history should not contain ARG values * docs: Use guaranteed path for go-md2man * run: honor --network=none from builder if nothing specified * networkpolicy: Should be enabled instead of default when explicitly set * Add support for env var secret sources * build(deps): bump github.com/docker/docker * fix: another non-portable shebang * Rootless containers users should use additional groups * Support overlayfs path contains colon * Report ignorefile location when no content added * Add support for host.containers.internal in the /etc/hosts
* build(deps): bump github.com/onsi/ginkgo from 1.16.4 to 1.16.5 * imagebuildah: fix nil deref * buildkit: add support for mount=type=cache * Default secret mode to 400 * [CI:DOCS] Include manifest example usage * docs: update buildah-from, buildah-pull 'platform' option compatibility notes * docs: update buildah-build 'platform' option compatibility notes * De-dockerize the man page as much as possible * [CI:DOCS] Touch up Containerfile man page to show ARG can be 1st * docs: Fix and Update Containerfile man page with supported mount types * mount: add tmpcopyup to tmpfs mount option * buildkit: Add support for --mount=type=tmpfs * build(deps): bump github.com/opencontainers/selinux from 1.8.5 to 1.9.1 * Fix command doc links in README.md * build(deps): bump github.com/containers/image/v5 from 5.16.0 to 5.16.1 * build: Add support for buildkit like --mount=type=bind * Bump containerd to v1.5.7 * build(deps): bump github.com/docker/docker * tests: stop pulling php, composer * Fix .containerignore link file * Cirrus: Fix defunct package metadata breaking cache * build(deps): bump github.com/containers/storage from 1.36.0 to 1.37.0 * buildah build: add --all-platforms * Add man page for Containerfile and .containerignore * Plumb the remote logger throughout Buildah * Replace fmt.Sprintf("%d", x) with strconv.Itoa(x) * Run: Cleanup run directory after every RUN step * build(deps): bump github.com/containers/common from 0.45.0 to 0.46.0 * Makefile: adjust -ldflags/-gcflags/-gccgoflags depending on the go implementation * Makefile: check for `-race` using `-mod=vendor` * imagebuildah: fix an attempt to write to a nil map * push: support to specify the compression format * conformance: allow test cases to specify dockerUseBuildKit * build(deps): bump github.com/containers/common from 0.44.1 to 0.45.0 * build(deps): bump github.com/containers/common from 0.44.0 to 0.44.1 * unmarshalConvertedConfig(): handle zstd compression * tests/copy/copy: wire up compression options *
Update to github.com/vbauerster/mpb v7.1.5 * Add flouthoc to OWNERS * build: Add additional step nodes when labels are modified * Makefile: turn on race detection whenever it's available * conformance: add more tests for exclusion short-circuiting * Update VM Images + Drop prior-ubuntu testing * Bump to v1.24.0-dev * bump containernetworking/cni to v0.8.1 - fix for CVE-2021-20206 (bsc#1181961) * Add CVE-2020-10696 to CHANGELOG.md and changelog.txt (bsc#1167864) * bump containernetworking/cni library to v0.8.1 - fix for CVE-2021-20206 (bsc#1181961) * Add CVE-2020-10696 to CHANGELOG.md and changelog.txt (bsc#1167864) * Fix potential CVE in tarfile w/ symlink (CVE-2020-10696 / bsc#1167864) ----------------------------------------------------------------------------- o Updated build-compare (security/bugfix/feature) - Trim "PROVIDES" from source rpms (#59, bsc#1205998) - move license to licensedir - spec file cleanups - fix compatibility with older sed (#55) - handle more setuid/setgid ELF variants (#54) - fix objdump parsing for non-executable sections (#53) - fix objdump parsing (#52) - handle -a also in same-build-result.sh - Find rpmlint.log in more places - fix logic error in appstream comparison - rework exit handling in same-build-result.sh - Fix result in case no rpmlint.log exist - remove count of checks and packages from rpmlint.log - remove Check time report from rpmlint.log - ELF diffing performance improvements - unpack packages in parallel - Add zstd handling - Add extra handling for KMP versions - Fix build-compare for shadow package - Properly drop another duration from rpmlint.log - Drop another duration from rpmlint.log - Handle another Date: variant in DocBook generated man pages - Make output more diffable and readable - Fix regression in compare_archive - Fix unit tests - Remove usage of readarray to remain compatible with bash3 - Remove warning about python mtime mismatch, a republish will not help (bsc#915948) 
----------------------------------------------------------------------------- o Updated build (security/bugfix/feature) - CycloneDX SBOM support added - added support for generating VCS url information into rpms - SPDX SBOM generation for container and product builds - Revert & Redo "Better filetype detection for temp changes files" - Fix typo in glibc hwcaps supplements - Implement lua string macros - configure mkbaselibs to create glibc-hwcaps baselibs as well - Better filetype detection for temp changes files - Add hook to run checks after mkbaselibs run - Delete leftover multilinedefine variable definition - Support multiline macros in the config's macro sections - Support #!BuildConstraint lines - Support #!BuildTarget in spec files to set the build target (as workaround of broken BuildArch in rpm since 2001) - Support a regexp for file renames - Set home to /root when running build time services - INCOMPATIBLE CHANGE: get rid off the power8 cpu limitation (#889) on powerpc - Add handling of non-compressed tar when creating Debian archive for DSC 3.0 - Add automatic build-in-place detection - Support dist/package subdir builds in pbuild - Skip iothreads on QEMU 7.1.0 - Fix permissions of /dev/pts/ptmx - Add license to container package list output - initial SP5 build configurations - vm-type:qemu use virtio on x86_64 - Improve installation of obs-docker-support for multi-stage builds - Tweak ARG handling in dockerfile parser - fixed Undefined subroutine &PBuild::Job::ls issue - Add missing dependencies from vc as Recommends - fix build of testsuite spec file - sync factory build config - build-recipe-livebuild: run as root - vm_kill_kvm: Use SIGKILL after 3 minutes if the kvm process is not going away - Zip: Allow extraction of symlink targets - Convert obsolete egrep/fgrep calls to grep -E/-F - Add RemoteAsset support for Dockerfile based builds - new image format: mkosi - Support stacked container builds - Revert "build-vm-kvm: enable l3-cache on i386/x86_64 
builds" - handling of non-compressed tar when creating Debian archive for DSC 3.0 - kvm: exclude powerpc from io_uring, enable iothreads always (#829) - kvm: enable more performant I/O also for s390(x) (#828) - Changelog patching when building DSC format 3.0. (#831) - support for building from slsa provenance files - Revert "avoid aio=io_uring for now on SLE15-SP4 workers" - deb: defer dpkg triggers until all packages are installed, and disable man-db altogether - Add support of Debian Source format 3.0 (quilt) - Stop building aarch64_ilp32 baselibs for aarch64 - avoid aio=io_uring for now on SLE15-SP4 workers - Update SLE 15 SP4 and Leap 15.4 build config (bsc#1198740) - Use aio=io_uring if available (bsc#1197699) (build#814) - Add arm32 and loongarch definitions (build#808) - Add compatibility code to initvm - Use upstream way of binfmt argv0 preservation (bsc#1197298) (build#809) - Add template support for Build::SimpleJSON - minor documentation updates - docker: Add support for --root and --installroot global zypper options - debian cross build support via multi-arch (obsoleting cbinstall remnants) - Tumbleweed config synced - documentation updates - smaller bugfixes - regression fix from last release, avoid calling shutdown handler twice when building in vm Changes: * pbuild: add --debug option for building debuginfo packages * rename --debug to --debuginfo to be more exact. * docu: add buildflags:ccachtype and OBS-DoNotAppendProfileToContainername Fixes: * Avoid shutdown of host when using nspawn Features: * download_assets: add --outdir --clean --show-dir-srcmd5 parameters support multiple --arch arguments * asset support for golang modules * add support for LXC 4. * new shortcuts for rpm building: - -rpm-noprep, --rpm-build-in-place, --rpm-build-in-place-noprep for building directly from upstream git repositories without any tar ball. * mount securityfs if not mounted by kernel-obs-build * collect steal time during VM builds in statistics.
* declare armv8 and armv7 compatible * support OBS Debuginfo build flag for Red Hat variants * setup rpmmacros for all build types and earlier * Kiwi builds - Always append the profile name to kiwi container names * Dockerfile build - improve registry handling - initial Dockerfile.dapper support - support 'curl' commands in docker builds - strip known domains from container name - support container alias names * introducing --verbose option, currently only showing kernel messages. * support cpio creation for special files * handle QEMU >= 6.0 on POWER9 Changes: * Use git+https instead of git-https as url schema * add oops=panic kernel parameter * Updated distribution configurations (esp. Leap 15.4 and Tumbleweed) * new preinstallimages are using zstd by default * source subdirectories are used in git managed sources Minor improvements * change sccache default size limit * speed up improvements in - vm shutdown - rpm preinstall - avoid calling external commands in a loop - using zstd for preinstallimages - no more unpacking progress indicators to avoid slowdown - virtio handling * fixed vm-type=qemu * multiple smaller bugfixes and speed improvements - renamed tumbleweed config to tumbleweed - synced tumbleweed config changes - initial config for Leap 15.4 - docker build environment * Use /.dockerenv as marker for docker environment * support privileged docker/nspawn mode * move --cap-add=SYS_ADMIN --cap-add=MKNOD to privileged mode * initvm: do not attempt to mount /proc and binfmt_misc handler if present - pbuild * rename --hide-timestamps to --no-timestamps * reuse options from older builds * revised --single build mode * support ccache - Unify ccache and sccache handling Features: - deb zstd support (for Ubuntu 21.10) - support KVM builds with enabled network - modulemd support improvements - Support a "Distmacro" directive for recipe parser-only macros Fixes: - Load selinux policy when using a preinstall image - Use the pax format for preinstall images if bsdtar 
is available - Add %riscv to std_macros - Fix combine_configs dropping newlines pbuild: - Implement SCC calculation - Improve --shell-after-build and --single options - initial documentation of pbuild - Bugfixes - Fix unpacking of deb/arch archives without bsdtar - fixed regression in multiline macro evaluation from 20th August release Features: - cross architecture build support (for rpm and kiwi) - modulemd meta data support - pbuild to build multiple source packages (initial release, can not be considered stable yet) - supporting external asset stores for source files - support multiple post build checks placed in the directory: /usr/lib/build/post-build-checks/ - sccache support - New --shell-after-fail option - allow to disable squashfs in SimpleImage - supporting aarch64 kernel on armv?l distributions - kiwi: Add support for OBS-RemoteAsset and OBS-CopyToImage directives - container: FROM scratch build support Improvements: - supporting kvm builds as non-root user - Extend stage selection support for rpm builds - various distribution config updates - Support "BuildFlags: cumulaterpms" (was done only via suse_version before) Fixes: - container builds * support newer podman versions * supporting multiple containers for multi-stage builds - Supporting URL's in Flatpak manifests - epoch handling in debian builds - catch more cases where a failed build is marked as host error - fixing wrong status reporting when a job got killed - hugetlbfs handling fixes - try mounting selinuxfs in VM - Also create the /sys dir when preinstalling (to satisfy dracut) - various XML parser fixes - and many minor ones ----------------------------------------------------------------------------- o Added busybox-links (feature) ## WARNING - the following diff is a head -20 proposal * Tue Mar 15 2022 dmueller@suse.com - replace copy from buildroot's gzip with a reimplementation that is not GPLv3 (jsc#PM-3301) * Thu Feb 10 2022 kukuk@suse.com - Drop update-alternatives support * Fri Oct 
22 2021 schubi@suse.de - Removed libalternatives mechanism. Using direct link from /usr/bin/busybox to /usr/bin/sh. The package is conflicting with the new packages bash-sh which has a link for /usr/bin/sh too. * Wed Aug 18 2021 schubi@suse.com - Use libalternatives instead of update-alternatives. * Mon Aug 02 2021 kukuk@suse.com - Add shadow as BuildRequires ----------------------------------------------------------------------------- o Updated busybox (security/bugfix/feature) - Add e63d7cdf.patch: awk: fix use after free (CVE-2022-30065, boo#1199744). - Fix build under SLE-12 - Annotate CVEs already fixed in upstream, but not mentioned in .changes: * CVE-2014-9645 (bsc#914660): strips of / in module names that can lead to loading unwanted modules - prepare spec file for rpmbuild --build-in-place --noprep - use bcond for static and ww3 subpackages - fix verbose flag - Enable switch_root With this change virtme --force-initramfs works as expected. - Enable udhcpc - BuildRequire hostname: the test suite wants to compare the output of 'hostname' against 'busybox hostname'. We should not rely on hostname to be present in the build environment. - Update to 1.35.0 - awk: fix printf %%, fix read beyond end of buffer - chrt: silence analyzer warning - libarchive: remove duplicate forward declaration - mount: "mount -o rw ...."
should not fall back to RO mount - ps: fix -o pid=PID,args interpreting entire "PID,args" as header - tar: prevent malicious archives with long name sizes causing OOM - udhcpc6: fix udhcp_find_option to actually find DHCP6 options - xxd: fix -p -r - support for new options added to basename, cpio, date, find, mktemp, wget and others - Adjust busybox.config for new features in find, date and cpio - Annotate CVEs already fixed in upstream, but not mentioned in .changes: * CVE-2017-16544 (bsc#1069412): Insufficient sanitization of filenames when autocompleting * CVE-2015-9261 (bsc#1102912): huft_build misuses a pointer, causing segfaults * CVE-2016-2147 (bsc#970663): out of bounds write (heap) due to integer underflow in udhcpc * CVE-2016-2148 (bsc#970662): heap-based buffer overflow in OPTION_6RD parsing * CVE-2016-6301 (bsc#991940): NTP server denial of service flaw * CVE-2017-15873 (bsc#1064976): The get_next_block function in archival/libarchive/decompress_bunzip2.c has an Integer Overflow * CVE-2017-15874 (bsc#1064978): archival/libarchive/decompress_unlzma.c has an Integer Underflow * CVE-2019-5747 (bsc#1121428): out of bounds read in udhcp components * CVE-2021-42373, CVE-2021-42374, CVE-2021-42375, CVE-2021-42376, CVE-2021-42377, CVE-2021-42378, CVE-2021-42379, CVE-2021-42380, CVE-2021-42381, CVE-2021-42382, CVE-2021-42383, CVE-2021-42384, CVE-2021-42385, CVE-2021-42386 (bsc#1192869): v1.34.0 bugfixes - CVE-2021-28831 (bsc#1184522): invalid free or segmentation fault via malformed gzip data - CVE-2018-20679 (bsc#1121426): out of bounds read in udhcp - CVE-2018-1000517 (bsc#1099260): Heap-based buffer overflow in the retrieve_file_data() - CVE-2011-5325 (bsc#951562): tar directory traversal - CVE-2018-1000500 (bsc#1099263): wget: Missing SSL certificate validation ----------------------------------------------------------------------------- o Updated ca-certificates-mozilla (security/bugfix/feature) - Updated to 2.60 state of Mozilla SSL root CAs (bsc#1206622)
Removed CAs: - Global Chambersign Root - EC-ACC - Network Solutions Certificate Authority - Staat der Nederlanden EV Root CA - SwissSign Platinum CA - G2 Added CAs: - DIGITALSIGN GLOBAL ROOT ECDSA CA - DIGITALSIGN GLOBAL ROOT RSA CA - Security Communication ECC RootCA1 - Security Communication RootCA3 Changed trust: - TrustCor certificates only trusted up to Nov 30 (bsc#1206212) - Removed CAs (bsc#1206212) as most code does not handle "valid before nov 30 2022" and it is not clear how many certs were issued for SSL middleware by TrustCor: - TrustCor RootCert CA-1 - TrustCor RootCert CA-2 - TrustCor ECA-1 Patch: remove-trustcor.patch - Updated to 2.56 state of Mozilla SSL root CAs (bsc#1202868) Added: - Certainly Root E1 - Certainly Root R1 - DigiCert SMIME ECC P384 Root G5 - DigiCert SMIME RSA4096 Root G5 - DigiCert TLS ECC P384 Root G5 - DigiCert TLS RSA4096 Root G5 - E-Tugra Global Root CA ECC v3 - E-Tugra Global Root CA RSA v3 Removed: - Hellenic Academic and Research Institutions RootCA 2011 - Updated to 2.54 state of Mozilla SSL root CAs (bsc#1199079) Added: - Autoridad de Certificacion Firmaprofesional CIF A62634068 - D-TRUST BR Root CA 1 2020 - D-TRUST EV Root CA 1 2020 - GlobalSign ECC Root CA R4 - GTS Root R1 - GTS Root R2 - GTS Root R3 - GTS Root R4 - HiPKI Root CA - G1 - ISRG Root X2 - Telia Root CA v2 - vTrus ECC Root CA - vTrus Root CA Removed: - Cybertrust Global Root - DST Root CA X3 - DigiNotar PKIoverheid CA Organisatie - G2 - GlobalSign ECC Root CA R4 - GlobalSign Root CA R2 - GTS Root R1 - GTS Root R2 - GTS Root R3 - GTS Root R4 - updated to 2.50 state of the Mozilla NSS Certificate store (bsc#1188006) - Added CAs: + HARICA Client ECC Root CA 2021 + HARICA Client RSA Root CA 2021 + HARICA TLS ECC Root CA 2021 + HARICA TLS RSA Root CA 2021 + TunTrust Root CA - Updated to 2.46 state of the Mozilla NSS Certificate store (bsc#1181994) - Added new root CAs: - NAVER Global Root Certification Authority - Removed old root CA: - GeoTrust Global CA - 
GeoTrust Primary Certification Authority - GeoTrust Primary Certification Authority - G3 - GeoTrust Universal CA - GeoTrust Universal CA 2 - thawte Primary Root CA - thawte Primary Root CA - G2 - thawte Primary Root CA - G3 - VeriSign Class 3 Public Primary Certification Authority - G4 - VeriSign Class 3 Public Primary Certification Authority - G5 ----------------------------------------------------------------------------- o Updated capnproto (security/bugfix/feature) - Add capnproto-CVE-2022-46149.patch: Backport from upstream, apply data offset for list-of-pointers at access time rather than ListReader creation time(bsc#1205968, CVE-2022-46149). ----------------------------------------------------------------------------- o Added capstone (feature) ## WARNING - the following diff is a head -20 proposal * Sun Aug 16 2020 dmueller@suse.com - update to 4.0.2 Windows kernel-mode driver support - Add armv8, ppc32 & thumbv8 modes - Print instruction ID - Support CS_OPT_UNSIGNED for ATT syntax - Fix operand size for some instructions - Fix LOCK prefixes - Recognize xacquire/xrelease prefix - Fix call/jmp access mode of mem operand - Add ENDBR32, ENDBR64 to reduce mode - Other minor fixes - Support CS_OPT_UNSIGNED - Fix register access flags for memory instructions - Fix UMOV vess - Update writeback for STR_POST_REG - Store correct register value in op.reg_pair ----------------------------------------------------------------------------- o Updated c-ares (security/bugfix/feature) - Update to version 1.19.0 Security: * Low. Stack overflow in ares_set_sortlist() which is used during c-ares initialization and typically provided by an administrator and not an end user. (bsc#1208067, CVE-2022-4904) Changes: * Add ARES_OPT_HOSTS_FILE similar to ARES_OPT_RESOLVCONF for specifying a custom hosts file location. Bug fixes: * Fix memory leak in reading /etc/hosts when using localhost fallback. * Fix chain building c-ares when libresolv is already included by another project. 
* File lookup should not immediately abort as there may be other tries due to search criteria. * Asterisks should be allowed in host validation as CNAMEs may reference wildcard domains. * AutoTools build system referenced bad STDC_HEADERS macro. * Even if one address class returns a failure for ares_getaddrinfo() we should still return the results we have. * Fix ares_getaddrinfo() numerical address resolution with AF_UNSPEC * Fix tools and help information. * Various documentation fixes and cleanups. * Add include guards to ares_data.h * c-ares could try to exceed maximum number of iovec entries supported by system. * The RFC6761 6.3 states localhost subdomains must be offline too - update to 1.18.1. Changes since 1.17.2: * Allow '/' as a valid character for a returned name for CNAME in-addr.arpa delegation * no longer forwards requests for localhost resolution per RFC6761 * During a domain search, treat ARES_ENODATA as ARES_NXDOMAIN so that the search process will continue to the next domain in the search. 
* Provide ares_nameser.h as a public interface as needed by NodeJS * Add support for URI(Uniform Resource Identifier) records via ares_parse_uri_reply() - disable unit tests for SLE12 since GCC compiler too old to build unit tests - 5c995d5.patch: upstreamed - disable-live-tests.patch: refreshed - new upstream website - drop multibuild - tests do not require static library anymore - spec file cleanup - drop sources that were re-added to upstream distribution (c-ares-config.cmake.in ares_dns.h libcares.pc.cmake) - update to 1.17.2: Security: * When building c-ares with CMake, the RANDOM_FILE would not be set and therefore downgrade to the less secure random number generator it would cause a crash * Expand number of escaped characters in DNS replies as per RFC1035 5.1 to prevent spoofing follow-up (bsc#1188881, CVE-2021-3672) * Perform validation on hostnames to prevent possible XSS due to applications not performing validation themselves Changes: * ares_malloc(0) is now defined behavior (returns NULL) rather than system-specific to catch edge cases Bug fixes: * Building tests should not force building of static libraries except on Windows * Relative headers must use double quotes to prevent pulling in a system library for details see, https://c-ares.haxx.se/changelog.html#1_17_2 - update to 1.17.1: Travis: add iOS target built with CMake (#378) Issue #377 suggested that CMake builds for iOS with c-ares were broken. This PR adds an automatic Travis build for iOS CMake. - fix build External projects were using non-public header ares_dns.h, make public again (#376) It appears some outside projects were relying on macros in ares_dns.h, even though it doesn't appear that header was ever meant to be public. That said, we don't want to break external integrators so we should distribute this header again.
- note that so versioning has moved to configure.ac - note about 1.17.1 - fix sed gone wrong autotools cleanup (#372) * buildconf: remove custom logic with autoreconf - remove missing_header.patch (upstream) ----------------------------------------------------------------------------- o Added cargo-auditable (feature) ## WARNING - the following diff is a head -20 proposal * Thu Nov 03 2022 william.brown@suse.com - Initial commit ----------------------------------------------------------------------------- o Updated catatonit (security/bugfix/feature) - Update to catatonit v0.1.7 - This release adds the ability for catatonit to be used as the only process in a pause container, by passing the -P flag (in this mode no subprocess is spawned and thus no signal forwarding is done). - Add 99bb9048f.patch: configure.ac: call AM_INIT_AUTOMAKE only once. Fix build with autoconf 2.71 / automake 1.16.5. - Update to catatonit v0.1.6, which fixes a few bugs -- mainly ones related to socket activation or features somewhat adjacent to socket activation (such as passing file descriptors). - Update catatonit-rpmlintrc in order to cover that static binaries are now an error not a warning. ----------------------------------------------------------------------------- o Updated cepces (security/bugfix/feature) - Make the openssl security level configurable; (bsc#1204788). - Fix cepces won't compile on SLE15SP5; (bsc#1203273).
----------------------------------------------------------------------------- o Updated ceph (security/bugfix/feature) - Update to 16.2.9-536-g41a9f9a5573: + (bsc#1195359, bsc#1200553) rgw: check bucket shard init status in RGWRadosBILogTrimCR + (bsc#1194131) ceph-volume: honour osd_dmcrypt_key_size option (CVE-2021-3979) - Update to 16.2.9-158-gd93952c7eea: + cmake: check for python(\d)\.(\d+) when building boost + make-dist: patch boost source to support python 3.10 - Update to ceph-16.2.9-58-ge2e5cb80063: + (bsc#1200064, pr#480) Remove last vestiges of docker.io image paths - Update to 16.2.9.50-g7d9f12156fb: + (jsc#SES-2515) High-availability NFS export + (bsc#1196044) cephadm: prometheus: The generatorURL in alerts is only using hostname + (bsc#1196785) cephadm: avoid crashing on expected non-zero exit - Update to 16.2.7-969-g6195a460d89 + (jsc#SES-2515) High-availability NFS export ----------------------------------------------------------------------------- o Updated certmonger (security/bugfix/feature) - Use "pkgconfig(systemd)" for the BR to allow hacksaw systemd-mini package to satisfy dependencies in the openSUSE Build Service. - Add buildrequires on systemd which is required for correct installation of the .service file. - Update to 0.79.13 ----------------------------------------------------------------------------- o Updated cifs-utils (security/bugfix/feature) - Update to version 6.15 * CVE-2022-27239: mount.cifs: fix length check for ip option parsing Previous check was true whatever the length of the input string was, leading to a buffer overflow in the subsequent strcpy call (bsc#1197216). 
* mount.cifs: fix verbose messages on option parsing (bsc#1198976, CVE-2022-29869) * 0001-cifs.upcall-fix-regression-in-kerberos-mount.patch * 0001-cifs.upcall-try-to-use-container-ipc-uts-net-pid-mnt.patch * add 0001-cifs.upcall-fix-regression-in-kerberos-mount.patch * add 0001-cifs.upcall-try-to-use-container-ipc-uts-net-pid-mnt.patch ----------------------------------------------------------------------------- o Updated ckermit (security/bugfix/feature) - add patch ckermit-libio-removal.patch FTBFS fix build after libio removal with glibc-2.28 (bsc#1197708, also gentoo#685096) ----------------------------------------------------------------------------- o Updated clamav (security/bugfix/feature) - Update to 0.103.8 * CVE-2023-20032: Fixed a possible remote code execution vulnerability in the HFS+ file parser. Issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. (bsc#1208363) * CVE-2023-20052: Fixed a possible remote information leak vulnerability in the DMG file parser. Issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. (bsc#1208365) * Update vendored libmspack library to version 0.11alpha. - bsc#1202986: Update to 0.103.7: * Upgrade the vendored UnRAR library to version 6.1.7. * Fix logical signature "Intermediates" feature. * Relax constraints on slightly malformed zip archives that contain overlapping file entries. - Update to 0.103.6 * CVE-2022-20770: Fixed a possible infinite loop vulnerability in the CHM file parser. Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions. (boo#1199242) * CVE-2022-20796: Fixed a possible NULL-pointer dereference crash in the scan verdict cache check. Issue affects versions 0.103.4, 0.103.5, 0.104.1, and 0.104.2. (boo#1199246) * CVE-2022-20771: Fixed a possible infinite loop vulnerability in the TIFF file parser. Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions. 
The issue only occurs if the "--alert-broken-media" ClamScan option is enabled. For ClamD, the affected option is "AlertBrokenMedia yes", and for libclamav it is the "CL_SCAN_HEURISTIC_BROKEN_MEDIA" scan option. (boo#1199244) * CVE-2022-20785: Fixed a possible memory leak in the HTML file parser / Javascript normalizer. Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions. (boo#1199245) * CVE-2022-20792: Fixed a possible multi-byte heap buffer overflow write vulnerability in the signature database load module. The fix was to update the vendored regex library to the latest version. Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions. (boo#1199274) * ClamOnAcc: Fixed a number of assorted stability issues and added niceties for debugging ClamOnAcc. * Fixed an issue causing byte-compare subsignatures to cause an alert when they match even if other conditions of the given logical signatures were not met. * Fix memleak when using multiple byte-compare subsignatures. This fix was backported from 0.104.0. * Assorted bug fixes and improvements. - Remove upstreamed clamav-ck_assert_msg.patch ----------------------------------------------------------------------------- o Updated clamsap (security/bugfix/feature) - Fix XML MIME type detection using libmagic - (bsc#1200699) L3: clamsap threat XML file like a virus - 0.104.3 (jsc#PED-805) - Update to version 0.104 (jsc#PED-805) Update clamsap to current version - and update regularly * Relax javascript check in PDF * use https source url, also https URL * Wildcard support for MIME type lists * Fix SAR file content scan * Add option for PDF active content * Remove own default settings from VsaGetConfig and rely on clamav defaults * Change default virusname in case clamav does not return any virus name. 
* Limit pcre calls * Increase Version because tested with latest clam engine * Support new parameter SCANHEURISTICLEVEL ----------------------------------------------------------------------------- o Updated clone-master-clean-up (security/bugfix/feature) - Bump version to 1.10 - clone-master-clean-up fails if postfix is not installed (bsc#1204835) Check if the directory exists. - Bump version to 1.9 - [clone-master-clean-up] Cleanup initiatorname.iscsi Remove all no comment files (bsc#1203024) - Bump version to 1.8 - clone-master-clean-up fails to remove btrfs snapshots (bsc#1203651) - Bump version to 1.7 - CVE-2021-32000: fix some potentially dangerous file system operations (bsc#1181050) ----------------------------------------------------------------------------- o Updated cloud-regionsrv-client (security/bugfix/feature) - Update to version 10.0.8 (bsc#1206428) - Fix regression introduced by 10.0.7. When the hosts file was modified such that there is no empty line at the end of the file the content after removing the registration data does not match the content prior to registration. The update fixes the issue triggered by an index logic error. - Guard dmidecode dependency (bsc#1206082) - Update to version 10.0.7 (bsc#1191880, bsc#1195925, bsc#1195924) - Implement functionality to detect if an update server has a new cert. Import the new cert when it is detected. - Forward port fix-for-sles12-disable-ipv6.patch - From 10.0.6 (bsc#1205089) - Credentials are equal when username and password are the same ignore other entries in the credentials file - Handle multiple zypper names in process table, zypper and Zypp-main to properly detect the running process - Add patch to block IPv6 on SLE12 (bsc#1203382) - Follow up fix to 10.0.4 (bsc#1202706) - While the source code was updated to support SLE Micro the spec file was not updated for the new locations of the cache and the certs. Update the spec file to be consistent with the code implementation.
- Update to version 10.0.5 (bsc#1201612) - Handle exception when trying to deregister a system from the server - Update to version 10.0.4 (bsc#1199668) - Store the update server certs in the /etc path instead of /usr to accommodate read only setup of SLE-Micro ----------------------------------------------------------------------------- o Updated cloud-regionsrv (security/bugfix/feature) - Update to version 8.1.3 (bsc#1195925, bsc#1195924, bsc#1191880) + In order for the client to handle cert changes properly we need to send location information from the server. Otherwise fail over may end up in a different region. ----------------------------------------------------------------------------- o Updated cluster-glue (security/bugfix/feature) - Rename libraries in accordance to the packaging guidelines to solve a conflict in SLE with building resource-agents on 15 SP5 (bsc#1203744) - Use the project upstream name for the -devel subpackage (rename libglue-devel to cluster-glue-devel). - Rename libglue2 to cluster-glue-libs following packages like xrootd-libs et al so it does not get picked on by rpmlint [boo#1191752]. - Remove baselibs.conf as downstream packages (booth, pacemaker, et al) don't use it.
- [SLPP] cluster-glue: E: shlib-policy-name-error (bsc#1191752) Add addFilter("shlib-policy-name-error") in cluster-glue.rpmlintrc - Update to version 1.0.12+v1.git.1650454062.1fbde71c: * bugfix for comment in external/ec2 (bsc#1197681) * Update external/ec2 to support IMDSv2 (jsc#SLE-23490,jsc#SLE-23491, jsc#SLE-23492, jsc#SLE-23494) * ec2: add the action parameter to the getinfo_xml function * drac3_command: check for truncated url * wti_mpc: fix metadata mib-version description * net-snmp "remote_port" is unused and deprecated since decades * fix for spurious compiler warning -Werror=stringop-overflow= * ipmilan_test: fix for -Werror=uninitialized * fix for -Werror=sizeof-pointer-memaccess * spec: drop /man1/ from file list, no longer used - Merge: * 0001-Update-external-ec2-to-support-IMDSv2.patch * 0002-bugfix-for-comment-in-external-ec2.patch - Requesting cluster-glue bugfix (bsc#1197681) * Add upstream patch: 0002-bugfix-for-comment-in-external-ec2.patch - (jsc#SLE-23490) (jsc#SLE-23491) (jsc#SLE-23492) (jsc#SLE-23494) IMDSv2 support in ec2 stonith agent * add upstream patch: 0001-Update-external-ec2-to-support-IMDSv2.patch - hb_report.in: Add a warning for hb_report command is deprecated, guide user to use "crm report" directly (jsc#SLE-22499) - Update to version 1.0.12+v1.git.1622055853.1753f5e0: * ec2: add the action parameter to the getinfo_xml function * drac3_command: check for truncated url * wti_mpc: fix metadata mib-version description * net-snmp "remote_port" is unused and deprecated since decades * fix for spurious compiler warning -Werror=stringop-overflow= * ipmilan_test: fix for -Werror=uninitialized * fix for -Werror=sizeof-pointer-memaccess * spec: drop /man1/ from file list, no longer used * use git describe to generate ./.tarball-version * fix config.status: QUIET_MAKE_OPTS: command not found * automake: use AM_CPPFLAGS; INCLUDES was deprecated years ago * reflect python3 in configure.ac and shebangs * Fix Werror: format-overflow, 
format-truncation, stringop-truncation * Stop using glib2 "deprecated symbols" * Fix typo: bounary -> boundary * Current Pacemaker does not use ha_logd * Use pkgconfig to configure libxml-2.0 xml2-config to be removed from Debian packaging * Move ha_logger manpage to section 8 Fixes lintian warning for /usr/sbin binaries. * Adjust file paths for Debian Fix --with-rundir option for configure * Fix interpreter for perl scripts Policy 10.4 states that Perl scripts must use /usr/bin/perl directly and not via /usr/bin/env * Fix FTBFS with openipmi 2.0.25 selector_t deprecated in new openipmi version * Add manpage to systemd service documentation * Fix spelling errors reported by lintian * Convert scripts to python3 * Fix cl_times on x32 * Fix build on hurd #650820 * Fix build on FreeBSD #650820 * Remove .hgsigs from source * Remove .hgignore from source * Remove .hgtags from source * Fix spelling of output and improve grammar * libtoolize_check - Remove applied patch: 0001-Port-scripts-to-Python-3.patch - Enhance BuildRequires: asciidoc is required to build man pages. 
----------------------------------------------------------------------------- o Updated cni-plugins (security/bugfix/feature) - Update to version 1.1.1: * ipam/dhcp: Fix client id in renew/release * call ipam.ExceDel after clean up device in netns fix #666 * portmap: fix checkPorts result when chain does not exist * portmap: fix bug that new udp connection deletes all existing conntrack entries * Enhanced dad set to 1 * Add boolean to enable/disable dad * Disable DAD for container side veth * firewall: support ingressPolicy=(open|same-bridge) for isolating bridges as in Docker * Fix host-device gofmt * host-device: Bring interfaces up after moving into container * pkg/ns: use file system magic numbers from golang.org/x/sys/unix * gofmt * go mod tidy * build: bump to go 1.17 * Remove arp notify setting per comment * plugins: replace arping package with arp_notify * fix #685 * Ran go fmt so tests would pass * Fixed DHCP problem that broke when fast retry was added. * dhcp ipam: adjust retry mechanism * add ipam tests for dpdk device * add ipam support for dpdk device * ipvlan: Send Gratuitous ARP after IPs are set * dhcp ipam: fix client id * dhcp ipam: rename inconsistent options among files * dhcp ipam: add more options capable for sending * dhcp ipam: add fast retry * dhcp ipam: support customizing dhcp options * dhcp ipam: truncate client id to 254 bytes * dhcp ipam: print error correctly without format string * dhcp ipam: using full config to regular the code * Allow setting sysctls on a particular interface * dhcp: remove implemented TODO * Don't redundantly filepath.Clean the output of filepath.Join * Use crypto/rand.Read, not crypto.Reader.Read * bridge: Add macspoofchk support * plugins: fix bug where support for CNI version 0.4.0 or 1.0.0 was dropped * vendor: bump to libcni v1.0.1 * static ipam: do not parse the CIDR twice * static ipam: improve error msgs when provisioning invalid CIDR * bump go to 1.16, other misc fixes * vendor: bump all direct 
dependencies * vendor: bump to libcni v1.0 * docs: Update the CI badge from Travis CI to GitHub Actions * bridge: Fix typo in error message for promiscuous mode * ip: place veth peer in host namespace directly * bridge: Add mac field to specify container iface mac * static ipam: decide wrong cidr error msg * static ipam: stop wrapping net.ParseCIDR errors * static ipam: show confusing error msg * utils, hwaddr: Remove unused package * ip, link_linux: Remove unused SetHWAddrByIP function * plugins: remove flannel * refactor(win-bridge): netconf * refactor(win-bridge): hcn api processing * refactor(win-bridge): hns api processing * chore(win-bridge): location related * chore(win-bridge): text related * Remove Bryan Boreham as maintainer * host-local: support ip/prefix in env args and CNI args * [sbr]: Use different tableID for every ipCfg Check tableID not in use for every ipCfg * Small typo improves in README.md * Allow multiple routes to be added for the same prefix. Enables ECMP * Update to latest vendor/github.com/vishvananda/netlink * tuning: always update MAC in CNI result * vendor: bump to libcni v1.0-rc1 * tuning: Add support of altering the allmulticast flag * [sbr]: Use different tableID for every ipCfg Move default table routes which match the ipCfg config * Fix nil-pointer check * host-local: support custom IPs allocation through runtime configuration * pkg/ip: introduce a new type `IP` to support formatted [/] * go.mod: github.com/j-keck/arping v1.0.1 * go.mod: github.com/buger/jsonparser v1.1.1 * go.mod: github.com/alexflint/go-filemutex v1.1.0 * go.mod github.com/Microsoft/hcsshim v0.8.16 * go.mod: godbus/dbus/v5 v5.0.3, coreos/go-systemd v22.2.0 * go.mod: github.com/mattn/go-shellwords v1.0.11 * go.mod: github.com/sirupsen/logrus v1.8.1 * CI: Install linux-modules-extra for VRF module * Fix broken links to online docs in plugin READMEs * gha: update actions/setup-go@v2 * remove redundant startRange in RangeIter due to overlap check on multi ranges *
fix(win-bridge): panic while calling HNS api * portmap: use slashes in sysctl template to support interface names which separated by dots * pkg/ipam: use slash as sysctl separator so interface name can have dot * [macvlan] Stop setting proxy-arp on macvlan interface * tuning: increase test coverage to 1.0.0 and older spec versions * portmap: increase test coverage to 1.0.0 and older spec versions * flannel: increase test coverage to 1.0.0 and older spec versions * firewall: increase test coverage to 1.0.0 and older spec versions * bandwidth: increase test coverage to 1.0.0 and older spec versions * host-local: increase test coverage to 1.0.0 and older spec versions * static: increase test coverage to 1.0.0 and older spec versions * dhcp: increase test coverage to 1.0.0 and older spec versions * dhcp: add -resendmax option to limit lease acquisition time for testcases * vlan: increase test coverage to 1.0.0 and older spec versions * ptp: increase test coverage to 1.0.0 and older spec versions * macvlan: increase test coverage to 1.0.0 and older spec versions * loopback: increase test coverage to 1.0.0 and older spec versions * ipvlan: increase test coverage to 1.0.0 and older spec versions * host-device: increase test coverage to 1.0.0 and older spec versions * bridge: increase test coverage to 1.0.0 and older spec versions * bridge: simplify version-based testcase code * testutils: add test utilities for spec version features * plugins: update to spec version 1.0.0 * vendor: bump CNI to 1.0.0-pre @ 62e54113 (fixes bsc#1181961 aka CVE-2021-20206) - Drop %go_nostrip - Update to version 0.9.1: * ipam/dhcp: Add broadcast flag * add flannel to support dual stack ip * bandwidth: fix panic in tests * host-device: Add support for DPDK device * [main/vlan] Fix error handling for delegate IPAM plugin * dhcp: default dhcp client timeout is 10s * vlan: fix error message text by removing ptp references * dhcp: daemon dhcp client timeout is configurable * dhcp: timeout value is
set in DHCP daemon * remove unused function * deps: go mod tidy coreos/go-iptables * deps: bump coreos/go-iptables - Update to version 0.9.0: * tuning: revert values on delete (#540) * go mod tidy * bump to go 1.15 * Add ability to trigger retests via comments * pkg/ns: fix test case to tolerate pids going away. * Add github build & test actions * bridge: fix testcase to check addresses we care about * Remove travis. * vendor: bump ginkgo, gover * portmap plugin should flush previous udp connections * Updating plugin README.md files (#549) * update netlink dependencies * Xdhcp: fix example configuration * VRF: extend supported version to 0.3.1 too. * VRF CNI: Add an optional table parameter. * Add more tests for the vrf cni plugin. * Update github.com/vishvananda/netlink to v1.1.0 * Introduce a new VRF CNI meta plugin. * Travis: run tests on arm64 * Replace nc with the local echo client. * Add an echo client to be used instead of nc. * Bump up the ubuntu version used in CI to bionic. * flannel: allow input ipam parameters as basis for delegate * ipvlan: make master config as optional * Remove extraneous test file in Windows plugin - Update to version 0.8.7: * Fix race condition in GetCurrentNS * lo: CNI_IFNAME is no longer ignored * cni: bump to 0.8.0 * Bump Go version to 1.13 and 1.14 * Add contact info * Update firewall README.md CNI-ADMIN * firewall: fix some typos in docs * portmap DEL noop if no portMappings present * flannel: remove net conf file after DEL succeed ----------------------------------------------------------------------------- o Updated cni (security/bugfix/feature) - Update to version 1.1.2: * spec: fix format * libcni: handle empty version when parsing version * [exec-plugins]: support plugin lists This is a minor update to the CNI libraries and tooling. 
This does not bump the protocol / spec version, which remains at v1.0.0 - Update to version v1.0.1: * Rewritten spec + non-List configurations are removed + the version field in the interfaces array was redundant and is removed * libcni improvements - Employ RPM macros.go where feasible - Use vendor tarball - Remove ./build.sh - Update to version 0.8.1: * This is a security release that fixes a single bug: bsc#1181961 aka CVE-2021-20206 - Tighten up plugin-finding logic (#811). - use buildmode=pie (cnitool is installed into sbindir) - Set GO111MODULE=auto to build with go1.16+ * Default changed to GO111MODULE=on in go1.16 * Set temporarily until using upstream release with go.mod * Drop BuildRequires: golang-packaging not currently using macros * Add BuildRequires: golang(API) >= 1.13 recommended dependency expression - Update to version 0.8.0: * Specification and Conventions changes + docs: add ips and mac to well-known capabilities + add interface name validation + Add GUID to well known Capabilities + Add DeviceID attribute to RuntimeConfig + Typo fixes for infiniband GUID + Fix linting issues in docs, add headers to json example, update errors into table * Documentation changes + Update cnitool docs + Remove extra ',' chars which makes conflist examples invalid. * libcni changes + Remove Result.String method + libcni: add config caching [v2] + clean up : fix staticcheck warnings + libcni: add InitCNIConfigWithCacheDir() and deprecate RuntimeConfig.CacheDir + skel: clean up errors in skel and add some well-known error codes + libcni: find plugin in exec + validate containerID and networkName + skel: remove needless functions and types + libcni: also cache IfName + libcni: fix cache file 'result' key name + Bump Go version to 1.13 + When CNI version isn't supplied in config, use default. 
+ intercept netplugin std error + invoke: capture and return stderr if plugin exits unexpectedly + Retry exec commands on text file busy ----------------------------------------------------------------------------- o Updated colord (security/bugfix/feature) - Add colord-CVE-2021-42523.patch: fix a small memory leak in sqlite3_exec (boo#1202802 CVE-2021-42523). ----------------------------------------------------------------------------- o Updated conman (security/bugfix/feature) [x86_64,aarch64] - update to version 0.3.1: * Fixed username/password use in libipmiconsole.conf. (e59f5e4) * Added more console logfile conversion specifiers. (96ede96, 5a189f6) * Added conmen '-T' cmdline opt to specify terminal emulator. (a11c6f4) * Added rpm source file verification. (f86c123) * Revamped autotools config. (547db3c) * Added configure opts for systemd/sysvinit. (3e303e6) * Added configure runstatedir support. (bb415e0) * Fixed installation directory variable substitution. (7642609) * Removed autotools-generated files from version control. 
(44168a4) * general move of files from /usr/lib/conman to /usr/share/conman ----------------------------------------------------------------------------- o Updated conmon (security/bugfix/feature) - Update to version 2.1.5: * don't leak syslog_identifier * logging: do not read more than the buf size * logging: fix error handling * Makefile: Fix install for FreeBSD * signal: Track changes to get_signal_descriptor in the FreeBSD version * Packit: initial enablement - Update to version 2.1.4: * Fix a bug where conmon crashed when it got a SIGCHLD - Add patch to fix build with make >= 4.4: * 0001-Fix-tools-Makefile-with-GNU-make-4.4.patch - update to 2.1.3: * Port conmon to FreeBSD * Stop using g_unix_signal_add() to avoid threads * Rename CLI option log-size-global-max to log-global-size-max - Update to version 2.1.2: * add log-global-size-max option to limit the total output conmon processes (CVE-2022-1708 boo#1200285) * journald: print tag and name if both are specified * drop some logs to debug level - Update to version 2.1.0 * logging: buffer partial messages to journald * exit: close all fds >= 3 * fix: cgroup: Free memory_cgroup_file_path if open fails. Call g_free instead of free. - Update to version 2.0.32 * Fix: Avoid mainfd_std{in,out} sharing the same file descriptor. * exit_command: Fix: unset subreaper attribute before running exit command - Update to version 2.0.31 * logging: new mode -l passthrough * ctr_logs: use container name or ID as SYSLOG_IDENTIFIER for journald * conmon: Fix: free userdata files before exec cleanup ----------------------------------------------------------------------------- o Updated containerd (security/bugfix/feature) - Update to containerd v1.6.12 to fix CVE-2022-23471 bsc#1206235. Upstream release notes: - Update to containerd v1.6.11. Upstream release notes: - Update to containerd v1.6.9 for Docker v20.10.21-ce. Also includes a fix for CVE-2022-27191.
boo#1206065 bsc#1197284 Upstream release notes: - add devel subpackage, which is needed by open-vm-tools - Update to containerd v1.6.6 to fix CVE-2022-31030 and meet the requirements of Docker v20.10.17-ce. bsc#1200145 - Remove upstreamed patches: - bsc1200145-Limit-the-response-size-of-ExecSync.patch [ This patch was only released in SLES and Leap. ] - Backport patch to fix GHSA-5ffw-gxpp-mxpf CVE-2022-31030. bsc#1200145 + bsc1200145-Limit-the-response-size-of-ExecSync.patch - Update to containerd v1.5.12. Upstream release notes: - Update to containerd v1.5.11 to fix CVE-2022-24769. bsc#1197517 - Update to containerd v1.4.13 to fix CVE-2022-23648. bsc#1196441 - Remove upstreamed patch: - CVE-2022-23648.patch [ This patch was only released in SLES and Leap. ] ----------------------------------------------------------------------------- o Updated containerized-data-importer (security/bugfix/feature) [x86_64] - Ensure RPMs and containers are built against the same distro - Be more strict when discovering the registry path: error out if the distro is unknown, instead of falling through to 'opensuse' by default - Build tools/cdi-containerimage-server with CGO_ENABLED=0 - Update to version 1.55.0 Release notes https://github.com/kubevirt/containerized-data-importer/releases/tag/v1.55.0 - Drop upstreamed patches: 0001-Update-go-restful-to-2.16.0.patch - Include additional tools used by cdi-importer: cdi-containerimage-server cdi-image-size-detection cdi-source-update-poller - Update SP5 kubevirt registry path (bsc#1204140) - Update to version 1.51.0 Release notes https://github.com/kubevirt/containerized-data-importer/releases/tag/v1.51.0 - Fix CVE-2022-1996 go-restful: CORS bypass (bsc#1200528) 0001-Update-go-restful-to-2.16.0.patch - Include additional tools used by cdi-importer: cdi-containerimage-server cdi-image-size-detection cdi-source-update-poller - Pack only cdi-operator and cdi-cr release manifests 
----------------------------------------------------------------------------- o Updated container-suseconnect (security/bugfix/feature) - update to 2.4.0 (jsc#PED-1710): * Fix docker build example for non-SLE hosts * Minor fixes to --help and README * Improve documentation when building with podman on non-SLE host * Add flag --log-credentials-errors * Add GitHub actions * Remove vendor/ dir * Cleanup tests * Update capture to the 1.0.0 release * Bump cli to 2.34.4 * Update cli to 2.23.5 * Add dependabot * Use URL.Redacted() to avoid security scanner warning * Regcode fix - strip binaries (removes 4MB/25% of the uncompressed size) (bsc#1186827) ----------------------------------------------------------------------------- o Updated corosync (security/bugfix/feature) Deleted: bsc#1189680-cancel_hold_on_retransmit-option.patch bsc#1192467_dont-block-local-socket-pair.patch bug-1163460-totemip-Add-support-for-sin6_scope_id.patch bug-1166899-quorumtool-Fix-exit-status-codes.patch - Update to version 2.4.6: * totemsrp: More informative messages * icmap: fix the icmap_get_*_r functions * stats: Add basic schedule-miss stats to needle * icmap: icmap_init_r() leaks if trie_create() fails * test: Fix cpgtest * pkgconfig: Add libqb dependency * man: votequorum.5: use proper single quotes * cpg: Change downlist log level * totem: Increase ring_id seq after load * totempg: Check sanity (length) of received message * totemsrp: Reduce MTU to left room second mcast * qnetd: Rename qnetd-log.c to log.c * qnetd: Fix double -d description * qnetd: Check log initialization error * qnetd: Add function to set log target * qdevice: Use log instead of libqb log * qdevice: Import log instead of qdevice-log * qdevice: Merge msg_decode_error functions * qnetd: Use log-common for nodelist debug dump * qdevice: Configurable log priority bump * tests: Add utils_parse_bool_str test * qdevice: Free memory used by log * qdevice: Add log test * qdevice: Add header files to list of test sources * 
qdevice: Add chk variant of vsyslog to test-log * qdevice: Add prototype of __vsyslog_chk * votequorum: Ignore the icmap_get_* return value * logconfig: Remove double free of value * cmap: Assert copied string length * sync: Assert sync_callbacks.name length * votequorum: Assert copied strings length * cpghum: Remove unused time variables and functions * cfgtool: Remove unused callbacks * cmapctl: Free bin_value on error * quorumtool: Assert copied string length * votequorum: Reflect runtime change of 2Node to WFA * main: Add schedmiss timestamp into message * votequorum: Change check of expected_votes * quorumtool: Fix exit status codes * quorumtool: exit on invalid expected votes * votequorum: set wfa status only on startup * Revert "totemip: Add support for sin6_scope_id" * Revert "totemip: compare sin6_scope_id and interface_num" * main: Make schedmiss in cmap and log equal * totemip: Add support for sin6_scope_id * qnetd: Do not call ffsplit_do on shutdown * qdevice: Fix connect heuristics result callback * qdevice: Fix connect heuristics result callback * qdevice: Log adds newline automatically * qnetd: Fix dpd timer * qnetd: Add support for keep active partition vote * common_lib: Remove trailing spaces in cs_strerror * totemsrp: Move token received callback * tests: Use CS_DISPATCH_BLOCKING instead of cycle * qnetd: Fix NULL dereference of client * qnetd: Simplify KAP Tie-breaker logic * totem: Add cancel_hold_on_retransmit config option * logsys: Unlock config mutex on error * totemsrp: Switch totempg buffers at the right time * totemudpu: Don't block local socketpair * configure.ac: fix pkgconfig issue of rdma * totemip: Add support for sin6_scope_id * totemip: compare sin6_scope_id and interface_num * qdevice: Change log level to NOTICE on PASS * cfgtool: output error messages to stderr * tools: use util_strtonum for options checking * cmapctl: return EXIT_FAILURE on failure * quorumtool: Help shouldn't require running service * quorumtool: strict check 
for -o option * cmapctl: check NULL for key type and value for -p * man: adjust description about interface section * qnetd: sort by node_id when add new client * man: replace votequorum_poll for actually used fn ----------------------------------------------------------------------------- o Updated cosign (security/bugfix/feature) - updated to 1.12.0 (jsc#SLE-23879) - CVE-2022-36056: Fixed verify-blob could successfully verify an artifact when verification should have failed (bsc#1203430) - Support non-ECDSA key types for verify-blob by @haydentherapper in #2203 - feat: integrate Alibaba Cloud Container Registry cred helper by @mozillazg in #2008 - remove double quotes, looks like it is passing as a single string to cosign and not as an array by @cpanato in #2205 - Clarify error when KMS provider fails to load by @znewman01 in #2220 - feat: set annotations to generate additional bash completion information by @dirien in #2221 - Add deprecation warning for sget CLI and packages by @imjasonh in #2019 - upgrade setup-ko to point to new repo by @imjasonh in #2225 - Temp fix for e2e test by @haydentherapper in #2247 - update kind to use release v0.15.0 and some version comments by @cpanato in #2246 - Fix e2e test failure, add test for local bundle without rekor bundle by @haydentherapper in #2248 - fix: fix secret test, non-experimental bundle should pass by @asraa in #2249 - updated to 1.11.1 - add stale workflow using the workflow template by @cpanato in #2175 - Update Scorecard action to v2:alpha by @azeemshaikh38 in #2177 - add release cadence section in the readme by @cpanato in #2179 - feat: Rework fig autocomplete command by @dirien in #2187 - fix: fix typo that caused attestation verification failure by @asraa in #2199 - updated to 1.11.0 - Verify the certificate chain against the Fulcio root trust by default by @wata727 in #2139 - Add notes to clarify registry use. by @bendory in #2145 - Use TUF from scaffolding for validating cosign. 
by @vaikas in #2146 - docs: clarify wording in spec about usage of certificate chain by @asraa in #2152 - fix: fix blob verification output with sharded rekor tlogs by @asraa in #2157 - fix: adds envelope hash to in-toto entries in tlog entry creation by @nkreiger in #2118 - fix handling of verify-attestation types for URIs by @otms61 in #2159 - fix oidc post-merge job by @cpanato in #2164 - Remove third_party by @imjasonh in #2166 - use updated device flow logic with PKCE by @bobcallaway in #2163 - fix: rekor get tlog entry with uuid by @asraa in #2058 - update e2e job to run only when push to main by @cpanato in #2169 - fix: add env cmd to root by @developer-guy in #2171 - fix panic when os.Stat returns an error besides ErrNotExists by @dsa0x in #2162 - updated to 1.10.1 (jsc#SLE-23879) - CVE-2022-35929: Fixed that cosign verify-attestation --type can report a false positive if any attestation exists (GHSA-vjxv-45g9-9296) (bsc#1202157) - What else changed: - add flag to allow skipping upload to transparency log by @k4leung4 in #2089 - Improve error message when no sigs/atts are found for an image by @imjasonh in #2101 - Change Result in Vulnerability Attestation to interface{} by @knqyf263 in #2096 - Fix field names in the vulnerability attestation by @otms61 in #2099 - remove style jobs and cleanup makefile gofmt and goimports are running already with golangci-lint by @cpanato in #2105 - Enable Scorecard badge by @azeemshaikh38 in #2109 - Resolves #522 set Created date to time of execution by @Lerentis in #2108 - Introduce a custom error type to classify errors.
by @mattmoor in #2114 - feat: attach: attestation: allow passing multiple payloads by @Dentrax in #2085 - update cross-builder to go1.18.5 and cosign image to 1.10.0 by @cpanato in #2119 - chore: fix documentation and warning on using untrusted rekor key by @asraa in #2124 - Correct the type used for attest by @mattmoor in #2128 - updated to 1.10.0 - replace gcr.io/distroless/ to use ghcr.io/distroless/ by @cpanato in #1961 - Separate RegExp matching of issuer/subject from strict by @vaikas in #1956 - tuf: improve TUF client concurrency and caching by @asraa in #1953 - Add Cloudsmith Container Registry to tested registry list by @ciaracarey in #1966 - feat(fulcioroots): singleton error pattern by @developer-guy in #1965 - Drop tuf client dependency on GCS client library by @imjasonh in #1967 - Add spdxjson predicate type for attestations by @jdolitsky in #1974 - Remove policy-controller now that it lives in sigstore/policy-controller by @vaikas in #1976 - cleanup: unexport kubernetes.Client method by @imjasonh in #1973 - cleanup ci job and remove policy-controller references by @cpanato in #1981 - fix/update post build job by @cpanato in #1983 - docs: updated Azure kms commands. 
by @JBrejnholt in #1972 - Add cyclonedx predicate type for attestations by @jdolitsky in #1977 - Route deprecated -version to version subcommand by @puerco in #1854 - docs(readme): add installation steps for container image for cosign binary by @developer-guy in #1986 - Add --platform flag to cosign sbom download by @puerco in #1975 - Use pkg/fulcioroots and pkg/tuf from sigstore/sigstore by @imjasonh in #1866 - Add --oidc-provider flag to specify which provider to use for ambient credentials by @priyawadhwa in #1998 - encrypt values to create the github action secret by @cpanato in #1990 - sign-blob: bundle should work independently and respect --output-certificate and --output-signature by @Dentrax in #2016 - Attempt to clean up pkg/cosign by @imjasonh in #2018 - public-key: fix command description by @Dentrax in #2024 - [NFC] specs: fix list formatting on SIGNATURE_SPEC by @woodruffw in #2030 - feat: cert-extensions verify by @developer-guy in #1626 - Fix #1378 create new attestation signature in replace mode if not existent by @Syquel in #2014 - Use cosign.ConfirmPrompt more consistently by @imjasonh in #2039 - chore: add a note about SIGSTORE_REKOR_PUBLIC_KEY var by @hectorj2f in #2040 - Fix OIDC test by @cpanato in #2050 - Add env subcommand. by @wlynch in #2051 - remove tests with 1.21 k8s cluster because it is deprecated and add v1.23/24 by @cpanato in #2055 - update ct/otel and etcd by @cpanato in #2054 - chore(deps): CycloneDX PredicateType changed to use in-toto-golang by @masahiro331 in #2067 - Remove replace directives in go.mod. 
by @wlynch in #2070 - update design doc link by @bobcallaway in #2077 - Remove hack/tools.go by @imjasonh in #2080 - fix missing quote by @cpanato in #2090 - removed cosigned and webhook - updated to 1.9.0 - Check failure message of policy that fails with issuer mismatch by @vaikas in #1815 - [Cosigned] Add signature pull secrets by @DennyHoang in #1805 - feat: add rego policy support by @hectorj2f in #1817 - Refactor fulcio signer to take in KeyOpts (take 2) by @wlynch in #1818 - cosigned: Test unsupported KMS providers by @imjasonh in #1820 - chore(deps): Included dependency review by @naveensrinivasan in #1792 - Add auth flow option to KeyOpts. by @wlynch in #1827 - Document Staging instance usage with Keyless by @k4leung4 in #1824 - New flag --oidc-providers-disable to disable OIDC providers by @puerco in #1832 - Validate tlog entry when verifying signature via public key. by @wlynch in #1833 - Add function to explicitly request a certain provider by @priyawadhwa in #1837 - cosigned: Fix podAntiAffinity labels by @elfotografo007 in #1841 - remove exclude from go.mod by @cpanato in #1846 - [Cosigned] Glob matching improvement by @DennyHoang in #1842 - sget: Enable KMS providers for sget by @imjasonh in #1852 - Fix piv-tool generate-key command in TOKENS doc by @nealmcb in #1850 - Add IBM Cloud Container Registry to tested registry list by @bainsy88 in #1856 - If SBOM ref has .json suffix, assume JSON mediatype by @jdolitsky in #1859 - Add rekor.0.pub TUF target to unit tests by @priyawadhwa in #1860 - Normalize certificate flag names by @haydentherapper in #1868 - Check certificate policy flags with only a certificate by @haydentherapper in #1869 - Update go to 1.17.10 / cosign image to 1.18.0 and actions setup go by @cpanato in #1861 - Point git commit FUN.md to gitsign!
by @wlynch in #1874 - [cosigned] remove regex from the image pattern fields by @hectorj2f in #1873 - go.mod: format go.mod by @zchee in #1879 - Remove dependency on deprecated github.com/pkg/errors by @zchee in #1887 - tree: only report artifacts that are present by @ribbybibby in #1872 - update README with ebpf modules by @EItanya in #1888 - Update github.com/google/go-containerregistry/pkg/authn/k8schain module to f1b065c6cb3d by @vpnachev in #1889 - v1beta1 API for cosigned by @vaikas in #1890 - tree: support --attachment-tag-prefix by @ribbybibby in #1900 - [cosigned] Remove undefined apiGroups from policy clusterrole by @vpnachev in #1896 - GHSA-66x3-6cw3-v5gj: Update go-tuf to v0.3.0 by @janisz in #1894 - The timeout arg in golangci-lint has been moved to the generic args p… by @dlorenc in #1901 - [cosigned] Rename cosigned references to policy-controller by @hectorj2f in #1893 - Move deprecated dependency: google/trillian/merkle to transparency-dev by @cpanato in #1910 - Add support for "**" in image glob matching by @imjasonh in #1914 - Add privacy statement for PII storage by @haydentherapper in #1909 - Do not push to public rekor. 
by @vaikas in #1931 - fix: fix fetching updated targets from TUF root by @asraa in #1921 - fix: fix #1930 for AWS KMS formats by @vaikas in #1946 - update cross-builder image to use go1.17.11 by @cpanato in #1950 - remove deprecation from goreleaser, go-fish is not supported anymore by @cpanato in #1952 - add changelog for v1.9.0 by @cpanato in #1955 - add parallelism for goreleaser by @cpanato in #1957 - updated to 1.8.0 - Move the KMS integration imports into the binary entrypoints by @mattmoor in #1744 - [Cosigned] Convert functions for webhookCIP from v1alpha1 by @DennyHoang in #1736 - Refactor policy related code, add support for vuln verify by @vaikas in #1747 - Use bundle log ID to find verification key by @haydentherapper in #1748 - [cosigned] The webhook name is now configurable via --webhook-name flag by @vpnachev in #1726 - Add intermediate CA certificate pool for Fulcio by @haydentherapper in #1749 - test: create fake TUF test root and create test SETs for verification by @asraa in #1750 - Implement identities, fix bug in webhook validation. by @vaikas in #1759 - Validate issuer/subject regexp in validate webhook. by @vaikas in #1761 - chore: add warning when attaching sBOMs by @hectorj2f in #1756 - Verify embedded SCTs by @haydentherapper in #1731 - chore: add warning when downloading a sBOM by @hectorj2f in #1763 - [policy-webhook] The webhooks name is now configurable via --(validating|mutating)-webhook-name flags by @vpnachev in #1757 - Break the CIP action tests into a sh script. by @vaikas in #1767 - tuf: add debug info if tuf update fails by @asraa in #1766 - cosigned: add support for rsa keys by @hectorj2f in #1768 - Cosigned validate against remote sig src by @DennyHoang in #1754 - Add Fulcio intermediate CA certificate to intermediate pool by @haydentherapper in #1774 - fix: more informative error by @ybelMekk in #1778 - Run update-codegen. by @wlynch in #1789 - Remove the dependency on v1alpha1.Identity which brings in unnecessary k8s deps. 
by @vaikas in #1790 - Refactor fulcio signer to take in KeyOpts. by @wlynch in #1788 - test: add cue unit tests by @hectorj2f in #1791 - Attestations + policy in cip. by @vaikas in #1772 - chore: add rego function to consume modules and evaluate them by @hectorj2f in #1787 - Add parallelization for processing policies / authorities. by @vaikas in #1795 - Allow passing keys via environment variables (env:// refs) by @znewman01 in #1794 - Handle context cancelled properly + tests. by @vaikas in #1796 - Fix a bug where an error would send duplicate results. by @vaikas in #1797 - Revert "Refactor fulcio signer to take in KeyOpts. (#1788)" by @wlynch in #1798 - cosigned: Unify cue data and policy before evaluating it by @hectorj2f in #1793 - Don't fail open in VerifyBundle by @mtrmac in #1648 - Load in intermediate cert pool from TUF by @haydentherapper in #1804 - Support PKCS1 encoded and non-ECDSA CT log public keys by @haydentherapper in #1806 - updated to 1.7.2 - [Cosigned] Fix publicKey unmarshal by @DennyHoang in #1719 - fix: add permissions to patch events by @hectorj2f in #1722 - Make public all types required to use ValidatePolicy by @jdolitsky in #1727 - Add unit tests for IntotoAttestation verifier. 
by @vaikas in #1728 - Remove newline from download sbom output by @ribbybibby in #1732 - Fix packages name and binary in the packages by @cpanato in #1734 - Fix fulcioroots test and linter error by @haydentherapper in #1741 - Support non-ECDSA public keys in certificates by @haydentherapper in #1740 - bug: remove old fulcio root and fix fallback target code by @asraa in #1738 - updated to 1.7.1 - pkcs11: fix build instructions by @rgerganov in #1550 - add definition for artifact hub to verify the ownership by @cpanato in #1563 - Add example using AWS Key Management Service (KMS) by @davivcgarcia in #1564 - Start of the necessary pieces to get #1418 and #1419 implemented by @vaikas in #1562 - Support deletion of ClusterImagePolicy by @vaikas in #1580 - 1417 policy validations by @kkavitha in #1548 - Don't lowercase input image refs, just fail by @imjasonh in #1586 - Fix #1583 #1582. Disallow regex now until implemented. by @vaikas in #1584 - Fix piping 'cosign verify' using fulcio/rekor by @marcofranssen in #1590 - Fix #1592 move authorities as siblings of images. by @vaikas in #1593 - Add ability to inline secrets from SecretRef to configmap. by @vaikas in #1595 - Fix copy/paste mistake in repo name. by @k4leung4 in #1600 - Use reusable release workflow in sigstore/sigstore by @k4leung4 in #1599 - Add public key validation by @kkavitha in #1598 - Validate a public key in a secret is valid. by @vaikas in #1602 - Ensure entry is removed from CM on secret error. by @vaikas in #1605 - Add two env variables. One for using Rekor public key from OOB and one for fetching it from Rekor server by @vaikas in #1610 - Init entity from ociremote when signing a digest ref by @puerco in #1616 - rename ca-key to ca-cert.
Fix 1608, 1613 by @vaikas in #1617 - improve cosigned validation error messages by @cpanato in #1618 - Use latest knative/pkg's configmap informer by @tcnghia in #1615 - Included OpenSSF Best Practices Badge by @naveensrinivasan in #1628 - FUN.md broke when RecordObj changed to HashedRecordObj by @MitchellJThomas in #1633 - update crane to v0.8.0 release by @cpanato in #1635 - push latest tag when building a release by @cpanato in #1636 - Add extra label and change the latest tag to unstable for non tagged releases by @cpanato in #1637 - Document Elastic container registry support by @mgreau in #1641 - Validate authority keys by @coyote240 in #1623 - feat: tree command utility by @developer-guy in #1603 - fix build date format for version command by @cpanato in #1644 - Add support for intermediate certificates when verifying by @haydentherapper in #1631 - Prompt user before running cosign clean by @priyawadhwa in #1649 - Use ClusterImagePolicy with Keyless + e2e tests for CIP with kind by @vaikas in #1650 - KEYLESS.md: Shorten example OAuth URL by @tstromberg in #1661 - Use syscall.Stdin for input handle.
Fixes #1153 by @mdp in #1657 - Add support for certificate chain to verify certificate by @haydentherapper in #1659 - First batch of followups to #1650 by @vaikas in #1664 - Add certificate chain flag for signing by @haydentherapper in #1656 - [attach]: Add specific suffixes mediaTypes to sboms by @hectorj2f in #1663 - update font when output the cosign version by @cpanato in #1668 - feat: add ability to override registry keychain by @noamichael in #1666 - remove replace directive by @cpanato in #1669 - Refactor based on discussions in #1650 by @vaikas in #1674 - Find all valid entries in verify-blob by @priyawadhwa in #1673 - Fix relative paths in Github OIDC blob test by @priyawadhwa in #1677 - Add support for cert and cert chain flags with PKCS11 tokens by @haydentherapper in #1671 - Use cosign @ HEAD for Github OIDC sign blob test by @priyawadhwa in #1678 - Make cosign copy copy metadata attached to child images. by @mattmoor in #1682 - change file_name_template to PackageName by @strongjz in #1683 - Update error message for verify/verify attestation by @haydentherapper in #1686 - cosign clean: Don't log failure if the registry responds with 404 by @imjasonh in #1687 - verify: add leaf hash verification for tlog entries by @asraa in #1688 - Fix handling of policy in verify-attestation by @lcarva in #1672 - Add e2e test for attest / verify-attestation by @vaikas in #1685 - verify: remove extra calls to rekor for verify and verify-blob by @asraa in #1694 - Remove the hardcoded sigstore audience by @mattmoor in #1698 - Use ValidatePubKey from sigstore/sigstore by @haydentherapper in #1676 - Use the github actions from sigstore/scaffolding.
by @vaikas in #1699 - sign: set the oidc redirect uri by @hectorj2f in #1675 - add back the go mod proxy by @cpanato in #1701 - enable 1.23 tests (Test cosigned with ClusterImagePolicy) by @cpanato in #1702 - Fix incorrect unmarshalling of SCT response by @haydentherapper in #1704 - Make CLI flag for OIDC client secret take a path by @znewman01 in #1705 - cosigned: read the public key from the kms authority by @hectorj2f in #1706 - fix latest tag when running a release job by @cpanato in #1707 - [Cosigned] Parse and store publicKey data earlier by @DennyHoang in #1681 - Don't overwrite token set in keyOpts by @puerco in #1709 - refactor release job by @cpanato in #1710 - updated to 1.6.0 - Fix double time import in e2e tests by @saschagrunert in #1388 - Add --timeout support to sign command by @saschagrunert in #1379 - Fix comparison in replace option for attestation by @bburky in #1366 - Add Cosign logo to README by @nsmith5 in #1395 - Minor refactor to verify SCT and Rekor entry with multiple keys by @haydentherapper in #1396 - Fix a link of SECURITY.md by @knqyf263 in #1399 - update cosign and cross-build image for the release job by @cpanato in #1400 - feat: login command by @developer-guy in #1398 - TUF: Add root status output by @asraa in #1404 - Add a newline after password input by @knqyf263 in #1407 - make imageRef lowercase before parsing by @bobcallaway in #1409 - Improve error message when image is not found in registry by @imjasonh in #1410 - Add ability to override the Spiffe socket via environmental variable: by @vaikas in #1421 - Fix incorrect error check when verifying SCT by @haydentherapper in #1422 - Skip the ReadWrite test that flakes on Windows. by @dlorenc in #1415 - Allow PassFunc to be nil by @saschagrunert in #1426 - Update the cosign keyless documentation to point to the GA release.
by @dlorenc in #1427 - Remove TUF timestamp from OCI signature bundle by @haydentherapper in #1428 - Add docs on API stability and deprecation table by @priyawadhwa in #1429 - update cross-build image which adds goimports by @cpanato in #1435 - feat: enhance clean cmd capability by @developer-guy in #1430 - use the upstream kubernetes version lib and ldflags by @n3wscott in #1413 - Improve log lines to match with implementation by @marcofranssen in #1432 - feat: fig autocomplete feature by @developer-guy in #1360 - update cross-build to use go 1.17.7 by @cpanato in #1446 - Fetch verification targets by TUF custom metadata by @haydentherapper in #1423 - feat: add -buildid= to ldflags by @developer-guy in #1451 - Streamline SignBlobCmd API with SignCmd by @saschagrunert in #1454 - convert release cosigned to also generate yaml artifact. by @k4leung4 in #1453 - Fix tkn link in readme by @Yongxuanzhang in #1459 - Print message when verifying with old TUF targets by @haydentherapper in #1468 - fix(sign): refactor unsupported provider log by @Dentrax in #1464 - tests: /bin/bash -> /usr/bin/env bash by @znewman01 in #1470 - Double goreleaser timeout by @znewman01 in #1472 - increase timeout for goreleaser snapshot by @cpanato in #1473 - fix(sign): kms unsupported message by @Dentrax in #1475 - refactor release cloudbuild job by @cpanato in #1476 - Fix wording on attach attestation help by @luhring in #1480 - update go-tuf and simplify TUF client code by @asraa in #1455 - add initial changelog for 1.5.2 by @cpanato in #1483 - Fix linter error on main by @priyawadhwa in #1484 - Update Changelog for Security Advisory by @cpanato in #1485 - chore(makefile): use kocache, convert publish to build by @developer-guy in #1488 - Pick up a change to quiet ECR-login logging.
by @mattmoor in #1491 - feat: support other types in copy cmd by @developer-guy in #1493 - Pick up some of the shared workflows by @mattmoor in #1490 - feat: nominate Dentrax as codeowner by @developer-guy in #1492 - add correct layer media type to cosign attach attestation by @spiffcs in #1503 - This sets up the scaffolding for the cosigned CRD types. by @mattmoor in #1504 - use v6 api calls in GH action for updating release milestones by @bobcallaway in #1511 - Add skeleton reconciler for cosigned API CRD. by @mattmoor in #1513 - bug fix: import ed25519 keys and fix error handling by @asraa in #1518 - optimize codeql speed by using caching and tracing by @bobcallaway in #1519 - Add a dummy.go file to allow vendoring config by @jdolitsky in #1520 - Add CertExtensions func to extract all extensions by @ckotzbauer in #1515 - chore(ci): add artifact hub support by @Dentrax in #1522 - Change Fulcio URL default to be fulcio.sigstore.dev by @haydentherapper in #1529 - Add codecov as github action, set permissions to read content only by @k4leung4 in #1530 - images: remove --bare flags that conflict with --base-import-paths by @cpanato in #1533 - Quay OCI Support in README by @sabre1041 in #1539 - add rpm,deb and apks for cosign packages by @strongjz in #1537 - Consistent parenthesis use in Makefile by @k4leung4 in #1541 - add changelog for 1.6.0 by @cpanato in #1535 - update golang cross image by @cpanato in #1543 - Add fields in policy CRD by @kkavitha in #1540 - Disable for now due some issues when downloading the knative module by @cpanato in #1546 ----------------------------------------------------------------------------- o Updated cpuid (security/bugfix/feature) [x86_64] - Update to release 20221201 * Clarified synth decoding for Intel Xeon D-1700. * Added uarch & synth decoding for AMD 4800S Desktop Kit, based on instlatx64 sample. 
* Added uarch decoding for AMD Genoa A1, based on instlatx64 sample * Added uarch decoding for (0,6),(12,15) Emerald Rapids, from LX*. * Added synth & uarch decoding for (10,15),(10,1) Bergamo. * Added 0x8000000a/edx bits: ROGPT, VNMI, IBS virtualization. * Added 0x8000001b/eax bit: IBS L3 miss filtering support. * Added 0x8000001f/eax bits: RMPQUERY instruction support, VMPL supervisor shadow stack support, VMGEXIT parameter support, virtual TOM MSR support, IBS virtual support for SEV-ES guests, SMT protection support, SVSM communication page MSR support, VIRT_RMPUPDATE & VIRT_PSMASH MSR support. * Added 0x80000020/0/ecx bit: L3 range reservation support. * Added 0x80000021/eax bits: automatic IBRS, CPUID disable for non-privileged. * Added 0x80000022/eax bit: AMD LBR & PMC freezing. * Added 0x80000022/ebx field: number of LBR stack entries. * Added 0x80000023 leaf: Multi-Key Encrypted Memory Capabilities. * Added 0x80000026 leaf: AMD Extended CPU Topology. * cpuid.c: use lseek64 and cpuset_setaffinity, Added 0x80000022/eax AMD LBR V2 flag, from LX*. - Update to release 20221003 * Added synth decoding for AMD Ryzen (Phoenix E0, Storm Peak A1) * Added synth & uarch synth decoding for * (0,6),(11,5) Intel Meteor Lake * (0,6),(11,6) Intel Grand Ridge (Crestmont) * (0,6),(11,14) Intel Granite Rapids * Renamed 7/0/eax enh hardware feedback to just "Thread Director". * Added 7/1/eax instructions. * Added 0x12/0/eax SGX ENCLU EDECCSA flag. * Added 0x23 Architecture Performance Monitoring Extended leaf decoding. * Corrected AVX512IFMA description: integer FMA, not just FMA. - Release 20220927 * Added synth decoding for (10,15),(6,1) Raphael * Fixed title for AMD 0x8000001a leaf: Performance Optimization identifiers. - Update to release 20220812 * Corrected (synth) decoding for (0,6),(8,6) Intel Snow Ridge/Parker Ridge. * Added 8000000a/edx X2AVIC flag * Generalized (0,6),(8,14),9,YP stepping case to include Pentium 4425Y, from instlatx64 sample. 
* Added support for hypervisor+3/ecx (Microsoft) flags. - update to 20220224: * Support for AMD Rembrandt E1 * Add hypervisor+4/eax (Xen) expanded destination id bit * Correction for Alder Lake, Rocket Lake decoding * Multiple detection and decodings updated - update to 20211114: * Many updated and added identified CPU models and variants * Updated hypervisor support ----------------------------------------------------------------------------- o Updated cpupower (security/bugfix/feature) - Update to latest intel-speed-select package version from 1.10 to 1.13 (jsc#PED-2137): 1.13: * Fix build failure when using gcc options -Wl,--as-needed * Fix warning for perf_cap.cpu may be uninitialized * Fix off by one check for MAX_DIE_PER_PACKAGE * Fix issue with use of get_physical_die_id instead of get_physical_die_id * Warn if turbo is disabled and SST turbo-freq feature is requested 1.12: * Allows out of band SST support, where some remote agent changes SST profiles via some Board Management Controller. * HFI support to process config level changes in oob mode 1.11: * Update max performance when BIOS disabled turbo - Update to latest turbostat version 2022.07.28 jsc#PED-1028 Includes: Add ADL-N platform to Turbostat jsc#PED-1027 Add RPL-P platform to Turbostat jsc#PED-1029 Add RPL-S platform to Turbostat jsc#PED-1026 - Explicitly add patch to support Raptorlake-S jsc#PED-2066 A tools-power-turbostat-add-support-for-RPL-S.diff ----------------------------------------------------------------------------- o Updated crash (security/bugfix/feature) - Fix the problem about crash-kmp-rt is being pulled out from sle_module_rt on SP5 after crash SR#289192 and kernels-source SR#288863 [2] are being accepted. - Enable kmp-rt for SLERT15 SP5 - Added crash-trace-2021-02-08.tar.bz2 and modified project to create the crash-trace package. If installed with crash installed the extension can be used for diagnosing kernel trace data. 
- BuildRequire %kernel_module_package_buildreqs (boo#1205149) - Require zlib-devel for crash-devel. - make of crash extensions was failing due to extension shared objects depending on extension source file plus defs.h. defs.h is hardlinked from the crash base source directory before the .so make rule but make reports it doesn't know how to make requirement defs.h. I added a rule for defs.h in the extensions Makefile that creates defs.h the same way as was previously used but satisfies the dependency resolution on demand then the make succeeded. * crash-extensions-rule-for-defs.patch (bsc#1204587) - Update to crash 7.3.1 - Refresh * eppic-switch-to-system-lib.patch - Remove patches present in version upgrade * 0001-Fix-for-kmem-s-S-option-on-Linux-5.7-and-later-kerne.patch * 0002-memory-Add-support-for-SECTION_TAINT_ZONE_DEVICE-fla.patch * 0003-memory-Fix-for-kmem-n-option-to-display-NID-correctl.patch * 0004-defs.h-Fix-the-value-of-TIF_SIGPENDING-macro.patch * 0005-Fix-waitq-command-for-Linux-4.13-and-later-kernels.patch * 0006-Handle-task_struct-state-member-changes-for-kernels-.patch * 0007-arm64-rename-ARM64_PAGE_OFFSET_ACTUAL-to-ARM64_FLIP_.patch * 0008-arm64-assign-page_offset-with-VA_BITS-kernel-configu.patch * 0009-arm64-use-dedicated-bits-to-record-the-VA-space-layo.patch * 0010-arm64-implement-switchable-PTOV-VTOP-for-kernels-5.1.patch * 0011-diskdump-Fail-readmem-early-if-dump-is-incomplete.patch * 0012-netdump-Permit-zero_excluded-for-incomplete-ELF-dump.patch * 0013-diskdump-Print-total-number-of-dumpable-pages.patch * 0014-diskdump-Introduce-read_pd.patch * 0015-x86_64-Fix-check-for-__per_cpu_offset-initialization.patch * 0016-arm64-Get-CPU-registers-from-ELF-notes-even-without-.patch * 0017-ppc64-Add-MMU-type-info-in-machdep-command.patch * 0018-diskdump-Add-support-for-reading-dumpfiles-compresse.patch * 0020-arm64-Use-VA_BITS-for-page_offset-calculation.patch * crash-mod-fix-module-object-file-lookup.patch * crash-xen-pvops.patch - UsrMerge: debug 
info is in /usr/lib/debug/usr/lib/modules (boo#1190434, crash-usrmerge.patch) ----------------------------------------------------------------------------- o Updated crmsh (security/bugfix/feature) - Update to version 4.5.0+20230309.a4c4192d: * Dev: version: Bump crmsh version to 4.5.0 * Fix: report: Fix crm report issue under non-root user * Fix: log: Redirect debug messages into stderr (bsc#1208991) - Update to version 4.4.1+20230302.2b5310b9: * Fix: qdevice: Unable to setup qdevice under non-root user (bsc#1208770) - Update to version 4.4.1+20230224.498677ab: * Dev: upgradeutil: do upgrade silently (bsc#1208327, bsc#1206183) * Fix: bootstrap: `crm cluster join ssh` raises TypeError (bsc#1208327) * Dev: utils: Change the way to get pacemaker's version (bsc#1208216) - Update to version 4.4.1+20230217.7fe11a5c: * Dev: report: Enable crm report for sudoer user * Dev: bootstrap: allow the cluster to operate with ssh session under non-root sudoer (jsc#PED-290) * Dev: utils: Add sudo for the commands in user hints * Fix: hawk fails to parse the slash (bsc#1206217) * Fix: extra logs while configuring passwordless (bsc#1207720) - Update to version 4.4.1+20230117.fb8b3c2b: * Dev: healthcheck: allow using non-root sudoer for remote access (jsc#PED-290) * Dev: bootstrap: implement swapping hacluster's ssh key using non-root sudoer remote access (jsc#PED-290) * Dev: utils: Check current user's privilege and give hints to user (jsc#PED-290) * Feature: replace root by a custom user with root privileges (jsc#PED-290) - Update to version 4.4.1+20221228.326c28fd: * Dev: ui_configure: Deprecate 'crm configure erase' sub-command * Fix: report: Catch read exception (bsc#1206606) * Fix: bootstrap: Unset SBD_DELAY_START when running 'crm cluster start' (bsc#1202177) * Dev: ui_node: Redirect `node delete` to `cluster remove` * Dev: bootstrap: Add option -x to skip csync2 initialization stage during the whole cluster bootstrap * Dev: ui_context: redirect `foo -h`/`foo --help` to `help 
foo` (bsc#1205735) * Fix: qdevice: Adjust SBD_WATCHDOG_TIMEOUT when configuring qdevice not using stage (bsc#1205727) * Fix: cibconfig: Complete promotable=true and interleave=true for Promoted/Unpromoted resource (bsc#1205522) * Fix: corosync: show corosync ring status if has fault (bsc#1205615) - Update to version 4.4.1+20221122.102a8e1: * Dev: bootstrap: fix passwordless ssh authentication for hacluster automatically when a new node is joining the cluster (bsc#1201785) * Dev: upgradeutil: automated init ssh passwordless auth for hacluster after upgrading (bsc#1201785) * Dev: report: collect ra trace files from specified directories (jsc#PED-121) * Dev: ui_resource: trace directory in log info should be changed dynamically (jsc#PED-121) * Dev: parse: cli_to_xml: populate advised monitor/start/stop operations values * fix: log: fail to open log file even if user is in haclient group (bsc#1204670) * Fix: sbd: Ask if overwrite when given sbd device on interactive mode (bsc#1201428) - Update to version 4.4.1+20220928.ded85d0a: * Dev: bootstrap: Adjust cluster properties including priority-fencing-delay * Fix: ui_cluster: 'crm cluster stop' failed to stop services (bsc#1203601) * Dev: bootstrap: Adjust pcmk_delay_max and stonith-timeout for all configured fence agents * Dev: cibconfig: "crm config show related:xxx" provides partial search among class, provider, type fields * Dev: bootstrap: Adjust sbd related timeout when add/remove qdevice * Fix: crash_test: do not use firewalld to isolate a cluster node (bsc#1192467) - Update to version 4.4.1+20220913.57fa9d96: * Dev: add remote_auth to known stages of cluster init * Dev: refactor timeout calculation for sbd * Dev: Initial version of cryptctl setup script. 
* Dev: utils: Refactor class ServiceManager, to show all nodes' status when running in parallel * Dev: bootstrap: Add delay to start corosync when node list larger than 5 (bsc#1188653) * Dev: bootstrap: Show remote node name when stopping service remotely * Dev: log: print a full-width progress bar in status_progress to prevent interleaving with log messages * Dev: log: print begin and end marker in different lines in status_long * Dev: parallax: Add LogLevel=error ssh option to filter out warnings (bsc#1196726) * Revert "Fix: utils: Only raise exception when return code of systemctl command over ssh larger than 4 (bsc#1196726)" (bsc#1202655) * fix: configure: refresh cib before showing or modifying if no pending changes has been made (bsc#1202465) * Fix: bootstrap: Use crmsh.parallax instead of parallax module directly (bsc#1202006) * Dev: bootstrap: Generate public key from private key - Update to version 4.4.1+20220809.4f90c4ef: * Dev: bootstrap: Don't open mgmt port since it's deprecated * Dev: bootstrap: Don't sync csync2 when peer node's csync2 service not ready * Dev: bootstrap: remove cluster add sub-command * Fix: bootstrap: -N option setup the current node and peers all together (bsc#1175863, jsc#PED-103, jsc#PED-779) * Dev: parallax: Add strict option to avoid raise exception when set to False - Update to version 4.4.0+20220708.6ed6b56f: * Fix: utils: use -o and -n to compare files instead of strings for crm_diff (bsc#1201312) * Dev: ui_cluster: Add examples for 'cluster init' and 'cluster join' * Dev: cibconfig: enable "related:" prefix to show the objects by given ra type * Fix: crm report: use sudo when under non root and hacluster user (bsc#1199634) * Fix: utils: wait4dc: Make change since output of 'crmadmin -S' changed (bsc#1199412) * Fix: bootstrap: stop and disable csync2.socket on removed node (bsc#1199325) * Fix: crm report: Read data in a safe way, to avoid UnicodeDecodeError (bsc#1198180) 
----------------------------------------------------------------------------- o Updated cross-nvptx-gcc11 (security/bugfix/feature) [x86_64] - Update to the GCC 11.3.0 release. * includes SLS hardening backport on x86_64. [bsc#1195283] - Update to gcc-11 branch head (691af15031e00227ba6d5935c), git1635 * includes gcc11-pr104931.patch * includes fix for Firefox ICE [gcc#105256] - Add provides/conflicts to glibc crosses since only one GCC version for the same target can be installed at the same time. - Add provides/conflicts to libgccjit. - Update to gcc-11 branch head (6a1150d1524aeda3381b21717), git1406 * includes change to adjust gnats idea of the target, fixing the build of gprbuild. [bsc#1196861] - Add gcc11-pr104931.patch to fix miscompile of embedded premake in 0ad on i586. [bsc#1197065] - drop armv5tel, merge arm and armv6hl - use --with-cpu rather than specifying --with-arch/--with-tune to Recommends. - Remove sys/rseq.h from include-fixed - Update to gcc-11 branch head (d4a1d3c4b377f1d4acb), git1173 * Fix D memory corruption in -M output. * Fix ICE in is_this_parameter with coroutines. [boo#1193659] - Enable the cross compilers also on i586 - Enable some cross compilers also in rings - Remove cross compilers for i386 target - Update to gcc-11 branch head (7510c23c1ec53aa4a62705f03), git1018 * fixes issue with debug dumping together with -o /dev/null * fixes libgccjit issue showing up in emacs build [boo#1192951] - Package mwaitintrin.h - Remove spurious exit from change_spec. - Enable the full cross compiler, cross-aarch64-gcc11 and cross-riscv64-gcc11 now provide a fully hosted C (and C++) cross compiler, not just a freestanding one. I.e. with a cross glibc. They don't yet support the sanitizer libraries. Part of [jsc#OBS-124]. 
----------------------------------------------------------------------------- o Added cross-nvptx-gcc12 (feature) [x86_64] ## WARNING - the following diff is a head -20 proposal * Wed Aug 31 2022 rguenther@suse.com - Prune invalid-license rpmlint warnings, the SLE12 codestream doesn't get fixed but FF applies there, too. [bsc#1185337] * Tue Aug 30 2022 rguenther@suse.com - Update to gcc-12 branch head, e927d1cf141f221c5a32574bde0, git416 * includes GCC 12.2 release * includes recent fixes backported from trunk * Mon Aug 29 2022 mliska@suse.cz - Add gcc12-fifo-jobserver-support.patch that adds support for FIFO jobserver for make. * Sun Aug 21 2022 matwey.kornilov@gmail.com - Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for ----------------------------------------------------------------------------- o Updated csync (security/bugfix/feature) [x86_64] - Add csync-libssh.patch: Detect libssh version in libssh_version.h in case this file exists. ----------------------------------------------------------------------------- o Updated ctags (security/bugfix/feature) - CVE-2022-4515.patch: fixes arbitrary command execution via a tag file with a crafted filename (bsc#1206543, CVE-2022-4515) - Stop resetting ctags update-alternative priority back to auto. These are admin settings. 
----------------------------------------------------------------------------- o Updated cups (security/bugfix/feature) - cups-branch-2.2-commit-3e4dd41459dabc5d18edbe06eb5b81291885204b.diff is 'git show 3e4dd41459dabc5d18edbe06eb5b81291885204b' for https://github.com/apple/cups/commit/3e4dd41459dabc5d18edbe06eb5b81291885204b (except the not needed hunk for patching CHANGES.md which fails) that fixes handling of MaxJobTime 0 (Issue #5438) in the CUPS 2.2 branch bsc#1201511: Stuck print jobs being cancelled immediately, despite MaxJobTime being set to 0 - cups-2.2.7-CVE-2022-26691.patch fixes CVE-2022-26691 cups: authentication bypass and code execution (bsc#1199474) - SUSE_bsc_1189517.patch is https://github.com/apple/cups/commit/821b3cc956d46b811facd50986acc9f24f0e1c79 which belongs to https://github.com/apple/cups/issues/5288 that fixes bsc#1189517 "cups printservice takes much longer than before with a big number of printers" see in particular https://github.com/apple/cups/issues/5288#issuecomment-921626381 - SUSE_bsc_1195115.patch is https://github.com/apple/cups/commit/ba9d68cc7467a7a47ef219071902b9e9eb6dbc44 which belongs to https://github.com/apple/cups/issues/5538 that fixes bsc#1195115 "CUPS PreserveJobHistory doesn't work with seconds" ----------------------------------------------------------------------------- o Updated curl (security/bugfix/feature) - Security Fix: [bsc#1207992, CVE-2023-23916] * HTTP multi-header compression denial of service * Add curl-CVE-2023-23916.patch - Security Fixes: * HSTS ignored on multiple requests [bsc#1207990, CVE-2023-23914] * HSTS amnesia with --parallel [bsc#1207991, CVE-2023-23915] * Add curl-CVE-2023-23914-23915.patch - Security Fix: [bsc#1206309, CVE-2022-43552] * HTTP Proxy deny use-after-free * Add curl-CVE-2022-43552.patch - Security Fix: [bsc#1206308, CVE-2022-43551] * Fix Another HSTS bypass via IDN * Add curl-CVE-2022-43551.patch - Security Fix: [bsc#1204383, CVE-2022-32221] * POST following PUT confusion * 
Add curl-CVE-2022-32221.patch - Security Fix: [bsc#1204386, CVE-2022-42916] * HSTS bypass via IDN * Add curl-CVE-2022-42916.patch - Security fix: [bsc#1202593, CVE-2022-35252] * Control codes in cookie denial of service * Add curl-CVE-2022-35252.patch - Security fix: [bsc#1200734, CVE-2022-32205] * Set-Cookie denial of service * Add curl-CVE-2022-32205.patch - Security fix: [bsc#1200735, CVE-2022-32206] * HTTP compression denial of service * Add curl-CVE-2022-32206.patch - Security fix: [bsc#1200736, CVE-2022-32207] * Unpreserved file permissions * Add curl-CVE-2022-32207.patch - Security fix: [bsc#1200737, CVE-2022-32208] * FTP-KRB bad message verification * Add curl-CVE-2022-32208.patch ----------------------------------------------------------------------------- o Updated cyrus-sasl-bdb (security/bugfix/feature) - Do not set directories inside doc/ mode 644; otherwise the directories are set 644 as well, which means no files inside are accessible. This resulted in the past in doc/ actually not being added to the devel package. - update to 2.1.28 (bsc#1196036, CVE-2022-24407): * https://www.cyrusimap.org/sasl/sasl/release-notes/2.1/index.html#new-in-2-1-28 - drop cyrus-sasl-bug587.patch (upstream) - cyrus-sasl: prevent fail of %pre when Berkeley db utils are not installed (seems like we want to use this only for upgrade so no Prereq added) - move license to licensedir - remove use of RPM_BUILD_ROOT - minimal spec cleanups - avoid bashisms - postfix: sasl authentication with password fails (bsc#1194265) Add config parameter --with-dblib=gdbm - Avoid converting of /etc/sasldb2 by every update. Convert /etc/sasldb2 only if it is a Berkeley DB - CVE-2020-8032: cyrus-sasl: Local privilege escalation to root due to insecure tmp file usage. (bsc#1180669) Use /var/adm/update-scripts/ instead of /tmp. Clean up temporary files. 
----------------------------------------------------------------------------- o Updated cyrus-sasl-saslauthd-bdb (security/bugfix/feature) - update to 2.1.28 (bsc#1196036, CVE-2022-24407): * https://www.cyrusimap.org/sasl/sasl/release-notes/2.1/index.html#new-in-2-1-28 - drop cyrus-sasl-bug587.patch (upstream) - cyrus-sasl: prevent fail of %pre when Berkeley db utils are not installed (seems like we want to use this only for upgrade so no Prereq added) - move license to licensedir - remove use of RPM_BUILD_ROOT - minimal spec cleanups - avoid bashisms - postfix: sasl authentication with password fails (bsc#1194265) Add config parameter --with-dblib=gdbm - Avoid converting of /etc/sasldb2 by every update. Convert /etc/sasldb2 only if it is a Berkeley DB - Fix build: Do not build libsasl2-3 in the bdb package. This will not be linked to Berkeley db. libsasl2-3 is now defined as %BuildRequires and %Requires - CVE-2020-8032: cyrus-sasl: Local privilege escalation to root due to insecure tmp file usage. (bsc#1180669) Use /var/adm/update-scripts/ instead of /tmp. Clean up temporary files. ----------------------------------------------------------------------------- o Updated cyrus-sasl-saslauthd (security/bugfix/feature) - update to 2.1.28 (bsc#1196036, CVE-2022-24407): * https://www.cyrusimap.org/sasl/sasl/release-notes/2.1/index.html#new-in-2-1-28 - drop cyrus-sasl-bug587.patch (upstream) - cyrus-sasl: prevent fail of %pre when Berkeley db utils are not installed (seems like we want to use this only for upgrade so no Prereq added) - move license to licensedir - remove use of RPM_BUILD_ROOT - minimal spec cleanups - avoid bashisms - Avoid converting of /etc/sasldb2 by every update. Convert /etc/sasldb2 only if it is a Berkeley DB - Fix build: Do not build libsasl2-3 in the bdb package. This will not be linked to Berkeley db. 
libsasl2-3 is now defined as %BuildRequires and %Requires - CVE-2020-8032: cyrus-sasl: Local privilege escalation to root due to insecure tmp file usage. (bsc#1180669) Use /var/adm/update-scripts/ instead of /tmp. Clean up temporary files. The packages cyrus-sasl and cyrus-sasl-saslauthd are built The packages cyrus-sasl-bdb and cyrus-sasl-saslauthd-bdb are built ----------------------------------------------------------------------------- o Updated cyrus-sasl (security/bugfix/feature) - drop optional opie dependency - Do not set directories inside doc/ mode 644; otherwise the directories are set 644 as well, which means no files inside are accessible. This resulted in the past in doc/ actually not being added to the devel package. - update to 2.1.28 (bsc#1196036, CVE-2022-24407): * https://www.cyrusimap.org/sasl/sasl/release-notes/2.1/index.html#new-in-2-1-28 - drop cyrus-sasl-bug587.patch (upstream) - cyrus-sasl: prevent fail of %pre when Berkeley db utils are not installed (seems like we want to use this only for upgrade so no Prereq added) - move license to licensedir - remove use of RPM_BUILD_ROOT - minimal spec cleanups - avoid bashisms - Fix build: Do not build libsasl2-3 in the bdb package. This will not be linked to Berkeley db. libsasl2-3 is now defined as %BuildRequires and %Requires ----------------------------------------------------------------------------- o Updated dav1d (security/bugfix/feature) - Drop _lto_cflags define, current version supports lto build. - Drop unneeded rpm BuildRequires. - Add pkgconfig(libxxhash) BuildRequires and stop passing xhash_muxer=disabled to meson, build hash_muxer support. - Add check section and meson_test macro, run tests during build. - Update to version 1.0.0 * Automatic thread management. * Add support for AVX-512 acceleration. * x86 code speedup (from SSE2 to AVX2). * New grain API to ease acceleration on the GPU. * New API call to get information of which frame failed to decode, in error cases. 
* Numerous small bug fixes. - Bump soversion to 6 ----------------------------------------------------------------------------- o Updated dbus-1 (security/bugfix/feature) - Fix a potential crash that could be triggered by an invalid signature. (CVE-2022-42010, bsc#1204111) * fix-upstream-CVE-2022-42010.patch - Fix an out of bounds read caused by a fixed length array (CVE-2022-42011, bsc#1204112) * fix-upstream-CVE-2022-42011.patch - A message in non-native endianness with out-of-band Unix file descriptors would cause a use-after-free and possible memory corruption (CVE-2022-42012, bsc#1204113) * fix-upstream-CVE-2022-42012.patch - Disable asserts (bsc#1087072) - Refreshed patches * fix-upstream-CVE-2020-35512.patch ----------------------------------------------------------------------------- o Updated dconf (security/bugfix/feature) - Bring back 0001-gvdb-Restore-permissions-on-changed-files.patch since the useful fix was never merged to upstream (bsc#971074 bgo#758066 bsc#1203344). ----------------------------------------------------------------------------- o Updated desktop-translations (security/bugfix/feature) - Update to version 84.87.20230128.350400f: * Translated using Weblate (Macedonian) * Translated using Weblate (German) * Translated using Weblate (Georgian) * Translated using Weblate (Georgian) * Translated using Weblate (Finnish) * Translated using Weblate (Macedonian) * Translated using Weblate (Macedonian) * Translated using Weblate (Macedonian) * Translated using Weblate (Macedonian) * Translated using Weblate (Italian) * Translated using Weblate (Italian) * Translated using Weblate (Macedonian) * Translated using Weblate (Macedonian) * Translated using Weblate (German) * Translated using Weblate (German) * Translated using Weblate (German) * Translated using Weblate (Czech) * Translated using Weblate (Czech) * Translated using Weblate (Czech) * Translated using Weblate (Czech) * Translated using Weblate (Spanish) * Translated using Weblate 
(Spanish) * Translated using Weblate (Swedish) * Translated using Weblate (Swedish) * Translated using Weblate (Swedish) * Translated using Weblate (Macedonian) * Translated using Weblate (Russian) * Translated using Weblate (Swedish) * Translated using Weblate (Swedish) * Translated using Weblate (Swedish) * Translated using Weblate (Russian) ----------------------------------------------------------------------------- o Updated dhcp (security/bugfix/feature) - bsc#1203988, CVE-2022-2928, dhcp-CVE-2022-2928.patch: An option refcount overflow exists in dhcpd - bsc#1203989, CVE-2022-2929, dhcp-CVE-2022-2929.patch: DHCP memory leak - bsc#1198657: properly handle DHCRELAY(6)_OPTIONS. ----------------------------------------------------------------------------- o Added DirectX-Headers (feature) [x86_64] ## WARNING - the following diff is a head -20 proposal * Tue Aug 30 2022 scott.bradnick@suse.com - Update to 1.606.4: * Update D3DX12.H to support new ABI for MinGW (#73) * dxguids: Add new GUIDs from the last several releases * Tue Aug 16 2022 gmbr3@opensuse.org - Update to 1.606.3: * Support Shader Model 6.7 * Wed May 25 2022 gmbr3@opensuse.org - Clean spec file * Fix description * Use %autosetup * Use meson macros * Use fdupes for duplicate files * Use a better URL ----------------------------------------------------------------------------- o Added distribution (feature) ## WARNING - the following diff is a head -20 proposal * Fri Sep 09 2022 fcrozat@suse.com - Explicitly require nologin shell which is needed for registry system user (bsc#1203324) * Wed Jun 08 2022 dmueller@suse.com - switch to go 1.16 for 2.8.1 (jsc#SLE-24963) - build the additional commands as well - rename to follow upstream renaming - cleanups - switch to systemd for user generation * Mon May 02 2022 dcermak@suse.com - Update to version 2.8.1: * FIx typo * Update 2.8.1. 
release notes * go 1.16.15 ----------------------------------------------------------------------------- o Updated dmidecode (security/bugfix/feature) [x86_64,aarch64] 2 recommended fixes from upstream: - news-fix-typo.patch: We ship the NEWS file so avoid including a typo in it. - dmioem-fix-segmentation-fault-in-dmi_hp_240_attr.patch: Passing NULL to a %s printf conversion specifier is illegal, and can result in a segmentation fault. Current version of glibc doesn't mind, but alternative, past or future libc implementations could crash, so let's fix it. - Update to upstream version 3.4: * This update implements jsc#SLE-24502 and jsc#PED-1466. * [COMPATIBILITY] Document how the UUID fields are interpreted. * [PORTABILITY] Don't use memcpy on /dev/mem on arm64. * Support for SMBIOS 3.4.0. This includes new memory device types, new processor upgrades, new slot types and characteristics, decoding of memory module extended speed, new system slot types, new processor characteristics and new format of Processor ID. * Support for SMBIOS 3.5.0. This includes new processor upgrades, BIOS characteristics, new slot characteristics, new on-board device types, new pointing device interface types, and a new record type (type 45 - Firmware Inventory Information). * Decode HPE OEM records 194, 199, 203, 236, 237, 238 and 240. 
* Bug fixes: Fix OEM vendor name matching * Minor improvements: Add bios-revision, firmware-revision and system-sku-number to -s option Use the most appropriate unit for cache size Decode system slot base bus width and peers Skip details of uninstalled memory modules Don't display the raw CPU ID in quiet mode Improve the formatting of the manual pages * Obsoletes dmidecode-add-enumerated-values-from-smbios-3.3.0.patch, dmidecode-add-logical-non-volatile-device.patch, dmidecode-add-memory-device-types-from-smbios-3.4.0.patch, dmidecode-add-processor-characteristics-bits-from-smbios-3.4.0.patch, dmidecode-add-processor-upgrades-from-smbios-3.4.0.patch, dmidecode-add-slot-characteristics2-from-smbios-3.4.0.patch, dmidecode-add-system-slot-types-from-smbios-3.4.0.patch, dmidecode-fix-formatting-of-tpm-table-output.patch, dmidecode-fix-redfish-hostname-print-length.patch, dmidecode-fix-system-slot-information-for-pcie-ssd.patch, dmidecode-missing-commas.patch, dmidecode-only-scan-dev-mem-for-entry-point-on-x86.patch and dmidecode-skip-details-of-uninstalled-memory-modules.patch. ----------------------------------------------------------------------------- o Updated docker (security/bugfix/feature) - Backport to fix a crash-on-start issue with dockerd. bsc#1200022 + 0007-bsc1200022-fifo.Close-prevent-possible-panic-if-fifo.patch - Update to Docker 20.10.17-ce. See upstream changelog online at . bsc#1200145 - Rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch * 0006-bsc1193930-vendor-update-golang.org-x-crypto.patch - Add patch to update golang.org/x/crypto for CVE-2021-43565 and CVE-2022-27191. 
bsc#1193930 bsc#1197284 * 0006-bsc1193930-vendor-update-golang.org-x-crypto.patch - Rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch - Update to Docker 20.10.14-ce. See upstream changelog online at . bsc#1197517 CVE-2022-24769 ----------------------------------------------------------------------------- o Updated dolly (security/bugfix/feature) [x86_64,aarch64] - update to dolly version 0.64.2: bugs and typo fixes, dolly is less verbose by default - updated to dolly 0.64.1 which adds dolly as a service and/or activation through a socket ----------------------------------------------------------------------------- o Updated dovecot23 (security/bugfix/feature) - VUL-0: CVE-2022-30550: dovecot22,dovecot23: Privilege escalation possible in dovecot when similar master and non-master passdbs are used (bsc#1201267). o Apply upstream patch: CVE-2022-30550.patch ----------------------------------------------------------------------------- o Updated dpdk (security/bugfix/feature) [x86_64,ppc64le,aarch64] - security update - added patches fix CVE-2022-2132 [bsc#1202903], DoS when a Vhost header crosses more than two descriptors and exhausts all mbufs + dpdk-CVE-2022-2132.patch fix CVE-2022-28199 [bsc#1202956], buffer overflow in the vhost code + dpdk-CVE-2022-28199.patch - fix build with SLE15-SP5 kernel [bsc#1203845] - added patches + 0005-kni-use-dedicated-function-to-set-random-MAC-address.patch + 0006-kni-use-dedicated-function-to-set-MAC-address.patch - added patch to fix build issue with 15 SP5 kernel (bsc#1203845) + 0004-kni-update-kernel-API-to-set-random-MAC-address.patch - aabdallah@suse.com: Fix for SG#63176, bsc#1198873: Read PCI device name as UTF strings. 
- tabraham@suse.com: kni: allow configuring thread granularity (bsc#1195172) - added patches + 0001-kni-allow-configuring-thread-granularity.patch + 0001-usertools-read-PCI-device-name-as-UTF-8.patch ----------------------------------------------------------------------------- o Updated dpdk-thunderx (security/bugfix/feature) [aarch64] - security update - added patches fix CVE-2022-2132 [bsc#1202903], DoS when a Vhost header crosses more than two descriptors and exhausts all mbufs + dpdk-CVE-2022-2132.patch fix CVE-2022-28199 [bsc#1202956], buffer overflow in the vhost code + dpdk-CVE-2022-28199.patch - fix build with SLE15-SP5 kernel [bsc#1203845] - added patches + 0005-kni-use-dedicated-function-to-set-random-MAC-address.patch + 0006-kni-use-dedicated-function-to-set-MAC-address.patch - added patch to fix build issue with 15 SP5 kernel (bsc#1203845) + 0004-kni-update-kernel-API-to-set-random-MAC-address.patch - aabdallah@suse.com: Fix for SG#63176, bsc#1198873: Read PCI device name as UTF strings. 
- tabraham@suse.com: kni: allow configuring thread granularity (bsc#1195172) - added patches + 0001-kni-allow-configuring-thread-granularity.patch + 0001-usertools-read-PCI-device-name-as-UTF-8.patch ----------------------------------------------------------------------------- o Updated dpkg (security/bugfix/feature) - security update - added patches fix CVE-2022-1664 [bsc#1199944], dpkg -- security update + dpkg-CVE-2022-1664.patch ----------------------------------------------------------------------------- o Updated dracut (security/bugfix/feature) - Update to version 055+suse.353.g5603b001: A series of changes for the NVMeoF boot with IPv6 (bsc#1209166): * fix(nvmf): move connect logic to initqueue script * fix(nvmf): don't assume prefix length 64 by default * fix(nvmf): prefix syntax for static iBFT IPv6 addresses * fix(network): IPv6: don't wait for RA for static IPv6 assignments * fix(network-legacy): always include af_packet * fix(network): don't assume prefix length 64 by default * fix(iscsi): prefix syntax for static iBFT IPv6 addresses - Update to version 055+suse.345.g8b8708cb: * feat(lvm): always include all drivers that LVM can use (bsc#1206195) - Update to version 055+suse.343.g0113f4b9: A series of changes for the NVMeoF boot feature (jsc#PED-1449): * fix(dracut.spec): require jq for nvmf * fix(suse/dracut.spec): require program for duplicate IP address detection * fix(iscsi): install 8021q module unconditionally * fix(nvmf): install 8021q module unconditionally * feat(nvmf): enable module if NBFT exists * feat(nvmf): add NBFT connect support, and fix configuration priority * feat(nvmf): add code for parsing the NBFT * fix(dracut.spec): require libopenssl1_1-hmac for dracut-fips (bsc#1206439) - Update to version 055+suse.333.g39325ba0: * feat(kernel-modules): exclude USB drivers in strict hostonly mode (bsc#1186056) * fix(multipath): warn if included with no multipath devices and no user conf (bsc#1069169) * fix(dracut.sh): improve detection of 
installed kernel versions (bsc#1205175) * fix(nfs): chown using rpc default group (bsc#1204929) - Update to version 055+suse.325.g6780025c: * fix(network-manager): always install the library plugins directory (bsc#1202014) * feat(dracut-init.sh): add inst_libdir_dir() helper (bsc#1202014) A series of fixes for NVMeoF boot (bsc#1203368): * fix(man): dracut.cmdline.7: clarify "rd.nvmf.discover=fc,auto" * fix(network): avoid double brackets around IPv6 address * feat(nvmf): set rd.neednet=1 if tcp records encountered * fix(man): dracut.cmdline(7): correct syntax for rd.nonvmf * fix(network): don't use same ifname multiple times * fix(nvmf): run cmdline hook before parse-ip-opts.sh * fix(nvmf): avoid calling "exit" in a cmdline hook * fix(nvmf): make sure "rd.nvmf.discover=fc,auto" takes precedence * fix(nvmf): don't use "finished" queue for autoconnect * fix(nvmf): don't create did-setup file * fix(nvmf): no need to load the nvme module * fix(nvmf): don't try to validate network connections in cmdline hook * fix(nvmf): nvme list-subsys prints the address using commas as separator * fix(nvmf): deprecate old nvmf cmdline options * fix(nvmf): set executable bit on nvmf-autoconnect.sh - Update to version 055+suse.306.g5b4feffc: * fix(network-legacy): misleading duplicate address detection using wicked (bsc#1201235) * fix(dmsquash-live): correct regression introduced with shellcheck changes (bsc#1203894) - Update to version 055+suse.300.ge878982d: * chore(suse): change default persistent policy (jsc#PED-1885) * fix(systemd): add missing modprobe@.service (bsc#1203749) * fix(i18n): do not fail if FONT in /etc/vconsole.conf has the file extension (bsc#1203267) - Update to version 055+suse.294.gc5bc4bb5: Missing network-manager module fixes (bsc#1201975): * fix(network-manager): avoid calling unavailable dracut-logger functions * fix(network-manager): skip non-directories in /sys/class/net * fix(network-manager): disable tty output if the console is not usable * 
fix(network-manager): show output on console only with rd.debug enabled * fix(network-manager): write DHCP filename option to dhcpopts file * fix(network-manager): ensure safe content of /tmp/dhclient."$ifname".dhcpopts * fix(network-manager): include nm-daemon-helper binary * fix(network-manager): don't pull in systemd-udev-settle * fix(network-manager): support teaming under NM+systemd * fix(network-manager): pull in network.target in nm-initrd.service - Update to version 055+suse.283.ge98ece25: * fix(network-manager): check for nm-initrd-generator in both /usr/{libexec,lib} (bsc#1201975) * fix(network-legacy): add auto timeout to wicked DHCP test (bsc#1198709) - Update to version 055+suse.279.g3b3c36b2: * fix(bluetooth): accept compressed firmwares in inst_multiple (bsc#1200236) * fix(network-legacy): support rd.net.timeout.dhcp (bsc#1200360) * fix(convertfs): ignore commented lines in fstab (bsc#1200251) * fix(integrity): do not display any error if there is no IMA certificate (bsc#1187654) - Update to version 055+suse.271.g70f710e4: * fix(nfs): /var is not mounted during the transactional-update run (bsc#1184970) * fix(nfs): give /run/rpcbind ownership to rpc user (bsc#1177461) * fix(dracut-install): copy files preserving ownership attributes (bsc#1197967) * fix(crypt): remove quotes from cryptsetupopts (bsc#1197635) * fix(lvm): restore setting LVM_MD_PV_ACTIVATED (bsc#1195604) * fix(iscsi): remove unneeded iscsi NOP-disable code (bsc#1196267) * fix(dracut-systemd): do not require vconsole-setup.service (bsc#1195508) * fix(bluetooth): make hostonly configuration files optional (bsc#1195047) ----------------------------------------------------------------------------- o Updated drbd (security/bugfix/feature) - drbd: add patches to follow upstream code style and remove build warning (bsc#1206917) * update bsc-1201335_06-bdi.patch commit log (no code change) + bsc-1201335_06-bdi.patch * add new patches + 
bsc-1206791-01-drbd-add-comments-explaining-removal-of-bdi-congesti.patch + bsc-1206791-02-drbd-fix-static-analysis-warnings.patch - update to 9.0.30 from commit 10bee2d5 to 8e9c0812 * drbd failed to build for x86_64 with new kernel (bsc#1205254) - remove files: drbd-9.0.30~1+git.10bee2d5.tar.bz2 compat_genl_maxattr_in_ops.patch convert_to_blk_alloc_disk.patch drbd-Fix-abortion-of-a-connect-2-phase-commit.patch - add files: drbd-9.0.30~1+git.8e9c0812.tar.bz2 bsc-1192929_02-move_kvmalloc_related_to_slab.patch bsc-1192929_03-polling_to_bio_base.patch bsc-1192929_07-add_disk_error_handle.patch bsc-1192929_08-have_void_drbd_submit_bio.patch bsc-1201335_03-genhd.patch bsc-1201335_04-bio_alloc_bioset.patch bsc-1201335_05-bio_alloc.patch bsc-1201335_07-write-same.patch bsc-1201335_08-bio_clone_fast.patch bsc-1202600_01-remove-QUEUE_FLAG_DISCARD.patch bsc-1202600_03-block-decouple-REQ_OP_SECURE_ERASE-from-REQ_OP_DISCA.patch bsc-1202600_04-remove-assign_p_sizes_qlim.patch - drbd failed to build for x86_64 with new kernel (bsc#1205254) + bsc-1192929_01-make_block_holder_optional.patch + bsc-1192929_04-pass_gend_to_blk_queue_update_readahead.patch + bsc-1192929_09-remove_bdgrab.patch + bsc-1201335_01-compat-test-and-cocci-patch-for-bdi-in-gendisk.patch + bsc-1201335_02-compat-only-apply-bdi-pointer-patch-if-bdi-is-in-req.patch + bsc-1201335_06-bdi.patch ----------------------------------------------------------------------------- o Updated drbd-utils (security/bugfix/feature) - drbd.service fails to load - incorrect path to executable (bsc#1206754) * use %suse_version to replace %UsrMerge * modify drbd-utils.spec for create symbolic folder "/lib/drbd" - bsc#1204276 remove crm-fence-peer.sh for drbd8 to avoid confusion with v9 - drbd-utils.spec force _localstatedir to use /var/lib in runtime (bsc#1203220) - restore drbd scripts back to /usr/lib/drbd from /lib/drbd (bsc#1203220) Update drbd-utils.spec - fix drbd-bash-completion Update rpmlint-build-error.patch - bsc#1190591, 
fail to start due to lack of /usr/var/run/drbd - Update to 9.18.0 (bsc#1189363) - add pie-fix.patch: explicitly pass -pie linker flag when building drbdmon. The Makefile explicitly passes -fPIC, thereby breaking our gcc-PIE profile. In addition the Makefile also ignores CXXFLAGS and LDFLAGS passed via the environment. Therefore fix it with this patch. This makes drbdmon a PIE binary (bsc#1184122, bsc#1185132). - prepare usrmerge (boo#1029961) ----------------------------------------------------------------------------- o Added duktape (feature) ## WARNING - the following diff is a head -20 proposal * Mon Nov 28 2022 meissner@suse.com - duktape-link-m.patch: link against libm for sin() and related functions, in case the compiler with -Os creates external references. bsc#1205805 * Fri Oct 30 2020 stefan.bruens@rwth-aachen.de - Update to 2.6.0: * Various fixes and portability improvements. * Tue Jul 28 2020 mrey@suse.com - Update to 2.5.0: * CBOR support, minor fixes and improvements - spec file changes * change http to https in URLs * use RPM macros * Mon Jul 29 2019 avvissu@yandex.by - Update to 2.4.0: ----------------------------------------------------------------------------- o Updated e2fsprogs (security/bugfix/feature) - libext2fs-add-sanity-check-to-extent-manipulation.patch: libext2fs: add sanity check to extent manipulation (bsc#1198446 CVE-2022-1304) ----------------------------------------------------------------------------- o Updated elfutils-debuginfod (security/bugfix/feature) - Set --enable-debuginfod-urls only for TW. - Add missing Requires for devel package. ----------------------------------------------------------------------------- o Updated emacs-apel (security/bugfix/feature) - Add emacs-apel-fix-build-error.patch: fix emacs-apel build error on SLE-15-SP4 (bsc#1197714). 
----------------------------------------------------------------------------- o Updated emacs (security/bugfix/feature) - Add upstream commit/patches * 01a4035c.patch Fix etags local command injection vulnerability (CVE-2022-48337, bsc#1208515) * CVE-2022-48338.patch Fix ruby-mode.el local command injection vulnerability (CVE-2022-48338, bsc#1208514) * CVE-2022-48339.patch Fix htmlfontify.el command injection vulnerability (CVE-2022-48339 bsc#1208512) - Add upstream commit as patch d48bb487.patch (bsc#1205822, CVE-2022-45939) * shell command injection via source code files when using ctags ----------------------------------------------------------------------------- o Updated eog (security/bugfix/feature) - Update to version 41.2: + eog-window: use correct type for display_profile. + Fix discovery of Evince for multi-page images. + Updated translations. ----------------------------------------------------------------------------- o Updated erlang (security/bugfix/feature) - Add CVE-2022-37026-client-auth-bypass.patch to fix Client Authorization Bypass (CVE-2022-37026, bsc#1205318). Patches gh#erlang/otp@cd5024867e7b and gh#erlang/otp@6a1baa36e4e6). ----------------------------------------------------------------------------- o Updated eth-ff (security/bugfix/feature) [x86_64] - Update to v11.3.0.0-130 (jsc#PED-349) - added tool ethshmcleanup.sh for obsoleted shm file clean up - added support to IMPI 2021.6 - update MpiApps OSU to v5.9 ----------------------------------------------------------------------------- o Updated evince (security/bugfix/feature) - Update to version 41.4 + shell: Fix crashes when thumbnail extraction takes too long. + Updated translations. - Add 1060b24d051607f14220f148d2f7723b29897a54.patch: Fix build with meson 0.60.0 and newer. - Tweak our Provides/Obsolete of browser-plugin. 
----------------------------------------------------------------------------- o Updated evolution-data-server (security/bugfix/feature) [x86_64] - Update to version 3.42.5: + I#388 - Google OAuth out-of-band (oob) flow will be deprecated ----------------------------------------------------------------------------- o Updated evolution (security/bugfix/feature) [x86_64] - The evolution-devel should be forward compatible with evolution-data-server-devel in a same major version (jsc#PED-2235). ----------------------------------------------------------------------------- o Updated exiv2 (security/bugfix/feature) - add tracker for SLE (jsc#PED-1393) - update to 0.27.5 (bsc#1189332, CVE-2021-37620, bsc#1189333, CVE-2021-37621, bsc#1189334, CVE-2021-37622, bsc#1189338, CVE-2021-34334, bsc#1189335, CVE-2021-37623): * BMFF bug fixes including CR3 previews * Security fixes * libFuzzer target * Exiv2 monitored by oss-fuzz * Minor bugs and fixes - enable bmff format - disable docs for now: - graphviz was failing for a long time when trying to render the pngs as graphviz-gd was missing - even after adding this it still fails with missing fonts - Update to 0.27.4 (bsc#1186053, CVE-2021-29623, bsc#1185447, CVE-2021-29470, bsc#1185002, CVE-2021-29457, bsc#1188733, CVE-2021-31291, bsc#1186192, CVE-2021-32617): - Support for bmff files (HEIC, HEIF, AVIF, CR3, JXL/bmff) - Bash test scripts rewritten in python - DNG 1.6 and Exif 2.32 support - Bug and Security fixes - Updated build and test environments - Localisation support on Crowdin - Revised documentation - Other improvements - drop 1271.patch: included in update - Add 1271.patch: Fix build using GCC 11 (boo#1185218). - Drop the sed hack to remove -fcf-protection: this is properly solved with the above patch. 
- -fcf-protection doesn't work on i586 with gcc11 either (boo#1185218) - Fix build on non-x86 by dropping -fcf-protection flag on non-x86 architectures - Update to 0.27.3: * Bug and security fixes * UNIX support * Support for building with C++11 and C++14 * Revised build and test environments * Revised documentation * Improved charset handling in UserComment * Other improvements - Use C++11 for building instead of C++98. Googletest 1.10 is no longer compatible with C++98. For details, see https://github.com/Exiv2/exiv2/issues/1163 - Use FAT LTO objects in order to provide proper static library. - Update to 0.27.2 (bsc#1188645, CVE-2020-19716) * Bug and security fixes * Support for Nikon/AutoFocus and Sony/FocusPosition Metadata * Documentation and man page revisions * Updated Catalan Localisation * Using mergify to sync select PRs between 0.27-maintenance and 0.28 * Monitoring API changes for v0.27 dot releases * Preliminary Dutch Localisation * Preliminary Support for Unix (FreeBSD and NetBSD) * Better Build Bundle Dependency handling - Update exiv2-build-date.patch to new source tarball - Enable testsuite run in %check on x86_64 for Leap >= 15.0, SLE >= 15 and Tumbleweed - Use libcurl for HTTP - Enable webready (webp image support) - Add licenses to %license & add BSD 3 clause license (used for some CMake scripts) - update to 0.27.1 (CVE-2019-13108, bsc#1142675) * Bug and security fixes. * Deprecation warnings for Video, EPS and SSH support. * Branch 0.27-maintenance for "dots" to avoid confusion with tag 0.27 (== 0.27.0 code). 
* Support for Visual Studio 2019 using Conan and CMake - Update patch exiv2-build-date.patch - Drop exiv2-cmake-installdir.patch (included upstream) - Drop exiv2-rename-libxmp.patch (included upstream) - Drop exiv2-install-headers.patch (included upstream) - Drop exiv2-BanAllEntityUsage.patch (included upstream) - Create libexiv2-xmp-static subpackage - Updated exiv2-build-date.patch - Added exiv2-cmake-installdir.patch (exiv2 bug #623) - Added exiv2-rename-libxmp.patch (exiv2 bug #624) * This should prevent possible issues with libxmp project - Added exiv2-install-headers.patch (exiv2 bug #627) - Added exiv2-BanAllEntityUsage.patch * This prevents a denial of service attack related to XML entity expansion - Add libxmp.a to the devel package instead of deleting it, it's needed by the new exiv2Config.cmake that's installed now - Add libexpat-devel requirement to the devel package, also needed by exiv2Config.cmake - update to final 0.27.0 release - update to official RC2 tarball release: which obsoletes the following patches in previous dists as backports that have always been upstream: * obsoletes 0001-PSD-Use-Safe-add-for-preventing-overflows-in-PSD-fil.patch * obsoletes 0002-PSD-enforce-Length-of-image-resource-section-file-si.patch (CVE-2018-19108, bsc#1115364) * obsoletes 0001-Fix-561.-Use-proper-counter-for-the-idx-variable.patch (CVE-2018-19607, bsc#1117513) * obsoletes 0001-Avoid-null-pointer-exception-due-to-NULL-return-valu.patch (bsc#1142684, CVE-2019-13114) * obsoletes 0001-IptcData-printStructure-Remove-buffer-overrun.patch (bsc#1088424, CVE-2018-9305) * obsoletes 0001-Fix-SEGV-in-DataValue-Copy.patch (bsc#1109299, CVE-2018-17282) - update to current 0.27-RC2 git state to fix SONAME change issues - drop exiv2-0.27-rc2-branch.patch: built git tarball instead. - update to 0.27-RC1: * Security Fixes. * New build and test infrastructure. * Many bug fixes. * Support for MinGW/msys2. * Buildserver rewritten. 
* Support for Adobe XMPsdk - drop exiv2-update-to-0.26-branch.patch, parallel-build-dep.patch: obsolete - add exiv2-0.27-rc2-branch.patch: add fixes staged for RC2 * Fixes CVE-2017-1000128 (bsc#1068871) ----------------------------------------------------------------------------- o Updated expat (security/bugfix/feature) - Security fix: * (CVE-2022-43680, bsc#1204708) use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations - Added patch expat-CVE-2022-43680.patch - Security fix: * (CVE-2022-40674, bsc#1203438) use-after-free in the doContent function in xmlparse.c - Added patch expat-CVE-2022-40674.patch ----------------------------------------------------------------------------- o Updated fabtests (security/bugfix/feature) - Add prov-net-fix-error-path-in-xnet_enable_rdm.patch to fix a deadlock when no network interfaces are available (bsc#1205139) - Update to 1.16.1 - Core - Fix windows implementation to remove fd from poll set - PSM3 - Add missing files to release tarball - Util - Handle NULL address insertion to fi_av_insert - Drop prov-rxm-Disable-128-bit-atomics.patch which was merged upstream - Add prov-rxm-Disable-128-bit-atomics.patch to fix a potential segfault on misaligned buffers. - Update to 1.16.0 (jsc#PED-351, jsc#PED-190) - Core - Added HMEM IPC cache - Use exact string comparison checks for network interfaces - Restructuring of poll/epoll abstraction - Add ability to disable locks completely in debug builds - Serialize access to modifying the logging calls - Minor fixes to fi_tostr text formatting - Add hmem interface checks to memory registration - EFA - Added support of Synapse AI memory. 
- Improved error message - Net - Temporarily forked, optimized version of tcp provider - Focused on improved performance and scalability over tcp sockets - Fork ensures tcp provider stability while net provider is developed - Shares the tcp provider protocol and base implementation for msg endpoints - Integrates direct support for rdm endpoints, using a derivative from rxm - Implements own protocol for rdm endpoints, separate from rxm;tcp - OPX - Added initial support for SDMA - General performance enhancements - Performance improvements to reliability protocol - Improved deferred work pending complete - Added support for OPX_AV=runtime - Support iov memory registration ops - Added DAOS RPC support - Atomic ops enhancements - Improved documentation - Debug build enhancements - Fixed compiler warnings - Reduced time to compile prov/opx code - General bug fixes - Fixed PSN wrapping scaling - Added intranode fence - Addressed bugs discovered by coverity scan - PSM2 - Fix sending CQ data in some instances of fi_tsendmsg - PSM3 - Updated to match Intel Ethernet Fabric Suite (IEFS) 11.3 release - RxM - Update to read multiple completions at once from msg provider - Move RxM AV implementation to util code to share with net provider - Minor code cleanups - SHM - Implement and use ipc_cache - Add log messages for debugging and error tracking - Fix check for FI_MR_HMEM mr_mode - Move shm signal handlers initialization to EP - Added log messages for errors detected - TCP - Fix incorrect signaling of the CQ - Increase max number of poll events to retrieve - Acquire ep lock prior to flushing socket in shutdown - Verify ep state prior to progressing socket data - Read cm error data when receiving connreq response - Log error on connect failure - Fix assertion failure in CQ progress function - Util - Fix text in log of UFFD ioctl failure - Introduce cuda ipc monitor - Fix CQ memory leak handling overflow - Fix MR mode bit check for ver 1.5 and greater - Add max_array_size to 
track/check array overflow - Always progress transfers when reading from a CQ - Handle NULL address insertion - Try IPv4 before IPv6 addresses when starting name server - Fix IP util av default address length - Fix util IP getinfo path to read hints->addr_format - Fix debug print mismatch - Fix return code when memory allocation fails. - Fix build sign warning in ofi_bufpool_region_alloc - Minor code cleanups - Print warning if an addr is inserted into an AV again - Verbs - Fix support of FI_SOCKADDR_IB when requested by the application - Ensure all posted receives are flushed to the application - Update ofi_mr_cache_search API for hmem IPC support - Reduce logging verbosity for "no active ports" - Fix incorrect length used in memory registration - Various minor bug fixes for test failures - Fix a memory leak getting IB address - Implement verbs provider on Windows over NetworkDirect API - Set and check address format correctly - Only close qp if it was initialized - Portable detection of loopback device - Fabtests - multi_ep: Separate EP resources and fix MR registration - multi_recv: Fix possible crash and check for valid buffer - unexpected_msg: Fix printf compiler warning - dgram_pingpong.c: Use out-of-band sync - multinode: Make multinode tests platform agnostic, fix formatting - ubertest: Fix string comparison to include length, fix writedata completion check - av_test: add support for -e - New tests: - dmabuf-rdma: Component level test for dma-buf RDMA - sock_test: Component level performance test of poll, epoll, and select - rdm_stress: Multi-threaded, multi-process stress test for RDM endpoints - sighandler_test: Regression test for signal handler restoration - Drop patches fixed upstream: - prov-opx-Correctly-disable-OPX-if-unsupported.patch - disable-flatten-attr.patch - Add disable-flatten-attr.patch that drops flatten attribute. Note the flatten attribute results in huge compile time hog in inliner (same the binary size would be huge). 
- Use %make_build and enable LTO (boo#1133235). - Synchronize used Patches. - Update to 1.15.1 - Core - Fix fi_info indentation error in fi_tostr - hmem_ze: Add runtime option to choose specific copy engine - Cleanup of configure HMEM checks - Fixed stringop-truncation in ofi_ifaddr_get_speed - Add utility provider log suffix to make logs easier to read - Fix truncation of ipv6 addressing - hmem: add support for AWS Trainium devices - Fix potential sscanf overflows - hmem: pass through device and flags when querying memory interface - Rework locking in several areas to convert spinlocks to mutexes - Add new locking abstractions to select lock types at runtime - Add new FI_PROTO_RXM_TCP for optimized rxm over tcp path - Fix windows implementation to remove fd from poll set - EFA - Added windows support through efawin (https://github.com/aws/efawin) - Added support of AWS neuron. - Added support of using gdrcopy to copy data from host to device. - Fixed a bug that cause 0 byte read to fail. - Fixed a memory corruption issue that can caused forked process to crash. - Extended testing coverage through new pytest based testing framework. 
- HOOKS - Add new hooking provider dmabuf_peer_mem - Enable DL build of hooking providers - Add HMEM memory registration hook - OPX - New provider supporting Cornelis Networks Omni-path hardware - PSM3 - Updated psm3 to match IEFS 11.2.0.0 release - Added support for sockets (TCP/UDP) via a runtime selectable Hardware Abstraction Layer (HAL) - Added support for IPv6 addressing in RoCE and sockets - Added various NIC selection filtering options (wildcarded NIC name, address format, wildcarded IP subnet, link speed) - Performance tuning in conjunction with OneAPI and OneCCL - Improved PSM3_IDENTIFY output - Rename most internal symbols to psm3_ - Corrected vulnerabilities found during Coverity scans - configure options refined and help text improved - PSM3_MULTI_EP has been deprecated (recommend always enabled, default is enabled [same default as previous releases]) - Various bug fixes - RxM - Add check that atomic size is valid - Add support to passthru calls to tcp provider in specific - TCP - Add assert to verify RMA source/target msg sizes match - Wake-up threads blocked on CQ to update their poll events - Fix use of incorrect events in progress handler - Fixes for various compile warnings, mostly on Windows - Add support for FI_RMA_EVENT capability - Add support for completion counters - Fix check for CQ data in tagged messages - Add cancel support to shared rx context - Add src_addr receive buffer matching - Add provider control to assign a src_addr with an ep - Handle trecv with FI_PEEK flag - Allow binding a CQ with an SRX - Restructuring of code in source files - Handle EWOULDBLOCK returned by send call - Add hot (active) pollfd - SHM - Properly chain the original signal handlers - Avoid uninitialized variable with invalid atomic parameters - Fix 0 byte SAR read - Initialize len parameter to accept - Refactor and simplify protocol code - Remove broken support for 128-bit atomics - Fix FI_INJECT flag support - Add assert to verify RMA source/target msg sizes 
match - Set domain threading to thread safe - Fix possible use of uninitiated var in av_insert - Util - Fix sign warning in ofi_bufpool_region_alloc - Remove unused variable from ofi_bufpool_destroy - Fix check for valid datatype in ofi_atomic_valid - Return with error if util_coll_sched_copy fails - Fix use of uninitialized variable in ofi_ep_allreduce - Fix memory access in ip_av_insertsym - Track ep per collective operation not with multicast - Restructure collective av set creation/destruction - Change most locks from spin locks to mutexes - Allow selection of spinlocks for CQ and domain objects - Fix AV default addrlen - Update fi_getinfo checks to include hints->addr_ - Handle NULL address insertion to fi_av_insert - Verbs - Initial changes for compiling on Windows (via NetworkDirect) - Add a failover path to dma-buf based memory registration - Replace use of spin locks with mutexes - Check for valid qp prior to cleanup - Set and check for address format correct in fi_getinfo - Fabtests - hmem_cuda: used device allocated host buff to fill device buf - Add python scripts to control test execution - test_configs: include util provider in core config file - Add option "--pin-core" - Only call nrt_init once - Fix a bug in ft_neuron_cleanup - Correct help for unit test programs - Remove duplicate help prints from fi_mcast - configure.ac: fix --enable-debug=no not properly detected - msg_inject: handle the case ft_tsendmsg return -FI_EAGAIN - Add AWS Trainium device support - fi_inj_complete: Add FI_INJECT to fabtests - inj_complete.c: Make arguments align with the other tests - dgram_pingpong: handle the error return of fi_recv - recv_cancel: Remove requirement for unexpected msg handling - poll: Fix crash if unable to allocate pollset - ubertest: Add GPU testing and validation support - Add HMEM options parsing support - Update and re-enable fi_multi_ep test - Add prov-opx-Correctly-disable-OPX-if-unsupported.patch to disable OPX compilation on non x86_64 systems 
- Update to 1.14.1 - Core - Use non-shared memory allocations to use MADV_DONTFORK safely - Fix incorrect use of gdr_copy_from_mapping - Ensure proper timeout time for pollfds to avoid early exit - EFA - Handle read completion properly for multi_recv - Use shm's inject write when possible - Support 0 byte read - RxM - Ensure signaling the CQ fd after writing completion - Fix inject path for sending tagged messages with cq data - Negotiate credit based flow control support over CM - Add PID to CM messages to detect stale vs duplicate connections - Fix race handling unexpected messages from unknown peers - Fix possible leak of stack data in cm_accept - Restrict reported caps based on core provider - Delay starting listen until endpoint fully initialized - Verify valid atomic size - Sockets - Fix coverity reports on uninitialized data - Check for NULL pointers passed to memcpy - Add missing error return code from sock_ep_enable - TCP - Fix performance regression resulting from sparse pollfd sets - Fix assertion failure in CQ progress function - Do not generate error completions for inject msgs - Fix use of incorrect event names in progress handler - Fix check for CQ data in tagged messages - Make start_op array a static to reduce memory - Wake-up threads blocked on CQ to update their poll events - Verbs - Generate error completions for all failed transmits - Set all fields in the fi_fabric_attr for FI_CONNREQ events - Set proper completion flags for all failed transfer - Ensure that all attributes are provided when opening an endpoint - Fix error handling in vrb_eq_read - Fix memory leak in error case in vrb_get_sib - Work-around bug in verbs HW not reported correct send opcodes - Only call ibv_reg_dmabuf_mr when kernel support exists - Add a failover path to dma-buf based memory registration - Negotiate credit based flow control support over CM - Update to 1.14.0 - Add time stamps to log messages - Fix gdrcopy calculation of memory region size when aligned - Allow 
user to disable use of p2p transfers - Update fi_tostr print FI_SHARED_CONTEXT text instead of value - Update fi_tostr to output field names matching header file names - Fix narrow race condition in ofi_init - Add new fi_log_sparse API to rate limit repeated log output - Define memory registration for buffers used for collective operations - EFA, SHM, TCP, RXM, and verbs fixes ----------------------------------------------------------------------------- o Updated fence-agents (security/bugfix/feature) - Azure fence agent doesn’t work correctly on SLES15 SP3 - fence_azure_arm fails with error 'MSIAuthentication' object has no attribute 'get_token' - SFSC00334437 (bsc#1195891) - Apply proposed patch 0001-fix_support_for_sovereign_clouds_and_MSI-439.patch - fence-agents-4.9.0+git.1624456340.8d746be9-150300.3.8.1 broken in GCP due to missing "--zone" parameter (bsc#1198872) - Apply proposed patch 0001-fence_gce-Make-zone-optional-for-get_nodes_list-487.patch - fence-agents-4.9.0+git.1624456340.8d746be9-150300.3.8.1 broken in GCP due to missing "--zone" parameter (bsc#1198872) ----------------------------------------------------------------------------- o Updated ffmpeg-4 (security/bugfix/feature) [x86_64] - Add ffmpeg-CVE-2022-3341.patch: Backport from upstream to fix null pointer dereference in decode_main_header() in libavformat/nutdec.c (bsc#1206778). - Add ffmpeg-CVE-2022-3109.patch: Backport from upstream to fix null pointer dereference in vp3_decode_frame() (bsc#1206442). - Add ffmpeg-CVE-2022-3964.patch: Backport from upstream to fix out of bounds read in update_block_in_prev_frame() (bsc#1205388). ----------------------------------------------------------------------------- o Updated ffmpeg (security/bugfix/feature) - Add ffmpeg-CVE-2022-3341.patch: Backport from upstream to fix null pointer dereference in decode_main_header() in libavformat/nutdec.c (bsc#1206778). 
- Add ffmpeg-CVE-2019-13390.patch: Backport from upstream to fix division by zero at adx_write_trailer in libavformat/rawenc.c (bsc#1140754). - Add ffmpeg-CVE-2022-3109.patch: Backport from upstream to fix null pointer dereference in vp3_decode_frame() (bsc#1206442). ----------------------------------------------------------------------------- o Updated firewalld (security/bugfix/feature) - Fix regression introduced in previous patch (an api change to a function also needed backporting) (bsc#1198814) * feature-upstream-new-check-config-1.patch * feature-upstream-new-check-config-2.patch ----------------------------------------------------------------------------- o Added flashrom (feature) [x86_64,aarch64] ## WARNING - the following diff is a head -20 proposal * Sun Jul 24 2022 mgorse@suse.com - Switch to meson - Add flashrom-install-man-file.patch: install the man file when using meson. - Add flashrom-j-link-spi.patch: Add missing meson option for J-Link SPI. - Drop fix_aarch64.patch: no longer relevant. - Package the library and headers. * Thu Sep 09 2021 schwab@suse.de - Enable build on riscv64 - Drop requires on dmidecode, no longer needed * Fri Nov 27 2020 guillaume.gardet@opensuse.org - Fix build on aarch64 with upstream patch: * fix_aarch64.patch ----------------------------------------------------------------------------- o Updated flatpak (security/bugfix/feature) - Fix the "Requires" version of bubblewrap to be the same as "BuildRequires" (>= 0.5.0). - Use a macro to define the versions required of bubblewrap, ostree and xdg_dbus_proxy to avoid having the same issue in the future again. - Update to version 1.14.1: + New features: Add a httpbackend variable to flatpak.pc, allowing dependent projects like GNOME Software to detect whether they are compatible with libflatpak. + Bugs fixed: - Terminate the flatpak-session-helper and flatpak-portal services when the session ends, so that applications will not inherit outdated Wayland and X11 socket addresses. 
- When using fish shell, don't overwrite a previously-set XDG_DATA_DIRS. - Don't try to enable HTTP 2 if linked to a libcurl version that doesn't support it. - Stop systemd reporting the session-helper as failed when terminated by a signal. - Fix a warning when listing a document with no permissions. - Fix compilation with GLib 2.66.x (as used in Debian 11). - Fix compilation with GLib 2.58.x (as used in Debian 10). - Fix a compiler warning on 32-bit architectures. - If an app update is blocked by parental controls policies, clean up the temporary deploy directory. - Fix Autotools build with versions of gpgme that no longer provide gpgme-config(1). - When building with Autotools, be more consistent about applying compiler warning flags. - Unset $TEMP, $TEMPDIR and $TMP for apps, the same as $TMPDIR. - Treat /efi the same as /boot/efi. - Make generated files more reproducible. + Updated translations. - Add and recommend a package flatpak-remote-flathub which adds the Flathub repository (boo#1186315) - Drop pkgconfig(libsoup-2.4) BuildRequires: rely on the curl backend. Following this, pass --with-curl to configure. - Add pkgconfig(libxml-2.0) BuildRequires, existing dependency, previously pulled in by libsoup. - Update to version 1.14.0: + Improved support for sideloading. + Allow sub-sandboxes to own MPRIS names on the session bus. + Commands that accept "--user" will now also take "-u" as an alias for that. + The CLI now properly informs the user of which apps are (indirectly) using end-of-life runtime extensions in end-of-life info messages. + The CLI now takes into account operations in the pending transaction when printing end-of-life messages. + The uninstall command now asks for confirmation before removing in-use runtimes or runtime extensions. + A "--socket=gpg-agent" option is now recognized by "flatpak run" and related commands. + Curl supported as default HTTP backend. + Uses Fuse 3. 
+ Implement support for rewriting dynamic launchers when an app is renamed. + Add --include-sdk/debug options to install command to install SDK/debuginfo along with a ref. + defense in depth against arbitrary file deletion by flatpak-system-helper when using very old libostree (boo#1202639). + Updated translations. - Replace pkgconfig(fuse) BuildRequires with pkgconfig(fuse3): Follow upstreams port to fuse3. - Add pkgconfig(libcurl) BuildRequires: enable the new HTTP backend. - Drop gtk-doc BuildRequires and no longer pass --enable-gtk-doc to configure: no longer supported. - Drop libtool BuildRequires: no need to bootstrap the tarball. - Replace pkgconfig(appstream-glib) BuildRequires with pkgconfig(appstream): match what configure checks for. - Add pkgconfig(gdk-pixbuf-2.0): verified dependency that was implicitly included by appstream-glib before. - variant-schema-compiler requires the Python module pyparsing - Correct Supplements for flatpak-zsh-completion boo#1201113 - package LICENSE file in every package - make flatpak-zsh-completion and system-user-flatpak noarch - add update-system-flatpaks timer that updates installed flatpaks daily if enabled - Update to version 1.12.7: + allow networked access to X11 and PulseAudio services if that is configured, and the application has network access + Absolute paths in WAYLAND_DISPLAY now work + Allow apps that were built with Flatpak 1.13.x to export AppStream metadata in share/metainfo + Most commands now work if /var/lib/flatpak exists but /var/lib/flatpak/repo does not, and will automatically populate the repo directory if possible + Consistently pass relative subpaths to libostree, working around a bug in libostree < 2021.6 when used with GLib >= 2.71 + Fix some memory leaks in GVariant data processing - Update to version 1.12.6: + Fix a bug that sometimes caused repo corruption in case downloads are interrupted or canceled, necessitating a "flatpak repair" to recover + More reliably detect the GTK theme + Fix 
history command unit test in some edge cases + Updated translations. ----------------------------------------------------------------------------- o Updated folks (security/bugfix/feature) [x86_64] - Update to version 0.15.5: + Bugs fixed: vapi: Add missing generic type argument. - Drop glib2_gsettings_schema_requires macro from folks-data sub-package, no longer needed. - Drop c44d8e323affd7f1043f300f3325b358cd5b5f0b.patch: Fixed upstream. - Add c44d8e323affd7f1043f300f3325b358cd5b5f0b.patch: folks-generics: Add missing generic type argument. - Update our Supplements to current standard. - Use ldconfig_scriptlets macro for post(un) handling. - Update to version 0.15.4: + Bugs fixed: - Fix docs build against newer eds version. - Fix build against newer eds version. - Remove volatile keyword from tests. ----------------------------------------------------------------------------- o Updated freeradius-server (security/bugfix/feature) - CVE-2022-41859.patch: fixes information leakage in EAP-PWD (bsc#1206204, CVE-2022-41859) - CVE-2022-41860.patch: fixes crash on unknown option in EAP-SIM (bsc#1206205, CVE-2022-41860) - CVE-2022-41861.patch: fixes crash on invalid abinary data (bsc#1206206, CVE-2022-41861) ----------------------------------------------------------------------------- o Updated freerdp (security/bugfix/feature) [x86_64] - Multiple CVE fixes (bsc#1205512) + Add freerdp-Added-missing-length-checks-in-zgfx_decompress_segme.patch * Fixes CVE-2022-39316 & CVE-2022-39317 + Add freerdp-CVE-2022-39320.patch * Added missing length check in urb_control_transfer + Add freerdp-CVE-2022-39347.patch * Fix path validation in drive channel + Add freerdp-CVE-2022-41877.patch * Fixed missing stream length check in drive_file_query_directory - Drop -DBUILTIN_CHANNELS=OFF option (bsc#1205446) * Fix missing symbols issue for builtin channels - Drop freerdp-builtin-channels-off-link-fix.diff * No longer needed as -DBUILTIN_CHANNELS=OFF has been dropped - Add 
freerdp-CVE-2022-39318.patch (bsc#1205563) * Fixed division by zero in urbdrc - Add freerdp-CVE-2022-39319.patch (bsc#1205564) * Fixed missing input buffer length check in urbdrc - Add freerdp-CVE-2022-39282.patch (bsc#1204258) * Fix to init data read by `/parallel` command line switch - Add freerdp-CVE-2022-39283.patch (bsc#1204257) * Fix to prevent video channel from reading uninitialized data - Add freerdp-CVE-2021-41159.patch (bsc#1191895) * Fix to validate client input - Add freerdp-CVE-2021-41160.patch (bsc#1191895) * Fix to check improper region - Add freerdp-add-winpr-assert-header.patch * Required by freerdp-CVE-2021-41160 to keep our codebase consistent with upstream - Add freerdp-CVE-2022-24882.patch * Fix NTLM not properly check parameters (bsc#1198919) - Add freerdp-CVE-2022-24883.patch * Fix authentication against invalid SAM files (bsc#1198921) ----------------------------------------------------------------------------- o Updated freetype2 (security/bugfix/feature) - disable brotli linkage / WOFF2 support for now to keep dependencies as before. - Added patches: * CVE-2022-27404.patch + fixes bsc#1198830, CVE-2022-27404: Buffer Overflow * CVE-2022-27405.patch + fixes bsc#1198832, CVE-2022-27405: Segmentation Fault * CVE-2022-27406.patch + fixes bsc#1198823, CVE-2022-27406: Segmentation violation - Update to version 2.10.4 * Fix a heap buffer overflow has been found in the handling of embedded PNG bitmaps, introduced in FreeType version 2.6 (CVE-2020-15999 bsc#1177914) * Minor improvements to the B/W rasterizer. * Auto-hinter support for Medefaidrin script. * Fix various memory leaks (mainly for CFF) and other issues that might cause crashes in rare circumstances. - Update to version 2.10.2 * Support for WOFF2 fonts, add BR on pkgconfig(libbrotlidec) * Function `FT_Get_Var_Axis_Flags' returned random data for Type 1 MM fonts. * Type 1 fonts with non-integer metrics are now supported by the new (CFF) engine introduced in FreeType 2.9. 
* Drop support for Python 2 in Freetype's API reference generator * Auto-hinter support for Hanifi Rohingya * Document the `FT2_KEEP_ALIVE' debugging environment variable. ----------------------------------------------------------------------------- o Updated fribidi (security/bugfix/feature) - Add fribidi-CVE-2022-25308.patch: fix a stack overflow (boo#1196147 CVE-2022-25308). - Add fribidi-CVE-2022-25309.patch: protect against garbage in the CapRTL encoder (boo#1196148 CVE-2022-25309). - Add fribidi-CVE-2022-25310.patch: fix a SEGV in fribidi_remove_bidi_marks (boo#1196150 CVE-2022-25310). ----------------------------------------------------------------------------- o Updated frr (security/bugfix/feature) - Migration to /usr/etc: Conditionally moved /etc/logrotate.d/frr file to vendor specific directory /usr/etc/logrotate.d and added saving of user changed configuration files in /etc and restoring them while an RPM update. - Declare root as sufficient also in the pam account verification; without vtysh use causes to log a pam frr:account warnings (https://github.com/FRRouting/frr/pull/12308) [+ 0005-root-ok-in-account-frr.pam.patch] - Applied fix removing a not needed backslash causing to log a warning (https://github.com/FRRouting/frr/pull/12307) [+ 0004-tools-remove-backslash-from-declare-check-regex.patch] - Applied upstream fixes for frrinit.sh to avoid a privilege escalation from frr to root in frr config creation (bsc#1204124,CVE-2022-42917, https://github.com/FRRouting/frr/pull/12157). 
[+ 0003-tools-Run-as-FRR_USER-install-chown-commands-to-avoi.patch] - Removed obsolete patches provided in the 8.4 source archive: [- 0003-babeld-fix-10487-by-adding-a-check-on-packet-length.patch, - 0004-babeld-fix-10502-10503-by-repairing-the-checks-on-le.patch, - 0005-isisd-fix-router-capability-TLV-parsing-issues.patch, - 0006-isisd-fix-10505-using-base64-encoding.patch, - 0007-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch, - 0008-isisd-Ensure-rcap-is-freed-in-error-case.patch] - Update to version 8.4, see https://frrouting.org/release/8.4/ * New BGP command (neighbor PEER soo) to configure SoO to prevent routing loops and suboptimal routing on dual-homed sites. * Command debug bgp allow-martian replaced to bgp allow-martian-nexthop because previously we allowed using martian next-hops when debug is turned on. * Implement BGP Prefix Origin Validation State Extended Community rfc8097 * Implement Route Leak Prevention and Detection Using Roles in UPDATE and OPEN Messages rfc9234 * BMP L3VPN support * PIMv6 support * MLD support * New command to enable using reserved IPv4 ranges as normal addresses for BGP next-hops, interface addresses, etc. * As usual, lots of bugs and memory leaks were fixed \m/ such as a fix for a possible use-after-free due to a race condition related to bgp_notify_send_with_data() and bgp_process_packet() in bgp_packet.c. This could lead to Remote Code Execution or Information Disclosure by sending crafted BGP packets (CVE-2022-37035,bsc#1202085). 
- Update to version 8.3, see https://frrouting.org/release/8.3/ * Notification Message support for BGP Graceful Restart * BGP Cease Notification Subcode For BFD * Send Hold Timer for BGP * RFC5424 syslog support * PIM passive command - Update to version 8.2.2, see https://frrouting.org/release/8.2.2/ * BGP Long-lived graceful restart capability * BGP Extended Optional Parameters Length for BGP OPEN Message * BGP Extended BGP Administrative Shutdown Communication * IS-IS Link State Traffic Engineering support * OSPFv3 Support for NSSA Type-7 address ranges * PBR VLAN actions support - Apply upstream fix for out-of-bounds read in the BGP daemon that may lead to information disclosure or denial of service (bsc#1202023,CVE-2022-37032) [+ 0007-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch] - Apply upstream fix for a memory leak in the IS-IS daemon that may lead to server memory exhaustion (bsc#1202022,CVE-2019-25074) [+ 0008-isisd-Ensure-rcap-is-freed-in-error-case.patch] - Make build a bit cheaper: do only BuildRequire the primary python interpreter and its modules (python3-FOO) instead of all available versions as done using %{python_module FOO} - Apply fix for a buffer overflow in isisd due to the use of strdup - Apply fix for a buffer overflow in isisd due to wrong checks on - Add ReadWritePaths=/etc/frr to harden_frr.service.patch (bsc#1181400). 
- Update to version 8.1 * Graceful Restart for OSPFv2 and OSPFv3 * OSPFv3 NSSA and NSSA-TSA support * OSPFv3 ASBR Summarisation Support * BGP SRv6 and Prefix-SID Type 5 improvements * BGP EVPN type-5 gateway IP overlay Index * Lua hook support * See: https://frrouting.org/release/8.1/ - Drop ProtectClock hardening, can cause issues if other device access is needed - Update to version 8.0.1 * refreshed patch: - 0001-disable-zmq-test.patch - harden_frr.service.patch * LDP gained SNMP support * OSPFv3 gained VRF support * EVPN Multihoming is now fully supported * TI-LFA implemented in IS-IS and OSPF * New Segment Routing daemon * See: https://frrouting.org/release/8.0/ and https://github.com/FRRouting/frr/releases/tag/frr-8.0.1 - Added hardening to systemd service(s) (bsc#1181400). Added patch(es): * harden_frr.service.patch - Update to version 7.5.1 * Maintenance release See: https://github.com/FRRouting/frr/blob/stable/7.5/changelog-auto.in - Requires libyang 1.0.184 - Update to version 7.5 * Upstream does not provide a changelog - Make grpc support optional and don't enable it by default ----------------------------------------------------------------------------- o Updated ft2demos (security/bugfix/feature) - Update to version 2.10.4 * In `ftview', custom LCD filter values are now normalized and balanced. Unorthodox filters are still available through the `-L' command line option. * The GUI demo programs can now be resized. * Demo programs that accept command line option `-k' can now handle function keys, too. The corresponding character codes start with 0xF1. As an example, the POSIX shell syntax (accepted by bash, ksh, and zsh) -k $'\xF3q' emulates the pressing of function key `F3' followed by key `q'. - Update to version 2.10.2 * The `ftbench' demo program has a new test for testing the `FT_Glyph_Stroke' functionality.
- Add BR on pkgconfig(libbrotlidec) for ftinspect ----------------------------------------------------------------------------- o Updated fwupd (security/bugfix/feature) - Change version 1.8.6: + Fix compiling error when building s390x ppc64le - add %ifnarch conditional to spec file + Recover one changelog unexpectedly removed when first pushing fwupd-1.8.6 to 15-SP5 - Thu Feb 24 06:29:53 UTC 2022 - jlee@suse.com - Add fwupd-bsc1193921-nvme-ignore-non-PCI-NVMe-devices.patch to ignore non-PCI NVMe devices (bnc#1193921) - For pushing fwupd-1.8.6 to 15-SP5 (fwupd-1.7.3), sync change log: (jsc#PED-1232) - fwupd-bsc1193921-nvme-ignore-non-PCI-NVMe-devices.patch be merged to fwupd-1.7.3 - Update to version 1.8.6: + This release adds the following features: - Reduce the installed package size by more than 30% - Translate more interactive messages + This release fixes the following bugs: - Allow disabling a DFU device when required - Fix a regression when getting the i2c bus number - Fix a small memory leak when reloading the parade-lspcon device - Fix installing the dbx update when using fwupdtool - Improve writing CoSWID and uSWID metadata - Only include the last 5 releases in the installed metainfo file - Only request the BOS descriptor for newer libgusb versions - Prevent high memory usage when loading corrupt SREC files - Try harder when trying to find the default ESP volume - Use a higher compression preset for the UEFI splash images + This release adds support for the following hardware: - Focaltech touchpads - FPC fingerprint readers - Supermicro machines using Redfish - Drop plugin_sover define, and sub-packages libfwupdplugin7 and typelib-1_0-FwupdPlugin-1_0 following upstream changes. 
- Update to version 1.8.5: + This release adds the following features: - Add a new android-boot plugin to update specific block devices - Add new plugin to display SMU firmware version on AMD APU/CPU - Add support for platform capability descriptors so devices can set quirks - Move the generic Intel Goshen Ridge code out to a new plugin + This release fixes the following bugs: - Allow specifying the ESP when applying the dbx update - Always check the BDP partitions when getting all the possible ESPs - Correctly update Wacom AES devices - Disable changing sleep mode on Ryzen 6000 systems - Do not show the 'may not be usable while updating' message for DBX updates - Expose Pine64 PinePhone Pro MTD as Tow-Boot - Fix a critical warning when issuing Secure Boot modem AT commands - Fix a fuzzing crash when parsing malicious FDT data - Fix aligning up addresses greater than 4GB - Fix a possible crash when dumping VBE firmware - Fix a possible critical warning when parsing cabinet archives - Fix a regression when parsing pixart-rf firmware - Fix a small memory leak when parsing UF2 files - Fix checking for invalid depth requirements - Fix parsing the coSWID firmware ID when encoded as a UUID - Fix parsing uSWID uncompressed metadata - Fix uploading to DFU-CSR devices - Limit the archive size to 25% of the RAM, or 4G - Load coSWID metadata from a uSWID MTD block device - Never save the Redfish auto-generated password to a user-readable file - Only create users using IPMI when we know it's going to work - Write all the CCGX metadata block as intended + This release adds support for the following hardware: - Corsair SABRE RGB PRO Gaming mouse - More Sonix CAM devices - More Intel Goshen Ridge USB-4 docks - Changes from version 1.8.4: + This release adds the following features: - Add a translated title and long description for HSI security attributes - Add support for loading a machine-default BIOS settings policy - Add support for reading and writing BIOS settings - Allow 
loading BIOS settings for host emulation - Prompt users to fix some BIOS configuration issues + This release fixes the following bugs: - Actually show provided AppStream security issues - Add Quectel secure boot status AT commands - Correctly detect CET IBT - Do not assert when running with no plugins - Do not require UEFI capsule updates for checking TPM PCR0 - Do not show HSI events where we changed the spec result value - Fix applying the latest DBX update - Include vfat in the list of possible BDP partition types - Install all devices with the same composite id in fwupdtool - Only fail the kernel HSI test for specific taint reasons - Only show changed events in fwupdmgr security - Update vulnerable CMSE versions from CSMEVDT data + This release adds support for the following hardware: - Elan non-HID touchpads - Google Prism - LabTop Mk III - ThinkPad Thunderbolt 4 Dock - ThinkPad Universal Smart Dock - Changes from version 1.8.3: + This release adds the following features: - Add resolution flags to each security attribute failures for the user - Allow loading in emulated host profiles for debugging - Check if Intel TME has been disabled by the firmware or platform - Wait for the system to acquiesce after doing each update + This release fixes the following bugs: - Do not use CoD even when advertized on non-aarch64 platforms - Fix a crash when updating the Logitech Bolt radio device - Fix a critical warning when parsing an invalid PHAT record - Fix a critical warning when parsing invalid FDT firmware - Fix fwupdmgr security when plugins are added to the blocklist - Fix parsing SMBIOS data to correct the device hardware IDs - Fix uploading signed reports by sending the correct checksum - Use the correct protocol attribute name when exporting to JSON + This release adds support for the following hardware: - Additional Startech devices - Additional Elan fingerprint readers - Changes from version 1.8.2: + This release adds the following features: - Add startup 
profiling which allowed us to speed up daemon startup considerably - Add support for OptionROM, CPD and FPT firmware formats for future hardware - Add the HostVendor to the D-Bus interface - Break some internal ABI and add a conversion helper for out-of-tree plugins - Optionally build the quirk files into the daemon binary to reduce installed size + This release fixes the following bugs: - Allow front-end clients to read the percentage property - Allow more quirk entries to add multiple items - Allow to force install Genesys firmware even if the public-key does not match - Allow UFS disks to define the signed status in metadata - Autoconnect the Redfish network device when rebooting the BMC - Copy the instance ID strings when incorporating devices - Do not generate a capsule header for the FMP GUID - Ensure more firmware formats can round-trip to and from XML - Fix a regression for devices using the Atmel FLIP Bootloader - Fix running fwupdtool security with a user-specified plugin allowlist - Handle ENOTTY with the correct error code for ioctl calls - Increase the self tests coverage substantially - Modernize the AMT plugin and split out common MEI functionality - Only move the logitech-bulkcontroller progressbar forwards when writing - Set the device ID on the FwupdRequest to allow better UX - Show the get-details output when the device requirements fail - Simply quirk matching for i2c devices to speed up daemon startup - Support SHA256 fastboot hashes if specified - Use force-detach to bypass the DFU streaming check for camera devices - Use the SCSI target to correctly set the physical ID - Wait for the System76 launch device to re-enumerate if already unlocked + This release adds support for the following hardware: - Corsair HARPOON RGB Wireless mouse - U-Boot devices writing simple FIT images - Genesys M27fd AIM101 - More PixArt wireless devices - More Steelseries HID, Sonic and Fizz devices - System76 launch_2 - Changes from version 1.8.1: + This release adds 
the following features: - Add archive writing support for devices with composite firmware - Add a way to read device composite firmware in fwupdtool - Allow clients to opt-in to showing updates with user-solvable problems - Allow the device to pause polling when writing firmware - Export the system and device battery levels on the D-Bus interface - Log errors and warnings to the win32 eventlog when required - Add X-UsbReceiver as an update category with icon usb-receiver + This release fixes the following bugs: - Accurately return the last-set status to client tools - Allow dumping flashrom firmware using fwupdtool - Allow specifying a non-file D-Bus transport - Allow to request post actions from fwupdtool - Always be arch-explicit when installing OS deps - Be more resilient when restarting the Redfish BMC - Do not mark all Redfish updates as UPDATABLE - Do not use 'dongle' to describe USB receiver hardware - Download in-process when using fwupdtool - Fix a critical warning on failed modem update - Fix regression when probing PS175 devices - Hardcode the Redfish filedata name to firmware.bin - Set the Bluetooth version if REV has been set - Switch the Windows installer from NSIS to MSI - Use StartServiceCtrlDispatcherA for the daemon on Windows - Use the native certificate store on Windows + This release adds support for the following hardware: - Corsair KATAR PRO XT, SABRE PRO and KATAR PRO Wireless - HP Thunderbolt Dock G4 - Lenovo ThinkPad Universal USB-C Dock - More PixArt wireless devices - More SunplusIT USB cameras - Some UFS devices - Steelseries Aerox 3 Wireless and Rival 3 Wireless - Changes from version 1.8.0: + This release adds the following features: - Add a new attribute for CPUs supported by HSI - Add coSWID and uSWID parsers to libfwupdplugin for initial SBoM support - Add new HSI attributes for the AMD PSP and various other system protections - Add the runtime fwupd-efi version as a firmware requirement - Allow 'fwupdmgr install' to install a 
specified firmware version - Allow overriding the detected machine type for debugging and development - Restart the BMC after installing BCM updates - Show the device serial number and instance IDs by default - Support dumping the MTD image to a firmware blob - Take a device inhibit when updating a device - Use the CFI manufacturer ID to set the vendor - Use the correct icon automatically for more hardware + This release fixes the following bugs: - Add signed-payload metadata for more devices - Allow Capsule-on-Disk to work in more cases - Allow quirking the detected flashrom flash size - Check for os-release on FWUPD_SYSCONFDIR - Check the alignment when parsing raw firmware - Check the update protocol exists when checking requirements - Convert the build system to use meson tristate features - Correctly probe USB-2 hubs with more than 7 ports - Do not add the Windows compatibility ID to capsule devices - Do not allow the DBX update for specific motherboards - Do not expect KernelCmdline on Windows - Do not export USB4 host controllers as updatable if they don't have unique GUIDs - Do not fallback to audio-card and use a more suitable icon for USB hubs - Do not hardcode the libexecdir to /usr/libexec - Do not leak child processes when canceling - Do not show unconnected or unreachable devices in the client tools - Do not throw away the TPM eventlog when uploading to the LVFS - Do not use /var/run for the socket - Export the version_lowest_raw value correctly - Fix build for MacOS and add to the CI matrix - Fix eventlog replay for Intel TXT machines - Fix several small memory leaks - Fix writing large mtd images than 10kb - Ignore MTD devices that report EPERM on open - Mark the ME region device locked if it is read only - Never send the DeviceChanged signal with old data - Only show the CLI time remaining for predictable status phases - Respect the NO_COLOR env variable - Return the correct error when there is no GPIO device to open - Support the new UPower 
PENDING device states + This release adds support for the following hardware: - CH341A SPI programmer - Corsair Sabre RGB PRO and Slipstream USB receiver - Genesys GL3521 and GL3590 hubs - Google Servo Dock - Logitech M550, M650 and K650 - More ELAN fingerprint readers - More integrated Wacom panels - More NovaCustom machines - More StaLabs StarLite machines - More Tuxedo laptops - Quectel EM05 - FlatFrog devices - System76 launch_lite_1 - Rebase patches with quilt. - Use ldconfig_scriptlets macro for post(un) handling. - Add shlib_sover define and set it to 2, ease future updates. - Add plugin_sover define and set it to 7, ease future updates, and rename libfwupdplugin5 to libfwupdplugin7 following upstream changes. - Drop gtk-doc and pkgconfig(gtk-doc) BuildRequires: No longer needed nor used. Following this, stop passing docs=gtkdoc to meson, no longer recognized. - Add pkgconfig(gi-docgen), pkgconfig(libcbor), pkgconfig(mm-glib), pkgconfig(mbim-glib), pkgconfig(qmi-glib) and pkgconfig(umockdev-1.0) BuildRequires, and conditional pkgconfig(flashrom) BuildRequires: New dependencies. - Update options passed to meson following upstream changes. - Replace false for plugin_nvme and plugin_redfish with enabled, build nvme and redfish plugins. - Split out developer/api docs in new doc sub-package, add fdupes BuildRequires and macros, remove duplicates. - Update to version 1.7.10 (CVE-2022-3287, boo#1203852): + Always check the BDP partitions when getting all the possible ESPs + Correctly detect CET IBT + Do not show HSI events where we changed the spec result value + Fix aligning up addresses greater than 4GB + Fix applying the latest DBX update on machines with 20200729.x64 installed + Fix checking for invalid depth requirements + Fix getting the new version number of the USI docking hardware + Fix HSI prefix for invalid chassis + Never save the Redfish auto-generated password to a user-readable file (CVE-2022-3287, boo#1203852). 
+ Only create users using IPMI when we've tested the hardware + Only fail the kernel tainted HSI test for specific taint reasons + Only show changed events in the fwupdmgr security output + Recognize CSME version 16 and update vulnerable versions from CSMEVDT data + Write all the CCGX metadata block as intended - Update to version 1.7.9 (boo#1201311): + Do not generate a capsule header for the FMP GUID. + Do not use CoD even when advertized on non-aarch64 platforms. + Fix a critical warning when parsing an invalid PHAT record. + Fix a regression for devices using the Atmel FLIP Bootloader. + Fix parsing SMBIOS data. + Set the device ID on the FwupdRequest. + Use the correct protocol member when converting to JSON. + Wait for the system76-launch device to re-enumerate if unlocked and reset. - Changes from version 1.7.8: + Add the bootloader VID/PID used for the first batch of ColorHug devices. + Also check for os-release in SYSCONFDIR. + Export the version lowest raw value correctly. + Fix a Wacom timeout when parsing very corrupt firmware. + Fix Genesys device enumeration failure by not claiming the interface. + Hardcode the Redfish filedata name to firmware.bin. + Install D-Bus introspection data even if introspection is disabled. + Only set the flashrom BIOS size if not already quirked. + Read the SynapticsMST firmware size in a more safe way. + Restart the BMC after installing BCM updates. 
- Update to version 1.7.7: * This release adds the following features: + Add CCGX trigger code to support future hardware + Add signed and unsigned payload metadata to more devices + Allow overriding the detected machine type + Allow quirking the flashrom flash size + Do not allow the DBX update for broken firmware versions * This release fixes the following bugs: + Do not add the backup BMC device as it shares the same GUIDs + Do not hardcode the libexecdir to /usr/libexec + Do not leak child processes when canceling + Do not throw away the TPM eventlog when uploading reports to the LVFS + Don't export USB4 host controllers if they do not have unique GUIDs + Fix build for MacOS + Fix the TPM eventlog replay for Intel TXT machines + Fix writing large MTD images + Never send the DeviceChanged signal with invalid data + Return the correct error when there is no GPIO device to open + Show the update message and update image in front end tools + Support the new PENDING upower device states * This release adds support for the following hardware: + Logitech M550, M650 and K650 + More Elan fingerprint readers + More Star Labs StarLite laptops + More Wacom panels found on Lenovo laptops - Split bash and fish completions to separate subpackages - Remove un-needed BRP_PESIGN_FILES - Set GNU_SOURCE so meson detects F_OFD_SETLK in fnctl.h support - Update to version 1.7.6: * This release adds the following features: + Add a flag for UEFI devices that never want a capsule header auto-added + Add a flag to indicate the device has a signed or unsigned payload + Add a plugin to set a GPIO pin for the duration of an update + Add a simple plugin to enumerate (but not update) SCSI hardware + Add two more instance IDs to the MTD devices + Add X-BaseboardManagementController as an update category + Allow assigning issues to devices for known high priority problems + Parse the MTD firmware version using the defined GType * This release fixes the following bugs: + Check the IFD sections 
have non-zero data length to fix a critical warning + Modify the AT retry behavior to fix getting the firmware branch + Do not run fwupd-refresh automatically in containers + Do not show a warning if the TPM eventlog does not exist + Do not show TSS2 warning messages by default + Fix a critical warning when loading an empty TPM eventlog item + Fix a logic error when adding the community warning in fwupdmgr + Fix loading flashrom devices in coreboot mode + Fix the error handling when updating USB4 retimers + Show the user when devices are not updatable due to inhibits + Skip probing the Dell DA300 device to avoid a warning + Try harder to convert to a version into a correct semver + Use multiple checksums when there are no provided artifacts * This release adds support for the following hardware: + HP M2xfd monitors + Star Lite Mk III - Update to version 1.7.5: * This release adds the following features: + Add a flag to indicate the firmware is not provided by the vendor + Add support for showing dependency versions in JSON format + Allow fwupd to operate in socket mode without a D-Bus daemon + Allow marking a device as End-of-Life by the OEM vendor + Allow specifying the machine Best Known Configuration locally + Fall back to the ARM Device Tree 'compatible' data when required * This release fixes the following bugs: + Be more robust by retrying IPMI transactions on servers + Change the expired Redfish password when required + Fix a ModemManager segfault on startup for some MBIM-QDU devices + Fix a possible dell-dock segfault at startup + Fix compiling with new versions of efivar + Fix the Nordic bootloader type detection + Fix USB4 retimer enumeration + Get the SMBIOS table and host machine ID when running on Windows + Show results when calling get-details if failing requirements + Uninhibit the modem using ModemManager after upgrade * This release adds support for the following hardware: + Future Analogix devices + NovaCustom NV4x - Changes from version 1.7.4: * 
This release adds the following features: + Add firmware branch support for ModemManager devices + Allow firmware engineers to patch files at known offsets + Show why more devices are not marked as updatable * This release fixes the following bugs: + Allow fwupdtool to be run as the non-root user in more cases + Assign the Logitech bulkcontroller update interface correctly + Do not allow UEFI updates when the laptop lid is closed + Do not autoload ipmi-si to avoid warning on non-server hardware + Do not show a critical warning for a weird TPM event log + Fix waiting for USB devices when using Windows + Ignore non-PCI NVMe devices * This release adds support for the following hardware: + HP USB-C G2 Dock + Many UF2 devices, experimentally + More PixArt devices + Nordic HID devices using MCUBoot + Quectel EG25-G LTE Modem + ThinkPad Thunderbolt 4 Dock ----------------------------------------------------------------------------- o Updated gcc11 (security/bugfix/feature) - Update to the GCC 11.3.0 release. * includes SLS hardening backport on x86_64. [bsc#1195283] - Update to gcc-11 branch head (691af15031e00227ba6d5935c), git1635 * includes gcc11-pr104931.patch * includes fix for Firefox ICE [gcc#105256] - Add provides/conflicts to glibc crosses since only one GCC version for the same target can be installed at the same time. - Add provides/conflicts to libgccjit. - Update to gcc-11 branch head (6a1150d1524aeda3381b21717), git1406 * includes change to adjust gnats idea of the target, fixing the build of gprbuild. [bsc#1196861] - Add gcc11-pr104931.patch to fix miscompile of embedded premake in 0ad on i586. [bsc#1197065] - drop armv5tel, merge arm and armv6hl - use --with-cpu rather than specifying --with-arch/--with-tune to Recommends. - Remove sys/rseq.h from include-fixed - Update to gcc-11 branch head (d4a1d3c4b377f1d4acb), git1173 * Fix D memory corruption in -M output. * Fix ICE in is_this_parameter with coroutines.
[boo#1193659] - Enable the cross compilers also on i586 - Enable some cross compilers also in rings - Remove cross compilers for i386 target - Update to gcc-11 branch head (7510c23c1ec53aa4a62705f03), git1018 * fixes issue with debug dumping together with -o /dev/null * fixes libgccjit issue showing up in emacs build [boo#1192951] - Package mwaitintrin.h - Remove spurious exit from change_spec. - Enable the full cross compiler, cross-aarch64-gcc11 and cross-riscv64-gcc11 now provide a fully hosted C (and C++) cross compiler, not just a freestanding one. I.e. with a cross glibc. They don't yet support the sanitizer libraries. Part of [jsc#OBS-124]. ----------------------------------------------------------------------------- o Added gcc12 (feature) ## WARNING - the following diff is a head -20 proposal * Wed Aug 31 2022 rguenther@suse.com - Prune invalid-license rpmlint warnings, the SLE12 codestream doesn't get fixed but FF applies there, too. [bsc#1185337] * Tue Aug 30 2022 rguenther@suse.com - Update to gcc-12 branch head, e927d1cf141f221c5a32574bde0, git416 * includes GCC 12.2 release * includes recent fixes backported from trunk * Mon Aug 29 2022 mliska@suse.cz - Add gcc12-fifo-jobserver-support.patch that adds support for FIFO jobserver for make. * Sun Aug 21 2022 matwey.kornilov@gmail.com - Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for ----------------------------------------------------------------------------- o Updated gcc8 (security/bugfix/feature) [x86_64] - Add gcc7-sanitizer-cyclades.patch, gcc8-pr100144.patch and gcc8-pr92154.patch to fix build against SP4. [bsc#1197716] - Remove bogus fixed include bits/statx.h from glibc 2.30. 
[gcc#91085, bsc#1197716] ----------------------------------------------------------------------------- o Updated gcr (security/bugfix/feature) - Update to version 3.41.1: + meson: Fix unknown kw argument in gnome.generate_gir [GNOME/gcr!68] + gcr: Add G_SPAWN_CLOEXEC_PIPES flag to all the g_spawn commands + docs: Port from gtk-doc to gi-docgen [GNOME/gcr!76] + Unbreak build without systemd [GNOME/gcr!75] + Several CI fixes + Updated translations - Add gi-docgen BuildRequires: needed by the docs - Update the doc directory - Drop patch b3ca1d02bb0148ca787ac4aead164d7c8ce2c4d8.patch: fixed upstream - Add b3ca1d02bb0148ca787ac4aead164d7c8ce2c4d8.patch: Fix build with meson 060.0 and newer. ----------------------------------------------------------------------------- o Updated gdb (security/bugfix/feature) - Reinstate debuginfod support for suse_version >= 1500 (bsc#1185605, jsc#PED-1149, jsc#PED-1138). - Don't recommend libdebuginfod1. - Patches added (backport from trunk): * gdb-testsuite-fix-gdb.base-break-idempotent.exp-on-ppc.patch * powerpc-fix-gdb.base-watchpoint.exp-on-power-9.patch - Patches removed (ok for Factory, not for SLE): * gdb-fix-watchpoints-triggered.patch - Patches added (swo#29277): * gdb-fix-assert-in-handle_jit_event.patch - Maintenance script qa.sh: * Add PR29706 and PR28617 kfails. - Add patch to fix build with readline 8.2: * gdb-add-support-for-readline-8.2.patch - Patches added: * gdb-testsuite-fix-gdb.mi-mi-sym-info.exp-on-opensuse-tumbleweed.patch - Maintenance script qa.sh: * Add PR26873 kfails. - Maintenance script qa-remote.sh: * Make rpm matching yet more precise. 
- Update patch: * gdb-tdep-fix-powerpc-ieee-128-bit-format-arg-passing.patch - Add patches: * gdb-handle-pending-c-after-rl_callback_read_char.patch * gdb-testsuite-fix-have_mpx-test.patch * gdb-symtab-fix-handling-of-dw_tag_unspecified_type.patch * gdb-testsuite-fix-gdb.dwarf2-dw2-unspecified-type-foo.c-with-m32.patch - use python3-xml if python is python3 - Maintenance script qa.sh: * Generalize PR29405 kfails. - Maintenance script qa-remote.sh: * Make rpm matching more precise. - Patches added: * gdb-tdep-fix-powerpc-ieee-128-bit-format-arg-passing.patch - Enable debuginfod for all archs as we index all TW RPM files. - Recommend libdebuginfod1 when one installs gdb so that it can utilize debuginfod server by default. - Fix build with gcc 13 by using -Wno-error=enum-int-mismatch. - Maintenance script qa.sh: * Add SLE-12/x86_64 to "known clean configs". * Add fail for PR29405. * Add fail for PR26915. - Patches added: * gdb-testsuite-fix-gdb.threads-killed-outside.exp-on-aarch64.patch - Maintenance script qa.sh: * Remove PR29247 internal-error. * Add SLE-15/aarch64 to "known clean configs". - Patches added: * gdb-fix-watchpoints-triggered.patch - Maintenance script qa.sh: * Add kfails for PR25038, PR29253, and PR29423. * Remove gdb.mi/mi-var-invalidate-shlib.exp kfails. - Mention qa-local.sh, qa-remote.sh and README.qa as sources. - Maintenance script qa-local.sh: * Use have_combo consistently. - Maintenance script qa.sh: * Add kfail_aarch64. * Add PR29419/PR29409 kfails. * Update PR29247 kfails. - Patches added: * make-gdb.ada-float-bits.exp-more-generic.patch * gdb-testsuite-fix-gdb.ada-literals.exp-with-aarch64.patch - Actually apply fixup-gdb-test-bt-cfi-without-die.patch and fixup-2-gdb-rhbz1553104-s390x-arch12-test.patch. - Also remove gdb-6.5-readline-long-line-crash-test.patch from patches list in gdb.spec. 
- Patches added: * powerpc-add-support-for-ieee-128-bit-format.patch * powerpc-correct-the-gdb-ioctl-values-for-tcgets-tcsets-tcsetsw-and-tcsetsf.patch * gdb-testsuite-remove-target-limits-in-gdb.base-catch-syscall.exp.patch * powerpc-fix-for-gdb.base-eh_return.exp.patch * fix-comparison-of-unsigned-long-int-to-int-in-record_linux_system_call.patch * gdb-testsuite-fix-gdb.reverse-test_ioctl_tcsetsw.exp-with-libc-debuginfo.patch * fixup-gdb-test-bt-cfi-without-die.patch * fix-core-file-detach-crash-corefiles-29275.patch * gdb-testsuite-fix-gdb.dwarf2-dw2-out-of-range-end-of-seq.exp-on-aarch64.patch * gdb-testsuite-fix-gdb.base-catch-syscall.exp-without-enable-targets.patch * gdb-testsuite-fix-gdb.base-catch-syscall.exp-with-with-expat-no.patch * fix-for-gdb.base-solib-search.exp-test.patch - Patch removed: * gdb-6.7-ppc-clobbered-registers-O2-test.patch * gdb-6.5-readline-long-line-crash-test.patch - Patches updated: * gdb-tdep-update-syscalls-ppc64-ppc-linux.xml.patch * gdb-testsuite-handle-pipe2-syscall-in-gdb.base-catch-syscall.exp.patch - Maintenance script qa.sh: * Add PR28504 KFAILs. * Make .sum file matching less complex. * Add fedora test-case kfail. - Maintenance script qa-local.sh: * Fix incorrect path name. - Update comments in gdb.spec. - Patches added: * powerpc-update-expected-floating-point-output-for-gdb.arch-altivec-regs.exp-and-gdb.arch-vsx-regs.exp.patch - Patches updated: * gdb-testsuite-support-recording-of-getrandom.patch (add aarch64 part) - Maintenance script qa.sh: * Add i586 to known clean configs. - Patches added: * gdb-testsuite-enable-some-test-cases-for-x86_64-m32.patch * gdb-testsuite-fix-gdb.reverse-i387-env-reverse.exp-for-pie.patch * gdb-testsuite-support-recording-of-getrandom.patch - Patches updated: * gdb-record-handle-statx-system-call.patch - Maintenance script qa.sh: * Allow only two summary files, for i586. * Add i586 KFAILs. - Maintenance script qa-local.sh: * Add i586. - Maintenance script qa-local.sh: * Fix rpm pathname. 
- Maintenance script qa-remote.sh: * Skip stale config openSUSE_Leap_15.2. - Maintenance script qa.sh: * Drop known clean config: Leap 15.2 x86_64. - Maintenance script qa-local.sh: * Add cleanup step. * Add "build all configs without testsuite" step. * For "build all configs with testsuite" step, redirect output to log and produce PASS/FAIL line, and make sure buildroot is removed also in case of missing rpm. * Use "--clean --trust-all-projects" for osc build commands. * Drop openSUSE_Leap_15.2. - Maintenance script qa.sh: * Rename argument 6 to -local. * Add PR29247 KFAILs. * Update internal-error regexps. - New maintenance script qa-remote.sh. - Add "build all configs without testsuite" step in README.qa. - Patches added (backport from trunk): * gdb-testsuite-remove-attach-test-from-can_spawn_for_attach.patch - README.qa: * Add remote qa entry. * Update local qa entry: * Add notes entry. * Other updates to match changes in qa-local.sh. - Fix installed but unpackaged /usr/share/info/ctf-spec.info.gz. - Rebase to 12.1 release (as in fedora 36 @ 89947a7): * DBX mode is deprecated, and will be removed in GDB 13. * GDB 12 is the last release of GDB that will support building against Python 2. From GDB 13, it will only be possible to build GDB itself with Python 3 support. * Improved C++ template support: GDB now treats functions/types involving C++ templates like it does function overloads. Users may omit parameter lists to set breakpoints on families of template functions, including types/functions composed of multiple template types: (gdb) break template_func(template_1, int) The above will set breakpoints at every function `template_func' where the first function parameter is any template type named `template_1' and the second function parameter is `int'. TAB completion also gains similar improvements. * New commands: maint set backtrace-on-fatal-signal on|off maint show backtrace-on-fatal-signal This setting is 'on' by default. 
When 'on' GDB will print a limited backtrace to stderr in the situation where GDB terminates with a fatal signal. This is only supported on some platforms where the backtrace and backtrace_symbols_fd functions are available. set source open on|off show source open This setting, which is on by default, controls whether GDB will try to open source code files. Switching this off will stop GDB trying to open and read source code files, which can be useful if the files are located over a slow network connection. set varsize-limit show varsize-limit These are now deprecated aliases for "set max-value-size" and "show max-value-size". task apply [all | TASK-IDS...] [FLAG]... COMMAND Like "thread apply", but applies COMMAND to Ada tasks. watch [...] task ID Watchpoints can now be restricted to a specific Ada task. maint set internal-error backtrace on|off maint show internal-error backtrace maint set internal-warning backtrace on|off maint show internal-warning backtrace GDB can now print a backtrace of itself when it encounters either an internal-error, or an internal-warning. This is on by default for internal-error and off by default for internal-warning. set logging on|off Deprecated and replaced by "set logging enabled on|off". set logging enabled on|off show logging enabled These commands set or show whether logging is enabled or disabled. exit You can now exit GDB by using the new command "exit", in addition to the existing "quit" command. set debug threads on|off show debug threads Print additional debug messages about thread creation and deletion. set debug linux-nat on|off show debug linux-nat These new commands replaced the old 'set debug lin-lwp' and 'show debug lin-lwp' respectively. Turning this setting on prints debug messages relating to GDB's handling of native Linux inferiors. maint flush source-cache Flush the contents of the source code cache. 
maint set gnu-source-highlight enabled on|off maint show gnu-source-highlight enabled Whether GDB should use the GNU Source Highlight library for adding styling to source code. When off, the library will not be used, even when available. When GNU Source Highlight isn't used, or can't add styling to a particular source file, then the Python Pygments library will be used instead. set suppress-cli-notifications (on|off) show suppress-cli-notifications This controls whether printing the notifications is suppressed for CLI. CLI notifications occur when you change the selected context (i.e., the current inferior, thread and/or the frame), or when the program being debugged stops (e.g., because of hitting a breakpoint, completing source-stepping, an interrupt, etc.). set style disassembler enabled on|off show style disassembler enabled If GDB is compiled with Python support, and the Python Pygments package is available, then, when this setting is on, disassembler output will have styling applied. set ada source-charset show ada source-charset Set the character set encoding that is assumed for Ada symbols. Valid values for this follow the values that can be passed to the GNAT compiler via the '-gnati' option. The default is ISO-8859-1. * Changed commands: print Printing of floating-point values with base-modifying formats like /x has been changed to display the underlying bytes of the value in the desired base. This was GDB's documented behavior, but was never implemented correctly. maint packet This command can now print a reply, if the reply includes non-printable characters. Any non-printable characters are printed as escaped hex, e.g. \x?? where '??' is replaced with the value of the non-printable character. clone-inferior The clone-inferior command now ensures that the TTY, CMD and ARGS settings are copied from the original inferior to the new one. 
All modifications to the environment variables done using the 'set environment' or 'unset environment' commands are also copied to the new inferior. set debug lin-lwp on|off show debug lin-lwp These commands have been removed from GDB. The new command 'set debug linux-nat' and 'show debug linux-nat' should be used instead. info win This command now includes information about the width of the tui windows in its output. * GDB's Ada parser now supports an extension for specifying the exact byte contents of a floating-point literal. This can be useful for setting floating-point registers to a precise value without loss of precision. The syntax is an extension of the based literal syntax. Use, e.g., "16lf#0123abcd#" -- the number of "l"s controls the width of the floating-point type, and the "f" is the marker for floating point. * MI changes: * * The '-add-inferior' with no option flags now inherits the connection of the current inferior, this restores the behaviour of GDB as it was prior to GDB 10. * * The '-add-inferior' command now accepts a '--no-connection' option, which causes the new inferior to start without a connection. * Python API: * * New function gdb.add_history(), which takes a gdb.Value object and adds the value it represents to GDB's history list. An integer, the index of the new item in the history list, is returned. * * New function gdb.history_count(), which returns the number of values in GDB's value history. * * New gdb.events.gdb_exiting event. This event is called with a gdb.GdbExitingEvent object which has the read-only attribute 'exit_code', which contains the value of the GDB exit code. This event is triggered once GDB decides it is going to exit, but before GDB starts to clean up its internal state. * * New function gdb.architecture_names(), which returns a list containing all of the possible Architecture.name() values. Each entry is a string. 
* * New function gdb.Architecture.integer_type(), which returns an integer type given a size and a signed-ness. * * New gdb.TargetConnection object type that represents a connection (as displayed by the 'info connections' command). A sub-class, gdb.RemoteTargetConnection, is used to represent 'remote' and 'extended-remote' connections. * * The gdb.Inferior type now has a 'connection' property which is an instance of gdb.TargetConnection, the connection used by this inferior. This can be None if the inferior has no connection. * * New 'gdb.events.connection_removed' event registry, which emits a 'gdb.ConnectionEvent' when a connection is removed from GDB. This event has a 'connection' property, a gdb.TargetConnection object for the connection being removed. * * New gdb.connections() function that returns a list of all currently active connections. * * New gdb.RemoteTargetConnection.send_packet(PACKET) method. This is equivalent to the existing 'maint packet' CLI command; it allows a user specified packet to be sent to the remote target. * * New function gdb.host_charset(), returns a string, which is the name of the current host charset. * * New gdb.set_parameter(NAME, VALUE). This sets the gdb parameter NAME to VALUE. * * New gdb.with_parameter(NAME, VALUE). This returns a context manager that temporarily sets the gdb parameter NAME to VALUE, then resets it when the context is exited. * * The gdb.Value.format_string method now takes a 'styling' argument, which is a boolean. When true, the returned string can include escape sequences to apply styling. The styling will only be present if styling is otherwise turned on in GDB (see 'help set styling'). When false, which is the default if the argument is not given, then no styling is applied to the returned string. * * New read-only attribute gdb.InferiorThread.details, which is either a string, containing additional, target specific thread state information, or None, if there is no such additional information. 
* * New read-only attribute gdb.Type.is_scalar, which is True for scalar types, and False for all other types. * * New read-only attribute gdb.Type.is_signed. This attribute should only be read when Type.is_scalar is True, and will be True for signed types, and False for all other types. Attempting to read this attribute for non-scalar types will raise a ValueError. * * It is now possible to add GDB/MI commands implemented in Python. - Update libipt to v2.0.5. - Patches added: * gdb-6.3-rh-testversion-20041202.patch * gdb-6.5-BEA-testsuite.patch * gdb-6.6-buildid-locate-misleading-warning-missing-debuginfo-rhbz981154.patch * gdb-6.7-charsign-test.patch * gdb-6.8-bz466901-backtrace-full-prelinked.patch * gdb-fix-for-gdb.base-eof-exit.exp-test-failures.patch * gdb-improved-eof-handling-when-using-readline-7.patch * gdb-libexec-add-index.patch * gdb-tdep-detect-get_pc_thunk-call-in-i386-prologue.patch * gdb-testsuite-address-test-failures-in-gdb.mi-mi-multi-commands.exp.patch * gdb-testsuite-detect-change-instead-of-init-in-gdb.mi-mi-var-block.exp.patch * gdb-testsuite-fix-gdb.opt-clobbered-registers-o2.exp-with-gcc-12.patch * gdb-testsuite-fix-occasional-failure-in-gdb.mi-mi-multi-commands.exp.patch * gdb-testsuite-fix-test-failure-when-building-against-readline-v7.patch * gdb-testsuite-handle-older-python-in-gdb.python-py-send-packet.py.patch * gdb-testsuite-handle-quotes-in-gdb_py_module_available.patch * gdb-testsuite-handle-unordered-dict-in-gdb.python-py-mi-cmd.exp.patch * gdb-testsuite-skip-gdb.fortran-namelist.exp-for-gfortran-4.8.patch * gdb-testsuite-workaround-unnecessary-.s-file-with-gfortran-4.8.patch - Patches dropped: * aarch64-make-gdbserver-register-set-selection-dynamic.patch * fix-build-with-current-gcc-el_explicit-location-always-non-null.patch * fix-gdb.base-sigstep.exp-test-for-ppc.patch * fix-gdb.multi-multi-term-settings.exp-race.patch * fixup-2-gdb-6.6-buildid-locate.patch * fixup-gdb-6.6-buildid-locate.patch * 
gdb-6.3-inferior-notification-20050721.patch * gdb-ada-fix-assert-in-ada_is_unconstrained_packed_array_type.patch * gdb-build-add-cxx_dialect-to-cxx.patch * gdb-build-make-c-exp.y-work-with-bison-3.8.patch * gdb-doc-fix-print-inferior-events-default.patch * gdb-exp-improve-error-reading-variable-message.patch * gdb-fortran-handle-dw-at-string-length-with-loclistptr.patch * gdb-r_version-check.patch * gdb-rhbz1976887-field-location-kind.patch * gdb-rhbz2012976-paper-over-fortran-lex-problems.patch * gdb-symtab-add-call_site_eq-and-call_site_hash.patch * gdb-symtab-c-ify-call_site.patch * gdb-symtab-fix-htab_find_slot-call-in-read_call_site_scope.patch * gdb-symtab-fix-segfault-in-search_one_symtab.patch * gdb-symtab-remove-compunit_call_site_htab.patch * gdb-symtab-use-unrelocated-addresses-in-call_site.patch * gdb-tdep-fix-avx512-m32-support-in-gdbserver.patch * gdb-tdep-rs6000-don-t-skip-system-call-in-skip_prologue.patch * gdb-test-for-rhbz1976887.patch * gdb-testsuite-add-gdb.arch-ppc64-break-on-_exit.exp.patch * gdb-testsuite-add-gdb.opt-break-on-_exit.exp.patch * gdb-testsuite-add-gdb.testsuite-dump-system-info.exp.patch * gdb-testsuite-add-missing-wait-in-gdb.base-signals-state-child.exp.patch * gdb-testsuite-add-nopie-in-two-test-cases.patch * gdb-testsuite-detect-no-mpx-support.patch * gdb-testsuite-disable-inferior-output-in-gdb.base-foll-vfork.exp.patch * gdb-testsuite-don-t-error-when-trying-to-unset-last_spawn_tty_name.patch * gdb-testsuite-factor-out-dump_info-in-gdb.testsuite-dump-system-info.exp.patch * gdb-testsuite-fix-assembly-comments-in-gdb.dwarf2-clang-debug-names.exp.tcl.patch * gdb-testsuite-fix-data-alignment-in-gdb.arch-i386-avx-sse-.exp.patch * gdb-testsuite-fix-fail-in-gdb.base-annota1.exp.patch * gdb-testsuite-fix-fail-in-gdb.tui-basic.exp.patch * gdb-testsuite-fix-fail-in-gdb.tui-corefile-run.exp.patch * gdb-testsuite-fix-gdb.ada-big_packed_array.exp-xfail-for-m32.patch * gdb-testsuite-fix-gdb.arch-i386-pkru.exp-on-linux.patch * 
gdb-testsuite-fix-gdb.base-annota1.exp-with-pie.patch * gdb-testsuite-fix-gdb.base-dcache-flush.exp.patch * gdb-testsuite-fix-gdb.gdb-selftest.exp.patch * gdb-testsuite-fix-gdb.guile-scm-type.exp-with-gcc-4.8.patch * gdb-testsuite-fix-gdb.python-py-events.exp.patch * gdb-testsuite-fix-gdb.server-server-kill.exp-with-m32.patch * gdb-testsuite-fix-gdb.threads-check-libthread-db.exp-with-glibc-2.34.patch * gdb-testsuite-fix-gdb.threads-linux-dp.exp.patch * gdb-testsuite-fix-gdb.threads-thread-specific-bp.exp.patch * gdb-testsuite-fix-port-detection-in-gdb.debuginfod-fetch_src_and_symbols.exp.patch * gdb-testsuite-fix-regexp-in-gdb.base-foll-vfork.exp.patch * gdb-testsuite-fix-stepi-test-cases-with-unix-m32-fpie-pie.patch * gdb-testsuite-handle-recursive-internal-problem-in-gdb_internal_error_resync.patch * gdb-testsuite-handle-runto-fail-in-gdb.mi-mi-var-cp.exp.patch * gdb-testsuite-handle-sigill-in-two-gdb.arch-powerpc-test-cases.patch * gdb-testsuite-handle-supports_memtag-in-gdb.base-gdb-caching-proc.exp.patch * gdb-testsuite-make-gdb.base-annota1.exp-more-robust.patch * gdb-testsuite-refactor-regexp-in-gdb.base-annota1.exp.patch * gdb-testsuite-support-fpie-fno-pie-pie-no-pie-in-gdb_compile_rust.patch * gdb-testsuite-update-test-gdb.base-step-over-syscall.exp.patch * gdb-testsuite-use-compiler-generated-instead-of-gas-generated-stabs.patch * gdb-tui-fix-breakpoint-display-functionality.patch * ibm-z-add-another-arch14-instruction.patch * ibm-z-remove-lpswey-parameter.patch - Patches updated: * gdb-6.3-gstack-20050411.patch * gdb-6.5-bz185337-resolve-tls-without-debuginfo-v2.patch * gdb-6.6-buildid-locate-rpm-librpm-workaround.patch * gdb-6.6-buildid-locate-rpm-scl.patch * gdb-6.6-buildid-locate-rpm.patch * gdb-6.6-buildid-locate-solib-missing-ids.patch * gdb-6.6-buildid-locate.patch * gdb-cli-add-ignore-errors-command.patch * gdb-container-rh-pkg.patch * gdb-core-open-vdso-warning.patch * gdb-fedora-libncursesw.patch * gdb-gcore-bash.patch * 
gdb-linux_perf-bundle.patch * gdb-testsuite-handle-init-errors-in-gdb.mi-user-selected-context-sync.exp.patch - Add BuildRequires python-xml. - Maintenance script qa.sh: * Add -sle-12 and -factory options. * Handle *.-fPIE.-pie.sum files. * Add KFAILs for PRs 26292, 29238, 25059, 29240, 29241, 29244, 29245, 29160, 29196. * Move PR27539 KFAILs from kfail_factory to kfail. - New maintenance script qa-local.sh. - New file README.qa. - Patches added (trunk backport): * gdb-testsuite-detect-no-mpx-support.patch * gdb-testsuite-handle-init-errors-in-gdb.mi-user-selected-context-sync.exp.patch * gdb-add-gdb-syscalls-makefile.patch - Patches added (ml backport): * gdb-update-syscalls-amd64-i386-linux.xml.patch * gdb-record-handle-statx-system-call.patch - Patches added (to be upstreamed): * gdb-tdep-update-syscalls-ppc64-ppc-linux.xml.patch - Maintenance script qa.sh: * Add another KFAIL for PR27027. * Remove PR28461 KFAIL. - patches added (trunk backport): * gdb-testsuite-make-gdb.base-annota1.exp-more-robust.patch * gdb-testsuite-fix-gdb.base-annota1.exp-with-pie.patch - patches added (gdb-patches ml backport): * gdb-tdep-handle-pipe2-syscall-for-amd64.patch * gdb-testsuite-handle-pipe2-syscall-in-gdb.base-catch-syscall.exp.patch * gdb-tdep-support-catch-syscall-pipe2-for-i386.patch - Maintenance script qa.sh: * Add Leap 15.4 x86_64 to known good configs. - Remove dependency on binutils-gold as the package will be removed in the future. Gold linker is unmaintained by the upstream project. - Fix unresolved BuildRequires fpc for Leap 15.4/i586. - Patch added (backport from master): * fix-build-with-current-gcc-el_explicit-location-always-non-null.patch - Maintenance script qa.sh: * Add KFAILs for PR28667. 
- Fedora fixup patch added: * fixup-gdb-6.5-bz243845-stale-testing-zombie-test.patch - gdb-r_version-check.patch: gdb: Don't assume r_ldsomap when r_version > 1 on Linux - Patches added (swo#28323): gdb-ada-fix-assert-in-ada_is_unconstrained_packed_array_type.patch - Patches added (swo#27028, swo#27257): * gdb-testsuite-fix-gdb.arch-i386-pkru.exp-on-linux.patch * gdb-tdep-fix-avx512-m32-support-in-gdbserver.patch - Patch added (swo#28539, bsc#1192285): * gdb-symtab-fix-segfault-in-search_one_symtab.patch - Patches removed: * gdb-testsuite-debug-gdb.arch-i386-sse.exp.patch - Maintenance script qa.sh: - Drop openSUSE Leap 15.1. - Add KFAILs for PR28617. - Fix SLE-12 x86_64 unresolvable by removing BuildRequire gcc-java. - Fix openSUSE_Factory_ARM armv7l unresolvable by not doing BuildRequire babeltrace-devel. - Fix SLE-12 x86_64 unresolvable by not doing BuildRequire babeltrace-devel. - Patches added (backport from master): * gdb-testsuite-add-missing-wait-in-gdb.base-signals-state-child.exp.patch - Add BuildRequire libsource-highlight. - Maintenance script qa.sh: - Add KFAIL. - Patches updated (increase sleep time): * gdb-testsuite-fix-race-in-gdb.threads-detach-step-over.exp.patch - Patches added (debug hard to reproduce failure): * gdb-testsuite-debug-gdb.arch-i386-sse.exp.patch - Maintenance script qa.sh: - Add internal-error KFAILs. - Rewrite gdb.suse check to distinguish between: "zypper hint printed (librpm)" and "zypper hint printed (no librpm)". 
- Patch updated (zypper hint doesn't use librpm on SLE-11): * gdb-testsuite-add-gdb.suse-zypper-hint.exp.patch - Patches added (backports from trunk): * gdb-testsuite-add-gdb.opt-break-on-_exit.exp.patch * gdb-tdep-rs6000-don-t-skip-system-call-in-skip_prologue.patch * gdb-testsuite-fix-stepi-test-cases-with-unix-m32-fpie-pie.patch * gdb-testsuite-fix-assembly-comments-in-gdb.dwarf2-clang-debug-names.exp.tcl.patch * gdb-doc-fix-print-inferior-events-default.patch * gdb-testsuite-fix-gdb.guile-scm-type.exp-with-gcc-4.8.patch * gdb-testsuite-add-gdb.arch-ppc64-break-on-_exit.exp.patch * gdb-testsuite-don-t-error-when-trying-to-unset-last_spawn_tty_name.patch * gdb-exp-improve-error-reading-variable-message.patch * fix-gdb.base-sigstep.exp-test-for-ppc.patch * gdb-testsuite-fix-regexp-in-gdb.base-foll-vfork.exp.patch - Patches added (backports from ml): * gdb-testsuite-disable-inferior-output-in-gdb.base-foll-vfork.exp.patch - Maintenance script qa.sh: - Add -m32/-pie to known clean configs. - Add kfail for PR28467. - Fix empty patch: * gdb-testsuite-fix-fail-in-gdb.tui-basic.exp.patch - Limit SLE extra targets to SLE targets. - Add avr-elf and pru-elf to openSUSE extra targets. - Maintenance script qa.sh: * Add note. * Add KFAIL, improve KFAIL patterns. 
- Patch updated: * gdb-testsuite-fix-data-alignment-in-gdb.arch-i386-avx-sse-.exp.patch * gdb-testsuite-fix-race-in-gdb.threads-detach-step-over.exp.patch - Replace patch (patch from mailing list, fix SLE-11 apply failure): with (now backported from release branch): * aarch64-make-gdbserver-register-set-selection-dynamic.patch - Patches added: * gdb-testsuite-fix-data-alignment-in-gdb.arch-i386-avx-sse-.exp.patch * gdb-testsuite-fix-fail-in-gdb.tui-basic.exp.patch - Patches dropped: * gdb-testsuite-add-checks-to-gdb.arch-i386-sse.exp.patch - Replace patch: * gdb-testsuite-Fix-gdb.threads-thread-specific-bp.exp.patch with (updated version, and patchname now generated by import-patches.sh): * gdb-testsuite-fix-gdb.threads-thread-specific-bp.exp.patch - Maintenance script import-patches.sh: * Improve argument checking. * Add usage. * Use filterdiff to filter out ChangeLog entries. - Maintenance script qa.sh: * Fix usage. * Document todo. - Re-enable big endian powerpc, but keep testing disabled. - Add KFAIL for PR28553. - Patch added (move zypper hint test to testsuite): * gdb-testsuite-add-gdb.suse-zypper-hint.exp.patch - Maintenance script qa.sh: * Add PR28551 KFAIL. * Add missing quotes for some KFAILs. * Remove PR28355 KFAIL. ----------------------------------------------------------------------------- o Updated gdk-pixbuf (security/bugfix/feature) - Add 0001-jpeg-Increase-memory-limit-for-loading-image-data.patch: fix loading of larger images (glgo#GNOME/gdk-pixbuf#216). - avoid bashism in baselibs postscript (bsc#1195391) - Update to version 2.42.9: + Fix the check for maximum value of LZW initial code size (boo#1194633 CVE-2021-44648). + Use CMake for dependencies on Windows/MSVC. + Add option for building tests. + Move man pages to reStructuredText. + Disable relocation when built as a static library on Windows. + Update wrap file for libjpeg-turbo. + Limit the memory size when loading image data. 
- Add docutils and pkgconfig(gi-docgen) BuildRequires: New dependencies. - Update to version 2.42.8 (boo#1201826): + Clear the pixbuf's memory buffer to avoid returning uninitialized memory. + Turn GdkPixbufModule functions into typed callbacks. + tiff: Use non-deprecated C99 integer types. + gif: Check for overflow when compositing or clearing frames. + Change png/jpeg/tiff build options from boolean to feature. + jpeg: Do not rely on UB around setjmp/longjmp. + Build fixes. + Documentation fixes. + Security fixes: CVE-2021-46829. + Updated translations. - Stop passing options to meson that just follow upstream default, just rely on upstream providing sane defaults, apart from where we want to deviate. ----------------------------------------------------------------------------- o Updated gdm (security/bugfix/feature) - Add gdm-disable-wayland-on-aspeed-chipsets.patch: Those chips do not have fast blending and Wayland performance is bad on them, so disable Wayland on aspeed chipsets (bsc#1200323). ----------------------------------------------------------------------------- o Updated gedit (security/bugfix/feature) - Add "Requires: gsettings-desktop-schemas" to alleviate schema "is not installed" error after install in WSL. (boo#1198312) ----------------------------------------------------------------------------- o Updated geocode-glib (security/bugfix/feature) - Update to version 3.26.4: + This release includes a fix to a test data file not being installed, and a bug fix for a bug in the libsoup3 port. - Update to version 3.26.3: + This release adds support for libsoup 3.x. To use the libsoup 3.x build, applications will need to be adapted to look for the "-2.0" version of the API. This allows both native and interpreted applications to select which version of libsoup they want geocode-glib to use as the backend, and for both versions to be installed in distributions. 
----------------------------------------------------------------------------- o Updated gimp (security/bugfix/feature) [x86_64] - Add gimp-CVE-2022-32990.patch: fix crash in gimp_layer_invalidate_boundary (boo#1201192 CVE-2022-32990). - Add gimp-CVE_2022-30067.patch: fix out of memory when reading XCF (boo#1199653 CVE-2022-30067). - Set LD_PRELOAD=/usr/lib64/libgomp.so.1 for ppc64le and aarch64, to avoid "load error: cannot allocate memory in static TLS block" when building. ----------------------------------------------------------------------------- o Updated git (security/bugfix/feature) - Fix CVE-2023-22490, using a specially-crafted repository, Git can be tricked into using its local clone optimization even when using a non-local transport (CVE-2023-22490, bsc#1208027) - Fix CVE-2023-23946, a path outside the working tree can be overwritten as the user who is running "git apply" (CVE-2023-23946, bsc#1208028) * fix-CVE-2023-22490-1.patch * fix-CVE-2023-22490-2.patch * fix-CVE-2023-22490-3.patch * fix-CVE-2023-22490-4.patch - Fix CVE-2022-41903, heap overflow in `git archive` and `git log --format` (CVE-2022-41903, bsc#1207033) * fix-CVE-2022-41903.patch - Fix CVE-2022-23521, gitattributes parsing integer overflow (CVE-2022-23521, bsc#1207032) - Fix CVE-2022-39260, overflow in `split_cmdline()`, leading to arbitrary heap writes and remote code execution (CVE-2022-39260, bsc#1204456) fix-CVE-2022-39260.patch - Fix CVE-2022-39253, dereference issue with symbolic links via the `--local` clone mechanism (CVE-2022-39253, bsc#1204455) fix-CVE-2022-39253.patch - Follow up fix for CVE-2022-24765, potential command injection via git worktree. (CVE-2022-29187, bsc#1201431) * fix-CVE-2022-29187.patch ----------------------------------------------------------------------------- o Updated gjs (security/bugfix/feature) - Require xorg-x11-Xvfb on SLE-15-SP5, rather than xorg-11-server-Xvfb (bsc#1203274). 
- Update to version 1.70.2: + Build and compatibility fixes backported from the development branch. + Closed bugs and merge requests: package: Reverse order of running-from-source checks. ----------------------------------------------------------------------------- o Updated glib2 (security/bugfix/feature) - Update to version 2.70.5: Bugs fixed: glgo#GNOME/GLib#2620, glgo#GNOME/GLib!2537, glgo#GNOME/GLib!2555 - Split gtk-docs from -devel package, these are not needed during building projects using glib2 - Use _multibuild as the meson buildprocess is very awkward regarding the documentation - builds single-jobs only and twice (again during %install). This way the rest of distribution waiting for glib2-devel to be available is not blocked by this ----------------------------------------------------------------------------- o Updated glibc (security/bugfix/feature) - x86-shared-non-temporal-threshold.patch: Reversing calculation of __x86_shared_non_temporal_threshold (bsc#1201942) - memcmp-power10.patch: powerpc: Optimized memcmp for power10 (jsc#PED-987) - disable-check-consistency.patch: i386: Disable check_consistency for GCC 5 and above (bsc#1201640, BZ #25788) - static-tls-surplus.patch: Remove tunables (bsc#1201560) - static-tls-surplus.patch: rtld: Avoid using up static TLS surplus for optimizations (bsc#1200855, BZ #25051) - strncpy-power9-vsx.patch: powerpc: Fix VSX register number on __strncpy_power9 (bsc#1200334, BZ #29197) - selinux-deprecated.patch: Disable warnings due to deprecated libselinux symbols used by nss and nscd (bsc#1197718) - systemtap-altmacro.patch: i386: Remove broken CAN_USE_REGISTER_ASM_EBP (bsc#1197718, BZ #28771) - Add s390-add-z16-name.diff for bsc#1198751. 
----------------------------------------------------------------------------- o Updated glibc-utils-src (security/bugfix/feature) - x86-shared-non-temporal-threshold.patch: Reversing calculation of __x86_shared_non_temporal_threshold (bsc#1201942) - memcmp-power10.patch: powerpc: Optimized memcmp for power10 (jsc#PED-987) - disable-check-consistency.patch: i386: Disable check_consistency for GCC 5 and above (bsc#1201640, BZ #25788) - static-tls-surplus.patch: Remove tunables (bsc#1201560) - static-tls-surplus.patch: rtld: Avoid using up static TLS surplus for optimizations (bsc#1200855, BZ #25051) - strncpy-power9-vsx.patch: powerpc: Fix VSX register number on __strncpy_power9 (bsc#1200334, BZ #29197) - selinux-deprecated.patch: Disable warnings due to deprecated libselinux symbols used by nss and nscd (bsc#1197718) - systemtap-altmacro.patch: i386: Remove broken CAN_USE_REGISTER_ASM_EBP (bsc#1197718, BZ #28771) - Add s390-add-z16-name.diff for bsc#1198751. ----------------------------------------------------------------------------- o Updated gmmlib (security/bugfix/feature) [x86_64] - update to 22.3.1: * Fix memory leak Destroy allocated resources for ULT - needed for jira#PED-1174 (Video decoding/encoding support (VA-API, ...) for Intel GPUs is outside of Mesa) - Update to version 22.3.0: * Support for default build types * Add ATS-M Device Ids * Adding more dg2 device Ids * Fixing XE_HPC macro usage for Cache Policy settings * Fix QPtich calculations for CCS * PVC PAT table implementations * Initialize NumPATRegisters * Add PVC Device IDs * Fix GetPrivatePATEntry API * Introducing MTL Support - No code changes - Update to version 22.1.4 was part of Intel oneVPL GPU Runtime 2022Q2 Release 22.4.4 - Update to version 22.1.4: * No upstream changelog available - Update to version 22.1.2: * No upstream changelog available - Update to version 22.0.1: * No upstream changelog available. - Bump somajor define to 12 and in baselibs.conf following upstream so bump. 
- Replace gcc-c++ with generic c++_compiler BuildRequires. - Update to version 21.3.3: * No upstream changelog available. ----------------------------------------------------------------------------- o Updated gnome-desktop (security/bugfix/feature) - Update to version 41.8: + No changes, version bump only. - Update to version 41.6: + No changes, version bump only. - Update to version 41.5: + No changes, version bump only. - Update to version 41.4: + No changes, version bump only. - Update to version 41.3: + No changes, version bump only. ----------------------------------------------------------------------------- o Updated gnome-music (security/bugfix/feature) [x86_64] - Refresh 0002-gnome-music-revert-from-future-import-annotations.patch (bsc#1206751). - Update to version 41.1: + Speed increase on first startup on larger collections + Make shuffle random + Fix time displayed in RTL languages + Bugs fixed: - Time is reversed in RTL (#500) - Improve async queue work (#472) - Fix crash on empty selection (#492) - playlistswidget: Fix incorrect import (#491) - Make random shuffle actually random (#369) - albumwidget: Ensure the correct album is played (#461) + Updated translations: - Drop d9f35b542adbf6b0e1114c7c077df04212a98fc7.patch: Fixed upstream - Rebase 0002-gnome-music-revert-from-future-import-annotations.patch - Add d9f35b542adbf6b0e1114c7c077df04212a98fc7.patch: Fix build with meson 0.61.0 and newer. ----------------------------------------------------------------------------- o Updated gnome-packagekit (security/bugfix/feature) - Modify bnc-946886-install-signatures-in-viewer.patch: Fix runtime error to make it work as before(bsc#1198801). 
----------------------------------------------------------------------------- o Updated gnome-remote-desktop (security/bugfix/feature) [x86_64] - Update to version 41.3: * build: Bump version to 41.3 * Add Icelandic translation ----------------------------------------------------------------------------- o Updated gnome-session (security/bugfix/feature) - Add gnome-session-clear-error-when-running-under-GDM.patch: Also clear error when running under GDM (bsc#1204867 glgo!GNOME/gnome-session!83). - Add back gnome-session-exit-when-lost-name-on-bus.patch: gnome-session exit immediately when lost name on bus (bsc#1175622 glgo!GNOME/gnome-session!60, bsc#1188882). ----------------------------------------------------------------------------- o Updated gnome-settings-daemon (security/bugfix/feature) - Add patch to fix build with meson >0.60.0 which now fails if a positional argument is used in i18n.merge_file instead of ignoring it: * fix-meson-i18n.patch ----------------------------------------------------------------------------- o Updated gnome-shell-extension-desktop-icons (security/bugfix/feature) - Update desktop-icon-gnome-41.patch: Fix opening prefs.js fail (bsc#1199377 bsc#1203262). - Drop desktop-icon-gnome-40.patch. - Add desktop-icon-gnome-41.patch: Compatible to GNOME 41 (bsc#1199377). ----------------------------------------------------------------------------- o Updated gnome-shell (security/bugfix/feature) - Add gnome-shell-disable-offline-update-dialog.patch : Disable offline update suggestion before shutdown/reboot in SLE and openSUSE Leap (bsc#944832). - Update to version 41.9: + Fix logging in with realmd [Alessandro; !2404] + Allow extension updates with only Extension Manager installed [Matthew; !2358] + Plugged leak [Sebastian; !2367] + Misc. bug fixes and cleanups [Alessandro, Florian; !2402, !2412, !2411, !2351, !2372, !2350, !2326, !2413] - Update to version 41.8.1 + Fix regression in ibus support [Florian; !2359] + Misc. 
bug fixes and cleanups [Florian; !2293]
- Update to version 41.8:
  + Fix feedback when turning on a11y features by keyboard [Olivier; !2334]
  + Only close messages via delete key if they can be closed [PhilProg; !2323]
  + Do not create systemd scope for D-Bus activated apps [msizanoen1; !2305]
  + Hide overview after 'Show Details' from app context menu [PhilProg; !2329]
  + Respect IM hint for candidates list in on-screen keyboard [Carlos; !2347]
  + Fix edge case where windows stay dimmed after a modal is closed [Jonas; !2349]
  + Improve Belgian on-screen keyboard layout [Evert; !2336]
  + Misc. bug fixes and cleanups [Florian, Sebastian; !2078, !2319, !2355]
- Update to version 41.7:
  + Misc. bug fixes [Florian, Jonas; !2295, !2296, !2306]
  + Fix focus tracking in magnifier on wayland [Sebastian; !2301]
- Update to version 41.6:
  + Handle monitor changes during startup animation [13r0ck; !2144]
  + Fix fractional timezone offsets in world clock [Raghuveer; !2255]
  + calendar: Fix alignment of world clocks header in RTL [Yosef; !2240]
  + Make sure startup animation completes [Florian; !2269]
  + Allow more intermediate icon sizes in app grid [Sebastian; !2289]
  + Plugged memory leak [Sebastian; !2256]
  + Misc. bug fixes and cleanups [Georges, Florian, Simon, Jonas, Sebastian; !2262, !2257, !2252, !2272, !2275, !2285, !2286]
- Update to version 41.5:
  + Fix programmatically set scrollview fade.
  + Disable workspace switching while in search.
  + Fix opening device settings for enterprise WPA networks.
  + Fix drag placeholder position in dash in RTL locales.
  + Improve CSS shadow appearance.
  + Fix glitches in overview transition.
  + Fix unresponsive top bar in overview when in fullscreen.
  + Fixed crash.
  + Misc. bug fixes and cleanups.
  + Updated translations.
- Drop gnome-shell-fix-NMDevice-get-path.patch: Fixed upstream.
- Rebase patches with quilt.
- Drop 2078.patch: fixed upstream.
----------------------------------------------------------------------------- o Updated gnome-software (security/bugfix/feature) - Add gnome-software-disable-offline-update.patch: Disable offline update in SLE and openSUSE Leap(bsc#944832). - Update to version 41.5: + Disable scroll-by-mouse-wheel on featured carousel. + Ensure details page shows app provided on command line. + Added several appstream-related fixes. + Updated translations. ----------------------------------------------------------------------------- o Updated gnome-terminal (security/bugfix/feature) - Update to version 3.42.3: + Updated translations. + Revert "regex: Workaround a PCRE bug resulting in not recognizing schemeless URLs" + regex: Fix path-less URL recognition + window: Use a normal menu for the popup menu + build: Post release version bump - Add 9a168cc23962ce9fa106dc8a40407d381a3db403.patch: Fix build with meson 0.61.0 and newer. ----------------------------------------------------------------------------- o Updated gnome-user-docs (security/bugfix/feature) - Update to version 41.5: + Updated translations. - Update to version 41.2: + Added missing icon for network-wired-symbolic + Added Ubuntu note about GNOME Classic prerequisite + Updated translations. ----------------------------------------------------------------------------- o Removed gnu11-compilers-hpc (XXX) ----------------------------------------------------------------------------- o Added gnu12-compilers-hpc (feature) [x86_64,aarch64] ## WARNING - the following diff is a head -20 proposal * Mon Jan 02 2023 eich@suse.com - Fix compatibility for SLE-12: define _rpmmacrodir after hpc_init. * Tue Dec 13 2022 eich@suse.com - Add support for gcc12 (jsc#PED-2834). * Mon Dec 13 2021 aginies@suse.com - fix _multibuild with a correct list of gcc version * Wed Oct 06 2021 eich@suse.com - Use %_rpmmacrodir instead of %{_sysconfdir}/rpm (boo#1191381). 
* Thu Jul 15 2021 eich@suse.com
- Improve setting of standard binaries (c, c++) for non-base versions.
- Improve environment settings: only set CC, CXX etc when compilers are installed. Thus, if only gnu-compiler-hpc
-----------------------------------------------------------------------------
o Updated gnu-compilers-hpc (security/bugfix/feature) [x86_64,aarch64]
- Fix compatibility for SLE-12: define _rpmmacrodir after hpc_init.
- Add support for gcc12 (jsc#PED-2834).
- fix _multibuild with a correct list of gcc version
- Use %_rpmmacrodir instead of %{_sysconfdir}/rpm (boo#1191381).
-----------------------------------------------------------------------------
o Updated gnutls (security/bugfix/feature)
- FIPS: Make the jitterentropy calls thread-safe [bsc#1208146]
  * Add gnutls-FIPS-jitterentropy-threadsafe.patch
- FIPS: GnuTLS DH/ECDH PCT public key regeneration [bsc#1207183]
  * Rebase patches with the version submitted upstream.
  * Avoid copying the key material: gnutls-FIPS-PCT-DH.patch
  * Improve logic around memory release: gnutls-FIPS-PCT-ECDH.patch
- Security Fix: [bsc#1208143, CVE-2023-0361]
  * Bleichenbacher oracle in TLS RSA key exchange
  * Add gnutls-CVE-2023-0361.patch
- FIPS: Change all the 140-2 references to FIPS 140-3 in order to account for the new FIPS certification [bsc#1207346]
  * Add gnutls-FIPS-140-3-references.patch
- FIPS: GnuTLS DH/ECDH PCT public key regeneration [bsc#1207183]
  * Add gnutls-FIPS-PCT-DH.patch gnutls-FIPS-PCT-ECDH.patch
- Fix AVX CPU feature detection for OSXSAVE [bsc#1203299]
  * Fixes a SIGILL termination at the vzeroupper instruction when trying to run GnuTLS on a Linux kernel with the noxsave command line parameter set. Relevant mostly for virtual systems.
  * Upstream bug: https://gitlab.com/gnutls/gnutls/issues/1282
  * Add gnutls-clear-AVX-bits-if-it-cannot-be-queried-XSAVE.patch
- FIPS: Set error state when jent init failed in FIPS mode [bsc#1202146]
  * Add patch gnutls-FIPS-Set-error-state-when-jent-init-failed.patch
- FIPS: Make XTS key check failure not fatal [bsc#1203779]
  * Add gnutls-Make-XTS-key-check-failure-not-fatal.patch
- FIPS: Zeroize the calculated hmac and new_hmac in the check_binary_integrity() function. [bsc#1191021]
  * Add gnutls-FIPS-Zeroize-check_binary_integrity.patch
- FIPS: Additional modifications to the SLI. [bsc#1190698]
  * Mark CMAC and GMAC as non-approved in gnutls_pbkdf2().
  * Mark HMAC keylength less than 112 bits as non-approved in gnutls_pbkdf2().
  * Adapt the pbkdf2 selftest and the regression tests accordingly.
  * Add gnutls-FIPS-SLI-pbkdf2-verify-keylengths-only-SHA.patch
- FIPS: Port GnuTLS to use jitterentropy [bsc#1202146, jsc#SLE-24941]
  * Add new dependency on jitterentropy
  * Add gnutls-FIPS-jitterentropy.patch
- Security fix: [bsc#1202020, CVE-2022-2509]
  * Fixed double free during verification of pkcs7 signatures
  * Add gnutls-CVE-2022-2509.patch
- FIPS:
  * Modify gnutls-FIPS-force-self-test.patch [bsc#1198979]
    - gnutls_fips140_run_self_tests now properly releases fips_context
- FIPS:
  * Add gnutls_ECDSA_signing.patch [bsc#1190698]
    - Check minimum keylength for symmetric key generation
    - Only allows ECDSA signature with valid set of hashes (SHA2 and SHA3)
  * Add gnutls-FIPS-force-self-test.patch [bsc#1198979]
    - Provides interface for running library self tests on-demand
    - Upstream: https://gitlab.com/gnutls/gnutls/-/merge_requests/1598
- FIPS: Make sure zeroization is performed in all API functions
  * Add gnutls-zeroization-API-functions.patch [bsc#1191021]
  * Upstream: https://gitlab.com/gnutls/gnutls/-/merge_requests/1573
- FIPS: Add missing requirements for the SLI [bsc#1190698]
  * Remove 3DES from FIPS approved algorithms:
    - gnutls-Remove-3DES-from-FIPS-approved-algos.patch
    - Upstream:
https://gitlab.com/gnutls/gnutls/-/merge_requests/1570 * DRBG service (gnutls_rnd) should be considered approved: - gnutls-Add-missing-FIPS-service-indicator-transitions.patch - gnutls-Add-missing-FIPS-service-indicator-transitions-tests.patch - gnutls-pkcs12-tighten-algorithm-checks-under-FIPS.patch - Upstream: https://gitlab.com/gnutls/gnutls/-/merge_requests/1569 - FIPS: Mark AES-GCM as approved in the TLS context [bsc#1194907] * Add gnutls-FIPS-Mark-HKDF-and-AES-GCM-as-approved-when-used-in-TLS.patch * Upstream issue: https://gitlab.com/gnutls/gnutls/issues/1311 * Upstream: https://gitlab.com/gnutls/gnutls/merge_requests/1561 ----------------------------------------------------------------------------- o Removed go1.17 (XXX) ----------------------------------------------------------------------------- o Updated go1.18 (security/bugfix/feature) - go1.18.9 (released 2022-12-06) includes security fixes to the net/http and os packages, as well as bug fixes to cgo, the compiler, the runtime, and the crypto/x509 and os/exec packages. 
Refs boo#1193742 go1.18 release tracking CVE-2022-41717 CVE-2022-41720 * go#57008 boo#1206135 security: fix CVE-2022-41717 net/http: limit canonical header cache by bytes, not entries * go#57005 boo#1206134 security: fix CVE-2022-41720 os, net/http: avoid escapes from os.DirFS and http.Dir on Windows * go#56751 runtime,cmd/compile: apparent memory corruption in compress/flate * go#56709 net: builders failing TestLookupDotsWithRemoteSource and TestLookupGoogleSRV due to missing host for _xmpp-server._tcp.google.com * go#56675 x/net/http2/h2c: ineffective mitigation for unsafe io.ReadAll * go#56635 runtime: traceback stuck in runtime.systemstack * go#56556 cmd/compile: some x/sys versions no longer build due to "go:linkname must refer to declared function or variable" * go#56550 os/exec: Plan 9 build has been broken by a Windows security fix (also breaks 1.19.3 and 1.18.8) * go#56437 crypto/x509: respect GODEBUG changes during program lifetime * go#56396 runtime: on linux/PPC64, usleep computes incorrect tv_nsec parameter * go#56359 cmd/compile: panic: offset too large - go1.18.8 (released 2022-11-01) includes security fixes to the os/exec and syscall packages, as well as bug fixes to the runtime. Refs boo#1193742 go1.18 release tracking CVE-2022-41716 * go#56327 boo#1204941 security: fix CVE-2022-41716 syscall, os/exec: unsanitized NUL in environment variables * go#56308 runtime: "runtime·lock: lock count" fatal error when cgo is enabled - go1.18.7 (released 2022-10-04) includes security fixes to the archive/tar, net/http/httputil, and regexp packages, as well as bug fixes to the compiler, the linker, and the go/types package. 
Refs boo#1193742 go1.18 release tracking CVE-2022-41715 CVE-2022-2879 CVE-2022-2880 * go#55950 boo#1204023 security: fix CVE-2022-41715 regexp/syntax: limit memory used by parsing regexps * go#55925 boo#1204024 security: fix CVE-2022-2879 archive/tar: unbounded memory consumption when reading headers * go#55842 boo#1204025 security: fix CVE-2022-2880 net/http/httputil: ReverseProxy should not forward unparseable query parameters * go#55151 fatal error: bulkBarrierPreWrite: unaligned arguments * go#55148 go/types: no way to construct the signature of append(s, "string"...) via the API * go#55113 cmd/link: new darwin linker warning on -pagezero_size and -no_pie deprecation * go#54918 cmd/compile: Value live at entry - go1.18.6 (released 2022-09-06) includes security fixes to the net/http package, as well as bug fixes to the compiler, the go command, the pprof command, the runtime, and the crypto/tls, encoding/xml, and net packages. Refs boo#1193742 go1.18 release tracking CVE-2022-27664 * go#53977 bsc#1203185 CVE-2022-27664 net/http: handle server errors after sending GOAWAY * go#54733 cmd/go: git fetch errors dropped when producing pseudo-versions for commits * go#54725 cmd/compile: compile failed with "Value live at entry" * go#54674 runtime: morestack_noctxt missing SPWRITE, causes "traceback stuck" assert * go#54664 runtime: segfault running ppc64/linux binaries with kernel 5.18 * go#54659 cmd/go: go test -race does not set implicit race build tag * go#54642 crypto/tls: support ECDHE key exchanges when ec_point_formats is missing in ClientHello extension * go#54636 cmd/go: data race in TestScript * go#54603 cmd/compile: miscompilation of partially-overlapping array assignments * go#54502 cmd/link: Trampoline insertion breaks DWARF Line Program Table output on Darwin/ARM64 * go#54464 cmd/pprof: graphviz node names are funny with generics * go#54128 encoding/xml: crash on android/arm64 due to https://go.dev/cl/417062 * go#54074 net: WriteMsgUDPAddrPort should 
accept IPv4 destination addresses on IPv6 UDP sockets
  * go#54056 misc/cgo: TestSignalForwardingExternal sometimes fails with wrong signal SIGINT
  * go#53397 go/reflect: Incorrect behavior on arm64 when using MakeFunc / Call
- Define go_bootstrap_version go1.16 without suse_version checks
- Simplify conditional gcc_go_version 12 on Tumbleweed, 11 elsewhere
- Bootstrap using go1.16 on SLE-15 and newer. go1.16 is bootstrapped using gcc-go 11 or 12. This allows dropping older versions of Go from Factory.
- go1.18.5 (released 2022-08-01) includes security fixes to the encoding/gob and math/big packages, as well as bug fixes to the compiler, the go command, the runtime, and the testing package. Refs boo#1193742 go1.18 release tracking CVE-2022-32189
  * boo#1202035 CVE-2022-32189 go#53871
  * go#54095 math/big: index out of range in Float.GobDecode
  * go#53883 cmd/compile: interface conversion with generics reports "types from different scopes"
  * go#53875 cmd/go: livelock when computing module graph in a workspace with GOPROXY=off
  * go#53852 cmd/compile: internal compiler error: assertion failed
  * go#53847 runtime: modified timer results in extreme cpu load
  * go#53119 cmd/go: Build information embedded by Go 1.18 impairs build reproducibility with cgo flags
  * go#53112 runtime: gentraceback() dead loop on arm64 caused the process hang
  * go#52986 testing: TempDir RemoveAll cleanup failures with "The process cannot access the file because it is being used by another process."
  * go#52961 cmd/compile: miscompilation in pointer operations
- go1.18.4 (released 2022-07-12) includes security fixes to the compress/gzip, encoding/gob, encoding/xml, go/parser, io/fs, net/http, and path/filepath packages, as well as bug fixes to the compiler, the go command, the linker, the runtime, and the runtime/metrics package.
Refs boo#1193742 go1.18 release tracking CVE-2022-1705 CVE-2022-32148 CVE-2022-30631 CVE-2022-30633 CVE-2022-28131 CVE-2022-30635 CVE-2022-30632 CVE-2022-30630 CVE-2022-1962 * boo#1201434 CVE-2022-1705 go#53188 * go#53433 net/http: improper sanitization of Transfer-Encoding header * boo#1201436 CVE-2022-32148 go#53423 * go#53621 net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working * boo#1201437 CVE-2022-30631 go#53168 * go#53718 compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631) * boo#1201440 CVE-2022-30633 go#53611 * go#53716 encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633) * boo#1201443 CVE-2022-28131 go#53614 * go#53712 encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131) * boo#1201444 CVE-2022-30635 go#53615 * go#53710 encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635) * boo#1201445 CVE-2022-30632 go#53416 * go#53714 path/filepath: stack exhaustion in Glob (CVE-2022-30632) * boo#1201447 CVE-2022-30630 go#53415 * go#53720 io/fs: stack exhaustion in Glob (CVE-2022-30630) * boo#1201448 CVE-2022-1962 go#53616 * go#53708 go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962) * go#53723 cmd/compile: ambiguous selector with generic interface & embedded types * go#53618 cmd/compile: condition in for loop body is incorrectly optimised away * go#53613 syscall: NewCallback triggers data race on Windows when used from different goroutine * go#53590 runtime/metrics: data race detected in Read * go#53588 cmd/go: "v1.x.y is not a tag" when .gitconfig sets log.decorate to full * go#53587 cmd/compile: miscompilation of value switch involving generic interface types * go#53471 cmd/compile: internal compiler error: width not calculated: int128 * go#53357 cmd/compile: type assertion on generic type fails incorrectly * go#53159 cmd/compile: unsafe.Offsetof returns incorrect value in embedded struct with type parameters * go#53107 cmd/link: unexpected trampoline error on ppc64le musl with 
-buildmode=pie * go#52689 runtime: total allocation stats are managed in a uintptr which can quickly wrap around on 32-bit architectures - go1.18.3 (released 2022-06-01) includes security fixes to the crypto/rand, crypto/tls, os/exec, and path/filepath packages, as well as bug fixes to the compiler, and the crypto/tls and text/template/parse packages. Refs boo#1193742 go1.18 release tracking CVE-2022-30634 CVE-2022-30629 CVE-2022-30580 CVE-2022-29804 * boo#1200134 go#52561 CVE-2022-30634 * go#52933 crypto/rand: Read hangs when passed buffer larger than 1<<32 - 1 * boo#1200135 go#52814 CVE-2022-30629 * go#52833 crypto/tls: randomly generate ticket_age_add * boo#1200136 go#52574 CVE-2022-30580 * go#53057 os/exec: Cmd.{Run,Start} should fail if Cmd.Path is unset * boo#1200137 go#52476 CVE-2022-29804 * go#52479 path/filepath: Clean(.\c:) returns c: on Windows * go#51849 cmd/compile: crash on pointer conversion in call to mapaccess2 * go#52242 cmd/compile: compiler crash on valid code * go#52286 cmd/compile: compiler crash with "Dictionary should have already been generated" * go#52791 crypto/tls: 500% increase in allocations from (*tls.Conn).Read in go 1.17 * go#52878 text/template: break/continue require no whitespace around them * go#53043 misc/cgo/testsanitizers: occasional hangs in TestTSAN/tsan12 * go#53115 misc/cgo/testsanitizers: deadlock in TestTSAN/tsan11 - go1.18.2 (released 2022-05-10) includes security fixes to the syscall package, as well as bug fixes to the compiler, runtime, the go command, and the crypto/x509, go/types, net/http/httptest, reflect, and sync/atomic packages. 
Refs boo#1193742 go1.18 release tracking CVE-2022-29526 * boo#1199413 go#52313 CVE-2022-29526 * go#52440 syscall: Faccessat checks wrong group * go#51738 runtime: wrong type assertion result when using generic types * go#51798 cmd/go: add (and default to) -buildvcs=auto * go#51859 crypto/x509: x509 certificate with issuerUniqueID and/or subjectUniqueID parse error * go#51897 net/http/httptest: race in Close * go#52028 go/types: documentation on instance de-duplication is unclear about guarantees * go#52149 syscall: TestGroupCleanupUserNamespace failure on linux-s390x-ibm * go#52244 go/types, types2: go generic assert compile escape * go#52305 runtime: doAllThreadsSyscall has an unaligned atomic load on 32-bit architectures * go#52366 cmd/compile/internal/ssa: occurred the wrong rewrite cycle detection * go#52375 runtime: executable compiled under Go 1.17.7 will occasionally wedge * go#52386 reflect: can set map elem with string key of a different string type * go#52441 cmd/compile: incorrect handling of iota in 1.18 * go#52468 cmd/go: go run -mod=mod [files...] 
does not update go.mod and go.sum * go#52558 cmd/compile: cannot convert v (variable of type *Bar[T]) to type *Foo[T] * go#52606 cmd/compile: internal compiler error: weird package in name: .dict0 => .dict0 from "", not "test/p" * go#52615 sync/atomic: compare and swap of inconsistently typed values with uninitialized Value * go#52691 cmd/compile: generic function appears to use incorrect type descriptor * go#52699 runtime: support debugCall on arm64 * go#52706 net: TestDialCancel is not compatible with new macOS ARM64 builders * go#52804 go/types: NewMethodSet doesn't terminate for recursively embedded generics ----------------------------------------------------------------------------- o Added go1.19 (feature) ## WARNING - the following diff is a head -20 proposal * Tue Dec 06 2022 jkowalczyk@suse.com - go1.19.4 (released 2022-12-06) includes security fixes to the net/http and os packages, as well as bug fixes to the compiler, the runtime, and the crypto/x509, os/exec, and sync/atomic packages. Refs boo#1200441 go1.19 release tracking CVE-2022-41717 CVE-2022-41720 * go#57009 boo#1206135 security: fix CVE-2022-41717 net/http: limit canonical header cache by bytes, not entries * go#57006 boo#1206134 security: fix CVE-2022-41720 os, net/http: avoid escapes from os.DirFS and http.Dir on Windows * go#56752 runtime,cmd/compile: apparent memory corruption in compress/flate * go#56710 net: builders failing TestLookupDotsWithRemoteSource and TestLookupGoogleSRV due to missing host for _xmpp-server._tcp.google.com * go#56672 crypto/tls: boringcrypto restricts RSA key sizes to 2048 and 3072 * go#56638 sync/atomic: atomic.Pointer[T] can be misused with type conversions. 
  * go#56636 runtime: traceback stuck in runtime.systemstack
  * go#56557 cmd/compile: some x/sys versions no longer build due to "go:linkname must refer to declared function or variable"
  * go#56551 os/exec: Plan 9 build has been broken by a Windows security fix (also breaks 1.19.3 and 1.18.8)
  * go#56438 crypto/x509: respect GODEBUG changes during program lifetime
-----------------------------------------------------------------------------
o Updated golang-github-prometheus-node_exporter (security/bugfix/feature)
- Exclude s390 arch.
- Update spec file in order to make --version work (bsc#1196652)
- Update vendor tarball with prometheus/client_golang 1.11.1 (bsc#1196338, jsc#SLE-24238, jsc#SLE-24239, jsc#SUMA-114, CVE-2022-21698)
  + Added 0001-Update-prometheus-client-to-1.11.1.patch
- Update to 1.3.0
  * [CHANGE] Add path label to rapl collector #2146
  * [CHANGE] Exclude filesystems under /run/credentials #2157
  * [CHANGE] Add TCPTimeouts to netstat default filter #2189
  * [FEATURE] Add lnstat collector for metrics from /proc/net/stat/ #1771
  * [FEATURE] Add darwin powersupply collector #1777
  * [FEATURE] Add support for monitoring GPUs on Linux #1998
  * [FEATURE] Add Darwin thermal collector #2032
  * [FEATURE] Add os release collector #2094
  * [FEATURE] Add netdev.address-info collector #2105
  * [FEATURE] Add clocksource metrics to time collector #2197
  * [ENHANCEMENT] Support glob textfile collector directories #1985
  * [ENHANCEMENT] ethtool: Expose node_ethtool_info metric #2080
  * [ENHANCEMENT] Use include/exclude flags for ethtool filtering #2165
  * [ENHANCEMENT] Add flag to disable guest CPU metrics #2123
  * [ENHANCEMENT] Add DMI collector #2131
  * [ENHANCEMENT] Add threads metrics to processes collector #2164
  * [ENHANCEMENT] Reduce timer GC delays in the Linux filesystem collector #2169
  * [ENHANCEMENT] Add TCPTimeouts to netstat default filter #2189
  * [ENHANCEMENT] Use SysctlTimeval for boottime collector on BSD #2208
  * [BUGFIX] ethtool: Sanitize metric names #2093
  * [BUGFIX]
Fix ethtool collector for multiple interfaces #2126 * [BUGFIX] Fix possible panic on macOS #2133 * [BUGFIX] Collect flag_info and bug_info only for one core #2156 * [BUGFIX] Prevent duplicate ethtool metric names #2187 - Update to 1.2.2 * Bug fixes Fix processes collector long int parsing #2112 - Update to 1.2.1 * Removed Remove obsolete capture permission denied error patch capture-permission-denied-error-energy_uj.patch: Already included upstream * Bug fixes Fix zoneinfo parsing prometheus/procfs#386 Fix nvme collector log noise #2091 Fix rapl collector log noise #2092 - Update to 1.2.0 * Changes Rename filesystem collector flags to match other collectors #2012 Make node_exporter print usage to STDOUT #203 * Features Add conntrack statistics metrics #1155 Add ethtool stats collector #1832 Add flag to ignore network speed if it is unknown #1989 Add tapestats collector for Linux #2044 Add nvme collector #2062 * Enhancements Add ErrorLog plumbing to promhttp #1887 Add more Infiniband counters #2019 netclass: retrieve interface names and filter before parsing #2033 Add time zone offset metric #2060 * Bug fixes Handle errors from disabled PSI subsystem #1983 Fix panic when using backwards compatible flags #2000 Fix wrong value for OpenBSD memory buffer cache #2015 Only initiate collectors once #2048 Handle small backwards jumps in CPU idle #2067 - Apply patch to capture permission denied error for "energy_uj" file (bsc#1190535) * Adds patch capture-permission-denied-error-energy_uj.patch from https://github.com/prometheus/node_exporter/pull/2092 ----------------------------------------------------------------------------- o Updated google-gson (security/bugfix/feature) - Build with Java >= 9 in order to produce a modular jar by compiling the module-info.java sources with all other classes built with release 8 and still compatible with Java 8 - Removed patch: * allow-build-with-java8.patch + not needed in this setting - Upgrade to version 2.8.9 (jsc#SLE-24261) * fixes 
bsc#1199064, CVE-2022-25647 - Removed patch: * sun-misc.patch + integrated upstream - Build with source and target levels 8 - Upgrade to version 2.8.8 - Removed patch: * fix-test.patch + integrated upstream - Modified patches: * no-template-plugin.patch * osgi-export-internal.patch + rediff to changed context - Added patches: * allow-build-with-java8.patch + lower the unnecessary requirement of Java 9 * sun-misc.patch + make import of sun.misc optional since not all versions of jdk export it ----------------------------------------------------------------------------- o Updated google-guest-agent (security/bugfix/feature) - Bump go API version to 1.18 (bsc#1208723) + Address CVE-2021-38297 and CVE-2022-23806 - Update to version 20230221.00 * Allow a comment part of a pub ssh key to have an arbitrary format (#198) + Split GetUserKey() into two functions: get and validate + Correct the name of ValidateUser func as it validates only users + Update tests * Update OWNERS (#201) - from version 20230207.00 * Update OWNERS file (#199) - Update to version 20230112.00 * Updating logging module so cloud logs are flushed prior to exit (#196) * Windows: retry adding MDS route (#194) - Update to version 20221109.00 * Validate user key for whitespace chars (#188) - from version 20221107.00 * Fix typo with wsfc agent (#189) - from version 20221104.00 * Updates to gce-workload-cert-refresh (#186) - from version 20221025.00 * Add workload cert refresh to preset (#185) - Update to version 20221018.00 * Write workload cert status file (#184) - from version 20221017.00 * Update workload_cert permissions (#180) - Update to version 20220927.00 * Workload certificate refresh (#182) - Update to version 20220824.00 * Workload certs (#177) - from version 20220823.00 * add members to OWNERS (#178) * Expired key tests (#176) * correct expired key handling (#175) - avoid bashism in post-install scripts (bsc#1195391) - Update to version 20220713.00 (bsc#1202100, bsc#1202101) * try restoring 
module mode (#172) * update for golang 1.16 (#171) - from version 20220614.00 * Remove log that can break startup scripts (#170) - from version 20220603.00 * repeat fix for arm (#169) * no authorized keys on debian (#168) - from version 20220527.00 * Add authorized keys command to the Windows agent package. (#167) * Support for Windows SSH (#164) - from version 20220523.00 * restore double slash metadata url (#166) - from version 20220520.00 * Support .exe as an option for scripts and refactor runScript (#165) - Update to version 20220429.00 * Move some functionality to a utils module (#162) - Update to version 20220412.00 * enable goproxy during build (#163) - from version 20220321.00 * enable routes for ipv6 (#160) ----------------------------------------------------------------------------- o Updated google-guest-configs (security/bugfix/feature) - Add nvme-cli to Requires (bsc#1204068, bsc#1204091) - Update to version 20220211.00 (bsc#1195437, bsc#1195438) * Set NVMe-PD IO timeout to 4294967295. 
(#32) ----------------------------------------------------------------------------- o Updated google-guest-oslogin (security/bugfix/feature) - Update to version 20220721.00 (bsc#1202100, bsc#1202101) * prune outdated info from readme (#86) - from version 20220714.00 * strip json-c version symbol (#84) - from version 20220622.00 * pam login: split conditions for logging (#83) - use pam_moduledir (boo#1191036) * Support UsrMerge project - Update to version 20220411.00 * pam login: split conditions for logging (#83) ----------------------------------------------------------------------------- o Added go (feature) ## WARNING - the following diff is a head -20 proposal * Tue Aug 23 2022 jkowalczyk@suse.com - Update to current stable go1.19 Refs boo#1200441 go1.19 release tracking - Add define tsan_arch s390x ppc64le new in go1.19 * Fri Apr 08 2022 jkowalczyk@suse.com - Update to current stable go1.18 Refs boo#1193742 go1.18 release tracking * Tue Sep 21 2021 jkowalczyk@suse.com - Update to current stable go1.17 Refs boo#1190649 go1.17 release tracking * Fri Feb 26 2021 jkowalczyk@suse.com - Update to current stable go1.16 Refs boo#1182345 go1.16 release tracking ----------------------------------------------------------------------------- o Updated gpg2 (security/bugfix/feature) - Security fix [CVE-2022-34903, bsc#1201225] - Vulnerable to status injection - Added patch gnupg-CVE-2022-34903.patch - gnupg-detect_FIPS_mode.patch: use AES as default cipher instead of 3DES if we are in FIPS mode. 
(bsc#1196125) ----------------------------------------------------------------------------- o Updated graphite2 (security/bugfix/feature) - fixed license string [bsc#1207676]: LGPL-2.1-or-later OR MPL-2.0 OR GPL-2.0-or-later ----------------------------------------------------------------------------- o Updated grep (security/bugfix/feature) - Make profiling deterministic (bsc#1040589, SLE-24115) ----------------------------------------------------------------------------- o Updated grpc (security/bugfix/feature) - Update in SLE-15 (bsc#1197726) - Add conditional to build without python2 if needed ----------------------------------------------------------------------------- o Updated grub2 (security/bugfix/feature) - Make grub more robust against storage race condition causing system boot failures (bsc#1189036) * 0001-ieee1275-ofdisk-retry-on-open-and-read-failure.patch - Move unsupported zfs modules into 'extras' packages (bsc#1205554) (PED-2947) - Fix out of memory error on lpar installation from virtual cdrom (bsc#1208024) * 0001-ieee1275-Further-increase-initially-allocated-heap-f.patch * 0002-tpm-Disable-tpm-verifier-if-tpm-is-not-present.patch - Fix lpar got hung at grub after inactive migration (bsc#1207684) * 0002-ieee1275-implement-vec5-for-cas-negotiation.patch - Fix nvmf boot device setup (bsc#1207811) * 0001-grub2-Can-t-setup-a-default-boot-device-correctly-on.patch - Fix unknown filesystem error on disks with 4096 sector size (bsc#1207064) * 0001-grub-core-modify-sector-by-sysfs-as-disk-sector.patch - Make grub.cfg invariant to efi and legacy platforms (bsc#1205200) - Removed patch linuxefi * grub2-secureboot-provide-linuxefi-config.patch * grub2-secureboot-use-linuxefi-on-uefi-in-os-prober.patch * grub2-secureboot-use-linuxefi-on-uefi.patch - Rediff * grub2-btrfs-05-grub2-mkconfig.patch * grub2-efi-xen-cmdline.patch * grub2-s390x-05-grub2-mkconfig.patch * grub2-suse-remove-linux-root-param.patch - Setup multiple device paths for a nvmf boot device 
(bsc#1205666) * 0001-grub2-Set-multiple-device-path-for-a-nvmf-boot-devic.patch - Add tpm to signed grub.elf image (PED-1990) (bsc#1205912) - Increase initial heap size from 1/4 to 1/3 * 0001-ieee1275-Increase-initially-allocated-heap-from-1-4-.patch - Support grub2-install on LUKS2 encrypted device * 0001-devmapper-getroot-Have-devmapper-recognize-LUKS2.patch * 0002-devmapper-getroot-Set-up-cheated-LUKS2-cryptodisk-mo.patch * 0003-disk-cryptodisk-When-cheatmounting-use-the-sector-in.patch - Security fixes and hardenings * 0001-font-Reject-glyphs-exceeds-font-max_glyph_width-or-f.patch * 0002-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch - Fix CVE-2022-2601 (bsc#1205178) * 0003-font-Fix-several-integer-overflows-in-grub_font_cons.patch * 0004-font-Remove-grub_font_dup_glyph.patch * 0005-font-Fix-integer-overflow-in-ensure_comb_space.patch * 0006-font-Fix-integer-overflow-in-BMP-index.patch * 0007-font-Fix-integer-underflow-in-binary-search-of-char-.patch * 0008-fbutil-Fix-integer-overflow.patch - Fix CVE-2022-3775 (bsc#1205182) * 0009-font-Fix-an-integer-underflow-in-blit_comb.patch * 0010-font-Harden-grub_font_blit_glyph-and-grub_font_blit_.patch * 0011-font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch * 0012-normal-charset-Fix-an-integer-overflow-in-grub_unico.patch - Bump upstream SBAT generation to 3 - NVMeoFC support on grub (jsc#PED-996) * 0001-ieee1275-add-support-for-NVMeoFC.patch * 0002-ieee1275-ofpath-enable-NVMeoF-logical-device-transla.patch * 0003-ieee1275-change-the-logic-of-ieee1275_get_devargs.patch * 0004-ofpath-controller-name-update.patch - TDX: Enhance grub2 measurement to TD RTMR (jsc#PED-1265) * 0001-commands-efi-tpm-Refine-the-status-of-log-event.patch * 0002-commands-efi-tpm-Use-grub_strcpy-instead-of-grub_mem.patch * 0003-efi-tpm-Add-EFI_CC_MEASUREMENT_PROTOCOL-support.patch - Measure the kernel on POWER10 and extend TPM PCRs (PED-1990) * 0001-ibmvtpm-Add-support-for-trusted-boot-using-a-vTPM-2..patch * 
0002-ieee1275-implement-vec5-for-cas-negotiation.patch - Include loopback into signed grub2 image (jsc#PED-2150) - Add patches for automatic TPM disk unlock (jsc#SLE-24018) (bsc#1196668) (jsc#PED-1276) * 0001-luks2-Add-debug-message-to-align-with-luks-and-geli-.patch * 0002-cryptodisk-Refactor-to-discard-have_it-global.patch * 0003-cryptodisk-Return-failure-in-cryptomount-when-no-cry.patch * 0004-cryptodisk-Improve-error-messaging-in-cryptomount-in.patch * 0005-cryptodisk-Improve-cryptomount-u-error-message.patch * 0006-cryptodisk-Add-infrastructure-to-pass-data-from-cryp.patch * 0007-cryptodisk-Refactor-password-input-out-of-crypto-dev.patch * 0008-cryptodisk-Move-global-variables-into-grub_cryptomou.patch * 0009-cryptodisk-Improve-handling-of-partition-name-in-cry.patch * 0010-protectors-Add-key-protectors-framework.patch * 0011-tpm2-Add-TPM-Software-Stack-TSS.patch * 0012-protectors-Add-TPM2-Key-Protector.patch * 0013-cryptodisk-Support-key-protectors.patch * 0014-util-grub-protect-Add-new-tool.patch - Fix no disk unlocking happen (bsc#1196668) * 0001-crytodisk-fix-cryptodisk-module-looking-up.patch - Fix build error * fix-tpm2-build.patch - Fix installation failure due to unavailable nvram device on ppc64le (bsc#1201361) * 0001-grub-install-set-point-of-no-return-for-powerpc-ieee1275.patch - Security fixes and hardenings for boothole 3 / boothole 2022 (bsc#1198581) * 0001-video-Remove-trailing-whitespaces.patch * 0002-loader-efi-chainloader-Simplify-the-loader-state.patch * 0003-commands-boot-Add-API-to-pass-context-to-loader.patch - Fix CVE-2022-28736 (bsc#1198496) * 0004-loader-efi-chainloader-Use-grub_loader_set_ex.patch - Fix CVE-2022-28735 (bsc#1198495) * 0005-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch * 0006-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch * 0007-video-readers-png-Abort-sooner-if-a-read-operation-f.patch * 0008-video-readers-png-Refuse-to-handle-multiple-image-he.patch - Fix CVE-2021-3695 (bsc#1191184) * 
0009-video-readers-png-Drop-greyscale-support-to-fix-heap.patch - Fix CVE-2021-3696 (bsc#1191185) * 0010-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch * 0011-video-readers-png-Sanity-check-some-huffman-codes.patch * 0012-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch * 0013-video-readers-jpeg-Do-not-reallocate-a-given-huff-ta.patch * 0014-video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch - Fix CVE-2021-3697 (bsc#1191186) * 0015-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch * 0016-normal-charset-Fix-array-out-of-bounds-formatting-un.patch - Fix CVE-2022-28733 (bsc#1198460) * 0017-net-ip-Do-IP-fragment-maths-safely.patch * 0018-net-netbuff-Block-overly-large-netbuff-allocs.patch * 0019-net-dns-Fix-double-free-addresses-on-corrupt-DNS-res.patch * 0020-net-dns-Don-t-read-past-the-end-of-the-string-we-re-.patch * 0021-net-tftp-Prevent-a-UAF-and-double-free-from-a-failed.patch * 0022-net-tftp-Avoid-a-trivial-UAF.patch * 0023-net-http-Do-not-tear-down-socket-if-it-s-already-bee.patch - Fix CVE-2022-28734 (bsc#1198493) * 0024-net-http-Fix-OOB-write-for-split-http-headers.patch - Fix CVE-2022-28734 (bsc#1198493) * 0025-net-http-Error-out-on-headers-with-LF-without-CR.patch * 0026-fs-f2fs-Do-not-read-past-the-end-of-nat-journal-entr.patch * 0027-fs-f2fs-Do-not-read-past-the-end-of-nat-bitmap.patch * 0028-fs-f2fs-Do-not-copy-file-names-that-are-too-long.patch * 0029-fs-btrfs-Fix-several-fuzz-issues-with-invalid-dir-it.patch * 0030-fs-btrfs-Fix-more-ASAN-and-SEGV-issues-found-with-fu.patch * 0031-fs-btrfs-Fix-more-fuzz-issues-related-to-chunks.patch * 0032-Use-grub_loader_set_ex-for-secureboot-chainloader.patch - Update SBAT security contact (boo#1193282) - Bump grub's SBAT generation to 2 - Use boot disks in OpenFirmware, fixing regression caused by 0001-ieee1275-implement-FCP-methods-for-WWPN-and-LUNs.patch, when the root LV is completely in the boot LUN (bsc#1197948) * 
0001-ofdisk-improve-boot-time-by-lookup-boot-disk-first.patch ----------------------------------------------------------------------------- o Updated gspell (security/bugfix/feature) - Update to version 1.10.0: + Build from git: some updates, take newer version of autoconf-archive. + Build: distribute more files in tarballs. + Documentation improvements. + Translation updates. ----------------------------------------------------------------------------- o Updated gstreamer-plugins-bad (security/bugfix/feature) - Remove sys/decklink since that contains a non-standard license and disable the decklink plugin - Stop building openh264 by default even on 3rd party buildservices, do this via bcond. Codec now available via a special repo. - Enable zxing again, now that the updated version has landed. - Temporarily disable zxing, waiting for updated version to land in Factory. - Add patch to reduce the required meson version to 0.61.0 since that's what we have in SLE 15: * reduce-required-meson.patch - Probably because of a problem in SLE's meson, the generated pkgconfig files are missing some variables that are needed by rpm to generate the pkgconfig(...) provides correctly. In order to fix this, we now check for those variables and insert them in the pc files before installation if they're missing. - Only build the microdns plugin in TW since SLE is missing the required dependencies. - Add new shared libs libgstcuda-1_0-0 and libgstwebrtcnice-1_0-0 to baselibs.conf. - Update to version 1.22.0: + Please see changes in gstreamer main package, major version bump. - Pass amfcodec=disabled and directshow=disabled to meson, not supported on linux (yet?). - Build qsv plugin only for supported targets via passing conditional qsv=disabled/enabled to meson. - Add pkgconfig(gtk+-3.0) BuildRequires: New dependency. 
- Package new sub-packages + libgstcuda-1_0-0 + libgstwebrtcnice-1_0-0 + typelib-1_0-CudaGst-1_0 + typelib-1_0-GstCuda-1_0 + typelib-1_0-GstVa-1_0 - Update to version 1.20.5: + aesdec: - Fix padding removal for per-buffer-padding=FALSE - Fix test failing in gst-plugins-bad + alphacombine: Add missing query handler for gaps + avfdeviceprovider: do not leak the properties + avfvideosrc: Report latency when doing screen capture + d3d11screencapturesrc: Specify PAR 1/1 to template caps + d3d11videosink: - Fixing focus lost on desktop layout change - Call ShowWindow() from window thread - Fix deadlock when parent window is busy - Always clear back buffer on resize + decklink: reset calculation of time_mapping to fix clipping HDMI video + directshow: Fix build error with glib 2.75 and newer + dvbsubenc: - Forward GAP events as-is if we wouldn't produce an end packet - Write Display Definition Segment if a non-default width/height is used + h265decoder: Do not abort when failed to prepare ref pic set + h264parser: Fix a typo in pred_weight_table parsing. + mediafoundation, d3d11: Fix memory leak and make leak tracer happy + mpegts: - Handle when iconv doesn't support ISO 6937 (e.g. musl libc) - Check continuity counter on section streams + mpegtsdemux: Always clear packetizer on DISCONT push mode + srt: various fixes - improve stats and error handling + rtmp2: Improve error messages + rtmp2sink: Correctly return GST_FLOW_ERROR on error + vulkan: Fix static linking on macOS + webrtcbin: also add rtcp-fb ccm fir for video mlines by default + webrtc/nice: fix small leak of split strings - Update to version 1.20.4: + amcvideodec: fix GstAmcSurfaceTexture segfault. + audiobuffersplit: Fix drift that was introduced by wrong calculations in gapless mode. + audiovisualizer: fix buffer mapping to not increase refcount. + avfvideosrc: Fix wrong default framerate value. + d3d11decoder: Check 16K resolution support. 
+ d3d11videosink: Fix for force-aspect-ratio setting when rendering on shared texture. + GstPlay: missing cleanup for g_autoptr. + mxfdemux: Always calculate BlockAlign of raw audio to work around files with broken BlockAlign field in the headers. + nvdec: Fix for HEVC decoding when coded resolution is larger than display resolution. + openh264enc: Fix constrained-high encoding. + openh264: Register debug categories earlier. + openmpt: update from now deprecated api. + player/play: Fix object construction and various leaks. + player: Plug a memory leak. + proxysink: Make sure stream-start and caps events are forwarded, and fix memory leak. + tests: skip unit tests for dependency-less elements that have been disabled. + tsdemux: Don't trigger a program change when falling back to ignore-pcr behaviour. + va: - allocator: Fix translation of VADRMPRIMESurfaceDescriptor. - h265dec: Fix a crash because of missing reference frame. - vah265dec: Decoder segfaults on seek. + wasapi2: Fix initial mute/volume setting. + wasapi: Implement default audio channel mask. + webrtcbin: - Fix pointer dereference before null check. - Limit sink query to sink pads. + webrtc: Make sure to return NULL when validating TURN server fails. - Drop va-allocator-fix.patch: fixed upstream. - Build microdns support. Following this add pkgconfig(microdns) BuildRequires and pass microdns=enabled to meson. - Add va-allocator-fix.patch: va: allocator: Fix translation of VADRMPRIMESurfaceDescriptor + va: allocator: Use always lseek to get dmabuf size. 
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2657 - Update to version 1.20.3: + GstPlay: Fix new error + warning parsing API (was unusable before) + av1parse: let the parser continue on verbose OBUs + d3d11converter: Fix RGB to GRAY conversion, broken debug messages, and add missing GRAY conversion + gs: look for google_cloud_cpp_storage.pc + ipcpipeline: fix crash and error on windows with SOCKET or _pipe() + ivfparse: Don't set zero resolution on caps + mpegtsdemux: Handle PES headers bigger than a mpeg-ts packet; fix locking in error code path; handle more program updates + mpegtsmux: Start last_ts with GST_CLOCK_TIME_NONE to fix VBR muxing behaviour + mpegtsmux: Thread safety fixes: lock mux->tsmux, the programs hash table, and pad streams + mpegtsmux: Skip empty buffers + osxaudiodeviceprovider: Add initial support for duplex devices on OSX + rtpldacpay: Fix missing payload information + sdpdemux: add media attributes to caps, fixes ptp clock handling + mfaudioenc: Handle empty IMFMediaBuffer + nvdecoder: Various fixes for 4:4:4 and high-bitdepth decoding + nvenc: Fix deadlock because of too strict buffer pool size + va: fix library build issues, caps leaks in the vpp transform function, and add vaav1dec to documentation + v4l2codecs: vp9: Minor fixes + v4l2codecs: h264: Correct scaling matrix ABI check + dtlstransport: Notify ICE transport property changes + webrtc: Various fixes to the webrtc-sendrecv python example + webrtc-ice: Fix memory leaks in gst_webrtc_ice_add_candidate() + Support build against libfreeaptx in openaptx plugin + Fix linking issues on Illumos distros - removed libkms BuildRequires, since it has been dropped from libdrm - Update to version 1.20.2: + av1parse: Fix several issues about the colorimetry. 
+ av1parse: fix up various possible logic errors + dashsink: fix missing mutex unlock in error code path when failing to get content + d3d11videosink: Fix for unhandled mouse double click events + interlace: Also handle a missing "interlace-mode" field as progressive + msdk: fix build with MSVC + mxfdemux: Fix issues at EOS + mxfdemux: Handle empty VANC packets + nvh264dec, nvh265dec: Fix broken key-unit trick and reverse playback + nvvp9sldec: Increase DPB size to cover render delay + rvsg: fix cairo include + tsdemux: Fix AC-4 detection in MPEG-TS + tsdemux: Handle "empty" PMT gracefully + va: pool: don't advertise the GST_BUFFER_POOL_OPTION_VIDEO_ALIGNMENT option any more + v4l2codecs: Fix memory leak + v4l2videodec: set frame duration according to framerate + webrtcbin: Update documentation of 'get-stats' action signal + webrtcbin: Check data channel transport for notifying 'ice-gathering-state' + webrtcbin: Avoid access of freed memory + wpe: Reintroduce persistent WebContext + Build: use CMake to find some openssl and exr deps + Fix multiple "unused-but-set variable" compiler warnings - Drop patch already included in 1.20.2: + 8440e2a373e5ce681d15f5880cb2f2562be332cf.patch - Disable ldacBT on ppc64: ldacBT is not available there. - Add spandsp3.patch: Fix build with spandsp 3.x by including private headers. ----------------------------------------------------------------------------- o Updated gstreamer-plugins-base (security/bugfix/feature) - Add patch to reduce the required meson version to 0.61.0 since that's what we have in SLE 15: * reduce-required-meson.patch - Probably because of a problem in SLE's meson, the generated pkgconfig files are missing some variables that are needed by rpm to generate the pkgconfig(...) provides correctly. In order to fix this, we now check for those variables and insert them in the pc files before installation if they're missing. - Update to version 1.22.0: + Please see changes in gstreamer main package, major version bump. 
- Rebase patches with quilt. - Add pkgconfig(xi) BuildRequires: New dependency. - Update to version 1.20.5: + audioconvert, audioresample, audiofilter: fix divide by 0 for input buffer without caps + cdparanoia: Ignore compiler warning coming from the cdparanoia header + oggdemux, parsebin: More leak fixes + opengl: - Fix automatic dispmanx detection for rpi4 - Fix usage of eglCreate/DestroyImage - Fix static linking on macOS + Bump core requirement in 1.20 branch to 1.20.4 + oggdemux: Don't leak incoming EOS event + opusdec: Various channel-related fixes + subparse: Fix non-closed tag handling. + textrender: - Don't blindly forward all events and don't blindly forward all events - Negotiate caps on a GAP event if none were negotiated yet + timeoverlay: fix pad leak + videodecoder: Only post latency message if it changed + videoscale: buffer meta handling fixes (NULL-terminate array of valid meta tags) + videosink: Don't return unknown end-time from get_times() - Update to version 1.20.4: + decodebin3: - Fix mutex leaks - Fix memory issues with active selection list - uridecodebin3, urisourcebin: Event handling fixes - Fix EOS event sequence + parsebin: - Avoid crash with unknown streams - SIGSEGV during HLS stream using souphttpsrc + glimagesink: - Only allow setting the GL display/context if it is a valid value - Segfault on android devices + gstgl: Fix several memory leaks in macOS + opusenc: improve inband-fec property documentation + playsink: Hold a reference to the soft volume element + pbutils: descriptions: fix gst_pb_utils_get_caps_description_flags() + rtspurl: Use gst_uri_join_strings() in gst_rtsp_url_get_request_uri_with_control() instead of a hand-crafted, wrong version + rtspconnection: protect cancellable by a mutex + sdpmessage: Don't set SDP medias from caps without media/payload/clock-rate fields + samiparse: fix handling of self-closing tags + ssaparse: include required system headers for isspace() and sscanf() functions + subparse: fix crash 
when parsing invalid timestamps in mpl2 + subparse fixes + textoverlay: Don't miscalculate text running times + videoaggregator: always convert when user provides converter-config + video: Fix scaling in 4x horizontal co-sited chroma (Y41B, YUV9, YVU9 and IYU9) + xmptag: register musicbrainz tags during init to fix critical in jpegparse + xvimagesink: fix image leaks in error code path + tests: skip unit tests for dependency-less elements that have been disabled - Update to version 1.20.3: + typefindfunctions: Fix WebVTT format detection for very short files + gldisplay: Reorder GST_GL_WINDOW check for egl-device + rtpbasepayload: Copy all buffer metadata instead of just GstMetas for the input meta buffer + codec-utils: Avoid out-of-bounds error + navigation: Fix Since markers for mouse scroll events + videoaggregator: Fix for unhandled negative rate + videoaggregator: Use floor() to calculate current position + video-color: Fix for missing clipping in PQ EOTF function + gst-play-1.0: Fix trick-mode handling in keyboard shortcut + audiovisualizer: shader: Fix out of bound write - Update to version 1.20.2: + appsrc: Clarify buffer ref semantics in signals documentation + appsrc: fix annotations for bindings + typefind: Skip extension parsing for data:// URIs, fixing regression with mp4 files serialised to data uris + playbin3: various fixes + playbin3: fix missing lock when unknown stream type in pad-removed cb + decodebin3: fix collection leaks + decodebin3: Don't duplicate stream selections + discoverer: chain up to parent finalize methods in all our types to fix memory leaks + glmixerbin: slightly better pad/element creation + gltransformation: let graphene alloc its structures memory aligned + ogg: fix possible buffer overrun + rtpbasepayload: Don't write header extensions if there's no corresponding... 
+ rtpbasepayload: always store input buffer meta before negotiation + rtpbasepayload: fix transfer annotation for push and push_list + subparse: don't try to index string with -1 + riff-media: fix memory leak after usage for g_strjoin() + playbin/playbin3: Allow setting a NULL URI + playsink: Complete reconfiguration on pad release. + parsebin: Expose streams of unknown type + pbutils: Fix wmv screen description detection + subparse: don't deref a potentially NULL variable + rawvideoparse: set format from caps in gst_raw_video_parse_set_config_from_caps + videodecoder: release stream lock after handling gap events + videorate: fix assertion when pushing last and only buffer without duration + videorate: Revert "don't reset on segment update" to fix segment handling regressions + gst-play-1.0, gst-launch-1.0: Enable win32 high-resolution timer also for MinGW build - Drop patch already included in 1.20.2: + 5a074a11f90e3d70b24bf0c535ab0480fad9e701.patch ----------------------------------------------------------------------------- o Updated gstreamer-plugins-good (security/bugfix/feature) - Add patch to reduce the required meson version to 0.61.0 since that's what we have in SLE 15: * reduce-required-meson.patch - Update to version 1.22.0: + Please see changes in gstreamer main package, major version bump. - Add disabled pkgconfig(Qt6Core), pkgconfig(Qt6Gui), pkgconfig(Qt6Qml), pkgconfig(Qt6Quick) and pkgconfig(Qt6WaylandClient) BuildRequires and pass Dqt6=disabled to meson, do not build qt6 support yet. - Fixed in 1.21.1: + avoid integer overflow in WavPack header handling code (boo#1201688 CVE-2022-1920). + fix integer overflow resulting in heap corruption (boo#1201693 CVE-2022-1921). + fix integer overflows in zlib/bz2/etc. decompression (boo#1201702 boo#1201704 boo#1201706 boo#1201707 boo#1201708 CVE-2022-1922 CVE-2022-1923 CVE-2022-1924 CVE-2022-1925 CVE-2022-2122). 
- Update to version 1.20.5: + flacparse: Fix handling of headers advertising 32bps + multiudpsink: allow binding to IPv6 address + oss4: Fix debug category initialization + qt5: - Deactivate context if fill_info fails - Initialize GError properly in gst_qt_get_gl_wrapcontext() + qtdemux: - Check return value from gst_structure_get in PIFF box - Use unsigned int types to store result of QT_UINT32 - Prefill mode fixes + rtpjitterbuffer tests: Cast drop-messages-interval type properly (fixing it on 32-bit architectures) + rtspsrc: - Don't replace 404 errors with "no auth protocol found" - Fix seek event leaks - Fix usage of IPv6 connections in SETUP - Only EOS on timeout if all streams are timed out/EOS + splitmuxsrc: don't queue data on unlinked pads + v4l2: Fix SIGSEGV on 'change state' during 'format change' + v4l2videodec: Fix activation of internal pool + wavparse: - Avoid occasional crash due to referencing freed buffer. - Fix crash that occurs in push mode when header chunks are corrupted in certain ways. - Update to version 1.20.4: + alpha: fix stride issue when out buffer has padding on right + isoff: Fix earliest pts field parse issue + matroska-mux: allow width + height changes for avc3|hev1|vp8|vp9 + qt: Fix another instance of Qt/GStreamer both defining GLsync differently + qtdemux: - Avoid crash on reconfiguring. 
- Guard against timestamp calculation overflow in gap event loop - Don't use invalid values from failed trex parsing - Possible endless loop + rtpjitterbuffer: - Only unschedule timers for late packets if they're not RTX packets and only once - Remove lost timer for out of order packets + rtspsrc: - SETUP generates 400 Bad Request - Retry SETUP with non-compliant URL resolution on "Bad Request" and "Not found" + rtpst2022-1-fecenc: Drain column packets on EOS + rtpvp8depay: If configured to wait for keyframes after packet loss, also do that if incomplete frames are detected + splitmuxsink: Don't crash on EOS without buffer + splitmuxsrc: - Stop pad task before cleanup - Don't consider unlinked pads when deactivating part + soup: libsoup3 makes audio streaming stop + v4l2: fix critical when unreferencing buffer with no data + v4l2bufferpool: Fix debug trace + v4l2object: Add support for Apple's full-range bt709 colorspace variant 1:3:5:1 + v4l2videocodec: workaround for failure to fully drain frames preceding MIDSTREAM renegotiation + v4l2allocator: Fix invalid imported dmabuf fd + videoflip: Fix caps negotiation when method is selected + build failure trying to build jack examples + examples: don't try and build jack examples if jack was disabled + tests: skip unit tests for dependency-less elements that have been disabled - Update to version 1.20.3: + deinterlace: various bug fixes for yadif method + deinterlace: Refactor greedyh and fix planar formats + deinterlace: Prevent race between method configuration and latency query + gtk video sink: Fix rotation not being applied when paused + jpegdec: fix RGB conversion handling + matroskademux: improved ProRes video handling + matroskamux: Handle multiview-mode/flags/pixel-aspect-ratio caps fields correctly when checking caps equality on input caps changes + rtprtx: don't access type-system per buffer (performance optimisation); code cleanups + rtpulpfecenc: fix unmatched g_slice_free() + rtpvp8depay: fix crash when 
making GstRTPPacketLost custom event + qtmux: Don't post an error message if pushing a sample failed with FLUSHING (e.g. on pipeline shutdown) + soup: Lookup libsoup dylib files on Apple platforms & fix Cerbero static build on Android and iOS + souphttpsrc: element not present on iOS after 1.20.0 update + v4l2tuner: return NULL if no norm set + v4l2bufferpool: Fix race condition between qbuf and pool streamoff + meson: Don't build lame plugin with -Dlame=disabled - Update to version 1.20.2: + deinterlace: silence unused-but-set werror from imported code + qtdemux: fix leak of channel_mapping + rtpopusdepay: missing sprop-stereo should not assume mono + rtpjitterbuffer: Fix invalid memory access in rtp_jitter_buffer_pop() + rtpptdemux: fix leak of caps when ignoring a pt + rtpredenc: quieten warning about ignoring header extensions + soup: Fix pre-processor macros in souploader for libsoup-3.0 + twcc: Note that twcc-stats packet loss counts reordering as loss + add some logging + video4linux2: Manual backports for RPi users + wavparse: handle URI query in any parse state, fixing audio track selection issue in GES + wavparse: Unset DISCONT buffer flag for divided into multiple buffers in push mode ----------------------------------------------------------------------------- o Updated gstreamer-plugins-ugly (security/bugfix/feature) [x86_64] - Add patch to reduce the required meson version to 0.61.0 since that's what we have in SLE 15: * reduce-required-meson.patch - Update to version 1.22.0: + Please see changes in gstreamer main package, major version bump. - Update to version 1.20.5: + No changes, version bump only. - Update to version 1.20.4: + tests: skip unit tests for dependency-less elements that have been disabled. 
- Update to version 1.20.3: + x264enc: fix plugin long-name and description - Update to version 1.20.2: + x264enc: Don't try to fixate ANY allowed caps ----------------------------------------------------------------------------- o Updated gstreamer (security/bugfix/feature) - Add fix using sed to find gst-plugin-scanner-%{_target_cpu} program (boo#1207908). - Add patch to reduce the required meson version to 0.61.0 since that's what we have in SLE 15: * reduce-required-meson.patch - Probably because of a problem in SLE's meson, the generated pkgconfig files are missing some variables that are needed by rpm to generate the pkgconfig(...) provides correctly. In order to fix this, we now check for those variables and insert them in the pc files before installation if they're missing. - Update to version 1.22.0: + AV1 video codec support improvements + New HLS, DASH and Microsoft Smooth Streaming adaptive streaming clients + Qt6 support for rendering video inside a QML scene + Minimal builds optimised for binary size, including only the individual elements needed + Playbin3, Decodebin3, UriDecodebin3, Parsebin enhancements and stabilisation + WebRTC simulcast support and support for Google Congestion Control + WebRTC-based media server ingestion/egress (WHIP/WHEP) support + New easy to use batteries-included WebRTC sender plugin + Easy RTP sender timestamp reconstruction for RTP and RTSP + ONVIF timed metadata support + New fragmented MP4 muxer and non-fragmented MP4 muxer + New plugins for Amazon AWS storage and audio transcription services + New gtk4paintablesink and gtkwaylandsink renderers + New videocolorscale element that can convert and scale in one go for better performance + High bit-depth video improvements + Touchscreen event support in navigation API + Rust plugins now shipped in macOS and Windows/MSVC binary packages + H.264/H.265 timestamp correction elements for PTS/DTS reconstruction before muxers + Improved design for DMA buffer sharing and modifier 
handling for hardware-accelerated video decoders/encoders/filters and capturing/rendering on Linux + Video4Linux2 hardware accelerated decoder improvements + CUDA integration and Direct3D11 integration and plugin improvements + New H.264 / AVC, H.265 / HEVC and AV1 hardware-accelerated video encoders for AMD GPUs using the Advanced Media Framework (AMF) SDK + applemedia: H.265 / HEVC video encoding + decoding support + androidmedia: H.265 / HEVC video encoding support + New "force-live" property for audiomixer, compositor, glvideomixer, d3d11compositor etc. + Lots of new plugins, features, performance improvements and bug fixes - Rebase patches with quilt. - update to 1.20.5: + This release only contains bugfixes and it should be safe to upgrade from 1.20.x. + systemclock waiting fixes for certain 32-bit platforms/libcs + alphacombine: robustness improvements for corner case scenarios + avfvideosrc: Report latency when doing screen capture + d3d11videosink: various thread-safety and stability fixes + decklink: fix performance issue when HDMI signal has been lost for a long time + flacparse: Fix handling of headers advertising 32 bits per sample + mpegts: Handle when iconv doesn't support ISO 6937 (e.g. musl libc) + opengl: fix automatic dispmanx detection for rpi4 and fix usage of eglCreate/DestroyImage + opusdec: Various channel-related fixes + textrender: event handling fixes, esp. 
for GAP event + subparse: Fix non-closed tag handling + videoscale: fix handling of unknown buffer metas + videosink: reverse playback handling fixes + qtmux: Prefill mode fixes, especially for raw audio + multiudpsink: allow binding to IPv6 address + rtspsrc: - Fix usage of IPv6 connections in SETUP - Only EOS on timeout if all streams are timed out/EOS + splitmuxsrc: fix playback stall if there are unlinked pads + v4l2: Fix SIGSEGV on state change during format changes + wavparse robustness fixes + Fix static linking on macOS (opengl, vulkan) + gstreamer-vaapi: fix headless build against mesa >= 22.3.0 + GStreamer Editing Services library: Fix build with tools disabled + webrtc example/demo fixes + unit test fixes for aesdec and rtpjitterbuffer + Cerbero: Fix ios cross-compile with cmake on M1; some recipe updates and other build fixes + Miscellaneous bug fixes, memory leak fixes, and other stability and reliability improvements + Performance improvements + Changes in gstreamer base package: - allocator: Copy allocator name in gst_allocator_register() - concat: Properly propagate EOS seqnum - fakesrc: avoid time overflow with datarate - Fix build of 1.20 branch with Meson 0.64.1 for those who have hotdoc installed on their system. - gst-inspect: Don't leak list - meson: fix check for pthread_setname_np() - miniobject: support higher refcount values - pads: Fix non-serialized sticky event push, e.g. instant change rate events - padtemplate: Fix annotations - systemclock: Use futex_time64 syscall on x32 and other platforms that always... 
- -Wimplicit-function-declaration in pthread_setname_np check (missing GNUSOURCE) - Update to version 1.20.4: + Highlighted bugfixes in 1.20.4: - avaudiodec: fix playback issue with WMA files, would throw an error at EOS with FFmpeg 5.x - Fix deadlock when loading gst-editing-services plugin - Fix input buffering capacity in live mode for aggregator, video/audio aggregator subclasses, muxers - glimagesink: fix crash on Android - subtitle handling and subtitle overlay fixes - matroska-mux: allow width + height changes for avc3|hev1|vp8|vp9 - rtspsrc: fix control url handling for spec compliant servers and add fallback for incompliant servers - WebRTC fixes - RTP retransmission fixes - video: fixes for formats with 4x subsampling and horizontal co-sited chroma (Y41B, YUV9, YVU9 and IYU9) - Fix consuming of the macOS package as a framework in XCode - Performance improvements - Miscellaneous bug fixes, memory leak fixes, and other stability and reliability improvements + gstreamer: - buffer: drop parent meta in deep copy/foreach_metadata - devicemonitor: Use a sync bus handler for the provider to avoid accumulating all messages until the provider is stopped - element: Fix requesting of pads with string templates - gst: . Protect initialization state with a recursive mutex . Add missing define guard for build without gstreamer debug logging support - gst_init: Initialize static plugins just before dynamic plugins - info: Parse "NONE" as a valid level name - meta: Set the parent refcount of the GstStructure correctly - pluginloader: Don't hang on short reads/writes - tracers: leaks: . Fix potentially invalid memory access when trying to detect object type . Fix object-refings.class flags - uri: When setting the same string again do nothing - value: Don't loop forever when serializing invalid flag + Base Libraries: - aggregator: . Fix input buffering in live mode (was too low before in many cases) . Fix reversed active/flushing arguments in debug log output . 
Reset EOS flag after receiving a stream-start event + Core Elements: queue2: - Hold the lock when modifying sinkresult - Fix deadlock when deactivate is called in pull mode - Update to version 1.20.3 + Highlighted bugfixes: - Security fixes in Matroska, MP4 and AVI demuxers - Fix scrambled video playback with hardware-accelerated VA-API decoders on certain Intel hardware - playbin3/decodebin3 regression fix for unhandled streams - Fragmented MP4 playback fixes - Android H.265 encoder mapping - Playback of MXF files produced by FFmpeg before March 2022 - Fix rtmp2sink crashes on 32-bit platforms - WebRTC improvements - D3D11 video decoder and screen recorder fixes - Performance improvements - Support for building against OpenCV 4.6 and other build fixes - Miscellaneous bug fixes, memory leak fixes, and other stability and reliability improvements + gstreamer: - clock: Avoid creating a weakref with every entry (performance improvement) - plugin: add Apache 2 license to list of known licenses to avoid warning - gst_plugin_load_file: force plugin reload if filename differs Add support for LoongArch - Enable use of libunwind on riscv64 - Update to version 1.20.2 + Highlighted bugfixes: - avviddec: Remove vc1/wmv3 override and fix crashes on WMV files with FFMPEG 5.0+ - macOS: fix plugin discovery for GStreamer installed via brew and fix loading of Rust plugins - rtpbasepayload: various header extension handling fixes - rtpopusdepay: fix regression in stereo input handling if sprop-stereo is not advertised - rtspclientsink: fix possible shutdown deadlock - mpegts: gracefully handle "empty" program maps and fix AC-4 detection - mxfdemux: Handle empty VANC packets and fix EOS handling - playbin3: various playbin3, uridecodebin3, and playsink fixes - ptpclock: fix initial sync-up with certain devices - gltransformation: let graphene alloc its structures memory aligned - webrtcbin fixes and webrtc sendrecv example improvements - video4linux2: various fixes including some 
fixes for Raspberry Pi users - videorate segment handling fixes and other fixes - nvh264dec, nvh265dec: Fix broken key-unit trick modes and reverse playback - wpe: Reintroduce persistent WebContext - cerbero: Make it easier to consume 1.20.1 macOS GStreamer .pkgs - build fixes and gobject annotation fixes - bug fixes, security fixes, memory leak fixes, and other stability and reliability improvements + gstreamer: - devicemonitor: clean up signal handlers and hidden providers list - Leaks tracer: fix pthread_atfork return value check leading to bogus warning in log - Rust plugins: Not picked up by the plugin loader on macOS - Failed to use plugins of latest GStreamer version 1.20.x installed by brew on macOS - ptpclock: Allow at least 100ms delay between Sync/Follow_Up and Delay_Req/Delay_Resp messages. Fixes problems acquiring initial sync with certain devices - meson: Add -Wl,-rpath,${libdir} on macOS - registry: skip Rust dep builddirs when searching for plugins recursively ----------------------------------------------------------------------------- o Updated gtk3-doc (security/bugfix/feature) - Add compatible dependency "python3-gobject-Gdk if python3-gobject" to the typelib package for SLE and Leap (boo#1200614). - Add dependency "python3x-gobject-Gdk if python3x-gobject" to the typelib package (boo#1200614). - Update to version 3.24.34: + Include legacy hicolor icons. + Fix the build with gcc 12. + X11: Trap errors when getting output properties. + Wayland: Ignore empty preedit updates. This fixes a problem with textview scrolling. + Updated translations. - Update to version 3.24.33+12: + icons: add legacy icons (boo#1197480). + Updated translations. - Update to version 3.24.33: + No changes. - Update to version 3.24.32: + GtkCellRendererProgress: Use tabular figures. + GtkFontChooser: - Fix the build with older Pango. - Fix axis name handling. + Theme: Fix border color for tiled windows. + Accessibility: Fix cell accessible leak. 
  + Wayland:
    - Support new high-contrast setting.
    - Only update scale when on any outputs.
  + Updated translations.

-----------------------------------------------------------------------------

o Updated gtk3 (security/bugfix/feature)

- Add compatible dependency "python3-gobject-Gdk if python3-gobject" to the typelib package for SLE and Leap (boo#1200614).
- Add dependency "python3x-gobject-Gdk if python3x-gobject" to the typelib package (boo#1200614).
- Update to version 3.24.34:
  + Include legacy hicolor icons.
  + Fix the build with gcc 12.
  + X11: Trap errors when getting output properties.
  + Wayland: Ignore empty preedit updates. This fixes a problem with textview scrolling.
  + Updated translations.
- Update to version 3.24.33+12:
  + icons: add legacy icons (boo#1197480).
  + Updated translations.
- Update to version 3.24.33:
  + No changes.
- Update to version 3.24.32:
  + GtkCellRendererProgress: Use tabular figures.
  + GtkFontChooser:
    - Fix the build with older Pango.
    - Fix axis name handling.
  + Theme: Fix border color for tiled windows.
  + Accessibility: Fix cell accessible leak.
  + Wayland:
    - Support new high-contrast setting.
    - Only update scale when on any outputs.
  + Updated translations.

-----------------------------------------------------------------------------

o Updated gtk4 (security/bugfix/feature)

- Add compatible dependency "python3-gobject-Gdk if python3-gobject" to the typelib package for SLE and Leap (boo#1200614).
- Add dependency "python3x-gobject-Gdk if python3x-gobject" to the typelib package (boo#1200614).

-----------------------------------------------------------------------------

o Updated gtkmm3 (security/bugfix/feature)

- Update to version 3.24.6:
  + GTK: TreeValueProxy: Declare copy constructor = default, avoiding warnings from the clang++ compiler.
  + Object::_release_c_instance(): Unref orphan managed widgets.
  + SizeGroup demo: Set active items in the combo boxes, so something is shown.
  + Build with Meson: MSVC build: Support Visual Studio 2022.
  + Specify 'check' option in run_command().
  + Check if Perl is required for building documentation.
  + Don't use deprecated python3.path() and execute (..., gui_app...).

-----------------------------------------------------------------------------

o Updated gtk-vnc (security/bugfix/feature)

- Update to version 1.3.1:
  + Fix invalid use of subprojects with meson
  + Support ZRLE encoding for zero size alpha cursors
  + Add 'check' arg to meson run_command()

-----------------------------------------------------------------------------

o Added guestfs-tools (feature)

## WARNING - the following diff is a head -20 proposal

* Tue Oct 04 2022 carnold@suse.com
- jsc#PED-2104 [Virt Tools] Refresh Virtualization Tools for Xen and KVM Management
* Wed Jun 29 2022 carnold@suse.com
- bsc#1201064 - Libguestfs: Buffer overflow in get_keys leads to DOS - CVE-2022-2211
  CVE-2022-2211-options-fix-buffer-overflow-in-get_keys.patch
* Thu Jun 02 2022 carnold@suse.com
- Update to version 1.48.2
  * This is a bug fix release
* Mon May 16 2022 carnold@suse.com
- Update to version 1.48.1
  * This is a bug fix release

-----------------------------------------------------------------------------

o Updated gvfs (security/bugfix/feature)

- Update to version 1.48.2:
  + smb: Rework anonymous handling to avoid EINVAL (Ondrej Holy)
  + smb: Ignore EINVAL for kerberos/ccache login (Ondrej Holy)
  + sftp: Adapt on new OpenSSH password prompts (Ondrej Holy)
  + build: Remove incorrect i18n.merge_file argument to fix build (Ondrej Holy)
  + Translation updates
- Drop gvfs-smb-ignore-EINVAL-kerberos-ccache.patch: Fixed upstream.
- Drop 17a067b9b823a0d54e061eae45ff8e2c7e4a88d0.patch: Fixed upstream.
- Add gvfs-smb-ignore-EINVAL-kerberos-ccache.patch: ignore EINVAL for kerberos/ccache login. Fixes inability to mount smb shares with samba 4.16 (boo#1198718).
- Add 17a067b9b823a0d54e061eae45ff8e2c7e4a88d0.patch: Fix build with meson 0.61 and newer. Backported to apply on stable version.
- Modernize and fix our Supplements.
- Package org.gtk.vfs.file-operations.rules polkit rules file as an example in docs, previously it was just nuked.

-----------------------------------------------------------------------------

o Updated gzip (security/bugfix/feature)

- Add support to zstd in zgrep, fixes bsc#1198922
  * xz_lzma.patch -> xz_lzma_zstd.patch
- Fix escaping of malicious filenames (CVE-2022-1271 bsc#1198062)
  * bsc1198062.patch
  * bsc1198062-2.patch

-----------------------------------------------------------------------------

o Updated haproxy (security/bugfix/feature)

- VUL-0: serious vulnerability in the HTTP/1 parser (bsc#1208132)
  o Apply upstream patch:
    2.0-2.5-BUG-CRITICAL-http-properly-reject-empty-http-header-.patch
- The output buffer is not zero-initialized. If we don't clear reserved bytes, fcgi requests sent to backend will leak sensitive data.
  o Apply proposed patch:
    0001-output-buffer-is-not-zero-initialized.path
- VUL-0: CVE-2023-0056: haproxy: segfault DoS (bsc#1207181)
  o Apply upstream patch:
    0001-BUG-MEDIUM-mux-h2-Refuse-interim-responses-with-end-.patch
- (bsc#1196408) VUL-0: CVE-2022-0711: haproxy: Denial of service via set-cookie2 header
  o Apply upstream patch:
    0001-BUG-MAJOR-http-htx-prevent-unbounded-loop-in-http_ma.patch

-----------------------------------------------------------------------------

o Updated harfbuzz (security/bugfix/feature)

- Add harfbuzz-CVE-2022-33068.patch: sbix: limit glyph extents (boo#1200900 CVE-2022-33068).

-----------------------------------------------------------------------------

o Updated hawk2 (security/bugfix/feature)

- Update to version 2.6.4+git.1667244108.7a0cffe:
  * Fix detection of partial upgrade (bsc#1196673,bsc#1203367)
  * Improve handling of unmatched paths (bsc#1199258)
  * Set HttpOnly by HAWK_COOKIE_HTTP_ONLY=true (bsc#1198647)

-----------------------------------------------------------------------------

o Updated hdf5_1_10_8-gnu-hpc (security/bugfix/feature) [x86_64,aarch64]

- Fix CVE-2021-37501 - overflow in calculation of data buffer due to bogus input file (bsc#1207973).
  https://github.com/HDFGroup/hdf5/issues/2458
  https://github.com/HDFGroup/hdf5/pull/2459
  Check-for-overflow-when-calculating-on-disk-attribute-data-size-2459.patch
  Remove-duplicate-code.patch
- Fix CVEs:
  * CVE-2021-46244 (bsc#1195215)
    Compound-datatypes-may-not-have-members-of-size-0.patch
  * CVE-2018-13867 (bsc#1101906)
    Validate-location-offset-of-the-accumulated-metadata-when-comparing.patch
  * CVE-2018-16438 (bsc#1107069)
    Make-sure-info-block-for-external-links-has-at-least-3-bytes.patch
  * CVE-2020-10812 (bsc#1167400)
    Hot-fix-for-CVE-2020-10812.patch
  * CVE-2021-45830 (bsc#1194375)
    H5O_fsinfo_decode-Make-more-resilient-to-out-of-bounds-read.patch
  * CVE-2019-8396 (bsc#1125882)
    H5O__pline_decode-Make-more-resilient-to-out-of-bounds-read.patch
  * CVE-2018-11205 (bsc#1093663)
    Pass-compact-chunk-size-info-to-ensure-requested-elements-are-within-bounds.patch
  * CVE-2021-46242 (bsc#1195212)
    When-evicting-driver-info-block-NULL-the-corresponding-entry.patch
  * CVE-2021-45833 (bsc#1194366)
    Report-error-if-dimensions-of-chunked-storage-in-data-layout-2.patch
  * CVE-2018-14031 (bsc#1101475)
    H5O_dtype_decode_helper-Parent-of-enum-needs-to-have-same-size-as-enum-itself.patch
  * CVE-2018-17439 (bsc#1111598)
    H5IMget_image_info-H5Sget_simple_extent_dims-does-not-exceed-array-size.patch
- Fix an error message:
  Fix-error-message-not-the-name-but-the-link-information-is-parsed.patch

-----------------------------------------------------------------------------

o Updated hdf5_1_10_8-gnu-mpich-hpc (security/bugfix/feature) [x86_64,aarch64]

- Fix CVE-2021-37501 - overflow in calculation of data buffer due to bogus input file (bsc#1207973).
  https://github.com/HDFGroup/hdf5/issues/2458
  https://github.com/HDFGroup/hdf5/pull/2459
  Check-for-overflow-when-calculating-on-disk-attribute-data-size-2459.patch
  Remove-duplicate-code.patch
- Fix CVEs:
  * CVE-2021-46244 (bsc#1195215)
    Compound-datatypes-may-not-have-members-of-size-0.patch
  * CVE-2018-13867 (bsc#1101906)
    Validate-location-offset-of-the-accumulated-metadata-when-comparing.patch
  * CVE-2018-16438 (bsc#1107069)
    Make-sure-info-block-for-external-links-has-at-least-3-bytes.patch
  * CVE-2020-10812 (bsc#1167400)
    Hot-fix-for-CVE-2020-10812.patch
  * CVE-2021-45830 (bsc#1194375)
    H5O_fsinfo_decode-Make-more-resilient-to-out-of-bounds-read.patch
  * CVE-2019-8396 (bsc#1125882)
    H5O__pline_decode-Make-more-resilient-to-out-of-bounds-read.patch
  * CVE-2018-11205 (bsc#1093663)
    Pass-compact-chunk-size-info-to-ensure-requested-elements-are-within-bounds.patch
  * CVE-2021-46242 (bsc#1195212)
    When-evicting-driver-info-block-NULL-the-corresponding-entry.patch
  * CVE-2021-45833 (bsc#1194366)
    Report-error-if-dimensions-of-chunked-storage-in-data-layout-2.patch
  * CVE-2018-14031 (bsc#1101475)
    H5O_dtype_decode_helper-Parent-of-enum-needs-to-have-same-size-as-enum-itself.patch
  * CVE-2018-17439 (bsc#1111598)
    H5IMget_image_info-H5Sget_simple_extent_dims-does-not-exceed-array-size.patch
- Fix an error message:
  Fix-error-message-not-the-name-but-the-link-information-is-parsed.patch

-----------------------------------------------------------------------------

o Updated hdf5_1_10_8-gnu-mvapich2-hpc (security/bugfix/feature) [x86_64,aarch64]

- Fix CVE-2021-37501 - overflow in calculation of data buffer due to bogus input file (bsc#1207973).
  https://github.com/HDFGroup/hdf5/issues/2458
  https://github.com/HDFGroup/hdf5/pull/2459
  Check-for-overflow-when-calculating-on-disk-attribute-data-size-2459.patch
  Remove-duplicate-code.patch
- Fix CVEs:
  * CVE-2021-46244 (bsc#1195215)
    Compound-datatypes-may-not-have-members-of-size-0.patch
  * CVE-2018-13867 (bsc#1101906)
    Validate-location-offset-of-the-accumulated-metadata-when-comparing.patch
  * CVE-2018-16438 (bsc#1107069)
    Make-sure-info-block-for-external-links-has-at-least-3-bytes.patch
  * CVE-2020-10812 (bsc#1167400)
    Hot-fix-for-CVE-2020-10812.patch
  * CVE-2021-45830 (bsc#1194375)
    H5O_fsinfo_decode-Make-more-resilient-to-out-of-bounds-read.patch
  * CVE-2019-8396 (bsc#1125882)
    H5O__pline_decode-Make-more-resilient-to-out-of-bounds-read.patch
  * CVE-2018-11205 (bsc#1093663)
    Pass-compact-chunk-size-info-to-ensure-requested-elements-are-within-bounds.patch
  * CVE-2021-46242 (bsc#1195212)
    When-evicting-driver-info-block-NULL-the-corresponding-entry.patch
  * CVE-2021-45833 (bsc#1194366)
    Report-error-if-dimensions-of-chunked-storage-in-data-layout-2.patch
  * CVE-2018-14031 (bsc#1101475)
    H5O_dtype_decode_helper-Parent-of-enum-needs-to-have-same-size-as-enum-itself.patch
  * CVE-2018-17439 (bsc#1111598)
    H5IMget_image_info-H5Sget_simple_extent_dims-does-not-exceed-array-size.patch
- Fix an error message:
  Fix-error-message-not-the-name-but-the-link-information-is-parsed.patch

-----------------------------------------------------------------------------

o Updated hdf5_1_10_8-gnu-openmpi3-hpc (security/bugfix/feature) [x86_64,aarch64]

- Fix CVE-2021-37501 - overflow in calculation of data buffer due to bogus input file (bsc#1207973).
  https://github.com/HDFGroup/hdf5/issues/2458
  https://github.com/HDFGroup/hdf5/pull/2459
  Check-for-overflow-when-calculating-on-disk-attribute-data-size-2459.patch
  Remove-duplicate-code.patch
- Fix CVEs:
  * CVE-2021-46244 (bsc#1195215)
    Compound-datatypes-may-not-have-members-of-size-0.patch
  * CVE-2018-13867 (bsc#1101906)
    Validate-location-offset-of-the-accumulated-metadata-when-comparing.patch
  * CVE-2018-16438 (bsc#1107069)
    Make-sure-info-block-for-external-links-has-at-least-3-bytes.patch
  * CVE-2020-10812 (bsc#1167400)
    Hot-fix-for-CVE-2020-10812.patch
  * CVE-2021-45830 (bsc#1194375)
    H5O_fsinfo_decode-Make-more-resilient-to-out-of-bounds-read.patch
  * CVE-2019-8396 (bsc#1125882)
    H5O__pline_decode-Make-more-resilient-to-out-of-bounds-read.patch
  * CVE-2018-11205 (bsc#1093663)
    Pass-compact-chunk-size-info-to-ensure-requested-elements-are-within-bounds.patch
  * CVE-2021-46242 (bsc#1195212)
    When-evicting-driver-info-block-NULL-the-corresponding-entry.patch
  * CVE-2021-45833 (bsc#1194366)
    Report-error-if-dimensions-of-chunked-storage-in-data-layout-2.patch
  * CVE-2018-14031 (bsc#1101475)
    H5O_dtype_decode_helper-Parent-of-enum-needs-to-have-same-size-as-enum-itself.patch
  * CVE-2018-17439 (bsc#1111598)
    H5IMget_image_info-H5Sget_simple_extent_dims-does-not-exceed-array-size.patch
- Fix an error message:
  Fix-error-message-not-the-name-but-the-link-information-is-parsed.patch

-----------------------------------------------------------------------------

o Updated hdf5_1_10_8-gnu-openmpi4-hpc (security/bugfix/feature) [x86_64,aarch64]

- Fix CVE-2021-37501 - overflow in calculation of data buffer due to bogus input file (bsc#1207973).
  https://github.com/HDFGroup/hdf5/issues/2458
  https://github.com/HDFGroup/hdf5/pull/2459
  Check-for-overflow-when-calculating-on-disk-attribute-data-size-2459.patch
  Remove-duplicate-code.patch
- Fix CVEs:
  * CVE-2021-46244 (bsc#1195215)
    Compound-datatypes-may-not-have-members-of-size-0.patch
  * CVE-2018-13867 (bsc#1101906)
    Validate-location-offset-of-the-accumulated-metadata-when-comparing.patch
  * CVE-2018-16438 (bsc#1107069)
    Make-sure-info-block-for-external-links-has-at-least-3-bytes.patch
  * CVE-2020-10812 (bsc#1167400)
    Hot-fix-for-CVE-2020-10812.patch
  * CVE-2021-45830 (bsc#1194375)
    H5O_fsinfo_decode-Make-more-resilient-to-out-of-bounds-read.patch
  * CVE-2019-8396 (bsc#1125882)
    H5O__pline_decode-Make-more-resilient-to-out-of-bounds-read.patch
  * CVE-2018-11205 (bsc#1093663)
    Pass-compact-chunk-size-info-to-ensure-requested-elements-are-within-bounds.patch
  * CVE-2021-46242 (bsc#1195212)
    When-evicting-driver-info-block-NULL-the-corresponding-entry.patch
  * CVE-2021-45833 (bsc#1194366)
    Report-error-if-dimensions-of-chunked-storage-in-data-layout-2.patch
  * CVE-2018-14031 (bsc#1101475)
    H5O_dtype_decode_helper-Parent-of-enum-needs-to-have-same-size-as-enum-itself.patch
  * CVE-2018-17439 (bsc#1111598)
    H5IMget_image_info-H5Sget_simple_extent_dims-does-not-exceed-array-size.patch
- Fix an error message:
  Fix-error-message-not-the-name-but-the-link-information-is-parsed.patch

-----------------------------------------------------------------------------

o Updated helm-mirror (security/bugfix/feature)

- added patches
  fix build [bsc#1197728]
  + helm-mirror-go-build-mod-vendor.patch
- version update to 0.3.1 [bsc#1156646]:
  * Update to use helm 2.16.1 to fix CVE-2019-18658
  * Update to use go modules

-----------------------------------------------------------------------------

o Updated helm (security/bugfix/feature)

- Update to version 3.10.3 (bsc#1206467, CVE-2022-23524, bsc#1206469, CVE-2022-23525, bsc#1206471, CVE-2022-23526):
  * Fix backwards compatibility
  * Update string handling
  * Update repo handling
  * Update schema validation handling
- Update to version 3.10.2:
  * fix a few function names on comments
  * redirect registry client output to stderr
  * Readiness & liveness probes correct port
- Update to version 3.10.1:
  * Updating the deb location for azure cli
  * Updating the repo the azure cli is installed from
  * Updating to kubernetes 1.25.2 packages
  * one defer
  * don't change r.CachePath
  * avoid adding new public function
  * fix tests
  * fix: clean up temp files in FindChartInAuthAndTLSAndPassRepoURL (#11171)
  * Allow CGO_ENABLED to be overridden for build
  * update: Optimize the error message
  * add nil judge for dependency , maintainers validate and some testcase.
  * Fix URL with encoded path support for ChartDownloader
  * fix: add cases.NoLower option for we can get same effect to strings.Title
  * Tolerate temporary errors from etcdserver
- Update to version 3.10.0:
  * bump version to v3.10.0
  * Updating to Kubernetes 1.25 client libs
  * Updating the certificates used for testing
  * Updating index handling
  * Drop direct github.com/docker/docker dependency
  * fix special string in the filename
  * chore: add oci install description
  * Fixing x509 test on darwin
  * Bump k8s.io/kube-openapi to fix CVE-2022-1996 in github.com/emicklei/go-restful
  * fixes #11142 missing array length check on release
  * chore(deps): bump github.com/stretchr/testify from 1.7.5 to 1.8.0
  * Upgrading to Kubernetes 1.24.2
  * Bump Oras to 1.2.0
  * fix: use `go install` instead of `go get`
  * bump Go 1.18
  * fix: improve logging & safety of statefulSetReady
  * make token caching an opt in feature
  * chore(deps): bump github.com/stretchr/testify from 1.7.4 to 1.7.5
  * chore(deps): bump github.com/rubenv/sql-migrate from 1.1.1 to 1.1.2
  * chore(deps): bump github.com/spf13/cobra from 1.4.0 to 1.5.0 (#11075)
  * chore(deps): bump github.com/stretchr/testify from 1.7.1 to 1.7.4
  * Upgrading to Kubernetes 1.24.1 packages
  * chore(deps): bump github.com/Masterminds/squirrel from 1.5.2 to 1.5.3
  * feat(*): add flags/env for kube api tls overrides
  * Add --burst-limit option for client-side throttling limit configuration (#10842)
  * chore(deps): bump github.com/lib/pq from 1.10.5 to 1.10.6
  * chore(deps): bump oras.land/oras-go from 1.1.0 to 1.1.1
  * chore(deps): bump github.com/evanphx/json-patch
  * Bump github.com/lib/pq from 1.10.4 to 1.10.5
  * build(deps): bump github.com/containerd/containerd from 1.6.3 to 1.6.4
  * build(deps): bump github.com/docker/docker
  * bump version to v3.9.0
  * build(deps): bump github.com/jmoiron/sqlx from 1.3.4 to 1.3.5
  * Bump github.com/BurntSushi/toml from 1.0.0 to 1.1.0
  * Fixed helm uninstall not deleting the resource.
  * Fix UT
  * Fix linter
  * Update install.go
  * Log error message on failed download
  * Add support `helm list --no-headers`
  * update go.mod
  * fix --registry-config issue
  * feat: add --set-json flag to set json values.
  * fix(helm): ignore file-not-found error for `helm repo list -o json`
- Update to version 3.9.4 (bsc#1203054, CVE-2022-36055):
  * Updating the certificates used for testing
  * Updating index handling
- Update to version 3.9.3 (CVE-2022-1996, bsc#1200528):
  * Bump k8s.io/kube-openapi to fix CVE-2022-1996 in github.com/emicklei/go-restful
  * fixes #11142 missing array length check on release
- Update to version 3.9.2:
  * Updating the circleci image we use
- Update to version 3.9.1:
  * Upgrading to Kubernetes 1.24.2
  * fix: improve logging & safety of statefulSetReady
  * make token caching an opt in feature
  * chore(deps): bump github.com/lib/pq from 1.10.5 to 1.10.6
  * Upgrading to Kubernetes 1.24.1 packages
  * chore(deps): bump github.com/Masterminds/squirrel from 1.5.2 to 1.5.3
- Update to version 3.9.0:
  * Added a --quiet flag to helm lint
  * Added a --post-renderer-args flag to support arguments being passed to the post renderer
  * Added more checks during the signing process
  * Updated to add Kubernetes 1.24 support
- Update to version 3.8.2:
  * Bump oras.land/oras-go from 1.1.0 to 1.1.1
  * Fixing downloader plugin error handling
  * Simplify testdata charts
  * Simplify testdata charts
  * Add tests for multi-level dependencies.
  * Fix value precedence
  * Bumping Kubernetes package versions
  * Updating vcs to latest version
  * Dont modify provided transport
  * Pass http getter as pointer in tests
  * Add docs block
  * Add transport option and tests
  * Reuse http transport
  * Updating Kubernetes libs to 0.23.4 (latest)
  * fix: remove deadcode
  * fix: helm package tests
  * fix: helm package with dependency update for charts with OCI dependencies
  * Fix typo Unset the env var before func return in Unit Test
  * add legal name check
  * maint: fix syntax error in deploy.sh
  * linting issue fixed
  * only apply overwrite if version is canary
  * overwrite flag added to az storage blob upload-batch
  * Avoid querying for OCI tags can explicit version provided in chart dependencies
  * Management of bearer tokens for tag listing
  * Updating Kubernetes packages to 1.23.3
  * refactor: use `os.ReadDir` for lightweight directory reading
  * Add IngressClass to manifests to be (un)installed
  * feat(comp): Shell completion for OCI
  * Fix install memory/goroutine leak
  * Upgrade to oras v0.9.0 (#9269) (bsc#1181419, CVE-2021-21272)

-----------------------------------------------------------------------------

o Updated hplip (security/bugfix/feature)

- Add hplip-3.20.6-python-includes.patch to fix C compiler flags (boo#1198794)

-----------------------------------------------------------------------------

o Updated hunspell (security/bugfix/feature)

- requires english dictionary [bsc#1199209]
- suggests english dictionary [bsc#1193627]

-----------------------------------------------------------------------------

o Updated hwdata (security/bugfix/feature)

- update to 0.365:
  + Updated pci, usb and vendor ids.
- update to 0.364:
  + Updated pci, usb and vendor ids.
- update to 0.363:
  + Updated pci, usb and vendor ids.
- update to 0.362:
  + Updated pci, usb and vendor ids.
- update to 0.361:
  + Updated pci, usb and vendor ids.
- Update to version 0.360 (bsc#1200110):
  + Updated pci, usb and vendor ids.
- Update to version 0.359:
  + Updated pci, usb and vendor ids.
- Update to version 0.358 (bsc#1196332):
  + Updated pci, usb and vendor ids.

-----------------------------------------------------------------------------

o Updated hwinfo (security/bugfix/feature)

- merge gh#openSUSE/hwinfo#127
- create xen usb controller device if necessary (bsc#1204294)
- 21.84
- merge gh#openSUSE/hwinfo#115
- improve treatment of NVME devices (bsc#1200975)
- fix compiler warnings
- 21.83
- merge gh#openSUSE/hwinfo#113
- Keep NVMe's namespace output consistency when nvme_core.multipath=1 (bsc#1199948)
- 21.82

-----------------------------------------------------------------------------

o Added ibmrtpkgs (feature) [x86_64]

## WARNING - the following diff is a head -20 proposal

* Sat Jul 18 2020 jcheung@suse.com
- Add config-bsc1173678.diff to disable numa balancing (bsc#1173678)
* Fri Sep 21 2018 jcheung@suse.com
- Initial version to SLERT15 SP1
* Fri Sep 21 2018 mgalbraith@suse.de
- Import final changes from defunct hardware/ibmrtpkgs. This includes sign-off of patches, and ibmrtpkgs.changes state documentation entry.
- Modified files:
  config-redirect-setterm-errors-to-dev-null.diff
  ibmrtpkgs.changes
  irqbindall-add-systemd-service-file.diff
  irqbindall-rename-irq_balancer-to-irqbalance.diff
  irqbindall_cosmetic_fix-bnc703490.diff
  kthreadprio_defaults-bnc633514.diff
  set_kthread_prio-add-systemd-service-file.diff

-----------------------------------------------------------------------------

o Updated icewm (security/bugfix/feature)

- Add icewm-build-with-glib2-ver-gt-2.67.3.patch: A later glib2 update will cause icewm to fail to build by including gdk-pixbuf-xlib with extern "C" annotation:
  https://gitlab.gnome.org/GNOME/glib/-/commit/51003d409bb4b6c9a8540f70b92f8045abc4f0c9?merge_request_iid=1715
  The patch aims to remove the annotation that caused the issue (bsc#1197729).

-----------------------------------------------------------------------------

o Updated icu (security/bugfix/feature)

- Backport icu-CVE-2020-21913.patch: backport commit 727505bdd from upstream, use LocalMemory for cmd to prevent use after free (bsc#1193951 CVE-2020-21913).

-----------------------------------------------------------------------------

o Added iio-sensor-proxy (feature)

## WARNING - the following diff is a head -20 proposal

* Thu Sep 30 2021 badshah400@gmail.com
- Update to version 3.3:
  * Fix a bug left-over in one of the 3.2 bug fixes where some accelerometers would fail to initialise.
- Changes from version 3.2:
  * Fix problems parsing numbers with decimal separator.
- Require gudev >= 237 for building (for consistency with upstream).
- Drop the rpmlintrc file and add back appropriate service macros in pre/post scriptlets.
* Wed Jun 16 2021 badshah400@gmail.com
- Update to version 3.1:
  * Port to meson as a build system and add a test-suite.
  * Fix long-standing problem with property changes being sent as a broadcast.
  * Fix sensor support for accelerometers with different scales on

-----------------------------------------------------------------------------

o Updated ImageMagick (security/bugfix/feature)

- security update
- added patches
  fix CVE-2022-44267 [bsc#1207982], denial of service when parsing a PNG image
  fix CVE-2022-44268 [bsc#1207983], arbitrary file disclosure when parsing a PNG image
  + ImageMagick-CVE-2022-44267,44268.patch
- security update
- added patches
  fix CVE-2022-3213 [bsc#1203450], heap buffer overflow while processing a malformed TIFF file
  + ImageMagick-CVE-2022-3213.patch
- security update
- added patches
  fix CVE-2022-2719 [bsc#1202250], DoS due to attempted writing of NULL image list
  + ImageMagick-CVE-2022-2719.patch
- security update
- added patches
  fix CVE-2022-28463 [bsc#1199350], ImageMagick 7.1.0-27 is vulnerable to Buffer Overflow.
  + ImageMagick-CVE-2022-28463.patch
- security update
- added patches
  fix CVE-2022-32545 [bsc#1200388], outside the range of representable values of type 'unsigned char' at coders/psd.c
  + ImageMagick-CVE-2022-32545.patch
  fix CVE-2022-32546 [bsc#1200389], outside the range of representable values of type 'unsigned long' at coders/pcl.c
  + ImageMagick-CVE-2022-32546.patch
  fix CVE-2022-32547 [bsc#1200387], load of misaligned address at MagickCore/property.c
  + ImageMagick-CVE-2022-32547.patch

-----------------------------------------------------------------------------

o Removed imb_2021_2-gnu-mpich-hpc (XXX)

-----------------------------------------------------------------------------

o Removed imb_2021_2-gnu-mvapich2-hpc (XXX)

-----------------------------------------------------------------------------

o Removed imb_2021_2-gnu-openmpi3-hpc (XXX)

-----------------------------------------------------------------------------

o Removed imb_2021_2-gnu-openmpi4-hpc (XXX)

-----------------------------------------------------------------------------

o Added imb_2021_3-gnu-mpich-hpc (feature) [x86_64,aarch64]

## WARNING - the following diff is a head -20 proposal

* Thu Sep 15 2022 nmoreychaisemartin@suse.com
- Update to 2021.3:
  - Change default value for mem_alloc_type to device
  - License update
  - Bug fixes.
* Fri Apr 09 2021 cgoll@suse.com
- Update to 2021.2:
  * New IMB-MPI1-GPU benchmarks (Technical Preview). The benchmarks implement the GPU version of the IMB-MPI1
  * Added -msg_pause option.
  * Changed default window_size 64 -> 256
  * Added -window_size option for IMB-MPI1
  * Bug fixes
* Fri Jan 22 2021 eich@suse.com
- Fix openmpi HPC builds.
----------------------------------------------------------------------------- o Added imb_2021_3-gnu-mvapich2-hpc (feature) [x86_64,aarch64] ## WARNING - the following diff is a head -20 proposal * Thu Sep 15 2022 nmoreychaisemartin@suse.com - Update to 2021.3: - Change default value for mem_alloc_type to device - License update - Bug fixes. * Fri Apr 09 2021 cgoll@suse.com - Update to 2021.2: * New IMB-MPI1-GPU benchmarks (Technical Preview). The benchmarks implement the GPU version of the IMB-MPI1 * Added -msg_pause option. * Changed default window_size 64 -> 256 * Added -window_size option for IMB-MPI1 * Bug fixes * Fri Jan 22 2021 eich@suse.com - Fix openmpi HPC builds. ----------------------------------------------------------------------------- o Added imb_2021_3-gnu-openmpi3-hpc (feature) [x86_64,aarch64] ## WARNING - the following diff is a head -20 proposal * Thu Sep 15 2022 nmoreychaisemartin@suse.com - Update to 2021.3: - Change default value for mem_alloc_type to device - License update - Bug fixes. * Fri Apr 09 2021 cgoll@suse.com - Update to 2021.2: * New IMB-MPI1-GPU benchmarks (Technical Preview). The benchmarks implement the GPU version of the IMB-MPI1 * Added -msg_pause option. * Changed default window_size 64 -> 256 * Added -window_size option for IMB-MPI1 * Bug fixes * Fri Jan 22 2021 eich@suse.com - Fix openmpi HPC builds. ----------------------------------------------------------------------------- o Added imb_2021_3-gnu-openmpi4-hpc (feature) [x86_64,aarch64] ## WARNING - the following diff is a head -20 proposal * Thu Sep 15 2022 nmoreychaisemartin@suse.com - Update to 2021.3: - Change default value for mem_alloc_type to device - License update - Bug fixes. * Fri Apr 09 2021 cgoll@suse.com - Update to 2021.2: * New IMB-MPI1-GPU benchmarks (Technical Preview). The benchmarks implement the GPU version of the IMB-MPI1 * Added -msg_pause option. 
* Changed default window_size 64 -> 256 * Added -window_size option for IMB-MPI1 * Bug fixes * Fri Jan 22 2021 eich@suse.com - Fix openmpi HPC builds. ----------------------------------------------------------------------------- o Added iniparser (feature) [x86_64,ppc64le] ## WARNING - the following diff is a head -20 proposal * Wed Aug 24 2022 msuchanek@suse.com - Add fixes since 4.1 + Fail-testrun-on-test-failure.patch + Fix-buffer-overflow-from-sprintf.patch - Fix tests failing on 32bit architectures + Fix-tests-on-32bit.patch * Sat Nov 11 2017 aavindraa@gmail.com - Update to 4.1 (stable release) + For full change set, see: https://github.com/ndevilla/iniparser/compare/b1c4ac6f...v4.1 - Cleanup with spec-cleaner - Rebase iniparser_remove_rpath.patch - so number bumped from 0 to 1 per upstream policy * Sat Jun 27 2015 lmuelle@suse.com - Update to git snapshot 20150605 b1c4ac6f ----------------------------------------------------------------------------- o Updated inkscape (security/bugfix/feature) [x86_64] - Add inkscape-pango-line-breaks.patch: fix rendering of multi-line text (boo#1200369). 
----------------------------------------------------------------------------- o Updated inputproto (security/bugfix/feature) - inputproto-2.4.patch * updated to inputproto-2.4 files copied from current xorgproto-2021.5 package ----------------------------------------------------------------------------- o Updated installation-images-SLES (security/bugfix/feature) - merge gh#openSUSE/installation-images#635 - Include openssl hmac for SLE Micro (bsc#1208981) - 16.58.5 - merge gh#openSUSE/installation-images#630 - clean up Xorg config (bsc#1192678, bsc#1207516) - 16.58.4 - merge gh#openSUSE/installation-images#629 - adjust to sap-installation-wizard package changes (jsc#PED-3111) - 16.58.3 - merge gh#openSUSE/installation-images#620 - support more general wicked firmware devices interface (jsc#PED-3118, jsc#PED-967) - 16.58.2 - merge gh#openSUSE/installation-images#619 - switch from curl to osc api to avoid authentication hassle with IBS - add 'ignore_packages' environment setting to allow more control over package config - update docs - merge gh#openSUSE/installation-images#617 - always redirect udev log output to /var/log/udev.log (bsc#1204216) - include hint about how to enable udev debug output - 16.58.1 - merge gh#openSUSE/installation-images#609 - fix Bengali font issue: switch from MuktiNarrow.ttf to Mukti.ttf (bsc#1202083, bsc#1197977) - 16.57.25 - merge gh#openSUSE/installation-images#606 - fix %if-nesting typo - 16.57.24 - merge gh#openSUSE/installation-images#605 - limit LeapMicro building - 16.57.23 - merge gh#openSUSE/installation-images#602 - Leap Micro support (jsc#SMO-126) - Add LeapMicro to _multibuild (jsc#SMO-126) - Leap Micro support jsc#SMO-126 - 16.57.22 - rename the SLE Micro -release package (bsc#1199911) - 16.57.21 ----------------------------------------------------------------------------- o Updated intel-media-driver (security/bugfix/feature) [x86_64] - no longer set LIBVA_DRIVER_NAME=iHD; it's no longer needed; implemented in libva 
meanwhile (boo#1209134) - needed for jira#PED-1174 (Video decoding/encoding support (VA-API, ...) for Intel GPUs is outside of Mesa) - Update to version 2.6.1 * Revert "[Decode] Legacy MI interface removal" - specfile cleanup - updated Supplements - Update to version 2.6.0: * Revert "[Decode] Virtual Node Assign Policy Optimization" - Code changes from version 2.5.4: * Enabled Memory Decompression for ADLS and ADLN. * Fixed MPEG2 decode crash issue. * Fixed AV1 decode film grain hang issue. * Fixed color fill corruption issue. * Fixed first VPP operation color artifacts. * Enhanced I420 and UYVY format support in creating surface and derive image. * Fixed aux table l2 page fault - Remove u_libva-2.16.0.patch - adding _constraints in the hope to reserve enough disk space; trying with 7GB for now ... - u_libva-2.16.0.patch * fixes build against libva 2.16.0 * culprit: https://github.com/intel/libva/commit/8682f9e30f2fabf2ccc6f7609db035ed1af44703 - No code changes - Update to version 22.4.4 was part of Intel oneVPL GPU Runtime 2022Q2 Release 22.4.4 - updated supplements.inc - Update to version 22.4.4: * Enabled HDR10 and HVS support * Added RPL-P platform enabling * Added HDR10 capability report - disabling Werror from build no longer needed; therefore commented out this sed line for now ... 
- Update to version 22.4.2: * [Encode] AVC RC mode - Implement abs QP map (MBQP) and CQP QP - Enable abs QP map mode caps - Implement programming for abs QP map mode - removed no longer needed Werror-initialize-in-right-order.patch - Update to version 22.1.1: * New Features and Enhancement: - Enabled Alchemist/ATS-M platform decoding and video processing features - Added ADL-N platform support - Enhanced AV1 decoding robustness for error clips handling - Added vaCopy caps reporting - Enabled GPU copy for small resolution in vaMap/unMap - Optimized GetImage perf for NV12 format - Added HEVC sub-features caps reporting - Improved compatibility by disabling compression when creating surface - Improved debuggability by enabling OCA support * Bugs fixed: - Fixed multiple layer composition corruption issue - Fixed OCA stability issue in multi-thread scenario - Fixed render copy mem leak - Update to version 21.3.5: * Enabled vaCopy by GPU HW * Added 0YUV decode output format support ----------------------------------------------------------------------------- o Updated ipset (security/bugfix/feature) - Tumbleweed is not affected by the following SLE issues: bsc#1122853 - Update to release 7.15 * netfilter: ipset: Fix maximal range check in hash_ipportnet4_uadt() - Update to release 7.14 * Allow specifying protocols by number * Limit the maximum range of consecutive elements to add/delete - Update to release 7.11 * Argument parsing buffer overflow in ipset_parse_argv fixed - Update to release 7.10 * Fix shift-out-of-bounds in htable_bits() - Update to release 7.9 * Enable memory accounting for ipset allocations * Expose the initval hash parameter to userspace * Add bucketsize parameter to all hash types * Support the -exist flag with the destroy command - Update to release 7.6 * Add checking system_power_efficient_wq in the source tree. - Update to release 7.5 * netfilter: ipset: avoid null deref when IPSET_ATTR_LINENO is present. 
* netfilter: xt_set: Do not restrict --map-set to the mangle table. - Update to release 7.4 * Wildcard support for the "hash:net,iface" type. - Update to new upstream release 7.3 * Fix rename concurrency with listing, which can result in broken list/save results. * ipset: Copy the right MAC address in bitmap:ip,mac and hash:ip,mac sets. * ipset: Actually allow destination MAC address for hash:ip,mac sets too. - Update to new upstream release 7.2 * ipset: Fix memory accounting for hash types on resize - Update to new upstream release 7.1 * Correct the manpage about the sort option * Implement sorting for hash types in the ipset tool * Fix to list/save into file specified by option - Remove ipset-file.diff (merged) - Add ipset-file.diff [boo#1116432]. - Update to new upstream release 7.0 * A new internal protocol version between the kernel and userspace is used. This is required in order to support two new functions and the extended LIST operation, which makes it possible to run ipset in every case entirely over netlink, without the need to use getsockopt(). * The userspace library was reworked so it can be embedded without calling the binary. - Update to new upstream release 6.38 * Fix parsing service names for ports. 
----------------------------------------------------------------------------- o Updated iputils (security/bugfix/feature) - Update to version 20221126 https://github.com/iputils/iputils/releases/tag/20221126 - Update configure variables (ninfod, rarpd and rdisc were removed from upstream in next release => remove -DBUILD_NINFOD=false -DBUILD_RARPD=false -DBUILD_RDISC=false) - Remove 2 backported fixes from this release 0001-ping-Add-SA_RESTART-to-sa_flags.patch 0002-ping-Make-ping_rts-struct-static.patch - Backport 2 fixes for bsc#1203957: 0001-ping-Add-SA_RESTART-to-sa_flags.patch 0002-ping-Make-ping_rts-struct-static.patch - rarpd and rdisc tools are now disabled again [jsc#SLE-23521] ----------------------------------------------------------------------------- o Added ipxe (feature) [x86_64,aarch64] ## WARNING - the following diff is a head -20 proposal * Mon Feb 06 2023 eich@suse.com - cross-aarch64-gcc7 is not available for SLE-15 (i586). Also, there is no Leap port for i586, so let's disable aarch64 cross-compile target on i586 (bsc#1207796). 
* Mon Jan 23 2023 cgoll@suse.com - enable compressed images * Fri Jan 20 2023 msuchanek@suse.com - Update to version 1.21.1+git20230120.a99e435c: * [efi] Do not rely on ProcessorBind.h when building host binaries (bsc#1207310) * multiple [ena] [efi] [tls] [intel] [intelxl] enhancements * [image] Do not clear current working URI when executing embedded image * [console] Fix definition of unreachability for remapped keys * [console] Add Swedish "se" keymap * [efi] Support keyboard remapping via the EFI console * [usb] Support keyboard remapping via the native USB keyboard driver ----------------------------------------------------------------------------- o Updated irqbalance (security/bugfix/feature) [x86_64,ppc64le,aarch64] - add irqbalance-systemd-netlink.patch (related to bsc#1205308) - update to 1.9.2: * avoid coredump on build_one_dev_entry() * avoid double free on deinit_thermal() * change the log level in thermal.c * fix a minor typo - drop Avoid-double-free-on-deinit_thermal.patch, uninitialized.patch: (upstream) - run tests - add Avoid-double-free-on-deinit_thermal.patch (bsc#1204607) - add uninitialized.patch (bsc#1204371) - build with thermald support on x86_64 (jsc#PED-1039) - update to 1.9.1: * get irq->module relationship from /sys/bus/pci/*/driver * ensure --banmod is respected * check whether savedptr is NULL before invoking strlen * add meson * support thermal events * fix irqbalance never exits * irqbalance-ui: able to scroll and show coulist and irqs' name - drop proc-interrupts.patch (upstream) D proc-interrupts.patch - Update to version 1.9.0: * correct wait time in oneshot mode * Document updates * disable irqbalance when we only have a single cpu/cache domain * fix UI to fetch full messages from UNIX socket * avoid some buffer overflows * fix UI printf style formatting * drop bounding set from irqbalance - proc-interrupts.patch: parse_proc_interrupts: fix parsing interrupt counts 
----------------------------------------------------------------------------- o Updated issue-generator (security/bugfix/feature) - Update to version 1.13 - SELinux: Do not call agetty --reload [bsc#1186178] - Update to version 1.12 - Update manual page - Use python3 instead of python 2.x - Update to version 1.11 - Don't display issue.d/*.issue files, agetty will do that [bsc#1177891] - Ignore /run/issue.d in issue-generator.path, else issue-generator will be called too fast too often [bsc#1177865] - Ignore *.bak, *~ and *.rpm* files [bsc#1118862] - Handle the .path unit in scriptlets as well - Update to version 1.10 - Display wlan interfaces [bsc#1169070] - Update to version 1.9 - Fix path for systemd files - Update to version 1.8 - Handle network interface renames ----------------------------------------------------------------------------- o Updated jack (security/bugfix/feature) - Added 0001-Make-jack_control-python2-3-compatible.patch from git to fix boo#1132458. - Remove unnecessary requires for libjack0 and remove obsolete comments. 
- Use %license on "COPYING" - Add upstream patch to fix return value check of mmap() (boo#1108981): fix-mmap-return-value-check.patch - Update the waf code to the 2.0 series in order to work under python3.7 taken from upstream git: * jack-waf2.patch ----------------------------------------------------------------------------- o Updated jackson-annotations (security/bugfix/feature) - Build with source/target levels 8 - Update to 2.13.0 (CVE-2020-36518, bsc#1197132) * 2.13.0 (30-Sep-2021) + Add 'mvnw' wrapper * 2.12.0 (29-Nov-2020) + #171: 'JsonSubType.Type' should accept array of names + #173: Jackson version alignment with Gradle 6 + #174: Add '@JsonIncludeProperties' + #175: Add '@JsonTypeInfo(use=DEDUCTION)' + #177: Ability to use '@JsonAnyGetter' on fields + #179: Add '@JsonKey' annotation + #180: Allow repeated calls to 'SimpleObjectIdResolver.bindItem()' for same mapping + #181: Add 'namespace' property for '@JsonProperty' (for XML module) + Add target 'ElementType.ANNOTATION_TYPE' for '@JsonEnumDefaultValue' (was missing for some reason) * 2.11.0 (26-Apr-2020) + 'JsonPattern.Value.pattern' retained as "", never (accidentally) exposed as 'null' - Rewrite to use ant for building in order to be able to use it in packages that have to be built before maven - Update to 2.10.5 - Update to 2.10.3 ----------------------------------------------------------------------------- o Updated jackson-core (security/bugfix/feature) - Build with source and target levels 8 - Update to 2.13.0 (CVE-2020-36518, bsc#1197132) * 2.13.0 (30-Sep-2021) + #652: Misleading exception for input source when processing byte buffer with start offset + #658: Escape contents of source document snippet for 'JsonLocation._appendSourceDesc()' + #664: Add 'StreamWriteException' type to eventually replace 'JsonGenerationException' + #671: Replace 'getCurrentLocation()'/'getTokenLocation()' with 'currentLocation()'/'currentTokenLocation()' in 'JsonParser' + #673: Replace 'JsonGenerator.writeObject()' 
(and related) with 'writePOJO()' + #674: Replace 'getCurrentValue()'/'setCurrentValue()' with 'currentValue()'/'assignCurrentValue()' in 'JsonParser'/'JsonGenerator + #677: Introduce O(n^1.5) BigDecimal parser implementation + #687: ByteQuadsCanonicalizer.addName(String, int, int) has incorrect handling for case of q2 == null + #692: UTF32Reader ArrayIndexOutOfBoundsException + #694: Improve exception/JsonLocation handling for binary content: don't show content, include byte offset + #700: Unable to ignore properties when deserializing. TokenFilter seems broken + #712: Optimize array allocation by 'JsonStringEncoder' + Add 'mvnw' wrapper * 2.12.5 (27-Aug-2021) + #712: (partial) Optimize array allocation by 'JsonStringEncoder' + #713: Add back accidentally removed 'JsonStringEncoder' related methods in 'BufferRecyclers' (like 'getJsonStringEncoder()') * 2.12.4 (06-Jul-2021) + #702: 'ArrayOutOfBoundException' at 'WriterBasedJsonGenerator.writeString(Reader, int)' * 2.12.0 (29-Nov-2020) + #500: Allow "optional-padding" for 'Base64Variant' + #573: More customizable TokenFilter inclusion (using 'Tokenfilter.Inclusion') + #618: Publish Gradle Module Metadata + #619: Add 'StreamReadCapability' for further format-based/format-agnostic handling improvements + #627: Add 'JsonParser.isExpectedNumberIntToken()' convenience method + #630: Add 'StreamWriteCapability' for further format-based/format-agnostic handling improvements + #631: Add 'JsonParser.getNumberValueExact()' to allow precision-retaining buffering + #639: Limit initial allocated block size by 'ByteArrayBuilder' to max block size + #640: Add 'JacksonException' as parent class of 'JsonProcessingException' + #653: Make 'JsonWriteContext.reset()' and 'JsonReadContext.reset()' methods public + Deprecate 'JsonParser.getCurrentTokenId()' (use '#currentTokenId()' instead) + Full "LICENSE" included in jar for easier access by compliancy tools * 2.11.4 (12-Dec-2020) + #647: Fix NPE in 'writeNumber(String)' method of 
'UTF8JsonGenerator', 'WriterBasedJsonGenerator' * 2.11.0 (26-Apr-2020) + #504: Add a String Array write method in the Streaming API + #565: Synchronize variants of 'JsonGenerator#writeNumberField' with 'JsonGenerator#writeNumber' + #587: Add JsonGenerator#writeNumber(char[], int, int) method + #606: Do not clear aggregated contents of 'TextBuffer' when 'releaseBuffers()' called + #609: 'FilteringGeneratorDelegate' does not handle 'writeString(Reader, int)' + #611: Optionally allow leading decimal in float tokens - Rewrite to use ant for building in order to be able to use it in packages that have to be built before maven - Update to 2.10.5 * #616: Parsing JSON with 'ALLOW_MISSING_VALUE' enabled results in endless stream of 'VALUE_NULL' tokens * #605: Handle case when system property access is restricted * #609: (partial fix) 'FilteringGeneratorDelegate' does not handle 'writeString(Reader, int)' - Update to 2.10.3 - Changes: * #592: DataFormatMatcher#getMatchedFormatName throws NPE when no match exists * #603: 'JsonParser.getCurrentLocation()' byte/char offset update incorrectly for big payloads instead of 'writeRawValue()' ----------------------------------------------------------------------------- o Updated jackson-databind (security/bugfix/feature) - Update to 2.13.4.2 * 2.13.4.2 (13-Oct-2022) + #3627: Gradle module metadata for '2.13.4.1' references non-existent jackson-bom '2.13.4.1' (instead of '2.13.4.20221012') * 2.13.4.1 (12-Oct-2022) + #3590: Add check in primitive value deserializers to avoid deep wrapper array nesting wrt 'UNWRAP_SINGLE_VALUE_ARRAYS' [bsc#1204370, CVE-2022-42003] * 2.13.4 (03-Sep-2022) + #3275: JDK 16 Illegal reflective access for 'Throwable.setCause()' with 'PropertyNamingStrategy.UPPER_CAMEL_CASE' + #3565: 'Arrays.asList()' value deserialization has changed from mutable to immutable in 2.13 + #3582: Add check in 'BeanDeserializer._deserializeFromArray()' to prevent use of deeply nested arrays [bsc#1204369, CVE-2022-42004] - Update to 
2.13.3 * 2.13.3 (14-May-2022) + #3412: Version 2.13.2 uses 'Method.getParameterCount()' which is not supported on Android before API 26 + #3419: Improve performance of 'UnresolvedForwardReference' for forward reference resolution + #3446: 'java.lang.StringBuffer' cannot be deserialized + #3450: DeserializationProblemHandler is not working with wrapper type when returning null * 2.13.2.2 (28-Mar-2022) + No changes since 2.13.2.1 but fixed Gradle Module Metadata ("module.json") * 2.13.2.1 (24-Mar-2022) + #2816: Optimize UntypedObjectDeserializer wrt recursion + #3412: Version 2.13.2 uses 'Method.getParameterCount()' which is not supported on Android before API 26 * 2.13.2 (06-Mar-2022) + #3293: Use Method.getParameterCount() where possible + #3344: 'Set.of()' (Java 9) cannot be deserialized with polymorphic handling + #3368: 'SnakeCaseStrategy' causes unexpected 'MismatchedInputException' during deserialization + #3369: Deserialization ignores other Object fields when Object or Array value used for enum + #3380: 'module-info.java' is in 'META-INF/versions/11' instead of 'META-INF/versions/9' * 2.13.1 (19-Dec-2021) + #3006: Argument type mismatch for 'enum' with '@JsonCreator' that takes String, gets JSON Number + #3299: Do not automatically trim trailing whitespace from 'java.util.regex.Pattern' values + #3305: ObjectMapper serializes 'CharSequence' subtypes as POJO instead of as String (JDK 15+) + #3308: 'ObjectMapper.valueToTree()' fails when 'DeserializationFeature.FAIL_ON_TRAILING_TOKENS' is enabled + #3328: Possible DoS if using JDK serialization to serialize JsonNode - Update to 2.13.0 (CVE-2020-36518, bsc#1197132) * 2.13.0 (30-Sep-2021) + #1850: '@JsonValue' with integer for enum does not deserialize correctly + #2509: 'AnnotatedMethod.getValue()/setValue()' doesn't have useful exception message + #2828: Add 'DatabindException' as intermediate subtype of 'JsonMappingException' + #2900: Jackson does not support deserializing new Java 9 unmodifiable collections 
+ #2989: Allocate TokenBuffer instance via context objects (to allow format-specific buffer types) + #3001: Add mechanism for setting default 'ContextAttributes' for 'ObjectMapper' + #3002: Add 'DeserializationContext.readTreeAsValue()' methods for more convenient conversions for deserializers to use + #3011: Clean up support of typed "unmodifiable", "singleton" Maps/Sets/Collections + #3033: Extend internal bitfield of 'MapperFeature' to be 'long' + #3035: Add 'removeMixIn()' method in 'MapperBuilder' + #3036: Backport 'MapperBuilder' lambda-taking methods: 'withConfigOverride()', 'withCoercionConfig()', 'withCoercionConfigDefaults()' + #3080: configOverrides(boolean.class) silently ignored, whereas .configOverride(Boolean.class) works for both primitives and boxed boolean values + #3082: Dont track unknown props in buffer if 'ignoreAllUnknown' is true + #3091: Should allow deserialization of java.time types via opaque 'JsonToken.VALUE_EMBEDDED_OBJECT' + #3099: Optimize "AnnotatedConstructor.call()" case by passing explicit null + #3101: Add AnnotationIntrospector.XmlExtensions interface for decoupling javax dependencies + #3110: Custom SimpleModule not included in list returned by ObjectMapper.getRegisteredModuleIds() after registration + #3117: Use more limiting default visibility settings for JDK types (java.*, javax.*) + #3122: Deep merge for 'JsonNode' using 'ObjectReader.readTree()' + #3125: IllegalArgumentException: Conflicting setter definitions for property with more than 2 setters + #3130: Serializing java.lang.Thread fails on JDK 11 and above (should suppress serialization of ClassLoader) + #3143: String-based 'Map' key deserializer is not deterministic when there is no single arg constructor + #3154: Add ArrayNode#set(int index, primitive_type value) + #3160: JsonStreamContext "currentValue" wrongly references to @JsonTypeInfo annotated object + #3174: DOM 'Node' serialization omits the default namespace declaration + #3177: Support 'suppressed' 
property when deserializing 'Throwable' + #3187: 'AnnotatedMember.equals()' does not work reliably + #3193: Add 'MapperFeature.APPLY_DEFAULT_VALUES', initially for Scala module + #3214: For an absent property Jackson injects 'NullNode' instead of 'null' to a JsonNode-typed constructor argument of a '@ConstructorProperties'-annotated constructor + #3217: 'XMLGregorianCalendar' doesn't work with default typing + #3227: Content 'null' handling not working for root values + #3234: StdDeserializer rejects blank (all-whitespace) strings for ints + #3235: 'USE_BASE_TYPE_AS_DEFAULT_IMPL' not working with 'DefaultTypeResolverBuilder' + #3238: Add PropertyNamingStrategies.UpperSnakeCaseStrategy (and UPPER_SNAKE_CASE constant) + #3244: StackOverflowError when serializing JsonProcessingException + #3259: Support for BCP 47 'java.util.Locale' serialization/deserialization + #3271: String property deserializes null as "null" for JsonTypeInfo.As.EXISTING_PROPERTY + #3280: Can not deserialize json to enum value with Object-/Array-valued input, '@JsonCreator' + Fix to avoid problem with 'BigDecimalNode', scale of 'Integer.MIN_VALUE' + Extend handling of 'FAIL_ON_NULL_FOR_PRIMITIVES' to cover coercion from (Empty) String via 'AsNull' + Add 'mvnw' wrapper * 2.12.5 (27-Aug-2021) + #3220: (regression) Factory method generic type resolution does not use Class-bound type parameter * 2.12.4 (06-Jul-2021) + #3139: Deserialization of "empty" subtype with DEDUCTION failed + #3146: Merge findInjectableValues() results in AnnotationIntrospectorPair + #3171: READ_UNKNOWN_ENUM_VALUES_USING_DEFAULT_VALUE doesn't work with empty strings * 2.12.3 (12-Apr-2021) + #3108: 'TypeFactory' cannot convert 'Collection' sub-type without type parameters to canonical form and back + Fix for [modules-java8#207]: prevent fail on secondary Java 8 date/time types * 2.12.2 (03-Mar-2021) + #754: EXTERNAL_PROPERTY does not work well with '@JsonCreator' and 'FAIL_ON_UNKNOWN_PROPERTIES' + #3008: String property 
deserializes null as "null" for 'JsonTypeInfo.As.EXTERNAL_PROPERTY' + #3022: Property ignorals cause 'BeanDeserializer 'to forget how to read from arrays (not copying '_arrayDelegateDeserializer') + #3025: UntypedObjectDeserializer' mixes multiple unwrapped collections (related to #2733) + #3038: Two cases of incorrect error reporting about DeserializationFeature + #3045: Bug in polymorphic deserialization with '@JsonCreator', '@JsonAnySetter', 'JsonTypeInfo.As.EXTERNAL_PROPERTY' + #3055: Polymorphic subtype deduction ignores 'defaultImpl' attribute + #3056: MismatchedInputException: Cannot deserialize instance of 'com.fasterxml.jackson.databind.node.ObjectNode' out of VALUE_NULL token + #3060: Missing override for 'hasAsKey()' in 'AnnotationIntrospectorPair' + #3062: Creator lookup fails with 'InvalidDefinitionException' for conflict between single-double/single-Double arg constructor + #3068: 'MapDeserializer' forcing 'JsonMappingException' wrapping even if WRAP_EXCEPTIONS set to false * 2.12.1 (08-Jan-2021) + #2962: Auto-detection of constructor-based creator method skipped if there is an annotated factory-based creator method (regression from 2.11) + #2972: 'ObjectMapper.treeToValue()' no longer invokes 'JsonDeserializer.getNullValue()' + #2973: DeserializationProblemHandler is not invoked when trying to deserialize String + #2978: Fix failing 'double' JsonCreators in jackson 2.12.0 + #2979: Conflicting in POJOPropertiesCollector when having namingStrategy + #2990: Breaking API change in 'BasicClassIntrospector' (2.12.0) + #3005: 'JsonNode.requiredAt()' does NOT fail on some path expressions + #3009: Exception thrown when 'Collections.synchronizedList()' is serialized with type info, deserialized * 2.12.0 (29-Nov-2020) + #43: Add option to resolve type from multiple existing properties, '@JsonTypeInfo(use=DEDUCTION)' + #426: '@JsonIgnoreProperties' does not prevent Exception Conflicting getter/setter definitions for property + #921: Deserialization Not Working 
Right with Generic Types and Builders + #1296: Add '@JsonIncludeProperties(propertyNames)' (reverse of '@JsonIgnoreProperties') + #1458: '@JsonAnyGetter' should be allowed on a field + #1498: Allow handling of single-arg constructor as property based by default + #1852: Allow case insensitive deserialization of String value into 'boolean'/'Boolean' (esp for Excel) + #1886: Allow use of '@JsonFormat(with=JsonFormat.Feature .ACCEPT_CASE_INSENSITIVE_PROPERTIES)' on Class + #1919: Abstract class included as part of known type ids for error message when using JsonSubTypes + #2066: Distinguish null from empty string for UUID deserialization + #2091: 'ReferenceType' does not expose valid containedType + #2113: Add 'CoercionConfig[s]' mechanism for configuring allowed coercions + #2118: 'JsonProperty.Access.READ_ONLY' does not work with "getter-as-setter" 'Collection's + #2215: Support 'BigInteger' and 'BigDecimal' creators in 'StdValueInstantiator' + #2283: 'JsonProperty.Access.READ_ONLY' fails with collections when a property name is specified + #2644: 'BigDecimal' precision not retained for polymorphic deserialization + #2675: Support use of 'Void' valued properties ('MapperFeature.ALLOW_VOID_VALUED_PROPERTIES') + #2683: Explicitly fail (de)serialization of 'java.time.*' types in absence of registered custom (de)serializers + #2707: Improve description included in by 'DeserializationContext.handleUnexpectedToken()' + #2709: Support for JDK 14 record types ('java.lang.Record') + #2715: 'PropertyNamingStrategy' class initialization depends on its subclass, this can lead to class loading deadlock + #2719: 'FAIL_ON_IGNORED_PROPERTIES' does not throw on 'READONLY' properties with an explicit name + #2726: Add Gradle Module Metadata for version alignment with Gradle 6 + #2732: Allow 'JsonNode' auto-convert into 'ArrayNode' if duplicates found (for XML) + #2733: Allow values of "untyped" auto-convert into 'List' if duplicates found (for XML) + #2751: Add 
'ValueInstantiator.createContextual(...) + #2761: Support multiple names in 'JsonSubType.Type' + #2775: Disabling 'FAIL_ON_INVALID_SUBTYPE' breaks polymorphic deserialization of Enums + #2776: Explicitly fail (de)serialization of 'org.joda.time.*' types in absence of registered custom (de)serializers + #2784: Trailing zeros are stripped when deserializing BigDecimal values inside a @JsonUnwrapped property + #2800: Extract getter/setter/field name mangling from 'BeanUtil' into pluggable 'AccessorNamingStrategy' + #2804: Throw 'InvalidFormatException' instead of 'MismatchedInputException' for ACCEPT_FLOAT_AS_INT coercion failures + #2871: Add '@JsonKey' annotation (similar to '@JsonValue') for customizable serialization of Map keys + #2873: 'MapperFeature.ACCEPT_CASE_INSENSITIVE_ENUMS' should work for enum as keys + #2879: Add support for disabling special handling of "Creator properties" wrt alphabetic property ordering + #2885: Add 'JsonNode.canConvertToExactIntegral()' to indicate whether floating-point/BigDecimal values could be converted to integers losslessly + #2895: Improve static factory method generic type resolution logic + #2903: Allow preventing "Enum from integer" coercion using new 'CoercionConfig' system + #2909: '@JsonValue' not considered when evaluating inclusion + #2910: Make some java platform modules optional + #2925: Add support for serializing 'java.sql.Blob' + #2928: 'AnnotatedCreatorCollector' should avoid processing synthetic static (factory) methods + #2931: Add errorprone static analysis profile to detect bugs at build time + #2932: Problem with implicit creator name detection for constructor detection + Add 'BeanDeserializerBase.isCaseInsensitive()' + Some refactoring of 'CollectionDeserializer' to solve CSV array handling issues + Full "LICENSE" included in jar for easier access by compliancy tools * 2.11.4 (12-Dec-2020) + #2894: Fix type resolution for static methods (regression in 2.11.3 due to #2821 fix) + #2944: '@JsonCreator' on 
constructor not compatible with '@JsonIdentityInfo', 'PropertyGenerator' + Add debug improvements wrt [#2807] ('ClassUtil.getClassMethods()') * 2.11.3 (02-Oct-2020) + #2795: Cannot detect creator arguments of mixins for JDK types + #2815: Add 'JsonFormat.Shape' awareness for UUID serialization ('UUIDSerializer') + #2821: Json serialization fails or a specific case that contains generics and static methods with generic parameters (2.11.1 -> 2.11.2 regression) + #2822: Using JsonValue and JsonFormat on one field does not work as expected + #2840: 'ObjectMapper.activateDefaultTypingAsProperty()' is not using parameter 'PolymorphicTypeValidator' + #2846: Problem deserialization "raw generic" fields (like 'Map') in 2.11.2 + Fix issues with 'MapLikeType.isTrueMapType()', 'CollectionLikeType.isTrueCollectionType()' * 2.11.2 (02-Aug-2020) + #2783: Parser/Generator features not set when using 'ObjectMapper.createParser()', 'createGenerator()' + #2785: Polymorphic subtypes not registering on copied ObjectMapper (2.11.1) + #2789: Failure to read AnnotatedField value in Jackson 2.11 + #2796: 'TypeFactory.constructType()' does not take 'TypeBindings' correctly * 2.11.1 (25-Jun-2020) + #2486: Builder Deserialization with JsonCreator Value vs Array + #2725: JsonCreator on static method in Enum and Enum used as key in map fails randomly + #2755: 'StdSubtypeResolver' is not thread safe (possibly due to copy not being made with 'ObjectMapper.copy()') + #2757: "Conflicting setter definitions for property" exception for 'Map' subtype during deserialization + #2758: Fail to deserialize local Records + #2759: Rearranging of props when property-based generator is in use leads to incorrect output + #2760: Jackson doesn't respect 'CAN_OVERRIDE_ACCESS_MODIFIERS=false' for deserializer properties + #2767: 'DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS' don't support 'Map' type field + #2770: JsonParser from MismatchedInputException cannot getText() for floating-point value * 2.11.0 
(26-Apr-2020) + #953: i-I case conversion problem in Turkish locale with case-insensitive deserialization + #962: '@JsonInject' fails on trying to find deserializer even if inject-only + #1983: Polymorphic deserialization should handle case-insensitive Type Id property name if 'MapperFeature.ACCEPT_CASE_INSENSITIVE_PROPERTIES' is enabled + #2049: TreeTraversingParser and UTF8StreamJsonParser create contexts differently + #2352: Support use of '@JsonAlias' for enum values + #2365: 'declaringClass' of "enum-as-POJO" not removed for 'ObjectMapper' with a naming strategy + #2480: Fix 'JavaType.isEnumType()' to support sub-classes + #2487: BeanDeserializerBuilder Protected Factory Method for Extension + #2503: Support '@JsonSerialize(keyUsing)' and '@JsonDeserialize(keyUsing)' on Key class + #2511: Add 'SerializationFeature.WRITE_SELF_REFERENCES_AS_NULL' + #2515: 'ObjectMapper.registerSubtypes(NamedType...)' doesn't allow registering same POJO for two different type ids + #2522: 'DeserializationContext.handleMissingInstantiator()' throws 'MismatchedInputException' for non-static inner classes + #2525: Incorrect 'JsonStreamContext' for 'TokenBuffer' and 'TreeTraversingParser' + #2527: Add 'AnnotationIntrospector.findRenameByField()' to support Kotlin's "is-getter" naming convention + #2555: Use '@JsonProperty(index)' for sorting properties on serialization + #2565: Java 8 'Optional' not working with '@JsonUnwrapped' on unwrappable type + #2587: Add 'MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES' to allow blocking use of unsafe base type for polymorphic deserialization + #2589: 'DOMDeserializer': setExpandEntityReferences(false) may not prevent external entity expansion in all cases [CVE-2020-25649] + #2592: 'ObjectMapper.setSerializationInclusion()' is ignored for 'JsonAnyGetter' + #2608: 'ValueInstantiationException' when deserializing using a builder and 'UNWRAP_SINGLE_VALUE_ARRAYS' + #2627: JsonIgnoreProperties(ignoreUnknown = true) does not work on field and 
method level + #2632: Failure to resolve generic type parameters on serialization + #2635: JsonParser cannot getText() for input stream on MismatchedInputException + #2636: ObjectReader readValue lacks Class argument + #2643: Change default textual serialization of 'java.util.Date'/'Calendar' to include colon in timezone offset + #2647: Add 'ObjectMapper.createParser()' and 'createGenerator()' methods + #2657: Allow serialization of 'Properties' with non-String values + #2663: Add new factory method for creating custom 'EnumValues' to pass to 'EnumDeserializer + #2668: 'IllegalArgumentException' thrown for mismatched subclass deserialization + #2693: Add convenience methods for creating 'List', 'Map' valued 'ObjectReader's (ObjectMapper.readerForListOf()) + Add 'SerializerProvider.findContentValueSerializer()' methods - Rewrite to use ant for building in order to be able to use it in packages that have to be built before maven * #2589: 'DOMDeserializer': setExpandEntityReferences(false) may [#2101]: 'FAIL_ON_NULL_FOR_PRIMITIVES' failure does not indicate field name in exception message [#2556]: Contention in 'TypeNameIdResolver.idFromClass()' [#2560]: Check 'WRAP_EXCEPTIONS' in 'CollectionDeserializer.handleNonArray()' [#2564]: Fix 'IllegalArgumentException' on empty input collection for 'ArrayBlockingQueue' [#2566]: 'MissingNode.toString()' returns 'null' (4 character token) instead of empty string [#2573]: Problem with 'JsonInclude' config overrides for 'java.util.Map' [#2576]: Fail to serialize 'Enum' instance which includes a method override Fix an issue with 'ObjectReader.with(JsonParser.Feature)' (and related) not working ----------------------------------------------------------------------------- o Updated jackson-dataformats-binary (security/bugfix/feature) - Version update to 2.13.0 * 2.13.0 (30-Sep-2021) + #239: (cbor) Should validate UTF-8 multi-byte validity for short decode path too + #248: (ion) Deprecate 'CloseSafeUTF8Writer', remove use + #252: 
(smile) Make 'SmileFactory' support 'JsonFactory.Feature.CANONICALIZE_FIELD_NAMES' + #253: (cbor) Make 'CBORFactory' support 'JsonFactory.Feature.CANONICALIZE_FIELD_NAMES' + #264: (cbor) Handle case of BigDecimal with Integer.MIN_VALUE for scale gracefully + #272: (cbor) Uncaught exception in CBORParser._nextChunkedByte2 (by ossfuzzer) + #273: (cbor) Another uncaught exception in CBORParser._nextChunkedByte2 (by ossfuzzer) + #276: (smile) Add 'SmileGenerator.Feature.LENIENT_UTF_ENCODING' for lenient handling of broken Unicode surrogate pairs on writing + #283: (avro) Add 'logicalType' support for some 'java.time' types; add 'AvroJavaTimeModule' for native ser/deser + #284: Support base64 strings in 'getBinaryValue()' for CBOR and Smile + #289: (cbor) 'ArrayIndexOutOfBounds' for truncated UTF-8 name + #290: (avro) Generate logicalType switch + #291: (smile) 'ArrayIndexOutOfBounds' for truncated UTF-8 name + #295: (ion) 'jackson-dataformat-ion' does not handle null.struct deserialization correctly + 'Ion-java' dep 1.4.0 -> 1.8.0 + Minor change to Ion module registration names (fully-qualified) * 2.12.4 (06-Jul-2021) + #287: (cbor) Uncaught exception in CBORParser._nextChunkedByte2 (by ossfuzzer) + #288: (cbor) Uncaught exception in CBORParser._findDecodedFromSymbols() (by ossfuzzer) * 2.12.3 (12-Apr-2021) + #257: (smile) Uncaught validation problem wrt Smile "BigDecimal" type + #258: (smile) ArrayIndexOutOfBoundsException for malformed Smile header + #259: (cbor) Failed to handle case of alleged String with length of Integer.MAX_VALUE + #260: (smile) Allocate byte[] lazily for longer Smile binary data payloads + #261 (cbor) CBORParser need to validate zero-length byte[] for BigInteger + #263: (smile) Handle invalid chunked-binary-format length gracefully + #265: (smile) Allocate byte[] lazily for longer Smile binary data payloads (7-bit encoded) + #266: (smile) ArrayIndexOutOfBoundsException in SmileParser._decodeShortUnicodeValue() + #268: (smile) Handle sequence of 
Smile header markers without recursion + #269: (cbor) CBOR loses 'Map' entries with specific 'long' Map key values (32-bit boundary) + #270: (ion) Ion Polymorphic deserialization in 2.12 breaks wrt use of Native Type Ids when upgrading from 2.8 * 2.12.2 (03-Mar-2021) + #236: (cbor) 'ArrayIndexOutOfBoundsException' in 'CBORParser' for invalid UTF-8 String + #240: (cbor) Handle invalid CBOR content like '[0x84]' (incomplete array) + #241: (ion) Respect 'WRITE_ENUMS_USING_TO_STRING' in 'EnumAsIonSymbolSerializer' + #242: (ion) Add support for generating IonSexps + #244: (ion) Add support for deserializing IonTimestamps and IonBlobs + #246: (ion) Add 'IonObjectMapper.builderForBinaryWriters()' / '.builderforTextualWriters()' convenience methods + #247: (ion) Enabling pretty-printing fails Ion serialization * 2.12.1 (08-Jan-2021) + #232: (ion) Allow disabling native type ids in IonMapper + #235: (smile) Small bug in byte-alignment for long field names in Smile, symbol table reuse * 2.12.0 (29-Nov-2020) + #204: (ion) Add 'IonFactory.getIonSystem()' accessor + #212: (ion) Optimize 'IonParser.getNumberType()' using 'IonReader.getIntegerSize()' + #222: (cbor) Add 'CBORGenerator.Feature.LENIENT_UTF_ENCODING' for lenient handling of Unicode surrogate pairs on writing + #228: (cbor) Add support for decoding unassigned "simple values" (type 7) + Add Gradle Module Metadata (https://blog.gradle.org/alignment-with-gradle-module-metadata) * 2.11.4 (12-Dec-2020) + #186: (cbor) Eager allocation of byte buffer can cause 'java.lang.OutOfMemoryError' exception (CVE-2020-28491) * 2.11.3 (02-Oct-2020) + #219: (avro) Cache record names to avoid hitting class loader * 2.11.2 (02-Aug-2020) + #216: (avro) Avro null deserialization * 2.11.1 (25-Jun-2020) + #204: (ion) Add 'IonFactory.getIonSystem()' accessor * 2.11.0 (26-Apr-2020) + #179: (avro) Add 'AvroGenerator.canWriteBinaryNatively()' to support binary writes, fix 'java.util.UUID' representation + #192: (ion) Allow 'IonObjectMapper' with 
class name annotation introspector to deserialize generic subtypes + #195: Remove dependencies upon Jackson 1.X and Avro's JacksonUtils + #198: 'jackson-databind' should not be full dependency for (cbor, protobuf, smile) modules + #201: 'CBORGenerator.Feature.WRITE_MINIMAL_INTS' does not write most compact form for all integers + 'AvroGenerator' overrides 'getOutputContext()' properly * 2.10.5 (21-Jul-2020) + #204: (ion) Add 'IonFactory.getIonSystem()' accessor + #211: (avro) Fix schema evolution involving maps of non-scalar * 2.10.4 (03-May-2020) + #202: (protobuf) Parsing a protobuf message doesn't properly skip unknown fields * 2.10.2 (05-Jan-2020) + #189: (ion) IonObjectMapper close()s the provided IonWriter unnecessarily + ion-java dependency 1.4.0 -> 1.5.1 - Remove plugins unnecessary for RPM builds org.moditect:moditect-maven-plugin + #185: Internal parsing of tagged arrays can lead to stack overflow + #188: Unexpected 'MismatchedInputException' for 'byte[]' value bound to 'String' in collection/array + #139: (cbor) Incorrect decimal fraction representation + #148: (protobuf) Add 'ProtobufMapper.generateSchemaFor(TypeReference)' overload + #155: (cbor, smile) Inconsistent support for FLUSH_PASSED_TO_STREAM + #157: (all) Add simple module-info for JDK9+, using Moditect + #163: (ion) Update 'ion-java' dependency + #168: (avro) 'JsonMappingException' for union types with multiple Record types + #173: (avro) Improve Union type serialization performance + #177: (avro) Deserialization of "empty" Records as root values fails + #178: (cbor) Fix issue wit input offsets when parsing CBOR from 'InputStream' + #180: (protobuf) Add 'ProtobufGenerator.canWriteBinaryNatively()' to support binary writes + asm version upgrade to 6.2.1 (from 5.1) + (cbor, smile) Rewrote handling of "output context" for better field id write support + #159: (cbor) Some short UTF Strings encoded using non-canonical form + #161: (avro) Deserialize from newer version to older one throws 
NullPointerException + #140: (protobuf) Stack overflow when generating Protobuf schema on class with cyclic type definition + #153: (smile) Unable to set a compression input/output decorator to a 'SmileFactory' + #142: (ion) 'IonParser.getNumberType()' returns 'null' for 'IonType.FLOAT' + #150: Add 'CBORMapper' + #151: Add 'SmileMapper' + #93: (cbor) 'CBORParser' does not accept "undefined value" + #135: (protobuf) Infinite sequence of 'END_OBJECT' tokens returned at end of streaming read + #136: (avro) Fix MapWriteContext not correctly resolving union values + #128 (protobuf) Fix skip unknown WireType.FIXED_64BIT value bug + #129 (cbor) Remove "final" modifier from 'CBORParser' ----------------------------------------------------------------------------- o Updated jasper (security/bugfix/feature) - security update: * CVE-2022-2963 [bsc#1202642] + jasper-CVE-2022-2963.patch ----------------------------------------------------------------------------- o Updated java-11-openjdk (security/bugfix/feature) - Update to upstream tag jdk-11.0.17+8 (October 2022 CPU) * Security fixes: + JDK-8289366, bsc#1204480, CVE-2022-39399: Improve HTTP/2 client usage + JDK-8288508: Enhance ECDSA usage + JDK-8286918, bsc#1204472, CVE-2022-21628: Better HttpServer service + JDK-8287446, bsc#1204475, CVE-2022-21624: Enhance icon presentations + JDK-8286910: Improve JNDI lookups + JDK-8286511: Improve macro allocation + JDK-8286526, bsc#1204473, CVE-2022-21619: Improve NTLM support + JDK-8286533, bsc#1204471, CVE-2022-21626: Key X509 usages + JDK-8286077, bsc#1204468, CVE-2022-21618: Wider MultiByte conversions + JDK-8286519: Better memory handling + JDK-8285662: Better permission resolution + JDK-8282252: Improve BigInteger/Decimal validation + JDK-8289853: Update HarfBuzz to 4.4.1 + JDK-8290334: Update FreeType to 2.12.1 + JDK-8293429: [11u] minor update in attribute style * Other fixes: + JDK-6606767: resexhausted00[34] fail assert(!thread->owns_locks(), "must release all locks when 
leaving VM") + JDK-6854300: [TEST_BUG] java/awt/event/MouseEvent/SpuriousExitEnter/SpuriousExitEnter_3.java fails in jdk6u14 & jdk7 + JDK-7131823: bug in GIFImageReader + JDK-8017175: [TESTBUG] javax/swing/JPopupMenu/4634626/bug4634626.java sometimes failed on mac + JDK-8028265: Add legacy tz tests to OpenJDK + JDK-8069343: Improve gc/g1/TestHumongousCodeCacheRoots.java to use jtreg @requires + JDK-8139348: Deprecate 3DES and RC4 in Kerberos + JDK-8159694: HiDPI, Unity, java/awt/dnd/DropTargetEnterExitTest/MissedDragExitTest.java + JDK-8164804: sun/security/ssl/SSLSocketImpl/CloseSocket.java makes not reliable time assumption + JDK-8169468: NoResizeEventOnDMChangeTest.java fails because FS Window didn't receive all resizes! + JDK-8172065: javax/swing/JTree/4908142/bug4908142.java The selected index should be "aad" + JDK-8183372: Refactor java/lang/Class shell tests to java + JDK-8186143: keytool -ext option doesn't accept wildcards for DNS subject alternative names + JDK-8193462: Fix Filer handling of package-info initial elements + JDK-8203277: preflow visitor used during lambda attribution shouldn't visit class definitions inside the lambda body + JDK-8208471: nsk/jdb/unwatch/unwatch002/unwatch002.java fails with "Prompt is not received during 300200 milliseconds" + JDK-8209052: Low contrast in docs/api/constant-values.html + JDK-8209736: runtime/RedefineTests/ModifyAnonymous.java fails with NullPointerException when running in CDS mode + JDK-8210107: vmTestbase/nsk/stress/network tests fail with Cannot assign requested address (Bind failed) + JDK-8210722: JAXP Tests: CatalogSupport2 and CatalogSupport3 generate incorrect messages upon failure + JDK-8210960: Allow --with-boot-jdk-jvmargs to work during configure + JDK-8212904: JTextArea line wrapping incorrect when using UI scale + JDK-8213695: gc/TestAllocateHeapAtMultiple.java is slow in some configs + JDK-8214078: (fs) SecureDirectoryStream not supported on arm32 + JDK-8214427: probable bug in logic of
ConcurrentHashMap.addCount() + JDK-8215291: Broken links when generating from project without modules + JDK-8217170: gc/arguments/TestUseCompressedOopsErgo.java timed out + JDK-8217332: JTREG: Clean up, use generics instead of raw types + JDK-8218128: vmTestbase/nsk/jvmti/ResourceExhausted/resexhausted003 and 004 use wrong path to test classes + JDK-8218413: make reconfigure ignores configure-time AUTOCONF environment variable + JDK-8219074: [TESTBUG] runtime/containers/docker/TestCPUAwareness.java typo of printing parameters (period should be shares) + JDK-8219149: ProcessTools.ProcessBuilder should print timing info for subprocesses + JDK-8220744: [TESTBUG] Move RedefineTests from runtime to serviceability + JDK-8221871: javadoc should not set role=region on
elements + JDK-8221907: make reconfigure breaks when configured with relative paths + JDK-8223543: [TESTBUG] Regression test java/awt/Graphics2D/DrawString/LCDTextSrcEa.java has issues + JDK-8223575: add subspace transitions to gc+metaspace=info log lines + JDK-8225122: Test AncestorResized.java fails when Windows desktop is scaled. + JDK-8226976: SessionTimeOutTests uses == operator for String value check + JDK-8230708: Hotspot fails to build on linux-sparc with gcc-9 + JDK-8233712: Limit default tests jobs based on ulimit -u setting + JDK-8235870: C2 crashes in IdealLoopTree::est_loop_flow_merge_sz() + JDK-8236490: Compiler bug relating to @NonNull annotation + JDK-8236823: Ensure that API documentation uses minified libraries + JDK-8238203: Return value of GetUserDefaultUILanguage() should be handled as LANGID + JDK-8238268: Many SA tests are not running on OSX because they do not attempt to use sudo when available + JDK-8238196: tests that use SA Attach should not be allowed to run against signed binaries on Mac OS X 10.14.5 and later + JDK-8238586: [TESTBUG] vmTestbase/jit/tiered/Test.java failed when TieredCompilation is disabled + JDK-8239265: JFR: Test cleanup of jdk.jfr.api.consumer package + JDK-8239379: ProblemList serviceability/sa/sadebugd/DebugdConnectTest.java on OSX + JDK-8271512: ProblemList serviceability/sa/sadebugd/DebugdConnectTest.java due to 8270326 + JDK-8239423: jdk/jfr/jvm/TestJFRIntrinsic.java failed with -XX:-TieredCompilation + JDK-8239902: [macos] Remove direct usage of JSlider, JProgressBar classes in CAccessible class + JDK-8240903: Add test to check that jmod hashes are reproducible + JDK-8242188: error in jtreg test jdk/jfr/api/consumer/TestRecordedFrame.java on linux-aarch64 + JDK-8247546: Pattern matching does not skip correctly over supplementary characters + JDK-8247907: XMLDsig logging does not work + JDK-8247964: All log0() in com/sun/org/slf4j/internal/Logger.java should be private + JDK-8249623: test @ignore-d due to
7013634 should be returned back to execution + JDK-8251152: ARM32: jtreg c2 Test8202414 test crash + JDK-8251551: Use .md filename extension for README + JDK-8252145: Unify Info.plist files with correct version strings + JDK-8253829: Wrong length compared in SSPI bridge + JDK-8253916: ResourceExhausted/resexhausted001 crashes on Linux-x64 + JDK-8254178: Remove .hgignore + JDK-8254318: Remove .hgtags + JDK-8255724: [XRender] the BlitRotateClippedArea test fails on Linux in the XR pipeline + JDK-8255729: com.sun.tools.javac.processing.JavacFiler.FilerOutputStream is inefficient + JDK-8257623: vmTestbase/nsk/jvmti/ResourceExhausted/resexhausted001/TestDescription.java shouldn't use timeout + JDK-8258946: Fix optimization-unstable code involving signed integer overflow + JDK-8261160: Add a deserialization JFR event + JDK-8262085: Hovering Metal HTML Tooltips in different windows cause IllegalArgExc on Linux + JDK-8264400: (fs) WindowsFileStore equality depends on how the FileStore was constructed + JDK-8264792: The NumberFormat for locale sq_XK formats price incorrectly.
+ JDK-8265100: (fs) WindowsFileStore.hashCode() should read cached hash code once + JDK-8265531: doc/building.md should mention homebrew install freetype + JDK-8266250: WebSocketTest and WebSocketProxyTest call assertEquals(List, List) + JDK-8266254: Update to use jtreg 6 8265020: tests must be updated for new TestNG module name + JDK-8266460: java.io tests fail on null stream with upgraded jtreg/TestNG + JDK-8266461: tools/jmod/hashes/HashesTest.java fails: static @Test methods 8267180: Typo in copyright header for HashesTest + JDK-8266490: Extend the OSContainer API to support the pids controller of cgroups + JDK-8266675: Optimize IntHashTable for encapsulation and ease of use + JDK-8266774: System property values for stdout/err on Windows UTF-8 + JDK-8266881: Enable debug log for SSLEngineExplorerMatchedSNI.java + JDK-8267271: Fix gc/arguments/TestNewRatioFlag.java expectedNewSize calculation + JDK-8267880: Upgrade the default PKCS12 MAC algorithm + JDK-8268185: Update GitHub Actions for jtreg 6 + JDK-8269039: Disable SHA-1 Signed JARs + JDK-8269517: compiler/loopopts/TestPartialPeelingSinkNodes.java crashes with -XX:+VerifyGraphEdges + JDK-8270090: C2: LCM may prioritize CheckCastPP nodes over projections + JDK-8270312: Error: Not a test or directory containing tests: java/awt/print/PrinterJob/XparColor.java + JDK-8271010: vmTestbase/gc/lock/malloc/malloclock04/TestDescription.java crashes intermittently + JDK-8271078: jdk/incubator/vector/Float128VectorTests.java failed a subtest + JDK-8272352: Java launcher can not parse Chinese character when system locale is set to UTF-8 + JDK-8272398: Update DockerTestUtils.buildJdkDockerImage() + JDK-8273526: Extend the OSContainer API pids controller with pids.current + JDK-8274506: TestPids.java and TestPidsLimit.java fail with podman run as root + JDK-8274517: java/util/DoubleStreamSums/CompensatedSums.java fails with expected [true] but found [false] + JDK-8274687: JDWP deadlocks if some Java thread reaches wait
in blockOnDebuggerSuspend + JDK-8275008: gtest build failure due to stringop-overflow warning with gcc11 + JDK-8275689: [TESTBUG] Use color tolerance only for XRender in BlitRotateClippedArea test + JDK-8275887: jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled + JDK-8277893: Arraycopy stress tests + JDK-8278067: Make HttpURLConnection default keep alive timeout configurable + JDK-8278344: sun/security/pkcs12/KeytoolOpensslInteropTest.java test fails because of different openssl output + JDK-8278519: serviceability/jvmti/FieldAccessWatch/FieldAccessWatch.java failed "assert(handle != __null) failed: JNI handle should not be null" + JDK-8279032: compiler/loopopts/TestSkeletonPredicateNegation.java times out with -XX:TieredStopAtLevel < 4 + JDK-8279385: [test] Adjust sun/security/pkcs12/KeytoolOpensslInteropTest.java after 8278344 + JDK-8279622: C2: miscompilation of map pattern as a vector reduction + JDK-8280913: Create a regression test for JRootPane.setDefaultButton() method + JDK-8281181: Do not use CPU Shares to compute active processor count + JDK-8281535: Create a regression test for JDK-4670051 + JDK-8281569: Create tests for Frame.setMinimumSize() method + JDK-8281628: KeyAgreement : generateSecret intermittently not resetting + JDK-8281738: Create a regression test for checking the 'Space' key activation of focused Button + JDK-8281745: Create a regression test for JDK-4514331 + JDK-8281988: Create a regression test for JDK-4618767 + JDK-8282214: Upgrade JQuery to version 3.6.0 + JDK-8282234: Create a regression test for JDK-4532513 + JDK-8282280: Update Xerces to Version 2.12.2 + JDK-8282343: Create a regression test for JDK-4518432 + JDK-8282538: PKCS11 tests fail on CentOS Stream 9 + JDK-8282548: Create a regression test for JDK-4330998 + JDK-8282555: Missing memory edge when spilling MoveF2I, MoveD2L etc + JDK-8282789: Create a regression test for the JTree usecase of JDK-4618767 + JDK-8282860: Write a
regression test for JDK-4164779 + JDK-8282933: Create a test for JDK-4529616 + JDK-8282947: JFR: Dump on shutdown live-locks in some conditions + JDK-8283015: Create a test for JDK-4715496 + JDK-8283017: GHA: Workflows break with update release versions + JDK-8283087: Create a test or JDK-4715503 + JDK-8283245: Create a test for JDK-4670319 + JDK-8283277: ISO 4217 Amendment 171 Update + JDK-8283441: C2: segmentation fault in ciMethodBlocks::make_block_at(int) + JDK-8283493: Create an automated regression test for RFE 4231298 + JDK-8283507: Create a regression test for RFE 4287690 + JDK-8283621: Write a regression test for CCC4400728 + JDK-8283623: Create an automated regression test for JDK-4525475 + JDK-8283624: Create an automated regression test for RFE-4390885 + JDK-8283803: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/PrintGlyphVectorTest.java and fix test + JDK-8284898: Enhance PassFailJFrame + JDK-8283849: AsyncGetCallTrace may crash JVM on guarantee + JDK-8283903: GetContainerCpuLoad does not return the correct result in share mode + JDK-8284077: Create an automated test for JDK-4170173 + JDK-8284367: JQuery UI upgrade from 1.12.1 to 1.13.1 + JDK-8284535: Fix PrintLatinCJKTest.java test that is failing with Parse Exception + JDK-8283712: Create a manual test framework class + JDK-8284680: sun.font.FontConfigManager.getFontConfig() leaks charset + JDK-8284694: Avoid evaluating SSLAlgorithmConstraints twice + JDK-8284754: print more interesting env variables in hs_err and VM.info + JDK-8284758: [linux] improve print_container_info + JDK-8284882: SIGSEGV in Node::verify_edges due to compilation bailout + JDK-8284944: assert(cnt++ < 40) failed: infinite cycle in loop optimization + JDK-8284950: CgroupV1 detection code should consider memory.swappiness + JDK-8284956: Potential leak awtImageData/color_data when initializes X11GraphicsEnvironment + JDK-8285081: Improve XPath operators count accuracy + JDK-8285097: Duplicate XML keys in 
XPATHErrorResources.java and XSLTErrorResources.java + JDK-8285380: Fix typos in security + JDK-8285398: Cache the results of constraint checks + JDK-8285693: Create an automated test for JDK-4702199 + JDK-8285696: AlgorithmConstraints:permits not throwing IllegalArgumentException when 'alg' is null + JDK-8285728: Alpine Linux build fails with busybox tar + JDK-8285820: C2: LCM prioritizes locally dependent CreateEx nodes over projections after 8270090 + JDK-8286114: [test] show real exception in bomb call in sun/rmi/runtime/Log/checkLogging/CheckLogging.java + JDK-8286177: C2: "failed: non-reduction loop contains reduction nodes" assert failure + JDK-8286211: Update PCSC-Lite for Suse Linux to 1.9.5 + JDK-8286314: Trampoline not created for far runtime targets outside small CodeCache + JDK-8286582: Build fails on macos aarch64 when using --with-zlib=bundled + JDK-8287017: Bump update version for OpenJDK: jdk-11.0.17 + JDK-8287073: NPE from CgroupV2Subsystem.getInstance() + JDK-8287107: CgroupSubsystemFactory.setCgroupV2Path asserts with freezer controller + JDK-8287202: GHA: Add macOS aarch64 to the list of default platforms for workflow_dispatch event + JDK-8287223: C1: Inlining attempt through MH::invokeBasic() with null receiver + JDK-8287336: GHA: Workflows break on patch versions + JDK-8287366: Improve test failure reporting in GHA + JDK-8287432: C2: assert(tn->in(0) != __null) failed: must have live top node + JDK-8287463: JFR: Disable TestDevNull.java on Windows + JDK-8287663: Add a regression test for JDK-8287073 + JDK-8287672: jtreg test com/sun/jndi/ldap/LdapPoolTimeoutTest.java fails intermittently in nightly run + JDK-8287741: Fix of JDK-8287107 (unused cgv1 freezer controller) was incomplete + JDK-8288360: CI: ciInstanceKlass::implementor() is not consistent for well-known classes + JDK-8288467: remove memory_operand assert for spilled instructions + JDK-8288754: GCC 12 fails to build zReferenceProcessor.cpp + JDK-8288763: Pack200 extraction
failure with invalid size + JDK-8288781: C1: LIR_OpVisitState::maxNumberOfOperands too small + JDK-8288865: [aarch64] LDR instructions must use legitimized addresses + JDK-8288928: Incorrect GPL header in pnglibconf.h (backport of JDK-8185041) + JDK-8289471: Issue in Initialization of keys in ErrorMsg.java and XPATHErrorResources.java + JDK-8289477: Memory corruption with CPU_ALLOC, CPU_FREE on muslc + JDK-8289486: Improve XSLT XPath operators count efficiency + JDK-8289549: ISO 4217 Amendment 172 Update + JDK-8289569: [test] java/lang/ProcessBuilder/Basic.java fails on Alpine/musl + JDK-8289799: Build warning in methodData.cpp memset zero-length parameter + JDK-8289856: [PPC64] SIGSEGV in C2Compiler::init_c2_runtime() after JDK-8289060 + JDK-8290000: Bump macOS GitHub actions to macOS 11 + JDK-8290004: [PPC64] JfrGetCallTrace: assert(_pc != nullptr) failed: must have PC + JDK-8290198: Shenandoah: a few Shenandoah tests failure after JDK-8214799 11u backport + JDK-8290246: test fails "assert(init != __null) failed: initialization not found" + JDK-8290813: jdk/nashorn/api/scripting/test/ScriptObjectMirrorTest.java fails: assertEquals is ambiguous + JDK-8290886: [11u]: Backport of JDK-8266250 introduced test failures + JDK-8291570: [TESTBUG] Part of JDK-8250984 absent from 11u + JDK-8291713: assert(!phase->exceeding_node_budget()) failed: sanity after JDK-8223389 + JDK-8291794: [11u] Corrections after backport of JDK-8212028 + JDK-8292255: Bump update version for OpenJDK: jdk-11.0.16.1 + JDK-8292260: [BACKOUT] JDK-8279219: [REDO] C2 crash when allocating array of size too large (bsc#1204523) + JDK-8292579: (tz) Update Timezone Data to 2022c + JDK-8292852: [11u] TestMemoryWithCgroupV1 fails after JDK-8292768 + JDK-8295057: [11u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 11.0.17 - Modified patch: * fips.patch + sync with newest RedHat version - Package the JAVA_HOME/release files in *-headless package * fixes boo#1203476 - Update to upstream tag
jdk-11.0.16+8 (July 2022 CPU) * Security fixes: + JDK-8272243: Improve DER parsing + JDK-8272249: Better properties of loaded Properties + JDK-8277608: Address IP Addressing + JDK-8281859, CVE-2022-21540, bsc#1201694: Improve class compilation + JDK-8281866, CVE-2022-21541, bsc#1201692: Enhance MethodHandle invocations + JDK-8283190: Improve MIDI processing + JDK-8284370: Improve zlib usage + JDK-8285407, CVE-2022-34169, bsc#1201684: Improve Xalan supports * Other fixes: + JDK-6986863: ProfileDeferralMgr throwing ConcurrentModificationException + JDK-7124293: [macosx] VoiceOver reads percentages rather than the actual values for sliders. + JDK-7124301: [macosx] When in a tab group if you arrow between tabs there are no VoiceOver announcements. + JDK-8133713: [macosx] Accessible JTables always reported as empty + JDK-8139046: Compiler Control: IGVPrintLevel directive should set PrintIdealGraph + JDK-8139173: [macosx] JInternalFrame shadow is not properly drawn + JDK-8163498: Many long-running security libs tests + JDK-8166727: javac crashed: [jimage.dll+0x1942] ImageStrings::find+0x28 + JDK-8169004: Fix redundant @requires tags in tests + JDK-8181571: printing to CUPS fails on mac sandbox app + JDK-8182404: remove jdk.testlibrary.JDKToolFinder and JDKToolLauncher + JDK-8186548: move jdk.testlibrary.JcmdBase closer to tests + JDK-8192057: com/sun/jdi/BadHandshakeTest.java fails with java.net.ConnectException + JDK-8193682: Infinite loop in ZipOutputStream.close() + JDK-8199874: [TESTBUG] runtime/Thread/ThreadPriorities.java fails with "expected 0 to equal 10" + JDK-8202886: [macos] Test java/awt/MenuBar/8007006/bug8007006.java fails on MacOS + JDK-8203238: [TESTBUG] rewrite MemOptions shell test in Java + JDK-8203239: [TESTBUG] remove vmTestbase/vm/gc/kind/parOld test + JDK-8206187: javax/management/remote/mandatory/connection/DefaultAgentFilterTest.java fails with Port already in use + JDK-8206330: Revisit com/sun/jdi/RedefineCrossEvent.java + JDK-8207364:
nsk/jvmti/ResourceExhausted/resexhausted003 fails to start + JDK-8208207: Test nsk/stress/jni/gclocker/gcl001 fails after co-location + JDK-8208246: flags duplications in vmTestbase_vm_g1classunloading tests + JDK-8208249: TriggerUnloadingByFillingMetaspace generates garbage class names + JDK-8208697: vmTestbase/metaspace/stressHierarchy/stressHierarchy012/TestDescription.java fails with OutOfMemoryError: Metaspace + JDK-8209150: [TESTBUG] Add logging to verify JDK-8197901 to a different test + JDK-8209776: Refactor jdk/security/JavaDotSecurity/ifdefs.sh to plain java test + JDK-8209883: ZGC: Compile without C1 broken + JDK-8209920: runtime/logging/RedefineClasses.java fail with OOME with ZGC + JDK-8210022: remove jdk.testlibrary.ProcessThread, TestThread and XRun + JDK-8210039: move OSInfo to top level testlibrary + JDK-8210108: sun/tools/jstatd test build failures after JDK-8210022 + JDK-8210112: remove jdk.testlibrary.ProcessTools + JDK-8210649: AssertionError @ jdk.compiler/com.sun.tools.javac.comp.Modules.enter (Modules.java:244) + JDK-8210732: remove jdk.testlibrary.Utils + JDK-8211795: ArrayIndexOutOfBoundsException in PNGImageReader after JDK-6788458 + JDK-8211822: Some tests fail after JDK-8210039 + JDK-8211962: Implicit narrowing in MacOSX java.desktop jsound + JDK-8212151: jdi/ExclusiveBind.java times out due to "bind failed: Address already in use" on Solaris-X64 + JDK-8213440: Lingering INCLUDE_ALL_GCS in test_oopStorage_parperf.cpp + JDK-8214275: CondyRepeatFailedResolution asserts "Dynamic constant has no fixed basic type" + JDK-8214799: Add package declaration to each JTREG test case in the gc folder + JDK-8215544: SA: Modify ClhsdbLauncher to add sudo privileges to enable MacOS tests on Mach5 + JDK-8216137: assert(Compile::current()->live_nodes() < Compile::current()->max_node_limit()) failed: Live Node limit exceeded limit + JDK-8216265: [testbug] Introduce Platform.sharedLibraryPathVariableName() and adapt all tests.
+ JDK-8217017: [TESTBUG] Tests fail to compile after JDK-8216265 + JDK-8217233: Update build settings for AIX/xlc + JDK-8217340: Compilation failed: tools/launcher/Test7029048.java + JDK-8217473: SA: Tests using ClhsdbLauncher fail on SAP docker containers + JDK-8218136: minor hotspot adjustments for xlclang++ from xlc16 on AIX + JDK-8218751: Do not store original classfiles inside the CDS archive + JDK-8218965: aix: support xlclang++ in the compiler detection + JDK-8220658: Improve the readability of container information in the error log + JDK-8220813: update hotspot tier1_gc tests depending on GC to use @requires vm.gc.X + JDK-8222799: java.beans.Introspector uses an obsolete methods cache + JDK-8222926: Shenandoah build fails with --with-jvm-features=-compiler1 + JDK-8223143: Restructure/clean-up for 'loopexit_or_null()'. + JDK-8223363: Bad node estimate assertion failure + JDK-8223502: Node estimate for loop unswitching is not correct: assert(delta <= 2 * required) failed: Bad node estimate + JDK-8224648: assert(!exceeding_node_budget()) failed: Too many NODES required!
failure with ctw + JDK-8223389: Shenandoah optimizations fail with assert(!phase->exceeding_node_budget()) + JDK-8223396: [TESTBUG] several jfr tests do not clean up files created in /tmp + JDK-8225475: Node budget asserts on x86_32/64 + JDK-8227171: provide function names in native stack trace on aix with xlc16 + JDK-8227389: Remove unsupported xlc16 compile options on aix + JDK-8229210: [TESTBUG] Move gc stress tests from JFR directory tree to gc/stress + JDK-8229486: Replace wildcard address with loopback or local host in tests - part 21 + JDK-8229499: Node budget assert in fuzzed test + JDK-8230305: Cgroups v2: Container awareness + JDK-8229202: Docker reporting causes secondary crashes in error handling + JDK-8216366: Add rationale to PER_CPU_SHARES define + JDK-8230865: [TESTBUG] jdk/jfr/event/io/EvilInstrument.java fails at-run shell MakeJAR.sh target + JDK-8231111: Cgroups v2: Rework Metrics in java.base so as to recognize unified hierarchy + JDK-8231454: File lock in Windows on a loaded jar due to a leak in Introspector::getBeanInfo + JDK-8231489: GC watermark_0_1 failed due to "metaspace.gc.Fault: GC has happened too rare" + JDK-8231565: More node budget asserts in fuzzed tests + JDK-8233551: [TESTBUG] SelectEditTableCell.java fails on MacOS + JDK-8234382: Test tools/javac/processing/model/testgetallmembers/Main.java using too small heap + JDK-8234605: C2 failed "assert(C->live_nodes() - live_at_begin <= 2 * _nodes_required) failed: Bad node estimate: actual = 208 >> request = 101" + JDK-8234608: [TESTBUG] Fix G1 redefineClasses tests and a memory leak + JDK-8235220: ClhsdbScanOops.java fails with sun.jvm.hotspot.types.WrongTypeException + JDK-8235385: Crash on aarch64 JDK due to long offset + JDK-8237479: 8230305 causes slowdebug build failure + JDK-8239559: Cgroups: Incorrect detection logic on some systems + JDK-8239785: Cgroups: Incorrect detection logic on old systems in hotspot + JDK-8240132: ProblemList com/sun/jdi/InvokeHangTest.java + 
JDK-8240189: [TESTBUG] Some cgroup tests are failing after JDK-8231111 + JDK-8240335: C2: assert(found_sfpt) failed: no node in loop that's not input to safepoint + JDK-8240734: ModuleHashes attribute not reproducible between builds + JDK-8240756: [macos] SwingSet2:TableDemo:Printed Japanese characters were garbled + JDK-8241707: introduce randomness k/w to hotspot test suite + JDK-8242310: use reproducible random in hotspot compiler tests + JDK-8242311: use reproducible random in hotspot runtime tests + JDK-8242312: use reproducible random in hotspot gc tests + JDK-8242313: use reproducible random in hotspot svc tests + JDK-8242538: java/security/SecureRandom/ThreadSafe.java failed on windows + JDK-8243429: use reproducible random in :vmTestbase_nsk_stress + JDK-8243666: ModuleHashes attribute generated for JMOD and JAR files depends on timestamps + JDK-8244500: jtreg test error in test/hotspot/jtreg/containers/docker/TestMemoryAwareness.java + JDK-8244602: Add JTREG_REPEAT_COUNT to repeat execution of a test + JDK-8245543: Cgroups: Incorrect detection logic on some systems (still reproducible) + JDK-8245938: Remove unused print_stack(void) method from XToolkit.c + JDK-8246494: introduce vm.flagless at-requires property + JDK-8246741: NetworkInterface/UniqueMacAddressesTest: mac address uniqueness test failed + JDK-8247589: Implementation of Alpine Linux/x64 Port + JDK-8247591: Document Alpine Linux build steps in OpenJDK build guide + JDK-8247592: refactor test/jdk/tools/launcher/Test7029048.java + JDK-8247614: java/nio/channels/DatagramChannel/Connect.java timed out + JDK-8248876: LoadObject with bad base address created for exec file on linux + JDK-8249592: Robot.mouseMove moves cursor to incorrect location when display scale varies and Java runs in DPI Unaware mode + JDK-8252117: com/sun/jdi/BadHandshakeTest.java failed with "ConnectException: Connection refused: connect" + JDK-8252248: __SIGRTMAX is not declared in musl libc + JDK-8252250: isnanf is 
obsolete + JDK-8252359: HotSpot Not Identifying it is Running in a Container + JDK-8252957: Wrong comment in CgroupV1Subsystem::cpu_quota + JDK-8253435: Cgroup: 'stomping of _mount_path' crash if manually mounted cpusets exist + JDK-8253714: [cgroups v2] Soft memory limit incorrectly using memory.high + JDK-8253727: [cgroups v2] Memory and swap limits reported incorrectly + JDK-8253797: [cgroups v2] Account for the fact that swap accounting is disabled on some systems + JDK-8253872: ArgumentHandler must use the same delimiters as in jvmti_tools.cpp + JDK-8253939: [TESTBUG] Increase coverage of the cgroups detection code + JDK-8254001: [Metrics] Enhance parsing of cgroup interface files for version detection + JDK-8254887: C2: assert(cl->trip_count() > 0) failed: peeling a fully unrolled loop + JDK-8254997: Remove unimplemented OSContainer::read_memory_limit_in_bytes + JDK-8255266: Update Public Suffix List to 3c213aa + JDK-8255604: java/nio/channels/DatagramChannel/Connect.java fails with java.net.BindException: Cannot assign requested address: connect + JDK-8255787: Tag container tests that use cGroups with cgroups keyword + JDK-8256146: Cleanup test/jdk/java/nio/channels/DatagramChannel/Connect.java + JDK-8256722: handle VC++:1927 VS2019 in abstract_vm_version + JDK-8257794: Zero: assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1) failed: wrong on Linux/x86_32 + JDK-8258795: Update IANA Language Subtag Registry to Version 2021-05-11 + JDK-8258956: Memory Leak in StringCoding on ThreadLocal resultCached StringCoding.Result + JDK-8259517: Incorrect test path in test cases + JDK-8260518: Change default -mmacosx-version-min to 10.12 + JDK-8261169: Upgrade HarfBuzz to the latest 2.8.0 + JDK-8262379: Add regression test for JDK-8257746 + JDK-8263364: sun/net/www/http/KeepAliveStream/KeepAliveStreamCloseWithWrongContentLength.java wedged in getInputStream + JDK-8263718: unused-result warning happens at os_linux.cpp + JDK-8263856: Github Actions for 
macos/aarch64 cross-build + JDK-8264179: [TESTBUG] Some compiler tests fail when running without C2 + JDK-8265261: java/nio/file/Files/InterruptCopy.java fails with java.lang.RuntimeException: Copy was not interrupted + JDK-8265297: javax/net/ssl/SSLSession/TestEnabledProtocols.java failed with "RuntimeException: java.net.SocketException: Connection reset" + JDK-8265343: Update Debian-based cross-compilation recipes + JDK-8266251: compiler.inlining.InlineAccessors shouldn't do testing in driver VM + JDK-8266318: Switch to macos prefix for macOS bundles + JDK-8266391: Replace use of reflection in jdk.internal.platform.Metrics + JDK-8266545: 8261169 broke Harfbuzz build with gcc 7 and 8 + JDK-8268773: Improvements related to: Failed to start thread - pthread_create failed (EAGAIN) + JDK-8269772: [macos-aarch64] test compilation failed with "SocketException: No buffer space available" + JDK-8269933: test/jdk/javax/net/ssl/compatibility/JdkInfo incorrect verification of protocol and cipher support + JDK-8270797: ShortECDSA.java test is not complete + JDK-8271055: Crash during deoptimization with "assert(bb->is_reachable()) failed: getting result from unreachable basicblock" with -XX:+VerifyStack + JDK-8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key + JDK-8272167: AbsPathsInImage.java should skip *.dSYM directories + JDK-8272358: Some tests may fail when executed with other locales than the US + JDK-8272493: Suboptimal code generation around Preconditions.checkIndex intrinsic with AVX2 + JDK-8272908: Missing coverage for certain classes in com.sun.org.apache.xml.internal.security + JDK-8272964: java/nio/file/Files/InterruptCopy.java fails with java.lang.RuntimeException: Copy was not interrupted + JDK-8273176: handle latest VS2019 in abstract_vm_version + JDK-8273655: content-types.properties files are missing some common types + JDK-8274171: java/nio/file/Files/probeContentType/Basic.java failed on "Content type" 
mismatches + JDK-8274233: Minor cleanup for ToolBox + JDK-8274735: javax.imageio.IIOException: Unsupported Image Type while processing a valid JPEG image + JDK-8274751: Drag And Drop hangs on Windows + JDK-8275082: Update XML Security for Java to 2.3.0 + JDK-8275330: C2: assert(n->is_Root() || n->is_Region() || n->is_Phi() || n->is_MachMerge() || def_block->dominates(block)) failed: uses must be dominated by definitions + JDK-8275337: C1: assert(false) failed: live_in set of first block must be empty + JDK-8276657: XSLT compiler tries to define a class with empty name + JDK-8276990: Memory leak in invoker.c fillInvokeRequest() during JDI operations + JDK-8277072: ObjectStreamClass caches keep ClassLoaders alive + JDK-8277093: Vector should throw ClassNotFoundException for a missing class of an element + JDK-8277396: [TESTBUG] In DefaultButtonModelCrashTest.java, frame is accessed from main thread + JDK-8277422: tools/jar/JarEntryTime.java fails with modified time mismatch + JDK-8277922: Unable to click JCheckBox in JTable through Java Access Bridge + JDK-8278065: Refactor subclassAudits to use ClassValue + JDK-8278186: org.jcp.xml.dsig.internal.dom.Utils.parseIdFromSameDocumentURI throws StringIndexOutOfBoundsException when calling substring method + JDK-8278346: java/nio/file/Files/probeContentType/Basic.java fails on Linux SLES15 machine + JDK-8278472: Invalid value set to CANDIDATEFORM structure + JDK-8278794: Infinite loop in DeflaterOutputStream.finish() + JDK-8278851: Correct signer logic for jars signed with multiple digestalgs + JDK-8278951: containers/cgroup/PlainRead.java fails on Ubuntu 21.10 + JDK-8279219: [REDO] C2 crash when allocating array of size too large + JDK-8279356: Method linking fails with guarantee(mh->adapter() != NULL) failed: Adapter blob must already exist!
+ JDK-8279505: Update documentation for RETRY_COUNT and REPEAT_COUNT + JDK-8279520: SPNEGO has not passed channel binding info into the underlying mechanism + JDK-8279529: ProblemList java/nio/channels/DatagramChannel/ManySourcesAndTargets.java on macosx-aarch64 + JDK-8279532: ProblemList sun/security/ssl/SSLSessionImpl/NoInvalidateSocketException.java + JDK-8279668: x86: AVX2 versions of vpxor should be asserted + JDK-8279837: C2: assert(is_Loop()) failed: invalid node class: Region + JDK-8279842: HTTPS Channel Binding support for Java GSS/Kerberos + JDK-8279958: Provide configure hints for Alpine/apk package managers + JDK-8280041: Retry loop issues in java.io.ClassCache + JDK-8280373: Update Xalan serializer / SystemIDResolver to align with JDK-8270492 + JDK-8280476: [macOS] : hotspot arm64 bug exposed by latest clang + JDK-8280684: JfrRecorderService failes with guarantee(num_written > 0) when no space left on device. + JDK-8280799: С2: assert(false) failed: cyclic dependency prevents range check elimination + JDK-8280867: Cpuid1Ecx feature parsing is incorrect for AMD CPUs + JDK-8280964: [Linux aarch64] : drawImage dithers TYPE_BYTE_INDEXED images incorrectly + JDK-8281274: deal with ActiveProcessorCount in os::Linux::print_container_info + JDK-8281275: Upgrading from 8 to 11 no longer accepts '/' as filepath separator in gc paths + JDK-8281615: Deadlock caused by jdwp agent + JDK-8281811: assert(_base == Tuple) failed: Not a Tuple after JDK-8280799 + JDK-8282008: Incorrect handling of quoted arguments in ProcessBuilder + JDK-8282172: CompileBroker::log_metaspace_failure is called from non-Java/compiler threads + JDK-8282225: GHA: Allow one concurrent run per PR only + JDK-8282231: x86-32: runtime call to SharedRuntime::ldiv corrupts registers + JDK-8282293: Domain value for system property jdk.https.negotiate.cbt should be case-insensitive + JDK-8282312: Minor corrections to evbroadcasti32x4 intrinsic on x86 + JDK-8282382: Report glibc malloc tunables in 
error reports + JDK-8282422: JTable.print() failed with UnsupportedCharsetException on AIX ko_KR locale + JDK-8282501: Bump update version for OpenJDK: jdk-11.0.16 + JDK-8282583: Update BCEL md to include the copyright notice + JDK-8282588: [11] set harfbuzz compilation flag to -std=c++11 + JDK-8282589: runtime/ErrorHandling/ErrorHandler.java fails on MacOS aarch64 in jdk 11 + JDK-8282887: Potential memory leak in sun.util.locale.provider.HostLocaleProviderAdapterImpl.getNumberPattern() on Windows + JDK-8283018: 11u GHA: Update GCC 9 minor versions + JDK-8283217: Leak FcObjectSet in getFontConfigLocations() in fontpath.c + JDK-8283323: libharfbuzz optimization level results in extreme build times + JDK-8283350: (tz) Update Timezone Data to 2022a + JDK-8283408: Fix a C2 crash when filling arrays with unsafe + JDK-8283420: [AOT] Exclude TrackedFlagTest/NotTrackedFlagTest in 11u because of intermittent java.lang.AssertionError: duplicate classes for name Ljava/lang/Boolean; + JDK-8283424: compiler/loopopts/LoopUnswitchingBadNodeBudget.java fails with release VMs due to lack of -XX:+UnlockDiagnosticVMOptions + JDK-8283451: C2: assert(_base == Long) failed: Not a Long + JDK-8283469: Don't use memset to initialize members in FileMapInfo and fix memory leak + JDK-8283497: [windows] print TMP and TEMP in hs_err and VM.info + JDK-8283614: [11] Repair compiler versions handling after 8233787 + JDK-8283641: Large value for CompileThresholdScaling causes assert + JDK-8283834: Unmappable character for US-ASCII encoding in TestPredicateInputBelowLoopPredicate + JDK-8284033: Leak XVisualInfo in getAllConfigs in awt_GraphicsEnv.c + JDK-8284094: Memory leak in invoker_completeInvokeRequest() + JDK-8284102: [TESTBUG] [11u] Retroactively add regression test for JDK-8272124 + JDK-8284369: TestFailedAllocationBadGraph fails with -XX:TieredStopAtLevel < 4 + JDK-8284389: Improve stability of GHA Pre-submit testing by caching cygwin installer + JDK-8284458: CodeHeapState::aggregate() 
leaks blob_name + JDK-8284507: GHA: Only check test results if testing was not skipped + JDK-8284549: JFR: FieldTable leaks FieldInfoTable member + JDK-8284573: [11u] ProblemList TestBubbleUpRef.java and TestGCOldWithCMS.java because of 8272195 + JDK-8284604: [11u] Update Boot JDK used in GHA to 11.0.14.1 + JDK-8284620: CodeBuffer may leak _overflow_arena + JDK-8284622: Update versions of some Github Actions used in JDK workflow + JDK-8284756: [11u] Remove unused isUseContainerSupport in CgroupV1Subsystem + JDK-8285395: [JVMCI] [11u] Partial backport of JDK-8220623: InstalledCode + JDK-8285397: JNI exception pending in CUPSfuncs.c:250 + JDK-8285445: cannot open file "NUL:" + JDK-8285515: (dc) DatagramChannel.disconnect fails with "Invalid argument" on macOS 12.4 + JDK-8285523: Improve test java/io/FileOutputStream/OpenNUL.java + JDK-8285591: [11] add signum checks in DSA.java engineVerify + JDK-8285686: Update FreeType to 2.12.0 + JDK-8285720: test/jdk/java/nio/file/Files/probeContentType/Basic.java fails to compile after backport of 8273655 + JDK-8285726: [11u, 17u] Unify fix for JDK-8284548 with version from head + JDK-8285727: [11u, 17u] Unify fix for JDK-8284920 with version from head + JDK-8285828: runtime/execstack/TestCheckJDK.java fails with zipped debug symbols + JDK-8286013: Incorrect test configurations for compiler/stable/TestStableShort.java + JDK-8286198: [linux] Fix process-memory information + JDK-8286293: Tests ShortResponseBody and ShortResponseBodyWithRetry should use less resources + JDK-8286444: javac errors after JDK-8251329 are not helpful enough to find root cause + JDK-8286594: (zipfs) Mention paths with dot elements in ZipException and cleanups + JDK-8286630: [11] avoid -std=c++11 CXX harfbuzz buildflag on Windows + JDK-8286855: javac error on invalid jar should only print filename + JDK-8287109: Distrust.java failed with CertificateExpiredException + JDK-8287119: Add Distrust.java to ProblemList + JDK-8287362: FieldAccessWatch testcase 
failed on AIX platform + JDK-8287378: GHA: Update cygwin to fix issues in langtools tests on Windows + JDK-8287739: [11u] ProblemList sun/security/ssl/SSLSessionImpl/NoInvalidateSocketException.java ----------------------------------------------------------------------------- o Updated java-17-openjdk (security/bugfix/feature) - Modified patch: * fips.patch + avoid calling C_GetInfo() too early, before cryptoki is initialized (bsc#1205916) - Update to upstream tag jdk-17.0.6.0+10 (January 2023 CPU) * CVEs + CVE-2023-21835, bsc#1207246 + CVE-2023-21843, bsc#1207248 * Security fixes + JDK-8286070: Improve UTF8 representation + JDK-8286496: Improve Thread labels + JDK-8287411: Enhance DTLS performance + JDK-8288516: Enhance font creation + JDK-8289350: Better media supports + JDK-8293554: Enhanced DH Key Exchanges + JDK-8293598: Enhance InetAddress address handling + JDK-8293717: Objective view of ObjectView + JDK-8293734: Improve BMP image handling + JDK-8293742: Better Banking of Sounds + JDK-8295687: Better BMP bounds * Other changes + JDK-6829250: Reg test: java/awt/Toolkit/ScreenInsetsTest/ScreenInsetsTest.java fails in Windows + JDK-7001973: java/awt/Graphics2D/CopyAreaOOB.java fails + JDK-7188098: TEST_BUG: closed/javax/sound/midi/Synthesizer/Receiver/bug6186488.java fails + JDK-8022403: sun/java2d/DirectX/OnScreenRenderingResizeTest/OnScreenRenderingResizeTest.java fails + JDK-8029633: Raw inner class constructor ref should not perform diamond inference + JDK-8030121: java/awt/dnd/MissingDragExitEventTest/MissingDragExitEventTest.java fails + JDK-8065422: Trailing dot in hostname causes TLS handshake to fail with SNI disabled + JDK-8129827: [TEST_BUG] Test java/awt/Robot/RobotWheelTest/RobotWheelTest.java fails + JDK-8159599: [TEST_BUG] java/awt/Modal/ModalInternalFrameTest/ModalInternalFrameTest.java + JDK-8169187: [macosx] Aqua: java/awt/image/multiresolution/MultiresolutionIconTest.java + JDK-8178698: 
javax/sound/midi/Sequencer/MetaCallback.java failed with timeout + JDK-8202836: [macosx] test java/awt/Graphics/TextAAHintsTest.java fails + JDK-8210558: serviceability/sa/TestJhsdbJstackLock.java fails to find '^\s+- waiting to lock <0x[0-9a-f]+> \(a java\.lang\.Class ...' + JDK-8222323: ChildAlwaysOnTopTest.java fails with "RuntimeException: Failed to unset alwaysOnTop" + JDK-8233557: [TESTBUG] DoubleClickTitleBarTest.java fails on macOs + JDK-8233558: [TESTBUG] WindowOwnedByEmbeddedFrameTest.java fails on macos + JDK-8233648: [TESTBUG] DefaultMenuBarTest.java failing on macos + JDK-8244670: convert clhsdb "whatis" command from javascript to java + JDK-8251466: test/java/io/File/GetXSpace.java fails on Windows with mapped network drives. + JDK-8255439: System Tray icons get corrupted when Windows scaling changes + JDK-8256811: Delayed/missed jdwp class unloading events + JDK-8257722: Improve "keytool -printcert -jarfile" output + JDK-8262721: Add Tests to verify single iteration loops are properly optimized + JDK-8265489: Stress test times out because of long ObjectSynchronizer::monitors_iterate(...) 
operation + JDK-8266082: AssertionError in Annotate.fromAnnotations with -Xdoclint + JDK-8266519: Cleanup resolve() leftovers from BarrierSet et al + JDK-8267138: Stray suffix when starting gtests via GTestWrapper.java + JDK-8268033: compiler/intrinsics/bmi/verifycode/BzhiTestI2L.java fails with "fatal error: Not compilable at tier 3: CodeBuffer overflow" + JDK-8268276: Base64 Decoding optimization for x86 using AVX-512 + JDK-8268297: jdk/jfr/api/consumer/streaming/TestLatestEvent.java times out + JDK-8268779: ZGC: runtime/InternalApi/ThreadCpuTimesDeadlock.java#id1 failed with "OutOfMemoryError: Java heap space" + JDK-8269029: compiler/codegen/TestCharVect2.java fails for client VMs + JDK-8269404: Base64 Encoding optimization enhancements for x86 using AVX-512 + JDK-8269571: NMT should print total malloc bytes and invocation count + JDK-8269743: test/hotspot/jtreg/vmTestbase/vm/mlvm/meth/stress/jni/nativeAndMH/Test.java crash with small heap (-Xmx50m) + JDK-8270086: ARM32-softfp: Do not load CONSTANT_double using the condy helper methods in the interpreter + JDK-8270155: ARM32: Improve register dump in hs_err + JDK-8270609: [TESTBUG] java/awt/print/Dialog/DialogCopies.java does not show instruction + JDK-8270848: Redundant unsafe opmask register allocation in some instruction patterns.
+ JDK-8270947: AArch64: C1: use zero_words to initialize all objects + JDK-8271015: Split cds/SharedBaseAddress.java test into smaller parts + JDK-8271834: TestStringDeduplicationAgeThreshold intermittent failures on Shenandoah + JDK-8271956: AArch64: C1 build failed after JDK-8270947 + JDK-8272094: compiler/codecache/TestStressCodeBuffers.java crashes with "failed to allocate space for trampoline" + JDK-8272123: Problem list 4 jtreg tests which regularly fail on macos-aarch64 + JDK-8272608: java_lang_System::allow_security_manager() doesn't set its initialization flag + JDK-8272776: NullPointerException not reported + JDK-8272791: java -XX:BlockZeroingLowLimit=1 crashes after 8270947 + JDK-8272809: JFR thread sampler SI_KERNEL SEGV in metaspace::VirtualSpaceList::contains + JDK-8273043: [TEST_BUG] Automate NimbusJTreeSelTextColor.java + JDK-8273108: RunThese24H crashes with SEGV in markWord::displaced_mark_helper() after JDK-8268276 + JDK-8273236: keytool does not accurately warn about algorithms that are disabled but have additional constraints + JDK-8273380: ARM32: Default to {ldrexd,strexd} in StubRoutines::atomic_{load|store}_long + JDK-8273459: Update code segment alignment to 64 bytes + JDK-8273497: building.md should link to both md and html + JDK-8273553: sun.security.ssl.SSLEngineImpl.closeInbound also has similar error of JDK-8253368 + JDK-8273578: javax/swing/JMenu/4515762/bug4515762.java fails on macOS 12 + JDK-8273685: Remove jtreg tag manual=yesno for java/awt/Graphics/LCDTextAndGraphicsState.java & show test instruction + JDK-8273880: Zero: Print warnings when unsupported intrinsics are enabled + JDK-8273881: Metaspace: test repeated deallocations + JDK-8274029: Remove jtreg tag manual=yesno for java/awt/print/Dialog/DialogOrient.java + JDK-8274032: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/ImagePrinting/ImageTypes.java & show test UI + JDK-8274160: java/awt/Window/ShapedAndTranslucentWindows/Common.java delay is too high + 
JDK-8274296: Update or Problem List tests which may fail with uiScale=2 on macOS + JDK-8274456: Remove jtreg tag manual=yesno java/awt/print/PrinterJob/PageDialogTest.java + JDK-8274527: Minimal VM build fails after JDK-8273459 + JDK-8274563: jfr/event/oldobject/TestClassLoaderLeak.java fails when GC cycles are not happening + JDK-8274903: Zero: Support AsyncGetCallTrace + JDK-8275170: Some jtreg sound tests should be marked with sound keyword + JDK-8275234: java/awt/GraphicsDevice/DisplayModes/CycleDMImage.java is entered twice in ProblemList + JDK-8275535: Retrying a failed authentication on multiple LDAP servers can lead to users blocked + JDK-8275569: Add linux-aarch64 to test-make profiles + JDK-8276108: Wrong instruction generation in aarch64 backend + JDK-8276904: Optional.toString() is unnecessarily expensive + JDK-8277092: TestMetaspaceAllocationMT2.java#ndebug-default fails with "RuntimeException: Committed seems high: NNNN expected at most MMMM" + JDK-8277346: ProblemList 7 serviceability/sa tests on macosx-x64 + JDK-8277351: ProblemList runtime/jni/checked/TestPrimitiveArrayCriticalWithBadParam.java on macosx-x64 + JDK-8277358: Accelerate CRC32-C + JDK-8277411: C2 fast_unlock intrinsic on AArch64 has unnecessary ownership check + JDK-8277576: ProblemList runtime/ErrorHandling/CreateCoredumpOnCrash.java on macosx-X64 + JDK-8277577: ProblemList compiler/onSpinWait/TestOnSpinWaitAArch64DefaultFlags.java on linux-aarch64 + JDK-8277578: ProblemList applications/jcstress/acqrel.java on linux-aarch64 + JDK-8277866: gc/epsilon/TestMemoryMXBeans.java failed with wrong initial heap size + JDK-8277881: Missing SessionID in TLS1.3 resumption in compatibility mode + JDK-8277928: Fix compilation on macosx-aarch64 after 8276108 + JDK-8277970: Test jdk/sun/security/ssl/SSLSessionImpl/NoInvalidateSocketException.java fails with "tag mismatch" + JDK-8278826: Print error if Shenandoah flags are empty (instead of crashing) + JDK-8279066: entries.remove(entry) is 
useless in PKCS12KeyStore + JDK-8279398: jdk/jfr/api/recording/time/TestTimeMultiple.java failed with "RuntimeException: getStopTime() > afterStop" + JDK-8279536: jdk/nio/zipfs/ZipFSOutputStreamTest.java timed out + JDK-8279662: serviceability/sa/ClhsdbScanOops.java can fail due to unexpected GC + JDK-8279941: sun/security/pkcs11/Signature/TestDSAKeyLength.java fails when NSS version detection fails + JDK-8280016: gc/g1/TestShrinkAuxiliaryData30 test fails on large machines + JDK-8280124: Reduce branches decoding latin-1 chars from UTF-8 encoded bytes + JDK-8280234: AArch64 "core" variant does not build after JDK-8270947 + JDK-8280391: NMT: Correct NMT tag on CollectedHeap + JDK-8280511: AArch64: Combine shift and negate to a single instruction + JDK-8280554: resourcehogs/serviceability/sa/ClhsdbRegionDetailsScanOopsForG1.java can fail if GC is triggered + JDK-8280555: serviceability/sa/TestObjectMonitorIterate.java is failing due to ObjectMonitor referencing a null Object + JDK-8280872: Reorder code cache segments to improve code density + JDK-8280890: Cannot use '-Djava.system.class.loader' with class loader in signed JAR + JDK-8280948: Write a regression test for JDK-4659800 + JDK-8281296: Create a regression test for JDK-4515999 + JDK-8281744: x86: Use short jumps in TIG::set_vtos_entry_points + JDK-8282049: AArch64: Use ZR for integer zero immediate volatile stores + JDK-8282276: Problem list failing two Robot Screen Capture tests + JDK-8282347: AARCH64: Untaken branch in has_negatives stub + JDK-8282398: EndingDotHostname.java test fails because SSL cert expired + JDK-8282402: Create a regression test for JDK-4666101 + JDK-8282511: Use fixed certificate validation date in SSLExampleCert template + JDK-8282528: AArch64: Incorrect replicate2L_zero rule + JDK-8282600: SSLSocketImpl should not use user_canceled workaround when not necessary + JDK-8282642: vmTestbase/gc/gctests/LoadUnloadGC2/LoadUnloadGC2.java fails intermittently with exit code 1 + 
JDK-8282730: LdapLoginModule throw NPE from logout method after login failure + JDK-8282777: Create a Regression test for JDK-4515031 + JDK-8282857: Create a regression test for JDK-4702690 + JDK-8283059: Uninitialized warning in check_code.c with GCC 11.2 + JDK-8283199: Linux os::cpu_microcode_revision() stalls cold startup + JDK-8283298: Make CodeCacheSegmentSize a product flag + JDK-8283337: Posix signal handler modification warning triggering incorrectly + JDK-8283353: compiler/c2/cr6865031/Test.java and compiler/runtime/Test6826736.java fails on x86_32 + JDK-8283383: [macos] a11y : Screen magnifier shows extra characters (0) at the end JButton accessibility name + JDK-8283999: Update JMH devkit to 1.35 + JDK-8284533: Improve InterpreterCodelet data footprint + JDK-8284681: compiler/c2/aarch64/TestFarJump.java fails with "RuntimeException: for CodeHeap < 250MB the far jump is expected to be encoded with a single branch instruction" + JDK-8284690: [macos] VoiceOver : Getting java.lang.IllegalArgumentException: Invalid location on Editable JComboBox + JDK-8284732: FFI_GO_CLOSURES macro not defined but required for zero build on Mac OS X + JDK-8284752: Zero does not build on Mac OS X due to missing os::current_thread_enable_wx implementation + JDK-8284771: java/util/zip/CloseInflaterDeflaterTest.java failed with "AssertionError: Expected IOException to be thrown, but nothing was thrown" + JDK-8284892: java/net/httpclient/http2/TLSConnection.java fails intermittently + JDK-8284980: Test vmTestbase/nsk/stress/except/except010.java times out with -Xcomp -XX:+DeoptimizeALot + JDK-8285093: Introduce UTIL_ARG_WITH + JDK-8285305: Create an automated test for JDK-4495286 + JDK-8285373: Create an automated test for JDK-4702233 + JDK-8285604: closed sun/java2d/GdiRendering/ClipShapeRendering.java failed with "Incorrect color ffeeeeee instead of ff0000ff in pixel (100, 100)" + JDK-8285612: Remove jtreg tag manual=yesno for 
java/awt/print/PrinterJob/ImagePrinting/ClippedImages.java + JDK-8285687: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/PageRangesDlgTest.java + JDK-8285698: Create a test to check the focus stealing of JPopupMenu from JComboBox + JDK-8285794: AsyncGetCallTrace might acquire a lock via JavaThread::thread_from_jni_environment + JDK-8285836: sun/net/www/http/KeepAliveCache/KeepAliveProperty.java failed with "RuntimeException: Failed in server" + JDK-8286172: Create an automated test for JDK-4516019 + JDK-8286263: compiler/c1/TestPinnedIntrinsics.java failed with "RuntimeException: testCurrentTimeMillis failed with -3" + JDK-8286313: [macos] Voice over reads the boolean value as null in the JTable + JDK-8286452: The array length of testSmallConstArray should be small and const + JDK-8286460: Remove dependence on JAR filename in CDS tests + JDK-8286551: JDK-8286460 causes tests to fail to compile in Tier2 + JDK-8286624: Regression Test CoordinateTruncationBug.java fails on OL8.3 + JDK-8286663: Resolve IDE warnings in WTrayIconPeer and SystemTray + JDK-8286772: java/awt/dnd/DropTargetInInternalFrameTest/DropTargetInInternalFrameTest.html times out and fails in Windows + JDK-8286872: Refactor add/modify notification icon (TrayIcon) + JDK-8287011: Improve container information + JDK-8287076: Document.normalizeDocument() produces different results + JDK-8287349: AArch64: Merge LDR instructions to improve C1 OSR performance + JDK-8287425: Remove unnecessary register push for MacroAssembler::check_klass_subtype_slow_path + JDK-8287609: macOS: SIGSEGV at [CoreFoundation] CFArrayGetCount / sun.font.CFont.getTableBytesNative + JDK-8287740: NSAccessibilityShowMenuAction not working for text editors + JDK-8287826: javax/accessibility/4702233/AccessiblePropertiesTest.java fails to compile + JDK-8288132: Update test artifacts in QuoVadis CA interop tests + JDK-8288302: Shenandoah: SIGSEGV in vm maybe related to jit compiling xerces + JDK-8288377: [REDO] DST not 
applying properly with zone id offset set with TZ env variable + JDK-8288445: AArch64: C2 compilation fails with guarantee(!true || (true && (shift != 0))) failed: impossible encoding + JDK-8288651: CDS test HelloUnload.java should not use literal string as ClassLoader name + JDK-8289044: ARM32: missing LIR_Assembler::cmove metadata type support + JDK-8289146: containers/docker/TestMemoryWithCgroupV1.java fails on linux ppc64le machine with missing Memory and Swap Limit output + JDK-8289257: Some custom loader tests failed due to symbol refcount not decremented + JDK-8289301: P11Cipher should not throw out of bounds exception during padding + JDK-8289524: Add JFR JIT restart event + JDK-8289559: java/awt/a11y/AccessibleJPopupMenuTest.java test fails with java.lang.NullPointerException + JDK-8289562: Change bugs.java.com and bugreport.java.com URL's to https + JDK-8290207: Missing notice in dom.md + JDK-8290209: jcup.md missing additional text + JDK-8290374: Shenandoah: Remove inaccurate comment on SBS::load_reference_barrier() + JDK-8290451: Incorrect result when switching to C2 OSR compilation from C1 + JDK-8290529: C2: assert(BoolTest(btest).is_canonical()) failure + JDK-8290532: Adjust PKCS11Exception and handle more PKCS11 error codes + JDK-8290687: serviceability/sa/TestClassDump.java could leave files owned by root on macOS + JDK-8290705: StringConcat::validate_mem_flow asserts with "unexpected user: StoreI" + JDK-8290711: assert(false) failed: infinite loop in PhaseIterGVN::optimize + JDK-8290781: Segfault at PhaseIdealLoop::clone_loop_handle_data_uses + JDK-8290839: jdk/jfr/event/compiler/TestJitRestart.java failed with "RuntimeException: No JIT restart event found: expected true, was false" + JDK-8290908: misc tests fail: assert(!thread->owns_locks()) failed: must release all locks when leaving VM + JDK-8290920: sspi_bridge.dll not built if BUILD_CRYPTO is false + JDK-8291456: com/sun/jdi/ClassUnloadEventTest.java failed with: Wrong number of class unload 
events: expected 10 got 4 + JDK-8291459: JVM crash with GenerateOopMap::error_work(char const*, __va_list_tag*) + JDK-8291599: Assertion in PhaseIdealLoop::skeleton_predicate_has_opaque after JDK-8289127 + JDK-8291650: Add delay to ClassUnloadEventTest before exiting to give time for JVM to send all events before VMDeath + JDK-8291775: C2: assert(r != __null && r->is_Region()) failed: this phi must have a region + JDK-8292083: Detected container memory limit may exceed physical machine memory + JDK-8292158: AES-CTR cipher state corruption with AVX-512 + JDK-8292385: assert(ctrl == kit.control()) failed: Control flow was added although the intrinsic bailed out + JDK-8292541: [Metrics] Reported memory limit may exceed physical machine memory + JDK-8292586: simplify cleanups in NTLMAuthSequence getCredentialsHandle + JDK-8292682: Code change of JDK-8282730 not updated to reflect CSR update + JDK-8292695: SIGQUIT and jcmd attaching mechanism does not work with signal chaining library + JDK-8292778: EncodingSupport_md.c convertUtf8ToPlatformString wrong placing of free + JDK-8292816: GPL Classpath exception missing from assemblyprefix.h + JDK-8292866: Java_sun_awt_shell_Win32ShellFolder2_getLinkLocation check MultiByteToWideChar return value for failures + JDK-8292879: com/sun/jdi/ClassUnloadEventTest.java failed due to classes not unloading + JDK-8292880: Improve debuggee logging for com/sun/jdi/ClassUnloadEventTest.java + JDK-8292888: Bump update version for OpenJDK: jdk-17.0.6 + JDK-8292899: CustomTzIDCheckDST.java testcase failed on AIX platform + JDK-8292903: enhance round_up_power_of_2 assertion output + JDK-8293010: JDI ObjectReference/referringObjects/ /referringObjects001 fails: assert(env->is_enabled(JVMTI_EVENT_OBJECT_FREE)) failed: checking + JDK-8293044: C1: Missing access check on non-accessible class + JDK-8293232: Fix race condition in pkcs11 SessionManager + JDK-8293319: [C2 cleanup] Remove unused other_path arg in Parse::adjust_map_after_if + 
JDK-8293472: Incorrect container resource limit detection if manual cgroup fs mounts present + JDK-8293489: Accept CAs with BasicConstraints without pathLenConstraint + JDK-8293535: jdk/javadoc/doclet/testJavaFX/ /TestJavaFxMode.java fail with jfx + JDK-8293540: [Metrics] Incorrectly detected resource limits with additional cgroup fs mounts + JDK-8293550: Optionally add get-task-allow entitlement to macos binaries + JDK-8293578: Duplicate ldc generated by javac + JDK-8293657: sun/management/jmxremote/bootstrap/ /RmiBootstrapTest.java#id1 failed with "SSLHandshakeException: Remote host terminated the handshake" + JDK-8293659: Improve UnsatisfiedLinkError error message to include dlopen error details + JDK-8293672: Update freetype md file + JDK-8293701: jdeps InverseDepsAnalyzer runs into NoSuchElementException: No value present + JDK-8293808: mscapi destroyKeyContainer enhance KeyStoreException: Access is denied exception + JDK-8293815: P11PSSSignature.engineUpdate should not print debug messages during normal operation + JDK-8293816: CI: ciBytecodeStream::get_klass() is not consistent + JDK-8293826: Closed test fails after JDK-8276108 on aarch64 + JDK-8293828: JFR: jfr/event/oldobject/TestClassLoaderLeak.java still fails when GC cycles are not happening + JDK-8293834: Update CLDR data following tzdata 2022c update + JDK-8293891: gc/g1/mixedgc/TestOldGenCollectionUsage.java (still) assumes that GCs take 1ms minimum + JDK-8293965: Code signing warnings after JDK-8293550 + JDK-8293998: [PPC64] JfrGetCallTrace: assert(_pc != nullptr) failed: must have PC + JDK-8294307: ISO 4217 Amendment 173 Update + JDK-8294310: compare.sh fails on macos after JDK-8293550 + JDK-8294357: (tz) Update Timezone Data to 2022d + JDK-8294578: [PPC64] C2: Missing is_oop information when using disjoint compressed oops mode + JDK-8294740: Add cgroups keyword to TestDockerBasic.java + JDK-8294837: unify Windows 2019 version check in os_windows and java_props_md + JDK-8294840: langtools 
OptionalDependencyTest.java use File.pathSeparator + JDK-8295173: (tz) Update Timezone Data to 2022e + JDK-8295288: Some vm_flags tests associate with a wrong BugID + JDK-8295405: Add cause in a couple of IllegalArgumentException and InvalidParameterException shown by sun/security/pkcs11 tests + JDK-8295412: support latest VS2022 MSC_VER in abstract_vm_version.cpp + JDK-8295419: JFR: Change name of jdk.JitRestart + JDK-8295429: Update harfbuzz md file + JDK-8295469: S390X: Optimized builds are broken + JDK-8295554: Move the "sizecalc.h" to the correct location + JDK-8295641: Fix DEFAULT_PROMOTED_VERSION_PRE=ea for -dev + JDK-8295714: GHA ::set-output is deprecated and will be removed + JDK-8295723: security/infra/wycheproof/RunWycheproof.java fails with Assertion Error + JDK-8295872: [PPC64] JfrGetCallTrace: Need pc == nullptr check before frame constructor + JDK-8295952: Problemlist existing compiler/rtm tests also on x86 + JDK-8296083: javax/swing/JTree/6263446/bug6263446.java fails intermittently on a VM + JDK-8296108: (tz) Update Timezone Data to 2022f + JDK-8296239: ISO 4217 Amendment 174 Update + JDK-8296480: java/security/cert/pkix/policyChanges/ /TestPolicy.java is failing + JDK-8296485: BuildEEBasicConstraints.java test fails with SunCertPathBuilderException + JDK-8296496: Overzealous check in sizecalc.h prevents large memory allocation + JDK-8296632: Write a test to verify the content change of TextArea sends TextEvent + JDK-8296715: CLDR v42 update for tzdata 2022f + JDK-8296733: JFR: File Read event for RandomAccessFile::write(byte[]) is incorrect + JDK-8296945: PublicMethodsTest is slow due to dependency verification with debug builds + JDK-8296956: [JVMCI] HotSpotResolvedJavaFieldImpl.getIndex returns wrong value + JDK-8296957: One more cast in SAFE_SIZE_NEW_ARRAY2 + JDK-8296958: [JVMCI] add API for retrieving ConstantValue attributes + JDK-8296960: [JVMCI] list HotSpotConstantPool.loadReferencedType to ConstantPool + JDK-8296961: [JVMCI] Access to 
j.l.r.Method/Constructor/Field for ResolvedJavaMethod/ResolvedJavaField + JDK-8296967: [JVMCI] rationalize relationship between getCodeSize and getCode in ResolvedJavaMethod + JDK-8297147: UnexpectedSourceImageSize test times out on slow machines when fastdebug is used + JDK-8297153: sun/java2d/DirectX/OnScreenRenderingResizeTest/ /OnScreenRenderingResizeTest.java fails again + JDK-8297241: Update sun/java2d/DirectX/ /OnScreenRenderingResizeTest/OnScreenRenderingResizeTest.java + JDK-8297309: Memory leak in ShenandoahFullGC + JDK-8297481: Create a regression test for JDK-4424517 + JDK-8297530: java.lang.IllegalArgumentException: Negative length on strings concatenation + JDK-8297590: [TESTBUG] HotSpotResolvedJavaFieldTest does not run + JDK-8297656: AArch64: Enable AES/GCM Intrinsics + JDK-8297804: (tz) Update Timezone Data to 2022g + JDK-8299392: [17u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.6 + JDK-8299439: java/text/Format/NumberFormat/CurrencyFormat.java fails for hr_HR + JDK-8299483: ProblemList java/text/Format/NumberFormat/ /CurrencyFormat.java - Modified patch: * fips.patch + update to newest level - Removed patch: * fix_armv6_build.patch + does not apply and at least a part of the fix is in this version - Removed patch: * system-crypto-policy.patch + folded into the fips.patch, since they are patching the same places - Modified patches: * fips.patch + revert to the version used with 17.0.4.0, since the newest changes are buggy (bsc#1205916) + fold in the system-crypto-policy.patch * nss-security-provider.patch + apply after the fips.patch and thus rediff the hunk to changed context. 
- Fix jconsole.desktop icon - Update to upstream tag jdk-17.0.5+8 (October 2022 CPU) * Security fixes + JDK-8282252: Improve BigInteger/Decimal validation + JDK-8285662: Better permission resolution + JDK-8286077, CVE-2022-21618, bsc#1204468: Wider MultiByte conversions + JDK-8286511: Improve macro allocation + JDK-8286519: Better memory handling + JDK-8286526, CVE-2022-21619, bsc#1204473: Improve NTLM support + JDK-8286910, CVE-2022-21624, bsc#1204475: Improve JNDI lookups + JDK-8286918, CVE-2022-21628, bsc#1204472: Better HttpServer service + JDK-8287446: Enhance icon presentations + JDK-8288508: Enhance ECDSA usage + JDK-8289366, CVE-2022-39399, bsc#1204480: Improve HTTP/2 client usage + JDK-8289853: Update HarfBuzz to 4.4.1 + JDK-8290334: Update FreeType to 2.12.1 * Other changes + JDK-6782021: It is not possible to read local computer certificates with the SunMSCAPI provider + JDK-6854300: [TEST_BUG] java/awt/event/MouseEvent/ /SpuriousExitEnter/SpuriousExitEnter_3.java fails in jdk6u14 & jdk7 + JDK-7131823: bug in GIFImageReader + JDK-8017175: [TESTBUG] javax/swing/JPopupMenu/4634626/ /bug4634626.java sometimes failed on ac + JDK-8028265: Add legacy tz tests to OpenJDK + JDK-8028998: [TEST_BUG] [macosx] java/awt/dnd/ /DropTargetEnterExitTest/MissedDragExitTest.java failed + JDK-8079267: [TEST_BUG] Test java/awt/Frame/MiscUndecorated/ /RepaintTest.java fails + JDK-8159694: HiDPI, Unity, java/awt/dnd/ /DropTargetEnterExitTest/MissedDragExitTest.java + JDK-8169468: NoResizeEventOnDMChangeTest.java fails because FS Window didn't receive all resizes! + JDK-8172065: javax/swing/JTree/4908142/bug4908142.java The selected index should be "aad" + JDK-8178969: [TESTBUG] Wrong reporting of gc/g1/humongousObjects/TestHeapCounters test. 
+ JDK-8211002: test/jdk/java/lang/Math/PowTests.java skips testing for non-corner-case values + JDK-8212096: javax/net/ssl/ServerName/ /SSLEngineExplorerMatchedSNI.java failed intermittently due to SSLException: Tag mismatch + JDK-8223543: [TESTBUG] Regression test java/awt/Graphics2D/ /DrawString/LCDTextSrcEa.java has issues + JDK-8225122: Test AncestorResized.java fails when Windows desktop is scaled. + JDK-8227651: Tests fail with SSLProtocolException: Input record too big + JDK-8240903: Add test to check that jmod hashes are reproducible + JDK-8254318: Remove .hgtags + JDK-8255724: [XRender] the BlitRotateClippedArea test fails on Linux in the XR pipeline + JDK-8256844: Make NMT late-initializable + JDK-8257534: misc tests failed with "NoClassDefFoundError: Could not initialize class java.util.concurrent.ThreadLocalRandom" + JDK-8264666: Change implementation of safeAdd/safeMult in the LCMSImageLayout class + JDK-8264792: The NumberFormat for locale sq_XK formats price incorrectly. + JDK-8265360: several compiler/whitebox tests fail with "private compiler.whitebox.SimpleTestCaseHelper(int) must be compiled" + JDK-8269039: Disable SHA-1 Signed JARs + JDK-8269556: sun/tools/jhsdb/JShellHeapDumpTest.java fails with RuntimeException 'JShellToolProvider' missing from stdout/stderr + JDK-8270090: C2: LCM may prioritize CheckCastPP nodes over projections + JDK-8270312: Error: Not a test or directory containing tests: java/awt/print/PrinterJob/XparColor.java + JDK-8271078: jdk/incubator/vector/Float128VectorTests.java failed a subtest + JDK-8271344: Windows product version issue + JDK-8272352: Java launcher can not parse Chinese character when system locale is set to UTF-8 + JDK-8272417: ZGC: fastdebug build crashes when printing ClassLoaderData + JDK-8272736: [JVMCI] Add API for reading and writing JVMCI thread locals + JDK-8272815: jpackage --type rpm produces an error: Invalid or unsupported type: [null] + JDK-8273040: Turning off JpAllowDowngrades (or Upgrades) + 
JDK-8273115: CountedLoopEndNode::stride_con crash in debug build with -XX:+TraceLoopOpts + JDK-8273506: java Robot API did the 'm' keypress and caused /awt/event/KeyEvent/KeyCharTest/KeyCharTest.html is timing out on macOS 12 + JDK-8274434: move os::get_default_process_handle and os::dll_lookup to os_posix for POSIX platforms + JDK-8274517: java/util/DoubleStreamSums/CompensatedSums.java fails with expected [true] but found [false] + JDK-8274597: Some of the dnd tests time out and fail intermittently + JDK-8274856: Failing jpackage tests with fastdebug/release build + JDK-8275689: [TESTBUG] Use color tolerance only for XRender in BlitRotateClippedArea test + JDK-8275887: jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled + JDK-8276546: [IR Framework] Whitelist and ignore CompileThreshold + JDK-8276837: [macos]: Error when signing the additional launcher + JDK-8277429: Conflicting jpackage static library name + JDK-8277493: [REDO] Quarantined jpackage apps are labeled as "damaged" + JDK-8278067: Make HttpURLConnection default keep alive timeout configurable + JDK-8278233: [macos] tools/jpackage tests timeout due to /usr/bin/osascript + JDK-8278311: Debian packaging doesn't work + JDK-8278609: [macos] accessibility frame is misplaced on a secondary monitor on macOS + JDK-8278612: [macos] test/jdk/java/awt/dnd/RemoveDropTargetCrashTest crashes with VoiceOver on macOS + JDK-8279032: compiler/loopopts/TestSkeletonPredicateNegation.java times out with -XX:TieredStopAtLevel < 4 + JDK-8279370: jdk.jpackage/share/native/applauncher/JvmLauncher.cpp fails to build with GCC 6.3.0 + JDK-8279622: C2: miscompilation of map pattern as a vector reduction + JDK-8280233: Temporarily disable Unix domain sockets in Windows PipeImpl + JDK-8280550: SplittableRandom#nextDouble(double,double) can return result >= bound + JDK-8280696: C2 compilation hits assert(is_dominator(c, n_ctrl)) failed + JDK-8280863: Update build README to reflect that
MSYS2 is supported + JDK-8280913: Create a regression test for JRootPane.setDefaultButton() method + JDK-8280944: Enable Unix domain sockets in Windows Selector notification mechanism + JDK-8280950: RandomGenerator:NextDouble() default behavior non conformant after JDK-8280550 fix + JDK-8281181: Do not use CPU Shares to compute active processor count + JDK-8281183: RandomGenerator:NextDouble() default behavior partially fixed by JDK-8280950 + JDK-8281297: TestStressG1Humongous fails with guarantee(is_range_uncommitted) + JDK-8281535: Create a regression test for JDK-4670051 + JDK-8281569: Create tests for Frame.setMinimumSize() method + JDK-8281628: KeyAgreement : generateSecret intermittently not resetting + JDK-8281738: Create a regression test for checking the 'Space' key activation of focused Button + JDK-8281745: Create a regression test for JDK-4514331 + JDK-8281988: Create a regression test for JDK-4618767 + JDK-8282007: Assorted enhancements to jpackage testing framework + JDK-8282046: Create a regression test for JDK-8000326 + JDK-8282214: Upgrade JQuery to version 3.6.0 + JDK-8282234: Create a regression test for JDK-4532513 + JDK-8282280: Update Xerces to Version 2.12.2 + JDK-8282306: os::is_first_C_frame(frame*) crashes on invalid link access + JDK-8282343: Create a regression test for JDK-4518432 + JDK-8282351: jpackage does not work if class file has `$$` in the name on windows + JDK-8282407: Missing ')' in MacResources.properties + JDK-8282467: add extra diagnostics for JDK-8268184 + JDK-8282477: [x86, aarch64] vmassert(_last_Java_pc == NULL, "already walkable"); fails with async profiler + JDK-8282538: PKCS11 tests fail on CentOS Stream 9 + JDK-8282548: Create a regression test for JDK-4330998 + JDK-8282555: Missing memory edge when spilling MoveF2I, MoveD2L etc + JDK-8282640: Create a test for JDK-4740761 + JDK-8282778: Create a regression test for JDK-4699544 + JDK-8282789: Create a regression test for the JTree usecase of JDK-4618767 + 
JDK-8282860: Write a regression test for JDK-4164779 + JDK-8282933: Create a test for JDK-4529616 + JDK-8282936: Write a regression test for JDK-4615365 + JDK-8282937: Write a regression test for JDK-4820080 + JDK-8282947: JFR: Dump on shutdown live-locks in some conditions + JDK-8283015: Create a test for JDK-4715496 + JDK-8283087: Create a test or JDK-4715503 + JDK-8283245: Create a test for JDK-4670319 + JDK-8283277: ISO 4217 Amendment 171 Update + JDK-8283441: C2: segmentation fault in ciMethodBlocks::make_block_at(int) + JDK-8283457: [macos] libpng build failures with Xcode13.3 + JDK-8283493: Create an automated regression test for RFE 4231298 + JDK-8283507: Create a regression test for RFE 4287690 + JDK-8283562: JDK-8282306 breaks gtests on zero + JDK-8283597: [REDO] Invalid generic signature for redefined classes + JDK-8283621: Write a regression test for CCC4400728 + JDK-8283623: Create an automated regression test for JDK-4525475 + JDK-8283624: Create an automated regression test for RFE-4390885 + JDK-8283712: Create a manual test framework class + JDK-8283723: Update Visual Studio 2022 to version 17.1.0 for Oracle builds on Windows + JDK-8283803: Remove jtreg tag manual=yesno for java/awt/print/ /PrinterJob/PrintGlyphVectorTest.java and fix test + JDK-8283849: AsyncGetCallTrace may crash JVM on guarantee + JDK-8283903: GetContainerCpuLoad does not return the correct result in share mode + JDK-8283911: DEFAULT_PROMOTED_VERSION_PRE not reset to 'ea' for jdk-17.0.4 + JDK-8284014: Menu items with submenus in JPopupMenu are not spoken on macOS + JDK-8284067: jpackage'd launcher reports non-zero exit codes with error prompt + JDK-8284077: Create an automated test for JDK-4170173 + JDK-8284294: Create an automated regression test for RFE 4138746 + JDK-8284358: Unreachable loop is not removed from C2 IR, leading to a broken graph + JDK-8284367: JQuery UI upgrade from 1.12.1 to 1.13.1 + JDK-8284521: Write an automated regression test for RFE 4371575 + JDK-8284535: 
Fix PrintLatinCJKTest.java test that is failing with Parse Exception + JDK-8284675: "jpackage.exe" creates application launcher without Windows Application Manifest + JDK-8284680: sun.font.FontConfigManager.getFontConfig() leaks charset + JDK-8284686: Interval of < 1 ms disables ExecutionSample events + JDK-8284694: Avoid evaluating SSLAlgorithmConstraints twice + JDK-8284883: JVM crash: guarantee(sect->end() <= sect->limit()) failed: sanity on AVX512 + JDK-8284898: Enhance PassFailJFrame + JDK-8284944: assert(cnt++ < 40) failed: infinite cycle in loop optimization + JDK-8284950: CgroupV1 detection code should consider memory.swappiness + JDK-8284956: Potential leak awtImageData/color_data when initializes X11GraphicsEnvironment + JDK-8284977: MetricsTesterCgroupV2.getLongValueEntryFromFile fails when named value doesn't exist + JDK-8285081: Improve XPath operators count accuracy + JDK-8285097: Duplicate XML keys in XPATHErrorResources.java and XSLTErrorResources.java + JDK-8285301: C2: assert(!requires_atomic_access) failed: can't ensure atomicity + JDK-8285380: Fix typos in security + JDK-8285398: Cache the results of constraint checks + JDK-8285617: Fix java/awt/print/PrinterJob/ImagePrinting/ /PrintARGBImage.java manual test + JDK-8285693: Create an automated test for JDK-4702199 + JDK-8285696: AlgorithmConstraints:permits not throwing IllegalArgumentException when 'alg' is null + JDK-8285730: unify _WIN32_WINNT settings + JDK-8285820: C2: LCM prioritizes locally dependent CreateEx nodes over projections after 8270090 + JDK-8285923: [REDO] JDK-8285802 AArch64: Consistently handle offsets in MacroAssembler as 64-bit quantities + JDK-8286114: [test] show real exception in bomb call in sun/rmi/runtime/Log/checkLogging/CheckLogging.java + JDK-8286122: [macos]: App bundle cannot upload to Mac App Store due to info.plist embedded in java exe + JDK-8286177: C2: "failed: non-reduction loop contains reduction nodes" assert failure + JDK-8286211: Update PCSC-Lite for 
Suse Linux to 1.9.5 + JDK-8286266: [macos] Voice over moving JTable column to be the first column JVM crashes + JDK-8286277: CDS VerifyError when calling clone() on object array + JDK-8286314: Trampoline not created for far runtime targets outside small CodeCache + JDK-8286429: jpackageapplauncher build fails intermittently in Tier[45] + JDK-8286573: Remove the unnecessary method Attr#attribTopLevel and its usage + JDK-8286582: Build fails on macos aarch64 when using --with-zlib=bundled + JDK-8286625: C2 fails with assert(!n->is_Store() && !n->is_LoadStore()) failed: no node with a side effect + JDK-8286638: C2: CmpU needs to do more precise over/underflow analysis + JDK-8286869: unify os::dir_is_empty across posix platforms + JDK-8286870: Memory leak with RepeatCompilation + JDK-8287016: Bump update version for OpenJDK: jdk-17.0.5 + JDK-8287073: NPE from CgroupV2Subsystem.getInstance() + JDK-8287091: aarch64 : guarantee(val < (1ULL << nbits)) failed: Field too big for insn + JDK-8287107: CgroupSubsystemFactory.setCgroupV2Path asserts with freezer controller + JDK-8287113: JFR: Periodic task thread uses period for method sampling events + JDK-8287125: [macos] Multiple jpackage tests fail/timeout on same host + JDK-8287202: GHA: Add macOS aarch64 to the list of default platforms for workflow_dispatch event + JDK-8287223: C1: Inlining attempt through MH::invokeBasic() with null receiver + JDK-8287366: Improve test failure reporting in GHA + JDK-8287396: LIR_Opr::vreg_number() and data() can return negative number + JDK-8287432: C2: assert(tn->in(0) != __null) failed: must have live top node + JDK-8287463: JFR: Disable TestDevNull.java on Windows + JDK-8287663: Add a regression test for JDK-8287073 + JDK-8287672: jtreg test com/sun/jndi/ldap/LdapPoolTimeoutTest.java fails intermittently in nightly run + JDK-8287724: Fix various issues with msys2 + JDK-8287735: Provide separate event category for dll operations + JDK-8287741: Fix of JDK-8287107 (unused cgv1 freezer
controller) was incomplete + JDK-8287824: The MTPerLineTransformValidation tests has a typo in the @run tag + JDK-8287895: Some langtools tests fail on msys2 + JDK-8287896: PropertiesTest.sh fail on msys2 + JDK-8287902: UnreadableRB case in MissingResourceCauseTest is not working reliably on Windows + JDK-8287906: Rewrite of GitHub Actions (GHA) sanity tests + JDK-8287917: System.loadLibrary does not work on Big Sur if JDK is built with macOS SDK 10.15 and earlier + JDK-8288000: compiler/loopopts/TestOverUnrolling2.java fails with release VMs + JDK-8288003: log events for os::dll_unload + JDK-8288303: C1: Miscompilation due to broken Class.getModifiers intrinsic + JDK-8288360: CI: ciInstanceKlass::implementor() is not consistent for well-known classes + JDK-8288399: MacOS debug symbol files not always deterministic in reproducible builds + JDK-8288467: remove memory_operand assert for spilled instructions + JDK-8288499: Restore cancel-in-progress in GHA + JDK-8288599: com/sun/management/OperatingSystemMXBean/TestTotalSwap.java: Expected total swap size ... but getTotalSwapSpaceSize returned ...
+ JDK-8288754: GCC 12 fails to build zReferenceProcessor.cpp + JDK-8288781: C1: LIR_OpVisitState::maxNumberOfOperands too small + JDK-8288985: P11TlsKeyMaterialGenerator should work with ChaCha20-Poly1305 + JDK-8288992: AArch64: CMN should be handled the same way as CMP + JDK-8289127: Apache Lucene triggers: DEBUG MESSAGE: duplicated predicate failed which is impossible + JDK-8289147: unify os::infinite_sleep on posix platforms + JDK-8289197: [17u] Push of backport of 8286177 did not remove assertion + JDK-8289471: Issue in Initialization of keys in ErrorMsg.java and XPATHErrorResources.java + JDK-8289477: Memory corruption with CPU_ALLOC, CPU_FREE on muslc + JDK-8289486: Improve XSLT XPath operators count efficiency + JDK-8289549: ISO 4217 Amendment 172 Update + JDK-8289569: [test] java/lang/ProcessBuilder/Basic.java fails on Alpine/musl + JDK-8289695: [TESTBUG] TestMemoryAwareness.java fails on cgroups v2 and crun + JDK-8289697: buffer overflow in MTLVertexCache.m: MTLVertexCache_AddGlyphQuad + JDK-8289799: Build warning in methodData.cpp memset zero-length parameter + JDK-8289856: [PPC64] SIGSEGV in C2Compiler::init_c2_runtime() after JDK-8289060 + JDK-8289910: unify os::message_box across posix platforms + JDK-8290000: Bump macOS GitHub actions to macOS 11 + JDK-8290004: [PPC64] JfrGetCallTrace: assert(_pc != nullptr) failed: must have PC + JDK-8290020: Deadlock in leakprofiler::emit_events during shutdown + JDK-8290082: [PPC64] ZGC C2 load barrier stub needs to preserve vector registers + JDK-8290246: test fails "assert(init != __null) failed: initialization not found" + JDK-8290417: CDS cannot archive lamda proxy with useImplMethodHandle + JDK-8290456: remove os::print_statistics() + JDK-8291595: [17u] Delete files missed in backport of 8269039 + JDK-8291633: Build failures with GCC 11, Alpine 3 due to incompatible casts from nullptr + JDK-8292579: (tz) Update Timezone Data to 2022c + JDK-8295056: [17u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for 
release 17.0.5 - Modified patch: * fips.patch + sync with newest RedHat version - Package the JAVA_HOME/release files in *-headless package * fixes boo#1203476 - Update to upstream tag jdk-17.0.4+8 (July 2022 CPU) * Security fixes: + JDK-8272243: Improve DER parsing + JDK-8272249: Better properties of loaded Properties + JDK-8277608: Address IP Addressing + JDK-8281859, CVE-2022-21540, bsc#1201694: Improve class compilation + JDK-8281866, CVE-2022-21541, bsc#1201692: Enhance MethodHandle invocations + JDK-8283190: Improve MIDI processing + JDK-8284370: Improve zlib usage + JDK-8285407, CVE-2022-34169, bsc#1201684: Improve Xalan supports * Other fixes: + JDK-8139173: [macosx] JInternalFrame shadow is not properly drawn + JDK-8181571: printing to CUPS fails on mac sandbox app + JDK-8193682: Infinite loop in ZipOutputStream.close() + JDK-8206187: javax/management/remote/mandatory/connection/DefaultAgentFilterTest.java fails with Port already in use + JDK-8209776: Refactor jdk/security/JavaDotSecurity/ifdefs.sh to plain java test + JDK-8214733: runtime/8176717/TestInheritFD.java timed out + JDK-8236136: tests which use CompilationMode shouldn't be run w/ TieredStopAtLevel + JDK-8240756: [macos] SwingSet2:TableDemo:Printed Japanese characters were garbled + JDK-8249592: Robot.mouseMove moves cursor to incorrect location when display scale varies and Java runs in DPI Unaware mode + JDK-8251904: vmTestbase/nsk/sysdict/vm/stress/btree/btree010/btree010.java fails with ClassNotFoundException: nsk.sysdict.share.BTree0LLRLRLRRLR + JDK-8255266: Update Public Suffix List to 3c213aa + JDK-8256368: Avoid repeated upcalls into Java to re-resolve MH/VH linkers/invokers + JDK-8258814: Compilation logging crashes for thread suspension / debugging tests + JDK-8263461: jdk/jfr/event/gc/detailed/TestEvacuationFailedEvent.java uses wrong mechanism to cause evacuation failure + JDK-8263538: SharedArchiveConsistency.java should test -Xshare:auto as well + JDK-8264605:
vmTestbase/nsk/jvmti/SuspendThread/ /suspendthrd003/TestDescription.java failed with "agent_tools.cpp, 471: (foundThread = (jthread) jni_env->NewGlobalRef(foundThread)) != NULL" + JDK-8265261: java/nio/file/Files/InterruptCopy.java fails with java.lang.RuntimeException: Copy was not interrupted + JDK-8265317: [vector] assert(payload->is_object()) failed: expected 'object' value for scalar-replaced boxed vector but got: NULL + JDK-8267163: Rename anonymous loader tests to hidden loader tests + JDK-8268231: Aarch64: Use Ldp in intrinsics for String.compareTo + JDK-8268558: [TESTBUG] Case 2 in TestP11KeyFactoryGetRSAKeySpec is skipped + JDK-8268595: java/io/Serializable/serialFilter/ /GlobalFilterTest.java#id1 failed in timeout + JDK-8268773: Improvements related to: Failed to start thread - pthread_create failed (EAGAIN) + JDK-8268906: gc/g1/mixedgc/TestOldGenCollectionUsage.java assumes that GCs take 1ms minimum + JDK-8269077: TestSystemGC uses "require vm.gc.G1" for large pages subtest + JDK-8269129: Multiple tier1 tests in hotspot/jtreg/compiler are failing for client VMs + JDK-8269135: TestDifferentProtectionDomains runs into timeout in client VM + JDK-8269373: some tests in jdk/tools/launcher/ fails on localized Windows platform + JDK-8269753: Misplaced caret in PatternSyntaxException's detail message + JDK-8269933: test/jdk/javax/net/ssl/compatibility/JdkInfo incorrect verification of protocol and cipher support + JDK-8270021: Incorrect log decorators in gc/g1/plab/TestPLABEvacuationFailure.java + JDK-8270336: [TESTBUG] Fix initialization in NonbranchyTree + JDK-8270435: UT: MonitorUsedDeflationThresholdTest failed: did not find too_many string in output + JDK-8270468: TestRangeCheckEliminated fails because methods are not compiled + JDK-8270797: ShortECDSA.java test is not complete + JDK-8270837: fix typos in test TestSigParse.java + JDK-8271008: appcds/*/MethodHandlesAsCollectorTest.java tests time out because of excessive GC (CodeCache GC Threshold) in loom 
+ JDK-8271055: Crash during deoptimization with "assert(bb->is_reachable()) failed: getting result from unreachable basicblock" with -XX:+VerifyStack + JDK-8271224: runtime/EnclosingMethodAttr/EnclMethodAttr.java doesn't check exit code + JDK-8271302: Regex Test Refresh + JDK-8272146: Disable Fibonacci test on memory constrained systems + JDK-8272168: some hotspot runtime/logging tests don't check exit code + JDK-8272169: runtime/logging/LoaderConstraintsTest.java doesn't build test.Empty + JDK-8272358: Some tests may fail when executed with other locales than the US + JDK-8272493: Suboptimal code generation around Preconditions.checkIndex intrinsic with AVX2 + JDK-8272908: Missing coverage for certain classes in com.sun.org.apache.xml.internal.security + JDK-8272964: java/nio/file/Files/InterruptCopy.java fails with java.lang.RuntimeException: Copy was not interrupted + JDK-8273056, CVE-2022-21549, bsc#1201685: java.util.random does not correctly sample exponential or Gaussian distributions + JDK-8273095: vmTestbase/vm/mlvm/anonloader/stress/oome/heap/ /Test.java fails with "wrong OOME" + JDK-8273139: C2: assert(f <= 1 && f >= 0) failed: Incorrect frequency + JDK-8273142: Remove dependancy of TestHttpServer, HttpTransaction, HttpCallback from open/test/jdk/sun/net/www/ /protocol/http/ tests + JDK-8273169: java/util/regex/NegativeArraySize.java failed after JDK-8271302 + JDK-8273804: Platform.isTieredSupported should handle the no-compiler case + JDK-8274172: Convert JavadocTester to use NIO + JDK-8274233: Minor cleanup for ToolBox + JDK-8274244: ReportOnImportedModuleAnnotation.java fails on rerun + JDK-8274561: sun/net/ftp/TestFtpTimeValue.java timed out on slow machines + JDK-8274687: JDWP deadlocks if some Java thread reaches wait in blockOnDebuggerSuspend + JDK-8274735: javax.imageio.IIOException: Unsupported Image Type while processing a valid JPEG image + JDK-8274751: Drag And Drop hangs on Windows + JDK-8274855: vectorapi tests failing with 
assert(!vbox->is_Phi()) failed + JDK-8274939: Incorrect size of the pixel storage is used by the robot on macOS + JDK-8274983: C1 optimizes the invocation of private interface methods + JDK-8275037: Test vmTestbase/nsk/sysdict/vm/stress/btree/btree011/btree011.java crashes with memory exhaustion on Windows + JDK-8275337: C1: assert(false) failed: live_in set of first block must be empty + JDK-8275638: GraphKit::combine_exception_states fails with "matching stack sizes" assert + JDK-8275745: Reproducible copyright headers + JDK-8275830: C2: Receiver downcast is missing when inlining through method handle linkers + JDK-8275854: C2: assert(stride_con != 0) failed: missed some peephole opt + JDK-8276260: (se) Remove java/nio/channels/Selector/Wakeup.java from ProblemList (win) + JDK-8276657: XSLT compiler tries to define a class with empty name + JDK-8276796: gc/TestSystemGC.java large pages subtest fails with ZGC + JDK-8276825: hotspot/runtime/SelectionResolution test errors + JDK-8276863: Remove test/jdk/sun/security/ec/ECDSAJavaVerify.java + JDK-8276880: Remove java/lang/RuntimeTests/exec/ExecWithDir as unnecessary + JDK-8276990: Memory leak in invoker.c fillInvokeRequest() during JDI operations + JDK-8277055: Assert "missing inlining msg" with -XX:+PrintIntrinsics + JDK-8277072: ObjectStreamClass caches keep ClassLoaders alive + JDK-8277087: ZipException: zip END header not found at ZipFile#Source.findEND + JDK-8277165: jdeps --multi-release --print-module-deps fails if module-info.class in different versioned directories + JDK-8277166: Data race in jdeps VersionHelper + JDK-8277123: jdeps does not report some exceptions correctly + JDK-8277396: [TESTBUG] In DefaultButtonModelCrashTest.java, frame is accessed from main thread + JDK-8277422: tools/jar/JarEntryTime.java fails with modified time mismatch + JDK-8277893: Arraycopy stress tests + JDK-8277906: Incorrect type for IV phi of long counted loops after CCP + JDK-8277922: Unable to click JCheckBox in
JTable through Java Access Bridge + JDK-8278014: [vectorapi] Remove test run script + JDK-8278065: Refactor subclassAudits to use ClassValue + JDK-8278186: org.jcp.xml.dsig.internal.dom.Utils .parseIdFromSameDocumentURI throws StringIndexOutOfBoundsException when calling substring method + JDK-8278472: Invalid value set to CANDIDATEFORM structure + JDK-8278519: serviceability/jvmti/FieldAccessWatch/ /FieldAccessWatch.java failed "assert(handle != __null) failed: JNI handle should not be null" + JDK-8278549: UNIX sun/font coding misses SUSE distro detection on recent distro SUSE 15 + JDK-8278766: Enable OpenJDK build support for reproducible jars and jmods using --date + JDK-8278794: Infinite loop in DeflaterOutputStream.finish() + JDK-8278796: Incorrect behavior of FloatVector.withLane on X86 + JDK-8278851: Correct signer logic for jars signed with multiple digestalgs + JDK-8278948: compiler/vectorapi/reshape/ /TestVectorCastAVX1.java crashes in assembler + JDK-8278966: two microbenchmarks tests fail "assert(!jvms->method()->has_exception_handlers()) failed: no exception handler expected" after JDK-8275638 + JDK-8279182: MakeZipReproducible ZipEntry timestamps not localized to UTC + JDK-8279219: [REDO] C2 crash when allocating array of size too large + JDK-8279227: Access Bridge: Wrong frame position and hit test result on HiDPI display + JDK-8279356: Method linking fails with guarantee(mh->adapter() != NULL) failed: Adapter blob must already exist! 
+ JDK-8279437: [JVMCI] exception in HotSpotJVMCIRuntime.translate can exit the VM + JDK-8279515: C1: No inlining through invokedynamic and invokestatic call sites when resolved class is not linked + JDK-8279520: SPNEGO has not passed channel binding info into the underlying mechanism + JDK-8279529: ProblemList java/nio/channels/DatagramChannel/ /ManySourcesAndTargets.java on macosx-aarch64 + JDK-8279532: ProblemList sun/security/ssl/SSLSessionImpl/ /NoInvalidateSocketException.java + JDK-8279560: AArch64: generate_compare_long_string_same_encoding and LARGE_LOOP_PREFETCH alignment + JDK-8279586: [macos] custom JCheckBox and JRadioBox with custom icon set: focus is still displayed after unchecking + JDK-8279597: [TESTBUG] ReturnBlobToWrongHeapTest.java fails with -XX:TieredStopAtLevel=1 on machines with many cores + JDK-8279668: x86: AVX2 versions of vpxor should be asserted + JDK-8279822: CI: Constant pool entries in error state are not supported + JDK-8279834: Alpine Linux fails to build when --with-source-date enabled + JDK-8279837: C2: assert(is_Loop()) failed: invalid node class: Region + JDK-8279842: HTTPS Channel Binding support for Java GSS/Kerberos + JDK-8279958: Provide configure hints for Alpine/apk package managers + JDK-8280004: DCmdArgument::parse_value() should handle NULL input + JDK-8280041: Retry loop issues in java.io.ClassCache + JDK-8280123: C2: Infinite loop in CMoveINode::Ideal during IGVN + JDK-8280401: [sspi] gss_accept_sec_context leaves output_token uninitialized + JDK-8280476: [macOS] : hotspot arm64 bug exposed by latest clang + JDK-8280543: Update the "java" and "jcmd" tool specification for CDS + JDK-8280593: [PPC64, S390] redundant allocation of MacroAssembler in StubGenerator ctor + JDK-8280600: C2: assert(!had_error) failed: bad dominance + JDK-8280684: JfrRecorderService failes with guarantee(num_written > 0) when no space left on device.
+ JDK-8280799: С2: assert(false) failed: cyclic dependency prevents range check elimination + JDK-8280867: Cpuid1Ecx feature parsing is incorrect for AMD CPUs + JDK-8280901: MethodHandle::linkToNative stub is missing w/ -Xint + JDK-8280940: gtest os.release_multi_mappings_vm is racy + JDK-8280941: os::print_memory_mappings() prints segment preceeding the inclusion range + JDK-8280956: Re-examine copyright headers on files in src/java.desktop/macosx/native/libawt_lwawt/awt/a11y + JDK-8280964: [Linux aarch64] : drawImage dithers TYPE_BYTE_INDEXED images incorrectly + JDK-8281043: Intrinsify recursive ObjectMonitor locking for PPC64 + JDK-8281168: Micro-optimize VarForm.getMemberName for interpreter + JDK-8281262: Windows builds in different directories are not fully reproducible + JDK-8281266: [JVMCI] MetaUtil.toInternalName() doesn't handle hidden classes correctly + JDK-8281274: deal with ActiveProcessorCount in os::Linux::print_container_info + JDK-8281275: Upgrading from 8 to 11 no longer accepts '/' as filepath separator in gc paths + JDK-8281318: Improve jfr/event/allocation tests reliability + JDK-8281338: NSAccessibilityPressAction action for tree node and NSAccessibilityShowMenuAcgtion action not working + JDK-8281450: Remove unnecessary operator new and delete from ObjectMonitor + JDK-8281522: Rename ADLC classes which have the same name as hotspot variants + JDK-8281544: assert(VM_Version::supports_avx512bw()) failed for Tests jdk/incubator/vector/ + JDK-8281615: Deadlock caused by jdwp agent + JDK-8281638: jfr/event/allocation tests fail with release VMs after JDK-8281318 due to lack of -XX:+UnlockDiagnosticVMOptions + JDK-8281771: Crash in java_lang_invoke_MethodType::print_signature + JDK-8281811: assert(_base == Tuple) failed: Not a Tuple after JDK-8280799 + JDK-8281822: Test failures on non-DTrace builds due to incomplete DTrace* flags handling + JDK-8282008: Incorrect handling of quoted arguments in ProcessBuilder + JDK-8282045: When loop strip
mining fails, safepoints are removed from loop anyway + JDK-8282142: [TestCase] compiler/inlining/ /ResolvedClassTest.java will fail when --with-jvm-features=-compiler1 + JDK-8282170: JVMTI SetBreakpoint metaspace allocation test + JDK-8282172: CompileBroker::log_metaspace_failure is called from non-Java/compiler threads + JDK-8282225: GHA: Allow one concurrent run per PR only + JDK-8282231: x86-32: runtime call to SharedRuntime::ldiv corrupts registers + JDK-8282293: Domain value for system property jdk.https.negotiate.cbt should be case-insensitive + JDK-8282295: SymbolPropertyEntry::set_method_type fails with assert + JDK-8282312: Minor corrections to evbroadcasti32x4 intrinsic on x86 + JDK-8282345: handle latest VS2022 in abstract_vm_version + JDK-8282382: Report glibc malloc tunables in error reports + JDK-8282422: JTable.print() failed with UnsupportedCharsetException on AIX ko_KR locale + JDK-8282444: Module finder incorrectly assumes default file system path-separator character + JDK-8282499: Bump update version for OpenJDK: jdk-17.0.4 + JDK-8282509: [exploded image] ResolvedClassTest fails with similar output + JDK-8282551: Properly initialize L32X64MixRandom state + JDK-8282583: Update BCEL md to include the copyright notice + JDK-8282590: C2: assert(addp->is_AddP() && addp->outcnt() > 0) failed: Don't process dead nodes + JDK-8282592: C2: assert(false) failed: graph should be schedulable + JDK-8282628: Potential memory leak in sun.font.FontConfigManager.getFontConfig() + JDK-8282874: Bad performance on gather/scatter API caused by different IntSpecies of indexMap + JDK-8282887: Potential memory leak in sun.util.locale.provider .HostLocaleProviderAdapterImpl.getNumberPattern() on Windows + JDK-8282929: Localized monetary symbols are not reflected in 'toLocalizedPattern' return value + JDK-8283017: GHA: Workflows break with update release versions + JDK-8283187: C2: loop candidate for superword not always unrolled fully if superword fails + JDK-8283217:
Leak FcObjectSet in getFontConfigLocations() in fontpath.c + JDK-8283249: CompressedClassPointers.java fails on ppc with 'Narrow klass shift: 0' missing + JDK-8283279: [Testbug] Improve TestGetSwapSpaceSize + JDK-8283315: jrt-fs.jar not always deterministically built + JDK-8283323: libharfbuzz optimization level results in extreme build times + JDK-8283347: [macos] Bad JNI lookup accessibilityHitTest is shown when Screen magnifier is enabled + JDK-8283350: (tz) Update Timezone Data to 2022a + JDK-8283408: Fix a C2 crash when filling arrays with unsafe + JDK-8283422: Create a new test for JDK-8254790 + JDK-8283451: C2: assert(_base == Long) failed: Not a Long + JDK-8283469: Don't use memset to initialize members in FileMapInfo and fix memory leak + JDK-8283497: [windows] print TMP and TEMP in hs_err and VM.info + JDK-8283641: Large value for CompileThresholdScaling causes assert + JDK-8283725: Launching java with "-Xlog:gc*=trace,safepoint*=trace,class*=trace" crashes the JVM + JDK-8283834: Unmappable character for US-ASCII encoding in TestPredicateInputBelowLoopPredicate + JDK-8284023: java.sun.awt.X11GraphicsDevice .getDoubleBufferVisuals() leaks XdbeScreenVisualInfo + JDK-8284033: Leak XVisualInfo in getAllConfigs in awt_GraphicsEnv.c + JDK-8284094: Memory leak in invoker_completeInvokeRequest() + JDK-8284369: TestFailedAllocationBadGraph fails with -XX:TieredStopAtLevel < 4 + JDK-8284389: Improve stability of GHA Pre-submit testing by caching cygwin installer + JDK-8284437: Building from different users/workspace is not always deterministic + JDK-8284458: CodeHeapState::aggregate() leaks blob_name + JDK-8284507: GHA: Only check test results if testing was not skipped + JDK-8284532: Memory leak in BitSet::BitMapFragmentTable in JFR leak profiler + JDK-8284549: JFR: FieldTable leaks FieldInfoTable member + JDK-8284603: [17u] Update Boot JDK used in GHA to 17.0.2 + JDK-8284620: CodeBuffer may leak _overflow_arena + JDK-8284622: Update versions of some Github
Actions used in JDK workflow + JDK-8284661: Reproducible assembly builds without relative linking + JDK-8284754: print more interesting env variables in hs_err and VM.info + JDK-8284758: [linux] improve print_container_info + JDK-8284848: C2: Compiler blackhole arguments should be treated as globally escaping + JDK-8284866: Add test to JDK-8273056 + JDK-8284884: Replace polling with waiting in javax/swing/text/html/parser/Parser/8078268/bug8078268.java + JDK-8284992: Fix misleading Vector API doc for LSHR operator + JDK-8285342: Zero build failure with clang due to values not handled in switch + JDK-8285394: Compiler blackholes can be eliminated due to stale ciMethod::intrinsic_id() + JDK-8285397: JNI exception pending in CUPSfuncs.c:250 + JDK-8285445: cannot open file "NUL:" + JDK-8285515: (dc) DatagramChannel.disconnect fails with "Invalid argument" on macOS 12.4 + JDK-8285523: Improve test java/io/FileOutputStream/OpenNUL.java + JDK-8285686: Update FreeType to 2.12.0 + JDK-8285726: [11u, 17u] Unify fix for JDK-8284548 with version from head + JDK-8285727: [11u, 17u] Unify fix for JDK-8284920 with version from head + JDK-8285728: Alpine Linux build fails with busybox tar + JDK-8285828: runtime/execstack/TestCheckJDK.java fails with zipped debug symbols + JDK-8285921: serviceability/dcmd/jvmti/AttachFailed/ /AttachReturnError.java fails on Alpine + JDK-8285956: (fs) Excessive default poll interval in PollingWatchService + JDK-8286013: Incorrect test configurations for compiler/stable/TestStableShort.java + JDK-8286029: Add classpath exemption to globals_vectorApiSupport_***.S.inc + JDK-8286198: [linux] Fix process-memory information + JDK-8286293: Tests ShortResponseBody and ShortResponseBodyWithRetry should use less resources + JDK-8286444: javac errors after JDK-8251329 are not helpful enough to find root cause + JDK-8286594: (zipfs) Mention paths with dot elements in ZipException and cleanups + JDK-8286601: Mac Aarch: Excessive warnings to be ignored for build 
jdk + JDK-8286855: javac error on invalid jar should only print filename + JDK-8287109: Distrust.java failed with CertificateExpiredException + JDK-8287119: Add Distrust.java to ProblemList + JDK-8287162: (zipfs) Performance regression related to support for POSIX file permissions + JDK-8287336: GHA: Workflows break on patch versions + JDK-8287362: FieldAccessWatch testcase failed on AIX platform + JDK-8287378: GHA: Update cygwin to fix issues in langtools tests on Windows - Removed patch: * JDK-8282004.patch + integrated upstream as JDK-8282231 ----------------------------------------------------------------------------- o Updated java-1_8_0-ibm (security/bugfix/feature) [x86_64,s390x,ppc64le] - IBM Security Update November 2022: [bsc#1205302, bsc#1204703] * The security vulnerability CVE-2022-3676 was fixed in version 8.0.7.20, adding the reference here. - Update to Java 8.0 Service Refresh 7 Fix Pack 20 [bsc#1205302] [bsc#1204472, CVE-2022-21628] [bsc#1204471, CVE-2022-21626] [bsc#1204468, CVE-2022-21618] [bsc#1204480, CVE-2022-39399] [bsc#1204475, CVE-2022-21624] [bsc#1204473, CVE-2022-21619] * Security: - The IBM ORB Does Not Support Object-Serialisation Data Filtering - Large Allocation In CipherSuite - Avoid Evaluating Sslalgorithmconstraints Twice - Cache The Results Of Constraint Checks - An incorrect ShortBufferException is thrown by IBMJCEPlus, IBMJCEPlusFIPS during cipher update operation - Disable SHA-1 Signed Jars For Ea - JSSE Performance Improvement - Oracle Road Map Kerberos Deprecation Of 3DES And RC4 Encryption * Java 8/Orb: - Upgrade ibmcfw.jar To Version o2228.02 * Class Libraries: - Crash In Libjsor.So During An Rdma Failover - High CPU Consumption Observed In ZosEventPort$EventHandlerTask.run - Update Timezone Information To The Latest tzdata2022c * Jit Compiler: - Crash During JIT Compilation - Incorrect JIT Optimization Of Java Code - Incorrect Return From Class.isArray() - Unexpected ClassCastException - Performance Regression When Calling 
VM Helper Code On X86 * X/Os Extensions: - Add RSA-OAEP Cipher Function To IBMJCECCA - Update to Java 8.0 Service Refresh 7 Fix Pack 16 * Java Virtual Machine - Assertion failure at ClassLoaderRememberedSet.cpp - Assertion failure at StandardAccessBarrier.cpp when -Xgc:concurrentScavenge is set. - GC can have unflushed ownable synchronizer objects which can eventually lead to heap corruption and failure when -Xgc:concurrentScavenge is set. * JIT Compiler: - Incorrect JIT optimization of Java code - JAVA JIT Power: JIT compile time assert on AIX or LINUXPPC * Reliability and Serviceability: - javacore with "kill -3" SIGQUIT signal freezes Java process - Update to Java 8.0 Service Refresh 7 Fix Pack 15 [bsc#1202427] [bsc#1201684, CVE-2022-34169] [bsc#1201692, CVE-2022-21541] [bsc#1201685, CVE-2022-21549] [bsc#1201694, CVE-2022-21540] * Correction: These CVEs have been fixed in version 8.0-7.15 and not in 8.0-7.11 as mentioned in the previous changelog entry. - Update to Java 8.0 Service Refresh 7 Fix Pack 11 [bsc#1202427] [bsc#1201684, CVE-2022-34169] [bsc#1201692, CVE-2022-21541] [bsc#1201685, CVE-2022-21549] [bsc#1201694, CVE-2022-21540] * Defect Fixes: - Java Virtual Machine: Long delay in AttachAPI - Update to Java 8.0 Service Refresh 7 Fix Pack 10 [bsc#1201643] [bsc#1198671, CVE-2022-21476] [bsc#1198670, CVE-2022-21449] [bsc#1198673, CVE-2022-21496] [bsc#1198674, CVE-2022-21434] [bsc#1198672, CVE-2022-21426] [bsc#1198675, CVE-2022-21443] [bsc#1191912, CVE-2021-35561] [bsc#1194931, CVE-2022-21299] * Class Libraries: - BigDecimal gives incorrect arithmetic results for the add and subtract operations on the result of a divide * Java Virtual Machine: - jstacktrace sub-option of xtrace doesn't print java stack while doing method trace * Security: - 8217633: Configurable Extensions with system properties - 8241248: NullPointerException in com.ibm.jsse2.ssl.HKDF.extract - 8270344: Session resumption errors - 8277967: Validate the SSLLogger object in KeyShareExtension
- JVM crashes computing Diffie-Hellman shared secrets and JNI errors while creating elliptic curve public key using IBMJCEPlus - Key Certificate Manager authority key identifier value incorrect - SSLv2Hello property value is ignored if specified in jdk.tls.disabledAlgorithms and SSLv2Hello is set by setEnabledProtocols() - There is a memory growth observed during digest operations using IBMJCEPlus as the provider. - Update to Java 8.0 Service Refresh 7 Fix Pack 6 * Java Virtual Machine: Crash while generating javacore, or javacore contains 'Unable to walk in-flight data on call stack' instead of java stack * JIT Compiler: - Java JIT, bad field reference from a tenured object into the nursery - JIT compiler crash with vmstate=0x0005ff04 * XML: Fix security vulnerability CVE-2022-21299 ----------------------------------------------------------------------------- o Updated java-1_8_0-openjdk (security/bugfix/feature) - Update to version jdk8u352 (icedtea-3.25.0) * October 2022 CPU * CVEs + CVE-2022-21619 (bsc#1204473) + CVE-2022-21626 (bsc#1204471) + CVE-2022-21624 (bsc#1204475) + CVE-2022-21628 (bsc#1204472) * Security fixes + JDK-8282252: Improve BigInteger/Decimal validation + JDK-8285662: Better permission resolution + JDK-8286511: Improve macro allocation + JDK-8286519: Better memory handling + JDK-8286526: Improve NTLM support + JDK-8286533: Key X509 usages + JDK-8286910: Improve JNDI lookups + JDK-8286918: Better HttpServer service + JDK-8288508: Enhance ECDSA usage * Import of OpenJDK 8 u352 + JDK-7131823: bug in GIFImageReader + JDK-7186258: InetAddress$Cache should replace currentTimeMillis with nanoTime for more precise and accurate + JDK-8028265: Add legacy tz tests to OpenJDK + JDK-8039955: [TESTBUG] jdk/lambda/LambdaTranslationTest1 - java.lang.AssertionError: expected [d:1234.000000] but found [d:1234,000000] + JDK-8049228: Improve multithreaded scalability of InetAddress cache + JDK-8071507: (ref) Clear phantom reference as soft and weak references do 
+ JDK-8087283: Add support for the XML Signature here() function to the JDK XPath implementation + JDK-8130895: Test javax/swing/system/6799345/TestShutdown.java fails on Solaris11 Sparcv9 + JDK-8136354: [TEST_BUG] Test java/awt/image/RescaleOp/RescaleAlphaTest.java with Bad action for script + JDK-8139668: Generate README-build.html from markdown + JDK-8143847: Remove REF_CLEANER reference category + JDK-8147862: Null check too late in sun.net.httpserver.ServerImpl + JDK-8150669: C1 intrinsic for Class.isPrimitive + JDK-8155742: [Windows] robot.keyPress(KeyEvent.VK_ALT_GRAPH) throws java.lang.IllegalArgumentException in windows + JDK-8173339: AArch64: Fix minimum stack size computations + JDK-8173361: various crashes in JvmtiExport::post_compiled_method_load + JDK-8175797: (ref) Reference::enqueue method should clear the reference object before enqueuing + JDK-8178832: (ref) jdk.lang.ref.disableClearBeforeEnqueue property is ignored + JDK-8183107: PKCS11 regression regarding checkKeySize + JDK-8193780: (ref) Remove the undocumented "jdk.lang.ref.disableClearBeforeEnqueue" system property + JDK-8194873: right ALT key hotkeys no longer work in Swing components + JDK-8201793: (ref) Reference object should not support cloning + JDK-8214427: probable bug in logic of ConcurrentHashMap.addCount() + JDK-8232950: SUNPKCS11 Provider incorrectly check key length for PSS Signatures. 
+ JDK-8233019: java.lang.Class.isPrimitive() (C1) returns wrong result if Klass* is aligned to 32bit + JDK-8235218: Minimal VM is broken after JDK-8173361 + JDK-8235385: Crash on aarch64 JDK due to long offset + JDK-8245263: Enable TLSv1.3 by default on JDK 8u for Client roles + JDK-8254178: Remove .hgignore + JDK-8254318: Remove .hgtags + JDK-8256722: handle VC++:1927 VS2019 in abstract_vm_version + JDK-8260589: Crash in JfrTraceIdLoadBarrier::load(_jclass*) + JDK-8280963: Incorrect PrintFlags formatting on Windows + JDK-8282538: PKCS11 tests fail on CentOS Stream 9 + JDK-8283849: AsyncGetCallTrace may crash JVM on guarantee + JDK-8285400: Add '@apiNote' to the APIs defined in Java SE 8 MR 3 + JDK-8285497: Add system property for Java SE specification maintenance version + JDK-8287132: Retire Runtime.runFinalizersOnExit so that it always throws UOE + JDK-8287508: The tests added to jdk-8 by 8235385 are to be ported to jdk-11 + JDK-8287521: Bump update version of OpenJDK: 8u352 + JDK-8288763: Pack200 extraction failure with invalid size + JDK-8288865: [aarch64] LDR instructions must use legitimized addresses + JDK-8290000: Bump macOS GitHub actions to macOS 11 + JDK-8292579: (tz) Update Timezone Data to 2022c + JDK-8292688: Support Security properties in security.testlibrary.Proc * AArch32 port + JDK-8292599: [aarch32] Crash due to missed CPU specific part of 8233019 - make-jobserver-detection.patch: Fix detection of jobserver support - Update to version jdk8u345 (icedtea-3.24.0) * July 2022 CPU * Security fixes + JDK-8272243: Improve DER parsing + JDK-8272249: Better properties of loaded Properties + JDK-8277608: Address IP Addressing + JDK-8281859, CVE-2022-21540, bsc#1201694: Improve class compilation + JDK-8281866, CVE-2022-21541, bsc#1201692: Enhance MethodHandle invocations + JDK-8283190: Improve MIDI processing + JDK-8284370: Improve zlib usage + JDK-8285407, CVE-2022-34169, bsc#1201684: Improve Xalan supports * Import of OpenJDK 8 u342 + JDK-8076190, 
bsc#1195163: Customizing the generation of a PKCS12 keystore + JDK-8129572: Cleanup usage of getResourceAsStream in jaxp + JDK-8132256: jaxp: Investigate removal of com/sun/org/apache/ /bcel/internal/util/ClassPath.java + JDK-8168926: C2: Bytecode escape analyzer crashes due to stack overflow + JDK-8170530: bash configure output contains a typo in a suggested library name + JDK-8190753: (zipfs): Accessing a large entry (> 2^31 bytes) leads to a negative initial size for ByteArrayOutputStream + JDK-8194154: System property user.dir should not be changed + JDK-8202142: jfr/event/io/TestInstrumentation is unstable + JDK-8209771: jdk.test.lib.Utils::runAndCheckException error + JDK-8221988: add possibility to build with Visual Studio 2019 + JDK-8223396: [TESTBUG] several jfr tests do not clean up files created in /tmp + JDK-8230865: [TESTBUG] jdk/jfr/event/io/EvilInstrument.java fails at-run shell MakeJAR.sh target + JDK-8235211: serviceability/attach/ /RemovingUnixDomainSocketTest.java fails with AttachNotSupportedException: Unable to open socket file + JDK-8244973: serviceability/attach/ /RemovingUnixDomainSocketTest.java fails "stderr was not empty" + JDK-8248876: LoadObject with bad base address created for exec file on linux + JDK-8255239: The timezone of the hs_err_pid log file is corrupted in Japanese locale + JDK-8261107: ArrayIndexOutOfBoundsException in the ICC_Profile.getInstance(InputStream) + JDK-8266187: Memory leak in appendBootClassPath() + JDK-8274658: ISO 4217 Amendment 170 Update + JDK-8274751: Drag And Drop hangs on Windows + JDK-8278138: OpenJDK8 fails to start on Windows 8.1 after upgrading compiler to VS2017 + JDK-8279669: test/jdk/com/sun/jdi/TestScaffold.java uses wrong condition + JDK-8281814: Debuginfo.diz contains redundant build path after backport JDK-8025936 + JDK-8282458: Update .jcheck/conf file for 8u move to git + JDK-8282552: Bump update version of OpenJDK: 8u342 + JDK-8283350: (tz) Update Timezone Data to 2022a + JDK-8284620: 
CodeBuffer may leak _overflow_arena + JDK-8285445: cannot open file "NUL:" + JDK-8285523: Improve test java/io/FileOutputStream/ /OpenNUL.java + JDK-8285591: [11] add signum checks in DSA.java engineVerify + JDK-8285727: [11u, 17u] Unify fix for JDK-8284920 with version from head + JDK-8286989: Build failure on macOS after 8281814 + JDK-8287537: 8u JDK-8284620 backport broke AArch64 build * Import of OpenJDK 8 u345 + JDK-8290832: It is no longer possible to change "user.dir" in the JDK8 + JDK-8291568: Bump update version of OpenJDK: 8u345 - Removed patch: * JDK-8076190.patch + Included by upstream - Update to version jdk8u332 (icedtea-3.23.0) * April 2022 CPU * Security fixes + JDK-8269938: Enhance XML processing passes redux + JDK-8270504, bsc#1198672, CVE-2022-21426: Better XPath expression handling + JDK-8272255: Completely handle MIDI files + JDK-8272261: Improve JFR recording file processing + JDK-8272594: Better record of recordings + JDK-8274221: More definite BER encodings + JDK-8275151, bsc#1198675, CVE-2022-21443: Improved Object Identification + JDK-8277227: Better identification of OIDs + JDK-8277672, bsc#1198674, CVE-2022-21434: Better invocation handler handling + JDK-8278008, bsc#1198671, CVE-2022-21476: Improve Santuario processing + JDK-8278356: Improve file creation + JDK-8278449: Improve keychain support + JDK-8278805: Enhance BMP image loading + JDK-8278972, bsc#1198673, CVE-2022-21496: Improve URL supports + JDK-8281388: Change wrapping of EncryptedPrivateKeyInfo * Import of OpenJDK 8 u332 + JDK-8033980: Xerces Update: datatype XMLGregorianCalendarImpl and DurationImpl + JDK-8035437: Xerces Update: xml/serialize/DOMSerializerImpl + JDK-8035577: Xerces Update: impl/xpath/regex/RangeToken.java + JDK-8037259: xerces update: xpointer update + JDK-8041523: Xerces Update: Serializer improvements from Xalan + JDK-8141508: java.lang.invoke.LambdaConversionException: Invalid receiver type + JDK-8162572: Update License Header for all JAXP sources + 
JDK-8167014: jdeps: Missing message: warn.skipped.entry + JDK-8198411: [TEST_BUG] Two java2d tests are unstable in mach5 + JDK-8202822: Add .git to .hgignore + JDK-8205540: test/hotspot/jtreg/vmTestbase/nsk/jdb/trace/ /trace001/trace001.java fails with Debuggee did not exit after 15 commands + JDK-8209178: Proxied HttpsURLConnection doesn't send BODY when retrying POST request + JDK-8210283: Support git as an SCM alternative in the build + JDK-8218682: [TEST_BUG] DashOffset fails in mach5 + JDK-8225690: Multiple AttachListener threads can be created + JDK-8227738: jvmti/DataDumpRequest/datadumpreq001 failed due to "exit code is 134" + JDK-8227815: Minimal VM: set_state is not a member of AttachListener + JDK-8240633: Memory leaks in the implementations of FileChooserUI + JDK-8241768: git needs .gitattributes + JDK-8247766: [aarch64] guarantee(val < (1U << nbits)) failed: Field too big for insn + JDK-8253147: The javax/swing/JPopupMenu/7154841/ /bug7154841.java fail on big screens + JDK-8253353: Crash in C2: guarantee(n != NULL) failed: No Node + JDK-8266749: AArch64: Backtracing broken on PAC enabled systems + JDK-8270290: NTLM authentication fails if HEAD request is used + JDK-8273229: Update OS detection code to recognize Windows Server 2022 + JDK-8273341: Update Siphash to version 1.0 + JDK-8273575: memory leak in appendBootClassPath(), paths must be deallocated + JDK-8274524: SSLSocket.close() hangs if it is called during the ssl handshake + JDK-8277224: sun.security.pkcs.PKCS9Attributes.toString() throws NPE + JDK-8277488: Add expiry exception for Digicert (geotrustglobalca) expiring in May 2022 + JDK-8279077: JFR crashes on Linux ppc due to missing crash protector in signal handler + JDK-8280060: The sun/rmi/server/Activation.java class use Thread.dumpStack() + JDK-8282300: Throws NamingException instead of InvalidNameException after JDK-8278972 + JDK-8282397: createTempFile method of java.io.File is failing when called with suffix of spaces character + 
JDK-8284548: Invalid XPath expression causes StringIndexOutOfBoundsException + JDK-8284920: Incorrect Token type causes XPath expression to return empty result + JDK-8284936: Fix Java 7 bootstrap breakage due to use of Arrays.stream * Backports + JDK-8031567: Better model for storing source revision information + JDK-8170385: JDK-8031567 broke source bundles + JDK-8170392: JDK-8031567 broke builds from source bundles + JDK-8253424: Add support for running pre-submit testing using GitHub Actions + JDK-8253865: Pre-submit testing using GitHub Actions does not detect failures reliably + JDK-8254054: Pre-submit testing using GitHub Actions should not use the deprecated set-env command + JDK-8254173: Add Zero, Minimal hotspot targets to submit workflow + JDK-8254175: Build no-pch configuration in debug mode for submit checks + JDK-8254282: Add Linux x86_32 builds to submit workflow + JDK-8255305: Add Linux x86_32 tier1 to submit workflow + JDK-8255352: Archive important test outputs in submit workflow + JDK-8255373: Submit workflow artifact name is always "test-results_.zip" + JDK-8255895: Submit workflow artifacts miss hs_errs/replays due to ZIP include mismatch + JDK-8256127: Add cross-compiled foreign architectures builds to submit workflow + JDK-8256277: Github Action build on macOS should define OS and Xcode versions + JDK-8256354: Github Action build on Windows should define OS and MSVC versions + JDK-8256393: Github Actions build on Linux should define OS and GCC versions + JDK-8256414: add optimized build to submit workflow + JDK-8256747: GitHub Actions: decouple the hotspot build-only jobs from Linux x64 testing + JDK-8257056: Submit workflow should apt-get update to avoid package installation errors + JDK-8259924: GitHub actions fail on Linux x86_32 with "Could not configure libc6:i386" + JDK-8260460: GitHub actions still fail on Linux x86_32 with "Could not configure libc6:i386" + JDK-8263667: Avoid running GitHub actions on branches named pr/* + JDK-8282225: 
GHA: Allow one concurrent run per PR only + JDK-8284772: 8u GHA: Use GCC Major Version Dependencies Only * Bug fixes + GH002: Only add -Wno-unused-parameter on gcc and clang compilers. + GH004: Fix naming of sockaddr_in6 variable (sa6->him6) in SOCKETADDRESS union on Windows + GH007: Fix NetworkInterface_winXP.c variable declarations to compile on VS2010 + GH008: Reinstate POST_STRIP_CMD empty check in Images.gmk + GH012: Building from tarball broken by bad backport of JDK-8210283 * Shenandoah + JDK-8260632: Build failures after JDK-8253353 - Add java-1_8_0-openjdk-autoconf27.patch to accept autoconf 2.71 as autoconf 2.59 or later ----------------------------------------------------------------------------- o Updated jeos-firstboot (security/bugfix/feature) - Update to version 1.2.0.5: * Support /usr/lib/os-release (#102) - Don't require wicked nor NetworkManager. Both are optional - Update to version 1.2.0.4: * Rewrite license code - Update to version 1.2.0.3: * Don't ask for licence confirmation if not needed * Deduplicate wifi list - Update to version 1.2.0: * Make use of SPDX identifiers * Read dialog output into a variable directly * Drop broken error handling for dialog * Fix dialog asking about wicked network reconfiguration * Start nmtui in jeos-firstboot if no active connection could be detected * Load network modules dynamically * Only list applicable modules in jeos-config * Convert network configuration to a module * Fix size of the "No root password set" dialog - Update to version 1.1.1.1: * Quick'n'dirty NetworkManager support - Switch git URL to https - Require NetworkManager or wicked ----------------------------------------------------------------------------- o Added jitterentropy (feature) ## WARNING - the following diff is a head -20 proposal * Thu Jan 26 2023 meissner@suse.com - jitterentropy-with-debug.patch: build with debuginfo (bsc#1207789) * Tue Sep 13 2022 meissner@suse.com - jitterentropy-split-internal-header.patch: Hide the non-GNUC 
constructs that are library internal from the exported header. (bsc#1202870) * Wed Aug 03 2022 meissner@suse.com - updated to 3.4.0 * enhancement: add API call jent_set_fips_failure_callback as requested by Daniel Ojalvo * fix: Change the SHA-3 integration: The entropy pool is now a SHA-3 state. It is filled with the time delta containing entropy and auxiliary data that does not contain entropy using a SHA update operation. The auxiliary data is calculated by a SHA-3 hashing of some varying state data. The time delta that contains entropy is measured about the SHA-3 hashing of the auxiliary data. This satisfies FIPS 140-3 IG D.K resolutions 4, 6, and 8. * enhancement: add CMake support by Andrew Hopkins - updated to 3.3.1 * fix: bug fix in initialization logic by Vladis Dronov * fix: use __asm__ instead of asm to suit the C11 standard ----------------------------------------------------------------------------- o Updated jsoup (security/bugfix/feature) - Fix typo in the ant *-build.xml file that caused errors while building eclipse - Upgrade to upstream version 1.15.3 - Changes of 1.15.3 * Security + Fixed bsc#1203459 (CVE-2022-36033), an issue where the jsoup cleaner may incorrectly sanitize crafted XSS attempts if SafeList.preserveRelativeLinks is enabled. See the security advisory for more details. * Improvements + The Cleaner will preserve the source position of cleaned elements, if source tracking is enabled in the original parse. + The error messages output from Validate are more descriptive. Exceptions are now ValidationExceptions (extending IllegalArgumentException). Stack traces do not include the Validate class, to make it simpler to see where the exception originated. Common validation errors including malformed URLs and empty selector results have more explicit error messages. + Build Improvement: added implementation version and related fields to the jar manifest.
  * Bug Fixes
    + The DataUtil would incorrectly read from InputStreams that emitted reads less than the requested size. This led to incorrect results when parsing from chunked server responses, for example.
- Changes of 1.15.2
  * Improvements
    + Added the ability to track the position (line, column, index) in the original input source from where a given node was parsed. Accessible via Node.sourceRange() and Element.endSourceRange().
    + Added Element.firstElementChild(), Element.lastElementChild(), Node.firstChild(), Node.lastChild(), as convenient accessors to those child nodes and elements.
    + Added Element.expectFirst(), which is just like Element.selectFirst(), but instead of returning a null if there is no match, will throw an IllegalArgumentException. This is useful if you want to simply abort processing if an expected match is not found, such as in test cases.
    + When pretty-printing HTML, doctypes are emitted on a newline if there is a preceding comment.
    + When pretty-printing, trim the leading and trailing spaces of textnodes in block tags when possible, so that they are indented correctly.
    + In Element.selectXpath(), disable namespace awareness. This makes it possible to always select elements by their simple local name, regardless of whether an xmlns attribute was set.
  * Bug Fixes
    + When using the DataUtil.readToByteBuffer() method, such as in Connection.Response.body(), if the document has not already been parsed and must be read fully, and there is any maximum buffer size being applied, only the default internal buffer size was read.
    + When serializing HTML, newlines in elements descending from a pre tag were incorrectly skipped. That caused what should have been preformatted output to instead be a run of text.
    + When pretty-print serializing HTML, newlines separating phrasing content (e.g. a tag within a

tag would be incorrectly skipped, instead of normalized to a space. Additionally, improved space normalization between other end of line occurrences, and whitespace handling after a closing
- Changes of 1.15.1
  * Changes
    + Removed previously deprecated methods and classes (including org.jsoup.safety.Whitelist; use org.jsoup.safety.Safelist instead).
  * Improvements
    + When converting jsoup Documents to W3C Documents in W3CDom, preserve HTML valid attribute names if the input document is using the HTML syntax. (Previously, would always coerce using the more restrictive XML syntax.)
    + Added the :containsWholeText(text) selector, to match against non-normalized Element text. That can be useful when elements can only be distinguished by e.g. specific case, or leading whitespace, etc.
    + Added Element#wholeOwnText() to retrieve the original (non-normalized) ownText of an Element. Also added the :containsWholeOwnText(text) selector, to match against that. BR elements are now treated as newlines in the wholeText methods.
    + Added the :matchesWholeText(regex) and :matchesWholeOwnText(regex) selectors, to match against whole (non-normalized, case sensitive) element text and own text, respectively.
    + When evaluating an XPath query against a context element, the complete document is now visible to the query, vs only the context element's sub-tree. This enables support for queries outside (parent or sibling) the element, e.g. ancestor-or-self::*.
    + Allow a maxPaddingWidth on the indent level in OutputSettings when pretty printing. This defaults to 30 to limit the indent level for very deeply nested elements, and may be disabled by setting to -1.
    + When cloning a Node or an Element, the clone gets a cloned OwnerDocument containing only that clone, so as to preserve applicable settings, such as the Pretty Print settings.
    + Added a convenience method Jsoup.parse(File).
    + In the NodeTraversor, added default implementations for NodeVisitor.tail() and NodeFilter.tail(), so that code using only head() methods can be written as lambdas.
    + In NodeTraversor, added support for removing nodes via Node.remove() during NodeVisitor.head().
    + Added Node.forEachNode(Consumer) and Element.forEach(Consumer) should not emit a parse error.
    + When throwing a SelectorParseException for an invalid selector, don't try to String.format the input, as that could throw an IllegalFormatException.
    + When serializing HTML with Pretty Print enabled, extraneous whitespace may be added on closing tags, or extra newlines may be added at the end of script blocks.
    + When copy-creating a Safelist from another, perform a deep-copy of the original's settings, so that changes to the original after creation do not affect the copy.
    + Speed improvement when parsing constructed HTML containing very deeply incorrectly stacked formatting elements with many attributes.
    + During parsing, a StackOverflowException was possible given crafted HTML with hundreds of nested table elements followed by invalid formatting elements.
- Changes of 1.14.3
  * Improvements
    + Added native XPath support with Element.selectXpath(String)
    + Added full support for the