Packages changed:
  clucene-core
  cmake
  ffmpeg (3.4.1 -> 3.4.2)
  gnome-software (3.26.5 -> 3.26.6)
  ilmbase (2.2.0 -> 2.2.1)
  libreoffice (6.0.0.3 -> 6.0.1.1)
  mbedtls (2.6.0 -> 2.7.0)
  multipath-tools
  ncurses
  openexr (2.2.0 -> 2.2.1)
  patterns-server
  perl-DBD-Pg (3.5.3 -> 3.7.4)
  perl-IO-Socket-SSL (2.052 -> 2.054)
  python-urllib3
  rdesktop
  ripit
  sg3_utils
  skopeo
  speech-dispatcher (0.8.7 -> 0.8.8)

=== Details ===

==== clucene-core ====
Subpackages: clucene-core-devel libclucene-contribs-lib1 libclucene-core1 libclucene-shared1

- Add patch clucene-new-gcc.patch to fix visibility issues
- Use %cmake macros
- Remove a few obsolete codepaths

==== cmake ====

- c17-default.patch: Add support for C17 default in GCC 8

==== ffmpeg ====
Version update (3.4.1 -> 3.4.2)
Subpackages: libavcodec-devel libavcodec57 libavdevice57 libavfilter6 libavformat57 libavresample-devel libavresample3 libavutil-devel libavutil55 libpostproc54 libswresample-devel libswresample2 libswscale-devel libswscale4

- Update to new bugfix release 3.4.2
  * Fix integer overflows, multiplication overflows, undefined shifts, and verify buffer lengths.
  * avfilter/vf_transpose: Fix used plane count [boo#1078488, CVE-2018-6392]
  * avcodec/utvideodec: Fix bytes left check in decode_frame() [boo#1079368, CVE-2018-6621]
- Enable use of libzvbi for displaying teletext subtitles.
- Fixed a DoS in swri_audio_convert(), added cve-2017-17555.diff [boo#1072366, CVE-2017-17555].

==== gnome-software ====
Version update (3.26.5 -> 3.26.6)
Subpackages: gnome-software-lang

- Update to version 3.26.6:
  + Improve alignment on the updates page.
  + Do not show missing screenshot error for fonts that have screenshots.
  + Fixes for third party repository handling in the sources dialog.
  + Fix various issues on Ubuntu when purchasing apps.
  + Fix building with gtkspell support.
  + Fix an issue that led to duplicate categories appearing on the overview page.
  + Various memory leak and correctness fixes.
  + Show package descriptions when installing packages through the dbus API.
  + Revert a commit that broke repo package install.
  + Updated translations.
- Pass enable-gtkspell=true to meson to ensure we build gtkspell support.

==== ilmbase ====
Version update (2.2.0 -> 2.2.1)

- fix license of halfExport.h [bsc#774408]
  + ilmbase-halfExport.h-license.patch
- Update keyring and set keyring URL
- Update to version 2.2.1
  * Bumped version to track OpenEXR
- bump sonum and macroify it
- cleanup with spec-cleaner

==== libreoffice ====
Version update (6.0.0.3 -> 6.0.1.1)
Subpackages: libreoffice-base libreoffice-base-drivers-mysql libreoffice-branding-upstream libreoffice-calc libreoffice-draw libreoffice-filters-optional libreoffice-gnome libreoffice-gtk3 libreoffice-icon-themes libreoffice-impress libreoffice-kde4 libreoffice-l10n-cs libreoffice-l10n-da libreoffice-l10n-de libreoffice-l10n-el libreoffice-l10n-en libreoffice-l10n-es libreoffice-l10n-fr libreoffice-l10n-hu libreoffice-l10n-it libreoffice-l10n-ja libreoffice-l10n-pl libreoffice-l10n-pt_BR libreoffice-l10n-ru libreoffice-l10n-zh_CN libreoffice-l10n-zh_TW libreoffice-mailmerge libreoffice-math libreoffice-pyuno libreoffice-writer libreofficekit

- Make sure we execute everything with python3
  * 0001-Use-PYTHON_FOR_BUILD-instead-of-calling-python-direc.patch
- Bump version of bundled gpgme to 1.9.0
- Version update to 6.0.1.1:
  * various fixes all around
  * Fixes data exposure bsc#1080249 CVE-2018-1055 CVE-2018-6871
- Bump the version of libgpg-error
- Drop the libreoffice-poppler-0.62.patch, merged upstream

==== mbedtls ====
Version update (2.6.0 -> 2.7.0)
Subpackages: libmbedtls10 libmbedx509-0 mbedtls-devel

- Update to version 2.7.0:
  - Security
    * Fix a heap corruption issue in the implementation of the truncated HMAC extension.
      When the truncated HMAC extension is enabled and CBC is used, sending a malicious application packet could be used to selectively corrupt 6 bytes on the peer's heap, which could potentially lead to crash or remote code execution. The issue could be triggered remotely from either side in both TLS and DTLS. (CVE-2018-0488 boo#1080828)
    * Fix a buffer overflow in RSA-PSS verification when the hash was too large for the key size, which could potentially lead to crash or remote code execution. Found by Seth Terashima, Qualcomm Product Security Initiative, Qualcomm Technologies Inc. (CVE-2018-0487 boo#1080826)
    * Fix buffer overflow in RSA-PSS verification when the unmasked data is all zeros.
    * Fix an unsafe bounds check in ssl_parse_client_psk_identity() when adding 64 KiB to the address of the SSL buffer and causing a wrap around.
    * Fix a potential heap buffer overflow in mbedtls_ssl_write(). When the (by default enabled) maximum fragment length extension is disabled in the config and the application data buffer passed to mbedtls_ssl_write is larger than the internal message buffer (16384 bytes by default), the latter overflows.
    * Add a provision to prevent compiler optimizations breaking the time constancy of mbedtls_ssl_safer_memcmp().
    * Ensure that buffers are cleared after use if they contain sensitive data. Changes were introduced in multiple places in the library.
    * Set PEM buffer to zero before freeing it, to avoid decoded private keys being leaked to memory after release.
    * Fix dhm_check_range() failing to detect trivial subgroups and potentially leaking 1 bit of the private key. Reported by prashantkspatil.
    * Make mbedtls_mpi_read_binary() constant-time with respect to the input data. Previously, trailing zero bytes were detected and omitted for the sake of saving memory, but potentially leading to slight timing differences. Reported by Marco Macchetti, Kudelski Group.
    * Wipe stack buffer temporarily holding EC private exponent after keypair generation.
    * Fix a potential heap buffer over-read in ALPN extension parsing (server-side). Could result in application crash, but only if an ALPN name larger than 16 bytes had been configured on the server.
    * Change default choice of DHE parameters from untrustworthy RFC 5114 to RFC 3526 containing parameters generated in a nothing-up-my-sleeve manner.
  - Features
    * Add alternative implementation support for CCM and CMAC (MBEDTLS_CCM_ALT, MBEDTLS_CMAC_ALT). Submitted by Steven Cooreman, Silicon Labs.
    * Add support for alternative implementations of GCM, selected by the configuration flag MBEDTLS_GCM_ALT.
    * Add support for alternative implementations for ECDSA, controlled by the new configuration flags MBEDTLS_ECDSA_SIGN_ALT, MBEDTLS_ECDSA_VERIFY_ALT and MBEDTLS_ECDSA_GENKEY_ALT in config.h. The following functions from the ECDSA module can be replaced with an alternative implementation: mbedtls_ecdsa_sign(), mbedtls_ecdsa_verify() and mbedtls_ecdsa_genkey().
    * Add support for alternative implementation of ECDH, controlled by the new configuration flags MBEDTLS_ECDH_COMPUTE_SHARED_ALT and MBEDTLS_ECDH_GEN_PUBLIC_ALT in config.h. The following functions from the ECDH module can be replaced with an alternative implementation: mbedtls_ecdh_gen_public() and mbedtls_ecdh_compute_shared().
    * Add support for alternative implementation of ECJPAKE, controlled by the new configuration flag MBEDTLS_ECJPAKE_ALT.
    * Add mechanism to provide alternative implementation of the DHM module.
  - API changes
    * Extend RSA interface by multiple functions allowing structure-independent setup and export of RSA contexts. Most notably, mbedtls_rsa_import() and mbedtls_rsa_complete() are introduced for setting up RSA contexts from partial key material and having them completed to the needs of the implementation automatically. This allows setting up private RSA contexts from keys consisting of N, D, E only, even if P, Q are needed for the purpose of CRT and/or blinding.
    * The configuration option MBEDTLS_RSA_ALT can be used to define alternative implementations of the RSA interface declared in rsa.h.
    * The following functions in the message digest modules (MD2, MD4, MD5, SHA1, SHA256, SHA512) have been deprecated and replaced as shown below. The new functions change the return type from void to int to allow returning error codes when using MBEDTLS_<MODULE>_ALT.
        mbedtls_<MODULE>_starts()  -> mbedtls_<MODULE>_starts_ret()
        mbedtls_<MODULE>_update()  -> mbedtls_<MODULE>_update_ret()
        mbedtls_<MODULE>_finish()  -> mbedtls_<MODULE>_finish_ret()
        mbedtls_<MODULE>_process() -> mbedtls_internal_<MODULE>_process()
  - Deprecations
    * Deprecate usage of RSA primitives with non-matching key-type (e.g. signing with a public key).
    * Direct manipulation of structure fields of RSA contexts is deprecated. Users are advised to use the extended RSA API instead.
    * Deprecate usage of message digest functions that return void (mbedtls_<MODULE>_starts, mbedtls_<MODULE>_update, mbedtls_<MODULE>_finish and mbedtls_<MODULE>_process, where <MODULE> is any of MD2, MD4, MD5, SHA1, SHA256, SHA512) in favor of functions that can return an error code.
    * Deprecate untrustworthy DHE parameters from RFC 5114. Superseded by parameters from RFC 3526 or the newly added parameters from RFC 7919.
    * Deprecate hex string DHE constants MBEDTLS_DHM_RFC3526_MODP_2048_P etc. Superseded by binary encoded constants MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN etc.
    * Deprecate mbedtls_ssl_conf_dh_param() for setting default DHE parameters from hex strings. Superseded by mbedtls_ssl_conf_dh_param_bin() accepting DHM parameters in binary form, matching the new constants.
  - Several bug fixes

==== multipath-tools ====
Subpackages: kpartx multipath-tools-rbd

- Fix whitespace in dracut conf file (bsc#1080562)

==== ncurses ====
Subpackages: libncurses6 ncurses-devel ncurses-utils tack terminfo terminfo-base

- Add ncurses patch 6.1-20180203
  + minor fixes to test/*.h to make them idempotent.
  + add/use test/parse_rgb.h to show how the "RGB" capability works.
  + add a clarification in user_caps.5 regarding "RGB" capability.
  + add extended_slk_color{,_sp} symbols to the appropriate package/*.{map,sym} files (report by Sven Joachim, cf: 20170401).

==== openexr ====
Version update (2.2.0 -> 2.2.1)

- Update to 2.2.1
  * Fix reported OpenEXR security vulnerabilities: CVE-2017-9110, CVE-2017-9111, CVE-2017-9112, CVE-2017-9113, CVE-2017-9114, CVE-2017-9115 and CVE-2017-9116
  - pgajdos@suse.com: but it really seems to fix only CVE-2017-9110 [bsc#1040107], CVE-2017-9114 [bsc#1040114], CVE-2017-9116 [bsc#1040116], CVE-2017-12596 [bsc#1052522]; for the rest of the issues see [bsc#1040109], [bsc#1040112], [bsc#1040113], [bsc#1040114], [bsc#1040115], and [bsc#1061305]

==== patterns-server ====
Subpackages: patterns-server-dhcp_dns_server patterns-server-directory_server patterns-server-file_server patterns-server-gateway_server patterns-server-kvm_server patterns-server-lamp_server patterns-server-mail_server patterns-server-print_server patterns-server-xen_server

- Recommend php7 variants by the lamp pattern (boo#1081072).

==== perl-DBD-Pg ====
Version update (3.5.3 -> 3.7.4)

- updated to 3.7.4
  see /usr/share/doc/packages/perl-DBD-Pg/Changes
- updated to 3.7.1
  see /usr/share/doc/packages/perl-DBD-Pg/Changes

  Version 3.7.1  Released February 11, 2017 (git tag 3.7.1)

    - Fixed problem when using placeholders and escaped question marks, the recopied string was not terminated correctly. [Greg Sabino Mullane] (Github issue #33)
    - Make sure nulls in our self-generated arrays are not set as read-only in some Perls. [Greg Sabino Mullane] (CPAN ticket #107556)
    - If the server returns no error message, and an "unknown" code from libpq, supply a custom message mentioning client_min_messages may be to blame.
      [Greg Sabino Mullane] (CPAN ticket #109591)
    - Declare VERSION with 'our' in seldom-used Bundle module (CPAN ticket #123218)
- updated to 3.7.0
  see /usr/share/doc/packages/perl-DBD-Pg/Changes

  Version 3.7.0  Released September 24, 2017 (git tag 3.7.0)

    - If no placeholders, use PQexec instead of PQexecParams [Greg Sabino Mullane]
    - Fix running tests with non-UTF8 server_encoding [Dagfinn Ilmari Mannsåker] (Github issue #26)
    - Fix crash with missing client_encoding [David Christensen, reported by Marko Tiikkaja] (Github issue #29)
    - Fix crash with missing server_version [David Christensen]
    - Fix leak in ->state methods [Dagfinn Ilmari Mannsåker] (Github issue #30)
    - Add $sth->{pg_async_status} to determine async status of a statement handle. Values can be 0 (no async), 1 (async), or -1 (cancelled) [Greg Sabino Mullane, as requested by Dmytro Zagashev (ZDM)] (CPAN ticket #116172)

  Version 3.6.2  Released May 23, 2017 (git tag 3.6.2)

    - Remove errant debugging aid from test suite

  Version 3.6.1  Released May 22, 2017 (git tag 3.6.1)

    - Various fixes to support testing against Postgres 10beta [David Christensen]

  Version 3.6.0  Released April 17, 2017 (git tag 3.6.0)

    - Make sure we do not inadvertently modify the string passed to prepare() when doing the new backslash escape manipulation. [Greg Sabino Mullane] (CPAN ticket #114000)
    - Fix bug where $DBD::Pg::DBDPG_DEFAULT was not picked up as a magic string the first time it is used in a script. [Greg Sabino Mullane] (CPAN ticket #112309)
    - Fix UTF8 flag handling in pg_(get|put)copydata [Dagfinn Ilmari Mannsåker]
    - Fix UTF8 double-encoding with pg_enable_utf8 = 0 [Serge Pushkin] (CPAN ticket #103137)
    - Fix bug in quote_name which would fail to quote in some circumstances (Github Issue #22)
    - Allow clean parsing of new Postgres X.Y version format [Erik Rijkers er at xs4all.nl]
    - Add pg_canonical_ids() and pg_canonical_names(), which return information about each column in the result set.
      [Warstone warstone at list.ru] (CPAN ticket #106858)
    - Map SQL_NUMERIC to PG_NUMERIC (instead of PG_FLOAT8) [Alice Maz alice at alizemaz.com] (CPAN ticket #120358)
    - Force real, float, and double precision into SvNVs [Greg Sabino Mullane] (CPAN ticket #113683 and other places)
    - Support for number of rows greater than an "int". Requires support for same from a future version of libpq before it will work completely. [Greg Sabino Mullane] (CPAN ticket #102444)
    - Fix skipped test counts in Win32 builds [Andy Grundman]
    - Allow tests to work against Postgres 8.4 by tweaking client_encoding calls. [Pavel Raiskup praiskup at redhat.com] (CPAN ticket #116179)
    - Silence warnings in t/02attribs.t and t/04misc.t [Dagfinn Ilmari Mannsåker]
    - Support binary COPY format [Dagfinn Ilmari Mannsåker]
    - Ensure tests do not use $ENV{PGSERVICE} or $ENV{PGDATABASE} [Erik Rijkers]
    - Switched canonical repo to git://github.com/bucardo/dbdpg.git

==== perl-IO-Socket-SSL ====
Version update (2.052 -> 2.054)

- ignore Mozilla::CA
- updated to 2.054
  see /usr/share/doc/packages/perl-IO-Socket-SSL/Changes

  2.054 2018/01/22
  - added missing test certificates to MANIFEST
  2.053 2018/01/21
  - small behavior fixes
    - if SSL_fingerprint is used and matches, don't check for OCSP
    - Utils::CERT_create - small fixes to properly specify purpose, ability to use predefined complex purpose but disable some features
  - update PublicSuffix
  - updates for documentation, especially regarding pitfalls with forking or using non-blocking sockets. Spelling fixes.
  - test fixes and improvements
    - stability improvements for live tests
    - regenerate certificates in certs/ and make sure they are limited to the correct purpose. Checkin program used to generate certificates.
    - adjust tests since certificates have changed and some tests used certificates intended for client authentication as server certificates, which now no longer works

==== python-urllib3 ====

- disable more flaky tests specifically for PowerPC

==== rdesktop ====

- Added rdesktop-Fix-key-caching.patch, a backport of https://github.com/rdesktop/rdesktop/commit/a3dfceefc2c729243b71270e3f503fa2dd57ec8d

==== ripit ====

- use wikipedia URL, as the original domain is no longer valid
- added ripit-4.0.0-undefined_variables.patch to avoid errors if the user is using an old config file which does not define some variables
- added ripit-man-spellfix.patch from Debian which contains some spell fixes for the man page
- rebased ripit-3.9.0-ogg.patch
- use Productivity/Multimedia/CD/Grabbers as RPM group

==== sg3_utils ====
Subpackages: libsgutils2-1_43-2

- dracut.conf: add whitespace at end of line (bsc#1080562)

==== skopeo ====

- Add requirement on libcontainers-common, which now provides the /etc/containers/policy.json config.

==== speech-dispatcher ====
Version update (0.8.7 -> 0.8.8)
Subpackages: libspeechd-devel libspeechd2 python3-speechd speech-dispatcher-configure speech-dispatcher-module-espeak

- Update to version 0.8.8
  * Add German translation, thanks to Chris Leick for the patch
  * Fix some spelling mistakes, thanks to Paul Gevers for the patch
  * Some slight code improvements