Packages changed:
  btrfsmaintenance (0.4.1 -> 0.4.2)
  cups
  ethtool
  fftw3
  ghostscript (9.23 -> 9.25)
  gnutls
  haveged
  jack
  libical (3.0.3 -> 3.0.4)
  libmusicbrainz5
  libreoffice (6.1.1.1 -> 6.1.2.1)
  lilv (0.24.2 -> 0.24.4)
  opusfile (0.10 -> 0.11)
  perl-Convert-UUlib (1.4 -> 1.5)
  perl-HTML-Format (2.11 -> 2.12)
  perl-LWP-Protocol-https (6.06 -> 6.07)
  python-cffi
  python-matplotlib (2.2.3 -> 3.0.0)
  snapper
  sqlite3 (3.24.0 -> 3.25.0)
  sssd (1.16.2 -> 2.0.0)
  swig
  unbound (1.7.3 -> 1.8.0)
  usbredir (0.7.1 -> 0.8.0)
  yast2-python-bindings (4.0.4 -> 4.0.5)

=== Details ===

==== btrfsmaintenance ====
Version update (0.4.1 -> 0.4.2)

- update to version 0.4.2
- CVE-2018-14722: expand auto mountpoints in a safe way
- btrfs-defrag: fix missing function to detect btrfs filesystems (#52)
- btrfs-trim: more verbose fstrim output (#60)
- dist-install: print information about timer unit installation (#58)

==== cups ====
Subpackages: cups-client cups-config libcups2 libcups2-32bit libcupscgi1 libcupsimage2 libcupsmime1 libcupsppdc1

- Fix warning message upon update (boo#1050845):
  Remove template service cups-lpd@ from service_* macro in scriptlets.

==== ethtool ====

- Use noun phrase for summary.

==== fftw3 ====
Subpackages: libfftw3-3 libfftw3_threads3

- Stay with openmpi also on ppc

==== ghostscript ====
Version update (9.23 -> 9.25)
Subpackages: ghostscript-x11

- Version upgrade to 9.25
  For the highlights in this release see the highlights in the 9.25rc1 first release candidate for 9.25 entry below.
  PLEASE NOTE: We (i.e. Ghostscript upstream) strongly urge users to upgrade to this latest release to avoid these issues.
  For a release summary see:
  http://www.ghostscript.com/doc/9.25/News.htm
  For details see the News.htm and History9.htm files.
  The Ghostscript 9.25 release should fix (see below) in particular those security issues:
  * CVE-2018-15909: shading_param incomplete type checking
    https://bugs.ghostscript.com/show_bug.cgi?id=699660
    https://bugzilla.suse.com/show_bug.cgi?id=1106172
    bsc#1106172
  * CVE-2018-15908: .tempfile file permission issues
    https://bugs.ghostscript.com/show_bug.cgi?id=699657
    https://bugzilla.suse.com/show_bug.cgi?id=1106171
    bsc#1106171
  * CVE-2018-15910: LockDistillerParams type confusion
    https://bugs.ghostscript.com/show_bug.cgi?id=699656
    https://bugzilla.suse.com/show_bug.cgi?id=1106173
    bsc#1106173
  * CVE-2018-15911: uninitialized memory access in the aesdecode
    https://bugs.ghostscript.com/show_bug.cgi?id=699665
    https://bugzilla.suse.com/show_bug.cgi?id=1106195
    bsc#1106195
  * CVE-2018-16513: setcolor missing type check
    https://bugs.ghostscript.com/show_bug.cgi?id=699655
    https://bugzilla.suse.com/show_bug.cgi?id=1107412
    bsc#1107412
  * CVE-2018-16509: /invalidaccess bypass after failed restore
    https://bugs.ghostscript.com/show_bug.cgi?id=699654
    https://bugzilla.suse.com/show_bug.cgi?id=1107410
    bsc#1107410
  * CVE-2018-16510: Incorrect exec stack handling in the "CS" and "SC" PDF primitives
    https://bugs.ghostscript.com/show_bug.cgi?id=699671
    https://bugzilla.suse.com/show_bug.cgi?id=1107411
    bsc#1107411
  * CVE-2018-16542: .definemodifiedfont memory corruption if /typecheck is handled
    https://bugs.ghostscript.com/show_bug.cgi?id=699668
    https://bugzilla.suse.com/show_bug.cgi?id=1107413
    bsc#1107413
  * CVE-2018-16541 incorrect free logic in pagedevice replacement
    https://bugs.ghostscript.com/show_bug.cgi?id=699664
    https://bugzilla.suse.com/show_bug.cgi?id=1107421
    bsc#1107421
  * CVE-2018-16540 use-after-free in copydevice handling
    https://bugs.ghostscript.com/show_bug.cgi?id=699661
    https://bugzilla.suse.com/show_bug.cgi?id=1107420
    bsc#1107420
  * CVE-2018-16539: incorrect access checking in temp file handling to disclose contents of files
    https://bugs.ghostscript.com/show_bug.cgi?id=699658
    https://bugzilla.suse.com/show_bug.cgi?id=1107422
    bsc#1107422
  * CVE-2018-16543: gssetresolution and gsgetresolution allow for unspecified impact
    https://bugs.ghostscript.com/show_bug.cgi?id=699670
    https://bugzilla.suse.com/show_bug.cgi?id=1107423
    bsc#1107423
  * CVE-2018-16511: type confusion in "ztype" could be used by remote attackers able to supply crafted PostScript to crash the interpreter or possibly have unspecified other impact
    https://bugs.ghostscript.com/show_bug.cgi?id=699659
    https://bugzilla.suse.com/show_bug.cgi?id=1107426
    bsc#1107426
  * CVE-2018-16585 .setdistillerkeys PostScript command is accepted even though it is not intended for use
    https://bugzilla.suse.com/show_bug.cgi?id=1107581
    bsc#1107581
  * CVE-2018-16802: Incorrect "restoration of privilege" checking when running out of stack during exception handling could be used by attackers able to supply crafted PostScript to execute code using the "pipe" instruction. This is due to an incomplete fix for CVE-2018-16509
    https://bugs.ghostscript.com/show_bug.cgi?id=699714
    https://bugs.ghostscript.com/show_bug.cgi?id=699718
    https://bugzilla.suse.com/show_bug.cgi?id=1108027
    bnc#1108027

  Regarding what the above "should fix" means:
  PostScript is a general purpose Turing-complete programming language (cf. https://en.wikipedia.org/wiki/PostScript) that supports in particular file access on the system disk.
  When Ghostscript processes PostScript it runs a PostScript program as the user who runs Ghostscript.
  When Ghostscript processes an arbitrary PostScript file, the user who runs Ghostscript runs an arbitrary program which can do anything on the system where Ghostscript runs that this user is allowed to do on that system.
  To make it safer when Ghostscript runs a PostScript program the Ghostscript command line option '-dSAFER' disables certain file access functionality, for details see /usr/share/doc/ghostscript/9.25/Use.htm
  Its name 'SAFER' says everything: It makes it 'safer' to let Ghostscript run a PostScript program, but it does not make it completely safe.
  In theory software is safe against misuse (i.e. has no bugs).
  In practice there is an endless sequence of various kinds of security issues (i.e. software can be misused to do more than what is intended) that get fixed issue by issue ad infinitum.
  In the end all that means: In practice the user who runs Ghostscript must not let it process arbitrary PostScript files from untrusted origin.
  In particular Ghostscript is usually run when printing documents (with the '-dSAFER' option set), see the part about "It is crucial to limit access to CUPS to trusted users" in https://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings
- Version upgrade to 9.25rc1 (first release candidate for 9.25).
  Highlights in this release include:
  * This release fixes problems with argument handling, some unintended results of the security fixes to the SAFER file access restrictions (specifically accessing ICC profile files), and some additional security issues over the 9.24 release.
  * Security issues have been the primary focus of this release, including solving several (well publicised) real and potential exploits.
    PLEASE NOTE: We (i.e. Ghostscript upstream) strongly urge users to upgrade to this latest release to avoid these issues.
  * Avoid that ps2epsi fails with 'Error: /undefined in --setpagedevice--'
    Recent changes required to harden SAFER mode mean that it is no longer possible to run ps2epsi in SAFER mode, because it relies upon unsafe Ghostscript non-standard extension operators. Removing SAFER and DELAYSAFER, and the code to reset SAFER, allow ps2epsi to run as well as it ever did (ie badly). This program (i.e. ps2epsi) should now be considered unsafe, you should not use it on untrusted PostScript programs. Likely we (i.e. Ghostscript upstream) will deprecate and remove this program in future.
  For details see the News.htm and History9.htm files.
  Regarding installing packages (in particular release candidates) from the openSUSE build service development project "Printing" see https://build.opensuse.org/project/show/Printing
- Version upgrade to 9.24
  Highlights in this release include:
  * Security issues have been the primary focus of this release, including solving several (well publicised) real and potential exploits.
    PLEASE NOTE: We (i.e. Ghostscript upstream) strongly urge users to upgrade to this latest release to avoid these issues.
  * As well as Ghostscript itself, jbig2dec has had a significant amount of work improving its robustness in the face of out of specification files.
  * IMPORTANT: We (i.e. Ghostscript upstream) are in the process of forking LittleCMS. LCMS2 is not thread safe, and cannot be made thread safe without breaking the ABI. Our fork will be thread safe, and include performance enhancements (these changes have all been offered and rejected upstream). We will maintain compatibility between Ghostscript and LCMS2 for a time, but not in perpetuity. Our fork will be available as its own package separately from Ghostscript (and MuPDF).
  * The usual round of bug fixes, compatibility changes, and incremental improvements.
  For a release summary see:
  http://www.ghostscript.com/doc/9.24/News.htm
  For details see the News.htm and History9.htm files.
- fix_ln_docdir_gsdatadir.patch is no longer needed because the issue is fixed in the upstream sources.
- CVE-2018-10194.patch is no longer needed because the issue is fixed in the upstream sources.
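
The ghostscript entry above stresses that '-dSAFER' is one layer and that the PostScript program runs with the rights of the invoking user. As an added example (not part of this changelog or of Ghostscript), the Python wrapper below runs gs on a staged copy of one job with '-dSAFER', a scratch working directory, an empty environment and kernel resource limits. The function names, the limit values and the `gs` binary name are assumptions.

```python
"""Added example: run Ghostscript on one print job inside a confined child."""
import os
import resource
import shutil
import stat
import subprocess
import sys
import tempfile
from pathlib import Path

GS = "gs"                    # assumption: Ghostscript binary found on PATH
CPU_SECONDS = 30             # assumed limits, tune them for real jobs
ADDRESS_SPACE = 1 << 30      # 1 GiB of virtual memory
OUTPUT_BYTES = 256 << 20     # largest file the child may write
WALL_SECONDS = 60


def build_gs_argv(src, dst, device="pdfwrite"):
    """Command line with -dSAFER placed ahead of the input file."""
    src, dst = Path(src), Path(dst)
    # Absolute paths cannot be mistaken for a switch ("-...") or "@file".
    if not (src.is_absolute() and dst.is_absolute()):
        raise ValueError("src and dst must be absolute paths")
    return [GS, "-dSAFER", "-dBATCH", "-dNOPAUSE", "-q",
            f"-sDEVICE={device}", f"-sOutputFile={dst}", str(src)]


def confined_env(scratch):
    """Environment that inherits nothing from the calling process."""
    return {"PATH": "/usr/bin:/bin", "HOME": str(scratch),
            "TMPDIR": str(scratch), "LC_ALL": "C"}


def stage_input(untrusted, scratch):
    """Copy the job into the scratch directory under a fixed name."""
    # O_NOFOLLOW rejects a symlink as the final path component;
    # O_NONBLOCK keeps open() from hanging on a FIFO before the type check.
    fd = os.open(untrusted, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    with os.fdopen(fd, "rb") as reader:
        if not stat.S_ISREG(os.fstat(reader.fileno()).st_mode):
            raise ValueError("input is not a regular file")
        staged = Path(scratch) / "job.ps"
        with open(staged, "xb") as writer:
            shutil.copyfileobj(reader, writer)
    return staged


def _cap(res, value):
    """Lower one rlimit, never asking for more than the hard limit allows."""
    _, hard = resource.getrlimit(res)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(res, (value, value))


def _apply_limits():
    """Runs in the child between fork and exec."""
    _cap(resource.RLIMIT_CPU, CPU_SECONDS)
    _cap(resource.RLIMIT_AS, ADDRESS_SPACE)
    _cap(resource.RLIMIT_FSIZE, OUTPUT_BYTES)
    _cap(resource.RLIMIT_CORE, 0)


def convert(untrusted, result):
    """Convert one PostScript file to PDF; returns Ghostscript's exit code.

    These limits bound resources and inherited state only. File access is
    still whatever the invoking account may do, so run this under a
    dedicated unprivileged account.
    """
    with tempfile.TemporaryDirectory(prefix="gsjob-") as tmp:
        scratch = Path(tmp)
        src = stage_input(untrusted, scratch)
        out = scratch / "out.pdf"
        proc = subprocess.run(
            build_gs_argv(src, out), cwd=scratch, env=confined_env(scratch),
            stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL, preexec_fn=_apply_limits,
            timeout=WALL_SECONDS)
        if proc.returncode == 0 and out.is_file():
            shutil.copyfile(out, result)
        return proc.returncode


if __name__ == "__main__":
    sys.exit(convert(sys.argv[1], sys.argv[2]))
```
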

==== gnutls ====
Subpackages: libgnutls-dane0 libgnutls30 libgnutls30-32bit

- gnutls-3.6.0-disable-flaky-dtls_resume-test.patch: refresh to also patch test/Makefile.in as autoreconf does not work
- Backport of upstream fixes (boo#1108450)
  * gnutls-3.6.3-backport-upstream-fixes.patch
  Fixes taken from upstream commits:
    * 3df5b7bc8a64 ("cert-cred: fix possible segfault when resetting cert retrieval function")
    * 42945a7aab6d ("allow no certificates to be reported by the gnutls_certificate_retrieve_function callbacks")
    * 10f83e36ed92 ("hello_ext_parse: apply the test for pre-shared key ext being last on client hello")
  The patch was taken from https://github.com/weechat/weechat/issues/1231

==== haveged ====
Subpackages: libhavege1

- Add patch f2193587.patch from github pull request
  * Fix segfault on arm machines which do not report the cache size or say it is -1 in sysfs
- Refresh patches

==== jack ====

- Remove unnecessary requires for libjack0 and remove obsolete comments.
- Use %license on "COPYING"
- Add upstream patch to fix return value check of mmap() (boo#1108981):
  fix-mmap-return-value-check.patch
- Update the waf code to the 2.0 series in order to work under python3.7 taken from upstream git:
  * jack-waf2.patch

==== libical ====
Version update (3.0.3 -> 3.0.4)

- Update to new upstream release 3.0.4
  * Silently fail RSCALE recurrence clauses when RSCALE is disabled
  * Fixed icalcomponent_set_comment() and icalcomponent_set_uid()
  * fix FREQ=MONTHLY;BYMONTH
  * Skip UTF-8 marker when parsing
  * Fix parsing ? in VCF files produced by Outlook
  * Fix TZID on DATE-TIME value can override time specified in UTC
  * CMake discovery module for ICU uses pkg-config now
  * New publicly available function: icalparameter_kind_is_valid()
  * Built-in timezones updated to tzdata2018e

==== libmusicbrainz5 ====

- Switch to %cmake macros
- Drop the test phase, it does nothing it just compiles file that can communicate with the musicbrainz server, which can't be validated in OBS

==== libreoffice ====
Version update (6.1.1.1 -> 6.1.2.1)
Subpackages: libreoffice-branding-upstream libreoffice-calc libreoffice-draw libreoffice-filters-optional libreoffice-gnome libreoffice-gtk3 libreoffice-icon-themes libreoffice-impress libreoffice-l10n-cs libreoffice-l10n-da libreoffice-l10n-de libreoffice-l10n-el libreoffice-l10n-en libreoffice-l10n-en_GB libreoffice-l10n-es libreoffice-l10n-fr libreoffice-l10n-hu libreoffice-l10n-it libreoffice-l10n-ja libreoffice-l10n-pl libreoffice-l10n-pt_BR libreoffice-l10n-ru libreoffice-l10n-zh_CN libreoffice-l10n-zh_TW libreoffice-mailmerge libreoffice-math libreoffice-pyuno libreoffice-qt5 libreoffice-writer libreofficekit

- Version update to 6.1.2.1:
  * 6.1.2 RC1
- Switch to serf from neon package that is quite dead
- Remove systray configure option as the code was removed
- Update to 6.1.1.2:
  * 6.1.1 RC2

==== lilv ====
Version update (0.24.2 -> 0.24.4)

- Version update to 0.24.4:
  * Fix saving state when broken links are encountered
  * Don't attempt to load remote or non-Turtle files
  * lv2apply: Activate plugin before running
  * lv2apply: Use default values when they are not nan
  * lv2bench: Improve support for plugins with sequence ports
  * lv2bench: Support running a single plugin given on the command line
  * Gracefully handle plugins with missing binary URIs
  * Remove use of deprecated readdir_r
  * Install Python bindings when configured without tests (thanks Clement Skau)

==== opusfile ====
Version update (0.10 -> 0.11)

- Version update to 0.11:
  * Fix two potential integer overflows. (These were not security-critical unless the compiler took the opportunity provided by the undefined behavior to format your hard drive.)
  * Allow JPEGs in METADATA_BLOCK_PICTURE tags to include EXIF data.
  * A few warning fixes for gcc 8.
  * Make opus_tags_copy return OP_EFAULT on failure instead of returning success.
  * Various integration and testing environment improvements.

==== perl-Convert-UUlib ====
Version update (1.4 -> 1.5)

- update to 1.4
- fix a heap overflow (testcase by Krzysztof Wojtaś).
- on systems that support it (posix + mmap + map_anonymous), allocate all dynamic areas via mmap and put four guard pages around them, to catch similar heap overflows safely in the future.
- find a safer way to pass in CC/CFLAGS to uulib.
- added stability canary support.

==== perl-HTML-Format ====
Version update (2.11 -> 2.12)

- updated to 2.12
  see /usr/share/doc/packages/perl-HTML-Format/Changes
  2.12 2015-10-10 17:49:45+01:00 Europe/London
- Minor test related fixes
- Transition to using File::Slurper in place of File::Slurp
  Thanks to Karen Etheridge for the patch
- Add Travis CI integration
- Cleaned with spec-cleaner

==== perl-LWP-Protocol-https ====
Version update (6.06 -> 6.07)

- 6.07 2017-02-19
- Cleaned up the Changes log
- Explicitly add hostname for SNI to start_SSL (GH PR#17)
- Fix the license name
- Update some documentation on SSL args
- Fix bug when checking for Mozilla::CA (GH PR#29)
- Refreshed patch LWP-Protocol-https-6.04-systemca.diff
- Cleaned spec file with spec-cleaner

==== python-cffi ====
Subpackages: python2-cffi python3-cffi

- Add 3184b0a675fc425b821b528d7fdf744b2f08dadf.patch as a workaround against https://bitbucket.org/cffi/cffi/issues/378/ (possible bug in GCC, see https://bugzilla.redhat.com/1552724).
- Remove ignore-tests.patch -- testing what will happen
- Add e2e324a2f13e3a646de6f6ff03e90ed7d37e2636.patch from upstream to remove some warnings.
- Switch off failing tests with new patch ignore-tests.patch instead of -k parameter for py.test. https://bitbucket.org/cffi/cffi/issues/384/
- update to version 1.11.5:
  * Issue #357: fix ffi.emit_python_code() which generated a buggy Python file if you are using a struct with an anonymous union field or vice-versa.
  * Windows: ffi.dlopen() should now handle unicode filenames.
  * ABI mode: implemented ffi.dlclose() for the in-line case (it used to be present only in the out-of-line case).
  * Fixed a corner case for setup.py install --record=xx --root=yy with an out-of-line ABI module. Also fixed Issue #345.
  * More hacks on Windows for running CFFI's own setup.py.
  * Issue #358: in embedding, to protect against (the rare case of) Python initialization from several threads in parallel, we have to use a spin-lock. On CPython 3 it is worse because it might spin-lock for a long time (execution of Py_InitializeEx()). Sadly, recent changes to CPython make that solution needed on CPython 2 too.
  * CPython 3 on Windows: we no longer compile with Py_LIMITED_API by default because such modules cannot be used with virtualenv. Issue [#350] mentions a workaround if you still want that and are not concerned about virtualenv: pass a define_macros=[("Py_LIMITED_API", None)] to the ffibuilder.set_source() call.
- specfile:
  * delete patch cffi-loader.patch; included upstream
- update to version 1.11.4:
  * Windows: reverted linking with python3.dll, because virtualenv does not make this DLL available to virtual environments for now. See Issue #355. On Windows only, the C extension modules created by cffi follow for now the standard naming scheme foo.cp36-win32.pyd, to make it clear that they are regular CPython modules depending on python36.dll.
- changes from version 1.11.3:
  * Fix on CPython 3.x: reading the attributes __loader__ or __spec__ from the cffi-generated lib modules gave a buggy SystemError.
    (These attributes are always None, and provided only to help compatibility with tools that expect them in all modules.)
  * More Windows fixes: workaround for MSVC not supporting large literal strings in C code (from ffi.embedding_init_code(large_string)); and an issue with Py_LIMITED_API linking with python35.dll/python36.dll instead of python3.dll.
  * Small documentation improvements.
- Add patch cffi-loader.patch to fix bsc#1070737
- Sort out with spec-cleaner
- update to version 1.11.2:
  * Fix Windows issue with managing the thread-state on CPython 3.0 to 3.5
- Update pytest in spec to add c directory tests in addition to testing directory.
- Omit test_init_once_multithread tests as they rely on multiple threads finishing in a given time. Returns sporadic pass/fail within build.
- Update to 1.11.1:
  * Fix tests, remove deprecated C API usage
  * Fix (hack) for 3.6.0/3.6.1/3.6.2 giving incompatible binary extensions (cpython issue #29943)
  * Fix for 3.7.0a1+
- Update to 1.11.0:
  * Support the modern standard types char16_t and char32_t. These work like wchar_t: they represent one unicode character, or when used as charN_t * or charN_t[] they represent a unicode string. The difference with wchar_t is that they have a known, fixed size. They should work at all places that used to work with wchar_t (please report an issue if I missed something). Note that with set_source(), you need to make sure that these types are actually defined by the C source you provide (if used in cdef()).
  * Support the C99 types float _Complex and double _Complex. Note that libffi doesn't support them, which means that in the ABI mode you still cannot call C functions that take complex numbers directly as arguments or return type.
  * Fixed a rare race condition when creating multiple FFI instances from multiple threads.
    (Note that you aren't meant to create many FFI instances: in inline mode, you should write ffi = cffi.FFI() at module level just after import cffi; and in out-of-line mode you don't instantiate FFI explicitly at all.)
  * Windows: using callbacks can be messy because the CFFI internal error messages show up to stderr---but stderr goes nowhere in many applications. This makes it particularly hard to get started with the embedding mode. (Once you get started, you can at least use @ffi.def_extern(onerror=...) and send the error logs where it makes sense for your application, or record them in log files, and so on.) So what is new in CFFI is that now, on Windows CFFI will try to open a non-modal MessageBox (in addition to sending raw messages to stderr). The MessageBox is only visible if the process stays alive: typically, console applications that crash close immediately, but that is also the situation where stderr should be visible anyway.
  * Progress on support for callbacks in NetBSD.
  * Functions returning booleans would in some case still return 0 or 1 instead of False or True. Fixed.
  * ffi.gc() now takes an optional third parameter, which gives an estimate of the size (in bytes) of the object. So far, this is only used by PyPy, to make the next GC occur more quickly (issue #320). In the future, this might have an effect on CPython too (provided the CPython issue 31105 is addressed).
  * Add a note to the documentation: the ABI mode gives function objects that are slower to call than the API mode does. For some reason it is often thought to be faster. It is not!
- Update to 1.10.1:
  * Fixed the line numbers reported in case of cdef() errors. Also, I just noticed, but pycparser always supported the preprocessor directive # 42 "foo.h" to mean "from the next line, we're in file foo.h starting from line 42", which it puts in the error messages.
- update to 1.10.0:
  * Issue #295: use calloc() directly instead of PyObject_Malloc()+memset() to handle ffi.new() with a default allocator. Speeds up ffi.new(large-array) where most of the time you never touch most of the array.
  * Some OS/X build fixes ("only with Xcode but without CLT").
  * Improve a couple of error messages: when getting mismatched versions of cffi and its backend; and when calling functions which cannot be called with libffi because an argument is a struct that is "too complicated" (and not a struct pointer, which always works).
  * Add support for some unusual compilers (non-msvc, non-gcc, non-icc, non-clang)
  * Implemented the remaining cases for ffi.from_buffer. Now all buffer/memoryview objects can be passed. The one remaining check is against passing unicode strings in Python 2. (They support the buffer interface, but that gives the raw bytes behind the UTF16/UCS4 storage, which is most of the times not what you expect. In Python 3 this has been fixed and the unicode strings don't support the memoryview interface any more.)
  * The C type _Bool or bool now converts to a Python boolean when reading, instead of the content of the byte as an integer. The potential incompatibility here is what occurs if the byte contains a value different from 0 and 1. Previously, it would just return it; with this change, CFFI raises an exception in this case. But this case means "undefined behavior" in C; if you really have to interface with a library relying on this, don't use bool in the CFFI side. Also, it is still valid to use a byte string as initializer for a bool[], but now it must only contain \x00 or \x01. As an aside, ffi.string() no longer works on bool[] (but it never made much sense, as this function stops at the first zero).
  * ffi.buffer is now the name of cffi's buffer type, and ffi.buffer() works like before but is the constructor of that type.
  * ffi.addressof(lib, "name") now works also in in-line mode, not only in out-of-line mode.
    This is useful for taking the address of global variables.
  * Issue #255: cdata objects of a primitive type (integers, floats, char) are now compared and ordered by value. For example, compares equal to 42 and compares equal to b'A'. Unlike C, does not compare equal to ffi.cast("unsigned int", -1): it compares smaller, because -1 < 4294967295.
  * PyPy: ffi.new() and ffi.new_allocator()() did not record "memory pressure", causing the GC to run too infrequently if you call ffi.new() very often and/or with large arrays. Fixed in PyPy 5.7.
  * Support in ffi.cdef() for numeric expressions with + or -. Assumes that there is no overflow; it should be fixed first before we add more general support for arbitrary arithmetic on constants.
- do not generate HTML documentation for packages that are indirect dependencies of Sphinx (see docs at https://cffi.readthedocs.org/ )
- update to 1.9.1
- Structs with variable-sized arrays as their last field: now we track the length of the array after ffi.new() is called, just like we always tracked the length of ffi.new("int[]", 42). This lets us detect out-of-range accesses to array items. This also lets us display a better repr(), and have the total size returned by ffi.sizeof() and ffi.buffer(). Previously both functions would return a result based on the size of the declared structure type, with an assumed empty array. (Thanks andrew for starting this refactoring.)
- Add support in cdef()/set_source() for unspecified-length arrays in typedefs: typedef int foo_t[...];. It was already supported for global variables or structure fields.
- I turned in v1.8 a warning from cffi/model.py into an error: 'enum xxx' has no values explicitly defined: refusing to guess which integer type it is meant to be (unsigned/signed, int/long). Now I'm turning it back to a warning again; it seems that guessing that the enum has size int is a 99%-safe bet. (But not 100%, so it stays as a warning.)
- Fix leaks in the code handling FILE * arguments.
  In CPython 3 there is a remaining issue that is hard to fix: if you pass a Python file object to a FILE * argument, then os.dup() is used and the new file descriptor is only closed when the GC reclaims the Python file object---and not at the earlier time when you call close(), which only closes the original file descriptor. If this is an issue, you should avoid this automatic conversion of Python file objects: instead, explicitly manipulate file descriptors and call fdopen() from C (...via cffi).
- When passing a void * argument to a function with a different pointer type, or vice-versa, the cast occurs automatically, like in C. The same occurs for initialization with ffi.new() and a few other places. However, I thought that char * had the same property---but I was mistaken. In C you get the usual warning if you try to give a char * to a char ** argument, for example. Sorry about the confusion. This has been fixed in CFFI by giving for now a warning, too. It will turn into an error in a future version.
- Issue #283: fixed ffi.new() on structures/unions with nested anonymous structures/unions, when there is at least one union in the mix. When initialized with a list or a dict, it should now behave more closely like the { } syntax does in GCC.
- CPython 3.x: experimental: the generated C extension modules now use the "limited API", which means that, as a compiled .so/.dll, it should work directly on any version of CPython >= 3.2. The name produced by distutils is still version-specific. To get the version-independent name, you can rename it manually to NAME.abi3.so, or use the very recent setuptools 26.
- Added ffi.compile(debug=...), similar to python setup.py build --debug but defaulting to True if we are running a debugging version of Python itself.
- Removed the restriction that ffi.from_buffer() cannot be used on byte strings. Now you can get a char * out of a byte string, which is valid as long as the string object is kept alive.
  (But don't use it to modify the string object! If you need this, use bytearray or other official techniques.)
- PyPy 5.4 can now pass a byte string directly to a char * argument (in older versions, a copy would be made). This used to be a CPython-only optimization.
- ffi.gc(p, None) removes the destructor on an object previously created by another call to ffi.gc()
- bool(ffi.cast("primitive type", x)) now returns False if the value is zero (including -0.0), and True otherwise. Previously this would only return False for cdata objects of a pointer type when the pointer is NULL.
- bytearrays: ffi.from_buffer(bytearray-object) is now supported. (The reason it was not supported was that it was hard to do in PyPy, but it works since PyPy 5.3.) To call a C function with a char * argument from a buffer object---now including bytearrays---you write lib.foo(ffi.from_buffer(x)). Additionally, this is now supported: p[0:length] = bytearray-object. The problem with this was that iterating over bytearrays gives numbers instead of characters. (Now it is implemented with just a memcpy, of course, not actually iterating over the characters.)
- C++: compiling the generated C code with C++ was supposed to work, but failed if you make use of the bool type (because that is rendered as the C _Bool type, which doesn't exist in C++).
- help(lib) and help(lib.myfunc) now give useful information, as well as dir(p) where p is a struct or pointer-to-struct.
- drop upstreamed python-cffi-avoid-bitshifting-negative-int.patch
- update for multipython build
- Add python-cffi-avoid-bitshifting-negative-int.patch to actually fix the "negative left shift" warning by replacing bitshifting in appropriate places by bitwise and comparison to self; patch taken from upstream git. Drop cffi-1.5.2-wnoerror.patch: no longer required.
- disable "negative left shift" warning in test suite to prevent failures with gcc6, until upstream fixes the undefined code in question (boo#981848, cffi-1.5.2-wnoerror.patch)
- Update to version 1.6.0:
  * ffi.list_types()
  * ffi.unpack()
  * extern "Python+C"
  * in API mode, lib.foo.__doc__ contains the C signature now.
  * Yet another attempt at robustness of ffi.def_extern() against CPython's interpreter shutdown logic.
- update to 1.5.2
  * support for cffi-based embedding
  * more robustness for shutdown logic
- update to version 1.4.2:
  * Nothing changed from v1.4.1.
- changes from version 1.4.1:
  * Fix the compilation failure of cffi on CPython 3.5.0. (3.5.1 works; some detail changed that makes some underscore-starting macros disappear from view of extension modules, and I worked around it, thinking it changed in all 3.5 versions---but no: it was only in 3.5.1.)
- changes from version 1.4.0:
  * A better way to do callbacks has been added (faster and more portable, and usually cleaner). It is a mechanism for the out-of-line API mode that replaces the dynamic creation of callback objects (i.e. C functions that invoke Python) with the static declaration in cdef() of which callbacks are needed. This is more C-like, in that you have to structure your code around the idea that you get a fixed number of function pointers, instead of creating them on-the-fly.
  * ffi.compile() now takes an optional verbose argument. When True, distutils prints the calls to the compiler.
  * ffi.compile() used to fail if given sources with a path that includes "..". Fixed.
  * ffi.init_once() added. See docs.
  * dir(lib) now works on libs returned by ffi.dlopen() too.
  * Cleaned up and modernized the content of the demo subdirectory in the sources (thanks matti!).
  * ffi.new_handle() is now guaranteed to return unique void * values, even if called twice on the same object. Previously, in that case, CPython would return two cdata objects with the same void * value.
    This change is useful to add and remove handles from a global dict (or set) without worrying about duplicates. It already used to work like that on PyPy. This change can break code that used to work on CPython by relying on the object to be kept alive by other means than keeping the result of ffi.new_handle() alive. (The corresponding warning in the docs of ffi.new_handle() has been here since v0.8!)
- changes from version 1.3.1:
  * The optional typedefs (bool, FILE and all Windows types) were not always available from out-of-line FFI objects.
  * Opaque enums are phased out from the cdefs: they now give a warning, instead of (possibly wrongly) being assumed equal to unsigned int. Please report if you get a reasonable use case for them.
  * Some parsing details, notably volatile is passed along like const and restrict. Also, older versions of pycparser mis-parse some pointer-to-pointer types like char * const *: the "const" ends up at the wrong place. Added a workaround.
- changes from version 1.3.0:
  * Added ffi.memmove().
  * Pull request #64: out-of-line API mode: we can now declare floating-point types with typedef float... foo_t;. This only works if foo_t is a float or a double, not long double.
  * Issue #217: fix possible unaligned pointer manipulation, which crashes on some architectures (64-bit, non-x86).
  * Issues #64 and #126: when using set_source() or verify(), the const and restrict keywords are copied from the cdef to the generated C code; this fixes warnings by the C compiler. It also fixes corner cases like typedef const int T; T a; which would previously not consider a as a constant. (The cdata objects themselves are never const.)
  * Win32: support for __stdcall. For callbacks and function pointers; regular C functions still don't need to have their calling convention declared.
  * Windows: CPython 2.7 distutils doesn't work with Microsoft's official Visual Studio for Python, and I'm told this is not a bug.
    For ffi.compile(), we removed a workaround that was inside cffi but which had unwanted side-effects. Try saying import setuptools first, which patches distutils...
- Update to version 1.2.1
  * No changes entry for this version
- Changes from version 1.2.0
  * Out-of-line mode: ``int a[][...];`` can be used to declare a structure field or global variable which is, simultaneously, of total length unknown to the C compiler (the ``a[]`` part) and each element is itself an array of N integers, where the value of N *is* known to the C compiler (the ``int`` and ``[...]`` parts around it). Similarly, ``int a[5][...];`` is supported (but probably less useful: remember that in C it means ``int (a[5])[...];``).
  * PyPy: the ``lib.some_function`` objects were missing the attributes ``__name__``, ``__module__`` and ``__doc__`` that are expected e.g. by some decorators-management functions from ``functools``.
  * Out-of-line API mode: you can now do ``from _example.lib import x`` to import the name ``x`` from ``_example.lib``, even though the ``lib`` object is not a standard module object. (Also works in ``from _example.lib import *``, but this is even more of a hack and will fail if ``lib`` happens to declare a name called ``__all__``. Note that ``*`` excludes the global variables; only the functions and constants make sense to import like this.)
  * ``lib.__dict__`` works again and gives you a copy of the dict---assuming that ``lib`` has got no symbol called precisely ``__dict__``. (In general, it is safer to use ``dir(lib)``.)
  * Out-of-line API mode: global variables are now fetched on demand at every access. It fixes issue #212 (Windows DLL variables), and also allows variables that are defined as dynamic macros (like ``errno``) or ``__thread``-local variables. (This change might also tighten the C compiler's check on the variables' type.)
  * Issue #209: dereferencing NULL pointers now raises RuntimeError instead of segfaulting. Meant as a debugging aid.
    The check is only for NULL: if you dereference random or dead pointers you might still get segfaults.
  * Issue #152: callbacks__: added an argument ``ffi.callback(..., onerror=...)``. If the main callback function raises an exception and ``onerror`` is provided, then ``onerror(exception, exc_value, traceback)`` is called. This is similar to writing a ``try: except:`` in the main callback function, but in some cases (e.g. a signal) an exception can occur at the very start of the callback function---before it had time to enter the ``try: except:`` block.
  * Issue #115: added ``ffi.new_allocator()``, which officializes support for `alternative allocators`__.
  .. __: using.html#callbacks
  .. __: using.html#alternative-allocators
- update to version 1.1.0 (fate#318838):
  * Out-of-line API mode: we can now declare integer types with typedef int... foo_t;. The exact size and signedness of foo_t is figured out by the compiler.
  * Out-of-line API mode: we can now declare multidimensional arrays (as fields or as globals) with int n[...][...]. Before, only the outermost dimension would support the ... syntax.
  * Out-of-line ABI mode: we now support any constant declaration, instead of only integers whose value is given in the cdef. Such "new" constants, i.e. either non-integers or without a value given in the cdef, must correspond to actual symbols in the lib. At runtime they are looked up the first time we access them. This is useful if the library defines extern const sometype somename;.
  * ffi.addressof(lib, "func_name") now returns a regular cdata object of type "pointer to function". You can use it on any function from a library in API mode (in ABI mode, all functions are already regular cdata objects). To support this, you need to recompile your cffi modules.
  * Issue #198: in API mode, if you declare constants of a struct type, what you saw from lib.CONSTANT was corrupted.
  * Issue #196: ffi.set_source("package._ffi", None) would incorrectly generate the Python source to package._ffi.py instead of package/_ffi.py. Also fixed: in some cases, if the C file was in build/foo.c, the .o file would be put in build/build/foo.o.
- additional changes from version 1.0.3:
  * Same as 1.0.2, apart from doc and test fixes on some platforms
- additional changes from version 1.0.2:
  * Variadic C functions (ending in a "..." argument) were not supported in the out-of-line ABI mode. This was a bug---there was even a (non-working) example doing exactly that!
- additional changes from version 1.0.1:
  * ffi.set_source() crashed if passed a sources=[..] argument. Fixed by chrippa on pull request #60.
  * Issue #193: if we use a struct between the first cdef() where it is declared and another cdef() where its fields are defined, then this definition was ignored.
  * Enums were buggy if you used too many "..." in their definition
- additional changes from version 1.0.0:
  * The main news item is out-of-line module generation:
    + for ABI level, with ffi.dlopen()
    + for API level, which used to be with ffi.verify(), now deprecated
- add python-cffi-rpmlintrc: cffi specifically installs C headers in site-packages
- add new test dependency gcc-c++
- skip the tests on SLE11 since they fail on i586
- Update to 0.9.2
  * No upstream changelog
    See https://bitbucket.org/cffi/cffi/commits/all for a list of commits
- Update to 0.8.6
  * No upstream changelog
    See https://bitbucket.org/cffi/cffi/commits/all for a list of commits
- update to 0.8.2
  * minor bugfixes
- remove cffi-pytest-integration.patch as it is no longer necessary
- Require libffi43-devel on SLE_11_SP2 instead of using pkg-config to fix build
- update to 0.8.1
  * fixes on Python 3 on OS/X, and some FreeBSD fixes (thanks Tobias)
- added a note wrt disabled tests
- add cffi-pytest-integration.patch: allow calling pytest from setup.py
- update to 0.8
  * integrated support for C99 variable-sized structures
  * multi-thread safety
  * ffi.getwinerror()
  * a number of small fixes
- Require python-setuptools instead of distribute (upstreams merged)
- use pkgconfig(libffi) to get the most recent ffi
- Update to 0.7.2
  * add implicit bool
  * standard names are handled as defaults in cdef declarations
  * enum types follow GCC rules and not just int
  * supports simple slices x[start:stop]
  * enums are handled like ints
  * new ffi.new_handle(python_object)
  * and various bugfixes
- Initial version

==== python-matplotlib ====
Version update (2.2.3 -> 3.0.0)
Subpackages: python3-matplotlib python3-matplotlib-cairo python3-matplotlib-gtk3

- Update to version 3.0.0
  * Improved default backend selection
  * Cyclic colormaps
  * Ability to scale axis by a fixed order of magnitude
  * Add AnchoredDirectionArrows feature to mpl_toolkits
  * Add minorticks_on()/off() methods for colorbar
  * Colorbar ticks can now be automatic
  * Don't automatically rename duplicate file names
  * Legend now has a *title_fontsize* kwarg (and rcParam)
  * Support for axes.prop_cycle property *markevery* in rcParams
  * Multipage PDF support for pgf backend
  * Pie charts are now circular by default
  * Add ax.get_gridspec to .SubplotBase
  * Axes titles will no longer overlap xaxis
  * New convenience methods for GridSpec
  * Figure has an ~.figure.Figure.add_artist method
  * math directive renamed to mathmpl
- Python 2 support was dropped upstream, so disable it in the spec file and drop python2-specific parts.
- Enable wx backend for python 3, since python 3 is now supported by wxPython upstream.

==== snapper ====
Subpackages: libsnapper4 snapper-zypp-plugin

- avoid setenv after fork (bsc#1107587)

==== sqlite3 ====
Version update (3.24.0 -> 3.25.0)
Subpackages: libsqlite3-0 libsqlite3-0-32bit

- SQLite 3.25.0:
  * Add support for window functions
  * Add support for renaming columns within a table
  * Query optimizer improvements
  * slightly better concurrency in multi-threaded environments
  * The ORDER BY LIMIT optimization might have caused an infinite loop in the byte code of the prepared statement under very obscure circumstances, due to a confluence of minor defects in the query optimizer

==== sssd ====
Version update (1.16.2 -> 2.0.0)
Subpackages: libnfsidmap-sss libsss_certmap0 libsss_idmap0 libsss_nss_idmap0 sssd-32bit sssd-krb5-common sssd-ldap

- Update to new upstream release 2.0.0
  * The Python API for managing users and groups in local domains (id_provider=local) was removed completely. The local provider (id_provider=local) and the command line tools to manage users and groups in the local domains, such as sss_useradd, are not built anymore.
  * The LDAP provider had a special-case branch for evaluating group memberships with the RFC2307bis schema when group nesting was explicitly disabled. This codepath is removed.
  * The "ldap_sudo_include_regexp" option changed its default value from true to false. Wildcards in the sudoHost LDAP attribute are no longer evaluated. This was costly to evaluate on the LDAP server side and at the same time rarely used.
  * The list of PAM services which are allowed to authenticate using a Smart Card is now configurable using a new option pam_p11_allowed_services.
- Update to upstream release 1.16.3
  * New Features:
    * kdcinfo files for informing krb5 about discovered KDCs are now also generated for trusted domains in setups that use id_provider=ad and IPA masters in a trust relationship with an AD domain.
    * The Kerberos locator plugin can now process multiple addresses if SSSD generates more than one.
  * Bug fixes:
    * Fixed information leak due to incorrect permissions on /var/lib/sss/pipes/sudo [CVE-2018-10852, bsc#1098377]
    * Cached passwords are now stored with a salt. Old ones will be regenerated on next authentication, and the auth server needs to be reachable for that.
    * The sss_ssh process leaked file descriptors when converting more than one X.509 certificate to an SSH public key.
    * The PAC responder is now able to process Domain Local in case the PAC uses SID compression (Windows Server 2012+).
    * Address the issue that some versions of OpenSSH would close the pipe towards sss_ssh_authorizedkeys when the matching key is found before the rest of the output is read.
    * User lookups no longer fail if user's e-mail address conflicts with another user's fully qualified name.
    * The override_shell and override_homedir options are no longer applied to entries from the files domain.
    * The grace logins with an expired password when authenticating against certain newer versions of the 389DS/RHDS LDAP server did not work.
- Removed patches that are included upstream now: 0001-SUDO-Create-the-socket-with-stricter-permissions.patch, 0002-intg-Do-not-hardcode-nsslibdir.patch, 0003-Fix-build-for-1-16-2-version.patch

==== swig ====

- Add patches to build with python 3.7 properly:
  * swig-3.0.12-Coverity-fix-issue-reported-for-SWIG_Python_ConvertF.patch
  * swig-3.0.12-Coverity-fix-issue-reported-for-SWIG_Python_FixMetho.patch
  * swig-3.0.12-Coverity-fix-issue-reported-for-wrapper-argument-che.patch
  * swig-3.0.12-Fix-Coverity-issue-reported-for-setslice-pycontainer.patch
  * swig-3.0.12-Fix-generated-code-for-constant-expressions-containi.patch
  * swig-3.0.12-fix-collections.patch
- Use version req to check for 1500 instead for non-existing release
- Move to generic requires those that are true under both conditions
- Use autopatch to apply all the patches at once

==== unbound ====
Version update (1.7.3 -> 1.8.0)
Subpackages: libunbound2 unbound-anchor

- update to 1.8.0:
  Number of bug fixes, a list of features added and some defaults changed.
  Features
  - unbound-control auth_zone_reload _zone_ option rereads the zonefile.
  - unbound-control auth_zone_transfer _zone_ option starts the probe sequence for a master to transfer the zone from and transfers when a new zone version is available.
  - num.queries.tls counter for queries over TLS.
  - log port number with err_addr logs.
  - dns64-ignore-aaaa: config option to list domain names for which the existing AAAA is ignored and dns64 processing is used on the A record.
  - Fix #4112: Fix that unbound-anchor -f /etc/resolv.conf will not pass if DNSSEC is not enabled. New option -R allows fallback from resolv.conf to direct queries.
  - Note RFC8162 support. SMIMEA record type can be read in by the zone record parser.
  - Patches from Jim Hague (Sinodun) for EDNS KeepAlive.
  - Add config tcp-idle-timeout (default 30s). This applies to client connections only; the timeout on TCP connections upstream is unaffected.
  - Add edns-tcp-keepalive and edns-tcp-keepalive timeout options and implement option in client responses.
  - Add delay parameter to streamtcp, -d secs. To be used when testing idle timeout.
  - Expose if a query (or a subquery) was ratelimited (not src IP ratelimiting) to libunbound under 'ub_result.was_ratelimited'. This also introduces a change to 'ub_event_callback_type' in libunbound/unbound-event.h.
  - Patch to implement tcp-connection-limit from Jim Hague (Sinodun). This limits the number of simultaneous TCP client connections from a nominated netblock.
  - Fix #4142: unbound.service.in: improvements and fixes. Add unit dependency ordering (based on systemd-resolved). Add 'CAP_SYS_RESOURCE' to 'CapabilityBoundingSet' (fixes warnings about missing privileges during startup). Add 'AF_INET6' to 'RestrictAddressFamilies' (without it IPV6 can't work). From Guido Shanahan.
  - unbound-checkconf checks if modules exist and prints if they are not compiled in the name of the wrong module.
  - Patch for stub-no-cache and forward-no-cache options that disable caching for the contents of that stub or forward, for when you want immediate changes visible, from Bjoern A. Zeeb.
  - Upgraded crosscompile script to include libunbound DLL in the zipfile.
  - Set libunbound to increase current, because the libunbound change to the event callback function signature. That needs programs, that use it, to recompile against the new header definition.
  - log-servfail: yes prints log lines that say why queries are returning SERVFAIL to clients.
  - log-local-actions: yes option for unbound.conf that logs all the local zone actions, a patch from Saksham Manchanda (Secure64).
  - #4146: num.query.subnet and num.query.subnet_cache counters.
  - #4140: Expose repinfo (comm_reply) to the inplace_callbacks. This gives access to reply information for the client's communication point when the callback is called before the mesh state (modules).
    Changes to C and Python's inplace_callback signatures were also necessary.
  - Set defaults to yes for a number of options to increase speed and resilience of the server. The so-reuseport, harden-below-nxdomain, and minimal-responses options are enabled by default. They used to be disabled by default, waiting to make sure they worked. They are enabled by default now, and can be disabled explicitly by setting them to "no" in the unbound.conf config file. The reuseport and minimal options increase speed of the server, and should be otherwise harmless. The harden-below-nxdomain option works well together with the recently default enabled qname minimisation, this causes more fetches to use information from the cache.
  - Added serve-expired-ttl and serve-expired-ttl-reset options.
  Bug Fixes
  - Windows example service.conf edited with more windows specific configuration.
  - #4108: systemd reload hang fix.
  - Fix usage printout for unbound-host, hostname has to be last argument on BSDs and Windows.
  - Partial fix for permission denied on IPv6 address on FreeBSD.
  - Fix that auth-zone master reply with current SOA serial does not stop scan of masters for an updated zone.
  - Fix that auth-zone does not start the wait timer without checking if the wait timer has already been started.
  - #4109: Fix that package config depends on python unconditionally.
  - Patch, do not export python from pkg-config, from Petr Menšík.
  - Fix checking for libhiredis printout in configure output.
  - Fix typo on man page in ip-address description.
  - Update libunbound/python/examples/dnssec_test.py example code to also set the 20326 trust anchor for the root in the example code.
  - Better documentation for unblock-lan-zones and insecure-lan-zones config statements.
  - Fix permission denied printed for auth zone probe random port nrs.
  - Fix documentation ambiguity for tls-win-cert in tls-upstream and forward-tls-upstream docs.
  - iana port update.
  - Fix round robin for failed addresses with prefer-ip6: yes
  - Note in documentation that the cert name match code needs OpenSSL 1.1.0 or later to be enabled.
  - Fix to improve systemd socket activation code file descriptor assignment.
  - Fix for 4126 that the #define for UNKNOWN_SERVER_NICENESS can be more easily changed to adjust default rtt assumptions.
  - Fix #4127 unbound -h does not list -p help.
  - Print error if SSL name verification configured but not available in the ssl library.
  - Fix that ratelimit and ip-ratelimit are applied after reload of changed config file.
  - Resize ratelimit and ip-ratelimit caches if changed on reload.
  - Fix #4129 unbound-control error message with wrong cert permissions is too cryptic.
  - Fix #4130: print text describing -dd and unbound-checkconf on config file read error at startup, the errors may have been moved away by the startup process.
  - Fix #4131: for solaris, error YY_CURRENT_BUFFER undeclared.
  - Fix use-systemd readiness signalling, only when use-systemd is yes and not in signal handler.
  - Fix #4135: 64-bit Windows Installer Creates Entries Under The Wrong Registry Key, reported by Brian White.
  - Fix man page, say that chroot is enabled by default.
  - Sort out test runs when the build directory isn't the project root directory.
  - Error if EDNS Keepalive received over UDP.
  - Correct and expand manual page entries for keepalive and idle timeout.
  - Implement progressive backoff of TCP idle/keepalive timeout.
  - Fix 'make depend' to work when build dir is not project root.
  - Fix #4139: Fix unbound-host leaks memory on ANY.
  - Fix to remove systemd sockaddr function check, that is not always present. Make socket activation more lenient. But not different when socket activation is not used.
  - Fix #4136: insufficiency from mismatch of FLEX capability between released tarball and build host. Fix to unconditionally call destroy in daemon.c.
  - Make capsforid fallback QNAME minimisation aware.
  - document --enable-subnet in doc/README.
  - Fix #4144: dns64 module caches wrong (negative) information.
  - Fix that printout of error for cycle targets is a verbosity 4 printout and does not wrongly print it is a memory error.
  - Fix segfault in auth-zone read and reorder of RRSIGs.
  - Fix contrib/fastrpz.patch.
  - Fix warning on compile without threads.
  - print servfail info to log as error.
  - added more servfail printout statements, to the iterator.
  - Fix classification for QTYPE=CNAME queries when QNAME minimisation is enabled.
  - Fix only misc failure from log-servfail when val-log-level is not enabled.
  - Fix lintflags for lint on FreeBSD.
  - Fix that a local-zone with a local-zone-type that is transparent in a view with view-first, makes queries check for answers from the local-zones defined outside of views.

==== usbredir ====
Version update (0.7.1 -> 0.8.0)
Subpackages: libusbredirhost1 libusbredirparser1

- Update to version 0.8.0
  + usbredirfilter:
    - Fix busy wait due to endless recursion when interface_count is zero
  + usbredirhost:
    - Fix leak on error
  + usbredirserver:
    - Use 'busnum-devnum' instead of 'usbbus-usbaddr'
    - Add support for bind specific address -4 for ipv4, -6 for ipv6
    - Reject empty vendorid from command line
    - Enable TCP keepalive

==== yast2-python-bindings ====
Version update (4.0.4 -> 4.0.5)

- Fix Id construction for python2, use items instead of iteritems for python2/python3 compatibility (bsc#1108558).
- Switched license in spec file from SPDX2 to SPDX3 format.