Packages changed: ceph (16.2.6.462+g5fefbbf8888 -> 16.2.6.463+g22e7612f9ad) cups dbus-1 gpg2 (2.2.27 -> 2.3.3) installation-images-MicroOS (17.22 -> 17.27) librsvg (2.52.3 -> 2.52.4) ncurses (6.3.20211115 -> 6.3.20211120) python-PyYAML (5.4.1 -> 6.0) python-psutil toolbox (2.2+git20210823.dd0fff8 -> 2.2+git20211124.09791b1) === Details === ==== ceph ==== Version update (16.2.6.462+g5fefbbf8888 -> 16.2.6.463+g22e7612f9ad) Subpackages: ceph-common libcephfs2 librados2 librbd1 librgw2 python3-ceph-argparse python3-ceph-common python3-cephfs python3-rados python3-rbd python3-rgw - Update to 16.2.6-463-g22e7612f9ad: + (bsc#1178073) mgr/dashboard: fix downstream NFS doc links - Preservation of Bugzilla, Jira and CVE citations from earlier incarnations of this changes file after double-checking that none of these fixes got lost in the pacific rebase: + bsc#1163764 (--container-init feature cherry-picked to octopus) + bsc#1170200 (mgr/dashboard: Fix for CrushMap viewer items getting compressed vertically) + bsc#1172926 (mgr/orchestrator: Sort 'ceph orch device ls' by host) + bsc#1173079 (mgr/devicehealth: device_health_metrics pool gets created even without any OSDs in the cluster) + bsc#1174466 (mon: have 'mon stat' output json as well) + bsc#1174526 (mgr/dashboard: allow getting fresh inventory data from the orchestrator) + bsc#1174529 (rpm: on SUSE, podman is required for cephadm to work) + bsc#1174644 (cephadm: log to file) + bsc#1175120 (downstream branding) + bsc#1175161 (downstream branding) + bsc#1175169 (downstream branding) + bsc#1176390 (mgr/dashboard: enable different URL for users of browser to Grafana) + bsc#1176451 (Drop patch "rpm: on SUSE, podman is required for cephadm to work") + bsc#1176489 (mgr/cephadm: lock multithreaded access to OSDRemovalQueue) + bsc#1176499 (mgr/cephadm: fix RemoveUtil.load_from_store()) + bsc#1176638 (ceph-volume: batch: call the right prepare method) + bsc#1176679 (mgr/dashboard: enable different URL for users of browser to Grafana) + bsc#1176828 (cephadm: command_unit: call systemctl with verbose=True) + bsc#1177078 (mgr/dashboard: Fix bugs in a unit test and i18n translation) + bsc#1177151 (python-common: do not skip unavailable devices) + bsc#1177319 (--container-init feature cherry-picked to octopus) + bsc#1177344 (mgr/dashboard: support Orchestrator and user-defined Ganesha cluster) + bsc#1177360 (cephadm: silence "Failed to evict container" log msg) + bsc#1177450 (ceph-volume: don't exit before empty report can be printed) + bsc#1177643 (Revert "spec: Podman (temporarily) requires apparmor-abstractions on suse") + bsc#1177676 (cephadm: allow uid/gid == 0 in copy_tree, copy_files, move_files) + bsc#1177843 (CVE-2020-25660) + bsc#1177857 (mgr/cephadm: upgrade: fail gracefully, if daemon redeploy fails) + bsc#1177933 (cephadm: configure journald as the logdriver) + bsc#1178531 (cephadm: set default container_image to registry.suse.com/ses/7/ceph/ceph) + bsc#1178837 (rgw: cls/user: set from_index for reset stats calls) + bsc#1178860 (mgr/dashboard: Disable TLS 1.0 and 1.1) + bsc#1178905 (CVE-2020-25678) + bsc#1178932 (cephadm: reference the last local image by digest) + bsc#1179016 (rpm: require smartmontools on SUSE) + bsc#1179452 (mgr/insights: Test environment requires 'six') + bsc#1179526 (rgw: during GC defer, prevent new GC enqueue) + bsc#1179569 (cephadm: reference the last local image by digest) + bsc#1179802 (CVE-2020-27781) + bsc#1179997 (CVE-2020-27839) + bsc#1180107 (ceph-volume: pass --filter-for-batch from drive-group subcommand) + bsc#1180155 (CVE-2020-27781) + bsc#1181291 (mgr/cephadm: alias rgw-nfs -> nfs) + bsc#1182766 (cephadm: fix 'inspect' and 'pull') + bsc#1183074 (CVE-2021-20288) + bsc#1183561 (mgr/cephadm: on ssh connection error, advice chmod 0600) + bsc#1183899 (bluestore: fix huge reads/writes at BlueFS) + bsc#1184231 (cephadm: Allow to use paths in all <_devices> drivegroup sections) + bsc#1184517 (cls/rgw: look for plane entries in non-ascii plain namespace too) + bsc#1185246 (rgw: check object locks in multi-object delete) + bsc#1185619 (CVE-2021-3524) + bsc#1185619 (CVE-2021-3524) + bsc#1186020 (CVE-2021-3531) + bsc#1186021 (CVE-2021-3509) + bsc#1186348 (mgr/zabbix: adapt zabbix_sender default path) + bsc#1188979 ("mgr/cephadm: pass --container-init to "cephadm deploy" if specified" and "Revert "cephadm: default container_init to False") + bsc#1189173 (downstream branding) + jsc#SES-1071 (ceph-volume: major batch refactor - upstream PR#34740) + jsc#SES-185 (SES support with cache software) + jsc#SES-704 (mgr/snap_schedule) ==== cups ==== Subpackages: cups-config libcups2 - Added hardening to systemd service(s) (bsc#1181400). Added patch(es): * harden_cups.service.patch ==== dbus-1 ==== Subpackages: libdbus-1-3 - Add CONFIG parameter to %sysusers_generate_pre - Added BuildRequires alts for libalternatives. - Fixed spec file regarding removing old update-alternatives entries. - Use libalternatives instead of update-alternatives. ==== gpg2 ==== Version update (2.2.27 -> 2.3.3) - GnuPG 2.3.3: * agent: Fix segv in GET_PASSPHRASE (regression) * dirmngr: Fix Let's Encrypt certificate chain validation * gpg: Change default and maximum AEAD chunk size to 4 MiB * gpg: Print a warning when importing a bad cv25519 secret key * gpg: Fix --list-packets for undecryptable AEAD packets * gpg: Verify backsigs for v5 keys correctly * keyboxd: Fix checksum computation for no UBID entry on disk * keyboxd: Fix "invalid object" error with cv448 keys * dirmngr: New option --ignore-cert * agent: Fix calibrate_get_time use of clock_gettime * Support a gpgconf.ctl file under Unix and use this for the regression tests - GnuPG 2.3.2: * gpg: Allow fingerprint based lookup with --locate-external-key. * gpg: Allow decryption w/o public key but with correct card inserted. * gpg: Auto import keys specified with --trusted-keys. * gpg: Do not use import-clean for LDAP keyserver imports. * gpg: Fix mailbox based search via AKL keyserver method. * gpg: Fix memory corruption with --clearsign introduced with 2.3.1. * gpg: Use a more descriptive prompt for symmetric decryption. * gpg: Improve speed of secret key listing. * gpg: Support keygrip search with traditional keyring. * gpg: Let --fetch-key return an exit code on failure. * gpg: Emit the NO_SECKEY status again for decryption. * gpgsm: Support decryption of password based encryption (pwri). * gpgsm: Support AES-GCM decryption. * gpgsm: Let --dump-cert --show-cert also print an OpenPGP fingerprint. * gpgsm: Fix finding of issuer in use-keyboxd mode. * gpgsm: New option --ldapserver as an alias for --keyserver. * agent: Use SHA-256 for SSH fingerprint by default. * agent: Fix calling handle_pincache_put. * agent: Fix importing protected secret key. * agent: Fix a regression in agent_get_shadow_info_type. * agent: Add translatable text for Caps Lock hint. * agent: New option --pinentry-formatted-passphrase. * agent: Add checkpin inquiry for pinentry. * agent: New option --check-sym-passphrase-pattern. * agent: Use the sysconfdir for a pattern file. * agent: Make QT_QPA_PLATFORMTHEME=qt5ct work for the pinentry. * dirmngr: LDAP search by a mailbox now ignores revoked keys. * dirmngr: For KS_SEARCH return the fingerprint also with LDAP. * dirmngr: Allow for non-URL specified ldap keyservers. * dirmngr: New option --ldapserver. * dirmngr: Fix regression in KS_GET for mail address pattern. * card: New option --shadow for the list command. * tests: Make sure the built keyboxd is used. * scd: Fix computing shared secrets for 512 bit curves. * scd: Fix unblock PIN by a Reset Code with KDF. * scd: Fix PC/SC removed card problem. * scd: Recover the partial match for PORTSTR for PC/SC. * scd: Make sure to release the PC/SC context. * scd: Fix zero-byte handling in ECC. * scd: Fix serial number detection for Yubikey 5. * scd: Add basic support for AET JCOP cards. * scd: Detect external interference when --pcsc-shared is in use. * scd: Fix access to the list of cards. * gpgconf: Do not list a disabled tpm2d. * gpgconf: Make runtime changes with different homedir work. * keyboxd: Fix searching for exact mail adddress. * keyboxd: Fix searching with multiple patterns. * tools: Extend gpg-check-pattern. * wkd: Fix client issue with leading or trailing spaces in user-ids. * Pass XDG_SESSION_TYPE and QT_QPA_PLATFORM envvars to Pinentry. * Change the default keyserver to keyserver.ubuntu.com. This is a temporary change due to the shutdown of the SKS keyserver pools. - GnuPG 2.3.1: * The new configuration file common.conf is now used to enable the use of the key database daemon with "use-keyboxd". Using this option in gpg.conf and gpgsm.conf is supported for a transitional period. See doc/example/common.conf for more. * gpg: Force version 5 key creation for ed448 and cv448 algorithms. * gpg: By default do not use the self-sigs-only option when importing from an LDAP keyserver. * gpg: Lookup a missing public key of the active card via LDAP. * gpgsm: New command --show-certs. * scd: Fix CCID driver for SCM SPR332/SPR532. * scd: Further improvements for PKCS#15 cards. * New configure option --with-tss to allow the selection of the TSS library. - Rebase patches: * gnupg-add_legacy_FIPS_mode_option.patch * gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch * gnupg-dont-fail-with-seahorse-agent.patch * gnupg-set_umask_before_open_outfile.patch - GnuPG 2.3.0: * A new experimental key database daemon is provided. To enable it put "use-keyboxd" into gpg.conf and gpgsm.conf. Keys are stored in a SQLite database and make key lookup much faster. * New tool gpg-card as a flexible frontend for all types of supported smartcards. * New option --chuid for gpg, gpgsm, gpgconf, gpg-card, and gpg-connect-agent. * The gpg-wks-client tool is now installed under bin; a wrapper for its old location at libexec is also installed. * tpm2d: New daemon to physically bind keys to the local machine. * gpg: Switch to ed25519/cv25519 as default public key algorithms. * gpg: Verification results now depend on the --sender option and the signer's UID subpacket. * gpg: Do not use any 64-bit block size cipher algorithm for encryption. Use AES as last resort cipher preference instead of 3DES. This can be reverted using --allow-old-cipher-algos. * gpg: Support AEAD encryption mode using OCB or EAX. * gpg: Support v5 keys and signatures. * gpg: Support curve X448 (ed448, cv448). * gpg: Allow use of group names in key listings. * gpg: New option --full-timestrings to print date and time. * gpg: New option --force-sign-key. * gpg: New option --no-auto-trust-new-key. * gpg: The legacy key discovery method PKA is no longer supported. The command --print-pka-records and the PKA related import and export options have been removed. * gpg: Support export of Ed448 Secure Shell keys. * gpgsm: Add basic ECC support. * gpgsm: Support creation of EdDSA certificates. [#4888] * agent: Allow the use of "Label:" in a key file to customize the pinentry prompt. * agent: Support ssh-agent extensions for environment variables. With a patched version of OpenSSH this avoids the need for the "updatestartuptty" kludge. * scd: Improve support for multiple card readers and tokens. * scd: Support PIV cards. * scd: Support for Rohde&Schwarz Cybersecurity cards. * scd: Support Telesec Signature Cards v2.0 * scd: Support multiple application on certain smartcard. * scd: New option --application-priority. * scd: New option --pcsc-shared; see man page for important notes. * dirmngr: Support a gpgNtds parameter in LDAP keyserver URLs. * The symcryptrun tool, a wrapper for the now obsolete external Chiasmus tool, has been removed. * Full Unicode support for the command line. - dropped legacy commands: gpg-zip ==== installation-images-MicroOS ==== Version update (17.22 -> 17.27) - merge gh#openSUSE/installation-images#550 - always include bash -> sh link - 17.27 - merge gh#openSUSE/installation-images#549 - use xz with threading to compress the initrd - 17.26 - merge gh#openSUSE/installation-images#546 - linuxrc handles LIBSTORAGE_* and YAST_* boot options (jsc#SLE-21308) - 17.25 - merge gh#openSUSE/installation-images#540 - add kernel modules for MPS3 USB (jsc#SLE-20148) - 17.24 - merge gh#openSUSE/installation-images#544 - xf86-input-libinput now exists on s390x - 17.23 ==== librsvg ==== Version update (2.52.3 -> 2.52.4) Subpackages: gdk-pixbuf-loader-rsvg librsvg-2-2 - Disable testsuite for now, let upstream figure out the issue with harfbuzz 3.1.1. - Update to version 2.52.4: + New features: - Support the isolation property from the Compositing and Blending Level 1 specification. - Support Visual Studio 2022. + Bug fixes: - The opacity and mix-blend-mode properties were not being applied when an element has a mask. - Fix panic when an empty group has a pattern fill and filters. - Fix the tests on Windows; the still only work when Fontconfig is present. - Work around a bug in the cairo-rs bindings in the test suite, that only manifests itself in s/390x due to its calling convention. See https://github.com/gtk-rs/gtk-rs-core/issues/335 ==== ncurses ==== Version update (6.3.20211115 -> 6.3.20211120) Subpackages: libncurses6 ncurses-utils terminfo-base - Add ncurses patch 20211120 + add dim, ecma+strikeout to st-0.6 -TD + deallocate the tparm cache when del_curterm is called for the last allocated TERMINAL structure (report/testcase by Bram Moolenaar, cf: 20200531). + modify test-package to more closely conform to Debian multi-arch. + if the --with-pkg-config-libdir option is not given, use ${libdir}/pkgconfig as a default (prompted by discussion with Ross Burton). - Correct offsets of patch ncurses-6.3.dif ==== python-PyYAML ==== Version update (5.4.1 -> 6.0) - Add patch setuptools.patch - update to 6.0 * drop Python 2.7 * always require `Loader` arg to `yaml.load()` * fix float resolver to ignore `.` and `._` * fix representation of Enum subclasses * fix libyaml extension compiler warnings * fix ResourceWarning on leaked file descriptors * remove remaining direct distutils usage ==== python-psutil ==== - Update skip-obs.patch to also skip TestProcess.test_ionice_linux ==== toolbox ==== Version update (2.2+git20210823.dd0fff8 -> 2.2+git20211124.09791b1) - Update to version 2.2+git20211124.09791b1: * Introduce -n/--nostop switch so mutiple sessions can be run inside an existing toolbox