Packages changed:
  aaa_base (84.87+git20191120.98f1524 -> 84.87+git20191206.1cb88e3)
  btrfsprogs (5.3.1 -> 5.4)
  dbus-1 (1.12.12 -> 1.12.16)
  expat (2.2.8 -> 2.2.9)
  gnutls (3.6.10 -> 3.6.11.1)
  haproxy (2.0.9+git6.26b7b800 -> 2.0.10+git14.7caf150a)
  iproute2 (5.3 -> 5.4)
  libxcrypt (4.4.3 -> 4.4.10)
  rebootmgr
  restorecond
  systemd

=== Details ===

==== aaa_base ====
Version update (84.87+git20191120.98f1524 -> 84.87+git20191206.1cb88e3)

- Update to version 84.87+git20191206.1cb88e3:
  * Add support for lesskey.bin in /usr/etc
  * Do last change also for tcsh
  * Not all XTerm based emulators do have an terminfo entry

==== btrfsprogs ====
Version update (5.3.1 -> 5.4)
Subpackages: btrfsprogs-udev-rules libbtrfs0

- Update to 5.4
  * support new hash algorithms (kernel 5.5):
    * mkfs.btrfs and btrfs-convert with --csum, crc32c, xxhash, sha256, blake2
  * mkfs: support new raid1c3 and raid1c4 block group profiles (kernel 5.5)
  * check:
    * --repair delays start with a warning, can be skipped using --force
    * enhanced detection of inode types from partial data, more options
      for repair
  * receive: fix quiet option
  * image: speed up chunk loading
  * fi usage:
    * sort devices by id
    * print ratio of used/total per block group type
  * rescue zero-log: reset the log pointers directly, avoid reading some
    other potentially damaged structures
  * new make target install-static to install only static binaries/libraries
  * other
    * docs updates
    * new tests
    * cleanups and refactoring

==== dbus-1 ====
Version update (1.12.12 -> 1.12.16)
Subpackages: libdbus-1-3

- Verify signatures
  * dbus-1.keyring - Key for Simon McVittie (smcv) from the Debian
    developer keyring.
- Drop dbus_at_console.ck not needed
- Clean up sources
  * Source2 dbus-1.desktop now Source4
  * baselib.conf now source 3
- Update to 1.12.16
  * CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1
    authentication for identities that differ from the user running the
    DBusServer. Previously, a local attacker could manipulate symbolic
    links in their own home directory to bypass authentication and connect
    to a DBusServer with elevated privileges. The standard system and
    session dbus-daemons in their default configuration were immune to
    this attack because they did not allow DBUS_COOKIE_SHA1, but
    third-party users of DBusServer such as Upstart could be vulnerable.
    Thanks to Joe Vennix of Apple Information Security.
    (bsc#1137832, dbus#269, Simon McVittie)
- From 1.12.14
  * Raise soft fd limit to match hard limit, even if unprivileged. This
    makes session buses with many clients, or with clients that make heavy
    use of fd-passing, less likely to suffer from fd exhaustion.
    (dbus!103, Simon McVittie)
  * If a privileged dbus-daemon has a hard fd limit greater than 64K,
    don't reduce it to 64K, ensuring that we can put back the original fd
    limits when carrying out traditional (non-systemd) activation. This
    fixes a regression with systemd >= 240 in which system services
    inherited dbus-daemon's hard and soft limit of 64K fds, instead of the
    intended soft limit of 1K and hard limit of 512K or 1M.
    (dbus!103, Debian#928877; Simon McVittie)
  * Fix build failures caused by an AX_CODE_COVERAGE API change in newer
    autoconf-archive versions (dbus#249, dbus!88; Simon McVittie)
  * Fix build failures with newer autoconf-archive versions that include
    AX_-prefixed shell variable names (dbus#249, dbus!86; Simon McVittie)
  * Parse section/group names in .service files according to the syntax
    from the Desktop Entry Specification, rejecting control characters and
    non-ASCII in section/group names (dbus#208, David King)
  * Fix various -Wlogical-op issues that cause build failure with newer
    gcc versions (dbus#225, dbus!109; David King)
  * Don't assume we can set permissions on a directory, for the benefit of
    MSYS and Cygwin builds (dbus#216, dbus!110; Simon McVittie)
  * Don't overwrite PKG_CONFIG_PATH and related environment variables when
    the pkg-config-based version of DBus1Config is used in a CMake project
    (dbus#267, dbus!96; Clemens Lang)
- Drop now upstream Patches
  * dbus-no-ax-check.patch
  * dbus-new-autoconf-archive.patch

==== expat ====
Version update (2.2.8 -> 2.2.9)

- Version update to 2.2.9
  * Other changes:
    - examples: Drop executable bits from elements.c
    - [#349] Windows: Change the name of the Windows DLLs from expat*.dll
      to libexpat*.dll once more (regression from 2.2.8, first fixed in
      1.95.3, issue #61 on SourceForge today, was issue #432456 back
      then); needs a fix due case-insensitive file systems on Windows and
      the fact that Perl's XML::Parser::Expat compiles into Expat.dll.
    - [#347] Windows: Only define _CRT_RAND_S if not defined
    - Version info bumped from 7:10:6 to 7:11:6

==== gnutls ====
Version update (3.6.10 -> 3.6.11.1)

- gnutls 3.6.11.1:
  * libgnutls: Corrected issue with TLS 1.2 session ticket handling as
    client during resumption
  * libgnutls: gnutls_base64_decode2() succeeds decoding the empty string
    to the empty string. This is a behavioral change of the API but it
    conforms to the RFC4648 expectations
  * libgnutls: Fixed AES-CFB8 implementation, when input is shorter than
    the block size. Fix backported from nettle.
  * certtool: CRL distribution points will be set in CA certificates even
    when non self-signed
  * gnutls-cli/serv: added raw public-key handling capabilities (RFC7250).
    Key material can be set via the --rawpkkeyfile and --rawpkfile flags.

==== haproxy ====
Version update (2.0.9+git6.26b7b800 -> 2.0.10+git14.7caf150a)

- Update to version 2.0.10+git14.7caf150a:
  * BUG/MINOR: mux-h1: Fix conditions to know whether or not we may receive data
  * BUG/MINOR: mux-h1: Don't rely on CO_FL_SOCK_RD_SH to set H1C_F_CS_SHUTDOWN
  * BUG/MEDIUM: mux-h1: Never reuse H1 connection if a shutw is pending
  * BUG/MINOR: ssl: certificate choice can be unexpected with openssl >= 1.1.1
  * BUG/MEDIUM: listener/thread: fix a race when pausing a listener
  * BUG/MINOR: stream-int: avoid calling rcv_buf() when splicing is still possible
  * BUG/MEDIUM: stream-int: don't subscribed for recv when we're trying to flush data
  * DOC: move the "group" keyword at the right place
  * DOC: clarify matching strings on binary fetches
  * DOC: Clarify behavior of server maxconn in HTTP mode
- Update to version 2.0.10+git4.6d9a455d:
  * BUG/MINOR: http-htx: Don't make http_find_header() fail if the value is empty
- Update to version 2.0.10+git3.200c6215:
  * BUG/MINOR: contrib/prometheus-exporter: decode parameter and value only
- Update to version 2.0.10+git2.3a00e5fc:
  * BUG/MINOR: contrib/prometheus-exporter: Use HTX errors and not legacy ones
  * BUG/MINOR: stream: init variables when the list is empty
- Update to version 2.0.10+git0.ac198b92:
  * [RELEASE] Released version 2.0.10
  * SCRIPTS: git-show-backports: add "-s" to proposed cherry-pick commands
  * SCRIPTS: create-release: show the correct origin name in suggested commands
  * BUG/MAJOR: mux-h2: don't try to decode a response HEADERS frame in idle state
  * BUG/MAJOR: h2: make header field name filtering stronger
  * BUG/MAJOR: h2: reject header values containing invalid chars
  * MINOR: ist: add ist_find_ctl()
  * BUG/MINOR: ssl: fix curve setup with LibreSSL
  * BUG/MINOR: cli: fix out of bounds in -S parser
  * DOC: Add documentation about the use-service action
  * DOC: Add missing stats fields in the management manual
  * BUG/MINOR: mux-h1: Adjust header case when chunked encoding is add to a message
  * BUG/MINOR: mux-h1: Fix a UAF in cfg_h1_headers_case_adjust_postparser()
  * MEDIUM: mux-h1: Add the support of headers adjustment for bogus HTTP/1 apps
  * REGTEST: vtest can now enable mcli with its own flag
  * MINOR: stats: Report max times in addition of the averages for sessions
  * BUG/MINOR: stream-int: Fix si_cs_recv() return value
  * MINOR: contrib/prometheus-exporter: Add a param to ignore servers in maintenance
  * MINOR: contrib/prometheus-exporter: filter exported metrics by scope
  * MINOR: contrib/prometheus-exporter: report the number of idle conns per server
  * BUG/MINOR: contrib/prometheus-exporter: Rename some metrics
  * MINOR: contrib/prometheus-exporter: Report metrics about max times for sessions
  * MINOR: counters: Add fields to store the max observed for {q,c,d,t}_time
  * MINOR: stream: Remove the lock on the proxy to update time stats
  * MINOR: freq_ctr: Make the sliding window sums thread-safe
  * BUG/MINOR: http-ana: Properly catch aborts during the payload forwarding
  * BUG/MINOR: mux-h1: Fix tunnel mode detection on the response path
  * BUILD: debug: Avoid warnings in dev mode with -02 because of some BUG_ON tests
  * BUG/MEDIUM: stream-int: Don't loose events on the CS when an EOS is reported
  * BUILD/MINOR: ssl: fix compiler warning about useless statement
  * BUG/MINOR: peers: "peer alive" flag not reset when deconnecting.
  * BUG/MEDIUM: mworker: don't fill the -sf argument with -1 during the reexec

==== iproute2 ====
Version update (5.3 -> 5.4)

- Update to new upstream release 5.4
  * devlink: increase number of supported options (32 -> 64)
  * devlink: add trap set and show commands
  * devlink: add trap group set and show commands
  * devlink: add reset_dev_on_drv_probe param
  * devlink: support unknown value for fw_load_policy
  * devlink: support flash status monitoring
  * devlink: add reload failed indication
  * ip: netns: support dump of nsid conversion table
  * ip: nexthop: support filtering by protocol for flush and list
  * rdma: driver QP type string
  * tc: introduce ct action
  * tc: support 64-bit rate and peakrate
  * tc: etf: support skip_sock_check
  * tc: flower: add matching on conntrack info
  * tc: taprio: support setting flags
  * tc: taprio: support setting txtime_delay
  * documentation improvements
  * json output improvements
  * drop outdated example scripts and README files
- drop (patched script dropped) examples-fix-bashisms-in-example-script.patch
- ss-fix-end-of-line-printing-in-misc-ss.c.patch: fix missing end of line
  at the end of ss output

==== libxcrypt ====
Version update (4.4.3 -> 4.4.10)

- Update to version 4.4.10
  * Fix alignment problem for GOST 34.11 (Streebog) in gost-yescrypt.
  * The crypt_* functions will now all fail and set errno to ERANGE if
    their 'phrase' argument is longer than CRYPT_MAX_PASSPHRASE_SIZE
    characters (this is currently 512)
  * The NT hashing method no longer truncates passphrases at 128
    characters; Windows does not do this.
- format-overflow.patch: remove

==== rebootmgr ====

- Fix %posttrans script returning an error code

==== restorecond ====

- Use %make_build and respect %optflags.

==== systemd ====
Subpackages: libsystemd0 libudev1 systemd-logger systemd-sysvinit udev

- Import commit dbb1d4734daffa62e0eddecfa4f784c84a9d8e76
  1439d72a72 udevd: don't use monitor after manager_exit()
  99288dd778 Revert "udevd: fix crash when workers time out after exit is signal caught"
  152577d6d0 udevd: fix crash when workers time out after exit is signal caught
  f854991504 udevd: wait for workers to finish when exiting (bsc#1106383)
  Changes from the v243-stable (84 commits):
  e51d9bf9e5 man: add entry about SpeedMeter=
  aa1fc791c7 udev: silence warning about PROGRAM+= or IMPORT+= rules
  b9a619bb67 udevadm: ignore EROFS and return earlier
  1ec5b9f80c basic: add vmware hypervisor detection from device-tree
  7fa7080248 umount: be happy if /proc/swaps doesn't exist
  [...]
  47d0e23d26 udev: fix memleak caused by wrong cleanup function
  a6fb0542c5 parse_hwdb: fix compatibility with pyparsing 2.4.*
  cb1d892f17 parse_hwdb: process files in order