Packages changed:
  cockpit-podman
  dbus-1 (1.12.22 -> 1.14.0)
  dbus-1-x11 (1.12.22 -> 1.14.0)
  gnutls
  kbd
  libvdpau (1.4 -> 1.5)
  logrotate
  lua54
  mozilla-nss (3.74 -> 3.75)
  openssl-1_1
  qemu
  yast2 (4.4.45 -> 4.4.47)

=== Details ===

==== cockpit-podman ====

- Add source-offest to _service to fix build error in Leap.

==== dbus-1 ====
Version update (1.12.22 -> 1.14.0)
Subpackages: libdbus-1-3

- Update to version 1.14.0:
  + Dependencies:
  - dbus now requires at least a basic level of support for C99
    variadic macros, as implemented in gcc >= 3, all versions of
    Clang, and MSVC >= 2005. In practice this requirement has
    existed since version 1.9.2, but it is now official.
  - dbus now requires a C99-compatible va_copy() macro
    (or a __va_copy() macro with the same behaviour), except when
    building for Windows using MSVC and CMake.
  - On Unix platforms, if getpwnam_r() and getgrnam_r() are
    implemented, they must be POSIX-conformant. The non-POSIX
    signature seen in ancient Solaris versions will no longer
    work.
  - GLib >= 2.38 is required if full test coverage is enabled
    (reduced from 2.40 in dbus 1.12.x.)
  - Building using CMake now requires CMake 3.4.
  - Building documentation using CMake now requires xsltproc,
    Docbook DTDs (for example docbook-xml on Debian derivatives),
    and Docbook XSLT stylesheets (for example docbook-xsl on
    Debian derivatives). Using KDE's meinproc4 documentation
    processor is no longer supported.
  + Build-time configuration changes: Move CMake build system to
    top level, matching normal practice for CMake projects
  + Deprecations:
  - Third-party software should install default dbus policies for
    the system bus into ${datadir}/dbus-1/system.d (this has been
    supported since dbus 1.10, released in August 2015).
    Installing default dbus policies in
    ${sysconfdir}/dbus-1/system.d is now considered to be
    deprecated. Policy files in ${sysconfdir}/dbus-1/system.d
    continue to be read, but this directory should only be used
    by system administrators wishing to override the default
    policies.
  - The ${datadir} applicable to dbus is usually /usr/share and
    the ${sysconfdir} is usually /etc.
  - A similar pattern applies to the session bus policies in
    session.d.
  - The dbus-send(1) man page now documents --bus and --peer
    instead of the old --address synonym for --peer, which has
    been deprecated since the introduction of --bus and --peer in
    1.7.6
  - The dbus-daemon man page now has scarier warnings about
    <allow_anonymous/> and non-local TCP, which are insecure and
    should not be used, particularly for the standard system and
    session buses.
  - DBusServer (and hence the dbus-daemon) no longer accepts
    usernames (login names) for the recommended EXTERNAL
    authentication mechanism, only numeric user IDs or the empty
    string. See 1.13.0 release notes for full details.
  + New features:
  - On Linux 4.13 or later when built against a suitable glibc
    version, GetConnectionCredentials() now includes
    UnixGroupIDs, the effective group IDs of the initiator of the
    connection, taken from SO_PEERGROUPS.
  - On Linux 4.13 or later, <policy group="?"> now uses the
    SO_PEERGROUPS credentials-passing socket option to get the
    effective group IDs of the initiator of the connection. See
    1.13.4 release notes for details.
  - Add a --sender option to dbus-send, which requests a name and
    holds it until the signal has been sent
  - dbus-daemon <allow> and <deny> rules can now specify a
    send_destination_prefix attribute, which is like a
    combination of send_destination and the arg0namespace keyword
    in match rules. See 1.13.12 release notes for more details.
  - The dbus-daemon now filters the messages that it relays,
    removing header fields that it does not understand. Clients
    must not rely on this behaviour unless they have confirmed
    that they are connected to a suitable message bus
    implementation, for example by querying its Features
    property.
  - The dbus-daemon now emits a signal,
    ActivatableServicesChanged, when the list of activatable
    services may have changed. Support for this signal can be
    discovered by querying the Features property.
  - It is now possible to disable traditional (non-systemd)
    service activation at build-time (Autotools:
  - -disable-traditional-activation, CMake:
  - DENABLE_TRADITIONAL_ACTIVATION=OFF). See 1.13.10 release
    notes for details.
  - The API reference manual can be built as a Qt compiled help
    file if qhelpgenerator(-qt5) is available. See 1.13.16
    release notes for details.
  + Miscellaneous behaviour changes:
  - When using the "user bus" (--enable-user-session), put the
    dbus-daemon in the session slice
  - Several environment variables set by systemd are no longer
    passed on to activated services
  - If the dbus-daemon is compiled for Linux with systemd
    support, it now informs systemd that it is ready for use via
    the sd_notify() mechanism.
  - Tarball releases no longer contain pre-2007 changelogs and
    are now compressed with xz, making them around 35% smaller.
- Drop conditionals for old obsolete versions of openSUSE.
- Rebase patches with quilt.
- Use https for source and sig URL.

==== dbus-1-x11 ====
Version update (1.12.22 -> 1.14.0)

- Update to version 1.14.0:
  + Dependencies:
  - dbus now requires at least a basic level of support for C99
    variadic macros, as implemented in gcc >= 3, all versions of
    Clang, and MSVC >= 2005. In practice this requirement has
    existed since version 1.9.2, but it is now official.
  - dbus now requires a C99-compatible va_copy() macro
    (or a __va_copy() macro with the same behaviour), except when
    building for Windows using MSVC and CMake.
  - On Unix platforms, if getpwnam_r() and getgrnam_r() are
    implemented, they must be POSIX-conformant. The non-POSIX
    signature seen in ancient Solaris versions will no longer
    work.
  - GLib >= 2.38 is required if full test coverage is enabled
    (reduced from 2.40 in dbus 1.12.x.)
  - Building using CMake now requires CMake 3.4.
  - Building documentation using CMake now requires xsltproc,
    Docbook DTDs (for example docbook-xml on Debian derivatives),
    and Docbook XSLT stylesheets (for example docbook-xsl on
    Debian derivatives). Using KDE's meinproc4 documentation
    processor is no longer supported.
  + Build-time configuration changes: Move CMake build system to
    top level, matching normal practice for CMake projects
  + Deprecations:
  - Third-party software should install default dbus policies for
    the system bus into ${datadir}/dbus-1/system.d (this has been
    supported since dbus 1.10, released in August 2015).
    Installing default dbus policies in
    ${sysconfdir}/dbus-1/system.d is now considered to be
    deprecated. Policy files in ${sysconfdir}/dbus-1/system.d
    continue to be read, but this directory should only be used
    by system administrators wishing to override the default
    policies.
  - The ${datadir} applicable to dbus is usually /usr/share and
    the ${sysconfdir} is usually /etc.
  - A similar pattern applies to the session bus policies in
    session.d.
  - The dbus-send(1) man page now documents --bus and --peer
    instead of the old --address synonym for --peer, which has
    been deprecated since the introduction of --bus and --peer in
    1.7.6
  - The dbus-daemon man page now has scarier warnings about
    <allow_anonymous/> and non-local TCP, which are insecure and
    should not be used, particularly for the standard system and
    session buses.
  - DBusServer (and hence the dbus-daemon) no longer accepts
    usernames (login names) for the recommended EXTERNAL
    authentication mechanism, only numeric user IDs or the empty
    string. See 1.13.0 release notes for full details.
  + New features:
  - On Linux 4.13 or later when built against a suitable glibc
    version, GetConnectionCredentials() now includes
    UnixGroupIDs, the effective group IDs of the initiator of the
    connection, taken from SO_PEERGROUPS.
  - On Linux 4.13 or later, <policy group="?"> now uses the
    SO_PEERGROUPS credentials-passing socket option to get the
    effective group IDs of the initiator of the connection. See
    1.13.4 release notes for details.
  - Add a --sender option to dbus-send, which requests a name and
    holds it until the signal has been sent
  - dbus-daemon <allow> and <deny> rules can now specify a
    send_destination_prefix attribute, which is like a
    combination of send_destination and the arg0namespace keyword
    in match rules. See 1.13.12 release notes for more details.
  - The dbus-daemon now filters the messages that it relays,
    removing header fields that it does not understand. Clients
    must not rely on this behaviour unless they have confirmed
    that they are connected to a suitable message bus
    implementation, for example by querying its Features
    property.
  - The dbus-daemon now emits a signal,
    ActivatableServicesChanged, when the list of activatable
    services may have changed. Support for this signal can be
    discovered by querying the Features property.
  - It is now possible to disable traditional (non-systemd)
    service activation at build-time (Autotools:
  - -disable-traditional-activation, CMake:
  - DENABLE_TRADITIONAL_ACTIVATION=OFF). See 1.13.10 release
    notes for details.
  - The API reference manual can be built as a Qt compiled help
    file if qhelpgenerator(-qt5) is available. See 1.13.16
    release notes for details.
  + Miscellaneous behaviour changes:
  - When using the "user bus" (--enable-user-session), put the
    dbus-daemon in the session slice
  - Several environment variables set by systemd are no longer
    passed on to activated services
  - If the dbus-daemon is compiled for Linux with systemd
    support, it now informs systemd that it is ready for use via
    the sd_notify() mechanism.
  - Tarball releases no longer contain pre-2007 changelogs and
    are now compressed with xz, making them around 35% smaller.
- Drop conditionals for old obsolete versions of openSUSE.
- Rebase patches with quilt.
- Use https for source and sig URL.

==== gnutls ====

- build with lto
- build with -Wl,-z,now -Wl,-z,relro
- build without -fanalyzer, which cuts build time in ~ half

==== kbd ====
Subpackages: kbd-legacy

- Refresh kbdsettings-nox86.patch to fix build on non-x86*
  architectures

==== libvdpau ====
Version update (1.4 -> 1.5)

- Add U_Support-AV1.patch: Add support for AV1 in vdpauinfo.
- Minor tweaks to spec.
- Update to version 1.5:
  * Add AV1 decode support in VDPAU API
  * Addition of comma and removing the extra braces
  * Add tracing for HEVCRangeExt picture info
  * Add tracing for VP9 picture info
- Also update vdpauinfo to version 1.4
- Drop patches fixed upstream:
  * c5a8e7c6c8b4b36a0e4c9a4369404519262a3256.patch
  * e82dc4bdbb0db3ffa8c78275902738eb63aa5ca8.patch

==== logrotate ====

- Added own logrotate.service file in order to define a new order
  of parsed config files:
  /usr/etc/logrotate.conf   Default configuration file defined by
    the vendor.
  /usr/etc/logrotate.d/*    Directory for additional configuration
    files defined by the vendor.
  /etc/logrotate.conf       Default configuration file defined by
    the administrator. (optional)
  /etc/logrotate.d/*        Directory for additional configuration
    files defined by the administrator.
    (optional)
- drop logrotate-3.19.0-systemd_add_home_env.patch:
  - included in new logrotate.service
- Adapted man page: logrotate-3.19.0-man_logrotate.patch

==== lua54 ====

- Added patches from upstream:
  * luabugs1.patch
  * luabugs2.patch
- Adjust buildsystem so that it matches upstream git (testes??)
- Drop the lua_docdir define, package docs in the standard
  location. Instead just silently drop packaging the README with
  the path that does not makes sense for a rpm package, but for a
  source tarball install. Simpler solution to boo#1186233.

==== mozilla-nss ====
Version update (3.74 -> 3.75)
Subpackages: libfreebl3 libsoftokn3 mozilla-nss-certs

- update to NSS 3.75
  * bmo#1749030 - This patch adds gcc-9 and gcc-10 to the CI.
  * bmo#1749794 - Make DottedOIDToCode.py compatible with python3.
  * bmo#1749475 - Avoid undefined shift in SSL_CERT_IS while fuzzing.
  * bmo#1748386 - Remove redundant key type check.
  * bmo#1749869 - Update ABI expectations to match ECH changes.
  * bmo#1748386 - Enable CKM_CHACHA20.
  * bmo#1747327 - check return on NSS_NoDB_Init and NSS_Shutdown.
  * bmo#1747310 - real move assignment operator.
  * bmo#1748245 - Run ECDSA test vectors from bltest as part of the CI tests.
  * bmo#1743302 - Add ECDSA test vectors to the bltest command line tool.
  * bmo#1747772 - Allow to build using clang's integrated assembler.
  * bmo#1321398 - Allow to override python for the build.
  * bmo#1747317 - test HKDF output rather than input.
  * bmo#1747316 - Use ASSERT macros to end failed tests early.
  * bmo#1747310 - move assignment operator for DataBuffer.
  * bmo#1712879 - Add test cases for ECH compression and unexpected
    extensions in SH.
  * bmo#1725938 - Update tests for ECH-13.
  * bmo#1725938 - Tidy up error handling.
  * bmo#1728281 - Add tests for ECH HRR Changes.
  * bmo#1728281 - Server only sends GREASE HRR extension if enabled
    by preference.
  * bmo#1725938 - Update generation of the Associated Data for ECH-13.
  * bmo#1712879 - When ECH is accepted, reject extensions which were
    only advertised in the Outer Client Hello.
  * bmo#1712879 - Allow for compressed, non-contiguous, extensions.
  * bmo#1712879 - Scramble the PSK extension in CHOuter.
  * bmo#1712647 - Split custom extension handling for ECH.
  * bmo#1728281 - Add ECH-13 HRR Handling.
  * bmo#1677181 - Client side ECH padding.
  * bmo#1725938 - Stricter ClientHelloInner Decompression.
  * bmo#1725938 - Remove ECH_inner extension, use new enum format.
  * bmo#1725938 - Update the version number for ECH-13 and adjust
    the ECHConfig size.

==== openssl-1_1 ====
Subpackages: libopenssl1_1

- Security fix: [bsc#1192820, CVE-2002-20001]
  * Fix DHEATER: The Diffie-Hellman Key Agreement Protocol allows
    remote attackers (from the client side) to send arbitrary
    numbers that are actually not public keys, and trigger
    expensive server-side DHE calculation.
  * Stop recommending the DHE in SSL_DEFAULT_SUSE_CIPHER_LIST
  * Rebase openssl-DEFAULT_SUSE_cipher.patch
- Fix the engines section in /etc/ssl/openssl.cnf [bsc#1194187]
  * In an INI-type file, the sections begin with a [section_name]
    and they run until the next section begins.
  * Rebase openssl-1_1-use-include-directive.patch

==== qemu ====

- Build PPC firmwares from sources on non-PPC builds as well
  (bsc#1193545)
- Build RiscV firmwares on non-RiscV builds as well
- While there, refactor (and simplify!) the firmware building
  logic and code
  * Patches added:
  Makefile-define-endianess-for-cross-buil.patch
  Makefile-fix-build-with-binutils-2.38.patch
- qemu,kvm,xen: NULL pointer dereference issue in megasas-gen2 host
  bus adapter (bsc#1180432, CVE-2020-35503)
  * Patches added:
  hw-scsi-megasas-check-for-NULL-frame-in-.patch

==== yast2 ====
Version update (4.4.45 -> 4.4.47)

- Extend the Package module to force using PackageSystem or
  PackageAI without having the mode into account.
- AutoYaST: properly detect whether firewalld, bind and
  yast2-dns-server packages are installed when cloning a system
  (bsc#1196963).
- 4.4.47
- Reverted LD_PRELOAD change (GitHub PR#1236) (bsc#1196326)
- 4.4.46
- New doc: Invoking External Commands in YaST (in doc/)