Packages changed:
  Mesa
  Mesa-drivers
  abseil-cpp (20220623.0 -> 20220623.1)
  fwupd (1.7.9 -> 1.7.10)
  gdb
  keylime (6.4.2 -> 6.5.0)
  libXtst (1.2.3 -> 1.2.4)
  libXxf86vm (1.1.4 -> 1.1.5)
  mozjs102
  nghttp2 (1.49.0 -> 1.50.0)
  open-iscsi
  openssl-1_1
  patterns-containers
  podman (4.2.0 -> 4.2.1)
  qemu (7.0.0 -> 7.1.0)
  rust-keylime (0.1.0+git.1659977521.0186093 -> 0.1.0+git.1663769444.6318234)
  vim (9.0.0500 -> 9.0.0626)
  yast2-journal (4.5.1 -> 4.5.2)

=== Details ===

==== Mesa ====
Subpackages: Mesa-libEGL1 Mesa-libGL1 Mesa-libglapi0 libgbm1

- re-disable video codecs due to possible patent issues
  https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/15258
- Pass -Dvideo-codecs=h264dec,h264enc,h265dec,h265enc,vc1dec to
  meson, keep support for hardware codecs inside vaapi, vdpau and
  vulkan. These were previously enabled automatically.
- enabled "swrast" and "amd" Vulkan drivers on riscv64, which is
  upstream default anyway
...

==== Mesa-drivers ====
Subpackages: Mesa-dri Mesa-gallium Mesa-libva

- re-disable video codecs due to possible patent issues
  https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/15258
- Pass -Dvideo-codecs=h264dec,h264enc,h265dec,h265enc,vc1dec to
  meson, keep support for hardware codecs inside vaapi, vdpau and
  vulkan. These were previously enabled automatically.
- enabled "swrast" and "amd" Vulkan drivers on riscv64, which is
  upstream default anyway
...

==== abseil-cpp ====
Version update (20220623.0 -> 20220623.1)

- update to 20220623.1:
  * minor warning fix

==== fwupd ====
Version update (1.7.9 -> 1.7.10)
Subpackages: fwupd-bash-completion fwupd-lang libfwupd2 libfwupdplugin5 typelib-1_0-Fwupd-2_0

- Update to version 1.7.10:
  + Always check the BDP partitions when getting all the possible ESPs
  + Correctly detect CET IBT
  + Do not show HSI events where we changed the spec result value
  + Fix aligning up addresses greater than 4GB
  + Fix applying the latest DBX update on machines with 20200729.x64
    installed
  + Fix checking for invalid depth requirements
  + Fix getting the new version number of the USI docking hardware
  + Fix HSI prefix for invalid chassis
  + Never save the Redfish auto-generated password to a user-readable
    file
  + Only create users using IPMI when we've tested the hardware
  + Only fail the kernel tainted HSI test for specific taint reasons
  + Only show changed events in the fwupdmgr security output
  + Recognize CSME version 16 and update vulnerable versions from
    CSMEVDT data
  + Write all the CCGX metadata block as intended

==== gdb ====

- Add patch to fix build with readline 8.2:
  * gdb-add-support-for-readline-8.2.patch
- Patches added:
  * gdb-testsuite-fix-gdb.mi-mi-sym-info.exp-on-opensuse-tumbleweed.patch
- Maintenance script qa.sh:
  * Add PR26873 kfails.
- Maintenance script qa-remote.sh:
  * Make rpm matching yet more precise.
- Update patch:
  * gdb-tdep-fix-powerpc-ieee-128-bit-format-arg-passing.patch
- Add patches:
  * gdb-handle-pending-c-after-rl_callback_read_char.patch
  * gdb-testsuite-fix-have_mpx-test.patch
  * gdb-symtab-fix-handling-of-dw_tag_unspecified_type.patch
  * gdb-testsuite-fix-gdb.dwarf2-dw2-unspecified-type-foo.c-with-m32.patch

==== keylime ====
Version update (6.4.2 -> 6.5.0)
Subpackages: keylime-config keylime-firewalld keylime-logrotate keylime-registrar keylime-tpm_cert_store keylime-verifier python310-keylime

- Remove keylime.conf.diff patch.
  Now the configuration file is generated during build time
- The "config" subpackage shared only the logger configuration file
- New "tenant" subpackage for the Tenant command line tool
- Drop webapp service port in firewall XML service file
- Update to version v6.5.0:
  * Bump up versions to 6.5.0
  * Enable testing of Rust agent as well as Python by default
  * New readthedocs location for keylime
  * test_restful: Add test for /keys/verify endpoint to rust tests
  * test_restful: Fix testing with rust agent
  * run_tests: Install rust agent when RUST_TEST is defined
  * A fix for "per-agent verifier-issued epoch timestamp"
  * Move SQLite ref integrity pragma to keylime_db
  * Separate CA key store password from server key password
  * Generate missing key and certificates
  * verifier: Add a configuration option to set timeouts
  * config: Change default value for getfloat() to -1.0
  * tenant: Add request_timeout configuration option
  * tpm_main: Move agent specific initialization to tpm_init()
  * failure: Do not read the verifier config on load
  * logging, verifier: Read configuration only when needed
  * tpm_ek_ca: Access tenant config file when needed
  * tpm_main: Only access agent configuration if needed
  * keylime_agent: Use a single tpm instance
  * config: Evaluate snippets in /usr/etc/keylime before /etc/keylime
  * Remove ignore_hostname argument from RequestsClient() calls
  * requests_client: Ignore hostname verification by default
  * web_util: Remove unneeded checks for absolute paths before joining
  * requests_client: remove RequestClient class variables
  * elchecking/policies: Use config.getlist() for measured_boot_imports
  * mappings: Add back missing option measured_boot_imports to verifier
    config
  * verifier: Fail earlier if mTLS cert is missing when required
  * crypto: Replace if block with conditional argument passing
  * config: Drop unused getdict()
  * config: Use python generator to strip strings in the list
  * verifier: Drop 'cloud' from 'cloudverifier_' variables
  * verifier: Always generate TLS context to contact the agent
  * ca_util: Replace if block with conditional argument
  * Drop broken auto-ipsec demos
  * tenant: Do not disable TLS when enable_agent_mtls = False
  * test_config: Reload configuration on tearDown
  * Change the meaning of trusted_client_ca=default for the agent
  * Install configuration files in test scripts
  * Add jinja2 as requirement for building and testing
  * tenant: Fix mention to old configuration section
  * tenant, verifier: Fix mTLS disablement
  * tenant: Do not try to verify EK cert when not required
  * Adjust test_restful to use the new configuration file
  * ima: Do not try to read excludelist if it is None
  * tenant: Use empty tpm_policy by default
  * Read measured boot configuration when needed
  * Add support for password encrypted keys
  * Change owner of config files and fix sed command in services
    installer
  * installer: Build and install split configuration files
  * Fix configuration unit tests
  * Remove trailing and leading white spaces in config.get_list()
  * Make changes to use the new configuration files
  * Add script to convert old config to new config
  * Ignore false positive for lints
  * Implement additional test to cover in-use deletion case
  * Enable referential integrity for foreign keys in Keylime DB
  * Prevent deletion of in-use allowlists via tenant + better error
    handling
  * Fixes #1046 by explicitly and carefully dealing with a corner case.
  * Fixes #1072 by explicitly and carefully dealing with yet another
    corner case.
  * Define context agent due to keylime-tests PR#193
  * Adds two small utilities which are used by "Offline Attestation"
    (enhancement #73)
  * This commit solves #1091 by adding a per-agent verifier-issued
    epoch timestamp
  * Remove keylime-bot
  * Verifier log message improvements for large-scale testing.
  * Bump version to 6.4.3
  * KEYLIME_DIR should not be clobbered in TEST_MODE
  * registrar: parse EK cert with pyasn1
  * Reject invalid hash algorithms passed as arguments
  * Treat tpm_cert_store as absolute path
  * Fix for cloudverifier_tornado: 408 ('timeout') errors are retried
    instead of causing immediate attestation failure
  * Typo fix: the two certificates got copied over each other during
    the openssl process by mistake.
  * I downloaded the certs from here:
  * Remove cryptodome.py from keylime
  * Refactor allowlist handling on verifier to prevent premature DB
    writes
  * With this change, the `verifier` will now use the `tpm2_print`
    command to extract clock information from the quote. It will then
    use this information to make decisions about the attestation of
    the agent (i.e., the quote timestamp has to monotonically grow in
    a TPM which wasn't restarted/reset). In order to make this
    comparison the clock information from the previous quote is stored
    on the database and then both timestamps are compared.
  * tpm_ek_ca: remove atmel keys
  * Throw an error if --exclude is used without --allowlist
  * Complete implementation of the Allowlists API
  * readme: minor fixes
  * Handle output file and algo validation errors
  * Fixes #1063 in a minimalistic way, by making log output
    configurable
  * Fix spacing
  * Update fmf plans to run test which checks tenant verify options
  * Fixes #1057 ensuring that the verifier can be restarted cleanly
    when mTLS for agents is disabled
  * Adds a per-agent counter for "successfull attestations" on Keylime.
  * Replace tabs with spaces
  * Keep original control structure, minimize change
  * Update installer.sh for RHEL8, PowerTools
  * Set swtpm context which is later used for test filtering
  * Update fmf plans to run tests which check ek_certs
  * Minor fixes
  * Expand documentation for Measured Boot with additional
    info/examples.
  * Fix the project logo in the readme (#1049)
  * Add docs status to README

==== libXtst ====
Version update (1.2.3 -> 1.2.4)

- Update to version 1.2.4
  * Update README for gitlab migration
  * Update configure.ac bug URL for gitlab migration
  * Fix spelling/wording issues
  * gitlab CI: add a basic build test
  * send_axes: Mark switch statement fallthrough as intentional
  * Resolve -Wsign-compare warnings
  * Variable scope reductions as suggested by cppcheck
  * Remove obsolete casts from Xmalloc() and Xcalloc() calls
  * autogen.sh: use quoted string variables
  * autogen: add default patch prefix
  * autogen.sh: use exec instead of waiting for configure to finish

==== libXxf86vm ====
Version update (1.1.4 -> 1.1.5)

- modernize spec file, add license
- Update to version 1.1.5
  * Update README for gitlab migration
  * Update configure.ac bug URL for gitlab migration
  * Fix spelling/wording issues
  * gitlab CI: add a basic build test
  * Fix -Wsign-compare warning
  * Variable scope reductions as suggested by cppcheck
  * Update GetOldReq to use _XGetRequest()
  * autogen.sh: use quoted string variables
  * autogen: add default patch prefix
  * autogen.sh: use exec instead of waiting for configure to finish

==== mozjs102 ====

- Adjust name of ICU data file to fix build on big-endian platforms

==== nghttp2 ====
Version update (1.49.0 -> 1.50.0)

- update to 1.50.0:
  * https://nghttp2.org/blog/2022/09/21/nghttp2-v1-50-0/
    This release adds
    nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation
    which disables checking leading and trailing white spaces against
    HTTP field value.
- disable asio by default as it is deprecated by upstream
  and will be removed in the next release

==== open-iscsi ====
Subpackages: iscsiuio libopeniscsiusr0_2_0

- Update to upstream version 2.1.8, which includes some bug fixes,
  and adds the ability to build using meson. The SPEC file was
  updated to use meson.
  Also, some files have moved:
  * the "lock" file has moved from /etc/iscsi to /var/lock/iscsi
  * the "database files" have moved from /etc/iscsi to /var/lib/iscsi

==== openssl-1_1 ====
Subpackages: libopenssl1_1

- Added openssl-1_1-paramgen-default_to_rfc7919.patch
  * bsc#1180995
  * Default to RFC7919 groups when generating ECDH parameters
    using 'genpkey' or 'dhparam' in FIPS mode.

==== patterns-containers ====

- Added Boolean operator to install distrobox if
  patterns-microos-desktop-common, but install toolbox if
  patterns-microos-desktop-common is not installed

==== podman ====
Version update (4.2.0 -> 4.2.1)
Subpackages: podman-cni-config

- Update to version 4.2.1:
  * Bump to v4.2.1
  * Add release notes for v4.2.1
  * remove SkipIfNotFedora() from events test
  * fix podman events with custom format
  * Drop stale config value resulting in asymmetric config
  * Fix list of default capabilities
  * Add container GID to additional groups
  * libpod: Ensure that generated container names are random
  * Fix bind-mount-option annotation in gen/play kube
  * Improved Windows compatibility for machine command
  * updated apiv2 tests to reflect hash compat fix
  * api: return imageID instead of imageName, for "Image" when Podman
    API is queried
  * Inhibit SIGTERM during Conmon startup
  * Fix example sections to follow the same format
  * Fix template name inconsistency
  * service: make move to sub-cgroup non fatal
  * Remove duplicate annotations in generated service yaml
  * Compat API image remove events now have 'delete' status
  * [CI:DOCS] Automatically set podman version in pkginstaller
  * Allow colons in windows file paths
  * Fixes isRootfull check using qemu machine on Windows
  * vendor containers/psgo@v1.7.3
  * Allow podman to run in an environment with keys containing spaces
  * Document restrictions on transport in FROM
  * Improved Windows compatibility
  * pass environment variables to container clone
  * podman save: update --compress validation
  * sort hc.Binds returned from compat api
  * Cirrus: Update podman-machine comment
  * podman images and friends can take one image as argument
  * [CI:DOCS] Add .DS_Store to gitignore
  * podman-kube@.service.in: Remove Restart=never option with typo
  * Fix #15499 already connected network
  * [CI:DOCS] Cirrus: Update meta-task for EC2 image
  * fix CI: remove hardcoded alpine version
  * fix CI: remove hardcoded alpine version
  * Preserve all unknown PolicyRequirement fields on (podman image
    trust set)
  * Reorganize the types in policy.go a bit
  * Add support for showing keyPaths in (podman image trust show)
  * Support (image trust show) for sigstoreSigned entries
  * BREAKING CHANGE: Change how (podman image trust show) represents
    multiple requirements
  * Reorganize descriptionsOfPolicyRequirements a bit
  * Use the full descriptionsOfPolicyRequirements for the default scope
  * Rename haveMatchRegistry to registriesDConfigurationForScope
  * Rename tempTrustShowOutput to entry
  * Split descriptionsOfPolicyRequirements out of getPolicyShowOutput
  * Recognize the new lookaside names for simple signing sigstore
  * Add a unit test for trust.PolicyDescription
  * Make the output of (podman image trust show) deterministic
  * Make most of pkg/trust package-private
  * Move most of ImageEngine.ShowTrust into pkg/trust.PolicyDescription
  * Add support for sigstoreSigned in (podman image trust set)
  * Create new policy entries together with validating input
  * Improve validation of data in ImageEngine.SetTrust
  * Move most of imageEngine.SetTrust to pkg/trust.AddPolicyEntries
  * Add a variable for scope
  * Make trust.CreateTempFile private
  * Reorganize pkg/trust
  * Remove an unused trust.ShowOutput type
  * Remove commented out code
  * libpod: UpdateContainerStatus: do not wait for container
  * Skip / update some tests under runc
  * Bump to v4.2.1-dev
  * test: update apply-podman-deltas for new tests
  * build: implement --cache-to,--cache-from and --cache-ttl
  * vendor: bump buildah to v1.27.0

==== qemu ====
Version update (7.0.0 -> 7.1.0)

- Runs of the test-suite seem much more stable now, in this version
  of QEMU. (bsc#1203610) We are also fine re-enabling running them in
  parallel.
- Switch QEMU Linux user to emulate the same CPU as the one of the
  host by default. This is a bit controversial and tricky, when
  thinking about system emulation/virtualization. But for linux-user,
  it should be just fine. (bsc#1203684)
* Patches added:
  linux-user-use-max-as-default-CPU-model-.patch
- Be less verbose when packaging documentation. In fact, with just a
  couple of (minor) re-arrangements, we can get rid of having to list
  all the files all the time
- Package /etc/qemu/bridge.conf as '%config(noreplace)'. Next step
  will probably be to move it to /usr/etc/qemu (bsc#1201944)
- Switch to %autosetup for all products (this required some changes
  in update_git.sh)
- Run check-qtest sequentially, as it's more reliable, when in OBS
- Build with libbpf, fdt and capstone support
- Drop the patch adding our support document, and deal with that in
  the spec file directly
* Patches dropped:
  doc-add-our-support-doc-to-the-main-proj.patch
- Updated to latest upstream version 7.1
  * https://wiki.qemu.org/ChangeLog/7.1
  Be sure to also check the following pages:
  * https://qemu-project.gitlab.io/qemu/about/removed-features.html
  * https://qemu-project.gitlab.io/qemu/about/deprecated.html
  Some notable changes:
  * [x86] Support for architectural LBRs on KVM virtual machines
  * [x86] The libopcode-based disassembler has been removed. Use
    Capstone instead
  * [LoongArch] Add initial support for the LoongArch64 architecture.
  * [ARM] The emulated SMMUv3 now advertises support for SMMUv3.2-BBML2
  * [ARM] The xlnx-zynqmp SoC model now implements the 4 TTC timers
  * [ARM] The versal machine now models the Cortex-R5s in the Real-Time
    Processing Unit (RPU) subsystem
  * [ARM] The virt board now supports emulation of the GICv4.0
  * [ARM] New emulated CPU types: Cortex-A76, Neoverse-N1
  * [HPPA] Fix serial port pass-through from host to guest
  * [HPPA] Lots of general code improvements and tidy-ups
  * [RISC-V] RISC-V
  * [RISC-V] Add support for privileged spec version 1.12.0
  * [RISC-V] Use privileged spec version 1.12.0 for virt machine by
    default
  * [RISC-V] Allow software access to MIP SEIP
  * [RISC-V] Add initial support for the Sdtrig extension
  * [RISC-V] Optimisations and improvements for the vector extension
  * [VFIO] Experimental support for exposing emulated PCI devices over
    the new vfio-user protocol (a vfio-user client is not yet available
    in QEMU, though)
  * [QMP] The on-cbw-error option for copy-before-write filter, to
    specify behavior on CBW (copy before write) operation failure.
  * [QMP] The cbw-timeout option for copy-before-write filter, to
    specify timeout for CBW operation.
  * [QMP] New commands query-stats and query-stats-schema to retrieve
    statistics from various QEMU subsystems (right now only from KVM).
  * [QMP] The PanicAction can now be configured to report an
    exit-failure (useful for automated testing)
  * [Networking] QEMU can be compiled with the system slirp library
    even when using CFI. This requires libslirp 4.7.
  * [Migration] Support for zero-copy-send on Linux, which reduces CPU
    usage on the source host.
    Note that locked memory is needed to support this
* Patches added:
  Revert-tests-qtest-enable-more-vhost-use.patch
  meson-remove-pkgversion-from-CONFIG_STAM.patch
* Patches dropped:
  AIO-Reduce-number-of-threads-for-32bit-h.patch
  Makefile-Don-t-check-pc-bios-as-pre-requ.patch
  Revert-8dcb404bff6d9147765d7dd3e9c849337.patch
  Revert-qht-constify-qht_statistics_init.patch
  XXX-dont-dump-core-on-sigabort.patch
  acpi_piix4-Fix-migration-from-SLE11-SP2.patch
  configure-only-populate-roms-if-softmmu.patch
  configure-remove-pkgversion-from-CONFIG_.patch
  coroutine-ucontext-use-QEMU_DEFINE_STATI.patch
  coroutine-use-QEMU_DEFINE_STATIC_CO_TLS.patch
  coroutine-win32-use-QEMU_DEFINE_STATIC_C.patch
  hostmem-default-the-amount-of-prealloc-t.patch
  hw-usb-hcd-ehci-fix-writeback-order.patch
  i8254-Fix-migration-from-SLE11-SP2.patch
  intc-exynos4210_gic-replace-snprintf-wit.patch
  modules-generates-per-target-modinfo.patch
  modules-introduces-module_kconfig-direct.patch
  pc-bios-s390-ccw-net-avoid-warning-about.patch
  pci-fix-overflow-in-snprintf-string-form.patch
  qemu-cvs-gettimeofday.patch
  qemu-cvs-ioctl_debug.patch
  qemu-cvs-ioctl_nodirection.patch
  qht-Revert-some-constification-in-qht.c.patch
  qom-handle-case-of-chardev-spice-module-.patch
  scsi-lsi53c895a-fix-use-after-free-in-ls.patch
  scsi-lsi53c895a-really-fix-use-after-fre.patch
  softmmu-Always-initialize-xlat-in-addres.patch
  sphinx-change-default-language-to-en.patch
  test-add-mapping-from-arch-of-i686-to-qe.patch
  tests-Fix-block-tests-to-be-compatible-w.patch
  tests-qtest-Move-the-fuzz-tests-to-x86-o.patch
  usb-Help-compiler-out-to-avoid-a-warning.patch

==== rust-keylime ====
Version update (0.1.0+git.1659977521.0186093 -> 0.1.0+git.1663769444.6318234)

- Rebase bindgen.patch and upstream the change
- Rebase keylime-agent.conf.diff
- Store the configuration file in /usr/etc/keylime/agent.conf
- Fix keylime user creation
- Drop webapp service port in firewall XML service file
- Update to version 0.1.0+git.1663769444.6318234:
  * Update comments in the configuration file
  * config: Align config locations with the python components
  * config: Add configuration file version
  * config: Add back support for KEYLIME_DIR env var
  * Change configuration format to TOML
  * Add support for using passphrase protected key
  * Do not try to load TPM data generated by another TPM
  * Allow using existing key and certificate
  * Remove the agent TPM data from the config struct
  * Rename the configuration options
  * Use password to generate EK when provided
  * Add tpm_ownerpassword option to keylime.conf
  * Add cargo audit to CI static tests
  * Add agent and faked_measured_boot_log tests context
  * Appease clippy

==== vim ====
Version update (9.0.0500 -> 9.0.0626)
Subpackages: vim-data vim-data-common vim-small

- Updated to version 9.0.0626, fixes the following problems
- fix boo#1203924 - CVE-2022-3352
  * Error for modifying a const is not detected at compile time.
  * Leaking argument type array.
  * Too many delete() calls in tests.
  * When quitting the cmdline window with CTRL-C it remains visible.
  * Warning for using uninitialized value in mouse test.
  * A closure in a nested loop in a :def function does not work.
  * Build failure.
  * Various problems with 'nosplitscroll'.
  * Line number argument for :badd does not work.
  * Command line cleared when using :redrawstatus in CmdlineChanged
    autocommand event.
  * When the channel test fails there is no clue why.
  * Confusing error for "saveas" command with "nofile" buffer.
  * Chatito files are not recognized.
  * Unnecessary scrolling for message of only one line.
  * Cannot redraw the status lines when editing a command.
  * May not be able to use a pattern at the debug prompt.
  * Terminal test sometimes hangs.
  * Virtual text highlight starts too early when 'number' is set.
  * Virtual text "above" highlights gap after it.
  * When at the command line :redrawstatus does not work well.
  * Virtual text highlight starts too early with 'nowrap' and 'number'
    set.
  * The win_line() function is much too long.
  * Declaring a loop variable at the start of a block is clumsy.
  * Compiler warns for unused argument in small version.
  * Build fails on Appveyor.
  * more compiler warnings for arguments in small version
  * Manually deleting temp test files.
  * Long sign text may overflow buffer.
  * Appveyor setup contains outdated lines.
  * Using freed memory when autocmd changes mark.
  * The win_line() function is much too long.
  * Edit test is flaky when run under valgrind.
  * The win_line() function is much too long.
  * Line number is displayed at virtual text "above".
  * Closure gets wrong value in for loop with two loop variables.
  * The do_set() function is much too long.
  * Manually deleting test temp files.
  * Long message test can be flaky.
  * Assigning stack variable to argument confuses Coverity.
  * Terminal pwd test fails with a very long path name.
  * Insufficient testing for assert and test functions.
  * Minor issues with setting a string option.
  * When a test is slow and CI times out there is no time info.
  * Supporting Ruby 1.8 makes code complicated.
  * Looping over empty out_loop[] entries.
  * reduce() with a compiled lambda could be faster.
  * Duplicated code in calling a :def function.
  * Crash when closing a tabpage and buffer is NULL.
  * Mode message is delayed when :echowin was used. (Maxim Kim)
  * Crash when using NUL in buffer that uses :source.
  * No error for "|" after "{" in lambda.
  * Using freed memory when command follows lambda.
  * Scrolling with 'nosplitscroll' in callback changing curwin.
  * Leaking memory with nested functions.
  * Valgrind reports possibly leaked memory.
  * Coverity warns for possibly using NULL pointer.
  * Timer test may get stuck at hit-enter prompt.
  * Elapsed time since testing started is not visible.
  * When a test gets stuck it just hangs forever.
  * HSL playlist files are not recognized.
  * Timer_info() test fails.
  * Cscope test causes problems when code for test timeout timer is
    included (even when commented out).
  * Nim files are not recognized.
  * 'completeopt' "longest" is not used for complete().
  * Autocmd code is indented more than needed.
  * Cannot easily get out when using "vim file | grep word".
  * Insert complete tests leave a mapping behind.
  * Outdated dependencies go unnoticed.
  * Timer garbage collect test hangs on Mac M1.
  * The getchar() function behaves strangely with bracketed paste.
  * Unused loop variables.
  * Buffer underflow with unexpected :finally.
  * Using freed memory when 'tagfunc' wipes out buffer that holds
    'complete'.
  * Adding a character for incsearch fails at end of line.
  * Only recognizing .m3u8 files is inconsistent.
  * Cscope test with wrong executable name fails.
  * When long message test fails the error message is not visible.
  * Missing change in test.
  * Unicode tables are outdated.
  * After exiting Insert mode spelling is not checked in the next line.
  * Message window popup shows on only one tab page. (Naruhiko Nishino)
  * Display not cleared when scrolling back in messages, a background
    color is set and t_ut is empty.
  * Makefile error message causes a shell error.
  * Extra newline in messages after a verbose shell message.
  * Cannot close a tab page with the middle mouse button.
  * Using negative array index with negative width window.
  * Latexmkrc files are not recognized.
  * GYP files are not recognized.
  * Too much indent.
  * New TypeScript extensions are not recognized.
  * With 'nosplitscroll' folds are not handled correctly.
  * Luacheckrc file is not recognized.
  * Dump file missing.
  * system() opens a terminal window when using the GUI and "!" is in
... changelog too long, skipping 15 lines ...
  * matchaddpos() can only add up to 8 matches.

==== yast2-journal ====
Version update (4.5.1 -> 4.5.2)

- Localize date range in Change Filter dialog (B S Srinidhi,
  bsc#1081459)
- 4.5.2