Packages changed: cockpit (235 -> 238.1) cockpit-podman (26 -> 28.1) conmon (2.0.22 -> 2.0.26) container-selinux (2.154.0 -> 2.158.0) cyrus-sasl dracut (052+suse.93.g7bfaa6d9 -> 053+suse.90.gb89b6347) fuse-overlayfs (1.1.2 -> 1.4.0) krb5 (1.18.3 -> 1.19.1) libcontainers-common libxcrypt (4.4.17 -> 4.4.18) libxml2 mozilla-nss (3.60.1 -> 3.61) netcfg patterns-base pcre podman (2.2.1 -> 3.0.1) procps python-pytz python38 (3.8.7 -> 3.8.8) python38-core (3.8.7 -> 3.8.8) rdma-core (31.3 -> 33.1) selinux-policy (20210111 -> 20210223) system-users systemd toolbox (2.1+git20210203.a669e3a -> 2.1+git20210226.daeb191) xen (4.14.1_11 -> 4.14.1_12) === Details === ==== cockpit ==== Version update (235 -> 238.1) Subpackages: cockpit-bridge cockpit-system - new version 238.1 https://cockpit-project.org/blog/cockpit-238.html https://cockpit-project.org/blog/cockpit-237.html - No longer recompress tarball at buildtime - Rebuild from git leveraging local-npm-registry (needs cockpit-redhatfont.diff) ==== cockpit-podman ==== Version update (26 -> 28.1) - new version 28.1 https://github.com/cockpit-project/cockpit-podman/releases/tag/28.1 - use upstream sources without bundled and pre-built dist since we want to rebuild it - use local-npm-registry for building - fix_dependencies.patch: fix build dependencies ==== conmon ==== Version update (2.0.22 -> 2.0.26) - Update to version 2.0.26: * conn_sock: do not fail on EAGAIN * fix segfault from a double freed pointer * Fix a bug where conmon could never spawn a container, because a disagreement between the caller and itself on where the attach socket was. * improve --full-attach to ignore the socket-dir directly. that means callers don't need to specify a socket dir at all (and can remove it) * add full-attach option to allow callers to not truncate a very long path for the attach socket * close only opened FDs * set locale to inherit environment ==== container-selinux ==== Version update (2.154.0 -> 2.158.0) - Update to version 2.158.0 - Add nfs remount support - Allow containers to execmod on nfs, samba and cephs remote shares - Allow confined users to send dbus messages to container_runtime ==== cyrus-sasl ==== Subpackages: cyrus-sasl-gssapi libsasl2-3 - CVE-2020-8032: cyrus-sasl: Local privilege escalation to root due to insecure tmp file usage. (bsc#1180669) Use /var/adm/update-scripts/ instead of /tmp. Clean up temporary files. ==== dracut ==== Version update (052+suse.93.g7bfaa6d9 -> 053+suse.90.gb89b6347) Subpackages: dracut-ima - Update to version 053+suse.90.gb89b6347: Highlights: https://github.com/dracutdevs/dracut/releases/tag/053 dracut.sh: unfreeze /boot on exit (d87ae137) proper return code for inst_multiple in dracut-init.sh (d437970c) fcoe: rename rd.nofcoe to rd.fcoe (6f7823bc) rd.nofcoe=0 should disable fcoe (805b46c2) i18n: get rid of eval calls (5387ed24), backported for 052 downstream create the keyboard symlinks again (9e1c7f3d), backported for 052 downstream network-manager: run as a service if systemd module is present (c17c5b76) rework how NM is started in debug mode (34c73b33) drm: skip empty modalias files in drm module setup (c3f24184) ==== fuse-overlayfs ==== Version update (1.1.2 -> 1.4.0) - Update to version 1.4.0 * add squash_to_uid and squash_to_gid * add squash_to_root mount option. * honor option "volatile". * when writing mode to xattr, create files with mode 0755. * support ID mapping when using xattr permissions. * allow opening not accessible but still referenced files. * invalidate directory cache on create/rename. * fix segfault if no mountpoint specified * fix file_exists_at musl compatibility * introduce extended attribute to override gid/uid/mode. * support writing uid/gid/mode to an extended attribute. * fix a memory leak, where inodes are maintained in memory even if not needed. ==== krb5 ==== Version update (1.18.3 -> 1.19.1) - Update to 1.19.1 * Fix a linking issue with Samba. * Better support multiple pkinit_identities values by checking whether certificates can be loaded for each value. - Update to 1.19 Administrator experience * When a client keytab is present, the GSSAPI krb5 mech will refresh credentials even if the current credentials were acquired manually. * It is now harder to accidentally delete the K/M entry from a KDB. Developer experience * gss_acquire_cred_from() now supports the "password" and "verify" options, allowing credentials to be acquired via password and verified using a keytab key. * When an application accepts a GSS security context, the new GSS_C_CHANNEL_BOUND_FLAG will be set if the initiator and acceptor both provided matching channel bindings. * Added the GSS_KRB5_NT_X509_CERT name type, allowing S4U2Self requests to identify the desired client principal by certificate. * PKINIT certauth modules can now cause the hw-authent flag to be set in issued tickets. * The krb5_init_creds_step() API will now issue the same password expiration warnings as krb5_get_init_creds_password(). Protocol evolution * Added client and KDC support for Microsoft's Resource-Based Constrained Delegation, which allows cross-realm S4U2Proxy requests. A third-party database module is required for KDC support. * kadmin/admin is now the preferred server principal name for kadmin connections, and the host-based form is no longer created by default. The client will still try the host-based form as a fallback. * Added client and server support for Microsoft's KERB_AP_OPTIONS_CBT extension, which causes channel bindings to be required for the initiator if the acceptor provided them. The client will send this option if the client_aware_gss_bindings profile option is set. User experience * kinit will now issue a warning if the des3-cbc-sha1 encryption type is used in the reply. This encryption type will be deprecated and removed in future releases. * Added kvno flags --out-cache, --no-store, and --cached-only (inspired by Heimdal's kgetcred). ==== libcontainers-common ==== - Update commonver to 0.35.1 - Update podmanver to 3.0.1 - Update storagever to 1.24.8 - Update imagever to 5.10.4 ==== libxcrypt ==== Version update (4.4.17 -> 4.4.18) - Update to version 4.4.18 * Fix conversion error in lib/alg-gost3411-core.c ==== libxml2 ==== Subpackages: libxml2-2 libxml2-tools - Fails to build against Python 3.9: * Add upstream commit that fixes the issue https://github.com/GNOME/libxml2/commit/e4fb36841800038c289997432ca547c9bfef9db1 - Add patch libxml2-python39.patch ==== mozilla-nss ==== Version update (3.60.1 -> 3.61) - Add nss-btrfs-sqlite.patch to address bmo#1690232 - update to NSS 3.61 * required for Firefox 86 * bmo#1682071 - Fix issue with IKE Quick mode deriving incorrect key values under certain conditions. * bmo#1684300 - Fix default PBE iteration count when NSS is compiled with NSS_DISABLE_DBM. * bmo#1651411 - Improve constant-timeness in RSA operations. * bmo#1677207 - Upgrade Google Test version to latest release. * bmo#1654332 - Add aarch64-make target to nss-try. ==== netcfg ==== - services-create.pl: Switch to https (bsc#1182395) ==== patterns-base ==== Subpackages: patterns-base-apparmor patterns-base-bootloader patterns-base-minimal_base - Suggest pulseaudio, so that zypp has something to base the decision on when choosing between pulseaudio and pipewire-pulseaudio (boo#1182730). ==== pcre ==== - Copy pcre_jit_test only if jit is enabled ==== podman ==== Version update (2.2.1 -> 3.0.1) Subpackages: podman-cni-config - Drop obsolete varlink.patch - Update to v3.0.1 * Changes - Several frequently-occurring WARN level log messages have been downgraded to INFO or DEBUG to not clutter terminal output. Bugfixes - Fixed a bug where the Created field of podman ps --format=json was formatted as a string instead of an Unix timestamp (integer) (#9315). - Fixed a bug where failing lookups of individual layers during the podman images command would cause the whole command to fail without printing output. - Fixed a bug where --cgroups=split did not function properly on cgroups v1 systems. - Fixed a bug where mounting a volume over an directory in the container that existed, but was empty, could fail (#9393). - Fixed a bug where mounting a volume over a directory in the container that existed could copy the entirety of the container's rootfs, instead of just the directory mounted over, into the volume (#9415). - Fixed a bug where Podman would treat the --entrypoint=[""] option to podman run and podman create as a literal empty string in the entrypoint, when instead it should have been ignored (#9377). - Fixed a bug where Podman would set the HOME environment variable to "" when the container ran as a user without an assigned home directory (#9378). - Fixed a bug where specifying a pod infra image that had no tags (by using its ID) would cause podman pod create to panic (#9374). - Fixed a bug where the --runtime option was not properly handled by the podman build command (#9365). - Fixed a bug where Podman would incorrectly print an error message related to the remote API when the remote API was not in use and starting Podman failed. - Fixed a bug where Podman would change ownership of a container's working directory, even if it already existed (#9387). - Fixed a bug where the podman generate systemd --new command would incorrectly escape %t when generating the path for the PID file (#9373). - Fixed a bug where Podman could, when run inside a Podman container with the host's containers/storage directory mounted into the container, erroneously detect a reboot and reset container state if the temporary directory was not also mounted in (#9191). - Fixed a bug where some options of the podman build command (including but not limited to --jobs) were nonfunctional (#9247). * API - Fixed a breaking change to the Libpod Wait API for Containers where the Conditions parameter changed type in Podman v3.0 (#9351). - Fixed a bug where the Compat Create endpoint for Containers did not properly handle forwarded ports that did not specify a host port. - Fixed a bug where the Libpod Wait endpoint for Containers could write duplicate headers after an error occurred. - Fixed a bug where the Compat Create endpoint for Images would not pull images that already had a matching tag present locally, even if a more recent version was available at the registry (#9232). - The Compat Create endpoint for Images has had its compatibility with Docker improved, allowing its use with the docker-java library. * Misc - Updated Buildah to v1.19.4 - Updated the containers/storage library to v1.24.6 - Changes from v3.0.0 * Features - Podman now features initial support for Docker Compose. - Added the podman rename command, which allows containers to be renamed after they are created (#1925). - The Podman remote client now supports the podman copy command. - A new command, podman network reload, has been added. This command will re-configure the network of all running containers, and can be used to recreate firewall rules lost when the system firewall was reloaded (e.g. via firewall-cmd --reload). - Podman networks now have IDs. They can be seen in podman network ls and can be used when removing and inspecting networks. Existing networks receive IDs automatically. - Podman networks now also support labels. They can be added via the --label option to network create, and podman network ls can filter labels based on them. - The podman network create command now supports setting bridge MTU and VLAN through the --opt option (#8454). - The podman container checkpoint and podman container restore commands can now checkpoint and restore containers that include volumes. - The podman container checkpoint command now supports the --with-previous and --pre-checkpoint options, and the podman container restore command now support the --import-previous option. These add support for two-step checkpointing with lowered dump times. - The podman push command can now push manifest lists. Podman will first attempt to push as an image, then fall back to pushing as a manifest list if that fails. - The podman generate kube command can now be run on multiple containers at once, and will generate a single pod containing all of them. - The podman generate kube and podman play kube commands now support Kubernetes DNS configuration, and will preserve custom DNS configuration when exporting or importing YAML (#9132). - The podman generate kube command now properly supports generating YAML for containers and pods creating using host networking (--net=host) (#9077). - The podman kill command now supports a --cidfile option to kill containers given a file containing the container's ID (#8443). - The podman pod create command now supports the --net=none option (#9165). - The podman volume create command can now specify volume UID and GID as options with the UID and GID fields passed to the the --opt option. - Initial support has been added for Docker Volume Plugins. Podman can now define available plugins in containers.conf and use them to create volumes with podman volume create --driver. - The podman run and podman create commands now support a new option, --platform, to specify the platform of the image to be used when creating the container. - The --security-opt option to podman run and podman create now supports the systempaths=unconfined option to unrestrict access to all paths in the container, as well as mask and unmask options to allow more granular restriction of container paths. - The podman stats --format command now supports a new format specified, MemUsageBytes, which prints the raw bytes of memory consumed by a container without human-readable formatting #8945. - The podman ps command can now filter containers based on what pod they are joined to via the pod filter (#8512). - The podman pod ps command can now filter pods based on what networks they are joined to via the network filter. The podman pod ps command can now print information on what networks a pod is joined to via the .Networks specifier to the --format option. - The podman system prune command now supports filtering what containers, pods, images, and volumes will be pruned. - The podman volume prune commands now supports filtering what volumes will be pruned. - The podman system prune command now includes information on space reclaimed (#8658). - The podman info command will now properly print information about packages in use on Gentoo and Arch systems. - The containers.conf file now contains an option for disabling creation of a new kernel keyring on container creation (#8384). - The podman image sign command can now sign multi-arch images by producing a signature for each image in a given manifest list. - The podman image sign command, when run as rootless, now supports per-user registry configuration files in $HOME/.config/containers/registries.d. - Configuration options for slirp4netns can now be set system-wide via the NetworkCmdOptions configuration option in containers.conf. - The MTU of slirp4netns can now be configured via the mtu= network command option (e.g. podman run --net slirp4netns:mtu=9000). * Security - A fix for CVE-2021-20199 is included. Podman between v1.8.0 and v2.2.1 used 127.0.0.1 as the source address for all traffic forwarded into rootless containers by a forwarded port; this has been changed to address the issue. * Changes - Shortname aliasing support has now been turned on by default. All Podman commands that must pull an image will, if a TTY is available, prompt the user about what image to pull. - The podman load command no longer accepts a NAME[:TAG] argument. The presence of this argument broke CLI compatibility with Docker by making docker load commands unusable with Podman (#7387). - The Go bindings for the HTTP API have been rewritten with a focus on limiting dependency footprint and improving extensibility. Read more here. - The legacy Varlink API has been completely removed from Podman. - The default log level for Podman has been changed from Error to Warn. - The podman network create command can now create macvlan networks using the --driver macvlan option for Docker compatibility. The existing --macvlan flag has been deprecated and will be removed in Podman 4.0 some time next year. - The podman inspect command has had the LogPath and LogTag fields moved into the LogConfig structure (from the root of the Inspect structure). The maximum size of the log file is also included. - The podman generate systemd command no longer generates unit files using the deprecated KillMode=none option (#8615). - The podman stop command now releases the container lock while waiting for it to stop - as such, commands like podman ps will no longer block until podman stop completes (#8501). - Networks created with podman network create --internal no longer use the dnsname plugin. This configuration never functioned as expected. - Error messages for the remote Podman client have been improved when it cannot connect to a Podman service. - Error messages for podman run when an invalid SELinux is specified have been improved. - Rootless Podman features improved support for containers with a single user mapped into the rootless user namespace. - Pod infra containers now respect default sysctls specified in containers.conf allowing for advanced configuration of the namespaces they will share. - SSH public key handling for remote Podman has been improved. * Bugfixes - Fixed a bug where the podman history --no-trunc command would truncate the Created By field (#9120). - Fixed a bug where root containers that did not explicitly specify a CNI network to join did not generate an entry for the network in use in the Networks field of the output of podman inspect (#6618). - Fixed a bug where, under some circumstances, container working directories specified by the image (via the WORKDIR instruction) but not present in the image, would not be created (#9040). - Fixed a bug where the podman generate systemd command would generate invalid unit files if the container was creating using a command line that included doubled braces ({{ and }}), e.g. --log-opt-tag={{.Name}} (#9034). - Fixed a bug where the podman generate systemd --new command could generate unit files including invalid Podman commands if the container was created using merged short options (e.g. podman run -dt) (#8847). - Fixed a bug where the podman generate systemd --new command could generate unit files that did not handle Podman commands including some special characters (e.g. $) (#9176 - Fixed a bug where rootless containers joining CNI networks could not set a static IP address (#7842). - Fixed a bug where rootless containers joining CNI networks could not set network aliases (#8567). - Fixed a bug where the remote client could, under some circumstances, not include the Containerfile when sending build context to the server (#8374). - Fixed a bug where rootless Podman did not mount /sys as a new sysfs in some circumstances where it was acceptable. - Fixed a bug where rootless containers that both joined a user namespace and a CNI networks would cause a segfault. These options are incompatible and now return an error. - Fixed a bug where the podman play kube command did not properly handle CMD and ARGS from images (#8803). - Fixed a bug where the podman play kube command did not properly handle environment variables from images (#8608). - Fixed a bug where the podman play kube command did not properly print errors that occurred when starting containers. - Fixed a bug where the podman play kube command errored when hostNetwork was used (#8790). - Fixed a bug where the podman play kube command would always pull images when the :latest tag was specified, even if the image was available locally (#7838). - Fixed a bug where the podman play kube command did not properly handle SELinux configuration, rending YAML with custom SELinux configuration unusable (#8710). - Fixed a bug where the podman generate kube command incorrectly populated the args and command fields of generated YAML (#9211). - Fixed a bug where containers in a pod would create a duplicate entry in the pod's shared /etc/hosts file every time the container restarted (#8921). - Fixed a bug where the podman search --list-tags command did not support the --format option (#8740). - Fixed a bug where the http_proxy option in containers.conf was not being respected, and instead was set unconditionally to true (#8843). - Fixed a bug where rootless Podman could, on systems with a recent Conmon and users with a long username, fail to attach to containers (#8798). - Fixed a bug where the podman images command would break and fail to display any images if an empty manifest list was present in storage (#8931). - Fixed a bug where locale environment variables were not properly passed on to Conmon. - Fixed a bug where Podman would not build on the MIPS architecture (#8782). - Fixed a bug where rootless Podman could fail to properly configure user namespaces for rootless containers when the user specified a --uidmap option that included a mapping beginning with UID 0. - Fixed a bug where the podman logs command using the k8s-file backend did not properly handle partial log lines with a length of 1 (#8879). - Fixed a bug where the podman logs command with the --follow option did not properly handle log rotation (#8733). - Fixed a bug where user-specified HOSTNAME environment variables were overwritten by Podman (#8886). - Fixed a bug where Podman would applied default sysctls from containers.conf in too many situations (e.g. applying network sysctls when the container shared its network with a pod). - Fixed a bug where Podman did not properly handle cases where a secondary image store was in use and an image was present in both the secondary and primary stores (#8176). - Fixed a bug where systemd-managed rootless Podman containers where the user in the container was not root could fail as the container's PID file was not accessible to systemd on the host (#8506). - Fixed a bug where the --privileged option to podman run and podman create would, under some circumstances, not disable Seccomp (#8849). - Fixed a bug where the podman exec command did not properly add capabilities when the container or exec session were run with --privileged. - Fixed a bug where rootless Podman would use the --enable-sandbox option to slirp4netns unconditionally, even when pivot_root was disabled, rendering slirp4netns unusable when pivot_root was disabled (#8846). - Fixed a bug where podman build --logfile did not actually write the build's log to the logfile. - Fixed a bug where the podman system service command did not close STDIN, and could display user-interactive prompts (#8700). - Fixed a bug where the podman system reset command could, under some circumstances, remove all the contents of the XDG_RUNTIME_DIR directory (#8680). - Fixed a bug where the podman network create command created CNI configurations that did not include a default gateway (#8748). - Fixed a bug where the podman.service systemd unit provided by default used the wrong service type, and would cause systemd to not correctly register the service as started (#8751). - Fixed a bug where, if the TMPDIR environment variable was set for the container engine in containers.conf, it was being ignored. - Fixed a bug where the podman events command did not properly handle future times given to the --until option (#8694). - Fixed a bug where the podman logs command wrote container STDERR logs to STDOUT instead of STDERR (#8683). - Fixed a bug where containers created from an image with multiple tags would report that they were created from the wrong tag (#8547). - Fixed a bug where container capabilities were not set properly when the --cap-add=all and --user options to podman create and podman run were combined. - Fixed a bug where the --layers option to podman build was nonfunctional (#8643). - Fixed a bug where the podman system prune command did not act recursively, and thus would leave images, containers, pods, and volumes present that would be removed by a subsequent call to podman system prune (#7990). - Fixed a bug where the --publish option to podman run and podman create did not properly handle ports specified as a range of ports with no host port specified (#8650). - Fixed a bug where --format did not support JSON output for individual fields (#8444). - Fixed a bug where the podman stats command would fail when run on root containers using the slirp4netns network mode (#7883). - Fixed a bug where the Podman remote client would ask for a password even if the server's SSH daemon did not support password authentication (#8498). - Fixed a bug where the podman stats command would fail if the system did not support one or more of the cgroup controllers Podman supports (#8588). - Fixed a bug where the --mount option to podman create and podman run did not ignore the consistency mount option. - Fixed a bug where failures during the resizing of a container's TTY would print the wrong error. - Fixed a bug where the podman network disconnect command could cause the podman inspect command to fail for a container until it was restarted (#9234). - Fixed a bug where containers created from a read-only rootfs (using the --rootfs option to podman create and podman run) would fail (#9230). - Fixed a bug where specifying Go templates to the --format option to multiple Podman commands did not support the join function (#8773). - Fixed a bug where the podman rmi command could, when run in parallel on multiple images, return layer not known errors (#6510). - Fixed a bug where the podman inspect command on containers displayed unlimited ulimits incorrectly (#9303). - Fixed a bug where Podman would fail to start when a volume was mounted over a directory in a container that contained symlinks that terminated outside the directory and its subdirectories (#6003). API - Libpod API version has been bumped to v3.0.0. - All Libpod Pod APIs have been modified to properly report errors with individual containers. Cases where the operation as a whole succeeded but individual containers failed now report an HTTP 409 error (#8865). - The Compat API for Containers now supports the Rename and Copy APIs. - Fixed a bug where the Compat Prune APIs (for volumes, containers, and images) did not return the amount of space reclaimed in their responses. - Fixed a bug where the Compat and Libpod Exec APIs for Containers would drop errors that occurred prior to the exec session successfully starting (e.g. a "no such file" error if an invalid executable was passed) (#8281) - Fixed a bug where the Volumes field in the Compat Create API for Containers was being ignored (#8649). - Fixed a bug where the NetworkMode field in the Compat Create API for Containers was not handling some values, e.g. container:, correctly. - Fixed a bug where the Compat Create API for Containers did not set container name properly. - Fixed a bug where containers created using the Compat Create API unconditionally used Kubernetes file logging (the default specified in containers.conf is now used). - Fixed a bug where the Compat Inspect API for Containers could include container states not recognized by Docker. - Fixed a bug where Podman did not properly clean up after calls to the Events API when the journald backend was in use, resulting in a leak of file descriptors (#8864). - Fixed a bug where the Libpod Pull endpoint for Images could fail with an index out of range error under certain circumstances (#8870). - Fixed a bug where the Libpod Exists endpoint for Images could panic. - Fixed a bug where the Compat List API for Containers did not support all filters (#8860). - Fixed a bug where the Compat List API for Containers did not properly populate the Status field. - Fixed a bug where the Compat and Libpod Resize APIs for Containers ignored the height and width parameters (#7102). - Fixed a bug where the Compat Search API for Images returned an incorrectly-formatted JSON response (#8758). - Fixed a bug where the Compat Load API for Images did not properly clean up temporary files. - Fixed a bug where the Compat Create API for Networks could panic when an empty IPAM configuration was specified. - Fixed a bug where the Compat Inspect and List APIs for Networks did not include Scope. - Fixed a bug where the Compat Wait endpoint for Containers did not support the same wait conditions that Docker did. * Misc - Updated Buildah to v1.19.2 - Updated the containers/storage library to v1.24.5 - Updated the containers/image library to v5.10.2 - Updated the containers/common library to v0.33.4 ==== procps ==== Subpackages: libprocps8 - Remove /usr/share/man/uk dir to file list for lang sub package: It's now provided by filesystem. ==== python-pytz ==== - Bump tzdata_version ==== python38 ==== Version update (3.8.7 -> 3.8.8) - Update to 3.8.8: - bpo#42938 (bsc#1181126): Avoid static buffers when computing the repr of ctypes.c_double and ctypes.c_longdouble values. This issue was assigned CVE-2021-3177. - bpo#42967 (bso#1182379): Fix web cache poisoning vulnerability by defaulting the query args separator to &, and allowing the user to choose a custom separator. This issue was assigned CVE-2021-23336. - Remove bsc1167501-invalid-alignment.patch and CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch, which were included into the upstream tarball. ==== python38-core ==== Version update (3.8.7 -> 3.8.8) Subpackages: libpython3_8-1_0 python38-base - Update to 3.8.8: - bpo#42938 (bsc#1181126): Avoid static buffers when computing the repr of ctypes.c_double and ctypes.c_longdouble values. This issue was assigned CVE-2021-3177. - bpo#42967 (bso#1182379): Fix web cache poisoning vulnerability by defaulting the query args separator to &, and allowing the user to choose a custom separator. This issue was assigned CVE-2021-23336. - Remove bsc1167501-invalid-alignment.patch and CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch, which were included into the upstream tarball. ==== rdma-core ==== Version update (31.3 -> 33.1) Subpackages: libefa1 libibverbs libibverbs1 libmlx4-1 libmlx5-1 librdmacm1 - Update to rdma-core v33.1 - No release notes available - Drop support for libnes - Drop support for libnes by removing patch: - Revert-libnes-Remove-libnes-from-rdma-core.patch - Refresh patches against latest sources: - Revert-libcxgb3-Remove-libcxgb3-from-rdma-core.patch - cxgb3-nes-fix-declaration-of-free_context.patch has been replaced by cxgb3-fix-declaration-of-free_context.patch - Add patches for cxgb3 support against newest API - cxgb3-fix-support-for-new-uquery-API.patch - Enable LTO support - Trigger udevadm in rdma-ndd %post (bsc#1182391) ==== selinux-policy ==== Version update (20210111 -> 20210223) Subpackages: selinux-policy-targeted - Update to version 20210223 - Change name of tar file to a more common schema to allow parallel installation of several source versions - Adjust fix_init.patch ==== system-users ==== Subpackages: system-group-hardware system-group-kvm system-user-nobody - Revert /var/lib/ntp to the ownership and permissions it had in the ntp package. It should be owned by root and not be writable by the ntp user, because it is the base of ntpd's chroot envoronment and the ntp user is not supposed to log in anyway. ==== systemd ==== Subpackages: libsystemd0 libudev1 systemd-logger systemd-sysvinit udev - systemd requires aaa_base >= 13.2 This dependency is required because 'systemctl {is-enabled,enable,disable} " ends up calling systemd-sysv-install which in its turn calls "chkconfig - -no-systemctl". aaa_base package has a weird versioning but the '--no-systemctl' option has been introduced starting from SLE12-SP2-GA, which shipped version "13.2+git20140911.61c1681". Spotted in bsc#1180083. ==== toolbox ==== Version update (2.1+git20210203.a669e3a -> 2.1+git20210226.daeb191) - Update to version 2.1+git20210226.daeb191: * Set trap only after option parsing (#22) - Update to version 2.1+git20210225.5c541c8: * Check sub{u,g}id if rootless, and fail early if they're not setup * Fix creating a container with a specific name with `-c` - Update to version 2.1+git20210208.a720b25: * Alleviate the need for zypper in the user toolbox script * Consolidate logging and help debugging of the user toolbox's script * Export machine-id and IPC inside the toolbox (IPC, user only) * Fix (more) formatting... ==== xen ==== Version update (4.14.1_11 -> 4.14.1_12) - bsc#1177204 - L3-Question: conring size for XEN HV's with huge memory to small. Inital Xen logs cut 5ffc58c4-ACPI-reduce-verbosity-by-default.patch - Upstream bug fixes (bsc#1027519) 601d4396-x86-EFI-suppress-ld-2-36-debug-info.patch 602bd768-page_alloc-only-flush-after-scrubbing.patch 602cfe3d-IOMMU-check-if-initialized-before-teardown.patch 602e5a8c-gnttab-never-permit-mapping-transitive-grants.patch 602e5abb-gnttab-bypass-IOMMU-when-mapping-own-grant.patch 6037b02e-x86-EFI-suppress-ld-2-36-base-relocs.patch - bsc#1181921 - GCC 11: xen package fails gcc11-fixes.patch - bsc#1182576 - L3: XEN domU crashed on resume when using the xl unpause command 602ffae9-tools-libs-light-fix-xl-save--c-handling.patch - Start using the %autosetup macro to simplify patch management xen.spec