Packages changed: MozillaFirefox-branding-openSUSE MozillaThunderbird (45.1.1 -> 45.2) accountsservice (0.6.40 -> 0.6.42) alsa-tools apache2 (2.4.20 -> 2.4.23) build (20160427 -> 20160629) cmake (3.5.2 -> 3.6.0) coreutils ethtool (4.5 -> 4.6) expat (2.1.1 -> 2.2.0) flex fontconfig (2.11.1 -> 2.12.0) git (2.9.0 -> 2.9.2) gnome-control-center gnome-online-accounts (3.20.1 -> 3.20.2) gnome-software (3.20.3 -> 3.20.4) gnome-sudoku (3.20.2 -> 3.20.4) gnutls (3.4.13 -> 3.4.14) gspell (1.0.2 -> 1.0.3) gstreamer-plugins-bad gvfs installation-images-openSUSE (14.254 -> 14.258) kernel-source (4.6.3 -> 4.6.4) libdiscid libmnl (1.0.3 -> 1.0.4) libselinux (2.3 -> 2.5) libsepol (2.3 -> 2.5) perl-Carp-Clan (6.04 -> 6.06) perl-DateTime-TimeZone (2.00 -> 2.01) perl-YAML (1.17 -> 1.18) pidgin-sipe (1.20.1 -> 1.21.1) python-ipaddress (1.0.14 -> 1.0.16) systemd-presets-branding-openSUSE thin-provisioning-tools (0.6.1 -> 0.6.2) tiff util-linux util-linux-systemd xiterm yast2-bootloader (3.1.197 -> 3.1.198) yast2-network (3.1.158 -> 3.1.159) === Details === ==== MozillaFirefox-branding-openSUSE ==== - Identify the different Leap versions correctly (up to Leap 42.2) (boo#987969). ==== MozillaThunderbird ==== Version update (45.1.1 -> 45.2) Subpackages: MozillaThunderbird-translations-common - update to Thunderbird 45.2 (boo#983549) Security fixes: * CVE-2016-2818, CVE-2016-2815: Memory safety bugs (MFSA2016-49) - drop mozilla-flexible-array-member-in-union.patch, upstream ==== accountsservice ==== Version update (0.6.40 -> 0.6.42) Subpackages: libaccountsservice0 typelib-1_0-AccountsService-1_0 - Remove pkgconfig(libsystemd-daemon). Nowadays pkgconfig(libsystemd) is enough and replaces all libsystemd-* libs which are obsolete. - Update to version 0.6.42: + Wtmp fixes on solaris. + Allow a user to change his own data even if he's remote. + Add way to set password hint independent of password. + Conform to modern systemd library naming scheme. + Disable GVFS support in service, since it's not needed and has bad side effects. - Replace pkgconfig(libsystemd-login) for pkgconfig(libsystemd) BuildRequires following upstream changes. ==== alsa-tools ==== - Upstream fix for gcc6 compile error on ppc: 0001-gcc6-narrowing-error.patch ==== apache2 ==== Version update (2.4.20 -> 2.4.23) Subpackages: apache2-devel apache2-doc apache2-example-pages apache2-prefork apache2-utils - add httpd-2.4.x-fate317766-config-control-two-protocol-options.diff Introduces directives to control two protocol options: * HttpContentLengthHeadZero - allow Content-Length of 0 to be returned on HEAD * HttpExpectStrict - allow admin to control whether we must see "100-continue" [bsc#894225], [fate#317766] - version 2.4.23 * Fixes CVE-2016-4979 [bsc#987365] * mod_proxy_hcheck was missing due to upstream bug. * mod_proxy_fdpass needs explicit configure line now. * Full list of changes: http://www-eu.apache.org/dist//httpd/CHANGES_2.4.23 ==== build ==== Version update (20160427 -> 20160629) Subpackages: build-mkbaselibs build-mkdrpms - adding first snapcraft support ==== cmake ==== Version update (3.5.2 -> 3.6.0) - While upstreaming cmake-version-in-generated-files.patch, the CMake developer Brad King reduced the patch - Remove PIE from macros - update to CMake 3.6.0 * The ?list()? command gained a ?FILTER? sub-command to filter list elements by regular expression. * A ?CMAKE_TRY_COMPILE_TARGET_TYPE? variable was added to optionally tell the ?try_compile()? command to build a static library instead of an executable. * A ?_CLANG_TIDY? target property and supporting ?CMAKE__CLANG_TIDY? variable were introduced to tell the Makefile Generators and the ?Ninja? generator to run ?clang-tidy? along with the compiler for ?C? and ?CXX? languages. * The ?ExternalProject? module leared the ?GIT_SHALLOW 1? option to perform a shallow clone of a Git repository. * The ?ExternalProject? module learned to initialize Git submodules recursively and also to initialize new submodules on updates. * The ?InstallRequiredSystemLibraries? module learned a new ?CMAKE_INSTALL_UCRT_LIBRARIES? option to enable app-local deployment of the Windows Universal CRT libraries with Visual Studio 2015. * The ?Compile Features? functionality is now aware of features supported by Intel C++ compilers versions 12.1 through 16.0 on UNIX platforms. * The ?CMakeForceCompiler? module and its macros are now deprecated. full changelog: https://blog.kitware.com/cmake-3-6-0-available-for-download/ - drop patch libarchive-version.patch which is included upstream - update patch cmake-version-in-generated-files.patch ==== coreutils ==== - coreutils-diagnose-fts-readdir-failure.patch: Add upstream patch to diagnose readdir() failures in fts-based utilities: rm, chmod, du, etc. (boo#984910) ==== ethtool ==== Version update (4.5 -> 4.6) - Update to new upstream release 4.6 * Feature: Support register dump on Intel X550 NICs (-d option) * Fix: Correct some reported register offsets on Intel 10GbE NICs (-d option) * Feature: Add IPv6 support to NFC (-n, -N, -u and -U options) * Feature: Add support for ETHTOOL_xLINKSETTINGS ioctls (no option and -s option) * Feature: Use netlink socket when AF_INET not available ==== expat ==== Version update (2.1.1 -> 2.2.0) Subpackages: libexpat-devel libexpat1 libexpat1-32bit - Version update to 2.2.0: * Various cmake and autotools script updates * Fix detection of utf8 character boundaries - Remove all patches merged upstream: * expat-2.1.1-avoid_relying_on_undef_behaviour.patch * expat-2.1.1-parser_crashes_on_malformed_input.patch * expat-alloc-size.patch * expat-visibility.patch ==== flex ==== - Small spec file cleanup ==== fontconfig ==== Version update (2.11.1 -> 2.12.0) Subpackages: fontconfig-32bit fontconfig-devel - Update to version 2.12.0: + Support the size specific design selection in OS/2 table version 5. + Allow the modification on 'lang' and 'charset' objects. + Increase the refcount in FcConfigSetCurrent(). + some updates in orth files. + Add --error-on-no-fonts option to fc-cache. + Use lang=und instead of lang=xx for "undetermined". + Add FC_WEIGHT_DEMILIGHT and change from 65 to 55. + Add FC_COLOR. + Treat color fonts as scalable. + no FC_LANG added with FcConfigSubstitute() when it has "und". + Hardcode blanks in library. + Support symbol fonts. + Unicode 8.0 support. + Add hintstyle templates and default hintslight. + GX font support. + Improve the footprint issue on updating caches. + Bump the cache version to 6. + more bug fixes. ==== git ==== Version update (2.9.0 -> 2.9.2) Subpackages: git-core git-cvs git-daemon git-email git-gui git-svn git-web gitk - git 2.9.2: * fix test suite failues with 64 bit timestamps - git 2.9.1: * socket-level KEEPALIVE for git daemon * Various compatible workflow and UI fixes * Various optimisations and documentation updates * Fix regression in v2.9 affecting "clone --depth" ==== gnome-control-center ==== Subpackages: gnome-control-center-color gnome-control-center-goa gnome-control-center-user-faces - Drop pkgconfig(libsystemd-login) BuildRequires: this dependency has ot been in use since version 3.7.4. ==== gnome-online-accounts ==== Version update (3.20.1 -> 3.20.2) Subpackages: gnome-online-accounts-devel libgoa-1_0-0 libgoa-backend-1_0-1 typelib-1_0-Goa-1_0 - Update to version 3.20.2: + lastfm: Don't forget to update the ret variable (bgo#760991). + Misc usability improvements to the imap-smtp provider (bgo#764283). + org.gnome.OnlineAccounts.Account:IsTemporary is not being set (bgo#765994). + Updated translations. ==== gnome-software ==== Version update (3.20.3 -> 3.20.4) - Update to version 3.20.4: + Always show the 'MyLanguage' kudo when in en_US locale. + Disable app folders feature when run outside GNOME. + Fix an issue with launching Epiphany web-apps. + Fix a number of issues with Fedora system upgrades. + Fix a possible crash when download-updates setting is changed. + Improve styling of software reviews and kudos. + Make the app folder dialog work again. + Support launching appstream://id. + Updated translations. - Drop gnome-software-fix-app-folders.patch: Fixed upstream. ==== gnome-sudoku ==== Version update (3.20.2 -> 3.20.4) - Update to version 3.20.4: + Avoid accidental use of C++ 11. - Update to version 3.20.3: + Seed the RNG so we actually get different puzzles each run. ==== gnutls ==== Version update (3.4.13 -> 3.4.14) Subpackages: libgnutls-dane0 libgnutls-devel libgnutls-openssl27 libgnutls30 libgnutls30-32bit - GnuTLS 3.4.14: * libgnutls: Address issue when utilizing the p11-kit trust store for certificate verification (GNUTLS-SA-2016-2, boo#988276) * libgnutls: Fixed DTLS handshake packet reconstruction. * libgnutls: Fixed issues with PKCS#11 reading of sensitive objects from SafeNet Network HSM * libgnutls: Corrected the writing of PKCS#11 CKA_SERIAL_NUMBER - drop upstreamed 0001-tests-use-datefudge-in-name-constraints-test.patch ==== gspell ==== Version update (1.0.2 -> 1.0.3) - Update to version 1.0.3: + Inline checker: fix constant redrawing of the GtkTextView when the current word is not checked. + Updated translations. ==== gstreamer-plugins-bad ==== Subpackages: libgstadaptivedemux-1_0-0 libgstbadaudio-1_0-0 libgstbadbase-1_0-0 libgstbadvideo-1_0-0 libgstbasecamerabinsrc-1_0-0 libgstcodecparsers-1_0-0 libgstgl-1_0-0 libgstmpegts-1_0-0 libgstphotography-1_0-0 libgsturidownloader-1_0-0 libgstwayland-1_0-0 - Really disable wayland support on SLE12. ==== gvfs ==== Subpackages: gvfs-backend-afc gvfs-backends gvfs-fuse - Replace pkgconfig(libsystemd-login) with pkgconfig(libsystemd): Nowadays pkgconfig(libsystemd) replaces all libsystemd-* libs, which are obsolete. - Fix "gvfs-smb timeout by message bus issue" (bsc#983992): + Add %glib2_gsettings_schema_require to preamble. + Add %glib2_gsettings_schema_post/postun to respective scripts of -backend-samba subpackage. ==== installation-images-openSUSE ==== Version update (14.254 -> 14.258) - don't include wpa_supplicant for s390x (bsc#974601) - documented common_tree script - load only an exactly matching inst-sys (bsc#974601) - reduce instsys size by removing files already in initrd - 14.258 - Adjust the OOM killers score for haveged (bsc#974601) - 14.257 - remove obsolete firmwarekit from BuildRequires - Drop some unused packages from the root image (bsc#974601) - yast2-devtools - yast2-buildtools - perl-Bootloader - perl-XML-Parser - perl-XML-Simple - 14.256 - set EGL_LOG_LEVEL=0 to stop some libELG warning (bsc#976374, bsc#970883) - 14.255 - Add missing xen-tools-domU to BuildRequires (bsc#979002) ==== kernel-source ==== Version update (4.6.3 -> 4.6.4) Subpackages: kernel-default kernel-default-devel kernel-devel kernel-docs kernel-macros kernel-syms - Linux 4.6.4 (bnc#982729). - Delete patches.drivers/0001-Subject-PATCH-USB-xhci-Add-broken-streams-quirk-for-.patch. - commit 103c936 - apparmor: fix oops, validate buffer size in apparmor_setprocattr() (CVE-2016-6187,bsc#988307). - commit fbe379c - Update patches.fixes/0001-posix_acl-Add-set_posix_acl.patch (bsc#986570 CVE-2016-1237). - Update patches.fixes/0002-nfsd-check-permissions-when-setting-ACLs.patch (bsc#986570 CVE-2016-1237). - commit 789949d - Update patches.fixes/0001-posix_acl-Add-set_posix_acl.patch (bsc#986570 CVE#2016-1237). - Update patches.fixes/0002-nfsd-check-permissions-when-setting-ACLs.patch (bsc#986570 CVE#2016-1237). - commit 10c8c01 - nfsd: check permissions when setting ACLs (bsc#986570). - posix_acl: Add set_posix_acl (bsc#986570). - commit 2763888 - Update patches.kernel.org/patch-4.6.2-3 (add CVE-2016-4997 bsc#986362). - commit fbd108c ==== libdiscid ==== - Remove useless --with-pic (it's for unbuilt static libs). Remove redundant %clean. - Remove nonsense provide, it is not requested by debuginfo. ==== libmnl ==== Version update (1.0.3 -> 1.0.4) - Update to new upstream release 1.0.4 * Improvements in the netlink message printing function, attribute validation for MNL_TYPE_MSEC and MNL_TYPE_U64, clang compilation fixes, the new mnl_socket_open2() and mnl_socket_fdopen() functions, missing handling for NLM_F_DUMP_INTR and documentation updates. ==== libselinux ==== Version update (2.3 -> 2.5) Subpackages: libselinux-devel libselinux1 libselinux1-32bit - Adjusted source link - add patch: python-selinux-swig-3.10.patch, fixed boo#985368 * swig-3.10 in Factory use importlib instead of imp to find _selinux.so. imp searched the same directory as __init__.py is while importlib searchs only standard paths. so we have to move _selinux.so. fixed by upstream - update version 2.5 * Add selinux_restorecon function * read_spec_entry: fail on non-ascii * Add man information about thread specific functions * Don't wrap rpm_execcon with DISABLE_RPM with SWIG * Correct line count for property and service context files * label_file: fix memory leaks and uninitialized jump * Replace selabel_digest hash function * Fix selabel_open(3) services if no digest requested * Add selabel_digest function * Flush the class/perm string mapping cache on policy reload * Fix restorecon when path has no context * Free memory when processing media and x specfiles * Fix mmap memory release for file labeling * Add policy context validation to sefcontext_compile * Do not treat an empty file_contexts(.local) as an error * Fail hard on invalid property_contexts entries * Fail hard on invalid file_contexts entries * Support context validation on file_contexts.bin * Add selabel_cmp interface and label_file backend * Support specifying file_contexts.bin file path * Support file_contexts.bin without file_contexts * Simplify procattr cache * Use /proc/thread-self when available * Add const to selinux_opt for label backends * Fix binary file labels for regexes with metachars * Fix file labels for regexes with metachars * Fix if file_contexts not '\n' terminated * Enhance file context support * Fix property processing and cleanup formatting * Add read_spec_entries function to replace sscanf * Support consistent mode size for bin files * Fix more bin file processing core dumps * add selinux_openssh_contexts_path() * setrans_client: minimize overhead when mcstransd is not present * Ensure selabel_lookup_best_match links NULL terminated * Fix core dumps with corrupt *.bin files * Add selabel partial and best match APIs * Use os.walk() instead of the deprecated os.path.walk() * Remove deprecated mudflap option * Mount procfs before checking /proc/filesystems * Fix -Wformat errors with gcc-5.0.0 * label_file: handle newlines in file names * Fix audit2why error handling if SELinux is disabled * pcre_study can return NULL without error * Only check SELinux enabled status once in selinux_check_access - changes in 2.4 * Remove assumption that SHLIBDIR is ../../ relative to LIBDIR * Fix bugs found by hardened gcc flags * Set the system to permissive if failing to disable SELinux because policy has already been loaded * Add db_exception and db_datatype support to label_db backend * Log an error on unknown classes and permissions * Add pcre version string to the compiled file_contexts format * Deprecate use of flask.h and av_permissions.h * Compiled file_context files and the original should have the same DAC permissions - fixed selinux-ready to work with initrd files created by dracut (bsc#940006) ==== libsepol ==== Version update (2.3 -> 2.5) Subpackages: libsepol-devel libsepol1 - Cleanup spec file with spec-cleaner - Make spec file a bit more easy - Ship new supbackage (-tools) - Without bug number no submit to SLE 12 SP2 is possible, so to make sle-changelog-checker happy: bsc#988977 - Adjusted source link - update version 2.5 * Fix unused variable annotations * Fix uninitialized variable in CIL * Validate extended avrules and permissionxs in CIL * Add support in CIL for neverallowx * Fully expand neverallowxperm rules * Add support for unordered classes to CIL * Add neverallow support for ioctl extended permissions * Improve CIL block and macro call recursion detection * Fix CIL uninitialized false positive in cil_binary * Provide error in CIL if classperms are empty * Add userattribute{set} functionality to CIL * fix CIL blockinherit copying segfault and add macro restrictions * fix CIL NULL pointer dereference when copying classpermission/set * Add CIL support for ioctl whitelists * Fix memory leak when destroying avtab * Replace sscanf in module_to_cil * Improve CIL resolution error messages * Fix policydb_read for policy versions < 24 * Added CIL bounds checking and refactored CIL Neverallow checking * Refactored libsepol Neverallow and bounds (hierarchy) checking * Treat types like an attribute in the attr_type_map * Add new ebitmap function named ebitmap_match_any() * switch operations to extended perms * Write auditadm_r and secadm_r roles to base module when writing CIL * Fix module to CIL to only associate declared roleattributes with in-scope types * Don't allow categories/sensitivities inside blocks in CIL * Replace fmemopen() with internal function in libsepol * Verify users prior to evaluating users in cil * Binary modules do not support ioctl rules * Add support for ioctl command whitelisting * Don't use symbol versioning for static object files * Add sepol_module_policydb_to_cil(), sepol_module_package_to_cil(), and sepol_ppfile_to_module_package() * Move secilc out of libsepol * fix building Xen policy with devicetreecon, and add devicetreecon CIL documentation * bool_copy_callback set state on creation * Add device tree ocontext nodes to Xen policy * Widen Xen IOMEM context entries * Fix error path in mls_semantic_level_expand() * Update to latest CIL, includes new name resolution and fixes ordering issues with blockinherit statements, and bug fixes - changes in 2.4 * Remove assumption that SHLIBDIR is ../../ relative to LIBDIR * Fix bugs found by hardened gcc flags * Build CIL into libsepol. libsepol can be built without CIL by setting the DISABLE_CIL flag to 'y' * Add an API function to set target_platform * Report all neverallow violations * Improve check_assertions performance * Allow libsepol C++ static library on device ==== perl-Carp-Clan ==== Version update (6.04 -> 6.06) - updated to 6.06 see /usr/share/doc/packages/perl-Carp-Clan/Changes Version 6.06 29.05.2016 + Avoid failure due to version self-check in 20pre560.t This test seems like a footgun for release management reasons, but apprently I wasn't quite as careful as I tried to be in keeping the last release minimal. Version 6.05 29.05.2016 + Patch tests failing due to 5.25.1+'s deprecated unquoted { } in regex. (RT #114537) ==== perl-DateTime-TimeZone ==== Version update (2.00 -> 2.01) - updated to 2.01 see /usr/share/doc/packages/perl-DateTime-TimeZone/Changes 2.01 2016-07-17 - This release is based on version 2016f of the Olson database. This release includes contemporary changes for Egypt and Russia. The changes for Egypt supersede the ones in 2016e. ==== perl-YAML ==== Version update (1.17 -> 1.18) - updated to 1.18 see /usr/share/doc/packages/perl-YAML/Changes 1.18 Fri Jul 8 14:52:26 UTC 2016 - Apply PR/161 @perlpunk++ ==== pidgin-sipe ==== Version update (1.20.1 -> 1.21.1) Subpackages: libpurple-plugin-sipe - Version update to 1.21.1: * various bug fixes in media support * configure no longer ignores CFLAGS/LDFLAGS/LIBS - Drop telepathy conditionals as we don't build on sle11 anyway - Move the docs from library to main package to allow multiple versions at once as SLP wants ==== python-ipaddress ==== Version update (1.0.14 -> 1.0.16) - Update to 1.0.16: * include license * Customize warning when bytes are passed in ==== systemd-presets-branding-openSUSE ==== - enable vmblock-fuse service for VMWare by default (bsc#986277) ==== thin-provisioning-tools ==== Version update (0.6.1 -> 0.6.2) - Update to version 0.6.2: * Fix bug in thin_delta * Fix recent regression in thin_repair. * Force g++-98 dialect * Fix bug in thin_trim ==== tiff ==== Subpackages: libtiff-devel libtiff5 libtiff5-32bit - Added patches: * tiff-4.0.6-libtiff-tif_luv.c-validate-that-for-COMPRESSION_SGIL.patch * tiff-4.0.6-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch * tiff-4.0.6-libtiff-tif_read.c-make-TIFFReadEncodedStrip-and.patch - Upstream commits to fix CVE-2016-5314 [bsc#984831], CVE-2016-5316 [bsc#984837], CVE-2016-5317 [bsc#984842], CVE-2016-5320 [bsc#984808] and CVE-2016-5875 [bsc#987351] ==== util-linux ==== Subpackages: libblkid-devel libblkid1 libblkid1-32bit libfdisk1 libmount1 libmount1-32bit libsmartcols1 libuuid-devel libuuid1 libuuid1-32bit - BuildIgnore util-linux: it's part of VMInstall, hence part of every package build. util-linux itself can be built without its own presence though. Helps with some rare bootstrap issues (when librtas changes soname for example). - Drop usage of gpg-offline: this has long been migrated to a source service that checks signatures on checkin already (osc service lr source_validatory). ==== util-linux-systemd ==== - BuildIgnore util-linux: it's part of VMInstall, hence part of every package build. util-linux itself can be built without its own presence though. Helps with some rare bootstrap issues (when librtas changes soname for example). - Drop usage of gpg-offline: this has long been migrated to a source service that checks signatures on checkin already (osc service lr source_validatory). ==== xiterm ==== Subpackages: fbiterm gtkiterm libiterm1 - implict-ptsname-decl.patch: fix implicit declaration of ptsname with glibc >= 2.24 ==== yast2-bootloader ==== Version update (3.1.197 -> 3.1.198) - fix writing default boot entry when it is located in grub2 submenu (bnc#986005) - 3.1.198 ==== yast2-network ==== Version update (3.1.158 -> 3.1.159) - Added entry "dhclient_set_hostname" to the AutoYaST schema file. Bug similar bnc#954412. - 3.1.159