Packages changed:
  GraphicsMagick
  aaa_base (84.87+git20230329.b39efbc -> 84.87+git20230815.cab7b44)
  busybox-links
  coreutils (9.3 -> 9.4)
  crypto-policies
  drbd (9.0.30~1+git.8e9c0812 -> 9.1.16)
  drbd-utils (9.19.0 -> 9.25.0)
  grep
  kdump
  kexec-tools (2.0.26.0 -> 2.0.27)
  lastlog2 (1.1.0 -> 1.2.0)
  libei (1.0.901 -> 1.1.0)
  multipath-tools (0.9.5+68+suse.d1b6a1c -> 0.9.6+71+suse.f07325e)
  open-vm-tools (12.2.0 -> 12.3.0)
  pam-config (2.5 -> 2.8)
  perl-Bootloader (1.6 -> 1.8)
  python-async_timeout (4.0.2 -> 4.0.3)
  python-click (8.1.6 -> 8.1.7)
  python-lxml
  python-outcome
  python-psycopg2 (2.9.6 -> 2.9.7)
  python-zope.event (4.6 -> 5.0)
  python311 (3.11.4 -> 3.11.5)
  python311-core (3.11.4 -> 3.11.5)
  shaderc (2023.4 -> 2023.6)
  sssd (2.9.1 -> 2.9.2)
  unbound (1.17.1 -> 1.18.0)
  wireless-regdb (20230721 -> 20230901)

=== Details ===

==== GraphicsMagick ====
Subpackages: libGraphicsMagick++-Q16-12 libGraphicsMagick-Q16-3 libGraphicsMagick3-config

- revert to 1.3.40 [bsc#1214831]
  https://sourceforge.net/p/graphicsmagick/news/2023/08/because-1341-is-discarded-i-has-been-published-2-builds-for-win32-architecture/
- modified patches
  % GraphicsMagick-disable-insecure-coders.patch (refreshed)
- deleted patches
  - GraphicsMagick-fix-regression-NULL-instead-of-empty-string.patch (not needed)
  - GraphicsMagick-name-key-return-input-file-base-name.patch (not needed)
- fix regression in 1.3.41
  https://sourceforge.net/p/graphicsmagick/bugs/722/
- added patches
  fix 17179:91afa18a6161
  + GraphicsMagick-fix-regression-NULL-instead-of-empty-string.patch
  fix 17180:bb42cd90ce6f
  + GraphicsMagick-name-key-return-input-file-base-name.patch
- version update to 1.3.41
  Bug fixes:
  * Blob: Immediately reject attempts to write blobs to formats which can not support blobs.
  * TranslateTextEx(): An empty string argument should return an empty string rather than a NULL string.
  * SetImageAttribute(): Fix bounds issue when concatenating string.
  * JPEG: Do not set image resolution if the values provided are outside of the valid range.
  * Fixes for NaN when reading formats based on floating point.
  * HEIF: Fix reading images with rotation/transformation.
  * BMP: Do not decode primaries or gamma unless colorspace is LCS_CALIBRATED_RGB. Add/correct bmp_info.size "biSize" logic which decides if header chunks are present (or invalid).
  * MNG: Fixes for resizing using X_method 5.
  * GM command (convert, montage, mogrify): Many command-line parser fixes/checks for invalid command line syntax which causes unexpected behavior, or core dumps.
  * TopoL: Given that a writer is now provided, issues found in the reader (and writer) due to continual fuzz-testing have been fixed, as encountered.
  * GetImageClippingPathAttribute(): Check for and use clipping path name (ID=2999) to get the real attribute name.
  * ReadIPTCProfile(): Fix malformed IPTC data parsing.
  New Features:
  * TopoL: Now provides a writer.
  * WPG: Now provides a writer.
  * gm batch: Implement simple Test Anything Protocol (TAP) test counting and "ok N"/"not ok N" messaging.
  * TIFF: Support '-define tiff:photometric=minisblack' and '-define tiff:photometric=miniswhite' to be able to adjust the sense used when writing bilevel TIFF images.
  * TIFF: Require that TIFFTAG_EXTRASAMPLES be used appropriately to indicate the intention of extra channels.
  * utilities/tests/gen-tiff-images/genimages: Script for writing (and then reading) thousands (5568 permutations) of TIFF format variants.
  * EXIF and PNG: Retrieve image orientation from EXIF (if present) and store in image.
  * HEIF: Retrieve image orientation from EXIF and store in image.
  Behavior Changes:
  * The ability to extend existing image attribute text by calling SetImageAttribute() multiple times with the same key is now deprecated, and will soon be removed. In the mean time, the annoying message "SetImageAttribute: Extending attribute value text is deprecated!"
    is printed to the standard error output to help expose code which is using this feature.
- modified patches
  % GraphicsMagick-disable-insecure-coders.patch (refreshed)
- deleted patches
  - strlcpy-wrong-sizing.patch (upstreamed)

==== aaa_base ====
Version update (84.87+git20230329.b39efbc -> 84.87+git20230815.cab7b44)
Subpackages: aaa_base-extras

- Update to version 84.87+git20230815.cab7b44:
  * Remove broken autocompletion overrides and restore default bash behavior
  * Add foot to DIR_COLORS
  * files/u/s/sysconf_addword: avoid bashism, fix shellcheck warnings
  * files/u/s/smart_agetty: replace shebang with /bin/sh
  * files/u/s/service: avoid bashism, fix shellcheck warnings
  * files/u/s/refresh_initrd: make POSIX compliant
  * files/u/b/safe-rm: make POSIX compliant
  * aaa_base.post: replace shebang with /usr/sh
  * files/u/b/old: make POSIX compliant

==== busybox-links ====
Subpackages: busybox-bzip2 busybox-coreutils busybox-ed busybox-findutils busybox-gawk busybox-grep busybox-gzip busybox-misc busybox-psmisc busybox-sed busybox-sendmail busybox-tar busybox-which busybox-xz

- Add conflict for coreutils-systemd, package got split

==== coreutils ====
Version update (9.3 -> 9.4)
Subpackages: coreutils-lang

- Update to 9.4:
  Bug fixes:
  * b2sum --check will no longer read unallocated memory when presented with malformed checksum lines. [bug introduced in coreutils-9.2]
  * cp --parents again succeeds when preserving mode for absolute directories. Previously it would have failed with a "No such file or directory" error. [bug introduced in coreutils-9.1]
  * cp --sparse=never will avoid copy-on-write (reflinking) and copy offloading, to ensure no holes present in the destination copy. [bug introduced in coreutils-9.0]
  * cksum again diagnoses read errors in its default CRC32 mode. [bug introduced in coreutils-9.0]
  * cksum --check now ensures filenames with a leading backslash character are escaped appropriately in the status output.
    This also applies to the standalone checksumming utilities. [bug introduced in coreutils-8.25]
  * dd again supports more than two multipliers for numbers. Previously numbers of the form '1024x1024x32' gave "invalid number" errors. [bug introduced in coreutils-9.1]
  * factor, numfmt, and tsort now diagnose read errors on the input. [This bug was present in "the beginning".]
  * install --strip now supports installing to files with a leading hyphen. Previously such file names would have caused the strip process to fail. [This bug was present in "the beginning".]
  * ls now shows symlinks specified on the command line that can't be traversed. Previously a "Too many levels of symbolic links" diagnostic was given. [This bug was present in "the beginning".]
  * pr --length=1 --double-space no longer enters an infinite loop. [This bug was present in "the beginning".]
  * tac now handles short reads on its input. Previously it may have exited erroneously, especially with large input files with no separators. [This bug was present in "the beginning".]
  * uptime no longer incorrectly prints "0 users" on OpenBSD, and is being built again on FreeBSD and Haiku. [bugs introduced in coreutils-9.2]
  * wc -l and cksum no longer crash with an "Illegal instruction" error on x86 Linux kernels that disable XSAVE YMM. This was seen on Xen VMs. [bug introduced in coreutils-9.0]
  Changes in behavior:
  * cp -v and mv -v will no longer output a message for each file skipped due to -i, or -u. Instead they only output this information with --debug. I.e., 'cp -u -v' etc. will have the same verbosity as before coreutils-9.3.
  * cksum -b no longer prints base64-encoded checksums. Rather that short option is reserved to better support emulation of the standalone checksum utilities with cksum.
  * mv dir x now complains differently if x/dir is a nonempty directory. Previously it said "mv: cannot move 'dir' to 'x/dir': Directory not empty", where it was unclear whether 'dir' or 'x/dir' was the problem.
    Now it says "mv: cannot overwrite 'x/dir': Directory not empty". Similarly for other renames where the destination must be the problem. [problem introduced in coreutils-6.0]
- Enable systemd-logind support
- Add gnulib-readutmp.patch: Fix seg.fault of who, pinky, uptime [dgo#65617]
- Create -systemd flavor with binaries linked against libsystemd
- Drop coreutils-invalid-ids.patch to get consistent behavior, most tools were already removed from that patch.
- coreutils-misc.patch: adjust paths
- coreutils-skip-some-sort-tests-on-ppc.patch: adjust paths
- coreutils-test_without_valgrind.patch: adjust paths
- coreutils-i18n.patch: update from Fedora

==== crypto-policies ====
Subpackages: crypto-policies-scripts

- Tests: Fix pylint versioning for TW and fix the parsing of the policygenerators to account for the commented lines correctly.
  * Add crypto-policies-pylint.patch
  * Rebase crypto-policies-policygenerators.patch
- FIPS: Adapt the fips-mode-setup script to use the pbl command from the perl-Bootloader package to replace grubby. Add a note for transactional systems [jsc#PED-4578].
  * Rebase crypto-policies-FIPS.patch

==== drbd ====
Version update (9.0.30~1+git.8e9c0812 -> 9.1.16)
Subpackages: drbd-kmp-default

- Update DRBD version from 9.0.30+ to 9.1.16 (PED-6362)
  * 9.1.16 (api:genl2/proto:86-121/transport:18)
    * shorten times DRBD keeps IRQs on one CPU disabled.
      Could lead to connection interruption under specific conditions
    * fix a corner case where resync did not start after resync-pause state flapped
    * fix online adding of volumes/minors to an already connected resource
    * fix a possible split-brain situation with quorum enabled with ping-timeout set to (unusual) high value
    * fix a locking problem that could lead to kernel OOPS
    * ensure resync can continue (bitmap-based) after interruption also when it started as a full-resync first
    * correctly handle meta-data when forgetting diskless peers
    * fix a possibility of getting a split-brain although quorum enabled
    * correctly propagate UUIDs after resync following a resize operation. Consequence could be a full resync instead of a bitmap-based one
    * fix a rare race condition that can cause a drbd device to end up with WFBitMapS/Established replication states
  * 9.1.15 (api:genl2/proto:86-121/transport:18)
    * fix how flush requests are marked when submitted to the Linux IO stack on the secondary node
    * when establishing a connection failed with a two-pc timeout, a receiver thread deadlocked, causing drbdsetup calls to block on that resource (difficult to trigger)
    * fixed a NULL-ptr deref (an OOPS) caused by a rare race condition while taking a resource down
    * fix a possible hard kernel-lockup, can only be triggered when a CPU-mask is configured
    * updated kernel compatibility to at least Linux head and also fixed a bug in the compat checks/rules that caused OOPSes of the previous drbd releases when compiled with Linux-6.2 (or on RHEL 9.2 kernel).
    * fix an aspect of the data-generation (UUID) handling where DRBD failed to do a resync when a diskless node in the remaining partition promotes and demotes while a diskful node is isolated
    * fix an aspect of the data-generation (UUID) handling where DRBD considered a node to have unrelated data; this bug was triggered by a sequence involving removing two nodes from a cluster and readding one with the "day-0" UUIDs.
    * do not block specific state changes (promote, demote, attach, and detach) when only some nodes add a new minor
  * 9.1.14 (api:genl2/proto:86-121/transport:18)
    * fix a race with concurrent promotion and demotion, which can lead to an unexpected "split-brain" later on
    * fix a specific case where promotion was allowed where it should not
    * fix a race condition between auto-promote and a second two-phase commit that can lead to a DRBD thread locking up in an endless loop
    * fix several bugs with "resync-after":
      - missing resync-resume when minor numbers run in opposite direction as the resync-after dependencies
      - a race that might lead to an OOPS in add_timer()
    * fix an OOPS when reading from in_flight_summary in debugfs
    * fix a race that might lead to an endless loop of printing "postponing start_resync" while starting a resync
    * fix diskless node with a diskfull with a 4KiB backend
    * simplify remembering two-pc parents, maybe fixing a one-time-seen bug
    * derive abort_local_transaction timeout from ping-timeout
  * 9.1.13 (api:genl2/proto:86-121/transport:18)
    * when calculating if a partition has quorum, take into account if the missing nodes might have quorum
    * fix forget-peer for diskless peers
    * clear the resync_again counter upon disconnect
    * also call the unfence handler when no resync happens
    * do not set bitmap bits when attaching to an up-to-date disk (late)
    * work on bringing the out-of-tree DRBD9 closer to DRBD in the upstream kernel; Use lru_cache.ko from the installed kernel whenever possible
  * 9.1.12 (api:genl2/proto:86-121/transport:18)
    * fix a race that could result in connection attempts getting aborted with the message "sock_recvmsg returned -11"
    * rate limit messages in case the peer can not write the backing storage and it does not finish the necessary state transitions
    * reduced the receive timeout during connecting to the intended 5 seconds (ten times ping-ack timeout)
    * losing the connection at a specific point in time during establishing a
      connection could cause a transition to StandAlone; fixed that, so that it keeps trying to connect
    * fix a race that could lead to a fence-peer handler being called unexpectedly when the fencing policy is changed at the moment before promoting
  * 9.1.11 (api:genl2/proto:86-121/transport:18)
    * The change introduced with 9.1.10 created another problem that might lead to premature request completion (kernel crash); reverted that change and fix it in another way
  * 9.1.10 (api:genl2/proto:86-121/transport:18)
    * fix a regression introduced with 9.1.9; using protocol A on SMP with heavy IO might cause a kernel crash
  * 9.1.9 (api:genl2/proto:86-121/transport:18)
    * fix a mistake in the compat generation code; it broke DRBD on partitions on kernel older than linux 5.10 (this was introduced with drbd-9.1.8; not affected: logical volumes)
    * fix for a bug (introduced with drbd-9.0.0), that caused possible inconsistencies in the mirror when using the 'resync-after' option
    * fix a bug that could cause a request to get stuck after an unlucky timing with a loss of connection
    * close a very small timing window between connect and promote that could lead to the new-current-uuid not being transmitted to the concurrently connecting peer, which might lead to denied connections later on
    * fix a recently introduced OOPS when adding new volumes to a connected resource
... changelog too long, skipping 131 lines ...
  - bsc-1206791-09-pmem-use-fs_dax_get_by_bdev-instead-of-dax_get_by_ho.patch

==== drbd-utils ====
Version update (9.19.0 -> 9.25.0)

- Update to 9.25.0 (PED-5842)
  * drbdsetup,v9,show: fix meta disk format for json
  * drbdmeta: {hex,}dump superblock
  * drbdmon: major rewrite
  * build: gcc v12 cleanups
  * misc: put locks into separate dir
  * selinux: add fowner fsetsid, they dropped a global noaudit rule
  * v9: Support user-defined block-size
  * doc,v9: improvements all over the place
  * drbdadm,v9: implement drbdadm role
  * drbdadm,v9: pass --verbose/--statistics to drbdsetup status
  * drbd{adm,meta}: add repair-md subcommand
  * drbdadm,v9,resync-after: fix too strict check
  * drbdadm,v9,floating: fixup fake uname for 9.2.x strict_names=1
  * drbdadm,v9,parser: fixup globs, also rm GNU libc specific extensions
  * drbdadm,v9,parser: allow via outside-address for NATed peers
  * parser,v9: deprecate named connections
  * drbd-selinux: add sub package, minor packaging/spec changes
  * drbdadm: allow files from expanded glob to vanish
  * drbdadm,v9: fix potential segfault in postparse
  * drbdadm,v9: fix sh-ip when set on connection/path
  * drbdmeta: fix apply-al for bitmap sizes > 4GiB
  * drbd-service-shim.sh: add secondary --force
  * ocf: fix for dropped --peer option
  * drbdsetup,v9: show suspend reason in json output
  * drbdsetup,v9: add secondary --force
  * drbdsetup,v9: fix *susp_str() for events2 diff mode
  * drbdadm,v9: fix sh-resource
  * drbdadm,v9: rm --peer=connect_to_host
  * ocf: deal with situation where PM node name and actual node name do not match
  * notify.sh: deal with unset DRBD_PEER env variable
  * crm-fence-peer: fix timeout with Pacemaker 2.0.5
  * drbdmeta: don't wait for confirmation if not a TTY
  * drbdadm,v9: Pass '--force' to certain drbdmeta commands
  * drbdmeta: do init in chunks; allow different methods
  * build: various minor fixes (udev detection, POSIX, compiler flags, allow doc building with asciidoctor,...)
  * drbd.ocf: fix type (relevant for certain pcs versions)
  * crm-fence-peer: fix timeout with Pacemaker 2.1
  * v9,proxy: allow multiple sharing a proxy node
  * v9,drbdsetup: quote resource name in "show"
  * build: allow building for RHEL9.0, minor cleanups
  * reactor/systemd: allow proper actions (e.g., reboot) if demotion fails.
    - introduce new systemd service: drbd-demote-or-escalate@.service
- remove v83 v84 binaries (incompatible with kmp)
- drop patches which are already included in latest code:
  - 0001-crm-fence-peer-fix-timeout-with-Pacemaker-2.1-milli-.patch
  - 0002-crm-fence-peer-fix-timeout-with-Pacemaker-2.0.5-mill.patch
- add upstream patch:
  + 0001-drbdadm-v9-do-not-segfault-when-re-configuring-proxy.patch
  + 0002-user-drbrdmon-add-missing-stdint.h-includes.patch
  + 0003-Introduce-default_types.h-header.patch
- change patch name:
  - 0001-Disable-quorum-in-default-configuration-bsc-1032142.patch
  + bsc-1032142_Disable-quorum-in-default-configuration.patch
- rebase patch:
  + pie-fix.patch
  + rpmlint-build-error.patch

==== grep ====
Subpackages: grep-lang

- export CONFIG_SHELL=/bin/sh before running configure: results in the shell script (egrep/fgrep) to receive a /bin/sh shebang instead of requiring bash (the local shell used to build).

==== kdump ====

- update calibrate values, newly added SLE15-SP6 values

==== kexec-tools ====
Version update (2.0.26.0 -> 2.0.27)

- update to 2.0.27:
  * ppc64: add --reuse-cmdline parameter support
  * kexec: make -a the default
  * x86: add devicetree support
  * ppc64: document elf-ppc64 options and --dt-no-old-root
  * LoongArch: kdump: set up kernel image segment
  * arm64: zboot support
- Disable Xen support in ALP

==== lastlog2 ====
Version update (1.1.0 -> 1.2.0)
Subpackages: liblastlog2-1

- Version 1.2.0
  - show_lastlogin: Don't read if no database
  - Fix -flto for clang
  - Documentation fixes

==== libei ====
Version update (1.0.901 -> 1.1.0)

- Update to release 1.1
  * Correct documentation for ei_touch_(get|set)_user_data

==== multipath-tools ====
Version update (0.9.5+68+suse.d1b6a1c -> 0.9.6+71+suse.f07325e)
Subpackages: kpartx libmpath0

- Update to version 0.9.6+71+suse.f07325e:
  * avoid changing SCSI timeouts in "multipath -d" (bsc#1213809)
- Update to version 0.9.6+70+suse.63925e8:
  Upstream feature additions and bug fixes:
  * ignore nvme devices by default if nvme native multipath is enabled
  * add "group_by_tpg" path_grouping_policy
  * add config options "detect_pgpolicy" and "detect_pgpolicy_use_tpg"
  * libmultipath: add ALUA tpg path wildcard "%A"
  * make prioritizer timeouts consistent with checker timeouts
  * fix dev_loss_tmo even if not set in configuration (bsc#1212440)
  * libmultipath: fix max_sectors_kb on adding path
  * fix warnings reported by udevadm verify

==== open-vm-tools ====
Version update (12.2.0 -> 12.3.0)
Subpackages: libvmtools0 open-vm-tools-desktop

- Update to 12.3.0 (build 22234872) (boo#1214850)
  - There are no new features in the open-vm-tools 12.3.0 release. This is primarily a maintenance release that addresses a few critical problems, including:
  - This release integrates CVE-2023-20900 without the need for a patch.
    For more information on this vulnerability and its impact on VMware products, see https://www.vmware.com/security/advisories/VMSA-2023-0019.html.
  - A tools.conf configuration setting is available to temporarily direct Linux quiesced snapshots to restore pre open-vm-tools 12.2.0 behavior of ignoring file systems already frozen.
  - Building of the VMware Guest Authentication Service (VGAuth) using "xml-security-c" and "xerces-c" is being deprecated.
  - A number of Coverity reported issues have been addressed.
  - A number of GitHub issues and pull requests have been handled. Please see the Resolved Issues section of the Release Notes.
  - For issues resolved in this release, see the Resolved Issues section of the Release Notes.
  - For complete details, see: https://github.com/vmware/open-vm-tools/releases/tag/stable-12.3.0
  - Release Notes are available at https://github.com/vmware/open-vm-tools/blob/stable-12.3.0/ReleaseNotes.md
  - The granular changes that have gone into the 12.3.0 release are in the ChangeLog at https://github.com/vmware/open-vm-tools/blob/stable-12.3.0/open-vm-tools/ChangeLog
- Fix (bsc#1205927) - hv_vmbus module is loaded unnecessarily in VMware guests
- jsc-PED-1344 - re-enable building containerinfo plugin for SLES 15 SP4.
- Drop patch now contained in 12.3.0:
  + 0001-build-put-l-specifiers-into-LIBADD-not-LDFLAGS.patch
  + 0002-build-use-grpc-pkgconfig-to-retrieve-flags-libraries.patch
  + 2023-20867-Remove-some-dead-code.patch
  + CVE-20230-20900.patch

==== pam-config ====
Version update (2.5 -> 2.8)

- Update to version 2.8
  - Replace aad module with himmelblau
- Update to version 2.7
  - Add support for aad module
- Update to version 2.6
  - Remove pam_cracklib from config even if no successor is installed
  - Run update in %posttrans after all other PAM modules got installed/removed
  - Both are required for [bsc#1214885]

==== perl-Bootloader ====
Version update (1.6 -> 1.8)

- merge gh#openSUSE/perl-bootloader#158
- skip warning about unsupported options when in compat mode
- 1.8
- merge gh#openSUSE/perl-bootloader#156
- bootloader_entry script can have an optional 'force-default' argument (bsc#1215064)
- 1.7

==== python-async_timeout ====
Version update (4.0.2 -> 4.0.3)

- update to 4.0.3:
  * Fixed compatibility with asyncio.timeout() on Python 3.11+.
  * Added support for Python 3.11.
  * Dropped support for Python 3.6.

==== python-click ====
Version update (8.1.6 -> 8.1.7)

- update to 8.1.7:
  * Fix issue with regex flags in shell completion.
  * Bash version detection issues a warning instead of an error.
  * Fix issue with completion script for Fish shell.

==== python-lxml ====

- skip html5lib tests - cyclic dependency with html5lib tests
- remove python 2.x from testing

==== python-outcome ====

- drop outdated dependency on async_generator (see https://github.com/python-trio/outcome/issues/12)

==== python-psycopg2 ====
Version update (2.9.6 -> 2.9.7)

- update to 2.9.7:
  * Fix propagation of exceptions raised during module initialization
  * Fix building when pg_config returns an empty string

==== python-zope.event ====
Version update (4.6 -> 5.0)

- update to 5.0:
  * Drop support for Python 2.7, 3.5, 3.6.

==== python311 ====
Version update (3.11.4 -> 3.11.5)
Subpackages: python311-curses python311-dbm

- Update to 3.11.5 (bsc#1214692):
  - Security
    - gh-108310: Fixed an issue where instances of ssl.SSLSocket were vulnerable to a bypass of the TLS handshake and included protections (like certificate verification) and treating sent unencrypted data as if it were post-handshake TLS encrypted data. Security issue reported as CVE-2023-40217 by Aapo Oksman. Patch by Gregory P. Smith.
  - Core and Builtins
    - gh-104432: Fix potential unaligned memory access on C APIs involving returned sequences of char * pointers within the grp and socket modules. These were revealed using a -fsanitize=alignment build on ARM macOS. Patch by Christopher Chavez.
    - gh-77377: Ensure that multiprocessing synchronization objects created in a fork context are not sent to a different process created in a spawn context. This changes a segfault into an actionable RuntimeError in the parent process.
    - gh-106092: Fix a segmentation fault caused by a use-after-free bug in frame_dealloc when the trashcan delays the deallocation of a PyFrameObject.
    - gh-106719: No longer suppress arbitrary errors in the __annotations__ getter and setter in the type and module types.
    - gh-106723: Propagate frozen_modules to multiprocessing spawned process interpreters.
    - gh-105979: Fix crash in _imp.get_frozen_object() due to improper exception handling.
    - gh-105840: Fix possible crashes when specializing function calls with too many __defaults__.
    - gh-105588: Fix an issue that could result in crashes when compiling malformed ast nodes.
    - gh-105375: Fix bugs in the builtins module where exceptions could end up being overwritten.
    - gh-105375: Fix bug in the compiler where an exception could end up being overwritten.
    - gh-105375: Improve error handling in PyUnicode_BuildEncodingMap() where an exception could end up being overwritten.
    - gh-105235: Prevent out-of-bounds memory access during mmap.find() calls.
    - gh-101006: Improve error handling when reading marshal data.
  - Library
    - gh-105736: Harmonized the pure Python version of OrderedDict with the C version. Now, both versions set up their internal state in __new__. Formerly, the pure Python version did the set up in __init__.
    - gh-107963: Fix multiprocessing.set_forkserver_preload() to check the given list of module names. Patch by Dong-hee Na.
    - gh-106242: Fixes os.path.normpath() to handle embedded null characters without truncating the path.
    - gh-107845: tarfile.data_filter() now takes the location of symlinks into account when determining their target, so it will no longer reject some valid tarballs with LinkOutsideDestinationError.
    - gh-107715: Fix doctest.DocTestFinder.find() in presence of class names with special characters. Patch by Gertjan van Zwieten.
    - gh-100814: Passing a callable object as an option value to a Tkinter image now raises the expected TclError instead of an AttributeError.
    - gh-106684: Close asyncio.StreamWriter when it is not closed by application leading to memory leaks. Patch by Kumar Aditya.
    - gh-107077: Seems that in some conditions, OpenSSL will return SSL_ERROR_SYSCALL instead of SSL_ERROR_SSL when a certification verification has failed, but the error parameters will still contain ERR_LIB_SSL and SSL_R_CERTIFICATE_VERIFY_FAILED. We are now detecting this situation and raising the appropriate ssl.SSLCertVerificationError. Patch by Pablo Galindo
    - gh-107396: tarfiles; Fixed use before assignment of self.exception for gzip decompression
    - gh-62519: Make gettext.pgettext() search plural definitions when translation is not found.
    - gh-83006: Document behavior of shutil.disk_usage() for non-mounted filesystems on Unix.
    - gh-106186: Do not report MultipartInvariantViolationDefect defect when the email.parser.Parser class is used to parse emails with headersonly=True.
    - gh-106831: Fix potential missing NULL check of d2i_SSL_SESSION result in _ssl.c.
    - gh-106774: Update the bundled copy of pip to version 23.2.1.
    - gh-106752: Fixed several bugs in zipfile.Path in name/suffix/suffixes/stem operations when no filename is present and the Path is not at the root of the zipfile.
    - gh-106602: Add __copy__ and __deepcopy__ in enum
    - gh-106530: Revert a change to colorsys.rgb_to_hls() that caused division by zero for certain almost-white inputs. Patch by Terry Jan Reedy.
    - gh-106052: re module: fix the matching of possessive quantifiers in the case of a subpattern containing backtracking.
    - gh-106510: Improve debug output for atomic groups in regular expressions.
    - gh-105497: Fix flag mask inversion when unnamed flags exist.
    - gh-90876: Prevent multiprocessing.spawn from failing to import in environments where sys.executable is None. This regressed in 3.11 with the addition of support for path-like objects in multiprocessing.
    - gh-106350: Detect possible memory allocation failure in the libtommath function mp_init() used by the _tkinter module.
    - gh-102541: Make pydoc.doc catch bad module ImportError when output stream is not None.
... changelog too long, skipping 124 lines ...
      data: *consumed was not set.

==== python311-core ====
Version update (3.11.4 -> 3.11.5)
Subpackages: libpython3_11-1_0 python311-base

- Update to 3.11.5 (bsc#1214692):
  - Security
    - gh-108310: Fixed an issue where instances of ssl.SSLSocket were vulnerable to a bypass of the TLS handshake and included protections (like certificate verification) and treating sent unencrypted data as if it were post-handshake TLS encrypted data. Security issue reported as CVE-2023-40217 by Aapo Oksman. Patch by Gregory P. Smith.
  - Core and Builtins
    - gh-104432: Fix potential unaligned memory access on C APIs involving returned sequences of char * pointers within the grp and socket modules. These were revealed using a -fsanitize=alignment build on ARM macOS. Patch by Christopher Chavez.
    - gh-77377: Ensure that multiprocessing synchronization objects created in a fork context are not sent to a different process created in a spawn context. This changes a segfault into an actionable RuntimeError in the parent process.
    - gh-106092: Fix a segmentation fault caused by a use-after-free bug in frame_dealloc when the trashcan delays the deallocation of a PyFrameObject.
    - gh-106719: No longer suppress arbitrary errors in the __annotations__ getter and setter in the type and module types.
    - gh-106723: Propagate frozen_modules to multiprocessing spawned process interpreters.
    - gh-105979: Fix crash in _imp.get_frozen_object() due to improper exception handling.
    - gh-105840: Fix possible crashes when specializing function calls with too many __defaults__.
    - gh-105588: Fix an issue that could result in crashes when compiling malformed ast nodes.
    - gh-105375: Fix bugs in the builtins module where exceptions could end up being overwritten.
    - gh-105375: Fix bug in the compiler where an exception could end up being overwritten.
    - gh-105375: Improve error handling in PyUnicode_BuildEncodingMap() where an exception could end up being overwritten.
    - gh-105235: Prevent out-of-bounds memory access during mmap.find() calls.
    - gh-101006: Improve error handling when reading marshal data.
  - Library
    - gh-105736: Harmonized the pure Python version of OrderedDict with the C version. Now, both versions set up their internal state in __new__. Formerly, the pure Python version did the set up in __init__.
    - gh-107963: Fix multiprocessing.set_forkserver_preload() to check the given list of module names. Patch by Dong-hee Na.
    - gh-106242: Fixes os.path.normpath() to handle embedded null characters without truncating the path.
    - gh-107845: tarfile.data_filter() now takes the location of symlinks into account when determining their target, so it will no longer reject some valid tarballs with LinkOutsideDestinationError.
    - gh-107715: Fix doctest.DocTestFinder.find() in presence of class names with special characters. Patch by Gertjan van Zwieten.
    - gh-100814: Passing a callable object as an option value to a Tkinter image now raises the expected TclError instead of an AttributeError.
    - gh-106684: Close asyncio.StreamWriter when it is not closed by application leading to memory leaks. Patch by Kumar Aditya.
    - gh-107077: Seems that in some conditions, OpenSSL will return SSL_ERROR_SYSCALL instead of SSL_ERROR_SSL when a certification verification has failed, but the error parameters will still contain ERR_LIB_SSL and SSL_R_CERTIFICATE_VERIFY_FAILED. We are now detecting this situation and raising the appropriate ssl.SSLCertVerificationError. Patch by Pablo Galindo
    - gh-107396: tarfiles; Fixed use before assignment of self.exception for gzip decompression
    - gh-62519: Make gettext.pgettext() search plural definitions when translation is not found.
    - gh-83006: Document behavior of shutil.disk_usage() for non-mounted filesystems on Unix.
    - gh-106186: Do not report MultipartInvariantViolationDefect defect when the email.parser.Parser class is used to parse emails with headersonly=True.
    - gh-106831: Fix potential missing NULL check of d2i_SSL_SESSION result in _ssl.c.
    - gh-106774: Update the bundled copy of pip to version 23.2.1.
    - gh-106752: Fixed several bugs in zipfile.Path in name/suffix/suffixes/stem operations when no filename is present and the Path is not at the root of the zipfile.
    - gh-106602: Add __copy__ and __deepcopy__ in enum
    - gh-106530: Revert a change to colorsys.rgb_to_hls() that caused division by zero for certain almost-white inputs. Patch by Terry Jan Reedy.
    - gh-106052: re module: fix the matching of possessive quantifiers in the case of a subpattern containing backtracking.
    - gh-106510: Improve debug output for atomic groups in regular expressions.
    - gh-105497: Fix flag mask inversion when unnamed flags exist.
- gh-90876: Prevent multiprocessing.spawn from failing to import in environments where sys.executable is None. This regressed in 3.11 with the addition of support for path-like objects in multiprocessing.
- gh-106350: Detect possible memory allocation failure in the libtommath function mp_init() used by the _tkinter module.
- gh-102541: Make pydoc.doc catch bad module ImportError when output stream is not None.

... changelog too long, skipping 124 lines ...
data: *consumed was not set.

==== shaderc ====
Version update (2023.4 -> 2023.6)
- Update to release 2023.6
  * Build system updates only

==== sssd ====
Version update (2.9.1 -> 2.9.2)
Subpackages: libsss_certmap0 libsss_idmap0 libsss_nss_idmap0 sssd-krb5-common sssd-ldap
- Update to release 2.9.2
  * sssctl cert-show and cert-show cert-eval-rule can now be run as non-root user.
  * New option local_auth_policy is added to control which offline authentication methods will be enabled by SSSD.

==== unbound ====
Version update (1.17.1 -> 1.18.0)
Subpackages: libunbound8 unbound-anchor
- Update to 1.18.0:
  * Features:
    - Add a metric about the maximum number of collisions in lruhash.
    - Set max-udp-size default to 1232. This is the same default value as the default value for edns-buffer-size. It restricts client edns buffer size choices, and makes unbound behave similar to other DNS resolvers.
    - Add harden-unknown-additional option. It removes unknown records from the authority section and additional section.
    - Added new static zone type block_a to suppress all A queries for specific zones.
    - [FR] Ability to use Redis unix sockets.
    - [FR] Ability to set the Redis password.
    - Features/dropqueuedpackets, with sock-queue-timeout option that drops packets that have been in the socket queue for too long. Added statistics num.queries_timed_out and query.queue_time_us.max that track the socket queue timeouts.
    - 'eqvinox' Lamparter: NAT64 support.
    - [FR] Use kernel timestamps for dnstap.
    - Add cachedb hit stat.
      Introduces 'num.query.cachedb' as a new statistical counter.
    - Add SVCB dohpath support.
    - Add validation EDEs to queries where the CD bit is set.
    - Add prefetch support for subnet cache entries.
    - Add EDE (RFC8914) caching.
    - Add support for EDE caching in cachedb and subnetcache.
    - Downstream DNS Server Cookies a la RFC7873 and RFC9018. Create server cookies for clients that send client cookies. This needs to be explicitly turned on in the config file with: `answer-cookie: yes`.
  * Bug Fixes
    - Response change to NODATA for some ANY queries since 1.12.
    - Fix not following cleared RD flags potentially enables amplification DDoS attacks.
    - Set default for harden-unknown-additional to no. So that it does not hamper future protocol developments.
    - Fix to ignore entirely empty responses, and try at another authority. This turns completely empty responses, a type of noerror/nodata into a servfail, but they do not conform to RFC2308, and the retry can fetch improved content.
    - Allow TTL refresh of expired error responses.
    - Fix: Unexpected behavior with client-subnet-always-forward and serve-expired
    - Fix unbound-dnstap-socket test program to reply the finish frame over a TLS connection correctly.
    - Fix: reserved identifier violation
    - Fix: Unencrypted query is sent when forward-tls-upstream: yes is used without tls-cert-bundle
    - Extra consistency check to make sure that when TLS is requested, either we set up a TLS connection or we return an error.
    - Fix: NXDOMAIN instead of NOERROR rcode when asked for existing CNAME record.
    - Fix: Bad interaction with 0 TTL records and serve-expired
    - Fix RPZ IP responses with trigger rpz-drop on cache entries.
    - Fix RPZ removal of client-ip, nsip, nsdname triggers from IXFR.
    - Fix dereference of NULL variable warning in mesh_do_callback.
    - Fix ip_ratelimit test to work with dig that enables DNS cookies.
    - Fix for iter_dec_attempts that could cause a hang, part of capsforid and qname minimisation, depending on the settings.
    - Fix uninitialized memory passed in padding bytes of cmsg to sendmsg.
    - Fix stat_values test to work with dig that enables DNS cookies.
    - unbound.service: Main process exited, code=killed, status=11/SEGV. Fixes cachedb configuration handling.
    - Fix: processQueryResponse() THROWAWAY should be mindful of fail_reply.

==== wireless-regdb ====
Version update (20230721 -> 20230901)
- Update to version 20230901:
  * wireless-regdb: update regulatory database based on preceding changes
  * wireless-regdb: Update regulatory rules for Australia (AU) for June 2023