Removed rpms ============ - libqhull7-7_2_0 - libscalapack2-mvapich2-32bit - libscalapack2-mvapich2-devel-32bit - libscalapack2_2_1_0-gnu-mpich-hpc - libscalapack2_2_1_0-gnu-mpich-hpc-devel - libscalapack2_2_1_0-gnu-mpich-hpc-devel-static - libscalapack2_2_1_0-gnu-mvapich2-hpc - libscalapack2_2_1_0-gnu-mvapich2-hpc-devel - libscalapack2_2_1_0-gnu-mvapich2-hpc-devel-static - libscalapack2_2_1_0-gnu-openmpi2-hpc - libscalapack2_2_1_0-gnu-openmpi2-hpc-devel - libscalapack2_2_1_0-gnu-openmpi2-hpc-devel-static - libscalapack2_2_1_0-gnu-openmpi3-hpc - libscalapack2_2_1_0-gnu-openmpi3-hpc-devel - libscalapack2_2_1_0-gnu-openmpi3-hpc-devel-static - libscalapack2_2_1_0-gnu-openmpi4-hpc - libscalapack2_2_1_0-gnu-openmpi4-hpc-devel - libscalapack2_2_1_0-gnu-openmpi4-hpc-devel-static - python3-Sphinx-doc-man - python3-libfdt - qhull-devel - superlu-gnu-hpc-devel - superlu-gnu-hpc-doc - superlu-gnu-hpc-examples - superlu_5_2_2-gnu-hpc-devel - superlu_5_2_2-gnu-hpc-doc - superlu_5_2_2-gnu-hpc-examples Added rpms ========== - libcamel-1_2-62 - libcamel-1_2-62-32bit - libedataserver-1_2-24 - libedataserver-1_2-24-32bit - libedataserverui-1_2-2 - libedataserverui-1_2-2-32bit Package Source Changes ====================== bouncycastle +- Update to version 1.72: + * Defects Fixed: + - There were parameter errors in XMSS^MT OIDs for + XMSSMT_SHA2_40/4_256 and XMSSMT_SHA2_60/3_256. These have + been fixed. + - There was an error in Merkle tree construction for the + Evidence Records (ERS) implementation which could result in + invalid roots been timestamped. ERS now produces an + ArchiveTimeStamp for each data object/group with an associated + reduced hash tree. The reduced hash tree is now calculated as + a simple path to the root of the tree for each record. + - OpenPGP will now ignore signatures marked as non-exportable + on encoding. + - A tagging calculation error in GCMSIV which could result in + incorrect tags has been fixed. + - Issues around Java 17 which could result in failing tests + have been addressed. + * Additional Features and Functionality: + - BCJSSE: TLS 1.3 is now enabled by default where no explicit + protocols are supplied (e.g. "TLS" or "Default" SSLContext + algorithms, or SSLContext.getDefault() method). + - BCJSSE: Rewrite SSLEngine implementation to improve compatibility + with SunJSSE. + - BCJSSE: Support export of keying material via extension API. + - (D)TLS: Add support for 'tls-exporter' channel binding per RFC 9266. + - (D)TLS (low-level API): By default, only (D)TLS 1.2 and TLS 1.3 are + offered now. Earlier versions are still supported if explicitly + enabled. Users may need to check they are offering suitable + cipher suites for TLS 1.3. + - (D)TLS (low-level API): Add support for raw public keys per RFC 7250. + - CryptoServicesRegistrar now has a setServicesConstraints() method + on it which can be used to selectively turn off algorithms. + - The NIST PQC Alternate Candidate, Picnic, has been added to the low + level API and the BCPQC provider. + - SPHINCS+ has been upgraded to the latest submission, SPHINCS+ 3.1 + and support for Haraka has been added. + - Evidence records now support timestamp renewal and hash renewal. + - The SIKE Alternative Candidate NIST Post Quantum Algorithm has + been added to the low-level PQC API. + - The NTRU Round 3 Finalist Candidate NIST Post Quantum Algorithm + has been added to the low-level API and the BCPQC provider. + - The Falcon Finalist NIST Post Quantum Algorithm has been added to + the low-level API and the BCPQC provider. + - The CRYSTALS-Kyber Finalist NIST Post Quantum Algorithm has been + added to the low-level API and the BCPQC provider. + - Argon2 Support has been added to the OpenPGP API. + - XDH IES has now been added to the BC provider. + - The OpenPGP API now supports AEAD encryption and decryption. + - The NTRU Prime Alternative Candidate NIST Post Quantum Algorithms + have been added to the low-level API and the BCPQC provider. + - The CRYSTALS-Dilithium Finalist NIST Post Quantum Algorithm has + been added to the low-level API and the BCPQC provider. + - The BIKE NIST Post Quantum Alternative/Round-4 Candidate has been + added to the low-level API and the BCPQC provider. + - The HQC NIST Post Quantum Alternative/Round-4 Candidate has been + added to the low-level API and the BCPQC provider. + - Grain128AEAD has been added to the lightweight API. + - A fast version of CRC24 has been added for use with the PGP API. + - Some additional methods and fields have been exposed in the + PGPOnePassSignature class to (hopefully) make it easier to + deal with nested signatures. + - CMP support classes have been updated to reflect the latest + editions to the the draft RFC "Lightweight Certificate Management + Protocol (CMP) Profile". + - Support has been added to the PKCS#12 implementation for the + Oracle trusted certificate attribute. + - Performance of our BZIP2 classes has been improved. + * Notes: + - Keep in mind the PQC algorithms are still under development and + we are still at least a year and a half away from published standards. + This means the algorithms may still change so by all means experiment, + but do not use the PQC algoritms for anything long term. + - The legacy "Rainbow" and "McEliece" implementations have been + removed from the BCPQC provider. The underlying classes are + still present if required. Other legacy algorithm implementations + can be found under the org.bouncycastle.pqc.legacy package. + * Security Notes: + - The PQC SIKE algorithm is provided for research purposes only. + It should now be regarded as broken. The SIKE implementation + will be withdrawn in BC 1.73. + * Rebase bouncycastle-javadoc.patch + dracut +- Update to version 055+suse.360.g076f1113: + * fix(network-legacy): handle do_dhcp calls without arguments (bsc#1210640) + fips=1 and separate /boot break s390x (bsc#1204478): + * fix(fips): move fips-boot script to pre-pivot + * fix(fips): only unmount /boot if it was mounted by the fips module + * feat(fips): add progress messages + * fix(fips): do not blindly remove /boot + dtc +- makefile-bison-rule.patch: Makefile: fix infinite recursion by dropping + non-existent `%.output` + +- update to 1.6.1: + * A number of bugfixes + * Fix many warnings with -Wsign-compare + * Add compilation with meson (not used by default so far) + * Yet another revamp of how we handle unaligned accesses + * Added a number of extra checks for common tree errors + * Checks for interrupt providers + * i2c reg properties + * Tighten checking of gpio properties + * Reduce dependencies when building libfdt only + * Allow libfdt.h header to be used from C++ more easily + * Accept .dtbo extension for overlays + * Update valid node and property characters to match current devicetree spec + * Add several checks for root node sanity in fdt_check_full() + * Somewhat more robust type labelling for the benefit of yaml output + +- Update to 1.6.0 (no changelog) +- Removed dtc-no-common-conflict.patch + +- add dtc-no-common-conflict.patch (bsc#1160388) + +- Use %make_build and recpect %optflags. + git +- Apply "CVE-2023-25652.patch" to fix a security vulnerability + where by feeding a specially crafted input to `git apply + - -reject`, a path outside the working tree could be overwritten + with partially controlled contents (corresponding to the rejected + hunk(s) from the given patch). [CVE-2023-25652, bsc#1210686] +- Apply "CVE-2023-25815.patch" to fix a security vulnerability that + exists when Git is compiled with runtime prefix support and runs + without translated messages, then it still used the gettext + machinery to display messages, which subsequently potentially + looked for translated messages in unexpected places. This allowed + for malicious placement of crafted messages. [CVE-2023-25815, + bsc#1210686] +- Apply "CVE-2023-29007-0.patch", "CVE-2023-29007-1.patch", + "CVE-2023-29007-2.patch", and "CVE-2023-29007-3.patch" to fix a + security vulnerability that occurred when renaming or deleting a + section from a configuration file, then certain malicious + configuration values might have been misinterpreted as the + beginning of a new configuration section, leading to arbitrary + configuration injection. [CVE-2023-29007, bsc#1210686] + glib2 +- Update glib2-fix-normal-form-handling-in-gvariant.patch: + Backported from upstream to fix regression on s390x. + (bsc#1210135, glgo#GNOME/glib!2978) + +- Add glib2-fix-normal-form-handling-in-gvariant.patch: Backported + from upstream to fix normal form handling in GVariant. + (CVE-2023-24593, CVE-2023-25180, bsc#1209714, bsc#1209713, + glgo#GNOME/glib!3125) + kernel-firmware-nvidia-gsp-G06 +- update firmware to version 525.116.03 + ledmon +- Don't use ProtectKernelTunables, can break some use cases + (bsc#1210656) + libtpms +- 0001-tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch: + Fixes CVE-2023-1017 & CVE-2023-1018: fixed memory corruptions in CryptParameterDecryption (bsc#1206022 bsc#1206023) + lshw +- Update to version B.02.19.2+git.20230320 (bsc#1209531): + * fix NVMe multipath detection + * NVMe: fix logical name with native multipath + +- Update to version B.02.19.2+git.20220831: + * PA-RISC: handle pushd failure + mdadm +- Fixes for mdmon to ensure it run at the right time in the + fight mount namespace. This fixes various problems with + IMSM raid arrays in 15-SP4 (bsc#1205493, bsc#1205830) + - mdmon: fix segfault + 0052-mdmon-fix-segfault.patch + - util: remove obsolete code from get_md_name + 0053-util-remove-obsolete-code-from-get_md_name.patch + - mdmon: don't test both 'all' and 'container_name'. + 0054-mdmon-don-t-test-both-all-and-container_name.patch + - mdmon: change systemd unit file to use --foreground + 0055-mdmon-change-systemd-unit-file-to-use-foreground.patch + - mdmon: Remove need for KillMode=none + 0056-mdmon-Remove-need-for-KillMode-none.patch + - mdmon: Improve switchroot interactions. + 0057-mdmon-Improve-switchroot-interactions.patch + - mdopen: always try create_named_array() + 0058-mdopen-always-try-create_named_array.patch + - Improvements for IMSM_NO_PLATFORM testing + 0059-Improvements-for-IMSM_NO_PLATFORM-testing.patch + nvidia-open-driver-G06-signed +- Update to version 525.116.03 + python-osc-tiny +- Release .0.7.12 + * Enhanced usability and reliability for `HttpSignatureAuth` + * Prevent sharing of sessions across forked processes + * Fixed typo in quickstart doc + +- Release 0.7.11 + * Make it possible to force setting meta + * Improved strong authentication method + * Support product list views honoring the `expand` parameter + +- Release 0.7.10 + * Include the original error message, when an SSH key cannot be read + * Added a link to the documentation of `HttpSignatureAuth` + * Allow `Package.exists` to raise exceptions + * Added methods to get/set the project config + +- Release 0.7.9: + * Simplified handling of SSH keys (fixes #114) + * Replaced `Request.cmd` with `Request.update` (fixes #113) + * Added a comment parameter to project and package `set_meta` + +- Fixed problem with dependency in SPEC file(bsc#1206040) +- Release 0.7.7: + * Support for Python 3.11 + * Workaround for another parameter inconsistency in the API + * Treat `deleted` and `expand` parameters of `/source//` + as boolean (despite not being documented as such) + * Do not send the `deleted` parameter, when the `view` parameter + is present + rubygem-actionview-5_1 +- Add patch to fix CVE-2022-27777 (bsc#1199060) + 0004-CVE-2022-27777.patch + +- Add patch to fix CVE-2020-15169 (bsc#1176421) + 0003-CVE-2020-15169.patch + +- Add patch to fix CVE-2020-8167 (bsc#1172184) + 0002-CVE-2020-8167.patch +