- apache-commons-codec
-
- Update to 1.16.1:
* New features:
+ Add Maven property project.build.outputTimestamp for build
reproducibility
* Fixed Bugs:
+ CODEC-295: Test clean ups
+ CODEC-295: Correct error in Base64 Javadoc
+ CODEC-295: Add minimum Java version in changes.xml
+ CODEC-310: Documentation update for the
org.apache.commons.codec.digest.* package
+ Precompile regular expression in UnixCrypt.crypt(byte[],
String)
+ CODEC-315: Fix possible IndexOutOfBoundsException in
PhoneticEngine.encode method
+ CODEC-313: Fix possible ArrayIndexOutOfBoundsException in
QuotedPrintableCodec.encodeQuotedPrintable() method
+ CODEC-312: Fix possible StringIndexOutOfBoundsException in
MatchRatingApproachEncoder.encode() method
+ CODEC-311: Fix possible ArrayIndexOutOfBoundsException in
RefinedSoundex.getMappingCode()
+ CODEC-314: Fix possible IndexOutOfBoundsException in
PercentCodec.insertAlwaysEncodeChars() method
+ Deprecate UnixCrypt 0-argument constructor
+ Deprecate Md5Crypt 0-argument constructor
+ Deprecate Crypt 0-argument constructor
+ Deprecate StringUtils 0-argument constructor
+ Deprecate Resources 0-argument constructor
+ Deprecate Charsets 0-argument constructor
+ Deprecate CharEncoding 0-argument constructor
- Update to 1.16.0:
* Minor improvements #67. Fixes CODEC-295.
* Remove duplicated words from Javadocs.
* Simplify assertion #84. Fixes CODEC-301.
* Simplify assertion #84. Fixes CODEC-300.
* Use Standard Charset object #82. Fixes CODEC-298.
* Use String.contains() functions #125.
* Avoid use toString() or substring() in favor of a simplified expression #126.
* Fix byte-skipping in Base16 decoding #135. Fixes CODEC-305.
* Fix several typos, improve writing in some javadocs #139.
* BaseNCodecOutputStream.eof() should not throw IOException.
* Javadoc improvements and cleanups.
* Deprecate BaseNCodec.isWhiteSpace(byte) and use Character.isWhitespace(int).
* Add support for Blake3 family of hashes. Fixes CODEC-296.
* Add github/codeql-action.
* Bump actions/cache from v2 to v3.0.10 #75, #99, #119, #138, #149, #152.
* Bump actions/setup-java from v1.4.1 to 3.5.1 #60, #62, #121.
* Bump actions/checkout from 2.3.2 to 3.1.0 #65, #98, #114, #153.
* Bump commons-parent from 52 to 58, #147, #165, #170.
* Bump junit from 4.13.1 to 5.9.1 #76, #39, #140, #148. Fixes CODEC-285.
* Bump Java 7 to 8.
* Bump japicmp-maven-plugin from 0.14.3 to 0.17.1.
* Bump jacoco-maven-plugin from 0.8.5 to 0.8.8 (Fixes Java 15 builds).
* Bump maven-surefire-plugin from 2.22.2 to 3.0.0-M7 #122, #134.
* Bump maven-javadoc-plugin from 3.2.0 to 3.4.1.
* Bump animal-sniffer-maven-plugin from 1.19 to 1.22.
* Bump maven-pmd-plugin from 3.13.0 to 3.19.0, #133, #142, #145.
* Bump pmd from 6.47.0 to 6.52.0.
* Bump maven-checkstyle-plugin from 2.17 to 3.2.0 #143.
* Bump checkstyle from 8.45.1 to 9.3 #97, #100, #101, #103.
* Bump taglist-maven-plugin from 2.4 to 3.0.0 #102.
* Bump jacoco-maven-plugin from 0.8.7 to 0.8.8.
- apache-commons-compress
-
- Use %patch -P N instead of deprecated %patchN.
- Upgrade to 1.26
* Fixing several vulnerabilities
+ bsc#1220068, CVE-2024-26308
+ bsc#1220070, CVE-2024-25710
* New Features
+ Add and use ZipFile.builder(), ZipFile.Builder, and deprecate
constructors
+ Add and use SevenZFile.builder(), SevenZFile.Builder, and
deprecate constructors
+ Add and use ArchiveInputStream.getCharset()
+ Add and use ArchiveEntry.resolveIn(Path)
+ Add Maven property project.build.outputTimestamp for build
reproducibility
* Fixed Bugs
+ COMPRESS-632: Check for invalid PAX values in TarArchiveEntry
+ COMPRESS-632: Fix for zero size headers in ArjInputStream
+ COMPRESS-632: Fixes and tests for ArInputStream
+ COMPRESS-632: Fixes for dump file parsing
+ COMPRESS-632: Improve CPIO exception detection and handling
+ Deprecate SkipShieldingInputStream without replacement (no
longer used)
+ Reuse commons-codec, don't duplicate class PureJavaCrc32C
(removed package-private class)
+ Reuse commons-codec, don't duplicate class XXHash32
(deprecated class)
+ Reuse commons-io, don't duplicate class Charsets (deprecated
class)
+ Reuse commons-io, don't duplicate class IOUtils (deprecated
methods)
+ Reuse commons-io, don't duplicate class BoundedInputStream
(deprecated class)
+ Reuse commons-io, don't duplicate class FileTimes (deprecated
TimeUtils methods)
+ Reuse Arrays.equals(byte[], byte[]) and deprecate
ArchiveUtils.isEqual(byte[], byte[])
+ Add a null-check for the class loader of OsgiUtils
+ Add a null-check in Pack200.newInstance(String, String)
+ Deprecate ChecksumCalculatingInputStream in favor of
java.util.zip.CheckedInputStream
+ Deprecate CRC32VerifyingInputStream
.CRC32VerifyingInputStream(InputStream, long, int)
+ COMPRESS-655: FramedSnappyCompressorOutputStream produces
incorrect output when writing a large buffer
+ COMPRESS-657: Fix TAR directory entries being misinterpreted
as files
+ Deprecate unused method FileNameUtils.getBaseName(String)
+ Deprecate unused method FileNameUtils.getExtension(String)
+ ArchiveInputStream.BoundedInputStream.read() incorrectly adds
1 for EOF to the bytes read count
+ Deprecate IOUtils.read(File, byte[])
+ Deprecate IOUtils.copyRange(InputStream, long, OutputStream,
int)
+ COMPRESS-653: ZipArchiveOutputStream multi archive updates
metadata in incorrect file
+ Deprecate ByteUtils.InputStreamByteSupplier
+ Deprecate ByteUtils.fromLittleEndian(InputStream, int)
+ Deprecate ByteUtils.toLittleEndian(DataOutput, long, int)
+ Reduce duplication by having ArchiveInputStream extend
FilterInputStream
+ Support preamble garbage in ZipArchiveInputStream
+ COMPRESS-658: Fix formatting the lowest expressible DOS time
+ Drop reflection from ExtraFieldUtils static initialization
+ Preserve exception causation in
ExtraFieldUtils.register(Class)
- Upgrade to 1.25.0
* New features:
+ Add GzipParameters.getFileName() and deprecate getFilename()
+ Add GzipParameters.setFileName(String) and deprecate
setFilename(String)
+ Add FileNameUtil.getCompressedFileName(String) and deprecate
getCompressedFilename(String)
+ Add FileNameUtil.getUncompressedFileName(String) and deprecate
getUncompressedFilename(String)
+ Add FileNameUtil.isCompressedFileName(String) and deprecate
isCompressedFilename(String)
+ Add BZip2Utils.getCompressedFileName(String) and deprecate
getCompressedFilename(String)
+ Add BZip2Utils.getUncompressedFileName(String) and deprecate
getUncompressedFilename(String)
+ Add BZip2Utils.isCompressedFileName(String) and deprecate
isCompressedFilename(String)
+ Add LZMAUtils.getCompressedFileName(String) and deprecate
getCompressedFilename(String)
+ Add LZMAUtils.getUncompressedFileName(String) and deprecate
getUncompressedFilename(String)
+ Add LZMAUtils.isCompressedFileName(String) and deprecate
isCompressedFilename(String)
+ Add XYUtils.getCompressedFileName(String) and deprecate
getCompressedFilename(String)
+ Add XYUtils.getUncompressedFileName(String) and deprecate
getUncompressedFilename(String)
+ Add XYUtils.isCompressedFileName(String) and deprecate
isCompressedFilename(String)
+ Add GzipUtils.getCompressedFileName(String) and deprecate
getCompressedFilename(String)
+ Add GzipUtils.getUncompressedFileName(String) and deprecate
getUncompressedFilename(String)
+ Add GzipUtils.isCompressedFileName(String) and deprecate
isCompressedFilename(String)
+ Add SevenZOutputFile.putArchiveEntry(SevenZArchiveEntry) and
deprecate putArchiveEntry(ArchiveEntry)
+ Add generics to ChangeSet and ChangeSetPerformer
+ Add generics to ArchiveStreamProvider and friends
+ Add a generic type parameter to ArchiveOutputStream and avoid
unchecked/unconfirmed type casts in subclasses
+ Add a generic type parameter to ArchiveInputStream and
deprecate redundant get methods in subclasses
+ COMPRESS-648: Add ability to restrict autodetection in
CompressorStreamFactory
* Fixed Bugs:
+ Precompile regular expression in
ArArchiveInputStream.isBSDLongName(String)
+ Precompile regular expression in
ArArchiveInputStream.isGNULongName(String)
+ Precompile regular expression in
TarArchiveEntry.parseInstantFromDecimalSeconds(String)
+ Precompile regular expression in
ChangeSet.addDeletion(Change)
+ COMPRESS-649: Improve performance in
BlockLZ4CompressorOutputStream
+ Null-guard Lister.main(String[]) for programmatic invocation
+ NPE in pack200.NewAttributeBands.Reference
.addAttributeToBand(NewAttribute, InputStream)
+ Incorrect lazy initialization and update of static field in
pack200.CodecEncoding.getSpecifier(Codec, Codec)
+ Incorrect string comparison in unpack200.AttributeLayout
.numBackwardsCallables()
+ Inefficient use of keySet iterator instead of entrySet
iterator in pack200.PackingOptions
.addOrUpdateAttributeActions(List, Map, int)
+ Package private class pack200.IcBands.IcTuple should be a
static inner class
+ Private class ZipFile.BoundedFileChannelInputStream should be
a static inner class
+ Refactor internal SevenZ AES256SHA256Decoder InputStream into
a named static inner class
+ Refactor internal SevenZ AES256SHA256Decoder OutputStream into
a named static inner class
+ Use the root Locale for string conversion of command line
options in org.apache.commons.compress.archivers.sevenz.CLI
+ Calling PackingUtils.config(PackingOptions) with null now
closes the internal FileHandler
+ COMPRESS-650: LZ4 compressor throws IndexOutOfBoundsException
+ COMPRESS-632: LZWInputStream.initializeTables(int) should
throw IllegalArgumentException instead of
ArrayIndexOutOfBoundsException
+ COMPRESS-647: Throw IOException instead of
ArrayIndexOutOfBoundsException when reading Zip with data
descriptor entries
- Update to 1.24.0
* New features:
+ Make ZipArchiveEntry.getLocalHeaderOffset() public
* Fixed Bugs:
+ Use try-with-resources in ArchiveStreamFactory
+ Javadoc and code comments: Sanitize grammar issues and typos
+ Remove redundant (null) initializations
+ [StepSecurity] ci: Harden GitHub Actions
- Update to 1.23.0
* New features:
+ COMPRESS-614: Use FileTime for time fields in
SevenZipArchiveEntry
+ COMPRESS-621: Fix calculation the offset of the first ZIP
central directory entry
+ COMPRESS-633: Add encryption support for SevenZ
+ COMPRESS-613: Support for extra time data in Zip archives
+ COMPRESS-621: Add org.apache.commons.compress.archivers.zip
.DefaultBackingStoreSupplier to write to a custom folder
instead of the default temporary folder.
+ COMPRESS-600: Add capability to configure Deflater strategy
in GzipCompressorOutputStream:
GzipParameters.setDeflateStrategy(int).
* Fixed Bugs:
+ Implicit narrowing conversion in compound assignment
+ Avoid NPE in FileNameUtils.getBaseName(Path) for paths with
zero elements like root paths
+ Avoid NPE in FileNameUtils.getExtension(Path) for paths with
zero elements like root paths
+ LZMA2Decoder.decode() loses original exception
+ Extract conditions and avoid duplicate code.
+ Remove duplicate conditions. Use switch instead.
+ Replace JUnit 3 and 4 with JUnit 5
+ Make 'ZipFile.offsetComparator' static
+ COMPRESS-638: The GzipCompressorOutputStream#writeHeader()
uses ISO_8859_1 to write the file name and comment. If the
strings contains non-ISO_8859_1 characters, unknown characters
are displayed after decompression. Use percent encoding for
non ISO_8859_1 characters.
+ Port some code from IO to NIO APIs
+ pack200: Fix FileBands misusing InputStream#read(byte[])
+ COMPRESS-641: Add TarArchiveEntry.getLinkFlag()
+ COMPRESS-642: Integer overflow ArithmeticException in
TarArchiveOutputStream
+ COMPRESS-642: org.apache.commons.compress.archivers.zip
.ZipFile.finalize() should not write to std err.
* Removed:
+ Remove BZip2CompressorOutputStream.finalize() which only wrote
to std err
- Update to 1.22
* New features:
+ COMPRESS-602: Migrate zip package to use NIO
+ Add APK file extension constants: ArchiveStreamFactory.APK,
APKM, APKS, XAPK
+ ArchiveStreamFactory.createArchiveInputStream(String,
InputStream, String) supports the "APK" format (it's a JAR)
+ Expander example now has NIO Path versions of IO File APIs
+ COMPRESS-612: Improve TAR support for file times
+ Add SevenZArchiveEntry.setContentMethods(SevenZMethodConfiguration...)
* Fixed Bugs:
+ Fix some compiler warnings in pack200 packages
+ Close File input stream after unpacking in
Pack200UnpackerAdapter.unpack(File, JarOutputStream)
+ Pack200UnpackerAdapter.unpack(InputStream, JarOutputStream)
should not close its given input stream
+ COMPRESS-596: Fix minor problem in examples.
+ COMPRESS-584: Add a limit to the copy buffer in
IOUtils.readRange() to avoid reading more from a channel than
asked for
+ Documentation nits
+ Replace wrapper Collections.sort is with an instance method
directly
+ Replace manual comparisons with Comparator.comparingInt()
+ Replace manual copy of array contents with System.arraycopy()
+ Fix thread safety issues when encoding 7z password
+ bzip2: calculate median-of-3 on unsigned values
+ Use Math.min and Math.max calculations.
+ COMPRESS-603: Expander should be able to work if an entry's
name is "./".
+ COMPRESS-604: Ensure compatibility with Java 8
+ Use StringBuilder instead of StringBuffer.
+ Inline variable. Remove redundant local variable.
+ Use compare method
+ Remove Unnecessary interface modifiers
+ Avoid use C-style array declaration.
+ ChecksumVerifyingInputStream.read() does not always validate
checksum at end-of-stream
+ Fix TarFileTest
+ COMPRESS-625: Update Wikipedia link in TarUtils.java:627.
+ COMPRESS-626: OutOfMemoryError on malformed pack200 input
(attributes).
+ COMPRESS-628: OutOfMemoryError on malformed pack200 input
(org.apache.commons.compress.harmony.pack200.NewAttributeBands
.readNextUnionCase).
+ COMPRESS-628: OutOfMemoryError on malformed unpack200 input
(org.apache.commons.compress.harmony.unpack200
.NewAttributeBands.readNextUnionCase).
+ Some input streams are not closed in org.apache.commons
.compress.harmony.pack200.PackingUtils
+ COMPRESS-627: Pack200 causes a 'archive.3E' error if it's not
in the system class loader.
- Modified patches:
* 0001-Remove-Brotli-compressor.patch
* 0002-Remove-ZSTD-compressor.patch
* 0003-Remove-Pack200-compressor.patch
+ rediff to changed context
- Removed patch:
* fix_java_8_compatibility.patch
+ not needed, since we handle the compatibility differently
- apache-commons-io
-
- Upgrade to 2.15.1
* Fixed Bugs:
+ Fix wrong issue id in change log
+ Add test for FileChannels.contentEquals()
+ Fix FileChannels.contentEquals()
+ Fix some Javadoc issues in LineIterator and IOUtils
+ Simplify FileAlterationObserver internal processing
+ Avoid NullPointerException in RegexFileFilter
.RegexFileFilter(Pattern)
+ Avoid NullPointerException in RegexFileFilter
.accept(Path, BasicFileAttributes)
+ Fix SpotBugs error: Class org.apache.commons.io.filefilter
.RegexFileFilter defines non-transient non-serializable
instance field pathToString [org.apache.commons.io.filefilter
.RegexFileFilter] In RegexFileFilter.java SE_BAD_FIELD
+ Fix SpotBugs error: Class org.apache.commons.io.filefilter
.DelegateFileFilter defines non-transient non-serializable
instance field fileFilter [org.apache.commons.io.filefilter
.DelegateFileFilter] In DelegateFileFilter.java SE_BAD_FIELD
+ Fix SpotBugs error: Class org.apache.commons.io.filefilter
.DelegateFileFilter defines non-transient non-serializable
instance field fileNameFilter [org.apache.commons.io
.filefilter.DelegateFileFilter] In DelegateFileFilter.java
SE_BAD_FIELD
+ Fix SpotBugs error: org.apache.commons.io.function.IOStream$1
.next() cannot throw NoSuchElementException [org.apache
.commons.io.function.IOStream$1] At IOStream.java:[line 98]
IT_NO_SUCH_ELEMENT
+ Fix SpotBugs error: org.apache.commons.io.monitor
.FileAlterationMonitor.getObservers() may expose internal
representation by returning FileAlterationMonitor.observers
[org.apache.commons.io.monitor.FileAlterationMonitor] At
FileAlterationMonitor.java:[line 124] EI_EXPOSE_REP
+ Fix SpotBugs error: Class org.apache.commons.io.monitor
.FileAlterationObserver defines non-transient non-serializable
instance field fileFilter [org.apache.commons.io.monitor
.FileAlterationObserver] In FileAlterationObserver.java
SE_BAD_FIELD
+ Fix SpotBugs error: Class org.apache.commons.io.monitor
.FileAlterationObserver defines non-transient non-serializable
instance field listeners [org.apache.commons.io.monitor
.FileAlterationObserver] In FileAlterationObserver.java
SE_BAD_FIELD
+ Fix SpotBugs error: org.apache.commons.io.FileCleaningTracker
.getDeleteFailures() may expose internal representation by
returning FileCleaningTracker.deleteFailures [org.apache
.commons.io.FileCleaningTracker] At
FileCleaningTracker.java:[line 218] EI_EXPOSE_REP
+ Fix SpotBugs error: org.apache.commons.io.IOExceptionList
.getCauseList() may expose internal representation by
returning IOExceptionList.causeList [org.apache.commons.io
.IOExceptionList] At IOExceptionList.java:[line 118]
EI_EXPOSE_REP
+ Fix SpotBugs error: org.apache.commons.io.IOExceptionList
.getCauseList(Class) may expose internal representation by
returning IOExceptionList.causeList [org.apache.commons.io
.IOExceptionList] At IOExceptionList.java:[line 129]
EI_EXPOSE_REP
+ Fix SpotBugs error: org.apache.commons.io.file
.AccumulatorPathVisitor.getDirList() may expose internal
representation by returning AccumulatorPathVisitor.dirList
[org.apache.commons.io.file.AccumulatorPathVisitor] At
AccumulatorPathVisitor.java:[line 179] EI_EXPOSE_REP
+ Fix SpotBugs error: org.apache.commons.io.file
.AccumulatorPathVisitor.getFileList() may expose internal
representation by returning AccumulatorPathVisitor.fileList
[org.apache.commons.io.file.AccumulatorPathVisitor] At
AccumulatorPathVisitor.java:[line 188] EI_EXPOSE_REP
+ Fix SpotBugs error: org.apache.commons.io.input
.ObservableInputStream.getObservers() may expose internal
representation by returning ObservableInputStream.observers
[org.apache.commons.io.input.ObservableInputStream] At
ObservableInputStream.java:[line 187] EI_EXPOSE_REP
+ Fix SpotBugs error: Exception thrown in class org.apache
.commons.io.input.UnsynchronizedByteArrayInputStream at new
org.apache.commons.io.input
.UnsynchronizedByteArrayInputStream(byte[], int) will leave
the constructor. The object under construction remains
partially initialized and may be vulnerable to Finalizer
attacks. [org.apache.commons.io.input
.UnsynchronizedByteArrayInputStream, org.apache.commons.io
.input.UnsynchronizedByteArrayInputStream] At
UnsynchronizedByteArrayInputStream.java:[line 202]
CT_CONSTRUCTOR_THROW
+ Fix SpotBugs error: Exception thrown in class org.apache
.commons.io.input.UnsynchronizedByteArrayInputStream at new
org.apache.commons.io.input
.UnsynchronizedByteArrayInputStream(byte[], int, int) will
leave the constructor. The object under construction remains
partially initialized and may be vulnerable to Finalizer
attacks. [org.apache.commons.io.input
.UnsynchronizedByteArrayInputStream, org.apache.commons.io
.input.UnsynchronizedByteArrayInputStream] At
UnsynchronizedByteArrayInputStream.java:[line 223]
CT_CONSTRUCTOR_THROW
- Upgrade to 2.15.0
* New features:
+ Add org.apache.commons.io.channels.FileChannels
+ Add RandomAccessFiles#contentEquals(RandomAccessFile,
RandomAccessFile)
+ Add RandomAccessFiles#reset(RandomAccessFile)
+ Add PathUtilsContentEqualsBenchmark
+ Add org.apache.commons.io.StreamIterator
+ Add MessageDigestInputStream and deprecate
MessageDigestCalculatingInputStream
* Fixed Bugs:
+ IO-815: XmlStreamReader encoding match RE is too strict
+ IO-810: Javadoc in FileUtils does not reflect code for thrown
exceptions
+ IO-812: Javadoc should mention closing Streams based on file
resources
+ IO-811: In tests, Files.walk() direct and indirect callers
fail to close the returned Stream
+ IO-811: FileUtils.listFiles(File, String[], boolean) fails to
close its internal Stream
+ IO-811: FileUtils.iterateFiles(File, String[], boolean) fails
to close its internal Stream
+ IO-811: StreamIterator fails to close its internal Stream
+ IO-814: Don't throw UncheckedIOException
+ IO-414: Don't write a BOM on every (or any) line
+ IO-814: RandomAccessFileMode.create(Path) provides a better
NullPointerException message
+ Improve performance of PathUtils.fileContentEquals(Path, Path,
LinkOption[], OpenOption[]) by about 60%, see
PathUtilsContentEqualsBenchmark
+ Improve performance of PathUtils.fileContentEquals(Path, Path)
by about 60%, see PathUtilsContentEqualsBenchmark
+ Improve performance of FileUtils.contentEquals(File, File) by
about 60%, see PathUtilsContentEqualsBenchmark
+ Remove unused test code
+ [Javadoc] IOUtils#contentEquals does not throw
NullPointerException
+ Fix CodeQL warnings in UnsynchronizedBufferedInputStream:
Implicit narrowing conversion in compound assignment
+ MessageDigestCalculatingInputStream
.MessageDigestMaintainingObserver
.MessageDigestMaintainingObserver(MessageDigest) now throws a
NullPointerException if the MessageDigest is null
+ MessageDigestCalculatingInputStream
.MessageDigestCalculatingInputStream(InputStream,
MessageDigest) now throws a NullPointerException if the
MessageDigest is null
+ IO-816: UnsynchronizedBufferedInputStream.read(byte[], int,
int) does not use buffer
- Build with source and target levels 8
- Update to 2.14.0:
* Lots of new features, fixes and updates.
* https://commons.apache.org/proper/commons-io/changes-report.html#a2.14.0
- bind
-
- Update to release 9.16.48
Feature Changes:
* The IP addresses for B.ROOT-SERVERS.NET have been updated to
170.247.170.2 and 2801:1b8:10::b.
Security Fixes:
* Validating DNS messages containing a lot of DNSSEC signatures
could cause excessive CPU load, leading to a denial-of-service
condition. This has been fixed. (CVE-2023-50387)
[bsc#1219823]
* Preparing an NSEC3 closest encloser proof could cause excessive
CPU load, leading to a denial-of-service condition. This has
been fixed. (CVE-2023-50868)
[bsc#1219826]
* Parsing DNS messages with many different names could cause
excessive CPU load. This has been fixed. (CVE-2023-4408)
[bsc#1219851]
* Specific queries could cause named to crash with an assertion
failure when nxdomain-redirect was enabled. This has been
fixed. (CVE-2023-5517)
[bsc#1219852]
* A bad interaction between DNS64 and serve-stale could cause
named to crash with an assertion failure, when both of these
features were enabled. This has been fixed. (CVE-2023-5679)
[bsc#1219853]
* Query patterns that continuously triggered cache database
maintenance could cause an excessive amount of memory to be
allocated, exceeding max-cache-size and potentially leading to
all available memory on the host running named being exhausted.
This has been fixed. (CVE-2023-6516)
[bsc#1219854]
Removed Features:
* Support for using AES as the DNS COOKIE algorithm
(cookie-algorithm aes;) has been deprecated and will be removed
in a future release. Please use the current default,
SipHash-2-4, instead.
- cloud-netconfig
-
- Add Provides/Obsoletes for dropped cloud-netconfig-nm
- Install dispatcher script into /etc/NetworkManager/dispatcher.d
on older distributions
- Add BuildRequires: NetworkManager to avoid owning dispatcher.d
parent directory
- Update to version 1.11:
+ Revert address metadata lookup in GCE to local lookup (bsc#1219454)
+ Fix hang on warning log messages
+ Check whether getting IPv4 addresses from metadata failed and abort
if true
+ Only delete policy rules if they exist
+ Skip adding/removing IPv4 ranges if metadata lookup failed
+ Improve error handling and logging in Azure
+ Set SCRIPTDIR when installing netconfig wrapper
- Update to version 1.10:
+ Drop cloud-netconfig-nm sub package and include NM dispatcher
script in main packages (bsc#1219007)
+ Spec file cleanup
- Update to version 1.9:
+ Drop package dependency on sysconfig-netconfig
+ Improve log level handling
+ Support IPv6 IMDS endpoint in EC2 (bsc#1218069)
- cloud-regionsrv-client
-
- Update to version 10.1.7 (bsc#1220164, bsc#1220165)
+ Fix the failover path to a new target update server. At present a new
server is not found since credential validation fails. We targeted
the server detected in down condition to verify the credentials instead
of the replacement server.
- cobbler
-
- Build the appendline correctly for RHEL-family <= 9 (bsc#1216437)
- Notify to "systemd" when cobblerd startup is finished (bsc#1215982)
- Enable ppc64(le) buildiso support (bsc#1214077)
- gcc7
-
- Add gcc7-pr88345-min-func-alignment.diff to add support for -fmin-function-alignment. [bsc#1214934]
- Use %{_target_cpu} to determine host and build.
- docker
-
- Vendor latest buildkit v0.11:
Add patch 0006-Vendor-in-latest-buildkit-v0.11-branch-including-CVE.patch that
vendors in the latest v0.11 buildkit branch including bugfixes for the following:
* bsc#1219438: CVE-2024-23653
* bsc#1219268: CVE-2024-23652
* bsc#1219267: CVE-2024-23651
- rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
- switch from %patchN to %patch -PN syntax
- remove unused rpmlint filters and add filters to silence pointless bash & zsh
completion warnings
- ecj
-
- Added patch:
* ecj-java8compat.patch
+ Allow building ecj with language levels 8 (bsc#1219862)
- Distribute the bundled javax17api.jar under maven coordinate of
org.eclipse:javax17api:17, so that it can be used if needed
- hwdata
-
- update to 0.378:
* Update pci, usb and vendor ids
- update to 0.377:
* Fixed trailing spaces in pnp.ids
- update to 0.376:
* Update pci, usb and vendor ids
- update to 0.373:
* Update pci, usb and vendor ids
- update to 0.372:
* Update pci, usb and vendor ids
- jose4j
-
- Check iteration of Pbes2HmacShaWithAesKey algorithm
CVE-2023-31582 (bsc#1216609)
Added: PBES2-check-iteration-count.patch
- kernel-default
-
- vhost: use kzalloc() instead of kmalloc() followed by memset()
(CVE-2024-0340, bsc#1218689).
- commit 4c5a740
- README.BRANCH: Update cve/linux-5.14 maintainers
Add myself to match SLE15-SP5 consumer + fix typo in branch name.
- commit da26653
- Refresh patches.suse/nfsd-fix-RELEASE_LOCKOWNER.patch.
Accidentally removed nfs4_get_stateowner
- commit d77a474
- Bluetooth: Fix atomicity violation in {min,max}_key_size_set
(git-fixes bsc#1219608 CVE-2024-24860).
- commit a1186fd
- README.BRANCH: update branch name to cve/linux-5.14, update maintainers
as requested
- commit 8e34879
- netfilter: nf_tables: check if catch-all set element is active
in next generation (CVE-2024-1085 bsc#1219429).
- commit 7b3f4c4
- netfilter: nf_tables: reject QUEUE/DROP verdict parameters
(CVE-2024-1086 bsc#1219434).
- commit 5f917ff
- Update
patches.suse/drm-amdgpu-Fix-potential-fence-use-after-free-v2.patch
(bsc#1219128 CVE-2023-51042 git-fixes).
- commit 4b937fc
- rpm/mkspec: sort entries in _multibuild
Otherwise it creates unnecessary diffs when tar-up-ing. It's of course
due to readdir() using "random" order as served by the underlying
filesystem.
See for example:
https://build.opensuse.org/request/show/1144457/changes
- commit d1155de
- Revert "tracing: Increase trace array ref count on enable and
filter files" (bsc#1219490).
Deleted:
patches.suse/tracing-Increase-trace-array-ref-count-on-enable-and-filter-files.patch
patches.suse/tracing-Have-event-inject-files-inc-the-trace-array-ref-count.patch
Backported commit f5ca233e2e66 ("tracing: Increase trace array ref count
on enable and filter files") causes a kernel panic and its upstream
fix-up bb32500fb9b7 ("tracing: Have trace_event_file have ref counters")
cannot be easily backported because it affects kABI. Revert the commit
and its one related + dependent patch, at least for now.
- commit 90d885a
- README.BRANCH: SLE15-SP4 became LTSS, update maintainers
- commit 94325df
- atm: Fix Use-After-Free in do_vcc_ioctl (CVE-2023-51780
bsc#1218730).
- commit 658d424
- xen-netback: don't produce zero-size SKB frags (CVE-2023-46838,
XSA-448, bsc#1218836).
- commit 9a897ff
- Update
patches.suse/ext4-fix-kernel-BUG-in-ext4_write_inline_data_end.patch
(CVE-2021-33631 bsc#1219412 bsc#1206894).
- commit 96c942c
- kabi, vmstat: skip periodic vmstat update for isolated CPUs
(bsc#1217895).
- commit 8cb5798
- sched/isolation: add cpu_is_isolated() API (bsc#1217895).
- trace,smp: Add tracepoints around remotelly called functions
(bsc#1217895).
- vmstat: skip periodic vmstat update for isolated CPUs
(bsc#1217895).
- Refresh
patches.suse/0002-kernel-smp-make-csdlock-timeout-depend-on-boot-param.patch.
- commit 668c0e0
- kernel-source: Fix description typo
- commit 8abff35
- nvmet-tcp: Fix the H2C expected PDU len calculation
(bsc#1217987 bsc#1217988 bsc#1217989 CVE-2023-6535 CVE-2023-6536
CVE-2023-6356).
- nvmet-tcp: remove boilerplate code (bsc#1217987 bsc#1217988
bsc#1217989 CVE-2023-6535 CVE-2023-6536 CVE-2023-6356).
- nvmet-tcp: fix a crash in nvmet_req_complete() (bsc#1217987
bsc#1217988 bsc#1217989 CVE-2023-6535 CVE-2023-6536
CVE-2023-6356).
- nvmet-tcp: Fix a kernel panic when host sends an invalid H2C
PDU length (bsc#1217987 bsc#1217988 bsc#1217989 CVE-2023-6535
CVE-2023-6536 CVE-2023-6356).
- commit d968940
- clocksource: Skip watchdog check for large watchdog intervals
(bsc#1217217).
- commit 63b1d6d
- clocksource: disable watchdog checks on TSC when TSC is watchdog
(bsc#1215885).
- commit 2f92dd8
- nfsd4: add refcount for nfsd4_blocked_lock (bsc#1218968
bsc#1219349).
- commit d38f35d
- wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach
(CVE-2023-47233 bsc#1216702).
- commit 433859d
- rpm/constraints.in: set jobs for riscv to 8
The same workers are used for x86 and riscv and the riscv builds take
ages. So align the riscv jobs count to x86.
- commit b2c82b9
- net: sched: sch_qfq: Use non-work-conserving warning handler
(CVE-2023-4921 bsc#1215275).
- commit b50ba0e
- mkspec: Use variant in constraints template
Constraints are not applied consistently with kernel package variants.
Add variant to the constraints template as appropriate, and expand it
in mkspec.
- commit cc68ab9
- rpm/constraints.in: add static multibuild packages
Commit 841012b049a5 (rpm/mkspec: use kernel-source: prefix for
constraints on multibuild) added "kernel-source:" prefix to the
dynamically generated kernels. But there are also static ones like
kernel-docs. Those fail to build as the constraints are still not
applied.
So add the prefix also to the static ones.
Note kernel-docs-rt is given kernel-source-rt prefix. I am not sure it
will ever be multibuilt...
- commit c2e0681
- Update
patches.suse/drm-atomic-Fix-potential-use-after-free-in-nonblocki.patch
(bsc#1219120 CVE-2023-51043 git-fixes).
- commit d004027
- Revert "Limit kernel-source build to architectures for which the kernel binary"
This reverts commit 08a9e44c00758b5f3f3b641830ab6affff041132.
The fix for bsc#1108281 directly causes bsc#1218768, revert.
- commit 2943b8a
- mkspec: Include constraints for both multibuild and plain package always
There is no need to check for multibuild flag, the constraints can be
always generated for both cases.
- commit 308ea09
- rpm/mkspec: use kernel-source: prefix for constraints on multibuild
Otherwise the constraints are not applied with multibuild enabled.
- commit 841012b
- rpm/kernel-source.rpmlintrc: add action-ebpf
Upstream commit a79d8ba734bd (selftests: tc-testing: remove buildebpf
plugin) added this precompiled binary blob. Adapt rpmlintrc for
kernel-source.
- commit b5ccb33
- block: Fix kabi header include (bsc#1218929).
- commit 8f511ac
- scripts/tar-up.sh: don't add spurious entry from kernel-sources.changes.old
The previous change added the manual entry from kernel-sources.change.old
to old_changelog.txt unnecessarily. Let's fix it.
- commit fb033e8
- Update
patches.suse/ext4-improve-error-recovery-code-paths-in-__ext4_rem.patch
(bsc#1213017 bsc#1219053 CVE-2024-0775).
- commit 97ea702
- block: free the extended dev_t minor later (bsc#1218930).
- commit 0972f94
- rpm/kernel-docs.spec.in: fix build with 6.8
Since upstream commit f061c9f7d058 (Documentation: Document each netlink
family), the build needs python yaml.
- commit 6a7ece3
- hv_netvsc: rndis_filter needs to select NLS (git-fixes).
- commit 6f3116b
- nfsd: fix RELEASE_LOCKOWNER (bsc#1218968).
- commit 605df5b
- netfilter: nf_tables: Reject tables of unsupported family
(bsc#1218752 CVE-2023-6040).
- commit e03f1d3
- bcache: revert replacing IS_ERR_OR_NULL with IS_ERR (git-fixes).
- bcache: replace a mistaken IS_ERR() by IS_ERR_OR_NULL() in
btree_gc_coalesce() (git-fixes).
- rbd: take header_rwsem in rbd_dev_refresh() only when updating
(git-fixes).
- dm: don't lock fs when the map is NULL during suspend or resume
(git-fixes).
- commit fe9ee72
- tipc: fix a potential deadlock on &tx->lock (bsc#1218916
CVE-2024-0641).
- commit c872674
- Update metadata
- commit d121b79
- tipc: fix a potential deadlock on &tx->lock (bsc#1218916
CVE-2024-0641).
- commit 7953be2
- Update metadata
- commit c015ae2
- smb: client: fix OOB in receive_encrypted_standard()
(bsc#1218832 CVE-2024-0565).
- commit 3cac9c2
- ida: Fix crash in ida_free when the bitmap is empty (bsc#1218804
CVE-2023-6915).
- commit 7caa324
- dm-integrity: don't modify bio's immutable bio_vec in
integrity_metadata() (git-fixes).
- dm-verity: align struct dm_verity_fec_io properly (git-fixes).
- dm verity: don't perform FEC for failed readahead IO
(git-fixes).
- bcache: avoid NULL checking to c->root in run_cache_set()
(git-fixes).
- bcache: add code comments for bch_btree_node_get() and
__bch_btree_node_alloc() (git-fixes).
- bcache: fixup multi-threaded bch_sectors_dirty_init() wake-up
race (git-fixes).
- bcache: fixup lock c->root error (git-fixes).
- bcache: fixup init dirty data errors (git-fixes).
- bcache: prevent potential division by zero error (git-fixes).
- bcache: remove redundant assignment to variable cur_idx
(git-fixes).
- bcache: check return value from btree_node_alloc_replacement()
(git-fixes).
- bcache: avoid oversize memory allocation by small stripe_size
(git-fixes).
- dm-delay: fix a race between delay_presuspend and delay_bio
(git-fixes).
- dm zoned: free dmz->ddev array in dmz_put_zoned_devices
(git-fixes).
- rbd: decouple parent info read-in from updating rbd_dev
(git-fixes).
- rbd: decouple header read-in from updating rbd_dev->header
(git-fixes).
- rbd: move rbd_dev_refresh() definition (git-fixes).
- rbd: prevent busy loop when requesting exclusive lock
(git-fixes).
- rbd: retrieve and check lock owner twice before blocklisting
(git-fixes).
- rbd: harden get_lock_owner_info() a bit (git-fixes).
- rbd: make get_lock_owner_info() return a single locker or NULL
(git-fixes).
- dm cache policy smq: ensure IO doesn't prevent cleaner policy
progress (git-fixes).
- dm raid: clean up four equivalent goto tags in raid_ctr()
(git-fixes).
- dm raid: fix missing reconfig_mutex unlock in raid_ctr()
error paths (git-fixes).
- dm integrity: reduce vmalloc space footprint on 32-bit
architectures (git-fixes).
- dm thin metadata: Fix ABBA deadlock by resetting dm_bufio_client
(git-fixes).
- bcache: fixup btree_cache_wait list damage (git-fixes).
- bcache: Fix __bch_btree_node_alloc to make the failure behavior
consistent (git-fixes).
- bcache: Remove unnecessary NULL point check in node allocations
(git-fixes).
- dm thin metadata: check fail_io before using data_sm
(git-fixes).
- commit 7e800d7
- rbd: get snapshot context after exclusive lock is ensured to
be held (git-fixes).
- Refresh for the above change,
patches.suse/rbd-export-some-functions-used-by-lio-rbd-backend.patch.
patches.suse/target_core_rbd-fix-rbd_img_request.snap_id-assignme.patch.
- commit dcd100d
- rbd: move RBD_OBJ_FLAG_COPYUP_ENABLED flag setting (git-fixes).
- Rebased for the above change,
patches.suse/rbd-add-support-for-COMPARE_AND_WRITE-CMPEXT.patch.
- commit b5f85f8
- nbd: Fix debugfs_create_dir error checking (git-fixes).
- dm: don't lock fs when the map is NULL in process of resume
(git-fixes).
- dm flakey: fix a crash with invalid table line (git-fixes).
- dm integrity: call kmem_cache_destroy() in dm_integrity_init()
error path (git-fixes).
- dm clone: call kmem_cache_destroy() in dm_clone_init() error
path (git-fixes).
- dm verity: fix error handling for check_at_most_once on FEC
(git-fixes).
- nbd: fix incomplete validation of ioctl arg (git-fixes).
- null_blk: Always check queue mode setting from configfs
(git-fixes).
- dm stats: check for and propagate alloc_percpu failure
(git-fixes).
- dm crypt: avoid accessing uninitialized tasklet (git-fixes).
- dm crypt: add cond_resched() to dmcrypt_write() (git-fixes).
- commit ad93a37
- dm thin: fix deadlock when swapping to thin device
(bsc#1177529).
- Delete the in-house patch by the above upstream patch,
patches.suse/Avoid-deadlock-for-recursive-I-O-on-dm-thin-when-used-as-swap-4905.patch.
- commit 13bcec1
- rbd: avoid use-after-free in do_rbd_add() when rbd_dev_create()
fails (git-fixes).
- dm cache: add cond_resched() to various workqueue loops
(git-fixes).
- dm thin: add cond_resched() to various workqueue loops
(git-fixes).
- dm: add cond_resched() to dm_wq_work() (git-fixes).
- dm: remove flush_scheduled_work() during local_exit()
(git-fixes).
- dm: send just one event on resize, not two (git-fixes).
- dm flakey: fix logic when corrupting a bio (git-fixes).
- dm flakey: don't corrupt the zero page (git-fixes).
- dm init: add dm-mod.waitfor to wait for asynchronously probed
block devices (git-fixes).
- loop: suppress uevents while reconfiguring the device
(git-fixes).
- commit 2a9583d
- nbd: use the correct block_device in nbd_bdev_reset (git-fixes).
- Refresh for the above change,
patches.suse/0019-nbd-fix-io-hung-while-disconnecting-device.patch.
patches.suse/0031-nbd-Fix-hung-when-signal-interrupts-nbd_start_device_ioctl.patch.
- commit 2cb1a83
- blacklist.conf: add non-backport git-fixes commit
- commit ab480ce
- dm verity: skip redundant verity_handle_err() on I/O errors
(git-fixes).
- commit 7d823a7
- Update
patches.kabi/NFS-Fix-another-fsync-issue-after-a-server-reboot.patch
(git-fixes, bsc#1217670).
- commit 69dfe32
- blacklist.conf: df1c357f25d8 netfs: Only call folio_start_fscache() one time for each folio
- commit 049ab09
- intel_idle: add Emerald Rapids Xeon support (bsc#1216016).
- commit 30bac4b
- Update patch reference for rose fix (CVE-2023-51782 bsc#1218757)
- commit da9f8e9
- blacklist.conf: c4d361f66ac9 fuse: share lookup state between submount and its parent
- commit 3180cfa
- powerpc/pseries/iommu: enable_ddw incorrectly returns direct
mapping for SR-IOV device (bsc#1212091 ltc#199106 git-fixes).
- commit f20e9a0
- Store the old kernel changelog entries in kernel-docs package (bsc#1218713)
The old entries are found in kernel-docs/old_changelog.txt in docdir.
rpm/old_changelog.txt can be an optional file that stores info
similar to rpm/kernel-sources.changes.old. It can specify the commit
range that has been truncated. scripts/tar-up.sh expands from the
git log accordingly.
- commit c9a2566
- mozilla-nss
-
- update to NSS 3.90.2
* bmo#1780432 - (CVE-2023-5388) Timing attack against RSA
decryption in TLS. (bsc#1216198)
* bmo#1867408 - add a defensive check for large ssl_DefSend
return values.
- giflib
-
- Update to version 5.2.2
* Fixes for CVE-2023-48161 (bsc#1217390), CVE-2022-28506
(bsc#1198880)
* Address SF issue #138 Documentation for obsolete utilities still
installed
* Address SF issue #139: Typo in "LZW image data" page
("110_2 = 4_10")
* Address SF issue #140: Typo in "LZW image data" page ("LWZ")
* Address SF issue #141: Typo in "Bits and bytes" page ("filed")
* Note as already fixed SF issue #143: cannot compile under mingw
* Address SF issue #144: giflib-5.2.1 cannot be build on windows
and other platforms using c89
* Address SF issue #145: Remove manual pages installation for
binaries that are not installed too
* Address SF issue #146: [PATCH] Limit installed man pages to
binaries, move giflib to section 7
* Address SF issue #147 [PATCH] Fixes to doc/whatsinagif/ content
* Address SF issue #148: heap Out of Bound Read in gif2rgb.c:298
DumpScreen2RGB
* Declared no-info on SF issue #150: There is a denial of service
vulnerability in GIFLIB 5.2.1
* Declared Won't-fix on SF issue 149: Out of source builds no
longer possible
* Address SF issue #151: A heap-buffer-overflow in gif2rgb.c:294:45
* Address SF issue #152: Fix some typos on the html documentation
and man pages
* Address SF issue #153: Fix segmentation faults due to non
correct checking for args
* Address SF issue #154: Recover the giffilter manual page
* Address SF issue #155: Add gifsponge docs
* Address SF issue #157: An OutofMemory-Exception or Memory Leak
in gif2rgb
* Address SF issue #158: There is a null pointer problem in
gif2rgb
* Address SF issue #159 A heap-buffer-overflow in GIFLIB5.2.1
DumpScreen2RGB() in gif2rgb.c:298:45
* Address SF issue #163: detected memory leaks in
openbsd_reallocarray giflib/openbsd-reallocarray.c
* Address SF issue #164: detected memory leaks in GifMakeMapObject
giflib/gifalloc.c
* Address SF issue #166: a read zero page leads segment fault in
getarg.c and memory leaks in gif2rgb.c and gifmalloc.c
* Address SF issue #167: Heap-Buffer Overflow during Image Saving
in DumpScreen2RGB Function at Line 321 of gif2rgb.c
- Added patch:
* giflib-5.2.2-no-imagemagick.patch
+ do not use ImageMagick to resize one gif file. It creates a
build cycle.
* 0001-Clean-up-memory-better-at-end-of-run-CVE-2021-40633.patch
+ upstream fix for CVE-2021-40633 (bsc#1200551)
- Modified patches:
* PIE.patch
* reproducible.patch
+ rediff to changed context
- Define make_build for distributions which do not define it in
system macros
- add reproducible.patch to avoid timestamp patching in the build
section and allow it to build with -Werror=date-time
- gnutls
-
- Security fix: [bsc#1218862, CVE-2024-0567]
* gnutls: rejects certificate chain with distributed trust
* Cockpit (which uses GnuTLS) rejects certificate chain with
distributed trust.
* Add gnutls-CVE-2024-0567.patch
- Security fix: [bsc#1218865, CVE-2024-0553]
* Incomplete fix for CVE-2023-5981.
* The response times to malformed ciphertexts in RSA-PSK
ClientKeyExchange differ from response times of ciphertexts
with correct PKCS#1 v1.5 padding.
* Add gnutls-CVE-2024-0553.patch
- nftables
-
- port python-single-spec logic from Factory package to allow shipment of
python311 modules as well (bsc#1219253).
- postgresql16
-
- Upgrade to 16.2:
* bsc#1219679, CVE-2024-0985: Tighten security restrictions
within REFRESH MATERIALIZED VIEW CONCURRENTLY.
One step of a concurrent refresh command was run under weak
security restrictions. If a materialized view's owner could
persuade a superuser or other high-privileged user to perform a
concurrent refresh on that view, the view's owner could control
code executed with the privileges of the user running REFRESH.
Fix things so that all user-determined code is run as the
view's owner, as expected.
* If you use GIN indexes, you may need to reindex after updating
to this release.
* LLVM 18 is now supported.
* https://www.postgresql.org/docs/release/16.2/
- python3
-
- Refresh CVE-2023-27043-email-parsing-errors.patch to
gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043).
- libsolv
-
- build for multiple python versions [jsc#PED-6218]
- bump version to 0.7.28
- libssh
-
- Fix regression parsing IPv6 addresses provided as hostname (bsc#1220385)
* Added libssh-fix-ipv6-hostname-regression.patch
- suseconnect-ng
-
- Update to version 1.7.0~git0.5338270
* Allow SUSEConnect on read write transactional systems (bsc#1219425)
- libxml2
-
- Security fix (CVE-2024-25062, bsc#1219576) use-after-free in XMLReader
* Added libxml2-CVE-2024-25062.patch
- libzypp
-
- tui: allow to access the underlying ostream of out::Info.
- Add MLSep: Helper to produce not-NL-terminated multi line
output.
- version 17.31.31 (22)
- applydeltarpm: Create target directory if it does not exist
(bsc#1219442)
- Add ProblemSolution::skipsPatchesOnly (for openSUSE/zypper#514)
- Fix problems with EINTR in ExternalDataSource::getline (fixes
bsc#1215698)
- version 17.31.30 (22)
- CheckAccessDeleted: fix running_in_container detection
(bsc#1218782)
- Detect CURLOPT_REDIR_PROTOCOLS_STR availability at runtime
(bsc#1218831)
- Make Wakeup class EINTR safe.
- Add a way to cancel media operations on shutdown
(openSUSE/zypper#522)
This patch adds a mechanism to signal libzypp that a shutdown was
requested, usually when CTRL+C was pressed by the user. Currently
only the media backend will utilize this, but can be extended to
all code paths that use g_poll() to wait for events.
- Manually poll fds for curl in MediaCurl.
Using curl_easy_perform does not give us the required control on
when we want to cancel a download. Switching to the MultiCurl
implementation with an external poll() event loop will give us
much more freedom and helps us to improve our Ctrl+C handling.
- Move reusable curl poll code to curlhelper.h.
- version 17.31.29 (22)
- Fix to build with libxml 2.12.x (fixes #505)
- version 17.31.28 (22)
- netcfg
-
- Add krb-prop entry, fix for bsc#1211886.
- objectweb-asm
-
- Upgrade to version 9.6
* new Opcodes.V22 constant for Java 22
* bug fixes
+ 317991: Analyzer produces frames that have different locals
than those detected by JRE bytecode verifier
+ 317995: Invalid stackmap generated when the instruction
stream has new instruction after invokespecial to <init>
+ 317998: Analyzer can fail to catch thrown exceptions
+ 318002: asm-analysis Frame allocates an array unnecessarily
inside executeInvokeInsn
+ bug in CheckFrameAnalyzer with static methods
- Upgrade to version 9.5
* new Opcodes.V21 constant for Java 21
* new readBytecodeInstructionOffset hook in ClassReader
* more detailed exception messages
* Javadoc improvements and fixes
* bug fixes
+ 317989: Silent removal of zero-valued entries from the
line-number table
- Upgrade to version 9.4
* new Opcodes.V20 constant for Java 20
* more checks in CheckClassAdapter
* Javadoc improvements and fixes
* module-info classes can be built without Gradle and Bnd
* parent POM updated to org.ow2:ow2:1.5.1
* bug fixes
+ 317977: CheckClassAdapter is no longer transparent for MAXLOCALS
+ 317981: Add public getDelegate method to all visitor classes
+ Analyzer does not compute optimal maxLocals for static methods
+ Fix SignatureWriter when a generic type has a depth over 30
+ Skip remap inner class name if not changed in Remapper
- openssh
-
- Added openssh-cve-2023-51385.patch (bsc#1218215, CVE-2023-51385).
This limits the use of shell metacharacters in host- and
user names.
- patterns-suse-manager
-
- Add liberate-formula to the required packages for the server
to get it installed by default
- postgresql
-
- bsc#1219340: Require fillup.
- postgresql-jdbc
-
- fix postgresql vulnerable to SQL Injection via line comment
generation CVE-2024-1597 (bsc#1220644)
Added: CVE-2024-1597.patch
- change patching commands:
Modified: fix-createTempFile-vulnerability-CVE-2022-41946.patch
- postgresql14
-
- Upgrade to 14.11:
* bsc#1219679, CVE-2024-0985: Tighten security restrictions
within REFRESH MATERIALIZED VIEW CONCURRENTLY.
One step of a concurrent refresh command was run under weak
security restrictions. If a materialized view's owner could
persuade a superuser or other high-privileged user to perform a
concurrent refresh on that view, the view's owner could control
code executed with the privileges of the user running REFRESH.
Fix things so that all user-determined code is run as the
view's owner, as expected.
* If you use GIN indexes, you may need to reindex after updating
to this release.
* LLVM 18 is now supported.
* https://www.postgresql.org/docs/release/14.11/
- python3-M2Crypto
-
- Disable broken tests with openssl 3.2, bsc#1217782
- add timeout_300hz.patch to accept a small deviation from time
in the testsuite (bsc#1212757)
- Adapt tests for OpenSSL v3.1.0
* Add openssl-adapt-tests-for-3.1.0.patch
- add openssl-stop-parsing-header.patch (bsc#1205042)
- add m2crypto-0.38-ossl3-tests.patch
- python-argcomplete
-
- Use update-alternatives for package binaries to avoid conflict with
python311 stack. bsc#1219305
- python3-azuremetadata
-
- Version 5.1.6
Fix empty list attributes (bsc#1218760)
- salt
-
- Prevent directory traversal when creating syndic cache directory
on the master (CVE-2024-22231, bsc#1219430)
- Prevent directory traversal attacks in the master's serve_file
method (CVE-2024-22232, bsc#1219431)
- Added:
* fix-cve-2024-22231-and-cve-2024-22232-bsc-1219430-bs.patch
- Ensure that pillar refresh loads beacons from pillar without restart
- Fix the aptpkg.py unit test failure
- Prefer unittest.mock to python-mock in test suite
- Enable "KeepAlive" probes for Salt SSH executions (bsc#1211649)
- Revert changes to set Salt configured user early in the stack (bsc#1216284)
- Align behavior of some modules when using salt-call via symlink (bsc#1215963)
- Fix gitfs "__env__" and improve cache cleaning (bsc#1193948)
- Remove python-boto dependency for the python3-salt-testsuite package for Tumbleweed
- Added:
* fix-the-aptpkg.py-unit-test-failure.patch
* enable-keepalive-probes-for-salt-ssh-executions-bsc-.patch
* prefer-unittest.mock-for-python-versions-that-are-su.patch
* update-__pillar__-during-pillar_refresh.patch
* revert-make-sure-configured-user-is-properly-set-by-.patch
* fix-gitfs-__env__-and-improve-cache-cleaning-bsc-119.patch
* dereference-symlinks-to-set-proper-__cli-opt-bsc-121.patch
- spacewalk-certs-tools
-
- version 4.3.22-1
* Skip deploying the CA into the Salt directory on proxies (bsc#1219850)
- version 4.3.21-1
* Deploy the CA certificate also into the Salt filesystem (bsc#1219577)
- version 4.3.20-1
* Handle server keys in PKCS8 format in mgr-ssl-cert-setup (bsc#1218615)
* Include reboot info beacon in the bootstrap script for transactional systems (bsc#1217588)
- spacewalk-client-tools
-
- version 4.3.18-1
* Update translation strings
- python-uamqp
-
- Add patch to fix use-after-free issue in open_get_offered_capabilities()
+ CVE-2024-25110.patch (CVE-2024-25110, bsc#1219867)
- release-notes-susemanager
-
- Update to SUSE Manager 4.3.11
* Migrate from RHEL and its clones to SUSE Liberty Linux
* Reboot required indication for non-SUSE distributions
* SSH key rotation for enhanced security
* Configure remote command execution
* End of Debian 10 support
* CVEs fixed:
CVE-2023-32189, CVE-2024-22231, CVE-2024-22232
* Bugs mentioned:
bsc#1170848, bsc#1210911, bsc#1211254, bsc#1211560, bsc#1211912
bsc#1213079, bsc#1213507, bsc#1213738, bsc#1213981, bsc#1214077
bsc#1214791, bsc#1215166, bsc#1215514, bsc#1215769, bsc#1215810
bsc#1215813, bsc#1215982, bsc#1216114, bsc#1216394, bsc#1216437
bsc#1216550, bsc#1216657, bsc#1216753, bsc#1216781, bsc#1216988
bsc#1217069, bsc#1217209, bsc#1217588, bsc#1217784, bsc#1217869
bsc#1218019, bsc#1218074, bsc#1218075, bsc#1218089, bsc#1218094
bsc#1218490, bsc#1218615, bsc#1218669, bsc#1218849, bsc#1219577
bsc#1219850, bsc#1218146
- rpm
-
- backport lua support for rpm.execute to ease migrating [bnc#1216752]
* new patch: luaexecute.diff
- runc
-
- Update to runc v1.1.12. Upstream changelog is available from
<https://github.com/opencontainers/runc/releases/tag/v1.1.12>. bsc#1218894
* This release fixes a container breakout vulnerability (CVE-2024-21626). For
more details, see the upstream security advisory:
<https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv>
* Remove upstreamed patches:
- CVE-2024-21626.patch
* Update runc.keyring to match upstream changes.
- 000release-packages:sle-module-basesystem-release
-
n/a
- 000release-packages:sle-module-containers-release
-
n/a
- 000release-packages:sle-module-public-cloud-release
-
n/a
- 000release-packages:sle-module-server-applications-release
-
n/a
- 000release-packages:sle-module-web-scripting-release
-
n/a
- spacecmd
-
- version 4.3.26-1
* Update translation strings
- spacewalk-backend
-
- version 4.3.27-1
* Fix issue in "spacewalk-repo-sync" when RPM packages contain files with
size greater than 4GB (bsc#1219151)
- version 4.3.26-1
* Fix decompressing and renaming bzip2 comps files in reposync
* Update query to the new credentials structure
* Remove normalize_orphan_vendor_packages and move it to taskomatic (bsc#1216781)
* Skip syncing packages with incorrect metadata (bsc#1213738)
* Update translation strings
- spacewalk-web
-
- version 4.3.37-1
* Fix the use of page size preference in systems and packages lists (bsc#1217209)
* Fix issue displaying Ansible playbook name (bsc#1216657)
* Add support for `PaygNotCompliantWarning` notification
* Bump web.version to 4.3.11
- spacewalk-java
-
- version 4.3.71-1
* Generate server SSH key also when bootstrapping regular Minions (bsc#1219449)
- version 4.3.70-1
* Fix the use of page size preference in systems and packages lists (bsc#1217209)
* Fix issue with disabling token check not working (bsc#1218669)
* Enforce snakeyaml version requirement (bsc#1215166)
* Improve the performance of paginated queries when syncing the
reporting database (bsc#1211912, bsc#1213079)
* Do not require entitlement for PAYG SLES for SAP (bsc#1217069)
* Use the base product file to show the correct SUSE Manager
product in the subscription matching results page
* Do not require entitlements if SUSE Manager is PAYG
* Exclude SUSE Manager from subscription matching if it's PAYG
* Refactor Credentials to a proper class hierarchy
* Fix unit test about duplicated packages
* Prevent installation of packages with same name
in a single action (bsc#1214791)
* When canceling an action which has prerequisites, return hints to
get the first action id which can be canceled (bsc#1216988)
* Fix exception when removing a Debian package (bsc#1216781)
* Fix XSS in taskomatic XML RPC handler (bsc#1210911)
* Improve logging for Product Migration (bsc#1218490)
* Add only 1 IP for Cloud RMT Host in /etc/hosts
* Change org for orphan vendor packages that an admin can delete (bsc#1216781)
* Expose the monitoring data for the Salt queue handling the Salt results
* Provide total number of CPUs for SLE Micro systems to subscription matcher
when it is not used as hypervisor to match vCore subscriptions correctly
(bsc#1218074)
* Try to download compressed Ubuntu USN database
* Add user information to system organization transfer message (bsc#1216753)
* Fix issue with Salt ssh keys for Salt ssh minions CVE-2023-32189 (bsc#1170848)
* Add notification in daily email in addition to in SUSE Manager home page when
SUSE Manager PAYG is not compliant
* Fix apidoc link from #top to $call.name (bsc#1213507)
* Add config option to disable remote commands from web UI (bsc#1217869)
* Address high rating Sonar issues
* Refactor SCC registration flow
* Avoid blocking Taskomatic thread when waiting for queued action (bsc#1211560)
* Fix modify kickstart profile when using "Always newest tree" option (bsc#1215813)
* Configure reboot method for SLE Micro when applying bootstrap state (bsc#1213981)
* Handle not existing known_host file in permission check
* Fix handling of proxy ssh public keys
* Include reboot required indication for non-Suse distros
- spacewalk-setup
-
- version 4.3.19-1
* Update query to the new credentials structure
* Fix setting SCC password during setup
- spacewalk-utils
-
- version 4.3.19-1
* Add SLE Micro 5.4 and 5.5 to spacewalk-commons-channels
- subscription-matcher
-
- Version 0.35
* Added missing part number
- Version 0.34
* Enabled support for LTSS subscriptions (bsc#1218075)
* Added SLE Micro vCore handling (bsc#1218074)
* Added new SKUs and new bundles
- supportutils-plugin-suse-public-cloud
-
- Update to version 1.0.9 (bsc#1218762, bsc#1218763)
+ Remove duplicate data collection for the plugin itself
+ Collect archive metering data when available
+ Query billing flavor status
- supportutils-plugin-susemanager
-
- version 4.3.10-1
* Update query to the new credentials structure
- supportutils
-
- Additional changes in version 3.1.28
+ ipset - List entries for all sets
+ ipvsadm - Inspect the virtual server table (pr#185)
+ Correctly detects Xen Dom0 (bsc#1218201)
+ Fixed smart disk error (bsc#1218282)
- Changes in version 3.1.28
+ Inhibit the conversion of port numbers to port names for network files (cherry picked from commit 55f5f716638fb15e3eb1315443949ed98723d250)
+ powerpc: collect rtas_errd.log and lp_diag.log files (pr#175)
+ Get list of pam.d file (cherry picked from commit eaf35c77fd4bc039fd7e3d779ec1c2c6521283e2)
+ Remove supportutils requires for util-linux-systemd and kmod (bsc#1193173)
+ Added missing klp information to kernel-livepatch.txt (bsc#1216390)
+ Fixed plugins creating empty files when using supportconfig.rc (bsc#1216388)
+ Provides long listing for /etc/sssd/sssd.conf (bsc#1211547)
+ Optimize lsof usage (bsc#1183663)
+ Added mokutil commands for secureboot (pr#179)
+ Collects chrony or ntp as needed (bsc#1196293)
- Changes in version 3.1.27
+ Fixed podman display issue (bsc#1217287)
+ Added nvme-stas configuration to nvme.txt (bsc#1216049)
+ Added timed command to fs-files.txt (bsc#1216827)
+ Collects zypp history file issue#166 (bsc#1216522)
+ Changed -x OPTION to really be exclude only (issue#146)
+ Collect HA related rpm package versions in ha.txt (pr#169)
- suse-build-key
-
- Switch container key to be default RSA 4096bit. (jsc#PED-2777)
- run rpm commands in import script only when libzypp is not
active. bsc#1219189 bsc#1219123
- run import script also in %posttrans section, but only when
libzypp is not active. bsc#1219189 bsc#1219123
- susemanager-build-keys
-
- Version 15.4.10
* Add new Almalinux 8 GPG Key (bsc#1218849)
- Added:
* RPM-GPG-KEY-AlmaLinux-8
- Refresh extended Uyuni GPG public key
* Modified: gpg-pubkey-0d20833e.asc
- susemanager-docs_en
-
- Removed obsolete traditional to Salt migration documentation from
the System Types section of the Client Configuration Guide and
updated the Migrate traditional clients to Salt clients section
- Fixed navigation bar of Client Configuration Guide (bsc#1218089)
- Added openSUSE Leap to Supported Features navigation list in Client
Configuration Guide (bsc#1218094)
- Described new monitoring metrics for Salt queue in Administration
Guide
- Fixed xrefs for internal book references
- Removed mentioning that CVE number for CVE auditing is optional
(bsc#1218019)
- Corrected channel names for CentOS 7 Updates and Extras in CentOS
Client Configuration Guide
- Documented bootstrap settings for SUSE Linux Enterprise Micro in
Client Configuration Guide (bsc#1216394)
- Corrected command mgr-push to mgrpush in Administration Guide
(bsc#1215810)
- Updated Red Hat OVAL data URL and file in CentOS Clients Registration
in Client Configuration Guide
- Added Pay-as-you-go for Azure documentation to the Specialized Guides
book
- Added Pay-as-you-go limitations chapter to Pay-as-you-go Guide
- Removed Ubuntu 18.04 from the list of supported clients
- Fixed file location in Custom Salt Formulas section of Salt Guide
- Documented using Virtualization Host formula in Client Configuration
Guide
- susemanager-schema
-
- version 4.3.24-1
* Refactor susecredentials to support the new hierarchy
* Improve performance of System (bsc#1211254)
* Change schedule of system-profile-refresh to run on the 2nd Saturday
of a month to not collide with normal working times (bsc#1215769)
- susemanager-sls
-
- version 4.3.40-1
* Remove automatic reboot from transactional systems bootstrap (bsc#1218146)
- version 4.3.39-1
* Change certs/RHN-ORG-TRUSTED-SSL-CERT from symlink into a real file
(bsc#1219577)
- version 4.3.38-1
* Improve PAYG instance detection (bsc#1217784)
* Fix issue with Salt ssh keys for Salt ssh minions CVE-2023-32189 (bsc#1170848)
* Configure reboot method for SLE Micro when applying bootstrap state (bsc#1213981)
* Include reboot required indication for non-Suse distros
- susemanager-sync-data
-
- version 4.3.16-1
* Fix OES 23.4 internal name (bsc#1218837)
- version 4.3.15-1
* Update release status and repository description of OES 23.4 (bsc#1215514)
* Add new SUSE Liberty Linux 7 LTSS channel families
* Rename RHEL and Liberty 8 Base product to remove EOL CentOS 8 from the name
- susemanager
-
- version 4.3.34-1
* Rename OES label to OES23.4 (bsc#1215514)
* Verify in Yast FQDN with name returned via DNS reverse lookup
* Fix issue with Salt ssh keys for Salt ssh minions CVE-2023-32189 (bsc#1170848)
- tomcat
-
- Fixed CVEs:
* CVE-2024-22029: run xsltproc as tomcat group (bsc#1219208)
- Update to Tomcat 9.0.85
* Fixed CVEs:
+ CVE-2023-46589: Apache Tomcat: HTTP request smuggling due to
incorrect headers parsing (bsc#1217649)
* Catalina
+ Update: 68378: Align extension to MIME type mappings in the
global web.xml with those in httpd by adding
application/vnd.geogebra.slides for ggs, text/javascript for mjs
and audio/ogg for opus. (markt)
+ Fix: Background processes should not be run concurrently with
lifecycle operations of a container. (remm)
+ Fix: Correct unintended escaping of XML in some WebDAV
responses. The XML list of support locks when provided in
response to a PROPFIND request was incorrectly XML escaped.
(markt)
+ Fix: 68227: Ensure that AsyncListener.onComplete() is called
if AsyncListener.onError() calls AsyncContext.dispatch().
(markt)
+ Fix: 68228: Use a 408 status code if a read timeout occurs
during HTTP request processing. Includes a test case based on
code provided by adwsingh. (markt)
+ Fix: 67667: TLSCertificateReloadListener prints unreadable
rendering of X509Certificate#getNotAfter(). (michaelo)
+ Update: The status servlet included in the manager webapp
can now output statistics as JSON, using the JSON=true URL
parameter. (remm)
+ Update: Optionally allow ServiceBindingPropertySource to
trim a trailing newline from a file containing a
property-value. (schultz)
+ Fix: 67793: Ensure the original session timeout is restored
after FORM authentication if the user refreshes a page during
the FORM authentication process. Based on a suggestion by
Mircea Butmalai. (markt)
+ Update: 67926: PEMFile prints unidentifiable string
representation of ASN.1 OIDs. (michaelo)
+ Fix: 66875: Ensure that setting the request attribute
jakarta.servlet.error.exception is not sufficient to trigger
error handling for the current request and response. (markt)
+ Fix: 68054: Avoid some file canonicalization calls
introduced by the fix for 65433. (remm)
+ Fix: 68089: Improve performance of request attribute access
for ApplicationHttpRequest and ApplicationRequest. (markt)
+ Fix: Use a 400 status code to report an error due to a bad
request (e.g. an invalid trailer header) rather than a 500
status code. (markt)
+ Fix: Ensure that an IOException during the reading of the
request always triggers error handling, regardless of whether
the application swallows the exception. (markt)
* Coyote
+ Fix: Refactor the VirtualThreadExecutor so that it can be
used by the NIO2 connector which was using platform threads
even when configured to use virtual threads. (markt)
+ Fix: Correct a regression in the fix for 67675 that broke
TLS key file parsing for PKCS#8 format keys that do not specify
an explicit pseudo-random function and rely on the default.
This typically affects keys generated by OpenSSL 1.0.2.
(markt)
+ Fix: Allow multiple operations with the same name on
introspected mbeans, fixing a regression caused by the
introduction of a second addSslHostConfig method. (remm)
+ Fix: Relax the check that the HTTP Host header is consistent
with the host used in the request line, if any, to make the
check case insensitive since host names are case insensitive.
(markt)
+ Add: 68348: Add support for the partitioned attribute for
cookies. (markt)
+ Add: 66670: Add SSLHostConfig#certificateKeyPasswordFile and
SSLHostConfig#certificateKeystorePasswordFile. (michaelo)
+ Add: When calling
SSLHostConfigCertificate.setCertificateKeystore(ks),
automatically call setCertificateKeystoreType(ks.getType()).
(markt)
+ Fix: 67628: Clarify how the ciphers attribute of the
SSLHostConfig is used. (markt)
+ Fix: 67666: Ensure TLS connectors using PEM files either
work with the TLSCertificateReloadListener or, in the rare case
that they do not, log a warning on Connector start. (markt)
+ Fix: 67675: Support a wider range of KDF and ciphers for PEM
files than the combinations supported by the JVM by default.
Specifically, support the OpenSSL default of HmacSHA256 and
DES-EDE3-CBC. (markt)
+ Fix: 67927: Reloading TLS configuration can cause the
Connector to refuse new connections or the JVM to crash.
(markt)
+ Fix: 67934: If both Tomcat Native 1.2.x and 2.0.x are
available, prefer 1.2.x since it supports the APR/Native
connector whereas 2.0.x does not. (markt)
+ Fix: 67938: Correct handling of large TLS client hello
messages that were causing the TLS handshake to fail. (markt)
+ Fix: 68026: Convert selected MessageByte values to String
when first accessed to speed up subsequent accesses and reduce
garbage collection. (markt)
* Jasper
+ Code: 68119: Refactor the CompositeELResolver to improve
performance during type conversion operations. (markt)
+ Fix: 68068: Performance improvement for EL. Based on a
suggestion by John Engebretson. (markt)
* Web Applications
+ Fix: 68035: Additional fix to the Manager application to
enable the deployment of a web application located in a Host's
appBase where the web application is specified by a bare (no
path) WAR or directory name as shown in the documentation.
(markt)
+ Fix: Examples. Improve the error handling so snakes
associated with a user that drops from the network are removed
from the game. (markt)
+ Fix: 68035: Correct a regression in the fix for 56248 that
prevented deployment via the Manager of a WAR or directory that
was already present in the appBase or a context file that was
already present in the xmlBase. (markt)
* Other
+ Update: Update Checkstyle to 10.12.7. (markt)
+ Update: Update SpotBugs to 4.8.3. (markt)
+ Add: Improvements to French translations. (remm)
+ Add: Improvements to Japanese translations by tak7iji.
(markt)
+ Update: Update UnboundID to 6.0.11. (markt)
+ Update: Update Checkstyle to 10.12.5. (markt)
+ Update: Update SpotBugs to 4.8.2. (markt)
+ Update: Update Derby to 10.17.1. (markt)
+ Add: Improvements to French translations. (remm)
+ Add: Improvements to Japanese translations by tak7iji.
(markt)
+ Add: Improvements to Brazilian Portuguese translations by
John William Vicente. (markt)
+ Add: Improvements to Russian translations by usmazat and
remm. (markt)
+ Add: 67538: Make use of Ant's <javaversion /> task to enforce
the minimum Java build version. (michaelo)
+ Update: Update Checkstyle to 10.12.4. (markt)
+ Update: Update JaCoCo to 0.8.11. (markt)
+ Update: Update SpotBugs to 4.8.0. (markt)
+ Update: Update BND to 7.0.0. (markt)
+ Update: The minimum Java version required to build Tomcat
has been raised to Java 17. (markt)
- Added patches:
* tomcat-9.0-build-with-java-11.patch
- change server.xml during %post instead of %posttrans
- Fix server.xml permission (bsc#1217768, bsc#1217402)
- remove serverxmltool and use xsltproc
- replace prep setup and patches macro with autosetup
- uyuni-reportdb-schema
-
- version 4.3.9-1
* Provide reportdb upgrade schema path structure
- yast2-http-server
-
- bsc#1218943
- followup of previous fix - fixed internal issue which caused
Server modules not to be displayed at all.
- 4.4.3