Packages changed:
  ImageMagick (7.0.5.4 -> 7.0.5.5)
  Mesa (17.0.4 -> 17.0.5)
  MozillaFirefox (52.0.2 -> 52.1.0)
  MozillaFirefox-branding-openSUSE
  autofs
  ceph (12.0.1+git.1491557762.4e47e9f -> 12.0.2+git.1493295295.8c88dc6)
  cpupower (4.10 -> 4.11)
  hwinfo (21.39 -> 21.40)
  libsolv (0.6.26 -> 0.6.27)
  libvirt (3.2.0 -> 3.3.0)
  libzypp (16.8.0 -> 16.9.0)
  mxml
  open-iscsi
  parted
  python-kiwi (9.4.10 -> 9.6.0)
  samba (4.6.2+git.19.c267455e57b -> 4.6.3+git.21.0735c828d4f)
  slrn (1.0.2 -> 1.0.3)
  tcsh
  tmux
  vim
  xine-ui
  xmlbeans
  zypper (1.13.24 -> 1.13.25)

=== Details ===

==== ImageMagick ====
Version update (7.0.5.4 -> 7.0.5.5)
Subpackages: ImageMagick-devel ImageMagick-extra libMagick++-7_Q16HDRI2 libMagickCore-7_Q16HDRI2 libMagickWand-7_Q16HDRI0 perl-PerlMagick

- updated to 7.0.5-5
  * Minimize buffer copies to improve OpenCL performance.
  * Morphology thinning is no longer a no-op.
  * Patch two PCD writer problems, corrupt output and dark pixels.
  * Support ICC based PDF's.
  * Fix improper EPS clip path rendering.
- workaround failed test
  + ImageMagick-relax-filter.t.patch

==== Mesa ====
Version update (17.0.4 -> 17.0.5)
Subpackages: Mesa-dri-devel Mesa-dri-nouveau Mesa-libEGL-devel Mesa-libEGL1 Mesa-libGL-devel Mesa-libGL1 Mesa-libglapi0 Mesa-libglapi0-32bit Mesa-libva libOSMesa8 libOSMesa8-32bit libgbm1 libvdpau_nouveau libvdpau_r300 libvdpau_r600 libvdpau_radeonsi libvulkan_intel libvulkan_radeon libwayland-egl1 libxatracker2

- update to 17.0.5
  * fdo#97524 - Samplers referring to the same texture unit with
    different types should raise GL_INVALID_OPERATION
  * nvc0/ir: Properly handle a "split form" of predicate destination
  * nir: Destination component count of shader_clock intrinsic is 2
  * winsys/sw/dri: don't use GNU void pointer arithmetic
  * st/clover: add space between < and ::
  * configure.ac: check require_basic_egl only if egl enabled
  * st/mesa: automake: honour the vdpau header install location
  * intel/fs: Use regs_written() in spilling cost heuristic for
    improved accuracy
  * intel/fs: Take into account amount of data read in spilling cost
    heuristic.
  * radv: report timestampPeriod correctly
  * anv/blorp: Flush the texture cache in UpdateBuffer
  * anv/cmd_buffer: Flush the VF cache at the top of all primaries
  * anv/cmd_buffer: Always set up a null surface state
  * anv/cmd_buffer: Use the null surface state for ATTACHMENT_UNUSED
  * anv/blorp: Properly handle VK_ATTACHMENT_UNUSED
  * i965/vec4: Avoid reswizzling MACH instructions in
    opt_register_coalesce()
  * st/mesa: invalidate the readpix cache in st_indirect_draw_vbo
  * anv/cmd_buffer: Disable CCS on BDW input attachments
  * mesa: fix remaining xfb prims check for GLES with multiple instances
  * mesa: validate sampler type across the whole program
  * vbo: fix gl_DrawID handling in glMultiDrawArrays
  * util/queue: don't hang at exit
  * mesa: fix remaining xfb prims check for GLES with multiple instances
  * mesa: extract need_xfb_remaining_prims_check
  * mesa: move glMultiDrawArrays to vbo and fix error handling
  + update Mesa.keyring to both upstream release managers
- u_gallivm-correct-channel-shift-logic-on-big-endian.patch:
  * instead of reverse applying a change on s390x
    ("U_draw-use-SoA-fetch-not-AoS-one.patch") address the issue by a
    real fix (bsc#1032272, fdo#100613)
- baselibs.conf: added libvulkan_intel-32bit as a requirement for
  Mesa-libd3d (boo#1036282)
- No OpenCL on ppc

==== MozillaFirefox ====
Version update (52.0.2 -> 52.1.0)
Subpackages: MozillaFirefox-translations-common

- update to Firefox 52.1.0esr (boo#1035082)
  MFSA 2017-12
  * CVE-2017-5443 (bmo#1342661)
    Out-of-bounds write during BinHex decoding
  * CVE-2017-5429 (bmo#1341096, bmo#1342823, bmo#1343261, bmo#1348894,
    bmo#1348941, bmo#1349340, bmo#1350844, bmo#1352926, bmo#1353088)
    Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and
    Firefox ESR 52.1
  * CVE-2017-5464 (bmo#1347075)
    Memory corruption with accessibility and DOM manipulation
  * CVE-2017-5465 (bmo#1347617)
    Out-of-bounds read in ConvolvePixel
  * CVE-2017-5466 (bmo#1353975)
    Origin confusion when reloading isolated data:text/html URL
  * CVE-2017-5467 (bmo#1347262)
    Memory corruption when drawing Skia content
  * CVE-2017-5460 (bmo#1343642)
    Use-after-free in frame selection
  * CVE-2017-5461 (bmo#1344380)
    Out-of-bounds write in Base64 encoding in NSS
  * CVE-2017-5448 (bmo#1346648)
    Out-of-bounds write in ClearKeyDecryptor
  * CVE-2017-5449 (bmo#1340127)
    Crash during bidirectional unicode manipulation with animation
  * CVE-2017-5446 (bmo#1343505)
    Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect
    data
  * CVE-2017-5447 (bmo#1343552)
    Out-of-bounds read during glyph processing
  * CVE-2017-5444 (bmo#1344461)
    Buffer overflow while parsing application/http-index-format content
  * CVE-2017-5445 (bmo#1344467)
    Uninitialized values used while parsing
    application/http-index-format content
  * CVE-2017-5442 (bmo#1347979)
    Use-after-free during style changes
  * CVE-2017-5469 (bmo#1292534)
    Potential Buffer overflow in flex-generated code
  * CVE-2017-5440 (bmo#1336832)
    Use-after-free in txExecutionState destructor during XSLT processing
  * CVE-2017-5441 (bmo#1343795)
    Use-after-free with selection during scroll events
  * CVE-2017-5439 (bmo#1336830)
    Use-after-free in nsTArray Length() during XSLT processing
  * CVE-2017-5438 (bmo#1336828)
    Use-after-free in nsAutoPtr during XSLT processing
  * CVE-2017-5437 (bmo#1343453)
    Vulnerabilities in Libevent library
  * CVE-2017-5436 (bmo#1345461)
    Out-of-bounds write with malicious font in Graphite 2
  * CVE-2017-5435 (bmo#1350683)
    Use-after-free during transaction processing in the editor
  * CVE-2017-5434 (bmo#1349946)
    Use-after-free during focus handling
  * CVE-2017-5433 (bmo#1347168)
    Use-after-free in SMIL animation functions
  * CVE-2017-5432 (bmo#1346654)
    Use-after-free in text input selection
  * CVE-2017-5430 (bmo#1329796, bmo#1337418, bmo#1339722, bmo#1340482,
    bmo#1342101, bmo#1344081, bmo#1344305, bmo#1344686, bmo#1346140,
    bmo#1346419, bmo#1348143, bmo#1349621, bmo#1349719, bmo#1353476)
    Memory safety bugs fixed in Firefox 53 and Firefox ESR 52.1
  * CVE-2017-5459 (bmo#1333858)
    Buffer overflow in WebGL
  * CVE-2017-5462 (bmo#1345089)
    DRBG flaw in NSS
  * CVE-2017-5455 (bmo#1341191)
    Sandbox escape through internal feed reader APIs
  * CVE-2017-5454 (bmo#1349276)
    Sandbox escape allowing file system read access through file picker
  * CVE-2017-5456 (bmo#1344415)
    Sandbox escape allowing local file system access
  * CVE-2017-5451 (bmo#1273537)
    Addressbar spoofing with onblur event
- requires NSS 3.28.4
- rebased patches

==== MozillaFirefox-branding-openSUSE ====

- recognize Leap 42.3 (boo#1036679)

==== autofs ====

- remove rpmlintrc, review was boo#782691
- Fix spurious ELOOP on certain kinds of failures (bsc#968918):
  * autofs: fix yp map age not updated in s/_/./g case
  * autofs: properly handle errors in lookup_nss_mount
  * Added patches:
    autofs-5.1.1-properly-handle-errors-in-lookup_nss_mount.patch
    autofs-5.1.1-fix-yp-map-age-not-updated-during-map-lookup.patch

==== ceph ====
Version update (12.0.1+git.1491557762.4e47e9f -> 12.0.2+git.1493295295.8c88dc6)
Subpackages: librados2 librbd1

- Update to version 12.0.2+git.1493291471.adb6a43:
  + rocksdb: sync with upstream (bsc#1025891)
  + build/ops: cmake: explicitly disable MSSE 4.2 if not supported
- _constraints: set higher disk and memory constraints so s390x builds
  don't fail
- Update to version 12.0.2+git.1493238434.71681fd:
  + cmake: added empty RPATH to libceph_crypto_isal.so
- Update to version 12.0.2+git.1493227670.3396ca1:
  + rgw: use a vector for options passed to civetweb
- Update to version 12.0.2+git.1493192333.3305a0c
  + merge upstream master (0d368d2c8544247a4aed9c71c74e77b0c6bbfb22)
    including 12.0.2 development release
- revert commit a9a50f690085091bb4446095418237f9fef712c8
  in preparation for rebasing against the upstream implementation.
  (bsc#1035937)

==== cpupower ====
Version update (4.10 -> 4.11)
Subpackages: libcpupower0

- Update to latest mainline sources
- turbostat changed versioning scheme (we now have version 17.04.12)

==== hwinfo ====
Version update (21.39 -> 21.40)
Subpackages: hwinfo-devel

- enhance documentation
- merge gh#openSUSE/hwinfo#45
- small doc changes
- 21.40

==== libsolv ====
Version update (0.6.26 -> 0.6.27)
Subpackages: libsolv-devel libsolv-tools perl-solv python-solv

- change queue resize code to use adaptive chunk sizes
- fix potential segfault in testcase_depstr [bnc#1036002]
- fix performance issues with name = md5sum dependencies [bnc#1035946]
- improve "forcebest with uninstall" handling
- make dirid handling more robust
- build with libxml2 instead of libexpat
- bump version to 0.6.27

==== libvirt ====
Version update (3.2.0 -> 3.3.0)
Subpackages: libvirt-client libvirt-daemon libvirt-daemon-config-network libvirt-daemon-config-nwfilter libvirt-daemon-driver-interface libvirt-daemon-driver-libxl libvirt-daemon-driver-lxc libvirt-daemon-driver-network libvirt-daemon-driver-nodedev libvirt-daemon-driver-nwfilter libvirt-daemon-driver-qemu libvirt-daemon-driver-secret libvirt-daemon-driver-storage libvirt-daemon-driver-storage-core libvirt-daemon-driver-storage-disk libvirt-daemon-driver-storage-iscsi libvirt-daemon-driver-storage-logical libvirt-daemon-driver-storage-mpath libvirt-daemon-driver-storage-rbd libvirt-daemon-driver-storage-scsi libvirt-daemon-driver-uml libvirt-daemon-driver-vbox libvirt-daemon-lxc libvirt-daemon-qemu libvirt-daemon-xen libvirt-libs

- Update to libvirt 3.3.0 RC1
  - Many incremental improvements and bug fixes, see
    http://libvirt.org/news.html
  - Dropped patches:
    ae102b5d7-qemu-fix-regression-when-hyperv-vendor_id-feature-is-used.patch
  - Bug fixes: bsc#978121, bsc#1017017, bsc#1032863, bsc#1033117,
    bsc#1034024, bsc#1034146
- libxl: add default controllers for USB devices
  libxl-def-usbctrl.patch
  bsc#1031056

==== libzypp ====
Version update (16.8.0 -> 16.9.0)

- PoolQuery: Treat explicit queries for 'kind:name' correctly
  (bsc#1035729)
- version 16.9.0 (0)

==== mxml ====
Subpackages: libmxml1

- Add reproducible.patch to make build reproducible

==== open-iscsi ====
Subpackages: iscsiuio

- Added support for qedi ping (bsc#1036238)

==== parted ====
Subpackages: libparted0

- Use latest fdasd/vtoc code base from s390-tools (fate#321531)
  - add: libparted-dasd-unify-vtoc-handling-for-cdl-ldl.patch
  - add: libparted-dasd-update-and-improve-fdasd-functions.patch
  - add: libparted-dasd-add-new-fdasd-functions.patch
- libparted: Don't warn if the HDIO_GET_IDENTITY ioctl isn't supported
  (bsc#964012, bsc#1001967)
  - add: libparted-dont-warn-if-no-HDIO_GET_IDENTITY.patch
- Amend patch description:
  - libparted-open-the-device-RO-and-lazily-switch-to-RW.patch

==== python-kiwi ====
Version update (9.4.10 -> 9.6.0)
Subpackages: kiwi-pxeboot kiwi-tools

- Bump version: 9.5.0 → 9.6.0
- Additional container commandline options
  Added --set-container-derived-from and --set-container-tag
  commandline options which allows to overwrite the data set
  in the XML configuration
- Implement obsrepositories source on derived_from
  The following reference to a derived container:
  obsrepositories:/container#latest
  Will be translated into the following buildservice local path:
  /usr/src/packages/SOURCES/containers/_obsrepositories/container#latest
- Implement obs source on derived_from
  The following reference to a derived container:
  obs:/project/repo/container#tag
  Will be translated into the following buildservice local path:
  /usr/src/packages/SOURCES/containers/project/repo/container#tag
- Use urlparse to detect uri scheme
  The source location postfix can contain several different
  formats e.g :/, or :// or even just :, python's urlparse
  is able to cope with all that which allows to work with
  the url scheme base name and thus makes handling this
  code more robust
- Bump version: 9.4.11 → 9.5.0
- Include '--delete' in OCI images DataSync
  This commit includes #310 patch for OCI images. It also corrects
  the end of line format for kiwi/container/docker.py and
  test/unit/container_image_docker_test.py, so flake tests are
  all green.
- Include --delete flag in DataSync for docker images
  This commit includes the --delete flag in order to synchronize
  the docker images. This is relevant for derived images where the
  new layer might not only add files, but also remove something from
  the base image.
  Fixes #309
- Define correct default locations for sources-dir and preferences-dir
  In order to ensure that the defined repositories in the KIWI
  configuration are set to the correct places for installing into
  the image, the sources-dir and preferences-dir need to be redefined
  to point to the in-image location, as it is done for the other
  package managers.
- Do not purge the repositories before inserting them
  There are no good reasons to be purging the repo directories,
  especially when it is common for some distributions
  (Red Hat/CentOS/Fedora, for example) to ship repository
  configuration as packages. Deleting them puts the package manager
  in the system into a weird state, so we want to avoid this.
- Fix default reposdir path for Yum
- Add support for OCI images
  This commit adds support for OCI images. Most of the docker related
  code is reused for OCI classes and Docker classes have been
  refactored so now they are a specialization of the OCI classes.
  It is done this way since KIWI internally only uses OCI format to
  operate with containers, therefore docker images just differ
  from OCI images by the way they are packaged or unpackaged.
- Add clear attribute for entrypoint and subcommand sections
  This commit adds the possibility of clearing any subcommand or
  entrypoint. This is relevant for docker derived images, as they
  inherit the configuration and it might lead to some bad behavior.
- Bump version: 9.4.10 → 9.4.11
- Add require/recommend installation support for yum
  This commit adds support to install required only or required
  plus recommended packages using yum as the package manager.
- Add support for required/recommended packages
  This commit enables support to install only required packages or
  install required plus recommended packages.
- Include 'plusRecommended' management for dnf
  Add support to enable/disable installation of recommended packages
  for dnf package manager. With this commit 'plusRecommended'
  patternType triggers on installation of recommended packages, which
  is turned off by default.
- Make sure debian repositories database is populated before install
  This commit includes an 'apt-get update' call before any
  'apt-get install' command. This way the packages database is always
  ready, even if no bootstrap procedure has been executed.

==== samba ====
Version update (4.6.2+git.19.c267455e57b -> 4.6.3+git.21.0735c828d4f)
Subpackages: libdcerpc-binding0 libdcerpc-binding0-32bit libdcerpc0 libdcerpc0-32bit libndr-krb5pac0 libndr-krb5pac0-32bit libndr-nbt0 libndr-nbt0-32bit libndr-standard0 libndr-standard0-32bit libndr0 libndr0-32bit libnetapi0 libnetapi0-32bit libsamba-credentials0 libsamba-credentials0-32bit libsamba-errors0 libsamba-errors0-32bit libsamba-hostconfig0 libsamba-hostconfig0-32bit libsamba-passdb0 libsamba-passdb0-32bit libsamba-util0 libsamba-util0-32bit libsamdb0 libsamdb0-32bit libsmbclient-devel libsmbclient0 libsmbconf0 libsmbconf0-32bit libsmbldap0 libsmbldap0-32bit libtevent-util0 libtevent-util0-32bit libwbclient0 libwbclient0-32bit samba-client samba-client-32bit samba-doc samba-libs samba-libs-32bit samba-winbind samba-winbind-32bit

- Update to 4.6.3; (bsc#1036011)
  + s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from
    shares with GlusterFS backend; (bso#12743).
  + Fix for Solaris C compiler; (bso#12559).
  + s3: locking: Update oplock optimization for the leases era;
    (bso#12628).
  + Make the Solaris C compiler happy; (bso#12693).
  + s3: libgpo: Allow skipping GPO objects that don't have the expected
    LDAP attributes; (bso#12695).
  + Fix buffer overflow caused by wrong use of getgroups; (bso#12747).
  + lib: debug: Avoid negative array access; (bso#12746).
  + cleanupdb: Fix a memory read error; (bso#12748).
  + streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY;
    (bso#7537).
  + winbindd: idmap_autorid allocates ids for unknown SIDs from other
    backends; (bso#11961).
  + vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY;
    (bso#12565).
  + manpages/vfs_fruit: Document global options; (bso#12615).
  + lib/pthreadpool: Fix a memory leak; (bso#12624).
  + Lookup-domain for well-known SIDs on a DC; (bso#12727).
  + winbindd: Fix error handling in rpc_lookup_sids(); (bso#12728).
  + winbindd: Trigger possible passdb_dsdb initialisation; (bso#12729).
  + credentials_krb5: use gss_acquire_cred for client-side GSSAPI use
    case; (bso#12611).
  + lib/crypto: Implement samba.crypto Python module for RC4;
    (bso#12690).
  + ctdb-readonly: Avoid a tight loop waiting for revoke to complete;
    (bso#12697).
  + ctdb_event monitor command crashes if event is not specified;
    (bso#12723).
  + ctdb-docs: Fix documentation of "-n" option to 'ctdb tool';
    (bso#12733).
  + smbd: Fix smb1 findfirst with DFS; (bso#12558).
  + smbd: Do an early exit on negprot failure; (bso#12610).
  + winbindd: Fix substitution for 'template homedir'; (bso#12699).
  + s4:kdc: Disable principal based autodetected referral detection;
    (bso#12554).
  + idmap_autorid: Allocate new domain range if the callers knows the
    sid is valid; (bso#12613).
  + LINKFLAGS_PYEMBED should not contain -L/some/path; (bso#12724).
  + PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for
    trusted domain; (bso#12725).
  + rpcclient: Allow -U'OTHERDOMAIN\user' again; (bso#12731).
  + winbindd: Fix password policy for pam authentication; (bso#12725).
  + s3:gse: Correctly handle external trusts with MIT; (bso#12554).
  + auth/credentials: Always set the realm if we set the principal from
    the ccache; (bso#12611).
  + replace: Include sysmacros.h; (bso#12686).
  + s3:vfs_expand_msdfs: Do not open the remote address as a file;
    (bso#12687).
  + s3:libsmb: Only print error message if kerberos use is forced;
    (bso#12704).
  + winbindd: Child process crashes when kerberos-authenticating a user
    with wrong password; (bso#12708).
  + vfs_fruit: Office document opens as read-only on macOS due to CNID
    semantics; (bso#12715).
  + vfs_acl_xattr: Fix failure to get ACL on Linux if memory is
    fragmented; (bso#12737).
- Generate and update vendor-files tarball from Git
  + SuSEfirewall2 service samba-client only setup IPv4 rule;
    (bsc#1034416).

==== slrn ====
Version update (1.0.2 -> 1.0.3)
Subpackages: slrn-lang

- remove unused files with restrictive licenses - bsc#1036331
- Ensure neutrality in description.
- slrn 1.0.3:
  * A quoted-string in the display portion of an address was not
    being marked as allowing mime-encoded text.
  * After calling iconv to perform a character set conversion on an
    article line, call it again with just the newline character.
    This resets the state for some conversion types (UTF-7).
  * Disable support for SSLv3, which is vulnerable to POODLE attacks
    CVE-2014-3566 bsc#1031023
  * The reject_long_lines option was not working as documented.
    Setting it to 0 had no effect when netiquette_warnings was set
    to a non-zero value.
  * replace_article_with_mime_obj, also decode
    quoted-printable/base64.
  * Add a file from the autoconf archive that detects libraries
    needed for socket support. The old method used X_EXTRA_LIBS,
    which breaks if X is not installed.
  * Added support for large (>2GB) files on 32 bit unix systems.
  * Updated Danish translation
  * If a mime message has already been base64/QP converted, do not
    try to convert it again.
  * Do not use SSL_CTX_set_options if gnutls is being used
  * Use labs instead of abs for long integer
  * Removed compilation date info for a reproducible build
  * rfc1522_encode_word: max_nbytes was not being properly limit
    checked.

==== tcsh ====
Subpackages: tcsh-lang

- Add patch tcsh-6.20.00-8bit-cmdkeys.patch
  Do not convert current used control bytes into wide characters
- Extend bindkey.tcsh with 8-bit controls key escape sequences

==== tmux ====

- Fix boo#1037468 - tmux_issue889.patch

==== vim ====
Subpackages: gvim vim-data

- Extend vimrc with mappings for 8-bit controls key escape sequences
- Conflict with old vim versions to fix the upgrade from 12.3
  boo#1036583

==== xine-ui ====

- Add reproducible.patch to make build fully reproducible
  by not having variations in mime type order in .desktop file

==== xmlbeans ====

- Buildignore xml-commons-jaxp-1.3-apis and xml-commons-resolver12
  only when building xmlbeans-mini.

==== zypper ====
Version update (1.13.24 -> 1.13.25)
Subpackages: zypper-aptitude zypper-log

- Fix translation shortcut error (bsc#1035344)
- version 1.13.25