Packages changed:
  ImageMagick (7.0.7.15 -> 7.0.7.21)
  Mesa (17.2.6 -> 17.3.2)
  Mesa-drivers (17.2.6 -> 17.3.2)
  ModemManager (1.6.8 -> 1.6.12)
  MozillaFirefox
  NetworkManager-applet
  acpica
  antlr
  bluez (5.47 -> 5.48)
  brltty
  btrfsprogs (4.13.3 -> 4.14.1)
  cairo (1.15.8 -> 1.15.10)
  corosync
  deltarpm
  device-mapper
  evince (3.26.0 -> 3.26.0+20171120.3955d480)
  evolution (3.26.3 -> 3.26.4)
  evolution-data-server (3.26.3 -> 3.26.4)
  evolution-ews (3.26.3 -> 3.26.4)
  fftw3
  fluidsynth (1.1.8 -> 1.1.9)
  freerdp
  gdk-pixbuf
  gdm
  gimp
  gnome-font-viewer
  gnome-shell (3.26.2 -> 3.26.2+20171218.15b1810a6)
  gnome-software (3.26.3 -> 3.26.4)
  gpgme
  gstreamer-plugins-base
  gtk2 (2.24.31+20171209.61d5c82f5c -> 2.24.32)
  gutenprint (5.2.13 -> 5.2.13pre14.2)
  harfbuzz
  hdf5
  hwinfo (21.50 -> 21.51)
  hyper-v
  iputils
  ispell
  k3b (17.12.0 -> 17.12.1)
  kdump
  kernel-source (4.14.12 -> 4.14.13)
  kio
  krita (3.3.2.1 -> 3.3.3)
  krusader
  ldns
  libdrm (2.4.88 -> 2.4.89)
  libe-book (0.1.2 -> 0.1.3)
  libepoxy
  libglvnd
  libmediaart
  libpagemaker (0.0.3 -> 0.0.4)
  libpeas
  libpwquality (1.3.0 -> 1.4.0)
  libqt5-qtwebengine
  libqt5-qtwebsockets
  librsvg (2.40.20 -> 2.42.0)
  libsamplerate
  libteam
  libvirt
  libxcb
  libzio (1.05 -> 1.06)
  llvm
  logrotate (3.12.3 -> 3.13.0)
  lvm2
  makedumpfile
  mdadm
  mjpegtools
  mutter (3.26.2 -> 3.26.2+20171231.0bd1d7cf0)
  nbd (3.16.1 -> 3.16.2)
  newt
  nghttp2 (1.28.0 -> 1.29.0)
  ntp
  numactl
  openblas_pthreads
  opencv
  openssh (7.2p2 -> 7.6p1)
  patterns-kde
  php7 (7.2.0 -> 7.2.1)
  plasma5-desktop
  plasma5-pk-updates
  publicsuffix (20171028 -> 20171228)
  python-attrs (17.3.0 -> 17.4.0)
  python-cssselect (1.0.1 -> 1.0.3)
  python-dbus-python
  python-gpgme
  python-httplib2
  python-kiwi (9.11.24 -> 9.11.30)
  python-numpy (1.13.3 -> 1.14.0)
  python-pywbem
  qemu
  qemu-linux-user
  rsync
  ruby2.4
  serd
  speech-dispatcher
  swig
  tbb
  texinfo (6.4 -> 6.5)
  totem
  tracker
  tracker-miners
  vim (8.0.1417 -> 8.0.1428)
  virtualbox
  webkit2gtk3 (2.18.4 -> 2.18.5)
  wireless-regdb (2017.03.07 -> 2017.12.23)
  wireshark (2.4.3 -> 2.4.4)
  xen (4.10.0_08 -> 4.10.0_10)
  xorg-x11-server (1.19.5 -> 1.19.6)
  yast2-ruby-bindings (4.0.3 -> 4.0.4)

=== Details ===

==== ImageMagick ====
Version update (7.0.7.15 -> 7.0.7.21)
Subpackages: ImageMagick-devel ImageMagick-extra libMagick++-7_Q16HDRI4 libMagickCore-7_Q16HDRI5 libMagickWand-7_Q16HDRI5 perl-PerlMagick

- update to 7.0.7.21
  * Fix some enum values in the OpenCL code.
  * Fixed numerous memory leaks.
  * Check for webpmux library version 0.4.4.
  * Fix heap use after free error.
  * Fix error reading multi-layer XCF image file.
  * Fix possible stack overflow in WEBP reader.

==== Mesa ====
Version update (17.2.6 -> 17.3.2)
Subpackages: Mesa-dri-devel Mesa-libEGL-devel Mesa-libEGL1 Mesa-libGL-devel Mesa-libGL1 Mesa-libglapi0 libgbm1 libwayland-egl1

- U_intel-Add-more-Coffee-Lake-PCI-IDs.patch
  * Add more Coffeelake PCI IDs (request by Intel)
- Update to 17.3.2
  * Multiple fixes in the RADV Vulkan driver, workaround when using
    slibtool and a GLSL workaround for various titles using Unreal
    Engine 4.
- Drop upstreamed u_r600-Add-support-for-B5G5R5A1.patch
- Modify u_mesa-python3-only.patch to not break python 2.
- Update to 17.3.1
  * Multiple fixes and improvements of the GLSL shader cache. The
    RADV driver no longer advertises VK_EXT_debug_report - there is
    no support for it.
  * The i965, radeonsi, nvc0 and freedreno drivers have received a
    few small fixes each.
  * A number of big endian fixes have been merged.
- Switch to python3 during build instead of python2
  * Add patch u_mesa-python3-only.patch
- Add Mesa-dri and Mesa-gallium to baselibs.conf.
- Require llvm >= 3.9.0
  * The build fails otherwise because it is required for multiple
    Mesa components.
- Drop some redundant wording from descriptions.
  Drop redundant %if guard around a %post section.
- Use different form of split for faster build (bnc#1071297)
  * Mesa.spec does not use llvm and builds most of the *-devel
    subpackages.
  * Mesa-drivers.spec uses llvm and builds extra things installable
    in addition to packages from Mesa.spec. These packages are
    required for actual rendering.
- update to 17.3.0
- drop U_configure.ac-rework-llvm-libs-handling-for-3.9.patch
  * new major release comitng with changes in RADV, intel ANV,
    S3TC support, RadeonSI driver with RX Vega. On-disk shader cache
- Split Mesa into Mesa and Mesa-mini. Mesa-mini does not depend on
  llvm and its purpose is to build fast and allow other packages
  that BuildRequire Mesa to be build independently on llvm.
  Packages built against Mesa-mini should work correctly when
  installed with full Mesa package. (bsc#1071297)

==== Mesa-drivers ====
Version update (17.2.6 -> 17.3.2)
Subpackages: Mesa-libva libvdpau_r300 libvdpau_r600 libvdpau_radeonsi libvulkan_radeon libxatracker2

- U_intel-Add-more-Coffee-Lake-PCI-IDs.patch
  * Add more Coffeelake PCI IDs (request by Intel)
- Update to 17.3.2
  * Multiple fixes in the RADV Vulkan driver, workaround when using
    slibtool and a GLSL workaround for various titles using Unreal
    Engine 4.
- Drop upstreamed u_r600-Add-support-for-B5G5R5A1.patch
- Modify u_mesa-python3-only.patch to not break python 2.
- Update to 17.3.1
  * Multiple fixes and improvements of the GLSL shader cache. The
    RADV driver no longer advertises VK_EXT_debug_report - there is
    no support for it.
  * The i965, radeonsi, nvc0 and freedreno drivers have received a
    few small fixes each.
  * A number of big endian fixes have been merged.
- Switch to python3 during build instead of python2
  * Add patch u_mesa-python3-only.patch
- Add Mesa-dri and Mesa-gallium to baselibs.conf.
- Require llvm >= 3.9.0
  * The build fails otherwise because it is required for multiple
    Mesa components.
- Drop some redundant wording from descriptions.
  Drop redundant %if guard around a %post section.
- Use different form of split for faster build (bnc#1071297)
  * Mesa.spec does not use llvm and builds most of the *-devel
    subpackages.
  * Mesa-drivers.spec uses llvm and builds extra things installable
    in addition to packages from Mesa.spec. These packages are
    required for actual rendering.
- update to 17.3.0
- drop U_configure.ac-rework-llvm-libs-handling-for-3.9.patch
  * new major release comitng with changes in RADV, intel ANV,
    S3TC support, RadeonSI driver with RX Vega. On-disk shader cache
- Split Mesa into Mesa and Mesa-mini. Mesa-mini does not depend on
  llvm and its purpose is to build fast and allow other packages
  that BuildRequire Mesa to be build independently on llvm.
  Packages built against Mesa-mini should work correctly when
  installed with full Mesa package. (bsc#1071297)

==== ModemManager ====
Version update (1.6.8 -> 1.6.12)
Subpackages: ModemManager-bash-completion ModemManager-devel ModemManager-lang libmm-glib0 typelib-1_0-ModemManager-1_0

- Update to version 1.6.12:
  + Blacklist:
  - Ignored Pycom devices.
  - Added Microchip's VID to the greylist.
  + QMI:
  - Fixed connection state machine when built against libqmi <
    1.18.
  - Fixed connection state machine when an error is reported
    setting up WDS indications.
- Changes from version 1.6.10:
  + Blacklist:
  - Ignored Silicon Labs USB Zigbee dongles.
  - Ignored Garmin ANT+ sticks.
  - Ignored Intel coredump downloader device.
  + QMI:
  - Fixed potential user-after-free issues.
  - Fixed missing handler cleanups on network-initiated
    disconnects.
  + MBIM:
  - Fix invalid session_id and nw_error reads.
  - Avoid calling mbim_message_unref() on NULL message.
  - Fixed invalid object access due to handlers not being removed
    correctly.
  - Ensure session is disconnected before trying to connect.
  - Fixed t crash when modem doesn't send gateways.
  + udev:
  - Removed default ID_MM_PLATFORM_DRIVER_PROBE whitelist.
    Devices exposed via the 'atmel_usart' driver aren't probed
    automatically any more.
  + Core:
  - Fixed running init sequence after port flashing in
    disconnection.
  - Fixed "forbidden product strings" check in plugins.
  - Fixed multiple memory leaks and invalid memory read/writes.
  - Fixed multiple async operation completions in event handlers.
  - Fixed multiple potential NULL dereferences.
  - Fixed deadlock when trying to disconnect cancellable.
  - Fixed reporting TX/RX stats (numbers were swapped).
  - Ignored USB interface removal events.
  + libmm-glib: Fix NULL dereference on firmware unique_id checks.
  + polkit: Added missing Location interface method rules.
  + Plugins:
  - MBM: set data port for Dell DW5560.
  - Simtech: fix error reporting in 3gpp unsolicited events
    enabling.
  - Fixed multiple memory leaks.
  + systemd: Drop After=syslog.target rule.
- Drop post(un) handling of icon_theme_cache_post(un), no longer
  needed, file-triggers takes care of this now.
- Drop ModemManager-1.0.0-systemd-activation.patch: No longer
  needed.

==== MozillaFirefox ====
Subpackages: MozillaFirefox-translations-common

- fixed build with latest rust (mozilla-rust-1.23.patch)

==== NetworkManager-applet ====
Subpackages: NetworkManager-applet-lang NetworkManager-connection-editor libnm-gtk0 libnma0 nma-data typelib-1_0-NMGtk-1_0

- Add
  0001-shared-compat-fix-memory-handling-of-nm_setting_vpn_.patch
  and
  0002-shared-compat-fix-memory-handling-of-nm_setting_vpn_.patch:
  fix crashes due to double frees.

==== acpica ====

- Changed shebang path in wmidump_add_she_bang.patch
  to /usr/bin/python3
  [bsc#1075687,wmidump_add_she_bang.patch]

==== antlr ====
Subpackages: antlr-devel antlr-java

- Add condition about python2 module, the rewrite happened in antlr4
  for python3 support and it is completely different than the antlr2
  * The python module is not used by any package in TW bsc#1068226

==== bluez ====
Version update (5.47 -> 5.48)
Subpackages: bluez-cups bluez-devel libbluetooth3

- update to version 5.48:
  This release brings many fixes and feature enhancements.
  Some notable enhancements include support for devices with the
  BLE battery service, as well as improved Mesh support in the
  meshctl tool. Several previously experimental D-Bus APIs have now
  been marked as stable, notably the Advertising Manager API as
  well as the AquireWrite & AquireNotify GATT APIs.
  As far as fixes go, these can be found in many areas of the stack,
  including A2DP, AVCTP, device discovery, Mesh, and GATT.

==== brltty ====
Subpackages: brltty-driver-at-spi2 brltty-driver-brlapi brltty-driver-espeak brltty-driver-speech-dispatcher brltty-driver-xwindow brltty-lang libbrlapi0_6 python3-brlapi xbrlapi

- Fix %pre, %post, and %postun: brltty.service is now
  brltty@.service (boo#1074096).

==== btrfsprogs ====
Version update (4.13.3 -> 4.14.1)
Subpackages: btrfsprogs-udev-rules libbtrfs0

- spec: fix distro version condition
- update to version 4.14.1
  * dump-tree: print times of root items
  * check: fix several lowmem mode bugs
  * convert: fix rollback after balance
  * other
  * new and updated tests, enabled lowmem mode in CI
  * docs updates
  * fix travis CI build
  * build fixes
  * cleanups
- update to version 4.14
  * build: libzstd now required by default
  * check: more lowmem mode repair enhancements
  * subvol set-default: also accept path
  * prop set: compression accepts no/none, same as ""
  * filesystem usage: enable for filesystem on top of a seed device
  * rescue: new command fix-device-size
  * other
  * new tests
  * cleanups and refactoring
  * doc updates
- Removed patches:
  - rollback-regression-fix.patch - upstreamed
- spec: disable static build, missing libzstd-devel-static
- spec: disable zstd support for non-Tumbleweed distros

==== cairo ====
Version update (1.15.8 -> 1.15.10)
Subpackages: cairo-devel libcairo-gobject2 libcairo-script-interpreter2 libcairo2 libcairo2-32bit

- Update to version 1.15.10:
  + Features and Enhancements:
  - Add support for OpenGL ES 3.0 to the gl backend.
  - Use Reusable streams for forms in Level 3 Postscript.
  - Add CAIRO_MIME_TYPE_EPS mime type for embedding EPS files.
  - Add CCITT_FAX mime type for PDF and PS surfaces.
  - svg: add a new function to specify the SVG document unit
    (fdo#90166).
  - Use UTF-8 filenames on Windows.
  + API Changes: cairo_svg_surface_set_document_unit() and
    cairo_svg_surface_get_document_unit().
  + Bugs fixed:
  - Fix regression in gles version detection.
  - Fix undefined-behavior with integer math.
  - Handle SOURCE and CLEAR operators when painting color glyphs
    (fdo#102661).
  - Convert images to rgba or a8 formats when uploading with
    GLESv2.
  - Use _WIN32 instead of windows.h to check for windows build.
  - Fix sigabrt printing documents with fonts lacking the
    mandatory .nodef glyph (fdo#102922).
  - Prevent curved strokes in small ctms from being culled from
    vector surfaces (fdo#103071).
  - Fix painting an unbounded recording surface with the SVG
    backend.
  - Fix falling back to system font with PDFs using certain
    embedded fonts, due to truncated font names (fdo#103249).
  - Fix handling of truetype fonts with excessively long font
    names (fdo#103249).
  - Fix race conditions with cairo_mask_compositor_t
    (fdo#103037).
  - Fix build error with util/font-view.
  - Fix assertion hit with PDFs using Type 4 fonts rendered with
    user fonts, due to error when destroying glyph page
    (fdo#103335).
  - Set default creation date for PDFs.
  - Prevent invalid ptr access for > 4GB images (fdo#98165).
  - Prevent self-copy infinite loop in Postscript surface.
  - Fix padded image crash in Postscript surface.
  - Fix annotation bugs in PDFs and related memory leaks.
  - Fix test failures and other assorted issues in ps and pdf
    code.
  - Fix code generation when using GCC legacy atomic operations
    (fdo#103559).
  - Fix various compilation warnings and errors.
  - Fix various distcheck errors with private symbols, doxygen
    formatting etc.
- Drop cairo-image-prevent-invalid-ptr-access.patch

==== corosync ====
Subpackages: libcmap4 libcorosync_common4

- totemudp[u]: Drop truncated packets on receive(bsc#1075300)
    Added: 0012-totemudp-u-Drop-truncated-packets-on-receive.patch
- issue with partial packets assembly when multiple nodes are sending big packets(bsc#1074929)
    Added: 0011-libcpg-Fix-issue-with-partial-big-packet-assembly.patch

==== deltarpm ====
Subpackages: python2-deltarpm

- Make python2 and python3 conditional to ensure we can build with
  python3 only

==== device-mapper ====
Subpackages: libdevmapper-event1_03 libdevmapper1_03 libdevmapper1_03-32bit

- lvmlockd: add lockopt values for skipping selected locks (fate#323203)
  + fate-323203_lvmlockd-add-lockopt-values-for-skipping-selected-lo.patch

==== evince ====
Version update (3.26.0 -> 3.26.0+20171120.3955d480)
Subpackages: evince-lang evince-plugin-comicsdocument evince-plugin-djvudocument evince-plugin-dvidocument evince-plugin-pdfdocument evince-plugin-psdocument evince-plugin-tiffdocument evince-plugin-xpsdocument libevdocument3-4 libevview3-3 nautilus-evince typelib-1_0-EvinceDocument-3_0 typelib-1_0-EvinceView-3_0

- Update to version 3.26.0+20171120.3955d480:
  + Updated translations.
- Switch to git-checkout via source service.
- Following the above, add gnome-common BuildRequires, pass
  autogen.sh and pass enable-gtk doc to configure, as we need to
  bootstrap the tarball.
- Clean up spec, use modern macros.
- Drop update-desktop-files BuildRequires and stop using
  suse_update_desktop macro, no longer needed.
- Drop obsolete conditionals for no longer supported versions of
  openSUSE.
- Avoid running fdupes across hardlink boundaries.

==== evolution ====
Version update (3.26.3 -> 3.26.4)
Subpackages: evolution-lang evolution-plugin-bogofilter evolution-plugin-pst-import evolution-plugin-spamassassin

- Update to version 3.26.4:
  + Bugs fixed: bgo#791291, bgo#791341, bgo#791346, bgo#791793.
  + Updated translations.

==== evolution-data-server ====
Version update (3.26.3 -> 3.26.4)
Subpackages: evolution-data-server-lang libcamel-1_2-60 libebackend-1_2-10 libebook-1_2-19 libebook-contacts-1_2-2 libecal-1_2-19 libedata-book-1_2-25 libedata-cal-1_2-28 libedataserver-1_2-22 libedataserverui-1_2-1

- Update to version 3.26.4:
  + Prevent passing NULL ldap handle into LDAP functions.
  + [Maildir]: Correct double free when the source message file
    doesn't exist.
  + Bugs fixed: bgo#791475, bgo#791282.

==== evolution-ews ====
Version update (3.26.3 -> 3.26.4)
Subpackages: evolution-ews-lang

- Update to version 3.26.4:
  + Bugs fixed: bgo#792190.

==== fftw3 ====
Subpackages: fftw3-devel libfftw3-3 libfftw3_threads3

- Disable the openmpi3 flavor in some products.
- Add gcc7 as additional compiler flavor for HPC on SLES.
- Fix library package requires - use HPC macro (boo#1074890).
- Add support for mpich and openmpi3 for HPC.

==== fluidsynth ====
Version update (1.1.8 -> 1.1.9)

- Update to version 1.1.9:
  * fix building the portaudio driver on Windows
  * fix build if no MIDI drivers are available
  * fix return value of fluid_file_set_encoding_quality()
  * fix use-after-free in fluid_timer
  * fix memory leak in pulseaudio driver
  * fix memory leak in rvoice_mixer
  * fix dumptuning shell command displaying uninitialized values
  * fix a resource leak in source shell command
  * harmonize fluidsynth's output library naming with autotools on Windows
  * dont set LIB_SUFFIX when building with MinGW
  * avoid a possible deadlock when initializing fluidsynths DLL on windows
  * avoid a buffer overrun when mixing effects channels in fluid_synth_nwrite_float()
  * correctly clean up fluid_server on Windows
  * implement handling of FLUID_SEQ_ALLSOUNDSOFF events in fluid_seq_fluidsynth_callback()
  * support for registering audio drivers based on actual needs

==== freerdp ====
Subpackages: libfreerdp2 libwinpr2

- Users can connect only once wo windows sessions due to
  [#]gh/FreeRDP/FreeRDP/4348
  Therefore WITH_GSSAPI has been disabled until that issue has been
  solved

==== gdk-pixbuf ====
Subpackages: gdk-pixbuf-devel gdk-pixbuf-lang gdk-pixbuf-query-loaders gdk-pixbuf-query-loaders-32bit gdk-pixbuf-thumbnailer libgdk_pixbuf-2_0-0 libgdk_pixbuf-2_0-0-32bit typelib-1_0-GdkPixbuf-2_0

- Add gdk-pixbuf-bgo779012-ico-overflow.patch: fix a potential
  integer overflow (boo#1027026 CVE-2017-6312).
- Add gdk-pixbuf-gif-negative-array-indexes.patch and
  gdk-pixbuf-gif-uninitialized-variable.patch: protect against
  access to negative array indexes (BGO#778584).
- Add gdk-pixbuf-tiff-overflow.patch: avoid overflow during size
  computation (bgo#779020).
- Add gdk-pixbuf-icns-handle-short-blocklen.patch: protect against
  short block length when reading icns (boo#1027024
  CVE-2017-6313).

==== gdm ====
Subpackages: gdm-lang gdmflexiserver libgdm1 typelib-1_0-Gdm-1_0

- Add gdm-nb-translations.patch: Update Norwegian Bokm�l
  translations.
- Drop gdmflexiserver Obsoletes from main package, we ship
  gdmflexiserver again, so this is not needed nor wanted.
- Do minor spec-cleanup, silence a couple of rpmlint warnings.
- Add gdm-not-run-with-bogus-DISPLAY-XAUTHORITY.patch: When run
  PreSession script, don't set DISPLAY and XAUTHORITY environment
  variable, avoiding environment variable equal (null)
  (bsc#1068016 bgo#792150).
- Remove gdm-ignore-SLE-CLASSIC-MODE.patch: SLE-Classic doesn't use
  environment variable SLE_CLASSIC_MODE anymore.

==== gimp ====
Subpackages: gimp-lang gimp-plugin-aa gimp-plugins-python libgimp-2_0-0 libgimpui-2_0-0

- Run spec-cleaner, modernize spec, drop Obsoletes for versions
  no longer supported.
- Don't build with webkit1, as it is no longer maintained and has
  plenty of security bugs.  This disables the GIMP's built-in help
  browser; it will use an external browser when configured this way.
  This works around a number of security vulnerabilities in Webkit1:
  https://bugzilla.suse.com/show_bug.cgi?id=923223
  https://bugzilla.suse.com/show_bug.cgi?id=906375
  https://bugzilla.suse.com/show_bug.cgi?id=906374
  https://bugzilla.suse.com/show_bug.cgi?id=906373
  https://bugzilla.suse.com/show_bug.cgi?id=1034856
  https://bugzilla.suse.com/show_bug.cgi?id=871792
  https://bugzilla.suse.com/show_bug.cgi?id=879607
  https://bugzilla.suse.com/show_bug.cgi?id=892084

==== gnome-font-viewer ====
Subpackages: gnome-font-viewer-lang

- Add gfv-handle-ttf-otf-mime-types.patch: Handle new font/ttf and
  font/otf mime types (bgo#788383).
- Add gfv-update-nb-translations.patch: Update Norwegian Bokm�l
  translations.

==== gnome-shell ====
Version update (3.26.2 -> 3.26.2+20171218.15b1810a6)
Subpackages: gnome-shell-browser-plugin gnome-shell-calendar gnome-shell-lang

- Add gnome-shell-network-fix-visibility-VPN.patch: network: Fix
  visibility of VPN section (bgo#787845).
- Own directories
  {_datadir}/gnome-shell/extensions|search-providers|modes again,
  seems a lot of packages depended on this beeing true.
- Update to version 3.26.2+20171218.15b1810a6:
  + background: don't leak wall clock when background changes.
  + dateMenu:
  - Fix possible crash with unknown locations.
  - Ignore malformed world-clocks settings.
  + dash:
  - Do not shadow ClutterActor's destroy().
  - Make sure item labels are only destroyed once.
  + status/keyboard: Reset menuItems and Label objects on change.
  + overview: Protect ::drag-end handlers.
  + Updated translations.
- Switch to git-checkout via source services.
- Pass enable-browser-plugin=true, enable-documentation=true,
  enable-man=true, enable-networkmanager=yes and
  enable-systemd=yes to meson, ensure we build the features we
  want.
- Following the above, add gtk-doc BuildRequires and build
  documentation again.
- Run spec-cleaner, modernize spec.
- Drop update-desktop-files BuildRequires and stop using the
  suse_update_desktop_file macro.
- Drop conditional libaccountsservice0, libcaribou0 and
  libgdmgreeter1 Requires needed for no longer supported versions
  of openSUSE.
- Add fdupes BuildRequires and pass fdupes macro, remove duplicate
  files.
- Drop gnome-shell-wayland Obsoletes: No currently supported
  version of openSUSE have ever had this binary, so this is no
  longer needed.
- Stop exporting BROWSER_PLUGIN_DIR=%%{_libdir}/browser-plugins,
  does not work as we are using meson buildsystem.

==== gnome-software ====
Version update (3.26.3 -> 3.26.4)
Subpackages: gnome-software-lang

- Update to version 3.26.4:
  + Fix crashes in the repos plugin due to missing locking.
  + Work around Firefox deleting rpm/deb files downloaded to /tmp
    when closing.
  + Do not require the user to keep clicking 'More reviews' after
    each click.
  + Fix a critical when updating (flatpak) packages live.
  + fwupd: Prepend the vendor name to the device name if not
    included.
  + Improve SPDX ID parsing when working out if it is 'free'.
  + packagekit: Do not crash when getting an invalid ID from
    PackageKit.
  + Do not crash when closing the source dialog while it is
    loading.
  + Updated translations.
- Drop gs-add-locking-to-the-repos-plugin.patch: Fixed upstream.

==== gpgme ====
Subpackages: libgpgme-devel libgpgme11 libgpgmepp6 libqgpgme7

- Tweak up the python conditional to allow us finegraining and
  selecting only py2 or py3 if needed

==== gstreamer-plugins-base ====
Subpackages: gstreamer-plugins-base-lang libgstallocators-1_0-0 libgstapp-1_0-0 libgstaudio-1_0-0 libgstfft-1_0-0 libgstpbutils-1_0-0 libgstriff-1_0-0 libgstrtp-1_0-0 libgstrtsp-1_0-0 libgstsdp-1_0-0 libgsttag-1_0-0 libgstvideo-1_0-0 typelib-1_0-GstAudio-1_0 typelib-1_0-GstPbutils-1_0 typelib-1_0-GstTag-1_0 typelib-1_0-GstVideo-1_0

- Add gst-pb-playbin3-fix-accessing-invalid-index.patch: playbin3:
  Fix accessing invalid index in GstStream when received
  select-stream event (bgo#791638).
- Clean up spec with spec-cleaner.

==== gtk2 ====
Version update (2.24.31+20171209.61d5c82f5c -> 2.24.32)
Subpackages: gtk2-data gtk2-devel gtk2-immodule-amharic gtk2-immodule-inuktitut gtk2-immodule-thai gtk2-immodule-vietnamese gtk2-immodule-xim gtk2-lang gtk2-tools gtk2-tools-32bit libgtk-2_0-0 libgtk-2_0-0-32bit typelib-1_0-Gtk-2_0

- Update to version 2.24.32:
  + Fix abicheck.
- Use the release version as revision and set versionformat to
  PARENT_TAG, ensure we build the upstream released tag.

==== gutenprint ====
Version update (5.2.13 -> 5.2.13pre14.2)

- Version upgrade to 5.2.13pre14.2 which is the
  second pre-release of Gutenprint 5.2.14.
  Major changes in this release (compared to 5.2.12):
  * The PCL driver now supports color laser printers
    that use PCL 5c natively (as opposed to emulation).
    The support is considered to be preliminary at this time.
    Tons of PCL printers have been added with color support.
    Please report success or failure with PCL color laser printers
    using the Generic PCL Color drivers.
    Based on feedback from this pre-release, some or all of these
    printers may be removed from the list prior to 5.2.14 release.
  * Support for the Brother HL-2030 and HL-2035 has been removed
    because these printers do not support standard PCL.
  * A crash that affected certain dyesub printers when used with
    simplified PPD files has been fixed.
  * Enhanced support for some dye-sublimation printers.
  For details see the NEWS file.

==== harfbuzz ====
Subpackages: harfbuzz-devel libharfbuzz-icu0 libharfbuzz0 libharfbuzz0-32bit

- harfbuzz-devel hb-ft.h requires pkgconfig(freetype2) but it is
  not automatically added by the dependency generator.

==== hdf5 ====
Subpackages: libhdf5-101 libhdf5_hl100

- Disable the openmpi3 flavor in some products.
- Switch from gcc6 to gcc7 as additional compiler flavor for HPC on SLES.
- Add support for mpich and openmpi3 for HPC.

==== hwinfo ====
Version update (21.50 -> 21.51)
Subpackages: hwinfo-devel

- merge gh#openSUSE/hwinfo#55
- Please make CDBISDN_DATE ignore timezone.
- 21.51

==== hyper-v ====

- update buffer handling in hv_fcopy_daemon
- remove unnecessary header files and netlink related code
- Avoid reading past allocated blocks from KVP file
- fix snprintf warning in kvp_daemon
- properly handle long paths
- kvp: configurable external scripts path
- vss: Thaw the filesystem and continue if freeze call has timed out
- vss: Skip freezing filesystems backed by loop

==== iputils ====
Subpackages: rarpd

- Backport iputils-ping-fix-pmtu-for-ipv6.patch from upstream
  to fix PMTU discovery in ping6. (bsc#1072460)

==== ispell ====
Subpackages: ispell-american ispell-british

- Avoid `set -e' in munchlist (boo#1075882)

==== k3b ====
Version update (17.12.0 -> 17.12.1)
Subpackages: k3b-lang

- Update to 17.12.1
  * New bugfix release
  * For more details please see:
  * https://www.kde.org/announcements/announce-applications-17.12.1.php
- Changes since 17.12.0:
  * Revert "Fix Settings dialog resizes itself issue"
- Add fix-build-with-older-kio.patch to make it build again on
  standard Leap 42.x.

==== kdump ====

- Add kdump-fillupdir-fixes.patch and correct specfile to build
  with new fillupdir location
- Replace references to /var/adm/fillup-templates with new
  %_fillupdir macro (boo#1069468)

==== kernel-source ====
Version update (4.14.12 -> 4.14.13)
Subpackages: kernel-default kernel-default-devel kernel-devel kernel-docs kernel-macros kernel-syms

- Linux 4.14.13 (bnc#1012628).
- x86/mm: Set MODULES_END to 0xffffffffff000000 (bnc#1012628).
- x86/mm: Map cpu_entry_area at the same place on 4/5 level
  (bnc#1012628).
- x86/kaslr: Fix the vaddr_end mess (bnc#1012628).
- x86/events/intel/ds: Use the proper cache flush method for
  mapping ds buffers (bnc#1012628).
- x86/tlb: Drop the _GPL from the cpu_tlbstate export
  (bnc#1012628).
- x86/alternatives: Add missing '\n' at end of ALTERNATIVE inline
  asm (bnc#1012628).
- x86/pti: Rename BUG_CPU_INSECURE to BUG_CPU_MELTDOWN
  (bnc#1012628).
- kernel/acct.c: fix the acct->needcheck check in
  check_free_space() (bnc#1012628).
- mm/mprotect: add a cond_resched() inside change_pmd_range()
  (bnc#1012628).
- mm/sparse.c: wrong allocation for mem_section (bnc#1012628).
- userfaultfd: clear the vma->vm_userfaultfd_ctx if
  UFFD_EVENT_FORK fails (bnc#1012628).
- btrfs: fix refcount_t usage when deleting btrfs_delayed_nodes
  (bnc#1012628).
- efi/capsule-loader: Reinstate virtual capsule mapping
  (bnc#1012628).
- crypto: n2 - cure use after free (bnc#1012628).
- crypto: chacha20poly1305 - validate the digest size
  (bnc#1012628).
- crypto: pcrypt - fix freeing pcrypt instances (bnc#1012628).
- crypto: chelsio - select CRYPTO_GF128MUL (bnc#1012628).
- drm/i915: Disable DC states around GMBUS on GLK (bnc#1012628).
- drm/i915: Apply Display WA #1183 on skl, kbl, and cfl
  (bnc#1012628).
- sunxi-rsb: Include OF based modalias in device uevent
  (bnc#1012628).
- fscache: Fix the default for fscache_maybe_release_page()
  (bnc#1012628).
- x86 / CPU: Avoid unnecessary IPIs in arch_freq_get_on_cpu()
  (bnc#1012628).
- x86 / CPU: Always show current CPU frequency in /proc/cpuinfo
  (bnc#1012628).
- kernel/signal.c: protect the traced SIGNAL_UNKILLABLE tasks
  from SIGKILL (bnc#1012628).
- kernel/signal.c: protect the SIGNAL_UNKILLABLE tasks from
  !sig_kernel_only() signals (bnc#1012628).
- kernel/signal.c: remove the no longer needed SIGNAL_UNKILLABLE
  check in complete_signal() (bnc#1012628).
- iommu/arm-smmu-v3: Don't free page table ops twice
  (bnc#1012628).
- iommu/arm-smmu-v3: Cope with duplicated Stream IDs
  (bnc#1012628).
- ARC: uaccess: dont use "l" gcc inline asm constraint modifier
  (bnc#1012628).
- powerpc/mm: Fix SEGV on mapped region to return SEGV_ACCERR
  (bnc#1012628).
- Input: elantech - add new icbody type 15 (bnc#1012628).
- apparmor: fix regression in mount mediation when feature set
  is pinned (bnc#1012628).
- parisc: Fix alignment of pa_tlb_lock in assembly on 32-bit
  SMP kernel (bnc#1012628).
- parisc: qemu idle sleep support (bnc#1012628).
- mtd: nand: pxa3xx: Fix READOOB implementation (bnc#1012628).
- KVM: s390: fix cmma migration for multiple memory slots
  (bnc#1012628).
- KVM: s390: prevent buffer overrun on memory hotplug during
  migration (bnc#1012628).
- commit bd444a0
- Refresh
  patches.suse/0007-x86-enter-Use-IBRS-on-syscall-and-interrupts.patch.
- Refresh
  patches.suse/0013-x86-entry-Stuff-RSB-for-entry-to-kernel-for-non-SMEP.patch.
- Refresh
  patches.suse/0015-x86-syscall-Clear-unused-extra-registers-on-32-bit-c.patch.
  Fix double fault in 32bit binaries (bnc#1074869, bnc#1074918,
  bnc#1074920, bnc#1074921, bnc#1075018, bnc#1075034)
- commit f4b3cf0
- rpm/constraints.in: lower kernel-syzkaller's mem requirements
  OBS now reports that it needs only around 2G, so lower the limit to
  8G, so that more compliant workers can be used.
- commit 7637ae2

==== kio ====
Subpackages: kio-core kio-devel kio-lang

- Add patch to fix layout of icons in the file dialog (kde#352776):
  * 0001-Fix-KFilePreviewGenerator-LayoutBlocker.patch

==== krita ====
Version update (3.3.2.1 -> 3.3.3)
Subpackages: krita-lang

- Update to 3.3.3:
  * See https://krita.org/en/item/krita-3-3-3/
  * Fix an issue where it would not be possible to select certain
    blending modes when the current layer is grayscale but the
    image is rgb.
  * Set the OS and platform when reporting a bug from within Krita
    on Windows.
  * Make it possible to enter color values as percentage in the
    specific color selector
  * Add OpenGL warnings and make ANGLE default on Intel GPUs
  * Add an Invert button to the levels filter
  * Implement loading and saving of styles for group layers to and
    from PSD
  * Fix the erase mode not showing correctly when returning to the
    brush tool
  * Save the visibility of individual assistants in .kra files
  * Add an option to draw ruler tips as a power of 2
  * Disable autoscroll on move and transform tools
  * Improve handling of native mouse events when using a pen and
    the Windows Ink API
  * Fix the focal point for the pinch zoom gesture
  * Fix loading netpbm files with comment

==== krusader ====
Subpackages: kio_iso

- Add Panel-fixed-actions-in-PanelContextMenu-ignored.patch to fix
  the "Create New" context menu not working when the '..' entry is
  selected (boo#1075690, kde#383544)

==== ldns ====
Subpackages: libldns2

- Switch directly to python3 in order for us to proceed with py2
  obsoletion for future releases
  * Upstream sadly can build only against one of the two

==== libdrm ====
Version update (2.4.88 -> 2.4.89)
Subpackages: libdrm-devel libdrm2 libdrm_amdgpu1 libdrm_intel1 libdrm_nouveau2 libdrm_radeon1

- U_intel-Add-more-Coffeelake-PCI-IDs.patch
  * Add more Coffeelake PCI IDs (request by Intel)
- Update to version 2.4.89:
  libdrm release with leasing and syncobj api updates, updated amdgpu marketing
  ids, amdgpu tests, updated uapi headers & etnaviv updates.

==== libe-book ====
Version update (0.1.2 -> 0.1.3)

- Cure linguistic problem in descriptions.
- Update to 0.1.3:
  * Fix various problems when reading broken files, found with the help of
    american-fuzzy-lop and oss-fuzz.
  * Fix build with boost >= 1.59.
  * Set default page margins. (tdf#94162)
  * Make output of ebook2* --help more compatible with help2man.
  * Check for librevenge-stream if tests are enabled. (gentoo#603098)
  * Require C++11 for build.
  * Drop outdated MSVC project files.
  * Fix several issues found by Coverity.
  * FictionBook v.2:
  * Use document language as default language for text.
  * Use note title as footnote mark.
  * Handle subscript and superscript.
  * Output content of <code> in monospace font.

==== libepoxy ====

- -devel package requires pkgconfig(x11), pkgconfig(egl)
  but those deps are not generated automatically.

==== libglvnd ====
Subpackages: libglvnd-32bit libglvnd-devel

- Make sure to use only python3 for the build and do not rely
  on env calls for python

==== libmediaart ====
Subpackages: libmediaart-2_0-0 typelib-1_0-MediaArt-2_0

- Add meson-Introspection-fix.patch: The meson build did not add
  the extractdummy.c to the sources, which contains introspection
  annotations (bgo#792272, bgo#791586).

==== libpagemaker ====
Version update (0.0.3 -> 0.0.4)

- Cure linguistic problem in descriptions.
- Update to 0.0.4:
  * Add a command line tool for conversion to plain text, called pmd2text.
  * Require C++11 for build.
  * Drop outdated MSVC project files.
  * Fix parsing of page dimensions and shape coordinates in Mac documents.
    That makes the output at least somewhat useful, but more work is needed
    to handle big endian files properly.
  * Fix parsing of color tint in Mac documents. (tdf#109126)
  * Fix parsing of text formatting attributes in Mac documents.
  * Properly handle all caps and small caps.
  * Parse more text formatting attributes.
  * Parse more paragraph attributes.

==== libpeas ====
Subpackages: libpeas-1_0-0 libpeas-gtk-1_0-0 libpeas-lang libpeas-loader-python libpeas-loader-python3 typelib-1_0-Peas-1_0 typelib-1_0-PeasGtk-1_0

- Use make_build macro.
- Avoid running fdupes across hardlink boundaries.
- Update URL to reflect current web, old was 404.
- Run spec-cleaner.
- Fix typo on parallel build command call.
- Conditionalize py2 and py3 build to allow us building of the
  one we desire based on codestream.

==== libpwquality ====
Version update (1.3.0 -> 1.4.0)
Subpackages: libpwquality-lang libpwquality1

- Update RPM groups and summaries.
- Switch url to https://github.com/libpwquality/libpwquality/
- Update to release 1.4.0:
  * Fix possible buffer overflow with data from /dev/urandom
    in pwquality_generate().
  * Do not try to check presence of too short username in password.
    (thanks to Nikos Mavrogiannopoulos)
  * Make the user name check optional (via usercheck option).
  * Add an 'enforcing' option to make the checks to be warning-only
    in PAM.
  * The difok = 0 setting will disable all old password similarity
    checks except new and old passwords being identical.
  * Updated translations from Zanata.
- Add patch libpwquality-pythons.patch to avoid duping pythondir
- Make python3 default and enable py2 only when needed

==== libqt5-qtwebengine ====

- Also work around crashes on wayland by disabling the GPU by default (boo#1060990):
  * disable-gpu-when-using-nouveau-boo-1005323.diff

==== libqt5-qtwebsockets ====
Subpackages: libQt5WebSockets5 libQt5WebSockets5-imports libqt5-qtwebsockets-devel

- fix Typo

==== librsvg ====
Version update (2.40.20 -> 2.42.0)
Subpackages: gdk-pixbuf-loader-rsvg librsvg-2-2 rsvg-thumbnailer typelib-1_0-Rsvg-2_0

- Update to version 2.42.0:
  + Fix a memory leak in rsvg_handle_new_from_file().
  + Optimize the xml:space normalization function.
  + Fix a runtime warning in the feMergeNode code
    (glgo#GNOME/librsvg#179).
  + Clarify documentation about the rsvg_*_sub() APIs
    (glgo#GNOME/librsvg#175).
  + Stylistic fixes from cargo-clippy.
  + Port the Pango glue code to Rust.
  + New ARCHITECTURE.md with a description of librsvg's internals.
- Clean up spec, use autosetup macro.

==== libsamplerate ====
Subpackages: libsamplerate-devel libsamplerate0

- Add libsamplerate-0.1.9-reproducible.patch to disable throughput
  test to make builds reproducible in spite of Profile Guided Optimizations

==== libteam ====

- Drop /pkg/ subpart from includedir
- Remove defattr that is not really needed
- Add condition around python bindings, they are really based on
  swig code that would need to be rewritten to support python3

==== libvirt ====
Subpackages: libvirt-client libvirt-daemon libvirt-daemon-config-network libvirt-daemon-config-nwfilter libvirt-daemon-driver-interface libvirt-daemon-driver-libxl libvirt-daemon-driver-lxc libvirt-daemon-driver-network libvirt-daemon-driver-nodedev libvirt-daemon-driver-nwfilter libvirt-daemon-driver-qemu libvirt-daemon-driver-secret libvirt-daemon-driver-storage libvirt-daemon-driver-storage-core libvirt-daemon-driver-storage-disk libvirt-daemon-driver-storage-iscsi libvirt-daemon-driver-storage-logical libvirt-daemon-driver-storage-mpath libvirt-daemon-driver-storage-rbd libvirt-daemon-driver-storage-scsi libvirt-daemon-driver-uml libvirt-daemon-driver-vbox libvirt-daemon-lxc libvirt-daemon-qemu libvirt-daemon-xen libvirt-libs

- Add a qemu hook script providing functionality similar to Xen's
  block-dmmd script
  suse-qemu-domain-hook.py
  FATE#324177

==== libxcb ====
Subpackages: libxcb-render0-32bit libxcb-shm0-32bit libxcb1-32bit

- Enable xinput extension. (bnc#1074249)
- U_add-support-for-eventstruct.patch
  * Update xinput to the state when it was enabled by default
    upstream.
- n_If-auth-with-credentials-for-hostname-fails-retry-with-XAUTHLOCALHOSTNAME.patch
  * Prevent infinite loop also in case DISPLAY is non-local.
- Use spaces instead of tabs in the patches (as does the original
  source code) to avoid confusion.
- n_If-auth-with-credentials-for-hostname-fails-retry-with-XAUTHLOCALHOSTNAME.patch
  * If authentication (with *stage == 0) failed and the variable
    XAUTHLOCALHOSTNAME wasn't set, we were never getting to stage 2
    in the original patch, causing calls to xcb_connect_to_display
    to be stuck in an infinite loop.
    Now we also go to stage 2 if the variable isn't set.

==== libzio ====
Version update (1.05 -> 1.06)

- Add changes from Jerrell Watts which has kindly provided
  his changes for lzma/xz support with large I/O buffers

==== llvm ====

- Add missing %files for lld.

==== logrotate ====
Version update (3.12.3 -> 3.13.0)

- Version update to 3.13.0:
  * make distribution tarballs report logrotate version properly
  * make (un)compress work even if stdin and/or stdout are closed (#154)
  * remove -s from DEFAULT_MAIL_COMMAND and improve its documenation (#152)
  * uncompress logs before mailing them even if delaycompress is enabled (#151)
  * handle unlink of a non-existing log file as a warning only (#144)
  * include compile-time options in the output of logrotate --version (#145)
  * make logrotate --version print to stdout instead of stderr (#145)
  * flush write buffers before syncing state file (#148)
  * specify (un)compress utility explicitly in tests (#137)
  * enable running tests in parallel (#132)
  * explicitly map root UID/GID to 0 on Cygwin (#133)
  * add .dpkg-bak and .dpkg-del to default tabooext list (#134)

==== lvm2 ====
Subpackages: liblvm2app2_2 liblvm2cmd2_02

- lvmlockd: add lockopt values for skipping selected locks (fate#323203)
  + fate-323203_lvmlockd-add-lockopt-values-for-skipping-selected-lo.patch

==== makedumpfile ====

- makedumpfile-__cpu_online_mask-symbol.patch: Support symbol
  __cpu_online_mask (FATE#323473, bsc#1070291).
- makedumpfile-vtop4_x86_64_pagetable.patch: Introduce
  vtop4_x86_64_pagetable (FATE#323473, bsc#1070291).
- makedumpfile-fix-KASLR-for-sadump.patch: Fix a KASLR problem of
  sadump (FATE#323473, bsc#1070291).
- makedumpfile-fix-KASLR-for-sadump-while-kdump.patch: sadump: Fix
  a KASLR problem of sadump while kdump is working (FATE#323473,
  bsc#1070291).

==== mdadm ====

- 0208-mdadm-grow-correct-the-s-size-1-to-make-max-work.patch
  (bsc#1074949)

==== mjpegtools ====
Subpackages: libmjpegutils-2_0-0

- Add conditional post(un) handling for libmpeg2encpp-2_0-0.

==== mutter ====
Version update (3.26.2 -> 3.26.2+20171231.0bd1d7cf0)
Subpackages: libmutter-1-0 mutter-data mutter-lang

- Update to version 3.26.2+20171231.0bd1d7cf0:
  + Revert "window: Raise and lower tile match in tandem".
  + wayland: Only send full sequences of touch events to clients.
  + stage: Push framebuffer before setting up viewport.
  + keybindings: Only add multiple keycodes from the same level.
  + wayland-outputs: Delay wl_output destruction.
  + monitor-manager-kms:
  - Fix recently introduced build issue.
  - poll() on KMS fd on EAGAIN.
  + compositor: reset top_window_actor and remove it from windows
    when destroyed.
  + monitor-manager: Compare keys when checking whether a config is
    complete.
  + Updated translations.
- Switch to git-checkout via source services.
- Following the above, add intltool and libtool BuildRequires and
  pass autogen.sh to bootstrap the generated tarball.
- Pkgconfigy the BuildRequires, replace:
  gobject-introspection-devel, libSM-devel, libX11-devel and
  libXinerama-devel with pkgconfig(gobject-introspection-1.0),
  pkgconfig(sm), pkgconfig(x11) and pkgconfig(xinerama).
- Drop update-desktop-files BuildRequires and stop using
  suse_update_desktop_file macro, no longer needed.
- Drop pkgconfig(gbm) BuildRequires listed twice.
- Run spec-cleaner, modernize spec, use make_build macro.

==== nbd ====
Version update (3.16.1 -> 3.16.2)

- Update to version 1.16.2:
  * Make the test suite less chatty
  * Various build system improvements
  * Fixes to the systemd unit to make it work again with recent
    systemd
  * Point to the nbd mailinglist, rather than to the maintainer's
    personal email address, for bug reports.

==== newt ====

- Build without py2 if needed
- Fix upstream url

==== nghttp2 ====
Version update (1.28.0 -> 1.29.0)

- Update to version 1.29.0:
  * lib: Use NGHTTP2_REFUSED_STREAM for streams which are closed by
    GOAWAY
  * build: Remove SPDY
  * build: Fix CMAKE_MODULE_PATH
  * nghttpx: Revert "nghttpx: Use an existing h2 backend connection
    as much as possible"
  * nghttpx: Write API request body in temporary file
  * nghttpx: Increase api-max-request-body
  * nghttpx: Faster configuration loading with lots of backends
  * nghttpx: Fix crash with --backend-http-proxy-uri option

==== ntp ====
Subpackages: ntp-doc

- Add ntp-reproducible.patch to make build reproducible (boo#1047218)
- Restart nptd if failed or aborted (FATE#315133).
- Do not try to set the HW clock when adding a server at runtime
  to avoid blocking systemd.

==== numactl ====
Subpackages: libnuma1

- Disable building at 32-bit ARM.
  NUMA is not supported by 32-bit ARM Linux Kernel, so build failed
  with
  [#]error "Add syscalls for your architecture or update kernel headers"

==== openblas_pthreads ====

- Switch from gcc6 to gcc7 as additional compiler flavor for HPC on SLES.
- Fix library package requires - use HPC macro (boo#1074890).
- Fix unexpanded rpm macro in environment module file for HPC (boo#1074897).

==== opencv ====
Subpackages: libopencv3_3 opencv-devel

- Add conditionals for python2 and python3 to allow us enabling
  only desired python variants when needed
- Do not depend on sphinx as py2 and py3 seem to collide there

==== openssh ====
Version update (7.2p2 -> 7.6p1)
Subpackages: openssh-helpers

- Replace forgotten references to /var/adm/fillup-templates
  with new %_fillupdir macro (boo#1069468)
- tighten configuration access rights
- Update to vanilla 7.6p1
  Most important changes (more details below):
  * complete removal of the ancient SSHv1 protocol
  * sshd(8) cannot run without privilege separation
  * removal of suport for arcfourm blowfish and CAST ciphers
    and RIPE-MD160 HMAC
  * refuse RSA keys shorter than 1024 bits
  Distilled upstream log:
- OpenSSH 7.3
  - --- Security
  * sshd(8): Mitigate a potential denial-of-service attack
    against the system's crypt(3) function via sshd(8). An
    attacker could send very long passwords that would cause
    excessive CPU use in crypt(3). sshd(8) now refuses to accept
    password authentication requests of length greater than 1024
    characters. Independently reported by Tomas Kuthan (Oracle),
    Andres Rojas and Javier Nieto.
  * sshd(8): Mitigate timing differences in password
    authentication that could be used to discern valid from
    invalid account names when long passwords were sent and
    particular password hashing algorithms are in use on the
    server. CVE-2016-6210, reported by EddieEzra.Harari at
    verint.com
  * ssh(1), sshd(8): Fix observable timing weakness in the CBC
    padding oracle countermeasures. Reported by Jean Paul
    Degabriele, Kenny Paterson, Torben Hansen and Martin
    Albrecht. Note that CBC ciphers are disabled by default and
    only included for legacy compatibility.
  * ssh(1), sshd(8): Improve operation ordering of MAC
    verification for Encrypt-then-MAC (EtM) mode transport MAC
    algorithms to verify the MAC before decrypting any
    ciphertext. This removes the possibility of timing
    differences leaking facts about the plaintext, though no such
    leakage has been observed.  Reported by Jean Paul Degabriele,
    Kenny Paterson, Torben Hansen and Martin Albrecht.
  * sshd(8): (portable only) Ignore PAM environment vars when
    UseLogin=yes. If PAM is configured to read user-specified
    environment variables and UseLogin=yes in sshd_config, then a
    hostile local user may attack /bin/login via LD_PRELOAD or
    similar environment variables set via PAM. CVE-2015-8325,
    found by Shayan Sadigh.
  - --- New Features
  * ssh(1): Add a ProxyJump option and corresponding -J
    command-line flag to allow simplified indirection through a
    one or more SSH bastions or "jump hosts".
  * ssh(1): Add an IdentityAgent option to allow specifying
    specific agent sockets instead of accepting one from the
    environment.
  * ssh(1): Allow ExitOnForwardFailure and ClearAllForwardings to
    be optionally overridden when using ssh -W. bz#2577
  * ssh(1), sshd(8): Implement support for the IUTF8 terminal
    mode as per draft-sgtatham-secsh-iutf8-00.
  * ssh(1), sshd(8): Add support for additional fixed
    Diffie-Hellman 2K, 4K and 8K groups from
    draft-ietf-curdle-ssh-kex-sha2-03.
  * ssh-keygen(1), ssh(1), sshd(8): support SHA256 and SHA512 RSA
    signatures in certificates;
  * ssh(1): Add an Include directive for ssh_config(5) files.
  * ssh(1): Permit UTF-8 characters in pre-authentication banners
    sent from the server. bz#2058
  - --- Bugfixes
  * ssh(1), sshd(8): Reduce the syslog level of some relatively
    common protocol events from LOG_CRIT. bz#2585
  * sshd(8): Refuse AuthenticationMethods="" in configurations
    and accept AuthenticationMethods=any for the default
    behaviour of not requiring multiple authentication. bz#2398
  * sshd(8): Remove obsolete and misleading "POSSIBLE BREAK-IN
    ATTEMPT!" message when forward and reverse DNS don't match.
    bz#2585
  * ssh(1): Close ControlPersist background process stderr except
    in debug mode or when logging to syslog. bz#1988
  * misc: Make PROTOCOL description for
    direct-streamlocal@openssh.com channel open messages match
    deployed code. bz#2529
  * ssh(1): Deduplicate LocalForward and RemoteForward entries to
    fix failures when both ExitOnForwardFailure and hostname
    canonicalisation are enabled. bz#2562
  * sshd(8): Remove fallback from moduli to obsolete "primes"
    file that was deprecated in 2001. bz#2559.
  * sshd_config(5): Correct description of UseDNS: it affects ssh
    hostname processing for authorized_keys, not known_hosts;
    bz#2554
  * ssh(1): Fix authentication using lone certificate keys in an
    agent without corresponding private keys on the filesystem.
    bz#2550
  * sshd(8): Send ClientAliveInterval pings when a time-based
    RekeyLimit is set; previously keepalive packets were not
    being sent. bz#2252
  - --- Portability
  * ssh(1), sshd(8): Fix compilation by automatically disabling
    ciphers not supported by OpenSSL. bz#2466
  * misc: Fix compilation failures on some versions of AIX's
    compiler related to the definition of the VA_COPY macro.
    bz#2589
  * sshd(8): Whitelist more architectures to enable the
    seccomp-bpf sandbox. bz#2590
  * ssh-agent(1), sftp-server(8): Disable process tracing on
    Solaris using setpflags(__PROC_PROTECT, ...). bz#2584
  * sshd(8): On Solaris, don't call Solaris setproject() with
    UsePAM=yes it's PAM's responsibility. bz#2425
- OpenSSH 7.4
  - --- Potentially-incompatible changes
  * ssh(1): Remove 3des-cbc from the client's default proposal.
    64-bit block ciphers are not safe in 2016 and we don't want
    to wait until attacks like SWEET32 are extended to SSH. As
    3des-cbc was the only mandatory cipher in the SSH RFCs, this
    may cause problems connecting to older devices using the
    default configuration, but it's highly likely that such
    devices already need explicit configuration for key exchange
    and hostkey algorithms already anyway.
  * sshd(8): Remove support for pre-authentication compression.
    Doing compression early in the protocol probably seemed
    reasonable in the 1990s, but today it's clearly a bad idea in
    terms of both cryptography (cf. multiple compression oracle
    attacks in TLS) and attack surface. Pre-auth compression
    support has been disabled by default for >10 years. Support
    remains in the client.
  * ssh-agent will refuse to load PKCS#11 modules outside a
    whitelist of trusted paths by default. The path whitelist may
    be specified at run-time.
  * sshd(8): When a forced-command appears in both a certificate
    and an authorized keys/principals command= restriction, sshd
    will now refuse to accept the certificate unless they are
    identical.  The previous (documented) behaviour of having the
    certificate forced-command override the other could be a bit
    confusing and error-prone.
  * sshd(8): Remove the UseLogin configuration directive and
    support for having /bin/login manage login sessions.
  - --- Security
  * ssh-agent(1): Will now refuse to load PKCS#11 modules from
    paths outside a trusted whitelist (run-time configurable).
    Requests to load modules could be passed via agent forwarding
    and an attacker could attempt to load a hostile PKCS#11
    module across the forwarded agent channel: PKCS#11 modules
    are shared libraries, so this would result in code execution
    on the system running the ssh-agent if the attacker has
    control of the forwarded agent-socket (on the host running
    the sshd server) and the ability to write to the filesystem
    of the host running ssh-agent (usually the host running the
    ssh client). Reported by Jann Horn of Project Zero.
  * sshd(8): When privilege separation is disabled, forwarded
    Unix- domain sockets would be created by sshd(8) with the
    privileges of 'root' instead of the authenticated user. This
    release refuses Unix-domain socket forwarding when privilege
    separation is disabled (Privilege separation has been enabled
    by default for 14 years).  Reported by Jann Horn of Project
    Zero.
  * sshd(8): Avoid theoretical leak of host private key material
    to privilege-separated child processes via realloc() when
    reading keys. No such leak was observed in practice for
    normal-sized keys, nor does a leak to the child processes
    directly expose key material to unprivileged users. Reported
    by Jann Horn of Project Zero.
  * sshd(8): The shared memory manager used by pre-authentication
    compression support had a bounds checks that could be elided
    by some optimising compilers. Additionally, this memory
    manager was incorrectly accessible when pre-authentication
    compression was disabled. This could potentially allow
    attacks against the privileged monitor process from the
    sandboxed privilege-separation process (a compromise of the
    latter would be required first).  This release removes
    support for pre-authentication compression from sshd(8).
    Reported by Guido Vranken using the Stack unstable
    optimisation identification tool
    (http://css.csail.mit.edu/stack/)
  * sshd(8): Fix denial-of-service condition where an attacker
    who sends multiple KEXINIT messages may consume up to 128MB
    per connection. Reported by Shi Lei of Gear Team, Qihoo 360.
  * sshd(8): Validate address ranges for AllowUser and DenyUsers
    directives at configuration load time and refuse to accept
    invalid ones. It was previously possible to specify invalid
    CIDR address ranges (e.g. user@127.1.2.3/55) and these would
    always match, possibly resulting in granting access where it
    was not intended.  Reported by Laurence Parry.
  - --- New Features
  * ssh(1): Add a proxy multiplexing mode to ssh(1) inspired by
    the version in PuTTY by Simon Tatham. This allows a
    multiplexing client to communicate with the master process
    using a subset of the SSH packet and channels protocol over a
    Unix-domain socket, with the main process acting as a proxy
    that translates channel IDs, etc.  This allows multiplexing
    mode to run on systems that lack file- descriptor passing
    (used by current multiplexing code) and potentially, in
    conjunction with Unix-domain socket forwarding, with the
    client and multiplexing master process on different machines.
    Multiplexing proxy mode may be invoked using "ssh -O proxy
    ..."
  * sshd(8): Add a sshd_config DisableForwarding option that
    disables X11, agent, TCP, tunnel and Unix domain socket
    forwarding, as well as anything else we might implement in
    the future. Like the 'restrict' authorized_keys flag, this is
    intended to be a simple and future-proof way of restricting
    an account.
  * sshd(8), ssh(1): Support the "curve25519-sha256" key exchange
    method. This is identical to the currently-supported method
    named "curve25519-sha256@libssh.org".
  * sshd(8): Improve handling of SIGHUP by checking to see if
    sshd is already daemonised at startup and skipping the call
    to daemon(3) if it is. This ensures that a SIGHUP restart of
    sshd(8) will retain the same process-ID as the initial
    execution. sshd(8) will also now unlink the PidFile prior to
    SIGHUP restart and re-create it after a successful restart,
    rather than leaving a stale file in the case of a
    configuration error. bz#2641
  * sshd(8): Allow ClientAliveInterval and ClientAliveCountMax
    directives to appear in sshd_config Match blocks.
  * sshd(8): Add %-escapes to AuthorizedPrincipalsCommand to
    match those supported by AuthorizedKeysCommand (key, key
    type, fingerprint, etc.) and a few more to provide access to
    the contents of the certificate being offered.
  * Added regression tests for string matching, address matching
    and string sanitisation functions.
  * Improved the key exchange fuzzer harness.
  - --- Bugfixes
  * ssh(1): Allow IdentityFile to successfully load and use
    certificates that have no corresponding bare public key.
    bz#2617 certificate id_rsa-cert.pub (and no id_rsa.pub).
  * ssh(1): Fix public key authentication when multiple
    authentication is in use and publickey is not just the first
    method attempted. bz#2642
  * regress: Allow the PuTTY interop tests to run unattended.
    bz#2639
  * ssh-agent(1), ssh(1): improve reporting when attempting to
    load keys from PKCS#11 tokens with fewer useless log messages
    and more detail in debug messages. bz#2610
  * ssh(1): When tearing down ControlMaster connections, don't
    pollute stderr when LogLevel=quiet.
  * sftp(1): On ^Z wait for underlying ssh(1) to suspend before
    suspending sftp(1) to ensure that ssh(1) restores the
    terminal mode correctly if suspended during a password
    prompt.
  * ssh(1): Avoid busy-wait when ssh(1) is suspended during a
    password prompt.
  * ssh(1), sshd(8): Correctly report errors during sending of
    ext- info messages.
  * sshd(8): fix NULL-deref crash if sshd(8) received an out-of-
    sequence NEWKEYS message.
  * sshd(8): Correct list of supported signature algorithms sent
    in the server-sig-algs extension. bz#2547
  * sshd(8): Fix sending ext_info message if privsep is disabled.
  * sshd(8): more strictly enforce the expected ordering of
    privilege separation monitor calls used for authentication
    and allow them only when their respective authentication
    methods are enabled in the configuration
  * sshd(8): Fix uninitialised optlen in getsockopt() call;
    harmless on Unix/BSD but potentially crashy on Cygwin.
  * Fix false positive reports caused by explicit_bzero(3) not
    being recognised as a memory initialiser when compiled with
  - fsanitize-memory.
  * sshd_config(5): Use 2001:db8::/32, the official IPv6 subnet
    for configuration examples.
  - --- Portability
  * On environments configured with Turkish locales, fall back to
    the C/POSIX locale to avoid errors in configuration parsing
    caused by that locale's unique handling of the letters 'i'
    and 'I'. bz#2643
  * sftp-server(8), ssh-agent(1): Deny ptrace on OS X using
    ptrace(PT_DENY_ATTACH, ..)
  * ssh(1), sshd(8): Unbreak AES-CTR ciphers on old (~0.9.8)
    OpenSSL.
  * Fix compilation for libcrypto compiled without RIPEMD160
    support.
  * contrib: Add a gnome-ssh-askpass3 with GTK+3 support. bz#2640
  * sshd(8): Improve PRNG reseeding across privilege separation
    and force libcrypto to obtain a high-quality seed before
    chroot or sandboxing.
  * All: Explicitly test for broken strnvis. NetBSD added an
    strnvis and unfortunately made it incompatible with the
    existing one in OpenBSD and Linux's libbsd (the former having
    existed for over ten years). Try to detect this mess, and
    assume the only safe option if we're cross compiling.
- OpenSSH 7.5
  - --- Potentially-incompatible changes
  * This release deprecates the sshd_config
    UsePrivilegeSeparation option, thereby making privilege
    separation mandatory. Privilege separation has been on by
    default for almost 15 years and sandboxing has been on by
    default for almost the last five.
  * The format of several log messages emitted by the packet code
    has changed to include additional information about the user
    and their authentication state. Software that monitors
    ssh/sshd logs may need to account for these changes. For
    example:
  Connection closed by user x 1.1.1.1 port 1234 [preauth]
  Connection closed by authenticating user x 10.1.1.1 port 1234
  [preauth] Connection closed by invalid user x 1.1.1.1 port
  1234 [preauth]
  Affected messages include connection closure, timeout, remote
  disconnection, negotiation failure and some other fatal
  messages generated by the packet code.
  * [Portable OpenSSH only] This version removes support for
    building against OpenSSL versions prior to 1.0.1. OpenSSL
    stopped supporting versions prior to 1.0.1 over 12 months ago
    (i.e. they no longer receive fixes for security bugs).
  - --- Security
  * ssh(1), sshd(8): Fix weakness in CBC padding oracle
    countermeasures that allowed a variant of the attack fixed in
    OpenSSH 7.3 to proceed.  Note that the OpenSSH client
    disables CBC ciphers by default, sshd offers them as
    lowest-preference options and will remove them by default
    entriely in the next release. Reported by Jean Paul
    Degabriele, Kenny Paterson, Martin Albrecht and Torben Hansen
    of Royal Holloway, University of London.
  * sftp-client(1): [portable OpenSSH only] On Cygwin, a client
    making a recursive file transfer could be maniuplated by a
    hostile server to perform a path-traversal attack. creating
    or modifying files outside of the intended target directory.
    Reported by Jann Horn of Google Project Zero.
  - --- New Features
  * ssh(1), sshd(8): Support "=-" syntax to easily remove methods
    from algorithm lists, e.g. Ciphers=-*cbc. bz#2671
  - --- Bugfixes
  * sshd(1): Fix NULL dereference crash when key exchange start
    messages are sent out of sequence.
  * ssh(1), sshd(8): Allow form-feed characters to appear in
    configuration files.
  * sshd(8): Fix regression in OpenSSH 7.4 support for the
    server-sig-algs extension, where SHA2 RSA signature methods
    were not being correctly advertised. bz#2680
  * ssh(1), ssh-keygen(1): Fix a number of case-sensitivity bugs
    in known_hosts processing. bz#2591 bz#2685
  * ssh(1): Allow ssh to use certificates accompanied by a
    private key file but no corresponding plain *.pub public key.
    bz#2617
  * ssh(1): When updating hostkeys using the UpdateHostKeys
    option, accept RSA keys if HostkeyAlgorithms contains any RSA
    keytype.  Previously, ssh could ignore RSA keys when only the
    ssh-rsa-sha2-* methods were enabled in HostkeyAlgorithms and
    not the old ssh-rsa method. bz#2650
  * ssh(1): Detect and report excessively long configuration file
    lines. bz#2651
  * Merge a number of fixes found by Coverity and reported via
    Redhat and FreeBSD. Includes fixes for some memory and file
    descriptor leaks in error paths. bz#2687
  * ssh-keyscan(1): Correctly hash hosts with a port number.
    bz#2692
  * ssh(1), sshd(8): When logging long messages to stderr, don't
    truncate "\r\n" if the length of the message exceeds the
    buffer. bz#2688
  * ssh(1): Fully quote [host]:port in generated ProxyJump/-J
    command- line; avoid confusion over IPv6 addresses and shells
    that treat square bracket characters specially.
  * ssh-keygen(1): Fix corruption of known_hosts when running
    "ssh-keygen -H" on a known_hosts containing already-hashed
    entries.
  * Fix various fallout and sharp edges caused by removing SSH
    protocol 1 support from the server, including the server
    banner string being incorrectly terminated with only \n
    (instead of \r\n), confusing error messages from ssh-keyscan
    bz#2583 and a segfault in sshd if protocol v.1 was enabled
    for the client and sshd_config contained references to legacy
    keys bz#2686.
  * ssh(1), sshd(8): Free fd_set on connection timeout. bz#2683
  * sshd(8): Fix Unix domain socket forwarding for root
    (regression in OpenSSH 7.4).
  * sftp(1): Fix division by zero crash in "df" output when
    server returns zero total filesystem blocks/inodes.
  * ssh(1), ssh-add(1), ssh-keygen(1), sshd(8): Translate OpenSSL
    errors encountered during key loading to more meaningful
    error codes.  bz#2522 bz#2523
  * ssh-keygen(1): Sanitise escape sequences in key comments sent
    to printf but preserve valid UTF-8 when the locale supports
    it; bz#2520
  * ssh(1), sshd(8): Return reason for port forwarding failures
    where feasible rather than always "administratively
    prohibited". bz#2674
  * sshd(8): Fix deadlock when AuthorizedKeysCommand or
    AuthorizedPrincipalsCommand produces a lot of output and a
    key is matched early. bz#2655
  * Regression tests: several reliability fixes. bz#2654 bz#2658
    bz#2659
  * ssh(1): Fix typo in ~C error message for bad port forward
    cancellation. bz#2672
  * ssh(1): Show a useful error message when included config
    files can't be opened; bz#2653
  * sshd(8): Make sshd set GSSAPIStrictAcceptorCheck=yes as the
    manual page (previously incorrectly) advertised. bz#2637
  * sshd_config(5): Repair accidentally-deleted mention of %k
    token in AuthorizedKeysCommand; bz#2656
  * sshd(8): Remove vestiges of previously removed LOGIN_PROGRAM;
    bz#2665
  * ssh-agent(1): Relax PKCS#11 whitelist to include libexec and
    common 32-bit compatibility library directories.
  * sftp-client(1): Fix non-exploitable integer overflow in
    SSH2_FXP_NAME response handling.
  * ssh-agent(1): Fix regression in 7.4 of deleting
    PKCS#11-hosted keys. It was not possible to delete them
    except by specifying their full physical path. bz#2682
  - --- Portability
  * sshd(8): Avoid sandbox errors for Linux S390 systems using an
    ICA crypto coprocessor.
  * sshd(8): Fix non-exploitable weakness in seccomp-bpf sandbox
    arg inspection.
  * ssh(1): Fix X11 forwarding on OSX where X11 was being started
    by launchd. bz#2341
  * ssh-keygen(1), ssh(1), sftp(1): Fix output truncation for
    various that contain non-printable characters where the
    codeset in use is ASCII.
  * build: Fix builds that attempt to link a kerberised libldns.
    bz#2603
  * build: Fix compilation problems caused by unconditionally
    defining _XOPEN_SOURCE in wide character detection.
  * sshd(8): Fix sandbox violations for clock_gettime VSDO
    syscall fallback on some Linux/X32 kernels. bz#2142
- OpenSSH 7.6
  - --- Potentially-incompatible changes
  This release includes a number of changes that may affect
  existing configurations:
  * ssh(1): delete SSH protocol version 1 support, associated
    configuration options and documentation.
  * ssh(1)/sshd(8): remove support for the hmac-ripemd160 MAC.
  * ssh(1)/sshd(8): remove support for the arcfour, blowfish and
    CAST ciphers.
  * Refuse RSA keys <1024 bits in length and improve reporting
    for keys that do not meet this requirement.
  * ssh(1): do not offer CBC ciphers by default.
  - --- Security
  * sftp-server(8): in read-only mode, sftp-server was
    incorrectly permitting creation of zero-length files.
    Reported by Michal Zalewski.
  - --- New Features
  * ssh(1): add RemoteCommand option to specify a command in the
    ssh config file instead of giving it on the client's command
    line. This allows the configuration file to specify the
    command that will be executed on the remote host.
  * sshd(8): add ExposeAuthInfo option that enables writing
    details of the authentication methods used (including public
    keys where applicable) to a file that is exposed via a
    $SSH_USER_AUTH environment variable in the subsequent
    session.
  * ssh(1): add support for reverse dynamic forwarding. In this
    mode, ssh will act as a SOCKS4/5 proxy and forward
    connections to destinations requested by the remote SOCKS
    client. This mode is requested using extended syntax for the
  - R and RemoteForward options and, because it is implemented
    solely at the client, does not require the server be updated
    to be supported.
  * sshd(8): allow LogLevel directive in sshd_config Match
    blocks; bz#2717
  * ssh-keygen(1): allow inclusion of arbitrary string or flag
    certificate extensions and critical options.
  * ssh-keygen(1): allow ssh-keygen to use a key held in
    ssh-agent as a CA when signing certificates. bz#2377
  * ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an
    explicit ToS/DSCP value and just use the operating system
    default.
  * ssh-add(1): added -q option to make ssh-add quiet on success.
  * ssh(1): expand the StrictHostKeyChecking option with two new
    settings. The first "accept-new" will automatically accept
    hitherto-unseen keys but will refuse connections for changed
    or invalid hostkeys. This is a safer subset of the current
    behaviour of StrictHostKeyChecking=no. The second setting
    "off", is a synonym for the current behaviour of
    StrictHostKeyChecking=no: accept new host keys, and continue
    connection for hosts with incorrect hostkeys. A future
    release will change the meaning of StrictHostKeyChecking=no
    to the behaviour of "accept-new". bz#2400
  * ssh(1): add SyslogFacility option to ssh(1) matching the
    equivalent option in sshd(8). bz#2705
  - --- Bugfixes
  * ssh(1): use HostKeyAlias if specified instead of hostname for
    matching host certificate principal names; bz#2728
  * sftp(1): implement sorting for globbed ls; bz#2649
  * ssh(1): add a user@host prefix to client's "Permission
    denied" messages, useful in particular when using "stacked"
    connections (e.g. ssh -J) where it's not clear which host is
    denying. bz#2720
  * ssh(1): accept unknown EXT_INFO extension values that contain
    \0 characters. These are legal, but would previously cause
    fatal connection errors if received.
  * ssh(1)/sshd(8): repair compression statistics printed at
    connection exit
  * sftp(1): print '?' instead of incorrect link count (that the
    protocol doesn't provide) for remote listings. bz#2710
  * ssh(1): return failure rather than fatal() for more cases
    during session multiplexing negotiations. Causes the session
    to fall back to a non-mux connection if they occur. bz#2707
  * ssh(1): mention that the server may send debug messages to
    explain public key authentication problems under some
    circumstances; bz#2709
  * Translate OpenSSL error codes to better report incorrect
    passphrase errors when loading private keys; bz#2699
  * sshd(8): adjust compatibility patterns for WinSCP to
    correctly identify versions that implement only the legacy DH
    group exchange scheme. bz#2748
  * ssh(1): print the "Killed by signal 1" message only at
    LogLevel verbose so that it is not shown at the default
    level; prevents it from appearing during ssh -J and
    equivalent ProxyCommand configs.  bz#1906, bz#2744
  * ssh-keygen(1): when generating all hostkeys (ssh-keygen -A),
    clobber existing keys if they exist but are zero length.
    zero-length keys could previously be made if ssh-keygen
    failed or was interrupted part way through generating them.
    bz#2561
  * ssh(1): fix pledge(2) violation in the escape sequence "~&"
    used to place the current session in the background.
  * ssh-keyscan(1): avoid double-close() on file descriptors;
    bz#2734
  * sshd(8): avoid reliance on shared use of pointers shared
    between monitor and child sshd processes. bz#2704
  * sshd_config(8): document available AuthenticationMethods;
    bz#2453
  * ssh(1): avoid truncation in some login prompts; bz#2768
  * sshd(8): Fix various compilations failures, inc bz#2767
  * ssh(1): make "--" before the hostname terminate argument
    processing after the hostname too.
  * ssh-keygen(1): switch from aes256-cbc to aes256-ctr for
    encrypting new-style private keys. Fixes problems related to
    private key handling for no-OpenSSL builds. bz#2754
  * ssh(1): warn and do not attempt to use keys when the public
    and private halves do not match. bz#2737
  * sftp(1): don't print verbose error message when ssh
    disconnects from under sftp. bz#2750
  * sshd(8): fix keepalive scheduling problem: activity on a
    forwarded port from preventing the keepalive from being sent;
    bz#2756
  * sshd(8): when started without root privileges, don't require
    the privilege separation user or path to exist. Makes running
    the regression tests easier without touching the filesystem.
  * Make integrity.sh regression tests more robust against
    timeouts.  bz#2658
  * ssh(1)/sshd(8): correctness fix for channels implementation:
    accept channel IDs greater than 0x7FFFFFFF.
  - --- Portability
  * sshd(9): drop two more privileges in the Solaris sandbox:
    PRIV_DAX_ACCESS and PRIV_SYS_IB_INFO; bz#2723
  * sshd(8): expose list of completed authentication methods to
    PAM via the SSH_AUTH_INFO_0 PAM environment variable. bz#2408
  * ssh(1)/sshd(8): fix several problems in the tun/tap
    forwarding code, mostly to do with host/network byte order
    confusion. bz#2735
  * Add --with-cflags-after and --with-ldflags-after configure
    flags to allow setting CFLAGS/LDFLAGS after configure has
    completed. These are useful for setting sanitiser/fuzzing
    options that may interfere with configure's operation.
  * sshd(8): avoid Linux seccomp violations on ppc64le over the
    socketcall syscall.
  * Fix use of ldns when using ldns-config; bz#2697
  * configure: set cache variables when cross-compiling. The
    cross- compiling fallback message was saying it assumed the
    test passed, but it wasn't actually set the cache variables
    and this would cause later tests to fail.
  * Add clang libFuzzer harnesses for public key parsing and
    signature verification.
- packaging:
  * moving patches into a separate archive
  * first round of rebased patches:
    [-X11_trusted_forwarding]
    [-allow_root_password_login]
    [-blocksigalrm]
    [-cavstest-ctr]
    [-cavstest-kdf]
    [-disable_short_DH_parameters]
    [-eal3]
    [-enable_PAM_by_default]
    [-fips]
    [-fips_checks]
    [-gssapi_key_exchange]
    [-hostname_changes_when_forwarding_X]
    [-lastlog]
    [-missing_headers]
    [-pam_check_locks]
    [-pts_names_formatting]
    [-remove_xauth_cookies_on_exit]
    [-seccomp_geteuid]
    [-seccomp_getuid]
    [-seccomp_stat]
    [-seed-prng]
    [-send_locale]
    [-systemd-notify]
  * not rebased (obsoleted) patches (so far):
    [-additional_seccomp_archs]
    [-allow_DSS_by_default]
    [-default_protocol]
    [-dont_use_pthreads_in_PAM]
    [-eal3_obsolete]
    [-gssapimitm]
    [-saveargv-fix]
  * obviously removing all standalone patch files:
    [openssh-7.2p2-allow_root_password_login.patch]
    [openssh-7.2p2-allow_DSS_by_default.patch]
    [openssh-7.2p2-X11_trusted_forwarding.patch]
    [openssh-7.2p2-lastlog.patch]
    [openssh-7.2p2-enable_PAM_by_default.patch]
    [openssh-7.2p2-dont_use_pthreads_in_PAM.patch]
    [openssh-7.2p2-eal3.patch]
    [openssh-7.2p2-blocksigalrm.patch]
    [openssh-7.2p2-send_locale.patch]
    [openssh-7.2p2-hostname_changes_when_forwarding_X.patch]
    [openssh-7.2p2-remove_xauth_cookies_on_exit.patch]
    [openssh-7.2p2-pts_names_formatting.patch]
    [openssh-7.2p2-pam_check_locks.patch]
    [openssh-7.2p2-disable_short_DH_parameters.patch]
    [openssh-7.2p2-seccomp_getuid.patch]
    [openssh-7.2p2-seccomp_geteuid.patch]
    [openssh-7.2p2-seccomp_stat.patch]
    [openssh-7.2p2-additional_seccomp_archs.patch]
    [openssh-7.2p2-fips.patch]
    [openssh-7.2p2-cavstest-ctr.patch]
    [openssh-7.2p2-cavstest-kdf.patch]
    [openssh-7.2p2-seed-prng.patch]
    [openssh-7.2p2-gssapi_key_exchange.patch]
    [openssh-7.2p2-audit.patch]
    [openssh-7.2p2-audit_fixes.patch]
    [openssh-7.2p2-audit_seed_prng.patch]
    [openssh-7.2p2-login_options.patch]
    [openssh-7.2p2-disable_openssl_abi_check.patch]
    [openssh-7.2p2-no_fork-no_pid_file.patch]
    [openssh-7.2p2-host_ident.patch]
    [openssh-7.2p2-sftp_homechroot.patch]
    [openssh-7.2p2-sftp_force_permissions.patch]
    [openssh-7.2p2-X_forward_with_disabled_ipv6.patch]
    [openssh-7.2p2-ldap.patch]
    [openssh-7.2p2-IPv6_X_forwarding.patch]
    [openssh-7.2p2-ignore_PAM_with_UseLogin.patch]
    [openssh-7.2p2-prevent_timing_user_enumeration.patch]
    [openssh-7.2p2-limit_password_length.patch]
    [openssh-7.2p2-keep_slogin.patch]
    [openssh-7.2p2-kex_resource_depletion.patch]
    [openssh-7.2p2-verify_CIDR_address_ranges.patch]
    [openssh-7.2p2-restrict_pkcs11-modules.patch]
    [openssh-7.2p2-prevent_private_key_leakage.patch]
    [openssh-7.2p2-secure_unix_sockets_forwarding.patch]
    [openssh-7.2p2-ssh_case_insensitive_host_matching.patch]
    [openssh-7.2p2-disable_preauth_compression.patch]
    [openssh-7.2p2-s390_hw_crypto_syscalls.patch]
    [openssh-7.2p2-s390_OpenSSL-ibmpkcs11_syscalls.patch]
- Replace references to /var/adm/fillup-templates with new
  %_fillupdir macro (boo#1069468)

==== patterns-kde ====
Subpackages: patterns-kde-devel_kde patterns-kde-devel_kde_frameworks patterns-kde-devel_qt5 patterns-kde-kde patterns-kde-kde_edutainment patterns-kde-kde_games patterns-kde-kde_ide patterns-kde-kde_imaging patterns-kde-kde_internet patterns-kde-kde_multimedia patterns-kde-kde_office patterns-kde-kde_plasma patterns-kde-kde_utilities patterns-kde-kde_utilities_opt patterns-kde-kde_yast

- Recommend discover in the kde_plasma pattern

==== php7 ====
Version update (7.2.0 -> 7.2.1)
Subpackages: apache2-mod_php7 php7-bcmath php7-bz2 php7-calendar php7-ctype php7-curl php7-dba php7-devel php7-dom php7-exif php7-fastcgi php7-ftp php7-gd php7-gettext php7-gmp php7-iconv php7-imap php7-json php7-ldap php7-mbstring php7-mysql php7-odbc php7-openssl php7-pdo php7-pear php7-pear-Archive_Tar php7-pgsql php7-shmop php7-snmp php7-sockets php7-sqlite php7-sysvsem php7-sysvshm php7-tidy php7-tokenizer php7-wddx php7-xmlreader php7-xmlwriter php7-xsl php7-zlib

- updated to 7.2.1: Several security bugs were fixed in this release.
  http://php.net/ChangeLog-7.php#7.2.1
- build against newer webp [bsc#1074121]

==== plasma5-desktop ====
Subpackages: plasma5-desktop-lang

- Add patch to fix generation of font previews:
  * 0001-Support-font-ttf-and-font-otf-mimetypes-in-kfontinst.patch

==== plasma5-pk-updates ====
Subpackages: plasma5-pk-updates-lang

- Fix refresh logic on startup:
  * 0001-Only-save-the-last-update-timestep-on-success.patch
  * 0002-Show-that-the-last-check-failed-if-no-updates-availa.patch
  * 0003-List-known-updates-on-startup.patch

==== publicsuffix ====
Version update (20171028 -> 20171228)

- Update to version 20171228:
  * Add Paris region (#579)
  * Fixed alwaysdata.net. (#555)
  * Add Combell domains (#565)
  * Adding scrysec.com (#528)
  * Add Fedora Openshift app domains (#533)
  * Add resin.io device domains to list (#499)
  * Add nh-serv.co.uk to list file (#491)
  * Add 1Password domains (#562)
  * Add s5y.io (#572)
  * Add social domains - NIC.bo (#467)

==== python-attrs ====
Version update (17.3.0 -> 17.4.0)

- specfile:
  * update copyright year
- update to version 17.4.0:
  * Backward-incompatible Changes
    + The traversal of MROs when using multiple inheritance was
    backward:
    If you defined a class "C" that subclasses "A" and "B" like
    "C(A, B)", "attrs" would have collected the attributes from "B"
  * before* those of "A".
    This is now fixed and means that in classes that employ multiple
    inheritance, the output of "__repr__" and the order of
    positional arguments in "__init__" changes.
    Due to the nature of this bug, a proper deprecation cycle was
    unfortunately impossible.
    Generally speaking, it's advisable to prefer "kwargs"-based
    initialization anyways ? *especially* if you employ multiple
    inheritance and diamond-shaped hierarchies.
    + The "__repr__" set by "attrs" no longer produces an
    "AttributeError" when the instance is missing some of the
    specified attributes (either through deleting or after using
    "init=False" on some attributes).
    This can break code that relied on "repr(attr_cls_instance)"
    raising "AttributeError" to check if any attr-specified members
    were unset.
    If you were using this, you can implement a custom method for
    checking this::
    def has_unset_members(self):
    for field in attr.fields(type(self)):
    try:
    getattr(self, field.name)
    except AttributeError:
    return True
    return False
  * Deprecations
    + The "attr.ib(convert=callable)" option is now deprecated in
    favor of "attr.ib(converter=callable)".
    This is done to achieve consistency with other noun-based
    arguments like *validator*.  *convert* will keep working until
    at least January 2019 while raising a "DeprecationWarning".
  * Changes
    + Generated "__hash__" methods now hash the class type along with
    the attribute values.  Until now the hashes of two classes with
    the same values were identical which was a bug.
    The generated method is also *much* faster now.
    + "attr.ib"?s "metadata" argument now defaults to a unique empty
    "dict" instance instead of sharing a common empty "dict" for
    all.  The singleton empty "dict" is still enforced.
    + "ctypes" is optional now however if it's missing, a bare
    "super()" will not work in slots classes.  This should only
    happen in special environments like Google App Engine.
    + The attribute redefinition feature introduced in 17.3.0 now
    takes into account if an attribute is redefined via multiple
    inheritance.  In that case, the definition that is closer to the
    base of the class hierarchy wins.
    + Subclasses of "auto_attribs=True" can be empty now.
    + Equality tests are *much* faster now.
    + All generated methods now have correct "__module__", "__name__",
    and (on Python 3) "__qualname__" attributes.

==== python-cssselect ====
Version update (1.0.1 -> 1.0.3)
Subpackages: python2-cssselect python3-cssselect

- specfile:
  * update copyright year
- update to version 1.0.3:
  * Fix artifact uploads to pypi
- changes from version 1.0.2:
  * Drop support for Python 2.6 and Python 3.3.
  * Fix deprecation warning in Python 3.6.
  * Minor cleanups.

==== python-dbus-python ====
Subpackages: python2-dbus-python python3-dbus-python

- drop unneeded epydoc requirement properly

==== python-gpgme ====

- Use python macros to not directly pull both develpackages

==== python-httplib2 ====

- update httplib2-use-system-certs.patch: handle
  the case with ssl_version being None correctly
- update httplib2-use-system-certs.patch: Also use
  ssl.create_default_context in the python2 case so that
  the system wide certificates are loaded as trusted again.

==== python-kiwi ====
Version update (9.11.24 -> 9.11.30)

- Bump version: 9.11.29 ? 9.11.30
- Deleted syslinux from ppc/oemboot/suse-SLES15
  syslinux is not provided for ppc. This Fixes bsc#1073310
[boot] fix double quote in grub menu which makes kernel updates for CentOS / RHEL / Fedora break grub.cfg
- Omit kiwi-repart dracut module in oemboot initrd
  KIWI's oemboot initrd with initrd_system="dracut" together with
  installiso="true" requires to have dracut-kiwi-oem-repart package
  installed in the system, thus it ends up also being included in the
  recreated dracut initrd after booting the oemboot initrd from the
  installation iso. This kiwi-repart module causes a boot failure in that
  case since no .profile file is present, moreover, it has no sense to
  run it at that stage, since the disk is already reparted by the
  oemboot code.
  This commit allows installiso="true" and initrd_system="dracut" to
  play well together.
- Improve locale pattern in schema
  Now the locale pattern in the schema also supports POSIX. Note
  that POSIX will be only accepted if listed in the first place of the comma
  separated list.
  This commit fixes #570
- Bump version: 9.11.28 ? 9.11.29
- Allow to choose dracut live module
  There is the standard dracut dmsquash-live module based on
  the device mapper technology and the kiwi-live module based
  on the overlayfs technology. The setup of the live iso structure
  in kiwi is compatible to both modules. Thus it makes sense
  to allow to choose the technology via the flags attribute
  <type image="iso" ... flags="overlay|dmsquash"/>
  Please note both modules supports a different set of live
  features. This Fixes #568
- Bump version: 9.11.27 ? 9.11.28
- Fixed ec2 and azure test builds
  cryptconfig is no longer provided
- Bump version: 9.11.26 ? 9.11.27
- Apply target permissions only if target dir exists
- Bump version: 9.11.25 ? 9.11.26
- Fixed use of stat result in os.chmod
  oct method returns a string representation which was mistakenly
  used in a subsequent os.chmod call. This Fixes #564
- Fixed tox doc target
  Correctly include schema pictures after travis-sphinx build
- Bump version: 9.11.24 ? 9.11.25
- Update failsafe kernel option list
  Delete obsolete parameters and make sure a failsafe boot
  does boot into runlevel 3. This Fixes #554
- Apply xslt validation on boot images
- Do not match comments and PIs in XSLT templates
  I wanted to add a simple vim modeline to my XML description:
  <!--
  vim: et:sts=2:sw=2
-->
  This made kiwi consume insane amounts of memory during the XSLT
  transform step. While this may be a bug in my version of lxml, we do not
  transform comments on processing instructions in the conversion
  templates, so the easiest solution is not to match them.
  Signed-off-by: Michal Marek <MichalMarek1@eaton.com>
- Make sure toplevel target dir keeps permissions
  When syncing data via rsync we make sure the toplevel target
  directory the data gets synced to does not change it's origin
  permissions. This Fixes #557
- Rebuild schema documentation
- Fixed dependencies for dracut-kiwi-lib
  Adapt package names for gdisk/gptfdisk and btrfs-progs/btrfsprogs
  Install and require fdasd only on s390 architecture
  Delete fbiterm requirement since the project seems unmaintained
  and the use of the framebuffer terminal is an option in the code
  but not mandatory. This Fixes #559
- add missing deps for docker builds.
  Moving kiwi-image:* provides to -requires package
- Update text per review
- Fix and cleanup tox setup
  Along with the cleanup of the tox setup also the workaround
  using an older version of the py module has been fixed
- Fixed travis-sphinx call syntax
- Update dropped feature list
  Legacy kiwi's oem recovery feature will not be ported
  due to technologes like ReaR, snapper, btrfs and due
  to the container, cloud and public cloud orientation of
  OS images

==== python-numpy ====
Version update (1.13.3 -> 1.14.0)
Subpackages: python2-numpy python3-numpy

- update to version 1.14.0
  Changes documented in release notes:
  https://github.com/numpy/numpy/blob/master/doc/release/1.14.0-notes.rst
- Switch from gcc6 to gcc7 as additional compiler flavor for HPC on SLES.
- Fix library package requires - use HPC macro (boo#1074890).

==== python-pywbem ====

- Fix another lost dependency. Need ssl module which python-base
  does not provide. (bnc#1072564)

==== qemu ====
Subpackages: qemu-arm qemu-block-curl qemu-block-dmg qemu-block-gluster qemu-block-iscsi qemu-block-rbd qemu-block-ssh qemu-extra qemu-ipxe qemu-ksm qemu-kvm qemu-lang qemu-ppc qemu-s390 qemu-seabios qemu-sgabios qemu-tools qemu-vgabios qemu-x86

- Pass through to guest info related to x86 security vulnerability
  (CVE-2017-5715 bsc#1068032)
  0034-i386-kvm-MSR_IA32_SPEC_CTRL-and-MSR.patch
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.11

==== qemu-linux-user ====

- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.11
  * Patches added:
  0034-i386-kvm-MSR_IA32_SPEC_CTRL-and-MSR.patch

==== rsync ====

- Fix: Stop file upload after errors [bsc#1062063]
- Added patches:
  * rsync-send_error_to_sender.patch
  * rsync-avoid-uploading-after-error.patch

==== ruby2.4 ====
Subpackages: libruby2_4-2_4 ruby2.4-devel ruby2.4-stdlib

- merge in some improvements from the 2.5 package
  - track all binaries handled via u-a in an ua_binaries variable
  - set an UTF-8 locale for building

==== serd ====

- Tweak a bit more py3 dep to not pull whole python but just base
- Fix group on one of the subpkgs
- Remove python-base dependency and change headers in python scripts
  to python3

==== speech-dispatcher ====
Subpackages: libspeechd-devel libspeechd2 python3-speechd speech-dispatcher-configure speech-dispatcher-module-espeak

- Add baselibs.conf: create libspeechd2-32bit, required by
  libQt5TextToSpeech5-32bit.

==== swig ====

- Reduce some conditionals for old distros lets consider sle11/rhel6
  as minimal supported configuration
- Make sure we can be built and distributed with python3 only
  present in the system

==== tbb ====

- Add conditions to build with py2 and py3 respectively in order
  to allow us disable one based on codestream

==== texinfo ====
Version update (6.4 -> 6.5)
Subpackages: info makeinfo

- Update to version 6.5:
  * info:
    + some bugs fixed:
    a bug where a segfault could happen in the regex search, for
    example when the user entered a single \ as the search string
    + another bug which could make nodes inaccessible in long
    "split" info files
    + a bug where it was not possible to follow a cross-reference
    that was split across more than one line has been fixed
    + do not fall back to a man page if following a cross-reference
    in an info file failed
    + if looking for a file failed, do not convert the name of a
    file to lower-case and look for it again
  * texinfo.tex
    + some faulty definitions for Unicode characters have been
    changed or removed
    + fix indentation in table of contents for entries that are
    split across multiple lines
  * texi2dvi
    + a bug that broke the processing of LaTeX files that did not
    use BibTeX has been fixed
  * texi2any
    + output the encoding declaration of a HTML file earlier so it
    will always occur within first 1024 bytes of file
    + `INLINE_INSERTCOPYING' removed as a customization variable

==== totem ====
Subpackages: nautilus-totem totem-lang totem-plugin-brasero totem-plugins

- Add totem-thumbnailer-blacklist-fixes.patch: Fixes to the
  thumbnailer blacklists plugins (bgo#790491).

==== tracker ====
Subpackages: libtracker-common-2_0 libtracker-control-2_0-0 libtracker-miner-2_0-0 libtracker-sparql-2_0-0 tracker-lang typelib-1_0-Tracker-2_0 typelib-1_0-TrackerControl-2_0

- Add tracker-nb-translations.patch: Update Norwegian bokm�l
  translations.

==== tracker-miners ====
Subpackages: tracker-miner-files tracker-miners-lang

- Add tracker-miners-nb-translations.patch: Update Norwegian Bokm�l
  translations.

==== vim ====
Version update (8.0.1417 -> 8.0.1428)
Subpackages: gvim vim-data

- Updated to revision 1428, fixes the following problems
  * No test for expanding backticks.
  * Cursor column is not updated after ]s. (Gary Johnson)
  * Accessing freed memory in vimgrep.
  * Accessing invalid memory with overlong byte sequence.
  * No fallback to underline when undercurl is not set. (Ben Jackson)
  * Error in return not caught by try/catch.
  * The timer_pause test is flaky on Travis.
  * execute() does not work in completion of user command. (thinca)
  * "gf" and <cfile> don't accept ? and & in URL. (Dmitrii Tcyganok)
  * The :leftabove modifier doesn't work for :copen.
  * Compiler warning on 64 bit MS-Windows system.
- ignore make check transient errors for PowerPC
  bypass boo#1072651
- Update apparmor.vim (taken from AppArmor 2.12)
  * add support for the "smc" network keyword

==== virtualbox ====
Subpackages: virtualbox-host-kmp-default virtualbox-qt

- Updated file "fixes_for_leap15.patch" for new source.

==== webkit2gtk3 ====
Version update (2.18.4 -> 2.18.5)
Subpackages: libjavascriptcoregtk-4_0-18 libwebkit2gtk-4_0-37 libwebkit2gtk3-lang typelib-1_0-JavaScriptCore-4_0 typelib-1_0-WebKit2-4_0 webkit2gtk-4_0-injected-bundles

- Update to version 2.18.5:
  + Disable SharedArrayBuffers from Web API.
  + Reduce the precision of ?high? resolution time to 1ms.
  + Fix API documentation generation with newer gtk-doc.
  + bsc#1075419 - Security fixes: includes improvements to mitigate
    the effects of Spectre (CVE-2017-5753 and CVE-2017-5715).

==== wireless-regdb ====
Version update (2017.03.07 -> 2017.12.23)

- Update to version 2017.12.23 (boo#1074838):
  * update regulatory database based on preceding changes
  * Document regulatory.db in the manual page
  * Install regulatory.db and regulatory.db.p7s to /lib/firmware
  * Better support for generating public certificates
  * Add sforshee's x509 certificate
  * Restore generation of old format database files
  * regdb: write firmware file format (version code 20)

==== wireshark ====
Version update (2.4.3 -> 2.4.4)
Subpackages: libwiretap7 libwscodecs1 libwsutil8 wireshark-ui-qt

- Wireshark 2.4.4:
  * fixes for dissector crashes:
    + CVE-2018-5334: IxVeriWave file could crash (bsc#1075737)
    + CVE-2018-5335: WCP dissector could crash (bsc#1075738)
    + CVE-2018-5336: Multiple dissector crashes (bsc#1075739)
  * No longer enable the Linux kernel BPF JIT compiler via the
    net.core.bpf_jit_enable sysctl, as this would make systems
    more vulnerable to Spectre variant 1 (bsc#1075748, CVE-2017-5753)
  * Further bug fixes and updated protocol support as listed in:
    https://www.wireshark.org/docs/relnotes/wireshark-2.4.4.html

==== xen ====
Version update (4.10.0_08 -> 4.10.0_10)
Subpackages: xen-doc-html xen-libs xen-tools xen-tools-domU

- bsc#1067317 - pass cache=writeback|unsafe|directsync to qemu,
  depending on the libxl disk settings
  libxl.add-option-to-disable-disk-cache-flushes-in-qdisk.patch
- Remove libxl.LIBXL_DESTROY_TIMEOUT.debug.patch
- bsc#1067224 - xen-tools have hard dependency on Python 2
  build-python3-conversion.patch
  bin-python3-conversion.patch
- bsc#1070165 - xen crashes after aborted localhost migration
  5a2ffc1f-x86-mm-drop-bogus-paging-mode-assertion.patch
- bsc#1035442 - L3: libxl: error: libxl.c:1676:devices_destroy_cb:
  libxl__devices_destroy failed
  5a33a12f-domctl-improve-locking-during-domain-destruction.patch
- Upstream patches from Jan (bsc#1027519)
  5a21a77e-x86-pv-construct-d0v0s-GDT-properly.patch
  5a2fda0d-x86-mb2-avoid-Xen-when-looking-for-module-crashkernel-pos.patch
  5a313972-x86-microcode-add-support-for-AMD-Fam17.patch
  5a32bd79-x86-vmx-dont-use-hvm_inject_hw_exception-in-.patch

==== xorg-x11-server ====
Version update (1.19.5 -> 1.19.6)
Subpackages: xorg-x11-server-sdk

- Update to version 1.19.6:
  Another collection of fixes from master. There will likely be at east one more
  1.19.x release in 2018.

==== yast2-ruby-bindings ====
Version update (4.0.3 -> 4.0.4)

- Set proper title also for YaST2 scc (bsc#1075164)
- 4.0.4