Packages changed: apparmor distribution-logos-openSUSE (20241022 -> 20250203) dtc freerdp krb5 libapparmor libsmbios openSUSE-release (20250205 -> 20250206) pam_pkcs11 (0.6.12 -> 0.6.13) python-cryptography (43.0.3 -> 44.0.0) python-pyOpenSSL (24.2.1 -> 25.0.0) sssd (2.10.1 -> 2.10.2) tiff === Details === ==== apparmor ==== Subpackages: apparmor-abstractions apparmor-docs apparmor-parser apparmor-parser-lang apparmor-profiles apparmor-utils apparmor-utils-lang python3-apparmor - add python313.patch to fix build with python 3.13 ==== distribution-logos-openSUSE ==== Version update (20241022 -> 20250203) Subpackages: distribution-logos-openSUSE-Aeon distribution-logos-openSUSE-Tumbleweed distribution-logos-openSUSE-icons - Update to version 20250203: * Kalpa: Add Distribution Logos ==== dtc ==== - Mark assembler output as noexecstack ==== freerdp ==== Subpackages: libfreerdp3-3 librdtk0-0 libwinpr3-3 - Drop pkgconfig(webkit2gtk-4.0) BuildRequires, we are not passing webview=on to cmake, hence unused and nobody complained. ==== krb5 ==== Subpackages: krb5-32bit krb5-client - Prevent overflow when calculating ulog block size. An authenticated attacker can cause kadmind to write beyond the end of the mapped region for the iprop log file, likely causing a process crash; (CVE-2025-24528); (bsc#1236619). - Add patch 0010-CVE-2025-24528.patch ==== libapparmor ==== - add python313.patch to fix build with python 3.13 ==== libsmbios ==== Subpackages: libsmbios-lang libsmbios_c2 python3-smbios python3-smbios-utils - switch to manual service runs - Add unittest-drop-makeSuite.patch to adapt the testsuite to Python 3.13 ==== openSUSE-release ==== Version update (20250205 -> 20250206) Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== pam_pkcs11 ==== Version update (0.6.12 -> 0.6.13) - Update to 0.6.13 * Added pkcs11-eventmgr systemd service unit. * Updated Russian translations for pam_pkcs11 (thx Max Kosmach and Andrey Cherepanov). * Fixed possible authentication bypass (CVE-2025-24032): * Use signatures to verify authentication by default (thx Frank Morgner). * Fixed possible authentication bypass (CVE-2025-24531): * Restoring the original card_only / wait_for_card behavior (thx Matthias Gerstner, Frank Morgner). * Move pam_securetty.so upward in the example PAM config. * Set 'slot_num' configuration parameter to 0 by default (thx Jpereyra316). * Print details about configuration parse errors (thx Jpereyra316). * Add Chinese (Simplified) translation. * Capitalize all PAM messages (thx Alynx Zhou). * Made pkcs11_make_hash_link support whitespaces in file names * Drop 0001-Set-slot_num-configuration-parameter-to-0-by-default.patch * Drop 0001-memory-leak-fixes.patch * Rebase pam_pkcs11-0.5.3-nss-conf.patch * Rebase pam_pkcs11-0.6.0-nss-autoconf.patch ==== python-cryptography ==== Version update (43.0.3 -> 44.0.0) - Update to version 44.0.0: * BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL < 3.9. * Deprecated Python 3.7 support. Python 3.7 is no longer supported by the Python core team. Support for Python 3.7 will be removed in a future cryptography release. * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.4.0. * macOS wheels are now built against the macOS 10.13 SDK. Users on older versions of macOS should upgrade, or they will need to build cryptography themselves. * Enforce the RFC 5280 requirement that extended key usage extensions must not be empty. * Added support for timestamp extraction to the :class:`~cryptography.fernet.MultiFernet` class. * Relax the Authority Key Identifier requirements on root CA certificates during X.509 verification to allow fields permitted by RFC 5280 but forbidden by the CA/Browser BRs. * Added support for :class:`~cryptography.hazmat.primitives.kdf.argon2.Argon2id` when using OpenSSL 3.2.0+. * Added support for the :class:`~cryptography.x509.Admissions` certificate extension. * Added basic support for PKCS7 decryption (including S/MIME 3.2) via :func:`~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_der`, :func:`~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_pem`, and :func:`~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_smime`. - Update specfile to accommodate new project structure at version 44.0.0 - Update no-pytest_benchmark.patch ==== python-pyOpenSSL ==== Version update (24.2.1 -> 25.0.0) - Switch to pyproject macros. - Add typing-extensions to Requires for 3.11 and 3.12. - Update to 25.0.0 * Backward-incompatible changes: - * Deprecations: - * Changes: - Corrected type annotations on Context.set_alpn_select_callback, Context.set_session_cache_mode, Context.set_options, Context.set_mode, X509.subject_name_hash, and X509Store.load_locations. - Deprecated APIs are now marked using warnings.deprecated. mypy will emit deprecation notices for them when used with --enable-error-code deprecated. - Changes from 24.3.0 * Backward-incompatible changes: - Removed the deprecated OpenSSL.crypto.CRL, OpenSSL.crypto.Revoked, OpenSSL.crypto.dump_crl, and OpenSSL.crypto.load_crl. cryptography.x509's CRL functionality should be used instead. - Removed the deprecated OpenSSL.crypto.sign and OpenSSL.crypto.verify. cryptography.hazmat.primitives.asymmetric's signature APIs should be used instead. * Deprecations: - Deprecated OpenSSL.rand - callers should use os.urandom() instead. - Deprecated add_extensions and get_extensions on OpenSSL.crypto.X509Req and OpenSSL.crypto.X509. These should have been deprecated at the same time X509Extension was. Users should use pyca/cryptography's X.509 APIs instead. - Deprecated OpenSSL.crypto.get_elliptic_curves and OpenSSL.crypto.get_elliptic_curve, as well as passing the reult of them to OpenSSL.SSL.Context.set_tmp_ecdh, users should instead pass curves from cryptography. - Deprecated passing X509 objects to OpenSSL.SSL.Context.use_certificate, OpenSSL.SSL.Connection.use_certificate, OpenSSL.SSL.Context.add_extra_chain_cert, and OpenSSL.SSL.Context.add_client_ca, users should instead pass cryptography.x509.Certificate instances. This is in preparation for deprecating pyOpenSSL's X509 entirely. - Deprecated passing PKey objects to OpenSSL.SSL.Context.use_privatekey and OpenSSL.SSL.Connection.use_privatekey, users should instead pass cryptography priate key instances. This is in preparation for deprecating pyOpenSSL's PKey entirely. * Changes: - cryptography maximum version has been increased to 44.0.x. - OpenSSL.SSL.Connection.get_certificate, OpenSSL.SSL.Connection.get_peer_certificate, OpenSSL.SSL.Connection.get_peer_cert_chain, and OpenSSL.SSL.Connection.get_verified_chain now take an as_cryptography keyword-argument. When True is passed then cryptography.x509.Certificate are returned, instead of OpenSSL.crypto.X509. In the future, passing False (the default) will be deprecated. - Rebase skip-networked-test.patch. ==== sssd ==== Version update (2.10.1 -> 2.10.2) Subpackages: libnfsidmap-sss libsss_certmap0 libsss_idmap0 sssd-krb5-common sssd-ldap - Update to release 2.10.2 * If the ssh responder is not running, sss_ssh_knownhosts will not fail (but it will not return the keys). * SSSD is now capable of handling multiple services associated with the same port. * sssd_pam, being a privileged binary, now clears the environment and does not allow configuration of the PR_SET_DUMPABLE flag as a precaution. ==== tiff ==== - Update test/test_directory.c not to fail on big-endian machines. * Add tiff-4.7.0-test_directory.patch Fix memory leaks (fixes issue #652) * Resolves bsc#1236834 fix build fail on s390x