Packages changed:
c-ares (1.16.1 -> 1.17.0)
gpg2 (2.2.23 -> 2.2.24)
gpgme (1.14.0 -> 1.15.0)
libfido2
mozilla-nss (3.57 -> 3.58)
patterns-microos
sudo (1.9.2 -> 1.9.3p1)
ucode-intel (20201110 -> 20201118)
=== Details ===
==== c-ares ====
Version update (1.16.1 -> 1.17.0)
- ares_dns.h, missing_header.patch: re-add missing header in last release
- Version update to 1.17.0
Security:
* avoid read-heap-buffer-overflow in ares_parse_soa_reply found during
fuzzing
* Avoid theoretical buffer overflow in RC4 loop comparison
* Empty hquery->name could lead to invalid memory access
* ares_parse_{a,aaaa}_reply() could return a larger *naddrttls than was
passed in (bsc#1178882, CVE-2020-8277)
Changes:
* Update help information for adig, acountry, and ahost
* Test Suite now uses dynamic system-assigned ports rather than hardcoded
ports to prevent failures in containers
* Detect remote DNS server does not support EDNS using rules from RFC 6891
* Source tree has been reorganized to use a more modern layout
* Allow parsing of CAA Resource Record
Bug fixes:
* readaddrinfo bad sizeof()
* Test cases should honor HAVE_WRITEV flag, not depend on WIN32
* FQDN with trailing period should be queried first
* ares_getaddrinfo() was returning members of the struct as garbage values if
unset, and was not honoring ai_socktype and ai_protocol hints.
* ares_gethostbyname() with AF_UNSPEC and an ip address would fail
* Properly document ares_set_local_ip4() uses host byte order
For details, see https://c-ares.haxx.se/changelog.html
- add missing upstream sources, to be removed for next release
- remove unnecessary BuildRequires
- fix building on SLE12 systems
==== gpg2 ====
Version update (2.2.23 -> 2.2.24)
- GnuPG 2.2.24:
* gpg: New command --quick-revoke-sig
* gpg: Do not use weak digest algos if selected by recipient
preference during sign+encrypt
* gpg: Switch to AES256 for symmetric encryption in de-vs mode
* gpg: Silence weak digest warnings with --quiet
* gpg: Print new status line CANCELED_BY_USER for a cancel during
symmetric encryption
* gpg: Fix the encrypt+sign hash algo preference selection for
ECDSA. This is in particular needed for keys created from
existing smartcard based keys
* agent: Fix secret key import of GnuPG 2.3 generated Ed25519
keys
* agent: Keep some permissions of private-keys-v1.d
* dirmngr: Align sks-keyservers.netCA.pem use between ntbtls and
gnutls builds
* dirmngr: Fix the pool keyserver case for a single host in the
pool
* scd: Fix the use case of verify_chv2 by CHECKPIN
* scd: Various improvements to the ccid-driver
* scd: Minor fixes for Yubikey
* gpgconf: New option --show-versions
* i18n: Complete overhaul and completion of the Italian
translation
==== gpgme ====
Version update (1.14.0 -> 1.15.0)
- gpgme 1.15.0:
* New function gpgme_op_setexpire to make changing the expiration
easier
* New function gpgme_op_revsig to revoke key signatures
* Support exporting secret keys
* cpp: Support for set expire operations in the C++ bindings
* cpp: Support for revoking key signatures in the C++ bindings
* qt: Extended ChangeExpiryJob to support changing the expiry of
subkeys
* qt: Extended QuickJob to support revoking of key signatures
* qt: Added QDebug stream operator for GpgME::Error.
* Require libgpg-error 1.36
==== libfido2 ====
Subpackages: libfido2-1 libfido2-udev
- Add Conflicts: to supersede version 1.0.0. This is needed for
a clean upgrade path on SLE.
==== mozilla-nss ====
Version update (3.57 -> 3.58)
- update to NSS 3.58
Bugs fixed:
* bmo#1641480 (CVE-2020-25648)
Tighten CCS handling for middlebox compatibility mode.
* bmo#1631890 - Add support for Hybrid Public Key Encryption
(draft-irtf-cfrg-hpke) support for TLS Encrypted Client Hello
(draft-ietf-tls-esni).
* bmo#1657255 - Add CI tests that disable SHA1/SHA2 ARM crypto
extensions.
* bmo#1668328 - Handle spaces in the Python path name when using
gyp on Windows.
* bmo#1667153 - Add PK11_ImportDataKey for data object import.
* bmo#1665715 - Pass the embedded SCT list extension (if present)
to TrustDomain::CheckRevocation instead of the notBefore value.
==== patterns-microos ====
Subpackages: patterns-microos-alt_onlyDVD patterns-microos-apparmor patterns-microos-base patterns-microos-basesystem patterns-microos-cloud patterns-microos-cockpit patterns-microos-defaults patterns-microos-hardware patterns-microos-ima_evm patterns-microos-onlyDVD patterns-microos-selinux patterns-microos-sssd_ldap
- GNOME: encrypt/decript files from Nautilus
* we need both the extension and the package providing
/usr/bin/seahorse-daemon
* Seahorse, the app, is _not_ installed as it's available on
flathub
- GNOME pattern package changes:
* drop file roller RPM as there is org.gnome.FileRoller
* add some packages that I've (as well as most users that have
tried MicroOS desktop recently) found useful during initial
setup
* while there, update a comment about using Requires vs. Recommends
==== sudo ====
Version update (1.9.2 -> 1.9.3p1)
- Update to 1.9.3p1
* Fixed a regression introduced in sudo 1.9.3 where the configure
script would not detect the crypt(3) function if it was present
in the C library, not an additional library.
* Fixed a regression introduced in sudo 1.8.23 with shadow passwd
file authentication on OpenBSD. BSD authentication was not
affected.
* Sudo now logs when a user-specified command-line option is
rejected by a sudoers rule. Previously, these conditions were
written to the audit log, but the default sudo log file. Affected
command line arguments include -C (--close-from), -D (--chdir),
- R (--chroot), -g (--group) and -u (--user).
- News in 1.9.3
* Fixed building the Python plugin on systems with a compiler that
doesn't support symbol hiding.
* Sudo now uses a linker script to hide symbols even when the
compiler has native symbol hiding support. This should make it
easier to detect omissions in the symbol exports file, regardless
of the platform.
* Fixed the libssl dependency in Debian packages for older releases
that use libssl1.0.0.
* Sudo and visudo now provide more detailed messages when a syntax
error is detected in sudoers. The offending line and token are
now displayed. If the parser was generated by GNU bison,
additional information about what token was expected is also
displayed. Bug #841.
* Sudoers rules must now end in either a newline or the end-of-file.
Previously, it was possible to have multiple rules on a single
line, separated by white space. The use of an end-of-line
terminator makes it possible to display accurate error messages.
* Sudo no longer refuses to run if a syntax error in the sudoers
file is encountered. The entry with the syntax error will be
discarded and sudo will continue to parse the file. This makes
recovery from a syntax error less painful on systems where sudo
is the primary method of superuser access. The historic behavior
can be restored by add "error_recovery=false" to the sudoers
plugin's optional arguments in sudo.conf. Bug #618.
* Fixed the sample_approval plugin's symbol exports file for systems
where the compiler doesn't support symbol hiding.
* Fixed a regression introduced in sudo 1.9.1 where arguments to
the "sudoers_policy" plugin in sudo.conf were not being applied.
The sudoers file is now parsed by the "sudoers_audit" plugin,
which is loaded implicitly when "sudoers_policy" is listed in
sudo.conf. Starting with sudo 1.9.3, if there are plugin arguments
for "sudoers_policy" but "sudoers_audit" is not listed, those
arguments will be applied to "sudoers_audit" instead.
* The user's resource limits are now passed to sudo plugins in
the user_info[] list. A plugin cannot determine the limits
itself because sudo changes the limits while it runs to prevent
resource starvation.
* It is now possible to set the working directory or change the
root directory on a per-command basis using the CWD and CHROOT
options. There are also new Defaults settings, runchroot and
runcwd, that can be used to set the working directory or root
directory on a more global basis.
* New -D (--chdir) and -R (--chroot) command line options can be
used to set the working directory or root directory if the sudoers
file allows it. This functionality is not enabled by default
and must be explicitly enabled in the sudoers file.
- add sudo-1.9.3p1-pam_xauth.patch to stay setuid until just before
executing the command. Fixes a problem with pam_xauth which
checks effective and real uids to get the real identity of the
user [bsc#1174593]
==== ucode-intel ====
Version update (20201110 -> 20201118)
- Updated Intel CPU Microcode to 20201118 official release. (bsc#1178971)
- Removed TGL/06-8c-01/80 due to functional issues with some OEM platforms.