Packages changed: busybox (1.36.0 -> 1.36.1) criu (3.17.1 -> 3.18) evolution-data-server (3.48.2 -> 3.48.3) git (2.40.1 -> 2.41.0) gnome-shell (44.1 -> 44.2) gtk4 kernel-firmware (20230517 -> 20230531) kernel-source (6.3.4 -> 6.3.6) keylime (7.0.0 -> 7.2.5) libcontainers-common libstorage-ng (4.5.115 -> 4.5.116) libzypp (17.31.11 -> 17.31.12) llvm16 (16.0.4 -> 16.0.5) m17n-db (1.8.0 -> 1.8.2) mutter (44.1+2 -> 44.2) openssh (8.9p1 -> 9.3p1) openssh-askpass-gnome (8.9p1 -> 9.3p1) permissions (1699_20230516 -> 1699_20230602) polkit-default-privs (1550+20230517.ab68b2d -> 1550+20230606.5001571) rubygem-ruby-dbus (0.22.1 -> 0.23.0.beta1) rust-keylime (0.2.1+git.1682587333.b497f1d -> 0.2.1+git.1685699835.3c9d17c) shim-leap sof-firmware (2.2.4 -> 2.2.5) suse-module-tools (16.0.30 -> 16.0.31) systemd-presets-branding-openSUSE yast2-trans (84.87.20230516.e4ba802a -> 84.87.20230602.240a95214f) === Details === ==== busybox ==== Version update (1.36.0 -> 1.36.1) Subpackages: busybox-static - update to 1.36.1: * fixes for line editing, detection of hardware sha1/sha256 support, unzip (do not create suid/sgid files unless -K), shell (printf and sleep with no args, handing of SIGINT in sleep), ed. ==== criu ==== Version update (3.17.1 -> 3.18) - Update to criu 3.18: New features: * Allow CRIU to be used as non-root * Add SIGTSTP support * Add opt to skip file r/w/x check on restore Bugfixes: * Many fixes here and there Improvements: * cgroup2: Dump cgroup controllers of every threads in a process * save IP_FREEBIND option for SOCK_RAW sockets also * support IP_PKTINFO and IPV6_RECVPKTINFO options * Implement hw breakpoint for arm64 platform * Set only used XFEATURE_* in xstate_bv * Checkpoint and restore some global properties * A checkpoint optimization for highly sparse ghost files (--ghost-fiemap) - Refresh criu-py-install-fix.diff: a workaround for non-working python-pip inside build environment by reviving the old setup script - Fix shebang of criu-ns script: criu-ns-python3-shebang.patch - Drop obsoleted patches: criu-fix-conflicting-headers.patch mount-add-definition-for-FSOPEN_CLOEXEC.patch ==== evolution-data-server ==== Version update (3.48.2 -> 3.48.3) Subpackages: evolution-data-server-lang libcamel-1_2-64 libebackend-1_2-11 libebook-1_2-21 libebook-contacts-1_2-4 libecal-2_0-2 libedata-book-1_2-27 libedata-cal-2_0-2 libedataserver-1_2-27 libedataserverui-1_2-4 - Update to version 3.48.3: + Bug Fixed: EWebDAVSession: Claim also error nodes from propstat response. ==== git ==== Version update (2.40.1 -> 2.41.0) - git 2.41.0: This update contains a number of compatible updates, improvements and extensions to multiple workflows. Some changes may break backwards compatibility: * The libsecret credential helper obsoletes direct GNOME keyring support, which was dropped (git-credential-gnome-keyring) * "git format-patch" has been taught to ignore end-user configuration ("diff.noprefix") and always use the standard prefixes, to avoid breaking the receiving end of the patch - drop sha256_clone_fix.patch ==== gnome-shell ==== Version update (44.1 -> 44.2) Subpackages: gnome-extensions gnome-shell-calendar gnome-shell-lang - Update to version 44.2: + Improve built-in screen recorder + Use user-defined names in bluetooth menu + Fix stuck authentication dialog in remote sessions + Fix glitches in calendar when using large-text option + Fix IM popup getting stuck on engine changes + Fixed crash + Misc. bug fixes and cleanups + Updated translations. ==== gtk4 ==== Subpackages: gtk4-lang gtk4-schema gtk4-tools libgtk-4-1 typelib-1_0-Gtk-4_0 - Add fix-gridview.patch: Add border-spacing where it was missed. We were computing column widths without taking border-spacing into account, making them slightly too big (glgo#GNOME/nautilus#2980). ==== kernel-firmware ==== Version update (20230517 -> 20230531) Subpackages: kernel-firmware-all kernel-firmware-amdgpu kernel-firmware-ath10k kernel-firmware-ath11k kernel-firmware-atheros kernel-firmware-bluetooth kernel-firmware-bnx2 kernel-firmware-brcm kernel-firmware-chelsio kernel-firmware-dpaa2 kernel-firmware-i915 kernel-firmware-intel kernel-firmware-iwlwifi kernel-firmware-liquidio kernel-firmware-marvell kernel-firmware-media kernel-firmware-mediatek kernel-firmware-mellanox kernel-firmware-mwifiex kernel-firmware-network kernel-firmware-nfp kernel-firmware-nvidia kernel-firmware-platform kernel-firmware-prestera kernel-firmware-qcom kernel-firmware-qlogic kernel-firmware-radeon kernel-firmware-realtek kernel-firmware-serial kernel-firmware-sound kernel-firmware-ti kernel-firmware-ueagle kernel-firmware-usb-network ucode-amd - Update to version 20230531 (git commit 9d4c9a52c237): * qcom: apq8016: add Dragonboard 410c WiFi and modem firmware * cirrus: Add firmware for new Asus ROG Laptops * brcm: Add symlinks from Pine64 devices to AW-CM256SM.txt * amdgpu: Update GC 11.0.1 and 11.0.4 * rtw89: 8851b: add firmware v0.29.41.0 * amdgpu: update yellow carp firmware for amd.5.5 release * amdgpu: update navi14 firmware for amd.5.5 release * amdgpu: update navi12 firmware for amd.5.5 release * amdgpu: update vega20 firmware for amd.5.5 release * amdgpu: update vega12 firmware for amd.5.5 release * amdgpu: update navi10 firmware for amd.5.5 release * amdgpu: update vega10 firmware for amd.5.5 release * amdgpu: update PSP 13.0.11 firmware for amd.5.5 release * amdgpu: update GC 11.0.4 firmware for amd.5.5 release * amdgpu: update SDMA 6.0.1 firmware for amd.5.5 release * amdgpu: update PSP 13.0.4 firmware for amd.5.5 release * amdgpu: update GC 11.0.1 firmware for amd.5.5 release * amdgpu: update 13.0.8 firmware for amd.5.5 release * amdgpu: update GC 10.3.7 firmware for amd.5.5 release * amdgpu: update vangogh firmware for amd.5.5 release * amdgpu: update VCN 4.0.4 firmware for amd.5.5 release * amdgpu: update SMU 13.0.7 firmware for amd.5.5 release * amdgpu: update PSP 13.0.7 firmware for amd.5.5 release * amdgpu: update GC 11.0.2 firmware for amd.5.5 release * amdgpu: update renoir firmware for amd.5.5 release * amdgpu: update VCN 4.0.0 firmware for amd.5.5 release * amdgpu: update SMU 13.0.0 firmware for amd.5.5 release * amdgpu: update PSP 13.0.0 firmware for amd.5.5 release * amdgpu: update GC 11.0.0 firmware for amd.5.5 release * amdgpu: update green sardine firmware for amd.5.5 release * amdgpu: update beige goby firmware for amd.5.5 release * amdgpu: update dimgrey cavefish firmware for amd.5.5 release * amdgpu: update arcturus firmware for amd.5.5 release * amdgpu: update vcn 3.1.2 firmware for amd.5.5 release * amdgpu: update psp 13.0.5 firmware for amd.5.5 release * amdgpu: update GC 10.3.6 firmware for amd.5.5 release * amdgpu: update navy flounder firmware for amd.5.5 release * amdgpu: update sienna cichlid firmware for amd.5.5 release * amdgpu: update aldebaran firmware for amd.5.5 release * amdgpu: DMCUB updates for various AMDGPU asics * ice: update ice DDP comms package to 1.3.40.0 * cxgb4: Update firmware to revision 1.27.3.0 - Fix the broken symlink targets for cirrus firmware: cirrus-WHENCE-link-fixes.patch - Clean up spec template to match with the actual output ==== kernel-source ==== Version update (6.3.4 -> 6.3.6) - Linux 6.3.6 (bsc#1012628). - netfilter: ctnetlink: Support offloaded conntrack entry deletion (bsc#1012628). - cpufreq: amd-pstate: Add ->fast_switch() callback (bsc#1012628). - cpufreq: amd-pstate: Update policy->cur in amd_pstate_adjust_perf() (bsc#1012628). - bluetooth: Add cmd validity checks at the start of hci_sock_ioctl() (bsc#1012628). - net: phy: mscc: enable VSC8501/2 RGMII RX clock (bsc#1012628). - cpufreq: amd-pstate: Remove fast_switch_possible flag from active driver (bsc#1012628). - vfio/type1: check pfn valid before converting to struct page (bsc#1012628). - blk-mq: fix race condition in active queue accounting (bsc#1012628). - blk-wbt: fix that wbt can't be disabled by default (bsc#1012628). - bpf, sockmap: Incorrectly handling copied_seq (bsc#1012628). - bpf, sockmap: Wake up polling after data copy (bsc#1012628). - bpf, sockmap: TCP data stall on recv before accept (bsc#1012628). - bpf, sockmap: Handle fin correctly (bsc#1012628). - bpf, sockmap: Improved check for empty queue (bsc#1012628). - bpf, sockmap: Reschedule is now done through backlog (bsc#1012628). - bpf, sockmap: Convert schedule_work into delayed_work (bsc#1012628). - bpf, sockmap: Pass skb ownership through read_skb (bsc#1012628). - gpio-f7188x: fix chip name and pin count on Nuvoton chip (bsc#1012628). - net/mlx5: E-switch, Devcom, sync devcom events and devcom comp register (bsc#1012628). - Revert "net/mlx5: Expose vnic diagnostic counters for eswitch managed vports" (bsc#1012628). - Revert "net/mlx5: Expose steering dropped packets counter" (bsc#1012628). - net/mlx5e: TC, Fix using eswitch mapping in nic mode (bsc#1012628). - drm/i915: Fix PIPEDMC disabling for a bigjoiner configuration (bsc#1012628). - drm/i915: Disable DPLLs before disconnecting the TC PHY (bsc#1012628). - drm/i915: Move shared DPLL disabling into CRTC disable hook (bsc#1012628). - ASoC: Intel: avs: Fix module lookup (bsc#1012628). - cxl/port: Fix NULL pointer access in devm_cxl_add_port() (bsc#1012628). - net: fec: add dma_wmb to ensure correct descriptor values (bsc#1012628). - tls: rx: strp: don't use GFP_KERNEL in softirq context (bsc#1012628). - tls: rx: strp: preserve decryption status of skbs when needed (bsc#1012628). - tls: rx: strp: factor out copying skb data (bsc#1012628). - tls: rx: strp: force mixed decrypted records into copy mode (bsc#1012628). - tls: rx: strp: fix determining record length in copy mode (bsc#1012628). - tls: rx: strp: set the skb->len of detached / CoW'ed skbs (bsc#1012628). - tls: rx: device: fix checking decryption status (bsc#1012628). - gpiolib: fix allocation of mixed dynamic/static GPIOs (bsc#1012628). - bpf: netdev: init the offload table earlier (bsc#1012628). - platform/x86/amd/pmf: Fix CnQF and auto-mode after resume (bsc#1012628). - power: supply: rt9467: Fix passing zero to 'dev_err_probe' (bsc#1012628). - selftests/bpf: Fix pkg-config call building sign-file (bsc#1012628). - ARM: dts: imx6ull-dhcor: Set and limit the mode for PMIC buck 1, 2 and 3 (bsc#1012628). - coresight: perf: Release Coresight path when alloc trace id failed (bsc#1012628). - spi: spi-geni-qcom: Select FIFO mode for chip select (bsc#1012628). - firmware: arm_ffa: Fix usage of partition info get count flag (bsc#1012628). - firmware: arm_scmi: Fix incorrect alloc_workqueue() invocation (bsc#1012628). - commit f583ba4 - drm/amd/display: Only wait for blank completion if OTG active (https://gitlab.freedesktop.org/drm/amd/-/issues/2447). - commit fc379fb - Revert "Remove usrmerge compatibility symlink in buildroot (boo#1211796)" This reverts commit b8e00c5a84bcd75a1e2c491b6de601278e1572c7. It still breaks build as it needs support in kmod (SR#1089967). - commit 6db9c44 - Revert "Fix usrmerge error (boo#1211796)" This reverts commit da84579e78f4c4efa5b3b910484fdaedc79fefec. It still breaks build as it needs support in kmod (SR#1089967). - commit 4b4675f - Revert "Revert "Remove usrmerge compatibility symlink in buildroot (boo#1211796)"" This reverts commit d3cbce2379049d1657919d6ced51f6f5141f66fd, we will merge a fix from the packaging branch. - commit 07d1779 - Fix usrmerge error (boo#1211796) - commit da84579 - Revert "Remove usrmerge compatibility symlink in buildroot (boo#1211796)" ... changelog too long, skipping 225 lines ... - commit fc86ff2 ==== keylime ==== Version update (7.0.0 -> 7.2.5) Subpackages: keylime-config keylime-firewalld keylime-logrotate keylime-registrar keylime-tenant keylime-tpm_cert_store keylime-verifier python310-keylime - Update to version v7.2.5: * bump version to 7.2.5 * installer.sh: remove unused codes * tpm: Implement BigNum context creation and usage * tpm: Implement int2bn and bn2int in our class * tpm_util: Add EC key support for makecredential in python * tpm: Replace tpm2_makecredential with python implementation * tpm_util: Implement makecredential in python * tpm2_objects: Return parameters when unmarshalling tpm2b_public * The first of several PRs to clean up MBA * verifier: Update agent dict values only after checking each value * verifier: Remove assignment to variable overwritten immediately after * registrar: Reformat initialization of dictionary * registrar: Check for error case aik_enc being None first * tpm_main: Remove unused run() method * tpm_main: Remove unnecessary code for support of tpm2_quote * tpm_main: Get rid of hashdigest() method * tpm_main: Get rid of start_hash and use get_start_hash() of given Hash * algorithms: Make get_START_HASH and get_FF_HASH methods of Hash * Use .hex() to create hex string * Use bytes.fromhex() instead of codecs for parsing of string with hex number * Tpm: Rename START_HASH to start_hash * Tpm: Remove unused parameters of __run method * tpm: Move EXIT_SUCCESS outside class scope * tpm: Rename tpm class to Tpm * tpm: Access agent_id directory from structure * codestyle: Fix issues detected by older pylint 2.13.9 * tpm: Get rid of AbstractTPM class * codestyle: Add missing annotations to test_ima_dm.py to pass pyright * pypright: Remove ignored files that do not exist anymore * ima: Replace usage of codec to parse hex string with bytes.fromhex() * ima: Replace usage of codec with hex() method on bytes * ima: Validate proper JSON before trying to convert from string to JSON * tenant: fixes a (timing) issue whenever an agent is removed and re-added * verifier: Simplify initialization of agent_data dict * verifier: Use kwargs to pass ssl_context if it exists * verifier: Return an Empty Dict rather than None in case of error * verifier: Use get() on dict rather than catching an Exception * cloud_verifier: AgentsHandler: Consolidate checking of input parameters * registrar: Consolidate __validate_input() in BaseHandler * registrar: ProtectedHandler: Refactor __validate_input * registrar: UnprotectedHandler: Consolidate checking of input parameters * registrar: ProtectedHandler: Consolidate checking of input parameters * docs: remove Vagrant setup * registrar: Move getting network parameters into own function * [tests] Update test coverage task name regexp * tenant: report when the keystore fails * ca_util: fix captured exception * [tests] Simply coverage file URL parsing * tpm+ima: Convert tables to hold instances of hashers * docs/rest_apis.rst: remove the comma at the end of the JSON string * tpm: Activate tpm2_checkquote replacement code * tests: Add test case for checkquote and parsing of tpms_attest * tpm: Implement tpm2_checkquote in python * README.md: fix the invalid URL about IMA stub service. * README.md: fix the script name(./services/installer.sh) error * installer.sh: support Alibaba Cloud Linux OS whose ID is alinux * web_util: handle tls_dir default with cacerts correctly * codestyle: Add pyright ignore annoatations due to pyright 1.1.306 * codestyle: Ignore import of NoResultFound from sqlalchemy 1.3 file * CI/CD: Run pyright as part of tox * agentstates: Reformat construction of returned dictionary * docker: fix tpm2-tools build * docker: upate to newer tpm2-tools version * docs/installation.rst: add the missing popd command in the manual deployment. * tpm: Implement function to extract clock info from TPMS_ATTEST * [tests] Reduce duplication in packit-ci test plan * Enable Packit CI again on all Fedora releases * Redefine the list of maintainers taking into account activity on the last 12 months, proposing a few new names to be added (please feel free to decline) ==== libcontainers-common ==== - Enforce BCI verification via Podman on openSUSE distributions using the already shipped container signing keys. (bsc#1197030) ==== libstorage-ng ==== Version update (4.5.115 -> 4.5.116) Subpackages: libstorage-ng-lang libstorage-ng-ruby libstorage-ng1 - Translated using Weblate (Georgian) (bsc#1149754) - 4.5.116 ==== libzypp ==== Version update (17.31.11 -> 17.31.12) - Do not unconditionally release a medium if provideFile failed (bsc#1211661) - libzypp.spec.cmake: remove duplicate file listing. - version 17.31.12 (22) ==== llvm16 ==== Version update (16.0.4 -> 16.0.5) - Update to version 16.0.5. * This release contains bug-fixes for the LLVM 16.0.0 release. This release is API and ABI compatible with 16.0.0. - Rebase patches: * llvm-do-not-install-static-libraries.patch * llvm-remove-clang-only-flags.patch - Enable ThinLTO on riscv64. ==== m17n-db ==== Version update (1.8.0 -> 1.8.2) Subpackages: m17n-db-lang - update to 1.8.2: * New input methods are added. * si-sayura.mim: Sinhala input method using the sayura transliteration system, see https://www.sayura.net/im/ * mr-gamabhana.mim: Marathi input method with GaMaBhaNa * bn-national-jatiya.mim: Bengali input method National Jatiya layout * hu-rovas-post: icon added. * kn-inscript.mim: Add mapping for ZWNJ * gu-itrans.mim: Fix e o mappings * bo-ewts.mim: Fix ld mapping * bo-ewts.mim: remove whitespace in rn and brn mapping * Changes in the build system. * pa-remington.mim: Punjabi input method for remington layout * ta-remington.mim: Tamil input method for Remington typewriter layout * as-inscript2.mim: Input method for enhanced inscript layout * bn-inscript2.mim: Input method for enhanced inscript layout * brx-inscript2-deva.mim: Input method for enhanced inscript layout * doi-inscript2-deva.mim: Input method for enhanced inscript layout * gu-inscript2.mim: Input method for enhanced inscript layout * hi-inscript2.mim: Input method for enhanced inscript layout * kn-inscript2.mim: Input method for enhanced inscript layout * kok-inscript2-deva.mim: Input method for enhanced inscript layout * ks-inscript2-deva.mim: Input method for enhanced inscript layout * mai-inscript2.mim: Input method for enhanced inscript layout * ml-inscript2.mim: Input method for enhanced inscript layout * mni-inscript2-beng.mim: Input method for enhanced inscript layout * mni-inscript2-mtei.mim: Input method for enhanced inscript layout * mr-inscript2.mim: Input method for enhanced inscript layout * ne-inscript2-deva.mim: Input method for enhanced inscript layout * or-inscript2.mim: Input method for enhanced inscript layout * pa-inscript2-guru.mim: Input method for enhanced inscript layout * sa-inscript2.mim: Input method for enhanced inscript layout * sat-inscript2-deva.mim: Input method for enhanced inscript layout * sat-inscript2-olck.mim: Input method for enhanced inscript layout * sd-inscript2-deva.mim: Input method for enhanced inscript layout * ta-inscript2.mim: Input method for enhanced inscript layout * te-inscript2.mim: Input method for enhanced inscript layout * ml-swanalekha.mim: Adjusted for the latest Unicode * unicode.mim: allow input of characters above the BMP * ar-kbd.mim: Use digits 0-9 on the 0-9 keys * ml-mozhi.mim: fix spurious ZWNJ being added (Resolves: https://savannah.nongnu.org/bugs/index.php?59681) ==== mutter ==== Version update (44.1+2 -> 44.2) Subpackages: mutter-lang - Update to version 44.2: + Fix DND in some server-side decorated windows + Fix redrawing regression in non-DMA remote sessions + Avoid race condition in xwayland-on-demand + Do not unminimize windows with initial IconicState + Fix mispositioning of some X11 fullscreen windows + Fix legacy fullscreen windows appearing on all monitors + Improve support for display-attached tablets + Fix stuck cursor in some clients + Avoid unexpected orientation changes around suspend/resume + Fix oversized input region around Xwayland windows + Fix X11 client input region issues + Plugged leak + Fixed crashes + Misc. bug fixes and cleanups + Updated translations. - Drop patches fixed upstream: + mutter-do-not-unminimize-windows-with-initial-iconic.patch + mutter-fix-wacom-tablet-crash.patch ==== openssh ==== Version update (8.9p1 -> 9.3p1) Subpackages: openssh-clients openssh-common openssh-server - Update to openssh 9.3p1: = Security * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the per-hop destination constraints (ssh-add -h ...) added in OpenSSH 8.9, a logic error prevented the constraints from being communicated to the agent. This resulted in the keys being added without constraints. The common cases of non-smartcard keys and keys without destination constraints are unaffected. This problem was reported by Luci Stanescu. * ssh(1): Portable OpenSSH provides an implementation of the getrrsetbyname(3) function if the standard library does not provide it, for use by the VerifyHostKeyDNS feature. A specifically crafted DNS response could cause this function to perform an out-of-bounds read of adjacent stack data, but this condition does not appear to be exploitable beyond denial-of- service to the ssh(1) client. The getrrsetbyname(3) replacement is only included if the system's standard library lacks this function and portable OpenSSH was not compiled with the ldns library (--with-ldns). getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This problem was found by the Coverity static analyzer. = New features * ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256 when outputting SSHFP fingerprints to allow algorithm selection. bz3493 * sshd(8): add a `sshd -G` option that parses and prints the effective configuration without attempting to load private keys and perform other checks. This allows usage of the option before keys have been generated and for configuration evaluation and verification by unprivileged users. = Bugfixes * scp(1), sftp(1): fix progressmeter corruption on wide displays; bz3534 * ssh-add(1), ssh-keygen(1): use RSA/SHA256 when testing usability of private keys as some systems are starting to disable RSA/SHA1 in libcrypto. * sftp-server(8): fix a memory leak. GHPR363 * ssh(1), sshd(8), ssh-keyscan(1): remove vestigal protocol compatibility code and simplify what's left. * Fix a number of low-impact Coverity static analysis findings. These include several reported via bz2687 * ssh_config(5), sshd_config(5): mention that some options are not first-match-wins. * Rework logging for the regression tests. Regression tests will now capture separate logs for each ssh and sshd invocation in a test. * ssh(1): make `ssh -Q CASignatureAlgorithms` work as the manpage says it should; bz3532. * ssh(1): ensure that there is a terminating newline when adding a new entry to known_hosts; bz3529 = Portability * sshd(8): harden Linux seccomp sandbox. Move to an allowlist of mmap(2), madvise(2) and futex(2) flags, removing some concerning kernel attack surface. * sshd(8): improve Linux seccomp-bpf sandbox for older systems; bz3537 - Update to openssh 9.2p1: = Security * sshd(8): fix a pre-authentication double-free memory fault introduced in OpenSSH 9.1. This is not believed to be exploitable, and it occurs in the unprivileged pre-auth process that is subject to chroot(2) and is further sandboxed on most major platforms. * ssh(8): in OpenSSH releases after 8.7, the PermitRemoteOpen option would ignore its first argument unless it was one of the special keywords "any" or "none", causing the permission list to fail open if only one permission was specified. bz3515 * ssh(1): if the CanonicalizeHostname and CanonicalizePermittedCNAMEs options were enabled, and the system/libc resolver did not check that names in DNS responses were valid, then use of these options could allow an attacker with control of DNS to include invalid characters (possibly including wildcards) in names added to known_hosts files when they were updated. These names would still have to match the CanonicalizePermittedCNAMEs allow-list, so practical exploitation appears unlikely. = Potentially-incompatible changes * ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that controls whether the client-side ~C escape sequence that provides a command-line is available. Among other things, the ~C command-line could be used to add additional port-forwards at runtime. This option defaults to "no", disabling the ~C command-line that was previously enabled by default. Turning off the command-line allows platforms that support sandboxing of the ssh(1) client (currently only OpenBSD) to use a stricter default sandbox policy. = New features * sshd(8): add support for channel inactivity timeouts via a new sshd_config(5) ChannelTimeout directive. This allows channels that have not seen traffic in a configurable interval to be automatically closed. Different timeouts may be applied to session, X11, agent and TCP forwarding channels. * sshd(8): add a sshd_config UnusedConnectionTimeout option to terminate client connections that have no open channels for a length of time. This complements the ChannelTimeout option above. * sshd(8): add a -V (version) option to sshd like the ssh client ... changelog too long, skipping 345 lines ... - wtmpdb.patch: add support for wtmpdb to sshd [jsc#PED-3144] ==== openssh-askpass-gnome ==== Version update (8.9p1 -> 9.3p1) - openssh-askpass-gnome: require only openssh-clients, not the full openssh (including -server), to avoid pulling in excessive dependencies when installing git on Gnome (boo#1211446) - Update to openssh 9.3p1 * No changes for askpass, see main package changelog for details ==== permissions ==== Version update (1699_20230516 -> 1699_20230602) Subpackages: chkstat permissions-config - Update to version 20230602: * profiles: remove dropped pppoe-wrapper ==== polkit-default-privs ==== Version update (1550+20230517.ab68b2d -> 1550+20230606.5001571) - Update to version 1550+20230606.5001571: * Whitelist org.freedesktop.systemd1.bypass-dump-ratelimit (bsc#1211978) - Update to version 1550+20230602.0c9c3c6: * profiles: drop dead mousepad action ==== rubygem-ruby-dbus ==== Version update (0.22.1 -> 0.23.0.beta1) - 0.23.0.beta1 Bug fixes: * A service can now have more than one name (gh#mvidner/ruby-dbus#69). Connection#request_service is deprecated in favor of Connection#object_server and BusConnection#request_name API: * Remove Service, splitting it into ProxyService and ObjectServer * Split off BusConnection from Connection ==== rust-keylime ==== Version update (0.2.1+git.1682587333.b497f1d -> 0.2.1+git.1685699835.3c9d17c) Subpackages: keylime-ima-policy - Update to version 0.2.1+git.1685699835.3c9d17c: * Remove MOUNT_SECURE bool * rpm: Remove unused directory and add dependency for mount * keylime-agent/src: update API version to 2.1 to consistent with https://github.com/keylime/keylime/blob/master/docs/rest_apis.rst * docker/fedora/keylime_rust.Dockerfile: add the logic of cloning and compiling rust-keylime * [tests] Update test coverage task name regexp * [tests] Simply coverage file URL parsing ==== shim-leap ==== - Update shim-install to support FDE + Read GRUB_CRYPTODISK_PASSWORD and GRUB_TPM2_SEALED_KEY to create the proper cryptomount command for grub.cfg + Save the PCR snapshot if grub2 supports the command + Support 'no_grub_install' to skip grub2-install + Detect the OS ID of openSUSE Leap ==== sof-firmware ==== Version update (2.2.4 -> 2.2.5) - Update to version 2.2.5: There's no FW binary change. This release adds a few new topology binaries for Intel Alder Lake (ADL) platforms. - Update supplements for RPL and MTL ==== suse-module-tools ==== Version update (16.0.30 -> 16.0.31) Subpackages: suse-module-tools-scriptlets - Update to version 16.0.31: * rpm-script: skip run_bootloader check (boo#1208117) ==== systemd-presets-branding-openSUSE ==== - fix drkonqi entry, should end with .service ==== yast2-trans ==== Version update (84.87.20230516.e4ba802a -> 84.87.20230602.240a95214f) Subpackages: yast2-trans-cs yast2-trans-da yast2-trans-de yast2-trans-el yast2-trans-en_GB yast2-trans-es yast2-trans-fr yast2-trans-hu yast2-trans-it yast2-trans-ja yast2-trans-pl yast2-trans-pt yast2-trans-pt_BR yast2-trans-ru yast2-trans-zh_CN yast2-trans-zh_TW - Update to version 84.87.20230602.240a95214f: * New POT for text domain 'control'. * Translated using Weblate (Macedonian) * New POT for text domain 'autoinst'.