Packages changed: LibVNCServer alpine (2.24 -> 2.25) apache2 (2.4.48 -> 2.4.49) apache2-manual (2.4.48 -> 2.4.49) apache2-prefork (2.4.48 -> 2.4.49) apache2-utils (2.4.48 -> 2.4.49) cppcheck cryptsetup (2.4.0 -> 2.4.1) e2fsprogs (1.46.3 -> 1.46.4) eog-plugins epiphany fetchmail glabels gnome-maps (40.4 -> 40.5) gnome-packagekit gstreamer-devtools (1.18.3 -> 1.18.5) libXi (1.7.10 -> 1.8) libcontainers-common libtirpc libzypp (17.28.3 -> 17.28.4) perl-Bootloader (0.935 -> 0.936) pidgin-sipe pipewire (0.3.35 -> 0.3.36) pitivi plasma5-workspace python-gst (1.18.4 -> 1.18.5) python-kiwi (9.23.54 -> 9.23.56) rygel samba (4.14.6+git.168.6a9fc8a1ddd -> 4.14.6+git.182.2205d5224e3) transactional-update (3.5.4 -> 3.5.5) xfce4-whiskermenu-plugin (2.5.3 -> 2.6.0) xkeyboard-config xorgproto (2021.4 -> 2021.5) === Details === ==== LibVNCServer ==== Subpackages: libvncclient1 libvncserver1 - purposedly adding just this changelog entry - previous version updates fixed also: * CVE-2020-14398 [bsc#1173880] -- improperly closed TCP connection causes an infinite loop in libvncclient/sockets.c * CVE-2017-18922 [bsc#1173477] -- preauth buffer overwrite * CVE-2018-20748 [bsc#1123823] -- libvnc contains multiple heap out-of-bounds writes * CVE-2020-25708 [bsc#1178682] -- libvncserver/rfbserver.c has a divide by zero which could result in DoS * CVE-2018-21247 [bsc#1173874] -- uninitialized memory contents are vulnerable to Information leak * CVE-2018-20750 [bsc#1123832] -- heap out-of-bounds write vulnerability in libvncserver/rfbserver.c * CVE-2020-14397 [bsc#1173700] -- NULL pointer dereference in libvncserver/rfbregion.c * CVE-2019-20839 [bsc#1173875] -- buffer overflow in ConnectClientToUnixSock() * CVE-2020-14401 [bsc#1173694] -- potential integer overflows in libvncserver/scale.c * CVE-2020-14400 [bsc#1173691] -- Byte-aligned data is accessed through uint16_t pointers in libvncserver/translate.c. * CVE-2019-20840 [bsc#1173876] -- unaligned accesses in hybiReadAndDecode can lead to denial of service * CVE-2020-14399 [bsc#1173743] -- Byte-aligned data is accessed through uint32_t pointers in libvncclient/rfbproto.c. * CVE-2020-14402 [bsc#1173701] -- out-of-bounds access via encodings. * CVE-2020-14403 [bsc#1173701] * CVE-2020-14404 [bsc#1173701] ==== alpine ==== Version update (2.24 -> 2.25) Subpackages: pico - Update to release 2.25 * New configuration variable VAR_ssl-ciphers that allows users to list the ciphers to use when connecting to a SSL server. * New hidden feature FEAT_enable-delete-before-writing to add support for terminals that need lines to be deleted before being written. * Always follow ?suppress-asterisks-in-password-prompt? setting in the various password prompts. * Fixed a memory corruption when alpine searches for a string that is an incomplete utf8 string in a local folder. * Fixed: When forwarding a message, replacing an attachment might make Alpine re-attach the original attachment. ==== apache2 ==== Version update (2.4.48 -> 2.4.49) - version update to 2.4.49 * ) core/mod_proxy/mod_ssl: Adding `outgoing` flag to conn_rec, indicating a connection is initiated by the server to somewhere, in contrast to incoming connections from clients. Adding 'ap_ssl_bind_outgoing()` function that marks a connection as outgoing and is used by mod_proxy instead of the previous optional function `ssl_engine_set`. This enables other SSL module to secure proxy connections. The optional functions `ssl_engine_set`, `ssl_engine_disable` and `ssl_proxy_enable` are now provided by the core to have backward compatibility with non-httpd modules that might use them. mod_ssl itself no longer registers these functions, but keeps them in its header for backward compatibility. The core provided optional function wrap any registered function like it was done for `ssl_is_ssl`. [Stefan Eissing] * ) mod_ssl: Support logging private key material for use with wireshark via log file given by SSLKEYLOGFILE environment variable. Requires OpenSSL 1.1.1. PR 63391. [Joe Orton] * ) mod_proxy: Do not canonicalize the proxied URL when both "nocanon" and "ProxyPassInterpolateEnv On" are configured. PR 65549. [Joel Self ] * ) mpm_event: Fix children processes possibly not stopped on graceful restart. PR 63169. [Joel Self ] * ) mod_proxy: Fix a potential infinite loop when tunneling Upgrade(d) protocols from mod_proxy_http, and a timeout triggering falsely when using mod_proxy_wstunnel, mod_proxy_connect or mod_proxy_http with upgrade= setting. PRs 65521 and 65519. [Yann Ylavic] * ) mod_unique_id: Reduce the time window where duplicates may be generated PR 65159 [Christophe Jaillet] * ) mpm_prefork: Block signals for child_init hooks to prevent potential threads created from there to catch MPM's signals. [Ruediger Pluem, Yann Ylavic] * ) Revert "mod_unique_id: Fix potential duplicated ID generation under heavy load. PR 65159" added in 2.4.47. This causes issue on Windows. [Christophe Jaillet] * ) mod_proxy_uwsgi: Fix PATH_INFO setting for generic worker. [Yann Ylavic] * ) mod_md: Certificate/keys pairs are verified as matching before a renewal is accepted as successful or a staged renewal is replacing the existing certificates. This avoid potential mess ups in the md store file system to render the active certificates non-working. [@mkauf] * ) mod_proxy: Faster unix socket path parsing in the "proxy:" URL. [Yann Ylavic] * ) mod_ssl: tighten the handling of ALPN for outgoing (proxy) connections. If ALPN protocols are provided and sent to the remote server, the received protocol selected is inspected and checked for a match. Without match, the peer handshake fails. An exception is the proposal of "http/1.1" where it is accepted if the remote server did not answer ALPN with a selected protocol. This accomodates for hosts that do not observe/support ALPN and speak http/1.x be default. * ) mod_proxy: Fix possible reuse/merging of Proxy(Pass)Match worker instances with others when their URLs contain a '$' substitution. PR 65419 + 65429. [Yann Ylavic] * ) mod_dav: Add method_precondition hook. WebDAV extensions define conditions that must exist before a WebDAV method can be executed. This hook allows a WebDAV extension to verify these preconditions. [Graham Leggett] * ) Add hooks deliver_report and gather_reports to mod_dav.h. Allows other modules apart from versioning implementations to handle the REPORT method. [Graham Leggett] * ) Add dav_get_provider(), dav_open_lockdb(), dav_close_lockdb() and dav_get_resource() to mod_dav.h. [Graham Leggett] * ) core: fix ap_escape_quotes substitution logic. [Eric Covener] * ) Easy patches: synch 2.4.x and trunk - mod_auth_basic: Use ap_cstr_casecmp instead of strcasecmp. - mod_ldap: log and abort locking errors. - mod_ldap: style fix for r1831165 - mod_ldap: build break fix for r1831165 - mod_deflate: Avoid hard-coded "%ld" format strings in mod_deflate's logging statements - mod_deflate: Use apr_uint64_t instead of uint64_t (follow up to r1849590) - mod_forensic: Follow up to r1856490: missing one mod_log_forensic test_char_table case. - mod_rewrite: Save a few cycles. - mod_request: Fix a comment (missing '_' in 'keep_body') and some style issues - core: remove extra whitespace in HTTP_NOT_IMPLEMENTED [Christophe Jaillet] * ) core/mpm: add hook 'child_stopping` that gets called when the MPM is stopping a child process. The additional `graceful` parameter allows registered hooks to free resources early during a graceful shutdown. [Yann Ylavic, Stefan Eissing] * ) mod_proxy: Fix icomplete initialization of BalancerMember(s) from the balancer-manager, which can lead to a crash. [Yann Ylavic] * ) mpm_event: Fix graceful stop/restart of children processes if connections are in lingering close for too long. [Yann Ylavic] * ) mod_md: fixed a potential null pointer dereference if ACME/OCSP server returned 2xx responses without content type. Reported by chuangwen. [chuangwen, Stefan Eissing] * ) mod_md: - Domain names in `` can now appear in quoted form. - Fixed a failure in ACME challenge selection that aborted further searches when the tls-alpn-01 method did not seem to be suitable. - Changed the tls-alpn-01 setup to only become unsuitable when none of the dns names showed support for a configured 'Protocols ... acme-tls/1'. This allows use of tls-alpn-01 for dns names that are not mapped to a VirtualHost. * ) Add CPING to health check logic. [Jean-Frederic Clere] * ) core: Split ap_create_request() from ap_read_request(). [Graham Leggett] * ) core, h2: common ap_parse_request_line() and ap_check_request_header() code. [Yann Ylavic] * ) core: Add StrictHostCheck to allow unconfigured hostnames to be rejected. [Eric Covener] * ) htcacheclean: Improve help messages. [Christophe Jaillet] - modified patches % apache2-HttpContentLengthHeadZero-HttpExpectStrict.patch (refreshed) - modified sources % apache2.keyring ==== apache2-manual ==== Version update (2.4.48 -> 2.4.49) - version update to 2.4.49 * ) core/mod_proxy/mod_ssl: Adding `outgoing` flag to conn_rec, indicating a connection is initiated by the server to somewhere, in contrast to incoming connections from clients. Adding 'ap_ssl_bind_outgoing()` function that marks a connection as outgoing and is used by mod_proxy instead of the previous optional function `ssl_engine_set`. This enables other SSL module to secure proxy connections. The optional functions `ssl_engine_set`, `ssl_engine_disable` and `ssl_proxy_enable` are now provided by the core to have backward compatibility with non-httpd modules that might use them. mod_ssl itself no longer registers these functions, but keeps them in its header for backward compatibility. The core provided optional function wrap any registered function like it was done for `ssl_is_ssl`. [Stefan Eissing] * ) mod_ssl: Support logging private key material for use with wireshark via log file given by SSLKEYLOGFILE environment variable. Requires OpenSSL 1.1.1. PR 63391. [Joe Orton] * ) mod_proxy: Do not canonicalize the proxied URL when both "nocanon" and "ProxyPassInterpolateEnv On" are configured. PR 65549. [Joel Self ] * ) mpm_event: Fix children processes possibly not stopped on graceful restart. PR 63169. [Joel Self ] * ) mod_proxy: Fix a potential infinite loop when tunneling Upgrade(d) protocols from mod_proxy_http, and a timeout triggering falsely when using mod_proxy_wstunnel, mod_proxy_connect or mod_proxy_http with upgrade= setting. PRs 65521 and 65519. [Yann Ylavic] * ) mod_unique_id: Reduce the time window where duplicates may be generated PR 65159 [Christophe Jaillet] * ) mpm_prefork: Block signals for child_init hooks to prevent potential threads created from there to catch MPM's signals. [Ruediger Pluem, Yann Ylavic] * ) Revert "mod_unique_id: Fix potential duplicated ID generation under heavy load. PR 65159" added in 2.4.47. This causes issue on Windows. [Christophe Jaillet] * ) mod_proxy_uwsgi: Fix PATH_INFO setting for generic worker. [Yann Ylavic] * ) mod_md: Certificate/keys pairs are verified as matching before a renewal is accepted as successful or a staged renewal is replacing the existing certificates. This avoid potential mess ups in the md store file system to render the active certificates non-working. [@mkauf] * ) mod_proxy: Faster unix socket path parsing in the "proxy:" URL. [Yann Ylavic] * ) mod_ssl: tighten the handling of ALPN for outgoing (proxy) connections. If ALPN protocols are provided and sent to the remote server, the received protocol selected is inspected and checked for a match. Without match, the peer handshake fails. An exception is the proposal of "http/1.1" where it is accepted if the remote server did not answer ALPN with a selected protocol. This accomodates for hosts that do not observe/support ALPN and speak http/1.x be default. * ) mod_proxy: Fix possible reuse/merging of Proxy(Pass)Match worker instances with others when their URLs contain a '$' substitution. PR 65419 + 65429. [Yann Ylavic] * ) mod_dav: Add method_precondition hook. WebDAV extensions define conditions that must exist before a WebDAV method can be executed. This hook allows a WebDAV extension to verify these preconditions. [Graham Leggett] * ) Add hooks deliver_report and gather_reports to mod_dav.h. Allows other modules apart from versioning implementations to handle the REPORT method. [Graham Leggett] * ) Add dav_get_provider(), dav_open_lockdb(), dav_close_lockdb() and dav_get_resource() to mod_dav.h. [Graham Leggett] * ) core: fix ap_escape_quotes substitution logic. [Eric Covener] * ) Easy patches: synch 2.4.x and trunk - mod_auth_basic: Use ap_cstr_casecmp instead of strcasecmp. - mod_ldap: log and abort locking errors. - mod_ldap: style fix for r1831165 - mod_ldap: build break fix for r1831165 - mod_deflate: Avoid hard-coded "%ld" format strings in mod_deflate's logging statements - mod_deflate: Use apr_uint64_t instead of uint64_t (follow up to r1849590) - mod_forensic: Follow up to r1856490: missing one mod_log_forensic test_char_table case. - mod_rewrite: Save a few cycles. - mod_request: Fix a comment (missing '_' in 'keep_body') and some style issues - core: remove extra whitespace in HTTP_NOT_IMPLEMENTED [Christophe Jaillet] * ) core/mpm: add hook 'child_stopping` that gets called when the MPM is stopping a child process. The additional `graceful` parameter allows registered hooks to free resources early during a graceful shutdown. [Yann Ylavic, Stefan Eissing] * ) mod_proxy: Fix icomplete initialization of BalancerMember(s) from the balancer-manager, which can lead to a crash. [Yann Ylavic] * ) mpm_event: Fix graceful stop/restart of children processes if connections are in lingering close for too long. [Yann Ylavic] * ) mod_md: fixed a potential null pointer dereference if ACME/OCSP server returned 2xx responses without content type. Reported by chuangwen. [chuangwen, Stefan Eissing] * ) mod_md: - Domain names in `` can now appear in quoted form. - Fixed a failure in ACME challenge selection that aborted further searches when the tls-alpn-01 method did not seem to be suitable. - Changed the tls-alpn-01 setup to only become unsuitable when none of the dns names showed support for a configured 'Protocols ... acme-tls/1'. This allows use of tls-alpn-01 for dns names that are not mapped to a VirtualHost. * ) Add CPING to health check logic. [Jean-Frederic Clere] * ) core: Split ap_create_request() from ap_read_request(). [Graham Leggett] * ) core, h2: common ap_parse_request_line() and ap_check_request_header() code. [Yann Ylavic] * ) core: Add StrictHostCheck to allow unconfigured hostnames to be rejected. [Eric Covener] * ) htcacheclean: Improve help messages. [Christophe Jaillet] - modified patches % apache2-HttpContentLengthHeadZero-HttpExpectStrict.patch (refreshed) - modified sources % apache2.keyring ==== apache2-prefork ==== Version update (2.4.48 -> 2.4.49) - version update to 2.4.49 * ) core/mod_proxy/mod_ssl: Adding `outgoing` flag to conn_rec, indicating a connection is initiated by the server to somewhere, in contrast to incoming connections from clients. Adding 'ap_ssl_bind_outgoing()` function that marks a connection as outgoing and is used by mod_proxy instead of the previous optional function `ssl_engine_set`. This enables other SSL module to secure proxy connections. The optional functions `ssl_engine_set`, `ssl_engine_disable` and `ssl_proxy_enable` are now provided by the core to have backward compatibility with non-httpd modules that might use them. mod_ssl itself no longer registers these functions, but keeps them in its header for backward compatibility. The core provided optional function wrap any registered function like it was done for `ssl_is_ssl`. [Stefan Eissing] * ) mod_ssl: Support logging private key material for use with wireshark via log file given by SSLKEYLOGFILE environment variable. Requires OpenSSL 1.1.1. PR 63391. [Joe Orton] * ) mod_proxy: Do not canonicalize the proxied URL when both "nocanon" and "ProxyPassInterpolateEnv On" are configured. PR 65549. [Joel Self ] * ) mpm_event: Fix children processes possibly not stopped on graceful restart. PR 63169. [Joel Self ] * ) mod_proxy: Fix a potential infinite loop when tunneling Upgrade(d) protocols from mod_proxy_http, and a timeout triggering falsely when using mod_proxy_wstunnel, mod_proxy_connect or mod_proxy_http with upgrade= setting. PRs 65521 and 65519. [Yann Ylavic] * ) mod_unique_id: Reduce the time window where duplicates may be generated PR 65159 [Christophe Jaillet] * ) mpm_prefork: Block signals for child_init hooks to prevent potential threads created from there to catch MPM's signals. [Ruediger Pluem, Yann Ylavic] * ) Revert "mod_unique_id: Fix potential duplicated ID generation under heavy load. PR 65159" added in 2.4.47. This causes issue on Windows. [Christophe Jaillet] * ) mod_proxy_uwsgi: Fix PATH_INFO setting for generic worker. [Yann Ylavic] * ) mod_md: Certificate/keys pairs are verified as matching before a renewal is accepted as successful or a staged renewal is replacing the existing certificates. This avoid potential mess ups in the md store file system to render the active certificates non-working. [@mkauf] * ) mod_proxy: Faster unix socket path parsing in the "proxy:" URL. [Yann Ylavic] * ) mod_ssl: tighten the handling of ALPN for outgoing (proxy) connections. If ALPN protocols are provided and sent to the remote server, the received protocol selected is inspected and checked for a match. Without match, the peer handshake fails. An exception is the proposal of "http/1.1" where it is accepted if the remote server did not answer ALPN with a selected protocol. This accomodates for hosts that do not observe/support ALPN and speak http/1.x be default. * ) mod_proxy: Fix possible reuse/merging of Proxy(Pass)Match worker instances with others when their URLs contain a '$' substitution. PR 65419 + 65429. [Yann Ylavic] * ) mod_dav: Add method_precondition hook. WebDAV extensions define conditions that must exist before a WebDAV method can be executed. This hook allows a WebDAV extension to verify these preconditions. [Graham Leggett] * ) Add hooks deliver_report and gather_reports to mod_dav.h. Allows other modules apart from versioning implementations to handle the REPORT method. [Graham Leggett] * ) Add dav_get_provider(), dav_open_lockdb(), dav_close_lockdb() and dav_get_resource() to mod_dav.h. [Graham Leggett] * ) core: fix ap_escape_quotes substitution logic. [Eric Covener] * ) Easy patches: synch 2.4.x and trunk - mod_auth_basic: Use ap_cstr_casecmp instead of strcasecmp. - mod_ldap: log and abort locking errors. - mod_ldap: style fix for r1831165 - mod_ldap: build break fix for r1831165 - mod_deflate: Avoid hard-coded "%ld" format strings in mod_deflate's logging statements - mod_deflate: Use apr_uint64_t instead of uint64_t (follow up to r1849590) - mod_forensic: Follow up to r1856490: missing one mod_log_forensic test_char_table case. - mod_rewrite: Save a few cycles. - mod_request: Fix a comment (missing '_' in 'keep_body') and some style issues - core: remove extra whitespace in HTTP_NOT_IMPLEMENTED [Christophe Jaillet] * ) core/mpm: add hook 'child_stopping` that gets called when the MPM is stopping a child process. The additional `graceful` parameter allows registered hooks to free resources early during a graceful shutdown. [Yann Ylavic, Stefan Eissing] * ) mod_proxy: Fix icomplete initialization of BalancerMember(s) from the balancer-manager, which can lead to a crash. [Yann Ylavic] * ) mpm_event: Fix graceful stop/restart of children processes if connections are in lingering close for too long. [Yann Ylavic] * ) mod_md: fixed a potential null pointer dereference if ACME/OCSP server returned 2xx responses without content type. Reported by chuangwen. [chuangwen, Stefan Eissing] * ) mod_md: - Domain names in `` can now appear in quoted form. - Fixed a failure in ACME challenge selection that aborted further searches when the tls-alpn-01 method did not seem to be suitable. - Changed the tls-alpn-01 setup to only become unsuitable when none of the dns names showed support for a configured 'Protocols ... acme-tls/1'. This allows use of tls-alpn-01 for dns names that are not mapped to a VirtualHost. * ) Add CPING to health check logic. [Jean-Frederic Clere] * ) core: Split ap_create_request() from ap_read_request(). [Graham Leggett] * ) core, h2: common ap_parse_request_line() and ap_check_request_header() code. [Yann Ylavic] * ) core: Add StrictHostCheck to allow unconfigured hostnames to be rejected. [Eric Covener] * ) htcacheclean: Improve help messages. [Christophe Jaillet] - modified patches % apache2-HttpContentLengthHeadZero-HttpExpectStrict.patch (refreshed) - modified sources % apache2.keyring ==== apache2-utils ==== Version update (2.4.48 -> 2.4.49) - version update to 2.4.49 * ) core/mod_proxy/mod_ssl: Adding `outgoing` flag to conn_rec, indicating a connection is initiated by the server to somewhere, in contrast to incoming connections from clients. Adding 'ap_ssl_bind_outgoing()` function that marks a connection as outgoing and is used by mod_proxy instead of the previous optional function `ssl_engine_set`. This enables other SSL module to secure proxy connections. The optional functions `ssl_engine_set`, `ssl_engine_disable` and `ssl_proxy_enable` are now provided by the core to have backward compatibility with non-httpd modules that might use them. mod_ssl itself no longer registers these functions, but keeps them in its header for backward compatibility. The core provided optional function wrap any registered function like it was done for `ssl_is_ssl`. [Stefan Eissing] * ) mod_ssl: Support logging private key material for use with wireshark via log file given by SSLKEYLOGFILE environment variable. Requires OpenSSL 1.1.1. PR 63391. [Joe Orton] * ) mod_proxy: Do not canonicalize the proxied URL when both "nocanon" and "ProxyPassInterpolateEnv On" are configured. PR 65549. [Joel Self ] * ) mpm_event: Fix children processes possibly not stopped on graceful restart. PR 63169. [Joel Self ] * ) mod_proxy: Fix a potential infinite loop when tunneling Upgrade(d) protocols from mod_proxy_http, and a timeout triggering falsely when using mod_proxy_wstunnel, mod_proxy_connect or mod_proxy_http with upgrade= setting. PRs 65521 and 65519. [Yann Ylavic] * ) mod_unique_id: Reduce the time window where duplicates may be generated PR 65159 [Christophe Jaillet] * ) mpm_prefork: Block signals for child_init hooks to prevent potential threads created from there to catch MPM's signals. [Ruediger Pluem, Yann Ylavic] * ) Revert "mod_unique_id: Fix potential duplicated ID generation under heavy load. PR 65159" added in 2.4.47. This causes issue on Windows. [Christophe Jaillet] * ) mod_proxy_uwsgi: Fix PATH_INFO setting for generic worker. [Yann Ylavic] * ) mod_md: Certificate/keys pairs are verified as matching before a renewal is accepted as successful or a staged renewal is replacing the existing certificates. This avoid potential mess ups in the md store file system to render the active certificates non-working. [@mkauf] * ) mod_proxy: Faster unix socket path parsing in the "proxy:" URL. [Yann Ylavic] * ) mod_ssl: tighten the handling of ALPN for outgoing (proxy) connections. If ALPN protocols are provided and sent to the remote server, the received protocol selected is inspected and checked for a match. Without match, the peer handshake fails. An exception is the proposal of "http/1.1" where it is accepted if the remote server did not answer ALPN with a selected protocol. This accomodates for hosts that do not observe/support ALPN and speak http/1.x be default. * ) mod_proxy: Fix possible reuse/merging of Proxy(Pass)Match worker instances with others when their URLs contain a '$' substitution. PR 65419 + 65429. [Yann Ylavic] * ) mod_dav: Add method_precondition hook. WebDAV extensions define conditions that must exist before a WebDAV method can be executed. This hook allows a WebDAV extension to verify these preconditions. [Graham Leggett] * ) Add hooks deliver_report and gather_reports to mod_dav.h. Allows other modules apart from versioning implementations to handle the REPORT method. [Graham Leggett] * ) Add dav_get_provider(), dav_open_lockdb(), dav_close_lockdb() and dav_get_resource() to mod_dav.h. [Graham Leggett] * ) core: fix ap_escape_quotes substitution logic. [Eric Covener] * ) Easy patches: synch 2.4.x and trunk - mod_auth_basic: Use ap_cstr_casecmp instead of strcasecmp. - mod_ldap: log and abort locking errors. - mod_ldap: style fix for r1831165 - mod_ldap: build break fix for r1831165 - mod_deflate: Avoid hard-coded "%ld" format strings in mod_deflate's logging statements - mod_deflate: Use apr_uint64_t instead of uint64_t (follow up to r1849590) - mod_forensic: Follow up to r1856490: missing one mod_log_forensic test_char_table case. - mod_rewrite: Save a few cycles. - mod_request: Fix a comment (missing '_' in 'keep_body') and some style issues - core: remove extra whitespace in HTTP_NOT_IMPLEMENTED [Christophe Jaillet] * ) core/mpm: add hook 'child_stopping` that gets called when the MPM is stopping a child process. The additional `graceful` parameter allows registered hooks to free resources early during a graceful shutdown. [Yann Ylavic, Stefan Eissing] * ) mod_proxy: Fix icomplete initialization of BalancerMember(s) from the balancer-manager, which can lead to a crash. [Yann Ylavic] * ) mpm_event: Fix graceful stop/restart of children processes if connections are in lingering close for too long. [Yann Ylavic] * ) mod_md: fixed a potential null pointer dereference if ACME/OCSP server returned 2xx responses without content type. Reported by chuangwen. [chuangwen, Stefan Eissing] * ) mod_md: - Domain names in `` can now appear in quoted form. - Fixed a failure in ACME challenge selection that aborted further searches when the tls-alpn-01 method did not seem to be suitable. - Changed the tls-alpn-01 setup to only become unsuitable when none of the dns names showed support for a configured 'Protocols ... acme-tls/1'. This allows use of tls-alpn-01 for dns names that are not mapped to a VirtualHost. * ) Add CPING to health check logic. [Jean-Frederic Clere] * ) core: Split ap_create_request() from ap_read_request(). [Graham Leggett] * ) core, h2: common ap_parse_request_line() and ap_check_request_header() code. [Yann Ylavic] * ) core: Add StrictHostCheck to allow unconfigured hostnames to be rejected. [Eric Covener] * ) htcacheclean: Improve help messages. [Christophe Jaillet] - modified patches % apache2-HttpContentLengthHeadZero-HttpExpectStrict.patch (refreshed) - modified sources % apache2.keyring ==== cppcheck ==== - Add glibc 2.34 build fix: * 0001-Fix-compilation-with-recent-glibc-where-SIGSTKSZ-is-.patch ==== cryptsetup ==== Version update (2.4.0 -> 2.4.1) Subpackages: cryptsetup-lang libcryptsetup12 libcryptsetup12-32bit libcryptsetup12-hmac - cryptsetup 2.4.1 * Fix compilation for libc implementations without dlvsym(). * Fix compilation and tests on systems with non-standard libraries * Try to workaround some issues on systems without udev support. * Fixes for OpenSSL3 crypto backend (including FIPS mode). * Print error message when assigning a token to an inactive keyslot. * Fix offset bug in LUKS2 encryption code if --offset option was used. * Do not allow LUKS2 decryption for devices with data offset. * Fix LUKS1 cryptsetup repair command for some specific problems. ==== e2fsprogs ==== Version update (1.46.3 -> 1.46.4) Subpackages: e2fsprogs-scrub libcom_err2 libcom_err2-32bit libext2fs2 - Update to 1.46.4: * Default to 256-byte inodes for all filesystems, not only larger ones * Bigalloc is considered supported now for small cluster sizes * E2fsck and e2image fixes for quota feature * Fix mke2fs creation of filesystem into non-existent file - libss-add-newer-libreadline.so.8-to-dlopen-path.patch: libss: add newer libreadline.so.8 to dlopen path (bsc#1189453) - Added hardening to systemd service(s) (bsc#1181400). Added patch(es): * harden_e2scrub@.service.patch * harden_e2scrub_all.service.patch * harden_e2scrub_fail@.service.patch * harden_e2scrub_reap.service.patch ==== eog-plugins ==== Subpackages: eog-plugins-lang - Remove obsolete translation-update-upstream support (jsc#SLE-21105). ==== epiphany ==== Subpackages: epiphany-lang gnome-shell-search-provider-epiphany - Remove obsolete translation-update-upstream support (jsc#SLE-21105). ==== fetchmail ==== Subpackages: fetchmailconf - Added hardening to systemd service(s) (bsc#1181400). Modified: * fetchmail.service ==== glabels ==== Subpackages: glabels-lang - Remove obsolete translation-update-upstream support (jsc#SLE-21105). ==== gnome-maps ==== Version update (40.4 -> 40.5) Subpackages: gnome-maps-lang - Update to version 40.5: + Updated translations. ==== gnome-packagekit ==== Subpackages: gnome-packagekit-lang - Add gnome-packagekit-drop-NEWEST-on-get-updates.patch: Don't use PK_FILTER_ENUM_NEWEST filter when getting updates (glgo#GNOME/gnome-packagekit!3, bsc#1190330). ==== gstreamer-devtools ==== Version update (1.18.3 -> 1.18.5) Subpackages: libgstvalidate-1_0-0 typelib-1_0-GstValidate-1_0 - Update to version 1.18.5: + scenario: Fix EOS handling in seek_forward.scenario + validate-utils: Only modify structure fields that really need updates + Don't use volatile to mean atomic (fixes compiler warnings with gcc 11) - Changes from version 1.18.4: + No changes ==== libXi ==== Version update (1.7.10 -> 1.8) Subpackages: libXi6 libXi6-32bit - Update to version 1.8 * This release of libXi marks the support of XI 2.4 touchpad gesture events official. This feature is the only difference between libXi 1.8 and the latest release in the 1.7.x series (1.7.10). ==== libcontainers-common ==== - Comment out ostree_repo if it's blank [boo#1189893] - Comment out ostree_repo [boo#1189893] ==== libtirpc ==== Subpackages: libtirpc-netconfig libtirpc3 libtirpc3-32bit - Backport DoS vulnerability fix 0001-Fix-DoS-vulnerability-in-libtirpc.patch - Replace %setup with %autosetup ==== libzypp ==== Version update (17.28.3 -> 17.28.4) - Make sure to keep states alives while transitioning (bsc#1190199) - May set techpreview variables for testing in /etc/zypp/zypp.conf. If environment variables are unhandy one may enable the desired techpreview in zypp.conf as well: [main] techpreview.ZYPP_SINGLE_RPMTRANS=1 techpreview.ZYPP_MEDIANETWORK=1 - version 17.28.4 (22) ==== perl-Bootloader ==== Version update (0.935 -> 0.936) - merge gh#openSUSE/perl-bootloader#136 - report error if config file could not be updated (bsc#1188768) - 0.936 ==== pidgin-sipe ==== Subpackages: libpurple-plugin-sipe libpurple-plugin-sipe-lang pidgin-plugin-sipe - Remove obsolete translation-update-upstream support (jsc#SLE-21105). ==== pipewire ==== Version update (0.3.35 -> 0.3.36) Subpackages: gstreamer-plugin-pipewire libpipewire-0_3-0 pipewire-lang pipewire-media-session pipewire-modules pipewire-pulseaudio pipewire-spa-plugins-0_2 pipewire-spa-tools pipewire-tools - Add patches from upstream to fix an "use-after-free" error and to set the version number correctly: * 0001-media-session-dont-use-after-free-if-linking-node-removed.patch * 0002-update-version-number-as-well.patch - Update to version 0.3.36: * Highlights - A quick update with mostly only bugfixes and small improvements. - Capture and playback is now avoided on unavailable devices. This should fix some issues where an unusable microphone was selected by default. - MIDI output should not stop randomly now. - The GStreamer elements are much improved, cheese should work a lot better now. - Virtual sinks and sources should now always show up immediately. - JACK processing is now delayed until buffersize and samplerate are emited. This should improve stability of many JACK apps. - JACK transport sync is now implemented correctly so that preroll in bitwig works. * PipeWire - The module dir environment variable can now contain multiple paths. - Documentation now contains dot graphs of dependencies. (#1585) - config min/max/default quantum values are now scaled with the samplerate. - A potential crash was fixed where destroyed memory was still used by a node. This could cause crashes in cheese. * pipewire-media-session - Only allow passthrough for passthrough formats (S/PDIF) for now. (#1587) - Improve bluetooth profile autoswitch. - Don't try to route audio to nodes with unavailable routes. * ALSA - Pass the right AES bits to the alsa device when opening an S/PDIF stream. - Fix a bug in the MIDI bridge port management logic. When a port was added and immediately removed, output would stop. * GStreamer - The GStreamer source now handles the flushing state correctly. - All blocking operations now have a 30 seconds timeout, to avoid infinite locks. * Plugins - V4l2 Device formats and controls are now passed on the node, just like with audio devices. - audioconvert now also exposes the softMute property. * JACK - Improve stability when changing buffer size and sample rate dynamically by pausing the processing until the application has handled the callback. - Improve handling of timebase master. When the master was moved to another driver, it did not attempt to become a new timebase master on the new driver. (#1589) - Implement transport sync to make preroll in bitwig work. (#1589) * pulse-server - Fix an issue where virtual sinks/sources would not show up immediately. (#1588) ==== pitivi ==== Subpackages: pitivi-lang - Remove obsolete translation-update-upstream support (jsc#SLE-21105). ==== plasma5-workspace ==== Subpackages: gmenudbusmenuproxy plasma5-session plasma5-session-wayland plasma5-workspace-lang plasma5-workspace-libs xembedsniproxy - Add upstream patch to fix a bug that would result in power management remaining inhibited even after un-inhibiting it in the UI: * Call-UnInhibit-with-correct-signature-in-powermanagement-dataengine.patch ==== python-gst ==== Version update (1.18.4 -> 1.18.5) - Update to version 1.18.5: + No changes ==== python-kiwi ==== Version update (9.23.54 -> 9.23.56) - Bump version: 9.23.55 ? 9.23.56 - Only wipe bundle dir when required The given result bundle dir must only be wiped if the request to turn the result files into an rpm was given. Only in this case the given bundle dir must start empty - Fixed uninstall handling via dnf, microdnf, zypper The above package managers supports uninstall instructions like 'iwl*'. In kiwi there was code checking via rpm if the packages given to uninstall actually exists. That code does not work if the given package to uninstall is an instruction that matches a pattern. Therefore if we use the uninstall section in the kiwi image description, just pass the provided information to the package manager and don't try to be clever in kiwi itself. - Allow to set --logfile for result namespace Setting a logfile for e.g 'kiwi-ng result bundle ...' is useful and should be possible - Bump version: 9.23.54 ? 9.23.55 - Added support for building rpm package from bundle With the new option --package-as-rpm it is possible to call the kiwi result bundler such that the image build results gets packaged into an rpm. I think this is a handy feature to transport image builds via repositories - Fixed MicroOS integration test With ignition/combustion in place it's not allowed to use tmp as a subvolume ==== rygel ==== Subpackages: librygel-core-2_6-2 librygel-server-2_6-2 - Remove obsolete translation-update-upstream support (jsc#SLE-21105). ==== samba ==== Version update (4.14.6+git.168.6a9fc8a1ddd -> 4.14.6+git.182.2205d5224e3) Subpackages: libdcerpc-binding0 libdcerpc-binding0-32bit libdcerpc0 libdcerpc0-32bit libndr-krb5pac0 libndr-krb5pac0-32bit libndr-nbt0 libndr-nbt0-32bit libndr-standard0 libndr-standard0-32bit libndr1 libndr1-32bit libnetapi0 libnetapi0-32bit libsamba-credentials1 libsamba-credentials1-32bit libsamba-errors0 libsamba-errors0-32bit libsamba-hostconfig0 libsamba-hostconfig0-32bit libsamba-passdb0 libsamba-passdb0-32bit libsamba-policy0-python3 libsamba-util0 libsamba-util0-32bit libsamdb0 libsamdb0-32bit libsmbclient0 libsmbconf0 libsmbconf0-32bit libsmbldap2 libsmbldap2-32bit libtevent-util0 libtevent-util0-32bit libwbclient0 libwbclient0-32bit samba-client samba-client-32bit samba-doc samba-libs samba-libs-32bit samba-libs-python3 samba-python3 samba-winbind samba-winbind-32bit - Add Certificate Auto Enrollment Policy; (jsc#SLE-18457). ==== transactional-update ==== Version update (3.5.4 -> 3.5.5) Subpackages: dracut-transactional-update libtukit0 transactional-update-zypp-config tukit - Version 3.5.5 - t-u: Use tukit for SUSEConnect call [bsc#1190574] Correctly registers repositories ==== xfce4-whiskermenu-plugin ==== Version update (2.5.3 -> 2.6.0) Subpackages: xfce4-whiskermenu-plugin-lang - Update to version 2.6.0 * Fix unable to resize with metacity. (gxo#panel-plugins/xfce4-whiskermenu-plugin#56) * Fix invalid desktop files when hiding applications. (gxo#panel-plugins/xfce4-whiskermenu-plugin#53) * Fix not showing focused launcher when searching. (gxo#panel-plugins/xfce4-whiskermenu-plugin#45) * Add option to disable sorting categories. (gxo#panel-plugins/xfce4-whiskermenu-plugin#42) * Translation updates ==== xkeyboard-config ==== Subpackages: xkeyboard-config-lang - Remove obsolete translation-update-upstream support (jsc#SLE-21105). ==== xorgproto ==== Version update (2021.4 -> 2021.5) - xorgproto 2021.5 * This release introduces the version 2.4 of the X Input protocol. It contains the addition of the concept of touchpad gestures. Touchpad gesture is an interaction of two or more fingers that can be interpreted as a swipe or a pinch.