Removed rpms ============ - alsa-oss-32bit - alsa-plugins-32bit - gettext-runtime-32bit - glibc-32bit - cyrus-sasl-plain-32bit - glibc-locale-base-32bit - krb5-32bit - libFLAC8-32bit - libacl1-32bit - libavahi-client3-32bit - libblkid1-32bit - libbz2-1-32bit - libdbus-1-3-32bit - libfontconfig1-32bit - libgcrypt20-32bit - libglib-2_0-0-32bit - libkeyutils1-32bit - liblua5_3-5-32bit - libmount1-32bit - libnss_usrfiles2-32bit - libogg0-32bit - libssh4-32bit - libtevent0-32bit - libunistring2-32bit - libvorbis0-32bit - libxcb1-32bit - samba-ad-dc-libs-32bit - qemu-ipxe - libBasicUsageEnvironment1 - libXau6-32bit - libattr1-32bit - libbrotlicommon1-32bit - libcap2-32bit - libcom_err2-32bit - libcurl4-32bit - libffi7-32bit - libgnutls30-32bit - libjansson4-32bit - libldap-2_4-2-32bit - libnghttp2-14-32bit - libnsl2-32bit - libpng16-16-32bit - libpsl5-32bit - libpwquality1-32bit - libsasl2-3-32bit - libsndfile1-32bit - libtalloc2-32bit - libtextstyle0-32bit - nss-mdns-32bit - pam_pwquality-32bit - qemu-seabios - qemu-sgabios - rpm-32bit Added rpms ========== - cyrus-sasl-plain-32bit - glibc-locale-base-32bit - alsa-oss-32bit - alsa-plugins-32bit - gettext-runtime-32bit - glibc-32bit - libXau6-32bit - libattr1-32bit - libbrotlicommon1-32bit - libcap2-32bit - libcom_err2-32bit - libcurl4-32bit - libffi7-32bit - libgnutls30-32bit - libjansson4-32bit - libldap-2_4-2-32bit - libnghttp2-14-32bit - libnsl2-32bit - libpng16-16-32bit - libpsl5-32bit - libpwquality1-32bit - libsasl2-3-32bit - libsndfile1-32bit - libtalloc2-32bit - libtextstyle0-32bit - nss-mdns-32bit - pam_pwquality-32bit - rpm-32bit - qemu-seabios - qemu-sgabios - krb5-32bit - libBasicUsageEnvironment2 - libFLAC8-32bit - libacl1-32bit - libavahi-client3-32bit - libblkid1-32bit - libbz2-1-32bit - libdbus-1-3-32bit - libfontconfig1-32bit - libgcrypt20-32bit - libglib-2_0-0-32bit - libkeyutils1-32bit - liblua5_3-5-32bit - libmount1-32bit - libnss_usrfiles2-32bit - libogg0-32bit - libssh4-32bit - libtevent0-32bit - 
libunistring2-32bit - libvorbis0-32bit - libxcb1-32bit - qemu-ipxe - samba-ad-dc-libs-32bit - wicked-nbft Package Source Changes ====================== ImageMagick + fix CVE-2022-44267 [bsc#1207982], denial of service when parsing a PNG image + fix CVE-2022-44268 [bsc#1207983], arbitrary file disclosure when parsing a PNG image + + ImageMagick-CVE-2022-44267,44268.patch + +- security update +- added patches NetworkManager-applet +- Add meson-0.61-build-fix.patch to fix the build on meson >= 0.61 + (jsc#PED-2644, glgo#GNOME/network-manager-applet!107) + acl +- test: Add helper library to fake passwd/group files +- quote: escape literal backslashes (bsc#953659). +- Added patch: + * 0001-test-Add-helper-library-to-fake-passwd-group-files.patch + * 0002-quote-escape-literal-backslashes.patch + +- refresh acl-2.2.52-tests.patch to work with perl 5.26 + +- BuildRequires gettext-tools-mini instead of gettext-tools: as + acl is part of the bootstrap, we want to try to keep the dep + chain as small as possible. + +- Remove --with-pic that's just for static libraries. +- Replace %__-type macro indirections. + Replace old $RPM_ by their macro equivalents for consistency. + Make the macro style consistent across the file again. + +- reenable full Larg File Support for i586 + +- Make it possible to disable tests (for Ring0) +- Add BuildRequires: system-user-daemon for the testsuite + +- Add BuildRequires for system user bin needed by test suite + +- Update to git snapshot dated 21 Sep 2015. 
+ - Added: + * 0001-Install-the-libraries-to-the-appropriate-directory.patch + * 0002-setfacl.1-fix-typo-inclu-de-include.patch + * 0003-test-fix-insufficient-quoting-of.patch + * 0004-Makefile-rename-configure.in-to-configure.ac.patch + * 0005-Bad-markup-in-acl.5-page.patch + * 0006-.gitignore-ignore-and-config.h.in.patch + * 0007-Use-autoreconf-rather-than-autoconf-to-regenerate-th.patch + * 0008-libacl-Make-sure-that-acl_from_text-always-sets-errn.patch + * 0009-libacl-fix-SIGSEGV-of-getfacl-e-on-overly-long-group.patch + * 0010-punt-debian-rpm-packaging-logic.patch + * 0011-move-gettext-logic-into-misc.h.patch + * 0012-test-make-running-parallel-out-of-tree-safe.patch + * 0013-modernize-build-system.patch + * 0014-po-regenerate-files-after-move.patch + * 0015-build-drop-aclincludedir-use-pkgincludedir.patch + * 0016-build-make-use-of-an-aux-dir-to-stow-away-helper-scr.patch + * 0017-build-ship-a-pkgconfig-file-for-libacl.patch + * 0018-read_acl_-comments-seq-rename-line-to-lineno.patch + * 0019-read_acl_-comments-seq-switch-to-next_line.patch + * 0020-telldir-return-value-and-seekdir-second-parameters-a.patch + * 0021-mark-libmisc-funcs-as-hidden-so-they-are-not-exporte.patch + * 0022-add-__acl_-prefixes-to-internal-symbols.patch + * 0023-cp.test-Check-permissions-of-the-right-file.patch + * 0024-libacl-acl_set_file-Remove-unnecesary-racy-check.patch + * 0025-fix-compilation-with-latest-xattr-git.patch + * 0026-getfacl-Fix-memory-leak.patch + * 0027-Fix-the-display-block-nesting-in-acl.5.patch + * 0028-setfacl-man-page-Minor-wording-improvements.patch + * 0029-getfacl-Fix-minor-resource-leak.patch + * 0030-Do-not-export-symbols-that-are-not-supposed-to-be-ex.patch + * 0031-walk_tree-mark-internal-variables-as-static.patch + * 0032-ignore-configure.lineno.patch +- Signficant spec file restructuring due to 0013-modernize-build-system.patch +- removed builddefs.in.diff + +- Reduce size of filelist by using wildcards; + remove %doc (some locations are always %doc), 
+ remove %attr (files already have proper permissions) + +- add acl-2.2.52-tests.patch and enable tests, check section taken + from Fedora package + +- remove gpg-offline calls from bootstrap package + +- Update to new upstream release 2.2.52 + * This release fixes a few build system issues that were found and + merges in a tree walking bug fix. +- Remove acl-fiximplicit.patch (merged upstream), + config-guess-sub-update.diff (no longer applies) +- Sync baselibs.conf with in-.spec obsoletes/provides. + +- add gpg checking + +- use source url + +- Add config-guess-sub-update.diff: + update config.guess/sub to latest state for AArch64 + +- Use OS byteswapping routines, application already Includes + "endian.h" but then goes ahead defining ad-hoc equivalent + functionality (0001-Use-OS-byteswapping-macros.patch) + +- remove useless automake deps + +- patch license to follow spdx.org standard + +- license update: GPL-2.0+;LGPL-2.1+ + SPDX format + +- add automake as buildrequire to avoid implicit dependency + +- Fix provides/Obsoletes + +- Implement shlib package (libacl1) +- Enable libacl-devel on all baselib arches + +- upgrade to 2.2.51 + - Test fixes + +- upgrade to 2.2.50 + - OPTIONS in man pages should be a section heading, not a subsection heading + - Fix a typo in the setfacl man page + - setfacl: Clarify that removing a non-existent acl entry is not an error + - Prevent setfacl --restore from SIGSEGV on malformed restore file + - setfacl: make sure that -R only calls stat(2) on symlinks when it needs to + - libacl: fix potential null pointer dereference + - setfacl: fix restore crash on malformed input + - setfacl: print useful error from read_acl_comments + - setfacl: changing owner and when S_ISUID should be set --restore fix + +- use %_smp_mflags + +- add baselibs.conf as a source +- adjust baselibs.conf for SPARC + +- readded incorrectly removed libattr-devel requires in -devel + +- fixed implicit strchr() usage. 
+ +- do not package static libraries +- fix -devel package dependencies + +- Version bump to 2.2.48 + - Document the new flags comments + - Include the S_ISUID, S_ISGID, S_ISVTX flags in the getfacl output, and restore them with "setfacl --restore=file". + - Make sure that getfacl -R only calls stat(2) on symlinks when it needs to + - Stop quoting nonprintable characters in the getfacl output + - Avoid unnecessary but destructive chown calls + - Clarify license notice + alsa-oss -- use https for urls - -- Drop the superfluous buildreq alsa-topology-devel again; - it's no longer mandatory - -- Fix build breakage by the new alsa update; now it requires - alsa-topology-devel - -- Avoid repetition of name in summary. Update description. - -- Update to alsa-oss 1.1.8 (bsc#1181571): - Fix the build with the recent glibc -- Remove obsoleted patch: - remove-libio.patch: - -- remove-libio.patch: don't use obsolete - -- Remove old kludges -- Run spec-cleaner - -- Update to alsa-oss 1.1.6: - * Change FSF address (Franklin Street) -- Use %license file tag - -- Updated to alsa-oss 1.0.28: - All pervious fix patches are obsoleted: - 0002-Add-AM_MAINTAINER_MODE-enable-to-configure.in.patch - 0003-Fix-the-argument-passed-to-snd_pcm_dump_setup.patch - 0004-Workaround-for-aoss-dmix-with-unaligned-rates.patch - -- Fix for dmix with unaligned sample rate: - 0003-Fix-the-argument-passed-to-snd_pcm_dump_setup.patch - 0004-Workaround-for-aoss-dmix-with-unaligned-rates.patch - apr-util +- security fix CVE-2022-25147, bsc#1207866: buffer overflow + possible with specially crafted input + + added patch apr-util-CVE-2022-25147.patch + bind +- Update to release 9.16.37 + Security Fixes: + * An UPDATE message flood could cause named to exhaust all + available memory. This flaw was addressed by adding a new + update-quota option that controls the maximum number of + outstanding DNS UPDATE messages that named can hold in a queue + at any given time (default: 100). 
(CVE-2022-3094) + * named could crash with an assertion failure when an RRSIG query + was received and stale-answer-client-timeout was set to a + non-zero value. This has been fixed. (CVE-2022-3736) + * named running as a resolver with the + stale-answer-client-timeout option set to any value greater + than 0 could crash with an assertion failure, when the + recursive-clients soft quota was reached. This has been fixed. + (CVE-2022-3924) + New Features: + * The new update-quota option can be used to control the number + of simultaneous DNS UPDATE messages that can be processed to + update an authoritative zone on a primary server, or forwarded + to the primary server by a secondary server. The default is + 100. A new statistics counter has also been added to record + events when this quota is exceeded, and the version numbers for + the XML and JSON statistics schemas have been updated. + Feature Changes: + * The Differentiated Services Code Point (DSCP) feature in BIND + has been deprecated. Configuring DSCP values in named.conf now + causes a warning to be logged. Note that this feature has only + been partly operational since the new Network Manager was + introduced in BIND 9.16.0. + * The catalog zone implementation has been optimized to work with + hundreds of thousands of member zones. + Bug Fixes: + * In certain query resolution scenarios (e.g. when following + CNAME records), named configured to answer from stale cache + could return a SERVFAIL response despite a usable, non-stale + answer being present in the cache. This has been fixed. + [bsc#1207471, bsc#1207473, bsc#1207475, jsc#SLE-24600] + +- Update to release 9.16.36 + Feature Changes: + * The auto-dnssec option has been deprecated and will be removed + in a future BIND 9.19.x release. Please migrate to + dnssec-policy. + Bug Fixes: + * When a catalog zone was removed from the configuration, in some + cases a dangling pointer could cause the named process to + crash. 
+ * When a zone was deleted from a server, a key management object + related to that zone was inadvertently kept in memory and only + released upon shutdown. This could lead to constantly + increasing memory use on servers with a high rate of changes + affecting the set of zones being served. + * In certain cases, named waited for the resolution of + outstanding recursive queries to finish before shutting down. + * The zone /: final reference detached log message + was moved from the INFO log level to the DEBUG(1) log level to + prevent the named-checkzone tool from superfluously logging + this message in non-debug mode. + [jsc#SLE-24600] + chromium +- Chromium 110.0.5481.77 (boo#1208029): + * CVE-2023-0696: Type Confusion in V8 + * CVE-2023-0697: Inappropriate implementation in Full screen mode + * CVE-2023-0698: Out of bounds read in WebRTC + * CVE-2023-0699: Use after free in GPU + * CVE-2023-0700: Inappropriate implementation in Download + * CVE-2023-0701: Heap buffer overflow in WebUI + * CVE-2023-0702: Type Confusion in Data Transfer + * CVE-2023-0703: Type Confusion in DevTools + * CVE-2023-0704: Insufficient policy enforcement in DevTools + * CVE-2023-0705: Integer overflow in Core + * Various fixes from internal audits, fuzzing and other initiatives +- build with bundled libavif +- dropped patches: + * chromium-109-compiler.patch + * chromium-icu72-3.patch +- added patches: + * chromium-110-compiler.patch + * chromium-110-system-libffi.patch + * chromium-110-NativeThemeBase-fabs.patch + * chromium-110-CredentialUIEntry-const.patch + * chromium-110-DarkModeLABColorSpace-pow.patch + * v8-move-the-Stack-object-from-ThreadLocalTop.patch + curl +- Security Fix: [bsc#1207992, CVE-2023-23916] + * HTTP multi-header compression denial of service + * Add curl-CVE-2023-23916.patch + +- Security Fixes: + * HSTS ignored on multiple requests [bsc#1207990, CVE-2023-23914] + * HSTS amnesia with --parallel [bsc#1207991, CVE-2023-23915] + * Add 
curl-CVE-2023-23914-23915.patch + cyrus-sasl -- CVE-2022-24407: cyrus-sasl: SQL injection in sql_auxprop_store - in plugins/sql.c (bsc#1196036) - o add upstream patch: - 0001-CVE-2022-24407-Escape-password-for-SQL-insert-update.patch - -- postfix: sasl authentication with password fails (bsc#1194265) - Add config parameter --with-dblib=gdbm -- Avoid converting of /etc/sasldb2 by every update. Convert - /etc/sasldb2 only if it is a Berkeley DB - -- CVE-2020-8032: cyrus-sasl: Local privilege escalation to root - due to insecure tmp file usage. (bsc#1180669) - Use /var/adm/update-scripts/ instead of /tmp. Clean up temporary - files. - -- Remove Berkeley DB dependency (JIRA#SLE-12190) - The packages cyrus-sasl and cyrus-sasl-saslauthd are built - without Berkely DB support. gdbm will be used instead of BDB. - The packages cyrus-sasl-bdb and cyrus-sasl-saslauthd-bdb are built - with Berkely DB support. -- Update to 2.1.27 - * Added support for OpenSSL 1.1 - * Added support for lmdb - * Lots of build fixes - * Treat SCRAM and DIGEST-MD5 as more secure than PLAIN when selecting client mech - * DIGEST-MD5 plugin: - Fixed memory leaks - Fixed a segfault when looking for non-existent reauth cache - Prevent client from going from step 3 back to step 2 - Allow cmusaslsecretDIGEST-MD5 property to be disabled - * GSSAPI plugin: - Added support for retrieving negotiated SSF - Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF - Properly compute maxbufsize AFTER security layers have been set - * SCRAM plugin: - Added support for SCRAM-SHA-256 - * LOGIN plugin: - Don’t prompt client for password until requested by server - * NTLM plugin: - Fixed crash due to uninitialized HMAC context -- Replace references to /var/adm/fillup-templates with new - %_fillupdir macro (boo#1069468) -- bsc#983938 `After=syslog.target` left-overs in several unit files -- added patches: - fix_libpq-fe_include.diff for fixing including libpq-fe.h -- removed patches obsoleted by upstream changes: - * 
shared_link_on_ppc.patch - * cyrus-sasl-2.1.27-openssl-1.1.0.patch - * 0002-Drop-unused-parameter-from-gssapi_spnego_ssf.patch - * 0003-Check-return-error-from-gss_wrap_size_limit.patch - * 0004-Add-support-for-retrieving-the-mech_ssf.patch - * 0001-Fix-GSS-SPNEGO-mechanism-s-incompatible-behavior.patch - * cyrus-sasl-fix-logging-in-gssapi.patch - -- Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518) - * Add 0002-Drop-unused-parameter-from-gssapi_spnego_ssf.patch - * Add 0003-Check-return-error-from-gss_wrap_size_limit.patch - * Add 0004-Add-support-for-retrieving-the-mech_ssf.patch -- Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518) - * Add 0001-Fix-GSS-SPNEGO-mechanism-s-incompatible-behavior.patch - -- added backport-patch cyrus-sasl-bug587.patch which fixes - off-by-one error in _sasl_add_string function - (see CVE-2019-19906 bsc#1159635) - -- bnc#1044840 syslog is polluted with messages "GSSAPI client step 1" - By server context the connection will be sent to the log function. - Client content does not have log level information. I.e. there is no - way to stop DEBUG level logs nece I've removed it. - * add cyrus-sasl-fix-logging-in-gssapi.patch - -- OpenSSL 1.1 support (bsc#1055463) - * add cyrus-sasl-2.1.27-openssl-1.1.0.patch from Fedora - -- added cyrus-sasl-issue-402.patch to fix - SASL GSSAPI mechanism acceptor wrongly returns zero maxbufsize #402 - (see https://github.com/cyrusimap/cyrus-sasl/issues/402) - -- bnc#1026825 saslauthd: :set_auth_mech : unknown authentication mechanism: kerberos5 - -- really use SASLAUTHD_PARAMS variable (bnc#938657) - -- bnc#908883 cyrus-sasl-scram refers to wrong RFC - -- Make sure /usr/sbin/rcsaslauthd exists - dbus-1 +- Fix a potential crash that could be triggered by an invalid signature. 
+ (CVE-2022-42010, bsc#1204111) + * fix-upstream-CVE-2022-42010.patch +- Fix an out of bounds read caused by a fixed length array (CVE-2022-42011, + bsc#1204112) + * fix-upstream-CVE-2022-42011.patch +- A message in non-native endianness with out-of-band Unix file descriptors + would cause a use-after-free and possible memory corruption CVE-2022-42012, + bsc#1204113) + * fix-upstream-CVE-2022-42012.patch +- Disable asserts (bsc#1087072) +- Refreshed patches + * fix-upstream-CVE-2020-35512.patch + +- Remove pointless %%post scriptlet leveraging non-existent systemd env + variables + FIRST_ARG has been used in our systemd macros, but this has now been gone for + years. Thus the true branch of the if has never been executed for years and is + only causing warnings when installing dbus. + +- Add missing patch for CVE-2020-12049 + * fix-upstream-CVE-2020-12049_2.patch + +- Fix CVE-2020-12049 truncated messages lead to resource exhaustion + (CVE-2020-12049, bsc#1172505) + * fix-upstream-CVE-2020-12049.patch +- Rebased fix-CVE-2019-12749.patch + +- Fix CVE-2020-35512 - shared UID's caused issues (CVE-2020-35512 bsc#1187105) + * fix-upstream-userdb-constpointer.patch + * fix-upstream-CVE-2020-35512.patch + +- Fix CVE-2019-12749 Authentication bypass (CVE-2019-12749 bsc#1137832) + * added fix-CVE-2019-12749.patch + +- Make libdbus-1-3 own the %{_datadir}/dbus-1/system.d directory + +- Use %license instead of %doc [bsc#1082318] + +- Avoid bashisms in scriptlets. + +- Avoid ugly error message from %pre(install) script when installing + for the first time. + +- Don't spit out a warning if /usr/bin/dbus-daemon does not exist + when we run the pre-script. + +- Swap a missed libdir to libexecdir + +- Do not hide errors during useradd. + +- Fix dbus-daemon-launch-helper to use proper ref to libexecdir + +- use %{_libexecdir}/dbus-1 as libexecdir + +- Update to 1.12.2 + Deprecations: + • Eavesdropping is officially deprecated in favour of BecomeMonitor. 
+ See the release notes for spec version 0.31 (in dbus 1.11.14). + • [Unix] Flag files in /var/run/console/${username} are deprecated. + See the release notes for 1.11.18. + New APIs: + • and rules in dbus-daemon configuration can now + include send_broadcast="true", send_broadcast="false", + max_unix_fds="N", min_unix_fds="N" (for some integer N). + See the release notes for 1.11.18. + • dbus_try_get_local_machine_id() is like + dbus_get_local_machine_id(), but returns a DBusError. + • New APIs around DBusMessageIter to simplify cleanup. + See the release notes for 1.11.16. + • The message bus daemon now implements the standard Introspectable, + Peer and Properties interfaces. See the release notes for + dbus 1.11.14 and spec version 0.31. + • DTDs for introspection XML and bus configuration are installed. + • [Unix] A new unix:dir=… address family resembles unix:tmpdir=… but + never uses Linux abstract sockets, which is advantageous for + containers. On non-Linux it is equivalent to unix:tmpdir=…. + See the release notes for dbus 1.11.14 and spec version 0.31. + • [Unix] New option "dbus-launch --exit-with-x11". + • [Unix] Session managers can create transient .service files in + $XDG_RUNTIME_DIR/dbus-1/services. See the release notes for 1.11.12. + • [Unix] A sysusers.d snippet can create the messagebus user on-demand. + Miscellaneous behaviour changes: + • [Unix] The session bus now logs to syslog if it was started by + dbus-launch. + • [Unix] Internal warnings are logged to syslog if configured. + • [Unix] Exceeding an anti-DoS limit is logged to syslog if configured, + or to stderr. 
+- Enabled "make check test suite" +- Patches removed, fixed upstream + * fix-upstream-drop-install-sections-from-user-services.patch + * fix-upstream-increase-backlog.patch + * fix-upstream-timeout-reset-1.patch + * fix-upstream-timeout-reset-2.patch + +- boo#1027201 dbus-daemon not found +- boo#978477 systemd reseting under heavy load + * fix-upstream-timeout-reset-1.patch + * fix-upstream-timeout-reset-2.patch + +- boo#1027200 don't generate machine-id in %post systemd will do it + on first boot. +- swap usage of /bin/false to /usr/bin/false +- Use libexecdir=%{_libdir}/dbus-1 rather then /lib/dbus-1 + +- No need to set --libdir anymore now that prefix is /usr/bin, + * fixes boo#1047532 +- No need to set --bindir, bindir in dbus-1-x11 was incorrect +- Other fixes required to properly change prefix +- Don't pass --with-initscripts we don't use them anymore. + +- Update to 1.10.20 + * Fixes: + + Fix a reference leak when blocking on a pending call on a + connection that has been disconnected (fdo#101481, Shin-ichi + MORITA) + + Don't put timestamps in the Doxygen-generated documentation, + for closer-to-reproducible builds (fdo#100692, Simon + McVittie) + + Avoid an assertion failure when connecting to a + semicolon-separated series of addresses, one of which fails + (fdo#101257, Simon McVittie) + * Documentation: + + Update git URIs in HACKING document to sync up with + cgit.freedesktop.org (fdo#100715, Simon McVittie) + +- swap to /usr/bin bsc#1029968 +- Add the following fixes from SLE12 + * bsc#980928 increase listen() backlog of AF_UNIX sockets to + SOMAXCONN fix-upstream-increase-backlog.patch +- The following bugs were already fixed but are missing changelog + entries + * bsc#867256 (No longer applicable) + * bsc#916785 (No longer applicable) + * bsc#1012564 (Not applicable) + * fdo#90004 (Fixed Upstream) +- Rename the following patches as a tidy up + * dbus-log-deny.patch to feature-suse-log-deny.patch + * dbus-do-autolaunch.patch 
feature-suse-do-autolaunch.patch + * 0001-Add-RefuseManualStartStop.patch to + feature-suse-refuse-manual-start-stop.patch + * 0001-Drop-Install-sections-from-user-services.patch to + fix-upstream-drop-install-sections-from-user-services.patch + +- Update to 1.10.18 + * Fixes + + Re-order dbus-daemon startup so that on SELinux systems, the + thread that reads AVC notifications retains the ability to + write to the audit log (fdo#92832, Debian #857660; Laurent + Bigonville) + + Fix a harmless read overflow and some memory leaks in a unit + test (fdo#100568, Philip Withnall) + +- Update to 1.10.16 + Fixes: + * Prevent symlink attacks in the nonce-tcp transport on Unix that could + allow an attacker to overwrite a file named "nonce", in a directory + that the user running dbus-daemon can write, with a random value + known only to the user running dbus-daemon. This is unlikely to be + exploitable in practice, particularly since the nonce-tcp transport + is really only useful on Windows. + (fd.o #99828, Simon McVittie) (bsc#1025950) + * Avoid symlink attacks in the "embedded tests", which are not enabled + by default and should never be enabled in production builds of dbus. + (fd.o #99828, Simon McVittie) (bsc#1025951) + * Work around an undesired effect of the fix for CVE-2014-3637 + (fd.o #80559), in which processes that frequently send fds, such as + logind during a flood of new PAM sessions, can get disconnected for + continuously having at least one fd "in flight" for too long; + dbus-daemon interprets that as a potential denial of service attack. + The workaround is to disable that check for uid 0 process such as + logind, with a message in the system log. The bug remains open while + we look for a more general solution. + (fd.o #95263, LP#1591411; Simon McVittie) + * Don't run the test test-dbus-launch-x11.sh if X11 autolaunching + was disabled at compile time. That test is not expected to work + in that configuration. 
(fd.o #98665, Simon McVittie) + Enhancements: + * Do the Travis-CI build in Docker containers for Ubuntu LTS, Debian + stable and Debian testing in addition to the older Ubuntu that is + the default (fd.o #98889, Simon McVittie) + +- A note for scripts bsc#974092 (remove sysvinit script) is already + fixed here. + +- Don't restart dbus on upgrade - Includes temporary work around + for last version boo#1020301 +- Add 0001-Add-RefuseManualStartStop.patch don't allow users to Manually + start or stop dbus. + +- Add systemd unit files to start session bus via systemd +- Added patch: + * 0001-Drop-Install-sections-from-user-services.patch + + remove install section from socket unit because it does not + need to be enabled explicitly (see fdo#92402) + +- Requires systemd >= 209 and drop the compatibility pkg-config + names that don't exist in newer systemd + +- Drop useless --with-pic which is only for static libs +- Abort installation when user/group creation fails +- Avoid calling %service_* more than once + +- Build the dbus-1 package without X in the dbus-1.spec +- Move the dbus-launch.nox11 to the dbus-1 package and install + it by default +- Build devel-doc package in dbus-1.spec and don't build any + documentation in dbus-1-x11 +- Make dbus-1-x11 package contains only the X11-enabled dbus-launch +- Fix some rpmlint warnings +- Delete the dbus-1-x11.spec.in file, since maintaining it is + more complicated then keeping in sync a dbus-1-x11.spec file of + less then 120 lines + +- Create new subpackage: dbus-1-nox11 + - contains dbus-launch without x11 support +- Rename dbus-launch to dbus-launch.x11 +- use update-alternatives to switch between dbus-launch with and + without X11 +- Solves [bnc#934214] + +- Update to 1.10.12 + * Security fixes: + + Do not treat ActivationFailure message received from + root-owned systemd name as a format string. 
In principle this + is a security vulnerability, but we do not believe it is + exploitable in practice, because only privileged processes can + own the org.freedesktop.systemd1 bus name, and systemd does + not appear to send activation failures that contain "%". + Please note that this probably *was* exploitable in dbus + versions older than 1.6.30, 1.8.16 and 1.9.10 due to a missing + check which at the time was only thought to be a denial of + service vulnerability (CVE-2015-0245). If you are still + running one of those versions, patch or upgrade immediately. + (fdo#98157, bsc#1003898, Simon McVittie) + * Other fixes: + + Harden dbus-daemon against malicious or incorrect + ActivationFailure messages by rejecting them if they do not + come from a privileged process, or if systemd activation is + not enabled (fdo#98157, Simon McVittie) + + Avoid undefined behaviour when setting reply serial number + without going via union DBusBasicValue (fdo#98035, Marc Mutz) + + autogen.sh: fail cleanly if autoconf fails (Simon McVittie) + +- Moved dbus-run-session from dbus-1-x11 to dbus-1 (bdo#836296) + +- Update to 1.10.10 + * Fixes: + + On Linux, when dbus-daemon is run with reduced susceptibility + to the OOM killer (typically via systemd), do not let child + processes inherit that setting (fdo#32851; + Kimmo Hämäläinen, WaLyong Cho) + + Output valid shell syntax in ~/.dbus/session-bus/ if the bus + address contains a semicolon (fdo#94746, Thiago Macieira) + + Fix memory leaks and thread safety in subprocess starting on + Windows (fdo#95191, Ralf Habacker) + + Do not require systemd to have a service file if using it for + activation (fdo#93194; Simon McVittie; backport from 1.11.0) + + Stop test-dbus-daemon incorrectly failing on platforms that + cannot discover the process ID of clients (fdo#96653, + Руслан Ижбулатов) + + In tests that exercise correct handling of crashing D-Bus + services, suppress Windows crash handler (fdo#95155; + Yiyang Fei, Ralf Habacker) + + 
Explicitly check for stdint.h (Ioan-Adrian Ratiu) + + update-activation-environment: produce better diagnostics on + error (fdo#96653, Simon McVittie) + + Don't fail the build with an unused const variable warning + under gcc 6 (fdo#97282; Thomas Zimmermann, Simon McVittie) + + Merge dbus-1.10-ci branch, containing backports from 1.11.0 + in build/test code to support continuous integration + (fdo#93194, Simon McVittie) + - Avoid -Wunused-label when compiling with libselinux but no + libaudit + - In development builds, allow OOM tests to be disabled as + documented + - Accept and ignore the --tap argument in all "embedded + tests", and run all automated tests with that argument for + better diagnostics + - Fix the systemd activation test under CMake by installing + the required files + - In Automake, fix shell syntax for installcheck-local with + no DESTDIR + - In Automake, don't try to run manual tests in installcheck + - In CMake, don't run manual-tcp test as an automated test + - Add travis-ci.org build machinery + +- Update to 1.10.8 + * Fixes: + + Enable "large file support" on systems where it exists: + dbus-daemon is not expected to open large files, but it might + need to stat files that happen to have large inode numbers + (fdo#93545, Hongxu Jia) + + Eliminate padding inside DBusMessageIter on 64-bit platforms, + which might result in a pedantic C compiler not copying the + entire contents of a DBusMessageIter; statically assert that + this is not an ABI change in practice (fdo#94136, Simon + McVittie) + + Document dbus-test-tool echo --sleep-ms=N instead of + incorrect --sleep=N (fdo#94244, Dmitri Iouchtchenko) + + Correctly report test failures in C tests from run-test.sh + (fdo#93379; amit tewari, Simon McVittie) + + When tests are enabled, run all the marshal-validate tests, + not just the even-numbered ones (fdo#93908, Nick Lewycky) + + Correct the expected error from one marshal-validate test, + which was previously not run due to the above 
bug(fdo#93908, + Simon McVittie) + +- Update to 1.10.6 + * Fixes: + - On Unix when running tests as root, don't assert that root + and the dbus-daemon user can still call + UpdateActivationEnvironment; assert that those privileged + users can call BecomeMonitor instead (fdo#93036, Simon + McVittie) + - On Windows, fix a memory leak in the autolaunch transport + (fdo#92899, Simon McVittie) + - On Windows Autotools builds, don't run tests that rely on + dbus-run-session and other Unix-specifics (fdo#92899, Simon + McVittie) + +- Update to 1.10.4 + * Changes between 1.10.2 and 1.10.4 + - Enhancements: + + GetConnectionCredentials, GetConnectionUnixUser and + GetConnectionUnixProcessID with argument + "org.freedesktop.DBus" will now return details of the + dbus-daemon itself. This is required to be able to call + SetEnvironment on systemd. (fdo#92857, Jan Alexander + Steffens) + - Fixes: + + Make UpdateActivationEnvironment always fail with + AccessDenied on the system bus. Previously, it was + possible to configure it so root could call it, but the + environment variables were not actually used, because the + launch helper would discard them. (fdo#92857, Jan Alexander + Steffens) + + On Unix with --systemd-activation on a user bus, make + UpdateActivationEnvironment pass on its arguments to + systemd's SetEnvironment method, solving inconsistency + between the environments used for traditional activation + and systemd user-service activation. (fdo#92857, Jan + Alexander Steffens) + + On Windows, don't crash if or --syslog is used + (fdo#92538, Ralf Habacker) + + On Windows, fix a memory leak when setting a DBusError from + a Windows error (fdo#92721, Ralf Habacker) + + On Windows, don't go into infinite recursion if we abort the + process with backtraces enabled (fdo#92721, Ralf Habacker) + + Fix various failing tests, variously on Windows and + cross-platform: + . 
+        . don't test system.conf features (users, groups) that only make sense on the system bus, which is not supported on Windows
+        . don't call _dbus_warn() when we skip a test, since it is fatal
+        . fix computation of expected
+        . when running TAP tests, translate newlines to Unix format, fixing cross-compiled tests under Wine on Linux
+        . don't stress-test refcounting under Wine, where it's really slow
+        . stop assuming that a message looped-back to the test will be received immediately
+        . skip some system bus tests on Windows since they make no sense there (fdo#92538, fdo#92721; Ralf Habacker, Simon McVittie)
+  * Changes between 1.10.0 and 1.10.2
+    - Fixes:
+      + Correct error handling for activation: if there are multiple attempts to activate the same service and it fails immediately, the first attempt would get the correct reply, but the rest would time out. We now send the same error reply to each attempt. (fdo#92200, Simon McVittie)
+      + If BecomeMonitor is called with a syntactically invalid match rule, don't crash with an assertion failure, fixing a regression in 1.9.10. This was not exploitable as a denial of service, because the check for a privileged user is done first. (fdo#92298, Simon McVittie)
+      + On Linux with --enable-user-session, add the bus address to the environment of systemd services for better backwards compatibility (fdo#92612, Jan Alexander Steffens)
+      + On Windows, fix the logic for replacing the installation prefix in service files' Exec lines (fdo#83539; Milan Crha, Simon McVittie)
+      + On Windows, if installed in the conventional layout with ${prefix}/etc and ${prefix}/share, use relative paths between bus configuration files to allow the tree to be relocated (fdo#92028, Simon McVittie)
+      + Make more of the regression tests pass in Windows builds (fdo#92538, Simon McVittie)
+  * Summary of major changes since 1.8.0:
+    - The basic setup for the well-known system and session buses is now done in read-only files in ${datadir} (normally /usr/share).
+    - AppArmor integration has been merged, with features similar to the pre-existing SELinux integration. It is mostly compatible with the patches previously shipped by Ubuntu, with one significant change: Ubuntu's GetConnectionAppArmorSecurityContext method has been superseded by GetConnectionCredentials and was not included.
+    - The --enable-user-session configure option can be enabled by OS integrators intending to use systemd to provide a session bus per user (in effect, treating all concurrent graphical and non-graphical login sessions as one large session).
+    - The new listenable address mode "unix:runtime=yes" listens on $XDG_RUNTIME_DIR/bus, the same AF_UNIX socket used by the systemd user session. libdbus and "dbus-launch --autolaunch" will connect to this address by default. GLib >= 2.45.3 and sd-bus >= 209 have a matching default.
+    - All executables are now dynamically linked to libdbus-1. Previously, some executables, most notably dbus-daemon, were statically linked to a specially-compiled variant of libdbus. This results in various private functions in the _dbus namespace being exposed by the shared library. These are not API, and must not be used outside the dbus source tree.
+    - On platforms with ELF symbol versioning, all public symbols are versioned LIBDBUS_1_3.
+  * New bus APIs:
+    - org.freedesktop.DBus.GetConnectionCredentials returns LinuxSecurityLabel where supported
+    - org.freedesktop.DBus.Monitoring interface (privileged)
+      . BecomeMonitor method supersedes match rules with eavesdrop=true, which are now deprecated
+    - org.freedesktop.DBus.Stats interface (semi-privileged)
+      . now enabled by default
+      . new GetAllMatchRules method
+    - org.freedesktop.DBus.Verbose interface (not normally compiled)
+      . toggles the effect of DBUS_VERBOSE
+  * New executables:
+    - dbus-test-tool
+    - dbus-update-activation-environment
+  * New optional dependencies:
+    - The systemd: pseudo-transport requires libsystemd or libsd-daemon
+    - Complete documentation requires Ducktype and yelp-tools
+    - Full test coverage requires GLib 2.36 and PyGI
+    - AppArmor integration requires libapparmor and optionally libaudit
+  * Dependencies removed:
+    - dbus-glib
+
+- Update to 1.8.20:
+  * Fixes:
+    - Fix a memory leak when GetConnectionCredentials() succeeds (fdo#91008, Jacek Bukarewicz)
+    - Ensure that dbus-monitor does not reply to messages intended for others (fdo#90952, Simon McVittie)
+
+- Account for openSUSE:Leap in the conditional for choosing the right local state directories (boo#941352)
+
+- Move common-begin sections around to make pre_checkin work again
+- Unconditionally build with systemd features, there are no cycles now, systemd no longer buildrequires dbus-1-devel
+
+- Update to 1.8.18:
+  * Security hardening:
+    - On Unix platforms, change the default configuration for the session bus to only allow EXTERNAL authentication (secure kernel-mediated credentials-passing), as was already done for the system bus.
+      This avoids falling back to DBUS_COOKIE_SHA1, which relies on strongly unpredictable pseudo-random numbers; under certain circumstances (/dev/urandom unreadable or malloc() returns NULL), dbus could fall back to using rand(), which does not have the desired unpredictability. The fallback to rand() has not been changed in this stable-branch since the necessary code changes for correct error-handling are rather intrusive.
+      If you are using D-Bus over the (unencrypted!) tcp: or nonce-tcp: transport, in conjunction with DBUS_COOKIE_SHA1 and a shared home directory using NFS or similar, you will need to reconfigure the session bus to accept DBUS_COOKIE_SHA1 by commenting out the element. This configuration is not recommended. (bsc#931066, fdo#90414, Simon McVittie)
+  * Other fixes:
+    - Add locking to DBusCounter's reference count and notify function (fdo#89297, Adrian Szyndela)
+    - Ensure that DBusTransport's reference count is protected by the corresponding DBusConnection's lock (fdo#90312, Adrian Szyndela)
+    - On Windows, listen on the same port for IPv4 and IPv6 (previously broken by an endianness mistake), and fix a failure to bind TCP sockets on approximately 1 attempt in 256 (fdo#87999, Ralf Habacker)
+    - Correctly release DBusServer mutex before early-return if we run out of memory while copying authentication mechanisms (fdo#90021, Ralf Habacker)
+    - Correctly initialize all fields of DBusTypeReader (fdo#90021, Ralf Habacker, Simon McVittie)
+    - Fix some missing \n in verbose (debug log) messages (fdo#90021, Ralf Habacker)
+    - Clean up some memory leaks in test code (fdo#90021, Ralf Habacker)
+
+- Sync changes from SLE12 conditionalized for suse_version <= 1315
+
+- Update to 1.8.16:
+  * Security fixes:
+    - Do not allow non-uid-0 processes to send forged ActivationFailure messages. On Linux systems with systemd activation, this would allow a local denial of service: unprivileged processes could flood the bus with these forged messages, winning the race with the actual service activation and causing an error reply to be sent back when service auto-activation was requested. This does not prevent the real service from being started, so it only works while the real service is not running. (CVE-2015-0245, fdo#88811, bnc#916343; Simon McVittie)
+  * Other fixes:
+    - fix a Windows build failure (fdo#88009, Ralf Habacker)
+    - on Windows, allow up to 8K connections to the dbus-daemon instead of the previous 64, completing a previous fix which only worked under Autotools (fdo#71297, Ralf Habacker)
+
+- Update to 1.8.14
+  * Security hardening:
+    - Do not allow calls to UpdateActivationEnvironment from uids other than the uid of the dbus-daemon. If a system service installs unsafe security policy rules that allow arbitrary method calls (such as CVE-2014-8148) then this prevents memory consumption and possible privilege escalation via UpdateActivationEnvironment. We believe that in practice, privilege escalation here is avoided by dbus-daemon-launch-helper sanitizing its environment; but it seems better to be safe.
+    - Do not allow calls to UpdateActivationEnvironment or the Stats interface on object paths other than /org/freedesktop/DBus. Some system services install unsafe security policy rules that allow arbitrary method calls to any destination, method and interface with a specified object path; while less bad than allowing arbitrary method calls, these security policies are still harmful, since dbus-daemon normally offers the same API on all object paths and other system services might behave similarly.
+  * Other fixes:
+    - Add missing initialization so GetExtendedTcpTable doesn't crash on Windows Vista SP0 (fdo#77008, Ilya A. Tkachenko)
+
+- Update to 1.8.12:
+  * Fixes:
+    - Partially revert the CVE-2014-3639 patch by increasing the default authentication timeout on the system bus from 5 seconds back to 30 seconds, since this has been reported to cause boot regressions for some users, mostly with parallel boot (systemd) on slower hardware. On fast systems where local users are considered particularly hostile, administrators can return to the 5 second timeout (or any other value in milliseconds) by saving this as /etc/dbus-1/system-local.conf:
+
+        5000
+
+      (fdo#86431, Simon McVittie)
+    - Add a message in syslog/the Journal when the auth_timeout is exceeded (fdo#86431, Simon McVittie)
+    - Send back an AccessDenied error if the addressed recipient is not allowed to receive a message (and in builds with assertions enabled, don't assert under the same conditions). (fdo#86194, Jacek Bukarewicz)
+
+- Update to 1.8.10:
+  * Security fixes:
+    - Increase dbus-daemon's RLIMIT_NOFILE rlimit to 65536 so that CVE-2014-3636 part A cannot exhaust the system bus' file descriptors, completing the incomplete fix in 1.8.8. (CVE-2014-7824, fdo#85105; Simon McVittie, Alban Crequy)
f2fs-tools
+- Replace transitional %usrmerged macro with regular version check (boo#1206798)
flac
+- Fix out of bound write in append_to_verify_fifo_interleaved_ (CVE-2021-0561 bsc#1196660):
+  libFlac-Exit-at-EOS-in-verify-mode.patch
+
+- Fix memory leak (CVE-2020-0487 bsc#1180112):
+  stream_decoder.c-Fix-a-memory-leak.patch
+
+- Fix out-of-bounds access (CVE-2020-0499 bsc#1180099):
+  libFLAC-bitreader.c-Fix-out-of-bounds-read.patch
+
+- Fix memory leak in read_metadata_vorbiscomment_() function (CVE-2017-6888, bsc#1091045):
+  flac-CVE-2017-6888.patch
+
+- Update to version 1.3.2
+  * Fix undefined behaviour using GCC/Clang UBSAN (erikd).
+  * General hardening via fuzz testing with AFL (erikd and others).
+  * General code improvements (lvqcl, erikd and others).
+  * Add FLAC in MP4 specification docs (Ralph Giles).
+  * Fix some cppcheck warnings (erikd).
+  * Assume all currently used OSes support SSE2.
+  flac:
+  * Fix potential infinite loop on flac-to-flac conversion (erikd).
+  * Add WAVEFORMATEXTENSIBLE to WAV (as needed) when decoding (lvqcl).
+  * Only write vorbis-comments if they are non-empty.
+  * Error out if decoding RAW with bits != (8|16|24).
+  metaflac:
+  * Add --scan-replay-gain option.
+  libraries:
+  * CPU detection cleanup and fixes (Julian Calaby, erikd and lvqcl).
+  * Fix two stream decoder bugs (Max Kellermann).
+  * Fix a NULL dereference bug (on a malformed file).
+  * Changed the LPC order guess for a slight compression improvement, particularly for classical music (Martijn van Beurden).
+  * Improved encoding speed on older Intel CPUs.
+  * Fixed a seeking bug when decoding certain files (Miroslav Lichvar).
+  * Put an upper bound (32768) on the number of seek points.
+  * Fix potential memory leaks.
+  * Support 64bit brword/bwword allowing FLAC__BYTES_PER_WORD to be set to 8 (disabled by default).
+  * Fix an out-of-bounds heap read.
+- Refreshed flac-cflags.patch
+
+- Drop patch that should be upstreamed first, otherwise we will have to keep it forever:
+  * flac-ocloexec.patch
+- Drop wrong patch:
+  * flac-fix-pkgconfig.patch
+  If using this change you get the assert.h include overridden in your project by the one from FLAC/, which is not what upstream desired. If packages fail to build they should fix their include.
+
+- Build documentation as noarch
+
+- Cleanup spec file with spec-cleaner
+- Update url
+- Remove no longer needed patches
+  * flac-fix-CVE-2014-8962.patch
+  * flac-fix-CVE-2014-9028.patch
+  * 0001-getopt_long-not-broken-here.patch
+- Remove the following as the benefit of using openssl is small
+  * 0001-Allow-use-of-openSSL.patch
+- Add flac-cflags.patch
+- Use doxygen to build documentation
+- Split documentation to separate package
+- Update to 1.3.1
+  * Improved decoding efficiency of all bit depths but especially so for 24 bits for IA32 architecture (lvqcl and Miroslav Lichvar).
+  * Faster encoding using SSE and AVX (lvqcl).
+  * Fixed bartlett, bartlett_hann and triangle functions.
+  * New apodization functions partial_tukey and punchout_tukey for improved compression (Martijn van Beurden).
+  * Retuned compression presets to incorporate new apodization functions (Martijn van Beurden).
+  * Fix -Wcast-align warnings on armhf architecture (Erik de Castro Lopo).
+  * Help output documentation improvements.
+  * I/O buffering improvements on Windows to reduce disk fragmentation when writing files.
+  * Only write vorbis-comments if they are non-empty.
+  * Fix symbol visibility in XMMS plugin.
+  * Many fixes and improvements across all the build systems.
+  * Fix CVE-2014-9028 (heap write overflow) and CVE-2014-8962 (heap read overflow)
+
+- A couple of security fixes:
+  * flac-fix-CVE-2014-8962.patch: arbitrary code execution by a stack overflow (CVE-2014-8962, bnc#906831)
+  * flac-fix-CVE-2014-9028.patch: Heap overflow via specially crafted .flac files (CVE-2014-9028, bnc#907016)
+
+- Update to final upstream release 1.3.0
+  * No user-visible changes
+- More robust make install call
freerdp
+- Multiple CVE fixes (bsc#1205512)
+  + Add freerdp-Added-missing-length-checks-in-zgfx_decompress_segme.patch
+    * Fixes CVE-2022-39316 & CVE-2022-39317
+  + Add freerdp-CVE-2022-39320.patch
+    * Added missing length check in urb_control_transfer
+  + Add freerdp-CVE-2022-39347.patch
+    * Fix path validation in drive channel
+  + Add freerdp-CVE-2022-41877.patch
+    * Fixed missing stream length check in drive_file_query_directory
gnome-chess
+- Update to version 43.1:
+  + Fix build with latest valac.
+  + Fix keyboard shortcuts dialog.
+  + Updated translations.
gnome-sudoku
+- Update to version 43.1:
+  + Revert "Fix redundant undo stack entries for earmarks".
+  + Warnings when solution to puzzle is violated no longer consider earmarks.
+  + Updated translations.
gnutls
-- FIPS: Change all the 140-2 references to FIPS 140-3 in order to account for the new FIPS certification [bsc#1207346]
-  * Add gnutls-FIPS-140-3-references.patch
-
-- FIPS: GnuTLS DH/ECDH PCT public key regeneration [bsc#1207183]
-  * Add gnutls-FIPS-PCT-DH.patch gnutls-FIPS-PCT-ECDH.patch
-
-- Fix AVX CPU feature detection for OSXSAVE [bsc#1203299]
-  * Fixes a SIGILL termination at the vzeroupper instruction when trying to run GnuTLS on a Linux kernel with the noxsave command line parameter set. Relevant mostly for virtual systems.
-  * Upstream bug: https://gitlab.com/gnutls/gnutls/issues/1282
-  * Add gnutls-clear-AVX-bits-if-it-cannot-be-queried-XSAVE.patch
-
-- FIPS: Set error state when jent init failed in FIPS mode [bsc#1202146]
-  * Add patch gnutls-FIPS-Set-error-state-when-jent-init-failed.patch
-
-- FIPS: Make XTS key check failure not fatal [bsc#1203779]
-  * Add gnutls-Make-XTS-key-check-failure-not-fatal.patch
-
-- FIPS: Zeroize the calculated hmac and new_hmac in the check_binary_integrity() function. [bsc#1191021]
-  * Add gnutls-FIPS-Zeroize-check_binary_integrity.patch
-
-- FIPS: Additional modifications to the SLI. [bsc#1190698]
-  * Mark CMAC and GMAC as non-approved in gnutls_pbkdf2().
-  * Mark HMAC keylength less than 112 bits as non-approved in gnutls_pbkdf2().
-  * Adapt the pbkdf2 selftest and the regression tests accordingly.
-  * Add gnutls-FIPS-SLI-pbkdf2-verify-keylengths-only-SHA.patch
-
-- FIPS: Port GnuTLS to use jitterentropy [bsc#1202146, jsc#SLE-24941]
-  * Add new dependency on jitterentropy
-  * Add gnutls-FIPS-jitterentropy.patch
-
-- Security fix: [bsc#1202020, CVE-2022-2509]
-  * Fixed double free during verification of pkcs7 signatures
-  * Add gnutls-CVE-2022-2509.patch
-
-- FIPS:
-  * Modify gnutls-FIPS-force-self-test.patch [bsc#1198979]
-    - gnutls_fips140_run_self_tests now properly releases fips_context
-
-- FIPS:
-  * Add gnutls_ECDSA_signing.patch [bsc#1190698]
-    - Check minimum keylength for symmetric key generation
-    - Only allows ECDSA signature with valid set of hashes (SHA2 and SHA3)
-  * Add gnutls-FIPS-force-self-test.patch [bsc#1198979]
-    - Provides interface for running library self tests on-demand
-    - Upstream: https://gitlab.com/gnutls/gnutls/-/merge_requests/1598
-
-- FIPS: Make sure zeroization is performed in all API functions
-  * Add gnutls-zeroization-API-functions.patch [bsc#1191021]
-  * Upstream: https://gitlab.com/gnutls/gnutls/-/merge_requests/1573
-
-- FIPS: Add missing requirements for the SLI [bsc#1190698]
-  * Remove 3DES from FIPS approved algorithms:
-    - gnutls-Remove-3DES-from-FIPS-approved-algos.patch
-    - Upstream: https://gitlab.com/gnutls/gnutls/-/merge_requests/1570
-  * DRBG service (gnutls_rnd) should be considered approved:
-    - gnutls-Add-missing-FIPS-service-indicator-transitions.patch
-    - gnutls-Add-missing-FIPS-service-indicator-transitions-tests.patch
-    - gnutls-pkcs12-tighten-algorithm-checks-under-FIPS.patch
-    - Upstream: https://gitlab.com/gnutls/gnutls/-/merge_requests/1569
-
-- FIPS: Mark AES-GCM as approved in the TLS context [bsc#1194907]
-  * Add gnutls-FIPS-Mark-HKDF-and-AES-GCM-as-approved-when-used-in-TLS.patch
-  * Upstream issue: https://gitlab.com/gnutls/gnutls/issues/1311
-
-- FIPS: Additional PBKDF2 requirements for KAT [bsc#1184669]
-  * The IG 10.3.A and SP800-132 require some minimum parameters for the salt length, password length and iteration count. These parameters should also be used in the KAT.
-  * Add gnutls-FIPS-PBKDF2-KAT-requirements.patch
-  * Upstream: https://gitlab.com/gnutls/gnutls/merge_requests/1561
-- Enable running the regression tests also in FIPS mode.
-
-- Update to 3.7.3: [bsc#1190698, bsc#1190796]
-  * libgnutls: The allowlisting configuration mode has been added to the system-wide settings. In this mode, all the algorithms are initially marked as insecure or disabled, while the applications can re-enable them either through the [overrides] section of the configuration file or the new API (#1172).
-  * The build infrastructure no longer depends on GNU AutoGen for generating command-line option handling, template file parsing in certtool, and documentation generation (#773, #774). This change also removes the run-time or bundled dependency on the libopts library, and requires Python 3.6 or later to regenerate the distribution tarball. Note that this brings in a known backward incompatibility in command-line tools: long options are now case sensitive, while previously they were treated in a case insensitive manner; for example --RSA is no longer a valid option of certtool. Existing scripts using GnuTLS tools may need adjustment for this change.
-  * libgnutls: The tpm2-tss-engine compatible private blobs can be loaded and used as a gnutls_privkey_t (#594). The code was originally written for the OpenConnect VPN project by David Woodhouse. To generate such blobs, use the tpm2tss-genkey tool from tpm2-tss-engine: https://github.com/tpm2-software/tpm2-tss-engine/#rsa-operations or the tpm2_encodeobject tool from unreleased tpm2-tools.
-  * libgnutls: The library now transparently enables Linux KTLS (kernel TLS) when the feature is compiled in with the --enable-ktls configuration option (#1113). If the KTLS initialization fails it automatically falls back to the user space implementation.
-  * certtool: The certtool command can now read the Certificate Transparency (RFC 6962) SCT extension (#232). New API functions are also provided to access and manipulate the extension values.
-  * certtool: The certtool command can now generate, manipulate, and evaluate x25519 and x448 public keys, private keys, and certificates.
-  * libgnutls: Disabling a hashing algorithm through the "insecure-hash" configuration directive now also disables TLS ciphersuites that use it as a PRF algorithm.
-  * libgnutls: PKCS#12 files are now created with modern algorithms by default (!1499). Previously certtool used PKCS12-3DES-SHA1 for key derivation and HMAC-SHA1 as an integrity measure in PKCS#12. Now it uses AES-128-CBC with PBKDF2 and SHA-256 for both key derivation and MAC algorithms, and the default PBKDF2 iteration count has been increased to 600000.
-  * libgnutls: PKCS#12 keys derived using the GOST algorithm now use HMAC_GOSTR3411_2012_512 instead of HMAC_GOSTR3411_2012_256 for integrity, to conform with the latest TC-26 requirements (#1225).
-  * libgnutls: The library now provides a means to report the status of approved cryptographic operations (!1465). To adhere to the FIPS140-3 IG 2.4.C., this complements the existing mechanism that prohibits the use of unapproved algorithms by putting the library into an unusable state.
-  * gnutls-cli: The gnutls-cli command now provides a --list-config option to print the library configuration (!1508).
-  * libgnutls: Fixed possible race condition in gnutls_x509_trust_list_verify_crt2 when a single trust list object is shared among multiple threads (#1277). [GNUTLS-SA-2022-01-17, CVSS: low]
-  * API and ABI modifications:
-    GNUTLS_PRIVKEY_FLAG_RSA_PSS_FIXED_SALT_LENGTH: new flag in gnutls_privkey_flags_t
-    GNUTLS_VERIFY_RSA_PSS_FIXED_SALT_LENGTH: new flag in gnutls_certificate_verify_flags
-    gnutls_ecc_curve_set_enabled: Added.
-    gnutls_sign_set_secure: Added.
-    gnutls_sign_set_secure_for_certs: Added.
-    gnutls_digest_set_secure: Added.
-    gnutls_protocol_set_enabled: Added.
-    gnutls_fips140_context_init: New function
-    gnutls_fips140_context_deinit: New function
-    gnutls_fips140_push_context: New function
-    gnutls_fips140_pop_context: New function
-    gnutls_fips140_get_operation_state: New function
-    gnutls_fips140_operation_state_t: New enum
-    gnutls_transport_is_ktls_enabled: New function
-    gnutls_get_library_configuration: New function
-  * Remove patches fixed in the update:
-    - gnutls-FIPS-module-version.patch
-    - gnutls-FIPS-service-indicator.patch
-    - gnutls-FIPS-service-indicator-public-key.patch
-    - gnutls-FIPS-service-indicator-symmetric-key.patch
-    - gnutls-FIPS-RSA-PSS-flags.patch
-    - gnutls-FIPS-RSA-mod-sizes.patch
-
-- FIPS: Fix regression tests in fips and non-fips mode [bsc#1194468]
-  * Add gnutls-FIPS-disable-failing-tests.patch
-  * Remove patches:
-    - gnutls-temporarily_disable_broken_guile_reauth_test.patch
-    - gnutls-3.6.0-disable-flaky-dtls_resume-test.patch
-    - disable-psk-file-test.patch
-
-- FIPS: Provide module identifier and version [bsc#1190796]
-  * Add configurable options to output the module name/identifier (--with-fips140-module-name) and the module version (--with-fips140-module-version).
-  * Add the CLI option list-config that reports the configuration of the library.
-  * Add gnutls-FIPS-module-version.patch
-
-- FIPS: Provide a service-level indicator [bsc#1190698]
-  * Add support for a "service indicator" as required in the FIPS140-3 Implementation Guidance in section 2.4.C
-  * Add patches:
-    - gnutls-FIPS-service-indicator.patch
-    - gnutls-FIPS-service-indicator-public-key.patch
-    - gnutls-FIPS-service-indicator-symmetric-key.patch
-    - gnutls-FIPS-RSA-PSS-flags.patch
-
-- FIPS: RSA KeyGen/SigGen fail with 4096 bit key sizes [bsc#1192008]
-  * fips: allow more RSA modulus sizes
-  * Add gnutls-FIPS-RSA-mod-sizes.patch
-  * Delete gnutls-3.6.7-fips-rsa-4096.patch
-
-- Drop bogus condition "> 1550": that would mean 'more recent than Tumbleweed' which is technically impossible, as Tumbleweed is the leading project (and the condition causes issues as Tumbleweed needs to move away from 1550 due to CODE 15 SP5 plans).
-
-- Add crypto-policies support in SLE-15-SP4 [jsc#SLE-20287]
-
-- Account for the libnettle soname bump [jsc#SLE-19765]
-
-- Update to 3.7.2 in SLE-15-SP4: [jsc#SLE-19765, jsc#SLE-18139]
-  - Add gnutls-temporarily_disable_broken_guile_reauth_test.patch
-  - Rebased patches:
-    * disable-psk-file-test.patch
-    * gnutls-3.6.0-disable-flaky-dtls_resume-test.patch
-    * gnutls-fips_mode_enabled.patch
-  - Remove patches merged upstream:
-    * gnutls-CVE-2020-11501.patch
-    * gnutls-CVE-2020-13777.patch
-    * gnutls-CVE-2020-24659.patch
-    * gnutls-CVE-2021-20231.patch
-    * gnutls-CVE-2021-20232.patch
-    * gnutls-3.6.7-fips-backport_dont_truncate_output_IV.patch
-    * gnutls-fips_XTS_key_check.patch
-    * 0001-_gnutls_verify_crt_status-apply-algorithm-checks-to-.patch
-    * 0002-_gnutls_pkcs11_verify_crt_status-check-validity-agai.patch
-    * 0003-x509-trigger-fallback-verification-path-when-cert-is.patch
-    * 0004-tests-add-test-case-for-certificate-chain-supersedin.patch
-    * 0001-Add-Full-Public-Key-Check-for-DH.patch
-    * 0001-Add-test-to-ensure-DH-exchange-behaves-correctly.patch
-    * 0002-Add-test-to-ensure-ECDH-exchange-behaves-correctly.patch
-    * 0003-Add-plumbing-to-handle-Q-parameter-in-DH-exchanges.patch
-    * 0004-Always-pass-in-and-check-Q-in-TLS-1.3.patch
-    * 0005-Check-Q-for-FFDHE-primes-in-prime-check.patch
-    * 0006-Pass-down-Q-for-FFDHE-in-al-pre-TLS1.3-as-well.patch
-    * 0001-dh-primes-add-MODP-primes-from-RFC-3526.patch
-    * 0002-dhe-check-if-DH-params-in-SKE-match-the-FIPS-approve.patch
-    * 0001-dh-check-validity-of-Z-before-export.patch
-    * 0002-ecdh-check-validity-of-P-before-export.patch
-    * 0003-dh-primes-make-the-FIPS-approved-check-return-Q-valu.patch
-    * 0004-dh-perform-SP800-56A-rev3-full-pubkey-validation-on-.patch
-    * 0005-ecdh-perform-SP800-56A-rev3-full-pubkey-validation-o.patch
-    * 0001-Vendor-in-XTS-functionality-from-Nettle.patch
-    * 0001-pubkey-avoid-spurious-audit-messages-from-_gnutls_pu.patch
-    * gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch
-    * gnutls-3.6.7-fix-FTBFS-2024.patch
-    * gnutls-3.6.7-reproducible-date.patch
-
-- Update to version 3.7.2
-  * Added Linux kernel AF_ALG based acceleration
-  * Fixed timing of early data exchange
-  * The priority string option DISABLE_TLS13_COMPAT_MODE was added to disable TLS 1.3 middlebox compatibility mode
-  * The GNUTLS_NO_EXPLICIT_INIT envvar has been renamed to GNUTLS_NO_IMPLICIT_INIT to reflect the purpose
-  * certtool:
-    * When signing a CSR, CRL distribution point (CDP) is no longer copied from the signing CA by default
-    * When producing certificates and certificate requests, subject DN components that are provided individually will now be ordered by assumed scale
-
-- Add gnutls-3.6.7-fix-FTBFS-2024.patch to let tests pass after 2024 (boo#1186579)
-- Add gnutls-3.6.7-reproducible-date.patch to override build date (boo#1047218)
-
-- Security fix: [bsc#1183456, CVE-2021-20232]
-  * A use after free issue in client_send_params in lib/ext/pre_shared_key.c may lead to memory corruption and other potential consequences.
-- Add gnutls-CVE-2021-20232.patch
-
-- Security fix: [bsc#1183457, CVE-2021-20231]
-  * A use after free issue in client sending key_share extension may lead to memory corruption and other consequences.
-- Add gnutls-CVE-2021-20231.patch
-
-- Update to 3.7.1: [bsc#1183456, CVE-2021-20232] [bsc#1183457, CVE-2021-20231]
-  * Fixed potential use-after-free in sending "key_share" and "pre_shared_key" extensions.
-  * Fixed a regression in handling duplicated certs in a chain.
-  * Fixed sending of session ID in TLS 1.3 middlebox compatibility mode. In that mode the client shall always send a non-zero session ID to make the handshake resemble the TLS 1.2 resumption; this was not true in the previous versions.
-  * Removed dependency on the external 'fipscheck' package, when compiled with --enable-fips140-mode.
-  * Added padlock acceleration for AES-192-CBC.
-- Remove patches upstream:
-  * gnutls-gnutls-cli-debug.patch
-  * gnutls-ignore-duplicate-certificates.patch
-  * gnutls-test-fixes.patch
-
-- Fix the test suite for tests/gnutls-cli-debug.sh [bsc#1171565]
-  * Don't unset system priority settings in gnutls-cli-debug.sh
-  * Upstream: gitlab.com/gnutls/gnutls/merge_requests/1387
-- Add gnutls-gnutls-cli-debug.patch
-
-- Fix: Test certificates in tests/testpkcs11-certs have expired
-  * Upstream bug: gitlab.com/gnutls/gnutls/issues/1135
-- Add gnutls-test-fixes.patch
-
-- gnutls_x509_trust_list_verify_crt2: ignore duplicate certificates
-  * Upstream bug: https://gitlab.com/gnutls/gnutls/issues/1131
-- Add gnutls-ignore-duplicate-certificates.patch
-
-- Update to 3.7.0
-  * Depend on nettle 3.6
-  * Added a new API that provides a callback function to retrieve missing certificates from incomplete certificate chains
-  * Added a new API that provides a callback function to output the complete path to the trusted root during certificate chain verification
-  * OIDs exposed as gnutls_datum_t no longer account for the terminating null bytes, while the data field is null terminated. The affected API functions are: gnutls_ocsp_req_get_extension, gnutls_ocsp_resp_get_response, and gnutls_ocsp_resp_get_extension
-  * Added a new set of API to enable QUIC implementation
-  * The crypto implementation override APIs deprecated in 3.6.9 are now no-op
-  * Added MAGMA/KUZNYECHIK CTR-ACPKM and CMAC support
-  * Support for padlock has been fixed to make it work with Zhaoxin CPU
-  * The maximum PIN length for PKCS #11 has been increased from 31 bytes to 255 bytes
-- Remove patch fixed upstream:
-  * gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch
-- Fix threading bug in libgnutls [bsc#1173434]
-  * Upstream bug: gitlab.com/gnutls/gnutls/issues/1044
-
-- Avoid spurious audit messages about incompatible signature algorithms (bsc#1172695)
-  * add 0001-pubkey-avoid-spurious-audit-messages-from-_gnutls_pu.patch
-
-- FIPS: Use 2048 bit prime in DH selftest (bsc#1176086)
-  * add gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch
-- FIPS: Add TLS KDF selftest (bsc#1176671)
-  * add gnutls-FIPS-TLS_KDF_selftest.patch
-
-- Escape rpm command %%expand when used in comment.
- -- FIPS: Use 2048 bit prime in DH selftest (bsc#1176086) - * add gnutls-FIPS-use_2048_bit_prime_in_DH_selftest.patch - -- FIPS: Add TLS KDF selftest (bsc#1176671) - * add gnutls-FIPS-TLS_KDF_selftest.patch - -- Fix heap buffer overflow in handshake with no_renegotiation alert sent - * CVE-2020-24659 (bsc#1176181) -- add gnutls-CVE-2020-24659.patch - -- FIPS: Implement (EC)DH requirements from SP800-56Arev3 (bsc#1176086) -- add patches - * 0001-Add-Full-Public-Key-Check-for-DH.patch - * 0001-Add-test-to-ensure-DH-exchange-behaves-correctly.patch - * 0002-Add-test-to-ensure-ECDH-exchange-behaves-correctly.patch - * 0003-Add-plumbing-to-handle-Q-parameter-in-DH-exchanges.patch - * 0004-Always-pass-in-and-check-Q-in-TLS-1.3.patch - * 0005-Check-Q-for-FFDHE-primes-in-prime-check.patch - * 0006-Pass-down-Q-for-FFDHE-in-al-pre-TLS1.3-as-well.patch - * 0001-dh-primes-add-MODP-primes-from-RFC-3526.patch - * 0002-dhe-check-if-DH-params-in-SKE-match-the-FIPS-approve.patch - * 0001-dh-check-validity-of-Z-before-export.patch - * 0002-ecdh-check-validity-of-P-before-export.patch - * 0003-dh-primes-make-the-FIPS-approved-check-return-Q-valu.patch - * 0004-dh-perform-SP800-56A-rev3-full-pubkey-validation-on-.patch - * 0005-ecdh-perform-SP800-56A-rev3-full-pubkey-validation-o.patch -- drop obsolete gnutls-3.6.7-fips_DH_ECDH_key_tests.patch - -- Update to 3.6.15 - * libgnutls: Fixed "no_renegotiation" alert handling at incorrect timing. - [GNUTLS-SA-2020-09-04, CVSS: medium] - * libgnutls: If FIPS self-tests are failed, gnutls_fips140_mode_enabled() now - indicates that with a false return value (!1306). - * libgnutls: Under FIPS mode, the generated ECDH/DH public keys are checked - accordingly to SP800-56A rev 3 (!1295, !1299). - * libgnutls: gnutls_x509_crt_export2() now returns 0 upon success, rather than - the size of the internal base64 blob (#1025). 
- * libgnutls: Certificate verification failure due to OCSP must-stapling is not - honored is now correctly marked with the GNUTLS_CERT_INVALID flag - * libgnutls: The audit log message for weak hashes is no longer printed twice - * libgnutls: Fixed version negotiation when TLS 1.3 is enabled and TLS 1.2 is - disabled in the priority string. Previously, even when TLS 1.2 is explicitly - disabled with "-VERS-TLS1.2", the server still offered TLS 1.2 if TLS 1.3 is - enabled (#1054). -- drop upstreamed patches: - * gnutls-detect_nettle_so.patch - * 0001-crypto-api-always-allocate-memory-when-serializing-i.patch - -- Correctly detect gmp, nettle, and hogweed libraries (bsc#1172666) - * add gnutls-detect_nettle_so.patch - -- Fix a memory leak that could lead to a DoS attack against Samba - servers (bsc#1172663) - * add 0001-crypto-api-always-allocate-memory-when-serializing-i.patch -- Temporarily disable broken guile reauth test (bsc#1171565) - * add gnutls-temporarily_disable_broken_guile_reauth_test.patch - -- GNUTLS-SA-2020-06-03 (Fixed insecure session ticket key construction) - The TLS server would not bind the session ticket encryption key with a - value supplied by the application until the initial key rotation, allowing - an attacker to bypass authentication in TLS 1.3 and recover previous - conversations in TLS 1.2 (#1011). (bsc#1172506, CVE-2020-13777) - * add patches: - + gnutls-CVE-2020-13777.patch -- Fixed handling of certificate chain with cross-signed intermediate - CA certificates (#1008). (bsc#1172461) - * add patches: - + 0001-_gnutls_verify_crt_status-apply-algorithm-checks-to-.patch - + 0002-_gnutls_pkcs11_verify_crt_status-check-validity-agai.patch - + 0003-x509-trigger-fallback-verification-path-when-cert-is.patch - + 0004-tests-add-test-case-for-certificate-chain-supersedin.patch - -- Update to 3.6.14 - * libgnutls: Fixed insecure session ticket key construction, since 3.6.4. 
- The TLS server would not bind the session ticket encryption key with a - value supplied by the application until the initial key rotation, allowing - an attacker to bypass authentication in TLS 1.3 and recover previous - conversations in TLS 1.2 (#1011). (bsc#1172506, CVE-2020-13777) - [GNUTLS-SA-2020-06-03, CVSS: high] - * libgnutls: Fixed handling of certificate chain with cross-signed - intermediate CA certificates (#1008). (bsc#1172461) - * libgnutls: Fixed reception of empty session ticket under TLS 1.2 (#997). - * libgnutls: gnutls_x509_crt_print() is enhanced to recognize commonName - (2.5.4.3), decode certificate policy OIDs (!1245), and print Authority - Key Identifier (AKI) properly (#989, #991). - * certtool: PKCS #7 attributes are now printed with symbolic names (!1246). - * libgnutls: Use accelerated AES-XTS implementation if possible (!1244). - Also both accelerated and non-accelerated implementations check key block - according to FIPS-140-2 IG A.9 (!1233). - * libgnutls: Added support for AES-SIV ciphers (#463). - * libgnutls: Added support for 192-bit AES-GCM cipher (!1267). 
- * libgnutls: No longer use internal symbols exported from Nettle (!1235) - * API and ABI modifications: - GNUTLS_CIPHER_AES_128_SIV: Added - GNUTLS_CIPHER_AES_256_SIV: Added - GNUTLS_CIPHER_AES_192_GCM: Added - gnutls_pkcs7_print_signature_info: Added -- Add key D605848ED7E69871: public key "Daiki Ueno " to - the keyring -- Drop gnutls-fips_correct_nettle_soversion.patch (upstream) - -- Add RSA 4096 key generation support in FIPS mode (bsc#1171422) - * add gnutls-3.6.7-fips-rsa-4096.patch - -- Don't check for /etc/system-fips which we don't have (bsc#1169992) - * add gnutls-fips_mode_enabled.patch - -- Backport AES XTS support (bsc#1168835) - * add 0001-Vendor-in-XTS-functionality-from-Nettle.patch - * add gnutls-fips_XTS_key_check.patch - -- Use correct nettle .so version when looking for a FIPS checksum - (bsc#1166635) - * add gnutls-fips_correct_nettle_soversion.patch - -- Update to 3.6.13 - * libgnutls: Fix a DTLS-protocol regression (caused by TLS1.3 support) - The DTLS client would not contribute any randomness to the DTLS negotiation, - breaking the security guarantees of the DTLS protocol (#960) - [GNUTLS-SA-2020-03-31, CVSS: high] (bsc#1168345) - * libgnutls: Added new APIs to access KDF algorithms (#813). - * libgnutls: Added new callback gnutls_keylog_func that enables a custom - logging functionality. - * libgnutls: Added support for non-null terminated usernames in PSK - negotiation (#586). - * gnutls-cli-debug: Improved support for old servers that only support - SSL 3.0. - -- Fix zero random value in DTLS client hello - (CVE-2020-11501, bsc#1168345) - * add gnutls-CVE-2020-11501.patch - -- Split off FIPS checksums into a separate libgnutls30-hmac - subpackage (bsc#1152692) - * update baselibs.conf - -- bsc#1166881 - FIPS: gnutls: cfb8 decryption issue - * No longer truncate output IV if input is shorter than block size. 
- * Added gnutls-3.6.7-fips-backport_dont_truncate_output_IV.patch - -- bsc#1155327 jira#SLE-9518 - FIPS: add DH key test - * Added Diffie Hellman public key verification test. - * gnutls-3.6.7-fips_DH_ECDH_key_tests.patch - -- gnutls 3.6.12 - * libgnutls: Introduced TLS session flag (gnutls_session_get_flags()) - to identify sessions that client request OCSP status request (#829). - * libgnutls: Added support for X448 key exchange (RFC 7748) and Ed448 - signature algorithm (RFC 8032) under TLS (#86). - * libgnutls: Added the default-priority-string option to system configuration; - it allows overriding the compiled-in default-priority-string. - * libgnutls: Added support for GOST CNT_IMIT ciphersuite (as defined by - draft-smyshlyaev-tls12-gost-suites-07). - By default this ciphersuite is disabled. It can be enabled by adding - +GOST to priority string. In the future this priority string may enable - other GOST ciphersuites as well. Note, that server will fail to negotiate - GOST ciphersuites if TLS 1.3 is enabled both on a server and a client. It - is recommended for now to disable TLS 1.3 in setups where GOST ciphersuites - are enabled on GnuTLS-based servers. - * libgnutls: added priority shortcuts for different GOST categories like - CIPHER-GOST-ALL, MAC-GOST-ALL, KX-GOST-ALL, SIGN-GOST-ALL, GROUP-GOST-ALL. - * libgnutls: Reject certificates with invalid time fields. That is we reject - certificates with invalid characters in Time fields, or invalid time formatting - To continue accepting the invalid form compile with --disable-strict-der-time - * libgnutls: Reject certificates which contain duplicate extensions. We were - previously printing warnings when printing such a certificate, but that is - not always sufficient to flag such certificates as invalid. Instead we now - refuse to import them (#887). 
- * libgnutls: If a CA is found in the trusted list, check in addition to - time validity, whether the algorithms comply to the expected level prior - to accepting it. This addresses the problem of accepting CAs which would - have been marked as insecure otherwise (#877). - * libgnutls: The min-verification-profile from system configuration applies - for all certificate verifications, not only under TLS. The configuration can - be overridden using the GNUTLS_SYSTEM_PRIORITY_FILE environment variable. - * libgnutls: The stapled OCSP certificate verification adheres to the convention - used throughout the library of setting the 'GNUTLS_CERT_INVALID' flag. - * libgnutls: On client side only send OCSP staples if they have been requested - by the server, and on server side always advertise that we support OCSP stapling - * libgnutls: Introduced the gnutls_ocsp_req_const_t which is compatible - with gnutls_ocsp_req_t but const. - * certtool: Added the --verify-profile option to set a certificate - verification profile. Use '--verify-profile low' for certificate verification - to apply the 'NORMAL' verification profile. - * certtool: The add_extension template option is considered even when generating - a certificate from a certificate request. - -- gnutls 3.6.11.1: - * libgnutls: Corrected issue with TLS 1.2 session ticket - handling as client during resumption - * libgnutls: gnutls_base64_decode2() succeeds decoding the empty - string to the empty string. This is a behavioral change of the - API but it conforms to the RFC4648 expectations - * libgnutls: Fixed AES-CFB8 implementation, when input is shorter - than the block size. Fix backported from nettle. - * certtool: CRL distribution points will be set in CA - certificates even when non self-signed - * gnutls-cli/serv: added raw public-key handling capabilities - (RFC7250). Key material can be set via the --rawpkkeyfile and - --rawpkfile flags. 
- -- gnutls 3.6.10: - * Add support for deterministic ECDSA/DSA (RFC6979) - * Add functions for in-place encryption/decryption of data buffers - * server now selects the highest TLS protocol version, if TLS 1.3 - is enabled and the client advertises an older protocol version - first - * Add support for GOST 28147-89 cipher in CNT (GOST counter) mode - and MAC generation based on GOST 28147-89 (IMIT) - * certtool: when outputting an encrypted private key do not - insert the textual description of it - -- Install checksums for binary integrity verification which are - required when running in FIPS mode (bsc#1152692, jsc#SLE-9518) - -- gnutls 3.6.9: - * add support for copying digest or MAC contexts - * Mark the crypto implementation override APIs as deprecated - * Add support for AES-GMAC, as a separate to GCM, MAC algorithm - * Add support for Generalname registeredID - * The priority configuration was enhanced to allow more elaborate - system-wide configuration of the library -- includes changes from 3.6.8: - * Add support for AES-XTS cipher - * Fix calculation of Streebog digests - * During Diffie-Hellman operations in TLS, verify that the peer's - public key is on the right subgroup (y^q=1 mod p), when q is - available (under TLS 1.3 and under earlier versions when RFC7919 - parameters are used). - * Apply STD3 ASCII rules in gnutls_idna_map() to prevent - hostname/domain crafting via IDNA conversion - * certtool: allow the digital signature key usage flag in CA - certificates - * gnutls-cli/serv: add the --keymatexport and --keymatexportsize - options. 
These allow testing the RFC5705 using these tools -- drop patches to re-enable tests: - * disable-psk-file-test.patch - * gnutls-3.6.0-disable-flaky-dtls_resume-test.patch - -- Explicitly require libnettle 3.4.1 (bsc#1134856) - * The RSA decryption code was rewritten in GnuTLS 3.6.5 in order - to fix CVE-2018-16868, the new implementation makes use of a new - rsa_sec_decrypt() function introduced in libnettle 3.4.1 - * libnettle was recently updated to the 3.4.1 version but we need - to add explicit dependency on it to prevent missing symbol errors - with the older versions - -- Restored autoreconf in build. -- Removed gnutls-3.6.6-SUSE_SLE15_congruent_version_requirements.patch - since the version requirements of required libraries are once again - automatically determined. -- Added gnutls-3.6.7-SUSE_SLE15_guile_site_directory.patch because it is a - better patch name for handling the '--with-guile-site-dir=' problem in - 3.6.7. - -- Trim useless %if..%endif guards that do not affect the build. -- Fix language errors in description again. - -- Update gnutls to 3.6.7 - * * libgnutls, gnutls tools: Every gnutls_free() will automatically set - the free'd pointer to NULL. This prevents possible use-after-free and - double free issues. Use-after-free will be turned into NULL dereference. - The counter-measure does not extend to applications using gnutls_free(). - * * libgnutls: Fixed a memory corruption (double free) vulnerability in the - certificate verification API. Reported by Tavis Ormandy; addressed with - the change above. [GNUTLS-SA-2019-03-27, #694] [bsc#1130681] (CVE-2019-3829) - * * libgnutls: Fixed an invalid pointer access via malformed TLS1.3 async messages; - Found using tlsfuzzer. [GNUTLS-SA-2019-03-27, #704] [bsc#1130682] (CVE-2019-3836) - * * libgnutls: enforce key usage limitations on certificates more actively. - Previously we would enforce it for TLS1.2 protocol, now we enforce it - even when TLS1.3 is negotiated, or on client certificates as well. 
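The 3.6.10 entry above lists support for deterministic ECDSA/DSA (RFC 6979). What that means concretely is that the per-signature secret k is derived from the private key and the message hash with HMAC_DRBG instead of being drawn from the RNG, so a weak or repeated random source can no longer leak the private key through a reused nonce. The block below is an added example written for this page, not GnuTLS's implementation; it shows only the nonce derivation of RFC 6979 section 3.2, not the curve arithmetic of the signature itself. The private key is a constructed value; the P-256 group order is the public constant from the curve definition.

```python
"""Deterministic nonce generation per RFC 6979, section 3.2.

Added example, not GnuTLS code. Derives k from (private key, H(message))
with HMAC_DRBG so that signing is deterministic and never consults an RNG.
"""
import hashlib
import hmac


def bits2int(b: bytes, qlen: int) -> int:
    """RFC 6979 2.3.2: the leftmost qlen bits of b as an integer."""
    x = int.from_bytes(b, "big")
    blen = len(b) * 8
    return x >> (blen - qlen) if blen > qlen else x


def int2octets(x: int, rlen: int) -> bytes:
    """RFC 6979 2.3.3: x as a big-endian string of exactly rlen bytes."""
    return x.to_bytes(rlen, "big")


def bits2octets(b: bytes, q: int, qlen: int, rlen: int) -> bytes:
    """RFC 6979 2.3.4: bits2int(b) reduced mod q, then int2octets."""
    return int2octets(bits2int(b, qlen) % q, rlen)


def rfc6979_nonce(x: int, msg: bytes, q: int, hashfunc=hashlib.sha256) -> int:
    """Return k in [1, q-1], a deterministic function of (x, H(msg)).

    x  private key, 0 < x < q
    q  group order (the curve order for ECDSA, the subgroup order for DSA)
    """
    qlen = q.bit_length()
    rlen = (qlen + 7) // 8
    hlen = hashfunc().digest_size
    h1 = hashfunc(msg).digest()
    seed = int2octets(x, rlen) + bits2octets(h1, q, qlen, rlen)

    def mac(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashfunc).digest()

    V = b"\x01" * hlen                    # step b
    K = b"\x00" * hlen                    # step c
    K = mac(K, V + b"\x00" + seed)        # step d
    V = mac(K, V)                         # step e
    K = mac(K, V + b"\x01" + seed)        # step f
    V = mac(K, V)                         # step g
    while True:                           # step h
        T = b""
        while len(T) * 8 < qlen:          # h.2: generate at least qlen bits
            V = mac(K, V)
            T += V
        k = bits2int(T, qlen)
        if 1 <= k < q:                    # h.3: accept only a usable nonce
            return k
        K = mac(K, V + b"\x00")           # otherwise reseed and retry
        V = mac(K, V)


# Order of the NIST P-256 curve (public constant from the curve definition).
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
# Constructed private key for the demonstration (assumption, not a real key).
SAMPLE_PRIVKEY = 0x1F2E3D4C5B6A79880123456789ABCDEF0123456789ABCDEF0123456789ABCDEF

if __name__ == "__main__":
    k = rfc6979_nonce(SAMPLE_PRIVKEY, b"sample", P256_ORDER)
    print("k =", format(k, "064x"))
    # Same key and message always give the same k; any change gives a fresh one.
    print(rfc6979_nonce(SAMPLE_PRIVKEY, b"sample", P256_ORDER) == k)   # True
    print(rfc6979_nonce(SAMPLE_PRIVKEY, b"test", P256_ORDER) == k)     # False
```

To validate an implementation like this one, run it with the private keys and messages from RFC 6979 Appendix A and compare the resulting k with the published vectors; the retry branch of step h is exercised with a small q (for example q = 11), where the top bits of T frequently fall outside [1, q-1].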
When - an inappropriate for TLS1.3 certificate is seen on the credentials structure - GnuTLS will disable TLS1.3 support for that session (#690). - * * libgnutls: the default number of tickets sent under TLS 1.3 was increased to - two. This makes it easier for clients which perform multiple connections - to the server to use the tickets sent by a default server. - * * libgnutls: enforce the equality of the two signature parameters fields in - a certificate. We were already enforcing the signature algorithm, but there - was a bug in parameter checking code. - * * libgnutls: fixed issue preventing sending and receiving from different - threads when false start was enabled (#713). - * * libgnutls: the flag GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO now implies a writable - session, as non-writeable security officer sessions are undefined in PKCS#11 - (#721). - * * libgnutls: no longer send downgrade sentinel in TLS 1.3. - Previously the sentinel value was embedded too early in version - negotiation and was sent even on TLS 1.3. It is now sent only when - TLS 1.2 or earlier is negotiated (#689). - * * gnutls-cli: Added option --logfile to redirect informational messages output. -- Disabled dane support since dane is not shipped with SLE-15 -- Changed configure script to hardwire the guile site directory since command-line - option '--with-guile-site-dir=' was removed from the configure script in 3.6.7. - * * Modified gnutls-3.6.6-SUSE_SLE15_congruent_version_requirements.patch -- Modified gnutls-3.6.0-disable-flaky-dtls_resume-test.patch to fix - compilation issues on PPC -- Fixed Bleichenbacher-like side channel leakage in PKCS#1 v1.5 verification - and padding oracle verification (in 3.6.5) [bsc#1118087] (CVE-2018-16868) - -- FATE#327114 - Update gnutls to 3.6.6 to support TLS 1.3 - * * libgnutls: gnutls_pubkey_import_ecc_raw() was fixed to set the number bits - on the public key (#640). - * * libgnutls: Added support for raw public-key authentication as defined in RFC7250. 
- Raw public-keys can be negotiated by enabling the corresponding certificate - types via the priority strings. The raw public-key mechanism must be explicitly - enabled via the GNUTLS_ENABLE_RAWPK init flag (#26, #280). - * * libgnutls: When on server or client side we are sending no extensions we do - not set an empty extensions field but we rather remove that field completely. - This solves a regression since 3.5.x and improves compatibility of the server - side with certain clients. - * * libgnutls: We no longer mark RSA keys in PKCS#11 tokens as RSA-PSS capable if - the CKA_SIGN is not set (#667). - * * libgnutls: The priority string option %NO_EXTENSIONS was improved to completely - disable extensions at all cases, while providing a functional session. This - also implies that when specified, TLS1.3 is disabled. - * * libgnutls: GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION was marked as deprecated. - The previous definition was non-functional (#609). - * Removed patches: - 0001-dummy_wait-correctly-account-the-length-field-in-SHA.patch - 0002-dummy_wait-always-hash-the-same-amount-of-blocks-tha.patch - 0003-cbc_mac_verify-require-minimum-padding-under-SSL3.0.patch - 0004-hmac-sha384-and-sha256-ciphersuites-were-removed-fro.patch - * Added Patches: - * * disable failing psk-file test (race condition): - disable-psk-file-test.patch - * * Patch configure script to accept specific versions of autotools and guile - that are present in SUSE-SLE15. (A bug prevents configure from accepting - a range of compatible versions. Upstream's solution is to hardwire for - the most current versions.) 
- gnutls-3.6.6-SUSE_SLE15_congruent_version_requirements.patch - * Modified: - * * gnutls-3.6.0-disable-flaky-dtls_resume-test.patch -- drop no longer needed gnutls-enbale-guile-2.2.patch -- refresh disable-psk-file-test.patch - -- Update to 3.6.5 - * * libgnutls: Provide the option of transparent re-handshake/reauthentication - when the GNUTLS_AUTO_REAUTH flag is specified in gnutls_init() (#571). - * * libgnutls: Added support for TLS 1.3 zero round-trip (0-RTT) mode (#127) - * * libgnutls: The priority functions will ignore and not enable TLS1.3 if - requested with legacy TLS versions enabled but not TLS1.2. That is because - if such a priority string is used in the client side (e.g., TLS1.3+TLS1.0 enabled) - servers which do not support TLS1.3 will negotiate TLS1.2 which will be - rejected by the client as disabled (#621). - * * libgnutls: Change RSA decryption to use a new side-channel silent function. - This addresses a security issue where memory access patterns as well as timing - on the underlying Nettle rsa-decrypt function could lead to new Bleichenbacher - attacks. Side-channel resistant code is slower due to the need to mask - access and timings. When used in TLS the new functions cause RSA based - handshakes to be between 13% and 28% slower on average (Numbers are indicative, - the tests were performed on a relatively modern Intel CPU, results vary - depending on the CPU and architecture used). This change makes nettle 3.4.1 - the minimum requirement of gnutls (#630). [CVSS: medium] - * * libgnutls: gnutls_priority_init() and friends, allow the CTYPE-OPENPGP keyword - in the priority string. It is only accepted as legacy option and is ignored. 
- * * libgnutls: Added support for EdDSA under PKCS#11 (#417) - * * libgnutls: Added support for AES-CFB8 cipher (#357) - * * libgnutls: Added support for AES-CMAC MAC (#351) - * * libgnutls: In two previous versions GNUTLS_CIPHER_GOST28147_CPB/CPC/CPD_CFB ciphers - have incorrectly used CryptoPro-A S-BOX instead of proper (CryptoPro-B/-C/-D - S-BOXes). They are fixed now. - * * libgnutls: Added support for GOST key unmasking and unwrapped GOST private - keys parsing, as specified in R 50.1.112-2016. - * * gnutls-serv: It applies the default settings when no --priority option is given, - using gnutls_set_default_priority(). - * * p11tool: Fix initialization of security officer's PIN with the --initialize-so-pin - option (#561) - * * certtool: Add parameter --no-text that prevents certtool from outputting - text before PEM-encoded private key, public key, certificate, CRL or CSR. -- minimum required libnettle is now 3.4.1 -- refresh - * disable-psk-file-test.patch - * gnutls-3.6.0-disable-flaky-dtls_resume-test.patch - -- search for guile-2.2 during configure, part of boo#1117121 - add patches: - * gnutls-enbale-guile-2.2.patch: search for guile-2.2 - refresh patches: - * disable-psk-file-test.patch: disable psk-file in Makefile.am - -- Temporarily disable failing psk-file test (race condition) - * add disable-psk-file-test.patch - -- Version update to 3.6.4 (bsc#1111757): - * * libgnutls: Added the final (RFC8446) version numbering of the TLS1.3 protocol. - * * libgnutls: Corrected regression since 3.6.3 in the callbacks set with - gnutls_certificate_set_retrieve_function() which could not handle the case where - no certificates were returned, or the callbacks were set to NULL (see #528). - * * libgnutls: gnutls_handshake() on server returns early on handshake when no - certificate is presented by client and the gnutls_init() flag GNUTLS_ENABLE_EARLY_START - is specified. - * * libgnutls: Added session ticket key rotation on server side with TOTP. 
- The key set with gnutls_session_ticket_enable_server() is used as a - master key to generate time-based keys for tickets. The rotation - relates to the gnutls_db_set_cache_expiration() period. - * * libgnutls: The 'record size limit' extension is added and preferred to the - 'max record size' extension when possible. - * * libgnutls: Provide a more flexible PKCS#11 search of trust store certificates. - This addresses the problem where the CA certificate doesn't have a subject key - identifier whereas the end certificates have an authority key identifier (#569) - * * libgnutls: gnutls_privkey_export_gost_raw2(), gnutls_privkey_import_gost_raw(), - gnutls_pubkey_export_gost_raw2(), gnutls_pubkey_import_gost_raw() import - and export GOST parameters in the "native" little endian format used for these - curves. This is an intentional incompatible change with 3.6.3. - * * libgnutls: Added support for separately negotiating client and server certificate types - as defined in RFC7250. This mechanism must be explicitly enabled via the - GNUTLS_ENABLE_CERT_TYPE_NEG flag in gnutls_init(). 
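The 3.6.4 entry above introduces the design that later went wrong in CVE-2020-13777 (listed in the 3.6.14 entry): the application-supplied key is a master from which per-period ticket keys are derived, and the 3.6.4 to 3.6.13 bug was that the key actually used before the first rotation was not bound to that master. The block below is an added model written for this page, not GnuTLS code: the KDF, ticket format and rotation window are assumptions, HMAC-SHA256 stands in for both key derivation and the ticket protection, and the "ticket" is only integrity-protected rather than encrypted so the script stays dependency-free. What it demonstrates is the property the fix restores: every period key, including the very first, is a deterministic function of the master key.

```python
"""TOTP-style session ticket key rotation (added model, not GnuTLS code).

Per-period keys are derived statelessly from the master key, so there is no
"initial" key that exists before the first rotation and could be predicted.
"""
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size  # 32


class TicketKeyRing:
    def __init__(self, master_key: bytes, period: int):
        if len(master_key) < 32:
            raise ValueError("master key must be at least 256 bits")
        if period <= 0:
            raise ValueError("rotation period must be positive")
        self.master = master_key
        self.period = period

    def slot(self, now: int) -> int:
        """Time slot index; the ticket key rotates whenever this changes."""
        return now // self.period

    def key_for_slot(self, slot: int) -> bytes:
        """Derive the key for a slot from the master key (assumed KDF).

        Slot 0 depends on the master exactly like every later slot, which is
        the binding that CVE-2020-13777 lacked until the first rotation.
        """
        label = b"session-ticket-key" + slot.to_bytes(8, "big")
        return hmac.new(self.master, label, hashlib.sha256).digest()

    def seal(self, payload: bytes, now: int) -> bytes:
        """Issue a ticket: slot || payload || MAC under that slot's key."""
        slot = self.slot(now)
        body = slot.to_bytes(8, "big") + payload
        tag = hmac.new(self.key_for_slot(slot), body, hashlib.sha256).digest()
        return body + tag

    def open(self, ticket: bytes, now: int):
        """Return the payload, or None if the ticket is forged or too old.

        The current slot and the one before it are accepted, so a ticket
        issued just before a rotation stays usable for one full period.
        """
        if len(ticket) < 8 + TAG_LEN:
            return None
        slot = int.from_bytes(ticket[:8], "big")
        if slot not in (self.slot(now), self.slot(now) - 1):
            return None
        body, tag = ticket[:-TAG_LEN], ticket[-TAG_LEN:]
        expected = hmac.new(self.key_for_slot(slot), body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        return body[8:]


if __name__ == "__main__":
    # Constructed master key and clock values for the demonstration.
    ring = TicketKeyRing(hashlib.sha256(b"demo master").digest(), period=3600)
    t = ring.seal(b"resumption state", now=1_000)
    print(ring.open(t, now=1_000))          # b'resumption state'
    print(ring.open(t, now=1_000 + 3600))   # still accepted: previous slot
    print(ring.open(t, now=1_000 + 7200))   # None: two rotations later
```

Two rings built from different master keys produce different slot-0 keys, so a ticket issued by one cannot be opened by the other even before any rotation has happened; that is the check a regression test for this class of bug should make.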
-- Drop upstreamed patch: - * gnutls-3.6.3-backport-upstream-fixes.patch - -- gnutls-3.6.0-disable-flaky-dtls_resume-test.patch: refresh to also patch - test/Makefile.in as autoreconf does not work - -- Backport of upstream fixes (boo#1108450) - * gnutls-3.6.3-backport-upstream-fixes.patch - Fixes taken from upstream commits: - * * 3df5b7bc8a64 ("cert-cred: fix possible segfault when resetting cert retrieval function") - * * 42945a7aab6d ("allow no certificates to be reported by the gnutls_certificate_retrieve_function callbacks") - * * 10f83e36ed92 ("hello_ext_parse: apply the test for pre-shared key ext being last on client hello") - The patch was taken from https://github.com/weechat/weechat/issues/1231 - -- Security update - Improve mitigations against Lucky 13 class of attacks - * "Just in Time" PRIME + PROBE cache-based side channel attack - can lead to plaintext recovery (CVE-2018-10846, bsc#1105460) - * HMAC-SHA-384 vulnerable to Lucky thirteen attack due to use of - wrong constant (CVE-2018-10845, bsc#1105459) - * HMAC-SHA-256 vulnerable to Lucky thirteen attack due to not - enough dummy function calls (CVE-2018-10844, bsc#1105437) - * add patches: - 0001-dummy_wait-correctly-account-the-length-field-in-SHA.patch - 0002-dummy_wait-always-hash-the-same-amount-of-blocks-tha.patch - 0003-cbc_mac_verify-require-minimum-padding-under-SSL3.0.patch - 0004-hmac-sha384-and-sha256-ciphersuites-were-removed-fro.patch - -- Update to 3.6.3 - Fixes security issues: - CVE-2018-10846, CVE-2018-10845, CVE-2018-10844, CVE-2017-10790 - (bsc#1105437, bsc#1105460, bsc#1105459, bsc#1047002) - Other Changes: - * * libgnutls: Introduced support for draft-ietf-tls-tls13-28 - * * libgnutls: Apply compatibility settings for existing applications running with TLS1.2 or - earlier and TLS 1.3. - * * Added support for Russian Public Key Infrastructure according to RFCs 4491/4357/7836. 
- * * Provide a uniform cipher list across supported TLS protocols - * * The SSL 3.0 protocol is disabled on compile-time by default. - * * libgnutls: Introduced function to switch the current FIPS140-2 operational - mode - * * libgnutls: Introduced low-level function to assist applications attempting client - hello extension parsing, prior to GnuTLS' parsing of the message. - * * libgnutls: When exporting an X.509 certificate avoid re-encoding if there are no - modifications to the certificate. - * * libgnutls: on group exchange honor the %SERVER_PRECEDENCE and select the groups - which are preferred by the server. - * * Improved counter-measures for TLS CBC record padding. - * * Introduced the %FORCE_ETM priority string option. This option prevents the negotiation - of legacy CBC ciphersuites unless encrypt-then-mac is negotiated. - * * libgnutls: gnutls_privkey_import_ext4() was enhanced with the - GNUTLS_PRIVKEY_INFO_PK_ALGO_BITS flag. - * * libgnutls: gnutls_pkcs11_copy_secret_key, gnutls_pkcs11_copy_x509_privkey2, - gnutls_pkcs11_privkey_generate3 will mark objects as sensitive by default - unless GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE is specified. This is an API - change for these functions which make them err towards safety. - * * libgnutls: improved aarch64 cpu features detection by using getauxval(). - * * certtool: It is now possible to specify certificate and serial CRL numbers greater - than 2**63-2 as a hex-encoded string both when prompted and in a template file. - Default certificate serial numbers are now fully random. -- don't run autoreconf to avoid pulling in gtk-doc - -- Require pkgconfig(autoopts) for building - -- Simplify the DANE support %ifdef condition - * build with DANE on openSUSE only - -- Adjust RPM groups. Drop %if..%endif guards that are idempotent. 
- -- build without DANE support on SLE-15, as it doesn't have unbound - (bsc#1086428) - -- add back refreshed gnutls-3.6.0-disable-flaky-dtls_resume-test.patch - the dtls-resume test still keeps randomly failing on PPC - -- remove gnutls-3.6.0-disable-flaky-dtls_resume-test.patch - patch does not apply any more and apparently the build - succeeds even if the formerly flaky testcase is run (bsc#1086579) - -- gnutls.keyring: Nikos' key refreshed to be unexpired - -- GnuTLS 3.6.2: - * libgnutls: When verifying against a self signed certificate ignore issuer. - That is, ignore issuer when checking the issuer's parameters strength, - resolving issue #347 which caused self signed certificates to be - additionally marked as of insufficient security level. - * libgnutls: Corrected MTU calculation for the CBC ciphersuites. The data - MTU calculation now correctly accounts for the fixed overhead due to - padding (as 1 byte), while at the same time considers the rest of the - padding as part of data MTU. - * libgnutls: Address issue of loading of all PKCS#11 modules on startup - on systems with a PKCS#11 trust store (as opposed to a file trust store). - Introduced a multi-stage initialization which loads the trust modules, and - other modules are deferred for the first pure PKCS#11 request. - * libgnutls: The SRP authentication will reject any parameters outside - RFC5054. This protects any client from potential MitM due to insecure - parameters. That also brings SRP on par with the RFC7919 changes to - Diffie-Hellman. - * libgnutls: Added the 8192-bit parameters of SRP to the accepted parameters - for SRP authentication. - * libgnutls: Addressed issue in the accelerated code affecting - interoperability with versions of nettle >= 3.4. - * libgnutls: Addressed issue in the AES-GCM acceleration under aarch64. - * libgnutls: Addressed issue in the AES-CBC acceleration under ssse3 (patch by - Vitezslav Cizek). 
- * srptool: the --create-conf option no longer includes 1024-bit parameters. - * p11tool: Fixed the deletion of objects in batch mode. -- Dropped gnutls-check_aes_keysize.patch as it is included upstream now. - -- Use %license (boo#1082318) - -- Sanity check key size in SSSE3 AES cipher implementation (bsc#1074303) - * add gnutls-check_aes_keysize.patch - -- GnuTLS 3.6.1: - * Fix interoperability issue with openssl when safe renegotiation - was used - * gnutls_x509_crl_sign, gnutls_x509_crt_sign, - gnutls_x509_crq_sign, were modified to sign with a better - algorithm than SHA1. They will now sign with an algorithm that - corresponds to the security level of the signer's key. - * gnutls_x509_*_sign2() functions and gnutls_x509_*_privkey_sign() - accept GNUTLS_DIG_UNKNOWN (0) as a hash function option. That - will signal the function to auto-detect an appropriate hash - algorithm to use. - * Remove support for signature algorithms using SHA2-224 in TLS. - TLS 1.3 no longer uses SHA2-224 and it was never a widespread - algorithm in TLS 1.2 - * Refuse to use client certificates containing disallowed - algorithms for a session, reverting a change on 3.5.5 - * Refuse to resume a session which had a different SNI advertised - That improves RFC6066 support in server side. - * p11tool: Mark all generated objects as sensitive by default. - * p11tool: added options --sign-params and --hash. This allows - testing signature with multiple algorithms, including RSA-PSS. - -- Disable flaky dtls_resume test on Power - * add gnutls-3.6.0-disable-flaky-dtls_resume-test.patch - -- GnuTLS 3.6.0: - * Introduce a lock-free random generator which operates per- - thread and eliminates random-generator related bottlenecks in - multi-threaded operation. - * Replace the Salsa20 random generator with one based on CHACHA. - The goal is to reduce code needed in cache (CHACHA is also - used for TLS), and the number of primitives used by the - library. 
That does not affect the AES-DRBG random generator - used in FIPS140-2 mode. - * Add support for RSA-PSS key type as well as signatures in - certificates, and TLS key exchange - * Add support for Ed25519 signing in certificates and TLS key - exchange following draft-ietf-tls-rfc4492bis-17 - * Enable X25519 key exchange by default, following - draft-ietf-tls-rfc4492bis-17. - * Add support for Diffie-Hellman group negotiation following - RFC7919. - * Introduce various sanity checks on certificate import - * Introduce gnutls_x509_crt_set_flags(). This function can set - flags in the crt structure. The only flag supported at the - moment is GNUTLS_X509_CRT_FLAG_IGNORE_SANITY which skips the - certificate sanity checks on import. - * PKIX certificates with unknown critical extensions are rejected - on verification with status GNUTLS_CERT_UNKNOWN_CRIT_EXTENSIONS - * Refuse to generate a certificate with an illegal version, or an - illegal serial number. That is, gnutls_x509_crt_set_version() - and gnutls_x509_crt_set_serial(), will fail on input considered - to be invalid in RFC5280. - * Call to gnutls_record_send() and gnutls_record_recv() prior to - handshake being complete are now refused - * Add support for PKCS#12 files with no salt (zero length) in - their password encoding, and PKCS#12 files using SHA384 and - SHA512 as MAC. - * libgnutls: Exported functions to encode and decode DSA and ECDSA - r,s values. - * Add new callback setting function to gnutls_privkey_t for - external keys. The new function (gnutls_privkey_import_ext4), - allows signing in addition to previous algorithms (RSA PKCS#1 - 1.5, DSA, ECDSA), with RSA-PSS and Ed25519 keys. - * Introduce the %VERIFY_ALLOW_BROKEN and - %VERIFY_ALLOW_SIGN_WITH_SHA1 priority string options. These - allows enabling all broken and SHA1-based signature algorithms - in certificate verification, respectively. - * 3DES-CBC is no longer included in the default priorities list. 
- It has to be explicitly enabled, e.g., with a string like - "NORMAL:+3DES-CBC". - * SHA1 was marked as insecure for signing certificates. - Verification of certificates signed with SHA1 is now considered - insecure and will fail, unless flags intended to enable broken - algorithms are set. Other uses of SHA1 are still allowed. - * RIPEMD160 was marked as insecure for certificate signatures. - Verification of certificates signed with RIPEMD160 hash - algorithm is now considered insecure and will fail, unless - flags intended to enable broken algorithms are set. - * No longer enable SECP192R1 and SECP224R1 by default on TLS - handshakes. These curves were rarely used for that purpose, - provide no advantage over x25519 and were deprecated by TLS 1.3. - * Remove support for DEFLATE, or any other compression method. - * OpenPGP authentication was removed; the resulting library is ABI - compatible, with the openpgp related functions being stubs that - fail on invocation. - Drop gnutls-broken-openpgp-tests.patch, no longer required. - * Remove support for libidn (i.e., IDNA2003); gnutls can now be - compiled only with libidn2 which provides IDNA2008. - * certtool: The option '--load-ca-certificate' can now accept - PKCS#11 URLs in addition to files. - * certtool: The option '--load-crl' can now be used when - generating PKCS#12 files (i.e., in conjunction with '--to-p12' option). - * certtool: Keys with provable RSA and DSA parameters are now - only read and exported from PKCS#8 form, following - draft-mavrogiannopoulos-pkcs8-validated-parameters-00.txt. - This removes support for the previous non-standard key format. - * certtool: Added support for generating, printing and handling - RSA-PSS and Ed25519 keys and certificates. - * certtool: the parameters --rsa, --dsa and --ecdsa to - --generate-privkey are now deprecated, replaced by the - --key-type option. 
- * p11tool: The --generate-rsa, --generate-ecc and --generate-dsa - options were replaced by the --generate-privkey option. - * psktool: Generate 256-bit keys by default. - * gnutls-server: Increase request buffer size to 16kb, and added - the --alpn and --alpn-fatal options, allowing testing of ALPN - negotiation. - * Enables FIPS 140-2 mode during build - -- Buildrequire iproute2: the test suite calls /usr/bin/ss and as - such we have to ensure to pull it in. - -- GnuTLS 3.5.15: - * libgnutls: Disable hardware acceleration on aarch64/ilp32 mode - * certtool: Keys with provable RSA and DSA parameters are now - only exported in PKCS#8 form - -- RPM group fix. Diversification of summaries. -- Avoid aims and future plans in description. Say what it does now. - -- Drop the deprecated openssl compat ; discussed and suggested by - vcizek -- Cleanup a bit with spec-cleaner - -- GnuTLS 3.5.14: - * Handle specially HSMs which request explicit authentication - * he GNUTLS_PKCS11_OBJ_FLAG_LOGIN will force a login on HSMs - * do not set leading zeros when copying integers on HSMs - * Fix issue discovering certain OCSP signers, and improved the - discovery of OCSP signer in the case where the Subject Public - Key identifier field matches - * ensure OCSP responses are saved with --save-ocsp even if - certificate verification fails. - -- GnuTLS 3.5.13: - * libgnutls: fixed issue with AES-GCM in-place encryption and - decryption in aarch64 - * libgnutls: no longer parse the ResponseID field of the status - response TLS extension. The field is not used by GnuTLS nor is - made available to calling applications. That addresses a null - pointer dereference on server side caused by packets containing - the ResponseID field. GNUTLS-SA-2017-4, bsc#1043398 - * libgnutls: tolerate certificates which do not have strict DER - time encoding. It is possible using 3rd party tools to generate - certificates with time fields that do not conform to DER - requirements. 
Since 3.4.x these certificates were rejected and - cannot be used with GnuTLS, however that caused problems with - existing private certificate infrastructures, which were - relying on such certificates. Tolerate reading and using these - certificates. - * minitasn1: updated to libtasn1 4.11. - * certtool: allow multiple certificates to be used in --p7-sign - with the --load-certificate option - -- GnuTLS 3.5.12: - * libgnutls: gnutls_x509_crt_check_hostname2() no longer matches - IP addresses against DNS fields of certificate (CN or DNSname). - The previous behavior was to tolerate some misconfigured - servers, but that was non-standard and skipped any IP - constraints present in higher level certificates. - * libgnutls: when converting to IDNA2008, fallback to IDNA2003 - (i.e., transitional encoding) if the domain cannot be converted. - That provides maximum compatibility with browsers like firefox - that perform the same conversion. - * libgnutls: fix issue in RSA-PSK client callback which resulted - in no username being sent to the peer - * libgnutls: fix regression causing stapled extensions in trust - modules not to be considered. - * certtool: introduced the email_protection_key option. This - option was introduced in documentation for certtool without an - implementation of it. It is a shortcut for option - 'key_purpose_oid = 1.3.6.1.5.5.7.3.4'. - * certtool: made printing of key ID and key PIN consistent - between certificates, public keys, and private keys. That is - the private key printing now uses the same format as the rest. - * gnutls-cli: introduced the --sni-hostname option. This allows - overriding the hostname advertised to the peer. - -- skip trust-store tests to avoid build cycle with - ca-certificates-mozilla, add gnutls-3.5.11-skip-trust-store-tests.patch - -- GnuTLS 3.5.11: - * gnutls.pc: do not include libtool options into Libs.private. 
- * libgnutls: Fixed issue when rehandshaking without a client certificate in - a session which initially used one - * libgnutls: Addressed read of 4 bytes past the end of buffer in OpenPGP - certificate parsing (bsc#1038337) - * libgnutls: Introduced locks in gnutls_pkcs11_privkey_t structure access. - That allows PKCS#11 operations such as signing to be performed with the - same object from multiple threads. - * libgnutls: when disabling OpenPGP authentication, the resulting library - is ABI compatible (will openpgp related functions being stubs that fail - on invocation). - -- call gzip -n to make build fully reproducible - -- update to 3.5.10 - * addresses GNUTLS-SA-2017-3 CVE-2017-7869 bsc#1034173 - * gnutls.pc: do not include libidn2 in Requires.private - * libgnutls: optimized access to subject alternative names (SANs) in parsed - certificates - * libgnutls: Print the key PIN value used by the HPKP protocol as per RFC7469 - when printing certificate information. - * libgnutls: gnutls_ocsp_resp_verify_direct() and gnutls_ocsp_resp_verify() - flags can be set from the gnutls_certificate_verify_flags enumeration. - This allows the functions to pass the same flags available for certificates - to the verification function (e.g., GNUTLS_VERIFY_DISABLE_TIME_CHECKS or - GNUTLS_VERIFY_ALLOW_BROKEN). - * libgnutls: gnutls_store_commitment() can accept flag - GNUTLS_SCOMMIT_FLAG_ALLOW_BROKEN. This is to allow the function to operate - in applications which use SHA1 for example, after SHA1 is deprecated. - * certtool: No longer ignore the 'add_critical_extension' template option if - the 'add_extension' option is not present. 
- * gnutls-cli: Added LMTP, POP3, NNTP, Sieve and PostgreSQL support to the - starttls-proto command- drop gnutls-3.5.9-pkgconfig.patch (upstream) -- drop gnutls-3.5.9-pkgconfig.patch (upstream) -- remove unknown --disable-srp flag (bsc#901857) - -- disable the deprecated OpenPGP authentication support - * see https://gitlab.com/gnutls/gnutls/issues/102 -- add gnutls-broken-openpgp-tests.patch - -- GnuTLS 3.5.9: - * libgnutls: OpenPGP references removed, functionality deprecated - * libgnutls: Improve detection of AVX support - * libgnutls: Add support for IDNA2008 with libidn2 FATE#321897 - * p11tool: re-use ID from corresponding objects when writing - certificates. - * API and ABI modifications: - gnutls_idna_map: Added - gnutls_idna_reverse_map: Added -- prevent pkgconfig issues due to libidn2 when building with GnuTLS - add gnutls-3.5.9-pkgconfig.patch - -- Version 3.5.8 (released 2016-01-09) - * libgnutls: Ensure that multiple calls to the gnutls_set_priority_* - functions will not leave the verification profiles field to an - undefined state. The last call will take precedence. - * libgnutls: Ensure that GNUTLS_E_DECRYPTION_FAIL will be returned - by PKCS#8 decryption functions when an invalid key is provided. This - addresses regression on decrypting certain PKCS#8 keys. - * libgnutls: Introduced option to override the default priority string - used by the library. The intention is to allow support of system-wide - priority strings (as set with --with-system-priority-file). The - configure option is --with-default-priority-string. - * libgnutls: Require a valid IV size on all ciphers for PKCS#8 decryption. - This prevents crashes when decrypting malformed PKCS#8 keys. - * libgnutls: Fix crash on the loading of malformed private keys with certain - parameters set to zero. - * libgnutls: Fix double free in certificate information printing. 
If the PKIX - extension proxy was set with a policy language set but no policy specified, - that could lead to a double free. - * libgnutls: Addressed memory leaks in client and server side error paths - (issues found using oss-fuzz project) - * libgnutls: Addressed memory leaks in X.509 certificate printing error paths - (issues found using oss-fuzz project) - * libgnutls: Addressed memory leaks and an infinite loop in OpenPGP certificate - parsing. Fixes by Alex Gaynor. (issues found using oss-fuzz project) - * libgnutls: Addressed invalid memory accesses in OpenPGP certificate parsing. - (issues found using oss-fuzz project) -- security issues fixed: GNUTLS-SA-2017-1 GNUTLS-SA-2017-2 - -- GnuTLS 3.5.7, the next stable branch, with the following - highlights: - * SHA3 as a certificate signature algorithm - * X25519 (formerly curve25519) for ephemeral EC diffie-hellman - key exchange - * TLS false start - * New APIs to access the Shawe-Taylor-based provable RSA and DSA - parameter generation - * Prevent the change of identity on rehandshakes by default - -- GnuTLS 3.4.17: - * libgnutls: Introduced time and constraints checks in the end - certificate in the gnutls_x509_crt_verify_data2() and - gnutls_pkcs7_verify_direct() functions. - * libgnutls: Set limits on the maximum number of alerts handled. - That is, applications using gnutls could be tricked into an - busy loop if the peer sends continuously alert messages. - Applications which set a maximum handshake time (via - gnutls_handshake_set_timeout) will eventually recover but - others may remain in a busy loops indefinitely. This is related - but not identical to CVE-2016-8610, due to the difference in - alert handling of the libraries (gnutls delegates that handling - to applications). boo#1005879 - * libgnutls: Enhanced the PKCS#7 parser to allow decoding old - (pre-rfc5652) structures with arbitrary encapsulated content. 
- * libgnutls: Backported cipher priorities order from 3.5.x branch - That adds CHACHA20-POLY1305 ciphersuite to SECURE priority - strings. - * certtool: When exporting a CRQ in DER format ensure no text data - are intermixed. - * API and ABI modifications: - gnutls_pkcs7_get_embedded_data_oid: Added -- includes changes from 3.4.16: - * libgnutls: Ensure proper cleanups on - gnutls_certificate_set_*key() failures due to key mismatch. - This prevents leaks or double freeing on such failures. - * libgnutls: Increased the maximum size of the handshake message - hash. This will allow the library to cope better with larger - packets, as the ones offered by current TLS 1.3 drafts. - * libgnutls: Allow to use client certificates despite them - containing disallowed algorithms for a session. That allows for - example a client to use DSA-SHA1 due to his old DSA - certificate, without requiring him to enable DSA-SHA1 (and thus - make it acceptable for the server's certificate). - * guile: Backported all improvements from 3.5.x branch. - * guile: Update code to the I/O port API of Guile >= 2.1.4 - This makes sure the GnuTLS bindings will work with the - forthcoming 2.2 stable series of Guile, of which 2.1 is a - preview. - -- GnuTLS 3.4.15: - * libgnutls: Corrected the comparison of the serial size in OCSP - response. Previously the OCSP certificate check wouldn't verify - the serial length and could succeed in cases it shouldn't - (GNUTLS-SA-2016-3). - * libgnutls: Fixes in gnutls_x509_crt_list_import2, which was - ignoring flags if all certificates in the list fit within the - initially allocated memory. - * libgnutls: Corrected issue which made - gnutls_certificate_get_x509_crt() to return invalid pointers - when returned more than a single certificate. - * libgnutls: Fix gnutls_pkcs12_simple_parse to always extract the - complete chain. - * libgnutls: Added support for decrypting PKCS#8 files which use - the HMAC-SHA256 as PRF. 
- * libgnutls: Addressed issue with PKCS#11 signature generation on - ECDSA keys. The signature is now written as unsigned integers - into the DSASignatureValue structure. Previously signed - integers could be written depending on what the underlying - module would produce. Addresses #122. -- fix build error for 13.2, 42.1 and 42.2 - -- GnuTLS 3.4.14: - * libgnutls: Address issue when utilizing the p11-kit trust store - for certificate verification (GNUTLS-SA-2016-2, boo#988276) - * libgnutls: Fixed DTLS handshake packet reconstruction. - * libgnutls: Fixed issues with PKCS#11 reading of sensitive - objects from SafeNet Network HSM - * libgnutls: Corrected the writing of PKCS#11 CKA_SERIAL_NUMBER -- drop upstreamed - 0001-tests-use-datefudge-in-name-constraints-test.patch - -- Fix a problem with expired test certificate by using datefudge - (boo#987139) - * add 0001-tests-use-datefudge-in-name-constraints-test.patch - -- Version 3.4.13 (released 2016-06-06) - * libgnutls: Consider the SSLKEYLOGFILE environment to be compatible with - NSS instead of using a separate variable; in addition append any keys to - the file instead of overwriting it. - * libgnutls: use secure_getenv() where available to obtain environment - variables. Addresses GNUTLS-SA-2016-1. -- Version 3.4.12 (released 2016-05-20) - * libgnutls: The CHACHA20-POLY1305 ciphersuite is enabled by default. This - cipher is prioritized after AES-GCM. - * libgnutls: Fixes in gnutls_privkey_import_ecc_raw(). - * libgnutls: Fixed gnutls_pkcs11_get_raw_issuer() usage with the - GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT flag. Previously that - operation could fail on certain PKCS#11 modules. - * libgnutls: gnutls_pkcs11_obj_import_url() and gnutls_x509_crt_import_url() - can accept the GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT flag. - * libgnutls: gnutls_certificate_set_key() was enhanced to import the DNS - name of the certificates if the provided names are NULL. 
- * libgnutls: when receiving SNI names, only save and expose to application - the supported DNS names. - * libgnutls: when importing the certificate names at the - gnutls_certificate_set* functions, only consider the CN as a fallback - if DNS names are provided via the alternative name extension. - * gnutls-cli: on OCSP verification do not fail if we have a single valid - reply. Report and reproducer by Thomas Klute. - * libgnutls: The GNUTLS_KEYLOGFILE environment variable can be used to - log session keys in client side. These session keys are compatible with - the NSS Key Log Format and can be used to decrypt the session for - debugging using wireshark. - -- enabled guile support -- removed duplicates - -- Updated to 3.4.11 - * Version 3.4.11 (released 2016-04-11) - * * libgnutls: Fixes in gnutls_record_get/set_state() with DTLS. - Reported by Fridolin Pokorny. - * * libgnutls: Fixes in DSA key generation under PKCS #11. Report and - patches by Jan Vcelak. - * * libgnutls: Corrected behavior of ALPN extension parsing during - session resumption. Report and patches by Yuriy M. Kaminskiy. - * * libgnutls: Corrected regression (since 3.4.0) in - gnutls_server_name_set() which caused it not to accept non-null- - terminated hostnames. Reported by Tim Ruehsen. - * * libgnutls: Corrected printing of the IP Adress name constraints. - * * ocsptool: use HTTP/1.0 for requests. This avoids issue with servers - serving chunk encoding which ocsptool doesn't support. Reported by - Thomas Klute. - * * certtool: do not require a CA for OCSP signing tag. This follows the - recommendations in RFC6960 in 4.2.2.2 which allow a CA to delegate - OCSP signing to another certificate without requiring it to be a CA. - Reported by Thomas Klute. - * Version 3.4.10 (released 2016-03-03) - * * libgnutls: Eliminated issues preventing buffers more than 2^32 bytes - to be used with hashing functions. - * * libgnutls: Corrected leaks and other issues in - gnutls_x509_crt_list_import(). 
- * * libgnutls: Fixes in DSA key handling for PKCS #11. Report and - patches by Jan Vcelak. - * * libgnutls: Several fixes to prevent relying on undefined behavior - of C (found with libubsan). - * Version 3.4.9 (released 2016-02-03) - * * libgnutls: Corrected ALPN protocol negotiation. Before GnuTLS would - negotiate the last commonly supported protocol, rather than the - first. Reported by Remi Denis-Courmont (#63). - * * libgnutls: Tolerate empty DN fields in informational output - functions. - * * libgnutls: Corrected regression causes by incorrect fix in - gnutls_x509_ext_export_key_usage() at 3.4.8 release. - -- follow the work in the unbound package and use the - libunbound-devel symbol for the buildrequires. we override it for - the distro build with libunbound-devel-mini to avoid build loops. - -- reenable dane support, require unbound-devel bsc#964346 -- split out libgnutls-dane-devel to try to avoid build cycle. - -- Update to 3.4.8 - All changes since 3.4.4: - * libgnutls: Corrected memory leak in gnutls_pubkey_import_privkey() - when used with PKCS #11 keys. - * libgnutls: For DSA and ECDSA keys in PKCS #11 objects, import - their public keys from either a public key object or a certificate. - That is, because private keys do not contain all the required - parameters for a direct import. - * libgnutls: Fixed issue when writing ECDSA private keys in PKCS #11 - tokens. - * libgnutls: Fixed out-of-bounds read in - gnutls_x509_ext_export_key_usage() - * libgnutls: The CHACHA20-POLY1305 ciphersuites were updated to - conform to draft-ietf-tls-chacha20-poly1305-02. - * libgnutls: Several fixes in PKCS #7 signing which improve - compatibility with the MacOSX tools. - * libgnutls: The max-record extension not negotiated on DTLS. This - resolves issue with the max-record being negotiated but ignored. - * certtool: Added the --p7-include-cert and --p7-show-data options. - * libgnutls: Properly require TLS 1.2 in all CBC-SHA256 and CBC-SHA384 - ciphersuites. 
This solves an interoperability issue with openssl. - * libgnutls: Corrected the setting of salt size in - gnutls_pkcs12_mac_info(). - * libgnutls: On a rehandshake allow switching from anonymous to ECDHE - and DHE ciphersuites. - * libgnutls: Corrected regression from 3.3.x which prevented - ARCFOUR128 from using arbitrary key sizes. - * libgnutls: Added GNUTLS_SKIP_GLOBAL_INIT macro to allow programs - skipping the implicit global initialization. - * gnutls.pc: Don't include libtool specific options to link flags. - * tools: Better support for FTP AUTH TLS negotiation - * libgnutls: Added new simple verification functions. That avoids the - need to install a callback to perform certificate verification. See - doc/examples/ex-client-x509.c for usage. - * libgnutls: Introduced the security parameter 'future' which is at - the 256-bit level of security, and 'ultra' was aligned to its - documented size at 192-bits. - * libgnutls: When writing a certificate into a PKCS #11 token, ensure - that CKA_SERIAL_NUMBER and CKA_ISSUER are written. - * libgnutls: Allow the presence of legacy ciphers and key exchanges in - priority strings and consider them a no-op. - * libgnutls: Handle the extended master secret as a mandatory - extension. That fixes incompatibility issues with Chromium (#45). - * libgnutls: Added the ability to copy a public key into a PKCS #11 - token. - * tools: Added support for LDAP and XMPP negotiation for STARTTLS. - * p11tool: Allow writing a public key into a PKCS #11 token. - * certtool: Key generation security level was switched to HIGH. That - is, by default the tool generates 3072 bit keys for RSA and DSA. - * libgnutls: When re-importing CRLs to a trust list ensure that there - no duplicate entries. - * certtool: Removed any arbitrary limits imposed on input file sizes - and maximum number of certificates imported. - * certtool: Allow specifying fixed dates on CRL generation. 
- * gnutls-cli-debug: Added check for inappropriate fallback support - (RFC7507). - -- Update to 3.4.4 - This update contains a fix for a denial of service vulnerability: - * Allow the parsing of very long DNs. Also fixes double free - in DN decoding [GNUTLS-SA-2015-3]. boo#941794 CVE-2015-6251 - Other changes: - * Add high level API (gnutls_prf_rfc5705) to access the PRF as - specified by RFC5705. - * Link to trousers (TPM library) dynamically when this - functionality is requested. (disabled in SUSE package) - * Fix issue with server side sending the status request extension - even when not requested. - * Add support for RFC7507 by introducing the %FALLBACK_SCSV - priority string option. - * gnutls_pkcs11_privkey_generate2() will store the generated - public key, unless the GNUTLS_PKCS11_OBJ_FLAG_NO_STORE_PUBKEY - flag is specified. - * Correct regression from 3.4.3 in loading PKCS #8 keys as fallback. - * API and ABI modifications: - gnutls_prf_rfc5705: Added - gnutls_hex_encode2: Added - gnutls_hex_decode2: Added -- build with autogen for libopts compatibility -- fix failures in test suite, add upstream commits - 0001-certtool-lifted-limits-on-file-size-to-load.patch - 0002-certtool-eliminated-memory-leaks-due-to-new-cert-loa.patch - -- update to 3.4.3 - * * libgnutls: Follow closely RFC5280 recommendations and use UTCTime for - dates prior to 2050. - * * libgnutls: Force 16-byte alignment to all input to ciphers (previously it - was done only when cryptodev was enabled). - * * libgnutls: Removed support for pthread_atfork() as it has undefined - semantics when used with dlopen(), and may lead to a crash. - * * libgnutls: corrected failure when importing plain files - with gnutls_x509_privkey_import2(), and a password was provided. - * * libgnutls: Don't reject certificates if a CA has the URI or IP address - name constraints, and the end certificate doesn't have an IP address - name or a URI set. 
- * * libgnutls: set and read the hint in DHE-PSK and ECDHE-PSK ciphersuites. - * * p11tool: Added --list-token-urls option, and print the token module name - in list-tokens. - * * libgnutls: DTLS blocking API is more robust against infinite blocking, - and will notify of more possible timeouts. - * * libgnutls: corrected regression with Camellia-256-GCM cipher. Reported - by Manuel Pegourie-Gonnard. - * * libgnutls: Introduced the GNUTLS_NO_SIGNAL flag to gnutls_init(). That - allows to disable SIGPIPE for writes done within gnutls. - * * libgnutls: Enhanced the PKCS #7 API to allow signing and verification - of structures. API moved to gnutls/pkcs7.h header. - * * certtool: Added options to generate PKCS #7 bundles and signed - structures. -- includes changes from 3.4.2: - * DTLS blocking API is more robust against infinite blocking, - and will notify of more possible timeouts. - * Correct regression with Camellia-256-GCM cipher. - * Introduce the GNUTLS_NO_SIGNAL flag to gnutls_init(). That - allows to disable SIGPIPE for writes done within gnutls. - * Enhance the PKCS #7 API to allow signing and verification - of structures. Move API to gnutls/pkcs7.h header. - * certtool: Added options to generate PKCS #7 bundles and signed - structures. - -- disable testsuite run against valgrind on aarch64 - -- Updated to 3.4.1 (released 2015-05-03) - * * libgnutls: gnutls_certificate_get_ours: will return the certificate even - if a callback was used to send it. - * * libgnutls: Check for invalid length in the X.509 version field. Without - the check certificates with invalid length would be detected as having an - arbitrary version. Reported by Hanno Böck. - * * libgnutls: Handle DNS name constraints with a leading dot. Patch by - Fotis Loukos. - * * libgnutls: Updated system-keys support for windows to compile in more - versions of mingw. Patch by Tim Kosse. - * * libgnutls: Fix for MD5 downgrade in TLS 1.2 signatures. 
Reported by - Karthikeyan Bhargavan [GNUTLS-SA-2015-2]. bsc#929690 - * * libgnutls: Reverted: The gnutls_handshake() process will enforce a timeout - by default. That caused issues with non-blocking programs. - * * certtool: It can generate SHA256 key IDs. - * * gnutls-cli: fixed crash in --benchmark-ciphers. Reported by James Cloos. - * * API and ABI modifications: gnutls_x509_crt_get_pk_ecc_raw: Added -- gnutls-fix-double-mans.patch: fixed upstream - -- Disable buggy valgrind on armv7l - -- updated to 3.4.0 (released 2015-04-08) - * * libgnutls: Added support for AES-CCM and AES-CCM-8 (RFC6655 and RFC7251) - ciphersuites. The former are enabled by default, the latter need to be - explicitly enabled, since they reduce the overall security level. - * * libgnutls: Added support for Chacha20-Poly1305 ciphersuites following - draft-mavrogiannopoulos-chacha-tls-05 and draft-irtf-cfrg-chacha20-poly1305-10. - That is currently provided as technology preview and is not enabled by - default, since there are no assigned ciphersuite points by IETF and there - is no guarrantee of compatibility between draft versions. The ciphersuite - priority string to enable it is "+CHACHA20-POLY1305". - * * libgnutls: Added support for encrypt-then-authenticate in CBC - ciphersuites (RFC7366 -taking into account its errata text). This is - enabled by default and can be disabled using the %NO_ETM priority - string. - * * libgnutls: Added support for the extended master secret - (triple-handshake fix) following draft-ietf-tls-session-hash-02. - * * libgnutls: Added a new simple and hard to misuse AEAD API (crypto.h). - * * libgnutls: SSL 3.0 is no longer included in the default priorities - list. It has to be explicitly enabled, e.g., with a string like - "NORMAL:+VERS-SSL3.0". - * * libgnutls: ARCFOUR (RC4) is no longer included in the default priorities - list. It has to be explicitly enabled, e.g., with a string like - "NORMAL:+ARCFOUR-128". 
- * * libgnutls: DSA signatures and DHE-DSS are no longer included in the - default priorities list. They have to be explicitly enabled, e.g., with - a string like "NORMAL:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1". The - DSA ciphersuites were dropped because they had no deployment at all - on the internet, to justify their inclusion. - * * libgnutls: The priority string EXPORT was completely removed. The string - was already defunc as support for the EXPORT ciphersuites was removed in - GnuTLS 3.2.0. - * * libgnutls: Added API to utilize system specific private keys in - "gnutls/system-keys.h". It is currently provided as technology preview - and is restricted to windows CNG keys. - * * libgnutls: gnutls_x509_crt_check_hostname() and friends will use - RFC6125 comparison of hostnames. That introduces a dependency on libidn. - * * libgnutls: Depend on p11-kit 0.23.1 to comply with the final - PKCS #11 URLs draft (draft-pechanec-pkcs11uri-21). - * * libgnutls: Depend on nettle 3.1. - * * libgnutls: Use getrandom() or getentropy() when available. That - avoids the complexity of file descriptor handling and issues with - applications closing all open file descriptors on startup. - * * libgnutls: Use pthread_atfork() to detect fork when available. - * * libgnutls: The gnutls_handshake() process will enforce a timeout by - default. - * * libgnutls: If a key purpose (extended key usage) is specified for verification, - it is applied into intermediate certificates. The verification result - GNUTLS_CERT_PURPOSE_MISMATCH is also introduced. - * * libgnutls: When gnutls_certificate_set_x509_key_file2() is used in - combination with PKCS #11, or TPM URLs, it will utilize the provided - password as PIN if required. That removes the requirement for the - application to set a callback for PINs in that case. 
- * * libgnutls: priority strings VERS-TLS-ALL and VERS-DTLS-ALL are - restricted to the corresponding protocols only, and the VERS-ALL - string is introduced to catch all possible protocols. - * * libgnutls: Added helper functions to obtain information on PKCS #8 - structures. - * * libgnutls: Certificate chains which are provided to gnutls_certificate_credentials_t - will automatically be sorted instead of failing with GNUTLS_E_CERTIFICATE_LIST_UNSORTED. - * * libgnutls: Added functions to export and set the record state. That - allows for gnutls_record_send() and recv() to be offloaded (to kernel, - hardware or any other subsystem). - * * libgnutls: Added the ability to register application specific URL - types, which express certificates and keys using gnutls_register_custom_url(). - * * libgnutls: Added API to override existing ciphers, digests and MACs, e.g., - to override AES-GCM using a system-specific accelerator. That is, (crypto.h) - gnutls_crypto_register_cipher(), gnutls_crypto_register_aead_cipher(), - gnutls_crypto_register_mac(), and gnutls_crypto_register_digest(). - * * libgnutls: Added gnutls_ext_register() to register custom extensions. - Contributed by Thierry Quemerais. - * * libgnutls: Added gnutls_supplemental_register() to register custom - supplemental data handshake messages. Contributed by Thierry Quemerais. - * * libgnutls-openssl: it is no longer built by default. - * * certtool: Added --p8-info option, which will print PKCS #8 information - even if the password is not available. - * * certtool: --key-info option will print PKCS #8 encryption information - when available. - * * certtool: Added the --key-id and --fingerprint options. - * * certtool: Added the --verify-hostname, --verify-email and --verify-purpose - options to be used in certificate chain verification, to simulate verification - for specific hostname and key purpose (extended key usage). 
- * * certtool: --p12-info option will print PKCS #12 MAC and cipher information - when available. - * * certtool: it will print the A-label (ACE) names in addition to UTF-8. - * * p11tool: added options --set-id and --set-label. - * * gnutls-cli: added options --priority-list and --save-cert. - * * guile: Deprecated priority API has been removed. The old priority API, - which had been deprecated for some time, is now gone; use 'set-session-priorities!' - instead. - * * guile: Remove RSA parameters and related procedures. This API had been - deprecated. - * * guile: Fix compilation on MinGW. Previously only the static version of the - 'guile-gnutls-v-2' library would be built, preventing dynamic loading from Guile. - -- updated to 3.3.13 (released 2015-03-30) - * * libgnutls: When retrieving OCTET STRINGS from PKCS #12 ContentInfo - structures use BER to decode them (requires libtasn1 4.3). That allows - to decode some more complex structures. - * * libgnutls: When an end-certificate with no name is present and there - are CA name constraints, don't reject the certificate. This follows RFC5280 - advice closely. Reported by Fotis Loukos. - * * libgnutls: Fixed handling of supplemental data with types > 255. - Patch by Thierry Quemerais. - * * libgnutls: Fixed double free in the parsing of CRL distribution points certificate - extension. Reported by Robert Święcki. - * * libgnutls: Fixed a two-byte stack overflow in DTLS 0.9 protocol. That - protocol is not enabled by default (used by openconnect VPN). - * * libgnutls: The maximum user data send size is set to be the same for - block and non-block ciphersuites. This addresses a regression with wine: - https://bugs.winehq.org/show_bug.cgi?id=37500 - * * libgnutls: When generating PKCS #11 keys, set CKA_ID, CKA_SIGN, - and CKA_DECRYPT when needed. - * * libgnutls: Allow names with zero size to be set using - gnutls_server_name_set(). That will disable the Server Name Indication. 
- Resolves issue with wine: https://gitlab.com/gnutls/gnutls/issues/2 -- new main library major version .so.30 -- requires new libnettle >= 3.1, p11-kit-devel >= 0.23.1 -- Now need to configure --enable-openssl-compatibility (might go away) -- added gnutls-fix-double-mans.patch: avoid double installing manpages -- dropped gnutls-3.0.26-skip-test-fwrite.patch: does not seem to be needed - anymore -- install_info_delete moved from %postun to %preun - -- for DANE support, use bcond_with -- for tpm support, same -- note p11-kit >= 0.20.7 requirement -- note libtasn1 3.9 requirement (built-in lib used otherwise) - -- disable trousers and unbound again for now, as it causes too long - build cycles. - -- added unbound-devel (for DANE) and trousers-devel (for TPM support) -- removed now upstreamed gnutls-implement-trust-store-dir-3.2.8.diff -- libgnutls-dane0 new library added -- updated to 3.3.13 (released 2015-02-25) - * * libgnutls: Enable AESNI in GCM on x86 - * * libgnutls: Fixes in DTLS message handling - * * libgnutls: Check certificate algorithm consistency, i.e., - check whether the signatureAlgorithm field matches the signature - field inside TBSCertificate. - * * gnutls-cli: Fixes in OCSP verification. -- Version 3.3.12 (released 2015-01-17) - * * libgnutls: When negotiating TLS use the lowest enabled version in - the client hello, rather than the lowest supported. In addition, do - not use SSL 3.0 as a version in the TLS record layer, unless SSL 3.0 - is the only protocol supported. That addresses issues with servers that - immediately drop the connection when the encounter SSL 3.0 as the record - version number. See: - http://lists.gnutls.org/pipermail/gnutls-help/2014-November/003673.html - * * libgnutls: Corrected encoding and decoding of ANSI X9.62 parameters. - * * libgnutls: Handle zero length plaintext for VIA PadLock functions. - This solves a potential crash on AES encryption for small size plaintext. - Patch by Matthias-Christian Ott. 
- * * libgnutls: In DTLS don't combine multiple packets which exceed MTU. - Reported by Andreas Schultz. https://savannah.gnu.org/support/?108715 - * * libgnutls: In DTLS decode all handshake packets present in a record - packet, in a single pass. Reported by Andreas Schultz. - https://savannah.gnu.org/support/?108712 - * * libgnutls: When importing a CA file with a PKCS #11 URL, simply - import the certificates, if the URL specifies objects, rather than - treating it as trust module. - * * libgnutls: When importing a PKCS #11 URL and we know the type of - object we are importing, don't require the object type in the URL. - * * libgnutls: fixed openpgp authentication when gnutls_certificate_set_retrieve_function2 - was used by the server. - * * certtool: --pubkey-info will also attempt to load a public key from stdin. - * * gnutls-cli: Added --starttls-proto option. That allows to specify a - protocol for starttls negotiation. -- Version 3.3.11 (released 2014-12-11) - * * libgnutls: Corrected regression introduced in 3.3.9 related to - session renegotiation. Reported by Dan Winship. - * * libgnutls: Corrected parsing issue with OCSP responses. -- Version 3.3.10 (released 2014-11-10) - * * libgnutls: Refuse to import v1 or v2 certificates that contain - extensions. - * * libgnutls: Fixes in usage of PKCS #11 token callback - * * libgnutls: Fixed bug in gnutls_x509_trust_list_get_issuer() when used - with a PKCS #11 trust module and without the GNUTLS_TL_GET_COPY flag. - Reported by David Woodhouse. - * * libgnutls: Removed superfluous random generator refresh on every call - of gnutls_deinit(). That reduces load and usage of /dev/urandom. - * * libgnutls: Corrected issue in export of ECC parameters to X9.63 format. - Reported by Sean Burford [GNUTLS-SA-2014-5]. - * * libgnutls: When gnutls_global_init() is called for a second time, it - will check whether the /dev/urandom fd kept is still open and matches - the original one. 
That behavior works around issues with servers that - close all file descriptors. - * * libgnutls: Corrected behavior with PKCS #11 objects that are marked - as CKA_ALWAYS_AUTHENTICATE. - * * certtool: The default cipher for PKCS #12 structures is 3des-pkcs12. - That option is more compatible than AES or RC4. -- Version 3.3.9 (released 2014-10-13) - * * libgnutls: Fixes in the transparent import of PKCS #11 certificates. - Reported by Joseph Peruski. - * * libgnutls: Fixed issue with unexpected non-fatal errors resetting the - handshake's hash buffer, in applications using the heartbeat extension - or DTLS. Reported by Joeri de Ruiter. - * * libgnutls: When both a trust module and additional CAs are present - account the latter as well; reported by David Woodhouse. - * * libgnutls: added GNUTLS_TL_GET_COPY flag for - gnutls_x509_trust_list_get_issuer(). That allows the function to be used - in a thread safe way when PKCS #11 trust modules are in use. - * * libgnutls: fix issue in DTLS retransmission when session tickets - were in use; reported by Manuel Pégourié-Gonnard. - * * libgnutls-dane: Do not require the CA on a ca match to be direct CA. - * * libgnutls: Prevent abort() in library if getrusage() fails. Try to - detect instead which of RUSAGE_THREAD and RUSAGE_SELF would work. - * * guile: new 'set-session-server-name!' procedure; see the manual for - details. - * * certtool: The authority key identifier will be set in a certificate only - if the CA's subject key identifier is set. -- Version 3.3.8 (released 2014-09-18) - * * libgnutls: Updates in the name constraints checks. No name constraints - will be checked for intermediate certificates. As our support for name - constraints is limited to e-mail addresses in DNS names, it is pointless - to check them on intermediate certificates. - * * libgnutls: Fixed issues in PKCS #11 object listing. Previously multiple - object listing would fail completely if a single object could not be exported. 
- * * libgnutls: Improved the performance of PKCS #11 object listing/retrieving, - by retrieving them in large batches. Report and suggestion by David - Woodhouse. - * * libgnutls: Fixed issue with certificates being sanitized by gnutls prior - to signature verification. That resulted to certain non-DER compliant modifications - of valid certificates, being corrected by libtasn1's parser and restructured as - the original. Issue found and reported by Antti Karjalainen and Matti Kamunen from - Codenomicon. - * * libgnutls: Fixes in gnutls_x509_crt_set_dn() and friends to properly handle - strings with embedded spaces and escaped commas. - * * libgnutls: when comparing a CA certificate with the trusted list compare - the name and key only instead of the whole certificate. That is to handle - cases where a CA certificate was superceded by a different one with the same - name and the same key. - * * libgnutls: when verifying a certificate against a p11-kit trusted - module, use the attached extensions in the module to override the CA's - extensions (that requires p11-kit 0.20.7). - * * libgnutls: In DTLS prevent sending zero-size fragments in certain cases - of MTU split. Reported by Manuel Pégourié-Gonnard. - * * libgnutls: Added gnutls_x509_trust_list_verify_crt2() which allows - verifying using a hostname and a purpose (extended key usage). That - enhances PKCS #11 trust module verification, as it can now check the purpose - when this function is used. - * * libgnutls: Corrected gnutls_x509_crl_verify() which would always report - a CRL signature as invalid. Reported by Armin Burgmeier. - * * libgnutls: added option --disable-padlock to allow disabling the padlock - CPU acceleration. - * * p11tool: when listing tokens, list their type as well. - * * p11tool: when listing objects from a trust module print any attached - extensions on certificates. 
-- Version 3.3.7 (released 2014-08-24) - * * libgnutls: Added function to export the public key of a PKCS #11 - private key. Contributed by Wolfgang Meyer zu Bergsten. - * * libgnutls: Explicitly set the exponent in PKCS #11 key generation. - That improves compatibility with certain PKCS #11 modules. Contributed by - Wolfgang Meyer zu Bergsten. - * * libgnutls: When generating a PKCS #11 private key allow setting - the WRAP/UNWRAP flags. Contributed by Wolfgang Meyer zu Bergsten. - * * libgnutls: gnutls_pkcs11_privkey_t will always hold an open session - to the key. - * * libgnutls: bundle replacements of inet_pton and inet_aton if not - available. - * * libgnutls: initialize parameters variable on PKCS #8 decryption. - * * libgnutls: gnutls_pkcs12_verify_mac() will not fail in other than SHA1 - algorithms. - * * libgnutls: gnutls_x509_crt_check_hostname() will follow the RFC6125 - requirement of checking the Common Name (CN) part of DN only if there is - a single CN present in the certificate. - * * libgnutls: The environment variable GNUTLS_FORCE_FIPS_MODE can be used - to force the FIPS mode, when set to 1. - * * libgnutls: In DTLS ignore only errors that relate to unexpected packets - and decryption failures. - * * p11tool: Added --info parameter. - * * certtool: Added --mark-wrap parameter. - * * danetool: --check will attempt to retrieve the server's certificate - chain and verify against it. - * * danetool/gnutls-cli-debug: Added --app-proto parameters which can - be used to enforce starttls (currently only SMTP and IMAP) on the connection. - * * danetool: Added openssl linking exception, to allow linking - with libunbound. -- Version 3.3.6 (released 2014-07-23) - * * libgnutls: Use inet_ntop to print IP addresses when available - * * libgnutls: gnutls_x509_crt_check_hostname and friends will also check - IP addresses, and match documented behavior. Reported by David Woodhouse. 
- * * libgnutls: DSA key generation in FIPS140-2 mode doesn't allow 1024 - bit parameters. - * * libgnutls: fixed issue in gnutls_pkcs11_reinit() which prevented tokens - being usable after a reinitialization. - * * libgnutls: fixed PKCS #11 private key operations after a fork. - * * libgnutls: fixed PKCS #11 ECDSA key generation. - * * libgnutls: The GNUTLS_CPUID_OVERRIDE environment variable can be used to - explicitly enable/disable the use of certain CPU capabilities. Note that CPU - detection cannot be overriden, i.e., VIA options cannot be enabled on an Intel - CPU. The currently available options are: - 0x1: Disable all run-time detected optimizations - 0x2: Enable AES-NI - 0x4: Enable SSSE3 - 0x8: Enable PCLMUL - 0x100000: Enable VIA padlock - 0x200000: Enable VIA PHE - 0x400000: Enable VIA PHE SHA512 - * * libdane: added dane_query_to_raw_tlsa(); patch by Simon Arlott. - * * p11tool: use GNUTLS_SO_PIN to read the security officer's PIN if set. - * * p11tool: ask for label when one isn't provided. - * * p11tool: added --batch parameter to disable any interactivity. - * * p11tool: will not implicitly enable so-login for certain types of - objects. That avoids issues with tokens that require different login - types. - * * certtool/p11tool: Added the --curve parameter which allows to explicitly - specify the curve to use. -- Version 3.3.5 (released 2014-06-26) - * * libgnutls: Added gnutls_record_recv_packet() and gnutls_packet_deinit(). - These functions provide a variant of gnutls_record_recv() that avoids - the final memcpy of data. - * * libgnutls: gnutls_x509_crl_iter_crt_serial() was added as a - faster variant of gnutls_x509_crl_get_crt_serial() when coping with - very large structures. - * * libgnutls: When the decoding of a printable DN element fails, then treat - it as unknown and print its hex value rather than failing. That works around - an issue in a TURKTRST root certificate which improperly encodes the - X520countryName element. 
- * * libgnutls: gnutls_x509_trust_list_add_trust_file() will return the number - of certificates present in a PKCS #11 token when loading it. - * * libgnutls: Allow the post client hello callback to put the handshake on - hold, by returning GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED. - * * certtool: option --to-p12 will now consider --load-ca-certificate - * * certtol: Added option to specify the PKCS #12 friendly name on command line. - * * p11tool: Allow marking a certificate copied to a token as a CA. -- Version 3.3.4 (released 2014-05-31) - * * libgnutls: Updated Andy Polyakov's assembly code. That prevents a - crash on certain CPUs. -- Version 3.3.3 (released 2014-05-30) - * * libgnutls: Eliminated memory corruption issue in Server Hello parsing. - Issue reported by Joonas Kuorilehto of Codenomicon. - * * libgnutls: gnutls_global_set_mutex() was modified to operate with the - new initialization process. - * * libgnutls: Increased the maximum certificate size buffer - in the PKCS #11 subsystem. - * * libgnutls: Check the return code of getpwuid_r() instead of relying - on the result value. That avoids issue in certain systems, when using - tofu authentication and the home path cannot be determined. Issue reported - by Viktor Dukhovni. - * * libgnutls-dane: Improved dane_verify_session_crt(), which now attempts to - create a full chain. This addresses points from https://savannah.gnu.org/support/index.php?108552 - * * gnutls-cli: --dane will only check the end certificate if PKIX validation - has been disabled. - * * gnutls-cli: --benchmark-soft-ciphers has been removed. That option cannot - be emulated with the implicit initialization of gnutls. - * * certtool: Allow multiple organizations and organizational unit names to - be specified in a template. - * * certtool: Warn when invalid configuration options are set to a template. - * * ocsptool: Include path in ocsp request. 
This resolves #108582 - (https://savannah.gnu.org/support/?108582), reported by Matt McCutchen. -- Version 3.3.2 (released 2014-05-06) - * * libgnutls: Added the 'very weak' certificate verification profile - that corresponds to 64-bit security level. - * * libgnutls: Corrected file descriptor leak on random generator - initialization. - * * libgnutls: Corrected file descriptor leak on PSK password file - reading. Issue identified using the Codenomicon TLS test suite. - * * libgnutls: Avoid deinitialization if initialization has failed. - * * libgnutls: null-terminate othername alternative names. - * * libgnutls: gnutls_x509_trust_list_get_issuer() will operate correctly - on a PKCS #11 trust list. - * * libgnutls: Several small bug fixes identified using valgrind and - the Codenomicon TLS test suite. - * * libgnutls-dane: Accept a certificate using DANE if there is at least one - entry that matches the certificate. Patch by simon [at] arlott.org. - * * libgnutls-guile: Fixed compilation issue. - * * certtool: Allow exporting a CRL on DER format. - * * certtool: The ECDSA keys generated by default use the SECP256R1 curve - which is supported more widely than the previously used SECP224R1. -- Version 3.3.1 (released 2014-04-19) - * * libgnutls: Enforce more strict checks to heartbeat messages - concerning padding and payload. Suggested by Peter Dettman. - * * libgnutls: Allow decoding PKCS #8 files with ECC parameters - from openssl. - * * libgnutls: Several small bug fixes found by coverity. - * * libgnutls: The conditionally available self-test functions - were moved to self-test.h. - * * libgnutls: Fixed issue with the check of incoming data when two - different recv and send pointers have been specified. Reported and - investigated by JMRecio. - * * libgnutls: Fixed issue in the RSA-PSK key exchange, which would - result to illegal memory access if a server hint was provided. Reported - by André Klitzing. 
- * * libgnutls: Fixed client memory leak in the PSK key exchange, if a - server hint was provided. - * * libgnutls: Corrected the *get_*_othername_oid() functions. -- Version 3.3.0 (released 2014-04-10) - * * libgnutls: The initialization of the library was moved to a - constructor. That is, gnutls_global_init() is no longer required - unless linking with a static library or a system that does not - support library constructors. - * * libgnutls: static libraries are not built by default. - * * libgnutls: PKCS #11 initialization is delayed to first usage. - That avoids long delays in gnutls initialization due to broken PKCS #11 - modules. - * * libgnutls: The PKCS #11 subsystem is re-initialized "automatically" - on the first PKCS #11 API call after a fork. - * * libgnutls: certificate verification profiles were introduced - that can be specified as flags to verification functions. They - are enumerations in gnutls_certificate_verification_profiles_t - and can be converted to flags for use in a verification function - using GNUTLS_PROFILE_TO_VFLAGS(). - * * libgnutls: Added the ability to read system-specific initial - keywords, if they are prefixed with '@'. That allows a compile-time - specified configuration file to be used to read pre-configured priority - strings from. That can be used to impose system specific policies. - * * libgnutls: Increased the default security level of priority - strings (NORMAL and PFS strings require at minimum a 1008 DH prime), - and set a verification profile by default. The LEGACY keyword is - introduced to set the old defaults. - * * libgnutls: Added support for the name constraints PKIX extension. - Currently only DNS names and e-mails are supported (no URIs, IPs - or DNs). - * * libgnutls: Security parameter SEC_PARAM_NORMAL was renamed to - SEC_PARAM_MEDIUM to avoid confusion with the priority string NORMAL. - * * libgnutls: Added new API in x509-ext.h to handle X.509 extensions. 
- This API handles the X.509 extensions in isolation, allowing to parse - similarly formatted extensions stored in other structures. - * * libgnutls: When generating DSA keys the macro GNUTLS_SUBGROUP_TO_BITS - can be used to specify a particular subgroup as the number of bits in - gnutls_privkey_generate; e.g., GNUTLS_SUBGROUP_TO_BITS(2048, 256). - * * libgnutls: DH parameter generation is now delegated to nettle. - That unfortunately has the side-effect that DH parameters longer than - 3072 bits, cannot be generated (not without a nettle update). - * * libgnutls: Separated nonce RNG from the main RNG. The nonce - random number generator is based on salsa20/12. - * * libgnutls: The buffer alignment provided to crypto backend is - enforced to be 16-byte aligned, when compiled with cryptodev - support. That allows certain cryptodev drivers to operate more - efficiently. - * * libgnutls: Return error when a public/private key pair that doesn't - match is set into a credentials structure. - * * libgnutls: Depend on p11-kit 0.20.0 or later. - * * libgnutls: The new padding (%NEW_PADDING) experimental TLS extension has - been removed. It was not approved by IETF. - * * libgnutls: The experimental xssl library is removed from the gnutls - distribution. - * * libgnutls: Reduced the number of gnulib modules used in the main library. - * * libgnutls: Added priority string %DISABLE_WILDCARDS. - * * libgnutls: Added the more extensible verification function - gnutls_certificate_verify_peers(), that allows checking, in addition - to a peer's DNS hostname, for the key purpose of the end certificate - (via PKIX extended key usage). - * * certtool: Timestamps for serial numbers were increased to 8 bytes, - and in batch mode to 12 (appended with 4 random bytes). - * * certtool: When no CRL number is provided (or value set to -1), then - a time-based number will be used, similarly to the serial generation - number in certificates. 
- * * certtool: Print the SHA256 fingerprint of a certificate in addition - to SHA1. - * * libgnutls: Added --enable-fips140-mode configuration option (unsupported). - That option enables (when running on FIPS140-enabled system): - o RSA, DSA and DH key generation as in FIPS-186-4 (using provable primes) - o The DRBG-CTR-AES256 deterministic random generator from SP800-90A. - o Self-tests on initialization on ciphers/MACs, public key algorithms - and the random generator. - o HMAC-SHA256 verification of the library on load. - o MD5 is included for TLS purposes but cannot be used by the high level - hashing functions. - o All ciphers except AES are disabled. - o All MACs and hashes except GCM and SHA are disabled (e.g., HMAC-MD5). - o All keys (temporal and long term) are zeroized after use. - o Security levels are adjusted to the FIPS140-2 recommendations (rather - than ECRYPT). - -- build with PIE for commandline tools - -- Updated to 3.2.21 (released 2014-12-11) - - libgnutls: Corrected regression introduced in 3.2.19 related to - session renegotiation. Reported by Dan Winship. - - libgnutls: Corrected parsing issue with OCSP responses. - -- Updated to 3.2.20 (released 2014-11-10) - * * libgnutls: Removed superfluous random generator refresh on every - call of gnutls_deinit(). That reduces load and usage of /dev/urandom. - * * libgnutls: Corrected issue in export of ECC parameters to X9.63 - format. Reported by Sean Burford [GNUTLS-SA-2014-5]. - (CVE-2014-8564 bnc#904603) -- Updated to 3.2.19 (released 2014-10-13) - * * libgnutls: Fixes in the transparent import of PKCS #11 certificates. - Reported by Joseph Peruski. - * * libgnutls: Fixed issue with unexpected non-fatal errors resetting the - handshake's hash buffer, in applications using the heartbeat extension - or DTLS. Reported by Joeri de Ruiter. - * * libgnutls: fix issue in DTLS retransmission when session tickets were - in use; reported by Manuel Pégourié-Gonnard. 
- * * libgnutls: Prevent abort() in library if getrusage() fails. Try to - detect instead which of RUSAGE_THREAD and RUSAGE_SELF would work. - * * guile: new 'set-session-server-name!' procedure; see the manual - for details. - graphite2 +- fixed license string [bsc#1207676]: + LGPL-2.1-or-later OR MPL-2.0 OR GPL-2.0-or-later + -- Remove harfbuzz dep. Breaks another buildcycle. - This effectively means we are not running tests. No functional - changes otherwise. - -- Remove texlive dep to remove dep circle. - -- Use rpath so the tests work. - -- Enable the tests. They work on 13.1 but fail on Factory... - -- Version bump to 1.2.4: - * Various bugfixes - * Expanded testsuite -- Remove graphite2-arm.patch - applied upstream -- Add patches from debian: - * soname.diff - * no-specific-nunit-version.diff -- Run^Wdocument tests and generate documentation - -- Use cmake macros for nice and tidy setup. - -- Add baselibs.conf and provide libgraphite2-3-32bit, which is at - this moment required by harfbuzz. - -- graphite2-arm.patch :Fix build in arm and possible other platforms, we should - notuse -nodefaultlibs as a linker flag and let the system - do its job automatically. -- freetype-devel should be freetype2-devel - -- license update: LGPL-2.1+ or GPL-2.0+ or MPL-1.1 - See License file (most source code notices concur) - -- Whitespace trying to figure out why spec file is interpreted as - binary. - -- Fix desc not to mention libexttextcat. - -- Initial commit version 1.2.0. - hugin +- Update to 2022.0.0: + https://hugin.sourceforge.io/releases/2022.0.0/en.shtml +- Remove xdg-data.patch (accepted upstream) + kernel-default +- aquantia: Do not purge addresses when setting the number of + rings (jsc#PED-1530). +- commit 39a03b2 + +- net: atlantic: macsec: clear encryption keys from the stack + (jsc#PED-1530). +- commit 643f719 + +- atlantic: fix deadlock at aq_nic_stop (jsc#PED-1530). 
+- commit 4a9a64f + +- net: atlantic: fix potential memory leak in aq_ndev_close() + (jsc#PED-1530). +- commit 719db2f + +- net: atlantic: remove aq_nic_deinit() when resume + (jsc#PED-1530). +- commit ff2f581 + +- net: atlantic: remove deep parameter on suspend/resume functions + (jsc#PED-1530). +- commit 9e96b4d + +- net: atlantic:fix repeated words in comments (jsc#PED-1530). +- commit d6d4ffb + +- net: atlantic: verify hw_head_ lies within TX buffer ring + (jsc#PED-1530). +- commit 7059ede + +- net: atlantic: add check for MAX_SKB_FRAGS (jsc#PED-1530). +- commit e719b81 + +- net: atlantic: reduce scope of is_rsc_complete (jsc#PED-1530). +- commit b04c254 + +- net: atlantic: fix "frag[0] not initialized" (jsc#PED-1530). +- commit 0263576 + +- Update + patches.suse/net-sched-cbq-dont-intepret-cls-results-when-asked-t.patch + (bsc#1207361 bsc#1207036 CVE-2023-23454). +- commit 521fdca + +- Update + patches.suse/net-sched-atm-dont-intepret-cls-results-when-asked-t.patch + (bsc#1207361 bc#1207125 CVE-2023-23455). +- commit c8b6243 + +- io_uring/poll: fix poll_refs race with cancelation (bsc#1207511 + CVE-2023-0468). +- io_uring: make poll refs more robust (bsc#1207511 + CVE-2023-0468). +- io_uring: cmpxchg for poll arm refs release (bsc#1207511 + CVE-2023-0468). +- io_uring: fix tw losing poll events (bsc#1207511 CVE-2023-0468). +- io_uring: update res mask in io_poll_check_events (bsc#1207511 + CVE-2023-0468). +- commit 4fe9bfe + +- io_uring: pass in EPOLL_URING_WAKE for eventfd signaling and + wakeups (bsc#1207100). +- eventfd: provide a eventfd_signal_mask() helper (bsc#1207100). +- eventpoll: add EPOLL_URING_WAKE poll wakeup flag (bsc#1207100). +- commit 9e5a117 + +- fbdev: Fix invalid page access after closing deferred I/O + devices (bsc#1207284). +- commit 6a8d940 + +- ipmi:ssif: Add 60ms time internal between write retries + (bsc#1206459). +- ipmi:ssif: Increase the message retry time (bsc#1206459). 
+- commit 14626c0 + kernel-kvmsmall +- aquantia: Do not purge addresses when setting the number of + rings (jsc#PED-1530). +- commit 39a03b2 + +- net: atlantic: macsec: clear encryption keys from the stack + (jsc#PED-1530). +- commit 643f719 + +- atlantic: fix deadlock at aq_nic_stop (jsc#PED-1530). +- commit 4a9a64f + +- net: atlantic: fix potential memory leak in aq_ndev_close() + (jsc#PED-1530). +- commit 719db2f + +- net: atlantic: remove aq_nic_deinit() when resume + (jsc#PED-1530). +- commit ff2f581 + +- net: atlantic: remove deep parameter on suspend/resume functions + (jsc#PED-1530). +- commit 9e96b4d + +- net: atlantic:fix repeated words in comments (jsc#PED-1530). +- commit d6d4ffb + +- net: atlantic: verify hw_head_ lies within TX buffer ring + (jsc#PED-1530). +- commit 7059ede + +- net: atlantic: add check for MAX_SKB_FRAGS (jsc#PED-1530). +- commit e719b81 + +- net: atlantic: reduce scope of is_rsc_complete (jsc#PED-1530). +- commit b04c254 + +- net: atlantic: fix "frag[0] not initialized" (jsc#PED-1530). +- commit 0263576 + +- Update + patches.suse/net-sched-cbq-dont-intepret-cls-results-when-asked-t.patch + (bsc#1207361 bsc#1207036 CVE-2023-23454). +- commit 521fdca + +- Update + patches.suse/net-sched-atm-dont-intepret-cls-results-when-asked-t.patch + (bsc#1207361 bc#1207125 CVE-2023-23455). +- commit c8b6243 + +- io_uring/poll: fix poll_refs race with cancelation (bsc#1207511 + CVE-2023-0468). +- io_uring: make poll refs more robust (bsc#1207511 + CVE-2023-0468). +- io_uring: cmpxchg for poll arm refs release (bsc#1207511 + CVE-2023-0468). +- io_uring: fix tw losing poll events (bsc#1207511 CVE-2023-0468). +- io_uring: update res mask in io_poll_check_events (bsc#1207511 + CVE-2023-0468). +- commit 4fe9bfe + +- io_uring: pass in EPOLL_URING_WAKE for eventfd signaling and + wakeups (bsc#1207100). +- eventfd: provide a eventfd_signal_mask() helper (bsc#1207100). +- eventpoll: add EPOLL_URING_WAKE poll wakeup flag (bsc#1207100). 
+- commit 9e5a117 + +- fbdev: Fix invalid page access after closing deferred I/O + devices (bsc#1207284). +- commit 6a8d940 + +- ipmi:ssif: Add 60ms time internal between write retries + (bsc#1206459). +- ipmi:ssif: Increase the message retry time (bsc#1206459). +- commit 14626c0 + keyutils +- Add /etc/keys/ and /usr/etc/keys/ directory (bsc#1187654) + +- adjust the library license to be LPGL-2.1+ only (the tools are GPL2+, + the library is just LGPL-2.1+) (bsc#1180603) + +- update to 1.6.3: + * Revert the change notifications that were using /dev/watch_queue. + * Apply the change notifications that use pipe2(O_NOTIFICATION_PIPE). + * Allow "keyctl supports" to retrieve raw capability data. + * Allow "keyctl id" to turn a symbolic key ID into a numeric ID. + * Allow "keyctl new_session" to name the keyring. + * Allow "keyctl add/padd/etc." to take hex-encoded data. + * Add "keyctl watch*" to expose kernel change notifications on keys. + * Add caps for namespacing and notifications. + * Set a default TTL on keys that upcall for name resolution. + * Explicitly clear memory after it's held sensitive information. + * Various manual page fixes. + * Fix C++-related errors. + * Add support for keyctl_move(). + * Add support for keyctl_capabilities(). + * Make key=val list optional for various public-key ops. + * Fix system call signature for KEYCTL_PKEY_QUERY. + * Fix 'keyctl pkey_query' argument passing. + * Use keyctl_read_alloc() in dump_key_tree_aux(). + * Various manual page fixes. +- spec-cleaner run (fixup failing homepage url) + +- prepare usrmerge (boo#1029961) + +- updated to 1.6 + - Apply various specfile cleanups from Fedora. + - request-key: Provide a command line option to suppress helper execution. + - request-key: Find least-wildcard match rather than first match. + - Remove the dependency on MIT Kerberos. + - Fix some error messages + - keyctl_dh_compute.3: Suggest /proc/crypto for list of available hashes. + - Fix doc and comment typos. 
+ - Add public key ops for encrypt, decrypt, sign and verify (needs linux-4.20). + - Add pkg-config support for finding libkeyutils. +- upstream isn't offering PGP signatures for the source tarballs anymore + +- Replace krb5-devel BuildRequires with pkgconfig(krb5): Allow OBS + to shortcut the ring0 bootstrap cycle by also using krb5-mini. + +- add upstream signing key and verify source signature + +- updated to 1.5.11 (bsc#1113013) + - Add keyring restriction support. + - Add KDF support to the Diffie-Helman function. + - DNS: Add support for AFS config files and SRV records + +- Use %license (boo#1082318) + +- add keyutils-devel for baselibs, to allow biarch LTP builds. + (bsc#1061591) + +- updated to 1.5.10 + - added "dh_compute" callback + - manpage improvements + +- move binaries from /bin to /usr/bin (bsc#1029969) +- keyutils-usr-move.patch: also adjust the request-key.conf file + +- keyutils-nodate.patch: avoid including the timestamp. bsc#916180 + krb5 +- Fix integer overflows in PAC parsing; (CVE-2022-42898); + (bso#15203), (bsc#1205126). +- Added patches: + * 0010-Fix-integer-overflows-in-PAC-parsing.patch + +- Update to 1.19.2 + * Fix a denial of service attack against the KDC encrypted challenge + code; (CVE-2021-36222); + * Fix a memory leak when gss_inquire_cred() is called without a + credential handle. +- Changes from 1.19.1 + * Fix a linking issue with Samba. + * Better support multiple pkinit_identities values by checking whether + certificates can be loaded for each value. +- Changes from 1.19 + Administrator experience + * When a client keytab is present, the GSSAPI krb5 mech will refresh + credentials even if the current credentials were acquired manually. + * It is now harder to accidentally delete the K/M entry from a KDB. + Developer experience + * gss_acquire_cred_from() now supports the "password" and "verify" + options, allowing credentials to be acquired via password and + verified using a keytab key. 
+ * When an application accepts a GSS security context, the new + GSS_C_CHANNEL_BOUND_FLAG will be set if the initiator and acceptor + both provided matching channel bindings. + * Added the GSS_KRB5_NT_X509_CERT name type, allowing S4U2Self requests + to identify the desired client principal by certificate. + * PKINIT certauth modules can now cause the hw-authent flag to be set + in issued tickets. + * The krb5_init_creds_step() API will now issue the same password + expiration warnings as krb5_get_init_creds_password(). + Protocol evolution + * Added client and KDC support for Microsoft's Resource-Based Constrained + Delegation, which allows cross-realm S4U2Proxy requests. A third-party + database module is required for KDC support. + * kadmin/admin is now the preferred server principal name for kadmin + connections, and the host-based form is no longer created by default. + The client will still try the host-based form as a fallback. + * Added client and server support for Microsoft's KERB_AP_OPTIONS_CBT + extension, which causes channel bindings to be required for the + initiator if the acceptor provided them. The client will send this + option if the client_aware_gss_bindings profile option is set. + User experience + * kinit will now issue a warning if the des3-cbc-sha1 encryption type is + used in the reply. This encryption type will be deprecated and removed + in future releases. + * Added kvno flags --out-cache, --no-store, and --cached-only + (inspired by Heimdal's kgetcred). +- Changes from 1.18.3 + * Fix a denial of service vulnerability when decoding Kerberos + protocol messages. + * Fix a locking issue with the LMDB KDB module which could cause + KDC and kadmind processes to lose access to the database. + * Fix an assertion failure when libgssapi_krb5 is repeatedly loaded + and unloaded while libkrb5support remains loaded. 
+- Changes from 1.18.2 + * Fix a SPNEGO regression where an acceptor using the default credential + would improperly filter mechanisms, causing a negotiation failure. + * Fix a bug where the KDC would fail to issue tickets if the local krbtgt + principal's first key has a single-DES enctype. + * Add stub functions to allow old versions of OpenSSL libcrypto to link + against libkrb5. + * Fix a NegoEx bug where the client name and delegated credential might + not be reported. +- Changes from 1.18.1 + * Fix a crash when qualifying short hostnames when the system has + no primary DNS domain. + * Fix a regression when an application imports "service@" as a GSS + host-based name for its acceptor credential handle. + * Fix KDC enforcement of auth indicators when they are modified by + the KDB module. + * Fix removal of require_auth string attributes when the LDAP KDB + module is used. + * Fix a compile error when building with musl libc on Linux. + * Fix a compile error when building with gcc 4.x. + * Change the KDC constrained delegation precedence order for consistency + with Windows KDCs. +- Changes from 1.18 + Administrator experience: + * Remove support for single-DES encryption types. + * Change the replay cache format to be more efficient and robust. + Replay cache filenames using the new format end with ".rcache2" + by default. + * setuid programs will automatically ignore environment variables + that normally affect krb5 API functions, even if the caller does + not use krb5_init_secure_context(). + * Add an "enforce_ok_as_delegate" krb5.conf relation to disable + credential forwarding during GSSAPI authentication unless the KDC + sets the ok-as-delegate bit in the service ticket. + * Use the permitted_enctypes krb5.conf setting as the default value + for default_tkt_enctypes and default_tgs_enctypes. + Developer experience: + * Implement krb5_cc_remove_cred() for all credential cache types. 
+  * Add the krb5_pac_get_client_info() API to get the client account
+    name from a PAC.
+  Protocol evolution:
+  * Add KDC support for S4U2Self requests where the user is identified
+    by X.509 certificate. (Requires support for certificate lookup from
+    a third-party KDB module.)
+  * Remove support for an old ("draft 9") variant of PKINIT.
+  * Add support for Microsoft NegoEx. (Requires one or more third-party
+    GSS modules implementing NegoEx mechanisms.)
+  User experience:
+  * Add support for "dns_canonicalize_hostname=fallback", causing
+    host-based principal names to be tried first without DNS
+    canonicalization, and again with DNS canonicalization if the
+    un-canonicalized server is not found.
+  * Expand single-component hostnames in host-based principal names
+    when DNS canonicalization is not used, adding the system's first DNS
+    search path as a suffix. Add a "qualify_shortname" krb5.conf relation
+    to override this suffix or disable expansion.
+  * Honor the transited-policy-checked ticket flag on application servers,
+    eliminating the requirement to configure capaths on servers in some
+    scenarios.
+  Code quality:
+  * The libkrb5 serialization code (used to export and import krb5 GSS
+    security contexts) has been simplified and made type-safe.
+  * The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED
+    messages has been revised to conform to current coding practices.
+  * The test suite has been modified to work with macOS System Integrity
+    Protection enabled.
+  * The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support
+    can always be tested.
+- Changes from 1.17.1
+  * Fix a bug preventing "addprinc -randkey -kvno" from working in kadmin.
+  * Fix a bug preventing time skew correction from working when a KCM
+    credential cache is used.
+- Changes from 1.17:
+  Administrator experience:
+  * A new Kerberos database module using the Lightning Memory-Mapped
+    Database library (LMDB) has been added. The LMDB KDB module should
+    be more performant and more robust than the DB2 module, and may
+    become the default module for new databases in a future release.
+  * "kdb5_util dump" will no longer dump policy entries when specific
+    principal names are requested.
+  Developer experience:
+  * The new krb5_get_etype_info() API can be used to retrieve enctype,
+    salt, and string-to-key parameters from the KDC for a client
+    principal.
+  * The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
+    principal names to be used with GSS-API functions.
+  * KDC and kadmind modules which call com_err() will now write to the
+    log file in a format more consistent with other log messages.
+  * Programs which use large numbers of memory credential caches should
+    perform better.
+  Protocol evolution:
+  * The SPAKE pre-authentication mechanism is now supported. This
+    mechanism protects against password dictionary attacks without
+    requiring any additional infrastructure such as certificates. SPAKE
+    is enabled by default on clients, but must be manually enabled on
+    the KDC for this release.
+  * PKINIT freshness tokens are now supported. Freshness tokens can
+    protect against scenarios where an attacker uses temporary access to
+    a smart card to generate authentication requests for the future.
+  * Password change operations now prefer TCP over UDP, to avoid
+    spurious error messages about replays when a response packet is
+    dropped.
+  * The KDC now supports cross-realm S4U2Self requests when used with a
+    third-party KDB module such as Samba's. The client code for
+    cross-realm S4U2Self requests is also now more robust.
+  User experience:
+  * The new ktutil addent -f flag can be used to fetch salt information
+    from the KDC for password-based keys.
+  * The new kdestroy -p option can be used to destroy a credential cache
+    within a collection by client principal name.
+  * The Kerberos man page has been restored, and documents the
+    environment variables that affect programs using the Kerberos
+    library.
+  Code quality:
+  * Python test scripts now use Python 3.
+  * Python test scripts now display markers in verbose output, making it
+    easier to find where a failure occurred within the scripts.
+  * The Windows build system has been simplified and updated to work
+    with more recent versions of Visual Studio. A large volume of
+    unused Windows-specific code has been removed. Visual Studio 2013
+    or later is now required.
+- Replace old $RPM_* shell vars
+- Removal of SuSEfirewall2 service since SuSEfirewall2 has been replaced
+  by firewalld
+- Remove cruft to support distributions older than SLE 12
+- Use macros where applicable
+- Switch to pkgconfig style dependencies
+- Use %_tmpfilesdir instead of the wrong %_libexecdir/tmpfiles.d
+  notation: libexecdir is likely changing away from /usr/lib to
+  /usr/libexec
+- Build with full Cyrus SASL support. Negotiating SASL credentials with
+  an EXTERNAL bind mechanism requires interaction. Kerberos provides its
+  own interaction function that skips all interaction, thus preventing the
+  mechanism from working.
+- Removed patches:
+  * 0007-krb5-1.12-ksu-path.patch
+  * 0010-Add-recursion-limit-for-ASN.1-indefinite-lengths.patch
+  * 0011-Fix-KDC-null-deref-on-bad-encrypted-challenge.patch
+- Renamed patches:
+  * 0001-krb5-1.12-pam.patch => 0001-ksu-pam-integration.patch
+  * 0003-krb5-1.12-buildconf.patch => 0003-Adjust-build-configuration.patch
+  * 0008-krb5-1.12-selinux-label.patch => 0007-SELinux-integration.patch
+  * 0009-krb5-1.9-debuginfo.patch => 0008-krb5-1.9-debuginfo.patch
+  * 0012-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch =>
+    0009-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
+
+- Fix KDC null pointer dereference via a FAST inner body that
+  lacks a server field; (CVE-2021-37750); (bsc#1189929);
+- Added patches:
+  * 0012-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
+
+- Fix KDC null deref on bad encrypted challenge; (CVE-2021-36222);
+  (bsc#1188571);
+- Added patches:
+  * 0011-Fix-KDC-null-deref-on-bad-encrypted-challenge.patch
+
+- Use /run instead of /var/run for daemon PID files; (bsc#1185163);
+
+- Add recursion limit for ASN.1 indefinite lengths; (CVE-2020-28196);
+  (bsc#1178512);
+- Added patches:
+  * 0010-Add-recursion-limit-for-ASN.1-indefinite-lengths.patch
+
+- Fix prefix reported by krb5-config; libraries and headers are not
+  installed under /usr/lib/mit prefix. (bsc#1174079)
+
+- Update logrotate script, call systemd to reload the services
+  instead of init-scripts. (boo#1169357)
+
+- Integrate pam_keyinit pam module, ksu-pam.d; (bsc#1081947);
+  (bsc#1144047);
+
+- Move LDAP schema files from /usr/share/doc/packages/krb5 to
+  /usr/share/kerberos/ldap; (bsc#1134217);
+
+- Upgrade to 1.16.3
+  * Fix a regression in the MEMORY credential cache type which could cause
+    client programs to crash.
+  * MEMORY credential caches will not be listed in the global collection,
+    with the exception of the default credential cache if it is of type MEMORY.
+  * Remove an incorrect assertion in the KDC which could be used to cause
+    a crash [CVE-2018-20217].
+  * Fix bugs with concurrent use of MEMORY ccache handles.
+  * Fix a KDC crash when falling back between multiple OTP tokens configured
+    for a principal entry.
+  * Fix memory bugs when gss_add_cred() is used to create a new credential,
+    and fix a bug where it ignores the desired_name.
+  * Fix the behavior of gss_inquire_cred_by_mech() when the credential does
+    not contain an element of the requested mechanism.
+  * Make cross-realm S4U2Self requests work on the client when no
+    default_realm is configured.
+  * Add a kerberos(7) man page containing documentation of the environment
+    variables that affect Kerberos programs.
+- Use systemd-tmpfiles to create files under /var/lib/kerberos, required
+  by transactional updates; (bsc#1100126);
+- Rename patches:
+  * krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch
+  * krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch
+  * krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch
+  * krb5-1.6.3-gssapi_improve_errormessages.dif =>
+    0004-krb5-1.6.3-gssapi_improve_errormessages.patch
+  * krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch
+  * krb5-1.12-api.patch => 0006-krb5-1.12-api.patch
+  * krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch
+  * krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch
+  * krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch
+
+- Upgrade to 1.16.1
+  * kdc client cert matching on client principal entry
+  * Allow ktutil addent command to ignore key version and use
+    non-default salt string.
+  * add kpropd pidfile support
+  * enable "encrypted_challenge_indicator" realm option on tickets
+    obtained using FAST encrypted challenge pre-authentication.
+  * dates through 2106 accepted
+  * KDC support for trivially renewable tickets
+  * stop caching referral and alternate cross-realm TGTs to prevent
+    duplicate credential cache entries
+
+- BSC#1021402 move %{_libdir}/krb5/plugins/tls/k5tls.so to krb5 package
+  so it is available for krb5-client as well.
+
+- Upgrade to 1.15.3
+  * Fix flaws in LDAP DN checking, including a null dereference KDC
+    crash which could be triggered by kadmin clients with administrative
+    privileges [CVE-2018-5729, CVE-2018-5730].
+  * Fix a KDC PKINIT memory leak.
+  * Fix a small KDC memory leak on transited or authdata errors when
+    processing TGS requests.
+  * Fix a null dereference when the KDC sends a large TGS reply.
+  * Fix "kdestroy -A" with the KCM credential cache type.
+  * Fix the handling of capaths "." values.
+  * Fix handling of repeated subsection specifications in profile files
+    (such as when multiple included files specify relations in the same
+    subsection).
+
+- Added support for /etc/krb5.conf.d/ for configuration snippets
+
+- Replace references to /var/adm/fillup-templates with new
+  %_fillupdir macro (boo#1069468)
+
+- Remove build dependency doxygen, python-Cheetah, python-Sphinx,
+  python-libxml2, python-lxml, most of which are python 2 programs.
+  Consequently remove -doc subpackage. Users are encouraged to use
+  online documentation. (bsc#1066461)
+
+- Update package descriptions.
+
+- Upgrade to 1.15.2
+  * Fix a KDC denial of service vulnerability caused by unset status
+    strings [CVE-2017-11368]
+  * Preserve GSS contexts on init/accept failure [CVE-2017-11462]
+  * Fix kadm5 setkey operation with LDAP KDB module
+  * Use a ten-second timeout after successful connection for HTTPS KDC
+    requests, as we do for TCP requests
+  * Fix client null dereference when KDC offers encrypted challenge
+    without FAST
+  * Ignore dotfiles when processing profile includedir directive
+  * Improve documentation
+
+- Set "rdns" and "dns_canonicalize_hostname" to false in krb5.conf
+  in order to improve client security in handling service principal
+  names. (bsc#1054028)
+
+- Prevent kadmind.service startup failure caused by absence of
+  LDAP service. (bsc#903543)
+
+- There is no change made about the package itself; this is only
+  copying over some changelog texts from SLE package:
+- bug#918595 owned by varkoly@suse.com: VUL-0: CVE-2014-5355
+  krb5: denial of service in krb5_read_message
+- bug#912002 owned by varkoly@suse.com: VUL-0
+  CVE-2014-5352, CVE-2014-9421, CVE-2014-9422, CVE-2014-9423:
+  krb5: Vulnerabilities in kadmind, libgssrpc, gss_process_context_token
+- bug#910458 owned by varkoly@suse.com: VUL-1
+  CVE-2014-5354: krb5: NULL pointer dereference when using keyless entries
+- bug#928978 owned by varkoly@suse.com: VUL-0
+  CVE-2015-2694: krb5: issues in OTP and PKINIT kdcpreauth modules leading
+  to requires_preauth bypass
+- bug#910457 owned by varkoly@suse.com: VUL-1
+  CVE-2014-5353: krb5: NULL pointer dereference when using a ticket policy
+  name as a password policy name
+- bug#991088 owned by hguo@suse.com: VUL-1
+  CVE-2016-3120: krb5: S4U2Self KDC crash when anon is restricted
+- bug#992853 owned by hguo@suse.com: krb5: bogus prerequires
+- fate#320326 (https://fate.suse.com/320326)
+- bug#982313 owned by pgajdos@suse.com: Doxygen unable to resolve reference
+  from \cite
+
+- Remove wrong PreRequires from krb5
+
+- use HTTPS project and source URLs
+
+- use source urls.
+- krb5.keyring: Added Greg Hudson
+
+- removed obsolete krb5-1.15-fix_kdb_free_principal_e_data.patch
+- Upgrade to 1.15.1
+  * Allow KDB modules to determine how the e_data field of principal
+    fields is freed
+  * Fix udp_preference_limit when the KDC location is configured with
+    SRV records
+  * Fix KDC and kadmind startup on some IPv4-only systems
+  * Fix the processing of PKINIT certificate matching rules which have
+    two components and no explicit relation
+  * Improve documentation
+
+- remove useless environment.pickle to make build-compare happy
+
+- Introduce patch
+  krb5-1.15-fix_kdb_free_principal_e_data.patch
+  to fix freeing of e_data in the kdb principal
+
+- Upgrade to 1.15
+- obsoleted Patch7 (krb5-1.7-doublelog.patch) fixed in 1.12.2
+- obsoleted patch to src/util/gss-kernel-lib/Makefile.in since
+  file is not available in upstream source anymore
+- obsoleted Patch15 (krb5-fix_interposer.patch) fixed in 1.15
+- Upgrade from 1.14.4 to 1.15 - major changes:
+  Administrator experience:
+  * Add support to kadmin for remote extraction of current keys without
+    changing them (requires a special kadmin permission that is excluded
+    from the wildcard permission), with the exception of highly
+    protected keys.
+  * Add a lockdown_keys principal attribute to prevent retrieval of the
+    principal's keys (old or new) via the kadmin protocol. In newly
+    created databases, this attribute is set on the krbtgt and kadmin
+    principals.
+  * Restore recursive dump capability for DB2 back end, so sites can
+    more easily recover from database corruption resulting from power
+    failure events.
+  * Add DNS auto-discovery of KDC and kpasswd servers from URI records,
+    in addition to SRV records. URI records can convey TCP and UDP
+    servers and master KDC status in a single DNS lookup, and can also
+    point to HTTPS proxy servers.
+  * Add support for password history to the LDAP back end.
+  * Add support for principal renaming to the LDAP back end.
+  * Use the getrandom system call on supported Linux kernels to avoid
+    blocking problems when getting entropy from the operating system.
+  * In the PKINIT client, use the correct DigestInfo encoding for PKCS
+    #1 signatures, so that some especially strict smart cards will work.
+  Code quality:
+  * Clean up numerous compilation warnings.
+  * Remove various infrequently built modules, including some preauth
+    modules that were not built by default.
+  Developer experience:
+  * Add support for building with OpenSSL 1.1.
+  * Use SHA-256 instead of MD5 for (non-cryptographic) hashing of
+    authenticators in the replay cache. This helps sites that must
+    build with FIPS 140 conformant libraries that lack MD5.
+  Protocol evolution:
+  * Add support for the AES-SHA2 enctypes, which allows sites to conform
+    to Suite B crypto requirements.
+- Upgrade from 1.14.3 to 1.14.4 - major changes:
+  * Fix some rare btree data corruption bugs
+  * Fix numerous minor memory leaks
+  * Improve portability (Linux-ppc64el, FreeBSD)
+  * Improve some error messages
+  * Improve documentation
+
+- add pam configuration file required for ksu
+  just use a copy of "su" one from Tumbleweed
+
+- Upgrade from 1.14.2 to 1.14.3:
+  * Improve some error messages
+  * Improve documentation
+  * Allow a principal with nonexistent policy to bypass the minimum
+    password lifetime check, consistent with other aspects of
+    nonexistent policies
+  * Fix a rare KDC denial of service vulnerability when anonymous client
+    principals are restricted to obtaining TGTs only [CVE-2016-3120]
+
+- Remove comments breaking post scripts.
+
+- Do not use systemd_requires macros in main package; it adds
+  unneeded dependencies which pull systemd into minimal chroot.
+- Only call %insserv_prereq when building for pre-systemd
+  distributions.
+- Optimise some %post/%postun when only /sbin/ldconfig is called.
+
+- Remove source file ccapi/common/win/OldCC/autolock.hxx
+  that is not needed and does not carry an acceptable license.
+  (bsc#968111)
+
+- removed obsolete patches:
+  * 0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
+  * krb5-mechglue_inqure_attrs.patch
+- Upgrade from 1.14.1 to 1.14.2:
+  * Fix a moderate-severity vulnerability in the LDAP KDC back end that
+    could be exploited by a privileged kadmin user [CVE-2016-3119]
+  * Improve documentation
+  * Fix some interactions with GSSAPI interposer mechanisms
+
+- Upgrade from 1.14 to 1.14.1:
+  * Remove expired patches:
+    0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch
+    0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch
+    0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch
+    krbdev.mit.edu-8301.patch
+  * Replace source archives:
+    krb5-1.14.tar.gz ->
+    krb5-1.14.1.tar.gz
+    krb5-1.14.tar.gz.asc ->
+    krb5-1.14.1.tar.gz.asc
+  * Adjust line numbers in:
+    krb5-fix_interposer.patch
+
+- Introduce patch
+  0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch
+  to fix CVE-2016-3119 (bsc#971942)
+
+- Remove krb5-mini pieces from spec file.
+  Hence remove pre_checkin.sh
+- Remove expired macros and other minor clean-ups in spec file.
+
+- Fix CVE-2015-8629: krb5: xdr_nullstring() doesn't check for terminating null character
+  with patch 0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch
+  (bsc#963968)
+- Fix CVE-2015-8631: krb5: Memory leak caused by supplying a null principal name in request
+  with patch 0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch
+  (bsc#963975)
+- Fix CVE-2015-8630: krb5: krb5 doesn't check for null policy when KADM5_POLICY is set in the mask
+  with patch 0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch
+  (bsc#963964)
+
+- Add two patches from Fedora, fixing two crashes:
+  * krb5-fix_interposer.patch
+  * krb5-mechglue_inqure_attrs.patch
+
+- Update to 1.14
+- dropped krb5-kvno-230379.patch
+- added krbdev.mit.edu-8301.patch fixing wrong function call
+  Major changes in 1.14 (2015-11-20)
+  Administrator experience:
+  * Add a new kdb5_util tabdump command to provide reporting-friendly
+    tabular dump formats (tab-separated or CSV) for the KDC database.
+    Unlike the normal dump format, each output table has a fixed number
+    of fields. Some tables include human-readable forms of data that
+    are opaque in ordinary dump files. This format is also suitable for
+    importing into relational databases for complex queries.
+  * Add support to kadmin and kadmin.local for specifying a single
+    command line following any global options, where the command
+    arguments are split by the shell--for example, "kadmin getprinc
+    principalname". Commands issued this way do not prompt for
+    confirmation or display warning messages, and exit with non-zero
+    status if the operation fails.
+  * Accept the same principal flag names in kadmin as we do for the
+    default_principal_flags kdc.conf variable, and vice versa. Also
+    accept flag specifiers in the form that kadmin prints, as well as
+    hexadecimal numbers.
+  * Remove the triple-DES and RC4 encryption types from the default
+    value of supported_enctypes, which determines the default key and
+    salt types for new password-derived keys. By default, keys will
+    only be created for AES128 and AES256. This mitigates some types
+    of password guessing attacks.
+  * Add support for directory names in the KRB5_CONFIG and
+    KRB5_KDC_PROFILE environment variables.
+  * Add support for authentication indicators, which are ticket
+    annotations to indicate the strength of the initial authentication.
+    Add support for the "require_auth" string attribute, which can be
+    set on server principal entries to require an indicator when
+    authenticating to the server.
+  * Add support for key version numbers larger than 255 in keytab files,
+    and for version numbers up to 65535 in KDC databases.
+  * Transmit only one ETYPE-INFO and/or ETYPE-INFO2 entry from the KDC
+    during pre-authentication, corresponding to the client's most
+    preferred encryption type.
+  * Add support for server name identification (SNI) when proxying KDC
+    requests over HTTPS.
+  * Add support for the err_fmt profile parameter, which can be used to
+    generate custom-formatted error messages.
+  Code quality:
+  * Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that
+    could cause server crashes. [CVE-2015-2695] [CVE-2015-2696]
+    [CVE-2015-2698]
+  * Fix build_principal memory bug that could cause a KDC
+    crash. [CVE-2015-2697]
+  Developer experience:
+  * Change gss_acquire_cred_with_password() to acquire credentials into
+    a private memory credential cache. Applications can use
+    gss_store_cred() to make the resulting credentials visible to other
+    processes.
+  * Change gss_acquire_cred() and SPNEGO not to acquire credentials for
+    IAKERB or for non-standard variants of the krb5 mechanism OID unless
+    explicitly requested. (SPNEGO will still accept the Microsoft
+    variant of the krb5 mechanism OID during negotiation.)
+  * Change gss_accept_sec_context() not to accept tokens for IAKERB or
+    for non-standard variants of the krb5 mechanism OID unless an
+    acceptor credential is acquired for those mechanisms.
+  * Change gss_acquire_cred() to immediately resolve credentials if the
+    time_rec parameter is not NULL, so that a correct expiration time
+    can be returned. Normally credential resolution is delayed until
+    the target name is known.
+  * Add krb5_prepend_error_message() and krb5_wrap_error_message() APIs,
+    which can be used by plugin modules or applications to add prefixes
+    to existing detailed error messages.
+  * Add krb5_c_prfplus() and krb5_c_derive_prfplus() APIs, which
+    implement the RFC 6113 PRF+ operation and key derivation using PRF+.
+  * Add support for pre-authentication mechanisms which use multiple
+    round trips, using the KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error
+    code. Add get_cookie() and set_cookie() callbacks to the kdcpreauth
+    interface; these callbacks can be used to save marshalled state
+    information in an encrypted cookie for the next request.
+  * Add a client_key() callback to the kdcpreauth interface to retrieve
+    the chosen client key, corresponding to the ETYPE-INFO2 entry sent
+    by the KDC.
+  * Add an add_auth_indicator() callback to the kdcpreauth interface,
+    allowing pre-authentication modules to assert authentication
+    indicators.
+  * Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to
+    suppress sending the confidentiality and integrity flags in GSS
+    initiator tokens unless they are requested by the caller. These
+    flags control the negotiated SASL security layer for the Microsoft
+    GSS-SPNEGO SASL mechanism.
+  * Make the FILE credential cache implementation less prone to
+    corruption issues in multi-threaded programs, especially on
+    platforms with support for open file description locks.
+  Performance:
+  * On slave KDCs, poll the master KDC immediately after processing a
+    full resync, and do not require two full resyncs after the master
+    KDC's log file is reset.
+  User experience:
+  * Make gss_accept_sec_context() accept tickets near their expiration
+    but within clock skew tolerances, rather than rejecting them
+    immediately after the server's view of the ticket expiration time.
+
+- Update to 1.13.3
+- removed patches for security fixes now in upstream source:
+  0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch
+  0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
+  0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch
+  0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch
+  Major changes in 1.13.3 (2015-12-04)
+  This is a bug fix release. The krb5-1.13 release series is in
+  maintenance, and for new deployments, installers should prefer the
+  krb5-1.14 release series or later.
+  * Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that
+    could cause server crashes. [CVE-2015-2695] [CVE-2015-2696]
+    [CVE-2015-2698]
+  * Fix build_principal memory bug that could cause a KDC
+    crash. [CVE-2015-2697]
+  * Allow an iprop slave to receive full resyncs from KDCs running
+    krb5-1.10 or earlier.
+
+- Apply patch 0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch
+  to fix a memory corruption regression introduced by resolution of
+  CVE-2015-2698. bsc#954204
+
+- Make kadmin.local man page available without having to install krb5-client. bsc#948011
+- Apply patch 0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch
+  to fix build_principal memory bug [CVE-2015-2697] bsc#952190
+- Apply patch 0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
+  to fix IAKERB context aliasing bugs [CVE-2015-2696] bsc#952189
+- Apply patch 0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch
+  to fix SPNEGO context aliasing bugs [CVE-2015-2695] bsc#952188
+
+- Let server depend on libev (module of libverto). This was the
+  preferred implementation before the separation of libverto from krb.
+
+- Drop libverto and libverto-libev Requires from the -server
+  package: those package names don't exist and the shared libs
+  are pulled in automatically.
+
+- Unconditionally buildrequire libverto-devel: krb5-mini also
+  depends on it.
+
+- pre_checkin.sh aligned changes between krb5/krb5-mini
+- added krb5.keyring
+
+- update to krb5 1.13.2
+- DES transition
+  ==============
+  The Data Encryption Standard (DES) is widely recognized as weak. The
+  krb5-1.7 release contains measures to encourage sites to migrate away
+  from using single-DES cryptosystems. Among these is a configuration
+  variable that enables "weak" enctypes, which defaults to "false"
+  beginning with krb5-1.8.
+  Major changes in 1.13.2 (2015-05-08)
+  This is a bug fix release.
+  * Fix a minor vulnerability in krb5_read_message, which is primarily
+    used in the BSD-derived kcmd suite of applications. [CVE-2014-5355]
+  * Fix a bypass of requires_preauth in KDCs that have PKINIT enabled.
+    [CVE-2015-2694]
+  * Fix some issues with the LDAP KDC database back end.
+  * Fix an iteration-related memory leak in the DB2 KDC database back
+    end.
+  * Fix issues with some less-used kadm5.acl functionality.
+  * Improve documentation.
+
+- Use externally built libverto
+
+- update to krb5 1.13.1
+  Major changes in 1.13.1 (2015-02-11)
+  This is a bug fix release.
+  * Fix multiple vulnerabilities in the LDAP KDC back end.
+    [CVE-2014-5354] [CVE-2014-5353]
+  * Fix multiple kadmind vulnerabilities, some of which are based in the
+    gssrpc library. [CVE-2014-5352 CVE-2014-5352 CVE-2014-9421
+    CVE-2014-9422 CVE-2014-9423]
+
+- Update to krb5 1.13
+  * Add support for accessing KDCs via an HTTPS proxy server using the
+    MS-KKDCP protocol.
+  * Add support for hierarchical incremental propagation, where slaves
+    can act as intermediates between an upstream master and other downstream
+    slaves.
+  * Add support for configuring GSS mechanisms using /etc/gss/mech.d/*.conf
+    files in addition to /etc/gss/mech.
+  * Add support to the LDAP KDB module for binding to the LDAP server using
+    SASL.
+  * The KDC listens for TCP connections by default.
+  * Fix a minor key disclosure vulnerability where using the "keepold" option
+    to the kadmin randkey operation could return the old keys. [CVE-2014-5351]
+  * Add client support for the Kerberos Cache Manager protocol. If the host
+    is running a Heimdal kcm daemon, caches served by the daemon can be
+    accessed with the KCM: cache type.
+  * When built on OS X 10.7 and higher, use "KCM:" as the default cache type,
+    unless overridden by command-line options or krb5-config values.
+  * Add support for doing unlocked database dumps for the DB2 KDC back end,
+    which would allow the KDC and kadmind to continue accessing the database
+    during lengthy database dumps.
+- Removed patches, useless or upstreamed
+  * krb5-1.9-kprop-mktemp.patch
+  * krb5-1.10-ksu-access.patch
+  * krb5-1.12-doxygen.patch
+  * bnc#897874-CVE-2014-5351.diff
+  * krb5-1.13-work-around-replay-cache-creation-race.patch
+  * krb5-1.10-kpasswd_tcp.patch
+- Refreshed patches
+  * krb5-1.12-pam.patch
+  * krb5-1.12-selinux-label.patch
+  * krb5-1.7-doublelog.patch
less
+- Apply "cve-2022-46663.patch" to fix a vulnerability in less that
+  could be exploited for denial-of-service attacks or even remote
+  code execution by printing specially crafted escape sequences to
+  the terminal. [CVE-2022-46663, bsc#1207815]
libmwaw
+- update to 0.3.21 (jsc#PED-1785):
+  * add debug code to read some private rsrc data
+    + allow reading some MacWrite files which do not have printer information
+  * add a parser for Scoop files
+  * add a parser for ScriptWriter files
+  * add a parser for ReadySetGo 1-4 files
libogg
+- Orthographic fixes to descriptions. RPM group fix.
+
+- Update to version 1.3.2
+  * Fix a bug in oggpack_writecopy().
+
+- Xiph libogg 1.3.1
+  * Guard against very large packets.
+  * Respect the configure --docdir override.
+  * Documentation fixes.
+- fix SLE build
+
+- own aclocal directory
+
+- -O20 optimization level does not exist, use -O3
+
+- updated to version 1.3.0
+  * Add ogg_stream_flush_fill() call
+    This produces longer packets on flush, similar to
+    what ogg_stream_pageout_fill() does for single pages.
+- run spec-cleaner on it
+- remove "SLES10 -> SLES11 upgrade path" parts since the upgrade
+  already happened and anyway the entry in bugzilla is not public
+
+- replace _service with real file
+
+- update to version 1.2.2
+  * Build fix (types correction) for Mac OS X
+  * Update win32 project files to Visual Studio 2008
+  * ogg_stream_pageout_fill documentation fix
+
+- update to version 1.2.1
+  * Various build updates (see SVN)
+  * Add ogg_stream_pageout_fill() to API to allow applications
+    greater explicit flexibility in page sizing.
+  * Documentation updates including multiplexing description,
+    terminology and API (incl. ogg_packet_clear(),
+    ogg_stream_pageout_fill())
+  * Correct possible buffer overwrite in stream encoding on 32 bit
+    when a single packet exceeds 250MB.
+  * Correct read-buffer overrun [without side effects] under
+    similar circumstances.
+  * Update unit testing to work properly with new page spill
+    heuristic.
+  * Alter default flushing behavior to span less often and use
+    larger page sizes when packet sizes are large.
+  * Build fixes for additional compilers
+  * Documentation updates
+- run spec-cleaner
+- removed configure.dif (reapply if -fsigned-char causes problems)
+- removed libogg-compile-warning-fix.diff (upstreamed)
+
+- add baselibs.conf as a source
libpng16
-- security update
-- added patches
-  CVE-2019-7317 [bsc#1124211]
-  + libpng16-CVE-2019-7317.patch
-
-- asan_build: build ASAN included
-- debug_build: build more suitable for debugging, install pngcp
-- usecase example: [bsc#1121624]
-
-- security update:
-  * CVE-2018-13785 [bsc#1100687]
-  + libpng16-CVE-2018-13785.patch
-
-- check with -j1
-
-- Fix SRPM group and grammar issues.
-
-- removed obsoleted Obsoletes
-
-- update to 1.6.34:
-  * Removed contrib/pngsuite/i*.png; some of these were incorrect
-    and caused test failures.
-- includes 1.6.33:
-  * Added PNGMINUS_UNUSED macro to contrib/pngminus/p*.c and added
-    missing parenthesis in contrib/pngminus/pnm2png.c
-  * Fixed off-by-one error in png_do_check_palette_indexes()
-  * Initialize png_handler.row_ptr in libpng_read_fuzzer.cc
-    to fix shortlived oss-fuzz issue 3234.
-  * Compute a larger limit on IDAT because some applications write
-    a deflate buffer for each row
-  * Use current date (DATE) instead of release-date (RDATE) in last
-    changed date of contrib/oss-fuzz files.
-  * Enabled ARM support in CMakeLists.txt
-  * Fixed incorrect typecast of some arguments to png_malloc() and
-    png_calloc() that were png_uint_32 instead of png_alloc_size_t
-  * Use pnglibconf.h.prebuilt when building for ANDROID with cmake
-  * Initialize memory allocated by png_inflate to zero, using
-    memset, to stop an oss-fuzz "use of uninitialized value"
-    detection in png_set_text_2() due to truncated iTXt or zTXt
-    chunk.
-  * Initialize memory allocated by png_read_buffer to zero, using
-    memset, to stop an oss-fuzz "use of uninitialized value"
-    detection in png_icc_check_tag_table() due to truncated iCCP
-    chunk.
- * Removed redundant tests - * Added an interlaced version of each file in contrib/pngsuite. - * Relocate new memset() call in pngrutil.c - * Add support for loading images with associated alpha in the - Simplified API - * Revert contrib/oss-fuzz/libpng_read_fuzzer.cc to libpng-1.6.32 - state - * Initialize png_handler.row_ptr in libpng_read_fuzzer.cc - * Add end_info structure and png_read_end() to the libpng fuzzer -- includes 1.6.32: - * Avoid possible NULL dereference in png_handle_eXIf when - benign_errors are allowed. Avoid leaking the input buffer - "eXIf_buf". - * Eliminated png_ptr->num_exif member from pngstruct.h and added - num_exif to arguments for png_get_eXIf() and png_set_eXIf(). - * Added calls to png_handle_eXIf() in pngread.c and - png_write_eXIf() in pngwrite.c, and made various other fixes - to png_write_eXIf(). - * Changed name of png_get_eXIf() and png_set_eXIf() to - png_get_eXIf_1() and png_set_eXIf_1(), respectively, to avoid - breaking API compatibility with libpng-1.6.31. - * Updated contrib/libtests/pngunknown.c with eXIf chunk. - * Initialized btoa[] in pngstest.c - * Stop memory leak when returning from png_handle_eXIf() with an - error - * Replaced local eXIf_buf with info_ptr-eXIf_buf in png_handle_eXIf(). - * Update libpng.3 and libpng-manual.txt about eXIf functions. - * Restored png_get_eXIf() and png_set_eXIf() to maintain API - compatibility. - * Removed png_get_eXIf_1() and png_set_eXIf_1(). - * Check length of all chunks except IDAT against user limit to - fix an OSS-fuzz issue (Fixes CVE-2017-12652) - * Check length of IDAT against maximum possible IDAT size, - accounting for height, rowbytes, interlacing and zlib/deflate - overhead. - * Restored png_get_eXIf_1() and png_set_eXIf_1(), because - strlen(eXIf_buf) does not work (the eXIf chunk data can - contain zeroes). - * Revised symlink creation, no longer using deprecated cmake - LOCATION feature - * Fixed five-byte error in the calculation of IDAT maximum - possible size. 
- * Moved chunk-length check into a png_check_chunk_length() - private function - * Moved bad pngs from tests to contrib/libtests/crashers - * Moved testing of bad pngs into a separate - tests/pngtest-badpngs script - * Added the --xfail (expected FAIL) option to pngtest.c. It - writes XFAIL in the output but PASS for the libpng test. - * Require cmake-3.0.2 in CMakeLists.txt - * Fix "const" declaration info_ptr argument to png_get_eXIf_1() - and the num_exif argument to png_get_eXIf_1() - * Added "eXIf" to "chunks_to_ignore[]" in png_set_keep_unknown_chunks(). - * Added huge_IDAT.png and empty_ancillary_chunks.png to - testpngs/crashers. - * Make pngtest --strict, --relax, --xfail options imply -m - (multiple). - * Removed unused chunk_name parameter from png_check_chunk_length(). - * Relocated setting free_me for eXIf data, to stop an OSS-fuzz' - leak. - * Initialize profile_header[] in png_handle_iCCP() to fix - OSS-fuzz issue. - * Initialize png_ptr->row_buf[0] to 255 in png_read_row() to fix - OSS-fuzz UMR. - * Attempt to fix a UMR in png_set_text_2() to fix OSS-fuzz issue. - * Increase minimum zlib stream from 9 to 14 in png_handle_iCCP(), - to account for the minimum 'deflate' stream, and relocate the - test to a point after the keyword has been read. - * Check that the eXIf chunk has at least 2 bytes and begins with - "II" or "MM". - * Added a set of "huge_xxxx_chunk.png" files to - contrib/testpngs/crashers, one for each known chunk type, with - length = 2GB-1. - * Check for 0 return from png_get_rowbytes() and added some - (size_t) typecasts in contrib/pngminus/*.c to stop some Coverity - issues (162705, 162706, and 162707). 
- * Renamed chunks in contrib/testpngs/crashers to avoid having - files whose names differ only in case; this causes problems with - some platforms - * Added contrib/oss-fuzz directory which contains files used by - the oss-fuzz project -- cleanup with spec-cleaner - -- update to 1.6.31: - * Guard the definition of _POSIX_SOURCE in pngpriv.h. - * Revised pngpriv.h to work around failure to compile - arm/filter_neon.S. - * Added "Requires: zlib" to libpng.pc.in. - * Added special case for FreeBSD in arm/filter_neon.S. - * Changed "int" to "png_size_t" in intel/filter_sse2.c to prevent - possible integer overflow. - * Added eXIf chunk support. -- remove upstreamed - 0001-libpng16-Revised-pngpriv.h-to-use-PNG_VERSION_INFO_O.patch - -- Drop png-version-info-only.patch, it has no effect after applying - 0001-libpng16-Revised-pngpriv.h-to-use-PNG_VERSION_INFO_O.patch - Both patches achieve the same, prefer the upstream version - -- Add 0001-libpng16-Revised-pngpriv.h-to-use-PNG_VERSION_INFO_O.patch - Fix build on ARM - -- png-version-info-only.patch: fix missing PNG_VERSION_INFO_ONLY check - -- update to 1.6.30: - Revised documentation of png_get_error_ptr() in the libpng manual. - Document need to check for integer overflow when allocating a pixel - buffer for multiple rows in contrib/gregbook, contrib/pngminus, - example.c, and in the manual (suggested by Jaeseung Choi). This - is similar to the bug reported against pngquant in CVE-2016-5735. - Check for integer overflow in contrib/visupng and contrib/tools/genpng. - Do not double evaluate CMAKE_SYSTEM_PROCESSOR in CMakeLists.txt. - Avoid writing an empty IDAT when the last IDAT exactly fills the - compression buffer (bug report by Brian Baird). This bug was - introduced in libpng-1.6.0. - Add a reference to the libpng.download site in README. - -- update to 1.6.29: - Moved SSE2 optimization code into the main libpng source directory. 
- Configure libpng with "configure --enable-intel-sse" or compile - libpng with "-DPNG_INTEL_SSE" in CPPFLAGS to enable it. - Added code for PowerPC VSX optimisation (Vadim Barkov). - Avoid potential overflow of shift operations in png_do_expand() (Aaron Boxer). - -- update to 1.6.28: fix build issues - -- update to 1.6.27: fixes CVE-2016-10087 - -- update to 1.6.26: - Fixed handling zero length IDAT in pngfix (bug report by Agostino Sarubbo, - bugfix by John Bowler). - Do not issue a png_error() on read in png_set_pCAL() because - png_handle_pCAL has allocated memory that libpng needs to free. - Issue a png_benign_error instead of a png_error on ADLER32 mismatch - while decoding compressed data chunks. - Changed PNG_ZLIB_VERNUM to ZLIB_VERNUM in pngpriv.h, pngstruct.h, and - pngrutil.c. - If CRC handling of critical chunks has been set to PNG_CRC_QUIET_USE, - ignore the ADLER32 checksum in the IDAT chunk as well as the chunk CRCs. - Issue png_benign_error() on ADLER32 checksum mismatch instead of - png_error(). - Updated the documentation about CRC and ADLER32 handling. - Fixed offsets in contrib/intel/intel_sse.patch - Changed integer constant 4294967294 to unsigned 4294967294U in pngconf.h - to avoid a signed/unsigned compare in the preprocessor. - Use zlib-1.2.8.1 inflateValidate() instead of inflateReset2() to - optionally avoid ADLER32 evaluation. - -- update to 1.6.25: - Reject oversized iCCP profile immediately. - Conditionally compile png_inflate(). - Don't install pngcp; it conflicts with pngcp in the pngtools package. - Added MIPS support (Mandar Sahastrabuddhe < - -- update to 1.6.24: - Avoid potential overflow of the PNG_IMAGE_SIZE macro. - Correct filter heuristic overflow handling. - Use a more efficient absolute value calculation on SSE2. - Added pngcp. - etc. see ANNOUNCE - -- Update to new upstream release 1.6.23 - * Fixes a potential memleak in png_set_tRNS. - * Fixed the progressive reader to handle empty first IDAT - chunk properly. 
- * Added tests in pngvalid.c to check zero-length IDAT chunks - in various positions. - * Fixed the sequential reader to handle these more robustly. - * Corrected progressive read input buffer in pngvalid.c. - * Moved sse2 prototype from pngpriv.h to - contrib/intel/intel_sse.patch. - * Fixed undefined behavior in png_push_save_buffer(). - Do not call memcpy() with a null source, even if count is zero. - * Fixed bad link to RFC2083 in png.5. - -- update to 1.6.22: - Added a png_image_write_to_memory() API and a number of assist macros - to allow an application that uses the simplified API write to bypass - stdio and write directly to memory. - Relaxed limit checks on gamma values in pngrtran.c. As suggested in - the comments gamma values outside the range currently permitted - by png_set_alpha_mode are useful for HDR data encoding. These values - are already permitted by png_set_gamma so it is reasonable caution to - extend the png_set_alpha_mode range as HDR imaging systems are starting - to emerge. - Restored "& 0xff" in png_save_uint_16() and png_save_uint_32() that - were accidentally removed from libpng-1.6.17. - Changed PNG_INFO_cHNK and PNG_FREE_cHNK from 0xnnnn to 0xnnnnU in png.h - (Robert C. Seacord). - Added INTEL-SSE2 support (Mike Klein and Matt Sarett, Google, Inc.). - SSE filter speed improvements for bpp=3: - memcpy-free implementations of load3() / store3(). - Added PNG_FAST_FILTERS macro (defined as - PNG_FILTER_NONE|PNG_FILTER_SUB|PNG_FILTER_UP). - -- Update to new upstream release 1.6.21 - * Widened the 'limit' check on the internally calculated error limits in - the 'DIGITIZE' case (the code used prior to 1.7 for rgb_to_gray error - checks) and changed the check to only operate in non-release builds - (base build type not RC or RELEASE.) - * Fixed undefined behavior in pngvalid.c, undefined because - (png_byte) << shift is undefined if it changes the signed bit - (because png_byte is promoted to int). 
The libpng exported functions - png_get_uint_32 and png_get_uint_16 handle this. - -- update to 1.6.20: - Avoid potential pointer overflow/underflow in png_handle_sPLT() and - png_handle_pCAL() (Bug report by John Regehr). - Fixed incorrect implementation of png_set_PLTE() that uses png_ptr - not info_ptr, that left png_set_PLTE() open to the CVE-2015-8126 - vulnerability. - Backported tests from libpng-1.7.0beta69. - Fixed an error in handling of bad zlib CMINFO field in pngfix, found by - American Fuzzy Lop, reported by Brian Carpenter. inflate() doesn't - immediately fault a bad CMINFO field; instead a 'too far back' error - happens later (at least some times). pngfix failed to limit CMINFO to - the allowed values but then assumed that window_bits was in range, - triggering an assert. The bug is mostly harmless; the PNG file cannot - be fixed. - In libpng 1.6 zlib initialization was changed to use the window size - in the zlib stream, not a fixed value. This causes some invalid images, - where CINFO is too large, to display 'correctly' if the rest of the - data is valid. This provides a workaround for zlib versions where the - error arises (ones that support the API change to use the window size - in the stream). - -- update to 1.6.19: - Fixed potential leak of png_pixels in contrib/pngminus/pnm2png.c - Fixed uninitialized variable in contrib/gregbook/rpng2-x.c - Fixed the recently reported 1's complement security issue. - Fixed png_save_int_32 when int is not 2's complement by replacing - the value that is illegal in the PNG spec, in both signed and - unsigned values, with 0. - etc., see ANNOUNCE and CHANGES for details -- removed: libpng-rgb_to_gray-checks.patch (upstreamed) - -- drop unknown configure switch - -- Fixed rgb_to_gray checks and added tRNS checks to pngvalid.c. - + libpng-rgb_to_gray-checks.patch - -- updated to 1.6.17: - Corrected the width limit calculation in png_check_IHDR(). - Removed user limits from pngfix. 
Also pass NULL pointers to - png_read_row to skip the unnecessary row de-interlace stuff. - Implement previously untested cases of libpng transforms in pngvalid.c - Fixed byte order in 2-byte filler, in png_do_read_filler(). - Made the check for out-of-range values in png_set_tRNS() detect - values that are exactly 2^bit_depth, and work on 16-bit platforms. - Merged some parts of libpng-1.6.17beta01 and libpng-1.7.0beta47. - Added #ifndef __COVERITY__ where needed in png.c, pngrutil.c and - pngset.c to avoid warnings about dead code. - Do not build png_product2() when it is unused. - Display user limits in the output from pngtest. - Eliminated the PNG_SAFE_LIMITS macro and restored the 1-million-column - and 1-million-row default limits in pnglibconf.dfa, that can be reset - by the user at build time or run time. This provides a more robust - defense against DOS and as-yet undiscovered overflows. - Added PNG_WRITE_CUSTOMIZE_COMPRESSION_SUPPORTED macro, on by default. - Allow user to call png_get_IHDR() with NULL arguments (Reuben Hawkins). - Moved png_set_filter() prototype into a PNG_WRITE_SUPPORTED block - of png.h. - Free the unknown_chunks structure even when it contains no data. - Fixed simplified 8-bit-linear to sRGB alpha. The calculated alpha - value was wrong. It's not clear if this affected the final stored - value; in the obvious code path the upper and lower 8-bits of the - alpha value were identical and the alpha was truncated to 8-bits - rather than dividing by 257 (John Bowler). - -- build with PNG_SAFE_LIMITS_SUPPORTED [bnc#912076], [bnc#912929] - -- updated to 1.6.16: - * Restored a test on width that was removed from png.c at libpng-1.6.9 - (Bug report by Alex Eubanks). - * Fixed an overflow in png_combine_row with very wide interlaced images. - -- updated to 1.6.15: - * Avoid out-of-bounds memory access in png_user_version_check(). - * Fixed incorrect handling of the iTXt compression. - * Free all allocated memory in pngimage. 
- * Fixed array size calculations to avoid warnings. - etc. see ANNOUNCE - libpsl -- fix [bsc#1197771] - FTBFS: libpsl won't compile on SP4 -- added patches - https://github.com/rockdaboot/libpsl/commit/f364cea73e351ce62e0b337fd1fbc21e70b52d56 - + libpsl-fix-test-data.patch - -- update to 0.20.1: - * Fix issue introduced with PSL_TYPE_NO_STAR_RULE in V0.20.0 - * Fix SO_VERSION to 8:0:3 - * Improve unit tests - -- Use %license (boo#1082318) - -- update to 0.20.0: - * Remove hard-coded gcc flag in Makefile.am - * Prevent excessive CPU cycles on large inputs - * New flag PSL_TYPE_NO_STAR_RULE to skip star rule - -- Make sure to use python3 during build instead of calling env - -- update to 0.19.1: - * New function psl_free_string() - * psl_make_dafsa now works with python2 and python3 - * psl_*count() functions now return -1 if info is not available - * Fixed unsigned integer overflow in _mem_is_ascii() - * Add -fsanitize-address-use-after-scope to --enable-asan if - available - -- update to 0.18.0: - * Fix order of files in psl_latest() - * Add fuzzing architecture - * Fix memleak in _psl_is_public_suffix() - * Add configure option --enable-asan (Address sanitizer) - * Add configure option --enable-usan (Undefined sanitizer) - * Add configure option --enable-cfi (Control Flow Integrity) - * Fix finding libidn2 for static builds - * Fix use of uninitialized stack value - * Fix buffer overflow in libicu build - * Use libidn2 as default for builds (former libicu) - * Add pkg-config support for libidn and libidn2 - -- Use idn2 runtime instead of libicu - as libicu requires 30MB - of unicode data - while idn2 is already part of minimal system - -- libpsl 0.17.0: - * Use TR46 non-transitional for IDNA (libicu, libidn2 >= 0.14) - * Fix coverage upload from TravisCI to Coveralls - * New tests to cover psl_latest() and psl_dist_filename() - -- libpsl 0.16.1: - This version enables consumers of the library to dynamically load - the latest public suffix data from a binary data 
file in the - publicsuffix package which can then updated without re-building - libpsl. - * Add functions psl_latest() and psl_dist_filename() - * Do not taint out variable on error in psl_str_to_utf8lower() - * Replace psl2c by psl-make-dafsa -- correct licenses for package and subpackages -- package HTML docs in -devel package - -- libpsl 0.15.0: - * Python3 compatibility for psl-make-dafsa - * Support for UTF-8 in DAFSA data - * Skip punycode conversion if DAFSA has UTF-8 - * Better code coverage by test suite - * Code cleanup and enhancements - * Install man pages for psl-make-dafsa and psl - * Enhancements to the documentation - -- libpsl 0.14.0: - * Remove unneeded libraries from tools/psl link step - * Use https instead of http where possible - * Add man page for tools/psl - * Add header magic to DAFSA files - * Rename make_dafsa.py to psl-make-dafsa - * Add man page for psl-make-dafsa - -- libpsl 0.13.0: - * Use tests.txt as PSL test file by default - * Slightly shorter DAFSA array when sorting input - * Check for python 2.7+ in configure.ac - * Fix python3 incompatibilities in make_dafsa.py - -- Add baselibs.conf - -- libpsl 0.12.0 (libpsl.so.5 5:0:0) - * Remove psl_builtin_compile_time() - * Add function psl_is_public_suffix2() - * Avoid libicu dependency with --enable-runtime=no -- drop upstreamed 0001-Remove-include-of-bits-stat.h.patch - -- fix SLE 11 build: - * adding 0001-Remove-include-of-bits-stat.h.patch - * skip IDN feature -- update descriptions and categories - -- initial package for libpsl based on Fedora Spec - libreoffice +- Update to 7.4.3.2 (jsc#PED-1785): + You can check for 7.4 release notes here: + https://wiki.documentfoundation.org/ReleaseNotes/7.4 + You can check for each minor release notes here: + https://wiki.documentfoundation.org/Releases/7.4.3/RC2 + https://wiki.documentfoundation.org/Releases/7.4.3/RC1 + https://wiki.documentfoundation.org/Releases/7.4.2/RC3 + https://wiki.documentfoundation.org/Releases/7.4.2/RC2 + 
https://wiki.documentfoundation.org/Releases/7.4.2/RC1 + https://wiki.documentfoundation.org/Releases/7.4.1/RC2 + https://wiki.documentfoundation.org/Releases/7.4.1/RC1 + https://wiki.documentfoundation.org/Releases/7.4.0/RC3 + https://wiki.documentfoundation.org/Releases/7.4.0/RC2 + https://wiki.documentfoundation.org/Releases/7.4.0/RC1 +- Updated bundled dependencies: + * boost_1_77_0.tar.xz -> boost_1_79_0.tar.xz + * curl-7.83.1.tar.xz -> curl-7.86.0.tar.xz + * icu4c-70_1-data.zip -> icu4c-71_1-data.zip + * icu4c-70_1-src.tgz -> icu4c-71_1-src.tgz + * pdfium-4699.tar.gz2 -> pdfium-5058.tar.bz2 + * poppler-21.11.0.tar.xz -> poppler-22.09.0.tar.xz + * poppler-data-0.4.10.tar.gz -> poppler-data-0.4.11.tar.gz + * skia-m97-a7230803d64ae9d44f4e1282444801119a3ae967.tar.xz + - > skia-m103-b301ff025004c9cd82816c86c547588e6c24b466.tar.xz +- Added patches: + * fix_harfbuzz_on_sle12_sp5.patch + * fix_webp_on_sle12_sp5.patch + * use-fixmath-shared-library.patch +- Refresh fix_gtk_popover_on_3.20.patch +- Removed upstreamed patches: + * bsc1197498.patch + * bsc1200009.patch + * bsc1201093.patch + * bsc1202032.patch + * bsc1202114.patch + * CVE-2022-3140-4.patch + libsndfile -- Fix heap buffer overflow in flac_buffer_copy (CVE-2021-4156, - bsc#1194006): - libsndfile-CVE-2021-4156.patch - -- Fix heap buffer overflow vulnerability in msadpcm_decode_block - (CVE-2021-3246, bsc#1188540): - ms_adpcm-Fix-and-extend-size-checks.patch - -- Fix segfault in wav conversion due to the invalid loop count - (CVE-2018-19758, bsc#1117954): - libsndfile-wav-loop-count-fix.patch - -- Fix buffer overflow in sndfile-deinterleave, which isn't really a - security issue (bsc#1100167, CVE-2018-13139, bsc#1116993, - CVE-2018-19432): - sndfile-deinterlace-channels-check.patch - -- Use license file tag - -- Fix potential overflow in d2alaw_array() (CVE-2017-17456, - bsc#1071777): - libsndfile-CVE-2017-17456-alaw-range-check.patch -- Fix potential overflow in d2ulaw_array() (CVE-2017-17457, - 
bsc#1071767): - libsndfile-CVE-2017-17457-ulaw-range-check.patch - -- Fix VUL-0: divide-by-zero error exists in the function - double64_init() in double64.c (CVE-2017-14634, bsc#1059911): - 0030-double64_init-Check-psf-sf.channels-against-upper-bo.patch -- Tentative fix for VUL-0: out of bounds read in the function - d2alaw_array() in alaw.c (CVE-2017-14245, bsc#1059912) and - VUL-0: out of bounds read in the function d2ulaw_array() in - ulaw.c (CVE-2017-14246, bsc#1059913): - 0031-sfe_copy_data_fp-check-value-of-max-variable.patch - -- Fix Heap-based Buffer Overflow in the psf_binheader_writef - (CVE-2017-12562, bsc#1052476): - 0020-src-common.c-Fix-heap-buffer-overflows-when-writing-.patch - -- Fix out-of-bounds read memory access in the aiff_read_chanmap() - (CVE-2017-6892, bsc#1043978): - 0010-src-aiff.c-Fix-a-buffer-read-overflow.patch - -- Fix FLAC buffer overflows (CVE-2017-8361 CVE-2017-8363 - CVE-2017-8365 CVE-2017-8362 bsc#1036944 bsc#1036945 bsc#1036946 - bsc#1036943): - 0001-FLAC-Fix-a-buffer-read-overrun.patch - 0002-src-flac.c-Fix-a-buffer-read-overflow.patch - -- Update to version 1.0.27: - * Fix a seek regression in 1.0.26 - * Add metadata read/write for CAF and RF64 - * Fix PAF endian-ness issue -- Update to version 1.0.28 - * Fix buffer overruns in FLAC and ID3 handling code - (CVE-2017-7585, CVE-2017-7586, bsc#1033054, bsc#1033053) - * Reduce default header memory requirements - * Fix detection of Large File Support for 32 bit systems. -- Obsoleted patch: - libsndfile-psf_strlcpy_crlf-fix-CVE-2015-8075.patch - -- Fix spec file to enable builds on non opensuse OS - -- Update to version 1.0.26: - * Fix for CVE-2014-9496, CVE-2014-9756 and CVE-2015-7805. - * Add ALAC/CAF support. Minor bug fixes and improvements. 
-- Refreshed patches: - sndfile-ocloexec.patch - libsndfile-psf_strlcpy_crlf-fix-CVE-2015-8075.patch -- Removed obsoleted patches: - libsndfile-example-fix.diff - libsndfile-fix-header-read-CVE-2015-7805.patch - libsndfile-paf-zero-division-fix.diff - libsndfile-src-common.c-Fix-a-header-parsing-bug.patch - libsndfile-src-file_io.c-Prevent-potential-divide-by-zero.patch - sndfile-src-sd2.c-Fix-segfault-in-SD2-RSRC-parser.patch - sndfile-src-sd2.c-Fix-two-potential-buffer-read-overflows.patch - -- VUL-0: libsndfile 1.0.25 heap overflow (CVE-2015-7805, bsc#953516) - libsndfile-src-common.c-Fix-a-header-parsing-bug.patch - libsndfile-fix-header-read-CVE-2015-7805.patch -- VUL-0: libsndfile 1.0.25 heap overflow (CVE-2015-8075, bsc#953519) - libsndfile-psf_strlcpy_crlf-fix-CVE-2015-8075.patch -- Fix the build with SLE11-SP3 due to AM_SILENT_RULE macro - -- VUL-1: libsndfile DoS/divide-by-zero (CVE-2014-9756, bsc#953521): - libsndfile-src-file_io.c-Prevent-potential-divide-by-zero.patch - -- Cleanup spec file with spec-cleaner -- Add gpg signature -- Remove old ppc provides/obsoletes - -- VUL-0: two buffer read overflows in sd2_parse_rsrc_fork() - (CVE-2014-9496, bnc#911796): backported upstream fix patches - sndfile-src-sd2.c-Fix-segfault-in-SD2-RSRC-parser.patch - sndfile-src-sd2.c-Fix-two-potential-buffer-read-overflows.patch - libxcb +- u_don-t-flag-extra-reply-in-xcb_take_socket.patch + * Fix IO errors with KWin in combination with NVIDIA driver. + (bnc#1101560) + +- Update to version 1.13 + * As with xcb-proto, this release mainly enables multi-planar buffers in + DRI3 v1.2 via support for variable-sized lists of FDs, and enables + sending GenericEvents to other clients. Present v1.2 and RandR v1.6 + did not require any specific library changes. 
+- supersedes U_add-support-for-eventstruct.patch, + u_build_python3.patch + +- Really conditionalize the python3 option to allow us building + without any python2 present + * u_build_python3.patch +- Convert to pkgconfig style deps +- Format bit with spec-cleaner + +- Enable xinput extension. (bnc#1074249) +- U_add-support-for-eventstruct.patch + * Update xinput to the state when it was enabled by default + upstream. + +- n_If-auth-with-credentials-for-hostname-fails-retry-with-XAUTHLOCALHOSTNAME.patch + * Prevent infinite loop also in case DISPLAY is non-local. + +- Use spaces instead of tabs in the patches (as does the original + source code) to avoid confusion. +- n_If-auth-with-credentials-for-hostname-fails-retry-with-XAUTHLOCALHOSTNAME.patch + * If authentication (with *stage == 0) failed and the variable + XAUTHLOCALHOSTNAME wasn't set, we were never getting to stage 2 + in the original patch, causing calls to xcb_connect_to_display + to be stuck in an infinite loop. + Now we also go to stage 2 if the variable isn't set. + +- fixes build against python3 (package rename of + python-xcb-proto-devel to python3-xcb-proto-devel) + +- n_If-auth-with-credentials-for-hostname-fails-retry-with-XAUTHLOCALHOSTNAME.patch + * Modify this patch to do what it says - retry not only if the current hostname is + not found in the xauthority file, but also when it is rejected by X server. + (bnc#1043221) + +- Update to version 1.12 + * here is a new version of libxcb for you to enjoy. The + highlights are the same as for the new xcb-proto release: + xinput support, RandR 1.5 and an automatic alignment checker. +- removed libxcb-xevie0/libxcb-xprint0 subpackages + +- n_If-auth-with-credentials-for-hostname-fails-retry-with-XAUTHLOCALHOSTNAME.patch: + If auth with credentials for hostname fails retry with XAUTHLOCALHOSTNAME + (boo#906622). 
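The XAUTHLOCALHOSTNAME fallback that the libxcb entries above describe, modelled as an added example rather than libxcb's own code: it parses the Xau on-disk cookie format, tries the cookie stored for the current hostname, then the one stored for $XAUTHLOCALHOSTNAME, and returns failure once that finite list is exhausted, so neither an unset variable nor a server that rejects the first cookie can loop forever. The .Xauthority bytes, host names, cookie values and the server_accepts callback are all constructed for the example.

```python
"""Added example, not libxcb code: model of the "retry with
XAUTHLOCALHOSTNAME" fallback over the Xau file format.
The .Xauthority bytes, host names and cookie values are constructed."""
import struct

FAMILY_LOCAL, FAMILY_WILD = 256, 65535


def _counted(buf, off):
    """Read one big-endian u16-length-prefixed field of the Xau format."""
    if off + 2 > len(buf):
        raise ValueError("truncated Xauthority field")
    (n,) = struct.unpack(">H", buf[off:off + 2])
    off += 2
    if off + n > len(buf):
        raise ValueError("truncated Xauthority field")
    return buf[off:off + n], off + n


def parse_xauthority(blob):
    """Each record: family u16, then address, display number, auth name and
    auth data, all length-prefixed (the layout XauReadAuth consumes)."""
    entries, off = [], 0
    while off < len(blob):
        if off + 2 > len(blob):
            raise ValueError("truncated Xauthority record")
        (family,) = struct.unpack(">H", blob[off:off + 2])
        off += 2
        address, off = _counted(blob, off)
        number, off = _counted(blob, off)
        name, off = _counted(blob, off)
        data, off = _counted(blob, off)
        entries.append({"family": family, "address": address,
                        "number": number, "name": name, "data": data})
    return entries


def encode_entry(family, address, number, name, data):
    """Inverse of parse_xauthority; used only to build the constructed file."""
    out = struct.pack(">H", family)
    for field in (address, number, name, data):
        out += struct.pack(">H", len(field)) + field
    return out


def find_cookie(entries, family, address, display):
    """First entry whose family/address match (FamilyWild matches any
    address) and whose display number is `display` or empty (wildcard)."""
    for e in entries:
        if e["family"] != FAMILY_WILD and (e["family"] != family or e["address"] != address):
            continue
        if e["number"] not in (b"", display):
            continue
        return e
    return None


def authenticate(entries, display, hostname, env, server_accepts):
    """Try the cookie stored for the current hostname first, then the one
    stored for $XAUTHLOCALHOSTNAME if set. The candidate list is finite, so an
    unset variable or a server rejection ends in failure, not a retry loop.
    Returns (accepted entry or None, log of attempts)."""
    candidates = [hostname]
    alt = env.get("XAUTHLOCALHOSTNAME")
    if alt and alt != hostname:
        candidates.append(alt)
    log = []
    for host in candidates:
        cookie = find_cookie(entries, FAMILY_LOCAL, host.encode(), display.encode())
        if cookie is None:
            log.append((host, "no cookie"))
            continue
        if server_accepts(cookie):
            log.append((host, "accepted"))
            return cookie, log
        log.append((host, "rejected by server"))
    return None, log


# Constructed file: a stale cookie left over for "laptop" and the cookie the
# server actually knows, written when the host was still called "buildhost".
LIVE_COOKIE = bytes(range(16))
STALE_COOKIE = bytes(16)
SAMPLE_XAUTHORITY = (
    encode_entry(FAMILY_LOCAL, b"laptop", b"0", b"MIT-MAGIC-COOKIE-1", STALE_COOKIE)
    + encode_entry(FAMILY_LOCAL, b"buildhost", b"0", b"MIT-MAGIC-COOKIE-1", LIVE_COOKIE)
)


def demo(env):
    """Connect to display :0 from a host now named "laptop"; the fake server
    accepts only LIVE_COOKIE."""
    entries = parse_xauthority(SAMPLE_XAUTHORITY)
    return authenticate(entries, "0", "laptop", env,
                        lambda c: c["data"] == LIVE_COOKIE)


if __name__ == "__main__":
    print(demo({"XAUTHLOCALHOSTNAME": "buildhost"}))
    print(demo({}))
```

With the variable set the stale "laptop" cookie is offered, rejected, and the "buildhost" cookie succeeds; with it unset the single candidate is rejected and the call returns instead of retrying, which is the behaviour the patch description above is after.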
+ +- Update to version 1.11.1: + This fixes some threading-related bugs with + xcb_wait_for_special_event() and adds 64-bit versions of + functions that work with sequence numbers. + live555 +- update to 2023.01.19: + - By default, we no longer compile "groupsock/NetAddress.cpp" for Windows to use + "gethostbyname()", because of a report that this breaks IPv6 name resolution. + +- update to 2023.01.11: + * Updated the "BasicTaskScheduler"/"DelayQueue" implementation to make the 'token counter' + a field of the task scheduler object, rather than having it be a static variable. + This avoids potential problems if an application uses more than one thread (with each thread + having its own task scheduler). + mozilla-nss +- update to NSS 3.79.4 (bsc#1208138) + * Bug 1804640 - improve handling of unknown PKCS#12 safe bag types. + (CVE-2023-0767) + nghttp2 -- security update -- added patches - fix CVE-2020-11080 [bsc#1181358], HTTP/2 Large Settings Frame DoS - + nghttp2-CVE-2020-11080.patch - -- Update to version 1.40.0 to fix CVE-2019-18802 in envoy-proxy and - cilium-proxy (bsc#1166481) - * lib: Add nghttp2_check_authority as public API - * lib: Fix the bug that stream is closed with wrong error code - * lib: Faster huffman encoding and decoding - * build: Avoid filename collision of static and dynamic lib - * build: Add new flag ENABLE_STATIC_CRT for Windows - * build: cmake: Support building nghttpx with systemd - * third-party: Update neverbleed to fix memory leak - * nghttpx: Fix bug that mruby is incorrectly shared between - backends - * nghttpx: Reconnect h1 backend if it lost connection before - sending headers - * nghttpx: Returns 408 if backend timed out before sending - headers - * nghttpx: Fix request stall - -- Conditionally remove dependency on jemalloc for SLE-12 - -- Require correct library from devel package - boo#1125689 - -- Update to version 1.39.2 (bsc#1146184, bsc#1146182): - * This release fixes CVE-2019-9511 “Data Dribble” and CVE-2019-9513 - 
“Resource Loop” vulnerability in nghttpx and nghttpd. Specially crafted HTTP/2 - frames cause Denial of Service by consuming CPU time. Check out - https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md - for details. For nghttpx, additionally limiting inbound traffic by - --read-rate and --read-burst options is quite effective against - this kind of attack. - * Add nghttp2_option_set_max_outbound_ack API function - * nghttpx: Fix request stall - -- Update to version 1.39.1: - * This release fixes the bug that log-level is not set with - cmd-line or configuration file. It also fixes FPE with default - backend. -- Changes for version 1.39.0: - * libnghttp2 now ignores content-length in 200 response to - CONNECT request as per RFC 7230. - * mruby has been upgraded to 2.0.1. - * libnghttp2-asio now supports boost-1.70. - * http-parser has been replaced with llhttp. - * nghttpx now ignores Content-Length and Transfer-Encoding in 1xx - or 200 to CONNECT. -- Drop no longer needed boost170.patch - -- Update to 1.38.0: - * This release fixes the bug that authority and path altered by per-pattern mruby script can affect backend selection on retry. - * It also fixes the bug that HTTP/1.1 chunked request stalls. - * Now nghttpx does not log authorization request header field value with -LINFO. - * This release fixes possible backend stall when header and request body are sent in their own packets. - * The backend option gets weight parameter to influence backend selection. - * This release fixes compile error with BoringSSL. 
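The 1.39.2 entry above says that crafted HTTP/2 frames can burn server CPU and that capping inbound traffic with nghttpx's --read-rate/--read-burst is an effective defence, and the CVE-2020-11080 entry concerns an oversized SETTINGS frame. As an added illustration, and not code from nghttp2 or nghttpx, the Python below parses raw HTTP/2 frame headers, pushes each frame through a token-bucket read limiter with integer-millisecond time, and flags SETTINGS frames above an assumed 32-entry cap. The traffic (a constructed dribble of 1000 WINDOW_UPDATE frames, one per millisecond, one benign DATA frame and one 100-entry SETTINGS frame) and the rate and burst figures are assumptions made for the example.

```python
"""Added example (not nghttp2/nghttpx code): an inbound read limiter in the
spirit of nghttpx's --read-rate/--read-burst, replayed over constructed
HTTP/2 frames. Time is integer milliseconds so every result is exact."""
import struct
from collections import Counter

# Frame type codes from RFC 7540, section 6.
FRAME_TYPES = {
    0x0: "DATA", 0x1: "HEADERS", 0x2: "PRIORITY", 0x3: "RST_STREAM",
    0x4: "SETTINGS", 0x5: "PUSH_PROMISE", 0x6: "PING", 0x7: "GOAWAY",
    0x8: "WINDOW_UPDATE", 0x9: "CONTINUATION",
}
FRAME_HEADER_LEN = 9        # 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id
MAX_SETTINGS_ENTRIES = 32   # assumed cap for the example; one SETTINGS entry is 6 bytes


def encode_frame(ftype, stream_id, payload=b"", flags=0):
    """Serialise one HTTP/2 frame; used here only to build the test traffic."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)


def parse_frames(buf):
    """Split a byte buffer into (type_name, flags, stream_id, payload) tuples."""
    frames, off = [], 0
    while off + FRAME_HEADER_LEN <= len(buf):
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        stream_id = struct.unpack(">I", buf[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = buf[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame at offset %d" % off)
        frames.append((FRAME_TYPES.get(ftype, "UNKNOWN"), flags, stream_id, payload))
        off += FRAME_HEADER_LEN + length
    if off != len(buf):
        raise ValueError("trailing partial frame header")
    return frames


class ReadRateLimiter:
    """Token bucket: `rate` bytes refilled per ms, at most `burst` bytes banked.
    admit() returns how many ms the reader must stall before it may consume
    nbytes available at now_ms (0 = read now); now_ms must not go backwards."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last_ms = burst, 0

    def admit(self, nbytes, now_ms):
        if now_ms > self.last_ms:
            self.tokens = min(self.burst, self.tokens + (now_ms - self.last_ms) * self.rate)
            self.last_ms = now_ms
        wait = 0
        if nbytes > self.tokens:
            wait = -(-(nbytes - self.tokens) // self.rate)   # ceil division
            self.tokens += wait * self.rate                    # exactly what the stall earns
            self.last_ms = now_ms + wait
        self.tokens -= nbytes
        return wait


def police(buf, arrivals_ms, rate, burst):
    """Replay parsed frames through the limiter. The reader's clock only moves
    forward, so frames arriving while it is stalled queue behind the stall."""
    frames = parse_frames(buf)
    if len(frames) != len(arrivals_ms):
        raise ValueError("need one arrival time per frame")
    limiter, now = ReadRateLimiter(rate, burst), 0
    delayed, oversized, by_type = 0, 0, Counter()
    for (kind, _flags, _sid, payload), t in zip(frames, arrivals_ms):
        now = max(now, t)
        wait = limiter.admit(FRAME_HEADER_LEN + len(payload), now)
        if wait:
            delayed += 1
            now += wait
        if kind == "SETTINGS" and len(payload) > 6 * MAX_SETTINGS_ENTRIES:
            oversized += 1   # a real proxy would answer GOAWAY rather than parse it
        by_type[kind] += 1
    return {"frames": len(frames), "delayed": delayed,
            "elapsed_ms": now - arrivals_ms[0],
            "oversized_settings": oversized, "by_type": dict(by_type)}


def dribble_demo(rate=4, burst=1024, n=1000):
    """Constructed abuse: n 4-byte WINDOW_UPDATE frames, one per ms (13 KB)."""
    buf = b"".join(encode_frame(0x8, 1, struct.pack(">I", 1)) for _ in range(n))
    return police(buf, list(range(n)), rate, burst)


def normal_demo(rate=4, burst=1024):
    """Constructed benign traffic: one 1000-byte DATA frame, inside the burst."""
    return police(encode_frame(0x0, 1, b"x" * 1000, flags=0x1), [0], rate, burst)


def big_settings_demo(rate=4, burst=1024):
    """Constructed abuse: a single SETTINGS frame carrying 100 entries."""
    return police(encode_frame(0x4, 0, bytes(600)), [0], rate, burst)


if __name__ == "__main__":
    for name, fn in (("dribble", dribble_demo), ("normal", normal_demo),
                     ("settings", big_settings_demo)):
        print(name, fn())
```

Against the dribble the limiter stretches 13 KB of frames that arrived within one second over roughly three seconds of reading (2994 ms at 4 bytes/ms after the 1024-byte burst is spent), which bounds the per-second CPU an attacker can force through tiny frames; the benign DATA frame is read immediately. Such a limit belongs on the socket read path, before any frame is parsed, so that the parser itself cannot become the CPU sink; the SETTINGS cap is a separate, per-frame check.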
-- Add patch from upstream to build with new boost bsc#1134616: - * boost170.patch - -- Update to 1.36.0 - * build: disable shared library if ENABLE_SHARED_LIB is off - * third-party: use http-parser to v2.9.0 (GH-1294) - * third-party: Update mruby to 2.0.0 - * nghttpx: Pool h1 backend connection per address (GH-1292) - * nghttpx: Randomize backend address round robin order per thread - (GH-1291) - * nghttpx: Fix getting long SNs for openssl < 1.1 (GH-1287) - * h2load: add an option to write per-request logs (GH-1256) - * asio: added access to # of the current server port (GH-1257) - -- Use multibuild to not pull in python3 in first build, nghttp2 - is low in the system - -- Update to version 1.35.1: - * nghttpx: Fix broken trailing slash handling (GH-1276) -- Changes for version 1.35: - * build: cmake: Fix libevent version detection (Patch from Jan Kundrát) (GH-1238) - * lib: Use __has_declspec_attribute for shared builds (Patch from Don) (GH-1222) - * src: Require C++14 language feature - * nghttpx: Write mruby send_info early - * nghttpx: Fix assertion failure on mruby send_info with HTTP/1 frontend - * h2load: Handle HTTP/1 non-final response (GH-1259) - * h2load: Clarify that time for connect includes TLS handshake - -- Update to version 1.34.0: (bsc#1112438, FATE#326776) - * lib: Implement RFC 8441 :protocol support - * nghttpx: Add read/write-timeout parameters to backend option - * nghttpx: Fix mruby parameter validation in backend option - * nghttpx: Implement RFC 8441 Bootstrapping WebSocket with HTTP/2 - * nghttpx: Update neverbleed to fix OpenSSL 1.1.1 issues - * nghttpx: Update mruby 1.4.1 - * nghttpx: Add mruby env.tls_handshake_finished - * nghttpx: Add --tls13-ciphers and --tls-client-ciphers options - * nghttpx: Add RFC 8470 Early-Data header field support - * nghttpx: Add RFC 8446 TLSv1.3 0-RTT early data support - -- Update to version 1.33.0: - * lib: Tweak nghttp2_session_set_stream_user_data - * lib: Fix handling of 
SETTINGS_MAX_CONCURRENT_STREAMS. - * lib: Implement ORIGIN frame - * asio: support definition of local endpoint for cleartext - client session - * integration: Remove remaining SPDY code from the integration tests - * nghttpx: Fix worker process crash with neverbleed write error - * nghttpx: Support per-backend mruby script - * nghttpx: Fix stream reset if data from client has arrived before - dconn is attached - -- Update to version 1.32.0: - * lib: Ignore all input after calling session_terminate_session - * lib: Fix treatment of padding - * lib: Don't allow 101 HTTP status code because HTTP/2 removes - HTTP Upgrade - * build: add ENABLE_STATIC_LIB option to build static lib - * third-party: Upgrade neverbleed to the latest master - * asio: Support client side SNI - * src: Compile with libressl 2.7.2 - * src: Allow building without NPN - * h2load: -r and --duration are mutually exclusive - -- Version update to 1.31.1: - * Fix bsc#1088639 CVE-2018-1000168 - * https://nghttp2.org/blog/2018/04/12/nghttp2-v1-31-1/ - -- Version update to 1.31.0: - * lib: Add nghttp2_session_set_user_data() public API function (GH-1137) - * src: Define nghttp2_inet_pton wrapper to avoid inet_pton macro (GH-1128) - * nghttpx: Close listening socket on graceful shutdown - * nghttpx: Add an option to accept expired client certificate (GH-1126) - * nghttpx: Add mruby tls_client_not_before, and tls_client_not_after (GH-1123) - * nghttpx: Fix potential memory leak - * lib: Allow PING frame to be sent after GOAWAY (GH-1103) - * nghttpx: Fix bug that h1 backend idle timeout expires sooner - * nghttpx: Stop overwrite of first header on mruby call to env.req.set_header(..) 
(Patch from Dylan Plecki) (GH-1119) - * nghttpx: Add upgrade-scheme parameter to backend option (GH-1099) - * nghttpx: Fix missing ALPN validation (--npn-list) (GH-1094) - * nghttpx: Remember which resource is pushed for RFC 8297 (GH-1101) - -- Drop spdylay dependency as it is deprecated since version 1.28.0 - and removed from cofnigure.ac since 1.29.0 - -- Use %license (boo#1082318) - -- Update to version 1.29.0: - * lib: Use NGHTTP2_REFUSED_STREAM for streams which are closed by - GOAWAY - * build: Remove SPDY - * build: Fix CMAKE_MODULE_PATH - * nghttpx: Revert "nghttpx: Use an existing h2 backend connection - as much as possible" - * nghttpx: Write API request body in temporary file - * nghttpx: Increase api-max-request-body - * nghttpx: Faster configuration loading with lots of backends - * nghttpx: Fix crash with --backend-http-proxy-uri option - -- Export PYTHON=/usr/bin/python3 before running configure: allow to - build without (comnplete) python2 in the buildroot. In any case - we only ship python3-bindings already. - -- Upodate to version 1.28.0: - * lib: Add nghttp2_error_callback2 - * build: Add deprecation warning when spdylay support is enabled - * Switch to clang-format-5.0 - * examples: Make client and server work with libevent-2.1.8 - * third-party: Update neverbleed - * integration: Fix issues reported by the go vet tool. 
  * nghttpx: Fix affinity retry
  * nghttpx: Fix stalled backend connection on retry
  * nghttpx: Cookie based session affinity
  * nghttpx: Expose additional TLS related variables to mruby and accesslog

- Drop forgotten python2 build dependency

- Update to version 1.27.0:
  * h2load: Print out h2 header fields with --verbose option
  * nghttpx: Send non-final response to HTTP/1.1 or HTTP/2 client only
- Changes for version 1.26.0:
  * docs: Fix some typos in the nghttpx how-to
  * h2load: Fix bug that timing script stalls with -m1
  * h2load: Reservoir sampling (GH-984)
  * h2load: Add timing-based load-testing in h2load
- Switch to python3 support

- Don't use jemalloc on ppc or %arm, where it is broken.

- Update to version 1.25.0:
  * lib: add nghttp2_rcbuf_is_static() (Patch from Anna Henningsen) (GH-983)
  * nghttpx: Fix bug that forwarded for is not affected by proxy protocol (GH-979)
  * nghttpx: Update mruby to 1.3.0 (GH-957)

- Drop doc building
- Rename python subpackage to python2

- Update to version 1.24.0:
  * doc: README.rst: fix typo (Patch from Simone Basso) (GH-947)
  * doc: fix up grammar in submit_trailer docs (Patch from Benjamin Peterson) (GH-945)
  * doc: fix cleaning in out-of-tree builds (Patch from Benjamin Peterson) (GH-938)
  * nghttp: Fix bug that upgrade fails if reason-phrase is missing (GH-949)
  * nghttpx: Verify OCSP response using trusted CA certificates (GH-943)
  * nghttpx: Set default minimum TLS version to TLSv1.2 (GH-937)
- Changes for version 1.23.1:
  * nghttpx: Fix crash in OCSP response verification
- Changes for version 1.23.0:
  * lib: nghttp2_session: Allow for compiling library with -DNDEBUG set (Patch from Angus Gratton) (GH-919)
  * lib: Treat incoming invalid regular header field as stream error (GH-900)
  * lib: Call nghttp2_on_invalid_frame_callback if altsvc validation fails (GH-904)
  * doc: spelling mistake in arguments to build nghttp apps (Patch from Soham Sinha) (GH-925)
  * doc: Add notes for installation on linux systems (Patch from Tapanito) (GH-917)
  * doc: Clarify the effect of nghttp2_option_set_no_http_messaging
  * nghttpx: Verify OCSP response (GH-929)
  * nghttpx: Fix certificate selection based on pub key algorithm (GH-924)
  * nghttpx: Fix certificate indexing bug
  * nghttpx: Run OCSP at startup (GH-922)
  * nghttpx: Wildcard path matching (GH-914)
  * nghttpx: Forward multiple via, xff, and xfp header fields (GH-903)
  * nghttp: Add -y, --no-verify-peer option to suppress peer verify warn (GH-906)

- Update to version 1.22.0:
  * lib: Add missing free call on error in inflight_settings_new() (Patch from lstefani) (GH-884)
  * asio: Support specifying stream priority via session::submit() (Patch from Matt Way) (GH-881)
  * nghttpx: Clarify --conf option behaviour
  * nghttpx: Add $tls_sni access log variable (GH-896)
  * nghttpx: Rename ssl_* log variables as tls_* (GH-895)
  * nghttpx: Fix path matching bug (GH-894)
  * nghttpx: SNI based backend server selection (GH-892)
  * nghttpx: Enable signed_certificate_timestamp extension for TLSv1.3 (GH-878)
  * nghttpx: Add options for X-Forwarded-Proto header field (GH-872)
  * nghttpx: Add --single-process option (GH-869)
  * nghttpx: Use 502 as server error code
  * nghttpx: Use SSL_CTX_set_early_data_enabled with boringssl
  * nghttp: Verify server certificate and show warning if it fails (GH-870)
  * integration: Use nip.io instead of xip.io

- Update to version 1.21.1:
  * asio: Fix crash if connect takes longer time than ping interval (GH-866)
  * nghttpx: Fix bug that 204 from h1 backend is always treated as error (GH-871)
- Changes for version 1.21.0:
  * lib: Fix nghttp2_session_want_write (GH-832)
  * doc: Document pkg-config path usage
  * build: Eliminate U macro; Instead use (void)VAR for better compiler compatibility.
  * src: BoringSSL supports SSL_CTX_set_{min,max}_proto_version. (Patch from Piotr Sikora) (GH-853)
  * src: Use Mozilla's "Modern compatibility" ciphers by default
  * src: nghttp2_gzip: fix this statement may fall through [-Werror=implicit-fallthrough=] found by gcc7 (Patch from Alexis La Goutte) (GH-823)
  * nghttpx: Print version number with -v option
  * nghttpx: Enable X25519 with boringssl
  * nghttpx: Retry getaddrinfo without AI_ADDRCONFIG (GH-858)
  * nghttpx: Failing to listen on server socket is fatal error
  * nghttpx: Escape certain characters in access log (GH-856)
  * nghttpx: Ignore further input if connection is going to close
  * nghttpx: Don't call functions which are not async-signal-safe after fork but before execv in multithreaded process.
  * nghttpx: Enable backend pattern matching with http2-proxy (GH-733)
  * asio: client: Send PING after 30 seconds idle (GH-847)

- Update to version 1.20.0:
  * lib: nghttp2_session: fix The 'then' statement is equivalent to the subsequent code fragment found by PVS Studio (V523) (Patch from Alexis La Goutte) (GH-814)
  * lib: Add nghttp2_option_set_no_closed_streams (GH-810)
  * build: Disable spdylay detection by default
  * build: Add --with-systemd option to configure
  * fuzz: Add fuzzer for oss-fuzz (GH-799)
  * src: Enable TLSv1.3 if it is supported by OpenSSL (or BoringSSL) (GH-816)
  * src: h2 requires >= TLSv1.2
  * asio: More graceful stop of nghttp2::asio_http2::server::http2 (Patch from Amir Pakdel) (GH-805)
  * asio: Holding more shared_ptrs instead of raw ptrs to make sure called objects don't get deleted. (Patch from clemahieu)
  * asio: Fix infinite loop in acceptor handler (Patch from clemahieu) (GH-794)
  * asio: close_stream erases from streams_ while it's being iterated over. (Patch from clemahieu) (GH-795)
  * nghttpx: Strip version number from server header field
  * nghttpx: Add --single-worker option
  * nghttpx: Fix bug that send_reply does not participate in graceful shutdown
  * nghttpx: Add --frontend-max-requests option
  * nghttpx: Enable stream-write-timeout by default
  * nghttpx: Fix stream write timer handling
  * nghttpx: Add configrevision API endpoint (GH-820)
  * nghttpx: Redirect to HTTPS URI with redirect-if-not-tls parameter (GH-819)
  * nghttpx: Update log time stamp in millisecond interval
  * nghttpx: Better error message when private key and certificate are missing
  * nghttpx: Fix bug that old config is used during reloading configuration
  * nghttpx: Specify TLS protocol by version range (GH-809)
  * nghttpx: Send SIGQUIT to the original master process (GH-807)
  * nghttpx: Restrict HTTP major and minor to 0 or 1
  * nghttpx: Drop privilege of neverbleed daemon first
  * nghttpx: add systemd support (Patch from Tomasz Torcz) (GH-802)
  * nghttpx: Fix crash on SIGHUP with multi thread configuration (GH-801)
  * nghttpx: Send 1xx non-final response using mruby script (GH-800)
  * nghttpx: Select certificate by client's supported signature algorithm (GH-792)
  * nghttpx: Recommend POST for backendconfig API request
  * nghttpx: Don't build PSK features with LibreSSL (Patch from Bernard Spil) (GH-789)
  * nghttp: add support for link rel="preload" for --get-assets (Patch from Benedikt Christoph Wolters) (GH-791)
  * h2load: Fix wrong req_stat updates
  * h2load: Explicitly count the number of requests left and inflight
  * integration: Fix deprecation warnings
  * integration: Redirect nghttpx stdout/stderr to test driver's stdout/stderr
- Changes for version 1.19.0:
  * lib: Fix memory leak of nghttp2_stream object in server side nghttp2_session object
  * Fix issues found by PVS Studio (Patch from Alexis La Goutte) (GH-769)
  * doc: Update README file to write about the issue of Alpine Linux's inability to replace malloc (Patch from makovich) (GH-768)
  * build: Compile with Android NDK r13b using clang
  * src: Fix assertion error with boringssl
  * nghttp: Take into account scheme and port when parsing HTML links
  * nghttp: Fix authority for --get-assets if IP address is used in conjunction with user-defined :authority header (Patch from Benedikt Christoph Wolters) (GH-783)
  * nghttpx: Add --accesslog-write-early option (GH-777)
  * nghttpx: Fix access.log timestamp (GH-778)
  * nghttpx: Show default cipher list in -h
  * nghttpx: Add client-ciphers option
  * nghttpx: Add client-no-http2-cipher-black-list option
  * nghttpx: Fix the bug that no-http2-cipher-black-list does not work on backend HTTP/2 connections.
  * nghttpx: Add --client-psk-secret option to enable PSK in backend (GH-612)
  * nghttpx: Add --psk-secret option to enable PSK in frontend connection (GH-612)
  * nghttpx: Enable SCT with OpenSSL 1.1.0
  * nghttpx: Add proxyproto to frontend option to accept PROXY protocol (GH-765)
  * h2load: Show default cipher list in -h
  * h2load: Show custom server temp key such as X25519
  * h2load: Fix incorrect return value from spdylay_send_callback
- Changes for version 1.18.1:
  * nghttpx: Fix assertion error in libev ev_io_start (GH-759)
  * nghttpx: Handle c-ares success without result
  * nghttpx: Fix bug that DNS timeout was erroneously disabled (GH-763)
  * nghttpx: Fix bug that DNS timeout was ignored (GH-763)

- use individual libboost-*-devel packages instead of boost-devel

- Update to version 1.18.0:
  * lib: Accept and ignore content-length: 0 in 204 response for now
  * build: Use pkg-config to detect libxml2
  * build: Require c-ares to compile applications under src
  * build: Add Windows CI via AppVeyor (Patch from Alexis La Goutte)
  * examples: Delete tiny-nghttpd
  * nghttpx: Retry h1 backend request if first write fails (GH-757)
  * nghttpx: Keep reading after backend write failed (GH-756)
  * nghttpx: Add frontend-keep-alive-timeout option (GH-755)
  * nghttpx: New error log format (GH-749)
  * nghttpx: Fix bug that fetch-ocsp-response does not work with OpenSSL 1.1.0 (GH-742)
  * nghttpx: Backend API call allows non-numeric host with dns parameter (GH-731)
  * nghttpx: Lookup backend host name dynamically (GH-721)
  * nghttpx: Accept and ignore content-length: 0 in 204 response for now (GH-735)
  * nghttpx: Wait for child process to exit

- Update to version 1.17.0:
  * lib: Disallow content-length in 1xx, 204, or 200 to a CONNECT request (GH-722)
  * lib: Avoid memcpy against NULL src
  * build: MSVC version resource support (Patch from Remo E) (GH-718)
  * asio: server: Call on_close callback on connection close (GH-729)
  * nghttpx: Fix frequent crash with --backend-http-proxy-uri
  * nghttpx: Robust backend read timeout
  * nghttpx: Fix bug that mishandles response header from h1 backend
  * nghttpx: Fix bug that zero-length POST is not forwarded (GH-726)
  * nghttpx: Remove optional reason-phrase from SPDY :status
  * nghttpx: Header key and value must be string in mruby script
  * nghttpx: Strip content-length with 204 or 200 to CONNECT in mruby (GH-722)
  * nghttpx: Strict handling for Content-Length or Transfer-Encoding in h1 (GH-722)
  * nghttpx: Fix compilation with BoringSSL (Patch from dalf) (GH-717)
  * nghttpd, nghttpx, asio: Add missing mandatory SP after status code

- Update to version 1.16.1:
  * lib: Prevent undefined behavior in decode_length
  * nghttpx: Fix bug which may crash nghttpx if non-final response is forwarded from origin server to HTTP/1.1 client
- Changes for version 1.16.0:
  * lib: Add nghttp2_set_debug_vprintf_callback to take advantage of DEBUGF statements when building DEBUGBUILD.
  * Update .clang-format for clang-format-3.9
  * build: Make it possible to include nghttp2/CMakeLists.txt in another project using add_subdirectory.
  * third-party: Update http-parser to feae95a3a69f111bc1897b9048d9acbc290992f9
  * asio: Fix crash when end() is called outside nghttp2 callback
  * nghttpx: Add --backend-connect-timeout option
  * nghttpx: Add TLS signed_certificate_timestamp extension support
  * nghttpx: Add --ecdh-curves option to specify list of named curves
  * h2load: Add --header-table-size and --encoder-header-table-size options

- Update to version 1.15.0:
  * lib: Add nghttp2_option_set_max_deflate_dynamic_table_size() API function (GH-684)
  * lib: Allow NGHTTP2_ERR_PAUSE from nghttp2_data_source_read_callback (GH-671)
  * lib: Add nghttp2_session_get_hd_deflate_dynamic_table_size() and nghttp2_session_get_hd_inflate_dynamic_table_size() API functions to get current HPACK dynamic table size (GH-664)
  * lib: Add nghttp2_session_get_local_settings() API function
  * lib: Add nghttp2_session_get_local_window_size() and nghttp2_session_get_stream_local_window_size() API functions
  * build: Add -lsocket -lnsl to APPLDFLAGS for solaris build
  * neverbleed: Update neverbleed to support ECDSA certificate
  * doc: Mention --enable-lib-only configure option in README
  * integration: Fix test failure with go1.7.1
  * src: Fix compile error with openssl 1.1.0
  * nghttpx: Improve performance with HTTP/1.1 backend when request body is involved
  * nghttpx: Use std::atomic_* overloads for std::shared_ptr if available
  * nghttpx: Migrate backend stream to another h2 session on graceful shutdown
  * nghttpx: Add option to specify HPACK encoder/decoder dynamic table size
  * nghttpx: Log client address
  * nghttpx: Add tls_sni to mruby Nghttpx::Env class
  * nghttpx: Add --frontend-http2-window-size option, and its family functions
  * nghttpx: Add experimental TCP optimization for h2 frontend
  * nghttpx: Workaround for std::make_shared bug in Xcode7, 7.1, and 7.2 (GH-670)
  * nghttpx: Fix bug that bytes are doubly counted to rate limit for TLS connections
  * nghttpx: Add --no-server-rewrite option not to rewrite server header field (GH-667)
  * nghttpx: Retry if backend h1 connection cannot be established due to timeout
  * nghttpx: Reset stream if invalid header field is received in h2
  * nghttpx: Add --server-name option to change server response header field (GH-667)
  * nghttpd: Add --encoder-header-table-size option
  * nghttp: Add --encoder-header-table-size option
  * python: Support ALPN, require Python 3.5

- Update to version 1.14.0:
  * lib: Make emit_header() return void since it always succeeds
  * lib: Add nghttp2_hd_deflate_hd_vec() deflate API to support multiple buffer input
  * lib: since hd_inflate_commit_indexed() always returns 0, remove the return value check in nghttp2_hd_inflate_hd_nv()
  * lib: Use memeq() instead of lstreq() in lookup_token()
  * lib: More strict stream state handling
  * lib: Modify genlibtokenlookup.py to remove redundant header comparisons and remove inline qualifier of lookup_token() in genlibtokenlookup.py
  * lib: Fix wrong tree operation to avoid cycle
  * lib: Make get_max_index() return the max index in frame, so we don't need to do extra calculation
  * lib: Add nghttp2_on_invalid_header_callback
  * lib: Log frame's stream ID for header debug logging
  * doc: Remove old doc about differential encoding in HPACK
  * doc: Document about ALPN in nghttpx howto
  * nghttpx: Log error code from getsockopt(SO_ERROR) on first write event
  * nghttpx: Don't change pushed stream's priority
  * nghttpx: Log backend connection failure in WARN level
  * nghttpx: Fix bug that api and healthmon parameters do not work with http2 proxy
  * nghttpx: Add access log variable for backend host and port
  * nghttpx: Use copy instead of const reference of backend group
  * nghttpx: Reload configuration with SIGHUP
  * nghttp: Adjust weight according to Firefox stable
  * nghttp: Call error callback when invalid header field is received and ignored
  * nghttp: Allow multiple -p option
  * deflatehd: Call nghttp2_hd_deflate_change_table_size only if table size is changed from default

- Update to version 1.13.0:
  * lib: Cancel non-DATA frame transmission from nghttp2_before_frame_send_callback
  * doc: Fix warning with Sphinx 1.4
  * build: Work with Android NDK r12b
  * nghttpx: Use consistent hashing for client IP based session affinity
  * nghttpx: Fix FTBFS on armel by explicitly including the header
  * nghttpx: Cast to double to fix build with gcc 4.8 on Solaris 11
  * nghttpx: Fix build error with libressl
  * examples: Fix compile error with OpenSSL v1.1.0-beta2

- Update to version 1.12.0:
  * Add nghttp2_session_set_local_window_size API function
  * Add nghttp2_option_set_max_send_header_block_length API function (GH-613)
  * Fix warning: declaration of 'free' shadows a global declaration (Patch from Alexis La Goutte)
  * examples: Add ALPN support to tutorial client/server (GH-614)
  * nghttpx: Reduce TTFB with large number of incoming connections
  * nghttpx: Rewrite read timer handling
  * nghttpx: Clean up neverbleed AF_UNIX socket
  * nghttpx: Add --backend-max-backoff option
  * nghttpx: Use 16KiB buffer for reading to match TLS record size
  * nghttpx: Add healthmon parameter to -f option to enable health monitor mode
  * nghttpx: Receive reference of std::mt19937, not making a copy
  * nghttpx: Fix bug that backend never returns to online (GH-615)
  * nghttpx: Implement client IP based session affinity
  * nghttpx: Add --api-max-request-body option to set maximum API request body size
  * nghttpx: Add api parameter to --frontend option to mark API endpoint
  * h2load: Add content-length header field for HTTP/2 and SPDY as well
  * h2load: Implement HTTP/1 upload (GH-611)

- Update to 1.11.1
  * lib: Add nghttp2_hd_inflate_hd2() and deprecate nghttp2_hd_inflate_hd()
  * lib: Avoid 0-length DATA if NGHTTP2_DATA_FLAG_NO_END_STREAM is set
  * lib: Fix bug that PING flags are ignored in nghttp2_submit_ping
  * integration: Workaround runtime error: cgo argument has Go pointer to Go pointer
  * nghttp: Eliminate zero length DATA frame at the end if possible
  * nghttpd: Set content-length in status response
  * nghttpx: Add sni keyword to --backend option
  * nghttpx: Allow mixed protocol and TLS settings among backends under same pattern
  * nghttpx: Don't add 0-length DATA when response HEADERS bears END_STREAM flag
  * nghttpx: Don't add chunked encoded response body for HEAD request
  * nghttpx: Don't use CN if we have dNSName or iPAddress field
  * nghttpx: Just call execv instead of execve to pass environ
  * nghttpx: Make SETTINGS timeout value configurable
  * nghttpx: Save PID file after it is ready to accept connections
  * nghttpx: Treat as backend failure if SETTINGS is not received within timeout
  * nghttpx: Wait for SETTINGS ACK to make sure that backend h2 server is alive

- Update to 1.10.0
  * Pass unknown SETTINGS values to nghttp2_on_frame_recv_callback
  * Add ALTSVC frame support
  * Run error callback when peer does not send initial SETTINGS frame
  * Update http-parser
  * Update sphinx_rtd_theme
  * nghttp: add an --expect-continue option
  * nghttpx: Fix downstream connect callback called early
  * nghttpx: Truncate too long -b option signature
  * nghttpx: Fix bug that server push from mruby script did not work
  * nghttpx: Try next HTTP/1 backend address when connection cannot be made
  * nghttpx: Retry next HTTP/2 backend address when connection cannot be made
  * nghttpx: Enable link header field based push for non-final response
  * nghttpx: Detect online/offline state of backend servers
  * nghttpx: Better load balancing between backend HTTP/2 servers
  * nghttpx: Fix crash with backend failure

- Update to 1.9.2
  * nghttpx: Fix crash with backend failure
  * nghttpx: Better distribute load to backend h2 servers
  * nghttpx: Fix error messages on deprecated mode
  * nghttpx: Fix bug that logger wrote string which was not NULL-terminated
  * nghttpx: Fix bug that proxy with HTTP/1.1 CONNECT did not work

- Update to 1.9.1
  * nghttpx: Fix bug that backend tls keyword did not work with -s option
  * nghttpx: Fix handling stream after connection check failed
- Changes for 1.9.0
  * lib: Add nghttp2_error_callback to tell application human readable error message
  * lib: Reference counted HPACK name/value pair, adding nghttp2_on_header_callback2
  * lib: Add nghttp2_option_set_no_auto_ping_ack() option
  * lib: Add nghttp2_http2_strerror() to return HTTP/2 error code string
  * build: Makefile.msvc enhancements (Patch from Jan-E)
  * build: Lower libev version requirement (Patch from Peter Wu)
  * build: cmake build support (Patch from Peter Wu)
  * asio: Fix bug that server event loop breaks with exception
  * integration: Disable tests that sometimes break randomly on travis
  * integration: do not use recursive target (Patch from Peter Wu)
  * h2load: Fix bug that it did not try to connect to server again
  * h2load: Fix bug that initial max concurrent streams was too large
  * nghttpx: Memcached connection encryption with tls keyword
  * nghttpx: Enable/disable TLS per frontend address
  * nghttpx: Configure TLS per backend routing pattern
  * nghttpx: Workaround for Ubuntu 15.04 which does not value-initialize on std::make_shared.
  * nghttpx: Add --error-page option to set custom error pages
  * nghttpx: Add wildcard host routing
  * nghttpx: Change read timeout reset timing
  * nghttpx: Don't push if Link header field includes nopush
  * nghttpx: Deprecate backend-http1-connections-per-host in favor of backend-connections-per-host
  * nghttpx: Restructure mode settings, removing --http2-bridge, --client, and --client-proxy options
  * nghttpx: Deprecate backend-http1-connections-per-frontend in favor of backend-connections-per-frontend
  * nghttpx: Don't share session which is already in draining state
  * nghttpx: Effectively disable backend HTTP/2 connection flow control
  * nghttpx: Add --frontend-http2-max-concurrent-streams and --backend-http2-max-concurrent-streams, and deprecate --http2-max-concurrent-streams option
  * nghttpx: Deprecate --backend-http2-connections-per-worker option
  * nghttpx: Share TLS session cache between HTTP/2 and HTTP/1 backend
  * nghttpx: Rewrite backend HTTP/2 connection coalesce strategy

- Update to 1.8.0
  * Add Architecture documents (work in progress)
  * List all contributors in AUTHORS
  * doc: fix out-of-tree doc builds (Patch from Peter Wu)
  * Wrap AM_PATH_XML2 by m4_ifdef to handle the case when AM_PATH_XML2 is not found
  * Fix configure script for non-gcc, clang build
  * Document compiling apps and include h2load in configure (Patch from David Beitey)
  * Don't check for dlopen/libdl on *BSD (Patch from Bernard Spil)
  * Don't taint CXXFLAGS from AX_CXX_COMPILE_STDCXX_11
  * Fixing Windows Makefile version detection (Patch from Reza Tavakoli)
  * lib: Tokenize extra HTTP header fields
  * lib: Fix typo in HAVE_CONFIG_H name (Patch from Peter Wu)
  * lib: Add HTTP/2 extension framework to send and receive non-critical frames
  * tests: remove unused macros (Patch from Peter Wu)
  * src: Update default cipher list
  * src: Fix compile error with gcc-6 which enables C++14 by default
  * asio: client: Fix connect timeout does not work, return from cb if session stopped, removing client::session::connect_timeout() function
  * nghttpd: Start SETTINGS timer after it is written to output buffer
  * nghttpd: Add trailer header field to status responses
  * nghttpd: Add -w and -W options to change window size
  * nghttpx: Worker wide blocker which is used when socket(2) fails
  * nghttpx: ConnectBlocker per backend address
  * nghttpx: Interleave text/html pushed resources with associated resource
  * nghttpx: Add headers given in add-response-headers for mruby response
  * nghttpx: Deprecate --backend-ipv4 and --backend-ipv6 in favor of --backend-address-family
  * nghttpx: Add options to specify address family of memcached connections
  * nghttpx: Add encryption support for TLS ticket key retrieval
  * nghttpx: Add TLS support for session cache memcached connection
  * nghttpx: Refactor blacklisted cipher suite check (Patch from Jay Satiro)
  * nghttpx: Add TLS support for HTTP/1 backend
  * nghttpx: Add request-header-field-buffer and max-request-header-fields options, deprecating header-field-buffer and max-header-fields options.
  * nghttpx: Add --no-http2-cipher-black-list to allow black listed cipher suite
  * nghttpx: Limit header fields from backend
  * nghttpx: Fix bug that IPv6 address in Forwarded "for" is not quoted-string
  * nghttpx: Support multiple frontend addresses
  * integration-tests: support out-of-tree tests (Patch from Peter Wu)
  * examples: fix compile warnings (Patch from Peter Wu)
- Drop upstreamed nghttp2-c++14.patch

- Update to 1.7.1
  * Fix CVE-2016-1544 (boo#966514)

- Add nghttp2-c++14.patch to properly guard make_unique templates. [bsc#964140]

- Update to 1.7.0
  * Reset (RST_STREAM) stream if flow control window overflows
  * Validate :authority, host, and :scheme value more strictly
  * Check request/response submission error based on side of session
  * Strict outgoing idle stream detection
  * Return error from nghttp2_submit_{headers,request} when self dependency is made
  * Add -ldl to APPLDFLAGS for static openssl linking
  * asio: Stop acceptor on server::http2::stop
  * asio: Rename http2::get_io_services() as http2::io_services()
  * h2load: Support UNIX domain socket
  * h2load: Improve readability of traffic numbers
  * h2load: Remove "auto" for -m option
  * h2load: Show progress in rate mode
  * h2load: Perform sampling for request and connection timings to reduce memory consumption
  * nghttpd: Add --no-content-length option to omit content-length in response
  * nghttpx: Interleave pushed streams with the associated stream if pushed streams are javascript and CSS resources
  * nghttpx: The initial value of request/response buffer is increased to 128K
  * nghttpx: Fix bug that --listener-disable-timeout option is not used
  * nghttpx: Don't emit :authority if request does not contain authority information
  * nghttpx: Add clarification of quotes in configuration file
  * nghttpx: Don't allow certain characters in host and :scheme header field
  * nghttpx: Add RFC 7239 Forwarded header field support
  * nghttpx: Fix crash when running on IPv6 only (Patch from Vernon Tang)
  * nghttpx: Take trailers into account when applying max_header_fields
  * nghttpx: Don't apply max_header_fields and header_field_buffer limit to response
  * nghttpx: Strict validation for header fields given in configuration
  * nghttpx: header value should not be lower-cased (Patch from ayanamist)

- fixed typo in libnghttp2_asio1 [bsc#962914]

- Update to 1.6.0
  * Fix heap-use-after-free bug when handling idle streams
  * Strict error handling for frames which are not allowed after closed (remote)
  * Set max number of outgoing concurrent streams to 100 by default
  * Keep incoming streams only at server side
  * Create stream object for pushed resource during nghttp2_submit_push_promise()
  * Add nghttp2_session_create_idle_stream() API
  * Handle response in nghttp2_on_begin_frame_callback
  * Add --lib-only configure option
  * Compile with OpenSSL 1.1.0-pre1
  * Fix build when OpenSSL 1.0.2 is not available (patch from Sunpoet Po-Chuan Hsieh)
  * asio: Add connect and read timeout to client API
  * asio: Add TLS handshake and read timeout to server API
  * asio: Added access to a request's remote endpoint (patch from Andreas Pohl)
  * asio: libnghttp2_asio: Added io_service accessors (patch from Andreas Pohl)
  * h2load: Add req/s min, max, mean and sd for clients
  * h2load: Fix broken connection times

- Update to 1.5.0
  * Fix bug that nghttp2_session_find_stream(session, 0) returned NULL
  * Add nghttp2_session_change_stream_priority() to change stream priority without sending PRIORITY frame
  * Add nghttp2_session_check_server_session() API
  * Consider using CANCEL error code when closing streams with GOAWAY
  * Don't send push response if GOAWAY has been received
  * Use error code CANCEL to reset pushed reserved stream from remote
  * Add nghttp2_session_upgrade2(), deprecate nghttp2_session_upgrade()
  * Workaround HTTP upgrade with HEAD request in nghttp2_session_upgrade()
  * Introduce NGHTTP2_NV_FLAG_NO_COPY_NAME and NGHTTP2_NV_FLAG_NO_COPY_VALUE
  * Add nghttp2_session_check_request_allowed() API function
  * Switch to clang-format-3.6
  * Update mruby to 1.2.0
  * tests: fix broken linkage with --disable-static (Patch from Kamil Dudka)
  * python: Send RST_STREAM if remote side is not closed and response finished
  * asio: client: call on_error when connection is dropped
  * asio: ALPN support
  * h2load: Add --h1 option to force http/1.1 for both http and https URI
  * h2load: Fix crash when dealing with "connection: close" from HTTP/1.1 server
  * h2load: h2load goes into infinite loop when timing script file starts with 0.0 in first line (Patch from Kit Chan)
  * h2load: Override user-agent with -H option
  * h2load: Print "space savings" to measure header compression efficiency
  * h2load: Stream error should be counted toward errored
  * h2load: Show application protocol with OpenSSL < 1.0.2
  * nghttpx: Don't send RST_STREAM to h2 backend if backend is in disconnected state
  * nghttpx: Support server push from HTTP/2 backend
  * nghttpx: Fix bug that causes connection failure with backend proxy URI
  * nghttpx: Use --backend-tls-sni-field to verify certificate hostname
  * nghttpx: Log :authority as $http_host if available
  * nghttpd: Fix crash with CONNECT request
  * nghttpd: Deferred eviction of cached fd using timer
  * nghttpd: Read /etc/mime.types to set content-type header field
  * nghttp: Record request method to output it in har correctly
  * nghttp: Use method given in -H with ":method" in HTTP Upgrade
- Drop nghttp2-1.4.0-fix-tests.patch (now in upstream)

- Enable spdy and more example applications

- Update to 1.4.0:
  * lib: Don't always expect dynamic table size update.
  * lib: Shrink to the minimum table size seen in local SETTINGS.
  * lib: Add new error code NGHTTP2_ERR_PAUSE to send_data_callback.
  * lib: Avoid excessive WINDOW_UPDATE queuing.
  * lib: Return fatal error if flooding is detected to close session immediately.
  * lib: Return type of nghttp2_submit_trailer is int.
  * lib: Don't send WINDOW_UPDATE with 0 increment.
  * lib: Fix bug that headers in CONTINUATION were ignored after HEADERS with padding.
  * package: Use -fvisibility=hidden for internal functions.
  * package: Show more information in configure summary.
  * package: Add PIDFile directive to systemd service.
  * package: Fix daemon upgrade when running under systemd.
  * app: Compile with BoringSSL.
  * nghttp: Allow multiple -c option occurrence, and take min and last value.
  * nghttpd: Fix leak when server failed to listen to given port.
  * nghttpx: Add TLS dynamic record size behaviour command line options.
  * nghttpx: Reduce default timeouts for read sockets to 1m.
  * nghttpx: Fix bug that PUT is replaced with POST.
  * nghttpx: Change mruby script handling.
  * nghttpx: Added support for RFC 7413 (TCP Fast Open) on nghttpx proxy listening connections.
  * nghttpx: Add neverbleed support.
  * h2load: Don't DOS our server!
  * h2load: Use duration syntax for timeouts.
  * h2load: Support subsecond rate period.
  * h2load: Simplify rate mode.
  * h2load: Add option for user-definable rate period.
  * h2load: Reuse SSL/TLS session.
  * h2load: Reconnect server on connection: close.
  * h2load: Don't exit in the case of no ALPN protocol overlap.
  * integration: Update go's http2 package URI.
- Add missing baselibs.conf.
- Add nghttp2-1.4.0-fix-tests.patch from commit 4825009.
- Small spec cleanup.
- -- Update to 1.3.4 - * Make traditional init script fail if new config file is broken - (Patch from Janusz Dziemidowicz) - * nghttpx-logrotate: Don't use killall since we have multiple - processes - * nghttpx: Fix improper signal handling -- Changes for 1.3.3 - * Fix bug in padding handling of DATA frame - * Use hash table for dynamic table lookup - * More warning flags for --enable-werror - * Update mruby - * h2load: HTTP/1.1 support (Patch from Lucas Pardue) - * nghttpx: Do not try to set TCP_NODELAY when frontend is an - UNIX socket (Patch from Janusz Dziemidowicz) - * nghttpx: Chown UNIX domain socket to user specified as --user - * nghttpx: Split monolithic one process into control and worker - processes - * nghttpx: Handle SSL/TLS data following PROXY protocol line -- Changes for 1.3.2 - * Check header block limit after new stream is opened - * nghttp: Show error if HEADERS frame cannot be sent for - whatever reason - * nghttpx: Fix assertion failure on TLS handshake - * nghttpx: Add x-http2-push header field for pushed resource - * nghttpx: Fix compile error with --disable-threads - -- Update to 1.3.1 - * Avoid usage of typeof and replace __builtin_offsetof with - offsetof - * Honor stream->weight even if stream->last_writelen is 0 - * Compile third-party libraries if hpack-tools is enabled - * nghttpx-init: Start nghttpx with --daemon - * Bundle sphinxcontrib.rubydomain https://bitbucket.org/birkenfeld/sphinx-contrib/src/default/rubydomain/ - * Bundle mruby - * h2load: Record TTFB on first byte of response body, rather - than first socket read - * h2load: Improve checking for timing script input, prevent - false positive in certain situations - * nghttpx: Implement PROXY protocol version 1 - (--accept-proxy-protocol option) - * nghttpx: Allow link header server push for HTTP/2 backend - as well - * nghttpx: Don't initiate push if client disabled push - * nghttpx: Allow absolute URI in Link header field for push - * nghttpx: Fix crash with multi workers 
and QUIT signal - * nghttpx: Add mruby support which is disabled by default - (use --with-mruby configure option to enable it) - * nghttpx: Drop connection before TLS finish if h2 requirement - is not fulfilled -- Fix typo in previous changelog entry - -- Update to 1.3.1 - * Limit the number of incoming reserved (remote) streams - * Add stream public API - * Rewrite priority tree handling - * Fix parallel make distcheck - * Define it and itprep recursive target if - AM_EXTRA_RECURSIVE_TARGETS is defined - * fetch-ocsp-response: Handle spurious openssl exist status 0 - * nghttpx: Use nghttp2::ssl::DEFAULT_CIPHER_LIST for backend TLS - connection - * nghttpx: Don't allow blacked listed cipher suites for HTTP/2 - connection - * nghttpx: better handle /dev/stderr and /dev/stdout (Patch from - Tomasz Buchert) - * nghttpd: GOAWAY if SSL/TLS requirements for HTTP/2 are not met - * nghttpd: Return date header field for 304 - * nghttpd: Support HEAD request - * h2load: Add Timing-script and base URI support (Patch from - Lucas Pardue) - * h2load: Add timeout options (Patch from Nora) -- Fix typo in changelog - -- Update to 1.2.1 - * doc: Reword the HPACK tutorial (Patch from Tom Harwood) - * nghttpx: Fix stability issues - * h2load: Fix crash if -r > -n - -- Update to 1.2.0 - * Fix crash if response or data is submitted to closing stream - * Header table size UINT32_MAX must be accepted - * Use PROTOCOL_ERROR against DATA sent to idle stream - * Allow multiple in-flight SETTINGS - * Strictly check occurrence of dynamic table size update - * Fix configure warning that 'missing' is missing or too old - * Fix rm: cannot remove ‘*.rst’: No such file or directory when - "make clean" (Patch from Alexis La Goutte) - * doc: Reword some of the server and client tutorial (Patch - from Tom Harwood) - * src: Remove monotonic_clock replacement macro for gcc-4.6 - * nghttpx: Add TLS ticket key sharing among nghttpx instances - using memcached - * nghttpx: Add shared session cache using 
memcached - * nghttpx: Set SSL/TLS session timeout to 12 hours - * nghttpx: Enable session resumption on HTTP/2 backend - * nghttpx: Don't rewrite host header field by default - * nghttpx: Generate new ticket key every 1hr and its life time - is now 12hrs - * nghttpx: Don't reuse backend connection if it is not clean - * nghttpx: Add AES-256-CBC encryption for TLS session ticket - * nghttpd: Fix the bug that 304 response has non-empty body - * h2load: Add -r and -C options to h2load (Patch from - Nora Shoemaker) -- Changes for 1.1.2 - * Fix linker error with libnghttp2_asio - * Allow custom installation location for Python bindings -- Drop no longer needed missing_nghttp2_timegm.patch - -- Update to 1.1.1 - * nghttpx: Fix various stability issues and memory leak bug -- Changes for 1.1.0 - * Fix DATA is not consumed if nghttp2_http_on_data_chunk failed - * nghttp2_submit_response and nghttp2_submit_headers may return - * NGHTTP2_ERR_DATA_EXIST - * msvc build fixes and enchantments (Patch from Gabi Davar) - * Compile with IRIX gcc-4.7 (Patch from Klaus Ziegler) - * nghttp: Add --max-concurrent-streams option - * nghttp: Add comment on HAR on pushed objects (Patch from - acesso) - * nghttpx: Add --include option to read additional configuration - from given file - * nghttpx: Add backend routing based on request host and path by - extending -b option - * nghttpx: Allow log variable to be enclosed by curly braces for - disambiguation - * nghttpx: Add log variables related to SSL/TLS connection - * h2load: Add --ciphers option -- Add patches - * missing_nghttp2_timegm.patch to fix building of asio library - * nghttp2-remove-python-build.patch to fix python bindings - installation when autotools are used - -- Update to 1.0.5 - * Add STREAM_DEP_DEBUG macro switch to enable runtime validation - of depedency tree - * Fix another bug in priority handling; sibling's item is not - queued when ancestor's item is detached - * nghttpx: Fix crash with --http2-bridge and both 
frontend and - backend TLS - -- Update to 1.0.4 - * Fix assertion failure in stream_update_dep_on_detach_item - (GH-264) -- Changes for 1.0.3 - * Fix bug that idle self-depending PRIORITY is not handled - gracefully - * Optimize dependency based priority code to Firefox style tree - * enable third-party for asio_lib too (Patch from Mike - Frysinger) - * fetch-ocsp-response: Support LibreSSL, and include port in - ocsp_host - * src: Support compile with LibreSSL - * nghttpx: Fix bug that x-forwarded-proto header field does not - reflect frontend scheme on HTTP/2 backend - * nghttpx: Validate :path on SPDY frontend - -- Update to 1.0.2 - * Fix bug that data are not consumed for connection in race - condition (GH-253) - * Define NGHTTP2_EXTERN to __declspec(dllimport) when using - nghttp2 for Windows build - * Translate fetch-ocsp-response into Python - * libevent-client: Fix bug that path is broken if URI does not - contain path part - * python: Call on_close callback when connection is lost for - server session - * python: Expose client certificate, if available (Patch from - Fabian Wiesel) - * python: Catch and log failure to set TCP_NODELAY (Patch from - Fabian Wiesel) - * nghttpx: Add --add-request-header option - * nghttpx: Make WebSocket upgrade work - * nghttpx: Fix bug that END_STREAM is not set in backend for - POST with Upgrade - * nghttpx: Don't send "Expect" header field twice - -- Update to 1.0.1 - * Include stdint.h instead of inttypes.h when compiled with MSVC - < 2013 - * Fix invalid memory free on out-of-memory handling - * integration: Use our own copy of golang spdy package - * android: Don't link zlib bundled with android NDK - * Dockerfile.android: Update NDK ver, and ubuntu; build and link - zlib - * src, examples: Fix up OpenSSL initialization - * nghttpx: Allow HTTP Upgrade from POST request if response - header has not been sent to the client - * nghttpx: Fix bug that PUSH_PROMISE is sent after associated - response HEADERS - * nghttpd: Close 
connection after settings timeout and GOAWAY - was sent - * h2load: Fix bug that NPN fails if ALPN is enabled - -- Update to 1.0.0 - * v1.0.0 introduced backward incompatible changes from 0.7 - series. Read https://nghttp2.org/documentation/package_README.html#migration-from-v0-7-15-or-earlier - to migrate from older version to this latest version. -- Changes for 0.7.15 - * Hopefully, this is the last release for 0.7.x series. - Development continues in 1.x series. - * Access violation in buffers (GH-232) (Patch from Etienne Cimon) - * Retry finding jemalloc lib by je_malloc_stats_print (GH-233) - * inflatehd: Fix crash if 'wire' value is not string (GH-235) - * nghttpx: Revert 585af93 to fix crash with TLS (GH-234) - * nghttpd: Add --echo-upload option to send back request body - -- Update to 0.7.14 - * Fix global-buffer-overflow in HPACK code - * Fix doc for nghttp2_select_next_protocol - * Fix bug that promised stream was not reset on decompression - error - * Add systemd and upstart configuration file for nghttpx - (Patch from Zhuoyun Wei) - * Improve nghttpx logrotate configuration file (Patch from - Zhuoyun Wei) - * Update sphinx_rtd_theme - * h2load: Update h2load to give connect time and ttfb stats - (Patch from ericcarlschwartz) - * nghttpd: Add -m, --max-concurrent-streams option - * nghttpx: Log absolute URI for HTTP/2 or client proxy request - * nghttpx: Add --header-field-buffer and --max-header-fields - options - * nghttp: Fix assertion error if very large value is given to -t - -- Update to 0.7.13 - * Fix bug that promised stream was not reset by returning - NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE from - nghttp2_on_header_callback. Instead, associated stream was reset. 
- * Allow NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE from - nghttp2_on_begin_headers_callback - * h2load: Effectively disable flow control by setting large - window size - * asio: Graceful shutdown and joinable server (Patch from - Xiaoguang Sun) - -- Update to 0.7.12 - * Fix bug that nghttp2_session_set_next_stream_id accepts invalid - stream_id - * HPACK: Rewrite static header table handling - * HPACK: Never index authorization and small cookie header field - * Don't install libnghttp2_asio headers if they are disabled - * doc: Specify program directive so that hyperlink to option is - correctly pointed to the intended location - * asio: client: Call error_cb on error occurred in do_read and - do_write (Fixes GH-207) - * nghttp: Add --no-push option to disable server push - * nghttp: Show stream ID in statistics output - * nghttp: Remove --dep-idle option - * nghttp: Use same priority anchor nodes as Firefox does - * nghttpx: Don't push resource if link header has non empty - loadpolicy - * nghttpx: Add logging for somewhat important events (logs, - tickets, and ocsp) - * nghttpx: Set Downstream to stream user data on HTTP Upgrade - to h2 - -- Update to 0.7.11 - * nghttpx: Fix waitpid race condition in ocsp response update - * nghttp: Consider user-provided :authority header field for SNI - as well as host header field -- Changes for 0.7.10 - * Make sure that nghttp2 license is MIT license - * Add nghttp2_session_consume_{connection,stream} to consume - bytes independent - * Add nghttp2_send_data_callback to send DATA payload without - copying "static inline" fix for build with VS2013 (Patch from - Remo E) - * Update lib/Makefile.msvc (Patch from Remo E) - * Remove dependency on libws2_32 on Windows build - * Define NGHTTP2_EXTERN macro to export function for Windows - build - * doc: Generate API doc per function - * python: Add async body generation support - * python: Fix pseudo-header field ordering bug - * nghttpx: Redirect stderr to errorlog file - * nghttpx: Fix 
bug that data buffered in SSL object are not - read - * nghttpx: Remove --tls-ctx-per-worker option - * nghttpx: Add OCSP stapling feature - -- Enable python bindings -- Update to 0.7.9 - * Implements h2-14 protocol (http://tools.ietf.org/html/draft-ietf-httpbis-http2-14) - * Implements HPACK 09 (http://tools.ietf.org/html/draft-ietf-httpbis-header-compression-09) - * h2load: Fix crash if -t > -c - * h2load: Add -d option to upload data to server - * nghttpx: Forward only "trailers" keyword in te when forwarding HTTP/2 backend - * nghttpx: Fix PUSH_PROMISE header field corruption [GH-194] - * nghttpx: Fix te header field is duplicated when forwarding HTTP/2 backend - * nghttp, nghttpd: Add --hexdump option to hexdump incoming traffic. - * examples: Place AM_CPPFLAGS first to use in-package header files first [GH-192] -- Changes for 0.7.8 - * Implements h2-14 protocol (http://tools.ietf.org/html/draft-ietf-httpbis-http2-14) - * Implements HPACK 09 (http://tools.ietf.org/html/draft-ietf-httpbis-header-compression-09) - * Validate :path header field for http or https URI scheme - * NULL-terminate header field name and value presented by callback - * README.rst: Cleaned up the grammar a bit (Patch from Ross Smith II) - * h2load: fix for segfault by reserving correct worker count (Patch from Stefan Eissing) - -- Avoid shipping documentation redundantly. Set RPM groups. 
- -- Fix rpm group - -- Update to 0.7.5 - * Implements h2-14 protocol - (http://tools.ietf.org/html/draft-ietf-httpbis-http2-14) - * Implements HPACK 09 - (http://tools.ietf.org/html/draft-ietf-httpbis-header-compression-09) - * Validate HTTP semantics by default - * Add nghttp2_option_set_no_http_messaging() API function - * Update http-parser - * nghttp, nghttpd, nghttpx: Use "sensitive" to indicate - "never indexed" header field - * nghttp, nghttpd, nghttpx, h2load: Select/announce h2 in - ALPN/NPN - * nghttp: Fix unaligned field output in --stat - * nghttp: Fix -H does not work with -u upgrade request - * nghttp: Update resource timing terminology according to - Resource Timing TR - * nghttpd: Add -a option which takes an address parameter that - allows nghttpd to bind to a non-default address. Patch - from Brian Card - * nghttpx: Use omit minor version in case of HTTP/2 in via - header and access log - * nghttpx: Support UNIX domain socket on both frontend and backend - * nghttpx: Fix crash in http/1 backend when backend returns more - bytes than CL - * nghttpx: Cast configuration value to rlim_t to avoid compile - error on 32bit - * nghttpx: Fix 1 second delay in HTTP/2 backend connection - * nghttpx: Fix request re-submission bug in HTTP/2 backend - * asio-sv2: Fix compile error with OS X - -- Initial packaging of 0.7.4 - perl-Image-ExifTool +- Update to 12.54: + - Increased precision of Sony FocusDistance2 conversion + - Decode a number of new Apple tags (thanks Frank Rupprecht) + - Fixed bug writing QuickTime-format files which have a zero-sized mdat (ie. 
+ media data extends to end of file) which would cause an incorrect mdat size + to be written + - Added support for a number of new XMP tags written by ACR 15.1 + - Added a new Nikon LensID + - Decode timed GPS from Lamax S9 dual dashcam MOV videos + - Decode a number of new Nikon tags (thanks Warren Hatch) + - Decode a couple of new Canon tags (thanks John Moyer) + - Decode FujiFilm BWMagentaGreen tag + - Enable block-write of EXIF to JXL files + - Accept values of "now" and "Z" when writing EXIF OffsetTime tags + - Changed priority of XMP when reading/writing HEIC files so that it is no + longer preferred as with other QuickTime-based formats + - Changed family 1 group name of Canon DR4 tags from CanonVRD to CanonDR4 to + allow newer tags to be differentiated from older ones. The family 0 group + name for both remains CanonVRD + - Patched to recognize JXL EXIF box with non-zero header length + - Patched to avoid runtime error when writing a PDF with an Info dictionary + which was stored incorrectly as a direct object + - Fixed problem writing EXIF to JXL images where a new EXIF box was created + even if one previously existed + +- Update to 12.52: + - Added a few new Nikon LensID's (thanks LibRaw and Chris) + - Added Slovak translations (thanks Peter Bagin) + - Made SphericalVideoXML readable/writable as a block + - Improved handling of Matroska metadata tags, including language support + - Improved French translations (thanks Philippe Bonnaure of GraphicConverter) + - Improved Composite:GPSAltitude conversion to honour -lang setting + - Improved -v2 messages to indicate files extracted from zip archives + - Added a new Olympus LensType (thanks Herb) + - Extract C2PA JUMBF metadata from PNG images and extract C2PA Salt values + - Decode NikonSettings for Z9 firmware 3.0 (thanks Warren Hatch) + - Decode additional camm metadata from Insta360 Pro2 MP4 videos + - Improved Verbose output when writing Composite tags to add a "+" sign to + indicate related tags that 
are being written + - Enhanced -geotag option CSV format to support GPSImgDirection column + - Fixed problem where -w+ option didn't work in Windows if there were Unicode + characters in the path name + - Fixed problem where only the last image of the sequence was extracted + (multiple times) when using -ee2 to extract embedded images from FLIR SEQ + files + - Fixed issue where GPS reference directions may be unknowingly written when + using ExifTool 12.44 or later to write GPSLatitude or GPSLongitude without + specifying a group name. The fix was to Avoid writing the Composite tags + unless the Composite group is specified explicitly + - Fixed -geotag to write orientation and track tags even if some tags in the + category were missing + - Fixed inconsistency in selecting which tag to output with the -json option + when multiple tags with the same JSON key exist and the -TAG# feature is + used to disable print conversion + - Fixed problem writing QuickTime:PlayListID + - Fixed problem writing QuickTime tags when specifying tag ID (ie. family 7 + group) as well as a language code + tiff + * CVE-2022-48281 [bsc#1207413] + + tiff-CVE-2022-48281.patch + +- security update: transmission +- Apply downstream patch from Gentoo to fix a crash with openSSL 3 + (boo#1207914): + * transmission-3.00-openssl-3.patch + +- boo#1207555: Transmission can't open Bittorrent v2 torrents + Add transmission-hybrid-torrent-length.patch + xf86-input-joystick +- Update to version 1.6.4 + * Fix quoting in man page synopsis section + * Update README for gitlab migration + * Update configure.ac bug URL for gitlab migration + * Fix spelling/wording issues + * gitlab CI: add a basic build test + * gitlab CI: stop requiring Signed-off-by in commits + * autogen.sh: Implement GNOME Build API + * autogen.sh: use quoted string variables + * Adapt to USB HID header changes on NetBSD-8.99.9. 
+ * autogen: add default patch prefix + * configure: Drop AM_MAINTAINER_MODE + * autogen.sh: use exec instead of waiting for configure to finish + xf86-video-voodoo +- update to 1.2.6: + * Remove miInitializeBackingStore + Stop using deprecated xf86PciInfo.h + Fix spelling/wording issues + Build xz tarballs instead of bzip2 + Update configure.ac bug URL for gitlab migration + autogen: add default patch prefix + autogen.sh: use quoted string variables + autogen.sh: use exec instead of waiting for configure to finish + autogen.sh: Honor NOCONFIGURE=1 + configure: Drop AM_MAINTAINER_MODE + don't use PCITAG in struct anymore +- drop U_don-t-use-PCITAG-in-struct-anymore.patch (upstream) + yast2-bootloader +- make secure boot for ppc64 consistent with how secure boot works + on other architectures (bsc#1206295) +- 4.5.8 + yast2-iscsi-client +- Expose all core functionality from IscsiClientLib, with options + to suppress usage of pop-ups (related t gh#yast/d-installer#402). + +- Finish client: copy the content of both /etc/iscsi and + /var/lib/iscsi (bsc#1207374). +- Finish client: never enable both the iscsid socket and the + service (partial fix for bsc#1207839). +- 4.5.7 + yast2-network +- Fix calling method read on nil crash in bootloader caused by + not restoring SCR chroot in save_network client when running + in autoyast (bsc#1207968) +- 4.5.16 + yast2-packager +- Prevent crash if nil dependencies instead of [] (bsc#1208068) +- 4.5.14 +