Packages changed: ffmpeg-4 libaom (3.7.1 -> 3.7.2) libdrm (2.4.122 -> 2.4.123) ncurses (6.5.20240817 -> 6.5.20240824) openssh (9.6p1 -> 9.8p1) openssh-askpass-gnome (9.6p1 -> 9.8p1) passt (20240814.61c0b0d -> 20240821.1d6142f) patterns-base python-setuptools (70.1.1 -> 72.1.0) sdbootutil (1+git20240822.bc7e06b -> 1+git20240823.30ef4f1) selinux-policy (20240823 -> 20240828) systemd-presets-common-SUSE === Details === ==== ffmpeg-4 ==== Subpackages: libavcodec58_134 libavformat58_76 libavutil56_70 libpostproc55_9 libswresample3_9 libswscale5_9 - Add 0001-libavcodec-arm-mlpdsp_armv5te-fix-label-format-to-wo.patch [boo#1229338] ==== libaom ==== Version update (3.7.1 -> 3.7.2) - Exclude third_party from obscpio - Update to version 3.7.2: * aomedia:3520: get_cubic_kernel_dbl: Assertion `0 <= x && x < 1' failed. * aomedia:3526: alloc_compressor_data() is called during every aom_codec_control() call on the encoder. Note that this partially reverts the fix for bug aomedia:3349. * b/310457427 and b/310766628: Only use rec_sse in CBR mode. ==== libdrm ==== Version update (2.4.122 -> 2.4.123) Subpackages: libdrm2 libdrm_amdgpu1 libdrm_radeon1 - update to 2.4.123 * amdgpu: add new marketing names * amdgpu: add new marketing names * Convert to Android.bp * libs: Tie DSO minor versions to libdrm version * readdir_r is deprecated. * Fix FTBS on undefined clock_gettime() and asprintf() * Export include dirs with -isystem * Makes libdrm available on host * Adds libdrm_headers * Make libdrm recovery_available * add crosvm to com.android.virt * Enable GPU in crosvm * Android.bp: Add include exports for android dir * Disable ioctl signed overload for Bionic libc * build: bump version to 2.4.123 * Delete all Makefile.sources files * tests: Make modetest and proptest cc_binary in Android.bp ==== ncurses ==== Version update (6.5.20240817 -> 6.5.20240824) Subpackages: libncurses6 ncurses-utils terminfo-base - Add ncurses patch 20240824 + modify infocmp and tabs to use actual name in usage and header. + modify test/demo_keyok.c to accept ^Q for quit, for consistency. - Break dependency cycle between libncurses6 which provides "ncurses" by only let terminfo-base recommending "ncurses" ==== openssh ==== Version update (9.6p1 -> 9.8p1) Subpackages: openssh-clients openssh-common openssh-server - Add patch to fix sshd not logging in the audit failed login attempts (submitted to upstream in https://github.com/openssh/openssh-portable/pull/516): * fix-audit-fail-attempt.patch - Use --enable-dsa-keys when building openssh. It's required if the user sets the crypto-policy mode to LEGACY, where DSA keys should be allowed. The option was added by upstream in 9.7 and set to disabled by default. - These two changes fix 2 of the 3 issues reported in bsc#1229650. - Fix a dbus connection leaked in the logind patch that was missing a sd_bus_unref call (found by Matthias Gerstner): * logind_set_tty.patch - Add a patch that fixes a small memory leak when parsing the subsystem configuration option: * fix-memleak-in-process_server_config_line_depth.patch - Update to openssh 9.8p1: = Security * 1) Race condition in sshd(8) (bsc#1226642, CVE-2024-6387). A critical vulnerability in sshd(8) was present in Portable OpenSSH versions between 8.5p1 and 9.7p1 (inclusive) that may allow arbitrary code execution with root privileges. Successful exploitation has been demonstrated on 32-bit Linux/glibc systems with ASLR. Under lab conditions, the attack requires on average 6-8 hours of continuous connections up to the maximum the server will accept. Exploitation on 64-bit systems is believed to be possible but has not been demonstrated at this time. It's likely that these attacks will be improved upon. Exploitation on non-glibc systems is conceivable but has not been examined. Systems that lack ASLR or users of downstream Linux distributions that have modified OpenSSH to disable per-connection ASLR re-randomisation (yes - this is a thing, no - we don't understand why) may potentially have an easier path to exploitation. OpenBSD is not vulnerable. We thank the Qualys Security Advisory Team for discovering, reporting and demonstrating exploitability of this problem, and for providing detailed feedback on additional mitigation measures. * 2) Logic error in ssh(1) ObscureKeystrokeTiming (bsc#1227318, CVE-2024-39894). In OpenSSH version 9.5 through 9.7 (inclusive), when connected to an OpenSSH server version 9.5 or later, a logic error in the ssh(1) ObscureKeystrokeTiming feature (on by default) rendered this feature ineffective - a passive observer could still detect which network packets contained real keystrokes when the countermeasure was active because both fake and real keystroke packets were being sent unconditionally. This bug was found by Philippos Giavridis and also independently by Jacky Wei En Kung, Daniel Hugenroth and Alastair Beresford of the University of Cambridge Computer Lab. Worse, the unconditional sending of both fake and real keystroke packets broke another long-standing timing attack mitigation. Since OpenSSH 2.9.9 sshd(8) has sent fake keystoke echo packets for traffic received on TTYs in echo-off mode, such as when entering a password into su(8) or sudo(8). This bug rendered these fake keystroke echoes ineffective and could allow a passive observer of a SSH session to once again detect when echo was off and obtain fairly limited timing information about keystrokes in this situation (20ms granularity by default). This additional implication of the bug was identified by Jacky Wei En Kung, Daniel Hugenroth and Alastair Beresford and we thank them for their detailed analysis. This bug does not affect connections when ObscureKeystrokeTiming was disabled or sessions where no TTY was requested. = Future deprecation notice * OpenSSH plans to remove support for the DSA signature algorithm in early 2025. This release disables DSA by default at compile time. DSA, as specified in the SSHv2 protocol, is inherently weak - being limited to a 160 bit private key and use of the SHA1 digest. Its estimated security level is only 80 bits symmetric equivalent. OpenSSH has disabled DSA keys by default since 2015 but has retained run-time optional support for them. DSA was the only mandatory-to-implement algorithm in the SSHv2 RFCs, mostly because alternative algorithms were encumbered by patents when the SSHv2 protocol was specified. This has not been the case for decades at this point and better algorithms are well supported by all actively-maintained SSH implementations. We do not consider the costs of maintaining DSA in OpenSSH to be justified and hope that removing it from OpenSSH can accelerate its wider deprecation in supporting cryptography libraries. This release, and its deactivation of DSA by default at compile-time, marks the second step in our timeline to finally deprecate DSA. The final step of removing DSA support entirely is planned for the first OpenSSH release of 2025. DSA support may be re-enabled in OpenBSD by setting "DSAKEY=yes" in Makefile.inc. To enable DSA support in portable OpenSSH, pass the "--enable-dsa-keys" option to configure. = Potentially-incompatible changes * all: as mentioned above, the DSA signature algorithm is now disabled at compile time. * sshd(8): the server will now block client addresses that repeatedly fail authentication, repeatedly connect without ever completing authentication or that crash the server. See the ... changelog too long, skipping 181 lines ... add "VSOCK VirtIO"). ==== openssh-askpass-gnome ==== Version update (9.6p1 -> 9.8p1) - Update to openssh 9.8p1: * No changes for askpass, see main package changelog for details. ==== passt ==== Version update (20240814.61c0b0d -> 20240821.1d6142f) Subpackages: passt-selinux - Update to version 20240821.1d6142f: * README: pasta is indeed a supported back-end for rootless Docker * util: Don't stop on unrelated values when looking for --fd in close_open_files() * test: Update list of dependencies in README.md * tcp, udp: Allow timerfd_gettime64() and recvmmsg_time64() on arm (armhf) * util: Provide own version of close_range(), and no-op fallback * udp_flow: Add missing unistd.h include for close() * test: Duplicate existing recvfrom() valgrind suppression for recv() * test/passt.mbuto: Install sshd-session OpenSSH's split process * test/passt.mbuto: Run sshd from vsock proxy with absolute path * test/lib/setup: Transform i686 kernel architecture name into QEMU name (i386) * treewide: Allow additional system calls for i386/i686 * fwd, conf: Allow NAT of the guest's assigned address * fwd: Distinguish translatable from untranslatable addresses on inbound * conf: Allow address remapped to host to be configured * test: Reconfigure IPv6 address after changing MTU * conf, fwd: Split notion of gateway/router from guest-visible host address * Don't take "our" MAC address from the host * fwd: Split notion of "our tap address" from gateway for IPv4 * fwd: Helpers to clarify what host addresses aren't guest accessible * Initialise our_tap_ll to ip6.gw when suitable * Clarify which addresses in ip[46]_ctx are meaningful where * treewide: Change misleading 'addr_ll' name * util: Correct sock_l4() binding for link local addresses * conf: Remove incorrect initialisation of addr_ll_seen * conf: Treat --dns addresses as guest visible addresses * conf: Correct setting of dns_match address in add_dns6() * conf: Move adding of a nameserver from resolv.conf into subfunction * conf: Move DNS array bounds checks into add_dns[46] * conf: More accurately count entries added in get_dns() * conf: Use array indices rather than pointers for DNS array slots * treewide: Use struct assignment instead of memcpy() for IP addresses * treewide: Rename MAC address fields for clarity * util: Helper for formatting MAC addresses * treewide: Use "our address" instead of "forwarding address" * netlink: Fix typo in function comment for nl_addr_set() * pasta: Disable neighbour solicitations on device up to prevent DAD * netlink, pasta: Fetch link-local address from namespace interface once it's up * netlink, pasta: Disable DAD for link-local addresses on namespace interface * netlink, pasta: Turn nl_link_up() into a generic function to set link flags * netlink, pasta: Split MTU setting functionality out of nl_link_up() * netlink: Fix typo in function comment for nl_addr_get() * test: Speed up by cutting on eye candy and performance test duration ==== patterns-base ==== Subpackages: patterns-base-base patterns-base-bootloader patterns-base-minimal_base patterns-base-x11 - Move suggests for libz1 from patterns-base-base to patterns-base-minimal_base: be nicer with CI consumers. ==== python-setuptools ==== Version update (70.1.1 -> 72.1.0) - Update to 72.1.0: * Restore the tests command and deprecate access to the module. * Added return types to typed public functions. * Removed lingering unused code around Distribution._patched_dist. * Reset the backports module when enabling vendored packages. * Include all vendored files in the sdist. * Restored package data that went missing in 71.0. This change also incidentally causes tests to be installed once again. * Now setuptools declares its own dependencies in the core extra. Dependencies are still vendored for bootstrapping purposes, but setuptools will prefer installed dependencies if present. The core extra is used for informational purposes and should *not* be declared in package metadata (e.g. build-requires). * Support for loading distutils from the standard library is now deprecated, including use of SETUPTOOLS_USE_DISTUTILS=stdlib and importing distutils before importing setuptools. * Fix distribution name normalisation for valid versions that are not canonical (e.g. 1.0-2). ==== sdbootutil ==== Version update (1+git20240822.bc7e06b -> 1+git20240823.30ef4f1) Subpackages: sdbootutil-snapper sdbootutil-tukit - Update to version 1+git20240823.30ef4f1: * Remove the executed line in grub2bls * Support new grub2-bls package ==== selinux-policy ==== Version update (20240823 -> 20240828) Subpackages: selinux-policy-targeted - Update to version 20240828: * Allow systemd-ssh-generator to load net-pf-40 (bsc#1229766) ==== systemd-presets-common-SUSE ==== - Enable soft-reboot-cleanup.service to make soft-reboot possible with container and/or firewalld.