Packages changed:
  ffmpeg-4
  grub2 (2.04 -> 2.06)
  hwdata (0.348 -> 0.349)
  libcdio-paranoia (10.2+2.0.0 -> 10.2+2.0.1)
  libeconf (0.4.0+git20210413.fdb8025 -> 0.4.1+git20210709.cf671f2)
  libvirt
  polkit-default-privs (1550+20210615.e149f78 -> 1550+20210708.6401347)
  python-kiwi (9.23.31 -> 9.23.43)
  rubygem-parser (3.0.1.1 -> 3.0.2.0)
  rubygem-rubocop (1.17.0 -> 1.18.3)
  selinux-policy

=== Details ===

==== ffmpeg-4 ====
Subpackages: libavcodec58_134 libavdevice58_13 libavfilter7_110 libavformat58_76 libavresample4_0 libavutil56_70 libpostproc55_9 libswresample3_9 libswscale5_9

- Remove second hunk of ffmpeg-CVE-2020-22046.patch, that contains a goto to a non-existing label. In order to distinguish this patch from the original, I renamed it to ffmpeg-4.4-CVE-2020-22046.patch
- While at it, refresh the other patches with offsets
- Add ffmpeg-CVE-2020-22046.patch: Backport from upstream to fix a denial of service vulnerability that exists in FFmpeg 4.2 due to a memory leak in the avpriv_float_dsp_allocl function in libavutil/float_dsp.c (bsc#1186849).
- Add ffmpeg-CVE-2021-33815.patch: Backport from upstream to fix dwa_uncompress in libavcodec/exr.c in FFmpeg 4.4 allows an out-of-bounds array access because dc_count is not strictly checked (bsc#1186865).

==== grub2 ====
Version update (2.04 -> 2.06)
Subpackages: grub2-i386-pc grub2-snapper-plugin grub2-systemd-sleep-plugin grub2-x86_64-efi grub2-x86_64-xen

- Version bump to 2.06
  * rediff
    - 0001-add-support-for-UEFI-network-protocols.patch
    - 0002-net-read-bracketed-ipv6-addrs-and-port-numbers.patch
    - 0003-Make-grub_error-more-verbose.patch
    - 0003-bootp-New-net_bootp6-command.patch
    - 0005-grub.texi-Add-net_bootp6-doument.patch
    - 0006-bootp-Add-processing-DHCPACK-packet-from-HTTP-Boot.patch
    - 0006-efi-Set-image-base-address-before-jumping-to-the-PE-.patch
    - 0008-efinet-Setting-DNS-server-from-UEFI-protocol.patch
    - 0046-squash-verifiers-Move-verifiers-API-to-kernel-image.patch
    - grub-install-force-journal-draining-to-ensure-data-i.patch
    - grub2-btrfs-01-add-ability-to-boot-from-subvolumes.patch
    - grub2-diskfilter-support-pv-without-metadatacopies.patch
    - grub2-efi-HP-workaround.patch
    - grub2-efi-xen-cfg-unquote.patch
    - grub2-efi-xen-chainload.patch
    - grub2-fix-menu-in-xen-host-server.patch
    - grub2-gfxmenu-support-scrolling-menu-entry-s-text.patch
    - grub2-install-remove-useless-check-PReP-partition-is-empty.patch
    - grub2-lvm-allocate-metadata-buffer-from-raw-contents.patch
    - grub2-mkconfig-default-entry-correction.patch
    - grub2-pass-corret-root-for-nfsroot.patch
    - grub2-s390x-03-output-7-bit-ascii.patch
    - grub2-s390x-04-grub2-install.patch
    - grub2-secureboot-install-signed-grub.patch
    - grub2-setup-try-fs-embed-if-mbr-gap-too-small.patch
    - use-grub2-as-a-package-name.patch
  * update by patch squashed:
    - 0001-Add-support-for-Linux-EFI-stub-loading-on-aarch64.patch
    - grub2-efi-chainload-harder.patch
    - grub2-secureboot-no-insmod-on-sb.patch
    - grub2-secureboot-chainloader.patch
    - grub2-secureboot-add-linuxefi.patch
  * remove squashed patches:
    - 0008-squash-Add-support-for-Linux-EFI-stub-loading-on-aar.patch
    - 0009-squash-Add-support-for-linuxefi.patch
    - 0041-squash-Add-secureboot-support-on-efi-chainloader.patch
    - 0042-squash-grub2-efi-chainload-harder.patch
    - 0043-squash-Don-t-allow-insmod-when-secure-boot-is-enable.patch
    - 0045-squash-Add-support-for-Linux-EFI-stub-loading-on-aar.patch
  * drop upstream patches:
    - 0001-Warn-if-MBR-gap-is-small-and-user-uses-advanced-modu.patch
    - 0001-include-grub-i386-linux.h-Include-missing-grub-types.patch
    - 0001-kern-efi-sb-Add-chainloaded-image-as-shim-s-verifiab.patch
    - 0001-mdraid1x_linux-Fix-gcc10-error-Werror-array-bounds.patch
    - 0001-normal-Move-common-datetime-functions-out-of-the-nor.patch
    - 0001-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch
    - 0002-efi-Make-shim_lock-GUID-and-protocol-type-public.patch
    - 0002-grub-install-Avoid-incompleted-install-on-i386-pc.patch
    - 0002-kern-Add-X-option-to-printf-functions.patch
    - 0002-safemath-Add-some-arithmetic-primitives-that-check-f.patch
    - 0002-zfs-Fix-gcc10-error-Werror-zero-length-bounds.patch
    - 0003-calloc-Make-sure-we-always-have-an-overflow-checking.patch
    - 0003-efi-Return-grub_efi_status_t-from-grub_efi_get_varia.patch
    - 0003-normal-main-Search-for-specific-config-files-for-net.patch
    - 0004-calloc-Use-calloc-at-most-places.patch
    - 0004-datetime-Enable-the-datetime-module-for-the-emu-plat.patch
    - 0004-efi-Add-a-function-to-read-EFI-variables-with-attrib.patch
    - 0005-Make-linux_arm_kernel_header.hdr_offset-be-at-the-ri.patch
    - 0005-efi-Add-secure-boot-detection.patch
    - 0005-malloc-Use-overflow-checking-primitives-where-we-do-.patch
    - 0006-efi-Only-register-shim_lock-verifier-if-shim_lock-pr.patch
    - 0006-iso9660-Don-t-leak-memory-on-realloc-failures.patch
    - 0007-font-Do-not-load-more-than-one-NAME-section.patch
    - 0007-verifiers-Move-verifiers-API-to-kernel-image.patch
    - 0008-efi-Move-the-shim_lock-verifier-to-the-GRUB-core.patch
    - 0008-script-Remove-unused-fields-from-grub_script_functio.patch
    - 0009-kern-Add-lockdown-support.patch
    - 0009-script-Avoid-a-use-after-free-when-redefining-a-func.patch
    - 0010-kern-lockdown-Set-a-variable-if-the-GRUB-is-locked-d.patch
    - 0010-linux-Fix-integer-overflows-in-initrd-size-handling.patch
    - 0011-efi-Lockdown-the-GRUB-when-the-UEFI-Secure-Boot-is-e.patch
    - 0012-efi-Use-grub_is_lockdown-instead-of-hardcoding-a-dis.patch
    - 0013-acpi-Don-t-register-the-acpi-command-when-locked-dow.patch
    - 0014-mmap-Don-t-register-cutmem-and-badram-commands-when-.patch
    - 0015-commands-Restrict-commands-that-can-load-BIOS-or-DT-.patch
    - 0016-commands-setpci-Restrict-setpci-command-when-locked-.patch
    - 0017-commands-hdparm-Restrict-hdparm-command-when-locked-.patch
    - 0018-gdb-Restrict-GDB-access-when-locked-down.patch
    - 0019-loader-xnu-Don-t-allow-loading-extension-and-package.patch
    - 0020-dl-Only-allow-unloading-modules-that-are-not-depende.patch
    - 0021-usb-Avoid-possible-out-of-bound-accesses-caused-by-m.patch
    - 0022-lib-arg-Block-repeated-short-options-that-require-an.patch
    - 0023-commands-menuentry-Fix-quoting-in-setparams_prefix.patch
    - 0024-kern-parser-Fix-resource-leak-if-argc-0.patch
    - 0025-kern-parser-Fix-a-memory-leak.patch
    - 0026-kern-parser-Introduce-process_char-helper.patch
    - 0027-kern-parser-Introduce-terminate_arg-helper.patch
    - 0028-kern-parser-Refactor-grub_parser_split_cmdline-clean.patch
    - 0029-kern-buffer-Add-variable-sized-heap-buffer.patch
    - 0030-kern-parser-Fix-a-stack-buffer-overflow.patch
    - 0031-util-mkimage-Remove-unused-code-to-add-BSS-section.patch
    - 0032-util-mkimage-Use-grub_host_to_target32-instead-of-gr.patch
    - 0033-util-mkimage-Always-use-grub_host_to_target32-to-ini.patch
    - 0034-util-mkimage-Unify-more-of-the-PE32-and-PE32-header-.patch
    - 0035-util-mkimage-Reorder-PE-optional-header-fields-set-u.patch
    - 0036-util-mkimage-Improve-data_size-value-calculation.patch
    - 0037-util-mkimage-Refactor-section-setup-to-use-a-helper.patch
    - 0038-util-mkimage-Add-an-option-to-import-SBAT-metadata-i.patch
    - 0039-grub-install-common-Add-sbat-option.patch
    - 0040-shim_lock-Only-skip-loading-shim_lock-verifier-with-.patch
    - grub-install-define-default-platform-for-risc-v.patch
    - grub2-editenv-add-warning-message.patch
    - grub2-efi-gop-add-blt.patch
    - grub2-efi-uga-64bit-fb.patch
    - grub2-verifiers-fix-system-freeze-if-verify-failed.patch
    - risc-v-add-clzdi2-symbol.patch
    - risc-v-fix-computation-of-pc-relative-relocation-offset.patch
- Add grub2-instdev-fixup.pl for correcting /etc/default/grub_installdevice to use disk device if grub has been installed to it
- Add 0001-30_uefi-firmware-fix-printf-format-with-null-byte.patch to fix detection of efi fwsetup support

==== hwdata ====
Version update (0.348 -> 0.349)

- Update to version 0.349 (bsc#1187948):
  + Updated pci, usb and vendor ids.

==== libcdio-paranoia ====
Version update (10.2+2.0.0 -> 10.2+2.0.1)
Subpackages: libcdio_cdda2 libcdio_paranoia2

- version 10.2+2.0.1 (2019-09-16)
  * cdda toc routines now included
  * "make distcheck" broken in 2.0.0 works properly again
  * Remove some gcc/clang warnings
- Use %find_lang
- Use correct License
- Drop --with-pic (no effect with --disable-static)
- Trim old rpm macros/constructs
- Update descriptions

==== libeconf ====
Version update (0.4.0+git20210413.fdb8025 -> 0.4.1+git20210709.cf671f2)
Subpackages: libeconf0 libeconf0-32bit

- Update to version 0.4.1+git20210709.cf671f2:
  * CMake fixes regarding installation of econftool and man pages.
- Update to version 0.4.0+git20210708.6918ea1:
  * Fixed covscan FORWARD_NULL_issues warnings
- Update to version 0.4.0+git20210707.537a8a:
  * Fixed resource leaks found by Iker Pedrosa.

==== libvirt ====
Subpackages: libvirt-client libvirt-daemon libvirt-daemon-driver-interface libvirt-daemon-driver-libxl libvirt-daemon-driver-lxc libvirt-daemon-driver-network libvirt-daemon-driver-nodedev libvirt-daemon-driver-nwfilter libvirt-daemon-driver-qemu libvirt-daemon-driver-secret libvirt-daemon-driver-storage libvirt-daemon-driver-storage-core libvirt-daemon-driver-storage-disk libvirt-daemon-driver-storage-iscsi libvirt-daemon-driver-storage-iscsi-direct libvirt-daemon-driver-storage-logical libvirt-daemon-driver-storage-mpath libvirt-daemon-driver-storage-rbd libvirt-daemon-driver-storage-scsi libvirt-daemon-lxc libvirt-daemon-qemu libvirt-daemon-xen libvirt-libs

- virtlockd: Don't report error if lockspace exists
  de1e0ae0-lockd-no-error-if-lockspace.patch
  bsc#1184253

==== polkit-default-privs ====
Version update (1550+20210615.e149f78 -> 1550+20210708.6401347)

- Update to version 1550+20210708.6401347:
  * fprint.device.enroll: keep restrictive profile in sync with upstream
- Update to version 1550+20210708.c4d6bf4:
  * kdenetwork-filesharing: align with upstream (#49)
- Update to version 1550+20210701.3047fcb:
  * ModemManager1.USSD: fix inconsistencies in standard and easy profiles
  * powerdevil.discretegpuhelper.hasdualgpu: align with upstream settings
  * cupspkhelper.mechanism.job-edit: align with upstream setting
  * org.fedoraproject.FirewallD1.info: don't be more restrictive than the 'standard' profile
  * remove org.selinux.* (policycoreutils) since they no longer exist in Factory
  * remove cinnamon.controlcenter.datetime.configure: no longer packaged
  * net.connman.vpn.secret: fix invalid label "auth_admin_keep_session"

==== python-kiwi ====
Version update (9.23.31 -> 9.23.43)

- Bump version: 9.23.42 → 9.23.43
- Re-add suseImportBuildKey
  suseImportBuildKey is not required during the image build as kiwi imports the correct keys by itself. However, the created images lack the repository signing keys and any `zypper` commands will thus fail.
  This fixes https://github.com/OSInside/kiwi/issues/1876
- Bump version: 9.23.41 → 9.23.42
- Fixed fedora integration test builds
  Maintain the repos in the obs prj config which prevents the weird "nothing provides kernel-obs-build" error
- Bump version: 9.23.40 → 9.23.41
- Remove util-linux-systemd & util-linux Requires from dracut-kiwi-overlay
  These dependencies are pulled in via dracut-kiwi-lib.
- Add missing util-linux-systemd Requires to dracut-kiwi-[live,libs]
- Fixed test-image-orthos integration test
  The test was missing btrfs_root_is_snapshot which is required when using btrfs on tumbleweed.
- Fixed test-image-disk-legacy integration test
  The test did not set a device filter for ramdisk devices but activates unattended mode. In this mode the first device in the list is taken and this is a ramdisk device which is by default too small to be used for the installation. Thus the install usually fails. This commit sets the device filter for ramdisk devices such that only associated disk devices can be used for the install process, which is the purpose of this test.
  This is related to Issue OSInside/kiwi-functional-tests#8
- Bump version: 9.23.39 → 9.23.40
- Mount dev and proc filesystems prior dracut
  In newer versions of dracut /dev and /proc must be mounted for dracut to work correctly. If not present the resulting initrd is incomplete.
  This Fixes #1867
- Use namespaced files in /var/tmp for large temporary files
  Previously, kiwi created staging image files as plain temporary files in /tmp, which causes issues on operating systems where /tmp is tmpfs. Notably, image builds would fail with "no space left on the device" because the tmpfs was not big enough for everything to exist there. To fix this, we change to use /var/tmp, and additionally add a prefix for our temporary files so that the user knows which ones kiwi created.
  Fixes: https://github.com/OSInside/kiwi/issues/1866
- Use latest stylesheet in STYLEROOT
  Use "suse2021-ns" instead of "suse2013-ns" due to new branding.
- Add missing util-linux-systemd dependency to dracut-kiwi-overlay
  The script kiwi-overlay-root.sh requires lsblk which is provided by util-linux-systemd. If that package is missing in the final image, then booting an overlayroot image hangs with:
  dracut-pre-mount[480]: //lib/dracut/hooks/pre-mount/30-kiwi-overlay-root.sh: line 46: lsblk: command not found
- Make sure chat link points to Element not Riot
  Riot has changed to Element. The index page on kiwi still uses the old location. This updates the information how to use the Matrix channel and the kiwi room name.
  This Fixes #1854
- Bump version: 9.23.38 → 9.23.39
- Functions integration tests (#1851)
  Add integration tests for functions.sh
  Implement a container based test system to run shell code for testing. The concept utilizes pytest-testinfra and runs a container per test. The nested container in a container feature is supported by the github actions workflow. Thus the integration of this testing concept runs in the github actions CI rather than on gitlab
- Don't shell out for calling dnf
  refactor the dnf call to install packages and groups in one call. This allows to prevent calling dnf through a shell. For installing of a package group the group ID name is expected.
  This Fixes #1856
- - Improve the error message if the config file cannot be parsed.
- Do not shell out for calling microdnf. In fact it can be counter productive if the shell evaluates eventually existing package name/instruction patterns.
  This is related to Issue #1856
- Prevent calling pacman through a shell
  There is no reason to shell out for calling pacman. In fact it can be counter productive if the shell evaluates eventually existing package name/instruction patterns.
  This is related to Issue #1856
- Make sure mypy stubs will be installed
- Allow creation of LUKS system with empty key
  To support cloud platforms better we should allow the creation of an initial (insecure) LUKS encrypted image with an empty passphrase/keyfile.
  This Fixes bsc#1187461 and bsc#1187460
- Bump version: 9.23.37 → 9.23.38
- Fixed cleanup of temporary directory
  In the custom kiwi initrd build process a temporary directory holding a copy of the initrd root tree is created. That data got never cleaned up. This commit uses a TemporaryDirectory object from the tempfile module to make sure it gets deleted once the execution scope is done.
  This Fixes #1837
- Bump version: 9.23.36 → 9.23.37
- Delete deprecated shell functions from docs
  suseActivateDefaultServices suseSetupProductInformation suseImportBuildKey suseConfig baseCleanMount baseSetupUserPermissions baseGetPackagesForDeletion baseGetProfilesUsed baseStripMans baseStripDocs baseStripInfos Rpm
- Fixed creating grub bios module
  If no prebuilt grub bios module was found, kiwi creates one. In this case kiwi searches for the grub modules and runs the grub mkimage tool. The search for the modules for the bios module used the host system (/) grub and that fails if the host has packaged grub differently than the image target. This fix moves the lookup into the image root directory which is the correct place to lookup the grub data
- Bump version: 9.23.35 → 9.23.36
- Fixed building with custom kiwi initrd setup
  The change from allowing to build with initrd_system="none" broke the build for initrd_system="kiwi".
  This commit fixes the regression
- Use zypper --gpg-auto-import-keys option
  When building an image against self managed repos the auto import of the repo gpg key makes sense to me
- Cleanup integration tests from obsolete methods
  Cleanup config.sh scripts calling obsolete helper methods
- Cleanup integration tests from obsolete methods
  Cleanup config.sh scripts calling obsolete helper methods
- Bump version: 9.23.34 → 9.23.35
- Corrected preferences timezone code tag
- Refactor config functions code
  Reorganize the code into more readable areas like methods present as helpers, methods for customers, methods which are distribution specific and also methods that are deprecated and give a good reason why they are deprecated when they get called.
  This is related to Issue #1828
- Revert "Switch test-image-live-disk to Fedora 33"
  This reverts commit f80549474c4baa120e6e228bacc7b4a075265753.
- Switch test-image-live-disk to Fedora 33
- Fixed codacy code smells
- Add strong typing for the following API methods
  kiwi/boot/image/base.py
  kiwi/boot/image/builtin_kiwi.py
  kiwi/boot/image/dracut.py
  This references issue #1644
- Added support for skipping initrd creation
  Embedded systems and other customer use cases sometimes don't require an initrd. So far the initrd creation was a mandatory step in the process. With this commit it's possible to configure and therefore skip the creation and setup of an initrd. Using this feature comes with a price. Without an initrd the task of mounting the specified root=DEVICE_SPEC now becomes a task of the kernel. If the kernel doesn't have the required filesystem driver compiled in or the mount process of the device is not just a simple mount action, the boot of such an appliance will fail
- Remove grep and find from suseSetupProduct
- config/functions.sh: Avoid non-zero exit status
  In baseStripDocs and baseStripFirmware avoid non-zero exit status of grep. This allows the functions to be used in a script that sets the exit-on-error flag.
- Bump version: 9.23.33 → 9.23.34
- Make sure we use sphinx >= 4.0.2
- Revert "Revert "Fix installation of man pages""
  This reverts commit db7410f3c5b7b101ec0974cc24de0400c491f065.
- Revert "Make sure man pages are part of the sdist tarball"
  This reverts commit 3bf80506c4bbe381b66febdd38df93e65103ffb6.
- Bump version: 9.23.32 → 9.23.33
- Make sure man pages are part of the sdist tarball
  Due to the move of man pages in sphinx the MANIFEST.in has to be updated to provide the man pages in the sdist tarball
- Revert "Fix installation of man pages"
  This reverts commit 286b26b5b6598285bf6eb26a1f5c9200c925b529.
- Fixed missing shebang in config.sh
  The ubuntu integration test config.sh script was missing the shebang to let the script code run through bash
- Fix installation of man pages
  The generated source archive on PyPI has the man page files in ./doc/build/man instead of ./doc/build/man/8. Adjust the Makefile to use the correct path to install the man pages.
- Bump version: 9.23.31 → 9.23.32
- Do not return default stdout if it is no raising on failure
  This commit prevents the use of a default stdout and stderr in case return code reports errors and it is not raising an exception. If we are not raising an exception there is no specific need to artificially append some stdout and stderr default message, we just behave as if there was no error.
- Update Ubuntu integration test for system settings
  In Debian based distributions the kiwi built in way to setup locale, keyboard and timezone via systemd tools does not work because not (yet) provided by the distribution. This commit adds a reference implementation in the Ubuntu integration test to demonstrate how the settings given in the kiwi image description needs to be handled to make them effective in the later image.
  This Fixes #1787
- Add log information on grub search
  There is a method in kiwi which searches for grub files. As grub is packaged differently within the distributions a dynamic lookup is needed.
  However, the result and where kiwi looked it up was not part of the log file. In terms of issues like the one from Issue #1754 it would be very handy to know about this information. Thus this commit adds debug information to the log file regarding what grub files are searched and where and if found
- Fixed codacy complains
- Make dracut version check more robust
  The check_dracut_module_versions_compatible_to_kiwi() runtime check calls the package manager from the host and reads the package database from the image root. Doing this requires the package database in the image to be compatible with the package manager on the host. However this cannot be guaranteed and it is more robust to chroot into the image root and call the package manager from there. However, this change also comes with the cost that it's required to have a package manager available in the image root tree. Therefore along with the chroot based call, eventual exceptions from the call are now caught and lead to a debug message in the log file but will not lead the runtime check to fail. I consider the cases without a package database inside of the image to be less critical than the incompatibility issue between the host tooling and the package database in the image.
  This Fixes bsc#1185937

==== rubygem-parser ====
Version update (3.0.1.1 -> 3.0.2.0)

- updated to version 3.0.2.0
  API modifications:
  * Bump maintenance branches to 3.0.2, 2.7.4, and 2.6.8 (#805) (Koichi ITO)
  Features implemented:
  * lexer.rl: reject `\u` after control/meta escape chars. (#807) (Ilya Bylich)
  * ruby31.y: allow "command" syntax in endless method definition (#801) (Koichi ITO)

==== rubygem-rubocop ====
Version update (1.17.0 -> 1.18.3)

- updated to version 1.18.3
  ### Bug fixes
  * [#9891](https://github.com/rubocop/rubocop/issues/9891): Fix `--auto-gen-config` bug for `Style/HashSyntax`. ([@jonas054][])
  * [#9905](https://github.com/rubocop/rubocop/issues/9905): Fix false positive for single line concatenation in `Layout/LineEndStringConcatenationIndentation`. ([@jonas054][])
  * [#9907](https://github.com/rubocop/rubocop/issues/9907): Fix an incorrect auto-correct for `Lint/UselessTimes` when using block argument for `1.times`. ([@koic][])
  * [#9869](https://github.com/rubocop/rubocop/issues/9869): Fix reference to file in configuration override warning. ([@jonas054][])
  * [#9902](https://github.com/rubocop/rubocop/issues/9902): Fix an incorrect auto-correct for `Style/BlockDelimiters` when there is a comment after the closing brace. ([@koic][])
  * [#8469](https://github.com/rubocop/rubocop/issues/8469): Add inspection of `class <<` to `Layout/SpaceAroundOperators`. ([@jonas054][])
  * [#9909](https://github.com/rubocop/rubocop/pull/9909): This PR fixes an incorrect auto-correct for `Style/SingleLineMethods` when using `return`, `break`, or `next` for one line method body in Ruby 3.0. ([@koic][])
  * [#9914](https://github.com/rubocop/rubocop/issues/9914): Fix an error for `Layout/HashAlignment` when using aligned hash argument for `proc.()`. ([@koic][])

==== selinux-policy ====
Subpackages: selinux-policy-targeted

- Add tabrmd SELinux modules from upstream (bsc#1187925)
  https://github.com/tpm2-software/tpm2-abrmd/tree/master/selinux
- Automatic spec-cleaner to fix ordering and misaligned spaces