Packages changed:
bubblewrap (0.9.0 -> 0.10.0)
ffmpeg-6
libnftnl (1.2.6 -> 1.2.7)
lvm2
lvm2-device-mapper
lz4
openSUSE-release (20240815 -> 20240816)
python-kiwi (10.0.27 -> 10.1.2)
texlive
unbound (1.20.0 -> 1.21.0)
=== Details ===
==== bubblewrap ====
Version update (0.9.0 -> 0.10.0)
Subpackages: bubblewrap-zsh-completion
- Update to version v0.10.0:
* New features: Add the --[ro-]bind-fd option, which can be used
to mount a filesystem represented by a file descriptor without
time-of-check/time-of-use attacks. This is needed when
resolving CVE-2024-42472 in Flatpak.
* Other changes: Fix some confusing syntax in SetupOpFlag (no
functional change).
==== ffmpeg-6 ====
Subpackages: libavcodec60 libavfilter9 libavformat60 libavutil58 libpostproc57 libswresample4 libswscale7
- Remove ffmpeg-6-CVE-2024-32228-shim-5d7f234e.patch and
ffmpeg-6-CVE-2024-32228.patch to make the bot happy.
- Renumber patches.
- Disable ffmpeg-6-CVE-2024-32228-shim-5d7f234e.patch and
ffmpeg-6-CVE-2024-32228.patch as they brake compilation with
BUILD_ORIG enabled, i.e. Packman.
==== libnftnl ====
Version update (1.2.6 -> 1.2.7)
- Update to release 1.2.7
* Avoid potential use-after-free when clearing set's expression
list
* Avoid misc buffer overflows in attribute setters
* Implement nftnl_obj_unset symbol already exported in
libnftnl.map
* Remove unimplemented symbols from libnftnl.map
* Validate per-expression and per-object attribute value and
data length
* Fix synproxy object setter with unaligned data
==== lvm2 ====
Subpackages: liblvm2cmd2_03
- lvm2-monitor.service fails to start (boo#1228854)
+ bug-1228854_lvm2-monitor-service-start-after-system-fully-booted.patch
==== lvm2-device-mapper ====
Subpackages: device-mapper libdevmapper-event1_03 libdevmapper1_03
- lvm2-monitor.service fails to start (boo#1228854)
+ bug-1228854_lvm2-monitor-service-start-after-system-fully-booted.patch
==== lz4 ====
Subpackages: liblz4-1 liblz4-1-x86-64-v3
- Switch to cmake build system: Creates extra cmake modules for
consuming projects
==== openSUSE-release ====
Version update (20240815 -> 20240816)
Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd
- automatically generated by openSUSE-release-tools/pkglistgen
==== python-kiwi ====
Version update (10.0.27 -> 10.1.2)
- Bump version: 10.1.1 → 10.1.2
- Improve error reporting for remote deployment
Add new method called show_log_and_quit which displays
the written error log file as a file box to the user
- Update test-image-orthos integration test
Update the test such that you can also build it locally.
Change the remote installation target to be a ramdisk
for easy testing of remote deployments
- Setup default minimum volume size per filesystem
The former method provided a static value but there are huge
differences for the minimum size requirement of a filesystem.
For example extX is fine with 30MB whereas XFS requires 300MB.
This commit adds a more dynamic default value based on the
used filesystem.
- Increase default volume size
So far 30MB was set as default volume size which is by far
too small for a number of filesystems, e.g btrfs and also XFS.
This commit increases the default volume size such that all
modern filesystems builds if the default volume size is used.
- Update test-image-raid
Apart from testing raid this integration test also tests
a certain LVM volume setup. The test has been updated
to use the btrfs filesystem because it has the most strict
size requirements.
- Bump version: 10.1.0 → 10.1.1
- Mandatory package scripts for Debian bootstrap
Make sure to run some mandatory package pre/post scripts
such that settings like /etc/passwd, a root user, etc..
exists. This action can also be done in post_bootstrap.sh
but I think it's better to do this in the core code
- Bump version: 10.0.28 → 10.1.0
- kiwi no longer uses debootstrap
For building Debian based images we used debootstrap to
bootstrap an empty root until apt-get could be used to
complete the job. This has now changed such hat apt-get
is also used for bootstrapping a new system. The concept
and also potential alternatives to the way kiwi bootstraps
Debian based systems can be found here:
* https://osinside.github.io/kiwi/working_with_images/build_without_debianbootstrap.html
Due to the drop of debootstrap it might happen that
package lists of existing image descriptions needs to be
extended with packages that were formerly pulled in by
debootstrap but did not get properly pulled in with the
new apt based bootstrap. As reference please check out the
integration tests from here:
* https://github.com/OSInside/kiwi/tree/main/build-tests/x86/ubuntu
* https://github.com/OSInside/kiwi/tree/main/build-tests/x86/debian
Thanks
- Bump version: 10.0.27 → 10.0.28
- Update documentation
kiwi no longer uses debootstrap
- Fix test_process_result_bundle_as_rpm
- Fix Debian/Ubuntu integration tests
Remove package hacks for debootstrap, explicitly add
required packages and or configurations.
- Drop types-pkg_resources
Got removed from PyPI
- Fix test_process_result_bundle_as_rpm
os.path.basename was called on a MagicMock object which
sometimes confused pytest
- Fix kiwi-repart restrictions
The kiwi repart dracut module reads a profile file and if it
does not exists it dies in the initrd. However, that profile
file is not mandatory for the main resize functionality. Thus
this commit turns this into a warning message. In addition
the module-setup for 90kiwi-repart makes sure to include
the required and optional profile files.
This Fixes bsc#1228118
==== texlive ====
- Added -Wno-error=incompatible-pointer-types to optflags to work
around boo#1228342 and enable build with GCC 14 on 32bit
architectures.
==== unbound ====
Version update (1.20.0 -> 1.21.0)
Subpackages: libunbound8 unbound-anchor
- Update to 1.21.0:
Security Fixes:
* Merge #1073: fix null pointer dereference issue in function
ub_ctx_set_fwd.
[CVE-2024-43167, bsc#1229068]
Features:
* Fix #1071: [FR] Clear both in-memory and cachedb module cache
with `unbound-control flush*` commands.
* Fix #144: Port ipset to BSD pf tables.
* Add dnstap-sample-rate that logs only 1/N messages, for high
volume server environments. Thanks Dan Luther.
* Add root key 38696 from 2024 for DNSSEC validation. It is added
to the default root keys in unbound-anchor. The content can be
inspected with `unbound-anchor -l`.
* Merge #1090: Cookie secret file. Adds `cookie-secret-file:
"unbound_cookiesecrets.txt"` option to store cookie secrets for
EDNS COOKIE secret rollover. The remote control
add_cookie_secret, activate_cookie_secret and
drop_cookie_secret commands can be used for rollover, the
command print_cookie_secrets shows the values in use.
Bug Fixes:
* Fix CAMP issues with global quota. Thanks to Huayi
Duan, Marco Bearzi, Jodok Vieli, and Cagin Tanir from NetSec
group, ETH Zurich.
* Fix CacheFlush issues with limit on NS RRs. Thanks to Yehuda
Afek, Anat Bremler-Barr, Shoham Danino and Yuval Shavitt
(Tel-Aviv University and Reichman University).
* Merge #1062: Fix potential overflow bug while parsing port in
function cfg_mark_ports.
* Fix for #1062: declaration before statement, avoid print of
null, and redundant check for array size.
* Fix to squelch udp connect errors in the log at low verbosity
about invalid argument for IPv6 link local addresses.
* Fix when the mesh jostle is exceeded that nameserver targets
are marked as resolved, so that the lookup is not stuck on the
requestlist.
* Add missing common functions to tdir tests.
* Merge #1070: Fix rtt assignement for low values of
infra-cache-max-rtt.
* Merge #1069: Fix unbound-control stdin commands for
multi-process Unbounds.
* Fix unbound-control commands that read stdin in multi-process
operation (local_zones_remove, local_zones, local_datas_remove,
local_datas, view_local_datas_remove, view_local_datas). They
will be properly distributed to all processes. dump_cache and
load_cache are no longer supported in multi-process operation.
* Remove testdata/remote-threaded.tdir.
testdata/09-unbound-control.tdir now checks both single and
multi process/thread operation.
* Fix to print a parse error when config is read with no name for
a forward-zone, stub-zone or view.
* Fix for parse end of forward-zone, stub-zone and view.
* Fix for #1064: Fix that cachedb expired messages are considered
insecure, and thus can be served to clients when dnssec is
enabled.
* Fix #1059: Intermittent DNS blocking failure with local-zone
and always_nxdomain. Addition of local_zones dynamically via
unbound-control was not finding the zone's parent correctly.
* Fix #1064: Unbound 1.20 Cachedb broken?
* Fix unused variable warning on compilation with no thread
support.
* unbound-control-setup: check openssl availability before doing
anything, patch from Michael Tokarev.
* Update patch to remove 'command' shell builtin and update error
text.
* Fix to enable that SERVFAIL is cached, for a short period, for
more cases. In the cases where limits are exceeded.
* Fix spelling of tcp-idle-timeout docs, from Michael Tokarev.
* Merge #1078: Only check old pid if no username.
* Fix #1079: tags from tagged rpz zones are no longer honored
after upgrade from 1.19.3 to 1.20.0.
* Fix for #1079: fix RPZ taglist in iterator callback that no
client info is like no taglist intersection.
* Fix to squelch connection reset by peer errors from log. And
fix that the tcp read errors are labeled as initial for the
first calls.
* Merge #1080: AddressSanitizer detection in tdir tests and
memory leak fixes.
* Fix memory leak when reload_keep_cache is used and num-threads
changes.
* Fix memory leak on exit for unbound-dnstap-socket; creates
false negatives during testing.
* Fix memory leak in setup of dsa sig.
* Fix typos for 'the the' in text.
* Fix validation for repeated use of a DNAME record.
* Add unit test for validation of repeated use of a DNAME record.
* Fix #1091: Build fails with OpenSSL >= 3.0 built with
OPENSSL_NO_DEPRECATED.
* Fix #1092: Ubuntu 22.04 Jammy fails to compile unbound 1.20.0;
by adding helpful text for the Python interpreter version and
allowing the default pkg-config unavailability error message to
be shown.
* Fix pkg-config availability check in dnstap/dnstap.m4 and
systemd.m4.
* Explicitly set the RD bit for the mesh query flags when
prefetching. These queries have no waiting client but they need
to be treated as recursive.
* Fix ip-ratelimit-cookie setting, it was not applied.
* Fix to remove unused include from the readzone test program.
... changelog too long, skipping 91 lines ...
example.conf.