SUSE-RU-2020:2072-1: Security update for ansible, crowbar-core, crowbar-ha, crowbar-openstack, etcd, flannel, grafana, keepalived, kibana, memcached, monasca-installer, openstack-dashboard-theme-SUSE, openstack-manila, openstack-neutron-fwaas, openstack-nova, openstack-tempest, python-Django, python-Pillow, python-psql2mysql, python-psutil, python-py, python-pysaml2, python-waitress, rabbitmq-server, release-notes-suse-openstack-cloud, zookeeper

sle-updates at lists.suse.com
Wed Jul 29 13:12:46 MDT 2020


   SUSE Recommended Update: Security update for ansible, crowbar-core, crowbar-ha, crowbar-openstack, etcd, flannel, grafana, keepalived, kibana, memcached, monasca-installer, openstack-dashboard-theme-SUSE, openstack-manila, openstack-neutron-fwaas, openstack-nova, openstack-tempest, python-Django, python-Pillow, python-psql2mysql, python-psutil, python-py, python-pysaml2, python-waitress, rabbitmq-server, release-notes-suse-openstack-cloud, zookeeper
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:2072-1
Rating:             low
References:         #1037777 #1068612 #1069468 #1070737 #1077718 
                    #1083903 #1111657 #1126503 #1133817 #1135773 
                    #1138748 #1148383 #1149110 #1149535 #1153191 
                    #1156525 #1159447 #1160152 #1160153 #1160192 
                    #1160790 #1160851 #1161088 #1161089 #1161349 
                    #1161670 #1164316 #1165402 #1167244 #1170657 
                    #1171560 #1171909 #1172166 #1172167 #1172175 
                    #1172176 #1172409 #948198 #981848 
Affected Products:
                    SUSE OpenStack Cloud 7
______________________________________________________________________________

   An update that solves 31 vulnerabilities and has 8 fixes is
   now available.

Description:

   This update for ansible, crowbar-core, crowbar-ha, crowbar-openstack,
   etcd, flannel, grafana, keepalived, kibana, memcached, monasca-installer,
   openstack-dashboard-theme-SUSE, openstack-manila, openstack-neutron-fwaas,
   openstack-nova, openstack-tempest, python-Django, python-Pillow,
   python-psql2mysql, python-psutil, python-py, python-pysaml2,
   python-waitress, rabbitmq-server, release-notes-suse-openstack-cloud,
   zookeeper fixes the following issues:

   Security fixes included in this update:

   ansible
   - CVE-2019-3828: Fixed a path traversal in the fetch module (bsc#1126503).

   grafana
   - CVE-2020-13379: Fixed an incorrect access control issue which could lead
     to information leaks or denial of service (bsc#1172409).
   - CVE-2020-12052: Fixed a cross-site scripting vulnerability related to
     the annotation popup (bsc#1170657).

   kibana
   - CVE-2020-10743: Fixed a clickjacking vulnerability (bsc#1171909).

   memcached (to version 1.5.17)
   - CVE-2019-15026: Fixed a stack-based buffer over-read in conn_to_str()
     (bsc#1149110).
   - CVE-2019-11596: Fixed a denial of service in the 'lru' command
     (bsc#1133817).
   - CVE-2018-1000115: Disabled UDP by default to reduce DDoS amplification
     attacks (bsc#1083903).

   python-Django
   - CVE-2020-13254: Fixed a data leakage via malformed memcached keys
     (bsc#1172167).
   - CVE-2020-13596: Fixed a cross site scripting vulnerability related to
     the admin parameters of the ForeignKeyRawIdWidget (bsc#1172166).
   - Fixed a regression with the fix for CVE-2019-3498 (bsc#1161349).

   python-Pillow
   - CVE-2019-16865: Fixed a denial of service with specially crafted image
     files (bsc#1153191).
   - CVE-2020-5312: Fixed a buffer overflow in the PCX P mode (bsc#1160152).
   - CVE-2020-5313: Fixed a buffer overflow related to FLI (bsc#1160153).
   - CVE-2019-19911: Fixed a denial of service in FpxImagePlugin.py
     (bsc#1160192).

   python-pysaml2
   - CVE-2020-5390: Fixed an issue with the verification of signatures in
     SAML documents (bsc#1160851).
   - CVE-2017-1000246: Fixed weak encryption of data caused by
     initialization vector reuse (bsc#1068612).

   python-waitress (to version 1.4.3)
   - CVE-2019-16785: Fixed HTTP request smuggling through LF vs CRLF handling
     (bsc#1161088).
   - CVE-2019-16786: Fixed HTTP request smuggling through invalid
     Transfer-Encoding (bsc#1161089).
   - CVE-2019-16789: Fixed HTTP Request Smuggling through invalid whitespace
     characters (bsc#1160790).
   - CVE-2019-16792: Fixed HTTP Request Smuggling through Content-Length
     header handling (bsc#1161670).
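   The four waitress entries above all concern HTTP/1.1 request framing: which
   bytes terminate a line, which Transfer-Encoding values are acceptable,
   whitespace inside header fields, and how Content-Length is parsed. When a
   front-end proxy and a back-end server answer those questions differently,
   they disagree about where one request ends and the next begins, which is the
   root of request smuggling. The validator below is an added example written
   for this advisory; it is not waitress code and not the project's fix. The
   function names (check_request, classify) and the sample requests are
   constructed for illustration. It shows the strict, reject-on-ambiguity
   parsing that closes each class of problem named in the list.

```python
"""Strict HTTP/1.1 request-framing checks (added example, not waitress code).

Rejects the header ambiguities that the waitress entries above are about:
bare LF line endings, a Transfer-Encoding that is not exactly 'chunked',
whitespace around a header name, and a Content-Length that is not a plain
decimal or that conflicts with Transfer-Encoding.
"""
import re

# RFC 7230 'token' characters; a header name must consist only of these.
_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")
_DIGITS = re.compile(r"^[0-9]+$")


class FramingError(ValueError):
    """Raised for any request whose body length is ambiguous."""


def split_head(raw: bytes) -> list:
    """Split the request head into lines, insisting on CRLF terminators."""
    if b"\r\n\r\n" not in raw:
        raise FramingError("request head not terminated by CRLF CRLF")
    head = raw.split(b"\r\n\r\n", 1)[0]
    # After removing every CRLF, any LF left over was a bare line terminator.
    if b"\n" in head.replace(b"\r\n", b""):
        raise FramingError("bare LF inside request head")
    return head.split(b"\r\n")


def parse_headers(lines) -> dict:
    """Parse header lines; duplicate framing headers are rejected."""
    headers = {}
    for line in lines:
        if not line:
            raise FramingError("empty header line")
        name, sep, value = line.partition(b":")
        if not sep:
            raise FramingError("header line without colon")
        # 'Content-Length : 5' (space before the colon) is not a valid field.
        if name != name.strip() or not _TOKEN.match(name.decode("latin-1")):
            raise FramingError("whitespace around or inside header name")
        key = name.decode("latin-1").lower()
        val = value.strip(b" \t").decode("latin-1")
        if key in headers:
            if key in ("content-length", "transfer-encoding"):
                raise FramingError(f"duplicate {key}")
            headers[key] += ", " + val
        else:
            headers[key] = val
    return headers


def body_length(headers):
    """Return 'chunked' or an int body length, or raise on ambiguity."""
    te = headers.get("transfer-encoding")
    cl = headers.get("content-length")
    if te is not None:
        codings = [c.strip().lower() for c in te.split(",")]
        if codings != ["chunked"]:  # strict: only a bare 'chunked' is accepted
            raise FramingError("unsupported or malformed Transfer-Encoding")
        if cl is not None:
            raise FramingError("both Transfer-Encoding and Content-Length")
        return "chunked"
    if cl is None:
        return 0
    # int('+5') and int(' 5') succeed in Python; insist on digits only.
    if not _DIGITS.match(cl):
        raise FramingError("Content-Length is not a plain decimal")
    return int(cl)


def check_request(raw: bytes):
    """Validate framing of one raw request; returns the body length."""
    lines = split_head(raw)
    request_line, header_lines = lines[0], lines[1:]
    if len(request_line.split(b" ")) != 3:
        raise FramingError("malformed request line")
    return body_length(parse_headers(header_lines))


def classify(raw: bytes) -> str:
    """Human-readable verdict for a raw request (used by the demo below)."""
    try:
        return f"ok:{check_request(raw)}"
    except FramingError as err:
        return f"reject:{err}"


if __name__ == "__main__":
    # Constructed sample requests, one well-formed and several ambiguous.
    samples = [
        b"POST /x HTTP/1.1\r\nHost: a\r\nContent-Length: 5\r\n\r\nhello",
        b"POST /x HTTP/1.1\r\nHost: a\nContent-Length: 5\r\n\r\n",
        b"POST /x HTTP/1.1\r\nContent-Length : 5\r\n\r\n",
        b"POST /x HTTP/1.1\r\nContent-Length: +5\r\n\r\n",
        b"POST /x HTTP/1.1\r\nTransfer-Encoding: chunked, identity\r\n\r\n",
    ]
    for s in samples:
        print(classify(s))
```

   The important design choice is that every ambiguity is a hard reject rather
   than a best-effort interpretation: a server that silently picks one reading
   is exactly what a smuggling attack relies on, so the safe behaviour for a
   back-end is to answer 400 and close the connection.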

   rubygem-activeresource
   - CVE-2020-8151: Fixed an information disclosure issue through specially
     crafted requests (bsc#1171560).

   rubygem-json-1_7
   - CVE-2020-10663: Fixed an unsafe object creation vulnerability in JSON
     (bsc#1167244).

   rubygem-puma
   - CVE-2020-11077: Fixed HTTP request smuggling through a proxy
     (bsc#1172175).
   - CVE-2020-11076: Fixed HTTP request smuggling through an invalid
     Transfer-Encoding header.
   - CVE-2020-5247: Fixed HTTP response splitting through newline character
     handling (bsc#1165402).

   zookeeper
   - CVE-2019-0201: Fixed an information disclosure related to getACL()
     (bsc#1135773).

   Non security fixes included in this update:

   Changes in ansible:
   - Add 0001-Disallow-use-of-remote-home-directories-containing-..patch
     (bsc#1126503, CVE-2019-3828)

   Changes in crowbar-core:
   - Update to version 4.0+git.1580209654.1d112d31f:
     * network: start OVS before wickedd (SOC-11067)

   Changes in crowbar-ha:
   - Update to version 4.0+git.1585316203.d6ad2c8:
     * [4.0] add ssl termination on haproxy (bsc#1149535)

   Changes in crowbar-openstack:
   - Update to version 4.0+git.1589804581.9972163f0:
     * [4.0] magnum: fix check for image/flavor (SOC-11251)

   - Update to version 4.0+git.1589647351.ccfd9481f:
     * [4.0] trove: fix rabbitmq connection URL (SOC-11286)

   - Update to version 4.0+git.1589458214.9f765aa08:
     * [4.0] Fix create magnum k8s image and flavor (SOC-11251)

   - Update to version 4.0+git.1588271860.131fc8cc1:
     * run keystone_register on cluster founder only when HA (SOC-11248)
     * nova: run keystone_register on cluster founder only (SOC-11243)

   - Update to version 4.0+git.1588096523.679da5c50:
     * tempest: retry openstack commands (SOC-11238)

   - Update to version 4.0+git.1587129016.c009e43c9:
     * Disable magnum.tests.functional.api.v1.test_cluster (SOC-11224)

   - Update to version 4.0+git.1587035427.abb6e9b4e:
     * Fix barbican SSL support (SOC-9298)

   - Update to version 4.0+git.1586421486.5601320b7:
     * Fix magnum tempest tests (SOC-9298)

   - Update to version 4.0+git.1585331022.609482166:
     * tempest: update blacklisted tempest test cases
       (SOC-9801,SOC-11174,SOC-11187)

   - Update to version 4.0+git.1585136604.988f3a1da:
     * Disabling failing tempest tests on SOC7
     * [4.0] ec2-api: run keystone_register on cluster founder only
       (SOC-11079)

   - Update to version 4.0+git.1582582068.c8c2448c0:
     * neutron: Place space between CLI arguments

   - Update to version 4.0+git.1580894959.1fe5fd282:
     * Revert "[4.0] rabbitmq: sync startup definitions.json with recipe"
       (SOC-11082)

   - Update to version 4.0+git.1580469474.967ab8baf:
     * rabbitmq: sync startup definitions.json with recipe (SOC-11077)

   Changes in etcd:
   - Build against go 1.6

   - Fix etcd build. We are generating 2 binaries, etcd and etcdctl. They
     need to be built separately

   - Ensure /var/lib/etcd is controlled by etcd:etcd

   - exclude i586. We don't expect this package to be built on i586.

   - remove sysconfig.etcd: this file is not being used

   - Update to version 3.1.0:
     * raft: add node should reset the pendingConf state
     * v3rpc: don't close watcher if client closes send
     * e2e: add test for v3 watch over grpc gateway
     * mvcc: remove unused restore method
     * integration: don't expect recv to stop on CloseSend in waitResponse
     * Documentation: add grpc gateway watch example
     * version: bump up v3.1.0-rc.1+git
     * discovery: warn on scheme mismatch
     * grpcproxy: fix deadlock on watch broadcasts stop
     * etcdmain: add '/metrics' HTTP/1 path to grpc-proxy
     * etcd-tester: do not resolve localhost
     * raftexample: confState should be saved after apply
     * raft: test case to check the duplicate add node propose
     * raft: fix test case, should wait config propose applied
     * raft: fix test case for data race
     * raft: use the channel instead of sleep to make test case reliable
     * raft: fix TestNodeProposeAddDuplicateNode
     * etcdmain: handle TLS in grpc-proxy listener
     * etcd-tester: limit max retry backoff delay
     * functional-tester: add withBlock() to grpc dial
     * op-guide: add notes about Prometheus data source in Grafana
     * clientv3: return copy of endpoints, not pointer
     * auth: add a timeout mechanism to simple token
     * client: update README about health monitoring
     * grpcproxy: fix race between watch ranges delete() and broadcasts
       empty()
     * lease: Use monotonic time in lease
     * integration: use Range to wait for reboot in quota tests
     * grpcproxy: fix race between coalesce and bcast on nextrev
     * etcd-tester: refactor lease checker
     * store: check sorted order in TestStoreGetSorted
     * vendor: bump go-systemd to v14 to avoid build error
     * integration: cancel Watch when TestV3WatchWithPrevKV exits
     * grpcproxy: add richer metrics for watch
     * grpcproxy: add cache related metrics
     * raft: Fix election "logs converge" test
     * raft: Export Progress.IsPaused
     * benchmark: add rate limit
     * etcdctl: remove GetUser check before mutable commands
     * grpcproxy: lock store when getting size
     * Documentation: link added to libraries-and-tools.md with a new v2
       Scala Client
     * grpcproxy: fix deadlock in watchbroadcast
     * etcdserver: time out when readStateC is blocking
     * store: fix store_test.go comments
     * vendor: update ugorji/go
     * client: update generated ugorji codec
     * doc: initial faq
     * clientv3/integration: test lease keepalive works following quorum loss
     * integration: use RequireLeader for TestV3LeaseFailover
     * v3rpc, etcdserver, leasehttp: ctxize Renew with request timeout
     * Documentation: add blox and chain as users
     * etcdserver: do not send v2 sync if ttl keys do not exist
     * ROADMAP: update for 3.2
     * Documentation: add more FAQ questions
     * grpcproxy: fix minor typo
     * vendor: use versions when possible in glide.yaml
     * scripts: use glide update if repo exists in glide.lock
     * github: make bug reporting link non-relative
     * github: make contribution link non-relative
     * Documentation: update get examples to be clearer about ranges
     * etcdserver, embed, v2http: move pprof setup to embed
     * doc: add faq about apply warning logging
     * test: exclude '_home' for gosimple, unused
     * auth: fix gosimple errors
     * integration: simplify boolean comparison in resp.Created
     * raft: simplify boolean comparison, remove unused
     * tools: simplify boolean comparison, remove unused
     * e2e: remove unused 'ctlV3GetFailPerm'
     * v3rpc: remove unused 'splitMethodName' function
     * grpcproxy: remove unused field 'wbs *watchBroadcasts'
     * doc: add faq about missing heartbeat
     * etcdctl: "fields" output formats
     * build: remove dir use -r flag
     * etcd-tester: add 'enable-pprof' option
     * etcd-tester: cancel lease stream; fix OOM panic
     * doc: add hardware section
     * auth: improve 'removeSubsetRangePerms' to O(n)
     * Documentation: use port 2379 in local cluster guide The port in
       endpoints should be 2379, instead of 12379.
     * op-guide/clustering: fix typo
     * embed: deep copy user handlers
     * Documentation: add more FAQs (follower, leader, sys-require)
     * clientv3: close Lease on client Close
     * netutil: ctx-ize URLStringsEqual
     * etcdserver: retry for 30s on advertise url check
     * membership: retry for 30s on advertise url check
     * clientv3: return error from KeepAlive if corresponding loop exits
     * clientv3: add test for keep alive loop exit case
     * auth, etcdserver: protect membership change operations with auth
     * e2e: test cases of protecting membership change with auth
     * clientv3: better error message for keep alive loop halt
     * Documentation: FAQ entry for cluster ID mismatches
     * dev-guide: add limit.md
     * Documentation: minor fix nodes -> node
     * etcdctl: warn when backend takes too long to open on migrate
     * docs: explicitly set ETCDCTL_API=3 in recovery.md
     * v3api, rpctypes: add ErrTimeoutDueToConnectionLost
     * clientv3/integration: test lease grant/keepalive with/without failures
     * clientv3: don't reset keepalive stream on grant failure
     * etcdctl: tighten up output, reorganize README.md
     * Documentation: add FAQs on membership operation
     * Documentation: add 'why.md'
     * embed: only override default advertised client URL if the client
       listen URL is 0.0.0.0
     * raft: make memory storage set method thread safe
     * raft: resume paused followers on receipt of MsgHeartbeatResp
     * etcd-tester: fix typo, add endpoint in logs
     * lease: force leader to apply its pending committed index for lease
       operations
     * leasehttp: buffer error channel to prevent goroutine leak
     * raft: fix pre-vote tests
     * etcdserver: rework update committed index logic
     * etcd-tester: remove unused err var from maxRev
     * e2e: check etcdctl endpoint health is healthy if denied permission to
       key
     * benchmark: a new option for configuring dial timeout
     * ctlv3: consider permission denied error to be healthy for endpoints
     * etcdmain: add --metrics flag for exposing histogram metrics
     * e2e: test cluster-health
     * v2http: submit QGET in health endpoint if no progress
     * test: bump grpcproxy pass timeout to 15m
     * lease: use atomics for accessing lease expiry
     * e2e: poll '/version' in release upgrade tests
     * e2e: unset ETCDCTL_API env var before running u2e tests
     * etcdserver: consistent naming in raftReadyHandler
     * coverage: rework code coverage for unit and integration tests
     * testutil: whitelist thread created by go cover
     * rafthttp: bump up timeout in pipeline test
     * grpcproxy, etcdmain, integration: return done channel with WatchServer
     * integration: defer clus.Terminate in watch tests
     * raftexample: load snapshot when opening WAL
     * etcd-runner: make command compliant
     * raft: use status to test node stop
     * etcdserver: expose ErrNotEnoughStartedMembers
     * etcdserver: resume compactor only if leader
     * benchmark: enable grpc error logging on stderr
     * etcd-runner: add flags in watcher for hardcoded values
     * docs: fix recovery example in recovery.md
     * auth: use quorum get for GetUser/GetRole for mutable operations
     * grpcproxy: tear down watch when client context is done
     * integration: use only digits in unix ports
     * e2e: dump stack on ctlTest timeout
     * expect: EXPECT_DEBUG environment variable
     * why: add origin of the term etcd
     * testutil: increase size of buffer for stack dump
     * raft: fix test case for #7042
     * vendor: update ugorji/go
     * integration: add grpc auth testing
     * auth: reject empty user name when checking op permissions
     * etcdctl: create root role on auth enable if it does not yet exist
     * raft: add RawNode test case for #6866
     * pkg/report: support 99.9-percentile, change column name
     * documentation: display docs.md in github browser
     * benchmark: option to rate limit range benchmark
     * etcdserver, clientv3: handle a case of expired auth token
     * tools: Add etcd 3.0 load test tool reference
     * transport: warn on user-provided CA
     * NEWS: add v3.1.0, v3.0.16 + minor fixes
     * clientv3: fix balancer test logic
     * clientv3: don't reset stream on keepaliveonce or revoke failure
     * grpcproxy: use ccache for key cache
     * vendor: remove groupcache, add ccache
     * pkg/report: add 'Stats' to expose report raw data
     * travis: use Go 1.7.4, drop old env var
     * ctlv3: print cluster info after adding new member
     * Documentation: document upgrading to v3.1
     * pkg/report: add nil checking for getTimeSeries
     * etcdserver: use ReqTimeout for linearized read
     * grpcproxy, etcdmain, integration: add close channel to kv proxy
     * glide: update 'golang.org/x/net'
     * vendor: update 'golang.org/x/net'
     * Documentation: update experimental_apis for v3.1 release
     * NEWS: fix date for v3.1 release
     * Documentation: fix typo s/endpoint-health/endpoint health/
     * clientv3/concurrency: fix rev comparison on concurrent key deletion
     * integration: test STM apply on concurrent deletion
     * pkg/flags: fixed prefix checking of the env variables
     * etcdctlv3: snapshot restore works with lease key
     * test: passed the test script arguments as the test function parameters
     * documentation: update build documentation
     * version: bump to v3.1.0

   - Update to version 3.1.0rc.1:
     * grpcproxy: watch next revision should be start revision when not 0
     * grpcproxy: copy range request before storing in cache
     * raft: return empty status if node is stopped
     * mvcc: store.restore taking too long triggering snapshot cycle fix
     * mvcc: TestStoreRestore fix
     * mvcc: Added benchmark for store.restore
     * pkg/netutil: get default interface for tc commands
     * version: bump up v3.1.0-rc.1

   Changes in grafana:
   - Add CVE-2020-13379.patch
     * Security: fix unauthorized avatar proxying (bsc#1172409,
       CVE-2020-13379)
   - Refresh systemd-notification.patch
   - Fix declaration for LICENSE

   - Add
     0002-CVE-2020-12052-bsc1170657-XSS-annotation-popup-vulnerability.patch
     * Security: Fix annotation popup XSS vulnerability (bsc#1170657)

   - Add CVE-2019-15043.patch (SOC-10357, CVE-2019-15043, bsc#1148383)

   Changes in keepalived:
   - update to 2.0.19
   - new BR pkgconfig(libnftnl) to fix nftables support
   - add nftables to the BR
   - added patch
     * linux-4.15.patch
   - add buildrequires for file-devel
     * used in the checker to verify scripts
   - enable json stats and config dump support new BR: pkgconfig(json-c)
   - enable http regexp support: new BR pcre2-devel
   - disable dbus instance creation support as it is marked as dangerous
   - Add BFD build option to keepalived.spec rpm file. Issue #1114 identified
     that the keepalived.spec file was not being generated to build BFD
     support even if keepalived had been configured to support it.
   - full changelog https://keepalived.org/changelog.html

   - update to 1.4.5:
     * Update snapcraft.yaml for 1.4.x+git
     * Fix generation of git-commit.h with git commit number.
     * Set virtual server address family correctly.
     * Set virtual server address family correctly when using tunnelled real
       servers.
     * Fix handling of virtual servers with no real servers at config time.
     * Add warning if virtual and real servers are different address
       families. Although normally the virtual server and real servers must
       have the same address family, if a real server is tunnelled, the
       address families can be different. However, the kernel didn't support
       that until 3.18, so add a check that the address families are the same
       if different address families are not supported by the kernel.
     * Send correct status in Dbus VrrpStatusChange notification. When an
       instance transitioned from BACKUP to FAULT, the Dbus status change
       message reported the old status (BACKUP) rather than the new status
       (FAULT). This commit attempts to resolve that.
     * doc: ipvs schedulers update
     * Fix a couple of typos in configure.ac.
     * Fix namespace collision with musl if_ether.h.
     * Check if return value from read_value_block() is null before using.
     * Fix reporting real server stats via SNMP.
     * Make checker process handle RTM_NEWLINK messages with -a option. Even
       though the checker process doesn't subscribe to RTNLGRP_LINK messages,
       it appears that older kernels (certainly 2.6.32) can send RTM_NEWLINK
       (but not RTM_DELLINK) messages. This occurs when the link is set to up
       state. Only the VRRP process is interested in link messages, and so
       the checker process doesn't do the necessary initialisation to be able
       to handle RTM_NEWLINK messages. This commit makes the checker process
       simply discard RTM_NEWLINK and RTM_DELLINK messages, rather than
       assuming that if it receives an RTM_NEWLINK message it must be the
       VRRP process. This problem was reported in issue #848 since the
       checker process was segfaulting when a new interface was added when
       the -a command line option was specified.
     * Fix handling RTM_NEWLINK when building without VRRP code.
     * Fix building on Fedora 28. net-snmp-config output can include compiler
       and linker flags that refer to spec files that were used to build
       net-snmp but may not exist on the system building keepalived. That
       would cause the build done by configure to test for net-snmp support
       to fail; in particular on a Fedora 28 system that doesn't have the
       redhat-rpm-config package installed. This commit checks that any spec
       files in the compiler and linker flags returned by net-snmp-config
       exist on the system building keepalived, and if not it removes the
       reference(s) to the spec file(s).
     * keepalived-1.4.3 released.
     * vrrp: setting '0' as default value for ifa_flags to make gcc happy.
     * Add additional libraries when testing for presence of SSL_CTX_new().
       It appears that some systems need -lcrypto when linking with -lssl.
     * Sanitise checking of libnl3 in configure.ac.
     * Report and handle missing '}'s in config files.
     * Add missing '\n' in keepalived.data output.
     * Stop backup taking over as master while master reloads. If a reload
       was initiated just before an advert, and since it took one advert
       interval after a reload before an advert was sent, if the reload
       itself took more than one advert interval, the backup could time out
       and take over as master. This commit makes keepalived send adverts
       for all instances that are master immediately before a reload, and
       also sends adverts immediately after a reload, thereby tripling the
       time available for the reload to complete.
     * Add route option fastopen_no_cookie and rule option l3mdev.
     * Fix errors in KEEPALIVED-MIB.txt.
     * Simplify setting on IN6_ADDR_GEN_MODE.
     * Cosmetic changes to keepalived(8) man page.
     * Don't set ipvs sync daemon to master state before becoming master If a
       vrrp instance which was the one specified for the ipvs sync daemon was
       configured with initial state master, the sync daemon was being set to
       master mode before the vrrp instance transitioned to master mode. This
       caused an error message when the vrrp instance transitioned to master
       and attempted to make the sync daemon go from backup to master mode.
       This commit stops setting the sync daemon to master mode at
       initialisation time, and it is set to master mode when the vrrp
       instance transitions to master.
     * Fix freeing vector which has not had any entries allocated.
     * Add additional mem-check diagnostics. vector_alloc, vector_alloc_slot,
       vector_free and alloc_strvec all call MALLOC/FREE but the functions
       written in the mem_check log are vector_alloc etc, not the functions
       that call them. This commit adds logging of the originating calling
       function.
     * Fix memory leak in parser.c.
     * Improve alignment of new mem-check logging.
     * Disable all checkers on a virtual server when ha_suspend set. Only the
       first checker was being disabled; this commit now disables all of
       them. Also, make the decision to disable a checker when
       starting/reloading when scheduling the checker, so that the existence
       of the required address can be checked.
     * Stop genhash segfaulting when built with --enable-mem-check.
     * Fix memory allocation problems in genhash.
     * Properly fix memory allocation problems in genhash.
     * Fix persistence_granularity IPv4 netmask validation. The logic test
       from inet_aton() appears to be inverted.
     * Fix segfault when checker configuration is missing expected parameter.
       Issue #806 mentioned as an aside that "nb_get_retry" without a
       parameter was segfaulting. Commit be7ae80 - "Stop segfaulting when
       configuration keyword is missing its parameter" missed the "hidden"
       uses of vector_slot() (i.e. those used via definitions in header
       files). This commit now updates those uses of vector_slot() to use
       strvec_slot() instead.
     * Fix compiling on Linux 2.x kernels. There were missing checks for
       HAVE_DECL_CLONE_NEWNET causing references to an undeclared variable if
       CLONE_NEWNET wasn't defined.
     * Improve parsing of kernel release. The kernel EXTRAVERSION can start
       with any character (although starting with a digit would be daft), so
       relax the check for it starting with a '-'. Kernels using both '+' and
       '.' being the first character of EXTRAVERSION have been reported.
     * Improve grammar.
     * add support for SNI in SSL_GET check. this adds a `enable_sni`
       parameter to SSL_GET, making sure the check passes the virtualhost in
       the SNI extension during SSL handshake.
     * Optimise setting host name for SSL_GET requests with SNI.
     * Allow SNI to be used with SSL_GET with OpenSSL v1.0.0 and LibreSSL.
     * Use configure to check for SSL_set_tlsext_host_name(). Rather than
       checking for a specific version of the OpenSSL library (and it would
       also need checking the version of the LibreSSL library) let configure
       check for the presence of SSL_set_tlsext_host_name(). Also omit all
       code related to SNI if SSL_set_tlsext_host_name() is not available.
     * Use configure to determine available OpenSSL functionality. Rather
       than using version numbers of the OpenSSL library to determine what
       functions are available, let configure determine whether the functions
       are supported. This also means that the same tests work for LibreSSL.
     * Add support for gratuitous ARPs for IP over Infiniband.
     * Use system header definition instead of local definition IF_HWADDR_MAX
       linux/netdevice.h has definition MAX_ADDR_LEN, which is 32, whereas
       IF_HWADDR_MAX was locally defined to be 20. Unfortunately we end up
       with more system header file juggling to ensure we don't have
       duplicate definitions.
     * Fix vrrp_script and check_misc scripts of type </dev/tcp/127.0.0.1/80.
     * Add the first pre-defined config definition (${_PWD}) ${_PWD} in a
       configuration file will be replaced with the full path name of the
       directory that keepalived is reading the current configuration file
       from.
     * Open and run the notify fifo and script if no other fifo Due to the
       way the code was structured the notify_fifo for both checker and vrrp
       messages wasn't run if neither the vrrp or checker fifo wasn't
       configured. Also, if all three fifos were configured, the general fifo
       script was executed by both the vrrp and checker process, causing
       problems.
     * Add support for Infiniband interfaces when dumping configuration.
     * Tidy up layout in vrrp_arp.c.
     * Add configure check for support of position independent executables
       (PIE).
     * Add check for -pie support, and fix writing to keepalived.data.
     * keepalived-1.4.2 released.
     * Make genhash exit with exit code 1 on error. Issue #766 identified
       that genhash always exits with exit code 1 even if an error has
       occurred.
     * Rationalise printing of http header in genhash.
     * Use http header Content-Length field in HTTP_CHECK/SSL_CHECK. If a
       Content-Length is supplied in the http header, use that as a limit to
       the data length (as wget does). If the length of data received does
       not match the Content-Length log a warning.
     * Optimise parameter passing to fprintf in genhash.
     * Don't declare mark variable if don't have MARK socket option.
     * Fix sync groups with only one member. Commit c88744a0 allowed sync
       groups with only 1 member again, but didn't stop removing the sync
       group if there was only 1 member. This commit now doesn't remove sync
       groups with only one member.
     * Make track scripts work with --enable-debug config option.
     * Add warning if --enable-debug configure option is used.
     * Allow more flexibility of layout of { and } in config files.
       keepalived was a bit fussy about where '{'s and '}'s (braces) could be
       placed in terms of after the keyword, or on a line on their own. It
       certainly was not possible to have multiple braces on one line. This
       commit now provides complete flexibility of where braces are, so long
       as they occur in the correct order.
     * Make alloc_value_block() report block type if there is an error.
     * Simplify alloc_value_block() by using libc string functions.
     * Add dumping of garp delay config when using -d option.
     * Fix fractions of seconds for garp group garp_interval.
     * Make read_value_block() use alloc_value_block(). This removes quite a
       bit of duplication of functionality, and ensures the configuration
       parsing will be more consistent.
     * Fix build with Linux kernel headers v4.15. Linux kernel version 4.15
       changed the libc/kernel headers suppression logic in a way that
       introduces collisions.
     * Add missing command line options to keepalived(8) man page.
     * Fix --dont-release-vrrp. On github, ushuz reported that commit 62e8455
       - "Don't delete vmac interfaces before dropping multicast membership"
       broke --dont-release-vrrp. This commit restores the correct
       functionality.
     * Define _GNU_SOURCE for all compilation units. Rather than defining
       _GNU_SOURCE when needed, let configure add it to the flags passed to
       the C compiler, so that it is defined for all compilation units. This
       ensures consistency.
     * Fix new warnings produced by gcc 8.
     * Fix dumping empty lists. Add a check in dump_list() for an empty list,
       and don't attempt to dump it if it is empty.
     * Resolve conversion-check compiler warnings.
     * Add missing content to installing_keepalived.rst documentation. Issue
       #778 identified that there was text missing at the end of the
       document, and that is now added.
     * Fix systemd service to start after network-online.target. This fix was
       merged downstream by RedHat in response to RHBZ #1413320.
     * Update INSTALL file to describe packages needed for building
       documentation.
     * INSTALL: note linux distro package that provides 'sphinx_rtd_theme'
     * Clear /proc/sys/net/ipv6/conf/IF/disable_ipv6 when create VMACs. An
       issue was identified where keepalived was reporting permission denied
       when attempting to add an IPv6 address to a VMAC interface. It turned
       out that this was because /proc/sys/net/ipv6/conf/default/disable_ipv6
       was set to 1, causing IPv6 to be disabled on all interfaces that
       keepalived created. This commit clears disable_ipv6 on any VMAC
       interfaces that keepalived creates if the vrrp instance is using IPv6.
   - remove linux-4.15.patch: does not apply anymore and not needed (the
     distros using 4.15 have moved on to keepalived 2.x)

   - Only Require insserv on distributions without systemd.
   - Fix systemd related requires/buildRequires
   - Do not run scriptlets that use insserv when using systemd

   - add linux-4.15.patch

   Changes in kibana:
   - Add 0001-Configurable-custom-response-headers-for-server.patch
     (bsc#1171909, CVE-2020-10743)

   Changes in memcached:
   - version update to 1.5.17
     * bugfixes:
       + fix strncpy call in stats conns to avoid ASAN violation
         (bsc#1149110, CVE-2019-15026)
       + extstore: fix indentation
       + add error handling when calling dup function
       + add unlock when item_cachedump malloc failed
       + extstore: emulate pread(v) for macOS
       + fix off-by-one in logger to allow CAS commands to be logged.
       + use strdup for explicitly configured slab sizes
       + move mem_requested from slabs.c to items.c (internal cleanup)
     * new features:
       + add server address to the "stats conns" output
       + log client connection id with fetchers and mutations
       + Add a handler for seccomp crashes
   - version update to 1.5.16
     * bugfixes:
       + When nsuffix is 0 space for flags hasn't been allocated so don't
         memcpy them.
   - version update to 1.5.15
     * bugfixes:
       + Speed up incr/decr by replacing snprintf.
       + Use correct buffer size for internal URI encoding.
       + change some links from http to https
       + Fix small memory leak in testapp.c.
       + free window_global in slab_automove_extstore.c
       + remove inline_ascii_response option
       + -Y [filename] for ascii authentication mode
       + fix: idle-timeout wasn't compatible with binprot
     * features:
       + -Y [authfile] enables an authentication mode for ASCII protocol.
   - modified patches % memcached-autofoo.patch (refreshed)

   - version update to 1.5.14
     * update -h output for -I (max item size)
     * fix segfault in "lru" command (bsc#1133817, CVE-2019-11596)
     * fix compile error on centos7
     * extstore: error adjusting page_size after ext_path
     * extstore: fix segfault if page_count is too high.
     * close delete + incr item survival race bug
     * memcached-tool dump fix loss of exp value
     * Fix "qw" in "MemcachedTest.pm" so wait_ext_flush is exported properly
     * Experimental TLS support.
     * Basic implementation of TLS for memcached.
     * Improve Get And Touch documentation
     * fix INCR/DECR refcount leak for invalid items
   - modified patches % memcached-autofoo.patch (refreshed)

   - Version bump to 1.5.11:
     * extstore: balance IO thread queues
   - Drop memcached-fix_test.patch that is present now upstream

   - Add patch to fix aarch64, ppc64* and s390x tests:
     * memcached-fix_test.patch

   - Fix linter errors regarding COPYING

   - update to 1.5.10:
     * disruptive change in extstore: -o ext_page_count= is deprecated and no
       longer works. To specify size: -o ext_path=/d/m/e:500G extstore
       figures out the page count based on your desired page size. M|G|T|P
       supported.
     * extstore: Add basic JBOD support: ext_path can be specified multiple
       times for striping onto similar devices
     * fix alignment issues on some ARM platforms for chunked items

   - Update to 1.5.9:
     * Bugfix release.
     * Important note: if using --enable-seccomp, privilege dropping is no
       longer on by default. The feature is experimental and many users are
       reporting hard to diagnose problems on varied platforms.
     * Seccomp is now marked EXPERIMENTAL, and must be explicitly enabled by
       adding -o drop_privileges. Once we're more confident with the
       usability of the feature, it will be enabled in -o modern, like any
       other new change. You should only use it if you are willing to
       carefully test it, especially if you're a vendor or distribution.
     * Also important is a crash fix in extstore when using the ASCII
       protocol, large items, and running low on memory.

   - update to 1.5.8:
     * Bugfixes for seccomp and extstore
     * Extstore platform portability has been greatly improved for ARM and
       32bit systems
   - includes changes from 1.5.7:
     * Fix alignment issues for 64bit ARM processors
     * Fix seccomp portability
     * Fix refcount leak with extstore while using binary touch commands

   - turn on the testsuite again, it seems to pass server side, too

   - Home directory shouldn't be world readable bsc#1077718
   - Mention that this stream isn't affected by bsc#1085209, CVE-2018-1000127
     to make the checker bots happy.

   - update to 1.5.6 (bsc#1083903, CVE-2018-1000115):
     * This update disables UDP by default to reduce DDoS amplification
       attacks
     * see https://github.com/memcached/memcached/wiki/ReleaseNotes156
     * see https://github.com/memcached/memcached/wiki/ReleaseNotes155
     * see https://github.com/memcached/memcached/wiki/ReleaseNotes154
     * see https://github.com/memcached/memcached/wiki/ReleaseNotes153
     * see https://github.com/memcached/memcached/wiki/ReleaseNotes152
     * see https://github.com/memcached/memcached/wiki/ReleaseNotes151
     * see https://github.com/memcached/memcached/wiki/ReleaseNotes150

   - Replace references to /var/adm/fillup-templates with new %_fillupdir
     macro (boo#1069468)

   Changes in monasca-installer:
   - Add 0001-kibana:-set-x-frame-options-header.patch (bsc#1171909,
     CVE-2020-10743)

   Changes in openstack-dashboard-theme-SUSE:
   - Switch github URL from git@ to git:// to bypass authentication

   Changes in openstack-manila:
   - Add 0001-Fix-exportfs-u-usage-in-generic-driver.patch Backported from
     upstream patch https://review.opendev.org/#/c/411631/ Related Bug
     (SOC-9801)

   Changes in openstack-neutron-fwaas:
   - Add 0050-Remove-tempest-shared-physical-network.patch (SOC-9801) This
     tempest configuration option is not present in tempest, as it was only
     added after the SOC7 release cut.

   Changes in openstack-nova:
   - Add 0001-live-mig-keep-disk-device-address-same.patch (bsc#1164316)
     - Fix for https://bugs.launchpad.net/nova/+bug/1715569

   Changes in openstack-tempest:

   - Add 0001-Use-available-scheduler-filters.patch Backported from upstream
     patch https://review.opendev.org/#/c/570207/ Related Bugs:
     SOC-9801,SOC-11174

   - Add 0001-Remove-volume_feature_enabled.volume_services.patch Backported
     from upstream patch https://review.opendev.org/#/c/438220/ Related Bug
     (SOC-9801)


   Changes in python-cffi:
   - Do not build python3 subpackages as C:OS:Newton does not support it

   - provide also python-cffi = 1.10.0 and 1.5.2 to avoid breaking the cloud
     7 and 8 requirements (bsc#948198)

   - Update in SLE-12 (bsc#1138748, jsc#ECO-1256, jsc#PM-1598)

   - Add dont-corrupt-memory.patch to fix boo#1111657 (originally from
     https://bitbucket.org/cffi/cffi/commits/7a76a3815340)

   - build python3 subpackage (FATE#324435, FATE#323875)

   - Add patch cffi-loader.patch to fix bsc#1070737
   - Sort out with spec-cleaner

   - update to version 1.11.2:
     * Fix Windows issue with managing the thread-state on CPython 3.0 to 3.5

   - Update pytest in spec to add c directory tests in addition to testing
     directory.
   - Omit test_init_once_multithread tests as they rely on multiple threads
     finishing in a given time. Returns sporadic pass/fail within build.
   - Update to 1.11.1:
     * Fix tests, remove deprecated C API usage
     * Fix (hack) for 3.6.0/3.6.1/3.6.2 giving incompatible binary extensions
       (cpython issue #29943)
     * Fix for 3.7.0a1+

   - Update to 1.11.0:
     * Support the modern standard types char16_t and char32_t. These work
       like wchar_t: they represent one unicode character, or when used as
       charN_t * or charN_t[] they represent a unicode string. The difference
       with wchar_t is that they have a known, fixed size. They should work
       at all places that used to work with wchar_t (please report an issue
       if I missed something). Note that with set_source(), you need to make
       sure that these types are actually defined by the C source you provide
       (if used in cdef()).
     * Support the C99 types float _Complex and double _Complex. Note that
       libffi doesn’t support them, which means that in the ABI mode you
       still cannot call C functions that take complex numbers directly as
       arguments or return type.
     * Fixed a rare race condition when creating multiple FFI instances from
       multiple threads. (Note that you aren’t meant to create many FFI
       instances: in inline mode, you should write ffi = cffi.FFI() at module
       level just after import cffi; and in
       out-of-line mode you don’t instantiate FFI explicitly at all.)
     * Windows: using callbacks can be messy because the CFFI internal error
       messages show up to stderr—but stderr goes nowhere in many
       applications. This makes it particularly hard to get started with the
       embedding mode. (Once you get started, you can at least use
       @ffi.def_extern(onerror=...) and send the error logs where it makes
       sense for your application, or record them in log files, and so on.)
       So what is new in CFFI is that now, on Windows CFFI will try to open a
       non-modal MessageBox (in addition to sending raw messages to stderr).
       The MessageBox is only visible if the process stays alive: typically,
       console applications that crash close immediately, but that is also
       the situation where stderr should be visible anyway.
     * Progress on support for callbacks in NetBSD.
     * Functions returning booleans would in some case still return 0
       or 1 instead of False or True. Fixed.
     * ffi.gc() now takes an optional third parameter, which gives an
       estimate of the size (in bytes) of the object. So far, this is
       only used by PyPy, to make the next GC occur more quickly (issue
       #320). In the future, this might have an effect on CPython too
       (provided the CPython issue 31105 is addressed).
     * Add a note to the documentation: the ABI mode gives function
       objects that are slower to call than the API mode does. For some
       reason it is often thought to be faster. It is not!
   - Update to 1.10.1:
     * Fixed the line numbers reported in case of cdef() errors. Also, I just
       noticed, but pycparser always supported the preprocessor directive #
       42 "foo.h" to mean “from the next line, we’re in file foo.h
       starting from line 42”, which it puts in the error messages.

   - update to 1.10.0:
     * Issue #295: use calloc() directly instead of PyObject_Malloc()+memset()
       to handle ffi.new() with a default allocator. Speeds up
       ffi.new(large-array) where most of the time you never touch most of the
       array.
     * Some OS/X build fixes (“only with Xcode but without CLT”).
     * Improve a couple of error messages: when getting mismatched versions
       of cffi and its backend; and when calling functions which cannot be
       called with libffi because an argument is a struct that is “too
       complicated” (and not a struct pointer, which always works).
     * Add support for some unusual compilers (non-msvc, non-gcc, non-icc,
       non-clang)
     * Implemented the remaining cases for ffi.from_buffer. Now all
       buffer/memoryview objects can be passed. The one remaining check is
       against passing unicode strings in Python 2. (They support the buffer
       interface, but that gives the raw bytes behind the UTF16/UCS4 storage,
       which is most of the times not what you expect. In Python 3 this has
       been fixed and the unicode strings don’t support the memoryview
       interface any more.)
     * The C type _Bool or bool now converts to a Python boolean when
       reading, instead of the content of the byte as an integer. The
       potential incompatibility here is what occurs if the byte contains a
       value different from 0 and 1. Previously, it would just return it;
       with this change, CFFI raises an exception in this case. But this case
       means “undefined behavior” in C; if you really have to interface
       with a library relying on this, don’t use bool in the CFFI side.
       Also, it is still valid to use a byte string as initializer for a
       bool[], but now it must only contain \x00 or \x01. As an aside,
       ffi.string() no longer works on bool[] (but it never made much sense,
       as this function stops at the first zero).
     * ffi.buffer is now the name of cffi’s buffer type, and ffi.buffer()
       works like before but is the constructor of that type.
     * ffi.addressof(lib, "name") now works also in in-line mode, not only in
       out-of-line mode. This is useful for taking the address of global
       variables.
     * Issue #255: cdata objects of a primitive type (integers, floats, char)
       are now compared and ordered by value. For example, <cdata 'int' 42>
       compares equal to 42 and <cdata 'char' b'A'> compares equal to b'A'.
       Unlike C, <cdata 'int' -1> does not compare equal to
       ffi.cast("unsigned int", -1): it compares smaller, because -1 <
       4294967295.
     * PyPy: ffi.new() and ffi.new_allocator()() did not record “memory
       pressure”, causing the GC to run too infrequently if you call
       ffi.new() very often and/or with large arrays. Fixed in PyPy 5.7.
     * Support in ffi.cdef() for numeric expressions with + or -. Assumes
       that there is no overflow; it should be fixed first before we add more
       general support for arbitrary arithmetic on constants.

   - do not generate HTML documentation for packages that are indirect
     dependencies of Sphinx (see docs at https://cffi.readthedocs.org/ )

   - update to 1.9.1
     - Structs with variable-sized arrays as their last field: now we track
       the length of the array after ffi.new() is called, just like we always
       tracked the length of ffi.new("int[]", 42). This lets us detect
       out-of-range accesses to array items. This also lets us display a
       better repr(), and have the total size returned by ffi.sizeof() and
       ffi.buffer(). Previously both functions would return a result based on
       the size of the declared structure type, with an assumed empty array.
       (Thanks andrew for starting this refactoring.)
     - Add support in cdef()/set_source() for unspecified-length arrays in
       typedefs: typedef int foo_t[...];. It was already supported for global
       variables or structure fields.
     - I turned in v1.8 a warning from cffi/model.py into an error: 'enum
       xxx' has no values explicitly defined: refusing to guess which integer
       type it is meant to be (unsigned/signed, int/long). Now I’m turning
       it back to a warning again; it seems that guessing that the enum has
       size int is a 99%-safe bet. (But not 100%, so it stays as a warning.)
     - Fix leaks in the code handling FILE * arguments. In CPython 3 there is
       a remaining issue that is hard to fix: if you pass a Python file
       object to a FILE * argument, then os.dup() is used and the new file
       descriptor is only closed when the GC reclaims the Python file
       object—and not at the earlier time when you call close(), which only
       closes the original file descriptor. If this is an issue, you should
       avoid this automatic conversion of Python file objects: instead,
       explicitly manipulate file descriptors and call fdopen() from C
       (...via cffi).
     - When passing a void * argument to a function with a different pointer
       type, or vice-versa, the cast occurs automatically, like in C. The same
       occurs for initialization with ffi.new() and a few other places.
       However, I thought that char * had the same property—but I was
       mistaken. In C you get the usual warning if you try to give a char *
       to a char ** argument, for example. Sorry about the confusion. This
       has been fixed in CFFI by giving for now a warning, too. It will turn
       into an error in a future version.
     - Issue #283: fixed ffi.new() on structures/unions with nested anonymous
       structures/unions, when there is at least one union in the mix. When
       initialized with a list or a dict, it should now behave more closely
       like the { } syntax does in GCC.
     - CPython 3.x: experimental: the generated C extension modules now use
       the “limited API”, which means that, as a compiled .so/.dll, it
       should work directly on any version of CPython >= 3.2. The name
       produced by distutils is still version-specific. To get the
       version-independent name, you can rename it manually to NAME.abi3.so,
       or use the very recent setuptools 26.
     - Added ffi.compile(debug=...), similar to python setup.py build --debug
       but defaulting to True if we are running a debugging version of Python
       itself.
     - Removed the restriction that ffi.from_buffer() cannot be used on byte
       strings. Now you can get a char * out of a byte string, which is valid
       as long as the string object is kept alive. (But don’t use it to
       modify the string object! If you need this, use bytearray or other
       official techniques.)
     - PyPy 5.4 can now pass a byte string directly to a char * argument (in
       older versions, a copy would be made). This used to be a CPython-only
       optimization.
     - ffi.gc(p, None) removes the destructor on an object previously created
       by another call to ffi.gc()
     - bool(ffi.cast("primitive type", x)) now returns False if the value is
       zero (including -0.0), and True otherwise. Previously this would only
       return False for cdata objects of a pointer type when the pointer is
       NULL.
     - bytearrays: ffi.from_buffer(bytearray-object) is now supported. (The
       reason it was not supported was that it was hard to do in PyPy, but it
       works since PyPy 5.3.) To call a C function with a char * argument
       from a buffer object—now including bytearrays—you write
       lib.foo(ffi.from_buffer(x)). Additionally, this is now supported:
       p[0:length] = bytearray-object. The problem with this was that
       iterating over bytearrays gives numbers instead of characters. (Now
       it is implemented with just a memcpy, of course, not actually
       iterating over the characters.)
     - C++: compiling the generated C code with C++ was supposed to work, but
       failed if you make use the bool type (because that is rendered as the
       C _Bool type, which doesn’t exist in C++).
     - help(lib) and help(lib.myfunc) now give useful information, as well as
       dir(p) where p is a struct or pointer-to-struct.
   - drop upstreamed python-cffi-avoid-bitshifting-negative-int.patch

   - update for multipython build

   - Add python-cffi-avoid-bitshifting-negative-int.patch to actually fix the
     "negative left shift" warning by replacing bitshifting in appropriate
     places by bitwise and comparison to self; patch taken from upstream git.
     Drop cffi-1.5.2-wnoerror.patch: no longer required.

   - disable "negative left shift" warning in test suite to prevent failures
     with gcc6, until upstream fixes the undefined code in question
     (boo#981848, cffi-1.5.2-wnoerror.patch)

   - Update to version 1.6.0:
     * ffi.list_types()
     * ffi.unpack()
     * extern “Python+C”
     * in API mode, lib.foo.__doc__ contains the C signature now.
     * Yet another attempt at robustness of ffi.def_extern() against
       CPython’s interpreter shutdown logic.

   Changes in python-pylons-sphinx-themes:

   - moved LICENSE.txt to docs to match old structure

   - specfile:
     * update copyright year
   - update to version 1.0.11:
     * Fix the width of linenos table column when used in code-blocks.

   - Replace %fdupes -s with plain %fdupes; hardlinks are better.

   - Update to version 1.0.10 (2018-09-25)
     + Add Read the Docs to the recipients of ad revenue.
   - Update to version 1.0.9 (2018-09-23)
     + Remove hyphenation because it sometimes hyphenates inappropriately,
       such as in code.
   - Update to version 1.0.8 (2018-09-21)
     + Fix support for Ethical Ads.
   - Update to version 1.0.7 (2018-09-21)
     + Added support for Ethical Ads for Read The Docs. See
       https://github.com/Pylons/pylons-sphinx-themes/pull/12

   - Remove superfluous devel dependency for noarch package

   - Update to version 1.0.6
     * Update zest.releaser in order to release to PyPI.
   - Update to version 1.0.5
     * Clean up licensing
       https://github.com/Pylons/pylons-sphinx-themes/issues/8

   - Provide/obsolete old pylons_sphinx_theme

   - Update to version 1.0.4
     * Specify line spacing for list items for only within the .body class.
   - Update to version 1.0.3
     * Add line spacing for list items. Closes #4.
   - Update to version 1.0.2:
     * Remove HTTPS protocol to allow either HTTPS or HTTP.
   - Update to version 1.0.1:
     * Use HTTPS for protocol of stylesheets.
   - Update to version 1.0:
     * Use zest.releaser for releasing.
     * Improve documentation.
   - Converted to single-spec

   - version 0.3.1: initial build

   Changes in python-Django:
   - Fix merge artifact in CVE-2020-13596.patch

   - Add CVE-2019-19844.patch (bsc#1159447, CVE-2019-19844)
     * Fix Potential account hijack via password reset form

   - Security fixes (bsc#1172167, bsc#1172166, CVE-2020-13254,
     CVE-2020-13596)
     * Added patch CVE-2020-13254.patch
     * Added patch CVE-2020-13596.patch

   - Set _defaultlicensedir

   - Fix for SG#56542, bsc#1161349:
     * Fixed CVE-2019-3498-Fixed-content-spoof.patch

   - Fix for SG#56542, bsc#1161349:
     * Fixed CVE-2019-3498-Fixed-content-spoof.patch (There was a bug in this
       .patch file; some code had been accidentally included in the backport,
       and this stopped the 404 page from loading. See commit message and bug
       report for more information)

   Changes in python-Pillow:
   - Remove decompression_bomb.gif and relevant test case to avoid ClamAV
     scan alerts during build

   - Add 0008-Corrected-negative-seeks.patch
      * From upstream, backported
      * Fixes part of CVE-2019-16865, bsc#1153191
   - Add 0009-Make-Image.crop-an-immediate-operation.patch
      * From upstream, backported
      * Fixes https://github.com/python-pillow/Pillow/issues/1077
      * Used by 0012-Added-decompression-bomb-checks.patch
   - Add 0010-Crop-decompression.patch
      * From upstream, backported
      * Fixes https://github.com/python-pillow/Pillow/issues/2402
      * Used by 0012-Added-decompression-bomb-checks.patch
   - Add 0011-Added-DecompressionBombError.patch
      * From upstream, backported
      * Adds DecompressionBombError class
      * Used by 0012-Added-decompression-bomb-checks.patch
   - Add 0012-Added-decompression-bomb-checks.patch
      * From upstream, backported
      * Fixes part of CVE-2019-16865, bsc#1153191
   - Add 0013-Raise-error-if-dimension-is-a-string.patch
      * From upstream, backported
      * Fixes part of CVE-2019-16865, bsc#1153191
   - Add 0014-Catch-buffer-overruns.patch
      * From upstream, backported
      * Fixes part of CVE-2019-16865, bsc#1153191
   - Add 0015-Catch-PCX-P-mode-buffer-overrun.patch
      * From upstream, backported
      * Fixes CVE-2020-5312, bsc#1160152
   - Add 0016-Ensure-previous-FLI-frame-is-loaded.patch
      * From upstream, backported
      * Fixes https://github.com/python-pillow/Pillow/issues/2649
      * Uncovers CVE-2020-5313, bsc#1160153
   - Add 0017-Catch-FLI-buffer-overrun.patch
      * From upstream, backported
      * Fixes CVE-2020-5313, bsc#1160153
   - Add 018-Invalid-number-of-bands-in-FPX-image.patch
      * From upstream, backported
      * Fixes CVE-2019-19911, bsc#1160192

   Changes in python-psql2mysql:
   - Update to version 0.5.0+git.1589351878.4ef877c:
     * Do not fail on instance_info length, it is expected to be LONGTEXT

   - Update to version 0.5.0+git.1582192453.98e9561:
     * Neutron drivers use own naming for alembic migrations, e.g.
       cisco_alembic_version, aci_alembic_version, etc depending on driver.

   Changes in python-psutil:
   - Add bsc1156525-CVE-2019-18874.patch (bsc#1156525, CVE-2019-18874)

   Changes in python-py:
   - update to version 1.5.2:
     * fix #169, #170: error importing py.log on Windows: no module named
       "syslog".
   - changes from version 1.5.1:
     * fix #167 - prevent pip from installing py in unsupported Python
       versions.
   - changes from version 1.5.0:
     * python 2.6 and 3.3 are no longer supported
     * deprecate py.std and remove all internal uses
     * fix #73 turn py.error into an actual module
     * path join to / no longer produces leading double slashes
     * fix #82 - remove unsupportable aliases
     * fix python37 compatibility of path.sysfind on windows by correctly
       replacing vars
     * turn iniconfig and apipkg into vendored packages and ease de-vendoring
       for distributions
     * fix #68 remove invalid py.test.ensuretemp references
     * fix #25 - deprecate path.listdir(sort=callable)
     * add TerminalWriter.chars_on_current_line read-only property that
       tracks how many characters have been written to the current line.
   - changes from version 1.4.34
     * fix issue119 / pytest issue708 where tmpdir may fail to make numbered
       directories when the filesystem is case-insensitive.

   - update to version 1.4.33:
     * avoid imports in calls to py.path.local().fnmatch(). Thanks Andreas
       Pelme for the PR.
     * fix issue106: Naive unicode encoding when calling fspath() in python2.
       Thanks Tiago Nobrega for the PR.
     * fix issue110: unittest.TestCase.assertWarns fails with py imported.
   - changes from version 1.4.32
     * fix issue70: added ability to copy all stat info in py.path.local.copy.
     * make TerminalWriter.fullwidth a property. This results in the correct
       value when the terminal gets resized.
     * update supported html tags to include recent additions. Thanks Denis
       Afonso for the PR.
     * Remove internal code in ``Source.compile`` meant to support earlier
       Python 3 versions that produced the side effect
       of leaving ``None`` in ``sys.modules`` when called (see
        pytest-dev/pytest#2103). Thanks Bruno Oliveira for the PR.

   Changes in python-pysaml2:
   - Add 0001-Always-generate-a-random-IV-for-AES-operations.patch
     (CVE-2017-1000246, bsc#1068612)

   - Add 0001-Fix-XML-Signature-Wrapping-XSW-vulnerabilities.patch
     (CVE-2020-5390, bsc#1160851)

   Changes in python-waitress:
   - update to 1.4.3 to include fixes for:
     * CVE-2019-16785 / bsc#1161088
     * CVE-2019-16786 / bsc#1161089
     * CVE-2019-16789 / bsc#1160790
     * CVE-2019-16792 / bsc#1161670

   - moved LICENSE.txt to docs to match old structure

   - make sure UTF8 locale is used when running tests
     * Sometimes functional tests executed in python3 failed if stdout was
       not set to UTF-8. The error message was: ValueError: underlying buffer
       has been detached

   - %python3_only -> %python_alternative

   - update to 1.4.3
     * Waitress did not properly validate that the HTTP headers it received
       were properly formed, thereby potentially allowing a front-end server
       to treat a request different from Waitress. This could lead to HTTP
       request smuggling/splitting.
   - drop patch local-intersphinx-inventories.patch
     * it was commented out, anyway

   - update to 1.4.0:
     - Waitress used to slam the door shut on HTTP pipelined requests without
       setting the ``Connection: close`` header as appropriate in the
       response. This is of course not very friendly. Waitress now explicitly
       sets the header when responding with an internally generated error
       such as 400 Bad Request or 500 Internal Server Error to notify the
       remote client that it will be closing the connection after the
       response is sent.
     - Waitress no longer allows any spaces to exist between the header
       field-name and the colon. While waitress did not strip the space and
       thereby was not vulnerable to any potential header field-name
       confusion, it should have sent back a 400 Bad Request. See
       https://github.com/Pylons/waitress/issues/273
     - CRLF handling security fixes
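The two entries above (1.4.3: malformed headers enabling request smuggling or splitting; 1.4.0: whitespace between the field-name and the colon must be answered with 400) describe the same defensive rule: a server must parse the header section strictly, or a front-end proxy and the back-end may disagree about where one request ends and the next begins. The parser below is an added illustration of that rule written for this page; it is not Waitress code and does not reproduce its internals. The field-name and field-value character classes follow RFC 7230; the decision to reject a request that carries both Content-Length and Transfer-Encoding is this example's own assumption, stated in the code, not something the changelog attributes to Waitress.

```python
import re

# Field-name grammar: an RFC 7230 "token". SP and HTAB are not token
# characters, so a name such as b"Host " (space before the colon) is rejected.
_TOKEN_RE = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Field values: visible ASCII, SP, HTAB and obs-text; bare CR, LF and other
# control characters are rejected.
_VALUE_RE = re.compile(rb"[\t\x20-\x7e\x80-\xff]*")


class BadRequest(ValueError):
    """The header block is malformed and must be answered with 400."""


def parse_header_block(raw):
    """Strictly parse the header section of an HTTP/1.x request.

    `raw` holds every header line, each terminated by CRLF, followed by the
    empty CRLF line that ends the section. Returns {lower-cased name: value}.
    """
    if raw == b"\r\n":
        return {}
    if not raw.endswith(b"\r\n\r\n"):
        raise BadRequest("header section must end with an empty CRLF line")
    headers = {}
    for line in raw[:-4].split(b"\r\n"):
        # Splitting only on CRLF leaves a bare CR or LF inside the line; a
        # lenient peer that also splits on LF would see a different header set.
        if b"\r" in line or b"\n" in line:
            raise BadRequest("bare CR or LF in header line")
        if line[:1] in (b" ", b"\t"):
            raise BadRequest("obsolete line folding is not accepted")
        name, sep, value = line.partition(b":")
        if not sep:
            raise BadRequest("header line without a colon")
        if not _TOKEN_RE.fullmatch(name):
            raise BadRequest("invalid field-name (whitespace before the colon?)")
        value = value.strip(b" \t")
        if not _VALUE_RE.fullmatch(value):
            raise BadRequest("control character in field value")
        key = name.decode("ascii").lower()
        text = value.decode("latin-1")
        if key == "content-length":
            if not re.fullmatch(r"[0-9]+", text):
                raise BadRequest("Content-Length is not a decimal number")
            if key in headers and headers[key] != text:
                raise BadRequest("conflicting Content-Length values")
        elif key in headers:
            # Repeated non-framing headers combine as a comma-separated list.
            text = headers[key] + ", " + text
        headers[key] = text
    # Assumption of this example, not a rule taken from Waitress: a request
    # carrying both framing headers is the classic smuggling ambiguity, so the
    # safe answer is 400 rather than picking one of them.
    if "content-length" in headers and "transfer-encoding" in headers:
        raise BadRequest("both Content-Length and Transfer-Encoding present")
    return headers


def rejects(raw):
    """True if parse_header_block() answers the block with 400 Bad Request."""
    try:
        parse_header_block(raw)
    except BadRequest:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: one well-formed block, one with a space
    # before the colon (the 1.4.0 case), one with a bare LF (the 1.4.3 case).
    print(parse_header_block(b"Host: example.test\r\nContent-Length: 3\r\n\r\n"))
    print(rejects(b"Host : example.test\r\n\r\n"))
    print(rejects(b"Host: a\nX-Foo: b\r\n\r\n"))
```

The point of splitting on CRLF only and then refusing any leftover CR or LF is that it makes the parser's view of the request identical to that of any other strict parser in the chain; that agreement, not the individual checks, is what closes the smuggling window.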

   - update to 1.3.1
     * Waitress won’t accidentally throw away part of the path if it starts
       with a double slash

   - version update to 1.3.0
     Deprecations:
     - The ``send_bytes`` adjustment now defaults to ``1`` and is deprecated
       pending removal in a future release. See
       https://github.com/Pylons/waitress/pull/246
     Features:
     - Add a new ``outbuf_high_watermark`` adjustment which is used to apply
       backpressure on the ``app_iter`` to avoid letting it spin faster than
       data can be written to the socket. This stabilizes responses that
       iterate quickly with a lot of data. See
       https://github.com/Pylons/waitress/pull/242
     - Stop early and close the ``app_iter`` when attempting to write to a
       closed socket due to a client disconnect. This should notify a
       long-lived streaming response when a client hangs up. See
       https://github.com/Pylons/waitress/pull/238 and
       https://github.com/Pylons/waitress/pull/240 and
       https://github.com/Pylons/waitress/pull/241
     - Adjust the flush to output ``SO_SNDBUF`` bytes instead of whatever was
       set in the ``send_bytes`` adjustment. ``send_bytes`` now only controls
       how much waitress will buffer internally before flushing to the
       kernel, whereas previously it used to also throttle how much data was
       sent to the kernel. This change enables a streaming ``app_iter``
       containing small chunks to still be flushed efficiently. See
       https://github.com/Pylons/waitress/pull/246
     Bugfixes:
     - Upon receiving a request that does not include HTTP/1.0 or HTTP/1.1 we
       will no longer set the version to the string value "None". See
       https://github.com/Pylons/waitress/pull/252 and
       https://github.com/Pylons/waitress/issues/110
     - When a client closes a socket unexpectedly there was potential for
       memory leaks in which data was written to the buffers after they were
       closed, causing them to reopen. See
       https://github.com/Pylons/waitress/pull/239
     - Fix the queue depth warnings to only show when all threads are busy.
       See https://github.com/Pylons/waitress/pull/243 and
       https://github.com/Pylons/waitress/pull/247
     - Trigger the ``app_iter`` to close as part of shutdown. This will only
       be noticeable for users of the internal server api. In more typical
       operations the server will die before benefiting from these changes.
       See https://github.com/Pylons/waitress/pull/245
     - Fix a bug in which a streaming ``app_iter`` may never cleanup data
       that has already been sent. This would cause buffers in waitress to
       grow without bounds. These buffers now properly rotate and release
       their data. See https://github.com/Pylons/waitress/pull/242
     - Fix a bug in which non-seekable subclasses of ``io.IOBase`` would
       trigger an exception when passed to the ``wsgi.file_wrapper``
       callback. See https://github.com/Pylons/waitress/pull/249

   - Trim marketing wording and other platform mentions.

   - Add fetch-intersphinx-inventories.sh to sources
   - Add local-intersphinx-inventories.patch for generating the docs correctly

   - update to version 1.2.1: too many changes to list here, see:
     https://github.com/Pylons/waitress/blob/master/CHANGES.txt
     or even: https://github.com/Pylons/waitress/commits/master

   - Remove superfluous devel dependency for noarch package

   - update to version 1.1.0:
     * Features
       + Waitress now has a __main__ and thus may be called with "python
         -mwaitress"
     * Bugfixes
       + Waitress no longer allows lowercase HTTP verbs. This change was made
         to fall in line with most HTTP servers. See
         https://github.com/Pylons/waitress/pull/170
       + When receiving non-ascii bytes in the request URL, waitress will no
         longer abruptly close the connection, instead returning a 400 Bad
         Request. See https://github.com/Pylons/waitress/pull/162 and
         https://github.com/Pylons/waitress/issues/64
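   The three request-line behaviours listed above (no string "None" for a
   missing HTTP version, lowercase verbs rejected, non-ASCII bytes in the
   target answered with 400 rather than a dropped connection) are easier to
   see in one small parser. The following is an added illustration written
   for this page, not waitress's own code: the method and version patterns,
   the BadRequest exception and the sample request lines are all constructed
   assumptions.

```python
import re

# Constructed sample request lines (not taken from the advisory or waitress).
SAMPLE_LINES = [
    b"GET /index.html HTTP/1.1",                 # well formed
    b"get /index.html HTTP/1.1",                 # lowercase verb
    "GET /caf\u00e9 HTTP/1.1".encode("utf-8"),   # non-ASCII bytes in target
    b"GET /legacy",                              # no version (HTTP/0.9 style)
    b"GET /x HTTP/9.9",                          # unknown version
]


class BadRequest(Exception):
    """The request line should produce a 400 response, not a closed socket."""


# Assumed rules, modelled on the changelog entries rather than copied from waitress.
_METHOD = re.compile(rb"^[A-Z]+$")          # uppercase token only
_VERSION = re.compile(rb"^HTTP/1\.[01]$")   # HTTP/1.0 or HTTP/1.1


def parse_request_line(line: bytes):
    """Return (method, target, version); version is None when absent.

    A missing version is reported as Python's None, never the string "None",
    so downstream code can test `version is None` safely.
    """
    parts = line.split(b" ")
    if len(parts) not in (2, 3):
        raise BadRequest("malformed request line")
    method, target = parts[0], parts[1]
    version = parts[2] if len(parts) == 3 else None

    if not _METHOD.match(method):
        raise BadRequest("method must be an uppercase token")
    try:
        target_str = target.decode("ascii")
    except UnicodeDecodeError:
        raise BadRequest("non-ASCII bytes in request target")
    if version is not None and not _VERSION.match(version):
        raise BadRequest("unsupported HTTP version")

    return (method.decode("ascii"), target_str,
            version.decode("ascii") if version is not None else None)


def request_line_status(line: bytes):
    """Return 400 when the line must be rejected, None when it parses."""
    try:
        parse_request_line(line)
    except BadRequest:
        return 400
    return None


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        status = request_line_status(raw)
        print(f"{raw!r}: {'400 Bad Request' if status else parse_request_line(raw)}")
```

   The point of returning a 400 instead of closing the socket is that a
   client (or a log reader) learns the request was malformed; an abrupt
   close looks like a network fault and hides the cause.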

   - Update to 1.0.2
     * Python 3.6 is now officially supported in Waitress
     * Add a work-around for a libc issue on Linux not following the
       documented standards: if getnameinfo() fails because DNS is not
       available it should return the IP address instead of the reverse DNS
       entry, but instead getnameinfo() raises. We catch this and call
       getnameinfo() again, explicitly asking for the IP address instead of
       the reverse DNS hostname.
   - Implement single-spec version.
   - Fix source URL.
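   The getnameinfo() work-around above amounts to a retry with the
   numeric-host flag. The block below is an added example written for this
   page, not waitress's code: `reverse_name` takes the resolver as a
   parameter so the misbehaving libc can be simulated offline with the
   constructed `broken_getnameinfo` stub, and the real `socket.getnameinfo`
   is only used when run as a script.

```python
import socket


def reverse_name(addr, flags=0, getnameinfo=socket.getnameinfo):
    """Reverse-resolve (host, port) like getnameinfo(), with the fallback the
    changelog describes: when the lookup raises because DNS is unreachable,
    ask again with NI_NUMERICHOST so the caller gets the IP address back
    instead of an exception. `getnameinfo` is injectable for testing
    (an assumption of this example, not a waitress parameter)."""
    try:
        return getnameinfo(addr, flags)
    except socket.gaierror:
        # The documented behaviour would have returned the numeric form;
        # request it explicitly instead of propagating the failure.
        return getnameinfo(addr, flags | socket.NI_NUMERICHOST)


def broken_getnameinfo(addr, flags):
    """Constructed stand-in for the libc behaviour described in the changelog:
    any lookup that is allowed to touch DNS raises instead of degrading to
    the numeric address; only NI_NUMERICHOST requests succeed."""
    if not flags & socket.NI_NUMERICHOST:
        raise socket.gaierror(-2, "Name or service not known")
    return (addr[0], str(addr[1]))


def working_getnameinfo(addr, flags):
    """Constructed stand-in for a healthy resolver with a PTR record."""
    if flags & socket.NI_NUMERICHOST:
        return (addr[0], str(addr[1]))
    return ("host.example", str(addr[1]))


if __name__ == "__main__":
    # Real resolver; on a host without DNS this is exactly the fallback path.
    print(reverse_name(("127.0.0.1", 8080)))
    print(reverse_name(("10.0.0.5", 8080), getnameinfo=broken_getnameinfo))
```

   Note that the fallback only catches `socket.gaierror`; other errors
   (for example an invalid address tuple) still propagate, which is the
   behaviour you want so configuration mistakes are not masked as DNS
   outages.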

   - update to 1.0.1:
     - IPv6 support on Windows was broken due to missing constants in the
       socket module. This has been resolved by setting the constants on
       Windows if they are missing. See
       https://github.com/Pylons/waitress/issues/138
     - A ValueError was raised on Windows when passing a string for the port:
       on Windows in Python 2, using service names instead of port numbers
       doesn't work with `getaddrinfo`. This has been resolved by attempting
       to convert the port number to an integer; if that fails, a ValueError
       will be raised. See https://github.com/Pylons/waitress/issues/139
     - Removed `AI_ADDRCONFIG` from the call to `getaddrinfo`; this resolves
       an issue whereby `getaddrinfo` wouldn't return any addresses to `bind`
       to on hosts where there is no internet connection but localhost is
       requested to be bound to. See
       https://github.com/Pylons/waitress/issues/131 for more information.
   - Disable tests; they need network access.

   Changes in rabbitmq-server:
   - Apply patches to resolve CVE-2017-4967, CVE-2017-4965 (bsc#1037777)
     0001-Escape-HTML-tags-in-policy-definition-fields.patch
     0002-Don-t-echo-provided-encoding-value-back.patch
     0003-Strip-off-pids-and-format-consumer-details-for-2-end.patch
     0004-Format-Web-contexts.patch

   Changes in release-notes-suse-openstack-cloud:
   - Switch github URL from git@ to https:// to bypass authentication

   Changes in rubygem-activeresource:
   - Add bsc#1171560-CVE-2020-8151-encode-id-param.patch: prevent a possible
     information disclosure issue that could allow an attacker to create
     specially crafted requests to access data in an unexpected way
     (bsc#1171560, CVE-2020-8151)

   Changes in rubygem-crowbar-client:
   - Update to 3.9.2
     - Enable SES commands in Cloud8 (SOC-11122)

   Changes in rubygem-json-1_7:
   - Add CVE-2020-10663.patch (CVE-2020-10663, bsc#1167244)

   Changes in rubygem-puma:
   - Fix indentation in gem2rpm.yml

   - Add CVE-2020-11077.patch (bsc#1172175, CVE-2020-11077)
   - Add chunked-request-handling.patch (needed for CVE-2020-11076.patch)
   - Add CVE-2020-11076.patch (bsc#1172176, CVE-2020-11076)
   - Add all patches to gem2rpm.yml

   - Add CVE-2020-5247.patch (bsc#1165402): "Fixes a problem where we were
     not splitting newlines in headers according to Rack spec". The patch is
     reduced compared to the upstream version, which also patched parts that
     are not implemented in our old Puma version. This applies to the unit
     test as well.
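   The Rack convention behind the CVE-2020-5247 entry is that one header
   value may carry several lines separated by "\n", and the server must emit
   each line as its own "Name: line" header. Writing the value through
   unsplit lets a line inside a value begin a header of its own; splitting
   and re-prefixing every line with the header name removes that. The block
   below is an added Python rendering of that idea for this page, not Puma's
   Ruby patch: the two serializers, the lenient `header_names` client-side
   parser and the sample header lists are constructed, and the rejection of
   a bare "\r" is an extra check of this example, not something the reduced
   patch described above is claimed to do.

```python
def serialize_headers_unsplit(headers):
    """Pre-fix behaviour (constructed): each value goes out verbatim on one line,
    so a newline inside a value reaches the wire untouched."""
    return "".join(f"{name}: {value}\r\n" for name, value in headers)


def serialize_headers_rack(headers):
    """Rack-style serialization: split each value on "\n" and re-prefix every
    line with the header name. A line that arrived inside a value can then
    only ever be the continuation of the same header, never a new one.
    As an additional guard (this example's choice), a "\r" that survives the
    split is rejected so nothing can end a line early."""
    out = []
    for name, value in headers:
        for line in value.split("\n"):
            if "\r" in line:
                raise ValueError(f"carriage return in header {name!r}")
            out.append(f"{name}: {line}\r\n")
    return "".join(out)


def header_names(raw):
    """Header names as a lenient client would parse them: bare LF accepted
    as a line terminator, CR ignored. Constructed parser for the demo."""
    lines = raw.replace("\r", "").split("\n")
    return [line.split(":", 1)[0] for line in lines if line]


def rejects(headers):
    """True when the hardened serializer refuses the header list."""
    try:
        serialize_headers_rack(headers)
    except ValueError:
        return True
    return False


# Constructed samples: a legitimate multi-value cookie header and a value
# carrying an application-supplied newline.
LEGIT = [("Set-Cookie", "a=1\nb=2")]
NEWLINE_IN_VALUE = [("X-Note", "ok\nSet-Cookie: session=injected")]

if __name__ == "__main__":
    print(repr(serialize_headers_rack(LEGIT)))
    print(header_names(serialize_headers_unsplit(NEWLINE_IN_VALUE)))
    print(header_names(serialize_headers_rack(NEWLINE_IN_VALUE)))
    print(rejects([("X-Note", "ok\r\nfoo")]))
```

   The first print shows the intended Rack behaviour (two Set-Cookie lines);
   the second and third show that the same value yields a foreign header
   name with the unsplit writer and only X-Note lines with the Rack-style
   one.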

   Changes in zookeeper:
   - Apply 0002-Apply-patch-to-resolve-CVE-2019-0201.patch. This applies the
     patch for ZOOKEEPER-1392 to resolve CVE-2019-0201: reading a node's ACL
     must not be allowed when the caller is not authorized to read the node
     (bsc#1135773)

   - Various cleanups in spec file


Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 7:

      zypper in -t patch SUSE-OpenStack-Cloud-7-2020-2072=1



Package List:

   - SUSE OpenStack Cloud 7 (s390x x86_64):

      crowbar-core-4.0+git.1580209654.1d112d31f-9.66.5
      crowbar-core-branding-upstream-4.0+git.1580209654.1d112d31f-9.66.5
      keepalived-2.0.19-1.8.1
      memcached-1.5.17-3.6.1
      memcached-debuginfo-1.5.17-3.6.1
      memcached-debugsource-1.5.17-3.6.1
      python-Pillow-2.8.1-4.12.1
      python-Pillow-debuginfo-2.8.1-4.12.1
      python-Pillow-debugsource-2.8.1-4.12.1
      python-psutil-1.2.1-21.1
      python-psutil-debuginfo-1.2.1-21.1
      python-psutil-debugsource-1.2.1-21.1
      rabbitmq-server-3.4.4-3.16.1
      rabbitmq-server-plugins-3.4.4-3.16.1
      ruby2.1-rubygem-activeresource-4.0.0-3.3.1
      ruby2.1-rubygem-crowbar-client-3.9.2-7.20.1
      ruby2.1-rubygem-json-1_7-1.7.7-3.3.1
      ruby2.1-rubygem-json-1_7-debuginfo-1.7.7-3.3.1
      ruby2.1-rubygem-puma-2.16.0-4.6.1
      ruby2.1-rubygem-puma-debuginfo-2.16.0-4.6.1
      rubygem-json-1_7-debugsource-1.7.7-3.3.1
      rubygem-puma-debugsource-2.16.0-4.6.1

   - SUSE OpenStack Cloud 7 (noarch):

      ansible-2.2.3.0-12.2
      crowbar-ha-4.0+git.1585316203.d6ad2c8-4.52.4
      crowbar-openstack-4.0+git.1589804581.9972163f0-9.71.4
      monasca-installer-20180608_12.47-12.1
      openstack-dashboard-theme-SUSE-2016.2-5.12.4
      openstack-manila-3.0.1~dev30-4.12.2
      openstack-manila-api-3.0.1~dev30-4.12.2
      openstack-manila-data-3.0.1~dev30-4.12.2
      openstack-manila-doc-3.0.1~dev30-4.12.3
      openstack-manila-scheduler-3.0.1~dev30-4.12.2
      openstack-manila-share-3.0.1~dev30-4.12.2
      openstack-neutron-fwaas-9.0.2~dev5-4.9.3
      openstack-neutron-fwaas-doc-9.0.2~dev5-4.9.4
      openstack-nova-14.0.11~dev13-4.40.2
      openstack-nova-api-14.0.11~dev13-4.40.2
      openstack-nova-cells-14.0.11~dev13-4.40.2
      openstack-nova-cert-14.0.11~dev13-4.40.2
      openstack-nova-compute-14.0.11~dev13-4.40.2
      openstack-nova-conductor-14.0.11~dev13-4.40.2
      openstack-nova-console-14.0.11~dev13-4.40.2
      openstack-nova-consoleauth-14.0.11~dev13-4.40.2
      openstack-nova-doc-14.0.11~dev13-4.40.2
      openstack-nova-novncproxy-14.0.11~dev13-4.40.2
      openstack-nova-placement-api-14.0.11~dev13-4.40.2
      openstack-nova-scheduler-14.0.11~dev13-4.40.2
      openstack-nova-serialproxy-14.0.11~dev13-4.40.2
      openstack-nova-vncproxy-14.0.11~dev13-4.40.2
      openstack-tempest-12.2.1~a0~dev177-4.9.1
      openstack-tempest-test-12.2.1~a0~dev177-4.9.1
      python-Django-1.8.19-3.23.1
      python-manila-3.0.1~dev30-4.12.2
      python-neutron-fwaas-9.0.2~dev5-4.9.3
      python-nova-14.0.11~dev13-4.40.2
      python-psql2mysql-0.5.0+git.1589351878.4ef877c-1.12.1
      python-py-1.8.1-11.12.1
      python-pysaml2-4.0.2-3.17.1
      python-tempest-12.2.1~a0~dev177-4.9.1
      python-waitress-1.4.3-3.3.1
      release-notes-suse-openstack-cloud-7.20180803-3.18.3
      zookeeper-server-3.4.10-6.1

   - SUSE OpenStack Cloud 7 (x86_64):

      grafana-4.6.5-1.14.1
      kibana-4.6.3-5.1
      kibana-debuginfo-4.6.3-5.1


References:

   https://www.suse.com/security/cve/CVE-2017-1000246.html
   https://www.suse.com/security/cve/CVE-2017-4965.html
   https://www.suse.com/security/cve/CVE-2017-4967.html
   https://www.suse.com/security/cve/CVE-2018-1000115.html
   https://www.suse.com/security/cve/CVE-2019-0201.html
   https://www.suse.com/security/cve/CVE-2019-11596.html
   https://www.suse.com/security/cve/CVE-2019-15026.html
   https://www.suse.com/security/cve/CVE-2019-15043.html
   https://www.suse.com/security/cve/CVE-2019-16785.html
   https://www.suse.com/security/cve/CVE-2019-16786.html
   https://www.suse.com/security/cve/CVE-2019-16789.html
   https://www.suse.com/security/cve/CVE-2019-16792.html
   https://www.suse.com/security/cve/CVE-2019-16865.html
   https://www.suse.com/security/cve/CVE-2019-18874.html
   https://www.suse.com/security/cve/CVE-2019-19844.html
   https://www.suse.com/security/cve/CVE-2019-19911.html
   https://www.suse.com/security/cve/CVE-2019-3498.html
   https://www.suse.com/security/cve/CVE-2019-3828.html
   https://www.suse.com/security/cve/CVE-2020-10663.html
   https://www.suse.com/security/cve/CVE-2020-10743.html
   https://www.suse.com/security/cve/CVE-2020-11076.html
   https://www.suse.com/security/cve/CVE-2020-11077.html
   https://www.suse.com/security/cve/CVE-2020-12052.html
   https://www.suse.com/security/cve/CVE-2020-13254.html
   https://www.suse.com/security/cve/CVE-2020-13379.html
   https://www.suse.com/security/cve/CVE-2020-13596.html
   https://www.suse.com/security/cve/CVE-2020-5247.html
   https://www.suse.com/security/cve/CVE-2020-5312.html
   https://www.suse.com/security/cve/CVE-2020-5313.html
   https://www.suse.com/security/cve/CVE-2020-5390.html
   https://www.suse.com/security/cve/CVE-2020-8151.html
   https://bugzilla.suse.com/1037777
   https://bugzilla.suse.com/1068612
   https://bugzilla.suse.com/1069468
   https://bugzilla.suse.com/1070737
   https://bugzilla.suse.com/1077718
   https://bugzilla.suse.com/1083903
   https://bugzilla.suse.com/1111657
   https://bugzilla.suse.com/1126503
   https://bugzilla.suse.com/1133817
   https://bugzilla.suse.com/1135773
   https://bugzilla.suse.com/1138748
   https://bugzilla.suse.com/1148383
   https://bugzilla.suse.com/1149110
   https://bugzilla.suse.com/1149535
   https://bugzilla.suse.com/1153191
   https://bugzilla.suse.com/1156525
   https://bugzilla.suse.com/1159447
   https://bugzilla.suse.com/1160152
   https://bugzilla.suse.com/1160153
   https://bugzilla.suse.com/1160192
   https://bugzilla.suse.com/1160790
   https://bugzilla.suse.com/1160851
   https://bugzilla.suse.com/1161088
   https://bugzilla.suse.com/1161089
   https://bugzilla.suse.com/1161349
   https://bugzilla.suse.com/1161670
   https://bugzilla.suse.com/1164316
   https://bugzilla.suse.com/1165402
   https://bugzilla.suse.com/1167244
   https://bugzilla.suse.com/1170657
   https://bugzilla.suse.com/1171560
   https://bugzilla.suse.com/1171909
   https://bugzilla.suse.com/1172166
   https://bugzilla.suse.com/1172167
   https://bugzilla.suse.com/1172175
   https://bugzilla.suse.com/1172176
   https://bugzilla.suse.com/1172409
   https://bugzilla.suse.com/948198
   https://bugzilla.suse.com/981848


