SUSE-RU-2020:2072-1: Security update for ansible, crowbar-core, crowbar-ha, crowbar-openstack, etcd, flannel, grafana, keepalived, kibana, memcached, monasca-installer, openstack-dashboard-theme-SUSE, openstack-manila, openstack-neutron-fwaas, openstack-nova, openstack-tempest, python-Django, python-Pillow, python-psql2mysql, python-psutil, python-py, python-pysaml2, python-waitress, rabbitmq-server, release-notes-suse-openstack-cloud, zookeeper

sle-updates at sle-updates at
Wed Jul 29 13:12:46 MDT 2020

   SUSE Recommended Update: Security update for ansible, crowbar-core, crowbar-ha, crowbar-openstack, etcd, flannel, grafana, keepalived, kibana, memcached, monasca-installer, openstack-dashboard-theme-SUSE, openstack-manila, openstack-neutron-fwaas, openstack-nova, openstack-tempest, python-Django, python-Pillow, python-psql2mysql, python-psutil, python-py, python-pysaml2, python-waitress, rabbitmq-server, release-notes-suse-openstack-cloud, zookeeper

Announcement ID:    SUSE-RU-2020:2072-1
Rating:             low
References:         #1037777 #1068612 #1069468 #1070737 #1077718 
                    #1083903 #1111657 #1126503 #1133817 #1135773 
                    #1138748 #1148383 #1149110 #1149535 #1153191 
                    #1156525 #1159447 #1160152 #1160153 #1160192 
                    #1160790 #1160851 #1161088 #1161089 #1161349 
                    #1161670 #1164316 #1165402 #1167244 #1170657 
                    #1171560 #1171909 #1172166 #1172167 #1172175 
                    #1172176 #1172409 #948198 #981848 
Affected Products:
                    SUSE OpenStack Cloud 7

   An update that solves 31 vulnerabilities and has 8 fixes is
   now available.


   This update for ansible, crowbar-core, crowbar-ha, crowbar-openstack,
   etcd, flannel, grafana, keepalived, kibana, memcached, monasca-installer,
   openstack-dashboard-theme-SUSE, openstack-manila, openstack-neutron-fwaas,
   openstack-nova, openstack-tempest, python-Django, python-Pillow,
   python-psql2mysql, python-psutil, python-py, python-pysaml2,
   python-waitress, rabbitmq-server, release-notes-suse-openstack-cloud,
   zookeeper fixes the following issues:

   Security fixes included ins this update:

   - CVE-2019-3828: Fixed a path traversal in the fetch module (bsc#1126503).

   - CVE-2020-13379: Fixed an incorrect access control issue which could lead
     to information leaks or denial of service (bsc#1172409).
   - CVE-2020-12052: Fixed an cross site scripting vulnerability related to
     the annotation popup (bsc#1170657).

   - CVE-2020-10743: Fixed a clickjacking vulnerability (bsc#1171909).

   memcached (to version 1.5.17)
   - CVE-2019-15026: Fixed a stack-based buffer over-read in conn_to_str()n
   - CVE-2019-11596: Fixed a denial of service in the 'lru' command
   - CVE-2018-1000115: Disabled UDP by default to reduce DDoS amplification
     attacks (bsc#1083903).

   - CVE-2020-13254: Fixed a data leakage via malformed memcached keys
   - CVE-2020-13596: Fixed a cross site scripting vulnerability related to
     the admin parameters of the ForeignKeyRawIdWidget (bsc#1172166).
   - Fixed a regression with the fix for CVE-2019-3498 (bsc#1161349).

   - CVE-2019-16865: Fixed a denial of service with specially crafted image
     files (bsc#1153191).
   - CVE-2020-5312: Fixed a buffer overflow in the PCX P mode (bsc#1160152).
   - CVE-2020-5313: Fixed a buffer overflow related to FLI (bsc#1160153).
   - CVE-2019-19911: Fixed a denial of service in

   - CVE-2020-5390: Fixed an issue with the verification of signatures in
     SAML documents (bsc#1160851)
   - CVE-2017-1000246: Fixed an issue with  weak encryption data, caused by
     initialization vector reuse(bsc#1068612).

   python-waitress (to version 1.4.3)
   - CVE-2019-16785: Fixed HTTP request smuggling through LF vs CRLF handling
   - CVE-2019-16786: Fixed HTTP request smuggling through invalid
     Transfer-Encoding (bsc#1161089).
   - CVE-2019-16789: Fixed HTTP Request Smuggling through invalid whitespace
     characters (bsc#1160790).
   - CVE-2019-16792: Fixed HTTP Request Smuggling through Content-Length
     header handling (bsc#1161670).

   - CVE-2020-8151: Fixed information disclosure issue through specially
     crafted requests (bsc#1171560)

   - CVE-2020-10663: Fixed Unsafe Object Creation Vulnerability in JSON

   - CVE-2020-11077: Fixed HTTP Request Smuggling through proxy (bsc#1172175)
   - CVE-2020-11076: Fixed HTTP Request smuggling through invalid
     Transfer-Encoding header.
   - CVE-2020-5247: Fixed HTTP Response Splitting through newline characters
     handling (bsc#1165402)

   - CVE-2019-0201: Fixed an information disclosure related to getACL()

   Non security fixes included in this update:

   Changes in ansible:
   - Add 0001-Disallow-use-of-remote-home-directories-containing-..patch
     (bsc#1126503, CVE-2019-3828)

   Changes in crowbar-core:
   - Update to version 4.0+git.1580209654.1d112d31f:
     * network: start OVS before wickedd (SOC-11067)

   Changes in crowbar-ha:
   - Update to version 4.0+git.1585316203.d6ad2c8:
     * [4.0] add ssl termination on haproxy (bsc#1149535)

   Changes in crowbar-openstack:
   - Update to version 4.0+git.1589804581.9972163f0:
     * [4.0] magnum: fix check for image/flavor (SOC-11251)

   - Update to version 4.0+git.1589647351.ccfd9481f:
     * [4.0] trove: fix rabbitmq connection URL (SOC-11286)

   - Update to version 4.0+git.1589458214.9f765aa08:
     * [4.0] Fix create magnum k8s image and flavor (SOC-11251)

   - Update to version 4.0+git.1588271860.131fc8cc1:
     * run keystone_register on cluster founder only when HA (SOC-11248)
     * nova: run keystone_register on cluster founder only (SOC-11243)

   - Update to version 4.0+git.1588096523.679da5c50:
     * tempest: retry openstack commands (SOC-11238)

   - Update to version 4.0+git.1587129016.c009e43c9:
     * Disable magnum.tests.functional.api.v1.test_cluster (SOC-11224)

   - Update to version 4.0+git.1587035427.abb6e9b4e:
     * Fix barbican SSL support (SOC-9298)

   - Update to version 4.0+git.1586421486.5601320b7:
     * Fix magnum tempest tests (SOC-9298)

   - Update to version 4.0+git.1585331022.609482166:
     * tempest: update blacklisted tempest test cases

   - Update to version 4.0+git.1585136604.988f3a1da:
     * Disabling failing tempest tests on SOC7
     * [4.0] ec2-api: run keystone_register on cluster founder only

   - Update to version 4.0+git.1582582068.c8c2448c0:
     * neutron: Place space between CLI arguments

   - Update to version 4.0+git.1580894959.1fe5fd282:
     * Revert "[4.0] rabbitmq: sync startup definitions.json with recipe"

   - Update to version 4.0+git.1580469474.967ab8baf:
     * rabbitmq: sync startup definitions.json with recipe (SOC-11077)

   Changes in etcd:
   - Build against go 1.6

   - Fix etcd build. We are generating 2 binaries, etcd and etcdctl. They
     need to be built separately

   - Ensure /var/lib/etcd is controlled by etcd:etcd

   - exclude i586. We don't expect this package to be built on i586.

   - remove sysconfig.etcd: this file is not being used

   - Update to version 3.1.0:
     * raft: add node should reset the pendingConf state
     * v3rpc: don't close watcher if client closes send
     * e2e: add test for v3 watch over grpc gateway
     * mvcc: remove unused restore method
     * integration: don't expect recv to stop on CloseSend in waitResponse
     * Documentation: add grpc gateway watch example
     * version: bump up v3.1.0-rc.1+git
     * discovery: warn on scheme mismatch
     * grpcproxy: fix deadlock on watch broadcasts stop
     * etcdmain: add '/metrics' HTTP/1 path to grpc-proxy
     * etcd-tester: do not resolve localhost
     * raftexample: confState should be saved after apply
     * raft: test case to check the duplicate add node propose
     * raft: fix test case, should wait config propose applied
     * raft: fix test case for data race
     * raft: use the channel instead of sleep to make test case reliable
     * raft: fix TestNodeProposeAddDuplicateNode
     * etcdmain: handle TLS in grpc-proxy listener
     * etcd-tester:limit max retry backoff delay
     * functional-tester: add withBlock() to grpc dial
     * op-guide: add notes about Prometheus data source in Grafana
     * clientv3: return copy of endpoints, not pointer
     * auth: add a timeout mechanism to simple token
     * client: update README about health monitoring
     * grpcproxy: fix race between watch ranges delete() and broadcasts
     * lease: Use monotonic time in lease
     * integration: use Range to wait for reboot in quota tests
     * grpcproxy: fix race between coalesce and bcast on nextrev
     * etcd-tester: refactor lease checker
     * store: check sorted order in TestStoreGetSorted
     * vendor: bump go-systemd to v14 to avoid build error
     * integration: cancel Watch when TestV3WatchWithPrevKV exits
     * grpcproxy: add richer metrics for watch
     * grpcproxy: add cache related metrics
     * raft: Fix election "logs converge" test
     * raft: Export Progress.IsPaused
     * benchmark: add rate limit
     * etcdctl: remove GetUser check before mutable commands
     * grpcproxy: lock store when getting size
     * Documentation: link added to with a new v2
       Scala Client
     * grpcproxy: fix deadlock in watchbroadcast
     * etcdserver: time out when readStateC is blocking
     * store: fix store_test.go comments
     * vendor: update ugorji/go
     * client: update generated ugorji codec
     * doc: initial faq
     * clientv3/integration: test lease keepalive works following quorum loss
     * integration: use RequireLeader for TestV3LeaseFailover
     * v3rpc, etcdserver, leasehttp: ctxize Renew with request timeout
     * Documentation: add blox and chain as users
     * etcdserver: do not send v2 sync if ttl keys do not exist
     * ROADMAP: update for 3.2
     * Documentation: add more FAQ questions
     * grpcproxy: fix minor typo
     * vendor: use versions when possible in glide.yaml
     * scripts: use glide update if repo exists in glide.lock
     * github: make bug reporting link non-relative
     * github: make contribution link non-relative
     * Documentation: update get examples to be clearer about ranges
     * etcdserver, embed, v2http: move pprof setup to embed
     * doc: add faq about apply warning logging
     * test: exclude '_home' for gosimple, unused
     * auth: fix gosimple errors
     * integration: simplify boolean comparison in resp.Created
     * raft: simplify boolean comparison, remove unused
     * tools: simplify boolean comparison, remove unused
     * e2e: remove unused 'ctlV3GetFailPerm'
     * v3rpc: remove unused 'splitMethodName' function
     * grpcproxy: remove unused field 'wbs *watchBroadcasts'
     * doc: add faq about missing heartbeat
     * etcdctl: "fields" output formats
     * build: remove dir use -r flag
     * etcd-tester: add 'enable-pprof' option
     * etcd-tester: cancel lease stream; fix OOM panic
     * doc: add hardware section
     * auth: improve 'removeSubsetRangePerms' to O(n)
     * Documentation: use port 2379 in local cluster guide The port in
       endpoints should be 2379, instead of 12379.
     * op-guide/clustering: fix typo
     * embed: deep copy user handlers
     * Documentation: add more FAQs (follower, leader, sys-require)
     * clientv3: close Lease on client Close
     * netutil: ctx-ize URLStringsEqual
     * etcdserver: retry for 30s on advertise url check
     * membership: retry for 30s on advertise url check
     * clientv3: return error from KeepAlive if corresponding loop exits
     * clientv3: add test for keep alive loop exit case
     * auth, etcdserver: protect membership change operations with auth
     * e2e: test cases of protecting membership change with auth
     * clientv3: better error message for keep alive loop halt
     * Documentation: FAQ entry for cluster ID mismatches
     * dev-guide: add
     * Documentation: minor fix nodes -> node
     * etcdctl: warn when backend takes too long to open on migrate
     * docs: explicitly set ETCDCTL_API=3 in
     * v3api, rpctypes: add ErrTimeoutDueToConnectionLost
     * clientv3/integration: test lease grant/keepalive with/without failures
     * clientv3: don't reset keepalive stream on grant failure
     * etcdctl: tighten up output, reorganize
     * Documentation: add FAQs on membership operation
     * Documentation: add ''
     * embed: only override default advertised client URL if the client
       listen URL is
     * raft: make memory storage set method thread safe
     * raft: resume paused followers on receipt of MsgHeartbeatResp
     * etcd-tester: fix typo, add endpoint in logs
     * lease: force leader to apply its pending committed index for lease
     * leasehttp: buffer error channel to prevent goroutine leak
     * raft: fix pre-vote tests
     * etcdserver: rework update committed index logic
     * etcd-tester: remove unused err var from maxRev
     * e2e: check etcdctl endpoint health is healthy if denied permission to
     * benchmark: a new option for configuring dial timeout
     * ctlv3: consider permission denied error to be healthy for endpoints
     * etcdmain: add --metrics flag for exposing histogram metrics
     * e2e: test cluster-health
     * v2http: submit QGET in health endpoint if no progress
     * test: bump grpcproxy pass timeout to 15m
     * lease: use atomics for accessing lease expiry
     * e2e: poll '/version' in release upgrade tests
     * e2e: unset ETCDCTL_API env var before running u2e tests
     * etcdserver: consistent naming in raftReadyHandler
     * coverage: rework code coverage for unit and integration tests
     * testutil: whitelist thread created by go cover
     * rafthttp: bump up timeout in pipeline test
     * grpcproxy, etcdmain, integration: return done channel with WatchServer
     * integration: defer clus.Terminate in watch tests
     * raftexample: load snapshot when opening WAL
     * etcd-runner: make command compliant
     * raft: use status to test node stop
     * etcdserver: expose ErrNotEnoughStartedMembers
     * etcdserver: resume compactor only if leader
     * benchmark: enable grpc error logging on stderr
     * etcd-runner:add flags in watcher for hardcoded values
     * docs: fix recovery example in
     * auth: use quorum get for GetUser/GetRole for mutable operations
     * grpcproxy: tear down watch when client context is done
     * integration: use only digits in unix ports
     * e2e: dump stack on ctlTest timeout
     * expect: EXPECT_DEBUG environment variable
     * why: add origin of the term etcd
     * testutil: increase size of buffer for stack dump
     * raft: fix test case for #7042
     * vendor: update ugorji/go
     * integration: add grpc auth testing
     * auth: reject empty user name when checking op permissions
     * etcdctl: create root role on auth enable if it does not yet exist
     * raft: add RawNode test case for #6866
     * pkg/report: support 99.9-percentile, change column name
     * documentation: display in github browser
     * benchmark: option to rate limit range benchmark
     * etcdserver, clientv3: handle a case of expired auth token
     * tools: Add etcd 3.0 load test tool refernece
     * transport: warn on user-provided CA
     * NEWS: add v3.1.0, v3.0.16 + minor fixes
     * clienv3: fix balancer test logic
     * clientv3: don't reset stream on keepaliveonce or revoke failure
     * grpcproxy: use ccache for key cache
     * vendor: remove groupcache, add ccache
     * pkg/report: add 'Stats' to expose report raw data
     * travis: use Go 1.7.4, drop old env var
     * ctlv3: print cluster info after adding new member
     * Documentation: document upgrading to v3.1
     * pkg/report: add nil checking for getTimeSeries
     * etcdserver: use ReqTimeout for linearized read
     * grpcproxy, etcdmain, integration: add close channel to kv proxy
     * glide: update ''
     * vendor: update ''
     * Documentation: update experimental_apis for v3.1 release
     * NEWS: fix date for v3.1 release
     * Documentation: fix typo s/endpoint-health/endpoint health/
     * clientv3/concurrency: fix rev comparison on concurrent key deletion
     * integration: test STM apply on concurrent deletion
     * pkg/flags: fixed prefix checking of the env variables
     * etcdctlv3: snapshot restore works with lease key
     * test: passed the test script arguments as the test function parameters
     * documentation: update build documentation
     * version: bump to v3.1.0

   - Update to version 3.1.0rc.1:
     * grpcproxy: watch next revision should be start revision when not 0
     * grpcproxy: copy range request before storing in cache
     * raft: return empty status if node is stopped
     * mvcc: store.restore taking too long triggering snapshot cycle fix
     * mvcc: TestStoreRestore fix
     * mvcc : Added benchmark for store.resotre
     * pkg/netutil: get default interface for tc commands
     * version: bump up v3.1.0-rc.1

   Changes in grafana:
   - Add CVE-2020-13379.patch
     * Security: fix unauthorized avatar proxying (bsc#1172409,
   - Refresh systemd-notification.patch
   - Fix declaration for LICENSE

   - Add
     * Security: Fix annotation popup XSS vulnerability (bsc#1170657)

   - Add CVE-2019-15043.patch (SOC-10357, CVE-2019-15043, bsc#1148383)
     Changes in keepalived:
   - update to 2.0.19
   - new BR pkgconfig(libnftnl) to fix nftables support
   - add nftables to the BR
   - added patch
     * linux-4.15.patch
   - add buildrequires for file-devel
     - used in the checker to verify scripts
   - enable json stats and config dump support new BR: pkgconfig(json-c)
   - enable http regexp support: new BR pcre2-devel
   - disable dbus instance creation support as it is marked as dangerous
   - Add BFD build option to keepalived.spec rpm file Issue #1114 identified
     that the keepalived.spec file was not being generated to build BFD
     support even if keepalived had been configured to support it.
   - full changelog

   - update to 1.4.5:
     * Update snapcraft.yaml for 1.4.x+git
     * Fix generation of git-commit.h with git commit number.
     * Set virtual server address family correctly.
     * Set virtual server address family correctly when using tunnelled real
     * Fix handling of virtual servers with no real servers at config time.
     * Add warning if virtual and real servers are different address
       families. Although normally the virtual server and real servers must
       have the same address family, if a real server is tunnelled, the
       address families can be different. However, the kernel didn't support
       that until 3.18, so add a check that the address families are the same
       if different address families are not supported by the kernel.
     * Send correct status in Dbus VrrpStatusChange notification. When an
       instance transitioned from BACKUP to FAULT, the Dbus status change
       message reported the old status (BACKUP) rather than the new status
       (FAULT). This commit attempts to resolved that.
     * doc: ipvs schedulers update
     * Fix a couple of typos in
     * Fix namespace collision with musl if_ether.h.
     * Check if return value from read_value_block() is null before using.
     * Fix reporting real server stats via SNMP.
     * Make checker process handle RTM_NEWLINK messages with -a option Even
       though the checker process doesn't subscribe to RTNLGRP_LINK messages,
       it appears that older kernels (certainly 2.6.32) can send RTM_NEWLINK
       (but not RTM_DELLINK) messages. This occurs when the link is set to up
       state. Only the VRRP process is interested in link messages, and so
       the checker process doesn't do the necessary initialisation to be able
       to handle RTM_NEWLINK messages. This commit makes the checker process
       simply discard RTM_NEWLINK and RTM_DELLINK messages, rather than
       assuming that if it receives an RTM_NEWLINK message it must be the
       VRRP process. This problem was reported in issue #848 since the
       checker process was segfaulting when a new interface was added when
       the -a command line option was specified.
     * Fix handling RTM_NEWLINK when building without VRRP code.
     * Fix building on Fedora 28. net-snmp-config output can include compiler
       and linker flags that refer to spec files that were used to build
       net-snmp but may not exist on the system building keepalived. That
       would cause the build done by configure to test for net-snmp support
       to fail; in particular
       on a Fedora 28 system that doesn't have the redhat-rpm-config package
        installed. This commit checks that any spec files in the compiler and
        linker flags returned by net-snmp-config exist on the system building
        keepalived, and if not it removes the reference(s) to the spec
     * keepalived-1.4.3 released.
     * vrrp: setting '0' as default value for ifa_flags to make gcc happy.
     * Add additional libraries when testing for presence of SSL_CTX_new().
       It appears that some systems need -lcrypto when linking with -lssl.
     * Sanitise checking of libnl3 in
     * Report and handle missing '}'s in config files.
     * Add missing '\n' in output.
     * Stop backup taking over as master while master reloads. If a reload
       was initiated just before an advert, and since it took
       one advert interval after a reload before an advert was sent, if the
        reload itself took more than one advert interval, the backup could
        time out and take over as master. This commit makes keepalived send
        adverts for all instances that are master immediately before a
        reload, and also sends adverts immediately after a reload, thereby
        trippling the time available for the reload to complete.
     * Add route option fastopen_no_cookie and rule option l3mdev.
     * Fix errors in KEEPALIVED-MIB.txt.
     * Simplify setting on IN6_ADDR_GEN_MODE.
     * Cosmetic changes to keepalived(8) man page.
     * Don't set ipvs sync daemon to master state before becoming master If a
       vrrp instance which was the one specified for the ipvs sync daemon was
       configured with initial state master, the sync daemon was being set to
       master mode before the vrrp instance transitioned to master mode. This
       caused an error message when the vrrp instance transitioned to master
       and attempted to make the sync daemon go from backup to master mode.
       This commit stops setting the sync daemon to master mode at
       initialisation time, and it is set to master mode when the vrrp
       instance transitions to master.
     * Fix freeing vector which has not had any entries allocated.
     * Add additional mem-check disgnostics vector_alloc, vectot_alloc_slot,
       vector_free and alloc_strvec all call MALLOC/FREE but the functions
       written in the mem_check log are vector_alloc etc, not the functions
       that call them. This commit adds logging of the originating calling
     * Fix memory leak in parser.c.
     * Improve alignment of new mem-check logging.
     * Disable all checkers on a virtual server when ha_suspend set. Only the
       first checker was being disabled; this commit now disables all of
       them. Also, make the decision to disable a checker when
       starting/reloading when scheduling the checker, so that the existance
       of the required address can be checked.
     * Stop genhash segfaulting when built with --enable-mem-check.
     * Fix memory allocation problems in genhash.
     * Properly fix memory allocation problems in genhash.
     * Fix persistence_granularity IPv4 netmask validation. The logic test
       from inet_aton() appears to be inverted.
     * Fix segfault when checker configuration is missing expected parameter
       Issue #806 mentioned as an aside that "nb_get_retry" without a
       parameter was sigfaulting. Commit be7ae80 - "Stop segfaulting when
       configuration keyword is missing its parameter" missed the "hidden"
       uses of vector_slot() (i.e. those used via definitions in header
       files). This commit now updates those uses of vector_slot() to use
       strvec_slot() instead.
     * Fix compiling on Linux 2.x kernels. There were missing checks for
       HAVE_DECL_CLONE_NEWNET causing references to an undeclared variable if
       CLONE_NEWNET wasn't defined.
     * Improve parsing of kernel release. The kernel EXTRAVERSION can start
       with any character (although starting with a digit would be daft), so
       relax the check for it starting with a '-'. Kernels using both '+' and
       '.' being the first character of EXTRAVERSION have been reported.
     * Improve grammer.
     * add support for SNI in SSL_GET check. this adds a `enable_sni`
       parameter to SSL_GET, making sure the check passes the virtualhost in
       the SNI extension during SSL handshake.
     * Optimise setting host name for SSL_GET requests with SNI.
     * Allow SNI to be used with SSL_GET with OpenSSL v1.0.0 and LibreSSL.
     * Use configure to check for SSL_set_tlsext_host_name() Rather than
       checking for a specific version of the OpenSSL library (and it would
       also need checking the version of the LibreSSL library) let configure
       check for the presence of SSL_set_tlsext_host_name(). Also omit all
       code related to SNI of SSL_set_tlsext_host_name() is not available.
     * Use configure to determine available OpenSSL functionality Rather than
       using version numbers of the OpenSSL library to determine what
       functions are available, let configure determine whether the functions
       are supported. The also means that the same tests work for LibreSSL.
     * Add support for gratuitous ARPs for IP over Infiniband.
     * Use system header definition instead of local definition IF_HWADDR_MAX
       linux/netdevice.h has definition MAX_ADDR_LEN, which is 32, whereas
       IF_HWADDR_MAX was locally defined to be 20. Unfortunately we end up
       with more system header file juggling to ensure we don't have
       duplicate definitions.
     * Fix vrrp_script and check_misc scripts of type </dev/tcp/
     * Add the first pre-defined config definition (${_PWD}) ${_PWD} in a
       configuration file will be replaced with the full path name of the
       directory that keepalived is reading the current configuration file
     * Open and run the notify fifo and script if no other fifo Due to the
       way the code was structured the notify_fifo for both checker and vrrp
       messages wasn't run if neither the vrrp or checker fifo wasn't
       configured. Also, if all three fifos were configured, the general fifo
       script was executed by both the vrrp and checker process, causing
     * Add support for Infiniband interfaces when dumping configuration.
     * Tidy up layout in vrrp_arp.c.
     * Add configure check for support of position independant executables
     * Add check for -pie support, and fix writing to
     * keepalived-1.4.2 released.
     * Make genhash exit with exit code 1 on error. Issue #766 identified
       that genhash always exits with exit code 1 even if an error has
     * Rationalise printing of http header in genhash.
     * Use http header Content-Length field in HTTP_CHECK/SSL_CHECK. If a
       Content-Length is supplied in the http header, use that as a limit to
       the data length (as wget does). If the length of data received does
       not match the Content-Length log a warning.
     * Optimise parameter passing to fprintf in genhash.
     * Don't declare mark variable if don't have MARK socket option.
     * Fix sync groups with only one member. Commit c88744a0 allowed sync
       groups with only 1 member again, but didn't stop removing the sync
       group if there was only 1 member. This commit now doesn't remove sync
       groups with only one member.
     * Make track scripts work with --enable-debug config option.
     * Add warning if --enable-debug configure option is used.
     * Allow more flexibility of layout of { and } in config files.
       keepalived was a bit fussy about where '{'s and '}'s (braces) could be
       placed in terms of after the keyword, or on a line on their own. It
       certainly was not possible to have multiple braces on one line. This
       commit now provides complete flexibility of where braces are, so long
       as they occur in the correct order.
     * Make alloc_value_block() report block type if there is an error.
     * Simplify alloc_value_block() by using libc string functions.
     * Add dumping of garp delay config when using -d option.
     * Fix fractions of seconds for garp group garp_interval.
     * Make read_value_block() use alloc_value_block(). This removes quite a
       bit of duplication of functionality, and ensures the configuration
       parsing will be more consistent.
     * Fix build with Linux kernel headers v4.15. Linux kernel version 4.15
       changed the libc/kernel headers suppression logic in a way that
       introduces collisions.
     * Add missing command line options to keepalived(8) man page.
     * Fix --dont-release-vrrp. On github, ushuz reported that commit 62e8455
       - "Don't delete vmac interfaces before dropping multicast membership"
       broke --dont-release-vrrp. This commit restores the correct
     * Define _GNU_SOURCE for all compilation units. Rather than defining
       _GNU_SOURCE when needed, let configure add it to the flags passed to
       the C compiler, so that it is defined for all compilation units. This
       ensures consistence.
     * Fix new warnings procuded by gcc 8.
     * Fix dumping empty lists. Add a check in dump_list() for an empty list,
       and don't attempt to dump it if it is empty.
     * Resolve conversion-check compiler warnings.
     * Add missing content to installing_keepalived.rst documentation. Issue
       #778 identified that there was text missing at the end of the
       document, and that is now added.
     * Fix systemd service to start after This fix was
       merged downstream by RedHat in response to RHBZ #1413320.
     * Update INSTALL file to describe packages needed for building
     * INSTALL: note linux distro package that provides 'sphinx_rtd_theme'
     * Clear /proc/sys/net/ipv6/conf/IF/disable_ipv6 when create VMACs. An
       issue was identified where keepalived was reporting permission denied
       when attempting to add an IPv6 address to a VMAC interface. It turned
       out that this was because /proc/sys/net/ipv6/conf/default/disable_ipv6
       was set to 1, causing IPv6 to be disables on all interfaces that
       keepalived created. This commit clears disable_ipv6 on any VMAC
       interfaces that keepalived creates if the vrrp instance is using IPv6.
   - remove linux-4.15.patch: does not apply anymore and not needed (the
     distros using 4.15 have moved on to keepalived 2.x)

   - Only Require insserv on distributions without systemd.
   - Fix systemd related requires/buildRequires
   - Do not run scriptlets that use insserv when using systemd

   - add linux-4.15.patch

   Changes in kibana:
   - Add 0001-Configurable-custom-response-headers-for-server.patch
     (bsc#1171909, CVE-2020-10743)

   Changes in memcached:
   - version update to 1.5.17
     * bugfixes fix strncpy call in stats conns to avoid ASAN violation
       (bsc#1149110, CVE-2019-15026) extstore: fix indentation add error
       handling when calling dup function add unlock when item_cachedump
       malloc failed extstore: emulate pread(v) for macOS fix off-by-one in
       logger to allow CAS commands to be logged. use strdup for explicitly
       configured slab sizes move mem_requested from slabs.c to items.c
       (internal cleanup)
     * new features add server address to the "stats conns" output log client
       connection id with fetchers and mutations Add a handler for seccomp
   - version update to 1.5.16
     * bugfixes When nsuffix is 0 space for flags hasn't been allocated so
       don't memcpy them.
   - version update to 1.5.15
     * bugfixes Speed up incr/decr by replacing snprintf. Use correct buffer
       size for internal URI encoding. change some links from http to https
       Fix small memory leak in testapp.c. free window_global in
       slab_automove_extstore.c remove inline_ascii_response option
       -Y [filename] for ascii authentication mode fix: idle-timeout wasn't
        compatible with binprot
     * features
       -Y [authfile] enables an authentication mode for ASCII protocol.
   - modified patches % memcached-autofoo.patch (refreshed)

   - version update to 1.5.14
     * update -h output for -I (max item size)
     * fix segfault in "lru" command (bsc#1133817, CVE-2019-11596)
     * fix compile error on centos7
     * extstore: error adjusting page_size after ext_path
     * extstore: fix segfault if page_count is too high.
     * close delete + incr item survival race bug
     * memcached-tool dump fix loss of exp value
     * Fix "qw" in "" so wait_ext_flush is exported properly
     * Experimental TLS support.
     * Basic implementation of TLS for memcached.
     * Improve Get And Touch documentation
     * fix INCR/DECR refcount leak for invalid items
   - modified patches % memcached-autofoo.patch (refreshed)

   - Version bump to 1.5.11:
     * extstore: balance IO thread queues
   - Drop memcached-fix_test.patch that is present now upstream

   - Add patch to fix aarch64, ppc64* and s390x tests:
     * memcached-fix_test.patch

   - Fix linter errors regarding COPYING

   - update to 1.5.10:
     * disruptive change in extstore: -o ext_page_count= is deprecated and no
       longer works. To specify size: -o ext_path=/d/m/e:500G extstore
       figures out the page count based on your desired page size. M|G|T|P
     * extstore: Add basic JBOD support: ext_path can be specified multiple
       times for striping onto simimar devices
     * fix alignment issues on some ARM platforms for chunked items

   - Update to 1.5.9:
     * Bugfix release.
     * Important note: if using --enable-seccomp, privilege dropping is no
       longer on by default. The feature is experimental and many users are
       reporting hard to diagnose problems on varied platforms.
     * Seccomp is now marked EXPERIMENTAL, and must be explicitly enabled by
       adding -o drop_privileges. Once we're more confident with the
       usability of the feature, it will be enabled in -o modern, like any
       other new change. You should only use it if you are willing to
       carefully test it, especially if you're a vendor or distribution.
     * Also important is a crash fix in extstore when using the ASCII
       protocol, large items, and running low on memory.

   - update to 1.5.8:
     * Bugfixes for seccomp and extstore
     * Extstore platform portability has been greatly improved for ARM and
       32bit systems
   - includes changes from 1.5.7:
     * Fix alignment issues for 64bit ARM processors
     * Fix seccomp portability
     * Fix refcount leak with extstore while using binary touch commands

   - turn on the testsuite again, it seems to pass server side, too

   - Home directory shouldn't be world readable bsc#1077718
   - Mention that this stream isn't affected by bsc#1085209, CVE-2018-1000127
     to make the checker bots happy.

   - update to 1.5.6 (bsc#1083903, CVE-2018-1000115):
     * This update disables UDP by default to reduce DDoS amplification
     * see
     * see
     * see
     * see
     * see
     * see
     * see

   - Replace references to /var/adm/fillup-templates with new %_fillupdir
     macro (boo#1069468)

   Changes in monasca-installer:
   - Add 0001-kibana:-set-x-frame-options-header.patch (bsc#1171909,

   Changes in openstack-dashboard-theme-SUSE:
   - Switch github URL from git@ to git:// to bypass authentication

   Changes in openstack-manila:
   - Add 0001-Fix-exportfs-u-usage-in-generic-driver.patch Backported from
     upstream patch Related Bug

   Changes in openstack-neutron-fwaas:
   - Add 0050-Remove-tempest-shared-physical-network.patch (SOC-9801) This
     tempest configuration option is not present in tempest, as it was only
     added after the SOC7 release cut.

   Changes in openstack-nova:
   - Add 0001-live-mig-keep-disk-device-address-same.patch (bsc#1164316)
     - Fix for

   Changes in openstack-tempest:

   - Add 0001-Use-available-scheduler-filters.patch Backported from upstream
     patch Related Bugs:

   - Add 0001-Remove-volume_feature_enabled.volume_services.patch Backported
     from upstream patch Related Bug

   Changes in python-cffi:
   - Do not build python3 subpackages as C:OS:Newton does not support it

   - provide also python-cffi = 1.10.0 and 1.5.2 to avoid breaking the cloud
     7 and 8 requirements (bsc#948198)

   - Update in SLE-12 (bsc#1138748, jsc#ECO-1256, jsc#PM-1598)

   - Add dont-corrupt-memory.patch to fix boo#1111657 (originally from

   - build python3 subpackage (FATE#324435, FATE#323875)

   - Add patch cffi-loader.patch to fix bsc#1070737
   - Sort out with spec-cleaner

   - update to version 1.11.2:
     * Fix Windows issue with managing the thread-state on CPython 3.0 to 3.5

   - Update pytest in spec to add c directory tests in addition to testing
   - Omit test_init_once_multithread tests as they rely on multiple threads
     finishing in a given time. Returns sporadic pass/fail within build.
   - Update to 1.11.1:
     * Fix tests, remove deprecated C API usage
     * Fix (hack) for 3.6.0/3.6.1/3.6.2 giving incompatible binary extensions
       (cpython issue #29943)
     * Fix for 3.7.0a1+

   - Update to 1.11.0:
     * Support the modern standard types char16_t and char32_t. These work
       like wchar_t: they represent one unicode character, or when used as
       charN_t * or charN_t[] they represent a unicode string. The difference
       with wchar_t is that they have a known, fixed size. They should work
       at all places that used to work with wchar_t (please report an issue
       if I missed something). Note that with set_source(), you need to make
       sure that these types are actually defined by the C source you provide
       (if used in cdef()).
     * Support the C99 types float _Complex and double _Complex. Note that
       libffi doesn’t support them, which means that in the ABI mode you
       still cannot call C functions that take complex numbers directly as
       arguments or return type.
     * Fixed a rare race condition when creating multiple FFI instances from
       multiple threads. (Note that you aren’t meant to create many FFI
       instances: in inline mode, you should write ffi = cffi.FFI() at module
       level just after import cffi; and in
       out-of-line mode you don’t instantiate FFI explicitly at all.)
     * Windows: using callbacks can be messy because the CFFI internal error
       messages show up to stderr—but stderr goes nowhere in many
       applications. This makes it particularly hard to get started with the
       embedding mode. (Once you get started, you can at least use
       @ffi.def_extern(onerror=...) and send the error logs where it makes
       sense for your application, or record them in log files, and so on.)
       So what is new in CFFI is that now, on Windows CFFI will try to open a
       non-modal MessageBox (in addition to sending raw messages to stderr).
       The MessageBox is only visible if the process stays alive: typically,
       console applications that crash close immediately, but that is also
       the situation where stderr should be visible anyway.
     * Progress on support for callbacks in NetBSD.
     * Functions returning booleans would in some case still return 0
       or 1 instead of False or True. Fixed.
     * ffi.gc() now takes an optional third parameter, which gives an
       estimate of the size (in bytes) of the object. So far, this is
       only used by PyPy, to make the next GC occur more quickly (issue
        #320). In the future, this might have an effect on CPython too
        (provided the CPython issue 31105 is addressed).
     * Add a note to the documentation: the ABI mode gives function
       objects that are slower to call than the API mode does. For some
        reason it is often thought to be faster. It is not!
   - Update to 1.10.1:
     * Fixed the line numbers reported in case of cdef() errors. Also, I just
       noticed, but pycparser always supported the preprocessor directive #
       42 "foo.h" to mean “from the next line, we’re in file foo.h
       starting from line 42”, which it puts in the error messages.

   - update to 1.10.0:
    * Issue #295: use calloc() directly instead of PyObject_Malloc()+memset()
      to handle with a default allocator. Speeds up where most of the time you never touch most of the
     * Some OS/X build fixes (“only with Xcode but without CLT”).
     * Improve a couple of error messages: when getting mismatched versions
       of cffi and its backend; and when calling functions which cannot be
       called with libffi because an argument is a struct that is “too
       complicated” (and not a struct pointer, which always works).
     * Add support for some unusual compilers (non-msvc, non-gcc, non-icc,
     * Implemented the remaining cases for ffi.from_buffer. Now all
       buffer/memoryview objects can be passed. The one remaining check is
       against passing unicode strings in Python 2. (They support the buffer
       interface, but that gives the raw bytes behind the UTF16/UCS4 storage,
       which is most of the times not what you expect. In Python 3 this has
       been fixed and the unicode strings don’t support the memoryview
       interface any more.)
     * The C type _Bool or bool now converts to a Python boolean when
       reading, instead of the content of the byte as an integer. The
       potential incompatibility here is what occurs if the byte contains a
       value different from 0 and 1. Previously, it would just return it;
       with this change, CFFI raises an exception in this case. But this case
       means “undefined behavior” in C; if you really have to interface
       with a library relying on this, don’t use bool in the CFFI side.
       Also, it is still valid to use a byte string as initializer for a
       bool[], but now it must only contain \x00 or \x01. As an aside,
       ffi.string() no longer works on bool[] (but it never made much sense,
       as this function stops at the first zero).
     * ffi.buffer is now the name of cffi’s buffer type, and ffi.buffer()
       works like before but is the constructor of that type.
     * ffi.addressof(lib, "name") now works also in in-line mode, not only in
       out-of-line mode. This is useful for taking the address of global
     * Issue #255: cdata objects of a primitive type (integers, floats, char)
       are now compared and ordered by value. For example, <cdata 'int' 42>
       compares equal to 42 and <cdata 'char' b'A'> compares equal to b'A'.
       Unlike C, <cdata 'int' -1> does not compare equal to
       ffi.cast("unsigned int", -1): it compares smaller, because -1 <
     * PyPy: and ffi.new_allocator()() did not record “memory
       pressure”, causing the GC to run too infrequently if you call very often and/or with large arrays. Fixed in PyPy 5.7.
     * Support in ffi.cdef() for numeric expressions with + or -. Assumes
       that there is no overflow; it should be fixed first before we add more
       general support for arbitrary arithmetic on constants.

   - do not generate HTML documentation for packages that are indirect
     dependencies of Sphinx (see docs at )

   - update to 1.9.1
     - Structs with variable-sized arrays as their last field: now we track
       the length of the array after is called, just like we always
       tracked the length of"int[]", 42). This lets us detect
       out-of-range accesses to array items. This also lets us display a
       better repr(), and have the total size returned by ffi.sizeof() and
       ffi.buffer(). Previously both functions would return a result based on
       the size of the declared structure type, with an assumed empty array.
       (Thanks andrew for starting this refactoring.)
     - Add support in cdef()/set_source() for unspecified-length arrays in
       typedefs: typedef int foo_t[...];. It was already supported for global
       variables or structure fields.
     - I turned in v1.8 a warning from cffi/ into an error: 'enum
       xxx' has no values explicitly defined: refusing to guess which integer
       type it is meant to be (unsigned/signed, int/long). Now I’m turning
       it back to a warning again; it seems that guessing that the enum has
       size int is a 99%-safe bet. (But not 100%, so it stays as a warning.)
     - Fix leaks in the code handling FILE * arguments. In CPython 3 there is
       a remaining issue that is hard to fix: if you pass a Python file
       object to a FILE * argument, then os.dup() is used and the new file
       descriptor is only closed when the GC reclaims the Python file
       object—and not at the earlier time when you call close(), which only
       closes the original file descriptor. If this is an issue, you should
       avoid this automatic convertion of Python file objects: instead,
       explicitly manipulate file descriptors and call fdopen() from C
       (...via cffi).
     - When passing a void * argument to a function with a different pointer
       or vice-versa, the cast occurs automatically, like in C. The same
        occurs for initialization with and a few other places.
        However, I thought that char * had the same property—but I was
        mistaken. In C you get the usual warning if you try to give a char *
        to a char ** argument, for example. Sorry about the confusion. This
        has been fixed in CFFI by giving for now a warning, too. It will turn
        into an error in a future version.
     - Issue #283: fixed on structures/unions with nested anonymous
       structures/unions, when there is at least one union in the mix. When
       initialized with a list or a dict, it should now behave more closely
       like the { } syntax does in GCC.
     - CPython 3.x: experimental: the generated C extension modules now use
       the “limited API”, which means that, as a compiled .so/.dll, it
       should work directly on any version of CPython >= 3.2. The name
       produced by distutils is still version-specific. To get the
       version-independent name, you can rename it manually to,
       or use the very recent setuptools 26.
     - Added ffi.compile(debug=...), similar to python build --debug
       but defaulting to True if we are running a debugging version of Python
     - Removed the restriction that ffi.from_buffer() cannot be used on byte
       strings. Now you can get a char * out of a byte string, which is valid
       as long as the string object is kept alive. (But don’t use it to
       modify the string object! If you need this, use bytearray or other
       official techniques.)
     - PyPy 5.4 can now pass a byte string directly to a char * argument (in
       older versions, a copy would be made). This used to be a CPython-only
     - ffi.gc(p, None) removes the destructor on an object previously created
       by another call to ffi.gc()
     - bool(ffi.cast("primitive type", x)) now returns False if the value is
       zero (including -0.0), and True otherwise. Previously this would only
       return False for cdata objects of a pointer type when the pointer is
     - bytearrays: ffi.from_buffer(bytearray-object) is now supported. (The
       reason it was not supported was that it was hard to do in PyPy, but it
       works since PyPy 5.3.) To call a C function with a char * argument
       from a buffer
       object—now including bytearrays—you write Additionally, this is now supported:
        p[0:length] = bytearray-object. The problem with this was that a
        iterating over bytearrays gives numbers instead of characters. (Now
        it is implemented with just a memcpy, of course, not actually
        iterating over the characters.)
     - C++: compiling the generated C code with C++ was supposed to work, but
       failed if you make use the bool type (because that is rendered as the
       C _Bool type, which doesn’t exist in C++).
     - help(lib) and help(lib.myfunc) now give useful information, as well as
       dir(p) where p is a struct or pointer-to-struct.
   - drop upstreamed python-cffi-avoid-bitshifting-negative-int.patch

   - update for multipython build

   - Add python-cffi-avoid-bitshifting-negative-int.patch to actually fix the
     "negative left shift" warning by replacing bitshifting in appropriate
     places by bitwise and comparison to self; patch taken from upstream git.
     Drop cffi-1.5.2-wnoerror.patch: no longer required.

   - disable "negative left shift" warning in test suite to prevent failures
     with gcc6, until upstream fixes the undefined code in question
     (boo#981848, cffi-1.5.2-wnoerror.patch)

   - Update to version 1.6.0:
     * ffi.list_types()
     * ffi.unpack()
     * extern “Python+C”
     * in API mode, contains the C signature now.
     * Yet another attempt at robustness of ffi.def_extern() against
       CPython’s interpreter shutdown logic.

   Changes in python-pylons-sphinx-themes:

   - moved LICENSE.txt to docs to match old structure

   - specfile:
     * update copyright year
   - update to version 1.0.11:
     * Fix the width of linenos table column when used in code-blocks.

   - Replace %fdupes -s with plain %fdupes; hardlinks are better.

   - Update to version 1.0.10 (2018-09-25)
     + Add Read the Docs to the recipients of ad revenue.
   - Update to version 1.0.9 (2018-09-23)
     + Remove hyphenation because it sometimes hyphenates inappropriately,
       such as in code.
   - Update to version 1.0.8 (2018-09-21)
     + Fix support for Ethical Ads.
   - Update to version 1.0.7 (2018-09-21)
     + Added support for Ethical Ads for Read The Docs. See

   - Remove superfluous devel dependency for noarch package

   - Update to version 1.0.6
     * Update zest.releaser in order to release to PyPI.
   - Update to version 1.0.5
     * Clean up licensing

   - Provide/obsolete old pylons_sphinx_theme

   - Update to version 1.0.4
     * Specify line spacing for list items for only within the .body class.
       version 1.0.3
     * Add line spacing for list items. Closes #4. version 1.0.2:
     * Remove HTTPS protocol to allow either HTTPS or HTTP. version 1.0.1:
     * Use HTTPS for protocol of stylesheets. version 1.0:
     * Use zest.releaser for releasing.
     * Improve documentation.
   - Converted to single-spec

   - version 0.3.1: initial build

   Changes in python-Django:
   - Fix merge artifact in CVE-2020-13596.patch

   - Add CVE-2019-19844.patch (bsc#1159447, CVE-2019-19844)
     * Fix Potential account hijack via password reset form

   - Security fixes (bsc#1172167, bsc#1172166, CVE-2020-13254,
     * Added patch CVE-2020-13254.patch
     * Added patch CVE-2020-13596.patch

   - Set _defaultlicensedir

   - Fix for SG#56542, bsc#1161349:
     * Fixed CVE-2019-3498-Fixed-content-spoof.patch

   - Fix for SG#56542, bsc#1161349:
     * Fixed CVE-2019-3498-Fixed-content-spoof.patch (There was a bug in this
       .patch file; some code had been accidentally included in the backport,
       and this stopped the 404 page from loading. See commit message and bug
       report for more information)

   Changes in python-Pillow:
   - Remove decompression_bomb.gif and relevant test case to avoid ClamAV
     scan alerts during build

   - Add 0008-Corrected-negative-seeks.patch
      * From upstream, backported
      * Fixes part of CVE-2019-16865, bsc#1153191
   - Add 0009-Make-Image.crop-an-immediate-operation.patch
      * From upstream, backported
      * Fixes
      * Used by 0012-Added-decompression-bomb-checks.patch
   - Add 0010-Crop-decompression.patch
      * From upstream, backported
      * Fixes
      * Used by 0012-Added-decompression-bomb-checks.patch
   - Add 0011-Added-DecompressionBombError.patch
      * From upstream, backported
      * Adds DecompressionBombError class
      * Used by 0012-Added-decompression-bomb-checks.patch
   - Add 0012-Added-decompression-bomb-checks.patch
      * From upstream, backported
      * Fixes part of CVE-2019-16865, bsc#1153191
   - Add 0013-Raise-error-if-dimension-is-a-string.patch
      * From upstream, backported
      * Fixes part of CVE-2019-16865, bsc#1153191
   - Add 0014-Catch-buffer-overruns.patch
      * From upstream, backported
      * Fixes part of CVE-2019-16865, bsc#1153191
   - Add 0015-Catch-PCX-P-mode-buffer-overrun.patch
      * From upstream, backported
      * Fixes CVE-2020-5312, bsc#1160152
   - Add 0016-Ensure-previous-FLI-frame-is-loaded.patch
      * From upstream, backported
      * Fixes
      * Uncovers CVE-2020-5313, bsc#1160153
   - Add 0017-Catch-FLI-buffer-overrun.patch
      * From upstream, backported
      * Fixes CVE-2020-5313, bsc#1160153
   - Add 018-Invalid-number-of-bands-in-FPX-image.patch
      * From upstream, backported
      * Fixes CVE-2019-19911, bsc#1160192

   Changes in python-psql2mysql:
   - Update to version 0.5.0+git.1589351878.4ef877c:
     * Do not fail on instance_info length, it is expected to be LONGTEXT

   - Update to version 0.5.0+git.1582192453.98e9561:
     * Neutron drivers use own naming for alembic migrations, e.g.
       cisco_alembic_version, aci_alembic_version, etc depending on driver.

   Changes in python-psutil:
   - Add bsc1156525-CVE-2019-18874.patch (bsc#1156525, CVE-2019-18874)

   Changes in python-py:
   - update to version 1.5.2
   - update to version 1.4.33

   Changes in python-py:
   - update to version 1.5.2:
     * fix #169, #170: error importing py.log on Windows: no module named
   - changes from version 1.5.1:
     * fix #167 - prevent pip from installing py in unsupported Python
   - changes from version 1.5.0:
     * python 2.6 and 3.3 are no longer supported
     * deprecate py.std and remove all internal uses
     * fix #73 turn py.error into an actual module
     * path join to / no longer produces leading double slashes
     * fix #82 - remove unsupportable aliases
     * fix python37 compatibility of path.sysfind on windows by correctly
       replacing vars
     * turn iniconfig and apipkg into vendored packages and ease de-vendoring
       for distributions
     * fix #68 remove invalid py.test.ensuretemp references
     * fix #25 - deprecate path.listdir(sort=callable)
     * add TerminalWriter.chars_on_current_line read-only property that
       tracks how many characters have been written to the current line.
   - changes from version 1.4.34
     * fix issue119 / pytest issue708 where tmpdir may fail to make numbered
       directories when the filesystem is case-insensitive.

   - update to version 1.4.33:
     * avoid imports in calls to py.path.local().fnmatch(). Thanks Andreas
       Pelme for the PR.
     * fix issue106: Naive unicode encoding when calling fspath() in python2.
       Thanks Tiago Nobrega for the PR.
     * fix issue110: unittest.TestCase.assertWarns fails with py imported.
   - changes from version 1.4.32
     * fix issue70: aded ability to copy all stat info in py.path.local.copy.
     * make TerminalWriter.fullwidth a property. This results in the correct
       value when the terminal gets resized.
     * update supported html tags to include recent additions. Thanks Denis
       Afonso for the PR.
     * Remove internal code in ``Source.compile`` meant to support earlier
       Python 3 versions that produced the side effect
       of leaving ``None`` in ``sys.modules`` when called (see
        pytest-dev/pytest#2103). Thanks Bruno Oliveira for the PR.

   Changes in python-pysaml2:
   - Add 0001-Always-generate-a-random-IV-for-AES-operations.patch
     (CVE-2017-1000246, bsc#1068612)

   - Add 0001-Fix-XML-Signature-Wrapping-XSW-vulnerabilities.patch
     (CVE-2020-5390, bsc#1160851)

   Changes in python-waitress:
   - update to 1.4.3 to include fixes for:
     * CVE-2019-16785 / bsc#1161088
     * CVE-2019-16786 / bsc#1161089
     * CVE-2019-16789 / bsc#1160790
     * CVE-2019-16792 / bsc#1161670

   - moved LICENSE.txt to docs to match old structure

   - make sure UTF8 locale is used when runnning tests
     * Sometimes functional tests executed in python3 failed if stdout was
       not set to UTF-8. The error message was: ValueError: underlying buffer
       has been detached

   - %python3_only -> %python_alternative

   - update to 1.4.3
     * Waitress did not properly validate that the HTTP headers it received
       were properly formed, thereby potentially allowing a front-end server
       to treat a request different from Waitress. This could lead to HTTP
       request smuggling/splitting.
   - drop patch local-intersphinx-inventories.patch
     * it was commented out, anyway

   - update to 1.4.0:
     - Waitress used to slam the door shut on HTTP pipelined requests without
       setting the ``Connection: close`` header as appropriate in the
       response. This is of course not very friendly. Waitress now explicitly
       sets the header when responding with an internally generated error
       such as 400 Bad Request or 500 Internal Server Error to notify the
       remote client that it will be closing the connection after the
       response is sent.
     - Waitress no longer allows any spaces to exist between the header
       field-name and the colon. While waitress did not strip the space and
       thereby was not vulnerable to any potential header field-name
       confusion, it should have sent back a 400 Bad Request. See
     - CRLR handling Security fixes

   - update to 1.3.1
     * Waitress won’t accidentally throw away part of the path if it starts
       with a double slash

   - version update to 1.3.0 Deprecations ~~~~~~~~~~~~
     - The ``send_bytes`` adjustment now defaults to ``1`` and is deprecated
       pending removal in a future release. and Features ~~~~~~~~
     - Add a new ``outbuf_high_watermark`` adjustment which is used to apply
       backpressure on the ``app_iter`` to avoid letting it spin faster than
       data can be written to the socket. This stabilizes responses that
       iterate quickly with a lot of data. See
     - Stop early and close the ``app_iter`` when attempting to write to a
       closed socket due to a client disconnect. This should notify a
       long-lived streaming response when a client hangs up. See and and
     - Adjust the flush to output ``SO_SNDBUF`` bytes instead of whatever was
       set in the ``send_bytes`` adjustment. ``send_bytes`` now only controls
       how much waitress will buffer internally before flushing to the
       kernel, whereas previously it used to also throttle how much data was
       sent to the kernel. This change enables a streaming ``app_iter``
       containing small chunks to still be flushed efficiently. See Bugfixes ~~~~~~~~
     - Upon receiving a request that does not include HTTP/1.0 or HTTP/1.1 we
       will no longer set the version to the string value "None". See and
     - When a client closes a socket unexpectedly there was potential for
       memory leaks in which data was written to the buffers after they were
       closed, causing them to reopen. See
     - Fix the queue depth warnings to only show when all threads are busy.
       See and
     - Trigger the ``app_iter`` to close as part of shutdown. This will only
       be noticeable for users of the internal server api. In more typical
       operations the server will die before benefiting from these changes.
     - Fix a bug in which a streaming ``app_iter`` may never cleanup data
       that has already been sent. This would cause buffers in waitress to
       grow without bounds. These buffers now properly rotate and release
       their data. See
     - Fix a bug in which non-seekable subclasses of ``io.IOBase`` would
       trigger an exception when passed to the ``wsgi.file_wrapper``
       callback. See

   - Trim marketing wording and other platform mentions.

   - Add to sources
   - Add local-intersphinx-inventories.patch for generating the docs correctly

   - update to version 1.2.1: too many changes to list here, see:
     or even:

   - Remove superfluous devel dependency for noarch package

   - update to version 1.1.0:
     * Features
       + Waitress now has a __main__ and thus may be called with "python
     * Bugfixes
       + Waitress no longer allows lowercase HTTP verbs. This change was made
         to fall in line with most HTTP servers. See
       + When receiving non-ascii bytes in the request URL, waitress will no
         longer abruptly close the connection, instead returning a 400 Bad
         Request. See and

   - Update to 1.0.2
     * Python 3.6 is now officially supported in Waitress
     * Add a work-around for libc issue on Linux not following the documented
       standards. If getnameinfo() fails because of DNS not being available
       it should return the IP address instead of the reverse DNS entry,
       however instead getnameinfo() raises. We catch this, and ask
       getnameinfo() for the same information again, explicitly asking for IP
       address instead of reverse DNS hostname.
   - Implement single-spec version.
   - Fix source URL.

   - update to 1.0.1:
     - IPv6 support on Windows was broken due to missing constants in the
       socket module. This has been resolved by setting the constants on
       Windows if they are missing. See
     - A ValueError was raised on Windows when passing a string for the port,
       on Windows in Python 2 using service names instead of port numbers
       doesn't work with `getaddrinfo`. This has been resolved by attempting
       to convert the port number to an integer, if that fails a ValueError
       will be raised. See
     - Removed `AI_ADDRCONFIG` from the call to `getaddrinfo`, this resolves
       an issue whereby `getaddrinfo` wouldn't return any addresses to `bind`
       to on hosts where there is no internet connection but localhost is
       requested to be bound to. See for more information.
   - disable tests. need network access.

   Changes in rabbitmq-server:
   - Apply patches to resolve CVE-2017-4967,CVE-2017-4965 (bsc#1037777)

   Changes in release-notes-suse-openstack-cloud:
   - Switch github URL from git@ to https:// to bypass authentication

   Changes in rubygem-activeresource:
   - Add bsc#1171560-CVE-2020-8151-encode-id-param.patch Prevent possible
     information disclosure issue that could allow an attacker to create
     specially crafted requests to access data in an unexpected way
     (bsc#1171560 CVE-2020-8151))

   Changes in rubygem-crowbar-client:
   - Update to 3.9.2
     - Enable SES commands in Cloud8 (SOC-11122)

   Changes in rubygem-json-1_7:
   - Add CVE-2020-10663.patch (CVE-2020-10663, bsc#1167244)

   Changes in rubygem-puma:
   - Fix indentation in gem2rpm.yml

   - Add CVE-2020-11077.patch (bsc#1172175, CVE-2020-11077)
   - Add chunked-request-handling.patch (needed for CVE-2020-11076.patch)
   - Add CVE-2020-11076.patch (bsc#1172176, CVE-2020-11076)
   - Add all patches to gem2rpm.yml

   - Add CVE-2020-5247.patch (bsc#1165402) "Fixes a problem where we were not
     splitting newlines in headers according to Rack spec" The patch is
     reduced compared to the upstream version, which was patching also the
     parts that are not implemented in our old Puma version. This applies to
     unit test as well.

   Changes in zookeeper:
   - Apply 0002-Apply-patch-to-resolve-CVE-2019-0201.patch This applies the
     patch for ZOOKEEPER-1392 to resolve CVE-2019-0201 Should not allow to
     read ACL when not authorized to read node (bsc#1135773)

   - Various cleanups in spec file

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 7:

      zypper in -t patch SUSE-OpenStack-Cloud-7-2020-2072=1

Package List:

   - SUSE OpenStack Cloud 7 (s390x x86_64):


   - SUSE OpenStack Cloud 7 (noarch):


   - SUSE OpenStack Cloud 7 (x86_64):



More information about the sle-updates mailing list