Packages changed:
  MicroOS-release (20251111 -> 20251112)
  coreutils (9.8 -> 9.9)
  coreutils-systemd (9.8 -> 9.9)
  crypto-policies (20250124.4d262e7 -> 20250714.cd6043a)
  llvm21 (21.1.4 -> 21.1.5)
  multipath-tools (0.11.0+184+suse.9bca786 -> 0.13.0+127+suse.37f9a4c9)
  polkit-default-privs (1550+20251031.036888e -> 1550+20251111.84b92d9)

=== Details ===

==== MicroOS-release ====
Version update (20251111 -> 20251112)
Subpackages: MicroOS-release-appliance MicroOS-release-dvd

- automatically generated by openSUSE-release-tools/pkglistgen

==== coreutils ====
Version update (9.8 -> 9.9)

- Update to 9.9:
  Bug fixes
  * `basenc --base58` would not operate correctly with input > 15561475 bytes.
    [bug introduced with --base58 in coreutils-9.8]
  * 'cksum --check' now supports base64 encoded input in untagged format:
    - for all length adjustable algorithms (blake2b, sha2, sha3),
    - if that base64 input starts with a tag like "SHA1" etc.
    Previously an error was given, about invalid input format.
    [bug introduced in coreutils-9.2]
  * 'cksum --check -a sha2' has better support for tagged format.
    Previously an unneeded but explicit '-a sha2' did not match standard
    tags like SHA256. Also non standard SHA2 tags with a bad length
    resulted in undefined behavior.
    [bug introduced in coreutils-9.8]
  * 'cp' restores performance with transparently compressed files, which
    regressed due to the avoidance of copy offload, seen with OpenZFS at least.
    [bug introduced in coreutils-9.8]
  * `env` on macOS, for now only when built with --disable-nls, will no longer
    always set a __CF_USER_TEXT_ENCODING environment variable.
    [bug introduced in coreutils-9.8]
  * 'nice' now limits the adjusted niceness value to its supported range on
    GNU/Hurd.
    [This bug was present in "the beginning".]
  * 'numfmt' no longer reads out-of-bounds memory with trailing blanks in input.
    [bug introduced with numfmt in coreutils-8.21]
  * 'numfmt' no longer outputs invalid characters with multi-byte blanks in input.
    [bug introduced in coreutils-9.5]
  * 'rm -d DIR' no longer fails on Ceph snapshot directories.
    Although these directories are nonempty, 'rmdir DIR' succeeds on them.
    [bug introduced in coreutils-8.16]
  * 'sort --compress-program' now diagnoses if it can't write more data to an
    exited compressor. Previously sort could have exited silently in this case.
    [bug introduced in coreutils-6.8]
  * 'tail' outputs the correct number of lines again for non-small -n values.
    Previously it may have output too few lines.
    [bug introduced in coreutils-9.8]
  * 'unexpand' no longer triggers a heap buffer overflow with --tabs arguments
    that use the GNU extension /NUM or +NUM formats.
    [bug introduced in coreutils-8.28]
  Changes in behavior
  * 'cp' with default options may again, like with versions before v9.8,
    miss opportunities to create holes with file systems that support
    SEEK_HOLE only trivially. This change is a consequence of the
    abovementioned copy offload fix.
  * 'sort --compress-program' will continue without compressing temporary
    files if the specified program cannot be executed. Also malformed shell
    scripts without a "shebang line" will no longer be executed.
  New Features
  * 'numfmt' now accepts the --unit-separator=SEP option, to output or accept
    a separator between the number and unit. For e.g. "1234 M".
  Improvements
  * 'fmt', 'date', 'nl', and 'pr' will now exit promptly upon receiving a
    write error, which is significant when reading large / unbounded inputs.
  * install, sort, and split now use posix_spawn() to invoke child programs
    more efficiently and more independently from their own memory usage.
  * 'numfmt':
    - parses numbers with a non-breaking space character before a unit
    - parses numbers containing grouping characters from the current locale
    - supports a multi-byte --delimiter character
    - no longer processes input indefinitely in the presence of write errors
  * wc -l now operates 10% faster on hosts that support AVX512 instructions.
  Build-related
  * chcon and runcon are not built by default if selinux headers are not
    present, or if the --without-selinux configure option is specified.
    This can be overridden with the --with-selinux configure option.
  * nproc no longer fails to build with Android API level <= 20.
    [build issue introduced in coreutils-9.8]
- coreutils-9.8-tail-large-num-of-files.patch: Remove now-upstream patch.
- coreutils-i18n.patch: Refresh patch.
- Refresh all other patches.

==== coreutils-systemd ====
Version update (9.8 -> 9.9)

- Update to 9.9:
  Bug fixes
  * `basenc --base58` would not operate correctly with input > 15561475 bytes.
    [bug introduced with --base58 in coreutils-9.8]
  * 'cksum --check' now supports base64 encoded input in untagged format:
    - for all length adjustable algorithms (blake2b, sha2, sha3),
    - if that base64 input starts with a tag like "SHA1" etc.
    Previously an error was given, about invalid input format.
    [bug introduced in coreutils-9.2]
  * 'cksum --check -a sha2' has better support for tagged format.
    Previously an unneeded but explicit '-a sha2' did not match standard
    tags like SHA256. Also non standard SHA2 tags with a bad length
    resulted in undefined behavior.
    [bug introduced in coreutils-9.8]
  * 'cp' restores performance with transparently compressed files, which
    regressed due to the avoidance of copy offload, seen with OpenZFS at least.
    [bug introduced in coreutils-9.8]
  * `env` on macOS, for now only when built with --disable-nls, will no longer
    always set a __CF_USER_TEXT_ENCODING environment variable.
    [bug introduced in coreutils-9.8]
  * 'nice' now limits the adjusted niceness value to its supported range on
    GNU/Hurd.
    [This bug was present in "the beginning".]
  * 'numfmt' no longer reads out-of-bounds memory with trailing blanks in input.
    [bug introduced with numfmt in coreutils-8.21]
  * 'numfmt' no longer outputs invalid characters with multi-byte blanks in input.
    [bug introduced in coreutils-9.5]
  * 'rm -d DIR' no longer fails on Ceph snapshot directories.
    Although these directories are nonempty, 'rmdir DIR' succeeds on them.
    [bug introduced in coreutils-8.16]
  * 'sort --compress-program' now diagnoses if it can't write more data to an
    exited compressor. Previously sort could have exited silently in this case.
    [bug introduced in coreutils-6.8]
  * 'tail' outputs the correct number of lines again for non-small -n values.
    Previously it may have output too few lines.
    [bug introduced in coreutils-9.8]
  * 'unexpand' no longer triggers a heap buffer overflow with --tabs arguments
    that use the GNU extension /NUM or +NUM formats.
    [bug introduced in coreutils-8.28]
  Changes in behavior
  * 'cp' with default options may again, like with versions before v9.8,
    miss opportunities to create holes with file systems that support
    SEEK_HOLE only trivially. This change is a consequence of the
    abovementioned copy offload fix.
  * 'sort --compress-program' will continue without compressing temporary
    files if the specified program cannot be executed. Also malformed shell
    scripts without a "shebang line" will no longer be executed.
  New Features
  * 'numfmt' now accepts the --unit-separator=SEP option, to output or accept
    a separator between the number and unit. For e.g. "1234 M".
  Improvements
  * 'fmt', 'date', 'nl', and 'pr' will now exit promptly upon receiving a
    write error, which is significant when reading large / unbounded inputs.
  * install, sort, and split now use posix_spawn() to invoke child programs
    more efficiently and more independently from their own memory usage.
  * 'numfmt':
    - parses numbers with a non-breaking space character before a unit
    - parses numbers containing grouping characters from the current locale
    - supports a multi-byte --delimiter character
    - no longer processes input indefinitely in the presence of write errors
  * wc -l now operates 10% faster on hosts that support AVX512 instructions.
  Build-related
  * chcon and runcon are not built by default if selinux headers are not
    present, or if the --without-selinux configure option is specified.
    This can be overridden with the --with-selinux configure option.
  * nproc no longer fails to build with Android API level <= 20.
    [build issue introduced in coreutils-9.8]
- coreutils-9.8-tail-large-num-of-files.patch: Remove now-upstream patch.
- coreutils-i18n.patch: Refresh patch.
- Refresh all other patches.

==== crypto-policies ====
Version update (20250124.4d262e7 -> 20250714.cd6043a)

- Fix the testsuite:
  * Port all the policy changes to the config files in the test suite.
  * Use the newly introduced SKIP_LINTING=1 option.
  * Rebase crypto-policies-Allow-openssl-other-policies-in-FIPS-mode.patch
- Adapt the manpages to SUSE/openSUSE:
  * Add crypto-policies-SUSE-manpages.patch
  * Compress all the man pages for update-crypto-policies.8.gz,
    crypto-policies.7.gz, fips-finish-install.8.gz and
    fips-mode-setup.8.gz into man-crypto-policies.tar.xz
- Update to version 20250714.cd6043a: [bsc#1253025, bsc#1252696]
  * gnutls: enable ML-DSA, for both secure-sig and secure-sig-for-cert
  * python, policies, tests: alias X25519-MLKEM768 to MLKEM768-X25519
  * FIPS: disable MLKEM768-X25519 for openssh (no-op)
  * FIPS: deprioritize X25519-MLKEM768 over P256-MLKEM768 for openssl...
  * TEST-PQ: be more careful with the ordering
  * openssl: send one PQ and one classic key_share; prioritize PQ groups
  * sequoia: Generate AEAD policy
  * Do not include EdDSA in FIPS policy
  * sequoia: Add PQC algorithm
  * sequoia: Run tests against PQC capable policy-config-check
  * Revert "openssl, policies: implement group_key_share option"
  * openssl, policies: implement group_key_share option
  * FIPS: enable hybrid ML-KEM (TLS only) and pure ML-DSA
  * python/build-crypto-policies: output diffs on --test mismatches
  * sequoia, rpm-sequoia: use ignore_invalid with sha3, x25519, ...
  * policies, alg_lists, openssl: remove KYBER from allowed values
  * openssl: stricter enabling of Ciphersuites
  * openssl: make use of -CBC and -AESGCM keywords
  * openssl: add TLS 1.3 Brainpool identifiers
  * fix warning on using experimental key_exchanges
  * update-crypto-policies: don't output FIPS warning in fips mode
  * openssh: map mlkem768x25519-sha256 to KEM-ECDH & MLKEM768-X25519 & SHA2-256
  * openssh, libssh: refactor kx maps to use tuples
  * alg_lists: mark MLKEM768/SNTRUP kex experimental
  * nss: revert enabling mlkem768secp256r1
  * nss: add mlkem768x25519 and mlkem768secp256r1, remove xyber
  * gnutls: add GROUP-X25519-MLKEM768 and GROUP-SECP256R1-MLKEM768
  * openssl: use both names for SecP256r1MLKEM768 / X25519MLKEM768
  * openssh, TEST-PQ: rename MLKEM key_exchange to MLKEM768
  * openssh: add support for sntrup761x25519-sha512 and mlkem768x25519-sha256
  * LEGACY: enable 192-bit ciphers for nss pkcs12/smime
  * openssl: map NULL to TLS_SHA256_SHA256:TLS_SHA384_SHA384...
  * nss: be stricter with new purposes
  * python/update-crypto-policies: pacify pylint
  * fips-mode-setup: tolerate fips dracut module presence w/o FIPS
  * fips-mode-setup: small Argon2 detection fix
  * SHA1: add __openssl_block_sha1_signatures = 0
  * fips-mode-setup: block if LUKS devices using Argon2 are detected
  * update-crypto-policies: skip warning on --set=FIPS if bootc
  * fips-setup-helper: skip warning, BTW
  * fips-mode-setup: force --no-bootcfg when UKI is detected
  * fips-crypto-policy-overlay: automount FIPS policy
  * nss: rewrite backend for 3.101
  * cryptopolicies: parent scopes for dumping purposes
  * policygenerators: move scoping inside generators
  * openssh: make dss no longer enableable, support is dropped
  * gnutls: wire GROUP-X25519-KYBER768 to X25519-KYBER768
  * TEST-PQ: disable pure Kyber768
  * DEFAULT: switch to rh-allow-sha1-signatures = no...
  * java: drop unused javasystem backend
  * java: stop specifying jdk.tls.namedGroups in javasystem
  * ec_min_size: introduce and use in java, default to 256
  * java: use and include jdk.disabled.namedCurves
  * BSI: Update BSI policy for new 2024 minimum recommendations
  * fips-mode-setup: flashy ticking warning upon use
  * fips-mode-setup: add another scary "unsupported"
  * BSI: switch to 3072 minimum RSA key size
  * java: make hash, mac and sign more orthogonal
  * java: specify jdk.tls.namedGroups system property
  * java: respect more key size restrictions
  * java: disable anon ciphersuites, tying them to NULL...
  * java: start controlling / disable DTLSv1.0
  * nss: wire KYBER768 to XYBER768D00
- Update to version 20250425.9267dee:
  * openssl: fix mistakes in integrity-only cipher definitions
  * NO-PQ, cryptopolicies: add experimental value suppression
  * nss: add mlkem768x25519 and mlkem768secp256r1
  * gnutls: 'allow-rsa-pkcs1-encrypt = false' everywhere but in LEGACY
  * TEST-PQ, openssh: add support for MLKEM768 key_exchange
  * LEGACY: drop cipher@pkcs12 = SEED-CBC
  * fips-crypto-policy-overlay: automount FIPS policy, follow-up fixes
  * nss: TLS-REQUIRE-EMS in FIPS
  * DEFAULT: disable RSA key exchange
  * LEGACY: disable sign = *-SHA1
  * nss: wire XYBER768D00 to X25519-KYBER768, not KYBER768
  * Removed patches fixed upstream:
    - crypto-policies-pylint.patch
  * Rebased patches:
    - crypto-policies-nss.patch
- Add the FIPS scripts fips-finish-install and fips-mode-setup as
  sources in the spec file as they have been removed upstream.
  * We will maintain these scripts downstream.
  * Update the man pages for update-crypto-policies.8.gz
  * Rebase crypto-policies-no-build-manpages.patch
  * Add crypto-policies-FIPS-output.patch
  * Add man pages in text file in compressed form in the file
    man-fips-scripts.tar.xz and add them to the Makefile.
- Update to version 20250324.3714354:
  * NO-PQ: introduce
... changelog too long, skipping 21 lines ...
- crypto-policies-Allow-sshd-in-FIPS-mode-using-DEFAULT.patch

==== llvm21 ====
Version update (21.1.4 -> 21.1.5)

- Update to version 21.1.5.
  * This release contains bug-fixes for the LLVM 21.1.0 release.
    This release is API and ABI compatible with 21.1.0.
- Rebase llvm-do-not-install-static-libraries.patch.

==== multipath-tools ====
Version update (0.11.0+184+suse.9bca786 -> 0.13.0+127+suse.37f9a4c9)
Subpackages: kpartx libmpath0

- Update to version 0.13.0+127+suse.37f9a4c9
- Major rework of the SCSI Persistent Reservation code in upstream 0.13.0
- Changes in upstream 0.12.0 (see also NEWS.md)
  * Improved the communication with **udev** and **systemd** by triggering
    uevents when path devices are added to or removed from multipath maps,
    or when `multipathd reconfigure` is executed after changing blacklist
    directives in `multipath.conf`.
  * Maps that were added outside of multipathd (e.g. using the **multipath**
    command) and that couldn't be reloaded by multipathd used to be ignored
    by multipathd. multipathd will now monitor them. If some paths were
    offline while the map was created, multipathd will now add them to the
    map when they go online again.
  * multipathd retries persistent reservation commands that have failed on
    one path on another one.
- Bug fixes in upstream 0.12.0 (see also NEWS.md) (bsc#1253260)
  * Failed paths should be checked every `polling_interval`. In certain
    cases, this wouldn't happen, because the check interval wasn't reset
    by multipathd.
  * It could happen that multipathd would accidentally release a SCSI
    persistent reservation held by another node. Fix it.
  * After manually failing some paths and then reinstating them, sometimes
    the reinstated paths were immediately failed again by multipathd. Fix it.
  * Fix crash in foreign (nvme native multipath) code, present since 0.8.8.
  * Various minor fixes reported by coverity.

==== polkit-default-privs ====
Version update (1550+20251031.036888e -> 1550+20251111.84b92d9)

- Update to version 1550+20251111.84b92d9:
  * profiles: fwupd (bsc#1253111)