Packages changed:
  Mesa (25.0.1 -> 25.0.2)
  Mesa-drivers (25.0.1 -> 25.0.2)
  MicroOS-release (20250321 -> 20250324)
  crypto-policies (20230920.570ea89 -> 20250124.4d262e7)
  ebook-tools
  gdm
  python-alembic (1.14.1 -> 1.15.1)
  python-bcrypt (4.2.1 -> 4.3.0)
  shadow (4.17.3 -> 4.17.4)

=== Details ===

==== Mesa ====
Version update (25.0.1 -> 25.0.2)
Subpackages: Mesa-libEGL1 Mesa-libGL1 libgbm1

- Update to release 25.0.2
  - -> https://docs.mesa3d.org/relnotes/25.0.2

==== Mesa-drivers ====
Version update (25.0.1 -> 25.0.2)
Subpackages: Mesa-dri Mesa-gallium

- Update to release 25.0.2
  - -> https://docs.mesa3d.org/relnotes/25.0.2

==== MicroOS-release ====
Version update (20250321 -> 20250324)
Subpackages: MicroOS-release-appliance MicroOS-release-dvd

- automatically generated by openSUSE-release-tools/pkglistgen

==== crypto-policies ====
Version update (20230920.570ea89 -> 20250124.4d262e7)

- Allow sshd in FIPS mode when using the DEFAULT policy [bsc#1227370]
  * Add crypto-policies-Allow-sshd-in-FIPS-mode-using-DEFAULT.patch
- Enable SHA1 sigver in the DEFAULT policy.
  * Add crypto-policies-enable-SHA1-sigver-in-DEFAULT.patch
- Fix fips-mode-setup in EFI or Secure Boot mode. [bsc#1227637]
  * Rebase crypto-policies-FIPS.patch
- Remove dangling symlink for the libreswan config [bsc#1236858]
- Remove also sequoia config and generator files
- Remove not needed fips bind mount service
- Update to version 20250124.4d262e7: [bsc#1239009, bsc#1236165]
  * openssl: stricter enabling of Ciphersuites
  * openssl: make use of -CBC and -AESGCM keywords
  * openssl: add TLS 1.3 Brainpool identifiers
  * fix warning on using experimental key_exchanges
  * update-crypto-policies: don't output FIPS warning in fips mode
  * openssh: map mlkem768x25519-sha256 to KEM-ECDH & MLKEM768-X25519 & SHA2-256
  * openssh, libssh: refactor kx maps to use tuples
  * alg_lists: mark MLKEM768/SNTRUP kex experimental
  * nss: revert enabling mlkem768secp256r1
  * nss: add mlkem768x25519 and mlkem768secp256r1, remove xyber
  * gnutls: add GROUP-X25519-MLKEM768 and GROUP-SECP256R1-MLKEM768
  * openssl: use both names for SecP256r1MLKEM768 / X25519MLKEM768
  * openssh, TEST-PQ: rename MLKEM key_exchange to MLKEM768
  * openssh: add support for sntrup761x25519-sha512 and mlkem768x25519-sha256
  * openssl: map NULL to TLS_SHA256_SHA256:TLS_SHA384_SHA384...
  * python/update-crypto-policies: pacify pylint
  * fips-mode-setup: tolerate fips dracut module presence w/o FIPS
  * fips-mode-setup: small Argon2 detection fix
  * SHA1: add __openssl_block_sha1_signatures = 0
  * fips-mode-setup: block if LUKS devices using Argon2 are detected
  * update-crypto-policies: skip warning on --set=FIPS if bootc
  * fips-setup-helper: skip warning, BTW
  * fips-mode-setup: force --no-bootcfg when UKI is detected
  * fips-setup-helper: add a libexec helper for anaconda
  * fips-crypto-policy-overlay: automount FIPS policy
  * openssh: make dss no longer enableble, support is dropped
  * gnutls: wire GROUP-X25519-KYBER768 to X25519-KYBER768
  * DEFAULT: switch to rh-allow-sha1-signatures = no...
  * java: drop unused javasystem backend
  * java: stop specifying jdk.tls.namedGroups in javasystem
  * ec_min_size: introduce and use in java, default to 256
  * java: use and include jdk.disabled.namedCurves
  * BSI: Update BSI policy for new 2024 minimum recommendations
  * fips-mode-setup: flashy ticking warning upon use
  * fips-mode-setup: add another scary "unsupported"
  * CONTRIBUTING.md: add a small section on updating policies
  * CONTRIBUTING.md: remove trailing punctuation from headers
  * BSI: switch to 3072 minimum RSA key size
  * java: make hash, mac and sign more orthogonal
  * java: specify jdk.tls.namedGroups system property
  * java: respect more key size restrictions
  * java: disable anon ciphersuites, tying them to NULL...
  * java: start controlling / disable DTLSv1.0
  * nss: wire KYBER768 to XYBER768D00
  * nss: unconditionally load p11-kit-proxy.so
  * gnutls: make DTLS0.9 controllable again
  * gnutls: retire GNUTLS_NO_TLS_SESSION_HASH
  * openssh: remove OPENSSH_MIN_RSA_SIZE / OPENSSH_MIN_RSA_SIZE_FORCE
  * gnutls: remove extraneous newline
  * sequoia: move away from subprocess.getstatusoutput
  * python/cryptopolicies/cryptopolicies.py: add trailing commas
  * python, tests: rename MalformedLine to MalformedLineError
  * Makefile: introduce SKIP_LINTING flag for packagers to use
  * Makefile: run ruff
  * tests: use pathlib
  * tests: run(check=True) + CalledProcessError where convenient
  * tests: use subprocess.run
  * tests/krb5.py: check all generated policies
  * tests: print to stderr on error paths
  * tests/nss.py: also use encoding='utf-8'
  * tests/nss.py: also use removesuffix
  * tests/nss.py: skip creating tempfiles
  * tests/java.pl -> tests/java.py
  * tests/gnutls.pl -> tests/gnutls.py
  * tests/openssl.pl -> tests/openssl.py
  * tests/verify-output.pl: remove
  * libreswan: do not use up pfs= / ikev2= keywords for default behaviour
  * Rebase patches:
    - crypto-policies-no-build-manpages.patch
    - crypto-policies-policygenerators.patch
    - crypto-policies-supported.patch
    - crypto-policies-nss.patch
- Update to version 20241010.5930b9a:
  * LEGACY: enable 192-bit ciphers for nss pkcs12/smime
  * nss: be stricter with new purposes
  * nss: rewrite backend for 3.101
  * cryptopolicies: parent scopes for dumping purposes
  * policygenerators: move scoping inside generators
  * TEST-PQ: disable pure Kyber768
  * nss: wire XYBER768D00 to X25519-KYBER768
  * TEST-PQ: update
  * TEST-PQ: also enable sntrup761x25519-sha512@openssh.com
  * TEST-PQ, alg_lists, openssl: enable more experimental `sign` values
  * TEST-PQ, python: add more groups, mark experimental
  * openssl: mark liboqsprovider groups optional with ?
  * Remove patches:
    - crypto-policies-revert-rh-allow-sha1-signatures.patch
- Update to version 20240201.9f501f3:
  * .gitlab-ci.yml: install sequoia-policy-config
 ... changelog too long, skipping 21 lines ...
  * pylintrc: use-implicit-booleaness-not-comparison-to-*

==== ebook-tools ====

- Add patch:
  * ebook-tools-cmake4.patch
- Rebase patches
- Drop unneeded baselibs.conf

==== gdm ====
Subpackages: gdm-schema gdm-xdm-integration gdmflexiserver libgdm1 typelib-1_0-Gdm-1_0

- Rebase/fix gdm-switch-to-tty1.patch to fix build against gcc 15.
- Add gdm-settings-utils_rename-variable.patch: Rename variable to fix build with gcc 15 (https://gitlab.gnome.org/GNOME/gdm/-/merge_requests/273).

==== python-alembic ====
Version update (1.14.1 -> 1.15.1)

- Update to 1.15.1
  * Fixed an issue in the new :pep:`621` ``pyproject.toml`` layout that prevented Alembic's template files from being included in the ``.whl`` file in the distribution.

==== python-bcrypt ====
Version update (4.2.1 -> 4.3.0)

- Update 4.3.0
  * Bump proc-macro2 from 1.0.89 to 1.0.90 in /src/_bcrypt (#916)
  * Bump unicode-ident from 1.0.13 to 1.0.14 in /src/_bcrypt (#915)
  * fixes #917 -- correctly handle a salt that's too short (#918)
  * Bump cpufeatures from 0.2.15 to 0.2.16 in /src/_bcrypt (#919)
  * Bump proc-macro2 from 1.0.90 to 1.0.92 in /src/_bcrypt (#920)
  * Bump syn from 2.0.87 to 2.0.89 in /src/_bcrypt (#921)
  * Fix new ruff warning (#923)
  * Build manylinux 2.34 images (#922)
  * Bump portable-atomic from 1.9.0 to 1.10.0 in /src/_bcrypt (#924)
  * drop py37 (#926)
  * Bump pyo3 from 0.23.1 to 0.23.2 in /src/_bcrypt (#927)
  * Bump libc from 0.2.164 to 0.2.165 in /src/_bcrypt (#928)
  * Bump libc from 0.2.165 to 0.2.166 in /src/_bcrypt (#929)
  * Bump dawidd6/action-download-artifact from 6 to 7 (#932)
  * Bump syn from 2.0.89 to 2.0.90 in /src/_bcrypt (#931)
  * Bump libc from 0.2.166 to 0.2.167 in /src/_bcrypt (#930)
  * Bump pyo3 from 0.23.2 to 0.23.3 in /src/_bcrypt (#933)
  * Bump actions/cache from 4.1.2 to 4.2.0 (#934)
  * Bump libc from 0.2.167 to 0.2.168 in /src/_bcrypt (#935)
  * Bump pypa/gh-action-pypi-publish from 1.12.2 to 1.12.3 (#936)
  * Bump dtolnay/rust-toolchain (#937)
  * Bump actions/upload-artifact from 4.4.3 to 4.5.0 (#938)
  * Bump libc from 0.2.168 to 0.2.169 in /src/_bcrypt (#939)
  * Bump syn from 2.0.90 to 2.0.91 in /src/_bcrypt (#940)
  * Bump quote from 1.0.37 to 1.0.38 in /src/_bcrypt (#942)
  * Bump syn from 2.0.91 to 2.0.92 in /src/_bcrypt (#941)
  * Bump syn from 2.0.92 to 2.0.93 in /src/_bcrypt (#943)
  * Bump syn from 2.0.93 to 2.0.94 in /src/_bcrypt (#944)
  * Bump syn from 2.0.94 to 2.0.95 in /src/_bcrypt (#945)
  * Bump syn from 2.0.95 to 2.0.96 in /src/_bcrypt (#948)
  * Bump actions/upload-artifact from 4.5.0 to 4.6.0 (#947)
  * Bump proc-macro2 from 1.0.92 to 1.0.93 in /src/_bcrypt (#949)
  * Bump pyo3 from 0.23.3 to 0.23.4 in /src/_bcrypt (#950)
  * Support free-threaded Python 3.13 (#925)
  * Switch to nox (#954)
  * use github hosted arm runners in wheel builder (#952)
  * use github hosted arm runners in ci (#951)
  * Bump dawidd6/action-download-artifact from 7 to 8 (#956)
  * Bump pypa/gh-action-pypi-publish from 1.12.3 to 1.12.4 (#957)
  * Bump unicode-ident from 1.0.14 to 1.0.15 in /src/_bcrypt (#958)
  * include matrix.PYTHON.VERSION in CI cache keys (#964)
  * Bump cpufeatures from 0.2.16 to 0.2.17 in /src/_bcrypt (#960)
  * Bump unicode-ident from 1.0.15 to 1.0.16 in /src/_bcrypt (#962)
  * Bump actions/setup-python from 5.3.0 to 5.4.0 (#963)
  * Update getrandom and bcrypt (#966)
  * Bump syn from 2.0.96 to 2.0.98 in /src/_bcrypt (#967)
  * Bump quansight-labs/setup-python from 5.3.1 to 5.4.0 (#968)
  * add support for free-threaded wheels (#955)
  * Bump once_cell from 1.20.2 to 1.20.3 in /src/_bcrypt (#970)
  * Bump unicode-ident from 1.0.16 to 1.0.17 in /src/_bcrypt (#972)
  * Bump typenum from 1.17.0 to 1.18.0 in /src/_bcrypt (#973)
  * Bump actions/cache from 4.2.0 to 4.2.1 (#974)
  * Bump actions/upload-artifact from 4.6.0 to 4.6.1 (#975)
  * Bump libc from 0.2.169 to 0.2.170 in /src/_bcrypt (#976)
  * Bump inout from 0.1.3 to 0.1.4 in /src/_bcrypt (#977)
  * Bump portable-atomic from 1.10.0 to 1.11.0 in /src/_bcrypt (#978)
  * Update PyO3 to 0.23.5 (#980)
  * Bump actions/download-artifact from 4.1.8 to 4.1.9 (#982)
  * Add PyPy 3.11 and armv7l to matrix runner (#983)
  * PyPy 3.11 and armv7l wheels (#984)

==== shadow ====
Version update (4.17.3 -> 4.17.4)
Subpackages: libsubid5 login_defs

- Update to 4.17.4:
  * Revert "lib/, src/: Use local time for human-readable dates"
  * lib/getdate.y: Ignore time-zone information and use UTC
  * src/chfn.c: Partially revert "lib/, src/: Use strsep(3) instead of its pattern"
  * src/chfn.c: Use stpsep() instead of its pattern
  * src/chfn.c: Add local variable to refer to the separated field
  * src/chfn.c: copy_field(): Rename local variable
  * lib/commonio.c: Rely on the POSIX.1-2008 behavior of realpath(3)
  * lib/fs/readlink/: readlinknul(): Use ssize_t to simplify
  * autogen.sh: Promote -Wsign-compare to an error
  * lib/sizeof.h: ssizeof(): Add signed variant of sizeof
  * src/lastlog.c: Use ssizeof() to avoid a -Wsign-compare diagnostic
  * tests/unit/test_xasprintf.c: Fix sign-mismatch diagnostic
  * configure.ac: stop checking for utmp location
  * configure.ac: be deterministic about passwd location
  * lib/, src/: update audit messages
  * lib/: audit function for groups
  * src/: update group audit messages
  * doc/: Remove list of distributions