- Prevent overflow when calculating ulog block size. An authenticated
attacker can cause kadmind to write beyond the end of the mapped
region for the iprop log file, likely causing a process crash;
(CVE-2025-24528); (bsc#1236619).
- Add patch 0010-CVE-2025-24528.patch
==== libapparmor ====
- Add python313.patch to fix the build with Python 3.13
- automatically generated by openSUSE-release-tools/pkglistgen
==== pam_pkcs11 ====
Version update (0.6.12 -> 0.6.13)
- Update to 0.6.13
* Added pkcs11-eventmgr systemd service unit.
* Updated Russian translations for pam_pkcs11 (thx Max Kosmach and Andrey Cherepanov).
* Fixed possible authentication bypass (CVE-2025-24032):
  - Use signatures to verify authentication by default (thx Frank Morgner).
* Fixed possible authentication bypass (CVE-2025-24531):
  - Restoring the original card_only / wait_for_card behavior (thx Matthias Gerstner, Frank Morgner).
* Move pam_securetty.so upward in the example PAM config.
* Set 'slot_num' configuration parameter to 0 by default (thx Jpereyra316).
* Print details about configuration parse errors (thx Jpereyra316).
* Add Chinese (Simplified) translation.
* Capitalize all PAM messages (thx Alynx Zhou).
* Made pkcs11_make_hash_link support whitespace in file names.
- Drop 0001-Set-slot_num-configuration-parameter-to-0-by-default.patch
- Drop 0001-memory-leak-fixes.patch
- Rebase pam_pkcs11-0.5.3-nss-conf.patch
- Rebase pam_pkcs11-0.6.0-nss-autoconf.patch
==== python-cryptography ====
Version update (43.0.3 -> 44.0.0)
- Update to version 44.0.0:
* BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL < 3.9.
* Deprecated Python 3.7 support. Python 3.7 is no longer supported by
the Python core team. Support for Python 3.7 will be removed in a future
cryptography release.
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.4.0.
* macOS wheels are now built against the macOS 10.13 SDK. Users on older
versions of macOS should upgrade, or they will need to build cryptography
themselves.
* Enforce the RFC 5280 requirement that extended key usage extensions must not be empty.
* Added support for timestamp extraction to the cryptography.fernet.MultiFernet class.
* Relax the Authority Key Identifier requirements on root CA certificates
during X.509 verification to allow fields permitted by RFC 5280 but
forbidden by the CA/Browser BRs.
* Added support for cryptography.hazmat.primitives.kdf.argon2.Argon2id when using
OpenSSL 3.2.0+.
* Added support for the cryptography.x509.Admissions certificate extension.
* Added basic support for PKCS7 decryption (including S/MIME 3.2) via
cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_der,
cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_pem,
and cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_smime.
- Update specfile to accommodate new project structure at version 44.0.0
- Update no-pytest_benchmark.patch
==== python-pyOpenSSL ====
Version update (24.2.1 -> 25.0.0)
- Switch to pyproject macros.
- Add typing-extensions to Requires for 3.11 and 3.12.
- Update to 25.0.0
* Backward-incompatible changes: none.
* Deprecations: none.
* Changes:
- Corrected type annotations on Context.set_alpn_select_callback,
Context.set_session_cache_mode, Context.set_options, Context.set_mode,
X509.subject_name_hash, and X509Store.load_locations.
- Deprecated APIs are now marked using warnings.deprecated. mypy will emit deprecation notices
for them when used with --enable-error-code deprecated.
- Changes from 24.3.0
* Backward-incompatible changes:
- Removed the deprecated OpenSSL.crypto.CRL, OpenSSL.crypto.Revoked, OpenSSL.crypto.dump_crl,
and OpenSSL.crypto.load_crl. cryptography.x509's CRL functionality should be used instead.
- Removed the deprecated OpenSSL.crypto.sign and OpenSSL.crypto.verify.
cryptography.hazmat.primitives.asymmetric's signature APIs should be used instead.
* Deprecations:
- Deprecated OpenSSL.rand - callers should use os.urandom() instead.
- Deprecated add_extensions and get_extensions on OpenSSL.crypto.X509Req and OpenSSL.crypto.X509.
These should have been deprecated at the same time X509Extension was. Users should use pyca/cryptography's X.509 APIs instead.
- Deprecated OpenSSL.crypto.get_elliptic_curves and OpenSSL.crypto.get_elliptic_curve,
as well as passing the result of them to OpenSSL.SSL.Context.set_tmp_ecdh;
users should instead pass curves from cryptography.
- Deprecated passing X509 objects to OpenSSL.SSL.Context.use_certificate, OpenSSL.SSL.Connection.use_certificate,
OpenSSL.SSL.Context.add_extra_chain_cert, and OpenSSL.SSL.Context.add_client_ca, users should instead
pass cryptography.x509.Certificate instances. This is in preparation for deprecating pyOpenSSL's X509 entirely.
- Deprecated passing PKey objects to OpenSSL.SSL.Context.use_privatekey and OpenSSL.SSL.Connection.use_privatekey;
users should instead pass cryptography private key instances. This is in preparation for deprecating pyOpenSSL's PKey entirely.
* Changes:
- cryptography maximum version has been increased to 44.0.x.
- OpenSSL.SSL.Connection.get_certificate, OpenSSL.SSL.Connection.get_peer_certificate,
OpenSSL.SSL.Connection.get_peer_cert_chain, and OpenSSL.SSL.Connection.get_verified_chain
now take an as_cryptography keyword argument. When True is passed,
cryptography.x509.Certificate instances are returned instead of OpenSSL.crypto.X509.
In the future, passing False (the default) will be deprecated.
- Rebase skip-networked-test.patch.
- Update to release 2.10.2
* If the ssh responder is not running, sss_ssh_knownhosts will
not fail (but it will not return the keys).
* SSSD is now capable of handling multiple services associated
with the same port.
* sssd_pam, being a privileged binary, now clears the
environment and does not allow configuration of the
PR_SET_DUMPABLE flag as a precaution.
==== tiff ====
- Update test/test_directory.c not to fail on big-endian machines.
* Add tiff-4.7.0-test_directory.patch
- Fix memory leaks (fixes issue #652)
  * Resolves bsc#1236834
- Fix build failure on s390x