Packages changed: bash hostname krb5 (1.18 -> 1.18.1) libgcrypt openssl-1_1 === Details === ==== bash ==== - Add official patch bash50-017 * There were cases where patch 16 reaped process substitution file descriptors (or FIFOs) and processes to early. This is a better fix for the problem that bash50-016 attempted to solve. - Remove temporary patch bash50-fix-016-close-new-fifos.patch ==== hostname ==== - Fix LIBEXECDIR substitution for systemd service - Add nis-domainname.service for FreeIPA ==== krb5 ==== Version update (1.18 -> 1.18.1) - Upgrade to 1.18.1 * Fix a crash when qualifying short hostnames when the system has no primary DNS domain. * Fix a regression when an application imports "service@" as a GSS host-based name for its acceptor credential handle. * Fix KDC enforcement of auth indicators when they are modified by the KDB module. * Fix removal of require_auth string attributes when the LDAP KDB module is used. * Fix a compile error when building with musl libc on Linux. * Fix a compile error when building with gcc 4.x. * Change the KDC constrained delegation precedence order for consistency with Windows KDCs. - Remove 0009-Fix-null-dereference-qualifying-short-hostnames.patch ==== libgcrypt ==== - FIPS: libgcrypt: Double free in test_keys() on failed signature verification [bsc#1169944] * Use safer gcry_mpi_release() instead of mpi_free() - Update patches: * libgcrypt-PCT-DSA.patch * libgcrypt-PCT-RSA.patch * libgcrypt-PCT-ECC.patch - Ship the FIPS checksum file in the shared library package and create a separate trigger file for the FIPS selftests (bsc#1169569) * add libgcrypt-fips_selftest_trigger_file.patch * refresh libgcrypt-global_init-constructor.patch - Remove libgcrypt-binary_integrity_in_non-FIPS.patch obsoleted by libgcrypt-global_init-constructor.patch - FIPS: Verify that the generated signature and the original input differ in test_keys function for RSA, DSA and ECC: [bsc#1165539] - Add zero-padding when qx and qy have different lengths when assembling the Q point from affine coordinates. - Refreshed patches: * libgcrypt-PCT-DSA.patch * libgcrypt-PCT-RSA.patch * libgcrypt-PCT-ECC.patch - FIPS: Switch the PCT to use the new signature operation [bsc#1165539] * Patches for DSA, RSA and ECDSA test_keys functions: - libgcrypt-PCT-DSA.patch - libgcrypt-PCT-RSA.patch - libgcrypt-PCT-ECC.patch - Update patch: libgcrypt-FIPS-RSA-DSA-ECDSA-hashing-operation.patch - FIPS: Run self-tests from constructor during power-on [bsc#1166748] * Set up global_init as the constructor function: - libgcrypt-global_init-constructor.patch * Relax the entropy requirements on selftest. This is especially important for virtual machines to boot properly before the RNG is available: - libgcrypt-random_selftests-testentropy.patch - libgcrypt-rsa-no-blinding.patch - libgcrypt-ecc-ecdsa-no-blinding.patch * Fix benchmark regression test in FIPS mode: - libgcrypt-FIPS-GMAC_AES-benckmark.patch - Remove check not needed in _gcry_global_constructor [bsc#1164950] * Update libgcrypt-Restore-self-tests-from-constructor.patch - FIPS: Run the self-tests from the constructor [bsc#1164950] * Add libgcrypt-invoke-global_init-from-constructor.patch ==== openssl-1_1 ==== Subpackages: libopenssl1_1 - Limit the DRBG selftests to not deplete entropy (bsc#1165274) * fixes also Firefox crashing with Kerberos (bsc#1167132) * update openssl-fips_selftest_upstream_drbg.patch