Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package kanidm for openSUSE:Factory checked in at 2026-05-09 12:59:57
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/kanidm (Old)
 and      /work/SRC/openSUSE:Factory/.kanidm.new.1966 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "kanidm" Sat May 9 12:59:57 2026 rev:65 rq:1352143 version:1.10.1~git0.d02660a98 Changes: -------- --- /work/SRC/openSUSE:Factory/kanidm/kanidm.changes 2026-04-01 19:53:25.892115961 +0200 +++ /work/SRC/openSUSE:Factory/.kanidm.new.1966/kanidm.changes 2026-05-09 13:00:19.694353672 +0200 
@@ -1,0 +2,134 @@ +Thu May 07 06:06:07 UTC 2026 - [email protected] + +- Update to version 1.10.1~git0.d02660a98: + * Release 1.10.1 + * Fix copy in TOTP removal prompt and align TOTP case (#4314) + * Resolve base64 encoding of webauthn fields (#4312) + +------------------------------------------------------------------- +Fri May 01 07:11:08 UTC 2026 - [email protected] + +- Update to version 1.10.0-pre~git1.32e2f8ec6: + * Release 1.10.0 + * Release 1.10.0-pre + * Release notes (#4304) + * Update ldap3/webauthn-rs (#4302) + * Merge commit from fork + * Merge commit from fork + * Merge commit from fork + * Merge commit from fork + * Add notes on server migration (#4301) + * 20260517 sparkle (#4280) + * Bump mozilla-actions/sccache-action in the all group (#4298) + * Bump the all group with 6 updates (#4299) + * Bump the all group across 1 directory with 3 updates (#4283) + * 20260331 send account recovery emails (#4259) + * Update oauth2 well known urls (#4296) + * Clippy for Rust 1.95 (#4291) + * Invert incorrect thread count logic (#4294) + * Allow modification of OAuth2 Refresh Expiry (#4276) + * 20260327 Introspection token auth metadata (#4230) + * fix: add missing kanidm-mail-sender binary (#4279) + * Correctly handle deleted accounts during page visits (#4275) + * don't fail auth when passed ui_locales (#4288) + * Bump actions/upload-pages-artifact from 4 to 5 in the all group (#4284) + * Fix link formatting in oauth2.rs documentation (#4278) + * Feat: Add OIDC Prompt Support (#4224) + * Handle multivalue URLs in SCIM (#4271) + * Correctly encode ssh tag values (#4272) + * Bump the all group with 2 updates (#4263) + * Bump the all group in /rlm_python with 4 updates (#4262) + * Bump the all group with 8 updates (#4264) + * Update deployment.md with configuration notes (#4258) + * Add .well-known/passkey-endpoints (#4255) + * show repl cert metadata and also handle socket timeouts (#4252) + * Update docs regarding replication cert lifetime (#4251) + * Log 
cleanup (#4248) + * adding timeouts and tests and port docs for mail_sender (#4246) + * Bump the all group with 5 updates (#4247) + * add dependency data to released containers (#4239) + * Fix to end code block and render remaining md correctly (#4241) + * Update readme.md for replication (#4236) + * Added note on primary email address and email aliases (#4237) + * Bump the all group with 6 updates (#4235) + * Bump the all group with 2 updates (#4234) + * Bump the uv group across 1 directory with 2 updates (#4231) + * cli: allow clearing person's legalname attribute (#4228) + * Add shell diagnostics (#4220) + * OpenSSL shall be vanquished (#4219) + * Bump the all group across 1 directory with 16 updates (#4225) + * Bump rustls-webpki from 0.103.9 to 0.103.10 (#4223) + * Bump flatted (#4222) + * Tabular data is tabular (#4221) + * Example sshd-config fragment, deployment de-activated on Debian (#4214) + * Update RELEASE_NOTES.md (#4215) + * fix(debian): Use correct bin path for kanidmd reload (#4212) + * Allow urlencoded client_id in basic auth (#4141) + * add nsswitch config check to unixd (#4210) + * 20260311 zxcvbn check (#4206) + * Enhance Traefik documentation (#4194) + * Re-add incorrectly removed utopia feature flag (#4207) + * Update ldap3 to 0.7.0 to resolve config filter issue (#4205) + * Added PasswordChangedTime attribute and database field (#3999) + * Defer on some routes (#4202) + * Remove thread local storage (#4204) + * Improve FreeBSD building, fully drop ring as a dependency. + * 20260218 credential reset emails (authenticated only) (#4151) + * android support for cli (#4197) + * Bump the all group with 4 updates (#4198) + * Bump the all group with 7 updates (#4199) + * feat: bind mount home strategy (#3997) + * Bump the all group with 2 updates (#4183) + * Bump the all group with 8 updates (#4184) + * Bump minimatch (#4180) + * Disable multithreading on RADIUS when DEBUG is False. 
(#4177) + * Don't revert admin changes in some groups during migrcation (#4176) + * Fix bug where DEBUG is always true in RADIUS entrypoint. (#4169) + * 20260220 prevent migration accidents (#4156) + * Bump the all group across 1 directory with 20 updates (#4163) + * Move the grafana group creation step (#4160) + * Alert on unsaved changes (#4155) + * pykanidm v1.3.0 - major rewrite to use openapi-generated codebase based on 1.9.0 spec (#4149) + * Warn about systemd-userdb (#4147) + * Dont require basic auth on token introspection (#4142) + * Dont be as upset when migration dir doesnt exist (#4146) + * Add AGENTS.md instructions (#4148) + * Feature OIDC updated at (#4007) + * pykanidm: clarify token use with service accounts (#4043) + * Fixed small typo in how_does_oauth2_work.md (#4138) + * Bye bye lazy static (#4134) + * Allow LDAP CA verification to be disabled in sync (#4133) + * Add oauth2 example, fix inter-migration reference handling (#4136) + * Add missing future migration in domain check (#4132) + * Corrected recycle_bin.md typo (#4135) + * 20260211 dev version (#4131) + +------------------------------------------------------------------- +Thu Apr 30 02:42:37 UTC 2026 - [email protected] + +- Update to version 1.9.3~git0.7d4108698: + * Release 1.9.3 + * Security - High: SCIM Filters did not contain a bound on their parsing depth allowing stack exhaustion to occur leading to Denial of Service by an unauthenticated user + * Security - Moderate: PNG Image validation did not correctly handle short images allowing a panic to occur in a worker thread. This may lead to system instability over time + * Security - Low: HTML injection via user DisplayName in Passkey enrolment dialogs. This allows an admin to execute JS in the context of a users browser. Since the admin already can reset the users credentials, the impact of this is minimal. 
+ * Security - Low: non-constant time comparison of OAuth2 client secret may allow a remote attacker to remotely recovery the bytes of the secret. Due to the length of the secret (48 chars) this is infeasible practically. + * Security - Low: incorrect handling of origin validation in Webauthn-RS allowed a malicious domain to collide with a valid one (badexample.com would match with example.com). This is mitigated by browsers detecting the forgery and preventing the authentication from proceeding. + * Security - High: LDAP Filters did not contain a bound on their parsing depth allowing stack exhaustion to occur leading to Denial of Service by an unauthenticated user. + * Update two vulnerable dependencies + * Release 1.9.2 + * Allow urlencoded client_id in basic auth (#4141) + * Update ldap3 to 0.7.0 to resolve config filter issue (#4205) + * Remove thread local storage (#4204) + +------------------------------------------------------------------- +Thu Apr 30 02:40:24 UTC 2026 - [email protected] + +- Update to version 1.9.2~git6.896acba35: + * Release 1.9.3 + * Merge commit from fork + * Merge commit from fork + * Merge commit from fork + * Merge commit from fork + * Update two vulnerable dependencies + +------------------------------------------------------------------- Old: ---- kanidm-1.9.2~git0.6a2bb66bd.tar.zst New: ---- kanidm-1.10.1~git0.d02660a98.tar.zst ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ kanidm.spec ++++++ --- /var/tmp/diff_new_pack.gXK8GM/_old 2026-05-09 13:00:21.362422117 +0200 +++ /var/tmp/diff_new_pack.gXK8GM/_new 2026-05-09 13:00:21.366422282 +0200 @@ -1,8 +1,7 @@ # # spec file for package kanidm # -# Copyright (c) 2026 SUSE LLC -# Copyright (c) 2025 SUSE LLC and contributors +# Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -33,7 +32,7 @@ %endif Name: kanidm -Version: 1.9.2~git0.6a2bb66bd +Version: 1.10.1~git0.d02660a98 Release: 0 Summary: A identity management service and clients. License: ( Apache-2.0 OR BSL-1.0 ) AND ( Apache-2.0 OR ISC OR MIT ) AND ( Apache-2.0 OR MIT ) AND ( Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT ) AND ( CC0-1.0 OR Apache-2.0 ) AND ( MIT OR Apache-2.0 OR Zlib ) AND ( Unlicense OR MIT ) AND ( Zlib OR Apache-2.0 OR MIT ) AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND CC0-1.0 AND ISC AND MIT AND MPL-2.0 AND MPL-2.0+ ++++++ _service ++++++ --- /var/tmp/diff_new_pack.gXK8GM/_old 2026-05-09 13:00:21.426424744 +0200 +++ /var/tmp/diff_new_pack.gXK8GM/_new 2026-05-09 13:00:21.430424908 +0200 @@ -3,7 +3,7 @@ <param name="url">https://github.com/kanidm/kanidm.git</param> <param name="versionformat">@PARENT_TAG@~git@TAG_OFFSET@.%h</param> <param name="scm">git</param> - <param name="revision">1.9.0</param> + <param name="revision">1.10.0</param> <param name="match-tag">v*</param> <param name="versionrewrite-pattern">v(\d+\.\d+\.\d+)</param> <param name="versionrewrite-replacement">\1</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.gXK8GM/_old 2026-05-09 13:00:21.462426221 +0200 +++ /var/tmp/diff_new_pack.gXK8GM/_new 2026-05-09 13:00:21.470426549 +0200 
@@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/kanidm/kanidm.git</param> - <param name="changesrevision">6a2bb66bdcad796f4007cbc8346d099b8b01b347</param></service></servicedata> + <param name="changesrevision">d02660a986edacfbc7253237474d3985b1e1197d</param></service></servicedata> (No newline at EOF) ++++++ kanidm-1.9.2~git0.6a2bb66bd.tar.zst -> kanidm-1.10.1~git0.d02660a98.tar.zst ++++++ /work/SRC/openSUSE:Factory/kanidm/kanidm-1.9.2~git0.6a2bb66bd.tar.zst /work/SRC/openSUSE:Factory/.kanidm.new.1966/kanidm-1.10.1~git0.d02660a98.tar.zst differ: char 7, line 1 ++++++ vendor.tar.zst ++++++ /work/SRC/openSUSE:Factory/kanidm/vendor.tar.zst /work/SRC/openSUSE:Factory/.kanidm.new.1966/vendor.tar.zst differ: char 7, line 1
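Review bot: In the kanidm.changes hunk, the 1.9.3 entry lists six "Security -" items, two of them rated High (stack exhaustion in SCIM and LDAP filter parsing by an unauthenticated user), and none carries a CVE, advisory or bug reference; "Update two vulnerable dependencies" does not name the dependencies either. If identifiers exist for these fixes, add them beside each item so the update can be tracked as a security update. The repeated "Merge commit from fork" lines say nothing about what was merged, and the entry headed "Update to version 1.9.2~git6.896acba35" lists "Release 1.9.3", which does not match its own version string.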
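Review bot: In the _service hunk, revision moves from 1.9.0 to 1.10.0 while the spec Version becomes 1.10.1~git0.d02660a98, so revision does not name the commit that was packaged and the fetched source is fixed only by changesrevision in _servicedata. Confirm that d02660a986edacfbc7253237474d3985b1e1197d is the commit upstream tagged for 1.10.1 (the ~git0 offset and the d02660a98 short hash are consistent with that), or set revision to the release tag so that a later service run with the same configuration cannot pull different sources.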
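Review bot: For kanidm-1.10.1~git0.d02660a98.tar.zst and vendor.tar.zst the mail shows only "differ: char 7, line 1", so the vendored crate changes behind "Update two vulnerable dependencies", "Bump rustls-webpki from 0.103.9 to 0.103.10" and "Update ldap3/webauthn-rs" cannot be reviewed from this diff. Compare the dependency lock file in the new source tarball against the old one and check that vendor.tar.zst was regenerated from it before accepting the request.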
