Hello community, here is the log from the commit of package patchinfo.12638 for openSUSE:Leap:15.1:Update checked in at 2020-05-22 18:19:03 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.1:Update/patchinfo.12638 (Old) and /work/SRC/openSUSE:Leap:15.1:Update/.patchinfo.12638.new.2738 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "patchinfo.12638" Fri May 22 18:19:03 2020 rev:1 rq:807361 version:unknown Changes: -------- New Changes file: NO CHANGES FILE!!! New: ---- _patchinfo ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ _patchinfo ++++++ <patchinfo incident="12638"> <issue tracker="bnc" id="1047218">trackerbug: packages do not build reproducibly from including build time</issue> <issue tracker="bnc" id="833999">use /etc/os-release instead of /etc/SuSE-release</issue> <issue tracker="bnc" id="1166114">security:netfilter/shorewall: Bug non-major, point/dot release `zypper up` incorrectly stops/blocks running shorewall svc</issue> <packager>bruno_friedmann</packager> <rating>moderate</rating> <category>recommended</category> <summary>Recommended update for shorewall</summary> <description>This update for shorewall to 5.2.4.4 fixes the following issues: - Update to bugfix version 5.2.4.4 + When DYNAMIC_BLACKLIST=ipset... or when SAVE_IPSETS=Yes in shorewall[6].conf, 'shorewall[6] start' could hang. Fixed. + 'shorewall[6] start' would not automatically create dynamic blacklisting ipsets. That has been corrected. - Update to version 5.2.4.2 https://shorewall.org/pub/shorewall/5.2/shorewall-5.2.4/releasenotes.txt - Update to version 5.2.4.1 + Fixes for openSUSE shorewall-init will now ignore 'start' and 'stop' commands, for running firewalls + Spurious messages have been removed - To fix boo#1166114 never restart shorewall-init.service macro service_del_postun is replaced by simpler systemd_postun - Remove conflict between main and lite package. A managing station need main to build configuration and can use -lite to execute it. Users are in charge of choosing which service has to be started and used. - Update to version 5.2.4 https://shorewall.org/pub/shorewall/5.2/shorewall-5.2.4/releasenotes.txt + Previously, when a Shorewall6 firewall was placed into the 'stopped' state, ICMP6 packets required by RFC 4890 were not automatically accepted by the generated ruleset. Beginning with this release, those packets are automatically accepted. + Previously, the output of 'shorewall[6] help' displayed the superseded 'load' command. That text has been deleted. + The QOSExample.html file in the documentation and on the web site previously showed tcrules content for the /etc/shorewall/mangle file (recall that 'mangle' superseded 'tcrules'). That page has been corrected. + The 'Starting and Stopping' and 'Configuration file basics' documents have been updated to align them with the current product behavior. + The 'ipsets' document has been updated to clarify the use of ipsets in the stoppedrules file. - Packaging + shorewall-init package has a removed %service_del_postun macro to close bug boo#1166114 Restarting this service can lock down admin out of the system. + shorewall(6) and shorewall(6)-lite conflict has they shouldn't be installed together on the same system. - Add version to requires in -lite version - Update to minor bugfix version 5.2.3.7 + When DOCKER=Yes, if both the DOCKER-ISOLATE and DOCKER-ISOLATE-STAGE-1 existed then the DOCKER-ISOLATE-STAGE-* chains were not preserved through shorewall state changes. That has been corrected so that both chains are preserved if present. + Previously, the compiler always detected the OLD_CONNTRACK_MATCH capability as being available in IPv6. When OLD_CONNTRACK_MATCH was available, the compiler also mishandled inversion ('!') in the ORIGDEST columns, leading to an assertion failure. Both the incorrect capability detection and the mishandled inversion have been corrected. + During 'enable' processing, if address variables associated with the interface have values different than those when the firewall was last started/restarted/reloaded, then a 'reload' is performed rather than a simple 'enable'. The logic that checks for those changes was incorrect in some configurations, leading to unneeded reload operations. That has been corrected. + When MANGLE_ENABLED=No in shorewall[6].conf, some features requiring use of the mangle table can be allowed, even though the mangle table is not updated. That has been corrected such that use of such features will raise an error. + When the IfEvent(...,reset) action was invoked, the compiler previously emitted a spurious "Resetting..." message. That message has been suppressed. - Packaging + Introduce define conf_need_update to track when we activate the post update warning for users when there's minor or major version update of shorewall boo#1166114 - Update to bugfix minor 5.2.3.6 + Fix for possible start failure when both Docker containers and Libvirt VMs were in use. - Update to bugfix minor 5.2.3.5 + A typo in the FTP documentation has been corrected. + The recommended mss setting when using IPSec with ipcomp has been corrected. + A number of incorrect links in the manpages have been corrected. + The 'bypass' option is now allowed when specifying an NFQUEUE policy. Previously, specifying that option resulted in an error. + Corrected IPv6 Address Range parsing. + Previously, such ranges were required to be of the form [<addr1>-<addr2>] rather than the more standard form [<addr1>]-[<addr2>]. In the snat file (and in nat actions), the latter form was actually flagged as an error while in other contexts, it resulted in a less obvious error being raised. + The manpages have been updated to refer to https://shorewall.org rather than http://www.shorewall.org. - Refresh spec file - Update to bugfix minor 5.2.3.4 + Update release documents. + Correct handling of multi-queue NFQUEUE as a policy. + Correct handling of multi-queue NFQUEUE as a macro parameter. + Correct the description of the 'bypass' NFQUEUE option in shorewall-rules(5). - Update to bugfix minor 5.2.3.3 Previously, if an ipset was specified in an SPORT column, the compiler would raise an error similar to: ERROR: Invalid ipset name () /etc/shorewall/rules (line 44) - Update to bugfix minor 5.2.3.2 Shorewall 5.2 automatically converts an existing 'masq' file to an equivalent 'snat' file. Regrettably, Shorewall 5.2.3 broke that automatic update, such that the following error message was issued: Use of uninitialized value $Shorewall::Nat::raw::currentline in pattern match (m//) at /usr/share/shorewall/Shorewall/Nat.pm line 511, <$currentfile> line nnn. and the generated 'masq' file contains only initial comments. That has been corrected. - Update to bugfix minor 5.2.3.1 release + An issue in the implementation of policy file zone exclusion, released in 5.2.3 has been resolved. In the original release, if more than one zone was excluded then the following error was raised: ERROR: 'all' is not allowed in a source zone list etc/shorewall/policy (line ...) - Update to new 5.2.3 bugfix release http://www.shorewall.net/pub/shorewall/5.2/shorewall-5.2.3/releasenotes.txt This is the retirement of Tom Eastep see. https://sourceforge.net/p/shorewall/mailman/message/36589782/ - Removed module* in file section - Clean-up changes and spec (trailing slashes) - Update to new 5.2.2 bugfix release http://www.shorewall.net/pub/shorewall/5.2/shorewall-5.2.2/releasenotes.txt - Packaging: + As seen with upstream recommend running shorewall update on all version update - Update to major version 5.2.1.4 A lot of changes occurs since last package please consult http://www.shorewall.net/pub/shorewall/5.2/shorewall-5.2.1/releasenotes.txt and the know problem list at http://www.shorewall.net/pub/shorewall/5.2/shorewall-5.2.1/known_problems.txt - Update your configuration shorewall update </description> </patchinfo>