Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package python-lmdb for openSUSE:Factory checked in at 2026-03-25 21:18:03
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-lmdb (Old)
 and /work/SRC/openSUSE:Factory/.python-lmdb.new.8177 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-lmdb" Wed Mar 25 21:18:03 2026 rev:20 rq:1342277 version:2.1.1 Changes: -------- --- /work/SRC/openSUSE:Factory/python-lmdb/python-lmdb.changes 2026-03-18 16:52:00.352786869 +0100 +++ /work/SRC/openSUSE:Factory/.python-lmdb.new.8177/python-lmdb.changes 2026-03-27 06:48:18.607013545 +0100 
@@ -1,0 +2,31 @@ +Tue Mar 24 17:14:09 UTC 2026 - Dirk Müller <[email protected]> + +- update to 2.1.1: + * Fix false `MDB_CORRUPTED` error when overwriting values + larger than the page + * size (overflow/bigdata values) with `txn.put(key, value, + overwrite=True)`. + * Two hardening checks from 2.1.0 did not account for + `F_BIGDATA` nodes where + * `NODEDSZ()` returns the logical data size, not the on-page + size. (#431) + * **Security release.** All users who open LMDB databases from + untrusted or potentially-tampered sources should upgrade + immediately. + * **CVE-2019-16224**: heap buffer overflow via `MDB_DUPFIXED` + without `MDB_DUPSORT` in on-disk `md_flags`. (#429) + * **CVE-2019-16225**: `SIGSEGV` from `P_DIRTY` flag set on + mmap'd disk pages, causing `mdb_page_touch()` to skip + copy-on-write. (#429) + * **CVE-2019-16226**: out-of-bounds `memmove` in `mdb_node_del` + via corrupt `mn_hi` making `NODEDSZ()` huge. (#429) + * **CVE-2019-16227**: NULL pointer dereference of `mc_xcursor` + when `F_DUPDATA` is set on a node in a non-DUPSORT database. + * **CVE-2019-16228**: divide-by-zero from zero `mm_psize` in + meta page header. (#429) + * Cross-thread write transactions now block instead of raising + * `lmdb.Error("Attempt to operate on closed/deleted/dropped + object.")`. + * The check added in 1.8.0 was overly strict: it rejected all + +------------------------------------------------------------------- Old: ---- lmdb-2.0.0.tar.gz New: ---- lmdb-2.1.1.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-lmdb.spec ++++++ --- /var/tmp/diff_new_pack.NGc4Jt/_old 2026-03-27 06:48:19.183037265 +0100 +++ /var/tmp/diff_new_pack.NGc4Jt/_new 2026-03-27 06:48:19.187037430 +0100 
@@ -18,7 +18,7 @@ %{?sle15_python_module_pythons} Name: python-lmdb -Version: 2.0.0 +Version: 2.1.1 Release: 0 Summary: Universal Python binding for the LMDB 'Lightning' Database License: OLDAP-2.8 ++++++ lmdb-2.0.0.tar.gz -> lmdb-2.1.1.tar.gz ++++++ ++++ 2136 lines of diff (skipped)
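Review bot: In the python-lmdb.changes hunk, several wrapped continuation lines carry a `*` marker as if they were separate items ("* size (overflow/bigdata values) with ...", "* `NODEDSZ()` returns the logical data size ...", "* `lmdb.Error(...)`"), so one upstream sentence reads as two or three unrelated changes; re-wrap them as indented continuations of the item they belong to. The final item, "The check added in 1.8.0 was overly strict: it rejected all", stops mid-sentence and should be completed or dropped. The CVE-2019-16227 line is the only CVE item without a "(#429)" reference, which is worth checking against the upstream changelog. Since the tarball moves from 2.0.0 to 2.1.1 and the text mentions "hardening checks from 2.1.0", it would also help to mark which items belong to 2.1.0 (the security release) and which to 2.1.1, so readers can tell that the five CVE fixes were absent in the previously packaged version.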
