Hello community,

here is the log from the commit of package lxc for openSUSE:Factory checked in at 2017-05-27 13:16:55
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/lxc (Old)
 and /work/SRC/openSUSE:Factory/.lxc.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "lxc" Sat May 27 13:16:55 2017 rev:72 rq:497945 version:2.0.8 Changes: -------- --- /work/SRC/openSUSE:Factory/lxc/lxc.changes 2017-04-28 09:13:33.675900057 +0200 +++ /work/SRC/openSUSE:Factory/.lxc.new/lxc.changes 2017-05-27 13:17:16.336774253 +0200 
@@ -1,0 +2,115 @@ +Tue May 16 16:47:47 UTC 2017 - opensuse_buildserv...@ojkastl.de + +- Update to version 2.0.8 + * Security fix for CVE-2017-5985 + * All templates have been updated to not set default passwords anymore, instead requiring lxc-attach be used to configure users. + * This may affect some automated environments that were relying on our default (very much insecure) users. + + Bugfixes: + Make lxc-start-ephemeral Python 3.2-compatible + Fix typo + Allow build without sys/capability.h + lxc-opensuse: fix default value for release code + util: always malloc for setproctitle + util: update setproctitle comments + confile: clear lxc.network..ipv{4,6} when empty + lxc_setup_tios(): Ignore SIGTTOU and SIGTTIN signals + Make lxc-net return non-zero on failure + seccomp: allow x32 guests on amd64 hosts. + Add HAVE_LIBCAP + c/r: only supply --ext-mount-map for bind mounts + Added 'mkdir -p' functionality in create_or_remove_cgroup + Use LXC_ROOTFS_MOUNT in clonehostname hook + squeeze is not a supported release anymore, drop the key + start: dumb down SIGCHLD from WARN() to NOTICE() + log: fix lxc_unix_epoch_to_utc() + cgfsng: make trim() safer + seccomp: set SCMP_FLTATR_ATL_TSKIP if available + lxc-user-nic: re-order #includes + lxc-user-nic: improve + bugfix + lxc-user-nic: delete link on failure + conf: only try to delete veth when privileged + Fix lxc-containers to support multiple bridges + Fix mixed tab/spaces in previous patch + lxc-alpine: use dl-cdn.a.o as default mirror instead of random one + lxc-checkconfig: verify new[ug]idmap are setuid-root + [templates] archlinux: resolve conflicting files + [templates] archlinux: noneed default_timezone variable + python3: Deal with potential NULL char* + lxc-download.in / allow setting keyserver from env + lxc-download.in / Document keyserver change in help + Change variable check to match existing style + tree-wide: include directly + conf/ile: make sure buffer is large enough + tree-wide: include directly + 
tests: Support running on IPv6 networks + tests: Kill containers (don't wait for shutdown) + Fix opening wrong file in suggest_default_idmap + do not set the root password in the debian template + do not set insecure passwords + don't set a default password for altlinux, gentoo, openmandriva and pld + tools: exit with return code of lxc_execute() + Keep veth.pair.name on network shutdown + Makefile: fix static clang init.lxc build + Avoid waiting for bridge interface if disabled in sysconfig/lxc | lxc-net via USE_LXC_BRIDGE + Increased buffer length in print_stats() + avoid assigning to a variable which is not POSIX shell proof (bug #1498) + remove obsolete note about api stability + conf: less error prone pointer access + conf: lxc_map_ids() non-functional changes + caps: add lxc_{proc,file}_cap_is_set() + conf: check for {filecaps,setuid} on new{g,u}idmap + conf: improve log when mounting rootfs + ls: simplify the judgment condition when list active containers + fix typo introduced in #1509 + attach|unshare: fix the wrong comment + caps: skip file capability checks on android + autotools: check for cap_get_file + caps: return false if caps are not supported + conf: non-functional changes to setup_pts() + conf: use bind-mount for /dev/ptmx + conf: non-functional changes + utils: use loop device helpers from LXD + create ISSUE_TEMPLATE.md + cgroups: improve cgfsng debugging + issue template: fix typo + conf: close fd in lxc_setup_devpts() + conf: non-functional changes + utils: tweak lxc_mount_proc_if_needed() + Change sshd template to work with Ubuntu 17.04 + conf: order mount options + conf: add MS_LAZYTIME to mount options + monitor: report errno on exec() error + af unix: allow for maximum socket name + commands: avoid NULL pointer dereference + commands: non-functional changes + lxccontainer: avoid NULL pointer dereference + monitor: simplify abstract socket logic + precise is not the latest LTS, let's use xenial instead + fix the wrong exit status + conf: 
non-functional changes lxc_fill_autodev() + conf: remove /dev/console from lxc_fill_autodev() + conf: non-functional changes lxc_setup() + conf: non-functional changes to console functions + conf: improve lxc_setup_dev_console() + conf: lxc_setup_ttydir_console() + config: remove /dev/console bind mount + doc: document console behavior + utils: add lxc_unstack_mountpoint() + conf: unstack all mounts atop /dev/console + console: fail when we cannot allocate peer tty + start: remove umount2() + conf: non-functional changes + utils: handle > 2^31 in lxc_unstack_mountpoint() + Install systemd units for CentOS + Merge ubuntu and debiancase + start: add crucial details about lxc_spawn() + +- Deleted patches that have been backported before: + - 0003-CVE-2017-5985-Ensure-target-netns-is-caller-owned.patch + - 0001-tree-wide-include-sys-sysmacros.h-directly.patch + - 0002-tree-wide-include-sys-sysmacros.h-directly.patch + +- added signature verification + +------------------------------------------------------------------- Old: ---- 0001-tree-wide-include-sys-sysmacros.h-directly.patch 0002-tree-wide-include-sys-sysmacros.h-directly.patch 0003-CVE-2017-5985-Ensure-target-netns-is-caller-owned.patch lxc-2.0.7.tar.gz New: ---- lxc-2.0.8.tar.gz lxc-2.0.8.tar.gz.asc lxc.keyring ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ lxc.spec ++++++ --- /var/tmp/diff_new_pack.3i2ftd/_old 2017-05-27 13:17:19.960261981 +0200 +++ /var/tmp/diff_new_pack.3i2ftd/_new 2017-05-27 13:17:19.960261981 +0200 
@@ -18,21 +18,18 @@ %define shlib_version 1 Name: lxc -Version: 2.0.7 +Version: 2.0.8 Release: 0 Url: http://linuxcontainers.org/ Summary: Userspace tools for Linux kernel containers License: LGPL-2.1+ Group: System/Management Source: http://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz -Source1: lxc-createconfig.in -Source2: README.SUSE -Source3: openSUSE_apparmor_mount.conf -%if 0%{?suse_version} > 1315 -Patch0: 0001-tree-wide-include-sys-sysmacros.h-directly.patch -Patch1: 0002-tree-wide-include-sys-sysmacros.h-directly.patch -%endif -Patch2: 0003-CVE-2017-5985-Ensure-target-netns-is-caller-owned.patch +Source1: http://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz.asc#/%{name}-%{version}.tar.gz.asc +Source2: %{name}.keyring +Source3: lxc-createconfig.in +Source4: README.SUSE +Source5: openSUSE_apparmor_mount.conf BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: docbook-utils @@ -96,11 +93,6 @@ %prep %setup -%if 0%{?suse_version} > 1315 -%patch0 -p1 -%patch1 -p1 -%endif -%patch2 -p1 %build chmod 755 configure @@ -109,8 +101,8 @@ --with-init-script=systemd \ --with-systemdsystemunitdir=%{_unitdir} make %{?_smp_mflags} -cp %{SOURCE2} . -cp %{SOURCE3} . +cp %{SOURCE4} . +cp %{SOURCE5} . rm -rf .doc mkdir -p .doc/examples cp doc/examples/*.conf .doc/examples 
@@ -120,11 +112,11 @@ install -d -m 755 %{buildroot}/var/lib/lxc find %buildroot -type f -name '*.la' -delete chmod u-s %{buildroot}/%{_libexecdir}/%{name}/lxc-user-nic -./config.status --file=%{buildroot}%{_bindir}/lxc-createconfig:%{S:1} +./config.status --file=%{buildroot}%{_bindir}/lxc-createconfig:%{S:3} chmod a+x %{buildroot}%{_bindir}/lxc-createconfig ln -s /usr/sbin/service %{buildroot}%{_sbindir}/rclxc ln -s /usr/sbin/service %{buildroot}%{_sbindir}/rclxc-net -cp %{SOURCE3} %{buildroot}/usr/share/lxc/config/common.conf.d/ +cp %{SOURCE5} %{buildroot}/usr/share/lxc/config/common.conf.d/ %fdupes %{buildroot}/%{_datadir}/%{name}/config/ %pre ++++++ lxc-2.0.7.tar.gz -> lxc-2.0.8.tar.gz ++++++ ++++ 5307 lines of diff (skipped) ++++++ lxc.keyring ++++++ pub rsa4096/0xC638974D64792D67 2010-10-23 [SC] 602F567663E593BCBD14F338C638974D64792D67 uid [ unknown] Stéphane Graber <stgra...@stgraber.org> uid [ unknown] Stéphane Graber <stgra...@ubuntu.com> sub rsa4096/0x9E4B2A99D7B3258F 2010-10-23 [E]
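
Review bot: In the lxc.changes hunk, the two "tree-wide: include directly" bullets, "confile: clear lxc.network..ipv{4,6} when empty" and "conf/ile: make sure buffer is large enough" have lost part of their text, so they no longer say which header, key or file they concern. The removed patch names further down (0001-tree-wide-include-sys-sysmacros.h-directly.patch) suggest the header was sys/sysmacros.h; spell such names out without angle brackets. The "Security fix for CVE-2017-5985" bullet would also be easier to audit with a few words on what was fixed, which the dropped patch name already gives: "Ensure target netns is caller-owned".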
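
Review bot: The Source1 and Source2 additions in the first lxc.spec hunk ship the detached signature and the keyring, but none of the visible hunks adds a step that checks lxc-2.0.8.tar.gz against them; the %prep hunk only drops the %patch lines. If verification is expected to happen outside the spec, say so in a comment next to Source2, otherwise add the check to %prep so that a local build fails on a bad signature. Source and Source1 are also plain http:// URLs; https:// would be preferable if upstream serves it.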
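
Review bot: Inserting the signature and keyring as Source1 and Source2 shifts the three existing sources to Source3 through Source5, and the last two lxc.spec hunks have to chase every reference (%{SOURCE2} to %{SOURCE4}, %{SOURCE3} to %{SOURCE5}, %{S:1} to %{S:3}). A reference left outside the visible context would now resolve to the keyring or the .asc instead of failing. Appending the new files as Source4 and Source5 would avoid the renumbering; if the current order is kept, search the full spec for SOURCE and %{S: before accepting.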
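
Review bot: lxc.keyring adds a single trusted key (fingerprint 602F567663E593BCBD14F338C638974D64792D67) whose listing header shows both uids at "[ unknown]" validity, while the changelog entry is only "added signature verification". Record in lxc.changes which key is trusted and where its fingerprint was confirmed, so that a later key change can be reviewed against something.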