Hello community,

here is the log from the commit of package vagrant for openSUSE:Factory checked in at 2019-11-15 22:37:55
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/vagrant (Old)
 and /work/SRC/openSUSE:Factory/.vagrant.new.26869 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "vagrant" Fri Nov 15 22:37:55 2019 rev:18 rq:748237 version:2.2.6 Changes: -------- --- /work/SRC/openSUSE:Factory/vagrant/vagrant.changes 2019-10-31 22:23:58.976213789 +0100 +++ /work/SRC/openSUSE:Factory/.vagrant.new.26869/vagrant.changes 2019-11-15 22:37:59.472074708 +0100 @@ -1,0 +2,30 @@ +Wed Nov 13 10:18:47 UTC 2019 - Dan Čermák <[email protected]> + +- Add rubyzip to as Requires: and bump its version to 1.3 + + This is required to address CVE-2019-16892 + + Rebased patches: + + - 0001-bin-vagrant-silence-warning-about-installer.patch + - 0002-Use-a-private-temporary-dir.patch + - 0003-linux-cap-halt-don-t-wait-for-shutdown-h-now-to-fini.patch + - 0004-plugins-don-t-abuse-require_relative.patch.patch + - 0005-fix-vbox-package-boo-1044087-added-by-robert.muntean.patch + - 0006-do-not-depend-on-wdm.patch + - 0007-do-not-abuse-relative-paths-in-docker-plugin-to-make.patch + - 0008-Don-t-abuse-relative-paths-in-plugins.patch + - 0009-Fix-unit-tests-for-GuestLinux-Cap-Halt.patch + - 0010-Skip-failing-tests.patch + - 0011-Bump-rspec-its-dependency.patch + - 0012-Do-not-list-load-dependencies-if-vagrant-spec-is-not.patch + - 0013-Catch-NetworkNoInterfaces-error-in-docker-prepare_ne.patch + + Removed: + - 0014-ARM-only-Disable-Subprocess-unit-test.patch + + Added: + - 0014-Bump-rubyzip-version-to-fix-CVE-2019-16892.patch + - 0015-ARM-only-Disable-Subprocess-unit-test.patch + +------------------------------------------------------------------- Old: ---- 0014-ARM-only-Disable-Subprocess-unit-test.patch New: ---- 0014-Bump-rubyzip-version-to-fix-CVE-2019-16892.patch 0015-ARM-only-Disable-Subprocess-unit-test.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ vagrant.spec ++++++ --- /var/tmp/diff_new_pack.WFyWyp/_old 2019-11-15 22:38:00.568078260 +0100 +++ /var/tmp/diff_new_pack.WFyWyp/_new 2019-11-15 22:38:00.588078325 +0100 
@@ -58,12 +58,16 @@ Patch8: 0008-Don-t-abuse-relative-paths-in-plugins.patch Patch9: 0009-Fix-unit-tests-for-GuestLinux-Cap-Halt.patch Patch10: 0010-Skip-failing-tests.patch +# FIXME: merged, drop at next release after v2.2.6 # https://github.com/hashicorp/vagrant/pull/10991 Patch11: 0011-Bump-rspec-its-dependency.patch +# FIXME: merged, drop at next release after v2.2.6 # https://github.com/hashicorp/vagrant/pull/10945 Patch12: 0012-Do-not-list-load-dependencies-if-vagrant-spec-is-not.patch Patch13: 0013-Catch-NetworkNoInterfaces-error-in-docker-prepare_ne.patch -Patch14: 0014-ARM-only-Disable-Subprocess-unit-test.patch +# FIXME: upstream fix, drop at next release after v2.2.6 +Patch14: 0014-Bump-rubyzip-version-to-fix-CVE-2019-16892.patch +Patch15: 0015-ARM-only-Disable-Subprocess-unit-test.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -118,8 +122,8 @@ # s.add_dependency "rest-client", ">= 1.6.0", "< 3.0" BuildRequires: %{rubygem rest-client >= 1.6} BuildConflicts: %{rubygem rest-client >= 3.0} -# s.add_dependency "rubyzip", "~> 1.2.2" -BuildRequires: %{rubygem rubyzip:1.2 >= 1.2.2} +# s.add_dependency "rubyzip", "~> 1.3" +BuildRequires: %{rubygem rubyzip:1 >= 1.3} # Intentionally removed, wdm only works on Windows # BuildRequires: %%{rubygem wdm } # s.add_dependency "winrm", "~> 2.1" @@ -136,7 +140,7 @@ BuildRequires: %{rubygem rake:12.0 } # s.add_development_dependency "rspec", "~> 3.5.0" BuildRequires: %{rubygem rspec:3.5 } -# PATCHED +# FIXME: PATCHED # s.add_development_dependency "rspec-its", "~> 1.3.0" BuildRequires: %{rubygem rspec-its:1.3 } # s.add_dependency "ruby_dep", "<= 1.3.1" @@ -202,6 +206,8 @@ # s.add_dependency "rest-client", ">= 1.6.0", "< 3.0" Requires: %{rubygem rest-client >= 1.6} Requires: %{rubygem rest-client < 3.0} +# s.add_dependency "rubyzip", "~> 1.3" +Requires: %{rubygem rubyzip:1 >= 1.3} # s.add_dependency "wdm", "~> 0.1.0" # skip wdm, Windows only # s.add_dependency "winrm", "~> 2.1" 
@@ -287,9 +293,10 @@ %patch11 -p 1 %patch12 -p 1 %patch13 -p 1 +%patch14 -p 1 # disable the subprocess test only on ARM %ifarch %{arm} aarch64 -%patch14 -p 1 +%patch15 -p 1 %endif cp %{SOURCE98} . ++++++ 0001-bin-vagrant-silence-warning-about-installer.patch ++++++ --- /var/tmp/diff_new_pack.WFyWyp/_old 2019-11-15 22:38:00.676078611 +0100 +++ /var/tmp/diff_new_pack.WFyWyp/_new 2019-11-15 22:38:00.676078611 +0100 @@ -1,7 +1,7 @@ From e1a0054ceecffce9b3ef389d5b4b9bf85f309351 Mon Sep 17 00:00:00 2001 From: Antonio Terceiro <[email protected]> Date: Sat, 11 Oct 2014 16:54:58 -0300 -Subject: [PATCH 01/14] bin/vagrant: silence warning about installer +Subject: [PATCH 01/15] bin/vagrant: silence warning about installer Signed-off-by: Johannes Kastl <[email protected]> --- @@ -36,5 +36,5 @@ # # Unset - Disables experimental features -- -2.23.0 +2.24.0 ++++++ 0002-Use-a-private-temporary-dir.patch ++++++ --- /var/tmp/diff_new_pack.WFyWyp/_old 2019-11-15 22:38:00.708078714 +0100 +++ /var/tmp/diff_new_pack.WFyWyp/_new 2019-11-15 22:38:00.708078714 +0100 @@ -1,7 +1,7 @@ From 2e3ac8696235e4239977c10e78474de1b1cbccd8 Mon Sep 17 00:00:00 2001 From: Antonio Terceiro <[email protected]> Date: Wed, 22 Oct 2014 09:40:14 -0200 -Subject: [PATCH 02/14] Use a private temporary dir +Subject: [PATCH 02/15] Use a private temporary dir Without this vagrant will clutter $TMPDIR with dozens of even hundreds of temporary files (~4 per vagrant invocation). @@ -94,5 +94,5 @@ + FileUtils.rm_rf(Vagrant::Util::Tempfile.private_tmpdir) +end -- -2.23.0 +2.24.0 ++++++ 0003-linux-cap-halt-don-t-wait-for-shutdown-h-now-to-fini.patch ++++++ --- /var/tmp/diff_new_pack.WFyWyp/_old 2019-11-15 22:38:00.728078779 +0100 +++ /var/tmp/diff_new_pack.WFyWyp/_new 2019-11-15 22:38:00.732078792 +0100 @@ -1,7 +1,7 @@ From 5323b2746d765bee3fd9aa739bf3d0e120eb1874 Mon Sep 17 00:00:00 2001 
From: Antonio Terceiro <[email protected]> Date: Tue, 3 Feb 2015 10:35:17 -0200 -Subject: [PATCH 03/14] linux/cap/halt: don't wait for `shutdown -h now` to +Subject: [PATCH 03/15] linux/cap/halt: don't wait for `shutdown -h now` to finish When running a Debian 8 lxc guest (with the vagrant-lxc plugin), which @@ -27,5 +27,5 @@ # Do nothing, because it probably means the machine shut down # and SSH connection was lost. -- -2.23.0 +2.24.0 ++++++ 0004-plugins-don-t-abuse-require_relative.patch.patch ++++++ --- /var/tmp/diff_new_pack.WFyWyp/_old 2019-11-15 22:38:00.752078857 +0100 +++ /var/tmp/diff_new_pack.WFyWyp/_new 2019-11-15 22:38:00.752078857 +0100 @@ -1,7 +1,7 @@ From 399ed85dc12e70156c6fa40a49e35110ad6fcff4 Mon Sep 17 00:00:00 2001 From: Johannes Kastl <[email protected]> Date: Wed, 17 May 2017 09:09:57 +0200 -Subject: [PATCH 04/14] plugins-don-t-abuse-require_relative.patch +Subject: [PATCH 04/15] plugins-don-t-abuse-require_relative.patch Signed-off-by: Johannes Kastl <[email protected]> --- @@ -154,5 +154,5 @@ module VagrantPlugins module GuestSUSE -- -2.23.0 +2.24.0 ++++++ 0005-fix-vbox-package-boo-1044087-added-by-robert.muntean.patch ++++++ --- /var/tmp/diff_new_pack.WFyWyp/_old 2019-11-15 22:38:00.772078921 +0100 +++ /var/tmp/diff_new_pack.WFyWyp/_new 2019-11-15 22:38:00.776078934 +0100 @@ -1,7 +1,7 @@ From ccaab429a383ff048400a866f3aa77409ae4976d Mon Sep 17 00:00:00 2001 From: Johannes Kastl <[email protected]> Date: Fri, 16 Nov 2018 21:12:43 +0100 -Subject: [PATCH 05/14] fix vbox package boo#1044087, added by +Subject: [PATCH 05/15] fix vbox package boo#1044087, added by [email protected] on Sun Aug 13 19:07:06 UTC 2017 Signed-off-by: Johannes Kastl <[email protected]> @@ -33,5 +33,5 @@ module VagrantPlugins module ProviderVirtualBox -- -2.23.0 +2.24.0 ++++++ 0006-do-not-depend-on-wdm.patch ++++++ --- /var/tmp/diff_new_pack.WFyWyp/_old 2019-11-15 22:38:00.800079012 +0100 +++ /var/tmp/diff_new_pack.WFyWyp/_new 2019-11-15 22:38:00.800079012 +0100 
@@ -1,7 +1,7 @@ From 98c990b8b57849464a4e1773689635a2328da89e Mon Sep 17 00:00:00 2001 From: Johannes Kastl <[email protected]> Date: Mon, 4 Jun 2018 09:18:23 +0200 -Subject: [PATCH 06/14] do not depend on wdm +Subject: [PATCH 06/15] do not depend on wdm Signed-off-by: Johannes Kastl <[email protected]> --- @@ -21,5 +21,5 @@ s.add_dependency "winrm-fs", "~> 1.0" s.add_dependency "winrm-elevated", "~> 1.1" -- -2.23.0 +2.24.0 ++++++ 0007-do-not-abuse-relative-paths-in-docker-plugin-to-make.patch ++++++ --- /var/tmp/diff_new_pack.WFyWyp/_old 2019-11-15 22:38:00.832079116 +0100 +++ /var/tmp/diff_new_pack.WFyWyp/_new 2019-11-15 22:38:00.832079116 +0100 @@ -1,7 +1,7 @@ From 63325a25be5349141e628f4d8738cd66cf2eff69 Mon Sep 17 00:00:00 2001 From: Johannes Kastl <[email protected]> Date: Fri, 16 Nov 2018 21:14:46 +0100 -Subject: [PATCH 07/14] do not abuse relative paths in docker plugin to make +Subject: [PATCH 07/15] do not abuse relative paths in docker plugin to make docker work, added by [email protected] on Thu Oct 26 19:42:46 UTC 2017 Signed-off-by: Johannes Kastl <[email protected]> @@ -22,5 +22,5 @@ module VagrantPlugins module DockerProvider -- -2.23.0 +2.24.0 ++++++ 0008-Don-t-abuse-relative-paths-in-plugins.patch ++++++ --- /var/tmp/diff_new_pack.WFyWyp/_old 2019-11-15 22:38:00.856079194 +0100 +++ /var/tmp/diff_new_pack.WFyWyp/_new 2019-11-15 22:38:00.856079194 +0100 @@ -1,7 +1,7 @@ From 6cabd408fd06b60b0b0c74c93da9fea05e8b0339 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <[email protected]> Date: Fri, 11 Jan 2019 12:32:28 +0100 -Subject: [PATCH 08/14] Don't abuse relative paths in plugins +Subject: [PATCH 08/15] Don't abuse relative paths in plugins MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
@@ -64,5 +64,5 @@ require_relative "../installer" -- -2.23.0 +2.24.0 ++++++ 0009-Fix-unit-tests-for-GuestLinux-Cap-Halt.patch ++++++ --- /var/tmp/diff_new_pack.WFyWyp/_old 2019-11-15 22:38:00.888079298 +0100 +++ /var/tmp/diff_new_pack.WFyWyp/_new 2019-11-15 22:38:00.888079298 +0100 @@ -1,7 +1,7 @@ From e1eaa4583e58d802f0c2339c959b5becb6a2c49f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <[email protected]> Date: Thu, 14 Mar 2019 00:25:05 +0100 -Subject: [PATCH 09/14] Fix unit tests for GuestLinux::Cap::Halt +Subject: [PATCH 09/15] Fix unit tests for GuestLinux::Cap::Halt This test fails since we patch `shutdown -h now` to be `shutdown -h now &` instead. @@ -37,5 +37,5 @@ cap.halt(machine) }.to_not raise_error -- -2.23.0 +2.24.0 ++++++ 0010-Skip-failing-tests.patch ++++++ --- /var/tmp/diff_new_pack.WFyWyp/_old 2019-11-15 22:38:00.912079375 +0100 +++ /var/tmp/diff_new_pack.WFyWyp/_new 2019-11-15 22:38:00.912079375 +0100 @@ -1,7 +1,7 @@ From 85808a200ea1a95f00edc2af816ae3f124dc1962 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <[email protected]> Date: Mon, 1 Apr 2019 17:28:31 +0200 -Subject: [PATCH 10/14] Skip failing tests +Subject: [PATCH 10/15] Skip failing tests --- test/unit/bin/vagrant_test.rb | 4 ++-- @@ -30,5 +30,5 @@ end end -- -2.23.0 +2.24.0 ++++++ 0011-Bump-rspec-its-dependency.patch ++++++ --- /var/tmp/diff_new_pack.WFyWyp/_old 2019-11-15 22:38:00.944079479 +0100 +++ /var/tmp/diff_new_pack.WFyWyp/_new 2019-11-15 22:38:00.944079479 +0100 @@ -1,7 +1,7 @@ From 79bdf20d3c293293730548f20e329f3c726f5091 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <[email protected]> Date: Wed, 17 Jul 2019 10:59:07 +0200 -Subject: [PATCH 11/14] Bump rspec-its dependency +Subject: [PATCH 11/15] Bump rspec-its dependency --- vagrant.gemspec | 2 +- 
@@ -21,5 +21,5 @@ s.add_development_dependency "fake_ftp", "~> 0.1.1" -- -2.23.0 +2.24.0 ++++++ 0012-Do-not-list-load-dependencies-if-vagrant-spec-is-not.patch ++++++ --- /var/tmp/diff_new_pack.WFyWyp/_old 2019-11-15 22:38:00.992079635 +0100 +++ /var/tmp/diff_new_pack.WFyWyp/_new 2019-11-15 22:38:00.992079635 +0100 @@ -1,7 +1,7 @@ From 7784ec13f12752f5b73ddec371cb73b6dd97615a Mon Sep 17 00:00:00 2001 From: Pavel Valena <[email protected]> Date: Mon, 1 Jul 2019 17:44:54 +0200 -Subject: [PATCH 12/14] Do not list / load dependencies if `vagrant` spec is +Subject: [PATCH 12/15] Do not list / load dependencies if `vagrant` spec is not loaded in `vagrant_internal_specs` as this fails, due to `find` returning `nil`. @@ -26,5 +26,5 @@ list = {} directories = [Gem::Specification.default_specifications_dir] -- -2.23.0 +2.24.0 ++++++ 0013-Catch-NetworkNoInterfaces-error-in-docker-prepare_ne.patch ++++++ --- /var/tmp/diff_new_pack.WFyWyp/_old 2019-11-15 22:38:01.008079686 +0100 +++ /var/tmp/diff_new_pack.WFyWyp/_new 2019-11-15 22:38:01.008079686 +0100 @@ -1,7 +1,7 @@ From bc275fb74fbb6948246427549f04f0a4323a1747 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <[email protected]> Date: Thu, 24 Oct 2019 12:29:43 +0200 -Subject: [PATCH 13/14] Catch NetworkNoInterfaces error in docker +Subject: [PATCH 13/15] Catch NetworkNoInterfaces error in docker prepare_networks_test The test "generates a network name and configuration" calls at the end @@ -43,5 +43,5 @@ end -- -2.23.0 +2.24.0 ++++++ 0014-Bump-rubyzip-version-to-fix-CVE-2019-16892.patch ++++++ >From e8c23f99c5097199b7d955268e1c97314d25480b Mon Sep 17 00:00:00 2001 From: Stefan Sundin <[email protected]> Date: Wed, 6 Nov 2019 20:37:56 -0800 Subject: [PATCH 14/15] Bump rubyzip version to fix CVE-2019-16892. --- vagrant.gemspec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vagrant.gemspec b/vagrant.gemspec index 04561f9c9..58b4cb7ad 100644 --- a/vagrant.gemspec +++ b/vagrant.gemspec 
@@ -29,7 +29,7 @@ Gem::Specification.new do |s| s.add_dependency "net-scp", "~> 1.2.0" s.add_dependency "rb-kqueue", "~> 0.2.0" s.add_dependency "rest-client", ">= 1.6.0", "< 3.0" - s.add_dependency "rubyzip", "~> 1.2.2" + s.add_dependency "rubyzip", "~> 1.3" s.add_dependency "winrm", "~> 2.1" s.add_dependency "winrm-fs", "~> 1.0" s.add_dependency "winrm-elevated", "~> 1.1" -- 2.24.0 ++++++ 0014-ARM-only-Disable-Subprocess-unit-test.patch -> 0015-ARM-only-Disable-Subprocess-unit-test.patch ++++++ --- /work/SRC/openSUSE:Factory/vagrant/0014-ARM-only-Disable-Subprocess-unit-test.patch 2019-10-31 22:23:58.904213692 +0100 +++ /work/SRC/openSUSE:Factory/.vagrant.new.26869/0015-ARM-only-Disable-Subprocess-unit-test.patch 2019-11-15 22:37:59.456074656 +0100 @@ -1,7 +1,7 @@ -From 751a501fa2952f78d60085272dafc96a97d95cc0 Mon Sep 17 00:00:00 2001 +From 75b7fca0c98396ee755c329f002c8e2afa18dae0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <[email protected]> Date: Wed, 28 Aug 2019 13:39:58 +0200 -Subject: [PATCH 14/14] [ARM only] Disable Subprocess unit test +Subject: [PATCH 15/15] [ARM only] Disable Subprocess unit test This unit test is *very* flaky on OBS' ARM workers and causes random build failures. These are probably caused by worker being under high load and then @@ -33,5 +33,5 @@ sleep(0.1) expect(sp.stop).to be(true) -- -2.23.0 +2.24.0
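Review bot: The new vagrant.changes entry (hunk @@ -1,0 +2,30 @@) lists 0014-ARM-only-Disable-Subprocess-unit-test.patch under "Removed" although the same patch comes back as 0015 under "Added", so a reader scanning the changelog could think a fix was dropped; describe it as renumbered instead. The first line, "Add rubyzip to as Requires:", has a stray "to", and the entry names CVE-2019-16892 without a bug tracker reference next to it.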
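Review bot: In vagrant.spec (hunk @@ -58,12 +58,16 @@) the comment above Patch14 says "upstream fix, drop at next release after v2.2.6" but gives no upstream reference, while the comments for Patch11 and Patch12 each carry a pull request URL. Add the upstream pull request or commit URL for the rubyzip bump so the next maintainer can check that it really landed before dropping the patch.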
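Review bot: The rubyzip lines in vagrant.spec (hunks @@ -118,8 +122,8 @@ and @@ -202,6 +206,8 @@) write the gemspec constraint "~> 1.3" as "%{rubygem rubyzip:1 >= 1.3}", with no explicit upper bound, whereas rest-client directly above spells out both bounds. If the ":1" suffix is what keeps 2.x out, say so in the comment above each line. The Requires line is new in this hunk, so it is the one that enforces the fixed version on installed systems and deserves a mention of the CVE in its comment, not only in the changelog.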
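Review bot: The "# FIXME: PATCHED" comment in vagrant.spec (hunk @@ -136,7 +140,7 @@) does not say what is patched or when the FIXME can be resolved. It sits above the rspec-its dependency, so name Patch11 (0011-Bump-rspec-its-dependency.patch) and repeat the "drop at next release after v2.2.6" condition used for that patch further up.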
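Review bot: 0014-Bump-rubyzip-version-to-fix-CVE-2019-16892.patch changes only the constraint string on the rubyzip line of vagrant.gemspec (hunk @@ -29,7 +29,7 @@), so whether the CVE is actually addressed depends on rubyzip behaviour that nothing in this patch shows. Confirm that the 1.3 series mitigates CVE-2019-16892 without any caller-side setting in vagrant, and if a setting is required, carry that change alongside this bump. The patch has no description beyond its subject; one line on which vagrant code path handles zip archives would help whoever rebases or drops it.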
