Packages changed:
  brotli (1.0.3 -> 1.0.5)
  checkmedia (3.8 -> 4.0)
  efivar (31 -> 36)
  ffmpeg (4.0 -> 4.0.1)
  fwupdate (9+git21.gcd8f7d7 -> 11)
  glibc
  glibc
  grub2
  libiscsi
  libqt5-qtwebengine
  linux-glibc-devel (4.16 -> 4.17)
  lz4 (1.8.1.2 -> 1.8.2)
  mariadb-connector-c
  opal
  openldap2
  p11-kit (0.23.2 -> 0.23.12)
  python-pytz (2018.3 -> 2018.5)
  rdma-core (16.4 -> 18.1)
  spec-cleaner (1.0.9 -> 1.1.0)
  sqlite3
  srt
  sssd (1.16.1 -> 1.16.2)
  xen (4.10.1_02 -> 4.10.1_08)

=== Details ===

==== brotli ====
Version update (1.0.3 -> 1.0.5)
Subpackages: libbrotlicommon1 libbrotlidec1 libbrotlienc1

- Update to version 1.0.5:
  * improve q=1 compression on small files
  * inverse Bazel workspace tree
  * add rolling-composite-hasher for large-window mode
  * add tools to download and transform static dictionary data
- Changes for version 1.0.4:
  * fix unaligned access for aarch64-cross-armhf build
  * fix aarch64 target detection
  * allow CLI to compress with enabled "large window" feature
  * add NPOSTFIX / NDIRECT encoder parameters
  * automatic NDIRECT/NPOSTFIX tuning (better compression)
  * fix "memory leak" in python tests
  * fix bug in durchschlag
  * fix source file lists (add params.h)
  * fix Bazel/MSVC compilator options
  * fix "fall though" warnings

==== checkmedia ====
Version update (3.8 -> 4.0)

- merge gh#openSUSE/checkmedia#6
- change tagmedia to also store checksum over partition
  (bsc#1000947)
- update Makefile
- update documentation
- rewrite checkmedia to use new mediacheck library
- digestdemo: add simple demo tool for libmediacheck usage
- mediacheck library header file
- mediacheck library code
- add test tool for mediachecks
- test data
- enhance code
- fix typo in tagmedia
- 4.0

==== efivar ====
Version update (31 -> 36)

- Update to version 36
- adjust libefiboot-export-disk_get_partition_info.patch to fit
  new version

==== ffmpeg ====
Version update (4.0 -> 4.0.1)
Subpackages: libavcodec58 libavdevice58 libavfilter7 libavformat58 libavresample4 libavutil56 libpostproc55 libswresample3 libswscale5

- Enable ffnvcodec when building with NVIDIA support
- Add pkgconfig(srt) BuildRequires and pass --enable-libsrt to
  configure, enable srt support.
- Refresh patches with quilt:
  * cve-2017-17555.diff
  * ffmpeg-codec-choice.diff
  * ffmpeg-libcdio_cdda-pkgconfig.patch
  * ffmpeg-new-coder-errors.diff
- Enable libxml2 (used by MPEG DASH demuxer)
- Update to new upstream release 4.0.1
  * Fixed some integer overflows, undefined shifts, negative
    shifts, division by 0, and a null pointer deref.
- Enable pkgconfig(vidstab) BuildRequires unconditionally, now
  available in openSUSE.

==== fwupdate ====
Version update (9+git21.gcd8f7d7 -> 11)

- Correct the requirement of efivar-devel version
- Update to version 11
  + lots of fixes from cov-scan and clang analyzer
  + support for Lenovo machines
  + experimental support for UI Capsules
  + Dell WMI support
  + lots of bugfixes
  + configurable EFI ESP location by setting ESPMOUNTPOINT or the git
    config property fwupdate.espmountdir during the build.
  + Lots of coverity work
  + ABI compatibility checking during the release process
  + Make subdirectory builds work
- removed fwupdate-list-firmware-types.patch

==== glibc ====
Subpackages: glibc-32bit glibc-locale-32bit

- Use python3-pexpect instead of python-pexpect
- riscv-kernel-sigaction.patch: fix struct kernel_sigaction to match the
  kernel version (BZ #23069)
- glibc-2.3.90-langpackdir.diff: No longer search in /usr/share/locale-bundle

==== glibc ====
Subpackages: glibc-devel glibc-extra glibc-info glibc-locale nscd

- Use python3-pexpect instead of python-pexpect
- riscv-kernel-sigaction.patch: fix struct kernel_sigaction to match the
  kernel version (BZ #23069)
- glibc-2.3.90-langpackdir.diff: No longer search in /usr/share/locale-bundle

==== grub2 ====
Subpackages: grub2-i386-pc grub2-snapper-plugin grub2-systemd-sleep-plugin grub2-x86_64-efi grub2-x86_64-xen

- Replace "GRUB_DISABLE_LINUX_RECOVERY" by "GRUB_DISABLE_RECOVERY"
  in /etc/default/grub and remove test from s390x install
  section in upec file.
  [bsc#1042433, grub.default, grub2.spec]

==== libiscsi ====

- Fix building of recent rdma (boo#1098749):
  * libiscsi-rdma.patch

==== libqt5-qtwebengine ====

- Enable building against the system ICU again
- Add physicalmemory >= 5GiB to _constraints in the hope to speed up
  builds

==== linux-glibc-devel ====
Version update (4.16 -> 4.17)

- Update to kernel headers 4.17

==== lz4 ====
Version update (1.8.1.2 -> 1.8.2)
Subpackages: liblz4-1 liblz4-1-32bit

- lz4 1.8.2:
  * speed inprovemtns for compression and decompression
  * fix compression compatible with low memory addresses
  * fix decompression segfault when provided with NULL input
  * cli: new command --favor-decSpeed
  * cli: benchmark mode more accurate for small inputs

==== mariadb-connector-c ====

- Drop libmysqlclient_r Provides from the -devel package.
  (bsc#1097938)

==== opal ====

- Pass --disable-ixj to configure instead of --enable-ixj: Linux
  4.17 no longer brings the public telephony headers and future
  versions of opal (starting with 3.14) would not support xJACK
  neither (addresses boo#1098764).

==== openldap2 ====
Subpackages: libldap-2_4-2 libldap-2_4-2-32bit libldap-data openldap2-client openldap2-devel

- fixed shee-bang in openldap_update_modules_path.sh (bsc#1099705)

==== p11-kit ====
Version update (0.23.2 -> 0.23.12)
Subpackages: libp11-kit0 libp11-kit0-32bit p11-kit-tools

- New version 0.23.12
  * Fix compile error when PKCS#11 GNU calling convention enabled
- Changelog from version 0.23.11
  * trust: Add extractor for edk2/cacerts.bin
  * modules: Add option to control module visibility from proxy
  * trust: Prevent trust module being loaded by proxy module
  * library: Use dedicated locale object for printing error
  * Treat CKR_CRYPTOKI_ALREADY_INITIALIZED correctly
  * Improve const correctness for P11KitUri
  * PKCS#11 URI scheme comparison is now case insensitive
- Drop p11-kit-biarch.patch: Obsolete since 0.23.10
- New version 0.23.10
  * New p11-kit server command
  * The trust policy module now recognizes CKA_NSS_MOZILLA_CA_POLICY attribute
  * New trust dump command
  * New envvar P11_KIT_NO_USER_CONFIG to stop looking at user configurations
  * trust: Respect anyExtendedKeyUsage in CA certificates
  * Support x-init-reserved argument of C_Initialize() in remote modules
  * install private executables in libexecdir, obsoletes p11-kit-biarch.patch
- new server subpackage
- change keyring to new maintainer Daiki Ueno

==== python-pytz ====
Version update (2018.3 -> 2018.5)

- update to 2018.5:
  * various python compatibility fixes
- fix upstream signing key

==== rdma-core ====
Version update (16.4 -> 18.1)
Subpackages: libibverbs libibverbs1 libmlx4-1 libmlx5-1 librdmacm1

- Remove pandoc BuildRequires
  * Add prebuilt-pandoc.sh to pre-generate the man pages
  * Add prebuilt-pandoc.tgz containing pre-generated man pages
  * Extract man pages in the appropriate directory during build
- Update to rdma-core v18.1
  * Fix compilation issue with recent glibc
- Drop Remove-the-obsolete-libibcm-library.patch and
  umad-Do-not-check-for-umad-sysfs-files-in-umad_init.patch as they were
  fixed upstream.
- Update to rdma-core v16.5
  * Backport fixes:
  * buildilb: Fix -msse breakage on ARM builds
  * buildlib: Use -msse if the compiler does not support target(sse) (bsc#1086910)
  * suse: do not call %service rules on a template file (bsc#1093170)
  * mlx5: Convert ah_attr static rate to mlx5 static rate
  * ccan: Add array_size.h file
  * iwpmd: Initialize address of sockaddr
  * mlx5: Fix need_uuar_lock when there are no medium bfregs
  * verbs: Fix wrong clean up flow in ibv_rc_pingpong
  * Match kernel ABI to for 4.17 for 32 bit
  * librdmacm: Set errno correctly if status is positive
  * verbs: Remove bogus cq_fd
  * verbs: Fix typo in copying IBV_FLOW_SPEC_UDP/TCP 'val'

==== spec-cleaner ====
Version update (1.0.9 -> 1.1.0)

- Version update to 1.1.0 bsc#1099674:
  * Fix issue with previous release not finding datadirs

==== sqlite3 ====
Subpackages: libsqlite3-0 libsqlite3-0-32bit

- Run tests during build

==== srt ====

- Add baselibs.conf: build 32bit support libs.
- Update Summary and Descriptions fields.

==== sssd ====
Version update (1.16.1 -> 1.16.2)
Subpackages: libnfsidmap-sss libsss_certmap0 libsss_idmap0 libsss_nss_idmap0 libsss_simpleifp0 sssd-32bit sssd-krb5-common sssd-ldap

- Fixed patch name.
- Introduce patches:
  * Create sockets with right permissions:
    0001-SUDO-Create-the-socket-with-stricter-permissions.patch
    (bsc#1098377, CVE-2018-10852)
  * Fix for sssd upstream integration tests
    0002-intg-Do-not-hardcode-nsslibdir.patch
    (bsc#1098163)
- Update to new minor upstream release 1.16.2
  New Features:
  * The smart card authentication, or in more general certificate
    authentication code now supports OpenSSL in addition to previously
    supported NSS (#3489). In addition, the SSH responder can now
    return public SSH keys derived from the public keys stored in a
    X.509 certificate. Please refer to the ssh_use_certificate_keys
    option in the man pages.
  * The files provider now supports mirroring multiple passwd or
    group files. This enhancement can be used to use the SSSD files
    provider instead of the nss_altfiles module
  Bugfixes:
  * A memory handling issue in the nss_ex interface was fixed. This
    bug would manifest in IPA environments with a trusted AD domain
    as a crash of the ns-slapd process, because a ns-slapd plugin
    loads the nss_ex interface (#3715)
  * Several fixes for the KCM deamon were merged (see #3687, #3671, #3633)
  * The ad_site override is now honored in GPO code as well (#3646)
  * Several potential crashes in the NSS responder?s netgroup code
    were fixed (#3679, #3731)
  * A potential crash in the autofs responder?s code was fixed (#3752)
  * The LDAP provider now supports group renaming (#2653)
  * The GPO access control code no longer returns an error if one
    of the relevant GPO rules contained no SIDs at all (#3680)
  * A memory leak in the IPA provider related to resolving external
    AD groups was fixed (#3719)
  * Setups that used multiple domains where one of the domains had
    its ID space limited using the min_id/max_id options did not
    resolve requests by ID properly (#3728)
  * Overriding IDs or names did not work correctly when the domain
    resolution order was set as well (#3595)
  * A version mismatch between certain newer Samba versions (e.g.
    those shipped in RHEL-7.5) and the Winbind interface provided
    by SSSD was fixed. To further prevent issues like this in the
    future, the correct interface is now detected at build time (#3741)
  * The files provider no longer returns a qualified name in case
    domain resolution order is used (#3743)
  * A race condition between evaluating IPA group memberships and
    AD group memberships in setups with IPA-AD trusts that would
    have manifested as randomly losing IPA group memberships assigned
    to an AD user was fixed (#3744)
  * Setting an SELinux login label was broken in setups where the
    domain resolution order was used (#3740)
  * SSSD start up issue on systems that use the libldb library
    with version 1.4.0 or newer was fixed.
  Introduce a patch:
  * Fix build of sssd of 1.16.2 version:
    0003-Fix-build-for-1-16-2-version.patch
    (back then called fix-build.patch)

==== xen ====
Version update (4.10.1_02 -> 4.10.1_08)
Subpackages: xen-doc-html xen-libs xen-tools xen-tools-domU

- Upstream patches from Jan (bsc#1027519)
  5b02c786-x86-AMD-mitigations-for-GPZ-SP4.patch (Replaces Spectre-v4-1.patch)
  5b02c786-x86-Intel-mitigations-for-GPZ-SP4.patch (Replaces Spectre-v4-2.patch)
  5b02c786-x86-msr-virtualise-SPEC_CTRL-SSBD.patch (Replaces Spectre-v4-3.patch)
  5b0bc9da-x86-XPTI-fix-S3-resume.patch
  5b0d2286-libxc-x86-PV-dont-hand-through-CPUID-leaf-0x80000008.patch
  5b0d2d91-x86-suppress-sync-when-XPTI-off.patch
  5b0d2dbc-x86-correct-default_xen_spec_ctrl.patch
  5b0d2ddc-x86-CPUID-dont-override-tool-stack-hidden-STIBP.patch
  5b150ef9-x86-fix-error-handling-of-pv-dr7-shadow.patch
  5b21825d-1-x86-support-fully-eager-FPU-context-switching.patch (Replaces xsa267-1.patch)
  5b21825d-2-x86-spec-ctrl-mitigations-for-LazyFPU.patch (Replaces xsa267-2.patch)
  5b238b92-x86-HVM-account-for-fully-eager-FPU.patch
  5b2b7172-x86-EFI-fix-FPU-state-handling-around-runtime-calls.patch
  5b31e004-x86-HVM-emul-attempts-FPU-set-fpu_initialised.patch
  5b323e3c-x86-EFI-fix-FPU-state-handling-around-runtime-calls.patch
  5b34882d-x86-mm-dont-bypass-preemption-checks.patch (Replaces xsa264.patch)
  5b348874-x86-refine-checks-in-DB-handler.patch (Replaces xsa265.patch)
  5b348897-libxl-qemu_disk_scsi_drive_string-break-out-common.patch (Replaces xsa266-1-<>.patch)
  5b3488a2-libxl-restore-passing-ro-to-qemu-for-SCSI-disks.patch (Replaces xsa266-2-<>.patch)
  5b34891a-x86-HVM-dont-cause-NM-to-be-raised.patch
  5b348954-x86-guard-against-NM.patch
- Fix more build gcc8 related failures with xen.fuzz-_FORTIFY_SOURCE.patch
- bsc#1098403 - fix regression introduced by changes for bsc#1079730
  a PV domU without qcow2 and/or vfb has no qemu attached.
  Ignore QMP errors for PV domUs to handle PV domUs with and without
  an attached qemu-xen.
  xen.bug1079730.patch
- bsc#1097521 - VUL-0: CVE-2018-12891: xen: preemption checks
  bypassed in x86 PV MM handling (XSA-264)
  xsa264.patch
- bsc#1097522 - VUL-0: CVE-2018-12893: xen: x86: #DB exception
  safety check can be triggered by a guest (XSA-265)
  xsa265.patch
- bsc#1097523 - VUL-0: CVE-2018-12892: xen: libxl fails to honour
  readonly flag on HVM emulated SCSI disks (XSA-266)
  xsa266-1-libxl-qemu_disk_scsi_drive_string-Break-out-common-p.patch
  xsa266-2-libxl-restore-passing-readonly-to-qemu-for-SCSI-disk.patch
- bsc#1095242 - VUL-0: CVE-2018-3665: xen: Lazy FP Save/Restore
  (XSA-267)
  xsa267-1.patch
  xsa267-2.patch