
The following updates have been released for openSUSE:

openSUSE-SU-2019:1997-1: important: Security update for neovim
openSUSE-SU-2019:1999-1: moderate: Security update for teeworlds
openSUSE-SU-2019:2000-1: important: Security update for go1.12
openSUSE-SU-2019:2005-1: moderate: Security update for qbittorrent
openSUSE-SU-2019:2007-1: moderate: Recommended update for dkgpg, libTMCG
openSUSE-SU-2019:2008-1: moderate: Security update for zstd



openSUSE-SU-2019:1997-1: important: Security update for neovim

openSUSE Security Update: Security update for neovim
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1997-1
Rating: important
References: #1137443
Cross-References: CVE-2019-12735
Affected Products:
openSUSE Backports SLE-15-SP1
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for neovim fixes the following issues:

neovim was updated to version 0.3.7:

* CVE-2019-12735: source should check sandbox (boo#1137443)
* genappimage.sh: migrate to linuxdeploy

Version Update to version 0.3.5:

* options: properly reset directories on 'autochdir'
* Remove MSVC optimization workaround for SHM_ALL
* Make SHM_ALL to a variable instead of a compound literal #define
* doc: mention "pynvim" module rename
* screen: don't crash when drawing popupmenu with 'rightleft' option
* look-behind match may use the wrong line number
* :terminal : set topline based on window height
* :recover : Fix crash on non-existent *.swp

Version Update to version 0.3.4:

* test: add tests for conceal cursor movement
* display: unify cursorline and concealcursor redraw logic

Version Update to version 0.3.3:

* health/provider: Check for available pynvim when neovim mod is missing
* python#CheckForModule: Use the given module string instead of
hard-coding pynvim
* (health.provider)/python: Import the neovim, rather than pynvim, module
* TUI: Konsole DECSCUSR fixup

Version Update to version 0.3.2:

* Features

- clipboard: support Custom VimL functions (#9304)
- win/TUI: improve terminal/console support (#9401)
- startup: Use $XDG_CONFIG_DIRS/nvim/sysinit.vim if exists (#9077)
- support mapping in more places (#9299)
- diff/highlight: show underline for low-priority CursorLine (#9028)
- signs: Add "numhl" argument (#9113)
- clipboard: support Wayland (#9230)
- TUI: add support for undercurl and underline color (#9052)
- man.vim: soft (dynamic) wrap (#9023)

* API

- API: implement object namespaces (#6920)
- API: implement nvim_win_set_buf() (#9100)
- API: virtual text annotations (nvim_buf_set_virtual_text) (#8180)
- API: add nvim_buf_is_loaded() (#8660)
- API: nvim_buf_get_offset_for_line (#8221)
- API/UI: ext_newgrid, ext_hlstate (#8221)

* UI

- TUI: use BCE again more often (smoother resize) (#8806)
- screen: add missing status redraw when redraw_later(CLEAR) was used
(#9315)
- TUI: clip invalid regions on resize (#8779)
- TUI: improvements for scrolling and clearing (#9193)
- TUI: disable clearing almost everywhere (#9143)
- TUI: always use safe cursor movement after resize (#9079)
- ui_options: also send when starting or from OptionSet (#9211)
- TUI: Avoid reset_color_cursor_color in old VTE (#9191)
- Don't erase screen on :hi Normal during startup (#9021)
- TUI: Hint wrapped lines to terminals (#8915)

* FIXES

- RPC: turn errors from async calls into notifications
- TUI: Restore terminal title via "title stacking" (#9407)
- genappimage: Unset $ARGV0 at invocation (#9376)
- TUI: Konsole 18.07.70 supports DECSCUSR (#9364)
- provider: improve error message (#9344)
- runtime/syntax: Fix highlighting of autogroup contents (#9328)
- VimL/confirm(): Show dialog even if :silent (#9297)
- clipboard: prefer xclip (#9302)
- provider/nodejs: fix npm, yarn detection
- channel: avoid buffering output when only terminal is active (#9218)
- ruby: detect rbenv shims for other versions (#8733)
- third party/unibilium: Fix parsing of extended capability entries
(#9123)
- jobstart(): Fix hang on non-executable cwd (#9204)
- provide/nodejs: Simultaneously query npm and yarn (#9054)
- undo: Fix infinite loop if undo_read_byte returns EOF (#2880)
- 'swapfile: always show dialog' (#9034)

- Add to the system-wide configuration file extension of runtimepath by
/usr/share/vim/site, so that neovim uses other Vim plugins installed
from packages.

- Add /usr/share/vim/site tree of directories to be owned by neovim as
well.

This update was imported from the openSUSE:Leap:15.1:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP1:

zypper in -t patch openSUSE-2019-1997=1



Package List:

- openSUSE Backports SLE-15-SP1 (x86_64):

neovim-0.3.7-bp151.3.3.1

- openSUSE Backports SLE-15-SP1 (noarch):

neovim-lang-0.3.7-bp151.3.3.1


References:

https://www.suse.com/security/cve/CVE-2019-12735.html
https://bugzilla.suse.com/1137443

openSUSE-SU-2019:1999-1: moderate: Security update for teeworlds

openSUSE Security Update: Security update for teeworlds
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1999-1
Rating: moderate
References: #1112910 #1131729
Cross-References: CVE-2018-18541 CVE-2019-10877 CVE-2019-10878
CVE-2019-10879
Affected Products:
openSUSE Backports SLE-15-SP1
______________________________________________________________________________

An update that fixes four vulnerabilities is now available.

Description:

This update for teeworlds fixes the following issues:

- CVE-2019-10879: An integer overflow in CDataFileReader::Open() could
have led to a buffer overflow and possibly remote code execution,
because size-related multiplications were mishandled. (boo#1131729)
- CVE-2019-10878: A failed bounds check in CDataFileReader::GetData() and
CDataFileReader::ReplaceData() and related functions could have led to
an arbitrary free and out-of-bounds pointer write, possibly resulting in
remote code execution.
- CVE-2019-10877: An integer overflow in CMap::Load() could have led to a
buffer overflow, because multiplication of width and height was
mishandled.
- CVE-2018-18541: Connection packets could have been forged. There was no
challenge-response involved in the connection build up. A remote
attacker could have sent connection packets from a spoofed IP address
and occupy all server slots, or even use them for a reflection attack
using map download packets. (boo#1112910)

- Update to version 0.7.3.1
* Colorful gametype and level icons in the browser instead of grayscale.
* Add an option to use raw mouse inputs, revert to (0.6) relative mode
by default.
* Demo list marker indicator.
* Restore ingame Player and Tee menus, add a warning that a reconnect is
needed.
* Emotes can now be cancelled by releasing the mouse in the middle of
the circle.
* Improve add friend text.
* Add a confirmation for removing a filter
* Add a "click a player to follow" hint
* Also hint players which key they should press to set themselves ready.
* fixed using correct array measurements when placing egg doodads
* fixed demo recorder downloaded maps using the sha256 hash
* show correct game release version in the start menu and console
* Fix platform-specific client libraries for Linux
* advanced scoreboard with game statistics
* joystick support (experimental!)
* copy paste (one-way)
* bot cosmetics (a visual difference between players and NPCs)
* chat commands (type / in chat)
* players can change skin without leaving the server (again)
* live automapper and complete rules for 0.7 tilesets
* audio toggling HUD
* an Easter surprise...
* new gametypes: "last man standing" (LMS) and "last team standing"
(LTS). survive on your own or as a team with limited weaponry
* 64 players support. official gametypes are still restricted to 16
players maximum but allow more spectators
* new skin system. build your own skins based on a variety of provided
parts
* enhanced security. all communications require a handshake and use a
token to counter spoofing and reflection attacks
* new maps: ctf8, dm3, lms1. Click to discover them!
* animated background menu map: jungle, heavens (day/night themes,
customisable in the map editor)
* new design for the menus: added start menus, reworked server browser,
settings
* customisable gametype icons (browser). make your own!
* chat overhaul, whispers (private messages)
* composed binds (ctrl+, shift+, alt+)
* scoreboard remodelled, now shows kills/deaths
* demo markers
* master server list cache (in case the masters are unreachable)
* input separated from rendering (optimisation)
* upgrade to SDL2. support for multiple monitors, non-english keyboards,
and more
* broadcasts overhaul, optional colours support
* ready system, for competitive settings
* server difficulty setting (casual, competitive, normal), shown in the
browser
* spectator mode improvements: follow flags, click on players
* bot flags for modified servers: indicate NPCs, can be filtered out in
the server browser
* sharper graphics all around (no more tileset_borderfix and dilate)
* refreshed the HUD, ninja cooldown, new mouse cursor
* mapres update (higher resolution, fixes...)

This update was imported from the openSUSE:Leap:15.1:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP1:

zypper in -t patch openSUSE-2019-1999=1



Package List:

- openSUSE Backports SLE-15-SP1 (aarch64 ppc64le x86_64):

teeworlds-0.7.3.1-bp151.2.3.3


References:

https://www.suse.com/security/cve/CVE-2018-18541.html
https://www.suse.com/security/cve/CVE-2019-10877.html
https://www.suse.com/security/cve/CVE-2019-10878.html
https://www.suse.com/security/cve/CVE-2019-10879.html
https://bugzilla.suse.com/1112910
https://bugzilla.suse.com/1131729

openSUSE-SU-2019:2000-1: important: Security update for go1.12

openSUSE Security Update: Security update for go1.12
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:2000-1
Rating: important
References: #1139210 #1141689 #1146111 #1146115 #1146123

Cross-References: CVE-2019-14809 CVE-2019-9512 CVE-2019-9514

Affected Products:
openSUSE Leap 15.1
______________________________________________________________________________

An update that solves three vulnerabilities and has two
fixes is now available.

Description:

This update for go1.12 fixes the following issues:

Security issues fixed:

- CVE-2019-9512: Fixed HTTP/2 flood using PING frames that results in
unbounded memory growth. (bsc#1146111)
- CVE-2019-9514: Fixed a reset flood in the HTTP/2 implementation,
potentially leading to a denial of service. (bsc#1146115)
- CVE-2019-14809: Fixed authorization bypass due to malformed hosts in
URLs. (bsc#1146123)


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

zypper in -t patch openSUSE-2019-2000=1



Package List:

- openSUSE Leap 15.1 (x86_64):

go1.12-1.12.9-lp151.2.9.1
go1.12-doc-1.12.9-lp151.2.9.1
go1.12-race-1.12.9-lp151.2.9.1


References:

https://www.suse.com/security/cve/CVE-2019-14809.html
https://www.suse.com/security/cve/CVE-2019-9512.html
https://www.suse.com/security/cve/CVE-2019-9514.html
https://bugzilla.suse.com/1139210
https://bugzilla.suse.com/1141689
https://bugzilla.suse.com/1146111
https://bugzilla.suse.com/1146115
https://bugzilla.suse.com/1146123

openSUSE-SU-2019:2005-1: moderate: Security update for qbittorrent

openSUSE Security Update: Security update for qbittorrent
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:2005-1
Rating: moderate
References: #1141967
Cross-References: CVE-2019-13640
Affected Products:
openSUSE Leap 15.1
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for qbittorrent fixes the following issues:

- CVE-2019-13640: avoid command injection (boo#1141967)


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

zypper in -t patch openSUSE-2019-2005=1



Package List:

- openSUSE Leap 15.1 (x86_64):

qbittorrent-4.1.5-lp151.2.3.1
qbittorrent-debuginfo-4.1.5-lp151.2.3.1
qbittorrent-debugsource-4.1.5-lp151.2.3.1
qbittorrent-nox-4.1.5-lp151.2.3.1
qbittorrent-nox-debuginfo-4.1.5-lp151.2.3.1


References:

https://www.suse.com/security/cve/CVE-2019-13640.html
https://bugzilla.suse.com/1141967

openSUSE-SU-2019:2007-1: moderate: Recommended update for dkgpg, libTMCG

openSUSE Security Update: Recommended update for dkgpg, libTMCG
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:2007-1
Rating: moderate
References:
Affected Products:
openSUSE Backports SLE-15-SP1
openSUSE Backports SLE-15
______________________________________________________________________________

An update that contains security fixes can now be installed.

Description:



This update for dkgpg, libTMCG fixes the following issues:

libTMCG was updated to version 1.3.18

* This release is two-fold: first, it fixes some bugs (e.g. iterated S2K)
of the OpenPGP interface, and second, it adds functionality for handling
v5 keys and signatures (see RFC 4880bis-07).

Update to version 1.3.17

* VTMF,ASTC,DKG,VRHE,EOTP,COM,VSS: make CheckGroup() more robust
* VSSHE: security bugfix for Verify_[non]interactive_[_publiccoin]
* mpz_spowm: added check for correct base in fast exponentiation
* mpz_sqrtm: remove unused parameter in tmcg_mpz_qrmn_p()
* configure.ac: added compiler option "-Wextra"
* mpz_sprime: added tmcg_mpz_smprime() with increased B = 80000
* RFC4880: changed type of tmcg_openpgp_mem_alloc to unsigned long

Update to version 1.3.16

* changed constant TMCG_MAX_CARDS (decreased by factor 2)
* changed formulas for TMCG_MAX_VALUE_CHARS and TMCG_MAX_KEY_CHARS
* RFC4880: added support of Preferred AEAD Algorithms [RFC 4880bis]
* RFC4880: added output for key usage "timestamping" [RFC 4880bis]
* RFC4880: changed tmcg_openpgp_byte_t: unsigned char -> uint8_t
* RFC4880: added PacketAeadEncode() [RFC 4880bis]
* RFC4880: added SymmetricDecryptAEAD() and SymmetricEncryptAEAD()
* changed formula for TMCG_MAX_KEYBITS (increased by factor 2)
* mpz_srandom: bugfix in Botan code branch of mpz_grandomb()

Update to version 1.3.15:

* This is a maintenance release that fixes some bugs, e.g. in the Botan
support of functions from module mpz_srandom. Moreover, some interfaces
of the OpenPGP implementation have been added and removed. For some
modules of LibTMCG a basic exception handling has been introduced.

Update to version 1.3.14:

* With this release three additional parameters for the control of secure
memory allocation have been added to init_libTMCG(). They are explained
in the reference manual. Moreover, the OpenPGP interface has been
enhanced in several ways, e.g., ECDH, ECDSA and EdDSA are supported now.

Update to 1.3.13:

* Lots of major improvements for undocumented OpenPGP interface
* PRNG from Botan is used as additional source of randomness
* SHA3 is emulated if runtime version of libgcrypt is too old

dkgpg was updated to version 1.1.3:

* This is a bugfix release that includes only three minor improvements: a
direct-key signature (0x1f) for the primary key is added by default such
that restricting key servers (e.g. keys.openpgp.org) can deliver a
cryptographically checkable key without verification of any included
user ID or without appended subkey. The command line interface of
dkg-decrypt has been improved in order to give users an easy access to
the symmetric-key decryption mode. An additional option ("-5") for
dkg-sign allows generating V5 signatures (cf. draft RFC 4880bis).

Update to version 1.1.2:

* This release adds a lot of features to some programs: two new options
("-K" and "-f") allow dkg-keysign to read the certification key from a
keyring instead of a single key block file. Moreover, with option "-a"
an interactive confirmation by the user is required for each signature.
Passive support of V5 keys (cf. draft RFC 4880bis) has been added for
all programs, however, dkg-generate still generates V4 keys only,
because this new feature of the draft is not widely spread. There is
also a new encryption capability: an empty KEYSPEC tells dkg-encrypt to
create a symmetric-key encrypted session key, i.e., the user has to
supply a passphrase for encryption and decryption without any public-key
cryptography involved. Last but not least, two bugs have been fixed:
First, dkg-decrypt failed on many ZIP-compressed OpenPGP messages with
"ZLIB ERROR: -3 invalid block type" due to a bug in decompression logic.
Second, dkg-decrypt failed in a special case of symmetric-key encrypted
session keys. Finally, the non-installing program dkg-fuzzer (generates
fuzzy samples of somehow corrupted OpenPGP structures) has been added.

Update to version 1.1.1:

* Some small improvements have been applied for dkg-generate: Two new
options ("-u" and "-N") allow providing the initial user ID and to
disable the passphrase at command line. Moreover, since this release
dkg-timestamp and dkg-timestamp-verify require a special key usage flag
from recent RFC 4880bis draft to select so-called timestamping keys.
Finally, the synchronization time of the internally used broadcast
protocol was reduced to a more reasonable amount and in dkg-decrypt the
detection of end of data for message and decryption shares was changed.

Update to version 1.1.0:

* This release supports Authenticated Encryption with Associated Data
(AEAD) in accordance with RFC 4880bis (draft); this can be enforced with
the new added option "-a" when dkg-(d)encrypt is used. For using domain
parameters, as described in RFC 7919, one should specify the new option
"-r", when dkg-gencrs is used. Last, for key generation (dkg-generate)
the timestamp option was added ("--timestamping") which sets a key usage
flag.

Update to version 1.0.9:

* This release improves the possibilities of DKGPG
further. With the new programs dkg-adduid and dkg-revuid a user ID can
be added and revoked, respectively. The program dkg-revoke now supports
a human-readable reason for revocation (by option "-R") and dkg-decrypt
verifies an included signature according to a given key ring (option
"-k"). Last but not least, by the program dkg-addrevoker an external
revocation key can be specified.

Update to version 1.0.8:

* First of all, passive support for ECDSA, ECDH, and EdDSA (cf. RFC 6637
and Werner Koch's draft RFC 4880bis) has been added by relying on the
most recent version of LibTMCG. The threshold signature scheme and the
threshold encryption are still limited to finite field cryptography
(i.e. DSA and ElGamal). Moreover, the programs generate and recognize a
few other new OpenPGP features (e.g. issuer fingerprint subpackets) from
RFC 4880bis. Compressed messages are now decompressed by the program
dkg-decrypt using zlib Compression Library (and optionally by library
routines from libbzip2). This completes DKGPG's compatibility with other
OpenPGP software, however, the preferred compression algorithm (i.e. "no
compression") in self-signatures of generated keys is kept for now.
Support for symmetric-key decryption by dkg-decrypt has been added too.
The program dkg-verify now reads the signature from a file, if option
"-s" is used. To keep track of later protocol changes, all interactive
programs include a version identifier in their common ID of the reliable
broadcast channel. Thus programs from previous releases will not
communicate with those of this release. With the new programs
dkg-timestamp and dkg-timestamp-verify an OpenPGP timestamp signature can
be generated and verified, respectively. Last but not least, by the new
option "-y" some programs (dkg-generate, dkg-decrypt, dkg-sign,
dkg-keysign, and dkg-timestamp) will work with regular OpenPGP keys too.
The README file contains a configuration sample showing how to replace
classic PGP by DKGPG in the famous mail user agent mutt based on this
option. Please note that this feature is experimental and semantics may
be changed later.

Update to 1.0.7:

* Small improvements due to the new OpenPGP structures from libTMCG
* "-k" option has been added to further programs
* OpenPGP cleartext signatures can be generated with the "-t" option
* Output of potentially malicious user IDs has been sanitized in
dkg-keycheck, dkg-keyinfo, and dkg-keysign

This update was imported from the openSUSE:Leap:15.0:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP1:

zypper in -t patch openSUSE-2019-2007=1

- openSUSE Backports SLE-15:

zypper in -t patch openSUSE-2019-2007=1



Package List:

- openSUSE Backports SLE-15-SP1 (aarch64 ppc64le s390x x86_64):

dkgpg-1.1.3-bp151.4.3.1
dkgpg-debuginfo-1.1.3-bp151.4.3.1
dkgpg-debugsource-1.1.3-bp151.4.3.1
libTMCG-debugsource-1.3.18-bp151.4.3.1
libTMCG-devel-1.3.18-bp151.4.3.1
libTMCG18-1.3.18-bp151.4.3.1
libTMCG18-debuginfo-1.3.18-bp151.4.3.1

- openSUSE Backports SLE-15 (aarch64 ppc64le s390x x86_64):

dkgpg-1.1.3-bp150.3.3.1
libTMCG-debugsource-1.3.18-bp150.3.3.1
libTMCG-devel-1.3.18-bp150.3.3.1
libTMCG18-1.3.18-bp150.3.3.1
libTMCG18-debuginfo-1.3.18-bp150.3.3.1

openSUSE-SU-2019:2008-1: moderate: Security update for zstd

openSUSE Security Update: Security update for zstd
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:2008-1
Rating: moderate
References: #1082318 #1133297 #1142941
Cross-References: CVE-2019-11922
Affected Products:
openSUSE Backports SLE-15-SP1
openSUSE Backports SLE-15
______________________________________________________________________________

An update that solves one vulnerability and has two fixes
is now available.

Description:

This update for zstd fixes the following issues:

- Update to version 1.4.2:
* bug: Fix bug in zstd-0.5 decoder by @terrelln (#1696)
* bug: Fix seekable decompression in-memory API by @iburinoc (#1695)
* bug: Close minor memory leak in CLI by @LeeYoung624 (#1701)
* misc: Validate blocks are smaller than size limit by @vivekmig (#1685)
* misc: Restructure source files by @ephiepark (#1679)

- Update to version 1.4.1:
* bug: Fix data corruption in niche use cases by @terrelln (#1659)
* bug: Fuzz legacy modes, fix uncovered bugs by @terrelln (#1593, #1594,
#1595)
* bug: Fix out of bounds read by @terrelln (#1590)
* perf: Improve decode speed by ~7% @mgrice (#1668)
* perf: Slightly improved compression ratio of level 3 and 4
(ZSTD_dfast) by @cyan4973 (#1681)
* perf: Slightly faster compression speed when re-using a context by
@cyan4973 (#1658)
* perf: Improve compression ratio for small windowLog by @cyan4973
(#1624)
* perf: Faster compression speed in high compression mode for repetitive
data by @terrelln (#1635)
* api: Add parameter to generate smaller dictionaries by @tyler-tran
(#1656)
* cli: Recognize symlinks when built in C99 mode by @felixhandte (#1640)
* cli: Expose cpu load indicator for each file on -vv mode by @ephiepark
(#1631)
* cli: Restrict read permissions on destination files by @chungy (#1644)
* cli: zstdgrep: handle -f flag by @felixhandte (#1618)
* cli: zstdcat: follow symlinks by @vejnar (#1604)
* doc: Remove extra size limit on compressed blocks by @felixhandte
(#1689)
* doc: Fix typo by @yk-tanigawa (#1633)
* doc: Improve documentation on streaming buffer sizes by @cyan4973
(#1629)
* build: CMake: support building with LZ4 @leeyoung624 (#1626)
* build: CMake: install zstdless and zstdgrep by @leeyoung624 (#1647)
* build: CMake: respect existing uninstall target by @j301scott (#1619)
* build: Make: skip multithread tests when built without support by
@michaelforney (#1620)
* build: Make: Fix examples/ test target by @sjnam (#1603)
* build: Meson: rename options out of deprecated namespace by @lzutao
(#1665)
* build: Meson: fix build by @lzutao (#1602)
* build: Visual Studio: don't export symbols in static lib by @scharan
(#1650)
* build: Visual Studio: fix linking by @absotively (#1639)
* build: Fix MinGW-W64 build by @myzhang1029 (#1600)
* misc: Expand decodecorpus coverage by @ephiepark (#1664)

- Add baselibs.conf: libarchive gained zstd support and provides
-32bit libraries. This means, zstd also needs to provide -32bit libs.

- Update to new upstream release 1.4.0
* perf: level 1 compression speed was improved
* cli: added --[no-]compress-literals flag to enable or disable literal
compression
- Reword "real-time" in description by some actual statistics, because
603MB/s (lowest zstd level) is not "real-time" for quite some
applications.

- zstd 1.3.8:
* better decompression speed on large files (+7%) and cold dictionaries
(+15%)
* slightly better compression ratio at high compression modes
* new --rsyncable mode
* support decompression of empty frames into NULL (used to be an error)
* support ZSTD_CLEVEL environment variable
* --no-progress flag, preserving final summary
* various CLI fixes
* fix race condition in one-pass compression functions that could allow
out of bounds write (CVE-2019-11922, boo#1142941)

- zstd 1.3.7:
* fix ratio for dictionary compression at levels 9 and 10
* add man pages for zstdless and zstdgrep
- includes changes from zstd 1.3.6:
* faster dictionary builder, also the new default for --train
* previous (slower, slightly higher quality) dictionary builder to be
selected via --train-cover
* Faster dictionary decompression and compression under memory limits
with many dictionaries used simultaneously
* New command --adapt for compressed network piping of data adjusted to
the perceived network conditions

- update to 1.3.5:
* much faster dictionary compression
* small quality improvement for dictionary generation
* slightly improved performance at high compression levels
* automatic memory release for long duration contexts
* fix overlapLog can be manually set
* fix decoding invalid lz4 frames
* fix performance degradation for dictionary compression when using
advanced API

- fix pzstd tests
- enable pzstd (parallel zstd)

- Use %license instead of %doc [boo#1082318]
- Add disk _constraints to fix ppc64le build
- Use FAT LTO objects in order to provide proper static library
(boo#1133297).


This update was imported from the openSUSE:Leap:15.0:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP1:

zypper in -t patch openSUSE-2019-2008=1

- openSUSE Backports SLE-15:

zypper in -t patch openSUSE-2019-2008=1



Package List:

- openSUSE Backports SLE-15-SP1 (aarch64 ppc64le s390x x86_64):

libzstd-devel-1.4.2-bp151.4.3.1
libzstd-devel-static-1.4.2-bp151.4.3.1
libzstd1-1.4.2-bp151.4.3.1
libzstd1-debuginfo-1.4.2-bp151.4.3.1
zstd-1.4.2-bp151.4.3.1
zstd-debuginfo-1.4.2-bp151.4.3.1
zstd-debugsource-1.4.2-bp151.4.3.1

- openSUSE Backports SLE-15-SP1 (aarch64_ilp32):

libzstd1-64bit-1.4.2-bp151.4.3.1
libzstd1-64bit-debuginfo-1.4.2-bp151.4.3.1

- openSUSE Backports SLE-15 (aarch64 ppc64le s390x x86_64):

libzstd-devel-1.4.2-bp150.3.3.1
libzstd-devel-static-1.4.2-bp150.3.3.1
libzstd1-1.4.2-bp150.3.3.1
zstd-1.4.2-bp150.3.3.1

- openSUSE Backports SLE-15 (aarch64_ilp32):

libzstd1-64bit-1.4.2-bp150.3.3.1


References:

https://www.suse.com/security/cve/CVE-2019-11922.html
https://bugzilla.suse.com/1082318
https://bugzilla.suse.com/1133297
https://bugzilla.suse.com/1142941