Merge remote-tracking branch 'up/master' into master-riscv64

Signed-off-by: David Abdurachmanov <david.abdurachmanov@sifive.com>
2019-12-22 11:34:48 +02:00 · 2019-12-22 11:34:48 +02:00 · bfc42d4192
parent 0a74459811 2ccb3a9dee
commit bfc42d4192
6 changed files with 51 additions and 318 deletions
--- a/0002-Revert-units-set-NoNewPrivileges-for-all-long-runnin.patch
+++ b/0002-Revert-units-set-NoNewPrivileges-for-all-long-runnin.patch
@ -1,178 +0,0 @@
-From 224a4eaf6701431af907179e313138213b60ce6c Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Wed, 3 Apr 2019 10:56:14 +0200
-Subject: [PATCH] Revert "units: set NoNewPrivileges= for all long-running
- services"
-
-This reverts commit 64d7f7b4a15f1534fb19fda6b601fec50783bee4.
---
- units/systemd-coredump@.service.in      | 1 -
- units/systemd-hostnamed.service.in      | 1 -
- units/systemd-initctl.service.in        | 1 -
- units/systemd-journal-remote.service.in | 1 -
- units/systemd-journald.service.in       | 1 -
- units/systemd-localed.service.in        | 1 -
- units/systemd-logind.service.in         | 1 -
- units/systemd-machined.service.in       | 1 -
- units/systemd-networkd.service.in       | 1 -
- units/systemd-resolved.service.in       | 1 -
- units/systemd-rfkill.service.in         | 1 -
- units/systemd-timedated.service.in      | 1 -
- units/systemd-timesyncd.service.in      | 1 -
- 13 files changed, 13 deletions(-)
-
-diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
-index afb2ab9d17..5babc11e4c 100644
--- a/units/systemd-coredump@.service.in
-+++ b/units/systemd-coredump@.service.in
-@@ -22,7 +22,6 @@ IPAddressDeny=any
- LockPersonality=yes
- MemoryDenyWriteExecute=yes
- Nice=9
-NoNewPrivileges=yes
- OOMScoreAdjust=500
- PrivateDevices=yes
- PrivateNetwork=yes
-diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
-index b4f606cf78..f7977e1504 100644
--- a/units/systemd-hostnamed.service.in
-+++ b/units/systemd-hostnamed.service.in
-@@ -19,7 +19,6 @@ ExecStart=@rootlibexecdir@/systemd-hostnamed
- IPAddressDeny=any
- LockPersonality=yes
- MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
- PrivateDevices=yes
- PrivateNetwork=yes
- PrivateTmp=yes
-diff --git a/units/systemd-initctl.service.in b/units/systemd-initctl.service.in
-index c276283908..f48d673d58 100644
--- a/units/systemd-initctl.service.in
-+++ b/units/systemd-initctl.service.in
-@@ -14,6 +14,5 @@ DefaultDependencies=no
- 
- [Service]
- ExecStart=@rootlibexecdir@/systemd-initctl
-NoNewPrivileges=yes
- NotifyAccess=all
- SystemCallArchitectures=native
-diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in
-index dd6322e62c..c867aca104 100644
--- a/units/systemd-journal-remote.service.in
-+++ b/units/systemd-journal-remote.service.in
-@@ -17,7 +17,6 @@ ExecStart=@rootlibexecdir@/systemd-journal-remote --listen-https=-3 --output=/va
- LockPersonality=yes
- LogsDirectory=journal/remote
- MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
- PrivateDevices=yes
- PrivateNetwork=yes
- PrivateTmp=yes
-diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
-index fab405502a..308622e9b3 100644
--- a/units/systemd-journald.service.in
-+++ b/units/systemd-journald.service.in
-@@ -22,7 +22,6 @@ FileDescriptorStoreMax=4224
- IPAddressDeny=any
- LockPersonality=yes
- MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
- Restart=always
- RestartSec=0
- RestrictAddressFamilies=AF_UNIX AF_NETLINK
-diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
-index 7bca34409a..05fb4f0c80 100644
--- a/units/systemd-localed.service.in
-+++ b/units/systemd-localed.service.in
-@@ -19,7 +19,6 @@ ExecStart=@rootlibexecdir@/systemd-localed
- IPAddressDeny=any
- LockPersonality=yes
- MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
- PrivateDevices=yes
- PrivateNetwork=yes
- PrivateTmp=yes
-diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
-index 3eef95c661..53af530aea 100644
--- a/units/systemd-logind.service.in
-+++ b/units/systemd-logind.service.in
-@@ -27,7 +27,6 @@ FileDescriptorStoreMax=512
- IPAddressDeny=any
- LockPersonality=yes
- MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
- PrivateTmp=yes
- ProtectControlGroups=yes
- ProtectHome=yes
-diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
-index d6deefea08..092abc128f 100644
--- a/units/systemd-machined.service.in
-+++ b/units/systemd-machined.service.in
-@@ -22,7 +22,6 @@ ExecStart=@rootlibexecdir@/systemd-machined
- IPAddressDeny=any
- LockPersonality=yes
- MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
- ProtectHostname=yes
- RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
- RestrictRealtime=yes
-diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
-index 2c74da6f1e..eaabcb9941 100644
--- a/units/systemd-networkd.service.in
-+++ b/units/systemd-networkd.service.in
-@@ -24,7 +24,6 @@ CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_N
- ExecStart=!!@rootlibexecdir@/systemd-networkd
- LockPersonality=yes
- MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
- ProtectControlGroups=yes
- ProtectHome=yes
- ProtectKernelModules=yes
-diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
-index eee5d5ea8f..a8f442ef6f 100644
--- a/units/systemd-resolved.service.in
-+++ b/units/systemd-resolved.service.in
-@@ -25,7 +25,6 @@ CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
- ExecStart=!!@rootlibexecdir@/systemd-resolved
- LockPersonality=yes
- MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
- PrivateDevices=yes
- PrivateTmp=yes
- ProtectControlGroups=yes
-diff --git a/units/systemd-rfkill.service.in b/units/systemd-rfkill.service.in
-index 3abb958310..7447ed5b5b 100644
--- a/units/systemd-rfkill.service.in
-+++ b/units/systemd-rfkill.service.in
-@@ -18,7 +18,6 @@ Before=shutdown.target
- 
- [Service]
- ExecStart=@rootlibexecdir@/systemd-rfkill
-NoNewPrivileges=yes
- StateDirectory=systemd/rfkill
- TimeoutSec=30s
- Type=notify
-diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
-index df546f471f..4d50999a22 100644
--- a/units/systemd-timedated.service.in
-+++ b/units/systemd-timedated.service.in
-@@ -19,7 +19,6 @@ ExecStart=@rootlibexecdir@/systemd-timedated
- IPAddressDeny=any
- LockPersonality=yes
- MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
- PrivateTmp=yes
- ProtectControlGroups=yes
- ProtectHome=yes
-diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
-index 6512531e1c..2b2e1d73d2 100644
--- a/units/systemd-timesyncd.service.in
-+++ b/units/systemd-timesyncd.service.in
-@@ -24,7 +24,6 @@ CapabilityBoundingSet=CAP_SYS_TIME
- ExecStart=!!@rootlibexecdir@/systemd-timesyncd
- LockPersonality=yes
- MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
- PrivateDevices=yes
- PrivateTmp=yes
- ProtectControlGroups=yes
--- a/0998-resolved-create-etc-resolv.conf-symlink-at-runtime.patch
+++ b/0998-resolved-create-etc-resolv.conf-symlink-at-runtime.patch
@ -3,10 +3,7 @@ From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
 Date: Fri, 11 Mar 2016 17:06:17 -0500
 Subject: [PATCH] resolved: create /etc/resolv.conf symlink at runtime

-If the symlink doesn't exists, and we are being started, let's
-create it to provie name resolution.
-
-If it exists, do nothing. In particular, if it is a broken symlink,
+If the symlink exists, do nothing. In particular, if it is a broken symlink,
 we cannot really know if the administator configured it to point to
 a location used by some service that hasn't started yet, so we
 don't touch it in that case either.
@ -17,21 +14,6 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1313085
 tmpfiles.d/etc.conf.m4 | 3 ---
 2 files changed, 4 insertions(+), 3 deletions(-)

-diff --git a/src/resolve/resolved.c b/src/resolve/resolved.c
-index 2ca9fbdc72..3c8a9ff12a 100644
--- a/src/resolve/resolved.c
-+++ b/src/resolve/resolved.c
-@@ -49,6 +49,10 @@ static int run(int argc, char *argv[]) {
-         /* Drop privileges, but only if we have been started as root. If we are not running as root we assume most
-          * privileges are already dropped. */
-         if (getuid() == 0) {
-+                r = symlink("../run/systemd/resolve/resolv.conf", "/etc/resolv.conf");
-+                if (r < 0 && errno != EEXIST)
-+                        log_warning_errno(errno,
-+                                          "Could not create /etc/resolv.conf symlink: %m");
- 
-                 /* Drop privileges, but keep three caps. Note that we drop those too, later on (see below) */
-                 r = drop_privileges(uid, gid,
 diff --git a/tmpfiles.d/etc.conf.m4 b/tmpfiles.d/etc.conf.m4
 index f82e0b82ce..66a777bdb2 100644
 --- a/tmpfiles.d/etc.conf.m4
--- a/13792.patch
+++ b/13792.patch
@ -1,104 +0,0 @@
-From 8af4c8abfb59ab66f1f5a34f0eac1342e6f0c7e5 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Thu, 17 Oct 2019 12:37:12 +0200
-Subject: [PATCH] udev: tag any display devices as master-of-seat when
- nomodeset is used
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Fixes #13773. See also https://bugzilla.redhat.com/show_bug.cgi?id=1728240,
-https://github.com/sddm/sddm/issues/1204.
-
-When nomodeset is used on the kernel command line, there is no graphics
-device that the kernel knows, so we don't tag anything as master-of-seat,
-and seat0 has CanGraphical=no.
-
-$ loginctl seat-status seat0 ; loginctl show-seat seat0
-seat0
-         Devices:
-                  ├─/sys/devices/LNXSYSTM:00/LNXPWRBN:00/input/input0
-                  │ input:input0 "Power Button"
-                  ├─/sys/devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb1
-                  │ usb:usb1
-                  │ └─/sys/devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb1/1-1/1-1:1.0/0003:0627:0001.0001/input/input4
-                  │   input:input4 "QEMU QEMU USB Tablet"
-                  ├─/sys/devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb2
-                  │ usb:usb2
-                  ├─/sys/devices/pci0000:00/0000:00:1b.0/sound/card0
-                  │ sound:card0 "Intel"
-                  ├─/sys/devices/platform/i8042/serio0/input/input1
-                  │ input:input1 "AT Translated Set 2 keyboard"
-                  │ ├─/sys/devices/platform/i8042/serio0/input/input1/input1::capslock
-                  │ │ leds:input1::capslock
-                  │ ├─/sys/devices/platform/i8042/serio0/input/input1/input1::numlock
-                  │ │ leds:input1::numlock
-                  │ └─/sys/devices/platform/i8042/serio0/input/input1/input1::scrolllock
-                  │   leds:input1::scrolllock
-                  └─/sys/devices/platform/i8042/serio1/input/input3
-                    input:input3 "ImExPS/2 Generic Explorer Mouse"
-Id=seat0
-CanMultiSession=yes
-CanTTY=yes
-CanGraphical=no
-Sessions=
-IdleHint=yes
-IdleSinceHint=0
-IdleSinceHintMonotonic=0
-
-Let's tag the PCI device with "master-of-seat", so we get CanGraphical=yes, and "seat",
-so it is show as part of the seat:
-
-[fedora@f31-bios ~]$ loginctl seat-status seat0 ; loginctl show-seat seat0
-seat0
-         Devices:
-                  ├─/sys/devices/LNXSYSTM:00/LNXPWRBN:00/input/input0
-                  │ input:input0 "Power Button"
-                  ├─/sys/devices/pci0000:00/0000:00:01.0
-                  │ [MASTER] pci:0000:00:01.0
-                  ├─/sys/devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb1
-                  │ usb:usb1
-                  │ └─/sys/devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb1/1-1/1-1:1.0/0003:0627:0001.0001/input/input4
-                  │   input:input4 "QEMU QEMU USB Tablet"
-                  ├─/sys/devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb2
-                  │ usb:usb2
-                  ├─/sys/devices/pci0000:00/0000:00:1b.0/sound/card0
-                  │ sound:card0 "Intel"
-                  ├─/sys/devices/platform/i8042/serio0/input/input1
-                  │ input:input1 "AT Translated Set 2 keyboard"
-                  │ ├─/sys/devices/platform/i8042/serio0/input/input1/input1::capslock
-                  │ │ leds:input1::capslock
-                  │ ├─/sys/devices/platform/i8042/serio0/input/input1/input1::numlock
-                  │ │ leds:input1::numlock
-                  │ └─/sys/devices/platform/i8042/serio0/input/input1/input1::scrolllock
-                  │   leds:input1::scrolllock
-                  └─/sys/devices/platform/i8042/serio1/input/input3
-                    input:input3 "ImExPS/2 Generic Explorer Mouse"
-Id=seat0
-CanMultiSession=yes
-CanTTY=yes
-CanGraphical=yes
-Sessions=
-IdleHint=yes
-IdleSinceHint=0
-IdleSinceHintMonotonic=0
---
- src/login/71-seat.rules.in | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/src/login/71-seat.rules.in b/src/login/71-seat.rules.in
-index 6010f048aef..2bbd18363e6 100644
--- a/src/login/71-seat.rules.in
-+++ b/src/login/71-seat.rules.in
-@@ -24,6 +24,11 @@ SUBSYSTEM=="graphics", KERNEL=="fb[0-9]", DRIVERS=="hyperv_fb", TAG+="master-of-
- # Allow efifb / uvesafb to be a master if KMS is disabled
- SUBSYSTEM=="graphics", KERNEL=="fb[0-9]", IMPORT{cmdline}="nomodeset", TAG+="master-of-seat"
- 
-+# Allow any PCI graphics device to be a master and synthesize a seat if KMS
-+# is disabled and the kernel doesn't have a driver that would work with this device.
-+SUBSYSTEM=="pci", ENV{ID_PCI_CLASS_FROM_DATABASE}=="Display controller", \
-+                  ENV{DRIVER}=="", IMPORT{cmdline}="nomodeset", TAG+="seat", TAG+="master-of-seat"
-+
- SUBSYSTEM=="drm", KERNEL=="card[0-9]*", TAG+="seat", TAG+="master-of-seat"
- SUBSYSTEM=="usb", ATTR{bDeviceClass}=="09", TAG+="seat"
- 
--- a/464a73411c13596a130a7a8f0ac00ca728e5f69e.patch
+++ b/464a73411c13596a130a7a8f0ac00ca728e5f69e.patch
@ -15,21 +15,21 @@ See the bug for more discussion and links.
 2 files changed, 6 insertions(+)
 create mode 100644 rules/60-block-scheduler.rules

-diff --git a/rules/60-block-scheduler.rules b/rules/60-block-scheduler.rules
+diff --git a/rules.d/60-block-scheduler.rules b/rules.d/60-block-scheduler.rules
 new file mode 100644
 index 00000000000..480b941761f
 --- /dev/null
-+++ b/rules/60-block-scheduler.rules
+++ b/rules.d/60-block-scheduler.rules
@@ -0,0 +1,5 @@
 +# do not edit this file, it will be overwritten on update
 +
 +ACTION=="add", SUBSYSTEM=="block", \
 +  KERNEL=="mmcblk*[0-9]|msblk*[0-9]|mspblk*[0-9]|sd*[!0-9]|sr*", \
 +  ATTR{queue/scheduler}="bfq"
-diff --git a/rules/meson.build b/rules/meson.build
+diff --git a/rules.d/meson.build b/rules.d/meson.build
 index b6a32ba77e2..1da958b4d46 100644
--- a/rules/meson.build
-+++ b/rules/meson.build
+--- a/rules.d/meson.build
+++ b/rules.d/meson.build
@@ -2,6 +2,7 @@
 
 rules = files('''
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (systemd-ef67743.tar.gz) = 9e905ef4f310f5cbd739f15d51e8c500b0e6ce2fbd2ad33b6568e06212ecfb5bba1347754c00b37d30a5b65cd2432d99aef87ebbafa1a94b4185d773f4ce4987
+SHA512 (systemd-244.1.tar.gz) = 7a604d2dcf29b51eeac609813eb8dfca2900fc1d6b5ae6a211704fc695f4fb909644d86e87c790c53dec8fac3cb6f1e628266d44234d2b35d12e06bbf4fbaf8e
--- a/systemd.spec
+++ b/systemd.spec
@ -1,4 +1,4 @@
-%global commit ef677436aa203c24816021dd698b57f219f0ff64
+#global commit ef677436aa203c24816021dd698b57f219f0ff64
 %{?commit:%global shortcommit %(c=%{commit}; echo ${c:0:7})}

 %global stable 1
@ -14,8 +14,8 @@

 Name:           systemd
 Url:            https://www.freedesktop.org/wiki/Software/systemd
-Version:        243
-Release:        4%{?commit:.git%{shortcommit}}.0.riscv64%{?dist}
+Version:        244.1
+Release:        2%{?commit:.git%{shortcommit}}.0.riscv64%{?dist}
 # For a breakdown of the licensing, see README
 License:        LGPLv2+ and MIT and GPLv2+
 Summary:        System and Service Manager
@ -26,8 +26,12 @@ Summary:        System and Service Manager
 %if %{defined commit}
 Source0:        https://github.com/systemd/systemd%{?stable:-stable}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz
 %else
+%if 0%{?stable}
+Source0:        https://github.com/systemd/systemd-stable/archive/v%{github_version}/%{name}-%{github_version}.tar.gz
+%else
 Source0:        https://github.com/systemd/systemd/archive/v%{github_version}/%{name}-%{github_version}.tar.gz
 %endif
+%endif
 # This file must be available before %%prep.
 # It is generated during systemd build and can be found in build/src/core/.
 Source1:        triggers.systemd
@ -55,13 +59,6 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[
 # https://bugzilla.redhat.com/show_bug.cgi?id=1738828
 Patch0001:      https://github.com/keszybz/systemd/commit/464a73411c13596a130a7a8f0ac00ca728e5f69e.patch

-Patch0002:      0002-Revert-units-set-NoNewPrivileges-for-all-long-runnin.patch
-
-# https://bugzilla.redhat.com/show_bug.cgi?id=1728240
-# https://github.com/systemd/systemd/issues/13773
-# https://github.com/systemd/systemd/pull/13792
-Patch0003:      13792.patch
-
 Patch0998:      0998-resolved-create-etc-resolv.conf-symlink-at-runtime.patch

 #Patch0040:      systemd-seccomp-riscv64.patch
@ -154,6 +151,10 @@ Conflicts:      fedora-release < 23-0.12
 Obsoletes:	timedatex < 0.6-3
 Provides:       timedatex = 0.6-3

+# https://bugzilla.redhat.com/show_bug.cgi?id=1753381
+Provides:       u2f-hidraw-policy = 1.0.2-40
+Obsoletes:      u2f-hidraw-policy < 1.0.2-40
+
 %description
 systemd is a system and service manager that runs as PID 1 and starts
 the rest of the system. It provides aggressive parallelization
@ -305,6 +306,8 @@ CONFIGURE_OPTS=(
        -Dsysvinit-path=/etc/rc.d/init.d
        -Drc-local=/etc/rc.d/rc.local
        -Dntp-servers='0.%{ntpvendor}.pool.ntp.org 1.%{ntpvendor}.pool.ntp.org 2.%{ntpvendor}.pool.ntp.org 3.%{ntpvendor}.pool.ntp.org'
+        -Duser-path=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin
+        -Dservice-watchdog=
        -Ddev-kvm-mode=0666
        -Dkmod=true
        -Dxkbcommon=true
@ -715,10 +718,40 @@ fi
 %files tests -f .file-list-tests

 %changelog
-* Fri Nov 08 2019 David Abdurachmanov <david.abdurachmanov@sifive.com> - 243-4.gitef67743.0.riscv64
+* Sun Dec 22 2019 David Abdurachmanov <david.abdurachmanov@sifive.com> - 244.1-2.0.riscv64
 - Disable SECCOMP until the test can pass
 - Add SECCOMP support for RISC-V 64-bit (riscv64)

+* Sat Dec 21 2019  <zbyszek@nano-f31> - 244.1-2
+- Disable service watchdogs (for systemd units)
+
+* Sun Dec 15 2019  <zbyszek@nano-f31> - 244.1-1
+- Update to latest stable batch (systemd-networkd fixups, better
+  support for seccomp on s390x, minor cleanups to documentation).
+- Drop patch to revert addition of NoNewPrivileges to systemd units
+
+* Fri Nov 29 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 244-1
+- Update to latest version. Just minor bugs fixed since the pre-release.
+
+* Fri Nov 22 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 244~rc1-1
+- Update to latest pre-release version,
+  see https://github.com/systemd/systemd/blob/master/NEWS#L3.
+  Biggest items: cgroups v2 cpuset controller, fido_id builtin in udev,
+  systemd-networkd does not create a default route for link local addressing,
+  systemd-networkd supports dynamic reconfiguration and a bunch of new settings.
+  Network files support matching on WLAN SSID and BSSID.
+- Better error messages when preset/enable/disable are used with a glob (#1763488)
+- u2f-hidraw-policy package is obsoleted (#1753381)
+
+* Tue Nov 19 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 243.4
+- Latest bugfix release. Systemd-stable snapshots will now be numbered.
+- Fix broken PrivateDevices filter on big-endian, s390x in particular (#1769148)
+- systemd-modules-load.service should only warn, not fail, on error (#1254340)
+- Fix incorrect certificate validation with DNS over TLS (#1771725, #1771726,
+  CVE-2018-21029)
+- Fix regression with crypttab keys with colons
+- Various memleaks and minor memory access issues, warning adjustments
+
 * Fri Oct 18 2019 Adam Williamson <awilliam@redhat.com> - 243-4.gitef67743
 - Backport PR #13792 to fix nomodeset+BIOS CanGraphical bug (#1728240)