Packages changed:
  ImageMagick (7.1.1.10 -> 7.1.1.11)
  MozillaFirefox-branding-openSUSE
  apparmor (3.1.3 -> 3.1.4)
  bcm43xx-firmware
  binutils
  ceph
  checkmedia (6.1 -> 6.2)
  cppcheck
  cups
  curl (8.1.1 -> 8.1.2)
  dav1d (1.2.0 -> 1.2.1)
  freerdp
  gc (8.2.2 -> 8.2.4)
  glslang (12.1.0 -> 12.2.0)
  gnome-mahjongg (3.38.3 -> 3.40.0)
  gnutls
  imlib2 (1.11.0 -> 1.11.1)
  javapackages-tools
  kio-extras5
  kyotocabinet
  libX11 (1.8.4 -> 1.8.5)
  libapparmor (3.1.3 -> 3.1.4)
  libgsasl
  libmfx (22.6.5 -> 23.2.2)
  libproxy
  libproxy-plugins
  libreoffice (7.5.3.2 -> 7.5.4.1)
  librsvg (2.56.0 -> 2.56.1)
  libserf (1.3.9 -> 1.3.10)
  libstorage-ng (4.5.112 -> 4.5.115)
  libvirt (9.3.0 -> 9.4.0)
  libxcrypt (4.4.33 -> 4.4.34)
  libyui (4.5.2 -> 4.6.0)
  libyui-ncurses (4.5.2 -> 4.6.0)
  libyui-ncurses-pkg (4.5.2 -> 4.6.0)
  libyui-qt (4.5.2 -> 4.6.0)
  libyui-qt-graph (4.5.2 -> 4.6.0)
  libyui-qt-pkg (4.5.2 -> 4.6.0)
  lua54 (5.4.4 -> 5.4.6)
  man-pages (6.02 -> 6.04)
  manpages-l10n (4.18.1 -> 4.19.0)
  mariadb-connector-c (3.3.4 -> 3.3.5)
  mozilla-nss
  ncurses (6.4.20230506 -> 6.4.20230520)
  opensc
  openssl-1_1 (1.1.1t -> 1.1.1u)
  openssl-3 (3.0.8 -> 3.1.1)
  openssl (3.0.8 -> 3.1.1)
  perl-Bootloader (1.1 -> 1.2)
  perl-IO-Socket-SSL (2.081 -> 2.083)
  perl-Mojolicious (9.31 -> 9.32)
  perl-Net-DNS (1.37 -> 1.38)
  perl-libwww-perl (6.68 -> 6.70)
  python-argcomplete
  python-gevent
  python-libvirt-python (9.3.0 -> 9.4.0)
  python-rich (13.3.5 -> 13.4.1)
  python-rpm
  python-tornado6 (6.2 -> 6.3.2)
  python-zope.event
  qemu (8.0.0 -> 8.0.2)
  qt6-base
  rp-pppoe
  rpm
  rubygem-rack-2.2 (2.2.6.4 -> 2.2.7)
  sdl12_compat (1.2.60 -> 1.2.64)
  sendmail
  shaderc (2023.2 -> 2023.4)
  texlive
  tracker (3.5.2 -> 3.5.3)
  virtiofsd
  vulkan-loader (1.3.247 -> 1.3.250.0)
  vulkan-tools (1.3.247 -> 1.3.250.0)
  webkit2gtk3 (2.40.1 -> 2.40.2)
  webkit2gtk3-soup2 (2.40.1 -> 2.40.2)
  xfce4-power-manager (4.18.1 -> 4.18.2)
  xfce4-pulseaudio-plugin (0.4.6 -> 0.4.7)
  xfce4-screensaver (4.18.1 -> 4.18.2)
  xfce4-session (4.18.2 -> 4.18.3)
  yast2-apparmor (4.6.0 -> 4.6.1)
  yast2-auth-server (4.6.1 -> 4.6.2)
  yast2-control-center (4.6.0 -> 4.6.1)

=== Details ===

==== ImageMagick ====
Version update (7.1.1.10 -> 7.1.1.11)
Subpackages: ImageMagick-config-7-SUSE ImageMagick-extra libMagickCore-7_Q16HDRI10 libMagickWand-7_Q16HDRI10

- version update to 7.1.1.11
  * upstream changelog: https://github.com/ImageMagick/Website/blob/main/ChangeLog.md#711-11---2023-05-29

==== MozillaFirefox-branding-openSUSE ====

- add sle_version 150500 check
- add some useful links about openSUSE in the about:newtab page
- add sle_version 150300 and 150400 check

==== apparmor ====
Version update (3.1.3 -> 3.1.4)
Subpackages: apparmor-abstractions apparmor-docs apparmor-parser apparmor-parser-lang apparmor-profiles apparmor-utils apparmor-utils-lang python3-apparmor

- update to AppArmor 3.1.4
  - parser: fix mount rules encoding (CVE-2016-1585)
  - aa-logprof: fix error when choosing named exec with plain profile names
  - aa-status: fix json output
  - several fixes for profiles and abstractions
  - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.1.4
    for the full upstream changelog

==== bcm43xx-firmware ====

- refresh BCM4345C[05].hcd from upstream URL

==== binutils ====
Subpackages: libctf-nobfd0 libctf0

- riscv-dynamic-tls-reloc-pie.patch: Backport for PR ld/22263 and PR ld/25694
- riscv-pr22263-1.patch: Backport for PR ld/22263

==== ceph ====
Subpackages: librados2 librbd1

- Add "#!BuildConstraint" to spec files for compatibility with _multibuild

==== checkmedia ====
Version update (6.1 -> 6.2)
Subpackages: libmediacheck6

- merge gh#openSUSE/checkmedia#17
- do not select EFI System Partition for digest calculation (bsc#1211953)
- use default for SKIPSECTORS only for RH media
- add man pages for checkmedia and tagmedia
- add spec file for OBS
- 6.2

==== cppcheck ====

- test suite quirks:
  * Add patch disable-some-tests-about-char-signedness.patch, taken
    from Debian, to disable test "TestCondition::alwaysTrueContainer"
    which fails on "unsigned char" archs (arm, ppc)
  * Run test suite with
    "-j1", as TestProcessExecutor test is flaky otherwise

==== cups ====
Subpackages: cups-client cups-config libcups2 libcupsimage2

- cups-2.4.2-CVE-2023-32324.patch fixes CVE-2023-32324
  "Heap buffer overflow in cupsd"
  https://github.com/OpenPrinting/cups/security/advisories/GHSA-cxc6-w2g7-69p7
  bsc#1211643

==== curl ====
Version update (8.1.1 -> 8.1.2)
Subpackages: libcurl4

- Update to 8.1.2:
  * Bugfixes:
    - configure: quote the assignments for run-compiler
    - configure: without pkg-config and no custom path, use -lnghttp2
    - curl: cache the --trace-time value for a second
    - http2: fix EOF handling on uploads with auth negotiation
    - http3: send EOF indicator early as possible
    - lib1560: verify more scheme guessing
    - lib: remove unused functions, make single-use static
    - libcurl.m4: remove trailing 'dnl' that causes this to break autoconf
    - libssh: when keyboard-interactive auth fails, try password
    - misc: fix spelling mistakes
    - page-header: mention curl version and how to figure out current release
    - page-header: minor wording polish in the URL segment
    - scripts/singleuse.pl: add more API calls
    - urlapi: remove superfluous host name check

==== dav1d ====
Version update (1.2.0 -> 1.2.1)

- Update to version 1.2.1
  * Fix a threading race on task_thread.init_done
  * NEON z2 8bpc and high bit-depth optimizations
  * SSSE3 z2 high bit-depth optimizations
  * Fix a desynced luma/chroma planes issue with Film Grain
  * Reduce memory consumption
  * Improve dav1d_parse_sequence_header() speed
  * OBU: Improve header parsing and fix potential overflows
  * OBU: Improve ITU-T T.35 parsing speed
  * Misc buildsystems, CI and headers fixes
- Add to description some performance mentions that set it apart
  from other packages e.g. gav1.

==== freerdp ====
Subpackages: libfreerdp2-2 libwinpr2-2

- Don't compile shared objects with -fPIE and use -pie only for executables
- Reenable LTO on ARM

==== gc ====
Version update (8.2.2 -> 8.2.4)

- Update to release 8.2.4
  * Avoid potential race between realloc and GC_block_was_dirty
  * Fix comparisons to heap boundary in GC_get_back_ptr_info and GC_mark_from
  * Fix data race in GC_heapsize_at_forced_unmap variable
  * Workaround a malfunction of soft-dirty bits clearing on Power9

==== glslang ====
Version update (12.1.0 -> 12.2.0)

- Update to release 12.2.0
  * Support GLSL_EXT_shader_tile_image,
    GL_EXT_ray_tracing_position_fetch, and custom include callbacks
    via the C API
  * Add preamble-text command-line option
  * Accept variables as parameters of spirv_decorate_id

==== gnome-mahjongg ====
Version update (3.38.3 -> 3.40.0)
Subpackages: gnome-mahjongg-lang

- Update to version 3.40.0:
  + Port to GTK4 and libadwaita
  + Build fixes
  + Fix hints
  + Translate scores dialog
  + help-overlay.ui: Remove ctrl+f1 shortcut
  + Updated translations.
- Drop patches fixed upstream:
  + 26.patch
  + fix-new-cairo-select-tile.patch
- Changes in BuildRequires following upstream changes:
  + Dropped: hicolor-icon-theme, yelp-tools and pkgconfig(gtk+-3.0).
  + Added: appstream-glib, desktop-file-utils, itstool,
    pkgconfig(gtk4) and pkgconfig(libadwaita-1).
- Stop passing compile-schemas and update-icon-cache to meson, no
  longer needed, nor recognized.
- Add check section and run meson_test macro during build, validate
  appdata and desktop files.

==== gnutls ====
Subpackages: libgnutls-dane0 libgnutls30 libgnutls30-32bit

- FIPS: Fix baselibs.conf to mention libgnutls30-hmac [bsc#1211476]
  Extend also the checks in gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch

==== imlib2 ====
Version update (1.11.0 -> 1.11.1)
Subpackages: imlib2-loaders libImlib2-1

- update to 1.11.1:
  * imlib2: added loader for y4m files (uses liby4m and libyuv)
  * imlib2: add y4m test examples
  * Y4M loader: Various minor changes
  * autofoo: Tweak PACKAGE_DATA_DIR definition
  * XPM loader: Add rgb.txt
  * loaders: Fix loaders potentially being loaded more than once
  * loaders: Change method used to not unload loaders
  * Add JXL saver
  * loaders: Cosmetics

==== javapackages-tools ====
Subpackages: javapackages-filesystem

- Enable the tests also for older distributions
- Require python3-xml (python-xml for distributions that use
  versioned modules), since module xml is needed by some scripts.

==== kio-extras5 ====
Subpackages: kio-extras5-lang libkioarchive5

- Add some missing BuildRequires (boo#1211933)

==== kyotocabinet ====

- Update url to new website.

==== libX11 ====
Version update (1.8.4 -> 1.8.5)
Subpackages: libX11-6 libX11-data libX11-xcb1

- Update to version 1.8.5
  * gitlab CI: Add libtool to required packages
  * configure: raise minimum autoconf requirement to 2.70
  * configure: replace deprecated AC_HELP_STRING with AS_HELP_STRING
  * configure: Use LT_INIT from libtool 2 instead of deprecated AC_PROG_LIBTOOL
  * gitlab CI: add workflow rules
  * nls: delete compose sequences that pointlessly mix upper and lower case
  * nls: remove four hundred and sixty untypable Greek compose sequences
  * nls: remove twenty two untypable Greek compose sequences
  * XSetScreenSaver.man: restore the part that was accidentally snipped
  * nls: make the Amharic compose sequences use the dead-vowel symbols
  * nls: sort three sequences alphabetically in their group, like all others
  * nls: delete six compose sequences that cannot be typed
  * nls: use a slash instead of a combining solidus in compose sequences
  * NLS: move long S compositions to respective blocks
  * NLS: implement the expansion of the six Breton N-graph keysyms
  * NLS: move dead-caron subscript compositions to the relevant Unicode block
  * NLS: Remove strange dead_cedilla cedi sign sequences
  * nls: add compose sequence for capital schwa, and delete a deviant one
- Users of the Amharic (am_ET.UTF-8) compose key sequences provided
  by libX11 will also want to upgrade to xkeyboard-config 2.39
  (releasing soon), in order to keep those sequences working with
  this release.

==== libapparmor ====
Version update (3.1.3 -> 3.1.4)

- update to AppArmor 3.1.4
  - parser: fix mount rules encoding (CVE-2016-1585)
  - aa-logprof: fix error when choosing named exec with plain profile names
  - aa-status: fix json output
  - several fixes for profiles and abstractions
  - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.1.4
    for the full upstream changelog

==== libgsasl ====
Subpackages: libgsasl-lang libgsasl7

- Remove URLs from keyring and generated patch as these can change
  at whim of upstream servers. Keep the references in comments so
  they are still references for the humans
- fixes compilation on s390x by not turning on additional
  compilation warnings which in turn results in -fanalyze resulting
  false analysis

==== libmfx ====
Version update (22.6.5 -> 23.2.2)

- update to 23.2.2:
  * [Encode] Fix JPEG payload insertion on Linux
  * Update checking of bitstream left size (#3033)
  * [Decode] Fix memory out-of-bounds issue for VP9
  * [Decode] Fix memory out-of-bounds issue for VP8
  * [Decode]Remove AVC level 6.0 check
  * [Decode]Fix hevc decode issue
  * hevce: use Low Power mode for RGB encoding by default

==== libproxy ====

- Only build mono support on openSUSE, not SLE nor SUSE ALP.

==== libproxy-plugins ====
Subpackages: libproxy1-config-gnome3 libproxy1-config-kde libproxy1-networkmanager libproxy1-pacrunner-duktape

- Only build mono support on openSUSE, not SLE nor SUSE ALP.

==== libreoffice ====
Version update (7.5.3.2 -> 7.5.4.1)
Subpackages: libreoffice-base libreoffice-calc libreoffice-draw libreoffice-filters-optional libreoffice-gnome libreoffice-gtk3 libreoffice-icon-themes libreoffice-impress libreoffice-l10n-cs libreoffice-l10n-da libreoffice-l10n-de libreoffice-l10n-el libreoffice-l10n-en libreoffice-l10n-en_GB libreoffice-l10n-es libreoffice-l10n-fr libreoffice-l10n-hu libreoffice-l10n-it libreoffice-l10n-ja libreoffice-l10n-pl libreoffice-l10n-pt_BR libreoffice-l10n-ru libreoffice-l10n-zh_CN libreoffice-l10n-zh_TW libreoffice-mailmerge libreoffice-math libreoffice-pyuno libreoffice-qt5 libreoffice-writer libreofficekit

- Update to 7.5.4.1:
  https://wiki.documentfoundation.org/Releases/7.5.4/RC1
- Update bundled dependencies:
  * gpgme-1.16.0.tar.bz2 -> gpgme-1.18.0.tar.bz2
  * curl-7.86.0.tar.xz -> curl-8.0.1.tar.xz
  * icu4c-71_1-src.tgz -> icu4c-72_1-src.tgz
  * icu4c-71_1-data.zip -> icu4c-72_1-data.zip

==== librsvg ====
Version update (2.56.0 -> 2.56.1)
Subpackages: gdk-pixbuf-loader-rsvg librsvg-2-2 rsvg-thumbnailer typelib-1_0-Rsvg-2_0

- Update to version 2.56.1:
  + The minimum supported Rust version (MSRV) is 1.65.
    Unfortunately the assert_cmd crate, used in the test suite,
    bumped its MSRV and is forcing us to do the same.
  + Shrink the shared library by telling the linker to omit unused
    code.
  + Updates to dependencies.

==== libserf ====
Version update (1.3.9 -> 1.3.10)

- update to 1.3.10:
  * Fix handling of invalid chunk lengths in the dechunk bucket
  * Fix an endless loop in the deflate bucket with truncated input
  * Fix BIO control handlers to support BIO_CTRL_EOF
  * Fix a CRT mismatch issue caused by using certain OpenSSL functions
- drop upstream patches:
  * libserf-python3-2.patch
  * libserf-python3.patch
  * openssl3.patch

==== libstorage-ng ====
Version update (4.5.112 -> 4.5.115)
Subpackages: libstorage-ng-lang libstorage-ng-ruby libstorage-ng1

- Translated using Weblate (Georgian) (bsc#1149754)
- 4.5.115
- Translated using Weblate (Georgian) (bsc#1149754)
- 4.5.114
- Translated using Weblate (Indonesian) (bsc#1149754)
- 4.5.113

==== libvirt ====
Version update (9.3.0 -> 9.4.0)
Subpackages: libvirt-client libvirt-daemon-common libvirt-daemon-config-network libvirt-daemon-driver-interface libvirt-daemon-driver-libxl libvirt-daemon-driver-network libvirt-daemon-driver-nodedev libvirt-daemon-driver-nwfilter libvirt-daemon-driver-qemu libvirt-daemon-driver-secret libvirt-daemon-driver-storage libvirt-daemon-driver-storage-core libvirt-daemon-driver-storage-disk libvirt-daemon-driver-storage-iscsi libvirt-daemon-driver-storage-iscsi-direct libvirt-daemon-driver-storage-logical libvirt-daemon-driver-storage-mpath libvirt-daemon-driver-storage-rbd libvirt-daemon-driver-storage-scsi libvirt-daemon-lock libvirt-daemon-log libvirt-daemon-plugin-lockd libvirt-daemon-proxy libvirt-daemon-qemu libvirt-daemon-xen libvirt-libs

- Update to libvirt 9.4.0
  - Many incremental improvements and bug fixes, see
    https://libvirt.org/news.html#v9-4-0-2023-06-01

==== libxcrypt ====
Version update (4.4.33 -> 4.4.34)
Subpackages: libcrypt1 libcrypt1-32bit libxcrypt-devel

- Update to 4.4.34
  * Optimize some cast operation for performance in
    lib/alg-yescrypt-platform.c.
  * Add SHA-2 Maj() optimization proposed by Wei Dai in
    lib/alg-sha512.c.
  * Explicitly clean the stack and context state after computation
    in lib/alg-gost3411-2012-hmac.c, lib/alg-hmac-sha1.c, and
    lib/alg-sha256.c (issue #168).

==== libyui ====
Version update (4.5.2 -> 4.6.0)

- NCurses UI: Prevent buffer overflow when drawing very wide labels
  (bsc#1211354)
- 4.6.0
- Cherry-picked BLumia's patch from community PR #97:
  CMake: use pkg-config to find and use ncurses libs
  by Wang Zichong

==== libyui-ncurses ====
Version update (4.5.2 -> 4.6.0)

- NCurses UI: Prevent buffer overflow when drawing very wide labels
  (bsc#1211354)
- 4.6.0
- Cherry-picked BLumia's patch from community PR #97:
  CMake: use pkg-config to find and use ncurses libs
  by Wang Zichong

==== libyui-ncurses-pkg ====
Version update (4.5.2 -> 4.6.0)

- NCurses UI: Prevent buffer overflow when drawing very wide labels
  (bsc#1211354)
- 4.6.0
- Cherry-picked BLumia's patch from community PR #97:
  CMake: use pkg-config to find and use ncurses libs
  by Wang Zichong

==== libyui-qt ====
Version update (4.5.2 -> 4.6.0)

- NCurses UI: Prevent buffer overflow when drawing very wide labels
  (bsc#1211354)
- 4.6.0
- Cherry-picked BLumia's patch from community PR #97:
  CMake: use pkg-config to find and use ncurses libs
  by Wang Zichong

==== libyui-qt-graph ====
Version update (4.5.2 -> 4.6.0)

- NCurses UI: Prevent buffer overflow when drawing very wide labels
  (bsc#1211354)
- 4.6.0
- Cherry-picked BLumia's patch from community PR #97:
  CMake: use pkg-config to find and use ncurses libs
  by Wang Zichong

==== libyui-qt-pkg ====
Version update (4.5.2 -> 4.6.0)

- NCurses UI: Prevent buffer overflow when drawing very wide labels
  (bsc#1211354)
- 4.6.0
- Cherry-picked BLumia's patch from community PR #97:
  CMake: use pkg-config to find and use ncurses libs
  by Wang Zichong

==== lua54 ====
Version update (5.4.4 -> 5.4.6)

- Library is always liblua5_4-5: due to SOVERSION leading digit being 5
- Final release of 5.4.6. No change in the changelog.
- Experimenting with lua 5.4.6-rc1 (release 5.4.5 has been
  effectively withdrawn).
- Update to 5.4.5:
  - this is a bug-fix release.
  - Lua 5.4.5 also contains several internal improvements and
    includes a revised reference manual
- Remove upstreamed patches:
  - luabugs1.patch
  - luabugs10.patch
  - luabugs11.patch
  - luabugs2.patch
  - luabugs3.patch
  - luabugs4.patch
  - luabugs5.patch
  - luabugs6.patch
  - luabugs7.patch
  - luabugs8.patch
  - luabugs9.patch

==== man-pages ====
Version update (6.02 -> 6.04)

- update to 6.04:
  * Newly documented interfaces in existing pages
  * proc.5 KPF_PGTABLE (Linux 4.18)
  * landlock.7 LANDLOCK_ACCESS_FS_REFER (Linux 5.19)
  * udp.7 UDP_GRO (Linux 5.0) UDP_SEGMENT (Linux 4.18)
  * Changes to individual pages

==== manpages-l10n ====
Version update (4.18.1 -> 4.19.0)
Subpackages: man-pages-cs man-pages-da man-pages-de man-pages-el man-pages-es man-pages-fr man-pages-hu man-pages-it man-pages-pl man-pages-pt_BR man-pages-ru

- Update to version 4.19.0:
  Updated and added many translations.

==== mariadb-connector-c ====
Version update (3.3.4 -> 3.3.5)

- update to 3.3.5:
  * https://mariadb.com/kb/en/mariadb-connector-c-3-3-5-release-notes/

==== mozilla-nss ====
Subpackages: libfreebl3 libfreebl3-hmac libsoftokn3 libsoftokn3-hmac mozilla-nss-certs mozilla-nss-tools

- Move testsuite to %check-section and move env-variables to files
  for easier chroot-debugging

==== ncurses ====
Version update (6.4.20230506 -> 6.4.20230520)
Subpackages: libncurses6 ncurses-utils terminfo terminfo-base terminfo-iterm terminfo-screen

- Add ncurses patch 20230520
  + fixes for compiler warnings in MinGW environments.
- Add ncurses patch 20230514
  + modify test-package "ncurses6-doc" to use manpage-aliases, which
    in turn required a change to the configure script to factor in
    the extra-suffix option when deriving alias names.
  + add mode 1004 to xterm+sm+1006 from xterm #380 -TD
- Port and correct offsets of patch ncurses-6.4.dif

==== opensc ====

- Security Fix: [CVE-2023-2977, bsc#1211894]
  * opensc: out of bounds read in pkcs15 cardos_have_verifyrc_package()
  * Add opensc-CVE-2023-2977.patch

==== openssl-1_1 ====
Version update (1.1.1t -> 1.1.1u)
Subpackages: libopenssl1_1

- Update to 1.1.1u:
  * Mitigate for the time it takes for `OBJ_obj2txt` to translate
    gigantic OBJECT IDENTIFIER sub-identifiers to canonical numeric
    text form.
    OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to
    canonical numeric text form. For gigantic sub-identifiers, this
    would take a very long time, the time complexity being O(n^2)
    where n is the size of that sub-identifier.
    (CVE-2023-2650, bsc#1211430)
    To mitigate this, `OBJ_obj2txt()` will only translate an OBJECT
    IDENTIFIER to canonical numeric text form if the size of that
    OBJECT IDENTIFIER is 586 bytes or less, and fail otherwise.
    The basis for this restriction is RFC 2578 (STD 58), section
    3.5. OBJECT IDENTIFIER values, which stipulates that OBJECT
    IDENTIFIERS may have at most 128 sub-identifiers, and that the
    maximum value that each sub-identifier may have is 2^32-1
    (4294967295 decimal).
    For each byte of every sub-identifier, only the 7 lower bits are
    part of the value, so the maximum amount of bytes that an OBJECT
    IDENTIFIER with these restrictions may occupy is 32 * 128 / 7,
    which is approximately 586 bytes.
    Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
  * Reworked the Fix for the Timing Oracle in RSA Decryption
    (CVE-2022-4304, bsc#1207534). The previous fix for this timing
    side channel turned out to cause a severe 2-3x performance
    regression in the typical use case compared to 1.1.1s. The new
    fix uses existing constant time code paths, and restores the
    previous performance level while fully eliminating all existing
    timing side channels. The fix was developed by Bernd Edlinger
    with testing support by Hubert Kario.
  * Corrected documentation of X509_VERIFY_PARAM_add0_policy() to
    mention that it does not enable policy checking. Thanks to David
    Benjamin for discovering this issue.
    (CVE-2023-0466, bsc#1209873)
  * Fixed an issue where invalid certificate policies in leaf
    certificates are silently ignored by OpenSSL and other
    certificate policy checks are skipped for that certificate. A
    malicious CA could use this to deliberately assert invalid
    certificate policies in order to circumvent policy checking on
    the certificate altogether. (CVE-2023-0465, bsc#1209878)
  * Limited the number of nodes created in a policy tree to mitigate
    against CVE-2023-0464. The default limit is set to 1000 nodes,
    which should be sufficient for most installations. If required,
    the limit can be adjusted by setting the
    OPENSSL_POLICY_TREE_NODES_MAX build time define to a desired
    maximum number of nodes or zero to allow unlimited growth.
    (CVE-2023-0464, bsc#1209624)
  * Rebased patch openssl-1_1-openssl-config.patch
  * Removed patches:
    - openssl-CVE-2023-0464.patch
    - openssl-CVE-2023-0465.patch
    - openssl-CVE-2023-0466.patch
  * Update openssl.keyring with key
    A21F AB74 B008 8AA3 6115 2586 B8EF 1A6B A9DA 2D5C (Tomas Mraz)
- FIPS: Merge libopenssl1_1-hmac package into the library [bsc#1185116]

==== openssl-3 ====
Version update (3.0.8 -> 3.1.1)
Subpackages: libopenssl3 libopenssl3-32bit

- Update to 3.1.1:
  * Restrict the size of OBJECT IDENTIFIERs that OBJ_obj2txt will
    translate (CVE-2023-2650, bsc#1211430)
  * Multiple algorithm implementation fixes for ARM BE platforms.
  * Added a -pedantic option to fipsinstall that adjusts the various
    settings to ensure strict FIPS compliance rather than backwards
    compatibility.
  * Fixed buffer overread in AES-XTS decryption on ARM 64 bit
    platforms which happens if the buffer size is 4 mod 5 in 16 byte
    AES blocks. This can trigger a crash of an application using
    AES-XTS decryption if the memory just after the buffer being
    decrypted is not mapped.
    Thanks to Anton Romanov (Amazon) for discovering the issue.
    (CVE-2023-1255, bsc#1210714)
  * Add FIPS provider configuration option to disallow the use of
    truncated digests with Hash and HMAC DRBGs (q.v. FIPS 140-3 IG
    D.R.). The option '-no_drbg_truncated_digests' can optionally be
    supplied to 'openssl fipsinstall'.
  * Corrected documentation of X509_VERIFY_PARAM_add0_policy() to
    mention that it does not enable policy checking. Thanks to David
    Benjamin for discovering this issue.
    (CVE-2023-0466, bsc#1209873)
  * Fixed an issue where invalid certificate policies in leaf
    certificates are silently ignored by OpenSSL and other
    certificate policy checks are skipped for that certificate. A
    malicious CA could use this to deliberately assert invalid
    certificate policies in order to circumvent policy checking on
    the certificate altogether. (CVE-2023-0465, bsc#1209878)
  * Limited the number of nodes created in a policy tree to mitigate
    against CVE-2023-0464. The default limit is set to 1000 nodes,
    which should be sufficient for most installations. If required,
    the limit can be adjusted by setting the
    OPENSSL_POLICY_TREE_NODES_MAX build time define to a desired
    maximum number of nodes or zero to allow unlimited growth.
    (CVE-2023-0464, bsc#1209624)
  * Update openssl.keyring with key
    A21F AB74 B008 8AA3 6115 2586 B8EF 1A6B A9DA 2D5C (Tomas Mraz)
  * Rebased patches:
    - openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
    - openssl-Add_support_for_Windows_CA_certificate_store.patch
  * Removed patches:
    - openssl-CVE-2023-0464.patch
    - openssl-Fix-OBJ_nid2obj-regression.patch
    - openssl-CVE-2023-0465.patch
    - openssl-CVE-2023-0466.patch
- FIPS: Merge libopenssl3-hmac package into the library [bsc#1185116]
- Add support for Windows CA certificate store [bsc#1209430]
  https://github.com/openssl/openssl/pull/18070
  * Add openssl-Add_support_for_Windows_CA_certificate_store.patch
- Security Fix: [CVE-2023-0465, bsc#1209878]
  * Invalid certificate policies in leaf certificates are silently ignored
  * Add openssl-CVE-2023-0465.patch
- Security Fix: [CVE-2023-0466, bsc#1209873]
  * Certificate policy check not enabled
  * Add openssl-CVE-2023-0466.patch
- Fix regression in the OBJ_nid2obj() function: [bsc#1209430]
  * Upstream https://github.com/openssl/openssl/issues/20555
  * Add openssl-Fix-OBJ_nid2obj-regression.patch
- Fix compiler error "initializer element is not constant" on s390
  * Add openssl-z16-s390x.patch
- Security Fix: [CVE-2023-0464, bsc#1209624]
  * Excessive Resource Usage Verifying X.509 Policy Constraints
  * Add openssl-CVE-2023-0464.patch
- Pass over with spec-cleaner
- Update to 3.1.0:
  * Add FIPS provider configuration option to enforce the Extended
    Master Secret (EMS) check during the TLS1_PRF KDF. The option
    '-ems-check' can optionally be supplied to 'openssl fipsinstall'.
  * The FIPS provider includes a few non-approved algorithms for
    backward compatibility purposes and the "fips=yes" property
    query must be used for all algorithm fetches to ensure FIPS
    compliance. The algorithms that are included but not approved
    are Triple DES ECB, Triple DES CBC and EdDSA.
  * Added support for KMAC in KBKDF.
  * RNDR and RNDRRS support in provider functions to provide random
    number generation for Arm CPUs (aarch64).
  * s_client and s_server apps now explicitly say when the TLS
    version does not include the renegotiation mechanism. This
    avoids confusion between that scenario versus when the TLS
    version includes secure renegotiation but the peer lacks support
    for it.
  * AES-GCM enabled with AVX512 vAES and vPCLMULQDQ.
  * The various OBJ_* functions have been made thread safe.
  * Parallel dual-prime 1536/2048-bit modular exponentiation for
    AVX512_IFMA capable processors.
  * The functions OPENSSL_LH_stats, OPENSSL_LH_node_stats,
    OPENSSL_LH_node_usage_stats, OPENSSL_LH_stats_bio,
    OPENSSL_LH_node_stats_bio and OPENSSL_LH_node_usage_stats_bio
    are now marked deprecated from OpenSSL 3.1 onwards and can be
    disabled by defining OPENSSL_NO_DEPRECATED_3_1. The macro
    DEFINE_LHASH_OF is now deprecated in favour of the macro
    DEFINE_LHASH_OF_EX, which omits the corresponding type-specific
    function definitions for these functions regardless of whether
    OPENSSL_NO_DEPRECATED_3_1 is defined. Users of DEFINE_LHASH_OF
    may start receiving deprecation warnings for these functions
    regardless of whether they are using them. It is recommended
    that users transition to the new macro, DEFINE_LHASH_OF_EX.
  * When generating safe-prime DH parameters set the recommended
    private key length equivalent to minimum key lengths as in
    RFC 7919.
  * Change the default salt length for PKCS#1 RSASSA-PSS signatures
    to the maximum size that is smaller or equal to the digest
    length to comply with FIPS 186-4 section 5. This is implemented
    by a new option OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX
    ("auto-digestmax") for the rsa_pss_saltlen parameter, which is
    now the default. Signature verification is not affected by this
    change and continues to work as before.
  * Update openssl.keyring with key
    8657 ABB2 60F0 56B1 E519 0839 D9C4 D26D 0E60 4491 (Matt Caswell)

==== openssl ====
Version update (3.0.8 -> 3.1.1)

- Update to 3.1.1
- Update to 3.1.0

==== perl-Bootloader ====
Version update (1.1 -> 1.2)

- merge gh#openSUSE/perl-bootloader#148
- UEFI: update also default location, if it is controlled by SUSE
  (bsc#1210799, bsc#1201399)
- 1.2

==== perl-IO-Socket-SSL ====
Version update (2.081 -> 2.083)

- updated to 2.083
  see /usr/share/doc/packages/perl-IO-Socket-SSL/Changes
  2.083 2023/05/18
  - fix t/protocol_version.t for OpenSSL versions which don't
    support SECLEVEL (regression from #122)
  2.082 2023/05/17
  - SSL_version default now TLS 1.2+ since TLS 1.1 and lower
    deprecated #122
  - fix output of alert string when debugging #132
  - improve regex for hostname validation #130, #126
  - add can_ciphersuites subroutine for feature checking #127
  - Utils::CERT_create - die if unexpected arguments are given
    instead of ignoring these

==== perl-Mojolicious ====
Version update (9.31 -> 9.32)

- updated to 9.32
  see /usr/share/doc/packages/perl-Mojolicious/Changes
  9.32 2022-05-09
  - Improved file and line number details in async/await exceptions. (batman)
  - Fixed various CSS selector equation bugs in Mojo::DOM::CSS. (mauke)
  - Fixed exceptions being added to the stash for formats other than HTML.
    (rawleyfowler)
  - Fixed context sensitivity issue.
    (Grinnz)

==== perl-Net-DNS ====
Version update (1.37 -> 1.38)

- updated to 1.38
  see /usr/share/doc/packages/perl-Net-DNS/Changes

==== perl-libwww-perl ====
Version update (6.68 -> 6.70)

- updated to 6.70
  see /usr/share/doc/packages/perl-libwww-perl/Changes
  6.70 2023-04-30 13:22:56Z
  - Add cookie_jar_class attribute to allow different cookie jar
    modules to be used more easily (GH#91) (Tom Hukins, Julien
    Fiegehenn)
  - POD now contains all default attributes (GH#428) (Julien Fiegehenn)
  6.69 2023-04-29 13:14:31Z
  - Timeouts for cached connections now update (GH#73) (Eric Johnson)
  - The conn_cache() can now be unset (GH#424) (Julien Fiegehenn)
  - LWP::Protocol now only attempts to load modules once (GH#62)
    (Burak Gursoy)
  - Fix a bug in no_proxy that allowed partial matches to a proxy
    address to disable a proxy (GH#421) (Julien Fiegehenn)

==== python-argcomplete ====

- bash-repl.patch: Use correct place for auxiliary bashrc.sh file
  from pexpect

==== python-gevent ====

- handle-python-ssl-changes.patch: refresh to handle
  ssl.shared_ciphers() behavior change in python 3.11 as well

==== python-libvirt-python ====
Version update (9.3.0 -> 9.4.0)

- Update to 9.4.0
  - Add all new APIs and constants in libvirt 9.4.0

==== python-rich ====
Version update (13.3.5 -> 13.4.1)

- update to 13.4.1:
  * Fixed typing extensions import in markdown #2979
- update to 13.4.0:
  * Added support for tables in Markdown #2977

==== python-rpm ====

- add _multibuild for multiple .spec-files

==== python-tornado6 ====
Version update (6.2 -> 6.3.2)

- New upstream release 6.3.2
  - Security improvements
    - Fixed an open redirect vulnerability in StaticFileHandler
      under certain configurations.
  - ``tornado.web``
    - `.RequestHandler.set_cookie` once again accepts capitalized
      keyword arguments for backwards compatibility. This is
      deprecated and in Tornado 7.0 only lowercase arguments will be
      accepted.
- What's new in Tornado 6.3.0
  - The new `.Application` setting ``xsrf_cookie_name`` can now be
    used to take advantage of the ``__Host`` cookie prefix for
    improved security. To use it, add
    ``{"xsrf_cookie_name": "__Host-xsrf", "xsrf_cookie_kwargs": {"secure": True}}``
    to your `.Application` settings. Note that this feature
    currently only works when HTTPS is used.
  - `.WSGIContainer` now supports running the application in a
    ``ThreadPoolExecutor`` so the event loop is no longer blocked.
  - `.AsyncTestCase` and `.AsyncHTTPTestCase`, which were deprecated
    in Tornado 6.2, are no longer deprecated.
  - WebSockets are now much faster at receiving large messages split
    into many fragments.
  - General changes
    - Python 3.7 is no longer supported; the minimum supported
      Python version is 3.8. Python 3.12 is now supported.
    - To avoid spurious deprecation warnings, users of Python 3.10
      should upgrade to at least version 3.10.9, and users of Python
      3.11 should upgrade to at least version 3.11.1.
    - Tornado submodules are now imported automatically on demand.
      This means it is now possible to use a single
      ``import tornado`` statement and refer to objects in
      submodules such as `tornado.web.RequestHandler`.
  - Deprecation notices
    - In Tornado 7.0, `tornado.testing.ExpectLog` will match
      ``WARNING`` and above regardless of the current logging
      configuration, unless the ``level`` argument is used.
    - `.RequestHandler.get_secure_cookie` is now a deprecated alias
      for `.RequestHandler.get_signed_cookie`.
      `.RequestHandler.set_secure_cookie` is now a deprecated alias
      for `.RequestHandler.set_signed_cookie`.
    - `.RequestHandler.clear_all_cookies` is deprecated. No direct
      replacement is provided; `.RequestHandler.clear_cookie` should
      be used on individual cookies.
    - Calling the `.IOLoop` constructor without a ``make_current``
      argument, which was deprecated in Tornado 6.2, is no longer
      deprecated.
    - `.AsyncTestCase` and `.AsyncHTTPTestCase`, which were deprecated in Tornado 6.2, are no longer deprecated.
    - `.AsyncTestCase.get_new_ioloop` is deprecated.
  - ``tornado.auth``
    - New method `.GoogleOAuth2Mixin.get_google_oauth_settings` can now be overridden to get credentials from a source other than the `.Application` settings.
  - ``tornado.gen``
    - `contextvars` now work properly when a ``@gen.coroutine`` calls a native coroutine.
  - ``tornado.options``
    - `~.OptionParser.parse_config_file` now recognizes single comma-separated strings (in addition to lists of strings) for options with ``multiple=True``.
  - ``tornado.web``
    - New `.Application` setting ``xsrf_cookie_name`` can be used to change the name of the XSRF cookie. This is most useful to take advantage of the ``__Host-`` cookie prefix.
    - `.RequestHandler.get_secure_cookie` and `.RequestHandler.set_secure_cookie` (and related methods and attributes) have been renamed to `~.RequestHandler.get_signed_cookie` and `~.RequestHandler.set_signed_cookie`. This makes it more explicit what kind of security is provided, and avoids confusion with the ``Secure`` cookie attribute and ``__Secure-`` cookie prefix. The old names remain supported as deprecated aliases.
    - `.RequestHandler.clear_cookie` now accepts all keyword arguments accepted by `~.RequestHandler.set_cookie`. In some cases clearing a cookie requires certain arguments to be passed the same way in which it was set.
    - `.RequestHandler.clear_all_cookies` now accepts additional keyword arguments for the same reason as ``clear_cookie``. However, since the requirements for additional arguments mean that it cannot reliably clear all cookies, this method is now deprecated.
  - ``tornado.websocket``
    - It is now much faster (no longer quadratic) to receive large messages that have been split into many fragments.
    - `.websocket_connect` now accepts a ``resolver`` parameter.
  - ``tornado.wsgi``
    - `.WSGIContainer` now accepts an ``executor`` parameter which can be used to run the WSGI application on a thread pool.
- What's new in Tornado 6.2.0
  - Deprecation notice
    - Python 3.10 has begun the process of significant changes to the APIs for managing the event loop. Calls to methods such as `asyncio.get_event_loop` may now raise `DeprecationWarning` if no event loop is running. This has significant impact on the patterns for initializing
  ... changelog too long, skipping 101 lines ...
- Remove upstreamed ignore-py310-deprecation-warnings.patch

==== python-zope.event ====

- Switch documentation to be within the main package.

==== qemu ====
Version update (8.0.0 -> 8.0.2)
Subpackages: qemu-accel-tcg-x86 qemu-audio-spice qemu-block-curl qemu-block-nfs qemu-block-rbd qemu-chardev-spice qemu-guest-agent qemu-hw-display-qxl qemu-hw-display-virtio-gpu qemu-hw-display-virtio-gpu-pci qemu-hw-display-virtio-vga qemu-hw-usb-host qemu-hw-usb-redirect qemu-hw-usb-smartcard qemu-ipxe qemu-ksm qemu-lang qemu-microvm qemu-seabios qemu-tools qemu-ui-curses qemu-ui-gtk qemu-ui-opengl qemu-ui-spice-app qemu-ui-spice-core qemu-vgabios qemu-x86

- Update to version 8.0.2:
  * Stability, security and bug fixes
- Patch added:
  * [openSUSE][RPM] Update to version 8.0.2

==== qt6-base ====
Subpackages: libQt6Core6 libQt6DBus6 libQt6Gui6 libQt6Network6 libQt6OpenGL6 libQt6Sql6 libQt6Test6 libQt6Widgets6 qt6-network-tls qt6-platformtheme-gtk3

- Add upstream changes (CVE-2023-34410, boo#1211994):
  * 0001-Schannel-Reject-certificate-not-signed-by-a-configur.patch
  * 0001-Ssl-Copy-the-on-demand-cert-loading-bool-from-defaul.patch

==== rp-pppoe ====

- Removed remains of permissions setting for the pppoe-wrapper setuid binary. The major update to 4.0 dropped this.

==== rpm ====
Subpackages: librpmbuild9

- add _multibuild for multiple .spec-files

==== rubygem-rack-2.2 ====
Version update (2.2.6.4 -> 2.2.7)

- update to version 2.2.7
  * Correct the year number in the changelog (https://github.com/rack/rack/pull/2015)
  * Support underscore in host names for Rack 2.2 (https://github.com/rack/rack/pull/2071)

==== sdl12_compat ====
Version update (1.2.60 -> 1.2.64)

- Update to release 1.2.64
  * Some games started working: Steel Storm Burning Retribution, Maelstrom, Quake 2 XP, boswars, pink-pony, Sid Meier's Alpha Centauri (Loki version), xrick, grafx2, MLT, tuxfootball, freedroid.

==== sendmail ====
Subpackages: libmilter1_0

- Use the bash intrinsic virtual file /dev/tcp/localhost/ to check for MTA port
- Avoid fuser for detecting if sendmail is listening on MTA port

==== shaderc ====
Version update (2023.2 -> 2023.4)

- Update to release 2023.4
  * Add option to preserve bindings
  * Add options to control mesh shading limits

==== texlive ====
Subpackages: libkpathsea6 libsynctex2

- Move the provides of pdfjam to its usecase (boo#1211877)

==== tracker ====
Version update (3.5.2 -> 3.5.3)
Subpackages: libtracker-sparql-3_0-0 tracker-data-files tracker-lang typelib-1_0-Tracker-3_0

- Update to version 3.5.3:
  + Build fixes around strftime() bug workarounds on some architectures/platforms.
  + Improved compatibility of JSON cursor readers.
  + Leaks plugged.
- Drop 63ea8f1a.patch: Fixed upstream.
- Drop %systemd_user_postun_with_restart macro from the %postun directive. It's been deprecated and emptied (expands to nil) on both Tumbleweed and Leap already.
- Comment unneeded "/usr/bin/env python3" shebang line on utils/trackertestutils/__main__.py Python script.
- Change tracker-data-files package's architecture to noarch, as it doesn't contain any binaries.

==== virtiofsd ====

- Add qemu config file to ensure qemu is aware of the virtiofsd executable
- https://www.reddit.com/r/suse/comments/13xmote/vm_with_virtiofs_does_not_start_unable_to_find_a/

==== vulkan-loader ====
Version update (1.3.247 -> 1.3.250.0)

- Update to release SDK-1.3.250.0
  * No changes over 1.3.247 [SDK-250 is a branch of regular-243 with some cherry-picks bringing it to roughly regular-247; there is little relation to regular-250]

==== vulkan-tools ====
Version update (1.3.247 -> 1.3.250.0)

- Update to release SDK-1.3.250.0
  * vulkaninfo: Issue flush before exiting

==== webkit2gtk3 ====
Version update (2.40.1 -> 2.40.2)
Subpackages: WebKitGTK-4.1-lang libjavascriptcoregtk-4_1-0 libwebkit2gtk-4_1-0 typelib-1_0-JavaScriptCore-4_1 typelib-1_0-WebKit2-4_1 webkit2gtk-4_1-injected-bundles

- Update to version 2.40.2 (boo#1211846):
  + Fix scrollbar jumping to top when drag released outside window in GTK4.
  + Fix video rendering when GL is disabled.
  + Fix flickering on looped videos when starting again.
  + Fix CPU usage on autoplaying videos.
  + Choose amount of painting threads depending on available CPU cores on GTK4.
  + Fix several crashes and rendering issues.
  + Security fixes: CVE-2023-28204 CVE-2023-32373 (boo#1211658 boo#1211659).
- Drop gcc13-fix.patch: fixed upstream.

==== webkit2gtk3-soup2 ====
Version update (2.40.1 -> 2.40.2)
Subpackages: WebKitGTK-4.0-lang libjavascriptcoregtk-4_0-18 libwebkit2gtk-4_0-37 webkit2gtk-4_0-injected-bundles

- Update to version 2.40.2 (boo#1211846):
  + Fix scrollbar jumping to top when drag released outside window in GTK4.
  + Fix video rendering when GL is disabled.
  + Fix flickering on looped videos when starting again.
  + Fix CPU usage on autoplaying videos.
  + Choose amount of painting threads depending on available CPU cores on GTK4.
  + Fix several crashes and rendering issues.
  + Security fixes: CVE-2023-28204 CVE-2023-32373 (boo#1211658 boo#1211659).
- Drop gcc13-fix.patch: fixed upstream.

==== xfce4-power-manager ====
Version update (4.18.1 -> 4.18.2)
Subpackages: xfce4-power-manager-lang xfce4-power-manager-plugin

- Update to version 4.18.2
  * Fix typos in previous backported commit
  * Keep "lock-on-sleep" in sync with other components via XfceScreensaver
  * power: Fix old typo
  * Do not check repeatedly for logind running
  * Write on stderr when appropriate
  * build: Require gio-unix-2.0
  * settings: Keep a ref on device to avoid use-after-free (Fixes #56)
  * dpms: Add missing sanity checks (Fixes #163)
  * Fix Xfconf memory management
  * Update bug report address
  * Translation Updates

==== xfce4-pulseaudio-plugin ====
Version update (0.4.6 -> 0.4.7)
Subpackages: xfce4-pulseaudio-plugin-lang

- Update to version 0.4.7
  * Fix crash when D-Bus connection is lost before it's connected
  * Fix copyright info
  * MPRIS: Control recently open/used player using multimedia keys
  * Deduplicate key binding code
  * Bind all possible keys
  * Update about authors
  * MPRIS: Remove old settings when clearing known players
  * MPRIS: Ignore multimedia keys for blacklisted players
  * MPRIS: Add possibility to hide inactive players, improve config storage
  * MPRIS: Remove pulseaudio_mpris_player_can_launch function
  * MPRIS: Fix memory leak in player finalize
  * MPRIS: Remove unused pulseaudio_mpris_player_is_equal function
  * MPRIS: Refactor player connection lost and finalize
  * MPRIS: Deduplicate find_desktop_entry function
  * MPRIS: Make pulseaudio_mpris_get_available_players static
  * MPRIS: Check for filename before launching the player
  * Improve connection/disconnection with server
  * Menu: Don't clear structure, it's not needed
  * MPRIS: Reduce player_is_usable timeout to 5 sec
  * MPRIS: Memory management fixes
  * MPRIS: Don't initialize struct members, GLib is doing it
  * MPRIS: Micro-optimization
  * MPRIS: Check for is_playing in set_can_play function
  * Subscribe NameOwnerChanged to watch MPRIS changes instead of timer
  * Fix removing blacklisted MPRIS players from config
  * Improve run mixer button sensitivity
  * Display default device name in tooltip
  * Don't set has-tooltip property twice
  * Don't show recording indicator for non-default monitors
  * Make run mixer button sensitive for any path
  * Show unplugged devices as insensitive
  * Don't show rec icon if the source output doesn't belong to any client
  * Don't show recording indicator when it's not connected to the source
  * Fix mistake in comment
  * Don't reset recording value in callback
  * Allow maximum volume configuration in dialog
  * Improve volume step size text
  * Translation Updates
- Remove _service file

==== xfce4-screensaver ====
Version update (4.18.1 -> 4.18.2)

- Update to version 4.18.2
  * screensaver-configure: Ensure consistent dialog positioning
  * screensaver-configure: Remove dead code
  * screensaver-configure: Improve some strings
  * screensaver-configure: Print errors on stderr without translating
  * screensaver-configure: Replace single quotes with double quotes in _()
  * screensaver-configure: Get translated strings from desktop files
  * screensaver-configure: Fix broken translations
  * screensaver-configure: Set dialogs modal
  * Revert "prefs-dialog: Grey out prefs button for popsquares (no prefs)"
  * screensaver-configure: Fix broken prefs
  * screensaver-configure: Fix critical when closing dialog
  * prefs-dialog: Grey out prefs button for popsquares (no prefs)
  * Bump GTK version and remove dead code
  * Keep "lock-on-sleep" in sync with other components via XfceScreensaver
  * *.desktop: Distinguishing our screensaver from others (Fixes #17)
  * Use GLib wrappers for memory allocation
  * Fix unix.Malloc warnings from scan-build 15.0.7
  * Fix core.uninitialized.Assign warnings from scan-build 15.0.7
  * Fix deadcode.DeadStores warnings from scan-build 15.0.7
  * Avoid duplicated code
  * manager: Do not discard monitors without model and manufacturer
  * Translation Updates
- Remove xfce4-screensaver-manager-efifb-lockup-fix.patch

==== xfce4-session ====
Version update (4.18.2 -> 4.18.3)
Subpackages: xfce4-session-lang

- Update to version 4.18.3
  * shutdown: Do not set an error when returning TRUE
  * logout-dialog: Fix use-after-free
  * Use glib wrappers for memory allocation
  * build: Fix build when there is no suspend/hibernate support
  * build: Add suspend support for Solaris
  * startxfce4: Fix xinit arguments order
  * manager: Always use xfsm_manager_save_yourself_dbus() (Fixes #106)
  * settings: Remove useless tooltip
  * xflock4: Update fallback list
  * logout-dialog: Lower warning level
  * shutdown: Keep error NULL when unused
  * cleanup: Remove dead polkit code
  * Revert "Fallback to old method for shutdown (bug #8630)."
  * Use g_critical() instead of g_error()
  * Use GLib logging functions or g_printerr() instead of g_print()
  * Use GLib logging functions instead of g_printerr()
  * build: Fix untranslated policykit file
  * Escape/unescape string list delimiter when saving/restoring session
  * Replace XfceRc with GKeyFile for session file parsing
  * Translation Updates

==== yast2-apparmor ====
Version update (4.6.0 -> 4.6.1)

- Added missing textdomain (bsc#1211980)
- 4.6.1

==== yast2-auth-server ====
Version update (4.6.1 -> 4.6.2)

- Add deprecation notice to this tool (bsc#1211734).
- 4.6.2

==== yast2-control-center ====
Version update (4.6.0 -> 4.6.1)
Subpackages: yast2-control-center-qt

- Require xdg-utils since it's no longer required by desktop-data-openSUSE and yast-control-center-qt needs it to start modules with 'xdg-su'. (bsc#1211869)
- 4.6.1