Packages changed:
  LibVNCServer (0.9.13 -> 0.9.14)
  Mesa (23.1.2 -> 23.1.3)
  Mesa-drivers (23.1.2 -> 23.1.3)
  accountsservice
  crda (4.14 -> 4.15)
  ding-libs
  kernel-source (6.3.7 -> 6.3.9)
  libpng16 (1.6.39 -> 1.6.40)
  netpbm (10.96.4 -> 11.2.0)
  rubygem-ruby-dbus (0.23.0.beta1 -> 0.23.0.beta2)
  selinux-policy (20230425 -> 20230622)
  sendmail (8.17.1 -> 8.17.2)
  util-linux (2.38.1 -> 2.39)
  util-linux-systemd (2.38.1 -> 2.39)

=== Details ===

==== LibVNCServer ====
Version update (0.9.13 -> 0.9.14)
Subpackages: libvncclient1 libvncserver1

- version update to 0.9.14
  ## Overall changes:
  * Added more documentation (build system integration, repeater setup) and a legal FAQ.
  * Added [contribution guidelines](CONTRIBUTING.md).
  * Ported the TravisCI continuous integration machinery to GitHub workflows.
  ## LibVNCServer/LibVNCClient:
  * Added [qemu extended key event].
  * Fixed several potential multiplication overflows.
  ## LibVNCClient:
  * Fixes of several memory leaks and buffer overflows.
  * Added UltraVNC's MSLogonII authentication scheme.
  * Fixed TLS interoperability with GnuTLS servers.
  * Fixed detection of newer UltraVNC and TightVNC servers.
  * Added support for [SetDesktopSize].
  * Added SSH tunneling example using libssh2.
  * Added some extensions to VeNCrypt in order to be compatible with a wider range of servers.
  ## LibVNCServer:
  * Fixes to the multi-threaded server implementation which should be a lot more sound now.
  * Fixed TightVNC-filetransfer file upload for 64-bit systems.
  * Fixes of crashes in the zlib compression.
  * Added support for [UTF8 clipboard data].
  * Fixed visual artifacts in framebuffer on ARM platforms.
  * Fixed several WebSockets bugs.
  * Fixed the UltraVNC-style repeater example.
  * Added support for larger framebuffers (two 4k screens possible now).
  * Added support for timeouts for outbound connections (to repeaters for instance).
  * Fixed out-of-bounds memory access in Tight encoding.
- modified patches
  % 0001-libvncserver-Add-API-to-add-custom-I-O-entry-points.patch (refreshed)
  % 0002-libvncserver-Add-channel-security-handlers.patch (refreshed)
- deleted patches
  - 0001-libvncserver-don-t-NULL-out-internal-of-the-default-.patch (upstreamed)
  - 0003-libvncserver-auth-don-t-keep-security-handlers-from-.patch (upstreamed)
  - 0004-zlib-Clear-buffer-pointers-on-cleanup-444.patch (upstreamed)
  - LibVNCServer-CVE-2020-29260.patch (upstreamed)

==== Mesa ====
Version update (23.1.2 -> 23.1.3)
Subpackages: Mesa-libEGL1 Mesa-libGL1 Mesa-libglapi0 libOSMesa8 libgbm1

- Update to bugfix release 23.1.3
- supersedes U_glx-Remove-pointless-GLX_INTEL_swap_event-paranoia.patch (boo#1209005)
- -Dxmlconfig=enabled now also needs -Dexpat=enabled as dependency

==== Mesa-drivers ====
Version update (23.1.2 -> 23.1.3)
Subpackages: Mesa-dri Mesa-gallium Mesa-libva libxatracker2

- Update to bugfix release 23.1.3
- supersedes U_glx-Remove-pointless-GLX_INTEL_swap_event-paranoia.patch (boo#1209005)
- -Dxmlconfig=enabled now also needs -Dexpat=enabled as dependency

==== accountsservice ====
Subpackages: accountsservice-lang libaccountsservice0 typelib-1_0-AccountsService-1_0

- Add accountsservice-assume-gdm.patch: assume gdm when not being able to detect the used display manager. This is basically the same as was in place before we gained support for multiple DMs (boo#1212675).

==== crda ====
Version update (4.14 -> 4.15)

- Update to crda 4.15
- Remove patches now upstream
  * crda-67f1e6ddbdfade357e234c9d58a30fe0a283fe60.patch
  * crda-f4ef2531698fb9ba006e8b31a223b3269be8bc7c.patch
- Port patch crda-python3.patch

==== ding-libs ====
Subpackages: libbasicobjects0 libcollection4 libdhash1 libini_config5 libpath_utils1 libref_array1

- Update to 0.6.2:
  * Minor maintenance update:
    INI: Silent ini_argument match failures
    INI: Fix detection of error message
- Remove patches fixed upstream
  * INI-Fix-detection-of-error-messages.patch
  * INI-Silence-ini_augment-match-failures.patch
  * TEST-validators_ut_check-Fix-fail-with-new-glibc.patch
  * INI-Remove-definiton-of-TRACE_LEVEL.patch
- Use github sources

==== kernel-source ====
Version update (6.3.7 -> 6.3.9)

- Linux 6.3.9 (bsc#1012628).
- x86/head/64: Switch to KERNEL_CS as soon as new GDT is installed (bsc#1012628).
- cgroup: bpf: use cgroup_lock()/cgroup_unlock() wrappers (bsc#1012628).
- cgroup: always put cset in cgroup_css_set_put_fork (bsc#1012628).
- cgroup: fix missing cpus_read_{lock,unlock}() in cgroup_transfer_tasks() (bsc#1012628).
- qcom: llcc/edac: Fix the base address used for accessing LLCC banks (bsc#1012628).
- EDAC/qcom: Get rid of hardcoded register offsets (bsc#1012628).
- ksmbd: validate smb request protocol id (bsc#1012628).
- of: overlay: Fix missing of_node_put() in error case of init_overlay_changeset() (bsc#1012628).
- power: supply: ab8500: Fix external_power_changed race (bsc#1012628).
- power: supply: sc27xx: Fix external_power_changed race (bsc#1012628).
- power: supply: bq27xxx: Use mod_delayed_work() instead of cancel() + schedule() (bsc#1012628).
- ARM: dts: vexpress: add missing cache properties (bsc#1012628).
- arm64: dts: arm: add missing cache properties (bsc#1012628).
- tools: gpio: fix debounce_period_us output of lsgpio (bsc#1012628).
- selftests: gpio: gpio-sim: Fix BUG: test FAILED due to recent change (bsc#1012628).
- power: supply: Ratelimit no data debug output (bsc#1012628).
- PCI/DPC: Quirk PIO log size for Intel Ice Lake Root Ports (bsc#1012628).
- platform/x86: asus-wmi: Ignore WMI events with codes 0x7B, 0xC0 (bsc#1012628).
- regulator: Fix error checking for debugfs_create_dir (bsc#1012628).
- irqchip/gic-v3: Disable pseudo NMIs on Mediatek devices w/ firmware issues (bsc#1012628).
- irqchip/meson-gpio: Mark OF related data as maybe unused (bsc#1012628).
- power: supply: Fix logic checking if system is running from battery (bsc#1012628).
- drm: panel-orientation-quirks: Change Air's quirk to support Air Plus (bsc#1012628).
- btrfs: scrub: try harder to mark RAID56 block groups read-only (bsc#1012628).
- btrfs: handle memory allocation failure in btrfs_csum_one_bio (bsc#1012628).
- ASoC: soc-pcm: test if a BE can be prepared (bsc#1012628).
- sfc: fix devlink info error handling (bsc#1012628).
- ASoC: Intel: avs: Account for UID of ACPI device (bsc#1012628).
- ASoC: Intel: avs: Fix avs_path_module::instance_id size (bsc#1012628).
- ASoC: Intel: avs: Add missing checks on FE startup (bsc#1012628).
- parisc: Improve cache flushing for PCXL in arch_sync_dma_for_cpu() (bsc#1012628).
- parisc: Flush gatt writes and adjust gatt mask in parisc_agp_mask_memory() (bsc#1012628).
- erofs: use HIPRI by default if per-cpu kthreads are enabled (bsc#1012628).
- MIPS: unhide PATA_PLATFORM (bsc#1012628).
- MIPS: Restore Au1300 support (bsc#1012628).
- MIPS: Alchemy: fix dbdma2 (bsc#1012628).
- mips: Move initrd_start check after initrd address sanitisation (bsc#1012628).
- ASoC: cs35l41: Fix default regmap values for some registers (bsc#1012628).
- ASoC: dwc: move DMA init to snd_soc_dai_driver probe() (bsc#1012628).
- xen/blkfront: Only check REQ_FUA for writes (bsc#1012628).
- drm:amd:amdgpu: Fix missing buffer object unlock in failure path (bsc#1012628).
- io_uring: unlock sqd->lock before sq thread release CPU (bsc#1012628).
- NVMe: Add MAXIO 1602 to bogus nid list (bsc#1012628).
- irqchip/gic: Correctly validate OF quirk descriptors (bsc#1012628).
- wifi: cfg80211: fix locking in regulatory disconnect (bsc#1012628).
- wifi: cfg80211: fix double lock bug in reg_wdev_chan_valid() (bsc#1012628).
- epoll: ep_autoremove_wake_function should use list_del_init_careful (bsc#1012628).
- ocfs2: fix use-after-free when unmounting read-only filesystem (bsc#1012628).
- ocfs2: check new file size on fallocate call (bsc#1012628).
- zswap: do not shrink if cgroup may not zswap (bsc#1012628).
- mm/damon/core: fix divide error in damon_nr_accesses_to_accesses_bp() (bsc#1012628).
- nios2: dts: Fix tse_mac "max-frame-size" property (bsc#1012628).
- mm/uffd: fix vma operation where start addr cuts part of vma (bsc#1012628).
- nilfs2: fix incomplete buffer cleanup in nilfs_btnode_abort_change_key() (bsc#1012628).
- nilfs2: fix possible out-of-bounds segment allocation in resize ioctl (bsc#1012628).
- nilfs2: reject devices with insufficient block count (bsc#1012628).
- LoongArch: Fix debugfs_create_dir() error checking (bsc#1012628).
... changelog too long, skipping 511 lines ...
- commit c0cd722

==== libpng16 ====
Version update (1.6.39 -> 1.6.40)

- Update to version 1.6.40:
  * Fixed the eXIf chunk multiplicity checks.
  * Fixed a memory leak in pCAL processing.
  * Corrected the validity report about tRNS inside png_get_valid().
  * Fixed various build issues on *BSD, Mac and Windows.
  * Updated the configurations and the scripts for continuous integration.
  * Cleaned up the code, the build scripts, and the documentation.

==== netpbm ====
Version update (10.96.4 -> 11.2.0)
Subpackages: libnetpbm11

- version update to 11.2.0
  * jpegtopnm: Add -traceexif
  * pbmtextps: Add -asciihex, -ascii85.
  * pcdovtoppm: remove dependency on obsolete 'tempfile' program.
  * jpegtopnm: Many fixes to -dumpexif. Always broken. (-dumpexif was new in Netpbm 9.18 (September 2001))
  * pamtopng: fix -chroma option: always rejected. Always broken. (pamtopng was new in Netpbm 10.70 (June 2015)).
  * pnmtopng: fix -rgb option: always rejected. Always broken (-rgb was new in Netpbm 10.30 (October 2005)).
  * build: change the way you add the separately distributed 'hpcdtoppm' code to the build.
  * lot of changes since last version update, see https://sourceforge.net/p/netpbm/code/HEAD/tree/advanced/doc/HISTORY
- modified patches
  % netpbm-gcc-warnings.patch (refreshed)
  % netpbm-security-code.patch (refreshed)
  % netpbm-security-scripts.patch (refreshed)
- deleted patches
  - netpbm-tmpfile.patch (upstreamed)
  - ppmforge-fix-overflow.patch (upstreamed)
  - signed-char.patch (upstreamed)

==== rubygem-ruby-dbus ====
Version update (0.23.0.beta1 -> 0.23.0.beta2)

- 0.23.0.beta2
  License:
  * clarified to be LGPL-2.1-or-later
  API:
  * DBus::Object#object_server replaces @service (which still works) and the short-lived @connection
  * ObjectServer#export will raise if the path is already taken by an object
  * ObjectServer#unexport now also accepts an object path
  * Connection#object_server can export objects even without requesting any service name (gh#mvidner/ruby-dbus#49, in beta1 already).
  * Add PeerConnection for connections without a bus, useful for PulseAudio. Fix listening for signals there (gh#mvidner/ruby-dbus##44).
  * Moved from Connection to BusConnection: #unique_name, #proxy, #service. Call send_hello in BusConnection#initialize already.
  Bug fixes:
  * Fixed a refactoring crasher bug in ProxyService#introspect (oops).
  * Fix crash on #unexport of /child_of_root or even /

==== selinux-policy ====
Version update (20230425 -> 20230622)
Subpackages: selinux-policy-targeted

- Update to version 20230622:
  * Allow keyutils_dns_resolver_exec_t be an entrypoint
  * Allow collectd_t read network state symlinks
  * Revert "Allow collectd_t read proc_net link files"
  * Allow nfsd_t to list exports_t dirs
  * Allow cupsd dbus chat with xdm
  * Allow haproxy read hardware state information
  * Label /dev/userfaultfd with userfaultfd_t
  * Allow blueman send general signals to unprivileged user domains
  * Allow dkim-milter domain transition to sendmail

==== sendmail ====
Version update (8.17.1 -> 8.17.2)
Subpackages: libmilter1_0

- Update to pre version sendmail 8.17.2
  * Make sure DANE checks (if enabled) are performed even if CACertPath or CACertFile are not set or unusable.
  * Note: if the code to set up TLS in the client fails, then {verify} will be set to TEMP but DANE requirements will be ignored, i.e., by default mail will be sent without STARTTLS. This can be changed via a LOCAL_TLS_SERVER ruleset.
  * Pass server name to clt_features ruleset instead of client name to account for limitations in macro availability described below in CONFIG section. This may break custom clt_features rulesets which expect to receive the client name as input.
  * Fix a regression introduced in 8.17.1: aliases file which contain continuation lines caused parsing errors.
  * Add an FFR (for future release) compile time option _FFR_LOG_STAGE to log the protocol stage as stage= for some errors during delivery attempts to make troubleshooting simpler. This new logging may be enabled in a future release.
  * When EAI is enabled, milters also got the arguments of MAIL/RCPT commands in argv[0] for xxfi_envfrom()/xxfi_envrcpt() callbacks instead of just the mail address. Problem reported by Dilyan Palauzo.
  * When EAI is enabled, mailq prints UTF-8 addresses as such if SMTPUTF8 was used.
  * When EAI is enabled, the $h macro is now in the correct format. Previously this could cause wrong values for relay= in log entries and the mailer argument vector.
  * When the compile time option USE_EAI is enabled, vacation could fail to respond when it should. Problem reported by Alex Hautequest.
  * When EAI was enabled, header truncation might not have been logged even when it happened. Problem reported by Werner Wiethege.
  * Handle a possible change in an upcoming release of Cyrus-SASL (2.1.28) by changing the definition of an internal flag. Patch from Dilyan Palauzo.
  * Avoid an assertion failure when an smtps connection is made to the server and a milter is unavailable. Problem reported by Dilyan Palauzo.
  * Fixed some spelling errors in documentation and comments, based on a codespell report by Jens Schleusener of fossies.org.
  * The result of try_tls is now logged using status= instead of reject=.
  * If tls_rcpt rejected the delivery of a recipient then a bogus dsn= entry might have been logged under some circumstances.
  * If a server replied with 421 to a RCPT command then a bogus reply= might have been logged.
  * When quoting the value for ${currHeader} avoid causing a syntax error (Unbalanced '"') when truncating a header value which is too long. Problem reported by Werner Wiethege.
  * Reduce the performance impact of a change introduced in 8.12.9: the default for MaxMimeHeaderLength was set to 2048/1024. Problem reported by Tabata Shintaro of Internet Initiative Japan Inc.
  * CONFIG: The default clt_features ruleset tried to access ${server_name} and ${server_addr} which are not set when the ruleset is invoked. Only the server name is available which is passed as an argument.
  * CONFIG: Properly quote host variable to prevent cf build breakage when a hostname contains 'dnl'. Problem reported by Maxim Shalomikhin of Kaspersky.
  * DEVTOOLS: Add configure.sh support for BSD's mandoc as an alternative man page formatting tool.
  * DOC: Document that USAGE is a possible value for {verify}.
  * LIBMILTER: The macros for the EOH and EOM callbacks are sent in reverse order which means accessing macros in the EOM callback got the macro for the EOH callback. Store those macros in the expected order in libmilter. Note: this does not affect sendmail because the macros for both callbacks are the same because the message is sent to libmilter after it is completely read by sendmail. Fix and problem report from David Buergin.
  * Portability: Make use of IN_LOOPBACK, if defined, to determine if using a loopback address. Patch from Mike Karels of FreeBSD. On Linux use gethostbyname2(3) if glibc 2.19 or newer is used to avoid potential problems with IPv6 lookups. Patch from Werner Wiethege. Add support for Darwin 21 and Darwin 22. Solaris 12 has been renamed to Solaris 11.4, hence adapt a condition for sigwait(2) taking one argument. Patch from John Beck.
- Port and rename patch sendmail-8.17.1.dif which is now sendmail-8.17.2.dif

==== util-linux ====
Version update (2.38.1 -> 2.39)
Subpackages: libblkid1 libfdisk1 libmount1 libsmartcols1 libuuid1 util-linux-lang

- Add patch to fix regression with mount options handling (gh#util-linux/util-linux#2326):
  * 0001-libmount-fix-sync-options-between-context-and-fs-str.patch
- Set --disable-libmount-mountfd-support, it's very broken and needs both util-linux and kernel fixes (gh#util-linux/util-linux#2287)
- UTIL_LINUX_FOUND_SYSTEMD_DEPS: make grep more robust
- util-linux-tty-tools: build together with systemd in preparation of util-linux 2.40 together with systemd v254
- Upgrade to version 2.39:
  * blkpr: New command to run persistent reservations ioctls on a device.
  * pipesz: New command to set or examine pipe and FIFO buffer sizes.
  * waitpid: New command to wait for arbitrary processes.
  * mount, libmount: Supports new file descriptors based mount kernel API.
  * mount, libmount: New mount options X-mount.idmap=, X-mount.auto-fstypes, X-mount.{owner,group,mode}=, rootcontext=@target.
  * renice: Supports posix-compliant -n (via POSIXLY_CORRECT) and add a new option --relative.
  * dmesg: Supports subsecond granularity for --since and --until.
  * dmesg: Option --level accepts '+' prefix or postfix for a level name to specify all higher or all lower levels.
  * blkid, libblkid: Supports bcachefs.
  * fstrim: New option --types to filter out by filesystem types.
  * lsblk: --nvme and --virtio are new options to filter out devices.
  * lsblk: Improves detection of hotplug and removable status.
  * nsenter: New option --env for allowing environment variables inheritance.
  * namei: New option -Z to report SELinux contexts.
  * Many other new features and fixes. For complete list see https://kernel.org/pub/linux/utils/util-linux/v2.39/v2.39-ReleaseNotes
- Dropped upstreamed patches:
  * fix-lib-internal-cache-size.patch
  * util-linux-fix-tests-when-at-symbol-in-path.patch
  * util-linux-honor-noclear-when-reprint-issue.patch
- Add upstream patch util-linux-fix-tests-with-64k-pagesize.patch
  * Fixes fadvise tests for ppc64

==== util-linux-systemd ====
Version update (2.38.1 -> 2.39)

- Add patch to fix regression with mount options handling (gh#util-linux/util-linux#2326):
  * 0001-libmount-fix-sync-options-between-context-and-fs-str.patch
- Set --disable-libmount-mountfd-support, it's very broken and needs both util-linux and kernel fixes (gh#util-linux/util-linux#2287)
- UTIL_LINUX_FOUND_SYSTEMD_DEPS: make grep more robust
- util-linux-tty-tools: build together with systemd in preparation of util-linux 2.40 together with systemd v254
- Upgrade to version 2.39:
  * blkpr: New command to run persistent reservations ioctls on a device.
  * pipesz: New command to set or examine pipe and FIFO buffer sizes.
  * waitpid: New command to wait for arbitrary processes.
  * mount, libmount: Supports new file descriptors based mount kernel API.
  * mount, libmount: New mount options X-mount.idmap=, X-mount.auto-fstypes, X-mount.{owner,group,mode}=, rootcontext=@target.
  * renice: Supports posix-compliant -n (via POSIXLY_CORRECT) and add a new option --relative.
  * dmesg: Supports subsecond granularity for --since and --until.
  * dmesg: Option --level accepts '+' prefix or postfix for a level name to specify all higher or all lower levels.
  * blkid, libblkid: Supports bcachefs.
  * fstrim: New option --types to filter out by filesystem types.
  * lsblk: --nvme and --virtio are new options to filter out devices.
  * lsblk: Improves detection of hotplug and removable status.
  * nsenter: New option --env for allowing environment variables inheritance.
  * namei: New option -Z to report SELinux contexts.
  * Many other new features and fixes. For complete list see https://kernel.org/pub/linux/utils/util-linux/v2.39/v2.39-ReleaseNotes
- Dropped upstreamed patches:
  * fix-lib-internal-cache-size.patch
  * util-linux-fix-tests-when-at-symbol-in-path.patch
  * util-linux-honor-noclear-when-reprint-issue.patch
- Add upstream patch util-linux-fix-tests-with-64k-pagesize.patch
  * Fixes fadvise tests for ppc64