Packages changed: GraphicsMagick MozillaFirefox (115.0.3 -> 116.0.2) NetworkManager (1.42.8 -> 1.44.0) amavisd-new bluez (5.66 -> 5.68) catfish (4.16.4 -> 4.18.0) dcraw dracut (059+suse.488.g81715832 -> 059+suse.491.g87f19c22) glibc (2.37 -> 2.38) gspell (1.12.1 -> 1.12.2) java-11-openjdk libcloudproviders (0.3.1 -> 0.3.2) libgweather4 (4.2.0 -> 4.3.2) liborcus opensuse-welcome (0.1.9+git.0.66be0d8 -> 0.1.9+git.35.4b9444a) perl-Image-ExifTool (12.64 -> 12.65) signon (8.60 -> 8.61) systemd (253.7 -> 253.8) === Details === ==== GraphicsMagick ==== Subpackages: libGraphicsMagick++-Q16-12 libGraphicsMagick-Q16-3 libGraphicsMagick3-config - add strlcpy-wrong-sizing.patch: fix incorrect usages of strlcpy and strlcat detected by glibc 2.38's fortify ==== MozillaFirefox ==== Version update (115.0.3 -> 116.0.2) Subpackages: MozillaFirefox-translations-common - Mozilla Firefox 116.0.2 * fixes for other platforms - Fix OOM when linking on 32-bit - Mozilla Firefox 116.0.1 * fixes for other platforms - ship vaapitest binary for supported archs - re-enable ppc64le - ship v4l2test binary for supported archs - drop obsolete mozilla-bmo1775202.patch - Mozilla Firefox 116.0 * https://www.mozilla.org/en-US/firefox/116.0/releasenotes/ MFSA 2023-29 (bsc#1213746) * CVE-2023-4045 (bmo#1833876) Offscreen Canvas could have bypassed cross-origin restrictions * CVE-2023-4046 (bmo#1837686) Incorrect value used during WASM compilation * CVE-2023-4047 (bmo#1839073) Potential permissions request bypass via clickjacking * CVE-2023-4048 (bmo#1841368) Crash in DOMParser due to out-of-memory conditions * CVE-2023-4049 (bmo#1842658) Fix potential race conditions when releasing platform objects * CVE-2023-4050 (bmo#1843038) Stack buffer overflow in StorageManager * CVE-2023-4051 (bmo#1821884) Full screen notification obscured by file open dialog * CVE-2023-4052 (bmo#1824420) File deletion and privilege escalation through Firefox uninstaller * CVE-2023-4053 (bmo#1839079) Full screen notification obscured by external program * CVE-2023-4054 (bmo#1840777) Lack of warning when opening appref-ms files * CVE-2023-4055 (bmo#1782561) Cookie jar overflow caused unexpected cookie jar state * CVE-2023-4056 (bmo#1820587, bmo#1824634, bmo#1839235, bmo#1842325, bmo#1843847) Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1, Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14 * CVE-2023-4057 (bmo#1841682) Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1, and Thunderbird 115.1 * CVE-2023-4058 (bmo#1819160, bmo#1828024) Memory safety bugs fixed in Firefox 116 - require NSS 3.91 - remove obsolete mozilla-fix-top-level-asm.patch - re-enable LTO ==== NetworkManager ==== Version update (1.42.8 -> 1.44.0) Subpackages: NetworkManager-bluetooth NetworkManager-lang NetworkManager-pppoe NetworkManager-tui NetworkManager-wwan libnm0 typelib-1_0-NM-1_0 - Update to version 1.44.0: + Introduce a new "link" setting that holds properties related to the kernel link such as "tx-queue-length", "gso-max-size", "gso-max-segments", "gro-max-size". + Support sending a DHCPv6 prefix delegation hint via the "ipv6.dhcp-pd-hint" connection property. + Support new bond options: "arp_missed_max", "lacp_active", "ns_ip6_target". + Add new "initial-eps-bearer-configure" and "initial-eps-bearer-apn" properties in the GSM setting. + Setting "connection.stable-id=default${CONNECTION}" changed behavior to be identical to the built-in default value when the stable-id is not set. + Add a "[keyfile].rename" option to NetworkManager.conf to force renaming profiles on disk when their name changes. + The ifcfg-rh plugin is deprecated; it will only receive bugfixes and no new features. A warning is emitted the log when a connection in ifcfg-rh format is found. + To automatically migrate existing ifcfg-rh connections to the keyfile format, a new configuration option "main.migrate-ifcfg-rh" is provided. Migration is disabled by default, but the default value can be changed at build time via "--with-config-migrate-ifcfg-rh-default=yes". + When configuring hostnames in non-public TLD (like "example.local"), use the TLD as default search domain instead of the full hostname. + Always apply DNS options from the [global-dns] configuration section + The NetworkManager daemon now acquires the D-Bus name only after populating the D-Bus tree. This can add a delay during startup but it is required to avoid race conditions with other services depending on NM. + Add a "version-id" argument to the Update2() D-Bus call to guard against concurrent modifications of profiles. + Don't use tentative IPv6 addresses to resolve the system hostname via DNS. + Track the number of autoconnect retries left for each device and connection. Previously it was tracked only per connection and this lead to unexpected behaviors in case of multiconnect profiles. + Set VLAN filtering options on bridge via netlink instead of sysfs. + nm-cloud-setup now supports IMDSv2 on Amazon EC2. + nmtui now allows to enable or disable Wi-Fi and WWAN radios. + Honor ignore-carrier=no for bond/bridge/team devices. + Add version mismatch warning when running nmcli commands. - Rebase patches with quilt. ==== amavisd-new ==== Subpackages: amavisd-new-docs - Package failed to rebuild on Perl version changes due to missing %{perl_requires} ==== bluez ==== Version update (5.66 -> 5.68) Subpackages: bluez-auto-enable-devices bluez-cups bluez-zsh-completion libbluetooth3 - 0001-obex-Use-GLib-helper-function-to-manipulate-paths.patch be removed by Timo Jyrinki when updating to 5.68. I saw some reasons: - Upstream didn't take this patch: https://www.spinics.net/lists/linux-bluetooth/msg40136.html - Fedora also marked this patch in bluez.spec since bluez-5.68-2.fc39 https://src.fedoraproject.org/rpms/bluez/blob/2b133d795f4f823c8b22ef5a07569792ad7ce6aa/f/bluez.spec We didn't put any bug number of this patch when it be introduced to bluez.spec since Nov 23, 2021. So, let's remove this patch unless upstream or Fedora add it back. - update to 5.68 * Fix issue with A2DP and handling of Transport.Acquire. * Fix issue with BAP and initiating QoS and Enable procedures. * Fix issue with BAP and detaching streams when PAC is removed. * Fix issue with BAP and reading all instances of PAC. * Fix issue with BAP and not being able to reconfigure. * Fix issue with BAP and transport configuration changes. * Fix issue with BAP and handling unexpected disconnect. * Fix issue with GATT and not removing pending services. * Fix issue with GATT and client ready handling. * Fix issue with handling fallback to transient hostname. * Add support for SecureConnections configuration option. * Add support for Mesh Remove Provisioning. * Add support for Mesh Private Beacons. - Remove patches that are not needed with the new upstream. ==== catfish ==== Version update (4.16.4 -> 4.18.0) Subpackages: catfish-lang - Update to version 4.18.0 * Filters: Add Archives, Other, update Apps * Use Gio to open files, fix "no default app" issue * Add symlink emblem to thumbnails in thumbnail mode * config: Prefer plocate over mlocate if available * window: Avoid IndexError on right click when selection is empty * Create shared filetype lists for searching and filtering * Ensure site-packages directory is prepended to sys.path * Fix double border between sidebar and results area * window: Fix and refactor new_column() * window: Fix markup warnings in thumbnail view * Fix GtkBuilder warnings * Revert "Suppress the various GTK warnings GtkBuilder outputs" * Fix crash and translations when install prefix != /usr * Update `.gitignore` * Remove generated file po/catfish.pot * Performance improvements (fix #79) * Translation Updates - Refresh 0001-Force-disable-Zeitgeist-support.patch - Remove _service file ==== dcraw ==== Subpackages: dcraw-lang - add dcraw-glibc-2.38.patch to fix prototype clash on memmem with glibc 2.38+ ==== dracut ==== Version update (059+suse.488.g81715832 -> 059+suse.491.g87f19c22) - Update to version 059+suse.491.g87f19c22: * fix(dracut-install): protect against broken links pointing to themselves * fix(dracut.sh): exit if resolving executable dependencies fails (bsc#1214081) ==== glibc ==== Version update (2.37 -> 2.38) Subpackages: glibc-32bit glibc-devel glibc-extra glibc-lang glibc-locale glibc-locale-base nscd - Update to glibc 2.38 * When C2X features are enabled and the base argument is 0 or 2, the following functions support binary integers prefixed by 0b or 0B as input * PRIb*, PRIB* and SCNb* macros from C2X have been added to . * printf-family functions now support the wN format length modifiers for arguments of type intN_t, int_leastN_t, uintN_t or uint_leastN_t and the wfN format length modifiers for arguments of type int_fastN_t or uint_fastN_t, as specified in draft ISO C2X * A new tunable, glibc.pthread.stack_hugetlb, can be used to disable Transparent Huge Pages (THP) in stack allocation at pthread_create * Vector math library libmvec support has been added to AArch64 * The strlcpy and strlcat functions have been added * CVE-2023-25139: When the printf family of functions is called with a format specifier that uses an (enable grouping) and a minimum width specifier, the resulting output could be larger than reasonably expected by a caller that computed a tight bound on the buffer size - Enable build with _FORTIFY_SOURCE - glibc-2.3.90-langpackdir.diff: avoid reference to __strcpy_chk - iconv-error-verbosity.patch: iconv: restore verbosity with unrecognized encoding names (BZ #30694) - printf-grouping.patch, strftime-time64.patch, getlogin-no-loginuid.patch, fix-locking-in-_IO_cleanup.patch, gshadow-erange-rhandling.patch, system-sigchld-block.patch, gmon-buffer-alloc.patch, check-pf-cancel-handler.patch, powerpc64-fcntl-lock.patch, realloc-limit-chunk-reuse.patch, dl-find-object-return.patch; Removed ==== gspell ==== Version update (1.12.1 -> 1.12.2) Subpackages: gspell-lang libgspell-1-2 typelib-1_0-Gspell-1 - Update to version 1.12.2: + Small code maintenance: don't use g_slice_*(). ==== java-11-openjdk ==== Subpackages: java-11-openjdk-headless - Added patch: * reproducible-javadoc-timestamp.patch + use SOURCE_DATE_EPOCH in javadoc and make the javadoc generation more reproducible ==== libcloudproviders ==== Version update (0.3.1 -> 0.3.2) - Update to version 0.3.2: + No upstream changes provided. ==== libgweather4 ==== Version update (4.2.0 -> 4.3.2) Subpackages: gweather4-data libgweather-4-0 libgweather4-lang typelib-1_0-GWeather-4_0 - Update to version 4.3.2: + Fix fallback metric unit detection logic + Documentation fixes + Performance improvements for nearest location lookups + Location database changes + Updated translations. ==== liborcus ==== - Removed patches: * liborcus-filesystem.patch * liborcus-tests.patch + reworked in order to send them upstream - Added patches: * 0001-Possibility-to-build-against-a-host-of-filesystem-im.patch * 0003-Allow-running-tests-with-python-3.4.patch * 0002-Allow-using-older-boost-filesystem.patch + split into chunks per topic so that upsteam can decide what to do ==== opensuse-welcome ==== Version update (0.1.9+git.0.66be0d8 -> 0.1.9+git.35.4b9444a) - Update to version 0.1.9+git.35.4b9444a: * panellayouter: use QTemporaryFile for applyLayout() (bsc#1213708, CVE-2023-32184). * Translation updates. ==== perl-Image-ExifTool ==== Version update (12.64 -> 12.65) Subpackages: exiftool perl-File-RandomAccess - Update to 12.65: * Added a new QuickTime Keys tag * Added a new CanonModelID * Added a new Canon LensType * Added number in brackets to converted Samsung MCCData value * Decode a number of new Sony tags * Decode a few new FlashPix tags (github #217) * Improved decoding of Nikon Z9 firmware 4.0 tags * Improved parsing of PDF:Keywords to support semicolon-separated lists * Enhanced -api option to show list of available options if no argument is provided * Lowered priority of IFD1 tags in ARW images so IFD0/SubIFD take precedence * Changed QuickTime tag names for atID (AlbumTitleID to ArtistID) and plID (PlayListID to AlbumID) (github issue #216), and added cmID (ComposerID) * Changed Apple:MediaGroupUUID tag name back to ContentIdentifier * Patched the -d option to handle the %s format code internally when writing (avoids problems due to inconsistent behaviour of this format code in the strptime function on different systems) * Patched patch of version 12.32 to restore ability to read from named pipes * Fixed bug which could cause a hang when processing a corrupt BigTIFF image * Fixed document number for auxiliary image metadata in HEIC files * Fixed misspelt Apple tag name * API Changes: + Added AvailableOptions method ==== signon ==== Version update (8.60 -> 8.61) Subpackages: libsignon-qt5-1 signon-plugins signond signond-libs - Update to 8.61 * Port away from QHash::unite * Don't emit QObject::destroyed() within Identity::destroy() * Build: remove unnecessary qmake options * Don't use -fno-rtti * Run test script with Busybox compatible mktemp * Fix typos in logs * Tests: add missing parameter to mkdir command * Fix deprecation warning * signond: register the adaptors in SignonDaemonAdaptor * signond: get appId of peer in SignonIdentityAdapter * signond: add Error class * signond: add ErrorAdaptor class * signond: use ErrorAdaptor in SignonSessionCore * signond: reduce usage of D-Bus in SignonIdentity class * signond: introduce PeerContext class * signond: reduce D-Bus usage in SignonAuthSession * signond: register the adaptors, not the object itself * signond: destroy adapter when Identity gets unregistered * Fix Unicode $HOME dir - Drop patch, merged upstream: * 0001-Don-t-use-fno-rtti.patch - Drop the unneeded baselibs.conf ==== systemd ==== Version update (253.7 -> 253.8) Subpackages: libsystemd0 libsystemd0-32bit libudev1 systemd-32bit systemd-container systemd-coredump systemd-lang udev - Import commit fcdb2dd2c921db3c6b7c28465dbda314f4469d17 (merge of v253.8) For a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/2dac0aff9ced1eca0cd11c24e264b33095ee5a5e...fcdb2dd2c921db3c6b7c28465dbda314f4469d17