Packages changed:
  bind (9.18.11 -> 9.18.12)
  gnome-desktop (43.1 -> 43.2)
  gstreamer-plugins-bad
  poppler (23.01.0 -> 23.02.0)
  poppler-qt5 (23.01.0 -> 23.02.0)
  postfix
  rust-keylime (0.1.0+git.1672681780.762cec8 -> 0.1.0+git.1676549716.5382ed9)
  samba (4.17.4+git.314.7b07e3c51a6 -> 4.17.5+git.320.c38ca0f84a)
  sudo (1.9.12p2 -> 1.9.13)
  tigervnc (1.12.0 -> 1.13.0)
  tpm2-0-tss (3.2.0 -> 4.0.1)
  tpm2.0-tools (5.4 -> 5.5)
  webkit2gtk3 (2.38.4 -> 2.38.5)
  webkit2gtk4 (2.38.4 -> 2.38.5)
  yast2-packager (4.5.14 -> 4.5.15)

=== Details ===

==== bind ====
Version update (9.18.11 -> 9.18.12)

- Update to release 9.18.12
  Removed Features:
  * Specifying a port when configuring source addresses (i.e., as an argument to query-source, query-source-v6, transfer-source, transfer-source-v6, notify-source, notify-source-v6, parental-source, or parental-source-v6, or in the source or source-v6 arguments to primaries, parental-agents, also-notify, or catalog-zones) has been deprecated. In addition, the use-v4-udp-ports, use-v6-udp-ports, avoid-v4-udp-ports, and avoid-v6-udp-ports options have also been deprecated. Warnings are now logged when any of these options are encountered in named.conf. In a future release, they will be made nonfunctional.
  Bug Fixes:
  * A constant stream of zone additions and deletions via rndc reconfig could cause increased memory consumption due to delayed cleaning of view memory. This has been fixed.
  * The speed of the message digest algorithms (MD5, SHA-1, SHA-2), and of NSEC3 hashing, has been improved.
  * Pointing parental-agents to a resolver did not work because the RD bit was not set on DS requests. This has been fixed.
  * Building BIND 9 failed when the --enable-dnsrps switch for ./configure was used. This has been fixed.
- Updated keyring and signature

==== gnome-desktop ====
Version update (43.1 -> 43.2)
Subpackages: gnome-desktop-lang libgnome-desktop-3-20 libgnome-desktop-3_0-common libgnome-desktop-4-2 typelib-1_0-GnomeDesktop-3_0

- Update to version 43.2:
  + Fix idle monitor watch leak.
  + Updated translations.

==== gstreamer-plugins-bad ====
Subpackages: gstreamer-plugins-bad-lang libgstadaptivedemux-1_0-0 libgstbadaudio-1_0-0 libgstbasecamerabinsrc-1_0-0 libgstcodecparsers-1_0-0 libgstcodecs-1_0-0 libgstcuda-1_0-0 libgstisoff-1_0-0 libgstmpegts-1_0-0 libgstphotography-1_0-0 libgstplay-1_0-0 libgstplayer-1_0-0 libgstsctp-1_0-0 libgsturidownloader-1_0-0 libgstva-1_0-0 libgstvulkan-1_0-0 libgstwayland-1_0-0 libgstwebrtc-1_0-0 libgstwebrtcnice-1_0-0

- Remove sys/decklink since that contains a non-standard license and disable the decklink plugin

==== poppler ====
Version update (23.01.0 -> 23.02.0)
Subpackages: libpoppler-cpp0 libpoppler-glib8 libpoppler126 poppler-tools

- Update to version 23.02.0:
  + core:
    * CairoOutputDev:
      . Fix rendering of color type 3 fonts
      . Add handling matte entry
    * Fix segfault on wrong nssdir
    * Fix "NSS could not shutdown"
  + utils: pdfsig: Point out supports PKCS#11 URIs as nickname

==== poppler-qt5 ====
Version update (23.01.0 -> 23.02.0)

- Update to version 23.02.0:
  + core:
    * CairoOutputDev:
      . Fix rendering of color type 3 fonts
      . Add handling matte entry
    * Fix segfault on wrong nssdir
    * Fix "NSS could not shutdown"
  + utils: pdfsig: Point out supports PKCS#11 URIs as nickname

==== postfix ====

- SELinux: postfix denied to access /var/spool/postfix/pid/master.pid (bsc#1207177)
  Apply proposed changes in postfix.service
- remove patch included into the source: harden_postfix.service.patch

==== rust-keylime ====
Version update (0.1.0+git.1672681780.762cec8 -> 0.1.0+git.1676549716.5382ed9)

- Drop zmq from the feature set
- Remove already merged patches:
  * 0001-keylime-agent-remove-const_err-deny.patch
  * 0001-Cargo.toml-tss-esapi-bindings.patch
- Update to version 0.1.0+git.1676549716.5382ed9:
  * Cargo: Update clap minimum version to 3.2
  * Cargo: Update uuid minimum version to 1.3
  * Cargo: Update tokio minimum version to 1.24 and reduce features
  * build(deps): bump tss-esapi from 7.1.0 to 7.2.0
  * cargo deb: include shim.py in packaging
  * build(deps): bump thiserror from 1.0.36 to 1.0.38
  * keylime-agent.conf: Add comments on how to override options
  * config: Fix overriding options with env vars
  * Add missing e2e tests and reordering tests based on alphabetical order
  * e2e tests: Fix test name
  * Store associated U keys, auth tags, and payloads together
  * Refactor ZeroMQ revocation listener to not block
  * keylime-agent: Gracefully shutdown on SIGINT
  * Refactor async code for keys and payloads
  * main: Move payload related functions to payloads module
  * main: Run ZeroMQ service in a separate task
  * Remove unused option "openstack" for obtaining uuid
  * algorithms: fix typo
  * clippy: fix uninlined_format_args warnings
  * clippy: fix needless_borrow warnings
  * crypto, mTLS: allow certificate chain for trusted_client_ca
  * build(deps): bump base64 from 0.13.0 to 0.13.1
  * build(deps): bump serde_json from 1.0.85 to 1.0.91
  * build(deps): bump libc from 0.2.133 to 0.2.139
  * build(deps): bump bumpalo from 3.11.0 to 3.12.0
  * build(deps): bump futures from 0.3.24 to 0.3.25
  * Cargo.toml: tss-esapi bindings
  * packit-ci: Disable Rawhide due to agent compilation issues
  * packit-ci: Add hotfix for tpm2-tss Fedora BZ#2158598
  * keylime-agent: remove const_err deny
  * build(deps): bump tokio from 1.23.0 to 1.24.2

==== samba ====
Version update (4.17.4+git.314.7b07e3c51a6 -> 4.17.5+git.320.c38ca0f84a)
Subpackages: libsamba-policy0-python3 samba-ad-dc-libs samba-client samba-client-libs samba-libs samba-libs-python3 samba-python3

- Update to 4.17.5
  * smbc_getxattr() return value is incorrect; (bso#14808);
  * Compound SMB2 FLUSH+CLOSE requests from MacOSX are not handled correctly; (bso#15172);
  * synthetic_pathref AFP_AfpInfo failed errors; (bso#15210);
  * samba-tool gpo listall fails IPv6 only - finddcs() fails to find DC when there is only an AAAA record for the DC in DNS; (bso#15226);
  * smbd crashes if an FSCTL request is done on a stream handle; (bso#15236);
  * DFS links don't work anymore on Mac clients since 4.17; (bso#15277);
  * vfs_virusfilter segfault on access, directory edgecase (accessing NULL value); (bso#15283);
  * CVE-2022-38023 [SECURITY] Samba should refuse RC4 (aka md5) based SChannel on NETLOGON (additional changes); (bso#15240);
  * %U for include directive doesn't work for share listing (netshareenum); (bso#15243);
  * Shares missing from netshareenum response in samba 4.17.4; (bso#15266);
  * ctdb: use-after-free in run_proc; (bso#15269);
  * irpc_destructor may crash during shutdown; (bso#15280);
  * auth3_generate_session_info_pac leaks wbcAuthUserInfo; (bso#15286);
  * smbclient segfaults with use after free on an optimized build; (bso#15268);
  * smbstatus leaking files in msg.sock and msg.lock; (bso#15282);
  * Leak in wbcCtxPingDc2; (bso#15164);
  * Access based share enum does not work in Samba 4.16+; (bso#15265);
  * Crash during share enumeration; (bso#15267);
  * rep_listxattr on FreeBSD does not properly check for reads off end of returned buffer; (bso#15271);
  * Avoid relying on C89 features in a few places; (bso#15281);
- named crashes on DLZ zone update; (bso#14030); (bsc#1206996);
- Drop libnsl build requirement; (bsc#1208220);

==== sudo ====
Version update (1.9.12p2 -> 1.9.13)
Subpackages: sudo-plugin-python

- Update to 1.9.13:
  * Changes in 1.9.13:
    . Fixed a bug running relative commands via sudo when log_subcmds is enabled. GitHub issue #194.
    . Fixed a signal handling bug when running sudo commands in a shell script. Signals were not being forwarded to the command when the sudo process was not run in its own process group.
    . Fixed a bug in the cvtsudoers LDIF parsing when the file ends without a newline and a backslash is the last character of the file.
    . Fixed a potential use-after-free bug with cvtsudoers filtering. GitHub issue #198.
    . Added a reminder to the default lecture that the password will not echo. This line is only displayed when the pwfeedback option is disabled. GitHub issue #195.
    . Fixed potential memory leaks in error paths. GitHub issue #199. GitHub issue #202.
    . Fixed potential NULL dereferences on memory allocation failure. GitHub issue #204. GitHub issue #211.
    . Sudo now uses C23-style attributes in function prototypes instead of gcc-style attributes if supported.
    . Added a new list pseudo-command in sudoers to allow a user to list another user's privileges. Previously, only root or a user with the ability to run any command as either root or the target user on the current host could use the -U option. This also includes a fix to the log entry when a user lacks permission to run the sudo -U otheruser -l command. Previously, the logs would indicate that the user tried to run the actual command; now the log entry includes the list operation.
    . JSON logging now escapes control characters if they happen to appear in the command or environment.
    . New Albanian translation from translationproject.org.
    . Regular expressions in sudoers or logsrvd.conf may no longer contain consecutive repetition operators. This is implementation-specific behavior according to POSIX, but some implementations will allocate excessive amounts of memory. This mainly affects the fuzzers.
    . Sudo now builds AIX-style shared libraries and dynamic shared objects by default instead of svr4-style. This means that the default sudo plugins are now .a (archive) files that contain a .so shared object file instead of bare .so files. This was done to improve compatibility with the AIX Freeware ecosystem, specifically, the AIX Freeware build of OpenSSL. Sudo will still load svr4-style .so plugins and if a .so file is requested, either via sudo.conf or the sudoers file, and only the .a file is present, sudo will convert the path from plugin.so to plugin.a(plugin.so) when loading it. This ensures compatibility with existing configurations. To restore the old, pre-1.9.13 behavior, run configure using the --with-aix-soname=svr4 option.
    . Sudo no longer checks the ownership and mode of the plugins that it loads. Plugins are configured via either the sudo.conf or sudoers file, which are trusted configuration files. These checks suffered from time-of-check vs. time-of-use race conditions and complicate loading plugins that are not simple paths. Ownership and mode checks are still performed when loading the sudo.conf and sudoers files, which do not suffer from race conditions. The sudo.conf developer_mode setting is no longer used.
    . Control characters in sudo log messages and sudoreplay -l output are now escaped in octal format. Space characters in the command path are also escaped. Command line arguments that contain spaces are surrounded by single quotes and any literal single quote or backslash characters are escaped with a backslash. This makes it possible to distinguish multiple command line arguments from a single argument that contains spaces.
    . Improved support for DragonFly BSD which uses a different struct procinfo than either FreeBSD or 4.4BSD.
    . Fixed a compilation error on Linux arm systems running older kernels that may not define EM_ARM in linux/elf-em.h. GitHub issue #232.
    . Fixed a compilation error when LDFLAGS contains -Wl,--no-undefined. Sudo will now link using -Wl,--no-undefined by default if possible. GitHub issue #234.
    . Fixed a bug executing a command with a very long argument vector when log_subcmds or intercept is enabled on a system where intercept_type is set to trace. GitHub issue #194.
    . When sudo is configured to run a command in a pseudo-terminal but the standard input is not connected to a terminal, the command will now be run as a background process. This works around a problem running sudo commands in the background from a shell script where changing the terminal to raw mode could interfere with the interactive shell that ran the script. GitHub issue #237.
    . A missing include file in sudoers is no longer a fatal error unless the error_recovery plugin argument has been set to false.

==== tigervnc ====
Version update (1.12.0 -> 1.13.0)
Subpackages: libXvnc1 xorg-x11-Xvnc xorg-x11-Xvnc-module

- A little cleanup of specfile
- Update to tigervnc 1.13.0
  * The servers and native viewer now support RealVNC's RSA-AES authentication methods and encryption
  * The native viewer is now translated to Romanian and Georgian
  * The native viewer now (optionally) supports PiKVM's H.264 encoding
  * The display settings for the native viewer have been overhauled to make them easier to understand
  * The native viewer now supports adding exceptions for expired certificates
  * Resolved an issue where full-screen mode didn't work in the native viewer on macOS 13
  * Lock key synchronization has been re-enabled in the native viewer after being accidentally disabled in 1.11.0
  * Xvnc/libvnc.so can now be built with Xorg 1.21
  * x0vncserver is a bit better at handling differing server and client keyboard layout
  * x0vncserver now correctly handles zaphod mode
- Removed patches (no longer needed):
  * tigervnc-newfbsize.patch (https://github.com/TigerVNC/tigervnc/pull/13)
  * n_utilize-system-crypto-policies.patch (https://github.com/TigerVNC/tigervnc/pull/1262)
  * xserver211.patch & u_tigervnc-211.patch (https://github.com/TigerVNC/tigervnc/pull/1383)
- Refreshed patches:
  * n_tigervnc-date-time.patch
  * n_vncserver.patch
  * u_change-button-layout-in-ServerDialog.patch

==== tpm2-0-tss ====
Version update (3.2.0 -> 4.0.1)
Subpackages: libtss2-esys0 libtss2-fapi1 libtss2-mu0 libtss2-rc0 libtss2-sys1 libtss2-tcti-device0 libtss2-tctildr0

- Drop 0001-tss2_rc-ensure-layer-number-is-in-bounds.patch as it was already merged upstream
- Update to 4.0.1
  + Fixed:
    * A buffer overflow in tss2-rc as CVE-2023-22745.
- Update to 4.0.0
  + Fixed:
    * tcti-ldr: Use heap instead of stack when tcti initialize
    * Fix usage of NULL pointer if Esys_TR_SetAuth is called with ESYS_TR_NONE.
    * Conditionally check user/group manipulation commands.
    * Store VERSION into the release tarball.
    * When using DESTDIR for make install, do not invoke systemd-sysusers and systemd-tmpfiles.
    * esys_iutil: fix possible NPD.
    * Tss2_Sys_Flushcontext: flushHandle was encoded as a handleArea handle and not as parameter one, this affected the contents of cpHash.
    * esys: fix allow usage of HMAC sessions for Esys_TR_FromTPMPublic.
    * fapi: fix usage of policy_nv with a TPM nv index.
    * linking tcti for libtpms against tss2-tctildr. It should be linked against tss2-mu.
    * build: Remove erroneous trailing comma in linker option. Bug [#2391].
    * fapi: fix encoding of complex tpm2bs in authorize nv, duplication select and policy template policies. Now the complex and TPMT or TPMS representations can be used. Bug #2383
    * The error message for unsupported FAPI curves was in hex without a leading 0x, make it integer output to clarify.
    * Documentation that had various scalar out pointers as "callee allocated".
    * test: build with opaque FILE structure like in musl libc.
    * Transient endorsement keys were not recreated according to the EK credential profile.
    * Evict control for a persistent EK failed during provisioning if an auth value for the storage hierarchy was set.
    * The authorization of the storage hierarchy is now added. Fixes FAPI: Provisioning error if an auth value is needed for the storage hierarchy #2438.
    * Usage of a second profile in a path was not possible because the default profile was always used.
    * The setting of an empty auth value for Fapi_Provision was fixed.
    * JSON encoding of a structure TPMS_POLICYAUTHORIZATION used the field keyPEMhashAlg instead of hashAlg as defined in "TCG TSS 2.0 JSON Data Types and Policy Language Specification". Rename to hashAlg but preserve support for reading keyPEMhashAlg for backwards compatibility.
    * fapi: PolicySecret did not work with keys as secret object.
    * Esys_PCR_SetAuthValue: remembers the auth like other SetAuth ESAPI functions.
    * tests: esys-pcr-auth-value.int moved to destructive tests.
    * FAPI: Fix double free if keystore is corrupted.
    * Marshaling of TPMU_CAPABILITIES data, only field intelPttProperty was broken before.
    * Spec deviation in Fapi_GetDescription caused description to be NULL when it should be empty string. This is API breaking but considered a bug since it deviated from the FAPI spec.
    * FAPI: undefined reference to curl_url_strerror when using curl less than 7.80.0.
    * FAPI: Fixed support for EK templates in NV indices per the spec, see #2518 for details.
    * FAPI: fix NPD in ifapi_curl logging.
    * FAPI: Improve documentation fapi-profile
    * FAPI: Fix CURL HTTP handling.
    * FAPI: Return FAPI_RC_IO_ERROR if a policy does not exist in keystore.
  + Added:
    * TPM version 1.59 support.
    * ci: ubuntu-22.04 added.
    * mbedTLS 3.0 is supported by ESAPI.
    * Add CreationHash to JSON output for usage between applications not using the FAPI keystore, like command line tools.
    * Reduced code size for SAPI.
    * Support for Runtime Switchable ESAPI Crypto Backend via Esys_SetCryptoCallbacks.
    * Testing for TCG EK Credential Profile TPM 2.0, Version 2.4 Rev. 3, 2021 for the low and high address range of EK templates.
    * tss2-rc: Tss2_RC_DecodeInfo function for parsing TSS2_RC into the various bit fields.
    * FAPI support for P_ECC384 profile.
    * tss2-rc: Tss2_RC_DecodeInfoError: Function to get a human readable error from a TSS2_RC_INFO returned by Tss2_RC_DecodeInfo
    * tcti: Generic SPI driver, implementors only need to connect to acquire/release, transmit/receive, and sleep/timeout functions.
    * FAPI: Add event logging for Firmware and IMA Events. See #2170 for details.
    * FAPI: Fix Fapi_ChangeAuth updates on hierarchy objects not being reflected across profiles.
    * FAPI: Allow keyedhash keys in PolicySigned.
    * ESAPI: Support sha512 for mbedtls crypto backend.
    * TPM2B_MAX_CAP_BUFFER and mu routines
    * vendor field to TPMU_CAPABILITIES
    * FAPI: support for PolicyTemplate
  + Changed
    * libmu soname from 0:0:0 to 0:1:0.
    * tss2-sys soname from 1:0:0 to 1:1:0
    * tss2-esys: from 0:0:0 to 0:1:0
  ... changelog too long, skipping 6 lines ...
    * Dead code Tss2_MU_TPMS_ALGORITHM_DESCRIPTION_Unmarshal

==== tpm2.0-tools ====
Version update (5.4 -> 5.5)

- Update to version 5.5
  + Added:
    * tpm2_createek: SM2 EK Support
    * misc: SM2 support to internal OSSL format key routines. Fixes --format flags for conversions.
  + Fixed:
    * echo_tcti.py: set to use python3 named executable in shebang.
- Drop already merged patches
  + fix_bogus_warning.patch
  + echo_tcti_call_python3_binary.patch

==== webkit2gtk3 ====
Version update (2.38.4 -> 2.38.5)
Subpackages: WebKit2GTK-4.1-lang libjavascriptcoregtk-4_1-0 libwebkit2gtk-4_1-0 typelib-1_0-JavaScriptCore-4_1 typelib-1_0-WebKit2-4_1 webkit2gtk-4_1-injected-bundles

- Update to version 2.38.5 (boo#1208328):
  + Fix large memory allocation when uploading content.
  + Fix scrolling after a history navigation with PSON enabled.
  + Always update the active uri of WebKitFrame.
  + Fix the build on Ubuntu 20.04.
  + Fix several crashes and rendering issues.
  + Security fixes: CVE-2023-23529.
==== webkit2gtk4 ====
Version update (2.38.4 -> 2.38.5)
Subpackages: WebKit2GTK-5.0-lang libjavascriptcoregtk-5_0-0 libwebkit2gtk-5_0-0 webkit2gtk-5_0-injected-bundles

- Update to version 2.38.5 (boo#1208328):
  + Fix large memory allocation when uploading content.
  + Fix scrolling after a history navigation with PSON enabled.
  + Always update the active uri of WebKitFrame.
  + Fix the build on Ubuntu 20.04.
  + Fix several crashes and rendering issues.
  + Security fixes: CVE-2023-23529.

==== yast2-packager ====
Version update (4.5.14 -> 4.5.15)

- Ruby 3.2: Change a test to treat dir:///foo equal to dir:/foo (bsc#1207239)
- 4.5.15