Packages changed: desktop-file-utils ffmpeg-5 (5.1.2 -> 5.1.3) gnome-branding-MicroOS (20230323 -> 20230420) grep (3.9 -> 3.10) libpaper (2.0.10 -> 2.1.0) libpng16 libunistring libxml2 (2.10.3 -> 2.10.4) microos-tools (2.20+git20230413.2a43cdb -> 2.21+git0) mpfr ncurses (6.4.20230408 -> 6.4.20230418) pam (1.5.2 -> 1.5.2.90) pam-config (2.4 -> 2.5) pam-full-src (1.5.2 -> 1.5.2.90) patterns-gnome patterns-microos plasma-branding-MicroOS (20230323 -> 20230420) plasma5-desktop python-pymemcache qalculate (4.5.1 -> 4.6.1) selinux-policy (20230321 -> 20230420) shadow snapper tuned (2.19.0.29+git.b894a3e -> 2.20.0.18+git.7b1a20b) vulkan-loader (1.3.243.0 -> 1.3.247) vulkan-tools (1.3.243.0 -> 1.3.247) xkeyboard-config yast2-trans (84.87.20230416.972001c66e -> 84.87.20230420.b54e9530) === Details === ==== desktop-file-utils ==== - suse-update-mime-defaults: * add support for MATE desktop * ensure C locale is set for sorting order * fix quoting of DESTDIR ==== ffmpeg-5 ==== Version update (5.1.2 -> 5.1.3) Subpackages: libavcodec59 libavfilter8 libavformat59 libavutil57 libpostproc56 libswresample4_ff5 libswscale6 - Update to version 5.1.3: * avcodec/012v: Order operations for odd size handling * avcodec/alsdec: - Check bits left before block decoding in non multi channel coding loop - The minimal block is at least 7 bits * avcodec/atrac3plus: reorder channels to match the output layout * avcodec/audiotoolboxenc: return AVERROR_EXTERNAL immediately when encode error * avcodec/bink: - Avoid undefined out of array end pointers in binkb_decode_plane() - Fix off by 1 error in ref end * avcodec/eac3dec: avoid float noise in fixed mode addition to overflow * avcodec/eatgq: : Check index increments in tgq_decode_block() * avcodec/escape124: - Fix signdness of end of input check - Fix some return codes * avcodec/ffv1dec: - Check that num h/v slices is supported - Fail earlier if prior context is corrupted * avcodec/ffv1dec: restructure slice coordinate reading a bit * avcodec/h274: fix include * avcodec/libjxldec: - Fix gamma22 and gamma28 recognition - Avoid hard failure with unspecified primaries * avcodec/mjpegenc: take into account component count when writing the SOF header size * avcodec/mlpdec: Check max matrix instead of max channel in noise check * avcodec/motionpixels: Mask pixels to valid values * avcodec/mpeg12dec: - Check input size - Use init_get_bits8 and check the return value * avcodec/nvenc: fix vbv buffer size in cq mode * avcodec/pictordec: Remove mid exit branch * avcodec/pngdec: - Check deloco index more exactly - Dont skip/read chunk twice * avcodec/rpzaenc: stop accessing out of bounds frame * avcodec/scpr3: Check bx * avcodec/scpr: Test bx before use * avcodec/smcenc: stop accessing out of bounds frame * avcodec/snowenc: Fix visual weight calculation * avcodec/speedhq: Check buf_size to be big enough for DC * avcodec/speexdec: Check channels > 2 * avcodec/sunrast: Fix maplength check * avcodec/tests/snowenc: - Fix 2nd test - Return a failure if DWT/IDWT mismatches - Unbreak DWT tests * avcodec/tiff: Ignore tile_count * avcodec/utils: - Allocate a line more for VC1 and WMV3 - Ensure linesize for SVQ3 - Use 32pixel alignment for bink * avcodec/videodsp_template: Adjust pointers to avoid undefined pointer things * avcodec/wavpack: - Avoid undefined shift in get_tail() - Check for end of input in wv_unpack_dsd_high() * avcodec/xpmdec: Check size before allocation to avoid truncation * avcodec/aacdec: fix parsing streams with channel configuration 11 * avformat/id3v2: Check taglen in read_uslt() * avformat/mov: Check samplesize and offset to avoid integer overflow * avformat/mxfdec: Use 64bit in remainder * avformat/replaygain: avoid undefined / negative abs * avformat/vividas: Check packet size * avutil/tx: Use unsigned in ff_tx_fft_sr_combine() to avoid undefined behavior * hwcontext_vulkan: remove optional encode/decode extensions from the list * lavf/async: Fix ring_write return value * lavu/vulkan: fix handle type for 32-bit targets * libswscale: force a minimum size of the slide for bayer sources * swscale/input: Use more unsigned intermediates * swscale/output: - Bias 16bps output calculations to improve non overflowing range - Bias 16bps output calculations to improve non overflowing range for GBRP16/GBRPF32 * swscale: aarch64: Fix yuv2rgb with negative strides * Use https for repository links * vulkan: Fix win/i386 calling convention - Rebase patches with quilt. - Drop ffmpeg-CVE-2022-3964.patch: Fixed upstream. - Drop no-vk-video-decoding.patch: Upstream removed this optional code. - Use ldconfig_scriptlets macro. ==== gnome-branding-MicroOS ==== Version update (20230323 -> 20230420) - Remove unneeded cleanup of desktop drop-in - 20230420 - Correct location for Desktop drop-in config - Clean up invalid desktop drop-in file - 20230419 ==== grep ==== Version update (3.9 -> 3.10) Subpackages: grep-lang - update to 3.10: * With -P, \d now matches only ASCII digits, regardless of PCRE options/modes. The changes in grep-3.9 to make ^H and \w work properly had the undesirable side effect of making \d also match e.g., the Arabic digits: ٠١٢٣٤٥٦٧٨٩. With grep-3.9, -P '\d+' would match that ten-digit (20-byte) string. Now, to match such a digit, you would use \p{Nd}. Similarly, \D is now mapped to [^0-9]. ==== libpaper ==== Version update (2.0.10 -> 2.1.0) Subpackages: libpaper-tools libpaper2 - Update to 2.1.0: * This release reintroduces the old ‘paperconf’ utility, for backwards compatibility only. ==== libpng16 ==== - Fix license tag to libpng-2.0. ==== libunistring ==== - Fix license tag to GPL-3.0-or-later or LGPL-3.0-or-later. ==== libxml2 ==== Version update (2.10.3 -> 2.10.4) Subpackages: libxml2-2 libxml2-tools - Update to version 2.10.4: + Security: - [CVE-2023-29469, bsc#1210412] Hashing of empty dict strings isn’t deterministic - [CVE-2023-28484, bsc#1210411] Fix null deref in xmlSchemaFixupComplexType - schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK + Regressions: - SAX2: Ignore namespaces in HTML documents - io: Fix “buffer full” error with certain buffer sizes ==== microos-tools ==== Version update (2.20+git20230413.2a43cdb -> 2.21+git0) - Switch to obs_scm - Call autogen.sh so that it actually builds - Update to version 2.21+git0: * Release version 2.21 * 98selinux-microos: Work around overlayfs bug (bsc#1210690) * 98selinux-microos: Create .relabelled marker before relabelling ==== mpfr ==== - Add mpfr-4.2.0-cummulative.patch, cummulative patches for mpfr 4.2.0: * A test of the thousands separator in tsprintf.c is based on the output from the GNU C Library up to 2.36, which is incorrect. * The mpfr_ui_pow_ui function has infinite loop in case of overflow. * The tfprintf and tprintf tests may fail in locales where decimal_point has several bytes, such as ps_AF. * In particular cases that are very hard to round, mpfr_rec_sqrt may yield a stack overflow due to many small allocations in the stack, based on alloca(). - Remove tests-tsprintf.patch that's included in the above set. ==== ncurses ==== Version update (6.4.20230408 -> 6.4.20230418) Subpackages: libncurses6 ncurses-utils terminfo terminfo-base terminfo-iterm terminfo-screen - Fix get_version_number.sh to show version without suffix gz.asc - Add ncurses patch 20230418 (boo#1210485, (boo#1210434) + improve checks for limits on privileged execution: + modify _nc_syserr_abort() to use _nc_env_access(), rather than only checking root uid. + use getauxval() when available, to improve setuid/setgid checks. + modify test packages to disable root access/environ options. + modify tgoto() to accept no-parameter capabilities, for joe editor (OpenSUSE #1210485, Gentoo #904263). - Add signatures of the patches as well in patch tar ball - Add ncurses patch 20230415 (boo#1210485) + configure script fixes: + fix copy/paste error in configure option --disable-root-access (report/patch by Sven Joachim). + modify CF_XOPEN_SOURCE macro's amend default case to avoid undefining _XOPEN_SOURCE if _POSIX_C_SOURCE is defined. + modify test_tparm to account for extended capabilities. + add checks in tparm() and tiparm() for misuse of numeric parameters, overlooked in 20230408. + fix errata in clear.1 and curs_terminfo.3x ==== pam ==== Version update (1.5.2 -> 1.5.2.90) - pam-extra: add split provide - pam-userdb: add split provide - Drop pam-xauth_ownership.patch, got fixed in sudo itself - Drop pam-bsc1177858-dont-free-environment-string.patch, was a fix for above patch - Use bcond selinux to disable SELinux - Remove old pam_unix_* compat symlinks - Move pam_userdb to own pam-userdb sub-package - pam-extra contains now modules having extended dependencies like libsystemd - Update to 1.5.3.90 git snapshot - Drop merged patches: - pam-git.diff - docbook5.patch - pam_pwhistory-docu.patch - pam_xauth_data.3.xml.patch - Drop Linux-PAM-1.5.2.90.tar.xz as we have to rebuild all documentation anyways and don't use the prebuild versions - Move all devel manual pages to pam-manpages, too. Fixes the problem that adjusted defaults not shown correct. ==== pam-config ==== Version update (2.4 -> 2.5) - Update to version 2.5 - Add skip_if option for pam_wtmpdb ==== pam-full-src ==== Version update (1.5.2 -> 1.5.2.90) - pam-extra: add split provide - pam-userdb: add split provide - Drop pam-xauth_ownership.patch, got fixed in sudo itself - Drop pam-bsc1177858-dont-free-environment-string.patch, was a fix for above patch - Use bcond selinux to disable SELinux - Remove old pam_unix_* compat symlinks - Move pam_userdb to own pam-userdb sub-package - pam-extra contains now modules having extended dependencies like libsystemd - Update to 1.5.3.90 git snapshot - Drop merged patches: - pam-git.diff - docbook5.patch - pam_pwhistory-docu.patch - pam_xauth_data.3.xml.patch - Drop Linux-PAM-1.5.2.90.tar.xz as we have to rebuild all documentation anyways and don't use the prebuild versions - Move all devel manual pages to pam-manpages, too. Fixes the problem that adjusted defaults not shown correct. ==== patterns-gnome ==== Subpackages: patterns-gnome-gnome_basic patterns-gnome-gnome_basis patterns-gnome-gnome_basis_opt patterns-gnome-sw_management_gnome - Drop pidgin and planner Recommends from openSUSE, only install by default on SLED. Planner is no longer available on Tumbleweed. ==== patterns-microos ==== Subpackages: patterns-microos-alt_onlyDVD patterns-microos-apparmor patterns-microos-base patterns-microos-base-microdnf patterns-microos-base-packagekit patterns-microos-base-zypper patterns-microos-basesystem patterns-microos-cloud patterns-microos-cockpit patterns-microos-defaults patterns-microos-desktop-common patterns-microos-desktop-gnome patterns-microos-desktop-kde patterns-microos-hardware patterns-microos-ima_evm patterns-microos-onlyDVD patterns-microos-ra_agent patterns-microos-ra_verifier patterns-microos-selinux patterns-microos-sssd_ldap - Relocate the below change to kernel-firmware-all and sof-firmware from base pattern to desktop-common - the requirement is for very broad hardware support Desktops, not ever MicroOS install - Add kernel-firmware-all and sof-firmware to the base pattern. This should ensure any MicroOS system can handle the various kinds/vendors of hardware out of the box, since those systems don't use package recommendation/supplementation (boo#1184767, boo#1210483). - Add missing gtk4-branding-openSUSE requirement (GTK2 and GTK3 are already being required). - Drop duplicated NetworkManager requirement from GNOME pattern. This is part of the base pattern which get's pulled in by any MicrOS system. - Move xdg-desktop-portal-gtk to the desktop common pattern. Both GNOME and KDE need it for proper theming of GTK-based flatpak apps. ==== plasma-branding-MicroOS ==== Version update (20230323 -> 20230420) - Remove unneeded cleanup of desktop drop-in - 20230420 - Correct location for Desktop drop-in config - Clean up invalid desktop drop-in file - 20230419 ==== plasma5-desktop ==== Subpackages: plasma5-desktop-emojier plasma5-desktop-lang - Add patch to fix configuration of mouse acceleration with xf86-input-libinput >= 1.3.0 (kde#468217): * 0001-KCM-mouse-enable-compatibility-with-x11-libinput-1.3.patch ==== python-pymemcache ==== - add sle15_python_module_pythons (jsc#PED-68) - Make calling of %{sle15modernpython} optional. ==== qalculate ==== Version update (4.5.1 -> 4.6.1) Subpackages: libqalculate22 qalculate-data - Update to 4.6.1: * Do not automatically by default set prefix higher than kilo for meter, gram, higher than 1 (no prefix) for second and litre, or lower than 1 for byte and bit * Do not use recently introduced SI prefixes (R, Q, r, q) automatically by default * Do not set automatic prefix if resulting multiplier is less than 1 or greater than 1000, with some exceptions (e.g. km) * Default prefix unit property (use for gram, and few other units, instead of hard coded value) * Option to change symbols used for output of digits 10 and 11 in duodecimal numbers (use A and B as default digits) * Allow the same variable left and right of the equals sign (e.g. var=var+2), in variable assignment without colon, if the variable exists and the previous value is known * Use Unicode symbol for minus in scientific e notation * Do not show multiplier if exactly 1, in HTML output of scientific notation * Prefer Nm (torque) over J when the result is a vector with three components * Add "amp" abbreviation to ampere unit, and "thou" name for 1/1000 in (mil) * Fix unit order for Nm and Ws * Fix conversion from ounce (interpreted as fluid ounce) to litre with prefix * Fix automatic reactivation of global object after deletion of conflicting object * Fix parsing of scientific e notation when the number is extremely large and exponentiation fails because of floating point overflow * Fixes for output of scientific notation using number bases other than decimal * Fix prefix selection in denominator when multiplier is higher than the value of the largest prefix * Fix segfault in multisolve() * Don't show anything on empty input * Support "help [OPTION]" and "help set [OPTION]" command to display description for a single set option * Fix division and exponentiation of scalar by matrix/vector, e.g. 4./[8 4.5] * Improve parsing of element-wise operators with comma as decimal separator * Fix rref() with different units for different elements * Fix segfault with empty vector in uncertainty calculation * Fix segfault trying to solve cbrt(x)^(1/3)-x=0 * Fix segfault in handling of vector variable with uncertainty * Fix internal id does not exist error * Fix erroneous simplification of sin(x)^2*y-cos(x)sin(x)^2y * Do not try to calculate norm() and magnitude() for matrices * Fix some memory leaks * Fix order of argument titles in csum() function ==== selinux-policy ==== Version update (20230321 -> 20230420) Subpackages: selinux-policy-targeted - Update to version 20230420: * libzypp creates temporary files in /var/adm/mount. Label it with rpm_var_cache_t to prevent wrong labels in /var/cache/zypp * only use rsync_exec_t for the rsync server, not for the client (bsc#1209890) * properly label sshd-gen-keys-start to ensure ssh host keys have proper labels after creation * Allow dovecot-deliver write to the main process runtime fifo files * Allow dmidecode write to cloud-init tmp files * Allow chronyd send a message to cloud-init over a datagram socket * Allow cloud-init domain transition to insights-client domain * Allow mongodb read filesystem sysctls * Allow mongodb read network sysctls * Allow accounts-daemon read generic systemd unit lnk files * Allow blueman watch generic device dirs * Allow nm-dispatcher tlp plugin create tlp dirs * Allow systemd-coredump mounton /usr * Allow rabbitmq to read network sysctls * Allow certmonger dbus chat with the cron system domain * Allow geoclue read network sysctls * Allow geoclue watch the /etc directory * Allow logwatch_mail_t read network sysctls * allow systemd_resolved_t to bind to all nodes (bsc#1200182) * Allow insights-client read all sysctls * Allow passt manage qemu pid sock files * Allow sssd read accountsd fifo files * Add support for the passt_t domain * Allow virtd_t and svirt_t work with passt * Add new interfaces in the virt module * Add passt interfaces defined conditionally * Allow tshark the setsched capability * Allow poweroff create connections to system dbus * Allow wg load kernel modules, search debugfs dir * Boolean: allow qemu-ga manage ssh home directory * Label smtpd with sendmail_exec_t * Label msmtp and msmtpd with sendmail_exec_t * Allow dovecot to map files in /var/spool/dovecot * Confine gnome-initial-setup * Allow qemu-guest-agent create and use vsock socket * Allow login_pgm setcap permission * Allow chronyc read network sysctls * Enhancement of the /usr/sbin/request-key helper policy * Fix opencryptoki file names in /dev/shm * Allow system_cronjob_t transition to rpm_script_t * Revert "Allow system_cronjob_t domtrans to rpm_script_t" * Add tunable to allow squid bind snmp port * Allow staff_t getattr init pid chr & blk files and read krb5 * Allow firewalld to rw z90crypt device * Allow httpd work with tokens in /dev/shm * Allow svirt to map svirt_image_t char files * Allow sysadm_t run initrc_t script and sysadm_r role access * Allow insights-client manage fsadm pid files * Allowing snapper to create snapshots of /home/ subvolume/partition * Add boolean qemu-ga to run unconfined script * Label systemd-journald feature LogNamespace * Add none file context for polyinstantiated tmp dirs * Allow certmonger read the contents of the sysfs filesystem * Add journalctl the sys_resource capability * Allow nm-dispatcher plugins read generic files in /proc - Add debug-build.sh script to make debugging without committing easier ==== shadow ==== Subpackages: libsubid4 login_defs - bsc#1210507 (CVE-2023-29383): Check for control characters - Add shadow-CVE-2023-29383.patch ==== snapper ==== Subpackages: libsnapper7 snapper-zypp-plugin - fixed deleting configs (bsc#1210716) ==== tuned ==== Version update (2.19.0.29+git.b894a3e -> 2.20.0.18+git.7b1a20b) - New polkit interface has been reviewed by security bsc#1185418 - Remove old outdated spec scripts before suse_version 1500 - Separate SAP and related profiles to not be installed in SLE 15 SPx and older, but add them with openSUSE (as before), ALP and upcoming SLE distros - Update to version tuned-2.20.0.18+git.7b1a20b * scheduler: fix traceback if running with runtime=0 * plugin_scheduler: fix perf fd leaks * Better log on unsupported hw for pm_qos_resume_latency_us option * fix-tuned-profiles-adoc-error * explicitly use /bin/bash for tuned scripts * set the icon in the about dialog * install dbus policy in /usr/share/dbus-1 * tuned-adm: better error message for unauthorized switch_profile * man: updated manual pages to be more consistent * spec: dropped unneeded ncat dependency * fix log error * Report reapplied sysctls only on different values * Fixing no _evlist attribute when run without daemon * fix 'is_active' does not work * new release (2.20.0-rc.1) * build: fixed FTBFS with python2 * Expose TuneD API to the Unix Domain Socket. * Inform users about reapplied sysctls * API: add support for moving devices between instances * throughput-performance: set net.core.somaxconn to at least 2048 * Adding support for cpu intel_pstate scaling driver * configparser: use no strict parser to mimic old behavior * Adding pm_qos_resume_latency_us option for cpu plugin.i * Makefile: added fix for python-3.12 * D-Bus: only send tracebacks through the D-Bus if in the debug mode * update vendor_url in policy file * correct section of the tuned-profiles-openshift manpage * Allow selecting a different pkg-config executable * fix tuned/gtk/gui_profile_loader.py spell error * bootloader: create bootcmdline even when skip_grub_config=true * profiles: added aws profile for aws ec2 instances * Closing fd from perf module in scheduler plugin ==== vulkan-loader ==== Version update (1.3.243.0 -> 1.3.247) - Update to 1.3.247 * Make correct layer be used when duplicates are present * Fix ordering regression for VK_INSTANCE_LAYERS ==== vulkan-tools ==== Version update (1.3.243.0 -> 1.3.247) - Update to release 1.3.247 * vulkaninfo: Dont enable Direct Driver Loading Ext * vkcubepp: Fix custom height not working ==== xkeyboard-config ==== Subpackages: xkeyboard-config-lang - remove CCDL from license strings (boo#1210681) ==== yast2-trans ==== Version update (84.87.20230416.972001c66e -> 84.87.20230420.b54e9530) Subpackages: yast2-trans-cs yast2-trans-da yast2-trans-de yast2-trans-el yast2-trans-en_GB yast2-trans-es yast2-trans-fr yast2-trans-hu yast2-trans-it yast2-trans-ja yast2-trans-pl yast2-trans-pt yast2-trans-pt_BR yast2-trans-ru yast2-trans-zh_CN yast2-trans-zh_TW - Update to version 84.87.20230420.b54e9530: * Translated using Weblate (Dutch) * Translated using Weblate (Japanese) * Translated using Weblate (Catalan) * New POT for text domain 'storage'. * Translated using Weblate (Czech)