Packages changed:
  MozillaFirefox (112.0.1 -> 112.0.2)
  docker (20.10.23_ce -> 23.0.5_ce)
  git (2.40.0 -> 2.40.1)
  gtk3 (3.24.37 -> 3.24.37+68)
  keylime (6.7.0 -> 7.0.0)
  libalternatives (1.2+3.b848aad -> 1.2+30.a5431e9)
  libsrtp2
  libyui (4.5.1 -> 4.5.2)
  libyui-ncurses (4.5.1 -> 4.5.2)
  libyui-ncurses-pkg (4.5.1 -> 4.5.2)
  libyui-qt (4.5.1 -> 4.5.2)
  libyui-qt-graph (4.5.1 -> 4.5.2)
  libyui-qt-pkg (4.5.1 -> 4.5.2)
  mozjs102
  openvpn (2.5.9 -> 2.6.3)
  setools (4.4.1 -> 4.4.2)
  tracker (3.5.0 -> 3.5.1)
  tracker-miners (3.5.0 -> 3.5.1)
  vim (9.0.1443 -> 9.0.1488)
  xset

=== Details ===

==== MozillaFirefox ====
Version update (112.0.1 -> 112.0.2)
Subpackages: MozillaFirefox-translations-common

- Mozilla Firefox 112.0.2
  * Fix a high memory usage issue with animated images in minimized
    (or completely covered) windows, especially when using animated
    themes (bmo#1828587)
  * Fix an issue where Linux users with bitmap fonts installed may
    have had entire sections of text invisible to them on some sites
    (bmo#1827950)
- Include Leap 15.5 in check for which python version is required.

==== docker ====
Version update (20.10.23_ce -> 23.0.5_ce)
Subpackages: docker-bash-completion

- Update to Docker 23.0.5-ce. See upstream changelog online at .
- Rebase patches:
  * cli-0001-docs-include-required-tools-in-source-tree.patch
- Update to Docker 23.0.4-ce. See upstream changelog online at .
  bsc#1208074
- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
- Renumbered patches:
  - 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
- Remove upstreamed patches:
  - 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
  - 0006-bsc1193930-vendor-update-golang.org-x-crypto.patch
  - 0007-bsc1200022-fifo.Close-prevent-possible-panic-if-fifo.patch
- Backport to allow man pages to be built without internet access in OBS.
  + cli-0001-docs-include-required-tools-in-source-tree.patch

==== git ====
Version update (2.40.0 -> 2.40.1)

- git 2.40.1:
  * CVE-2023-25652: By feeding specially crafted input to
    git apply --reject, a path outside the working tree can be
    overwritten with partially controlled contents (corresponding to
    the rejected hunk(s) from the given patch).
  * CVE-2023-25815: When Git is compiled with runtime prefix support
    and runs without translated messages, it still used the gettext
    machinery to display messages, which subsequently potentially
    looked for translated messages in unexpected places. This allowed
    for malicious placement of crafted messages.
  * CVE-2023-29007: When renaming or deleting a section from a
    configuration file, certain malicious configuration values may be
    misinterpreted as the beginning of a new configuration section,
    leading to arbitrary configuration injection.

==== gtk3 ====
Version update (3.24.37 -> 3.24.37+68)
Subpackages: gtk3-data gtk3-immodule-amharic gtk3-immodule-inuktitut gtk3-immodule-thai gtk3-immodule-tigrigna gtk3-immodule-vietnamese gtk3-immodule-xim gtk3-lang gtk3-schema gtk3-tools libgtk-3-0 typelib-1_0-Gtk-3_0

- Update to version 3.24.37+68:
  + application: Clean up signal handlers
  + OLE2 DND: Check if move is supported
  + Address issue 5711 by checking that the context is not NULL
  + wayland:
    - Don't crash without xdg_activation_v1
    - Don't crash on cursor size 0
  + gdkscreen-wayland: Notify initial setting change from
    org.gtk.Settings
  + gdk: Swap Cairo calls when reading back from a GdkWindow
  + Updated translations.
- Deprecate %gtk_immodule_(requires|post|postun) macros defined in
  the macros.gtk3 file. Since we are using RPM file triggers to
  provide their functionality, without nullifying them the commands
  will run twice, once by the file triggers and another time by the
  macros.

==== keylime ====
Version update (6.7.0 -> 7.0.0)
Subpackages: keylime-config keylime-firewalld keylime-logrotate keylime-registrar keylime-tenant keylime-tpm_cert_store keylime-verifier python310-keylime

- Remove the agent subpackage
- Remove keylime_ima_emulator binary
- Add keylime_create_policy and keylime_sign_runtime_policy
- Update to version v7.0.0:
  * bump version to 7.0.0
  * bump to version 6.8.0
  * build-sys: Use comma-separated list for running multiple linters
  * tenant: Add brackets to ipv6 addresses when used in URL
  * registrar: Detect IPv6 addresses to bind to and set address_family
  * setup.cfg: use license_files instead of license_file
  * Do not run Packit tests on F38
  * tests: Use Rust agent from COPR for e2e tests
  * tenant: Raise a UserError on status_code != 200 returned from server
  * Add missing test from keylime testsuite to e2e plan
  * tests: remove tpm2-tss downgrade as Fedora bug got fixed
  * da: non-zero exit code for attestation replay failures.
  * ca:CLI utilities (keylime_ca,keylime_tenant) read password from ca.conf
  * log: add a barebones log config in case configuration files not present
  * Fix typo
  * Use subtest in unittest.
  * create_policy: Strip newline from file path read from measurement list
  * create_policy: Validate policies against the JSON schema
  * create_policy: Clarify help text for IMA measurement list
  * create_policy: Add list of ignored keyrings after processing base policy
  * create_policy: Add support for adding an IMA exclude list to the policy
  * create_policy: Avoid duplicate entries in lists
  * codestyle: Annotate with RuntimePolicyType and adapt code
  * codestyle: Import urllib to make pyright happy
  * Introduce PathLike_str for older python versions
  * codestyle: Annotate create_policy.py and add to mypy
  * docs: Update docs to reflect renaming of create_policy tool
  * create_policy: Fix issues related to filelists-ext
  * Move create_policy to keylime/cmd and install as keylime_create_policy
  * Implement DSSE signature verification for runtime policies
  * tenant: Raise UserError on (add/update)runtimepolicy status codes 401
  * tests: Split unittests into two runs to avoid issue
  * ima: Add a JSON schema for the runtime policy and use it on given policies
  * Implement DSSE policy signing tool
  * ima: Derive RUNTIME_POLICY_GENERATOR from enum.IntEnum
  * packit: use rust agent for e2e tests
  * services: remove agent systemd services
  * tests: remove unused code
  * tests: remove agent from config test
  * tpm_ek_ca: remove check_tpm_cert_store(..)
    function
  * tpm, measured boot: remove references to virtual TPMs
  * tpm: remove unused variables and some refactoring
  * algorithms: remove unused from_algorithm method
  * mypy, pyright: remove references to agent in ignores
  * config: remove references to agent
  * crypto: remove unused functions
  * secure_mount: removal
  * tpm: remove unused functions
  * registar_client: remove functions only used by the agent
  * user_utils: removal
  * revocation notifier: remove zeroMQ client code
  * ca_util: remove listen command and related functions
  * revocation actions: remove all
  * ima emulator: full removal
  * agent: remove agent code
  * agentstates: rename tpm_clocking to tpm_clockinfo

==== libalternatives ====
Version update (1.2+3.b848aad -> 1.2+30.a5431e9)
Subpackages: alts libalternatives1

- Update to version v1.2+30.a5431e9: (bsc#1191692)
  * Change license to less restrictive Apache 2.0
  * doc: fixing a few typos
  * Adds option to display target executable only
  * Makefiles and cmake: rework for reproducible build
  * Improve Makefile
  * libalts_exec_default: fix memory leak on error condition
  * libalts_write_binary_configured_priority_to_file: fix memory leak
  * saveConfigData(): fix file descriptor leak in while loop error case
  * loadConfigData(): use goto exit label to prevent file descriptor leaks
  * libalts_load_available_binaries: use goto err: label to fix leaks
  * loadAlternativeForBinary: goto-assisted error handling to avoid leaks
  * checkGroupConsistencies(): explicitly ignore unused `flags`
  * lib: refactor error handling of findAltConfig()
  * utils: fix possible memory leaks on error conditions
  * docs: fix some typos and grammar
  * Update README.md
  * lib: generally open[at] with O_CLOEXEC
  * Fix logic in options parser
  * Add basic Makefile for building without cmake
  * Added description for options=KeepArgv0
  * cmake: Express the dependency on CUnit correctly for building tests
  * cmake: Build and install CMake and PkgConfig files
  * cmake: Fix setup of shared linker flags
  * config.h: Fix
    the version to match the current latest tag

==== libsrtp2 ====

- Enable running the regression tests:
  * Add libsrtp2-test-verbose.patch from the debian folks:
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=460534

==== libyui ====
Version update (4.5.1 -> 4.5.2)

- Qt UI: Fixed regression for icon loading (bsc#1210712)
  https://github.com/libyui/libyui/pull/100
- 4.5.2

==== libyui-ncurses ====
Version update (4.5.1 -> 4.5.2)

- Qt UI: Fixed regression for icon loading (bsc#1210712)
  https://github.com/libyui/libyui/pull/100
- 4.5.2

==== libyui-ncurses-pkg ====
Version update (4.5.1 -> 4.5.2)

- Qt UI: Fixed regression for icon loading (bsc#1210712)
  https://github.com/libyui/libyui/pull/100
- 4.5.2

==== libyui-qt ====
Version update (4.5.1 -> 4.5.2)

- Qt UI: Fixed regression for icon loading (bsc#1210712)
  https://github.com/libyui/libyui/pull/100
- 4.5.2

==== libyui-qt-graph ====
Version update (4.5.1 -> 4.5.2)

- Qt UI: Fixed regression for icon loading (bsc#1210712)
  https://github.com/libyui/libyui/pull/100
- 4.5.2

==== libyui-qt-pkg ====
Version update (4.5.1 -> 4.5.2)

- Qt UI: Fixed regression for icon loading (bsc#1210712)
  https://github.com/libyui/libyui/pull/100
- 4.5.2

==== mozjs102 ====

- Add missing copyright in the spec to claim:
  + Frantisek Zatloukal's work from:
    https://src.fedoraproject.org/rpms/mozjs102/blob/rawhide/f/mozjs102.spec
  + Wolfgang Rosenauer's work from:
    https://build.opensuse.org/package/view_file/openSUSE:Leap:42.3/mozjs38/mozjs38.spec?expand=1

==== openvpn ====
Version update (2.5.9 -> 2.6.3)
Subpackages: openvpn-auth-pam-plugin

- update to 2.6.3:
  * For full changelog please refer to:
    https://github.com/OpenVPN/openvpn/blob/v2.6.3/Changes.rst
  * implement byte counter statistics for DCO Linux (p2mp server and client)
  * implement byte counter statistics for DCO Windows (client only)
  * '--dns server address ...'
    now permits up to 8 v4 or v6 addresses
  * fix a few cases of possibly undefined behaviour detected by ASAN
  * add more unit tests for Windows cryptoapi interface
  * Dynamic TLS Crypt
    When both peers are OpenVPN 2.6.1+, OpenVPN will dynamically
    create a tls-crypt key that is used for renegotiation. This
    ensures that only the previously authenticated peer can trigger
    renegotiation and complete renegotiations.
  * Keying Material Exporters (RFC 5705) based key generation
  * As part of the cipher negotiation OpenVPN will automatically
    prefer the RFC5705 based key material generation to the current
    custom OpenVPN PRF. This feature requires OpenSSL or
    mbed TLS 2.18+.
  * OpenVPN will now work with OpenSSL in FIPS mode. Note, no effort
    has been made to check or implement all the requirements/
    recommendation of FIPS 140-2. This just allows OpenVPN to be run
    on a system on which OpenSSL is configured in FIPS mode.
  * mlock will now check if enough memlock-able memory has been
    reserved, and if less than 100MB RAM are available, use
    setrlimit() to upgrade the limit. See Trac #1390. Not available
    on OpenSolaris.
  * The --peer-fingerprint option has been introduced to give users
    an easy to use alternative to the tls-verify for matching the
    fingerprint of the peer. The option takes a number of allowed
    SHA256 certificate fingerprints.
  * When --peer-fingerprint is used, the --ca and --capath options
    become optional. This allows for small OpenVPN setups without
    setting up a PKI with Easy-RSA or similar software.
  * The --auth-user-pass-verify script now supports deferred
    authentication.
  * Both auth plugin and script can now signal pending authentication
    to the client when using deferred authentication. The new
    client-crresponse script option and
    OPENVPN_PLUGIN_CLIENT_CRRESPONSE plugin function can be used to
    parse a client response to a CR_TEXT two factor challenge.
  * The modernisation of defaults can impact the compatibility of
    OpenVPN 2.6.0 with older peers.
    The option --compat-mode allows UIs to provide users with an
    easy way to still connect to older servers.
  * OpenSSL 3.0 has been added. Most of OpenSSL 3.0 changes are not
    user visible but improve general compatibility with OpenSSL 3.0.
    --tls-cert-profile insecure has been added to allow selecting the
    lowest OpenSSL security level (not recommended, use only if you
    must). OpenSSL 3.0 no longer supports the Blowfish (and other
    deprecated) algorithm by default and the new option --providers
    allows loading the legacy provider to re-enable these algorithms.
  * Ciphers in --data-ciphers can now be prefixed with a ? to mark
    those as optional and only use them if the SSL library supports
    them.
  * The --mssfix and --fragment options now allow an optional mtu
    parameter to specify that different overhead for IPv4/IPv6 should
    be taken into account and the resulting size is specified as the
    total size of the VPN packets including IP and UDP headers.
  * Instead of allocating a connection for each client on the initial
    packet, OpenVPN server will now use an HMAC based cookie as its
    session id. This way the server can verify it on completing the
    handshake without keeping state. This eliminates the
    amplification and resource exhaustion attacks. For tls-crypt-v2
    clients, this requires OpenVPN 2.6 clients or later because the
    client needs to resend its client key on completing the
    handshake. The tls-crypt-v2 option allows controlling if older
    clients are accepted.
- Removed openvpn-fips140-2.3.2.patch

==== setools ====
Version update (4.4.1 -> 4.4.2)

- Update to version 4.4.2:
  * Make NetworkX optional. sedta and seinfoflow tools, along with
    the equivalent analyses in apol require NetworkX.
  * Remove neverallow options in sesearch and apol. These are not
    usable since they are removed in the final binary policy.
- Drop make_networkx_optional.patch, now merged upstream

==== tracker ====
Version update (3.5.0 -> 3.5.1)
Subpackages: libtracker-sparql-3_0-0 tracker-data-files tracker-lang

- Update to version 3.5.1:
  + Reintroduce order/distance independent handling of FTS terms.
  + Documentation improvements.
  + Do not prune too early content of failed batches for error
    processing purposes.

==== tracker-miners ====
Version update (3.5.0 -> 3.5.1)
Subpackages: tracker-miner-files tracker-miners-lang

- Update to version 3.5.1:
  + The tracker-extract-3 service moved all SPARQL queries and
    updates to a GResource. Consistently uses
    TrackerSparqlStatement/TrackerResource for updates.
  + Fixes in uniquely identifying files in BTRFS subvolumes.
  + Ensure deletion of files lingering in content graphs.
  + Ensure correct nie:dataSource after moving files between indexed
    folders.
  + Optimize mass removal of deleted files found during
    initialization.
  + Documentation improvements for the miner services.
  + Do not let systemd spuriously start the tracker-extract-3
    service.
  + Test suite fixes.

==== vim ====
Version update (9.0.1443 -> 9.0.1488)
Subpackages: vim-data vim-data-common vim-small xxd

- Updated to version 9.0.1488, fixes the following problems
  * Ending Insert mode when accessing a hidden prompt buffer.
  * Crash when passing NULL to setcmdline(). (Andreas Louv)
  * openSUSE: configure doesn't find the Motif library. (Tony Mechelynck)
  * Unnecessary checks for the "skip" flag when skipping.
  * Condition is always true.
  * Diff test fails on MacOS 13.
  * Test for prompt buffer is flaky.
  * Unnecessary redrawing when 'showcmdloc' is not "last".
  * Code using EVAL_CONSTANT is dead, it is never set.
  * Typos in source code and tests.
  * Code indenting is confused by macros.
  * C++ 20 modules are not recognized.
  * Shortmess test depends on order of test execution.
  * No regression test for what patch 9.0.1333 fixes.
  * Buffer overflow when expanding long file name.
  * Typo in name of type.
  * Insufficient testing for getcmdcompltype().
  * Ruler not drawn correctly when using 'rulerformat'.
  * Recursively calling :defer function if it does :qa.
  * Virtual text truncation only works with Unicode 'encoding'.
  * Strace filetype detection is expensive.
  * Haiku build fails.
  * Cannot use an object member name as a method argument.
  * Jenkinsfiles are not recognized as groovy.
  * Recursively calling :defer function if it does :qa in a compiled
    function.
  * Deferred functions not called from autocommands.
  * Deferred functions invoked in unexpected order when using :qa and
    autocommands.
  * Warnings for function declarations.
  * ":drop fname" may change the last used tab page.
  * Busted configuration files are not recognized.
  * Lines put in non-current window are not displayed. (Marius Gedminas)
  * Crash when recovering from corrupted swap file.
  * Filetypes for *.v files not detected properly.
  * Small source file problems; outdated list of distributed files.
  * Using popup menu may leave text in the command line.
  * Decrypting with libsodium may fail if the library changes.
  * Crash when textprop has a very large "padding" value.
    (Yegappan Lakshmanan)
  * += operator does not work on class member.
  * Coverity warns for using invalid array index.
  * no functions for converting from/to UTF-16 index.
  * Parallel make might not work.
  * Content-type header for LSP channel not according to spec.
  * xchacha20v2 crypt header is platform dependent.

==== xset ====

- Disable building with libXfontcache. xorg-server 1.6 removed the
  corresponding feature, and it seems unlikely and unusual for anyone
  to e.g. ssh from an old Xorg system to a contemporary SUSE to
  attempt to run the (undocumented) `xset fc` command.