Packages changed:
  bind (9.18.14 -> 9.18.15)
  cups-filters
  curl (8.0.1 -> 8.1.0)
  keylime
  libstorage-ng (4.5.105 -> 4.5.106)
  python-SQLAlchemy
  rubygem-ruby-dbus (0.21.0 -> 0.22.1)
  sqlite3 (3.41.2 -> 3.42.0)
  wpa_supplicant

=== Details ===

==== bind ====
Version update (9.18.14 -> 9.18.15)

- Update to release 9.18.15
  Bug Fixes:
  * The max-transfer-time-in and max-transfer-idle-in statements
    have not had any effect since the BIND 9 networking stack was
    refactored in version 9.16. The missing functionality has been
    re-implemented and incoming zone transfers now time out
    properly when not progressing.
  * The read timeout in rndc is now 60 seconds, matching the
    behavior in BIND 9.16 and earlier. It had previously been
    lowered to 30 seconds by mistake.
  * When the ISC_R_INVALIDPROTO (ENOPROTOOPT, EPROTONOSUPPORT)
    error code is returned by libuv, it is now treated as a network
    failure: the server for which that error code is returned gets
    marked as broken and is not contacted again during a given
    resolution process.
  * When removing delegations from an opt-out range,
    empty-non-terminal NSEC3 records generated by those delegations
    were not cleaned up. This has been fixed.
  * Log file rotation code did not clean up older versions of log
    files when the logging channel had an absolute path configured
    as a file destination. This has been fixed.
  Known Issues:
  * Sending NOTIFY messages silently fails when the source port
    specified in the notify-source statement is already in use.
    This can happen e.g. when multiple servers are configured as
    NOTIFY targets for a zone and some of them are unresponsive.
    This issue can be worked around by not specifying the source
    port for NOTIFY messages in the notify-source statement; note
    that source port configuration is already deprecated and will
    be removed altogether in a future release.

==== cups-filters ====

- cups-filters-1.28.15-0001-beh-backend-Use-execv-instead-of-system-CVE-2023-24805.patch
  cups-filters-1.28.15-0002-beh-backend-Extra-checks-against-odd-forged-input-CVE-2023-24805.patch
  cups-filters-1.28.15-0003-beh-backend-Further-improvements-CVE-2023-24805.patch
  are the upstream
  0001-beh-backend-Use-execv-instead-of-system-CVE-2023-24805.patch
  0002-beh-backend-Extra-checks-against-odd-forged-input-CVE-2023-24805.patch
  0003-beh-backend-Further-improvements-CVE-2023-24805.patch
  backported to cups-filters-1.28.15 to fix
  CVE-2023-24805: RCE in cups-filters, beh CUPS backend
  (bsc#1211340)
  and
  https://github.com/OpenPrinting/cups-filters/commit/8f274035756c04efeb77eb654e9d4c4447287d65

==== curl ====
Version update (8.0.1 -> 8.1.0)
Subpackages: libcurl4

- Update to 8.1.0:
  * Security fixes:
    - UAF in SSH sha256 fingerprint [bsc#1211230, CVE-2023-28319]
    - siglongjmp race condition [bsc#1211231, CVE-2023-28320]
    - IDN wildcard match [bsc#1211232, CVE-2023-28321]
    - POST-after-PUT confusion [bsc#1211233, CVE-2023-28322]
    - See also: https://curl.se/docs/security.html
  * Changes:
    - curl: add --proxy-http2
    - CURLPROXY_HTTPS2: for HTTPS proxy that may speak HTTP/2
    - hostip: refuse to resolve the .onion TLD
    - tool_writeout: add URL component variables
  * Bugfixes:
    - See full changelog here: https://curl.se/changes.html#8_1_0

==== keylime ====
Subpackages: keylime-config keylime-firewalld keylime-logrotate keylime-registrar keylime-tenant keylime-tpm_cert_store keylime-verifier python310-keylime

- Add missing jsonschema dependency

==== libstorage-ng ====
Version update (4.5.105 -> 4.5.106)
Subpackages: libstorage-ng-lang libstorage-ng-ruby libstorage-ng1

- merge gh#openSUSE/libstorage-ng#932
- check for more aliases when looking up udev info
- 4.5.106

==== python-SQLAlchemy ====

- drop unnecessary mypy dependency

==== rubygem-ruby-dbus ====
Version update (0.21.0 -> 0.22.1)

- 0.22.1
  Bug fixes:
  * Fix OBS building by disabling IPv6 tests, gh#mvidner/ruby-dbus#134.
- 0.22.0
  Features:
  * Enable using nokogiri without rexml
    (by Dominik Andreas Schorpp, gh#mvidner/ruby-dbus#132)
  Bug fixes:
  * Respect DBUS_SYSTEM_BUS_ADDRESS environment variable.
  Other:
  * For NameRequestError, mention who is the other owner.
  * Session bus autolaunch still does not work, but: don't try
    launchd except on macOS, and improve the error message.
  * examples/gdbus split off to its own repository

==== sqlite3 ====
Version update (3.41.2 -> 3.42.0)
Subpackages: libsqlite3-0 sqlite3-tcl

- Update to 3.42.0:
  * Add the FTS5 secure-delete command. This option causes all
    forensic traces to be removed from the FTS5 inverted index when
    content is deleted.
  * Enhance the JSON SQL functions to support JSON5 extensions.
  * The SQLITE_CONFIG_LOG and SQLITE_CONFIG_PCACHE_HDRSZ calls to
    sqlite3_config() are now allowed to occur after
    sqlite3_initialize().
  * New sqlite3_db_config() options:
    SQLITE_DBCONFIG_STMT_SCANSTATUS and
    SQLITE_DBCONFIG_REVERSE_SCANORDER.
  * Query planner improvements.
  * Add the --unsafe-testing command-line option.
  * Allow commands ".log on" and ".log off", even in --safe mode.
  * "--" as a command-line argument means all subsequent arguments
    that start with "-" are interpreted as normal non-option
    argument.
  * Magic parameters ":inf" and ":nan" bind to floating point
    literals Infinity and NaN, respectively.
  * Add the ability for application-defined SQL functions to have
    the same name as join keywords: CROSS, FULL, INNER, LEFT,
    NATURAL, OUTER, or RIGHT.
  * Enhancements to PRAGMA integrity_check
  * Allow the session extension to be configured to capture changes
    from tables that lack an explicit ROWID.
  * Added the subsecond modifier to the date and time functions.
  * Negative values passed into sqlite3_sleep() are henceforth
    interpreted as 0.
  * The maximum recursion depth for JSON arrays and objects is
    lowered from 2000 to 1000.
  * Extended the built-in printf() function so the comma option
    now works with floating-point conversions in addition to
    integer conversions.
  * Miscellaneous bug fixes and performance optimizations.

==== wpa_supplicant ====

- Change ctrl_interface from /var/run to %_rundir (/run)