Packages changed:
  crypto-policies (20210917.c9d86d1 -> 20230420.3d08ae7)
  diffutils (3.9 -> 3.10)
  grep (3.10 -> 3.11)
  gstreamer (1.22.2 -> 1.22.3)
  gstreamer-plugins-bad (1.22.2 -> 1.22.3)
  gstreamer-plugins-base (1.22.2 -> 1.22.3)
  gstreamer-plugins-good (1.22.2 -> 1.22.3)
  icewm (3.3.4 -> 3.3.5)
  kernel-source (6.3.2 -> 6.3.4)
  libgcrypt
  libqt5-qtwebengine (5.15.13 -> 5.15.14)
  lsof
  mdadm
  mutter
  zstd

=== Details ===

==== crypto-policies ====
Version update (20210917.c9d86d1 -> 20230420.3d08ae7)
Subpackages: crypto-policies-scripts

- FIPS: Enable to set the kernel FIPS mode with fips-mode-setup and
  fips-finish-install commands, add also the man pages. The required
  FIPS modules are left to be installed by the user.
  * Rebase crypto-policies-FIPS.patch
- Revert a breaking change that introduces the config option
  rh-allow-sha1-signatures that is unknown to OpenSSL and fails on
  startup. We will consider adding this option to openssl.
  * https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/97fe4494
  * Add crypto-policies-revert-rh-allow-sha1-signatures.patch
- Update the update-crypto-policies(8) man pages and README.SUSE
  to mention the supported back-end policies.
  [bsc#1209998]
  * Add crypto-policies-supported.patch
- Update to version 20230420.3d08ae7:
  * openssl, alg_lists: add brainpool support
  * openssl: set Groups explicitly
  * codespell: ignore aNULL
  * rpm-sequoia: allow 1024 bit DSA and SHA-1 per FeSCO decision 2960
  * sequoia: add separate rpm-sequoia backend
  * crypto-policies.7: state upfront that FUTURE is not so interoperable
  * Makefile: update for asciidoc 10
  * Skip not needed LibreswanGenerator and SequoiaGenerator:
    - Add crypto-policies-policygenerators.patch
  * Remove crypto-policies-test_supported_modules_only.patch
  * Rebase crypto-policies-no-build-manpages.patch
- Update to version 20221214.a4c31a3:
  * bind: expand the list of disableable algorithms
  * libssh: Add support for openssh fido keys
  * .gitlab-ci.yml: install krb5-devel for krb5-config
  * sequoia: check using sequoia-policy-config-check
  * sequoia: introduce new back-end
  * Makefile: support overriding asciidoc executable name
  * openssh: make none and auto explicit and different
  * openssh: autodetect and allow forcing RequiredRSASize presence/name
  * openssh: remove _pre_8_5_ssh
  * pylintrc: update
  * Revert "disable SHA-1 further for a Fedora 38 Rawhide "jump scare"..."
  * disable SHA-1 further for a Fedora 38 Rawhide "jump scare"...
  * Makefile: exclude built manpages from codespell
  * add openssh HostbasedAcceptedAlgorithms
  * openssh: add RSAMinSize option following min_rsa_size
  * Revert ".gitlab-ci.yml: skip pylint (bz2069837)"
  * docs: add customization recommendation
  * tests/java: fix java.security.disableSystemPropertiesFile=true
  * policies: add FEDORA38 and TEST-FEDORA39
  * bind: control ED25519/ED448
  * openssl: disable SHA-1 signatures in FUTURE/NO-SHA1
  * .gitlab-ci.yml: skip pylint (bz2069837)
  * openssh: add support for sntrup761x25519-sha512@openssh.com
  * fips-mode-setup: fix one unrelated check to intended state
  * fips-mode-setup, fips-finish-install: abandon /etc/system-fips
  * Makefile: fix alt-policy test of LEGACY:AD-SUPPORT
  * fips-mode-setup: catch more inconsistencies, clarify --check
  * fips-mode-setup: improve handling FIPS plus subpolicies
  * .gitlab-ci.yml: use rawhide so that we get gnutls 3.7.3
  * gnutls: enable SHAKE, needed for Ed448
  * gnutls: use allowlisting
  * openssl: add newlines at the end of the output
  * FIPS:OSPP: relax -ECDSA-SHA2-512, -FFDHE-*
  * fips-mode-setup, fips-finish-install: call zipl more often
  * Add crypto-policies-rpmlintrc file to avoid files-duplicate,
    zero-length and non-conffile-in-etc warnings.
  * Rebase patches:
    - crypto-policies-FIPS.patch
    - crypto-policies-no-build-manpages.patch
  * Update README.SUSE

==== diffutils ====
Version update (3.9 -> 3.10)
Subpackages: diffutils-lang

- diffutils 3.10:
  * cmp/diff can again work with file dates past Y2K38
  * diff -D no longer fails to output #ifndef lines

==== grep ====
Version update (3.10 -> 3.11)
Subpackages: grep-lang

- update to 3.11:
  * With -P, patterns like [\d] now work again. Fixing this has caused
    grep to revert to the behavior of grep 3.8, in that patterns like
    \w and \b go back to using ASCII rather than Unicode
    interpretations. However, future versions of GNU grep and/or PCRE2
    are likely to fix this and change the behavior of \w and \b back
    to Unicode again, without breaking [\d] as 3.10 did.

==== gstreamer ====
Version update (1.22.2 -> 1.22.3)
Subpackages: gstreamer-lang libgstreamer-1_0-0 typelib-1_0-Gst-1_0

- Update to version 1.22.3:
  + Highlighted bugfixes:
    - avdec: fix occasional video decoder deadlock on seeking with FFmpeg 6.0.
    - decodebin3: fix regression handling input streams without CAPS or
      TIME segment such as e.g. udpsrc or pushfilesrc.
    - bluez: a2dpsink: fix Bluetooth SIG Certification test failures.
    - osxvideosink: fix deadlock upon closing output window.
    - qtdemux: fix edit list handling regression and AV1 codec box parsing.
    - qtmux: fix extraction of CEA608 closed caption data from S334-1A packets.
    - rtspsrc: Fix handling of * control path.
    - splitmux: timestamp handling improvements.
    - v4l2videodec: Rework dynamic resolution change handling (needed
      for IMX6 mainline codec).
    - videoflip: fix regression with automatically rotating video based on tags.
    - d3d11: many d3d11videosink and d3d11compositor fixes.
    - webrtc, rtp: numerous data race fixes and stability fixes.
    - various bug fixes, memory leak fixes, and other stability and
      reliability improvements.
  + gstreamer:
    - tracing: Initialize tracing infrastructure even if the debug
      system is not compiled in.
    - parse-launch: fix missing unref of looked-up child element.
    - gstutils: Add category and object to most logging messages.
- Rebase reduce-required-meson.patch.

==== gstreamer-plugins-bad ====
Version update (1.22.2 -> 1.22.3)
Subpackages: gstreamer-plugins-bad-lang libgstadaptivedemux-1_0-0 libgstbadaudio-1_0-0 libgstbasecamerabinsrc-1_0-0 libgstcodecparsers-1_0-0 libgstcodecs-1_0-0 libgstcuda-1_0-0 libgstisoff-1_0-0 libgstmpegts-1_0-0 libgstphotography-1_0-0 libgstplay-1_0-0 libgstplayer-1_0-0 libgstsctp-1_0-0 libgsttranscoder-1_0-0 libgsturidownloader-1_0-0 libgstva-1_0-0 libgstvulkan-1_0-0 libgstwayland-1_0-0 libgstwebrtc-1_0-0 libgstwebrtcnice-1_0-0

- Update to version 1.22.3:
  + a2dpsink: Fails many tests in Bluetooth SIG Certification.
  + avdtputil: Use int instead of int range for fixed bitpool values.
  + ccconverter:
    - reintroduce frame count reset on cycle completion
    - integer overflow & crashing
  + codectimestamper: remove PC file generation from plugin's own meson.build.
  + cudamemory: Fix for semi planar YUV memory size decision.
  + d3d11compositor:
    - Reconfigure resource only when output caps is changed.
    - Skip zero alpha input.
  + d3d11convert: Fix for runtime property update.
  + d3d11memory: Don't clear wrapped texture memory.
  + d3d11videosink:
    - Fix for ignored initial render rectangle.
    - Fix race condition in window unprepare.
    - Enhancement for initial window size decision.
    - Don't clear prepared buffer on unlock_stop().
  + dashdemux: mpdclient: fix divide by 0 if segment has no duration.
  + dtlstransport: Keep strong ref of dtls encoder/decoder.
  + GstPlay:
    - Avoid getting property of playbin2 if subtitle_sid is null.
    - Fix critical log when using playbin3.
  + h264decoder: Drop nonexisting picture silently without error.
  + dtmf: element classification improvements.
  + mfvideoenc: Allow only even resolution numbers.
  + sctpenc:
    - Fix potential shutdown deadlock.
    - Fix "srtp-key" check.
  + tests: disable dtls test if openssl is not present.
  + tsdemux: Set number of channels to 2 for dual mono Opus.
  + va: Various fixes for defects found with MSVC.
  + wasapi2: Allows process loopback capture on Windows 10.
  + webrtcdatachannel: Bind to parent webrtcbin using a weak reference.
  + webrtcbin: Fix potential deadlock when closing before any data was sent.
  + webrtc:
    - Plug leaks of resolved ICE addresses.
    - Do not tear down data channel before data is flushed.
- Rebase reduce-required-meson.patch.

==== gstreamer-plugins-base ====
Version update (1.22.2 -> 1.22.3)
Subpackages: gstreamer-plugins-base-lang libgstallocators-1_0-0 libgstapp-1_0-0 libgstaudio-1_0-0 libgstfft-1_0-0 libgstgl-1_0-0 libgstpbutils-1_0-0 libgstriff-1_0-0 libgstrtp-1_0-0 libgstrtsp-1_0-0 libgstsdp-1_0-0 libgsttag-1_0-0 libgstvideo-1_0-0 typelib-1_0-GstTag-1_0

- Update to version 1.22.3:
  + allocators: Fix fdmem unit test with recent GLib versions.
  + audiotestsrc: Initialize all samples in wave=ticks mode.
  + decodebin3:
    - Handle input streams without CAPS or TIME segment such as e.g.
      udpsrc or pushfilesrc.
    - Fix regression handling streams without caps.
    - Fix random hang when remove failing stream.
  + uridecodebin3: Ensure atomic urisourcebin state change.
  + glvideoflip: fix leaked caps.
  + glcontext_wgl: fix missing unref.
  + playsink: Fix volume leak.
- Rebase reduce-required-meson.patch.

==== gstreamer-plugins-good ====
Version update (1.22.2 -> 1.22.3)
Subpackages: gstreamer-plugins-good-gtk gstreamer-plugins-good-lang

- Update to version 1.22.3:
  + adaptivedemux2: fix critical when using an unsupported URI.
  + dashdemux2: mpdclient: fix divide by 0 if segment has no duration.
  + imagesequencesrc: Properly set default location.
  + multifile: error out if no filename was set.
  + osxvideosink: fix deadlock upon closing output window.
  + rtpmanager: rtpsession:
    - Data race leading to critical warnings.
    - Race conditions leading to critical warnings.
  + rtspsrc: Fix handling of * control path.
  + splitmuxsink: Catch invalid DTS to avoid running into problems later.
  + splitmuxsrc: Make PTS contiguous by preference.
  + qtdemux: emit no-more-pads after pruning old pads.
  + Revert "qtdemux: fix conditions for end of segment in reverse
    playback" to fix edit list regression.
  + qtdemux: Fix av1C parsing.
  + qtmux: Fix extraction of CEA608 data from S334-1A packets.
  + qtwindow: unref caps in destructor.
  + v4l2:
    - device provider: Fix GMainLoop leak.
    - videodec: Rework dynamic resolution change handling.
    - videodec: Prefer acquired caps over anything downstream.
  + videoflip:
    - Fix setting of method property at construction time.
    - Videoflip 1.22.2 not rotating video when extracting frames.
- Rebase reduce-required-meson.patch.

==== icewm ====
Version update (3.3.4 -> 3.3.5)
Subpackages: icewm-config-upstream icewm-default icewm-lang

- Update to 3.3.5:
  * Lookup icons in more context directories for issue ice-wm/icewm#132.
  * An Escape key release event must match the key press event for #726.
  * Report when icon could not be found for issue ice-wm/icewm#133.
  * Use "firefox" instead of "mozilla" as Firefox icon for ice-wm/icewm#132.
  * Rescale workspace buttons when taskbar is rather high.
  * Temporarily hide the taskbar collapse button when collapsing or expanding.
  * Compute the ultimate workspace button height, before creating them.
  * Limit the resource string of an unresponsive client for issue #729.
  * Check for TaskBarDoubleHeight when computing workspace button height.
  * Also focus last window when hiding and Click-to-focus for issue #727.
  * Let icesh exit with zero if the last action was a successful manager action.

==== kernel-source ====
Version update (6.3.2 -> 6.3.4)

- xfs: fix livelock in delayed allocation at ENOSPC (brc#2208553 xfs-issue).
- commit 2c66b1f
- Linux 6.3.4 (bsc#1012628).
- drm/fbdev-generic: prohibit potential out-of-bounds access (bsc#1012628).
- drm/dsc: fix DP_DSC_MAX_BPP_DELTA_* macro values (bsc#1012628).
- drm/nouveau/disp: More DP_RECEIVER_CAP_SIZE array fixes (bsc#1012628).
- drm/mipi-dsi: Set the fwnode for mipi_dsi_device (bsc#1012628).
- ARM: 9296/1: HP Jornada 7XX: fix kernel-doc warnings (bsc#1012628).
- net: skb_partial_csum_set() fix against transport header magic value (bsc#1012628).
- net: mdio: mvusb: Fix an error handling path in mvusb_mdio_probe() (bsc#1012628).
- perf/core: Fix perf_sample_data not properly initialized for different swevents in perf_tp_event() (bsc#1012628).
- scsi: ufs: core: Fix I/O hang that occurs when BKOPS fails in W-LUN suspend (bsc#1012628).
- tick/broadcast: Make broadcast device replacement work correctly (bsc#1012628).
- linux/dim: Do nothing if no time delta between samples (bsc#1012628).
- net: stmmac: Initialize MAC_ONEUS_TIC_COUNTER register (bsc#1012628).
- net: Fix load-tearing on sk->sk_stamp in sock_recv_cmsgs() (bsc#1012628).
- net: phy: bcm7xx: Correct read from expansion register (bsc#1012628).
- netfilter: nf_tables: always release netdev hooks from notifier (bsc#1012628).
- netfilter: conntrack: fix possible bug_on with enable_hooks=1 (bsc#1012628).
- bonding: fix send_peer_notif overflow (bsc#1012628).
- netlink: annotate accesses to nlk->cb_running (bsc#1012628).
- net: annotate sk->sk_err write from do_recvmmsg() (bsc#1012628).
- net: deal with most data-races in sk_wait_event() (bsc#1012628).
- net: add vlan_get_protocol_and_depth() helper (bsc#1012628).
- tcp: add annotations around sk->sk_shutdown accesses (bsc#1012628).
- gve: Remove the code of clearing PBA bit (bsc#1012628).
- ipvlan:Fix out-of-bounds caused by unclear skb->cb (bsc#1012628).
- net: mscc: ocelot: fix stat counter register values (bsc#1012628).
- drm/sched: Check scheduler work queue before calling timeout handling (bsc#1012628).
- net: datagram: fix data-races in datagram_poll() (bsc#1012628).
- af_unix: Fix a data race of sk->sk_receive_queue->qlen (bsc#1012628).
- af_unix: Fix data races around sk->sk_shutdown (bsc#1012628).
- drm/i915/guc: Don't capture Gen8 regs on Xe devices (bsc#1012628).
- drm/i915: Fix NULL ptr deref by checking new_crtc_state (bsc#1012628).
- drm/i915/dp: prevent potential div-by-zero (bsc#1012628).
- drm/i915: taint kernel when force probing unsupported devices (bsc#1012628).
- fbdev: arcfb: Fix error handling in arcfb_probe() (bsc#1012628).
- ext4: reflect error codes from ext4_multi_mount_protect() to its callers (bsc#1012628).
- ext4: don't clear SB_RDONLY when remounting r/w until quota is re-enabled (bsc#1012628).
- ext4: allow to find by goal if EXT4_MB_HINT_GOAL_ONLY is set (bsc#1012628).
- ext4: allow ext4_get_group_info() to fail (bsc#1012628).
- refscale: Move shutdown from wait_event() to wait_event_idle() (bsc#1012628).
- selftests: cgroup: Add 'malloc' failures checks in test_memcontrol (bsc#1012628).
- rcu: Protect rcu_print_task_exp_stall() ->exp_tasks access (bsc#1012628).
- open: return EINVAL for O_DIRECTORY | O_CREAT (bsc#1012628).
- fs: hfsplus: remove WARN_ON() from hfsplus_cat_{read,write}_inode() (bsc#1012628).
- drm/displayid: add displayid_get_header() and check bounds better (bsc#1012628).
- drm/amd/display: populate subvp cmd info only for the top pipe (bsc#1012628).
- drm/amd/display: Correct DML calculation to align HW formula (bsc#1012628).
- drm/amd/display: enable DPG when disabling plane for phantom pipe (bsc#1012628).
- platform/x86: x86-android-tablets: Add Acer Iconia One 7 B1-750 data (bsc#1012628).
- drm/amd/display: Enable HostVM based on rIOMMU active (bsc#1012628).
- drm/amd/display: Use DC_LOG_DC in the trasform pixel function (bsc#1012628).
- regmap: cache: Return error in cache sync operations for REGCACHE_NONE (bsc#1012628).
- remoteproc: imx_dsp_rproc: Add custom memory copy implementation for i.MX DSP Cores (bsc#1012628).
- arm64: dts: qcom: msm8996: Add missing DWC3 quirks (bsc#1012628).
- accel/habanalabs: postpone mem_mgr IDR destruction to hpriv_release() (bsc#1012628).
- drm/amd/display: reallocate DET for dual displays with high
  ... changelog too long, skipping 952 lines ...
- commit 1237d35

==== libgcrypt ====

- FIPS: Merge the libgcrypt20-hmac package into the library and
  remove the "module is complete" trigger file .fips [bsc#1185116]
  * Remove libgcrypt-1.10.0-use-fipscheck.patch

==== libqt5-qtwebengine ====
Version update (5.15.13 -> 5.15.14)

- Update to version 5.15.14:
  * Blacklist TouchInputTest::touchTap for sles 15.4
  * Blacklist tst_QWebEnginePage::mouseMovementProperties for SLES-15
  * Do not allow universal with debug builds
  * Enable accessibility by default on Linux
  * Fix blacklisting of mouseMovementProperties for sles 15.4
  * Fix build with GCC 13
  * Fix initialization of QWebEngineDownloadItem::totalBytes for Widgets
  * Fix memory management in QPdfDocument functions
  * Update Chromium:
    * Fixes for building with GCC-13
    * [Backport] CVE-2023-1215: Type Confusion in CSS
    * [Backport] CVE-2023-1217: Stack buffer overflow in Crash reporting
    * [Backport] CVE-2023-1219: Heap buffer overflow in Metrics
    * [Backport] CVE-2023-1220: Heap buffer overflow in UMA
    * [Backport] CVE-2023-1222: Heap buffer overflow in Web Audio API
    * [Backport] CVE-2023-1529: Out of bounds memory access in WebHID
    * [Backport] CVE-2023-1530: Use after free in PDF
    * [Backport] CVE-2023-1531: Use after free in ANGLE
    * [Backport] CVE-2023-1534: Out of bounds read in ANGLE
    * [Backport] CVE-2023-1810: Heap buffer overflow in Visuals
    * [Backport] CVE-2023-1811: Use after free in Frames
    * [Backport] CVE-2023-2033: Type Confusion in V8
    * [Backport] CVE-2023-2137: Heap buffer overflow in sqlite
    * [Backport] CVE-2023-29469 / Security bug 1433328
    * [Backport] Security bug 1337747
    * [Backport] Security bug 1417585
    * [Backport] Security bug 1418734
    * [Backport] Security bug 1423360
    * [Backport] Security bug 1427388
- Drop patch, merged upstream:
  * 0001-Fixes-for-building-with-GCC-13.patch

==== lsof ====

- Repacked tarball to remove proprietary code in dialects/uw/uw7/sys/fs

==== mdadm ====

- Grow: fix possible memory leak (bsc#1208618)
  0060-Grow-fix-possible-memory-leak.patch
- Grow: fix can't change bitmap type from none to clustered (bsc#1208618)
  0061-Grow-fix-can-t-change-bitmap-type-from-none-to-clustered.patch
- Use source code mdadm-4.2.tar.xz from kernel.org version for checksum
  - mdadm-4.2.tar.xz

==== mutter ====
Subpackages: mutter-lang

- Add mutter-do-not-unminimize-windows-with-initial-iconic.patch:
  mutter used to unminimize windows with initial IconicState, which
  is a workaround for some old wine games; it breaks apps like xterm
  started with -iconic. This patch reverts it (bsc#1193190,
  glgo#GNOME/mutter!3001).

==== zstd ====
Subpackages: libzstd1

- Revert the addition of build specific cmake files: breaks gdal,
  apache-arrow and possibly others -- boo#1211566
  * note that shipping cmake files is not intentional or supported
    upstream at the moment: gh#facebook/zstd#3642