Packages changed: bind (9.18.16 -> 9.18.17) elfutils-debuginfod hwinfo (23.1 -> 23.2) kernel-source (6.4.3 -> 6.4.4) libva (2.18.0 -> 2.19.0) libva-gl (2.18.0 -> 2.19.0) nghttp2 (1.54.0 -> 1.55.1) openssh (9.3p1 -> 9.3p2) openssh-askpass-gnome (9.3p1 -> 9.3p2) openssl-3 python-jsonschema-specifications (2023.6.1 -> 2023.7.1) python-rich qalculate (4.6.1 -> 4.7.0) sof-firmware (2.2.5 -> 2.2.6) systemd (253.5 -> 253.7) sysuser-tools tar update-alternatives (1.21.8 -> 1.21.22) webkit2gtk3 (2.40.3 -> 2.40.4) webkit2gtk4 (2.40.3 -> 2.40.4) === Details === ==== bind ==== Version update (9.18.16 -> 9.18.17) - Update to release 9.18.17 Feature Changes: * If a response from an authoritative server has its RCODE set to FORMERR and contains an echoed EDNS COOKIE option that was present in the query, named now retries sending the query to the same server without an EDNS COOKIE option. * The relaxed QNAME minimization mode now uses NS records. This reduces the number of queries named makes when resolving, as it allows the non-existence of NS RRsets at non-referral nodes to be cached in addition to the normally cached referrals. Bug Fixes: * The ability to read HMAC-MD5 key files, which was accidentally lost in BIND 9.18.8, has been restored. * Several minor stability issues with the catalog zone implementation have been fixed. ==== elfutils-debuginfod ==== Subpackages: debuginfod-profile libdebuginfod1 - Replace libdebuginfo1 sub-package's debuginfod-profile Recommends with config(debuginfod-profile) Requires, but on the debuginfod-\ client sub-package, instead. And add binutils, bpftrace-tools, elfutils, gdb, perf, systemd-coredump, and valgrind Supplements to debuginfod-client sub-package. This should make installation of debuginfod-client more consistent, along with debuginfod-\ profile, with software/packages that have debuginfod support. ==== hwinfo ==== Version update (23.1 -> 23.2) Subpackages: libhd23 - merge gh#openSUSE/hwinfo#128 - Add support for loongarch cpu - 23.2 ==== kernel-source ==== Version update (6.4.3 -> 6.4.4) - Linux 6.4.4 (bsc#1012628). - start_kernel: Add __no_stack_protector function attribute (bsc#1012628). - USB: serial: option: add LARA-R6 01B PIDs (bsc#1012628). - usb: dwc3: gadget: Propagate core init errors to UDC during pullup (bsc#1012628). - phy: tegra: xusb: Clear the driver reference in usb-phy dev (bsc#1012628). - extcon: usbc-tusb320: Unregister typec port on driver removal (bsc#1012628). - dt-bindings: iio: ad7192: Add mandatory reference voltage source (bsc#1012628). - iio: addac: ad74413: don't set DIN_SINK for functions other than digital input (bsc#1012628). - iio: adc: ad7192: Fix null ad7192_state pointer access (bsc#1012628). - iio: adc: ad7192: Fix internal/external clock selection (bsc#1012628). - iio: accel: fxls8962af: errata bug only applicable for FXLS8962AF (bsc#1012628). - iio: accel: fxls8962af: fixup buffer scan element type (bsc#1012628). - Revert "drm/amd/display: edp do not add non-edid timings" (bsc#1012628). - fs: pipe: reveal missing function protoypes (bsc#1012628). - s390/kasan: fix insecure W+X mapping warning (bsc#1012628). - blk-mq: don't queue plugged passthrough requests into scheduler (bsc#1012628). - block: Fix the type of the second bdev_op_is_zoned_write() argument (bsc#1012628). - block/rq_qos: protect rq_qos apis with a new lock (bsc#1012628). - splice: Fix filemap_splice_read() to use the correct inode (bsc#1012628). - erofs: kill hooked chains to avoid loops on deduplicated compressed images (bsc#1012628). - x86/resctrl: Only show tasks' pid in current pid namespace (bsc#1012628). - fsverity: use shash API instead of ahash API (bsc#1012628). - fsverity: don't use bio_first_page_all() in fsverity_verify_bio() (bsc#1012628). - blk-iocost: use spin_lock_irqsave in adjust_inuse_and_calc_cost (bsc#1012628). - x86/sev: Fix calculation of end address based on number of pages (bsc#1012628). - blk-cgroup: Reinit blkg_iostat_set after clearing in blkcg_reset_stats() (bsc#1012628). - virt: sevguest: Add CONFIG_CRYPTO dependency (bsc#1012628). - blk-mq: fix potential io hang by wrong 'wake_batch' (bsc#1012628). - lockd: drop inappropriate svc_get() from locked_get() (bsc#1012628). - nvme-core: fix memory leak in dhchap_secret_store (bsc#1012628). - nvme-core: fix memory leak in dhchap_ctrl_secret (bsc#1012628). - nvme-core: add missing fault-injection cleanup (bsc#1012628). - nvme-core: fix dev_pm_qos memleak (bsc#1012628). - md/raid10: check slab-out-of-bounds in md_bitmap_get_counter (bsc#1012628). - md/raid10: fix overflow of md/safe_mode_delay (bsc#1012628). - md/raid10: fix wrong setting of max_corr_read_errors (bsc#1012628). - md/raid10: fix null-ptr-deref of mreplace in raid10_sync_request (bsc#1012628). - md/raid10: fix io loss while replacement replace rdev (bsc#1012628). - md/raid1-10: factor out a helper to add bio to plug (bsc#1012628). - md/raid1-10: factor out a helper to submit normal write (bsc#1012628). - md/raid1-10: submit write io directly if bitmap is not enabled (bsc#1012628). - block: fix blktrace debugfs entries leakage (bsc#1012628). - irqchip/loongson-eiointc: Fix irq affinity setting during resume (bsc#1012628). - splice: don't call file_accessed in copy_splice_read (bsc#1012628). - irqchip/stm32-exti: Fix warning on initialized field overwritten (bsc#1012628). - irqchip/jcore-aic: Fix missing allocation of IRQ descriptors (bsc#1012628). - svcrdma: Prevent page release when nothing was received (bsc#1012628). - erofs: fix compact 4B support for 16k block size (bsc#1012628). - posix-timers: Prevent RT livelock in itimer_delete() (bsc#1012628). - tick/rcu: Fix bogus ratelimit condition (bsc#1012628). - tracing/timer: Add missing hrtimer modes to decode_hrtimer_mode() (bsc#1012628). - btrfs: always read the entire extent_buffer (bsc#1012628). - btrfs: don't use btrfs_bio_ctrl for extent buffer reading (bsc#1012628). - btrfs: return bool from lock_extent_buffer_for_io (bsc#1012628). - btrfs: submit a writeback bio per extent_buffer (bsc#1012628). - btrfs: fix range_end calculation in extent_write_locked_range (bsc#1012628). - btrfs: don't fail writeback when allocating the compression context fails (bsc#1012628). - btrfs: only call __extent_writepage_io from extent_write_locked_range (bsc#1012628). - btrfs: don't treat zoned writeback as being from an async ... changelog too long, skipping 1321 lines ... - commit f6ca0bc ==== libva ==== Version update (2.18.0 -> 2.19.0) Subpackages: libva-drm2 libva-x11-2 libva2 - Update to 2.19.0: * add: Add mono_chrome to VAEncSequenceParameterBufferAV1 * add: Enable support for license acquisition of multiple protected playbacks * fix: use secure_getenv instead of getenv * trace: Improve and add VA trace log for AV1 encode * trace: Unify va log message, replace va_TracePrint with va_TraceMsg. ==== libva-gl ==== Version update (2.18.0 -> 2.19.0) - Update to 2.19.0: * add: Add mono_chrome to VAEncSequenceParameterBufferAV1 * add: Enable support for license acquisition of multiple protected playbacks * fix: use secure_getenv instead of getenv * trace: Improve and add VA trace log for AV1 encode * trace: Unify va log message, replace va_TracePrint with va_TraceMsg. ==== nghttp2 ==== Version update (1.54.0 -> 1.55.1) - update to 1.55.1: * Fix memory leak This commit fixes memory leak that happens when PUSH_PROMISE or HEADERS frame cannot be sent, and nghttp2_on_stream_close_callback fails with a fatal error. For example, if GOAWAY frame has been received, a HEADERS frame that opens new stream cannot be sent. This issue has already been made public via CVE-2023-35945 by envoyproxy/envoy project. During embargo period, the patch to fix this bug was accidentally submitted to nghttp2/nghttp2 repository [2]. And they decided to disclose CVE early. I was notified just 1.5 hours before disclosure. I had no time to respond. PoC described in [1] is quite simple, but I think it is not enough to trigger this bug. While it is true that receiving GOAWAY prevents a client from opening new stream, and nghttp2 enters error handling branch, in order to cause the memory leak, nghttp2_session_close_stream function must return a fatal error. NGHTTP2_ERR_NOMEM, as its name suggests, indicates out of memory. It is unlikely that a process gets short of memory with this simple PoC scenario unless application does something memory heavy processing. * NGHTTP2_ERR_CALLBACK_FAILURE is returned from application defined callback function (nghttp2_on_stream_close_callback, in this case), which indicates something fatal happened inside a callback, and a connection must be closed immediately without any further action. As nghttp2_on_stream_close_error_callback documentation says, any error code other than 0 or NGHTTP2_ERR_CALLBACK_FAILURE is treated as fatal error code. More specifically, it is treated as if NGHTTP2_ERR_CALLBACK_FAILURE is returned. I guess that envoy returns NGHTTP2_ERR_CALLBACK_FAILURE or other error code which is translated into NGHTTP2_ERR_CALLBACK_FAILURE. https://github.com/envoyproxy/envoy/security/advisories/GHSA- jfxv-29pc-x22r ==== openssh ==== Version update (9.3p1 -> 9.3p2) Subpackages: openssh-clients openssh-common openssh-server - Update to openssh 9.3p2 (bsc#1213504, CVE-2023-38408): Security ======== Fix CVE-2023-38408 - a condition where specific libaries loaded via ssh-agent(1)'s PKCS#11 support could be abused to achieve remote code execution via a forwarded agent socket if the following conditions are met: * Exploitation requires the presence of specific libraries on the victim system. * Remote exploitation requires that the agent was forwarded to an attacker-controlled system. Exploitation can also be prevented by starting ssh-agent(1) with an empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an allowlist that contains only specific provider libraries. This vulnerability was discovered and demonstrated to be exploitable by the Qualys Security Advisory team. In addition to removing the main precondition for exploitation, this release removes the ability for remote ssh-agent(1) clients to load PKCS#11 modules by default (see below). Potentially-incompatible changes - ------------------------------- * ssh-agent(8): the agent will now refuse requests to load PKCS#11 modules issued by remote clients by default. A flag has been added to restore the previous behaviour "-Oallow-remote-pkcs11". Note that ssh-agent(8) depends on the SSH client to identify requests that are remote. The OpenSSH >=8.9 ssh(1) client does this, but forwarding access to an agent socket using other tools may circumvent this restriction. ==== openssh-askpass-gnome ==== Version update (9.3p1 -> 9.3p2) - Update to openssh 9.3p2 * No changes for askpass, see main package changelog for details ==== openssl-3 ==== Subpackages: libopenssl3 - Security fix: [bsc#1213487, CVE-2023-3446] * Fix DH_check() excessive time with over sized modulus. * The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ("p" parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length. However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large. A new limit has been added to DH_check of 32,768 bits. Supplying a key/parameters with a modulus over this size will simply cause DH_check() to fail. * Add openssl-CVE-2023-3446.patch openssl-CVE-2023-3446-test.patch - Security fix: [bsc#1213383, CVE-2023-2975] * AES-SIV implementation ignores empty associated data entries * Add openssl-CVE-2023-2975.patch ==== python-jsonschema-specifications ==== Version update (2023.6.1 -> 2023.7.1) - update to 2023.7.1: no changelog, only diff available at https://github.com/python-jsonschema/jsonschema-specifications/compare/v2023.06.1...v2023.07.1 ==== python-rich ==== - %{?sle15_python_module_pythons} mut be at beginning to work. ==== qalculate ==== Version update (4.6.1 -> 4.7.0) Subpackages: libqalculate22 qalculate-data - version update to 4.7.0 * Support for custom default angle unit, e.g. turn, arcsec, arcmin * Append default angle unit (instead of always radians) when converting value without unit to angle unit * More consistent addition and removal of angle unit from function arguments * Always interpret ./, .*, and .^ as entrywise operators if user intention is unclear * Change order of operations to place entrywise and ordinary operators on the same precedence level * Add function, kron(), for Kronecker product, and constants for Pauli matrices * Add radius to planets dataset and update other properties * Support replacement of unknown variables within variable values * Fix besselj(0, 0) * Fix incomplete calculation in tan() with try exact approximation * Fix 0/0=0 equality (do not return true) and output of 2/0 (and similar) * Fixes and improvements for newtonsolve() and secantsolve() * Fix segfault when MathStructure is deleted after Calculator, and in destructor of calculated DynamicVariable (called from Calculator destructor) * Do not save mode on exit if "-defaults" command line switch where used (CLI) * Allow multiple actions for keyboard shortcuts (GTK, Qt) * Add toggle precision, and min, max, or min and max decimals to available shortcut and button actions (GTK, Qt) * Add option to exclude units for unformatted ASCII copy (GTK, Qt) * Add optional value to copy result action, allowing expression copy and formatting selection (GTK, Qt) * Fix copy unformatted ASCII when local digit group separator is same as selected decimal separator (GTK, Qt) * Add option to automatically copy result (Qt) * Always set (primary) selection clipboard contents when whole expression is selected or selection is cleared, e.g. after calculation (Qt) * Improve support dark mode and high contrast modes, and change default style to Fusion, on Windows (Qt) * Minor bug fixes and feature enhancements ==== sof-firmware ==== Version update (2.2.5 -> 2.2.6) - Update to version 2.2.6: There's no FW binary change. This release adds a few new topology binaries for Intel Tiger Lake (TGL), Alder Lake (ADL) and Raptor Lake (RPL) platforms - Add Notice.NXP ==== systemd ==== Version update (253.5 -> 253.7) Subpackages: libsystemd0 libudev1 systemd-boot systemd-coredump systemd-doc systemd-lang udev - Import commit 2dac0aff9ced1eca0cd11c24e264b33095ee5a5e (merge of v253.7) For a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/6458c066547eaadf0e9709e441ea36ad03faa860...2dac0aff9ced1eca0cd11c24e264b33095ee5a5e - Import commit 6458c066547eaadf0e9709e441ea36ad03faa860 (merge of v253.6) For a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/07bb12a282b0ea378850934c4a76008b448b8bad...6458c066547eaadf0e9709e441ea36ad03faa860 - Drop 5002-Revert-core-service-when-resetting-PID-also-reset-kn.patch, it's been backported to v253.6. - Move a bunch of files from systemd to udev. These are pretty useless without block devices. ==== sysuser-tools ==== - Add "quilt setup" friendly hint to %sysusers_requires usage It is not required to have sysuser-tools installed when working with a pkg source which uses sysuser-tools at build time. ==== tar ==== Subpackages: tar-lang tar-rmt - Update tests-skip-time01-on-32bit-time_t.patch to not run test on armv6 either ==== update-alternatives ==== Version update (1.21.8 -> 1.21.22) - openssl.patch: use openssl library for MD5 calculation instead of relying on libmd. libmd is not in Ring0 - require Perl 5.28.1 or later ==== webkit2gtk3 ==== Version update (2.40.3 -> 2.40.4) Subpackages: WebKitGTK-4.1-lang libjavascriptcoregtk-4_1-0 libwebkit2gtk-4_1-0 typelib-1_0-JavaScriptCore-4_1 typelib-1_0-WebKit2-4_1 webkit2gtk-4_1-injected-bundles - Update to version 2.40.4: + Fix a bug in JavaScript reading variable arguments in a call. ==== webkit2gtk4 ==== Version update (2.40.3 -> 2.40.4) Subpackages: WebKitGTK-6.0-lang libjavascriptcoregtk6_0-1 libwebkitgtk6_0-4 webkitgtk-6_0-injected-bundles - Update to version 2.40.4: + Fix a bug in JavaScript reading variable arguments in a call.