Packages changed:
  bind (9.18.18 -> 9.18.19)
  coreutils
  coreutils-systemd
  cups
  dbus-1 (1.14.8 -> 1.14.10)
  fwupd
  gpsd
  gtk4 (4.12.1 -> 4.12.2)
  hplip (3.22.10 -> 3.23.5)
  libaom (3.6.1 -> 3.7.0)
  libraw
  ncurses (6.4.20230819 -> 6.4.20230909)
  python-Automat
  python-gevent (23.7.0 -> 23.9.0)
  python-python-dateutil
  python-service_identity
  update-alternatives (1.21.22 -> 1.22.0)
  wireless-regdb
  xen (4.17.2_02 -> 4.17.2_04)
  xwayland (23.2.0 -> 23.2.1)
  yast2-trans (84.87.20230909.35988571be -> 84.87.20230913.43f962446c)

=== Details ===

==== bind ====
Version update (9.18.18 -> 9.18.19)

- Update to release 9.18.19
  Security Fixes:
  * Previously, sending a specially crafted message over the control channel could cause the packet-parsing code to run out of available stack memory, causing named to terminate unexpectedly. This has been fixed. (CVE-2023-3341) [bsc#1215472]
  * A flaw in the networking code handling DNS-over-TLS queries could cause named to terminate unexpectedly due to an assertion failure under significant DNS-over-TLS query load. This has been fixed. (CVE-2023-4236) [bsc#1215471]
  Removed Features:
  * The dnssec-must-be-secure option has been deprecated and will be removed in a future release.
  Feature Changes:
  * If the server command is specified, nsupdate now honors the nsupdate -v option for SOA queries by sending both the UPDATE request and the initial query over TCP.
  Bug Fixes:
  * The value of the If-Modified-Since header in the statistics channel was not being correctly validated for its length, potentially allowing an authorized user to trigger a buffer overflow. Ensuring the statistics channel is configured correctly to grant access exclusively to authorized users is essential (see the statistics-channels block definition and usage section).
  * The Content-Length header in the statistics channel was lacking proper bounds checking. A negative or excessively large value could potentially trigger an integer overflow and result in an assertion failure.
  * Several memory leaks caused by not clearing the OpenSSL error stack were fixed.
  * The introduction of krb5-subdomain-self-rhs and ms-subdomain-self-rhs UPDATE policies accidentally caused named to return SERVFAIL responses to deletion requests for non-existent PTR and SRV records. This has been fixed.
  * The stale-refresh-time feature was mistakenly disabled when the server cache was flushed by rndc flush. This has been fixed.
  * BIND’s memory consumption has been improved by implementing dedicated jemalloc memory arenas for sending buffers. This optimization ensures that memory usage is more efficient and better manages the return of memory pages to the operating system.
  * Previously, partial writes in the TLS DNS code were not accounted for correctly, which could have led to DNS message corruption. This has been fixed.

==== coreutils ====
Subpackages: coreutils-doc coreutils-lang

- gnulib-readutmp-under-gdm.patch: Add upstream gnulib patch to fix crash of who/uptime when gdm is in use. [bsc#1215361]
- gnulib-readutmp.patch: Update with upstream patch.

==== coreutils-systemd ====

- gnulib-readutmp-under-gdm.patch: Add upstream gnulib patch to fix crash of who/uptime when gdm is in use. [bsc#1215361]
- gnulib-readutmp.patch: Update with upstream patch.

==== cups ====
Subpackages: cups-client cups-config libcups2 libcupsimage2

- cups-2.4.2-CVE-2023-4504.patch fixes CVE-2023-4504 "CUPS PostScript Parsing Heap Overflow"
  https://github.com/OpenPrinting/cups/security/advisories/GHSA-pf5r-86w9-678h
  bsc#1215204
- cups-2.4.2-CVE-2023-32360.patch fixes CVE-2023-32360 "Information leak through Cups-Get-Document operation" by requiring authentication for CUPS-Get-Document in cupsd.conf
  https://github.com/OpenPrinting/cups/commit/a0c8b9c9556882f00c68b9727a95a1b6d1452913
  https://github.com/OpenPrinting/cups/security/advisories/GHSA-7pv4-hx8c-gr4g
  bsc#1214254
- cups-2.4.2-additional_policies.patch is an updated version of cups-2.0.3-additional_policies.patch that replaces it to add the 'allowallforanybody' policy to cupsd.conf after cups-2.4.2-CVE-2023-32360.patch was applied

==== dbus-1 ====
Version update (1.14.8 -> 1.14.10)
Subpackages: dbus-1-common dbus-1-daemon dbus-1-tools libdbus-1-3

- update to 1.14.10:
  * Avoid a dbus-daemon crash if re-creating a connection's policy fails. If it isn't possible to re-create its policy (for example if it belongs to a user account that has been deleted or if the Name Service Switch is broken, on a system not supporting SO_PEERGROUPS), we now log a warning, continue to use its current policy, and continue to reload other connections' policies.
  * If getting the groups from a user ID fails, report the error correctly, instead of logging "(null)"
  * Return the primary group ID in GetConnectionCredentials()' UnixGroupIDs field for processes with a valid-but-empty supplementary group list

==== fwupd ====
Subpackages: fwupd-bash-completion fwupd-lang libfwupd2 typelib-1_0-Fwupd-2_0

- Remove protobuf-c BR: SLE now matches TW package layout
- Remove gnu-efi BR: efi binary is in fwupd-efi

==== gpsd ====

- Split the Qt5 wrapper from gpsd-devel to avoid installing unneeded dependencies when building plasma 6 packages (boo#1215444)

==== gtk4 ====
Version update (4.12.1 -> 4.12.2)
Subpackages: gtk4-lang gtk4-schema gtk4-tools libgtk-4-1 typelib-1_0-Gtk-4_0

- Update to version 4.12.2:
  + GtkTooltip: Don't cross native boundaries when looking for tooltips.
  + GtkCenterLayout, GtkEntry, GtkSearchEntry: Fix some issues with baseline handling.
  + GtkSwitch: Respect text direction.
  + Theme: Use relative font sizes.
  + GSK:
    - Make repeated gradients match between GL and cairo.
    - Make rounded rect shrinking match between Vulkan, GL and cairo.
    - Fix parsing of text nodes with color glyphs.
    - Restrict an optimization to the cases where it is correct.
    - Fix rendering of shadows with opacity.
  + Updated translations.
- Drop merged upstream patch: e001b421.patch.
- Add e001b421.patch: tooltip: don't cross native boundaries.

==== hplip ====
Version update (3.22.10 -> 3.23.5)
Subpackages: hplip-hpijs hplip-udev-rules

- Update to hplip 3.23.5
  * added new CUPS filter hpcdmfax
- Support for new printers:
  * HP Smart Tank 520_540 series
  * HP Smart Tank 580-590 series
  * HP Smart Tank 5100 series
  * HP Smart Tank 210-220 series
  * HP Color LaserJet Enterprise 6700dn
  * HP Color LaserJet Enterprise 6700
  * HP Color LaserJet Enterprise 6701dn
  * HP Color LaserJet Enterprise 6701
  * HP Color LaserJet Enterprise X654dn
  * HP Color LaserJet Enterprise X65455dn
  * HP Color LaserJet Enterprise X654
  * HP Color LaserJet Enterprise X65465dn
  * HP Color LaserJet Enterprise X654 65 PPM
  * HP Color LaserJet Enterprise X654 55 to 65ppm License
  * HP Color LaserJet Enterprise X654 Down License
  * HP Color LaserJet Enterprise MFP 6800dn
  * HP Color LaserJet Enterprise Flow MFP 6800zf
  * HP Color LaserJet Enterprise Flow MFP 6800zfsw
  * HP Color LaserJet Enterprise Flow MFP 6800zfw+
  * HP Color LaserJet Enterprise MFP 6800
  * HP Color LaserJet Enterprise MFP 6801
  * HP Color LaserJet Enterprise MFP 6801 zfsw
  * HP Color LaserJet Enterprise Flow MFP 6801zfw+
  * HP Color LaserJet Enterprise MFP X677 55 to 65ppm License
  * HP Color LaserJet Enterprise MFP X677 65ppm
  * HP Color LaserJet Enterprise MFP X677s
  * HP Color LaserJet Enterprise Flow MFP X677z
  * HP Color LaserJet Enterprise MFP X67765dn
  * HP Color LaserJet Enterprise Flow MFP X67765zs
  * HP Color LaserJet Enterprise Flow MFP X67765z+
  * HP Color LaserJet Enterprise MFP X677
  * HP Color LaserJet Enterprise MFP X67755dn
  * HP Color LaserJet Enterprise Flow MFP X67755zs
  * HP Color LaserJet Enterprise Flow MFP X67755z+
  * HP Color LaserJet Enterprise MFP X677dn
  * HP Color LaserJet Enterprise Flow MFP X677zs
  * HP Color LaserJet Enterprise Flow MFP X677z+
  * HP Color LaserJet Enterprise 5700dn
  * HP Color LaserJet Enterprise 5700
  * HP Color LaserJet Enterprise X55745dn
  * HP Color LaserJet Enterprise X55745
  * HP Color LaserJet Enterprise MFP 5800dn
  * HP Color LaserJet Enterprise MFP 5800f
  * HP Color LaserJet Enterprise Flow MFP 5800zf
  * HP Color LaserJet Enterprise MFP 5800
  * HP Color LaserJet Enterprise MFP X57945
  * HP Color LaserJet Enterprise Flow MFP X57945zs
  * HP Color LaserJet Enterprise MFP X57945dn
  * HP Color LaserJet Enterprise Flow MFP X57945z

==== libaom ====
Version update (3.6.1 -> 3.7.0)

- Split docs to multibuild to avoid dependency cycle
- New upstream release 3.7.0
- New Features
  * New codec controls:
    * AV1E_SET_QUANTIZER_ONE_PASS: Set quantizer for each frame.
    * AV1E_ENABLE_RATE_GUIDE_DELTAQ: enable the rate distribution guided delta quantization in all intra mode. The "enable-rate-guide-deltaq" option is added for this control.
    * AV1E_SET_RATE_DISTRIBUTION_INFO: set the input file for rate distribution used in all intra mode. The "rate-distribution-info" option is added for this control.
    * AV1E_GET_LUMA_CDEF_STRENGTH
    * AV1E_SET_BITRATE_ONE_PASS_CBR
  * AOM_SCALING_MODE is extended to include 2/3 and 1/3 scaling.
  * aom_tune_metric is extended to include AOM_TUNE_VMAF_SALIENCY_MAP. The "tune" option is extended to include "vmaf_saliency_map".
  * SVC example encoder svc_encoder_rtc is able to use the rate control library.
  * Loopfilter level and CDEF filter level is supported by RTC rate control library.
  * New speed (--cpu-used) 11, intended for RTC screen sharing, added for faster encoding with ~3% bdrate loss with 16% IC (instruction count) speedup compared to speed 10.
- Compression Efficiency Improvements
  * Improved VoD encoding performance
    * 0.1-0.6% BDrate gains for encoding speeds 2 to 6
    * Rate control accuracy improvement in VBR mode
  * RTC encoding improvements
    * Screen content mode: 10-19% BDrate gains for speeds 6 - 10
    * Temporal layers video mode, for speed 10:
      * 2 temporal layers on low resolutions: 13-15% BDrate gain
      * 3 temporal layers on VGA/HD: 3-4% BDrate gain
- Perceptual Quality Improvements
  * Fixed multiple block and color artifacts for RTC screen content by
    * Incorporating color into RD cost for IDTX
    * Reducing thresholds for palette mode in non RD mode
    * Allowing more palette mode testing
  * Improved color sensitivity for altref in non-RD mode.
  * Reduced video flickering for temporal layer encoding.
- Speedup and Memory Optimizations
  * Speed up the VoD encoder
    * 2-5% for encoding speed 2 to 4
    * 9-15% for encoding speed 5 to 6
    * ARM
      * Standard bitdepth
        * speed 5: +31%
        * speed 4: +2%
        * speed 3: +9%
        * speed 2: +157%
      * High bitdepth
        * speed 5: +85%
  * RTC speedups
    * Screen content mode
      * 15% IC speedup for speeds 6-8
      * ARM: 7% for speed 9, 3% for speed 10
    * Temporal layers video mode
      * 7% speedup for 3 temporal layers on VGA/HD, for speed 10
    * Single layer video
      * x86: 2% IC speedup for speeds 7-10
      * ARM: 2-4% speedup across speeds 5-10
- Bug Fixes
  * aomedia:3261 Assertion failed when encoding av1 with film grain and '--monochrome' flag
  * aomedia:3276 ensure all allocations are checked (partial fix)
  * aomedia:3451 The libaom library calls exit()
  * aomedia:3450 enable -Wshadow for C++ sources
  * aomedia:3449 Test Seg Faults After b459af3e345be402db052a143fcc5383d4b74cbd
  * aomedia:3416 prune unused symbols / restrict symbol visibility
  * aomedia:3443 Jenkins failure: UninstantiatedParameterizedTestSuite
  * aomedia:3434 realtime failures with CONFIG_BITSTREAM_DEBUG=1
  * aomedia:3433 DeltaqModeTest crash w/row_mt=0
  * aomedia:3429 Encoder crash when turn on both ExternalResize and g_threads > 2
  * aomedia:3438 Build failure with `-DSANITIZE=address -DBUILD_SHARED_LIBS=ON` when using clang.
  * aomedia:3435 Block artifacts when scrolling with AV1 in screen sharing scenarios
  * aomedia:3170 vmaf tune presets produce extreme glitches in one scene
  * aomedia:3401 Building shared libaom with MSVC results in a race condition with the export library
  * aomedia:3420 Floating point exception in av1_tpl_get_frame_importance()
  * aomedia:3424 heap-buffer-overflow in ScaleFilterCols_16_C() (SIGABRT)
  * aomedia:3417 examples/svc_encoder_rtc.c is using internal macros and functions
  * aomedia:3372 SEGV in assign_frame_buffer_p av1_common_int.h
  * aomedia:3130 'cpu-features.h' file not found on Android NDK 22
  * aomedia:3415 Encoder/decoder mismatch for svc_encoder_rtc running 1 SL 3 TL
  * aomedia:3412 Lossless Mode Fails Loopback Bit Test
  * aomedia:3409 The use of AV1_VAR_OFFS in av1/encoder/var_based_part.c is incorrect for high bit depths
  * aomedia:3403 test_libaom fails with error message "feenableexcept() failed" on Linux arm
  * aomedia:3370 Random color block at fast motion area
  * aomedia:3393 Assertion failure in av1_convolve_2d_sr_c()
  * aomedia:3392 Strong artifacting for high bit-depth real-time
  * aomedia:3376 aomenc --threads=10 --deltaq-mode=3 crashes after
  ... changelog too long, skipping 18 lines ...
- Fix missing images in documentation

==== libraw ====

- security update
- added patches
  fix CVE-2020-22628 [bsc#1215308], stretch() function in libraw/src/postprocessing/aspect_ratio.cpp
  + libraw-CVE-2020-22628.patch

==== ncurses ====
Version update (6.4.20230819 -> 6.4.20230909)
Subpackages: libncurses6 ncurses-utils terminfo terminfo-base terminfo-iterm terminfo-screen

- Add ncurses patch 20230909
  + improve formatting of manpages (patches by Branden Robinson).
  > patches by Nicholas Marriott:
  + use string-hacks in alloc_entry.c, alloc_type.c and hardscroll.c, overlooked due to compiler changes in recent OpenBSD releases.
  + add "-6" option to ncu2openbsd script.
- Add ncurses patch 20230902
  + improve description of search rules for terminal descriptions in terminfo manpage (report by Sven Joachim).
- Add ncurses patch 20230826
  + fixes for compiler-warnings.
  + update config.guess, config.sub

==== python-Automat ====

- remove unneeded six from setup.py

==== python-gevent ====
Version update (23.7.0 -> 23.9.0)

- update to 23.9.0 (CVE-2023-41419):
  * Make ``gevent.select.select`` accept arbitrary iterables, not just sequences. That is, you can now pass in a generator of file descriptors instead of a realized list. Internally, arbitrary iterables are copied into lists. This better matches what the standard library does.
  * On Python 3.11 and newer, opt out of Cython's fast exception manipulation, which *may* be causing problems in certain circumstances when combined with greenlets.
  * On all versions of Python, adjust some error handling in the default C-based loop. This fixes several assertion failures on debug versions of CPython. Hopefully it has a positive impact under real conditions.
  * Make ``gevent.pywsgi`` comply more closely with the HTTP specification for chunked transfer encoding. In particular, we are much stricter about trailers, and trailers that are invalid (too long or featuring disallowed characters) forcibly close the connection to the client *after* the results have been sent.
  * Trailers otherwise continue to be ignored and are not available to the WSGI application. Previously, carefully crafted invalid trailers in chunked requests on keep-alive connections might appear as two requests to ``gevent.pywsgi``. Because this was handled exactly as a normal keep-alive connection with two requests, the WSGI application should handle it normally. However, if you were counting on some upstream server to filter incoming requests based on paths or header fields, and the upstream server simply passed trailers through without validating them, then this embedded second request would bypass those checks. (If the upstream server validated that the trailers meet the HTTP specification, this could not occur, because characters that are required in an HTTP request, like a space, are not allowed in trailers.) CVE-2023-41419 was reserved for this.

==== python-python-dateutil ====

- Add patch no-utcfromtimestamp.patch, stop using a deprecated function.
- Switch to pyproject and autosetup macros.
- Stop using greedy globs in %files.

==== python-service_identity ====

- python-six is not required

==== update-alternatives ====
Version update (1.21.22 -> 1.22.0)

- Update to version 1.22.0. The full changelog is very large. Please check it here:
  https://git.dpkg.org/cgit/dpkg/dpkg.git/tree/debian/changelog?h=1.22.0
- Refresh openssl.patch so it works on 1.22.0.

==== wireless-regdb ====

- Define %{_firmwaredir} if not defined. This fixes RPM build errors.

==== xen ====
Version update (4.17.2_02 -> 4.17.2_04)

- bsc#1215474 - VUL-0: CVE-2023-20588: xen: AMD CPU transitional execution leak via division by zero (XSA-439)
  xsa439-00.patch
  xsa439-01.patch
  xsa439-02.patch
  xsa439-03.patch
  xsa439-04.patch
  xsa439-05.patch
  xsa439-06.patch
  xsa439-07.patch
  xsa439-08.patch
  xsa439-09.patch
- bsc#1215145 - VUL-0: CVE-2023-34322: xen: top-level shadow reference dropped too early for 64-bit PV guests (XSA-438)
  xsa438.patch
- Handle potential unaligned access to bitmap in libxc-sr-restore-hvm-legacy-superpage.patch
  If setting BITS_PER_LONG at once, the initial bit must be aligned

==== xwayland ====
Version update (23.2.0 -> 23.2.1)

- Update to version 23.2.1:
  * glamor: Ignore destination alpha as necessary for composite operation
  * xtest: Check whether there is a sendEventsProc to call
- supersedes xwayland-glamor-Ignore-destination-alpha-as-necessary-for-com.patch
- xwayland-glamor-Ignore-destination-alpha-as-necessary-for-com.patch
  * Fix when vncviewer fades to white on xwayland (bsc#1215385, https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1154)

==== yast2-trans ====
Version update (84.87.20230909.35988571be -> 84.87.20230913.43f962446c)
Subpackages: yast2-trans-cs yast2-trans-da yast2-trans-de yast2-trans-el yast2-trans-en_GB yast2-trans-es yast2-trans-fr yast2-trans-hu yast2-trans-it yast2-trans-ja yast2-trans-pl yast2-trans-pt yast2-trans-pt_BR yast2-trans-ru yast2-trans-zh_CN yast2-trans-zh_TW

- Update to version 84.87.20230913.43f962446c:
  * Translated using Weblate (Indonesian)
  * New POT for text domain 'control'.