Packages changed:
  MozillaFirefox (118.0.1 -> 119.0)
  glibc
  java-21-openjdk
  libbluray
  ncurses (6.4.20231007 -> 6.4.20231021)
  open-lldp (1.1+58.8ca361bab766 -> 1.1+77.75e83b6fb98e)
  protobuf
  python-jsonschema (4.19.1 -> 4.19.2)
  python-pyudev
  qpdf (11.6.2 -> 11.6.3)
  shadow (4.14.1 -> 4.14.2)
  strace (6.5 -> 6.6)
  suse-module-tools (16.0.37 -> 16.0.38)
  systemd
  webrtc-audio-processing

=== Details ===

==== MozillaFirefox ====
Version update (118.0.1 -> 119.0)
Subpackages: MozillaFirefox-translations-common

- Mozilla Firefox 119.0
  https://www.mozilla.org/en-US/firefox/119.0/releasenotes
  MFSA 2023-45 (bsc#1216338)
  * CVE-2023-5721 (bmo#1830820)
    Queued up rendering could have allowed websites to clickjack
  * CVE-2023-5722 (bmo#1738426)
    Cross-Origin size and header leakage
  * CVE-2023-5723 (bmo#1802057)
    Invalid cookie characters could have led to unexpected errors
  * CVE-2023-5724 (bmo#1836705)
    Large WebGL draw could have led to a crash
  * CVE-2023-5725 (bmo#1845739)
    WebExtensions could open arbitrary URLs
  * CVE-2023-5726 (bmo#1846205)
    Full screen notification obscured by file open dialog on macOS
  * CVE-2023-5727 (bmo#1847180)
    Download Protections were bypassed by .msix, .msixbundle, .appx,
    and .appxbundle files on Windows
  * CVE-2023-5728 (bmo#1852729)
    Improper object tracking during GC in the JavaScript engine
    could have led to a crash.
  * CVE-2023-5729 (bmo#1823720)
    Fullscreen notification dialog could have been obscured by
    WebAuthn prompts
  * CVE-2023-5730 (bmo#1836607, bmo#1840918, bmo#1848694,
    bmo#1848833, bmo#1850191, bmo#1850259, bmo#1852596,
    bmo#1853201, bmo#1854002, bmo#1855306, bmo#1855640,
    bmo#1856695)
    Memory safety bugs fixed in Firefox 119, Firefox ESR 115.4,
    and Thunderbird 115.4.1
  * CVE-2023-5731 (bmo#1690111, bmo#1721904, bmo#1851803,
    bmo#1854068)
    Memory safety bugs fixed in Firefox 119
- requires NSS 3.94
- Mozilla Firefox 118.0.2
  * Fix games not loading on betsoft.com (bmo#1856145)
  * Fix printing issues for some SVG images (bmo#1853727)
  * Fix CORS XHR with authentication no longer working (bmo#1855650)
  * Fix h264 WebRTC video not working in some contexts (bmo#1855636)
  * Fix Firefox Translations not working on some pages
    (bmo#1841656, bmo#1855307)
  * Stability fixes (bmo#1851991, bmo#1799326, bmo#1856637)
- Activate KDE integration again, included rebased and updated
  patches, firefox-kde.patch and mozilla-kde.patch,
  (upstream removed special files handling for preferences but
  that has no effect since we haven't shipped obsolete kde.js
  for a while) (boo#1216027)

==== glibc ====
Subpackages: glibc-extra glibc-lang glibc-locale glibc-locale-base nscd

- gb18030-2022.patch: add GB18030-2022 charmap (jsc#PED-4908, BZ #30243)

==== java-21-openjdk ====
Subpackages: java-21-openjdk-headless

- Set priority and make it the preferred JDK

==== libbluray ====

- Added patch:
  * libbluray-java18plus.patch
    + allow building with JDK 18 and newer (using source/target
      levels 8)
    + fixes build with the new OpenJDK 21 LTSS

==== ncurses ====
Version update (6.4.20231007 -> 6.4.20231021)
Subpackages: libncurses6 ncurses-utils terminfo terminfo-base terminfo-iterm terminfo-screen

- Add ncurses patch 20231021
  + use oldxterm+sm+1006 in vte-2014 (report by Benno Schulenberg) -TD
  + add ansi+apparrows -TD
  + change defaults for configure opaque and widec options (prompted
    by discussion with Branden Robinson).
  + minor cleanup of compiler- and manpage-warnings.
- Correct offsets of some hunks in patches
  * ncurses-5.9-ibm327x.dif
  * ncurses-6.4.dif
- Add ncurses patch 20231016
  + make the recent change to setupterm optional "--enable-check-size"
    (Debian #1054022).
- Add ncurses patch 20231014
  + improve formatting/style of manpages (patches by Branden Robinson).
  + updated configure script macro CF_XOPEN_SOURCE, for uClibc-ng
  + update config.guess, config.sub

==== open-lldp ====
Version update (1.1+58.8ca361bab766 -> 1.1+77.75e83b6fb98e)
Subpackages: liblldp_clif1

- Update to version latest Intel upstream (v1.1+77.75e83b6fb98e, jsc#PED-6852):
  * lldpad: dcbx: prevent null dereference in dcbx_free_data
  * dcbx: Fix use-after-free
  * dcbx: Fix NULL pointer dereference
  * dcbx: Fix leak when receiving legacy TLVs with mismatched mode
  * lldp: Reject frames with duplicate TLVs
  * dcbx: Free manifest in rchange callback
  * dcbx: Avoid memory leak if ifup is called twice
  * ctrl_iface: Fix a memory leak in ctrl_iface_deinit
  * lldp: Avoid sending uninitialized data
  * lldptool: fix null pointer deference
  * Revert "Use interface index instead of name in libconfig"
  * Avoiding null pointer dereference
  * agent: reset frame status on message delete
  * basman: use return address when pulling address
  * 8021Qaz: check for rx block validity
  * 8021qaz: squelch initialization errors
  * macvtap: fix error condition
  * vdp22: convert command parsing to null term

==== protobuf ====
Subpackages: libprotobuf-lite23_4_0 libprotobuf23_4_0 python311-protobuf

- Build with source and target levels 8
  * fixes build with JDK21
- Install the pom file with the new %%mvn_install_pom macro
- Do not install the pom-only artifacts, since the %%mvn_install_pom
  macro resolves the variables at the install time

==== python-jsonschema ====
Version update (4.19.1 -> 4.19.2)

- update to 4.19.2:
  * Fix the error message for additional items when used with
    heterogeneous arrays.
  * Don't leak the additionalItems keyword into JSON Schema draft
    2020-12, where it was replaced by items.

==== python-pyudev ====

- update hypothesis_settings.patch:
  * Extend deadline for test_child_of_parents that fails on ppc64le
    (bsc#1216607)

==== qpdf ====
Version update (11.6.2 -> 11.6.3)

- update to 11.6.3:
  * Tweak linearization code to better handle files between 2 GB
    and 4 GB in size. Fixes #1023.
  * Fix data loss bug: qpdf could discard the character after an
    escaped octal string consisting of less than three digits. For
    content, this would only happen with QDF or when normalizing
    content. Outside of content, it could have happened in any
    binary string, such as /ID, if the encoding software used octal
    escape strings with less than three digits. This bug was
    introduced between 10.6.3 and 11.0.0.

==== shadow ====
Version update (4.14.1 -> 4.14.2)
Subpackages: libsubid4 login_defs

- Update to 4.14.2:
  * libshadow:
    + Fix build with musl libc.
    + Avoid NULL dereference.
    + Update utmp at an initial login
  * useradd(8):
    + Set proper SELinux labels for def_usrtemplate
  * Manual:
    + Document --prefix in chage(1), chpasswd(8), and passwd(1)
- Drop upstreamed shadow-4.14.0-selinux-labels.patch

==== strace ====
Version update (6.5 -> 6.6)

- Update to strace 6.6
  * Implemented --kill-on-exit option that instructs the tracer to set
    PTRACE_O_EXITKILL option to all tracee processes and not to detach
    them on cleanup so they will not be left running after the tracer
    exit.
  * Implemented automatic activation of --kill-on-exit option when
    --seccomp-bpf is enabled and -p/--attach option is not used.
  * Implemented decoding of map_shadow_stack syscall.
  * Implemented decoding of FSCONFIG_CMD_CREATE_EXCL fsconfig command.
  * Implemented decoding of IFLA_BRPORT_BACKUP_NHID netlink attribute.
  * Implemented decoding of SECCOMP_IOCTL_NOTIF_SET_FLAGS ioctl.
  * Implemented decoding of UFFDIO_CONTINUE, UFFDIO_POISON, and
    UFFDIO_WRITEPROTECT ioctls.
  * Updated lists of ARCH_*, BPF_*, DEVCONF_*, IORING_*, KEXEC_*,
    MAP_*, NT_*, PTRACE_*, QFMT_*, SEGV_*, UFFD_*, V4L2_*, and XDP_*
    constants.
  * Updated lists of ioctl commands from Linux 6.6.
- Remove haveged build requirement and usage in test suite as it is
  not needed anymore (jsc#PED-6184).

==== suse-module-tools ====
Version update (16.0.37 -> 16.0.38)
Subpackages: suse-module-tools-scriptlets

- Update to version 16.0.38:
  * modprobe.d: use softdep to load sd_mod and sg (boo#1216070)

==== systemd ====
Subpackages: libsystemd0 libudev1 systemd-boot systemd-coredump systemd-doc systemd-lang udev

- Fix typo in /etc/systemd/user.confd.d (bsc#1216676)

==== webrtc-audio-processing ====

- ExcludeArch s390, s390x and ppc64 since big endian support is
  not implemented.