Packages changed:
  dracut (059+suse.503.g41e99e72 -> 059+suse.511.g0bdb16ac)
  gnome-text-editor (45.0 -> 45.1)
  gpgme (1.23.0 -> 1.23.1)
  grub2
  kernel-default-base
  open-vm-tools (12.3.0 -> 12.3.5)
  poppler (23.09.0 -> 23.10.0)
  poppler-qt5 (23.09.0 -> 23.10.0)
  selinux-policy (20231012 -> 20231030)
  sssd
  wireplumber
  yast2-trans (84.87.20231004.bd479b5f2d -> 84.87.20231027.a9c9df2125)

=== Details ===

==== dracut ====
Version update (059+suse.503.g41e99e72 -> 059+suse.511.g0bdb16ac)
Subpackages: dracut-ima

- Update to version 059+suse.511.g0bdb16ac:
  * fix(pkcs11): delete trailing dot on libcryptsetup-token-systemd-pkcs11.so
  * fix(systemd-repart): correct undefined $libdir
  * fix(dracut-systemd): use `DRACUT_VERSION` instead of `VERSION`
  * fix(dracut.sh): abort if Bash is in POSIX mode
  * fix(dracut-initramfs-restore.sh): do not set selinux labels if disabled
  * fix(network): correct network device naming (bsc#1192986)

==== gnome-text-editor ====
Version update (45.0 -> 45.1)
Subpackages: gnome-text-editor-lang

- Update to version 45.1:
  + Use proper etag when comparing document for changes after a Save As operation occurs.
  + Fix row styling in preferences.
  + Fix memory leak of GtkNativeDialog.
  + Updated translations.

==== gpgme ====
Version update (1.23.0 -> 1.23.1)
Subpackages: libgpgme11 libgpgmepp6 python311-gpg

- update to 1.23.1:
  * fixes for other platforms

==== grub2 ====
Subpackages: grub2-i386-pc grub2-snapper-plugin grub2-systemd-sleep-plugin grub2-x86_64-efi

- Fix fadump not working with 1GB/2GB/4GB LMB[P10] (bsc#1216253)
  * 0001-kern-ieee1275-init-Restrict-high-memory-in-presence-.patch

==== kernel-default-base ====

- Add dummy (boo#1216647)

==== open-vm-tools ====
Version update (12.3.0 -> 12.3.5)
Subpackages: libvmtools0 open-vm-tools-desktop

- Update to 12.3.5 (build 22544099) (boo#1216670)
  - There are no new features in the open-vm-tools 12.3.5 release. This is primarily a maintenance release that addresses a few critical problems, including:
    - This release resolves CVE-2023-34058. For more information on this vulnerability and its impact on VMware products, see https://www.vmware.com/security/advisories/VMSA-2023-0024.html.
    - This release resolves CVE-2023-34059 which only affects open-vm-tools. For more information on this vulnerability, please see the Resolved Issues section of the Release Notes.
    - A GitHub issue has been handled. Please see the Resolved Issues section of the Release Notes.
    - An update to the deployPkg plugin to coordinate with recent releases of cloud-init for improvement for guest VM customization.
  - For issues resolved in this release, see the Resolved Issues section of the Release Notes.
  - For complete details, see: https://github.com/vmware/open-vm-tools/releases/tag/stable-12.3.5
  - Release Notes are available at https://github.com/vmware/open-vm-tools/blob/stable-12.3.5/ReleaseNotes.md
  - The granular changes that have gone into the 12.3.5 release are in the ChangeLog at https://github.com/vmware/open-vm-tools/blob/stable-12.3.5/open-vm-tools/ChangeLog
- Drop patch now contained in 12.3.5:
  - CVE-2023-34058.patch
  - CVE-2023-34059.patch

==== poppler ====
Version update (23.09.0 -> 23.10.0)
Subpackages: libpoppler-cpp0 libpoppler-glib8 poppler-tools

- Add patch to let it build with the heavily patched tiff 4.0.9 we have in SLE 15:
  * reduce-libtiff-required-version.patch
- version update to 23.10.0
  core:
  * cairo: update type 3 fonts for cairo 1.18 api
  * Fix crash on malformed files
  build system:
  * Make a few more dependencies soft-mandatory
  * Add more supported gnupg releases
  * Check if linker supports version scripts
- modified patches
  % reduce-boost-required-version.patch (refreshed)

==== poppler-qt5 ====
Version update (23.09.0 -> 23.10.0)

- Add patch to let it build with the heavily patched tiff 4.0.9 we have in SLE 15:
  * reduce-libtiff-required-version.patch
- version update to 23.10.0
  core:
  * cairo: update type 3 fonts for cairo 1.18 api
  * Fix crash on malformed files
  build system:
  * Make a few more dependencies soft-mandatory
  * Add more supported gnupg releases
  * Check if linker supports version scripts
- modified patches
  % reduce-boost-required-version.patch (refreshed)

==== selinux-policy ====
Version update (20231012 -> 20231030)
Subpackages: selinux-policy-targeted

- Update to version 20231030:
  * Allow system_mail_t manage exim spool files and dirs
  * Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t
  * Label /run/pcsd.socket with cluster_var_run_t
  * ci: Run cockpit tests in PRs
  * Add map_read map_write to kernel_prog_run_bpf
  * Allow systemd-fstab-generator read all symlinks
  * Allow systemd-fstab-generator the dac_override capability
  * Allow rpcbind read network sysctls
  * Support using systemd containers
  * Allow sysadm_t to connect to iscsid using a unix domain stream socket
  * Add policy for coreos installer
  * Add policy for nvme-stas
  * Confine systemd fstab,sysv,rc-local
  * Label /etc/aliases.lmdb with etc_aliases_t
  * Create policy for afterburn
  * Make new virt drivers permissive
  * Split virt policy, introduce virt_supplementary module
  * Allow apcupsd cgi scripts read /sys
  * Allow kernel_t to manage and relabel all files
  * Add missing optional_policy() to files_relabel_all_files()
  * Allow named and ndc use the io_uring api
  * Deprecate common_anon_inode_perms usage
  * Improve default file context(None) of /var/lib/authselect/backups
  * Allow udev_t to search all directories with a filesystem type
  * Implement proper anon_inode support
  * Allow targetd write to the syslog pid sock_file
  * Add ipa_pki_retrieve_key_exec() interface
  * Allow kdumpctl_t to list all directories with a filesystem type
  * Allow udev additional permissions
  * Allow udev load kernel module
  * Allow sysadm_t to mmap modules_object_t files
  * Add the unconfined_read_files() and unconfined_list_dirs() interfaces
  * Set default file context of HOME_DIR/tmp/.* to <>
  * Allow kernel_generic_helper_t to execute mount(1)
  * Allow sssd send SIGKILL to passkey_child running in ipa_otpd_t
  * Allow systemd-localed create Xserver config dirs
  * Allow sssd read symlinks in /etc/sssd
  * Label /dev/gnss[0-9] with gnss_device_t
  * Allow systemd-sleep read/write efivarfs variables
  * ci: Fix version number of packit generated srpms
  * Dontaudit rhsmcertd write memory device
  * Allow ssh_agent_type create a sockfile in /run/user/USERID
  * Set default file context of /var/lib/authselect/backups to <>
  * Allow prosody read network sysctls
  * Allow cupsd_t to use bpf capability
  * Allow sssd domain transition on passkey_child execution conditionally
  * Allow login_userdomain watch lnk_files in /usr
  * Allow login_userdomain watch video4linux devices
  * Change systemd-network-generator transition to include class file
  * Revert "Change file transition for systemd-network-generator"
  * Allow nm-dispatcher winbind plugin read/write samba var files
  * Allow systemd-networkd write to cgroup files
  * Allow kdump create and use its memfd: objects
  * Allow fedora-third-party get generic filesystem attributes
  * Allow sssd use usb devices conditionally
  * Update policy for qatlib
  * Allow ssh_agent_type manage generic cache home files
  * Change file transition for systemd-network-generator
  * Additional support for gnome-initial-setup
  * Update gnome-initial-setup policy for geoclue
  * Allow openconnect vpn open vhost net device
  * Allow cifs.upcall to connect to SSSD also through the /var/run socket
  * Grant cifs.upcall more required capabilities
  * Allow xenstored map xenfs files
  * Update policy for fdo
  * Allow keepalived watch var_run dirs
  * Allow svirt to rw /dev/udmabuf
  * Allow qatlib to modify hardware state information.
  * Allow key.dns_resolve connect to avahi over a unix stream socket
  * Allow key.dns_resolve create and use unix datagram socket
  * Use quay.io as the container image source for CI
  * ci: Move srpm/rpm build to packit
  * .copr: Avoid subshell and changing directory
  * Allow gpsd, oddjob and oddjob_mkhomedir_t write user_tty_device_t chr_file
  * Label /usr/libexec/openssh/ssh-pkcs11-helper with ssh_agent_exec_t
  * Make insights_client_t an unconfined domain
  * Allow insights-client manage user temporary files
  * Allow insights-client create all rpm logs with a correct label
  * Allow insights-client manage generic logs
  * Allow cloud_init create dhclient var files and init_t manage net_conf_t
  * Allow insights-client read and write cluster tmpfs files
  * Allow ipsec read nsfs files
  * Make tuned work with mls policy
  * Remove nsplugin_role from mozilla.if
  * allow mon_procd_t self:cap_userns sys_ptrace
  * Allow pdns name_bind and name_connect all ports
  * Set the MLS range of fsdaemon_t to s0 - mls_systemhigh
  * ci: Move to actions/checkout@v3 version
  * .copr: Replace chown call with standard workflow safe.directory setting
  * .copr: Enable `set -u` for robustness
  * .copr: Simplify root directory variable
  * Allow rhsmcertd dbus chat with policykit
  * Allow polkitd execute pkla-check-authorization with nnp transition
  * Allow user_u and staff_u get attributes of non-security dirs
  * Allow unconfined user filetrans chrome_sandbox_home_t
  * Allow svnserve execute postdrop with a transition
  * Do not make postfix_postdrop_t type an MTA executable file
  * Allow samba-dcerpc service manage samba tmp files
  ... changelog too long, skipping 64 lines ...
  * Allow sendmail manage its runtime files

==== sssd ====
Subpackages: libsss_certmap0 libsss_idmap0 libsss_nss_idmap0 sssd-krb5-common sssd-ldap

- Update dependencies to require the same subpackages version and release
- Fix /usr/etc migration fragment in wrong "%pre kcm" instead of "%pre"
- Move sss_analyze to sssd-tools package
- Default config is unworkable, just stop installing it altogether [boo#1216739]

==== wireplumber ====
Subpackages: libwireplumber-0_4-0 wireplumber-audio wireplumber-lang

- Add patch from upstream that fixes too many matches for property interest:
  * 0001-object-manager-reduce-the-amount-of-globals-that-initially.patch
- Add patch from upstream that fixes an odd failure of a test after applying the previous patch:
  * 0002-object-manager-use-an-idle-callback-to-expose-tmp-globals.patch
- Add patch from upstream that adds ability to hide parent nodes, which is useful to prevent hardware misuse or damage by poorly behaved/configured clients:
  * 0001-policy-dsp-add-ability-to-hide-parent-nodes.patch

==== yast2-trans ====
Version update (84.87.20231004.bd479b5f2d -> 84.87.20231027.a9c9df2125)
Subpackages: yast2-trans-cs yast2-trans-da yast2-trans-de yast2-trans-el yast2-trans-en_GB yast2-trans-es yast2-trans-fr yast2-trans-hu yast2-trans-it yast2-trans-ja yast2-trans-pl yast2-trans-pt yast2-trans-pt_BR yast2-trans-ru yast2-trans-zh_CN yast2-trans-zh_TW

- Update to version 84.87.20231027.a9c9df2125:
  * Translated using Weblate (Galician)
  * Translated using Weblate (Macedonian)
  * Translated using Weblate (Macedonian)
  * Translated using Weblate (Macedonian)
  * Translated using Weblate (Macedonian)
  * Translated using Weblate (Macedonian)
  * Translated using Weblate (Macedonian)
  * Translated using Weblate (Italian)
  * Translated using Weblate (Catalan)
  * Translated using Weblate (Czech)
  * Translated using Weblate (Czech)
  * Translated using Weblate (Slovak)
  * Translated using Weblate (Slovak)
  * Translated using Weblate (Dutch)
  * Translated using Weblate (Japanese)
  * New POT for text domain 'storage'.
  * New POT for text domain 'country'.
  * Translated using Weblate (Dutch)
  * Translated using Weblate (Catalan)
  * Translated using Weblate (Japanese)
  * Translated using Weblate (French)
  * New POT for text domain 'qt-pkg'.