Packages changed: GraphicsMagick Mesa (23.1.6 -> 23.1.7) Mesa-drivers (23.1.6 -> 23.1.7) aaa_base (84.87+git20230329.b39efbc -> 84.87+git20230815.cab7b44) btrfsprogs (6.3 -> 6.5) busybox-links coreutils (9.3 -> 9.4) dracut (059+suse.491.g87f19c22 -> 059+suse.497.ga7feaf12) gcab (1.5 -> 1.6) javapackages-tools kdump kexec-tools (2.0.26.0 -> 2.0.27) lastlog2 (1.1.0 -> 1.2.0) libportal (0.6 -> 0.7) libstorage-ng (4.5.139 -> 4.5.141) libvirt (9.6.0 -> 9.7.0) luajit (2.1.0~beta3+git.1669107176.46aa45d -> 5.1.2.1.0+git.1693350652.41fb94d) nodejs20 open-vm-tools (12.2.0 -> 12.3.0) pam-config (2.5 -> 2.8) perl-Bootloader (1.6 -> 1.8) python-click (8.1.6 -> 8.1.7) python-libvirt-python (9.6.0 -> 9.7.0) python-psutil python-zope.event (4.6 -> 5.0) python311 (3.11.4 -> 3.11.5) python311-core (3.11.4 -> 3.11.5) sssd (2.9.1 -> 2.9.2) === Details === ==== GraphicsMagick ==== Subpackages: libGraphicsMagick++-Q16-12 libGraphicsMagick-Q16-3 libGraphicsMagick3-config - revert to 1.3.40 [bsc#1214831] https://sourceforge.net/p/graphicsmagick/news/2023/08/because-1341-is-discarded-i-has-been-published-2-builds-for-win32-architecture/ - modified patches % GraphicsMagick-disable-insecure-coders.patch (refreshed) - deleted patches - GraphicsMagick-fix-regression-NULL-instead-of-empty-string.patch (not needed) - GraphicsMagick-name-key-return-input-file-base-name.patch (not needed) - fix regression in 1.3.41 https://sourceforge.net/p/graphicsmagick/bugs/722/ - added patches fix 17179:91afa18a6161 + GraphicsMagick-fix-regression-NULL-instead-of-empty-string.patch fix 17180:bb42cd90ce6f + GraphicsMagick-name-key-return-input-file-base-name.patch - version update to 1.3.41 Bug fixes: * Blob: Immediately reject attempts to write blobs to formats which can not support blobs. * TranslateTextEx(): An empty string argument should return an empty string rather than a NULL string. * SetImageAttribute(): Fix bounds issue when concatenating string. * JPEG: Do not set image resolution if the values provided are outside of the valid range. * Fixes for NaN when reading formats based on floating point. * HEIF: Fix reading images with rotation/transformation. * BMP: Do not decode primaries or gamma unless colorspace is LCS_CALIBRATED_RGB. Add/correct bmp_info.size "biSize" logic which decides if header chunks are present (or invalid). * MNG: Fixes for resizing using X_method 5. * GM command (convert, montage, mogrify): Many command-line parser fixes/checks for invalid command line syntax which causes unexpected behavior, or core dumps. * TopoL: Given that a writer is now provided, issues found in the reader (and writer) due to continual fuzz-testing have been fixed, as encountered. * GetImageClippingPathAttribute(): Check for and use clipping path name (ID=2999) to get the real attribute name. * ReadIPTCProfile(): Fix malformed IPTC data parsing. New Features: * TopoL: Now provides a writer. * WPG: Now provides a writer. * gm batch: Implement simple Test Anything Protocol (TAP) test counting and "ok N"/"not ok N" messaging. * TIFF: Support '-define tiff:photometric=minisblack' and '-define tiff:photometric=miniswhite' to be able to adjust the sense used when writing bilevel TIFF images. * TIFF: Require that TIFFTAG_EXTRASAMPLES be used appropriately to indicate the intention of extra channels. * utilities/tests/gen-tiff-images/genimages: Script for writing (and then reading) thousands (5568 permutations) of TIFF format variants. * EXIF and PNG: Retrieve image orientation from EXIF (if present) and store in image. * HEIF: Retrieve image orientation from EXIF and store in image. Behavior Changes: * The ability to extend existing image attribute text by calling SetImageAttribute() multiple times with the same key is now deprecated, and will soon be removed. In the mean time, the annoying message "SetImageAttribute: Extending attribute value text is deprecated!" is printed to the standard error output to help expose code which is using this feature. - modified patches % GraphicsMagick-disable-insecure-coders.patch (refreshed) - deleted patches - strlcpy-wrong-sizing.patch (upstreamed) ==== Mesa ==== Version update (23.1.6 -> 23.1.7) Subpackages: Mesa-libEGL1 Mesa-libGL1 Mesa-libglapi0 libOSMesa8 libgbm1 - Update to bugfix release 23.1.7: - -> https://docs.mesa3d.org/relnotes/23.1.7.html - mini-cleanup for python package BuildRequires in specfile - added python3-dataclasses package for sle15/Leap15 to finally fix build for these build targets; dataclasses module is in standard library of python >= 3.7 ... ==== Mesa-drivers ==== Version update (23.1.6 -> 23.1.7) Subpackages: Mesa-dri Mesa-gallium Mesa-libva - Update to bugfix release 23.1.7: - -> https://docs.mesa3d.org/relnotes/23.1.7.html - mini-cleanup for python package BuildRequires in specfile - added python3-dataclasses package for sle15/Leap15 to finally fix build for these build targets; dataclasses module is in standard library of python >= 3.7 ... ==== aaa_base ==== Version update (84.87+git20230329.b39efbc -> 84.87+git20230815.cab7b44) Subpackages: aaa_base-extras - Update to version 84.87+git20230815.cab7b44: * Remove broken autocompletion overrides and restore default bash behavior * Add foot to DIR_COLORS * files/u/s/sysconf_addword: avoid bashism, fix shellcheck warnings * files/u/s/smart_agetty: replace shebang with /bin/sh * files/u/s/service: avoid bashism, fix shellcheck warnings * files/u/s/refresh_initrd: make POSIX compliant * files/u/b/safe-rm: make POSIX compliant * aaa_base.post: replace shebang with /usr/sh * files/u/b/old: make POSIX compliant ==== btrfsprogs ==== Version update (6.3 -> 6.5) Subpackages: btrfsprogs-bash-completion btrfsprogs-udev-rules libbtrfs0 libbtrfsutil1 - update to 6.5: * crc32c implementation speedup (3x) * btrfstune: * be more strict about option combinations and refuse changing features from incompatible groups * metadata_uuid changes fixes * libbtrfs: fix ABI breakage introduced in 6.3.1, revert struct subvol_info and subvol_uuid_search changes (bsc#1212217) * CI updates * pull request build tests enabled * published static binaries built with backward compatibility (-march=x86-64) * other * documentation updates * new and updated tests * experimental feature updates (json, list-chunks, checksum switch) * code refactoring * remove btrfs-fragments - update to 6.3.3: * add btrfs-find-root to btrfs.box * replace: properly enqueue if there's another replace running * other: * CI updates, more tests enabled, code coverage, badges * documentation updates * build warning fixes - Let btrfsprogs-bash-completion conflict with btrfsprogs <= 6.2.1 as there is a file conflict with the bash completion scripts still being bundled with btrfsprogs in these versions. - update to 6.3.2: * fix mkfs and others on big endian hosts * mkfs: don't print changed defaults notice with --quiet * scrub: fix wrong stats of processed bytes in background and foreground mode * convert: actually create free-space-tree instead of v1 space cache * print-tree: recognize and print CHANGING_FSID_V2 flag (for the metadata_uuid change in progress) * other: documentation updates - update to 6.3.1: * convert: fix checksum of a block relocated from 0-1M range * qgroup show: fix formatting of limit values in json output * receive: report paret subovl UUID on errors * btrfsune: new option --convert-to-free-space-tree to convert from block-group-tree back to extent tree for block group tracking * mkfs: make option --rootdir more verbose and report start when filling from the given directory starts * experimental: * btrfstune: checksum switch logic reimplemented, conversion of all metadata and data now works, resume from various states also supported * other: * test updates and fixes * CI cleanups and old files removed * integration with Github actions - Remove patch: btrfs-progs-qgroup-show-fix-formatting-of-limit-valu.patch (upstreamed) ==== busybox-links ==== Subpackages: busybox-bzip2 busybox-coreutils busybox-ed busybox-findutils busybox-gawk busybox-grep busybox-gzip busybox-misc busybox-psmisc busybox-sed busybox-sendmail busybox-tar busybox-which busybox-xz - Add conflict for coreutils-systemd, package got splitted ==== coreutils ==== Version update (9.3 -> 9.4) - Update to 9.4: Bug fixes: * b2sum --check will no longer read unallocated memory when presented with malformed checksum lines. [bug introduced in coreutils-9.2] * cp --parents again succeeds when preserving mode for absolute directories. Previously it would have failed with a "No such file or directory" error. [bug introduced in coreutils-9.1] * cp --sparse=never will avoid copy-on-write (reflinking) and copy offloading, to ensure no holes present in the destination copy. [bug introduced in coreutils-9.0] * cksum again diagnoses read errors in its default CRC32 mode. [bug introduced in coreutils-9.0] * cksum --check now ensures filenames with a leading backslash character are escaped appropriately in the status output. This also applies to the standalone checksumming utilities. [bug introduced in coreutils-8.25] * dd again supports more than two multipliers for numbers. Previously numbers of the form '1024x1024x32' gave "invalid number" errors. [bug introduced in coreutils-9.1] * factor, numfmt, and tsort now diagnose read errors on the input. [This bug was present in "the beginning".] * install --strip now supports installing to files with a leading hyphen. Previously such file names would have caused the strip process to fail. [This bug was present in "the beginning".] * ls now shows symlinks specified on the command line that can't be traversed. Previously a "Too many levels of symbolic links" diagnostic was given. [This bug was present in "the beginning".] * pr --length=1 --double-space no longer enters an infinite loop. [This bug was present in "the beginning".] * tac now handles short reads on its input. Previously it may have exited erroneously, especially with large input files with no separators. [This bug was present in "the beginning".] * uptime no longer incorrectly prints "0 users" on OpenBSD, and is being built again on FreeBSD and Haiku. [bugs introduced in coreutils-9.2] * wc -l and cksum no longer crash with an "Illegal instruction" error on x86 Linux kernels that disable XSAVE YMM. This was seen on Xen VMs. [bug introduced in coreutils-9.0] Changes in behavior: * cp -v and mv -v will no longer output a message for each file skipped due to -i, or -u. Instead they only output this information with --debug. I.e., 'cp -u -v' etc. will have the same verbosity as before coreutils-9.3. * cksum -b no longer prints base64-encoded checksums. Rather that short option is reserved to better support emulation of the standalone checksum utilities with cksum. * mv dir x now complains differently if x/dir is a nonempty directory. Previously it said "mv: cannot move 'dir' to 'x/dir': Directory not empty", where it was unclear whether 'dir' or 'x/dir' was the problem. Now it says "mv: cannot overwrite 'x/dir': Directory not empty". Similarly for other renames where the destination must be the problem. [problem introduced in coreutils-6.0] - Enable systemd-logind support - Add gnulib-readutmp.patch: Fix seg.fault of who, pinky, uptime [dgo#65617] - Create -systemd flavor with binaries linked against libsystemd - Drop coreutils-invalid-ids.patch to get consistent behavior, most tools where already removed from that patch. - coreutils-misc.patch: adjust paths - coreutils-skip-some-sort-tests-on-ppc.patch: adjust paths - coreutils-test_without_valgrind.patch: adjust paths - coreutils-i18n.patch: update from Fedora ==== dracut ==== Version update (059+suse.491.g87f19c22 -> 059+suse.497.ga7feaf12) - Update to version 059+suse.497.ga7feaf12: * chore(suse): disable fips and ima subpackages for i?86 * fix(dracut.sh): remove microcode check based on CONFIG_MICROCODE_[AMD|INTEL] * chore(suse): update SUSE maintainers doc ==== gcab ==== Version update (1.5 -> 1.6) Subpackages: libgcab-1_0-0 - Update to version 1.6: + New Features: Allow specifying the allowed compression formats at runtime. This would allow us, for example, to disable the slightly scary LZX compression format when parsing unknown files. + Bugfixes: Do not require git when building from a tarball. ==== javapackages-tools ==== Subpackages: javapackages-filesystem - Modified patch: * 0001-Make-the-alias-generation-reproducible.patch -> 0001-Make-maven_depmap-order-of-aliases-reproducible.patch + replace by the version of patch integrated by upstream - Added patch: * 0002-Do-not-bomb-on-relativePath-construct.patch + integrated patch fixing parent recursion with empty element ==== kdump ==== - update calibrate values, newly added SLE15-SP6 values ==== kexec-tools ==== Version update (2.0.26.0 -> 2.0.27) - update to 2.0.27: * ppc64: add --reuse-cmdline parameter support * kexec: make -a the default * x86: add devicetree support * ppc64: document elf-ppc64 options and --dt-no-old-root * LoongArch: kdump: set up kernel image segment * arm64: zboot support - Disable Xen support in ALP ==== lastlog2 ==== Version update (1.1.0 -> 1.2.0) Subpackages: liblastlog2-1 - Version 1.2.0 - show_lastlogin: Don't read if no database - Fix -flto for clang - Documentation fixes ==== libportal ==== Version update (0.6 -> 0.7) Subpackages: libportal-1 libportal-gtk3-1 libportal-gtk4-1 - Update to version 0.7: + Add support for the new SetStatus() method of the Background portal. + Add support for the new ConnectToEIS() method of the Remote Desktop portal. + Improve unit and integration tests. + Documentation improvements. + CI improvements. ==== libstorage-ng ==== Version update (4.5.139 -> 4.5.141) Subpackages: libstorage-ng-lang libstorage-ng-ruby libstorage-ng1 - Translated using Weblate (Swedish) (bsc#1149754) - 4.5.141 - merge gh#openSUSE/libstorage-ng#947 - handle json output of btrfs version 6.5 - 4.5.140 ==== libvirt ==== Version update (9.6.0 -> 9.7.0) Subpackages: libvirt-client libvirt-daemon-common libvirt-daemon-config-network libvirt-daemon-driver-interface libvirt-daemon-driver-network libvirt-daemon-driver-nodedev libvirt-daemon-driver-nwfilter libvirt-daemon-driver-qemu libvirt-daemon-driver-secret libvirt-daemon-driver-storage libvirt-daemon-driver-storage-core libvirt-daemon-driver-storage-disk libvirt-daemon-driver-storage-iscsi libvirt-daemon-driver-storage-iscsi-direct libvirt-daemon-driver-storage-logical libvirt-daemon-driver-storage-mpath libvirt-daemon-driver-storage-rbd libvirt-daemon-driver-storage-scsi libvirt-daemon-lock libvirt-daemon-log libvirt-daemon-plugin-lockd libvirt-daemon-proxy libvirt-daemon-qemu libvirt-libs - Update to libvirt 9.7.0 (jsc#PED-3279) - Many incremental improvements and bug fixes, see https://libvirt.org/news.html#v9-7-0-2023-09-01 - spec: Unconditionally enable modular daemons (jsc#PED-6303) - spec: ESX hypervisor driver in ALP-based products - spec: Disable glusterfs storage backend in ALP-based products ==== luajit ==== Version update (2.1.0~beta3+git.1669107176.46aa45d -> 5.1.2.1.0+git.1693350652.41fb94d) - Update to version 5.1.2.1.0+git.1693350652.41fb94d: * Add randomized register allocation for fuzz testing. * ARM64: Improve register allocation for integer IR_MUL/IR_MULOV. * ARM64: Fix register allocation for IR_*LOAD. * Update external MSDN URL in code. * FFI/ARM64/OSX: Handle non-standard OSX C calling conventions. * FFI: Unify stack setup for C calls in interpreter. * ARM64: Prevent STP fusion for conditional code emitted by TBAR. * ARM64: Fix LDP/STP fusing for unaligned accesses. * Handle table unsinking in the presence of IRFL_TAB_NOMM. * Use fallback name for install files without valid .git or .relver. * Handle non-.git checkout with .relver in .bat-file builds. * Fix external C call stack check when using LUAJIT_MODE_WRAPCFUNC. * Fix predict_next() in parser (again). - Update luajit-lua-versioned.patch to work with the git checkout created tarball. The point of the patch is to extend the version number so that it is always bigger than 2.2.0 version of moonjit, which is Obsoleted by this package. - Update to version 2.1.0~beta3+git.1692716794.03c3112: * Fix typo. * Handle the case when .git is not a directory. * Add .gitattributes to dynamically resolve .relver. * Add .gitattributes to dynamically resolve .relver. * Fix for last commit: also remove symlink on uninstall. * Switch to rolling releases: mark v2.1 as production. * Fix Windows build scripts for rolling releases. * Switch MSVC and console build scripts to rolling releases. * Switch build system to rolling releases. * Update documentation for switch to rolling releases. * Bump copyright date. * Remove work-in-progress notice in string buffer docs. * MIPS: Fix "bad FP FLOAD" assertion. * Ensure forward progress on trace exit to BC_ITERN. * ARM64: Add support for ARM64e pointer authentication codes (PAC). * DynASM/ARM64: Add instructions for ARM64e PAC. * Fix maxslots when recording BC_VARG, part 3. * Fix predict_next() in parser. * MIPS32: Declare that the assembler part uses the FR=0 model. * ARM64: Fix assembly of HREFK (again). * Fix frame for more types of on-trace error messages. * Add workaround for bytecode dump of builtins. * DynASM: Fix regression due to warning fix. * Fix base register coalescing in side trace. * ARM64: Fix assembly of HREFK. * Fix maxslots when recording BC_VARG, part 2. * Fix maxslots when recording BC_TSETM. * Fix maxslots when recording BC_VARG. * Fix register mask for stack check in head of side trace. * FFI: Fix ffi.metatype() for non-raw types. * ARM64: Fix LDP code generation. * MIPSr6: Add missing files to Makefile install target. * DynASM: Fix warnings. * Fix frame for on-trace out-of-memory error. * Fix handling of instable types in TNEW/TDUP load forwarding. * Fix compiler warning. * Fix last commit. * Print errors from __gc finalizers instead of rethrowing them. * Fix TDUP load forwarding after table rehash. * Fix canonicalization of +-0.0 keys for IR_NEWREF. * Improve error reporting on stack overflow. * Allow building sources with mixed LF/CRLF line-endings. * Fix compiler warning. * Don't fail for Clang builds, which pretend to be an ancient GCC. * Avoid negation of signed integers in C that may hold INT*_MIN. * Correct fix for stack check when recording BC_VARG. * Disable FMA by default. Use -Ofma or jit.opt.start("+fma") to enable. * FFI: Fix dangling reference to CType. Improve checks. * ARM64: Fix code generation for IR_SLOAD with typecheck + conversion. * PS4/PS5: Fix build scripts. * Avoid assertion in case of stack overflow from stitched trace. ==== nodejs20 ==== Subpackages: npm20 - f0ff63fbc32ea55f3d92c5c89fdb91ec47786859.patch: fixes issues with Angular and other software that tries to load ECM modules in somewhat circular fashion ending up with multiple executions. ==== open-vm-tools ==== Version update (12.2.0 -> 12.3.0) Subpackages: libvmtools0 open-vm-tools-desktop - Update to 12.3.0 (build 22234872) (boo#1214850) - There are no new features in the open-vm-tools 12.3.0 release. This is primarily a maintenance release that addresses a few critical problems, including: - This release integrates CVE-2023-20900 without the need for a patch. For more information on this vulnerability and its impact on VMware products, see https://www.vmware.com/security/advisories/VMSA-2023-0019.html. - A tools.conf configuration setting is available to temporaily direct Linux quiesced snaphots to restore pre open-vm-tools 12.2.0 behavior of ignoring file systems already frozen. - Building of the VMware Guest Authentication Service (VGAuth) using "xml-security-c" and "xerces-c" is being deprecated. - A number of Coverity reported issues have been addressed. - A number of GitHub issues and pull requests have been handled. Please see the Resolves Issues section of the Release Notes. - For issues resolved in this release, see the Resolved Issues section of the Release Notes. - For complete details, see: https://github.com/vmware/open-vm-tools/releases/tag/stable-12.3.0 - Release Notes are available at https://github.com/vmware/open-vm-tools/blob/stable-12.3.0/ReleaseNotes.md - The granular changes that have gone into the 12.3.0 release are in the ChangeLog at https://github.com/vmware/open-vm-tools/blob/stable-12.3.0/open-vm-tools/ChangeLog - Fix (bsc#1205927) - hv_vmbus module is loaded unnecessarily in VMware guests - jsc-PED-1344 - reinable building containerinfo plugin for SLES 15 SP4. - Drop patch now contained in 12.3.0: + 0001-build-put-l-specifiers-into-LIBADD-not-LDFLAGS.patch + 0002-build-use-grpc-pkgconfig-to-retrieve-flags-libraries.patch + 2023-20867-Remove-some-dead-code.patch + CVE-20230-20900.patch ==== pam-config ==== Version update (2.5 -> 2.8) - Update to version 2.8 - Replace aad module with himmelblau - Update to version 2.7 - Add support for aad module - Update to version 2.6 - Remove pam_cracklib from config even if no successor is installed - Run update in %posttrans after all other PAM modules got installed/removed - Both are required for [bsc#1214885] ==== perl-Bootloader ==== Version update (1.6 -> 1.8) - merge gh#openSUSE/perl-bootloader#158 - skip warning about unsupported options when in compat mode - 1.8 - merge gh#openSUSE/perl-bootloader#156 - bootloader_entry script can have an optional 'force-default' argument (bsc#1215064) - 1.7 ==== python-click ==== Version update (8.1.6 -> 8.1.7) - update to 8.1.7: * Fix issue with regex flags in shell completion. * Bash version detection issues a warning instead of an error. * Fix issue with completion script for Fish shell. ==== python-libvirt-python ==== Version update (9.6.0 -> 9.7.0) - Update to 9.7.0 - Add all new APIs and constants in libvirt 9.7.0 - jsc#PED-3279 ==== python-psutil ==== - BuildRequire /usr/bin/who: called by the test suite. With coreutils 9.4 'who' is no longer part of the main package but is shipped as part of coreutils-systemd. ==== python-zope.event ==== Version update (4.6 -> 5.0) - update to 5.0: * Drop support for Python 2.7, 3.5, 3.6. ==== python311 ==== Version update (3.11.4 -> 3.11.5) Subpackages: python311-curses python311-dbm - Update to 3.11.5 (bsc#1214692): - Security - gh-108310: Fixed an issue where instances of ssl.SSLSocket were vulnerable to a bypass of the TLS handshake and included protections (like certificate verification) and treating sent unencrypted data as if it were post-handshake TLS encrypted data. Security issue reported as CVE-2023-40217 by Aapo Oksman. Patch by Gregory P. Smith. - Core and Builtins - gh-104432: Fix potential unaligned memory access on C APIs involving returned sequences of char * pointers within the grp and socket modules. These were revealed using a - fsaniziter=alignment build on ARM macOS. Patch by Christopher Chavez. - gh-77377: Ensure that multiprocessing synchronization objects created in a fork context are not sent to a different process created in a spawn context. This changes a segfault into an actionable RuntimeError in the parent process. - gh-106092: Fix a segmentation fault caused by a use-after-free bug in frame_dealloc when the trashcan delays the deallocation of a PyFrameObject. - gh-106719: No longer suppress arbitrary errors in the __annotations__ getter and setter in the type and module types. - gh-106723: Propagate frozen_modules to multiprocessing spawned process interpreters. - gh-105979: Fix crash in _imp.get_frozen_object() due to improper exception handling. - gh-105840: Fix possible crashes when specializing function calls with too many __defaults__. - gh-105588: Fix an issue that could result in crashes when compiling malformed ast nodes. - gh-105375: Fix bugs in the builtins module where exceptions could end up being overwritten. - gh-105375: Fix bug in the compiler where an exception could end up being overwritten. - gh-105375: Improve error handling in PyUnicode_BuildEncodingMap() where an exception could end up being overwritten. - gh-105235: Prevent out-of-bounds memory access during mmap.find() calls. - gh-101006: Improve error handling when read marshal data. - Library - gh-105736: Harmonized the pure Python version of OrderedDict with the C version. Now, both versions set up their internal state in __new__. Formerly, the pure Python version did the set up in __init__. - gh-107963: Fix multiprocessing.set_forkserver_preload() to check the given list of modules names. Patch by Dong-hee Na. - gh-106242: Fixes os.path.normpath() to handle embedded null characters without truncating the path. - gh-107845: tarfile.data_filter() now takes the location of symlinks into account when determining their target, so it will no longer reject some valid tarballs with LinkOutsideDestinationError. - gh-107715: Fix doctest.DocTestFinder.find() in presence of class names with special characters. Patch by Gertjan van Zwieten. - gh-100814: Passing a callable object as an option value to a Tkinter image now raises the expected TclError instead of an AttributeError. - gh-106684: Close asyncio.StreamWriter when it is not closed by application leading to memory leaks. Patch by Kumar Aditya. - gh-107077: Seems that in some conditions, OpenSSL will return SSL_ERROR_SYSCALL instead of SSL_ERROR_SSL when a certification verification has failed, but the error parameters will still contain ERR_LIB_SSL and SSL_R_CERTIFICATE_VERIFY_FAILED. We are now detecting this situation and raising the appropiate ssl.SSLCertVerificationError. Patch by Pablo Galindo - gh-107396: tarfiles; Fixed use before assignment of self.exception for gzip decompression - gh-62519: Make gettext.pgettext() search plural definitions when translation is not found. - gh-83006: Document behavior of shutil.disk_usage() for non-mounted filesystems on Unix. - gh-106186: Do not report MultipartInvariantViolationDefect defect when the email.parser.Parser class is used to parse emails with headersonly=True. - gh-106831: Fix potential missing NULL check of d2i_SSL_SESSION result in _ssl.c. - gh-106774: Update the bundled copy of pip to version 23.2.1. - gh-106752: Fixed several bug in zipfile.Path in name/suffix/suffixes/stem operations when no filename is present and the Path is not at the root of the zipfile. - gh-106602: Add __copy__ and __deepcopy__ in enum - gh-106530: Revert a change to colorsys.rgb_to_hls() that caused division by zero for certain almost-white inputs. Patch by Terry Jan Reedy. - gh-106052: re module: fix the matching of possessive quantifiers in the case of a subpattern containing backtracking. - gh-106510: Improve debug output for atomic groups in regular expressions. - gh-105497: Fix flag mask inversion when unnamed flags exist. - gh-90876: Prevent multiprocessing.spawn from failing to import in environments where sys.executable is None. This regressed in 3.11 with the addition of support for path-like objects in multiprocessing. - gh-106350: Detect possible memory allocation failure in the libtommath function mp_init() used by the _tkinter module. - gh-102541: Make pydoc.doc catch bad module ImportError when output stream is not None. ... changelog too long, skipping 124 lines ... data: *consumed was not set. ==== python311-core ==== Version update (3.11.4 -> 3.11.5) Subpackages: libpython3_11-1_0 python311-base - Update to 3.11.5 (bsc#1214692): - Security - gh-108310: Fixed an issue where instances of ssl.SSLSocket were vulnerable to a bypass of the TLS handshake and included protections (like certificate verification) and treating sent unencrypted data as if it were post-handshake TLS encrypted data. Security issue reported as CVE-2023-40217 by Aapo Oksman. Patch by Gregory P. Smith. - Core and Builtins - gh-104432: Fix potential unaligned memory access on C APIs involving returned sequences of char * pointers within the grp and socket modules. These were revealed using a - fsaniziter=alignment build on ARM macOS. Patch by Christopher Chavez. - gh-77377: Ensure that multiprocessing synchronization objects created in a fork context are not sent to a different process created in a spawn context. This changes a segfault into an actionable RuntimeError in the parent process. - gh-106092: Fix a segmentation fault caused by a use-after-free bug in frame_dealloc when the trashcan delays the deallocation of a PyFrameObject. - gh-106719: No longer suppress arbitrary errors in the __annotations__ getter and setter in the type and module types. - gh-106723: Propagate frozen_modules to multiprocessing spawned process interpreters. - gh-105979: Fix crash in _imp.get_frozen_object() due to improper exception handling. - gh-105840: Fix possible crashes when specializing function calls with too many __defaults__. - gh-105588: Fix an issue that could result in crashes when compiling malformed ast nodes. - gh-105375: Fix bugs in the builtins module where exceptions could end up being overwritten. - gh-105375: Fix bug in the compiler where an exception could end up being overwritten. - gh-105375: Improve error handling in PyUnicode_BuildEncodingMap() where an exception could end up being overwritten. - gh-105235: Prevent out-of-bounds memory access during mmap.find() calls. - gh-101006: Improve error handling when read marshal data. - Library - gh-105736: Harmonized the pure Python version of OrderedDict with the C version. Now, both versions set up their internal state in __new__. Formerly, the pure Python version did the set up in __init__. - gh-107963: Fix multiprocessing.set_forkserver_preload() to check the given list of modules names. Patch by Dong-hee Na. - gh-106242: Fixes os.path.normpath() to handle embedded null characters without truncating the path. - gh-107845: tarfile.data_filter() now takes the location of symlinks into account when determining their target, so it will no longer reject some valid tarballs with LinkOutsideDestinationError. - gh-107715: Fix doctest.DocTestFinder.find() in presence of class names with special characters. Patch by Gertjan van Zwieten. - gh-100814: Passing a callable object as an option value to a Tkinter image now raises the expected TclError instead of an AttributeError. - gh-106684: Close asyncio.StreamWriter when it is not closed by application leading to memory leaks. Patch by Kumar Aditya. - gh-107077: Seems that in some conditions, OpenSSL will return SSL_ERROR_SYSCALL instead of SSL_ERROR_SSL when a certification verification has failed, but the error parameters will still contain ERR_LIB_SSL and SSL_R_CERTIFICATE_VERIFY_FAILED. We are now detecting this situation and raising the appropiate ssl.SSLCertVerificationError. Patch by Pablo Galindo - gh-107396: tarfiles; Fixed use before assignment of self.exception for gzip decompression - gh-62519: Make gettext.pgettext() search plural definitions when translation is not found. - gh-83006: Document behavior of shutil.disk_usage() for non-mounted filesystems on Unix. - gh-106186: Do not report MultipartInvariantViolationDefect defect when the email.parser.Parser class is used to parse emails with headersonly=True. - gh-106831: Fix potential missing NULL check of d2i_SSL_SESSION result in _ssl.c. - gh-106774: Update the bundled copy of pip to version 23.2.1. - gh-106752: Fixed several bug in zipfile.Path in name/suffix/suffixes/stem operations when no filename is present and the Path is not at the root of the zipfile. - gh-106602: Add __copy__ and __deepcopy__ in enum - gh-106530: Revert a change to colorsys.rgb_to_hls() that caused division by zero for certain almost-white inputs. Patch by Terry Jan Reedy. - gh-106052: re module: fix the matching of possessive quantifiers in the case of a subpattern containing backtracking. - gh-106510: Improve debug output for atomic groups in regular expressions. - gh-105497: Fix flag mask inversion when unnamed flags exist. - gh-90876: Prevent multiprocessing.spawn from failing to import in environments where sys.executable is None. This regressed in 3.11 with the addition of support for path-like objects in multiprocessing. - gh-106350: Detect possible memory allocation failure in the libtommath function mp_init() used by the _tkinter module. - gh-102541: Make pydoc.doc catch bad module ImportError when output stream is not None. ... changelog too long, skipping 124 lines ... data: *consumed was not set. ==== sssd ==== Version update (2.9.1 -> 2.9.2) Subpackages: libsss_certmap0 libsss_idmap0 libsss_nss_idmap0 sssd-krb5-common sssd-ldap - Update to release 2.9.2 * sssctl cert-show and cert-show cert-eval-rule can now be run as non-root user. * New option local_auth_policy is added to control which offline authentication methods will be enabled by SSSD.